metasploit | b434527e3f55425dc624118395ee28b4725e81464863dfd15d175dd74fbd9a6a

Resubmissions

02-09-2024 02:19

240902-crxs1syfmm 10

07-07-2024 21:02

240707-zvllgsyaqp 10

01-07-2024 21:37

240701-1gjemsverk 10

Analysis

max time kernel
62s
max time network
302s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
07-07-2024 21:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4363463463464363463463463.exe
Size

10KB
MD5

2a94f3960c58c6e70826495f76d00b85
SHA1

e2a1a5641295f5ebf01a37ac1c170ac0814bb71a
SHA256

2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
SHA512

fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f
SSDEEP

192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K

Score

10^/10

metasploit rhadamanthys sectoprat vidar xehook xmrig xworm backdoor evasion execution miner persistence rat stealer trojan upx

Malware Config

Extracted

Family

xworm

Version

5.0

64.226.123.178:6098

Mutex

1z0ENxCLSR3XRSre

Attributes

install_file
USB.exe

aes.plain

Extracted

Family

metasploit

Version

windows/reverse_http

http://89.197.154.116:7810/O6Z_Oh2DCu_X-db4sYLFEg1hYXRf_R2oUsq-2FBCe7OY5fyzWx30F0mf2_tTjbnFbloJRApsw

Extracted

Family

xworm

Version

3.1

185.91.127.220:7000

Mutex

0liuzqSbSYrrf5nM

Attributes

install_file
USB.exe

aes.plain

Signatures

Detect Vidar Stealer 1 IoCs

stealer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Files\vi.exe	family_vidar_v7

Detect Xehook Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Files\27.exe	family_xehook
behavioral1/memory/8608-42359-0x0000000000E90000-0x0000000000EBC000-memory.dmp	family_xehook

Detect Xworm Payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/7256-27309-0x0000000000400000-0x0000000000436000-memory.dmp	family_xworm
behavioral1/memory/7924-37193-0x0000000001170000-0x0000000001196000-memory.dmp	family_xworm
behavioral1/memory/3032-42330-0x0000000000080000-0x00000000000B6000-memory.dmp	family_xworm

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/8336-42385-0x0000000000400000-0x00000000004D4000-memory.dmp	family_sectoprat

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

zxcvb.exe

description pid process target process

PID 1600 created 1160 1600 zxcvb.exe Explorer.EXE
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Xehook stealer
Xehook is an infostealer written in C#.
stealer xehook
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

description	pid	process	target process
PID 1600 created 1160	1600	zxcvb.exe	Explorer.EXE

XMRig Miner payload 2 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/1020-106-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/1020-105-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Downloads MZ/PE file
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

.NET Reactor proctector 1 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

Processes:

resource	yara_rule
behavioral1/memory/7164-42274-0x0000000000FC0000-0x000000000152C000-memory.dmp	net_reactor

Executes dropped EXE 10 IoCs

Processes:

putty.exezxcvb.exeApep_7.3.5.26365.exeuxtldsktkgfv.exeBLueHvffhw.exezxcvb.exeBLueHvffhw.exeSvCpJuhbT.exenet.exe

pid	process
1212	putty.exe
1860	zxcvb.exe
1128	Apep_7.3.5.26365.exe
476
2404	uxtldsktkgfv.exe
912	BLueHvffhw.exe
1600	zxcvb.exe
3308	BLueHvffhw.exe
8908	SvCpJuhbT.exe
9012	net.exe

Loads dropped DLL 12 IoCs

Processes:

4363463463464363463463463.exezxcvb.exeBLueHvffhw.exe

pid	process
3008	4363463463464363463463463.exe
3008	4363463463464363463463463.exe
3008	4363463463464363463463463.exe
3008	4363463463464363463463463.exe
476
1860	zxcvb.exe
1860	zxcvb.exe
912	BLueHvffhw.exe
3008	4363463463464363463463463.exe
3008	4363463463464363463463463.exe
8944
3008	4363463463464363463463463.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1020-104-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1020-98-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1020-103-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1020-106-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1020-105-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1020-102-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1020-99-0x0000000140000000-0x0000000140848000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\Files\UpdaterR.exe	upx
C:\Users\Admin\AppData\Local\Temp\Files\win.exe	upx
behavioral1/memory/7888-32258-0x0000000000400000-0x0000000000419000-memory.dmp	upx
behavioral1/memory/388-32269-0x00000000000D0000-0x00000000010F6000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

15 bitbucket.org
16 bitbucket.org

flow	ioc
15	bitbucket.org
16	bitbucket.org

Suspicious use of NtSetInformationThreadHideFromDebugger 11 IoCs

Processes:

Apep_7.3.5.26365.exe

pid	process
1128	Apep_7.3.5.26365.exe
1128	Apep_7.3.5.26365.exe
1128	Apep_7.3.5.26365.exe
1128	Apep_7.3.5.26365.exe
1128	Apep_7.3.5.26365.exe
1128	Apep_7.3.5.26365.exe
1128	Apep_7.3.5.26365.exe
1128	Apep_7.3.5.26365.exe
1128	Apep_7.3.5.26365.exe
1128	Apep_7.3.5.26365.exe
1128	Apep_7.3.5.26365.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

uxtldsktkgfv.exezxcvb.exeBLueHvffhw.exe

description	pid	process	target process
PID 2404 set thread context of 816	2404	uxtldsktkgfv.exe	conhost.exe
PID 2404 set thread context of 1020	2404	uxtldsktkgfv.exe	explorer.exe
PID 1860 set thread context of 1600	1860	zxcvb.exe	zxcvb.exe
PID 912 set thread context of 3308	912	BLueHvffhw.exe	BLueHvffhw.exe

Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exe

pid process

1980 sc.exe
2972 sc.exe
2928 sc.exe
2984 sc.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

