bitrat | 8c05da461e90984671ffd87f0e4e28e057cca4d32a0569764dcdcce2d545fac2

Resubmissions

17-04-2024 14:54

240417-r96wzada86 10

17-04-2024 14:54

17-04-2024 14:54

17-04-2024 14:54

17-04-2024 14:54

15-04-2024 13:19

10-04-2024 12:02

10-04-2024 12:02

Analysis

max time kernel
1811s
max time network
1819s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
10-04-2024 12:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

75bff99becc32bcbe56efbe7a75f4d45.exe
Size

7.0MB
MD5

75bff99becc32bcbe56efbe7a75f4d45
SHA1

81bfcc77809161a5254a27d3d4d30548c96fcd5b
SHA256

8c05da461e90984671ffd87f0e4e28e057cca4d32a0569764dcdcce2d545fac2
SHA512

940af628585713a16e685eb5251c0b954bc014460cd4ca33226df2ef260f32af56223eaf1c341862fdf1669c6bafb6e7d9c5efbeb5e437ce5e2fd9905beece69
SSDEEP

49152:uW/1GYdVTXN3r3+LXDIDAKpvuh3jwLN6/VNUKIdI9OiKuDbD2yvAkdm5wrgWX+5z:hXkZL/p

Score

10^/10

bitrat zgrat persistence rat trojan upx

Malware Config

Extracted

Family

bitrat

Version

1.38

obqdy2u226qjiavs42z4z6zgcf6tefsoxaqzjvohmoy7kafdwgqgjkqd.onion:80

Attributes

communication_password
d93b4f1ee6f5b875a4f7fcef966bd09a
tor_process
WinSock

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat

Detect ZGRat V1 34 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3028-5-0x00000000003D0000-0x0000000000452000-memory.dmp	family_zgrat_v1
behavioral1/memory/3028-6-0x00000000003D0000-0x000000000044C000-memory.dmp	family_zgrat_v1
behavioral1/memory/3028-9-0x00000000003D0000-0x000000000044C000-memory.dmp	family_zgrat_v1
behavioral1/memory/3028-11-0x00000000003D0000-0x000000000044C000-memory.dmp	family_zgrat_v1
behavioral1/memory/3028-7-0x00000000003D0000-0x000000000044C000-memory.dmp	family_zgrat_v1
behavioral1/memory/3028-13-0x00000000003D0000-0x000000000044C000-memory.dmp	family_zgrat_v1
behavioral1/memory/3028-15-0x00000000003D0000-0x000000000044C000-memory.dmp	family_zgrat_v1
behavioral1/memory/3028-17-0x00000000003D0000-0x000000000044C000-memory.dmp	family_zgrat_v1
behavioral1/memory/3028-19-0x00000000003D0000-0x000000000044C000-memory.dmp	family_zgrat_v1
behavioral1/memory/3028-21-0x00000000003D0000-0x000000000044C000-memory.dmp	family_zgrat_v1
behavioral1/memory/3028-23-0x00000000003D0000-0x000000000044C000-memory.dmp	family_zgrat_v1
behavioral1/memory/3028-27-0x00000000003D0000-0x000000000044C000-memory.dmp	family_zgrat_v1
behavioral1/memory/3028-25-0x00000000003D0000-0x000000000044C000-memory.dmp	family_zgrat_v1
behavioral1/memory/3028-29-0x00000000003D0000-0x000000000044C000-memory.dmp	family_zgrat_v1
behavioral1/memory/3028-31-0x00000000003D0000-0x000000000044C000-memory.dmp	family_zgrat_v1
behavioral1/memory/3028-33-0x00000000003D0000-0x000000000044C000-memory.dmp	family_zgrat_v1
behavioral1/memory/3028-35-0x00000000003D0000-0x000000000044C000-memory.dmp	family_zgrat_v1
behavioral1/memory/3028-37-0x00000000003D0000-0x000000000044C000-memory.dmp	family_zgrat_v1
behavioral1/memory/3028-39-0x00000000003D0000-0x000000000044C000-memory.dmp	family_zgrat_v1
behavioral1/memory/3028-41-0x00000000003D0000-0x000000000044C000-memory.dmp	family_zgrat_v1
behavioral1/memory/3028-43-0x00000000003D0000-0x000000000044C000-memory.dmp	family_zgrat_v1
behavioral1/memory/3028-45-0x00000000003D0000-0x000000000044C000-memory.dmp	family_zgrat_v1
behavioral1/memory/3028-47-0x00000000003D0000-0x000000000044C000-memory.dmp	family_zgrat_v1
behavioral1/memory/3028-49-0x00000000003D0000-0x000000000044C000-memory.dmp	family_zgrat_v1
behavioral1/memory/3028-51-0x00000000003D0000-0x000000000044C000-memory.dmp	family_zgrat_v1
behavioral1/memory/3028-53-0x00000000003D0000-0x000000000044C000-memory.dmp	family_zgrat_v1
behavioral1/memory/3028-55-0x00000000003D0000-0x000000000044C000-memory.dmp	family_zgrat_v1
behavioral1/memory/3028-57-0x00000000003D0000-0x000000000044C000-memory.dmp	family_zgrat_v1
behavioral1/memory/3028-59-0x00000000003D0000-0x000000000044C000-memory.dmp	family_zgrat_v1
behavioral1/memory/3028-61-0x00000000003D0000-0x000000000044C000-memory.dmp	family_zgrat_v1
behavioral1/memory/3028-63-0x00000000003D0000-0x000000000044C000-memory.dmp	family_zgrat_v1
behavioral1/memory/3028-65-0x00000000003D0000-0x000000000044C000-memory.dmp	family_zgrat_v1
behavioral1/memory/3028-67-0x00000000003D0000-0x000000000044C000-memory.dmp	family_zgrat_v1
behavioral1/memory/3028-69-0x00000000003D0000-0x000000000044C000-memory.dmp	family_zgrat_v1

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

75bff99becc32bcbe56efbe7a75f4d45.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\","	75bff99becc32bcbe56efbe7a75f4d45.exe

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

ACProtect 1.3x - 1.4x DLL software 7 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\d4f7be4f\tor\libcrypto-1_1.dll	acprotect
C:\Users\Admin\AppData\Local\d4f7be4f\tor\libssp-0.dll	acprotect
C:\Users\Admin\AppData\Local\d4f7be4f\tor\libevent-2-1-6.dll	acprotect
C:\Users\Admin\AppData\Local\d4f7be4f\tor\libgcc_s_sjlj-1.dll	acprotect
C:\Users\Admin\AppData\Local\d4f7be4f\tor\libwinpthread-1.dll	acprotect
C:\Users\Admin\AppData\Local\d4f7be4f\tor\libssl-1_1.dll	acprotect
C:\Users\Admin\AppData\Local\d4f7be4f\tor\zlib1.dll	acprotect

Executes dropped EXE 64 IoCs

Processes:

WinSock.exeWinSock.exeWinSock.exeWinSock.exeWinSock.exeWinSock.exeWinSock.exeWinSock.exeWinSock.exeWinSock.exeWinSock.exeWinSock.exeWinSock.exeWinSock.exeWinSock.exeWinSock.exeWinSock.exeWinSock.exeWinSock.exeWinSock.exeWinSock.exeWinSock.exeWinSock.exeWinSock.exeWinSock.exeWinSock.exeWinSock.exeWinSock.exeWinSock.exeWinSock.exeWinSock.exeWinSock.exeWinSock.exeWinSock.exeWinSock.exeWinSock.exeWinSock.exeWinSock.exeWinSock.exeWinSock.exeWinSock.exeWinSock.exeWinSock.exeWinSock.exeWinSock.exeWinSock.exeWinSock.exeWinSock.exeWinSock.exeWinSock.exeWinSock.exeWinSock.exeWinSock.exeWinSock.exeWinSock.exeWinSock.exeWinSock.exeWinSock.exeWinSock.exeWinSock.exeWinSock.exeWinSock.exeWinSock.exeWinSock.exe

pid	process
304	WinSock.exe
2228	WinSock.exe
1600	WinSock.exe
2812	WinSock.exe
936	WinSock.exe
1700	WinSock.exe
2444	WinSock.exe
564	WinSock.exe
1092	WinSock.exe
1404	WinSock.exe
2352	WinSock.exe
1884	WinSock.exe
2292	WinSock.exe
2988	WinSock.exe
1820	WinSock.exe
1564	WinSock.exe
1168	WinSock.exe
2440	WinSock.exe
1692	WinSock.exe
3020	WinSock.exe
2344	WinSock.exe
2824	WinSock.exe
2728	WinSock.exe
2564	WinSock.exe
1212	WinSock.exe
3044	WinSock.exe
1404	WinSock.exe
572	WinSock.exe
1136	WinSock.exe
1892	WinSock.exe
2744	WinSock.exe
2880	WinSock.exe
2648	WinSock.exe
2860	WinSock.exe
672	WinSock.exe
1892	WinSock.exe
2604	WinSock.exe
1944	WinSock.exe
2760	WinSock.exe
2528	WinSock.exe
1576	WinSock.exe
1720	WinSock.exe
1184	WinSock.exe
2456	WinSock.exe
824	WinSock.exe
2736	WinSock.exe
2536	WinSock.exe
2688	WinSock.exe
2840	WinSock.exe
684	WinSock.exe
2328	WinSock.exe
2684	WinSock.exe
2680	WinSock.exe
2516	WinSock.exe
1476	WinSock.exe
2840	WinSock.exe
2104	WinSock.exe
2652	WinSock.exe
608	WinSock.exe
2644	WinSock.exe
2292	WinSock.exe
2412	WinSock.exe
1896	WinSock.exe
1644	WinSock.exe

Loads dropped DLL 64 IoCs

Processes:

75bff99becc32bcbe56efbe7a75f4d45.exeWinSock.exeWinSock.exeWinSock.exeWinSock.exeWinSock.exeWinSock.exeWinSock.exeWinSock.exe

pid	process
1760	75bff99becc32bcbe56efbe7a75f4d45.exe
1760	75bff99becc32bcbe56efbe7a75f4d45.exe
304	WinSock.exe
304	WinSock.exe
304	WinSock.exe
304	WinSock.exe
304	WinSock.exe
304	WinSock.exe
304	WinSock.exe
1760	75bff99becc32bcbe56efbe7a75f4d45.exe
2228	WinSock.exe
2228	WinSock.exe
2228	WinSock.exe
2228	WinSock.exe
2228	WinSock.exe
2228	WinSock.exe
2228	WinSock.exe
1760	75bff99becc32bcbe56efbe7a75f4d45.exe
1600	WinSock.exe
1600	WinSock.exe
1600	WinSock.exe
1600	WinSock.exe
1600	WinSock.exe
1600	WinSock.exe
1600	WinSock.exe
1760	75bff99becc32bcbe56efbe7a75f4d45.exe
2812	WinSock.exe
2812	WinSock.exe
2812	WinSock.exe
2812	WinSock.exe
2812	WinSock.exe
2812	WinSock.exe
2812	WinSock.exe
1760	75bff99becc32bcbe56efbe7a75f4d45.exe
936	WinSock.exe
936	WinSock.exe
936	WinSock.exe
936	WinSock.exe
936	WinSock.exe
936	WinSock.exe
936	WinSock.exe
1760	75bff99becc32bcbe56efbe7a75f4d45.exe
1700	WinSock.exe
1700	WinSock.exe
1700	WinSock.exe
1700	WinSock.exe
1700	WinSock.exe
1700	WinSock.exe
1700	WinSock.exe
1760	75bff99becc32bcbe56efbe7a75f4d45.exe
2444	WinSock.exe
2444	WinSock.exe
2444	WinSock.exe
2444	WinSock.exe
2444	WinSock.exe
2444	WinSock.exe
2444	WinSock.exe
1760	75bff99becc32bcbe56efbe7a75f4d45.exe
564	WinSock.exe
564	WinSock.exe
564	WinSock.exe
564	WinSock.exe
564	WinSock.exe
564	WinSock.exe

