749684b3bb68d16324b74b2bd3e073ac90af70f3e80b49b1ef5680d9a3bcf164

Analysis

max time kernel
102s
max time network
124s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
27-07-2024 05:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

99000dc6fb6055facc482f2a3e416710N.exe
Size

2.8MB
MD5

99000dc6fb6055facc482f2a3e416710
SHA1

51da63cf6e8636cd022f71067a9e6d545a2aaba7
SHA256

749684b3bb68d16324b74b2bd3e073ac90af70f3e80b49b1ef5680d9a3bcf164
SHA512

a174881605e91f670307ae55d1cc52f790f756f01bb1eb431e8201a30ab12f82860b7976d84b8b8bf5f1132ea9eb451b9db841024498fc17feeec0e1b814133d
SSDEEP

49152:JnVWf6wUA70vvJdYcSh0R+9cjWT9Nr9r8+P1yoE2z/LoWBWYiIliSNF0i0baOnl3:UgvJdYc2bt9xdVPIoE2/oVqliSNF49Tj

Score

7^/10

discovery upx

Malware Config

Signatures

Executes dropped EXE 64 IoCs

Processes:

psiphon3-meek.exepsiphon3-plonk.exepsiphon3-plonk.exepsiphon3-plonk.exepsiphon3-plonk.exepsiphon3-plonk.exepsiphon3-plonk.exepsiphon3-plonk.exepsiphon3-plonk.exepsiphon3-plonk.exepsiphon3-plonk.exepsiphon3-plonk.exepsiphon3-plonk.exepsiphon3-plonk.exepsiphon3-plonk.exepsiphon3-plonk.exepsiphon3-plonk.exepsiphon3-plonk.exepsiphon3-plonk.exepsiphon3-plonk.exepsiphon3-plonk.exepsiphon3-plonk.exepsiphon3-plonk.exepsiphon3-plonk.exepsiphon3-plonk.exepsiphon3-plonk.exepsiphon3-plonk.exepsiphon3-plonk.exepsiphon3-plonk.exepsiphon3-plonk.exepsiphon3-plonk.exepsiphon3-plonk.exepsiphon3-plonk.exepsiphon3-plonk.exepsiphon3-plonk.exepsiphon3-plonk.exepsiphon3-plonk.exepsiphon3-plonk.exepsiphon3-plonk.exepsiphon3-plonk.exepsiphon3-plonk.exepsiphon3-plonk.exepsiphon3-plonk.exepsiphon3-plonk.exepsiphon3-plonk.exepsiphon3-plonk.exepsiphon3-plonk.exepsiphon3-plonk.exepsiphon3-plonk.exepsiphon3-plonk.exepsiphon3-plonk.exepsiphon3-plonk.exepsiphon3-plonk.exepsiphon3-plonk.exepsiphon3-plonk.exepsiphon3-plonk.exepsiphon3-plonk.exepsiphon3-plonk.exepsiphon3-plonk.exepsiphon3-plonk.exepsiphon3-plonk.exepsiphon3-plonk.exepsiphon3-plonk.exepsiphon3-plonk.exe

pid	process
1720	psiphon3-meek.exe
1504	psiphon3-plonk.exe
2168	psiphon3-plonk.exe
2564	psiphon3-plonk.exe
2696	psiphon3-plonk.exe
1656	psiphon3-plonk.exe
3068	psiphon3-plonk.exe
2648	psiphon3-plonk.exe
2616	psiphon3-plonk.exe
2560	psiphon3-plonk.exe
2668	psiphon3-plonk.exe
1324	psiphon3-plonk.exe
2924	psiphon3-plonk.exe
2368	psiphon3-plonk.exe
1620	psiphon3-plonk.exe
1680	psiphon3-plonk.exe
1932	psiphon3-plonk.exe
832	psiphon3-plonk.exe
1060	psiphon3-plonk.exe
864	psiphon3-plonk.exe
704	psiphon3-plonk.exe
2036	psiphon3-plonk.exe
1368	psiphon3-plonk.exe
2284	psiphon3-plonk.exe
1608	psiphon3-plonk.exe
2600	psiphon3-plonk.exe
2308	psiphon3-plonk.exe
2416	psiphon3-plonk.exe
1716	psiphon3-plonk.exe
1384	psiphon3-plonk.exe
700	psiphon3-plonk.exe
2668	psiphon3-plonk.exe
904	psiphon3-plonk.exe
852	psiphon3-plonk.exe
3052	psiphon3-plonk.exe
1740	psiphon3-plonk.exe
2124	psiphon3-plonk.exe
1020	psiphon3-plonk.exe
1888	psiphon3-plonk.exe
2208	psiphon3-plonk.exe
2240	psiphon3-plonk.exe
2836	psiphon3-plonk.exe
1604	psiphon3-plonk.exe
1776	psiphon3-plonk.exe
2092	psiphon3-plonk.exe
1324	psiphon3-plonk.exe
1072	psiphon3-plonk.exe
1696	psiphon3-plonk.exe
2456	psiphon3-plonk.exe
2652	psiphon3-plonk.exe
1860	psiphon3-plonk.exe
2300	psiphon3-plonk.exe
1968	psiphon3-plonk.exe
1184	psiphon3-plonk.exe
2832	psiphon3-plonk.exe
2812	psiphon3-plonk.exe
2796	psiphon3-plonk.exe
2776	psiphon3-plonk.exe
1964	psiphon3-plonk.exe
2408	psiphon3-plonk.exe
2616	psiphon3-plonk.exe
2184	psiphon3-plonk.exe
2344	psiphon3-plonk.exe
2732	psiphon3-plonk.exe

Loads dropped DLL 64 IoCs

Processes:

