amadey | 2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce

Resubmissions

09-04-2024 08:32

240409-kfg77aaf85 10

09-04-2024 08:32

09-04-2024 08:32

09-04-2024 08:32

11-03-2024 08:03

10-03-2024 15:15

Analysis

max time kernel
1198s
max time network
1199s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
09-04-2024 08:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FUCKER.exe
Size

10KB
MD5

2a94f3960c58c6e70826495f76d00b85
SHA1

e2a1a5641295f5ebf01a37ac1c170ac0814bb71a
SHA256

2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
SHA512

fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f
SSDEEP

192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K

Score

10^/10

amadey asyncrat quasar redline sectoprat xmrig zgrat 666 kz1 office04 evasion infostealer miner persistence rat spyware trojan upx

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

185.196.10.233:4782

Mutex

a244256d-314d-4857-83fe-790ac24d7897

Attributes

encryption_key
0EC03133971030F6D05E6D59F71626F6543BBE65
install_name
gfdgfdg.exe
log_directory
Logs
reconnect_delay
3000
startup_key
fgfdhdgg
subdirectory
gfgfgf

Extracted

Family

amadey

Version

4.18

http://185.172.128.3

Attributes

install_dir
One_Dragon_Center
install_file
MSI.CentralServer.exe
strings_key
fd2f5851d3165c210396dcbe9930d294
url_paths
/QajE3OBS/index.php

rc4.plain

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

KZ1

77.232.132.25:5001

Mutex

AsyncMutex_6SI8OJU68

Attributes

delay
3
install
false
install_file
service.exe
install_folder
%AppData%

aes.plain

Extracted

Family

quasar

Version

1.4.1

Botnet

KZ1

77.232.132.25:4999

Mutex

8892f097-602a-41ca-8df2-0bf3fd113bd2

Attributes

encryption_key
790BD6D1C1540AE1BFB811F2DC1E0185525C5DCB
install_name
LestaClient.exe
log_directory
LestaLogs
reconnect_delay
3000
startup_key
Lesta Game Center
subdirectory
Lesta

Extracted

Family

redline

Botnet

666

195.20.16.103:18305

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Detect ZGRat V1 7 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\Files\M5traider.exe	family_zgrat_v1
behavioral1/memory/2784-416-0x0000000000F90000-0x000000000142E000-memory.dmp	family_zgrat_v1
C:\Users\Admin\AppData\Local\Temp\Files\svchost.exe	family_zgrat_v1
behavioral1/memory/1640-428-0x0000000000FB0000-0x00000000016C0000-memory.dmp	family_zgrat_v1
behavioral1/memory/2516-955-0x0000000005130000-0x00000000055DB000-memory.dmp	family_zgrat_v1
behavioral1/memory/2516-952-0x0000000005130000-0x00000000055DB000-memory.dmp	family_zgrat_v1
C:\Users\Admin\AppData\Local\Temp\Files\ma.exe	family_zgrat_v1

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Files\hghgfhjfhmain.exe	family_quasar
behavioral1/memory/2592-203-0x00000000013A0000-0x00000000016C4000-memory.dmp	family_quasar
C:\ProgramData\Microsoft\Diagnosis\Microsoft.ServiceHub.Control.exe	family_quasar

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2616-729-0x0000000000400000-0x000000000043C000-memory.dmp	family_redline
behavioral1/memory/2616-740-0x0000000000400000-0x000000000043C000-memory.dmp	family_redline
behavioral1/memory/2616-748-0x0000000000400000-0x000000000043C000-memory.dmp	family_redline
behavioral1/memory/2616-753-0x0000000000400000-0x000000000043C000-memory.dmp	family_redline
behavioral1/memory/2616-751-0x0000000000400000-0x000000000043C000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2968-717-0x0000000000400000-0x00000000004D4000-memory.dmp	family_sectoprat
behavioral1/memory/2968-718-0x0000000000400000-0x00000000004D4000-memory.dmp	family_sectoprat
behavioral1/memory/2968-721-0x0000000000400000-0x00000000004D4000-memory.dmp	family_sectoprat
behavioral1/memory/2968-723-0x0000000000400000-0x00000000004D4000-memory.dmp	family_sectoprat
behavioral1/memory/2968-725-0x0000000000400000-0x00000000004D4000-memory.dmp	family_sectoprat

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
C:\ProgramData\Microsoft\Diagnosis\Microsoft.ServiceHub.Anyns.exe	family_asyncrat

XMRig Miner payload 9 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/2560-775-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2560-777-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2560-786-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2560-787-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2560-788-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2560-789-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2560-790-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2560-830-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2560-834-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig

Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003
Downloads MZ/PE file
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

.NET Reactor proctector 4 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

Processes:

resource	yara_rule
behavioral1/memory/2472-177-0x00000000046D0000-0x0000000004736000-memory.dmp	net_reactor
behavioral1/memory/2472-181-0x0000000004780000-0x00000000047E4000-memory.dmp	net_reactor
behavioral1/memory/2432-551-0x0000000000ED0000-0x000000000143C000-memory.dmp	net_reactor
C:\Users\Admin\AppData\Local\Temp\Files\hv.exe	net_reactor

Executes dropped EXE 8 IoCs

Processes:

dsdasda.exeFirstZ.exehghgfhjfhmain.exeboomlumma.exeM5traider.exesvchost.execp.exeRtkAudUKZ1.exe

pid process

2472 dsdasda.exe
1624 FirstZ.exe
2592 hghgfhjfhmain.exe
2892 boomlumma.exe
2784 M5traider.exe
1640 svchost.exe
1884 cp.exe
772 RtkAudUKZ1.exe

pid	process
2472	dsdasda.exe
1624	FirstZ.exe
2592	hghgfhjfhmain.exe
2892	boomlumma.exe
2784	M5traider.exe
1640	svchost.exe
1884	cp.exe
772	RtkAudUKZ1.exe

Loads dropped DLL 16 IoCs

Processes:

FUCKER.exeWerFault.exe

pid	process
2196	FUCKER.exe
2196	FUCKER.exe
2196	FUCKER.exe
1660	WerFault.exe
1660	WerFault.exe
1660	WerFault.exe
1660	WerFault.exe
1660	WerFault.exe
2196	FUCKER.exe
2196	FUCKER.exe
2196	FUCKER.exe
2196	FUCKER.exe
2196	FUCKER.exe
2196	FUCKER.exe
2196	FUCKER.exe
2196	FUCKER.exe

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2560-769-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2560-771-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2560-774-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2560-775-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2560-777-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2560-772-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2560-770-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2560-786-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2560-787-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2560-788-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2560-789-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2560-790-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2560-830-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2560-834-0x0000000140000000-0x0000000140848000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

RtkAudUKZ1.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\RtkAudUApp64 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Files\\RtkAudUKZ1.exe"	RtkAudUKZ1.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 20 IoCs

Web Service

T1102

Processes:

flow	ioc
251	pastebin.com
333	bitbucket.org
422	pastebin.com
20	bitbucket.org
21	bitbucket.org
58	pastebin.com
75	raw.githubusercontent.com
245	pastebin.com
332	bitbucket.org
423	pastebin.com
173	raw.githubusercontent.com
174	raw.githubusercontent.com
12	raw.githubusercontent.com
13	raw.githubusercontent.com
59	pastebin.com
134	bitbucket.org
135	bitbucket.org
66	pastebin.com
143	pastebin.com
540	pastebin.com