UPX packed file 59 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe	upx
C:\Users\Admin\AppData\Local\d4f7be4f\tor\libcrypto-1_1.dll	upx
behavioral1/memory/1760-2472-0x0000000004820000-0x0000000004C24000-memory.dmp	upx
behavioral1/memory/304-2473-0x0000000000E90000-0x0000000001294000-memory.dmp	upx
behavioral1/memory/304-2477-0x0000000074680000-0x000000007494F000-memory.dmp	upx
C:\Users\Admin\AppData\Local\d4f7be4f\tor\libssp-0.dll	upx
C:\Users\Admin\AppData\Local\d4f7be4f\tor\libevent-2-1-6.dll	upx
behavioral1/memory/304-2480-0x0000000074630000-0x0000000074679000-memory.dmp	upx
behavioral1/memory/304-2483-0x0000000074560000-0x0000000074628000-memory.dmp	upx
C:\Users\Admin\AppData\Local\d4f7be4f\tor\libgcc_s_sjlj-1.dll	upx
behavioral1/memory/304-2486-0x0000000074450000-0x000000007455A000-memory.dmp	upx
C:\Users\Admin\AppData\Local\d4f7be4f\tor\libwinpthread-1.dll	upx
behavioral1/memory/304-2489-0x00000000743C0000-0x0000000074448000-memory.dmp	upx
C:\Users\Admin\AppData\Local\d4f7be4f\tor\libssl-1_1.dll	upx
behavioral1/memory/304-2492-0x00000000742F0000-0x00000000743BE000-memory.dmp	upx
C:\Users\Admin\AppData\Local\d4f7be4f\tor\zlib1.dll	upx
behavioral1/memory/304-2495-0x0000000075090000-0x00000000750B4000-memory.dmp	upx
behavioral1/memory/304-2506-0x0000000000E90000-0x0000000001294000-memory.dmp	upx
behavioral1/memory/304-2516-0x0000000074680000-0x000000007494F000-memory.dmp	upx
behavioral1/memory/304-2517-0x0000000074630000-0x0000000074679000-memory.dmp	upx
behavioral1/memory/304-2518-0x0000000074560000-0x0000000074628000-memory.dmp	upx
behavioral1/memory/304-2519-0x0000000074450000-0x000000007455A000-memory.dmp	upx
behavioral1/memory/304-2528-0x00000000743C0000-0x0000000074448000-memory.dmp	upx
behavioral1/memory/304-2529-0x00000000742F0000-0x00000000743BE000-memory.dmp	upx
behavioral1/memory/1760-2564-0x0000000005730000-0x0000000005B34000-memory.dmp	upx
behavioral1/memory/2228-2565-0x0000000000E90000-0x0000000001294000-memory.dmp	upx
behavioral1/memory/2228-2567-0x0000000074680000-0x000000007494F000-memory.dmp	upx
behavioral1/memory/2228-2568-0x0000000074630000-0x0000000074679000-memory.dmp	upx
behavioral1/memory/2228-2569-0x0000000074560000-0x0000000074628000-memory.dmp	upx
behavioral1/memory/2228-2571-0x00000000743C0000-0x0000000074448000-memory.dmp	upx
behavioral1/memory/2228-2572-0x00000000742F0000-0x00000000743BE000-memory.dmp	upx
behavioral1/memory/2228-2573-0x0000000075090000-0x00000000750B4000-memory.dmp	upx
behavioral1/memory/2228-2570-0x0000000074450000-0x000000007455A000-memory.dmp	upx
behavioral1/memory/2228-2586-0x0000000000E90000-0x0000000001294000-memory.dmp	upx
behavioral1/memory/2228-2588-0x0000000074630000-0x0000000074679000-memory.dmp	upx
behavioral1/memory/2228-2589-0x0000000074560000-0x0000000074628000-memory.dmp	upx
behavioral1/memory/2228-2590-0x0000000074450000-0x000000007455A000-memory.dmp	upx
behavioral1/memory/2228-2591-0x00000000743C0000-0x0000000074448000-memory.dmp	upx
behavioral1/memory/2228-2592-0x00000000742F0000-0x00000000743BE000-memory.dmp	upx
behavioral1/memory/2228-2593-0x0000000075090000-0x00000000750B4000-memory.dmp	upx
behavioral1/memory/2228-2587-0x0000000074680000-0x000000007494F000-memory.dmp	upx
behavioral1/memory/1600-2610-0x0000000000E90000-0x0000000001294000-memory.dmp	upx
behavioral1/memory/1600-2611-0x0000000074900000-0x0000000074949000-memory.dmp	upx
behavioral1/memory/1600-2612-0x0000000074830000-0x00000000748F8000-memory.dmp	upx
behavioral1/memory/1600-2615-0x0000000074720000-0x000000007482A000-memory.dmp	upx
behavioral1/memory/1600-2616-0x0000000074690000-0x0000000074718000-memory.dmp	upx
behavioral1/memory/1600-2617-0x00000000742E0000-0x00000000743AE000-memory.dmp	upx
behavioral1/memory/1600-2619-0x00000000743B0000-0x000000007467F000-memory.dmp	upx
behavioral1/memory/1600-2618-0x00000000742B0000-0x00000000742D4000-memory.dmp	upx
behavioral1/memory/1760-2639-0x0000000005730000-0x0000000005B34000-memory.dmp	upx
behavioral1/memory/1600-2640-0x0000000000E90000-0x0000000001294000-memory.dmp	upx
behavioral1/memory/1600-2641-0x0000000074830000-0x00000000748F8000-memory.dmp	upx
behavioral1/memory/1760-2681-0x0000000005730000-0x0000000005B34000-memory.dmp	upx
behavioral1/memory/2812-2683-0x0000000000E90000-0x0000000001294000-memory.dmp	upx
behavioral1/memory/2812-2685-0x00000000743B0000-0x000000007467F000-memory.dmp	upx
behavioral1/memory/2812-2686-0x0000000074900000-0x0000000074949000-memory.dmp	upx
behavioral1/memory/2812-2687-0x0000000074830000-0x00000000748F8000-memory.dmp	upx
behavioral1/memory/2812-2689-0x0000000074690000-0x0000000074718000-memory.dmp	upx
behavioral1/memory/2812-2688-0x0000000074720000-0x000000007482A000-memory.dmp	upx

Unexpected DNS network traffic destination 1 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description ioc

Destination IP 87.236.195.203

description	ioc
Destination IP	87.236.195.203

Looks up external IP address via web service 33 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
126	myexternalip.com
196	myexternalip.com
271	myexternalip.com
279	myexternalip.com
303	myexternalip.com
39	myexternalip.com
329	myexternalip.com
360	myexternalip.com
212	myexternalip.com
78	myexternalip.com
134	myexternalip.com
188	myexternalip.com
248	myexternalip.com
63	myexternalip.com
150	myexternalip.com
233	myexternalip.com
311	myexternalip.com
142	myexternalip.com
263	myexternalip.com
321	myexternalip.com
352	myexternalip.com
295	myexternalip.com
336	myexternalip.com
344	myexternalip.com
40	myexternalip.com
118	myexternalip.com
176	myexternalip.com
256	myexternalip.com
287	myexternalip.com
55	myexternalip.com
71	myexternalip.com
92	myexternalip.com
204	myexternalip.com

Suspicious use of NtSetInformationThreadHideFromDebugger 36 IoCs

Processes:

75bff99becc32bcbe56efbe7a75f4d45.exe

pid	process
1760	75bff99becc32bcbe56efbe7a75f4d45.exe
1760	75bff99becc32bcbe56efbe7a75f4d45.exe
1760	75bff99becc32bcbe56efbe7a75f4d45.exe
1760	75bff99becc32bcbe56efbe7a75f4d45.exe
1760	75bff99becc32bcbe56efbe7a75f4d45.exe
1760	75bff99becc32bcbe56efbe7a75f4d45.exe
1760	75bff99becc32bcbe56efbe7a75f4d45.exe
1760	75bff99becc32bcbe56efbe7a75f4d45.exe
1760	75bff99becc32bcbe56efbe7a75f4d45.exe
1760	75bff99becc32bcbe56efbe7a75f4d45.exe
1760	75bff99becc32bcbe56efbe7a75f4d45.exe
1760	75bff99becc32bcbe56efbe7a75f4d45.exe
1760	75bff99becc32bcbe56efbe7a75f4d45.exe
1760	75bff99becc32bcbe56efbe7a75f4d45.exe
1760	75bff99becc32bcbe56efbe7a75f4d45.exe
1760	75bff99becc32bcbe56efbe7a75f4d45.exe
1760	75bff99becc32bcbe56efbe7a75f4d45.exe
1760	75bff99becc32bcbe56efbe7a75f4d45.exe
1760	75bff99becc32bcbe56efbe7a75f4d45.exe
1760	75bff99becc32bcbe56efbe7a75f4d45.exe
1760	75bff99becc32bcbe56efbe7a75f4d45.exe
1760	75bff99becc32bcbe56efbe7a75f4d45.exe
1760	75bff99becc32bcbe56efbe7a75f4d45.exe
1760	75bff99becc32bcbe56efbe7a75f4d45.exe
1760	75bff99becc32bcbe56efbe7a75f4d45.exe
1760	75bff99becc32bcbe56efbe7a75f4d45.exe
1760	75bff99becc32bcbe56efbe7a75f4d45.exe
1760	75bff99becc32bcbe56efbe7a75f4d45.exe
1760	75bff99becc32bcbe56efbe7a75f4d45.exe
1760	75bff99becc32bcbe56efbe7a75f4d45.exe
1760	75bff99becc32bcbe56efbe7a75f4d45.exe
1760	75bff99becc32bcbe56efbe7a75f4d45.exe
1760	75bff99becc32bcbe56efbe7a75f4d45.exe
1760	75bff99becc32bcbe56efbe7a75f4d45.exe
1760	75bff99becc32bcbe56efbe7a75f4d45.exe
1760	75bff99becc32bcbe56efbe7a75f4d45.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