99000dc6fb6055facc482f2a3e416710N.exe

pid	process
3016	99000dc6fb6055facc482f2a3e416710N.exe
3016	99000dc6fb6055facc482f2a3e416710N.exe
3016	99000dc6fb6055facc482f2a3e416710N.exe
3016	99000dc6fb6055facc482f2a3e416710N.exe
3016	99000dc6fb6055facc482f2a3e416710N.exe
3016	99000dc6fb6055facc482f2a3e416710N.exe
3016	99000dc6fb6055facc482f2a3e416710N.exe
3016	99000dc6fb6055facc482f2a3e416710N.exe
3016	99000dc6fb6055facc482f2a3e416710N.exe
3016	99000dc6fb6055facc482f2a3e416710N.exe
3016	99000dc6fb6055facc482f2a3e416710N.exe
3016	99000dc6fb6055facc482f2a3e416710N.exe
3016	99000dc6fb6055facc482f2a3e416710N.exe
3016	99000dc6fb6055facc482f2a3e416710N.exe
3016	99000dc6fb6055facc482f2a3e416710N.exe
3016	99000dc6fb6055facc482f2a3e416710N.exe
3016	99000dc6fb6055facc482f2a3e416710N.exe
3016	99000dc6fb6055facc482f2a3e416710N.exe
3016	99000dc6fb6055facc482f2a3e416710N.exe
3016	99000dc6fb6055facc482f2a3e416710N.exe
3016	99000dc6fb6055facc482f2a3e416710N.exe
3016	99000dc6fb6055facc482f2a3e416710N.exe
3016	99000dc6fb6055facc482f2a3e416710N.exe
3016	99000dc6fb6055facc482f2a3e416710N.exe
3016	99000dc6fb6055facc482f2a3e416710N.exe
3016	99000dc6fb6055facc482f2a3e416710N.exe
3016	99000dc6fb6055facc482f2a3e416710N.exe
3016	99000dc6fb6055facc482f2a3e416710N.exe
3016	99000dc6fb6055facc482f2a3e416710N.exe
3016	99000dc6fb6055facc482f2a3e416710N.exe
3016	99000dc6fb6055facc482f2a3e416710N.exe
3016	99000dc6fb6055facc482f2a3e416710N.exe
3016	99000dc6fb6055facc482f2a3e416710N.exe
3016	99000dc6fb6055facc482f2a3e416710N.exe
3016	99000dc6fb6055facc482f2a3e416710N.exe
3016	99000dc6fb6055facc482f2a3e416710N.exe
3016	99000dc6fb6055facc482f2a3e416710N.exe
3016	99000dc6fb6055facc482f2a3e416710N.exe
3016	99000dc6fb6055facc482f2a3e416710N.exe
3016	99000dc6fb6055facc482f2a3e416710N.exe
3016	99000dc6fb6055facc482f2a3e416710N.exe
3016	99000dc6fb6055facc482f2a3e416710N.exe
3016	99000dc6fb6055facc482f2a3e416710N.exe
3016	99000dc6fb6055facc482f2a3e416710N.exe
3016	99000dc6fb6055facc482f2a3e416710N.exe
3016	99000dc6fb6055facc482f2a3e416710N.exe
3016	99000dc6fb6055facc482f2a3e416710N.exe
3016	99000dc6fb6055facc482f2a3e416710N.exe
3016	99000dc6fb6055facc482f2a3e416710N.exe
3016	99000dc6fb6055facc482f2a3e416710N.exe
3016	99000dc6fb6055facc482f2a3e416710N.exe
3016	99000dc6fb6055facc482f2a3e416710N.exe
3016	99000dc6fb6055facc482f2a3e416710N.exe
3016	99000dc6fb6055facc482f2a3e416710N.exe
3016	99000dc6fb6055facc482f2a3e416710N.exe
3016	99000dc6fb6055facc482f2a3e416710N.exe
3016	99000dc6fb6055facc482f2a3e416710N.exe
3016	99000dc6fb6055facc482f2a3e416710N.exe
3016	99000dc6fb6055facc482f2a3e416710N.exe
3016	99000dc6fb6055facc482f2a3e416710N.exe
3016	99000dc6fb6055facc482f2a3e416710N.exe
3016	99000dc6fb6055facc482f2a3e416710N.exe
3016	99000dc6fb6055facc482f2a3e416710N.exe
3016	99000dc6fb6055facc482f2a3e416710N.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2560-63-0x0000000000400000-0x00000000004D6000-memory.dmp	upx
behavioral1/memory/2648-62-0x0000000000400000-0x00000000004D6000-memory.dmp	upx
behavioral1/memory/1656-61-0x0000000000400000-0x00000000004D6000-memory.dmp	upx
behavioral1/memory/2668-58-0x0000000000400000-0x00000000004D6000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\psiphon3-plonk.exe	upx
behavioral1/memory/2564-65-0x0000000000400000-0x00000000004D6000-memory.dmp	upx
behavioral1/memory/1504-50-0x0000000000400000-0x00000000004D6000-memory.dmp	upx
behavioral1/memory/1324-70-0x0000000000400000-0x00000000004D6000-memory.dmp	upx
behavioral1/memory/1720-10-0x0000000000400000-0x0000000000A61000-memory.dmp	upx
behavioral1/memory/3016-9-0x0000000004B70000-0x00000000051D1000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\psiphon3-meek.exe	upx
behavioral1/memory/3016-0-0x0000000000880000-0x0000000000CD2000-memory.dmp	upx
behavioral1/memory/2616-293-0x0000000000400000-0x00000000004D6000-memory.dmp	upx
behavioral1/memory/2648-297-0x0000000000400000-0x00000000004D6000-memory.dmp	upx
behavioral1/memory/3016-309-0x0000000000880000-0x0000000000CD2000-memory.dmp	upx
behavioral1/memory/1720-310-0x0000000000400000-0x0000000000A61000-memory.dmp	upx
behavioral1/memory/3068-315-0x0000000000400000-0x00000000004D6000-memory.dmp	upx
behavioral1/memory/2696-314-0x0000000000400000-0x00000000004D6000-memory.dmp	upx
behavioral1/memory/1504-316-0x0000000000400000-0x00000000004D6000-memory.dmp	upx
behavioral1/memory/2168-317-0x0000000000400000-0x00000000004D6000-memory.dmp	upx
behavioral1/memory/1324-320-0x0000000000400000-0x00000000004D6000-memory.dmp	upx
behavioral1/memory/3016-321-0x0000000000880000-0x0000000000CD2000-memory.dmp	upx
behavioral1/memory/2368-332-0x0000000000400000-0x00000000004D6000-memory.dmp	upx
behavioral1/memory/2924-331-0x0000000000400000-0x00000000004D6000-memory.dmp	upx
behavioral1/memory/3016-337-0x0000000000880000-0x0000000000CD2000-memory.dmp	upx
behavioral1/memory/2696-358-0x0000000000400000-0x00000000004D6000-memory.dmp	upx
behavioral1/memory/1656-354-0x0000000000400000-0x00000000004D6000-memory.dmp	upx
behavioral1/memory/1504-364-0x0000000000400000-0x00000000004D6000-memory.dmp	upx
behavioral1/memory/864-399-0x0000000000400000-0x00000000004D6000-memory.dmp	upx
behavioral1/memory/1060-398-0x0000000000400000-0x00000000004D6000-memory.dmp	upx
behavioral1/memory/832-397-0x0000000000400000-0x00000000004D6000-memory.dmp	upx
behavioral1/memory/1932-396-0x0000000000400000-0x00000000004D6000-memory.dmp	upx
behavioral1/memory/1680-395-0x0000000000400000-0x00000000004D6000-memory.dmp	upx
behavioral1/memory/3016-393-0x0000000003FB0000-0x0000000004086000-memory.dmp	upx
behavioral1/memory/2168-350-0x0000000000400000-0x00000000004D6000-memory.dmp	upx
behavioral1/memory/3068-346-0x0000000000400000-0x00000000004D6000-memory.dmp	upx
behavioral1/memory/2560-345-0x0000000000400000-0x00000000004D6000-memory.dmp	upx
behavioral1/memory/2668-339-0x0000000000400000-0x00000000004D6000-memory.dmp	upx
behavioral1/memory/1324-403-0x0000000000400000-0x00000000004D6000-memory.dmp	upx
behavioral1/memory/2036-408-0x0000000000400000-0x00000000004D6000-memory.dmp	upx
behavioral1/memory/1932-411-0x0000000000400000-0x00000000004D6000-memory.dmp	upx
behavioral1/memory/2924-423-0x0000000000400000-0x00000000004D6000-memory.dmp	upx
behavioral1/memory/2368-422-0x0000000000400000-0x00000000004D6000-memory.dmp	upx
behavioral1/memory/3016-426-0x0000000003FB0000-0x0000000004086000-memory.dmp	upx
behavioral1/memory/1620-431-0x0000000000400000-0x00000000004D6000-memory.dmp	upx
behavioral1/memory/704-438-0x0000000000400000-0x00000000004D6000-memory.dmp	upx
behavioral1/memory/2036-439-0x0000000000400000-0x00000000004D6000-memory.dmp	upx
behavioral1/memory/1368-440-0x0000000000400000-0x00000000004D6000-memory.dmp	upx
behavioral1/memory/3016-441-0x0000000000880000-0x0000000000CD2000-memory.dmp	upx
behavioral1/memory/1608-445-0x0000000000400000-0x00000000004D6000-memory.dmp	upx
behavioral1/memory/2284-451-0x0000000000400000-0x00000000004D6000-memory.dmp	upx
behavioral1/memory/864-457-0x0000000000400000-0x00000000004D6000-memory.dmp	upx
behavioral1/memory/1620-463-0x0000000000400000-0x00000000004D6000-memory.dmp	upx
behavioral1/memory/1680-462-0x0000000000400000-0x00000000004D6000-memory.dmp	upx
behavioral1/memory/832-468-0x0000000000400000-0x00000000004D6000-memory.dmp	upx
behavioral1/memory/1060-467-0x0000000000400000-0x00000000004D6000-memory.dmp	upx
behavioral1/memory/700-493-0x0000000000400000-0x00000000004D6000-memory.dmp	upx
behavioral1/memory/1716-492-0x0000000000400000-0x00000000004D6000-memory.dmp	upx
behavioral1/memory/3016-479-0x0000000000880000-0x0000000000CD2000-memory.dmp	upx
behavioral1/memory/704-474-0x0000000000400000-0x00000000004D6000-memory.dmp	upx
behavioral1/memory/2036-537-0x0000000000400000-0x00000000004D6000-memory.dmp	upx
behavioral1/memory/1720-534-0x0000000000400000-0x0000000000A61000-memory.dmp	upx
behavioral1/memory/1368-552-0x0000000000400000-0x00000000004D6000-memory.dmp	upx
behavioral1/memory/904-574-0x0000000000400000-0x00000000004D6000-memory.dmp	upx

Unexpected DNS network traffic destination 1 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description ioc

Destination IP 107.170.225.246

description	ioc
Destination IP	107.170.225.246

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

psiphon3-plonk.exepsiphon3-plonk.exepsiphon3-plonk.exepsiphon3-plonk.exepsiphon3-plonk.exepsiphon3-plonk.exepsiphon3-plonk.exepsiphon3-plonk.exepsiphon3-plonk.exepsiphon3-plonk.exepsiphon3-plonk.exepsiphon3-plonk.exepsiphon3-plonk.exepsiphon3-plonk.exepsiphon3-plonk.exepsiphon3-plonk.exepsiphon3-plonk.exepsiphon3-plonk.exepsiphon3-plonk.exepsiphon3-plonk.exepsiphon3-plonk.exepsiphon3-plonk.exepsiphon3-plonk.exepsiphon3-plonk.exepsiphon3-plonk.exepsiphon3-plonk.exepsiphon3-plonk.exepsiphon3-plonk.exepsiphon3-plonk.exepsiphon3-plonk.exepsiphon3-plonk.exepsiphon3-plonk.exepsiphon3-plonk.exepsiphon3-plonk.exepsiphon3-plonk.exepsiphon3-plonk.exepsiphon3-meek.exepsiphon3-plonk.exepsiphon3-plonk.exepsiphon3-plonk.exepsiphon3-plonk.exepsiphon3-plonk.exepsiphon3-plonk.exepsiphon3-plonk.exepsiphon3-plonk.exepsiphon3-plonk.exepsiphon3-plonk.exepsiphon3-plonk.exepsiphon3-plonk.exepsiphon3-plonk.exepsiphon3-plonk.exepsiphon3-plonk.exepsiphon3-plonk.exepsiphon3-plonk.exe99000dc6fb6055facc482f2a3e416710N.exepsiphon3-plonk.exepsiphon3-plonk.exepsiphon3-plonk.exepsiphon3-plonk.exepsiphon3-plonk.exepsiphon3-plonk.exepsiphon3-plonk.exepsiphon3-plonk.exepsiphon3-plonk.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	psiphon3-plonk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	psiphon3-plonk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	psiphon3-plonk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	psiphon3-plonk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	psiphon3-plonk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	psiphon3-plonk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	psiphon3-plonk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	psiphon3-plonk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	psiphon3-plonk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	psiphon3-plonk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	psiphon3-plonk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	psiphon3-plonk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	psiphon3-plonk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	psiphon3-plonk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	psiphon3-plonk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	psiphon3-plonk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	psiphon3-plonk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	psiphon3-plonk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	psiphon3-plonk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	psiphon3-plonk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	psiphon3-plonk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	psiphon3-plonk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	psiphon3-plonk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	psiphon3-plonk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	psiphon3-plonk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	psiphon3-plonk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	psiphon3-plonk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	psiphon3-plonk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	psiphon3-plonk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	psiphon3-plonk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	psiphon3-plonk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	psiphon3-plonk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	psiphon3-plonk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	psiphon3-plonk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	psiphon3-plonk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	psiphon3-plonk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	psiphon3-meek.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	psiphon3-plonk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	psiphon3-plonk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	psiphon3-plonk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	psiphon3-plonk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	psiphon3-plonk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	psiphon3-plonk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	psiphon3-plonk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	psiphon3-plonk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	psiphon3-plonk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	psiphon3-plonk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	psiphon3-plonk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	psiphon3-plonk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	psiphon3-plonk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	psiphon3-plonk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	psiphon3-plonk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	psiphon3-plonk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	psiphon3-plonk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	99000dc6fb6055facc482f2a3e416710N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	psiphon3-plonk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	psiphon3-plonk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	psiphon3-plonk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	psiphon3-plonk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	psiphon3-plonk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	psiphon3-plonk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	psiphon3-plonk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	psiphon3-plonk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	psiphon3-plonk.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