Suspicious use of SetThreadContext 1 IoCs

Processes:

boomlumma.exe

description pid process target process

PID 2892 set thread context of 2120 2892 boomlumma.exe RegAsm.exe

description	pid	process	target process
PID 2892 set thread context of 2120	2892	boomlumma.exe	RegAsm.exe

Launches sc.exe 23 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid	process
2672	sc.exe
1040	sc.exe
2052	sc.exe
1712	sc.exe
1756	sc.exe
2884	sc.exe
2032	sc.exe
2576	sc.exe
2516	sc.exe
1996	sc.exe
612	sc.exe
2856	sc.exe
2420	sc.exe
1096	sc.exe
1924	sc.exe
2124	sc.exe
3052	sc.exe
2656	sc.exe
1608	sc.exe
2572	sc.exe
592	sc.exe
2364	sc.exe
2220	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 6 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
1660	2472	WerFault.exe	dsdasda.exe
2016	2120	WerFault.exe	RegAsm.exe
2632	2156	WerFault.exe	koooooo.exe
1260	1640	WerFault.exe	svchost.exe
2028	1072	WerFault.exe	RegAsm.exe
2000	308	WerFault.exe	tidex_-_short_stuff.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

1376 schtasks.exe

pid	process
1376	schtasks.exe

Modifies system certificate store 2 TTPs 10 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

FUCKER.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	FUCKER.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	FUCKER.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6	FUCKER.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 19000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca61d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e4090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f006700690065007300000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a92000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	FUCKER.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba870f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca619000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	FUCKER.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	FUCKER.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	FUCKER.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	FUCKER.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	FUCKER.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 0f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	FUCKER.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXE

pid process

1956 PING.EXE
2340 PING.EXE

pid	process
1956	PING.EXE
2340	PING.EXE

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
1900	powershell.exe
1532	powershell.exe
1816	powershell.exe
1872	powershell.exe
2400	powershell.exe
2944	powershell.exe
1856	powershell.exe
884	powershell.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

FUCKER.exehghgfhjfhmain.exeRtkAudUKZ1.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2196	FUCKER.exe
Token: SeDebugPrivilege	2592	hghgfhjfhmain.exe
Token: SeDebugPrivilege	772	RtkAudUKZ1.exe
Token: SeDebugPrivilege	1900	powershell.exe
Token: SeDebugPrivilege	1532	powershell.exe
Token: SeDebugPrivilege	1816	powershell.exe
Token: SeDebugPrivilege	1872	powershell.exe
Token: SeDebugPrivilege	2400	powershell.exe
Token: SeDebugPrivilege	2944	powershell.exe
Token: SeDebugPrivilege	1856	powershell.exe
Token: SeDebugPrivilege	884	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

FUCKER.exedsdasda.exehghgfhjfhmain.exeboomlumma.exeRegAsm.exeRtkAudUKZ1.exe

description	pid	process	target process
PID 2196 wrote to memory of 2472	2196	FUCKER.exe	dsdasda.exe
PID 2196 wrote to memory of 2472	2196	FUCKER.exe	dsdasda.exe
PID 2196 wrote to memory of 2472	2196	FUCKER.exe	dsdasda.exe
PID 2196 wrote to memory of 2472	2196	FUCKER.exe	dsdasda.exe
PID 2472 wrote to memory of 1660	2472	dsdasda.exe	WerFault.exe
PID 2472 wrote to memory of 1660	2472	dsdasda.exe	WerFault.exe
PID 2472 wrote to memory of 1660	2472	dsdasda.exe	WerFault.exe
PID 2472 wrote to memory of 1660	2472	dsdasda.exe	WerFault.exe
PID 2196 wrote to memory of 1624	2196	FUCKER.exe	FirstZ.exe
PID 2196 wrote to memory of 1624	2196	FUCKER.exe	FirstZ.exe
PID 2196 wrote to memory of 1624	2196	FUCKER.exe	FirstZ.exe
PID 2196 wrote to memory of 1624	2196	FUCKER.exe	FirstZ.exe
PID 2196 wrote to memory of 2592	2196	FUCKER.exe	hghgfhjfhmain.exe
PID 2196 wrote to memory of 2592	2196	FUCKER.exe	hghgfhjfhmain.exe
PID 2196 wrote to memory of 2592	2196	FUCKER.exe	hghgfhjfhmain.exe
PID 2196 wrote to memory of 2592	2196	FUCKER.exe	hghgfhjfhmain.exe
PID 2196 wrote to memory of 2892	2196	FUCKER.exe	boomlumma.exe
PID 2196 wrote to memory of 2892	2196	FUCKER.exe	boomlumma.exe
PID 2196 wrote to memory of 2892	2196	FUCKER.exe	boomlumma.exe
PID 2196 wrote to memory of 2892	2196	FUCKER.exe	boomlumma.exe
PID 2592 wrote to memory of 1376	2592	hghgfhjfhmain.exe	schtasks.exe
PID 2592 wrote to memory of 1376	2592	hghgfhjfhmain.exe	schtasks.exe
PID 2592 wrote to memory of 1376	2592	hghgfhjfhmain.exe	schtasks.exe
PID 2892 wrote to memory of 2120	2892	boomlumma.exe	RegAsm.exe
PID 2892 wrote to memory of 2120	2892	boomlumma.exe	RegAsm.exe
PID 2892 wrote to memory of 2120	2892	boomlumma.exe	RegAsm.exe
PID 2892 wrote to memory of 2120	2892	boomlumma.exe	RegAsm.exe
PID 2892 wrote to memory of 2120	2892	boomlumma.exe	RegAsm.exe
PID 2892 wrote to memory of 2120	2892	boomlumma.exe	RegAsm.exe
PID 2892 wrote to memory of 2120	2892	boomlumma.exe	RegAsm.exe
PID 2892 wrote to memory of 2120	2892	boomlumma.exe	RegAsm.exe
PID 2892 wrote to memory of 2120	2892	boomlumma.exe	RegAsm.exe
PID 2892 wrote to memory of 2120	2892	boomlumma.exe	RegAsm.exe
PID 2892 wrote to memory of 2120	2892	boomlumma.exe	RegAsm.exe
PID 2892 wrote to memory of 2120	2892	boomlumma.exe	RegAsm.exe
PID 2892 wrote to memory of 2120	2892	boomlumma.exe	RegAsm.exe
PID 2120 wrote to memory of 2016	2120	RegAsm.exe	WerFault.exe
PID 2120 wrote to memory of 2016	2120	RegAsm.exe	WerFault.exe
PID 2120 wrote to memory of 2016	2120	RegAsm.exe	WerFault.exe
PID 2120 wrote to memory of 2016	2120	RegAsm.exe	WerFault.exe
PID 2196 wrote to memory of 2784	2196	FUCKER.exe	M5traider.exe
PID 2196 wrote to memory of 2784	2196	FUCKER.exe	M5traider.exe
PID 2196 wrote to memory of 2784	2196	FUCKER.exe	M5traider.exe
PID 2196 wrote to memory of 2784	2196	FUCKER.exe	M5traider.exe
PID 2196 wrote to memory of 1640	2196	FUCKER.exe	svchost.exe
PID 2196 wrote to memory of 1640	2196	FUCKER.exe	svchost.exe
PID 2196 wrote to memory of 1640	2196	FUCKER.exe	svchost.exe
PID 2196 wrote to memory of 1640	2196	FUCKER.exe	svchost.exe
PID 2196 wrote to memory of 1884	2196	FUCKER.exe	cp.exe
PID 2196 wrote to memory of 1884	2196	FUCKER.exe	cp.exe
PID 2196 wrote to memory of 1884	2196	FUCKER.exe	cp.exe
PID 2196 wrote to memory of 1884	2196	FUCKER.exe	cp.exe
PID 2196 wrote to memory of 772	2196	FUCKER.exe	RtkAudUKZ1.exe
PID 2196 wrote to memory of 772	2196	FUCKER.exe	RtkAudUKZ1.exe
PID 2196 wrote to memory of 772	2196	FUCKER.exe	RtkAudUKZ1.exe
PID 2196 wrote to memory of 772	2196	FUCKER.exe	RtkAudUKZ1.exe
PID 772 wrote to memory of 1900	772	RtkAudUKZ1.exe	powershell.exe
PID 772 wrote to memory of 1900	772	RtkAudUKZ1.exe	powershell.exe
PID 772 wrote to memory of 1900	772	RtkAudUKZ1.exe	powershell.exe
PID 772 wrote to memory of 1816	772	RtkAudUKZ1.exe	powershell.exe
PID 772 wrote to memory of 1816	772	RtkAudUKZ1.exe	powershell.exe
PID 772 wrote to memory of 1816	772	RtkAudUKZ1.exe	powershell.exe
PID 772 wrote to memory of 1532	772	RtkAudUKZ1.exe	powershell.exe
PID 772 wrote to memory of 1532	772	RtkAudUKZ1.exe	powershell.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\FUCKER.exe
"C:\Users\Admin\AppData\Local\Temp\FUCKER.exe"
1⤵
- Loads dropped DLL
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2196