75bff99becc32bcbe56efbe7a75f4d45.exe

description pid process target process

PID 3028 set thread context of 1760 3028 75bff99becc32bcbe56efbe7a75f4d45.exe 75bff99becc32bcbe56efbe7a75f4d45.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	pid	process	target process
PID 3028 set thread context of 1760	3028	75bff99becc32bcbe56efbe7a75f4d45.exe	75bff99becc32bcbe56efbe7a75f4d45.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

75bff99becc32bcbe56efbe7a75f4d45.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	75bff99becc32bcbe56efbe7a75f4d45.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	75bff99becc32bcbe56efbe7a75f4d45.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

75bff99becc32bcbe56efbe7a75f4d45.exe

pid process

3028 75bff99becc32bcbe56efbe7a75f4d45.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

75bff99becc32bcbe56efbe7a75f4d45.exe

pid process

1760 75bff99becc32bcbe56efbe7a75f4d45.exe

pid	process
3028	75bff99becc32bcbe56efbe7a75f4d45.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

75bff99becc32bcbe56efbe7a75f4d45.exe75bff99becc32bcbe56efbe7a75f4d45.exe

description	pid	process
Token: SeDebugPrivilege	3028	75bff99becc32bcbe56efbe7a75f4d45.exe
Token: SeDebugPrivilege	1760	75bff99becc32bcbe56efbe7a75f4d45.exe
Token: SeShutdownPrivilege	1760	75bff99becc32bcbe56efbe7a75f4d45.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

75bff99becc32bcbe56efbe7a75f4d45.exe

pid process

1760 75bff99becc32bcbe56efbe7a75f4d45.exe
1760 75bff99becc32bcbe56efbe7a75f4d45.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

75bff99becc32bcbe56efbe7a75f4d45.exe75bff99becc32bcbe56efbe7a75f4d45.exe

description	pid	process	target process
PID 3028 wrote to memory of 1760	3028	75bff99becc32bcbe56efbe7a75f4d45.exe	75bff99becc32bcbe56efbe7a75f4d45.exe
PID 3028 wrote to memory of 1760	3028	75bff99becc32bcbe56efbe7a75f4d45.exe	75bff99becc32bcbe56efbe7a75f4d45.exe
PID 3028 wrote to memory of 1760	3028	75bff99becc32bcbe56efbe7a75f4d45.exe	75bff99becc32bcbe56efbe7a75f4d45.exe
PID 3028 wrote to memory of 1760	3028	75bff99becc32bcbe56efbe7a75f4d45.exe	75bff99becc32bcbe56efbe7a75f4d45.exe
PID 3028 wrote to memory of 1760	3028	75bff99becc32bcbe56efbe7a75f4d45.exe	75bff99becc32bcbe56efbe7a75f4d45.exe
PID 3028 wrote to memory of 1760	3028	75bff99becc32bcbe56efbe7a75f4d45.exe	75bff99becc32bcbe56efbe7a75f4d45.exe
PID 3028 wrote to memory of 1760	3028	75bff99becc32bcbe56efbe7a75f4d45.exe	75bff99becc32bcbe56efbe7a75f4d45.exe
PID 3028 wrote to memory of 1760	3028	75bff99becc32bcbe56efbe7a75f4d45.exe	75bff99becc32bcbe56efbe7a75f4d45.exe
PID 3028 wrote to memory of 1760	3028	75bff99becc32bcbe56efbe7a75f4d45.exe	75bff99becc32bcbe56efbe7a75f4d45.exe
PID 3028 wrote to memory of 1760	3028	75bff99becc32bcbe56efbe7a75f4d45.exe	75bff99becc32bcbe56efbe7a75f4d45.exe
PID 3028 wrote to memory of 1760	3028	75bff99becc32bcbe56efbe7a75f4d45.exe	75bff99becc32bcbe56efbe7a75f4d45.exe
PID 3028 wrote to memory of 1760	3028	75bff99becc32bcbe56efbe7a75f4d45.exe	75bff99becc32bcbe56efbe7a75f4d45.exe
PID 3028 wrote to memory of 1760	3028	75bff99becc32bcbe56efbe7a75f4d45.exe	75bff99becc32bcbe56efbe7a75f4d45.exe
PID 1760 wrote to memory of 304	1760	75bff99becc32bcbe56efbe7a75f4d45.exe	WinSock.exe
PID 1760 wrote to memory of 304	1760	75bff99becc32bcbe56efbe7a75f4d45.exe	WinSock.exe
PID 1760 wrote to memory of 304	1760	75bff99becc32bcbe56efbe7a75f4d45.exe	WinSock.exe
PID 1760 wrote to memory of 304	1760	75bff99becc32bcbe56efbe7a75f4d45.exe	WinSock.exe
PID 1760 wrote to memory of 2228	1760	75bff99becc32bcbe56efbe7a75f4d45.exe	WinSock.exe
PID 1760 wrote to memory of 2228	1760	75bff99becc32bcbe56efbe7a75f4d45.exe	WinSock.exe
PID 1760 wrote to memory of 2228	1760	75bff99becc32bcbe56efbe7a75f4d45.exe	WinSock.exe
PID 1760 wrote to memory of 2228	1760	75bff99becc32bcbe56efbe7a75f4d45.exe	WinSock.exe
PID 1760 wrote to memory of 1600	1760	75bff99becc32bcbe56efbe7a75f4d45.exe	WinSock.exe
PID 1760 wrote to memory of 1600	1760	75bff99becc32bcbe56efbe7a75f4d45.exe	WinSock.exe
PID 1760 wrote to memory of 1600	1760	75bff99becc32bcbe56efbe7a75f4d45.exe	WinSock.exe
PID 1760 wrote to memory of 1600	1760	75bff99becc32bcbe56efbe7a75f4d45.exe	WinSock.exe
PID 1760 wrote to memory of 2812	1760	75bff99becc32bcbe56efbe7a75f4d45.exe	WinSock.exe
PID 1760 wrote to memory of 2812	1760	75bff99becc32bcbe56efbe7a75f4d45.exe	WinSock.exe
PID 1760 wrote to memory of 2812	1760	75bff99becc32bcbe56efbe7a75f4d45.exe	WinSock.exe
PID 1760 wrote to memory of 2812	1760	75bff99becc32bcbe56efbe7a75f4d45.exe	WinSock.exe
PID 1760 wrote to memory of 936	1760	75bff99becc32bcbe56efbe7a75f4d45.exe	WinSock.exe
PID 1760 wrote to memory of 936	1760	75bff99becc32bcbe56efbe7a75f4d45.exe	WinSock.exe
PID 1760 wrote to memory of 936	1760	75bff99becc32bcbe56efbe7a75f4d45.exe	WinSock.exe
PID 1760 wrote to memory of 936	1760	75bff99becc32bcbe56efbe7a75f4d45.exe	WinSock.exe
PID 1760 wrote to memory of 1700	1760	75bff99becc32bcbe56efbe7a75f4d45.exe	WinSock.exe
PID 1760 wrote to memory of 1700	1760	75bff99becc32bcbe56efbe7a75f4d45.exe	WinSock.exe
PID 1760 wrote to memory of 1700	1760	75bff99becc32bcbe56efbe7a75f4d45.exe	WinSock.exe
PID 1760 wrote to memory of 1700	1760	75bff99becc32bcbe56efbe7a75f4d45.exe	WinSock.exe
PID 1760 wrote to memory of 2444	1760	75bff99becc32bcbe56efbe7a75f4d45.exe	WinSock.exe
PID 1760 wrote to memory of 2444	1760	75bff99becc32bcbe56efbe7a75f4d45.exe	WinSock.exe
PID 1760 wrote to memory of 2444	1760	75bff99becc32bcbe56efbe7a75f4d45.exe	WinSock.exe
PID 1760 wrote to memory of 2444	1760	75bff99becc32bcbe56efbe7a75f4d45.exe	WinSock.exe
PID 1760 wrote to memory of 564	1760	75bff99becc32bcbe56efbe7a75f4d45.exe	WinSock.exe
PID 1760 wrote to memory of 564	1760	75bff99becc32bcbe56efbe7a75f4d45.exe	WinSock.exe
PID 1760 wrote to memory of 564	1760	75bff99becc32bcbe56efbe7a75f4d45.exe	WinSock.exe
PID 1760 wrote to memory of 564	1760	75bff99becc32bcbe56efbe7a75f4d45.exe	WinSock.exe
PID 1760 wrote to memory of 1092	1760	75bff99becc32bcbe56efbe7a75f4d45.exe	WinSock.exe
PID 1760 wrote to memory of 1092	1760	75bff99becc32bcbe56efbe7a75f4d45.exe	WinSock.exe
PID 1760 wrote to memory of 1092	1760	75bff99becc32bcbe56efbe7a75f4d45.exe	WinSock.exe
PID 1760 wrote to memory of 1092	1760	75bff99becc32bcbe56efbe7a75f4d45.exe	WinSock.exe
PID 1760 wrote to memory of 1404	1760	75bff99becc32bcbe56efbe7a75f4d45.exe	WinSock.exe
PID 1760 wrote to memory of 1404	1760	75bff99becc32bcbe56efbe7a75f4d45.exe	WinSock.exe
PID 1760 wrote to memory of 1404	1760	75bff99becc32bcbe56efbe7a75f4d45.exe	WinSock.exe
PID 1760 wrote to memory of 1404	1760	75bff99becc32bcbe56efbe7a75f4d45.exe	WinSock.exe
PID 1760 wrote to memory of 2352	1760	75bff99becc32bcbe56efbe7a75f4d45.exe	WinSock.exe
PID 1760 wrote to memory of 2352	1760	75bff99becc32bcbe56efbe7a75f4d45.exe	WinSock.exe
PID 1760 wrote to memory of 2352	1760	75bff99becc32bcbe56efbe7a75f4d45.exe	WinSock.exe
PID 1760 wrote to memory of 2352	1760	75bff99becc32bcbe56efbe7a75f4d45.exe	WinSock.exe
PID 1760 wrote to memory of 1884	1760	75bff99becc32bcbe56efbe7a75f4d45.exe	WinSock.exe
PID 1760 wrote to memory of 1884	1760	75bff99becc32bcbe56efbe7a75f4d45.exe	WinSock.exe
PID 1760 wrote to memory of 1884	1760	75bff99becc32bcbe56efbe7a75f4d45.exe	WinSock.exe
PID 1760 wrote to memory of 1884	1760	75bff99becc32bcbe56efbe7a75f4d45.exe	WinSock.exe
PID 1760 wrote to memory of 2292	1760	75bff99becc32bcbe56efbe7a75f4d45.exe	WinSock.exe
PID 1760 wrote to memory of 2292	1760	75bff99becc32bcbe56efbe7a75f4d45.exe	WinSock.exe
PID 1760 wrote to memory of 2292	1760	75bff99becc32bcbe56efbe7a75f4d45.exe	WinSock.exe