99000dc6fb6055facc482f2a3e416710N.exe

description	pid	process	target process
PID 3016 wrote to memory of 1720	3016	99000dc6fb6055facc482f2a3e416710N.exe	psiphon3-meek.exe
PID 3016 wrote to memory of 1720	3016	99000dc6fb6055facc482f2a3e416710N.exe	psiphon3-meek.exe
PID 3016 wrote to memory of 1720	3016	99000dc6fb6055facc482f2a3e416710N.exe	psiphon3-meek.exe
PID 3016 wrote to memory of 1720	3016	99000dc6fb6055facc482f2a3e416710N.exe	psiphon3-meek.exe
PID 3016 wrote to memory of 1504	3016	99000dc6fb6055facc482f2a3e416710N.exe	psiphon3-plonk.exe
PID 3016 wrote to memory of 1504	3016	99000dc6fb6055facc482f2a3e416710N.exe	psiphon3-plonk.exe
PID 3016 wrote to memory of 1504	3016	99000dc6fb6055facc482f2a3e416710N.exe	psiphon3-plonk.exe
PID 3016 wrote to memory of 1504	3016	99000dc6fb6055facc482f2a3e416710N.exe	psiphon3-plonk.exe
PID 3016 wrote to memory of 1656	3016	99000dc6fb6055facc482f2a3e416710N.exe	psiphon3-plonk.exe
PID 3016 wrote to memory of 1656	3016	99000dc6fb6055facc482f2a3e416710N.exe	psiphon3-plonk.exe
PID 3016 wrote to memory of 1656	3016	99000dc6fb6055facc482f2a3e416710N.exe	psiphon3-plonk.exe
PID 3016 wrote to memory of 1656	3016	99000dc6fb6055facc482f2a3e416710N.exe	psiphon3-plonk.exe
PID 3016 wrote to memory of 2168	3016	99000dc6fb6055facc482f2a3e416710N.exe	psiphon3-plonk.exe
PID 3016 wrote to memory of 2168	3016	99000dc6fb6055facc482f2a3e416710N.exe	psiphon3-plonk.exe
PID 3016 wrote to memory of 2168	3016	99000dc6fb6055facc482f2a3e416710N.exe	psiphon3-plonk.exe
PID 3016 wrote to memory of 2168	3016	99000dc6fb6055facc482f2a3e416710N.exe	psiphon3-plonk.exe
PID 3016 wrote to memory of 3068	3016	99000dc6fb6055facc482f2a3e416710N.exe	psiphon3-plonk.exe
PID 3016 wrote to memory of 3068	3016	99000dc6fb6055facc482f2a3e416710N.exe	psiphon3-plonk.exe
PID 3016 wrote to memory of 3068	3016	99000dc6fb6055facc482f2a3e416710N.exe	psiphon3-plonk.exe
PID 3016 wrote to memory of 3068	3016	99000dc6fb6055facc482f2a3e416710N.exe	psiphon3-plonk.exe
PID 3016 wrote to memory of 2564	3016	99000dc6fb6055facc482f2a3e416710N.exe	psiphon3-plonk.exe
PID 3016 wrote to memory of 2564	3016	99000dc6fb6055facc482f2a3e416710N.exe	psiphon3-plonk.exe
PID 3016 wrote to memory of 2564	3016	99000dc6fb6055facc482f2a3e416710N.exe	psiphon3-plonk.exe
PID 3016 wrote to memory of 2564	3016	99000dc6fb6055facc482f2a3e416710N.exe	psiphon3-plonk.exe
PID 3016 wrote to memory of 2648	3016	99000dc6fb6055facc482f2a3e416710N.exe	psiphon3-plonk.exe
PID 3016 wrote to memory of 2648	3016	99000dc6fb6055facc482f2a3e416710N.exe	psiphon3-plonk.exe
PID 3016 wrote to memory of 2648	3016	99000dc6fb6055facc482f2a3e416710N.exe	psiphon3-plonk.exe
PID 3016 wrote to memory of 2648	3016	99000dc6fb6055facc482f2a3e416710N.exe	psiphon3-plonk.exe
PID 3016 wrote to memory of 2696	3016	99000dc6fb6055facc482f2a3e416710N.exe	psiphon3-plonk.exe
PID 3016 wrote to memory of 2696	3016	99000dc6fb6055facc482f2a3e416710N.exe	psiphon3-plonk.exe
PID 3016 wrote to memory of 2696	3016	99000dc6fb6055facc482f2a3e416710N.exe	psiphon3-plonk.exe
PID 3016 wrote to memory of 2696	3016	99000dc6fb6055facc482f2a3e416710N.exe	psiphon3-plonk.exe
PID 3016 wrote to memory of 2616	3016	99000dc6fb6055facc482f2a3e416710N.exe	psiphon3-plonk.exe
PID 3016 wrote to memory of 2616	3016	99000dc6fb6055facc482f2a3e416710N.exe	psiphon3-plonk.exe
PID 3016 wrote to memory of 2616	3016	99000dc6fb6055facc482f2a3e416710N.exe	psiphon3-plonk.exe
PID 3016 wrote to memory of 2616	3016	99000dc6fb6055facc482f2a3e416710N.exe	psiphon3-plonk.exe
PID 3016 wrote to memory of 2560	3016	99000dc6fb6055facc482f2a3e416710N.exe	psiphon3-plonk.exe
PID 3016 wrote to memory of 2560	3016	99000dc6fb6055facc482f2a3e416710N.exe	psiphon3-plonk.exe
PID 3016 wrote to memory of 2560	3016	99000dc6fb6055facc482f2a3e416710N.exe	psiphon3-plonk.exe
PID 3016 wrote to memory of 2560	3016	99000dc6fb6055facc482f2a3e416710N.exe	psiphon3-plonk.exe
PID 3016 wrote to memory of 2668	3016	99000dc6fb6055facc482f2a3e416710N.exe	psiphon3-plonk.exe
PID 3016 wrote to memory of 2668	3016	99000dc6fb6055facc482f2a3e416710N.exe	psiphon3-plonk.exe
PID 3016 wrote to memory of 2668	3016	99000dc6fb6055facc482f2a3e416710N.exe	psiphon3-plonk.exe
PID 3016 wrote to memory of 2668	3016	99000dc6fb6055facc482f2a3e416710N.exe	psiphon3-plonk.exe
PID 3016 wrote to memory of 1324	3016	99000dc6fb6055facc482f2a3e416710N.exe	psiphon3-plonk.exe
PID 3016 wrote to memory of 1324	3016	99000dc6fb6055facc482f2a3e416710N.exe	psiphon3-plonk.exe
PID 3016 wrote to memory of 1324	3016	99000dc6fb6055facc482f2a3e416710N.exe	psiphon3-plonk.exe
PID 3016 wrote to memory of 1324	3016	99000dc6fb6055facc482f2a3e416710N.exe	psiphon3-plonk.exe
PID 3016 wrote to memory of 2924	3016	99000dc6fb6055facc482f2a3e416710N.exe	psiphon3-plonk.exe
PID 3016 wrote to memory of 2924	3016	99000dc6fb6055facc482f2a3e416710N.exe	psiphon3-plonk.exe
PID 3016 wrote to memory of 2924	3016	99000dc6fb6055facc482f2a3e416710N.exe	psiphon3-plonk.exe
PID 3016 wrote to memory of 2924	3016	99000dc6fb6055facc482f2a3e416710N.exe	psiphon3-plonk.exe
PID 3016 wrote to memory of 2368	3016	99000dc6fb6055facc482f2a3e416710N.exe	psiphon3-plonk.exe
PID 3016 wrote to memory of 2368	3016	99000dc6fb6055facc482f2a3e416710N.exe	psiphon3-plonk.exe
PID 3016 wrote to memory of 2368	3016	99000dc6fb6055facc482f2a3e416710N.exe	psiphon3-plonk.exe
PID 3016 wrote to memory of 2368	3016	99000dc6fb6055facc482f2a3e416710N.exe	psiphon3-plonk.exe
PID 3016 wrote to memory of 1620	3016	99000dc6fb6055facc482f2a3e416710N.exe	psiphon3-plonk.exe
PID 3016 wrote to memory of 1620	3016	99000dc6fb6055facc482f2a3e416710N.exe	psiphon3-plonk.exe
PID 3016 wrote to memory of 1620	3016	99000dc6fb6055facc482f2a3e416710N.exe	psiphon3-plonk.exe
PID 3016 wrote to memory of 1620	3016	99000dc6fb6055facc482f2a3e416710N.exe	psiphon3-plonk.exe
PID 3016 wrote to memory of 832	3016	99000dc6fb6055facc482f2a3e416710N.exe	psiphon3-plonk.exe
PID 3016 wrote to memory of 832	3016	99000dc6fb6055facc482f2a3e416710N.exe	psiphon3-plonk.exe
PID 3016 wrote to memory of 832	3016	99000dc6fb6055facc482f2a3e416710N.exe	psiphon3-plonk.exe
PID 3016 wrote to memory of 832	3016	99000dc6fb6055facc482f2a3e416710N.exe	psiphon3-plonk.exe