C:\Users\Admin\AppData\Local\Temp\Files\dsdasda.exe
"C:\Users\Admin\AppData\Local\Temp\Files\dsdasda.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2472 -s 600
3⤵
- Loads dropped DLL
- Program crash
PID:1660

C:\Users\Admin\AppData\Local\Temp\Files\FirstZ.exe
"C:\Users\Admin\AppData\Local\Temp\Files\FirstZ.exe"
2⤵
- Executes dropped EXE
PID:1624

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
3⤵
PID:2748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
3⤵
PID:1468

C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
4⤵
PID:3064

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
3⤵
- Launches sc.exe
PID:2420

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
3⤵
- Launches sc.exe
PID:2884

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
3⤵
- Launches sc.exe
PID:3052

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
3⤵
- Launches sc.exe
PID:1096

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
3⤵
- Launches sc.exe
PID:1756

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
3⤵
PID:3036

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
3⤵
PID:872

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
3⤵
PID:1800

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
3⤵
PID:2484

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "WSNKISKT"
3⤵
- Launches sc.exe
PID:2576

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "WSNKISKT" binpath= "C:\ProgramData\wikombernizc\reakuqnanrkn.exe" start= "auto"
3⤵
- Launches sc.exe
PID:2032

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
3⤵
- Launches sc.exe
PID:2220

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "WSNKISKT"
3⤵
- Launches sc.exe
PID:1924

C:\Users\Admin\AppData\Local\Temp\Files\hghgfhjfhmain.exe
"C:\Users\Admin\AppData\Local\Temp\Files\hghgfhjfhmain.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2592

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "fgfdhdgg" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\gfgfgf\gfdgfdg.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:1376

C:\Users\Admin\AppData\Local\Temp\Files\boomlumma.exe
"C:\Users\Admin\AppData\Local\Temp\Files\boomlumma.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2892

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:2120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2120 -s 256
4⤵
- Program crash
PID:2016

C:\Users\Admin\AppData\Local\Temp\Files\M5traider.exe
"C:\Users\Admin\AppData\Local\Temp\Files\M5traider.exe"
2⤵
- Executes dropped EXE
PID:2784

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
3⤵
PID:2616

C:\Users\Admin\AppData\Local\Temp\Files\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\Files\svchost.exe"
2⤵
- Executes dropped EXE
PID:1640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1640 -s 584
3⤵
- Program crash
PID:1260

C:\Users\Admin\AppData\Local\Temp\Files\cp.exe
"C:\Users\Admin\AppData\Local\Temp\Files\cp.exe"
2⤵
- Executes dropped EXE
PID:1884

C:\Users\Admin\AppData\Local\Temp\Files\RtkAudUKZ1.exe
"C:\Users\Admin\AppData\Local\Temp\Files\RtkAudUKZ1.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:772

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" powershell -Command Add-MpPreference -ExclusionProcess Microsoft.ServiceHub.Control.exe
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1900

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionProcess Microsoft.ServiceHub.Control.exe
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:884

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" powershell -Command Add-MpPreference -ExclusionProcess Microsoft.ServiceHub.Anyns.exe
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1816

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionProcess Microsoft.ServiceHub.Anyns.exe
4⤵
PID:2800

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" powershell -Command Add-MpPreference -ExclusionProcess Microsoft.ServiceHub.Header.exe
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1532

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionProcess Microsoft.ServiceHub.Header.exe
4⤵
PID:1512

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" powershell -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\Files
3⤵
PID:1728

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\Files
4⤵
PID:3036

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" powershell -Command Add-MpPreference -ExclusionPath C:\ProgramData\Microsoft\Diagnosis\
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1872

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\ProgramData\Microsoft\Diagnosis\
4⤵
PID:2548

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" powershell -Command Add-MpPreference -ExclusionProcess Microsoft.ServiceHub.Taskhost.exe
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1856

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionProcess Microsoft.ServiceHub.Taskhost.exe
4⤵
PID:2680

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" powershell -Command Add-MpPreference -ExclusionProcess Microsoft.ServiceHub.Runtime.exe
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2400

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionProcess Microsoft.ServiceHub.Runtime.exe
4⤵
PID:2412

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" powershell -Command Add-MpPreference -ExclusionPath C:\ProgramData\Microsoft\Diagnosis\Sideload\
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2944

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\ProgramData\Microsoft\Diagnosis\Sideload\
4⤵
PID:2456

C:\ProgramData\Microsoft\Diagnosis\Microsoft.ServiceHub.Control.exe
"C:\ProgramData\Microsoft\Diagnosis\Microsoft.ServiceHub.Control.exe"
3⤵
PID:2012

C:\ProgramData\Microsoft\Diagnosis\Microsoft.ServiceHub.Anyns.exe
"C:\ProgramData\Microsoft\Diagnosis\Microsoft.ServiceHub.Anyns.exe"
3⤵
PID:2764

C:\Users\Admin\AppData\Local\Temp\Files\hv.exe
"C:\Users\Admin\AppData\Local\Temp\Files\hv.exe"
2⤵
PID:2432

C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
3⤵
PID:2968

C:\Users\Admin\AppData\Local\Temp\Files\koooooo.exe
"C:\Users\Admin\AppData\Local\Temp\Files\koooooo.exe"
2⤵
PID:2156

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:1160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2156 -s 560
3⤵
- Program crash
PID:2632

C:\Users\Admin\AppData\Local\Temp\Files\Doublepulsar-1.3.1.exe
"C:\Users\Admin\AppData\Local\Temp\Files\Doublepulsar-1.3.1.exe"
2⤵
PID:2620

C:\Users\Admin\AppData\Local\Temp\Files\tidex_-_short_stuff.exe
"C:\Users\Admin\AppData\Local\Temp\Files\tidex_-_short_stuff.exe"
2⤵
PID:308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 308 -s 460
3⤵
- Program crash
PID:2000

C:\Users\Admin\AppData\Local\Temp\Files\ISetup5.exe
"C:\Users\Admin\AppData\Local\Temp\Files\ISetup5.exe"
2⤵
PID:2900