C:\Users\Admin\AppData\Local\Temp\75bff99becc32bcbe56efbe7a75f4d45.exe
"C:\Users\Admin\AppData\Local\Temp\75bff99becc32bcbe56efbe7a75f4d45.exe"
1⤵
- Modifies WinLogon for persistence
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3028

C:\Users\Admin\AppData\Local\Temp\75bff99becc32bcbe56efbe7a75f4d45.exe
C:\Users\Admin\AppData\Local\Temp\75bff99becc32bcbe56efbe7a75f4d45.exe
2⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies system certificate store
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1760

C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
"C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:304

C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
"C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2228

C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
"C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1600

C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
"C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2812

C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
"C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:936

C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
"C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1700

C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
"C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2444

C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
"C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:564

C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
"C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
3⤵
- Executes dropped EXE
PID:1092

C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
"C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
3⤵
- Executes dropped EXE
PID:1404

C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
"C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
3⤵
- Executes dropped EXE
PID:2352

C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
"C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
3⤵
- Executes dropped EXE
PID:1884

C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
"C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
3⤵
- Executes dropped EXE
PID:2292

C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
"C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
3⤵
- Executes dropped EXE
PID:2988

C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
"C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
3⤵
- Executes dropped EXE
PID:1820

C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
"C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
3⤵
- Executes dropped EXE
PID:1564

C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
"C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
3⤵
- Executes dropped EXE
PID:1168

C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
"C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
3⤵
- Executes dropped EXE
PID:2440

C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
"C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
3⤵
- Executes dropped EXE
PID:1692

C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
"C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
3⤵
- Executes dropped EXE
PID:3020

C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
"C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
3⤵
- Executes dropped EXE
PID:2344

C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
"C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
3⤵
- Executes dropped EXE
PID:2824

C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
"C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
3⤵
- Executes dropped EXE
PID:2728

C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
"C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
3⤵
- Executes dropped EXE
PID:2564

C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
"C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
3⤵
- Executes dropped EXE
PID:1212

C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
"C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
3⤵
- Executes dropped EXE
PID:3044

C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
"C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
3⤵
- Executes dropped EXE
PID:1404

C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
"C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
3⤵
- Executes dropped EXE
PID:572

C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
"C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
3⤵
- Executes dropped EXE
PID:1136

C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
"C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
3⤵
- Executes dropped EXE
PID:1892

C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
"C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
3⤵
- Executes dropped EXE
PID:2744

C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
"C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
3⤵
- Executes dropped EXE
PID:2880

C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
"C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
3⤵
- Executes dropped EXE
PID:2648

C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
"C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
3⤵
- Executes dropped EXE
PID:2860

C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
"C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
3⤵
- Executes dropped EXE
PID:672

C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
"C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
3⤵
- Executes dropped EXE
PID:1892

C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
"C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
3⤵
- Executes dropped EXE
PID:2604

C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
"C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
3⤵
- Executes dropped EXE
PID:1944

C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
"C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
3⤵
- Executes dropped EXE
PID:2760

C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
"C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
3⤵
- Executes dropped EXE
PID:2528

C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
"C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
3⤵
- Executes dropped EXE
PID:1576

C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
"C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
3⤵
- Executes dropped EXE
PID:1720

C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
"C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
3⤵
- Executes dropped EXE
PID:1184

C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
"C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
3⤵
- Executes dropped EXE
PID:2456

C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
"C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
3⤵
- Executes dropped EXE
PID:824

C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
"C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
3⤵
- Executes dropped EXE
PID:2736

C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
"C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
3⤵
- Executes dropped EXE
PID:2536

C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
"C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
3⤵
- Executes dropped EXE
PID:2688

C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
"C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
3⤵
- Executes dropped EXE
PID:2840

C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
"C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
3⤵
- Executes dropped EXE
PID:684

C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
"C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
3⤵
- Executes dropped EXE
PID:2328

C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
"C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
3⤵
- Executes dropped EXE
PID:2684