C:\Users\Admin\AppData\Local\Temp\99000dc6fb6055facc482f2a3e416710N.exe
"C:\Users\Admin\AppData\Local\Temp\99000dc6fb6055facc482f2a3e416710N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3016

C:\Users\Admin\AppData\Local\Temp\psiphon3-meek.exe
C:\Users\Admin\AppData\Local\Temp\psiphon3-meek.exe
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1720

C:\Users\Admin\AppData\Local\Temp\psiphon3-plonk.exe
C:\Users\Admin\AppData\Local\Temp\psiphon3-plonk.exe -ssh -C -N -batch -P 901 -l psiphon_ssh_0614a9f53060035e -pw 534BF96921A1F7EE8ACB69C105CAB671ec0053d5164b691119434c9a7ab6a68c231d5121d6c61ebde66ec111bde906cd -D 1080 -v -z -Z e6472e9fe41870f1a6daf7d8aa59be98f2cfc6c763befd1566898ff06a18d559 146.185.183.59
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1504

C:\Users\Admin\AppData\Local\Temp\psiphon3-plonk.exe
C:\Users\Admin\AppData\Local\Temp\psiphon3-plonk.exe -ssh -C -N -batch -P 218 -l psiphon_ssh_3786a89554f23c59 -pw 699245D156D591BF0585A53A065B857091c24d8ed1237e5295886468d6163053921ab54ca9e5cc319abd9a23bc072440 -D 1080 -v -z -Z 58c5def8668812d9260c6f661212ef51358bc4ef1635ad9393f4462ef3200cde 213.171.197.204
2⤵
- Executes dropped EXE
PID:1656

C:\Users\Admin\AppData\Local\Temp\psiphon3-plonk.exe
C:\Users\Admin\AppData\Local\Temp\psiphon3-plonk.exe -ssh -C -N -batch -P 465 -l psiphon_ssh_5d8ced9806f83899 -pw 8618A768228041121656D684302B9C02b0a3ad70059f9974878c4d7e82547c68c728d9e03657824e6287dc94621bd2ee -D 1080 -v -z -Z 647365742ea7b7d0cc9d305c7e7a3f06566532e32d7cec198977226f7aa4061d 109.228.16.82
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2168

C:\Users\Admin\AppData\Local\Temp\psiphon3-plonk.exe
C:\Users\Admin\AppData\Local\Temp\psiphon3-plonk.exe -ssh -C -N -batch -P 280 -l psiphon_ssh_a92c7da26ccc8c9f -pw B4286DF12BA06DA66907ACE54654094045b88db70f74a8e9fbb795d6e4623d6a70ef4513c969bfcfd23cd9ec1b1dc441 -D 1080 -v -z -Z e72433605381b0d4020a06e5a4ffb2a26961cc898ee8278ea8a9e18eda577a21 146.185.181.174
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3068

C:\Users\Admin\AppData\Local\Temp\psiphon3-plonk.exe
C:\Users\Admin\AppData\Local\Temp\psiphon3-plonk.exe -ssh -C -N -batch -P 823 -l psiphon_ssh_e02afc4fa4c69cf4 -pw 88FDC68369811ECD92924DFB747D18D7d9cfdf7ba313aacd75cdb153432bc6f05210e318f70a217bbe539f813747b77b -D 1080 -v -z -Z e8d51c1a22f602feb6afe0c106e74c4e09b159a878c36e3422d2ddd208a18d83 212.71.254.222
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2564

C:\Users\Admin\AppData\Local\Temp\psiphon3-plonk.exe
C:\Users\Admin\AppData\Local\Temp\psiphon3-plonk.exe -ssh -C -N -batch -proxy_username pserver=88.208.221.101:228;sshid=4ADC7DD145CA09BE03C01FFC1ED8EEBF;obfskey=1b2da9194ef9b9780dc0e0169025b5a83a5ab643988c61bd4ec818b3b730642b;fhostname=hareware-reless-lickbash.psiphon3.com;cpubkey=hq9ADbnK+C/JhhCti+k8kfvpRS8Uh7dZ+TyIYFW7vy4\= -proxy_type socks4a -proxy_host 127.0.0.1 -proxy_port 49211 -P 443 -l psiphon_ssh_03315d2ebd4ceacd -pw 4ADC7DD145CA09BE03C01FFC1ED8EEBF0113f3260eccbb62cbe1339c92ac42d4dadc74dbb93b815873d1ae6618471a47 -D 1080 -v -z -Z 003605f780d5d56a5dae80fab77d4412307ee9d631ebc66da7637163f0273731 prod.global.ssl.fastly.net
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2648

C:\Users\Admin\AppData\Local\Temp\psiphon3-plonk.exe
C:\Users\Admin\AppData\Local\Temp\psiphon3-plonk.exe -ssh -C -N -batch -P 993 -l psiphon_ssh_cb582a295487cbdd -pw 124A06DE04A3F5752AECEBD43FAE5CE65125b6fcb50ae638c17f177c0484a98735dec119de850bdfc11fc081a64721c7 -D 1080 -v -z -Z e8fc60412d9c442e97b12055b06f79b466f0009c6efd0a6522a19426a4639625 109.228.3.122
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2696

C:\Users\Admin\AppData\Local\Temp\psiphon3-plonk.exe
C:\Users\Admin\AppData\Local\Temp\psiphon3-plonk.exe -ssh -C -N -batch -proxy_username pserver=77.68.41.66:509;sshid=DC753FE73ECABAFC1E95545306E5E0F5;obfskey=a0257de60edef6cd990609b978ced103064088c4a52e2d2a7f4003cbc04b79a7;fhostname=moding-kers-acting.psiphon3.com;cpubkey=x5A5F0fzHYJ4vu3Szl4WVTMLiQHten1T52g7Sd7lZiY\= -proxy_type socks4a -proxy_host 127.0.0.1 -proxy_port 49211 -P 443 -l psiphon_ssh_b396051cbf730f4c -pw DC753FE73ECABAFC1E95545306E5E0F5296fb4aa7b91cf402a8d1994c7ac932ab97f17a1f131ac43a2626e7997792594 -D 1080 -v -z -Z b4189aa88eab54284c479c9900f284c2975c3df49b1a0fa70cf0ad5347edf843 prod.global.ssl.fastly.net
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2616

C:\Users\Admin\AppData\Local\Temp\psiphon3-plonk.exe
C:\Users\Admin\AppData\Local\Temp\psiphon3-plonk.exe -ssh -C -N -batch -P 993 -l psiphon_ssh_56a0667824b9d21c -pw 7E83922BADD6E195E4EAA48227E4527Ee2e95643839c1128b4b74f42aae2a80386485d49a3d4d7cefb80c6ef609a7421 -D 1080 -v -z -Z edf8104d96d133ba775d91ef691ce341a5bd56598b7642715cd1f88cc4b586cc 109.228.2.32
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2560

C:\Users\Admin\AppData\Local\Temp\psiphon3-plonk.exe
C:\Users\Admin\AppData\Local\Temp\psiphon3-plonk.exe -ssh -C -N -batch -P 780 -l psiphon_ssh_91983ef15fc35bce -pw 2D978B2CE440EEF4C304143D78063ACE0dfe2a2ce6ee5bf6b002c12d63f131d1f84181119be4ecb42f8aa33d99aaf21e -D 1080 -v -z -Z cc85469ddb6c48eb8b247b2449fdda5e8422c82e802a34e1ea95cdb85da39493 77.68.41.246
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2668

C:\Users\Admin\AppData\Local\Temp\psiphon3-plonk.exe
C:\Users\Admin\AppData\Local\Temp\psiphon3-plonk.exe -ssh -C -N -batch -P 280 -l psiphon_ssh_f3d4cd49ab1c1ab1 -pw 6B34EAB7158EAD0CA3C7453B40458778a919ba1e778227ec8706697549df067d2794a19d529f773430f357d614160c9f -D 1080 -v -z -Z 7181cafe3a795de1627a6bd04247a32e3073e1a47b199b09497358838ab024d2 107.170.12.29
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1324

C:\Users\Admin\AppData\Local\Temp\psiphon3-plonk.exe
C:\Users\Admin\AppData\Local\Temp\psiphon3-plonk.exe -ssh -C -N -batch -P 251 -l psiphon_ssh_febac25bfa380b5b -pw 9ED8E76653F34F58646F85529794941587a10ee95bc36979ddada50b7134e0f081af968e61ff8cf36cdce6e288d75621 -D 1080 -v -z -Z ed4298f555bc05def4d370096bed5fc1c8931dec142fd4810b500f8084756f23 88.208.205.231
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2924

C:\Users\Admin\AppData\Local\Temp\psiphon3-plonk.exe
C:\Users\Admin\AppData\Local\Temp\psiphon3-plonk.exe -ssh -C -N -batch -P 687 -l psiphon_ssh_3ff18759b45491bf -pw F75038754C1A8B94FF3023983CA4F885c8cc8e50e818372e1fe51b66aa4f34e3e0c8362529356b182e77e357161ae9ef -D 1080 -v -z -Z ce47bd48ec3f0f0d2fbf5df4a8396f73cecf5115ea3fec0a7e7ea9bf41b2d712 77.68.41.55
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2368

C:\Users\Admin\AppData\Local\Temp\psiphon3-plonk.exe
C:\Users\Admin\AppData\Local\Temp\psiphon3-plonk.exe -ssh -C -N -batch -P 901 -l psiphon_ssh_52ea8f6a67445557 -pw 1C1AF04C759DA750A97D1FA2291478318a9087950a855bac77a2e35528cac77c9f84cff238fe32f89dd1b6dfdda1892d -D 1080 -v -z -Z a417071bb977471f9e73d21b362172d96da2107c203670689b2a3e0585c97724 146.185.178.30
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1620