Powershell.exe

pid process

6124 Powershell.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid pid_target process target process

7448 3476 WerFault.exe vi.exe
7344 7888 WerFault.exe UpdaterR.exe
9172 7164 WerFault.exe hv.exe

pid	process
1980	sc.exe
2972	sc.exe
2928	sc.exe
2984	sc.exe

pid	process
6124	Powershell.exe

pid	pid_target	process	target process
7448	3476	WerFault.exe	vi.exe
7344	7888	WerFault.exe	UpdaterR.exe
9172	7164	WerFault.exe	hv.exe

Modifies system certificate store 2 TTPs 10 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

4363463463464363463463463.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	4363463463464363463463463.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 0f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	4363463463464363463463463.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 19000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca61d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e4090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f006700690065007300000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a92000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	4363463463464363463463463.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	4363463463464363463463463.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 0f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a2000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	4363463463464363463463463.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 190000000100000010000000fd960962ac6938e0d4b0769aa1a64e26030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a1d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e709000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6502000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	4363463463464363463463463.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	4363463463464363463463463.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	4363463463464363463463463.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6	4363463463464363463463463.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba870f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca619000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	4363463463464363463463463.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 59 IoCs

Processes:

putty.exeApep_7.3.5.26365.exeuxtldsktkgfv.exezxcvb.exedialer.exe

pid	process
1212	putty.exe
1212	putty.exe
1128	Apep_7.3.5.26365.exe
1128	Apep_7.3.5.26365.exe
1128	Apep_7.3.5.26365.exe
1128	Apep_7.3.5.26365.exe
1128	Apep_7.3.5.26365.exe
1212	putty.exe
1212	putty.exe
1212	putty.exe
2404	uxtldsktkgfv.exe
2404	uxtldsktkgfv.exe
1128	Apep_7.3.5.26365.exe
1128	Apep_7.3.5.26365.exe
1128	Apep_7.3.5.26365.exe
1128	Apep_7.3.5.26365.exe
1128	Apep_7.3.5.26365.exe
1128	Apep_7.3.5.26365.exe
1128	Apep_7.3.5.26365.exe
1128	Apep_7.3.5.26365.exe
1128	Apep_7.3.5.26365.exe
1128	Apep_7.3.5.26365.exe
1128	Apep_7.3.5.26365.exe
1128	Apep_7.3.5.26365.exe
1128	Apep_7.3.5.26365.exe
1128	Apep_7.3.5.26365.exe
1128	Apep_7.3.5.26365.exe
1128	Apep_7.3.5.26365.exe
1128	Apep_7.3.5.26365.exe
1600	zxcvb.exe
1600	zxcvb.exe
2840	dialer.exe
2840	dialer.exe
1128	Apep_7.3.5.26365.exe
2840	dialer.exe
2840	dialer.exe
1128	Apep_7.3.5.26365.exe
1128	Apep_7.3.5.26365.exe
1128	Apep_7.3.5.26365.exe
1128	Apep_7.3.5.26365.exe
1128	Apep_7.3.5.26365.exe
1128	Apep_7.3.5.26365.exe
1128	Apep_7.3.5.26365.exe
1128	Apep_7.3.5.26365.exe
1128	Apep_7.3.5.26365.exe
1128	Apep_7.3.5.26365.exe
1128	Apep_7.3.5.26365.exe
1128	Apep_7.3.5.26365.exe
1128	Apep_7.3.5.26365.exe
1128	Apep_7.3.5.26365.exe
1128	Apep_7.3.5.26365.exe
1128	Apep_7.3.5.26365.exe
1128	Apep_7.3.5.26365.exe
1128	Apep_7.3.5.26365.exe
1128	Apep_7.3.5.26365.exe
1128	Apep_7.3.5.26365.exe
1128	Apep_7.3.5.26365.exe
1128	Apep_7.3.5.26365.exe
1128	Apep_7.3.5.26365.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

4363463463464363463463463.exeApep_7.3.5.26365.exezxcvb.exeexplorer.exeBLueHvffhw.exeBLueHvffhw.exenet.exe

description	pid	process
Token: SeDebugPrivilege	3008	4363463463464363463463463.exe
Token: SeDebugPrivilege	1128	Apep_7.3.5.26365.exe
Token: SeDebugPrivilege	1860	zxcvb.exe
Token: SeLockMemoryPrivilege	1020	explorer.exe
Token: SeDebugPrivilege	1860	zxcvb.exe
Token: SeDebugPrivilege	912	BLueHvffhw.exe
Token: SeDebugPrivilege	912	BLueHvffhw.exe
Token: SeDebugPrivilege	3308	BLueHvffhw.exe
Token: SeDebugPrivilege	9012	net.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Apep_7.3.5.26365.exe

pid process

1128 Apep_7.3.5.26365.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

4363463463464363463463463.execmd.exeuxtldsktkgfv.exezxcvb.exeBLueHvffhw.exezxcvb.exe