C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
"C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
3⤵
- Executes dropped EXE
PID:2680

C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
"C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
3⤵
- Executes dropped EXE
PID:2516

C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
"C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
3⤵
- Executes dropped EXE
PID:1476

C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
"C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
3⤵
- Executes dropped EXE
PID:2840

C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
"C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
3⤵
- Executes dropped EXE
PID:2104

C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
"C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
3⤵
- Executes dropped EXE
PID:2652

C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
"C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
3⤵
- Executes dropped EXE
PID:608

C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
"C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
3⤵
- Executes dropped EXE
PID:2644

C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
"C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
3⤵
- Executes dropped EXE
PID:2292

C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
"C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
3⤵
- Executes dropped EXE
PID:2412

C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
"C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
3⤵
- Executes dropped EXE
PID:1896

C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
"C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
3⤵
- Executes dropped EXE
PID:1644

C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
"C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
3⤵
PID:2484

C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
"C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
3⤵
PID:1748

C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
"C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
3⤵
PID:900

C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
"C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
3⤵
PID:1712

C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
"C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
3⤵
PID:1864

C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
"C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
3⤵
PID:824

C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
"C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
3⤵
PID:2364

C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
"C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
3⤵
PID:2100

C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
"C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
3⤵
PID:2272

C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
"C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
3⤵
PID:1716

C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
"C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
3⤵
PID:2204

C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
"C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
3⤵
PID:1756

C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
"C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
3⤵
PID:1632

C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
"C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
3⤵
PID:1268

C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
"C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
3⤵
PID:1376

C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
"C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
3⤵
PID:1712

C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
"C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
3⤵
PID:3012

C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
"C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
3⤵
PID:928

C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
"C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
3⤵
PID:1828

C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
"C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
3⤵
PID:2016

C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
"C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
3⤵
PID:1620

C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
"C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
3⤵
PID:2828

C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
"C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
3⤵
PID:1504

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Cab475F.tmp
Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarAB52.tmp
Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\d4f7be4f\tor\data\cached-certs
Filesize
20KB

MD5
07d7902f08d134eba6309e8ea4423712

SHA1
a5d51ad90925b39b4f8289c37740b933c12a00ce

SHA256
c8f69f019b7f76508387183d65f3d1f6afefcc23414e4b25f0f2698fe4c39d93

SHA512
528546aba03d44c4737fc33c4eb2e574935a1fc776b5af4467e7a2ae4b240510e3373f10573e9d04bb5e1b3d8248b13f12d06a7c0dac38751583133f3a64ff08

Download Submit
C:\Users\Admin\AppData\Local\d4f7be4f\tor\data\cached-microdesc-consensus.tmp
Filesize
2.6MB

MD5
6fcc4b924d58bbb8462b7ee1961c7977

SHA1
41e1e2d4561bb169144e7d1a08c6a7f3dc731c2d

SHA256
edbc99c46f9d6785d0cedf6fa6de99e6c7a20187a738e29d55258584db2660ed

SHA512
2d3539570f1a6024c291c25a3aed2f61668ec03aa614b92118380a60510fab72878539f0bc3d51e1c8ce20f3b26400c35cd714fcf146dd3288a8da861ee5a6fe

Download Submit
C:\Users\Admin\AppData\Local\d4f7be4f\tor\data\cached-microdescs.new
Filesize
9.3MB

MD5
4f9c177fd3c8cae50dd316dbd32d9513

SHA1
75d22045b7fa3be6a80a1474c66bd6f64b37998b

SHA256
187a8933819ba01a1b2bda3faf023aa7794e3b0138d986ad5f1031412d8fbdeb

SHA512
a7a592226d954cdf59f31a1b7ddf04a3fd1c3b0a51247304bbdf6fde03fd004ba6adf041c1bc8dadbd57594c68068c3b2b406be3587fb1dfaaaf5c49c42459c7

Download Submit
C:\Users\Admin\AppData\Local\d4f7be4f\tor\data\cached-microdescs.new
Filesize
5.8MB

MD5
d1f7f84b91c7d2d582d09708be6f9f4f

SHA1
c8a6a446ed52e8d21f4ac037abce8b6ac6f2f3d7

SHA256
180e4c2d638515c422676596dc6714998c145d12663f71aa71d60b7ae7775079

SHA512
3a5349495fe773b7a678aeced8333ea268a9b7e6bd8acbd82c24116f968ff2df7766c4cd3b4a0dcdd6eeac014fdb35a8305601a51a8c7c096673d79a597f2dc9

Download Submit
C:\Users\Admin\AppData\Local\d4f7be4f\tor\data\state
Filesize
232B

MD5
74bdccd277577bf2411057f88d2efde7

SHA1
f79908bcc4c58928bfd3d7be1d7ad7db7f23b67e

SHA256
4ee7e5b6dde68c04ec20595b172ad42f5f9d9838a6920f24a6dbb85a23184171

SHA512
9f76b1e9b176bcd28f192465e3a00e2be8a0d14f827188741df8d6079ffb0dc3d7e9a0b0ee646331f0ccdc4c5282d3c66f464d812fb86eac1b37cd4d4b250045

Download Submit
C:\Users\Admin\AppData\Local\d4f7be4f\tor\data\state
Filesize
232B

MD5
68e6978b636480675b08e5fa8462604b

SHA1
21ac04edded23f251c3a65719c4d8b099b352e76

SHA256
dc07c73d954d9af363effb04f4e7239959648d2610cfed7fb84b7999a80c3af6

SHA512
a30c19dea6f7b86366934e444e161b41b6f3fc57dcd7596bef8bacf59c502db397f0f6c6513536183c3befb158d61a1d7ef898d977431c49faf3cce2ff568efa

Download Submit
C:\Users\Admin\AppData\Local\d4f7be4f\tor\libcrypto-1_1.dll
Filesize
1.7MB

MD5
2384a02c4a1f7ec481adde3a020607d3

SHA1
7e848d35a10bf9296c8fa41956a3daa777f86365

SHA256
c8db0ff0f7047ed91b057005e86ad3a23eae616253313aa047c560d9eb398369

SHA512
1ac74dd2d863acd7415ef8b9490a5342865462fbabdad0645da22424b0d56f5e9c389a3d7c41386f2414d6c4715c79a6ddecb6e6cff29e98319e1fd1060f4503

Download Submit
C:\Users\Admin\AppData\Local\d4f7be4f\tor\libevent-2-1-6.dll
Filesize
366KB

MD5
099983c13bade9554a3c17484e5481f1

SHA1
a84e69ad9722f999252d59d0ed9a99901a60e564

SHA256
b65f9aa0c7912af64bd9b05e9322e994339a11b0c8907e6a6166d7b814bda838

SHA512
89f1a963de77873296395662d4150e3eff7a2d297fb9ec54ec06aa2e40d41e5f4fc4611e9bc34126d760c9134f2907fea3bebdf2fbbd7eaddad99f8e4be1f5e2

Download Submit
C:\Users\Admin\AppData\Local\d4f7be4f\tor\libgcc_s_sjlj-1.dll
Filesize
286KB

MD5
b0d98f7157d972190fe0759d4368d320

SHA1
5715a533621a2b642aad9616e603c6907d80efc4

SHA256
2922193133dabab5b82088d4e87484e2fac75e9e0c765dacaf22eb5f4f18b0c5

SHA512
41ce56c428158533bf8b8ffe0a71875b5a3abc549b88d7d3e69acc6080653abea344d6d66fff39c04bf019fcaa295768d620377d85a933ddaf17f3d90df29496