C:\Users\Admin\AppData\Local\Temp\u28k.0.exe
"C:\Users\Admin\AppData\Local\Temp\u28k.0.exe"
3⤵
PID:2400

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\AAFIJKKEHJ.exe"
4⤵
PID:2788

C:\Users\Admin\AppData\Local\Temp\AAFIJKKEHJ.exe
"C:\Users\Admin\AppData\Local\Temp\AAFIJKKEHJ.exe"
5⤵
PID:2944

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping 2.2.2.2 -n 1 -w 3000 > Nul & Del C:\Users\Admin\AppData\Local\Temp\AAFIJKKEHJ.exe
6⤵
PID:864

C:\Windows\SysWOW64\PING.EXE
ping 2.2.2.2 -n 1 -w 3000
7⤵
- Runs ping.exe
PID:2340

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\KKEHIEBKJK.exe"
4⤵
PID:952

C:\Users\Admin\AppData\Local\Temp\u28k.1.exe
"C:\Users\Admin\AppData\Local\Temp\u28k.1.exe"
3⤵
PID:2604

C:\Users\Admin\AppData\Local\Temp\Files\fud.exe
"C:\Users\Admin\AppData\Local\Temp\Files\fud.exe"
2⤵
PID:2524

C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
"C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe"
3⤵
PID:2440

C:\Users\Admin\AppData\Local\Temp\Files\asdfg.exe
"C:\Users\Admin\AppData\Local\Temp\Files\asdfg.exe"
2⤵
PID:2516

C:\Users\Admin\AppData\Local\Temp\Files\Ledger-Live.exe
"C:\Users\Admin\AppData\Local\Temp\Files\Ledger-Live.exe"
2⤵
PID:2144

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping 2.2.2.2 -n 1 -w 3000 > Nul & Del C:\Users\Admin\AppData\Local\Temp\Files\Ledger-Live.exe
3⤵
PID:2040

C:\Windows\SysWOW64\PING.EXE
ping 2.2.2.2 -n 1 -w 3000
4⤵
- Runs ping.exe
PID:1956

C:\Users\Admin\AppData\Local\Temp\Files\lummahelp.exe
"C:\Users\Admin\AppData\Local\Temp\Files\lummahelp.exe"
2⤵
PID:2876

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:1072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1072 -s 252
4⤵
- Program crash
PID:2028

C:\Users\Admin\AppData\Local\Temp\Files\Max.exe
"C:\Users\Admin\AppData\Local\Temp\Files\Max.exe"
2⤵
PID:1152

C:\Users\Admin\AppData\Local\Temp\Files\crypted_15a94542.exe
"C:\Users\Admin\AppData\Local\Temp\Files\crypted_15a94542.exe"
2⤵
PID:2580

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:2984

C:\Users\Admin\AppData\Local\Temp\Files\TJeAjWEEeH.exe
"C:\Users\Admin\AppData\Local\Temp\Files\TJeAjWEEeH.exe"
2⤵
PID:2524

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
3⤵
PID:2124

C:\Users\Admin\AppData\Local\Temp\Files\juditttt.exe
"C:\Users\Admin\AppData\Local\Temp\Files\juditttt.exe"
2⤵
PID:1920

C:\Users\Admin\AppData\Local\Temp\onefile_1920_133571325990190000\stub.exe
"C:\Users\Admin\AppData\Local\Temp\Files\juditttt.exe"
3⤵
PID:556

C:\Users\Admin\AppData\Local\Temp\Files\cayV0Deo9jSt417.exe
"C:\Users\Admin\AppData\Local\Temp\Files\cayV0Deo9jSt417.exe"
2⤵
PID:2336

C:\Windows\SysWOW64\clip.exe
"C:\Windows\SysWOW64\clip.exe"
3⤵
PID:2624

C:\Users\Admin\AppData\Roaming\System32\taskhost.exe
"C:\Users\Admin\AppData\Roaming\System32\taskhost.exe"
4⤵
PID:2244

C:\Users\Admin\AppData\Local\Temp\Files\niks.exe
"C:\Users\Admin\AppData\Local\Temp\Files\niks.exe"
2⤵
PID:3052

C:\Users\Admin\AppData\Local\Temp\Files\mk.exe
"C:\Users\Admin\AppData\Local\Temp\Files\mk.exe"
2⤵
PID:2304

C:\Users\Admin\AppData\Local\Temp\Files\native.exe
"C:\Users\Admin\AppData\Local\Temp\Files\native.exe"
2⤵
PID:1484

C:\Users\Admin\AppData\Local\Temp\Files\file300un-1.exe
"C:\Users\Admin\AppData\Local\Temp\Files\file300un-1.exe"
2⤵
PID:2892

C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
3⤵
PID:2020

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
3⤵
PID:2784

C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
3⤵
PID:2108

C:\Users\Admin\Pictures\mwsPoDEpmOp2TiZIT377BcHq.exe
"C:\Users\Admin\Pictures\mwsPoDEpmOp2TiZIT377BcHq.exe"
4⤵
PID:352

C:\Users\Admin\AppData\Local\Temp\u9s.0.exe
"C:\Users\Admin\AppData\Local\Temp\u9s.0.exe"
5⤵
PID:2412

C:\Users\Admin\Pictures\UrcGgJ10JMw6iw0OHVzsuRsn.exe
"C:\Users\Admin\Pictures\UrcGgJ10JMw6iw0OHVzsuRsn.exe"
4⤵
PID:1712

C:\Users\Admin\AppData\Local\Temp\u1bk.0.exe
"C:\Users\Admin\AppData\Local\Temp\u1bk.0.exe"
5⤵
PID:3428

C:\Users\Admin\Pictures\uF7dOdZWjV3GT7Wb1dsZ662y.exe
"C:\Users\Admin\Pictures\uF7dOdZWjV3GT7Wb1dsZ662y.exe"
4⤵
PID:2144

C:\Users\Admin\AppData\Local\Temp\Files\ghjkl.exe
"C:\Users\Admin\AppData\Local\Temp\Files\ghjkl.exe"
2⤵
PID:1360

C:\Users\Admin\AppData\Local\Temp\Files\VLTKNhatRac.exe
"C:\Users\Admin\AppData\Local\Temp\Files\VLTKNhatRac.exe"
2⤵
PID:948

C:\Users\Admin\AppData\Local\Temp\Files\AUTOKEY.exe
"C:\Users\Admin\AppData\Local\Temp\Files\AUTOKEY.exe"
2⤵
PID:2920

C:\Users\Admin\AppData\Local\Temp\Files\ma.exe
"C:\Users\Admin\AppData\Local\Temp\Files\ma.exe"
2⤵
PID:580

C:\Users\Admin\AppData\Local\Temp\Files\SystemUpdate.exe
"C:\Users\Admin\AppData\Local\Temp\Files\SystemUpdate.exe"
2⤵
PID:1540

C:\Users\Admin\AppData\Local\Temp\Files\sc.exe
"C:\Users\Admin\AppData\Local\Temp\Files\sc.exe"
2⤵
- Launches sc.exe
PID:612

C:\Users\Admin\AppData\Local\Temp\Files\123p.exe
"C:\Users\Admin\AppData\Local\Temp\Files\123p.exe"
2⤵
PID:2868

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
3⤵
PID:872

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
3⤵
PID:1556

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
3⤵
PID:2460

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
3⤵
PID:2420

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "OBGPQMHF"
3⤵
- Launches sc.exe
PID:2124