description	pid	process	target process
PID 3008 wrote to memory of 1212	3008	4363463463464363463463463.exe	putty.exe
PID 3008 wrote to memory of 1212	3008	4363463463464363463463463.exe	putty.exe
PID 3008 wrote to memory of 1212	3008	4363463463464363463463463.exe	putty.exe
PID 3008 wrote to memory of 1212	3008	4363463463464363463463463.exe	putty.exe
PID 3008 wrote to memory of 1860	3008	4363463463464363463463463.exe	zxcvb.exe
PID 3008 wrote to memory of 1860	3008	4363463463464363463463463.exe	zxcvb.exe
PID 3008 wrote to memory of 1860	3008	4363463463464363463463463.exe	zxcvb.exe
PID 3008 wrote to memory of 1860	3008	4363463463464363463463463.exe	zxcvb.exe
PID 3008 wrote to memory of 1128	3008	4363463463464363463463463.exe	Apep_7.3.5.26365.exe
PID 3008 wrote to memory of 1128	3008	4363463463464363463463463.exe	Apep_7.3.5.26365.exe
PID 3008 wrote to memory of 1128	3008	4363463463464363463463463.exe	Apep_7.3.5.26365.exe
PID 3008 wrote to memory of 1128	3008	4363463463464363463463463.exe	Apep_7.3.5.26365.exe
PID 2912 wrote to memory of 108	2912	cmd.exe	choice.exe
PID 2912 wrote to memory of 108	2912	cmd.exe	choice.exe
PID 2912 wrote to memory of 108	2912	cmd.exe	choice.exe
PID 2404 wrote to memory of 816	2404	uxtldsktkgfv.exe	conhost.exe
PID 2404 wrote to memory of 816	2404	uxtldsktkgfv.exe	conhost.exe
PID 2404 wrote to memory of 816	2404	uxtldsktkgfv.exe	conhost.exe
PID 2404 wrote to memory of 816	2404	uxtldsktkgfv.exe	conhost.exe
PID 2404 wrote to memory of 816	2404	uxtldsktkgfv.exe	conhost.exe
PID 2404 wrote to memory of 816	2404	uxtldsktkgfv.exe	conhost.exe
PID 2404 wrote to memory of 816	2404	uxtldsktkgfv.exe	conhost.exe
PID 2404 wrote to memory of 816	2404	uxtldsktkgfv.exe	conhost.exe
PID 2404 wrote to memory of 816	2404	uxtldsktkgfv.exe	conhost.exe
PID 2404 wrote to memory of 1020	2404	uxtldsktkgfv.exe	explorer.exe
PID 2404 wrote to memory of 1020	2404	uxtldsktkgfv.exe	explorer.exe
PID 2404 wrote to memory of 1020	2404	uxtldsktkgfv.exe	explorer.exe
PID 2404 wrote to memory of 1020	2404	uxtldsktkgfv.exe	explorer.exe
PID 2404 wrote to memory of 1020	2404	uxtldsktkgfv.exe	explorer.exe
PID 1860 wrote to memory of 912	1860	zxcvb.exe	BLueHvffhw.exe
PID 1860 wrote to memory of 912	1860	zxcvb.exe	BLueHvffhw.exe
PID 1860 wrote to memory of 912	1860	zxcvb.exe	BLueHvffhw.exe
PID 1860 wrote to memory of 912	1860	zxcvb.exe	BLueHvffhw.exe
PID 1860 wrote to memory of 1600	1860	zxcvb.exe	zxcvb.exe
PID 1860 wrote to memory of 1600	1860	zxcvb.exe	zxcvb.exe
PID 1860 wrote to memory of 1600	1860	zxcvb.exe	zxcvb.exe
PID 1860 wrote to memory of 1600	1860	zxcvb.exe	zxcvb.exe
PID 1860 wrote to memory of 1600	1860	zxcvb.exe	zxcvb.exe
PID 1860 wrote to memory of 1600	1860	zxcvb.exe	zxcvb.exe
PID 1860 wrote to memory of 1600	1860	zxcvb.exe	zxcvb.exe
PID 1860 wrote to memory of 1600	1860	zxcvb.exe	zxcvb.exe
PID 1860 wrote to memory of 1600	1860	zxcvb.exe	zxcvb.exe
PID 912 wrote to memory of 3308	912	BLueHvffhw.exe	BLueHvffhw.exe
PID 912 wrote to memory of 3308	912	BLueHvffhw.exe	BLueHvffhw.exe
PID 912 wrote to memory of 3308	912	BLueHvffhw.exe	BLueHvffhw.exe
PID 912 wrote to memory of 3308	912	BLueHvffhw.exe	BLueHvffhw.exe
PID 912 wrote to memory of 3308	912	BLueHvffhw.exe	BLueHvffhw.exe
PID 912 wrote to memory of 3308	912	BLueHvffhw.exe	BLueHvffhw.exe
PID 912 wrote to memory of 3308	912	BLueHvffhw.exe	BLueHvffhw.exe
PID 912 wrote to memory of 3308	912	BLueHvffhw.exe	BLueHvffhw.exe
PID 912 wrote to memory of 3308	912	BLueHvffhw.exe	BLueHvffhw.exe
PID 1600 wrote to memory of 2840	1600	zxcvb.exe	dialer.exe
PID 1600 wrote to memory of 2840	1600	zxcvb.exe	dialer.exe
PID 1600 wrote to memory of 2840	1600	zxcvb.exe	dialer.exe
PID 1600 wrote to memory of 2840	1600	zxcvb.exe	dialer.exe
PID 1600 wrote to memory of 2840	1600	zxcvb.exe	dialer.exe
PID 1600 wrote to memory of 2840	1600	zxcvb.exe	dialer.exe
PID 3008 wrote to memory of 8908	3008	4363463463464363463463463.exe	SvCpJuhbT.exe
PID 3008 wrote to memory of 8908	3008	4363463463464363463463463.exe	SvCpJuhbT.exe
PID 3008 wrote to memory of 8908	3008	4363463463464363463463463.exe	SvCpJuhbT.exe
PID 3008 wrote to memory of 8908	3008	4363463463464363463463463.exe	SvCpJuhbT.exe
PID 3008 wrote to memory of 9012	3008	4363463463464363463463463.exe	net.exe
PID 3008 wrote to memory of 9012	3008	4363463463464363463463463.exe	net.exe
PID 3008 wrote to memory of 9012	3008	4363463463464363463463463.exe	net.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1160
- C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe
  "C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"
  2⤵
  - Loads dropped DLL
  - Modifies system certificate store
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3008
- - C:\Users\Admin\AppData\Local\Temp\Files\putty.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\putty.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1212
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe delete "CGMNDIHH"
      4⤵
      Launches sc.exe
      PID:1980
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe create "CGMNDIHH" binpath= "C:\ProgramData\rdytutcdlfrg\uxtldsktkgfv.exe" start= "auto"
      4⤵
      Launches sc.exe
      PID:2972
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop eventlog
      4⤵
      Launches sc.exe
      PID:2984
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe start "CGMNDIHH"
      4⤵
      Launches sc.exe
      PID:2928
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Files\putty.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2912
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:108
- - C:\Users\Admin\AppData\Local\Temp\Files\zxcvb.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\zxcvb.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1860
  - - C:\Users\Admin\AppData\Local\Temp\BLueHvffhw.exe
      "C:\Users\Admin\AppData\Local\Temp\BLueHvffhw.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:912
    - - C:\Users\Admin\AppData\Local\Temp\BLueHvffhw.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BLueHvffhw.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3308