C:\Users\Admin\AppData\Local\Temp\psiphon3-plonk.exe
C:\Users\Admin\AppData\Local\Temp\psiphon3-plonk.exe -ssh -C -N -batch -P 364 -l psiphon_ssh_188fc2dbadb27210 -pw 39F1FCBC2CBF96C793C991209AAC0673cf51ba64817ef99d26261d3379d968fceb5d9c63e867bb1ba2eb3aa9b8d350aa -D 1080 -v -z -Z 4ce811d258644b4519a5d46573ccc9d80e823173ae02422492214ee9b3a400f4 109.228.3.123
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:832

C:\Users\Admin\AppData\Local\Temp\psiphon3-plonk.exe
C:\Users\Admin\AppData\Local\Temp\psiphon3-plonk.exe -ssh -C -N -batch -P 993 -l psiphon_ssh_ec84a930f3db3141 -pw 77A75365C40391373222B9B47FC7C8019f1cb0a5ad455b563601cd6beb6ba298e25d777d1fa3ef368c652e183a755d2c -D 1080 -v -z -Z ccdc862363debdba487bb524167791684dee05ee29279d3f590699daebc8e9c8 213.171.199.169
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1680

C:\Users\Admin\AppData\Local\Temp\psiphon3-plonk.exe
C:\Users\Admin\AppData\Local\Temp\psiphon3-plonk.exe -ssh -C -N -batch -P 587 -l psiphon_ssh_db2b268e1577c459 -pw 9AAFFFBF70B68C1D8D042B9EDF50491Be5f57c3db2915bdc67042859c96de6a1301957e6f05d83b4d969ab5f31fe8074 -D 1080 -v -z -Z ecc3dcbe159a8293508d2ad7eb5fabfc89f51ade0b5b2ca86d14e018bb6e9216 88.208.221.254
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1060

C:\Users\Admin\AppData\Local\Temp\psiphon3-plonk.exe
C:\Users\Admin\AppData\Local\Temp\psiphon3-plonk.exe -ssh -C -N -batch -P 443 -l psiphon_ssh_a546a5bd9e4e2bd8 -pw 4482E7EAA45492569945BD8068EB972F373630d8b446041d4c5f7cd2ec20ec32b5b1325ae87e374a148e9eea78fa33bd -D 1080 -v -z -Z 75a3f8ea61759e6eec1e55a6729d8c893c434f8051dc98754ab11696df410359 178.79.137.243
2⤵
- Executes dropped EXE
PID:1932

C:\Users\Admin\AppData\Local\Temp\psiphon3-plonk.exe
C:\Users\Admin\AppData\Local\Temp\psiphon3-plonk.exe -ssh -C -N -batch -P 901 -l psiphon_ssh_d68929c0e8d3db91 -pw 848B308D9555A62584D2A20BC37E485F8d3b7b333f04c776b961e1bcbd74ebc02a5ec2e59eee8eebe87e87855eff3d22 -D 1080 -v -z -Z b3e3751eb2fe30fa4e904005aaa60decdae126650d4b7b1b87acad4004d0e375 77.68.40.190
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:864

C:\Users\Admin\AppData\Local\Temp\psiphon3-plonk.exe
C:\Users\Admin\AppData\Local\Temp\psiphon3-plonk.exe -ssh -C -N -batch -P 465 -l psiphon_ssh_884dc22a6a31b321 -pw 307710915C9F374D8E8D4197E1574BD5f4da88aa0bba321e4103a4ceede196bc23fcde5e33e3a65ba309642186e3e3fe -D 1080 -v -z -Z 7725a2b65f4c89dbbd0c71872199fac4b42b1b3e19f6ab883e767dc04dff128f 109.228.19.93
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:704

C:\Users\Admin\AppData\Local\Temp\psiphon3-plonk.exe
C:\Users\Admin\AppData\Local\Temp\psiphon3-plonk.exe -ssh -C -N -batch -P 959 -l psiphon_ssh_f28dc40012ba5b6c -pw 0DC8401D3C11FA1C75FB3204DD63C05B3b07199be2c5a0debbc9e5f9d82eaccc4048ac94cc163b22a5c8516b6e17e08c -D 1080 -v -z -Z 892395eb6590e53f0e31a8e8728ce4a01a74ef90b3caaf07927fec3354ed4f51 88.208.222.1
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2036

C:\Users\Admin\AppData\Local\Temp\psiphon3-plonk.exe
C:\Users\Admin\AppData\Local\Temp\psiphon3-plonk.exe -ssh -C -N -batch -P 1021 -l psiphon_ssh_40491df96d157f35 -pw BF393D26C499EBB791A98B7C44D95B8717eb80e52c83387a6343760e41df402b40030c019799e1861c02f57b1305a12a -D 1080 -v -z -Z 7e5a28d76266cef16de6a4321eb0b143fabb5d921d232bd3c78abeab42f85ade 109.228.19.172
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1368

C:\Users\Admin\AppData\Local\Temp\psiphon3-plonk.exe
C:\Users\Admin\AppData\Local\Temp\psiphon3-plonk.exe -ssh -C -N -batch -P 19 -l psiphon_ssh_78e7e3fa4338bb36 -pw BCCD30472875AF3336FA99780F2EC7C984a5ad45e0b415d22c144ea230cc5cada104a4a95ee487042098e32d3b033ea6 -D 1080 -v -z -Z 1d0c8fa9b33d8a58c44b1b0a68857cfa44f472e885645a66df463bbd3409652e 88.208.223.31
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1608

C:\Users\Admin\AppData\Local\Temp\psiphon3-plonk.exe
C:\Users\Admin\AppData\Local\Temp\psiphon3-plonk.exe -ssh -C -N -batch -P 53 -l psiphon_ssh_2b3a6755ed668af7 -pw B7E2B71AF9DFA4B6C8EDB5A9B43656F4dd4f879f0ef46bd35dc36b487df2be80ba877bcf69e3e7d1dfd3839177e36239 -D 1080 -v -z -Z 0a5e8d53374bdde4c59015a3768c9205c8c2e2352c49cdce3a5821c674e94655 107.170.225.246
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2284

C:\Users\Admin\AppData\Local\Temp\psiphon3-plonk.exe
C:\Users\Admin\AppData\Local\Temp\psiphon3-plonk.exe -ssh -C -N -batch -P 683 -l psiphon_ssh_b7a7dbcd7e12effe -pw F9F7E3393A41AFBA4C40C69814FB4B07c565631adc01611f12c8c10027cc3e5957e93e8a2127cf0fd31caaf8d1b2ae97 -D 1080 -v -z -Z 38f2bf17f0b59415f43e0baa95831755fd3fe8cac3f1a234b05995cc994be31b 95.85.23.152
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2600

C:\Users\Admin\AppData\Local\Temp\psiphon3-plonk.exe
C:\Users\Admin\AppData\Local\Temp\psiphon3-plonk.exe -ssh -C -N -batch -P 114 -l psiphon_ssh_1bf1f163b3e14c39 -pw E7B6A18C44607079F8B2EB34638BC6B095d9309fb14a813aab5ab839b8054d4f69aebe6ff3f40a29267c6a2990355d08 -D 1080 -v -z -Z f01ae0bec26e753fb8c8c0773452d6326fc2f629d9a5577d83589d6f448166fa 88.208.230.119
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2308

C:\Users\Admin\AppData\Local\Temp\psiphon3-plonk.exe
C:\Users\Admin\AppData\Local\Temp\psiphon3-plonk.exe -ssh -C -N -batch -P 443 -l psiphon_ssh_dede2432ee92acd7 -pw 06AF9AFDC6CC462FD0048694EFD2720E28c92e3073e7b12b10256967350612504a5d57001f06b96f864e5d3f8f72ccbc -D 1080 -v -z -Z 2848193b03bff7705fdc4bc689afa3e3ac156615bffbdbb6686ba4f1f1d60dd6 146.185.161.135
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1716

C:\Users\Admin\AppData\Local\Temp\psiphon3-plonk.exe
C:\Users\Admin\AppData\Local\Temp\psiphon3-plonk.exe -ssh -C -N -batch -P 931 -l psiphon_ssh_628ba0bc13e8c56e -pw 506A8DAEB775AF8D6619FFE880383386607ae4abf5f75a30360ced342257c578c0ffb3a99f331297b233d4ebafa3f4db -D 1080 -v -z -Z 0e39e6c255b76351d518c7faaa6f961251ac185e1f5863accde76a35c04243d7 77.68.41.32
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2416

C:\Users\Admin\AppData\Local\Temp\psiphon3-plonk.exe
C:\Users\Admin\AppData\Local\Temp\psiphon3-plonk.exe -ssh -C -N -batch -P 547 -l psiphon_ssh_fb2178a70d5af645 -pw 9E49A9EBE09B257F2354997952E2BDB6be251f39509e9523bd557fe722e13fc7cd94b5a1ba883c8212d085f6d42afffa -D 1080 -v -z -Z b4e7a03a8625e7d09ceda43b64060683cd39e6775a1d45158b895a40757f6482 109.228.17.128
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1384

C:\Users\Admin\AppData\Local\Temp\psiphon3-plonk.exe
C:\Users\Admin\AppData\Local\Temp\psiphon3-plonk.exe -ssh -C -N -batch -proxy_username pserver=213.171.220.218:68;sshid=CEA7E9ECCB97540F19A81D9399048707;obfskey=5abb32d9cc800a75de88ef71b5d9615f346a430e53be6564ecf4f7a4e2b550d2;fhostname=lican-deboad-morer.psiphon3.com;cpubkey=O9No8SKRb6rUBrhg82vC525+V+fR5qBwFHZzdj3giz0\= -proxy_type socks4a -proxy_host 127.0.0.1 -proxy_port 49211 -P 443 -l psiphon_ssh_fa2281f826370f1c -pw CEA7E9ECCB97540F19A81D93990487077662e7d401966c0c2eae8340cbb736a51778c604e22aa6d28217b1de1cf06988 -D 1080 -v -z -Z 43b67cb12f0695c492b9194a992cb4cd2dd907dfd2de3f013e3b3f4a9fc88e7a prod.global.ssl.fastly.net
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:700