Download Submit
C:\Users\Admin\AppData\Local\d4f7be4f\tor\libssl-1_1.dll
Filesize
439KB

MD5
c88826ac4bb879622e43ead5bdb95aeb

SHA1
87d29853649a86f0463bfd9ad887b85eedc21723

SHA256
c4d898b1a4285a45153af9ed88d79aa2a073dcb7225961b6b276b532b4d18b6f

SHA512
f733041ef35b9b8058fbcf98faa0d1fea5c0858fea941ecebbe9f083cd73e3e66323afffd8d734097fcdd5e6e59db4d94f51fca5874edbcd2a382d9ba6cd97b3

Download Submit
C:\Users\Admin\AppData\Local\d4f7be4f\tor\libssp-0.dll
Filesize
88KB

MD5
2c916456f503075f746c6ea649cf9539

SHA1
fa1afc1f3d728c89b2e90e14ca7d88b599580a9d

SHA256
cbb5236d923d4f4baf2f0d2797c72a2cbae42ef7ac0acce786daf5fdc5b456e6

SHA512
1c1995e1aa7c33c597c64122395275861d9219e46d45277d4f1768a2e06227b353d5d77d6b7cb655082dc6fb9736ad6f7cfcc0c90e02776e27d50857e792e3fd

Download Submit
C:\Users\Admin\AppData\Local\d4f7be4f\tor\libwinpthread-1.dll
Filesize
188KB

MD5
d407cc6d79a08039a6f4b50539e560b8

SHA1
21171adbc176dc19aaa5e595cd2cd4bd1dfd0c71

SHA256
92cfd0277c8781a15a0f17b7aee6cff69631b9606a001101631f04b3381efc4e

SHA512
378a10fed915591445d97c6d04e82d28008d8ea65e0e40c142b8ee59867035d561d4e103495c8f0d9c19b51597706ce0b450c25516aa0f1744579ffcd097ae0c

Download Submit
C:\Users\Admin\AppData\Local\d4f7be4f\tor\torrc
Filesize
157B

MD5
68afdef35a6105c2b148649bd05901b0

SHA1
828a2b590a95c2a411cc1b0004207747f2571024

SHA256
4e4e4e7f9fb03bcb898ce4f6075e3082d3a341d9fff1955ddf45089f83565622

SHA512
f198da05ec57c8525e6643f7f2c212701d0ab641d2850a28ce4cea7c33ac7b5c75782273bf7f01f95ccf02e27adf7c237ed116c5b0f220c13e70fe0aa7cfc671

Download Submit
C:\Users\Admin\AppData\Local\d4f7be4f\tor\zlib1.dll
Filesize
52KB

MD5
add33041af894b67fe34e1dc819b7eb6

SHA1
6db46eb021855a587c95479422adcc774a272eeb

SHA256
8688bd7ca55dcc0c23c429762776a0a43fe5b0332dfd5b79ef74e55d4bbc1183

SHA512
bafc441198d03f0e7fe804bab89283c389d38884d0f87d81b11950a9b79fcbf7b32be4bb16f4fcd9179b66f865c563c172a46b4514a6087ef0af64425a4b2cfa

Download Submit
\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
Filesize
973KB