  - - C:\Users\Admin\AppData\Local\Temp\Files\zxcvb.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\zxcvb.exe"
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1600
- - C:\Users\Admin\AppData\Local\Temp\Files\Apep_7.3.5.26365.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\Apep_7.3.5.26365.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:1128
- - C:\Users\Admin\AppData\Local\Temp\Files\SvCpJuhbT.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\SvCpJuhbT.exe"
    3⤵
    - Executes dropped EXE
    PID:8908
  - - C:\Windows\SysWOW64\notepad.exe
      "C:\Windows\SysWOW64\notepad.exe"
      4⤵
      PID:5860
- - C:\Users\Admin\AppData\Local\Temp\Files\net.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\net.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:9012
  - - C:\Users\Admin\AppData\Local\Temp\Files\net.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\net.exe"
      4⤵
      PID:5392
- - C:\Users\Admin\AppData\Local\Temp\Files\KuwaitSetupHockey.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\KuwaitSetupHockey.exe"
    3⤵
    PID:3840
  - - C:\Users\Admin\AppData\Local\Temp\is-LV3V9.tmp\KuwaitSetupHockey.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-LV3V9.tmp\KuwaitSetupHockey.tmp" /SL5="$301A8,3849412,851968,C:\Users\Admin\AppData\Local\Temp\Files\KuwaitSetupHockey.exe"
      4⤵
      PID:5980
- - C:\Users\Admin\AppData\Local\Temp\Files\ghjkl.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\ghjkl.exe"
    3⤵
    PID:5620
  - - C:\Users\Admin\AppData\Local\Temp\Files\ghjkl.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\ghjkl.exe"
      4⤵
      PID:1860
- - C:\Users\Admin\AppData\Local\Temp\Files\ghjk.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\ghjk.exe"
    3⤵
    PID:6296
  - - C:\Users\Admin\AppData\Local\Temp\Files\ghjk.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\ghjk.exe"
      4⤵
      PID:5840
- - C:\Users\Admin\AppData\Local\Temp\Files\test.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\test.exe"
    3⤵
    PID:6568
- - C:\Users\Admin\AppData\Local\Temp\Files\msa.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\msa.exe"
    3⤵
    PID:6268
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
      "Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\Admin\AppData\Local\Temp\Files\msa.exe' 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winxs.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:6124
  - - C:\Users\Admin\AppData\Local\Temp\Files\msa.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\msa.exe"
      4⤵
      PID:7256
- - C:\Users\Admin\AppData\Local\Temp\Files\drivermanager.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\drivermanager.exe"
    3⤵
    PID:6444
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      PID:7044
- - C:\Users\Admin\AppData\Local\Temp\Files\zardsystemschange.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\zardsystemschange.exe"
    3⤵
    PID:7276
- - C:\Users\Admin\AppData\Local\Temp\Files\zxcvb.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\zxcvb.exe"
    3⤵
    PID:7796
  - - C:\Users\Admin\AppData\Local\Temp\Files\zxcvb.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\zxcvb.exe"
      4⤵
      PID:2212
- - C:\Users\Admin\AppData\Local\Temp\Files\UpdaterR.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\UpdaterR.exe"
    3⤵
    PID:7888
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 7888 -s 808
      4⤵
      Program crash
      PID:7344
- - C:\Users\Admin\AppData\Local\Temp\Files\win.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\win.exe"
    3⤵
    PID:388
  - - C:\Windows\system32\whoami.exe
      whoami
      4⤵
      PID:812
- - C:\Users\Admin\AppData\Local\Temp\Files\native.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\native.exe"
    3⤵
    PID:1540
  - - C:\Users\Admin\AppData\Local\Temp\Files\native.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\native.exe"
      4⤵
      PID:2260
- - C:\Users\Admin\AppData\Local\Temp\Files\vi.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\vi.exe"
    3⤵
    PID:3476
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3476 -s 1408
      4⤵
      Program crash
      PID:7448
- - C:\Users\Admin\AppData\Local\Temp\Files\server.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\server.exe"
    3⤵
    PID:7924
- - C:\Users\Admin\AppData\Local\Temp\Files\asdfg.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\asdfg.exe"
    3⤵
    PID:6836
  - - C:\Users\Admin\AppData\Local\Temp\Files\asdfg.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\asdfg.exe"
      4⤵
      PID:7584
- - C:\Users\Admin\AppData\Local\Temp\Files\hv.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\hv.exe"
    3⤵
    PID:7164
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
      4⤵
      PID:8336
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 7164 -s 728
      4⤵
      Program crash
      PID:9172
- - C:\Users\Admin\AppData\Local\Temp\Files\look.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\look.exe"
    3⤵
    PID:5668
  - - C:\Users\Admin\AppData\Local\Temp\Files\look.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\look.exe"
      4⤵
      PID:3032
- - C:\Users\Admin\AppData\Local\Temp\Files\lummac2.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\lummac2.exe"
    3⤵
    PID:8076
- - C:\Users\Admin\AppData\Local\Temp\Files\27.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\27.exe"
    3⤵
    PID:8608
- C:\Windows\SysWOW64\dialer.exe
  "C:\Windows\system32\dialer.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2840
- C:\Windows\SysWOW64\dialer.exe
  "C:\Windows\system32\dialer.exe"
  2⤵
  PID:5624
- C:\Windows\SysWOW64\dialer.exe
  "C:\Windows\system32\dialer.exe"
  2⤵
  PID:6636
- C:\Windows\SysWOW64\dialer.exe
  "C:\Windows\system32\dialer.exe"
  2⤵
  PID:3236
- C:\Windows\SysWOW64\dialer.exe
  "C:\Windows\system32\dialer.exe"
  2⤵
  PID:7876