C:\Users\Admin\AppData\Local\Temp\psiphon3-plonk.exe
C:\Users\Admin\AppData\Local\Temp\psiphon3-plonk.exe -ssh -C -N -batch -P 557 -l psiphon_ssh_3e94c34965f614be -pw C2124524493B0E48A5C73F1D01C36FBA67c22e5e419ddbe71ac32d361ad4e14424dc762d4bccd76d0b323d270e2876cc -D 1080 -v -z -Z e8a23ce4b2eab55b62cc3c62b3300120acf865fb6cef0f85dfc9aa5f3f32265b 88.208.210.65
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2668

C:\Users\Admin\AppData\Local\Temp\psiphon3-plonk.exe
C:\Users\Admin\AppData\Local\Temp\psiphon3-plonk.exe -ssh -C -N -batch -P 993 -l psiphon_ssh_f5377ee7ca9f3f5a -pw 6C346D66C0BA4596B24462D21CACBB0F19322eb08d552da321dcafafe0737fd4a16f1305addb3872aa707d943d2a596b -D 1080 -v -z -Z c80179fc03499e04774f08f2a9e721c6d981bfdec2936217d395a0dcf5a5371f 88.208.221.49
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:904

C:\Users\Admin\AppData\Local\Temp\psiphon3-plonk.exe
C:\Users\Admin\AppData\Local\Temp\psiphon3-plonk.exe -ssh -C -N -batch -P 280 -l psiphon_ssh_3c37cb5369fcd4db -pw 59C629542730744BE3633B49A4104A26370836b7679668157a45978418b4759097c88d5881a8d651a378f1e72569ddbf -D 1080 -v -z -Z 8c1a71f80bb9bc1cfac3424db5167d248f9c60efc32c947a782dcba9faf6a9bf 106.185.24.149
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:852

C:\Users\Admin\AppData\Local\Temp\psiphon3-plonk.exe
C:\Users\Admin\AppData\Local\Temp\psiphon3-plonk.exe -ssh -C -N -batch -P 547 -l psiphon_ssh_7b1261346143581b -pw F45505E750985415227F07E7444AA117c39730599fb2afd796ee8ce99268d42bcefb1b0c978d785b1de670e97ae6225c -D 1080 -v -z -Z 23bf7b453f2321b54a37e9c3e072d872af78053b2bda43a5eb1589754ec9dc37 109.228.17.111
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3052

C:\Users\Admin\AppData\Local\Temp\psiphon3-plonk.exe
C:\Users\Admin\AppData\Local\Temp\psiphon3-plonk.exe -ssh -C -N -batch -P 587 -l psiphon_ssh_0d8f1d5cec6a6d9a -pw 920ECD339498AF7A15FE866B6624CDC9baba4d3a3b9c63375e5d87452652ad80f6be0ccf2f11990e946fae41f9f6c393 -D 1080 -v -z -Z 62d6190ca411fd92447e8a19bef247b69150d86b8e10ff2635e41a7eecc0c397 88.208.206.230
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2124

C:\Users\Admin\AppData\Local\Temp\psiphon3-plonk.exe
C:\Users\Admin\AppData\Local\Temp\psiphon3-plonk.exe -ssh -C -N -batch -P 443 -l psiphon_ssh_c6e5841dbe772a41 -pw 73CBA0B25AE825386CBD30CE1DCEABF1c691be04ef36b67e220c3cba8fe744b9f440be467ad5ffc7a5198a65501bd190 -D 1080 -v -z -Z 8b36d3f825aa8bee793e7d41455783acbae0aa41baa6e7b55f32a169a668ffd3 107.170.121.61
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1740

C:\Users\Admin\AppData\Local\Temp\psiphon3-plonk.exe
C:\Users\Admin\AppData\Local\Temp\psiphon3-plonk.exe -ssh -C -N -batch -P 195 -l psiphon_ssh_f95be93484778a53 -pw F82ACAEAC303AC5FB0B1C8740A7649F9bdfc8980bc09655c5de2eac9b3f7a62605da98b7b9ab3d579cc9c4aae52c4513 -D 1080 -v -z -Z b895e563a0885ea53acb6c4f142025831b37d7790bbef3f34cc948306ff78d6d 88.80.189.154
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1020

C:\Users\Admin\AppData\Local\Temp\psiphon3-plonk.exe
C:\Users\Admin\AppData\Local\Temp\psiphon3-plonk.exe -ssh -C -N -batch -P 392 -l psiphon_ssh_f23e3e42ed24722f -pw F73F5E92339418AF480490F85B42CA36b87ccb3eaadf1077fb074356280c5d6113ce55e7870db189ec8a3ec56f3c9d07 -D 1080 -v -z -Z f4fc2036e321e4209d337fefd5cdde449fcf1855ccf51ae0cabea6e0ee1af106 77.68.40.74
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1888

C:\Users\Admin\AppData\Local\Temp\psiphon3-plonk.exe
C:\Users\Admin\AppData\Local\Temp\psiphon3-plonk.exe -ssh -C -N -batch -P 195 -l psiphon_ssh_825e4a24b049d8cf -pw C20CB50C720F07B676C16C93AF5E54E723bd2dcb0b14c29f9fde267608d0f1f49e4130b16056ec94c4afa59b399101af -D 1080 -v -z -Z c0cb39060e32f7e6ed99bbc7410055553e4e37beafab9b11b1c64687b31aae81 162.243.106.158
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2208

C:\Users\Admin\AppData\Local\Temp\psiphon3-plonk.exe
C:\Users\Admin\AppData\Local\Temp\psiphon3-plonk.exe -ssh -C -N -batch -P 993 -l psiphon_ssh_56b880c5ce840a4a -pw 3A9F036F13DC91B99D384D79CD90C3B95cee61dfcf6354f320d1df78887be5ec46532c7a1d723e43d6f3679947fefe3e -D 1080 -v -z -Z 4d11820bc0a522034fc21a9a64a03fea3d769f3fbd7f974e5007f967d94768b7 88.208.221.47
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2240

C:\Users\Admin\AppData\Local\Temp\psiphon3-plonk.exe
C:\Users\Admin\AppData\Local\Temp\psiphon3-plonk.exe -ssh -C -N -batch -P 901 -l psiphon_ssh_155135bb17004088 -pw A6E7AAE56C9F6F4FD40103B20FD613AB7d5dd46592c1cf143353fa77ee9671303b67d0758c88fe20272ea0559cd343ca -D 1080 -v -z -Z 6a3176271620e550fd909466580ea4719bd0c0f3e122bf97143cabf973e6cc44 173.230.158.42
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2836

C:\Users\Admin\AppData\Local\Temp\psiphon3-plonk.exe
C:\Users\Admin\AppData\Local\Temp\psiphon3-plonk.exe -ssh -C -N -batch -P 465 -l psiphon_ssh_56a7e8d72f4c5e22 -pw E794ECA502A03B824D0601B0B3A5187C888e11fb85fa7094bc2e21ab660c27b04d4000ab18a8e13777b15e544f015045 -D 1080 -v -z -Z a60f55a4aad8be6310ee3ad9007c5a303996ed648f0f618c30d87f18b64b5ec9 213.171.199.168
2⤵
- Executes dropped EXE
PID:1604

C:\Users\Admin\AppData\Local\Temp\psiphon3-plonk.exe
C:\Users\Admin\AppData\Local\Temp\psiphon3-plonk.exe -ssh -C -N -batch -P 901 -l psiphon_ssh_5960fc9397ce6096 -pw AC49D1A2A6B62B15564CDF3915B5196Acab8506eaa9ec1c55506232e32204235ee9b6b69f45a4616de16192b3598b0f2 -D 1080 -v -z -Z 53351bbaffed8c879a75bcb1e029872fc8816faa976d70426c2f0ea577724f6d 77.68.40.38
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1776

C:\Users\Admin\AppData\Local\Temp\psiphon3-plonk.exe
C:\Users\Admin\AppData\Local\Temp\psiphon3-plonk.exe -ssh -C -N -batch -P 591 -l psiphon_ssh_7dd65cc1a822efc0 -pw FE8F543DE5E3AD6F1E33B0DDFFC63B0Fe59083c1ec0ae3e28437675d9ffb44c09d59211def647e9142e711c9ca5a61c9 -D 1080 -v -z -Z bdd00aabdae95f68b796250ea477343a53bc730044e94e0e8be510003d2208b6 72.14.190.107
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2092

C:\Users\Admin\AppData\Local\Temp\psiphon3-plonk.exe
C:\Users\Admin\AppData\Local\Temp\psiphon3-plonk.exe -ssh -C -N -batch -P 789 -l psiphon_ssh_08db3c4560972309 -pw D0E9FC64312A02B7534605B9320B475Fe11ba005f94c55c5965d09235096af78fb3c247cc3230364e32e36a93e1e7b4c -D 1080 -v -z -Z d93d98c9ff36fb53cd7e3961bde30e1a0c5069ac26928202f993dcb5e9d41eb5 109.228.19.171
2⤵
- Executes dropped EXE
PID:1324

C:\Users\Admin\AppData\Local\Temp\psiphon3-plonk.exe
C:\Users\Admin\AppData\Local\Temp\psiphon3-plonk.exe -ssh -C -N -batch -P 921 -l psiphon_ssh_225eb556051bd2ba -pw 8A24E3BB177C5A51687B9BEE12F67E131a41414fc20a3c6059ac11b37935cfb51362d374918fee9043256819a83c5dc5 -D 1080 -v -z -Z 51087f1d92eff311cfbb9af035d26a72d6b2172b76fab8598844b5748ce3f1e0 88.208.233.111
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1072