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "OBGPQMHF" binpath= "C:\ProgramData\ndfbaljqaqzm\dckuybanmlgp.exe" start= "auto"
3⤵
- Launches sc.exe
PID:1712

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "OBGPQMHF"
3⤵
- Launches sc.exe
PID:2856

C:\Users\Admin\AppData\Local\Temp\Files\Ama2.exe
"C:\Users\Admin\AppData\Local\Temp\Files\Ama2.exe"
2⤵
PID:2112

C:\Users\Admin\AppData\Local\Temp\Files\ce0b953269c74bc.exe
"C:\Users\Admin\AppData\Local\Temp\Files\ce0b953269c74bc.exe"
2⤵
PID:292

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:4068

C:\Users\Admin\AppData\Local\Temp\Files\AppGate2103v01.exe
"C:\Users\Admin\AppData\Local\Temp\Files\AppGate2103v01.exe"
2⤵
PID:3140

C:\ProgramData\wikombernizc\reakuqnanrkn.exe
C:\ProgramData\wikombernizc\reakuqnanrkn.exe
1⤵
PID:764

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
2⤵
PID:2372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
2⤵
PID:824

C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
3⤵
PID:2308

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
2⤵
- Launches sc.exe
PID:2572

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
2⤵
- Launches sc.exe
PID:2656

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
2⤵
- Launches sc.exe
PID:1608

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
2⤵
- Launches sc.exe
PID:2672

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
2⤵
- Launches sc.exe
PID:2516

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
2⤵
PID:2100

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
2⤵
PID:2444

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
2⤵
PID:2892

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
2⤵
PID:2640

C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
2⤵
PID:2936

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
3⤵
PID:904

C:\ProgramData\wikombernizc\reakuqnanrkn.exe
"C:\ProgramData\wikombernizc\reakuqnanrkn.exe"
3⤵
PID:1604

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
4⤵
PID:1404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
4⤵
PID:320

C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
5⤵
PID:2672

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
4⤵
- Launches sc.exe
PID:1040

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
4⤵
- Launches sc.exe
PID:2052

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
4⤵
- Launches sc.exe
PID:1996

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
4⤵
- Launches sc.exe
PID:592

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
4⤵
- Launches sc.exe
PID:2364

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
4⤵
PID:2588

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
4⤵
PID:2904

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
4⤵
PID:2244

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
4⤵
PID:2140

C:\Windows\explorer.exe
explorer.exe
2⤵
PID:2560

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x508
1⤵
PID:2788

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Information Discovery

T1082

Remote System Discovery

T1018

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Service Stop

T1489

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Chrome\CNSWA.exe
Filesize
37.1MB

MD5
55056a354010e2d3efccfcc90d507b5b

SHA1
a8887594be566a5b8cbd9cb9b03fdc419d9de7cb

SHA256
263a4d5c1dd9ddaf2f466008c3e188448ff53bec48220e063d686a8b5ab27a5f

SHA512
83f494960608f8160778286439c38f9bdd39e0965e5d3e82b04858be871e6693f54d5af915a0ddb6c7cdc35f13f72aefb739b10f77aa8e8ef6f3b30b7606a650

Download Submit
C:\ProgramData\Microsoft\Diagnosis\Microsoft.ServiceHub.Anyns.exe
Filesize
45KB

MD5
310b982faa6a9c8473c6a6097a64317f

SHA1
abdc0ee76d9f21d318c04b12cbbb4453c18a4c57

SHA256
c21d1dd6391ae93398507c94f9b075dbe8baceed4903a78b3f6bebfa85cd155e

SHA512
e9434ff38d01f8983febbd7a4cafeaa4b2f11166adee44a4f6e10a9c25c265e0cefbe7c7a43dd38a3c77bdebdf662e98311184595e52419c03666658a0a4cb8c

Download Submit
C:\ProgramData\Microsoft\Diagnosis\Microsoft.ServiceHub.Control.exe
Filesize
3.1MB

MD5
7b9d9f41d274ddd8fac0544e188ade4a

SHA1
20050de536fbf27cdbfbdd0671af913e04106363

SHA256
50684cb3400e3cd4959c2ccd2dd900a157ef3163179adcf8da15ed5b7b41694b

SHA512
c102873fa15ffd776ab17b16cd39d6ac95c8412dc8c4a0c8c28e1579dd0d03f9fa4f4985d419a76cd4853c5769ea4e95a24c4c1a9c61c98b7508d97c13b345af

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
a4cb9cd87502f167adfcbae6bfe9833c

SHA1
1ac4605dab9950f0568c076ddf28efaeafebe2dc

SHA256
34e598c48bad44ae9e8f674660026c95295bab4cd141107739e415df900c45be

SHA512
46ae4dd2f28ff6ee6cf3da5dc6cadd46655639668648ee288eb11653c1086c012e8f984463c24dcd1cbaa04de8b6519c857eca7e44798a0e93db3fc04a89cded

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
29f3629b98dd0b666a0e08bb21416b92

SHA1
31632278bd5ae09ecf0c752f07a305fbf78beb4d

SHA256
11318f88ec93705f631a6b4495c88577fc4957dd956292d00e5c7d4bfa12e97b

SHA512
cb12fde90b3fac8213ae6a452b2f84798e81aceab55e71534558e3b0a6ba5468f309984133725609a3438b702145fc6bf2322a5fdbde444c0971eeffdecb7bbb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
f64dbd1b496dc1aef31dab55d93380df

SHA1
b497d6c63ea1a78c1827daf5e97fb7654547e456

SHA256
d905efe63d1e7420486038859e0ac6bacdbfd35c748620b167e3cb4db321357a

SHA512
7a28032b4b6548548820db6ed8978414449138affc436d265b02241736260fb4905b425593b9553d06c757a937fc0301757e061582a384eae648e7ada830a7ca

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
529b3d67030fffe821c28db5ffa96d78

SHA1
521f2c879990ff54fd81190885af9797d356b000

SHA256
9869e46469e6cc430070b88df90e820f7a351eb30124a6c8ef5defa3f55a40cc

SHA512
7ff41bb81bc6dfd5da818f8979de385f4ab466e112618ca19bb8571ffb1b9a9e08c62106c4e09f4358071ea52aae69ff199dbbd9d88b7809f9cf953eabc277f7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
9ecb0bac4b052ddad48a3bcc4993e0a3

SHA1
3d9e085fc10ba35c80490aaf48a8d946df325994

SHA256
f0333e82f2b0db312fec19b142732a311794c45e578912b4725b58af1e35bcd7

SHA512
e45a0e5ae14e90f5024261cbdbe53e46f102847d7386f12c8e8b634722c295871abf7056c9c9299e89a1a8dbe429687322c1178dbe411a1d7bef8ef68d8aeee9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
43e7789e129dc23da672686d42aa3920

SHA1
a2e434c39e2a873aa52d7edba5ca7e8cb3b545de

SHA256
9d3dcc2e157530de22897481374a5791eb27285fe38a431cd2e5073904527a4f

SHA512
956209e445db1c67d1828a9b75f4ed9c666a763b49a0b5905118831049ca41ae7ecdf38b2cb6913357a29ead6b49607d96d387548d3d430a0880f36200f73492

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
0affe2526986ff1506df0d30b301b8d4

SHA1
63e40cc3e39faac40536a6ffc5592a16033ea3fc

SHA256
26c088e93e2fc9661c55474ddbbad7d85cfd4cd06d5f0cb63c2ed4d34f347c2b

SHA512
e53c0de30db704124f93333ef5274a0b2372e82f6fe95fd62a3f2d3d9085a9c4f2d6b7cb60d9c73800eddd3826998ce019f377f517d29beaa680e40886d5f50a