C:\ProgramData\rdytutcdlfrg\uxtldsktkgfv.exe
C:\ProgramData\rdytutcdlfrg\uxtldsktkgfv.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2404
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:816
- C:\Windows\explorer.exe
  explorer.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1020

C:\Windows\system32\taskeng.exe
taskeng.exe {18435407-51A8-4D83-B58B-3117612BB77B} S-1-5-21-3294248377-1418901787-4083263181-1000:FMEDFXFE\Admin:S4U:
1⤵
PID:6096

C:\Windows\system32\taskeng.exe
taskeng.exe {92B6F633-8F8A-40D8-925D-27F442C4BDD5} S-1-5-21-3294248377-1418901787-4083263181-1000:FMEDFXFE\Admin:Interactive:[1]
1⤵
PID:7432
- C:\Users\Admin\AppData\Local\Current\ibfgpsj\FallbackBuffer.exe
  C:\Users\Admin\AppData\Local\Current\ibfgpsj\FallbackBuffer.exe
  2⤵
  PID:7280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9b5e2bab0a7bd5e6446e2fe86f55f083

SHA1
005cb32bc932be727142b4d73f8336c238609b5b

SHA256
345599edbc0d1e1b7fc05e504160bd90eed09dc61329cc1f9c32f82991c32e85

SHA512
a6bcd60acb8db61809786f9e60cea209fef511313f281d5cb96dc62ced3a1ecc5c29136080d61b35471780c6189b4af687ee80e9704e712bcf10ceef01e26363

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
77f7b821f852cb6fc99bba2fb6384032

SHA1
0350bf473f4bc5e8ebf049b6c805e628686a4b3a

SHA256
95d029c26860074fd1b0139809c4b71bf48976c56df4af8da84bf85d3aae5ae8

SHA512
569eb933cd35f33b5106ae1ab26d6d21a40b7212f58ca7bbe52884e316336978aecccce12b1a79c05e2e54c6b393c28eea04c2f35fc22a5a1d515c7603f795d7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fb0d5b1950b4fa405ae7c94441592b10

SHA1
2d14ed8f89ed3183a50d5cef0430eb226e66c273

SHA256
cdd8a5f3e99af2abbe54dfee25cf4475b170c8994b59a49333e65413ab05a920

SHA512
39fc4edfe2176f2a8fcb281aeaad1e2e94be00c3cb148618ba398ab94e39509b9f3e5fbe8af7676b551c65cfe339f573479878d813f0fa543a7176d17fd7f127

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ed1251966c463b7fbdd45857fdc32fe4

SHA1
a4fae5c4829681309710e858f8ae1bd30f828a4e

SHA256
b1c17048742ccac750be322228763ba48b56cd25269fb5738074b1a12f93dfe1

SHA512
0a576fa6b37fe0a85907123b3a49947c0641cfd7c883afe5c181f7799c3e26a0814d774eac259e1e65faf61b9fe271dc5ecdddee1d5034f212fe31c7eb3be0b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab5D9D.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\27.exe

Filesize
149KB

MD5
ee3b16d7188ad9b08cb1cbe52708b134

SHA1
946ec3b88c7eb1442512cd1ba450b05132e48dc6

SHA256
b134607a248dfe314215ffab39636416dab92d791314f667dbcf9e9c5932d26e

SHA512
2c1272dd493ff6361dcadfbbffc39aaa8c84a3a7b925597de0fa12381c045307943e7bb3827b5c22709c2be010c2d0e1036c79c5f933c58ee05acabb672ab542

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\drivermanager.exe

Filesize
3.6MB

MD5
c28a2d0a008788b49690b333d501e3f3

SHA1
6a25fdb8613db00b09d4d6e1ad302c20c7f7e2c4

SHA256
f61712dccccf8f19c6dbf0dfb7c7c0be9eb2f13d3381ee94e4cb6cb70ffb5f5a

SHA512
455923a63e60b6079d7e0af2bfae5f922b205d024def456ae95158ef1bfcdbc4f56e24b4421a2203f4618d0ea29e229e331c7ee0d7881ee8ebac83fa72f5d788

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\lummac2.exe

Filesize
310KB

MD5
6e3d83935c7a0810f75dfa9badc3f199

SHA1
9f7d7c0ea662bcdca9b0cda928dc339f06ef0730

SHA256
dc4f0a8e3d12c98eac09a42bd976579ccc1851056d9de447495e8be7519760ed

SHA512
9f6b22bc9d0306a69d3c5bab83c7603fa23925c12089f9608772602ab2c4c0908cda2a3d9592fc0fab4aaff209ef41d3e2a931511ce9dfd027691e8dce9ad9b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\test.exe

Filesize
1.4MB

MD5
8dc615a726d1e47c1bbda80d36de8eb4

SHA1
c37198624c15c5a541fce60a164ee0f957b9c269

SHA256
e00aa3c4c4c619fc05fc7deec32ca06959076b3df1063fd2da4205cca4882a94

SHA512
ab52c58de0e7242f78165450498b64e610c36bfc63cb302b33d0400100ae3cd12b444a7b6ed708e0f11bb8b46b5c4d4147ab0ba1ccc5b3633549b65a12146031

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\vi.exe

Filesize
205KB

MD5
baa9e1a92bab85279dca0aed641f1fa9

SHA1
e26721107dce1355b8ecc71b457543b25ceab823

SHA256
d649524fba7b0571351c386359e13228781700def5904eed2c2455e15b2afd66

SHA512
f0f4d1ac701be8ee45b60f2a11d8831b8f53da73a55eeaed08b76cf0b544fc89ae515c5cf8082d67d94c4437b5b4337c6d9f501a25fd45bb3064a00fe0150e80