MD5
5cfe61ff895c7daa889708665ef05d7b

SHA1
5e58efe30406243fbd58d4968b0492ddeef145f2

SHA256
f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5

SHA512
43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da

Download Submit
memory/304-2489-0x00000000743C0000-0x0000000074448000-memory.dmp

Filesize
544KB

Download
memory/304-2506-0x0000000000E90000-0x0000000001294000-memory.dmp

Filesize
4.0MB

Download
memory/304-2477-0x0000000074680000-0x000000007494F000-memory.dmp

Filesize
2.8MB

Download
memory/304-2486-0x0000000074450000-0x000000007455A000-memory.dmp

Filesize
1.0MB

Download
memory/304-2492-0x00000000742F0000-0x00000000743BE000-memory.dmp

Filesize
824KB

Download
memory/304-2483-0x0000000074560000-0x0000000074628000-memory.dmp

Filesize
800KB

Download
memory/304-2529-0x00000000742F0000-0x00000000743BE000-memory.dmp

Filesize
824KB

Download
memory/304-2528-0x00000000743C0000-0x0000000074448000-memory.dmp

Filesize
544KB

Download
memory/304-2519-0x0000000074450000-0x000000007455A000-memory.dmp

Filesize
1.0MB

Download
memory/304-2518-0x0000000074560000-0x0000000074628000-memory.dmp

Filesize
800KB

Download
memory/304-2517-0x0000000074630000-0x0000000074679000-memory.dmp

Filesize
292KB

Download
memory/304-2516-0x0000000074680000-0x000000007494F000-memory.dmp

Filesize
2.8MB

Download
memory/304-2480-0x0000000074630000-0x0000000074679000-memory.dmp

Filesize
292KB

Download
memory/304-2473-0x0000000000E90000-0x0000000001294000-memory.dmp

Filesize
4.0MB

Download
memory/304-2495-0x0000000075090000-0x00000000750B4000-memory.dmp

Filesize
144KB

Download
memory/1600-2616-0x0000000074690000-0x0000000074718000-memory.dmp

Filesize
544KB

Download
memory/1600-2641-0x0000000074830000-0x00000000748F8000-memory.dmp

Filesize
800KB

Download
memory/1600-2615-0x0000000074720000-0x000000007482A000-memory.dmp

Filesize
1.0MB

Download
memory/1600-2617-0x00000000742E0000-0x00000000743AE000-memory.dmp

Filesize
824KB

Download
memory/1600-2610-0x0000000000E90000-0x0000000001294000-memory.dmp

Filesize
4.0MB

Download
memory/1600-2619-0x00000000743B0000-0x000000007467F000-memory.dmp

Filesize
2.8MB

Download
memory/1600-2611-0x0000000074900000-0x0000000074949000-memory.dmp

Filesize
292KB

Download
memory/1600-2640-0x0000000000E90000-0x0000000001294000-memory.dmp

Filesize
4.0MB

Download
memory/1600-2618-0x00000000742B0000-0x00000000742D4000-memory.dmp

Filesize
144KB

Download
memory/1600-2612-0x0000000074830000-0x00000000748F8000-memory.dmp

Filesize
800KB

Download
memory/1760-2494-0x0000000000400000-0x0000000000BD8000-memory.dmp

Filesize
7.8MB

Download
memory/1760-2472-0x0000000004820000-0x0000000004C24000-memory.dmp

Filesize
4.0MB

Download
memory/1760-2639-0x0000000005730000-0x0000000005B34000-memory.dmp

Filesize
4.0MB

Download
memory/1760-2474-0x0000000004820000-0x0000000004C24000-memory.dmp

Filesize
4.0MB

Download
memory/1760-2630-0x0000000005730000-0x0000000005B34000-memory.dmp

Filesize
4.0MB

Download
memory/1760-2451-0x0000000000400000-0x0000000000BD8000-memory.dmp

Filesize
7.8MB

Download
memory/1760-2499-0x0000000004820000-0x0000000004C24000-memory.dmp

Filesize
4.0MB

Download
memory/1760-2507-0x0000000004820000-0x0000000004C24000-memory.dmp

Filesize
4.0MB

Download
memory/1760-2564-0x0000000005730000-0x0000000005B34000-memory.dmp

Filesize
4.0MB

Download
memory/1760-2681-0x0000000005730000-0x0000000005B34000-memory.dmp

Filesize
4.0MB

Download
memory/2228-2592-0x00000000742F0000-0x00000000743BE000-memory.dmp

Filesize
824KB

Download
memory/2228-2573-0x0000000075090000-0x00000000750B4000-memory.dmp

Filesize
144KB

Download
memory/2228-2568-0x0000000074630000-0x0000000074679000-memory.dmp

Filesize
292KB

Download
memory/2228-2567-0x0000000074680000-0x000000007494F000-memory.dmp

Filesize
2.8MB

Download
memory/2228-2565-0x0000000000E90000-0x0000000001294000-memory.dmp

Filesize
4.0MB

Download
memory/2228-2571-0x00000000743C0000-0x0000000074448000-memory.dmp

Filesize
544KB

Download
memory/2228-2572-0x00000000742F0000-0x00000000743BE000-memory.dmp

Filesize
824KB

Download
memory/2228-2569-0x0000000074560000-0x0000000074628000-memory.dmp

Filesize
800KB

Download
memory/2228-2587-0x0000000074680000-0x000000007494F000-memory.dmp

Filesize
2.8MB

Download
memory/2228-2593-0x0000000075090000-0x00000000750B4000-memory.dmp

Filesize
144KB

Download
memory/2228-2591-0x00000000743C0000-0x0000000074448000-memory.dmp

Filesize
544KB

Download
memory/2228-2590-0x0000000074450000-0x000000007455A000-memory.dmp

Filesize
1.0MB

Download
memory/2228-2589-0x0000000074560000-0x0000000074628000-memory.dmp

Filesize
800KB

Download
memory/2228-2588-0x0000000074630000-0x0000000074679000-memory.dmp

Filesize
292KB

Download
memory/2228-2586-0x0000000000E90000-0x0000000001294000-memory.dmp

Filesize
4.0MB

Download
memory/2228-2570-0x0000000074450000-0x000000007455A000-memory.dmp

Filesize
1.0MB

Download
memory/2812-2683-0x0000000000E90000-0x0000000001294000-memory.dmp

Filesize
4.0MB

Download
memory/2812-2685-0x00000000743B0000-0x000000007467F000-memory.dmp

Filesize
2.8MB

Download
memory/2812-2686-0x0000000074900000-0x0000000074949000-memory.dmp

Filesize
292KB

Download
memory/2812-2687-0x0000000074830000-0x00000000748F8000-memory.dmp

Filesize
800KB

Download
memory/2812-2689-0x0000000074690000-0x0000000074718000-memory.dmp

Filesize
544KB

Download
memory/2812-2688-0x0000000074720000-0x000000007482A000-memory.dmp

Filesize
1.0MB

Download
memory/3028-41-0x00000000003D0000-0x000000000044C000-memory.dmp

Filesize
496KB

Download
memory/3028-23-0x00000000003D0000-0x000000000044C000-memory.dmp

Filesize
496KB

Download
memory/3028-39-0x00000000003D0000-0x000000000044C000-memory.dmp

Filesize
496KB

Download
memory/3028-2452-0x0000000074640000-0x0000000074D2E000-memory.dmp

Filesize
6.9MB

Download
memory/3028-43-0x00000000003D0000-0x000000000044C000-memory.dmp

Filesize
496KB

Download
memory/3028-45-0x00000000003D0000-0x000000000044C000-memory.dmp

Filesize
496KB

Download
memory/3028-47-0x00000000003D0000-0x000000000044C000-memory.dmp

Filesize
496KB

Download
memory/3028-49-0x00000000003D0000-0x000000000044C000-memory.dmp

Filesize
496KB

Download
memory/3028-51-0x00000000003D0000-0x000000000044C000-memory.dmp

Filesize
496KB

Download
memory/3028-53-0x00000000003D0000-0x000000000044C000-memory.dmp

Filesize
496KB

Download
memory/3028-0-0x0000000074640000-0x0000000074D2E000-memory.dmp

Filesize
6.9MB

Download
memory/3028-55-0x00000000003D0000-0x000000000044C000-memory.dmp

Filesize
496KB

Download
memory/3028-57-0x00000000003D0000-0x000000000044C000-memory.dmp

Filesize
496KB

Download
memory/3028-35-0x00000000003D0000-0x000000000044C000-memory.dmp

Filesize
496KB

Download
memory/3028-33-0x00000000003D0000-0x000000000044C000-memory.dmp

Filesize
496KB

Download
memory/3028-31-0x00000000003D0000-0x000000000044C000-memory.dmp

Filesize
496KB

Download
memory/3028-29-0x00000000003D0000-0x000000000044C000-memory.dmp

Filesize
496KB

Download
memory/3028-25-0x00000000003D0000-0x000000000044C000-memory.dmp

Filesize
496KB

Download
memory/3028-27-0x00000000003D0000-0x000000000044C000-memory.dmp

Filesize
496KB

Download
memory/3028-37-0x00000000003D0000-0x000000000044C000-memory.dmp

Filesize
496KB

Download
memory/3028-21-0x00000000003D0000-0x000000000044C000-memory.dmp

Filesize
496KB

Download
memory/3028-19-0x00000000003D0000-0x000000000044C000-memory.dmp

Filesize
496KB

Download
memory/3028-17-0x00000000003D0000-0x000000000044C000-memory.dmp

Filesize
496KB

Download
memory/3028-15-0x00000000003D0000-0x000000000044C000-memory.dmp

Filesize
496KB

Download
memory/3028-13-0x00000000003D0000-0x000000000044C000-memory.dmp

Filesize
496KB

Download
memory/3028-7-0x00000000003D0000-0x000000000044C000-memory.dmp

Filesize
496KB

Download
memory/3028-11-0x00000000003D0000-0x000000000044C000-memory.dmp

Filesize
496KB

Download
memory/3028-9-0x00000000003D0000-0x000000000044C000-memory.dmp

Filesize
496KB

Download
memory/3028-6-0x00000000003D0000-0x000000000044C000-memory.dmp

Filesize
496KB

Download
memory/3028-59-0x00000000003D0000-0x000000000044C000-memory.dmp

Filesize
496KB

Download
memory/3028-61-0x00000000003D0000-0x000000000044C000-memory.dmp

Filesize
496KB

Download
memory/3028-63-0x00000000003D0000-0x000000000044C000-memory.dmp

Filesize
496KB

Download
memory/3028-65-0x00000000003D0000-0x000000000044C000-memory.dmp

Filesize
496KB

Download
memory/3028-67-0x00000000003D0000-0x000000000044C000-memory.dmp

Filesize
496KB

Download
memory/3028-69-0x00000000003D0000-0x000000000044C000-memory.dmp

Filesize
496KB

Download
memory/3028-5-0x00000000003D0000-0x0000000000452000-memory.dmp

Filesize
520KB

Download
memory/3028-4-0x00000000095D0000-0x0000000009AF0000-memory.dmp

Filesize
5.1MB

Download
memory/3028-3-0x0000000074640000-0x0000000074D2E000-memory.dmp

Filesize
6.9MB

Download
memory/3028-2-0x0000000005660000-0x00000000056A0000-memory.dmp

Filesize
256KB

Download
memory/3028-1-0x0000000001150000-0x0000000001858000-memory.dmp

Filesize
7.0MB

Download