Download Submit
C:\Users\Admin\AppData\Local\5Swb1qD2ThJM84u7lq9wIqMy.exe
Filesize
7KB

MD5
5b423612b36cde7f2745455c5dd82577

SHA1
0187c7c80743b44e9e0c193e993294e3b969cc3d

SHA256
e0840d2ea74a00dcc545d770b91d9d889e5a82c7bedf1b989e0a89db04685b09

SHA512
c26a1e7e96dbd178d961c630abd8e564ef69532f386fb198eb20119a88ecab2fe885d71ac0c90687c18910ce00c445f352a5e8fbf5328f3403964f7c7802414c

Download Submit
C:\Users\Admin\AppData\Local\Temp\AAFIJKKEHJ.exe
Filesize
106KB

MD5
fe380780b5c35bd6d54541791151c2be

SHA1
7fe3a583cf91474c733f85cebf3c857682e269e1

SHA256
b64a84d1f88e4e78464a1901c1cb5bbd5f00bb73203d719e64e072157a087b53

SHA512
ba05ba8aa13c4bc1cf98fbf6c08b021e8b19354098e0397fc8e1e5d3dcce367c1063203f24e50d0973193f6535681d0a43486e5dade5d112853b7a2fe8739b6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\123p.exe
Filesize
10.7MB

MD5
b091c4848287be6601d720997394d453

SHA1
9180e34175e1f4644d5fa63227d665b2be15c75b

SHA256
d0b06ca6ece3fef6671fa8acd3d560a9400891abcd10f5cedcfe7bd1e6050dfe

SHA512
a3b3663fd343389aee2cbf76f426401d436992b2b56cea3b60e9c2e385510fa874fa45b2ac75703074f0303934c4223eaee1983851374a2e753fd0302042cc5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\FirstZ.exe
Filesize
2.5MB

MD5
ffada57f998ed6a72b6ba2f072d2690a

SHA1
6857b5f0c40a1cdb0411eb34aa9fe5029bcdb84f

SHA256
677f393462e24fb6dba1a47b39e674f485450f91deee6076ccbad9fd5e05bd12

SHA512
1de77f83a89935bb3fc3772d5190c3827d76a998785d451e2c0d11a0061cfd28f1b96eccb41b012c76ddda2021e3333a0a647489ae3c6dac10cfb8302abdf33f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Max.exe
Filesize
5.1MB

MD5
db5417155182f4e3a9277c2652065256

SHA1
d6ebaa6ee5c323a562c3f1742731f0eb3e333f42

SHA256
0f1fe064d3d23499968b8f3e972e775bf81903a9b3e85422d156e36795c48ad3

SHA512
961b2108bfd1c8afa8c125cc7d94e122a2085b6d49151ea00b0a7def1d8c83edac3ae02ab562732aa1be5fef71cec5eca5d3cce19f7c7a9eaf134de405d69a15

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\RtkAudUKZ1.exe
Filesize
16KB

MD5
2644dec48ca3539cfc4a7b4dba0bd212

SHA1
d5fd9c4b6f865ba7dec0604bdd7b06f0f00023f8

SHA256
ea7efe5b685adb6324eea4717d5a9ef0c09c0222acc527d3bff2dc752d0cdcf9

SHA512
756a9acf67292a0cc2107188316e0ccf15c3ca8317e65fb5add57a525bb0fece07f5e0d9ef430a54ec21ae6b2a9242f7bd3926b1791dc3e704ae40f10b194ad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\boomlumma.exe
Filesize
351KB

MD5
059e591f9dda7d3ee0de23f64d791cb1

SHA1
55e1be730e1426d00354e994f3596764d40634a6

SHA256
9550addd57ac80afc9a177a5e7c9e961892d96593296bac79ec7a6ea65cc12d9

SHA512
c67663ee4b68cdee2d834b9ef8e29af6e39926c547efbe02568adb7eb5e37c6a933205592888b0716936635a9e6e60673f12599778a5196e5fdafcfb262af629

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\cayV0Deo9jSt417.exe
Filesize
958KB

MD5
aa3cdd5145d9fb980c061d2d8653fa8d

SHA1
de696701275b01ddad5461e269d7ab15b7466d6a

SHA256
41376827ba300374727d29048920ca2a2d9f20b929e964098181981581e47af2

SHA512
4be32b5e9eaffa8d3f4cce515717faa6259373e8dbd258b9ebc2534fd0b62aaa7043093204e43627983fe332f63d8f998a90dc1cbb74f54a18c55f67e42a8a32

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\fud.exe
Filesize
414KB

MD5
6e56b1e5660b59f0c44738f837adabe1

SHA1
41b7d0db71ac1bd1d673574f0cea0419ea4c4c2a

SHA256
b36d61f1da438fef617ecb289756a700e545ec7033e9fdffd929d79a9e2f37d7

SHA512
fac7fb348ad204330e6b4864a29495d2db575d3b39b442ba0c91d18bada1558ba6a3ab7670c5145556c30e65ceaed7ee000bf8f4e86dfddfe68642f89531c286

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\hghgfhjfhmain.exe
Filesize
3.1MB

MD5
caddfe2adb6d8c878a2a1001e7fd4fd7

SHA1
6d4b54d81a061efc4a1562d3adae524a22d158df

SHA256
5ac4db28729ef274c94e5a65ea6f2900be893f63d3b984a7ba27cc83a2c54e1b

SHA512
1aa011a1be34baa824468af55317c66cf78abc36883075cb3388a0631db512c97d05b0b9ab2a6ee9f93bfe3a276fd557eab07d5653a02b5eb67eb3f62870a405

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\hv.exe
Filesize
5.4MB

MD5
6a1db4f73db4ed058c8cd7e04dfa7cc3

SHA1
e3e074af4f3a6ed332eedf518b2d1f9a20314fd6

SHA256
0a5355f8e8a6665e7da928c50309b811b88f011d763d0ab5057a8b969992f5ec

SHA512
1ce79d2b5f58c9d1f6e68cb86a0d24fec883defd55115640b021816facd4bf3748da5a61b1e5da9f76f6b7a2b6c382b72261536bc28f48d0643a9f8aceb98fde

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\koooooo.exe
Filesize
379KB

MD5
90f41880d631e243cec086557cb74d63

SHA1
cb385e4172cc227ba72baf29ca1c4411fa99a26d

SHA256
23b62a27e3f5c424b16f31e5009af4f24c8bd13b1f035f87879e2a29236be7a0

SHA512
eeb85b34aa66a7e9a1b1807012999ee439433df23126a52ffa8d4b3cb2026be3bcf63ca25f143de58ba929c0d4feeaf2a603fd6ec6b5379fc48147c22f3783e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\ma.exe
Filesize
5.0MB

MD5
a3fb2b623f4490ae1979fea68cfe36d6

SHA1
34bec167e0f95ecc36761f77c93c1229c2c5d1f4

SHA256
3bc9c1d7f87f71c9e98fac63c2f10d2651f51848082a85d6b3550649e4289d56

SHA512
370b23364bcf8f07aa951c1c6a9d6b03b516db8fd7444d25087ad8071c54bb06fd50ce311a205e0770211167728d86516e934a39a606f0bf0c9fbdd13dca7912