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\win.exe

Filesize
5.7MB

MD5
36dcf115331160b2f88e83e5b8d07036

SHA1
70a1eacbb83628c336792a5d5a1961a81b8d3a48

SHA256
6730f3ff0586fe95fd3c8514df7dc362eb4efe30a3a43f072797681bb196ad2c

SHA512
c63046a6decdddd1fccd4854bb76a38dc796677497b1cfdde03f1c8c72f60e3292bfcb335651220b89e8de70b5772a47ec73cb0e796045aeff0145c2af3552c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\zardsystemschange.exe

Filesize
7.9MB

MD5
414d550d9c7fed5b71913ed7e4dd967b

SHA1
54e2587ae7b0911bce614baff9c3c143eb8565b9

SHA256
8537ddcdf90cfb74ec563ce669da68cb0c48bf1e9a47461dce1f9f87d8b1468c

SHA512
df1a34db483480e946e12804d01aa1157ddb03cb784ec4d701ec90454a130326e1cff88ba81e08f656fc2c3b3e06d2341b2db77fdddc104941939ed668d32324

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar5DCE.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Users\Admin\AppData\Local\Temp\BLueHvffhw.exe

Filesize
2.7MB

MD5
abf2da5b3e7845f50463a72f8b6e6aaa

SHA1
a5299f55950ca82134da73b9e9844c5d624114c3

SHA256
2a4b1ae0ae67cd31f85680e6351bd5b92ff61e246c158decb1a43a3ef01d9f2c

SHA512
570e8becd18b36d66a2ac295518c8ba3c0bc83d8a6175e601b509efd9237462d1d0826dbeb9e52465e7cdcd57cb4ae7fd859ddc4a5aad895cef6ef7fa981e8a4

Download Submit
\Users\Admin\AppData\Local\Temp\Files\Apep_7.3.5.26365.exe

Filesize
1.7MB

MD5
7034f0621dd09fcaced30a72a608d48d

SHA1
2c508dd75efb16081936a21f1c33b3cd01665c64

SHA256
30cca8eff9a77d856b6ed35c404871f8e1021eb8751ecf738669317297b31864

SHA512
6f487a1f711e6fca18bd7ff45e89ba313626827e3c3dbb004c2ec70d70de19f8f45273f2d4c14e9199e67aefb289ab706c4c435b1fe1e96bec620208d210a73d

Download Submit
\Users\Admin\AppData\Local\Temp\Files\KuwaitSetupHockey.exe

Filesize
4.4MB

MD5
7f69b1fa6c0a0fe8252b40794adc49c6

SHA1
5d1b7a341b1af20eae2cae8732f902a87a04b12b

SHA256
68662d24f56c624dee35c36010f923a8bf8d14b8c779ad3dafe8dd6b81bb3431

SHA512
6a9e13e0b1c1b0c8fbf41c94147c7cf16a41af7bd656dc606c1ca1dc8bc0986785252155661d19cc2f9ec35b26fb47456d842bc5fdf469bdd09f72d48b3a5256

Download Submit
\Users\Admin\AppData\Local\Temp\Files\SvCpJuhbT.exe

Filesize
1.7MB

MD5
c726a4eba148b17c9ccf3692fbc90701

SHA1
52d203ff30f7a23fdc4cb45caa2efa40324a43d9

SHA256
9eb758edc7a192e4a4fcfe1eac1799c1e64408cc57809628f2ae8c2114ff8eb6

SHA512
8499f446c1a7ae0f52f75e61073c916e2531f09b4cf7fc133c63b874d3c42a5cddc280f8b9b9d1be038c6bb789e763213c8d0a1e27add3796cb3a46523ea707e

Download Submit
\Users\Admin\AppData\Local\Temp\Files\UpdaterR.exe

Filesize
47KB

MD5
be101f8181d00ee2196fbc988d85d7d3

SHA1
33ad1f1d1b139b6f2ffe3fe0c7a94f61e4ec7088

SHA256
a1b36b37454873c6afe0f5822e343a029b9724ee07ec6ae4243d5a688e9a84c7

SHA512
167b1e1e2064a3368a7c0d0fcb5883170651325bae540413fdd8b9fcca234b3c6cc598867e640c8272e68fc966dd39378259f8818bff4024ed1edbb25e7bc880

Download Submit
\Users\Admin\AppData\Local\Temp\Files\msa.exe

Filesize
552KB

MD5
230ef121bcb5b8c9b91a2c35788d60ca

SHA1
476b00d10869e5931bbb799d16f563ac803b50e3

SHA256
f3831d6ca373f539fec77e975ae4fc26451bfb3113513813819ea1111f31a81a

SHA512
440e54e9a053a494bdfe1b055ee9ef10a39688ed38e4a620d199059efcd23c669f2f86d1f2e0197b9f7be259dc9ca05b1ab599d8f910e082b8dd0dfcf4ee5775

Download Submit
\Users\Admin\AppData\Local\Temp\Files\putty.exe

Filesize
2.5MB

MD5
744f16da7768ed9f66393cb57f760746

SHA1
759f5bded9426a4b553d6cdd9c07100b775ece4c

SHA256
40332ac6fe28c775fa236b647cd3f4ca015ac140a6344ed88ce7ba33bbf1c501

SHA512
6f081e656299c947a764e1900db14bea62bae1ecde6e0e97d809223caf8bd63b14bcbe2ebfa73051b8e666fd49ebf2989bce3cd378e42df7808a64e5df1b4014