C:\Users\Admin\AppData\Local\Temp\psiphon3-plonk.exe
C:\Users\Admin\AppData\Local\Temp\psiphon3-plonk.exe -ssh -C -N -batch -P 443 -l psiphon_ssh_b8da049865b4bf35 -pw CA73EE543B664468C0A0B1E679DA86A1e9c218bc8d52889ea66bd14a716b4dea8548331ee0c902bc81e5def9c768c6cc -D 1080 -v -z -Z 178bdcbb5d4b89846d2287758be33ca8549669b6bef50ebdc527534c37c6dd54 212.71.237.152
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1696

C:\Users\Admin\AppData\Local\Temp\psiphon3-plonk.exe
C:\Users\Admin\AppData\Local\Temp\psiphon3-plonk.exe -ssh -C -N -batch -P 123 -l psiphon_ssh_b6b66e0b810bfa79 -pw 8B01325C1EC35E9339F9AE96BAE02B56496f75fd5aa6be7dc5942cd8d83bc33ca16e662e2f97fcb40c4f74527ff8780f -D 1080 -v -z -Z 406815c4d4c28bc4240a93a5ad9e3a07f169ae359f35ba5ef38370088c36cd4b 109.228.19.174
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2456

C:\Users\Admin\AppData\Local\Temp\psiphon3-plonk.exe
C:\Users\Admin\AppData\Local\Temp\psiphon3-plonk.exe -ssh -C -N -batch -P 465 -l psiphon_ssh_5592fa098347c386 -pw 4BDF7F34E4846DBCD20B83682FE0345A95f1f0c73084dc3ac12b4e7c254e1508b2b94826b1b76237c4386168ce4dacbf -D 1080 -v -z -Z 9279484b4277749d24accd0089fcd07659effaffb2a6fc5af0587f0010caf8d7 88.208.223.93
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2652

C:\Users\Admin\AppData\Local\Temp\psiphon3-plonk.exe
C:\Users\Admin\AppData\Local\Temp\psiphon3-plonk.exe -ssh -C -N -batch -P 114 -l psiphon_ssh_330c14d8e76d7566 -pw 733269D9948CC3524578985A07FD1194d233a10b31f55e7004553775817b00dd828c2752508fcdef8f8597fcc94510c7 -D 1080 -v -z -Z f7460cc2ed14932c02c1c0a16bae4884b5542adefc89ce06616382e52307f550 88.208.205.207
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1860

C:\Users\Admin\AppData\Local\Temp\psiphon3-plonk.exe
C:\Users\Admin\AppData\Local\Temp\psiphon3-plonk.exe -ssh -C -N -batch -P 407 -l psiphon_ssh_37e1218d1542a764 -pw 0B8F27FCA21BC5538D6E9724EB1630AD57abffb5cd3161cfa308305f0c308a90805f319155b984037bdb8f23f00b0c1a -D 1080 -v -z -Z 5fc752ca334109948785f055b745fe5c72cd9705f5d20b57fef46c5e10ac7500 109.228.3.119
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2300

C:\Users\Admin\AppData\Local\Temp\psiphon3-plonk.exe
C:\Users\Admin\AppData\Local\Temp\psiphon3-plonk.exe -ssh -C -N -batch -P 993 -l psiphon_ssh_2f2a71776b15297f -pw 6DBDF4DAD05EF71BE23783D160B5AB8A4de3aebd31feb20118618dd3f5972d2c37635c9740eeba40f5140350d180d477 -D 1080 -v -z -Z 8559cb9e6c3c25f6925232e56b5a7c5c1609bdaefdb71554d3a179b31295a5c5 213.171.197.188
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1968

C:\Users\Admin\AppData\Local\Temp\psiphon3-plonk.exe
C:\Users\Admin\AppData\Local\Temp\psiphon3-plonk.exe -ssh -C -N -batch -P 813 -l psiphon_ssh_cc8d0d6e5f87ab0e -pw 759A015F21DCE141FEEE7A569FF3B6B545a97c2a37176ab910e1b54a934f7ee8bb029e40051dc575444a5f06c0a15e5e -D 1080 -v -z -Z 894c03a08acb21c6550478cc0ea497e05ff9a5ce729087333b4dddf26e23a7e7 213.171.207.95
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1184

C:\Users\Admin\AppData\Local\Temp\psiphon3-plonk.exe
C:\Users\Admin\AppData\Local\Temp\psiphon3-plonk.exe -ssh -C -N -batch -P 473 -l psiphon_ssh_780052da587c07f7 -pw F2E4AA307FCB687485C70BEFE84449DF6aa38c1716cc969a829eacfeaa43e3e287839e16462ac70180e28d6494c8f378 -D 1080 -v -z -Z 5ed6987bbd92fcc9a01eabff552b819c732b5ffb30b9563d2896e2ca719686b9 77.68.39.6
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2832

C:\Users\Admin\AppData\Local\Temp\psiphon3-plonk.exe
C:\Users\Admin\AppData\Local\Temp\psiphon3-plonk.exe -ssh -C -N -batch -P 947 -l psiphon_ssh_3ed5a3f4dbd8a144 -pw 312B68C40CDBEFDC371A445D02271F4A95dc9029284d870b0ccae64617767a5531404be4e2beba14f12e80ac82e2e805 -D 1080 -v -z -Z ea2129a768089af5ba8e20479093b0fde7f7370cf0a7b31d6b04dd41fbf62a66 77.68.41.232
2⤵
- Executes dropped EXE
PID:2812

C:\Users\Admin\AppData\Local\Temp\psiphon3-plonk.exe
C:\Users\Admin\AppData\Local\Temp\psiphon3-plonk.exe -ssh -C -N -batch -P 280 -l psiphon_ssh_87a8d6960329d219 -pw 9D7C21A01029AAFC53CBB4DC95B2E21Ed614b767d17ee02545835849b32b9856ab7f280528430ab0687b5dc46643e363 -D 1080 -v -z -Z d0240e6101132378e9d6bb012a217f805c98a202a102814801b4487c108a6492 77.68.40.187
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2796

C:\Users\Admin\AppData\Local\Temp\psiphon3-plonk.exe
C:\Users\Admin\AppData\Local\Temp\psiphon3-plonk.exe -ssh -C -N -batch -P 901 -l psiphon_ssh_bd238a84e901b28c -pw C48B7EE3D3122E0A82CA3D36950D59FD453455602969c8779447d8a4237238d65dc76627c4f8ef03f25d5d1835a595d9 -D 1080 -v -z -Z dee7776d1da0c10cde4e8408ac78ec50be3e49bdf7bca4e1e0b69ad04b5180bf 23.92.24.232
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2776

C:\Users\Admin\AppData\Local\Temp\psiphon3-plonk.exe
C:\Users\Admin\AppData\Local\Temp\psiphon3-plonk.exe -ssh -C -N -batch -P 465 -l psiphon_ssh_8986f7ee28a5eb0a -pw 1F2FC3116D04257B7AD7B2B169A562914606261cdc9fc8a50f721b49df47eede8d584f5ca5609bafe8f1805d49d32cbe -D 1080 -v -z -Z ce6cf384ed1f43a93eeb388f09373103f05717d2a228c693d05e9de770c7a3f1 88.208.205.62
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1964

C:\Users\Admin\AppData\Local\Temp\psiphon3-plonk.exe
C:\Users\Admin\AppData\Local\Temp\psiphon3-plonk.exe -ssh -C -N -batch -P 235 -l psiphon_ssh_7b567df349cb7c5f -pw 858A710A40B86BB69BA014A7E5A70A0Fcaf71b0986e428bf30672f787d7bb9b1771a7258b9c23c62b671d5ed17b60c99 -D 1080 -v -z -Z 34c24768dc946ac7ffbf1fab226e9f1055580034880a01c0ef3b5d0b6cd3261c 77.68.37.80
2⤵
- Executes dropped EXE
PID:2408

C:\Users\Admin\AppData\Local\Temp\psiphon3-plonk.exe
C:\Users\Admin\AppData\Local\Temp\psiphon3-plonk.exe -ssh -C -N -batch -P 993 -l psiphon_ssh_2cc2b44485f492fa -pw 32E271082636166E755DDF2D1B8D635C741f4fdf4e86768c5617d5f737686a7e6292fd3fa6fa383e0548fcb625dab1c2 -D 1080 -v -z -Z c879d8200e927d233d2b1510cd5648c077513a80cdb7783f5b4f01a5409dc38b 109.228.16.80
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2616

C:\Users\Admin\AppData\Local\Temp\psiphon3-plonk.exe
C:\Users\Admin\AppData\Local\Temp\psiphon3-plonk.exe -ssh -C -N -batch -P 547 -l psiphon_ssh_0ef67b986b5bf0f2 -pw 53BCF4AC6B7B2853CD422AC062B12D3645651d54820da62b84b9c295d6db14b3212b3346a7e72b05f31fbb5a05aa9bad -D 1080 -v -z -Z 12143ea07f65bf59faa52590c8b0d5e78caa7fb354de149f15af869d94128a53 109.228.17.208
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2184

C:\Users\Admin\AppData\Local\Temp\psiphon3-plonk.exe
C:\Users\Admin\AppData\Local\Temp\psiphon3-plonk.exe -ssh -C -N -batch -P 901 -l psiphon_ssh_0e1988076cd2eabe -pw 733ACDC3E4E0B256390237151B4DDE0Ef7609b50dadd34feac4f2f8ea78ee0791df860e4f3d62980b3c20f01af3c7bdf -D 1080 -v -z -Z 15596fbfae32b9bd574cf109c299219b15a2eb3bafd56ee2027396faf212c37d 106.186.113.109
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2344