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\native.exe
Filesize
5.3MB

MD5
de08b70c1b36bce2c90a34b9e5e61f09

SHA1
1628635f073c61ad744d406a16d46dfac871c9c2

SHA256
432747c04ab478a654328867d7ca806b52fedf1572c74712fa8b7c0edb71df67

SHA512
18a30e480ce7d122cfad5a99570042e3bef9e1f9feda1f7be32b273a7248274285c65ac997c90d3d6a950a37b4ea62e6b928bfefc924187c90e32ea571bfd1f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\niks.exe
Filesize
1.7MB

MD5
3f6a4819237be89e6871a3f02ebed508

SHA1
bfe8f70423e337d0c9f5db31d63a386f30afa3bf

SHA256
7d4b825f76a58f12e5b1f44cfa5396623fe5b4b26cd1000fd1c4d871e2303012

SHA512
a5b68c6fd95ac1bddbaa23f3cd50276a3ab6222050e76e2ab47c814f6cc666f789d7c9c6ffeace4d7867fa8e83b8d741467f56656dacee8145e68e7b8f7de9b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\svchost.exe
Filesize
7.1MB

MD5
45d20d471e6f3f8f088d489d62058f23

SHA1
d261d037781fb5e7124a40df3d2e32e4d694c2c4

SHA256
36fb77c427020d85e61482f25c7e8127221e1d48c358be97728068e6a487b711

SHA512
3e04852233147146e76684ebcc335e6281413796cf148d34234b86753a3f2b2afb2e58853d44873dc43f9578639ef55f35aab98aaee7dda718f6cfaeb4e4a02e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\tidex_-_short_stuff.exe
Filesize
14KB

MD5
674d01a41b61e42f0b7761712261e5dc

SHA1
4edd3b1ae2284db54b504258a9d8c54f1dc983c8

SHA256
3142397ba09a68329f93013aeee8ea89c84c01a4e6f337502d8f13f8da74660f

SHA512
065c8e2a1118a7d82a0c18396eaa836849f4ac856e9f7970141cd44c341eae1e00118deaf5bae25ab610788a9bf896496d349f971bd6ac0b135357f5d1d0e326

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3F0A.tmp
Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt
Filesize
2KB

MD5
ca0cd1b75712d27e9f38302b5d55d18f

SHA1
3b4cdb2b6aaf894ac4cc79b41f51397fd7168f7b

SHA256
d085a801ad4396c1f33db8c16cbd02493dec0fdd1500c7201577497db68fa03b

SHA512
21a9838065f4ac83ff47c1e05bec922319023d221d659e548a3bf6efa0b14b8c25e7e87ab2a917f6f43ce4b2f7cd289b89b0b9aada476bfd81606bb18b45cc1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\u28k.0.exe
Filesize
272KB

MD5
31765c43b9bf0da3a52bfeb68733655c

SHA1
c6ccc6b435e123ef62c4996a82019432cde58d4b

SHA256
06d92df4f5d05897df05e9a9b89986a7b4e534cec4d46e3219d79c90edb645b2

SHA512
0f4b867ff7680c2946f0c801b69157de9b2f5007030a1c17d15ac99d4acd1933e9515e48c9109206f4498f4c020ef89aca21c0de920609a77cef2c03d3258c92

Download Submit
C:\Users\Admin\AppData\Local\Temp\u28k.1.exe
Filesize
4.6MB

MD5
397926927bca55be4a77839b1c44de6e

SHA1
e10f3434ef3021c399dbba047832f02b3c898dbd

SHA256
4f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7

SHA512
cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954

Download Submit
C:\Users\Admin\AppData\Local\ynZnCybQCYZARS9HQ81mhRww.exe
Filesize
413KB

MD5
765e590bdf6597f282def847dd94d4bd

SHA1
1029898323e174062d9d0adb298bb0f6874675ae

SHA256
6d9a0fff1e5344852494b9eb3a12f4c8119d2009c16b7d762386217e6924e2fd

SHA512
bfde5fa68047b4fada753c110dd1830431467756d2881ad63a32fad9fdb29091fba35887935ac745036bcd88530fbcc2a0ad05b444ae5159c1c5e2c9bf9a4fa3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
b34d13a263e74cca31a4861b23abaf87

SHA1
d8525d74faa5a38f207d0a94e908dba008ba9b60

SHA256
5f62d4244288e9538b0f101aa94b5ba60a21e01a562f9b19fc12dd9a4ba692f9

SHA512
383c0b0c308e2910a54a246422b19abf964ec4adbd2b4062b5b00ad5701a132946546f136a7fa753c87da4a7239d4ae0b868fc5837adc7ffe1a9c84ae177e713

Download Submit
\Users\Admin\AppData\Local\Temp\Files\M5traider.exe
Filesize
4.6MB

MD5
1713300ba962c869477e37e4b31e40af

SHA1
d5c4835bc910acccd28dbed0c451043ea8de95ef

SHA256
2bcdb7a75707f841615be19f4bbcb95fc6b16ce19fb7ea782c5ff43ea1be024d

SHA512
70b2a2b17c6b3a0a295baf536451ef38c6e9e292a3c967a9fc950a6de321bbac0dc45e942ef151ba81b717f8ede3166388e68ce75f2afff0ec16aea98ea742e1

Download Submit
\Users\Admin\AppData\Local\Temp\Files\cp.exe
Filesize
1.8MB

MD5
97256cf11c9109c24fde65395fef1306

SHA1
e60278d8383912f03f25e3f92bf558e2a33f229d

SHA256
21c23083404349dbc8e7094338acaa07ea5a7e3a442bb81a528e06c175b8d934

SHA512
41e9c7911c1f461ec389ac9d430898bd9e21accf6b4291d30c4e743084bb19c2ae9279597f4a43cfaec621263cb135c3ada21e23e27cc7961c794fa499910c6e

Download Submit
\Users\Admin\AppData\Local\Temp\Files\dsdasda.exe
Filesize
484KB

MD5
5e88980bb982663f2d687fd72bacd880

SHA1
04ea23d8cc91ee71b13476b4b60eee4fe478e01c

SHA256
c61c9ed0fdbcc1a5be82feb4895fe1a553659738137d8ed319c9f63ad301e423

SHA512
06b744b1a238c76b90a1182315838ee22e240cbd33d7ba9fabca344abca6e52e20fdfcd965febc18d82d05ad478aff7a4720715d7ed124ead75d9b91afc8301d

Download Submit
memory/772-450-0x00000000001B0000-0x00000000001B8000-memory.dmp

Filesize
32KB

Download
memory/772-451-0x000007FEF5B40000-0x000007FEF652C000-memory.dmp

Filesize
9.9MB

Download
memory/884-552-0x0000000002C40000-0x0000000002CC0000-memory.dmp

Filesize
512KB

Download
memory/1160-616-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1160-621-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1532-504-0x0000000002CD0000-0x0000000002D50000-memory.dmp