Download Submit
\Users\Admin\AppData\Local\Temp\Files\zxcvb.exe

Filesize
5.4MB

MD5
a2a9c309c5300a53d2c2fc41b71b174b

SHA1
f6c26eae1925425fa8966266e87a57b688fad218

SHA256
7ccfae8644c3bc7439b88f2dc0de06bb5082de09b0bf5e143de17487ff252224

SHA512
a29eec8fa98174a74e9bd93c5902cdd95ce329ff8b7a1469901a95705dc1d7fffde58afa296399febb8559d8cd73c932945e85cce8af54e7a672d8f1618e3f7c

Download Submit
\Users\Admin\AppData\Local\Temp\is-LV3V9.tmp\KuwaitSetupHockey.tmp

Filesize
2.5MB

MD5
656ac8a5f7d94898aca0506acaff40f5

SHA1
4bb836b01cb0bdca3ee39c2541109f76499918ac

SHA256
7da8b863d9db6bf1a94be017c302ca5e2116d0380c86ff4f05fc3f790c18f630

SHA512
0e5dcd1b60d28b4f8f8c38e18d71e2dade166db84c519e3831886b03fd02b5cf50a31dd4e60babb108108f2be23391e61a22de463e43404d96771cf9bb761c02

Download Submit
memory/388-32269-0x00000000000D0000-0x00000000010F6000-memory.dmp

Filesize
16.1MB

Download
memory/816-100-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/816-95-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/816-92-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/816-94-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/816-93-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/816-91-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/912-5027-0x0000000004C30000-0x0000000004EE8000-memory.dmp

Filesize
2.7MB

Download
memory/912-9914-0x0000000004EF0000-0x0000000004FE4000-memory.dmp

Filesize
976KB

Download
memory/912-5010-0x0000000000040000-0x00000000002FC000-memory.dmp

Filesize
2.7MB

Download
memory/1020-98-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1020-99-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1020-102-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1020-105-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1020-107-0x0000000000040000-0x0000000000060000-memory.dmp

Filesize
128KB

Download
memory/1020-106-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1020-103-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1020-104-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1128-27306-0x0000000000840000-0x0000000000CD0000-memory.dmp

Filesize
4.6MB

Download
memory/1128-83-0x0000000000840000-0x0000000000CD0000-memory.dmp

Filesize
4.6MB

Download
memory/1128-82-0x0000000000840000-0x0000000000CD0000-memory.dmp

Filesize
4.6MB

Download
memory/1128-84-0x0000000000840000-0x0000000000CD0000-memory.dmp

Filesize
4.6MB

Download
memory/1128-37192-0x0000000000840000-0x0000000000CD0000-memory.dmp

Filesize
4.6MB

Download
memory/1540-32276-0x0000000000B20000-0x0000000001098000-memory.dmp

Filesize
5.5MB

Download
memory/1540-37177-0x0000000002620000-0x0000000002674000-memory.dmp

Filesize
336KB

Download
memory/1600-5025-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1600-10287-0x00000000004E0000-0x00000000004E8000-memory.dmp

Filesize
32KB

Download
memory/1860-123-0x0000000006120000-0x000000000668E000-memory.dmp

Filesize
5.4MB

Download
memory/1860-145-0x0000000006120000-0x000000000668E000-memory.dmp

Filesize
5.4MB

Download
memory/1860-153-0x0000000006120000-0x000000000668E000-memory.dmp

Filesize
5.4MB

Download
memory/1860-151-0x0000000006120000-0x000000000668E000-memory.dmp

Filesize
5.4MB

Download
memory/1860-149-0x0000000006120000-0x000000000668E000-memory.dmp

Filesize
5.4MB

Download
memory/1860-4999-0x00000000747F0000-0x0000000074EDE000-memory.dmp

Filesize
6.9MB

Download
memory/1860-5001-0x00000000006A0000-0x00000000006EC000-memory.dmp

Filesize
304KB

Download
memory/1860-115-0x0000000006120000-0x000000000668E000-memory.dmp

Filesize
5.4MB

Download
memory/1860-5026-0x00000000747F0000-0x0000000074EDE000-memory.dmp

Filesize
6.9MB

Download
memory/1860-133-0x0000000006120000-0x000000000668E000-memory.dmp

Filesize
5.4MB

Download
memory/1860-139-0x0000000006120000-0x000000000668E000-memory.dmp

Filesize
5.4MB

Download
memory/1860-155-0x0000000006120000-0x000000000668E000-memory.dmp

Filesize
5.4MB

Download
memory/1860-141-0x0000000006120000-0x000000000668E000-memory.dmp

Filesize
5.4MB

Download
memory/1860-5008-0x0000000005FF0000-0x0000000006044000-memory.dmp

Filesize
336KB

Download
memory/1860-125-0x0000000006120000-0x000000000668E000-memory.dmp

Filesize
5.4MB

Download
memory/1860-127-0x0000000006120000-0x000000000668E000-memory.dmp

Filesize
5.4MB

Download
memory/1860-5000-0x0000000006E10000-0x00000000071C0000-memory.dmp

Filesize
3.7MB

Download
memory/1860-131-0x0000000006120000-0x000000000668E000-memory.dmp

Filesize
5.4MB

Download
memory/1860-72-0x00000000747F0000-0x0000000074EDE000-memory.dmp

Filesize
6.9MB

Download
memory/1860-147-0x0000000006120000-0x000000000668E000-memory.dmp

Filesize
5.4MB

Download
memory/1860-129-0x0000000006120000-0x000000000668E000-memory.dmp

Filesize
5.4MB

Download
memory/1860-122-0x0000000006120000-0x000000000668E000-memory.dmp

Filesize
5.4MB

Download
memory/1860-119-0x0000000006120000-0x000000000668E000-memory.dmp

Filesize
5.4MB

Download
memory/1860-73-0x00000000011C0000-0x0000000001738000-memory.dmp

Filesize
5.5MB

Download
memory/1860-135-0x0000000006120000-0x000000000668E000-memory.dmp

Filesize
5.4MB

Download
memory/1860-108-0x0000000006120000-0x000000000668E000-memory.dmp

Filesize
5.4MB

Download
memory/1860-143-0x0000000006120000-0x000000000668E000-memory.dmp

Filesize
5.4MB

Download
memory/1860-109-0x0000000006120000-0x000000000668E000-memory.dmp

Filesize
5.4MB

Download
memory/1860-87-0x0000000006120000-0x0000000006694000-memory.dmp

Filesize
5.5MB

Download
memory/1860-111-0x0000000006120000-0x000000000668E000-memory.dmp

Filesize
5.4MB

Download
memory/1860-22242-0x0000000000080000-0x0000000000130000-memory.dmp

Filesize
704KB

Download
memory/1860-117-0x0000000006120000-0x000000000668E000-memory.dmp

Filesize
5.4MB

Download
memory/1860-113-0x0000000006120000-0x000000000668E000-memory.dmp

Filesize
5.4MB

Download
memory/1860-137-0x0000000006120000-0x000000000668E000-memory.dmp

Filesize
5.4MB

Download
memory/3008-32262-0x00000000077D0000-0x00000000087F6000-memory.dmp

Filesize
16.1MB

Download
memory/3008-32266-0x00000000077D0000-0x00000000087F6000-memory.dmp

Filesize
16.1MB

Download
memory/3008-1-0x0000000000260000-0x0000000000268000-memory.dmp

Filesize
32KB

Download
memory/3008-2-0x00000000747F0000-0x0000000074EDE000-memory.dmp

Filesize
6.9MB

Download
memory/3008-27522-0x0000000000A80000-0x0000000000A99000-memory.dmp

Filesize
100KB

Download
memory/3008-12471-0x00000000747F0000-0x0000000074EDE000-memory.dmp

Filesize
6.9MB

Download
memory/3008-80-0x0000000006A70000-0x0000000006F00000-memory.dmp

Filesize
4.6MB

Download
memory/3008-27285-0x0000000006A70000-0x0000000006F00000-memory.dmp

Filesize
4.6MB

Download
memory/3008-0-0x00000000747FE000-0x00000000747FF000-memory.dmp

Filesize
4KB

Download
memory/3008-12354-0x00000000747FE000-0x00000000747FF000-memory.dmp

Filesize
4KB

Download
memory/3032-42330-0x0000000000080000-0x00000000000B6000-memory.dmp

Filesize
216KB

Download
memory/3308-12179-0x0000000004340000-0x0000000004396000-memory.dmp

Filesize
344KB

Download
memory/3308-12178-0x0000000002210000-0x0000000002218000-memory.dmp

Filesize
32KB

Download
memory/3308-9934-0x0000000000340000-0x00000000003EC000-memory.dmp

Filesize
688KB

Download
memory/3308-9935-0x0000000004810000-0x00000000048F8000-memory.dmp

Filesize
928KB

Download
memory/5620-17292-0x0000000001390000-0x0000000001908000-memory.dmp

Filesize
5.5MB

Download
memory/5668-42299-0x0000000000C10000-0x0000000000C76000-memory.dmp

Filesize
408KB

Download
memory/5668-42295-0x0000000000F70000-0x000000000101C000-memory.dmp

Filesize
688KB

Download
memory/6268-27202-0x0000000001090000-0x0000000001120000-memory.dmp

Filesize
576KB

Download
memory/6268-27205-0x0000000000E80000-0x0000000000EE6000-memory.dmp

Filesize
408KB

Download
memory/6268-27287-0x00000000005D0000-0x00000000005D8000-memory.dmp

Filesize
32KB

Download
memory/6444-27216-0x0000000001340000-0x00000000016DC000-memory.dmp

Filesize
3.6MB

Download
memory/6444-27218-0x0000000000E90000-0x0000000000F96000-memory.dmp

Filesize
1.0MB

Download
memory/6444-27220-0x0000000000410000-0x000000000042C000-memory.dmp

Filesize
112KB

Download
memory/6444-27219-0x00000000010D0000-0x00000000011BC000-memory.dmp

Filesize
944KB

Download
memory/6568-37194-0x0000000000C10000-0x0000000000D70000-memory.dmp

Filesize
1.4MB

Download
memory/6568-37363-0x0000000022130000-0x0000000022172000-memory.dmp

Filesize
264KB

Download
memory/6836-37368-0x0000000001040000-0x00000000015B8000-memory.dmp

Filesize
5.5MB

Download
memory/7164-42358-0x0000000006CE0000-0x00000000070C0000-memory.dmp

Filesize
3.9MB

Download
memory/7164-42274-0x0000000000FC0000-0x000000000152C000-memory.dmp

Filesize
5.4MB

Download
memory/7164-42367-0x0000000000310000-0x0000000000320000-memory.dmp

Filesize
64KB

Download
memory/7164-42363-0x00000000070C0000-0x0000000007252000-memory.dmp

Filesize
1.6MB

Download
memory/7256-27309-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/7280-42345-0x00000000009F0000-0x0000000000CAC000-memory.dmp

Filesize
2.7MB

Download
memory/7796-27341-0x0000000000BF0000-0x0000000001168000-memory.dmp

Filesize
5.5MB

Download
memory/7796-32237-0x0000000000BA0000-0x0000000000BF4000-memory.dmp

Filesize
336KB

Download
memory/7888-32258-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/7888-32261-0x0000000000020000-0x0000000000039000-memory.dmp

Filesize
100KB

Download
memory/7888-32260-0x0000000000020000-0x0000000000039000-memory.dmp

Filesize
100KB

Download
memory/7924-37193-0x0000000001170000-0x0000000001196000-memory.dmp

Filesize
152KB

Download
memory/8336-42385-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/8608-42359-0x0000000000E90000-0x0000000000EBC000-memory.dmp

Filesize
176KB

Download
memory/8608-42360-0x0000000000990000-0x00000000009AA000-memory.dmp

Filesize
104KB

Download
memory/9012-12353-0x0000000000DF0000-0x0000000001368000-memory.dmp

Filesize
5.5MB

Download