Filesize
512KB

Download
memory/1532-503-0x000007FEEDB20000-0x000007FEEE4BD000-memory.dmp

Filesize
9.6MB

Download
memory/1532-505-0x000007FEEDB20000-0x000007FEEE4BD000-memory.dmp

Filesize
9.6MB

Download
memory/1532-509-0x0000000002CD0000-0x0000000002D50000-memory.dmp

Filesize
512KB

Download
memory/1532-510-0x0000000002CD0000-0x0000000002D50000-memory.dmp

Filesize
512KB

Download
memory/1640-427-0x0000000074980000-0x000000007506E000-memory.dmp

Filesize
6.9MB

Download
memory/1640-439-0x0000000000930000-0x0000000000970000-memory.dmp

Filesize
256KB

Download
memory/1640-428-0x0000000000FB0000-0x00000000016C0000-memory.dmp

Filesize
7.1MB

Download
memory/1816-513-0x000007FEEDB20000-0x000007FEEE4BD000-memory.dmp

Filesize
9.6MB

Download
memory/1816-517-0x0000000002E80000-0x0000000002F00000-memory.dmp

Filesize
512KB

Download
memory/1816-518-0x0000000002E80000-0x0000000002F00000-memory.dmp

Filesize
512KB

Download
memory/1816-514-0x0000000002E80000-0x0000000002F00000-memory.dmp

Filesize
512KB

Download
memory/1856-543-0x0000000002C80000-0x0000000002D00000-memory.dmp

Filesize
512KB

Download
memory/1856-537-0x0000000002C80000-0x0000000002D00000-memory.dmp

Filesize
512KB

Download
memory/1856-538-0x0000000002C80000-0x0000000002D00000-memory.dmp

Filesize
512KB

Download
memory/1872-520-0x0000000002820000-0x00000000028A0000-memory.dmp

Filesize
512KB

Download
memory/1872-519-0x000007FEEDB20000-0x000007FEEE4BD000-memory.dmp

Filesize
9.6MB

Download
memory/1872-531-0x0000000002820000-0x00000000028A0000-memory.dmp

Filesize
512KB

Download
memory/1872-523-0x0000000002820000-0x00000000028A0000-memory.dmp

Filesize
512KB

Download
memory/1884-615-0x00000000000F0000-0x000000000015C000-memory.dmp

Filesize
432KB

Download
memory/1900-508-0x0000000001FA0000-0x0000000002020000-memory.dmp

Filesize
512KB

Download
memory/1900-507-0x0000000001FA0000-0x0000000002020000-memory.dmp

Filesize
512KB

Download
memory/1900-486-0x000000001B4B0000-0x000000001B792000-memory.dmp

Filesize
2.9MB

Download
memory/1900-511-0x0000000001FA0000-0x0000000002020000-memory.dmp

Filesize
512KB

Download
memory/1900-506-0x000007FEEDB20000-0x000007FEEE4BD000-memory.dmp

Filesize
9.6MB

Download
memory/1900-488-0x0000000001F70000-0x0000000001F78000-memory.dmp

Filesize
32KB

Download
memory/2120-234-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2120-223-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2120-270-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2120-233-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2120-273-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2120-236-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2120-219-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2120-232-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2120-231-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2196-272-0x0000000004EF0000-0x0000000004F30000-memory.dmp

Filesize
256KB

Download
memory/2196-1-0x0000000074980000-0x000000007506E000-memory.dmp

Filesize
6.9MB

Download
memory/2196-0-0x0000000000370000-0x0000000000378000-memory.dmp

Filesize
32KB

Download
memory/2196-217-0x0000000074980000-0x000000007506E000-memory.dmp

Filesize
6.9MB

Download
memory/2196-2-0x0000000004EF0000-0x0000000004F30000-memory.dmp

Filesize
256KB

Download
memory/2400-544-0x0000000002D20000-0x0000000002DA0000-memory.dmp

Filesize
512KB

Download
memory/2400-532-0x0000000002D20000-0x0000000002DA0000-memory.dmp

Filesize
512KB

Download
memory/2400-521-0x000007FEEDB20000-0x000007FEEE4BD000-memory.dmp

Filesize
9.6MB

Download
memory/2400-522-0x0000000002D20000-0x0000000002DA0000-memory.dmp

Filesize
512KB

Download
memory/2400-533-0x0000000002D20000-0x0000000002DA0000-memory.dmp

Filesize
512KB

Download
memory/2432-551-0x0000000000ED0000-0x000000000143C000-memory.dmp

Filesize
5.4MB

Download
memory/2472-178-0x0000000074980000-0x000000007506E000-memory.dmp

Filesize
6.9MB

Download
memory/2472-179-0x0000000004740000-0x0000000004780000-memory.dmp

Filesize
256KB

Download
memory/2472-418-0x0000000074980000-0x000000007506E000-memory.dmp

Filesize
6.9MB

Download
memory/2472-180-0x0000000004740000-0x0000000004780000-memory.dmp

Filesize
256KB

Download
memory/2472-181-0x0000000004780000-0x00000000047E4000-memory.dmp

Filesize
400KB

Download
memory/2472-177-0x00000000046D0000-0x0000000004736000-memory.dmp

Filesize
408KB

Download
memory/2516-955-0x0000000005130000-0x00000000055DB000-memory.dmp

Filesize
4.7MB

Download
memory/2516-952-0x0000000005130000-0x00000000055DB000-memory.dmp

Filesize
4.7MB

Download
memory/2560-789-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2560-778-0x00000000001F0000-0x0000000000210000-memory.dmp

Filesize
128KB

Download
memory/2560-786-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2560-788-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2560-787-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2560-770-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2560-772-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2560-830-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2560-777-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2560-775-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2560-774-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2560-771-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2560-769-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2560-790-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2560-834-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2592-205-0x0000000000D60000-0x0000000000DE0000-memory.dmp

Filesize
512KB

Download
memory/2592-438-0x000007FEF5B40000-0x000007FEF652C000-memory.dmp

Filesize
9.9MB

Download
memory/2592-449-0x0000000000D60000-0x0000000000DE0000-memory.dmp

Filesize
512KB

Download
memory/2592-204-0x000007FEF5B40000-0x000007FEF652C000-memory.dmp

Filesize
9.9MB

Download
memory/2592-203-0x00000000013A0000-0x00000000016C4000-memory.dmp

Filesize
3.1MB

Download
memory/2616-751-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2616-753-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2616-748-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2616-744-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2616-740-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2616-729-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2616-728-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2616-727-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2784-417-0x0000000074980000-0x000000007506E000-memory.dmp

Filesize
6.9MB

Download
memory/2784-416-0x0000000000F90000-0x000000000142E000-memory.dmp

Filesize
4.6MB

Download
memory/2784-512-0x0000000074980000-0x000000007506E000-memory.dmp

Filesize
6.9MB

Download
memory/2784-419-0x0000000000BD0000-0x0000000000C10000-memory.dmp

Filesize
256KB

Download
memory/2892-214-0x0000000074980000-0x000000007506E000-memory.dmp

Filesize
6.9MB

Download
memory/2892-271-0x0000000074980000-0x000000007506E000-memory.dmp

Filesize
6.9MB

Download
memory/2892-220-0x00000000022F0000-0x00000000042F0000-memory.dmp

Filesize
32.0MB

Download
memory/2892-213-0x00000000009C0000-0x0000000000A1E000-memory.dmp

Filesize
376KB

Download
memory/2936-764-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2936-761-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2936-762-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2936-763-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2936-765-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2936-767-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2944-524-0x000007FEEDB20000-0x000007FEEE4BD000-memory.dmp

Filesize
9.6MB

Download
memory/2944-534-0x0000000002BF0000-0x0000000002C70000-memory.dmp

Filesize
512KB

Download
memory/2944-536-0x0000000002BF0000-0x0000000002C70000-memory.dmp

Filesize
512KB

Download
memory/2944-572-0x0000000002BF0000-0x0000000002C70000-memory.dmp

Filesize
512KB

Download
memory/2944-525-0x0000000002BF0000-0x0000000002C70000-memory.dmp

Filesize
512KB

Download
memory/2968-725-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/2968-709-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/2968-711-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/2968-717-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/2968-718-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/2968-719-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2968-721-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/2968-723-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download