C:\Users\Admin\AppData\Local\Temp\psiphon3-plonk.exe
C:\Users\Admin\AppData\Local\Temp\psiphon3-plonk.exe -ssh -C -N -batch -P 770 -l psiphon_ssh_72835fb7bb568b71 -pw A25482298804D289F3E8E6F577FEE60Dff49167a461265c70563ab7e7c7c186517f416930f088a46fa0d9065cfdd9da4 -D 1080 -v -z -Z 6e8b4c540f8e826d9f871c7dceb8c2269b72b99c2056540cf07996c961c3d0a6 77.68.37.81
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2732

C:\Users\Admin\AppData\Local\Temp\psiphon3-plonk.exe
C:\Users\Admin\AppData\Local\Temp\psiphon3-plonk.exe -ssh -C -N -batch -P 595 -l psiphon_ssh_640cc1fff55f38fa -pw 9BAD6CE66EB0F1C696935F328BEABAFC609691c9c4e83b951d44381a8d6e4c9b4030d85f8ae9be8fa2885a468701c2bc -D 1080 -v -z -Z c6bbab6b4b2ec9f01808396f8c88f6a84d7ed7335aede7162ca0ed7210018c0c 77.68.41.243
2⤵
- System Location Discovery: System Language Discovery
PID:2376

C:\Users\Admin\AppData\Local\Temp\psiphon3-plonk.exe
C:\Users\Admin\AppData\Local\Temp\psiphon3-plonk.exe -ssh -C -N -batch -P 922 -l psiphon_ssh_a6faa74b215a1320 -pw 55CAB3735505C26592B34C93455A2F4249116638609b938029e977d2d66def64a00287bd154e97774563a5319369bf3f -D 1080 -v -z -Z b8c629679bfcab28ad64d22cce1134ec3f6851c30d2e3e8f97e9ae82eebed443 88.208.231.44
2⤵
- System Location Discovery: System Language Discovery
PID:1316

C:\Users\Admin\AppData\Local\Temp\psiphon3-plonk.exe
C:\Users\Admin\AppData\Local\Temp\psiphon3-plonk.exe -ssh -C -N -batch -P 995 -l psiphon_ssh_6bd293c9a110b356 -pw D9DFC60B81F3F1C9F6F74F5C273E7F4A0ade00b5bffab352f1e82376d3a502ec3e5428717bcb30f1e5465d5f1dce19bb -D 1080 -v -z -Z 38af2287af84ed804d5d7328b7b5104397763f02aa85c5f4abfdd91e9032f46c 88.208.206.237
2⤵
- System Location Discovery: System Language Discovery
PID:2768

C:\Users\Admin\AppData\Local\Temp\psiphon3-plonk.exe
C:\Users\Admin\AppData\Local\Temp\psiphon3-plonk.exe -ssh -C -N -batch -P 995 -l psiphon_ssh_50d8edf66f40ef0a -pw 04379789A4A8FDC8A4B0701F56AC4DC01fa325fde0c1d4c2881b228975be6d8eb973c04413d386dbf7aa06e19c2c8c64 -D 1080 -v -z -Z 3be9c49ec113da61da0fbd19c0f08866d2b0dccf030345b42ccdf82bb5cb3c60 109.228.17.62
2⤵
- System Location Discovery: System Language Discovery
PID:1684

C:\Users\Admin\AppData\Local\Temp\psiphon3-plonk.exe
C:\Users\Admin\AppData\Local\Temp\psiphon3-plonk.exe -ssh -C -N -batch -P 587 -l psiphon_ssh_c7466b8ed0324498 -pw 7E4E96FE27DA77894520EE91E11BB2829f03443e30cdffc3eba1dcec304c4d5c058a7b21e80cfcba9b1ad2be3e2f9566 -D 1080 -v -z -Z aeb4fce445d1aac89ecd376a6ca3d64d6137deb8a5e4b79384e54e37c61f3efe 213.171.199.170
2⤵
- System Location Discovery: System Language Discovery
PID:2484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F59A01A8B782D93EA6991BC172CEFFB1

Filesize
867B

MD5
c5dfb849ca051355ee2dba1ac33eb028

SHA1
d69b561148f01c77c54578c10926df5b856976ad

SHA256
cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b

SHA512
88289cdd2c2dd1f5f4c13ab2cf9bc601fc634b5945309bedf9fc5b96bf21697b4cd6da2f383497825e02272816befbac4f44955282ffbbd4dd0ddc52281082da

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
79a6eae0999f1c78157881106b90b6e2

SHA1
6ec23d22398d3c3de64f771bc3d7d4b5328080df

SHA256
4f13a8d314f9c1aeda62219f398a3b61ead64639f513d4190be58cc5eb0f74e7

SHA512
2f4640f11a061bd9e5ebd68a59d438e95e7a88776ee02489d7b896ec1cce05615f20d21111e679d8298542d23f3feeb41d6bea54426aab9a2bbf07919d78cafa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ebae2024b03cdbcc688696db7aac7777

SHA1
b764a0f4379ac04117170772ac9b5f92f1b6b925

SHA256
90c9e2e2360c6f294e690d3ad35c3dfecbcb7e38a3dc36d1928e814ff40771b7

SHA512
b9c7b19c000fc105c15f7e34b71f58402b6ae3543e2456271565346cd88051a0622f7d0ca089e81b7a1392f4fcd50b072bf45e9245149cb4572a977a85ad7a65

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a76fdce9eabeb44b0619634c8821e07c

SHA1
49711c0e49c65876be9a8ae60449d2fd69a86b7b

SHA256
718bed1996d29e0626b515cb2b4310efdda61ed76f2cd5cef8c60e7b714b8954

SHA512
626735224b346a8c5f3973d5e8ee3c02164a30789a6f9b4948087be317283e93e405eb4c0823c226e43a28e9dc173aa57294e1a7c4f815243c912fa71eeac917

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0668b37487145a860b33801c2918a483

SHA1
3ef07573c640f6fe7fdcfc5f9e921757a556061e

SHA256
c21d49b653a095bff12ce3791c78f702f39490869b5ce60cd6b321f33c8c92c0

SHA512
1d8d4a3348c94196d38ff0c5b705e12ae96ddc3547fac420edd2d241b5553e2af6c1fdfc8ad11ad877961cf217b5ad712703fa0e45103daa258c03df5a9e1ace

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a3e49fba71303adfeac52250f156b171

SHA1
be78aad7e1eb6db402cb24aa87b789b61b68f490

SHA256
5f7cda2a9892338aabf6cdd7cf25f4392d18164a1cb6dc0917e81227903fbea8

SHA512
4cb5ec24c8dc53de8eea57c18a6ba52480e0346865afdc1da7d4e1efb64d4ac1958e067d82b66b9f53bf243019bd08a57f76b5c82a106cfd8d73b158e9e126df

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c9c8a608f967f31b494315f02e9e3659

SHA1
b659cf260d6a3555ae50bbfee568fb39c3948713

SHA256
801694d3353fff2396d8fcb0157e861c1bff969fff58765ad9a2f3389d5384fd

SHA512
93f9458c176520f953dfc91d81ebcdac8d2a212c331a5d071f7bf5a0f6469c5754760a710103504afb45622c220fb7529cc619f801b1f18fa4ae9a97c087424a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F59A01A8B782D93EA6991BC172CEFFB1

Filesize
242B

MD5
ab79ded5f8df3aad28ed73517c9ce171

SHA1
81981ae07f6f43a37aa49316d7c1d1adb54e7714

SHA256
26ab84e5bff2f365acf54fa3326d2ce0d13a103b90ab760061135ff09818b3ff

SHA512
5396e8e48ad6ace59626a69b9f491bc58956df78ca9d2df842d711fd9405edb475b384df9bce4b7247763f008515edb05ac8dfb9e17d7d469cd4e7b0637d1e49

Download Submit
C:\Users\Admin\AppData\Local\PUTTY.RND

Filesize
600B

MD5
d01520583bfd7f6fb1f52ae580ad0225

SHA1
42362f7487433cfefa4adef6ed6dd38134818f6c

SHA256
fe85bb8495aa5489a4e4f7345dca7be91c485a3715ee642e1b3574cd95714685

SHA512
4d95d562d0154c3c0e91feb60e70d87d284f130603a05c72d580901af2a0371b56a55ffc40ddde0c5132d58cf4ef3c9d43f5c2f9e30e8fdf410e53aebc4c0f23

Download Submit
C:\Users\Admin\AppData\Local\PUTTY.RND

Filesize
600B

MD5
4dc3464405c942c18d68039c6cfd133a

SHA1
514f0872d63c6394b78d507d87ee2f6fae719d07

SHA256
0f0c64a69d3dd5e8760f53059199f704977eb7c4427f456fd1073658c343b289

SHA512
120622132d3667cf22f5e2cfdd2aaee430a728c2bf40df6523174ff2ceb4ad828fca969bee88109bc8b762c3025596fb3e468db27bb0d9c1b5bafddbafc65f10

Download Submit
C:\Users\Admin\AppData\Local\PUTTY.RND

Filesize
600B

MD5
258a6388981360c2277366f1c53a8197

SHA1
746faf2f989d7b6c75170c7862bc8866fdf1c7fc

SHA256
2df923a4f921efb215bcf6959477f30c7aa2604a26316952c835a2bcf08923db

SHA512
e31e33c1f4e1ca9e5df5fa3dd643237dc52a43eb7fbb09762c64ffa45495ce72d122963765dfc14a3eca8e8c31bb5ce6738a916dff378d2a67b03c771c592292

Download Submit
C:\Users\Admin\AppData\Local\PUTTY.RND

Filesize
600B

MD5
bb59b2da287745c5aec5754b1c8403b2

SHA1
90e57bd14f9c93fb8f2ef6c05d6031b65044af5c

SHA256
9cbf6470531e52797fd291847abbf6b9d8e04b7aead1fc716f9dc601bc9a376a

SHA512
20e28189876c1dadc680aaf39d809035aef9eca996c25fd84b7e5e73c76fbe33f545bddc28fd79b1a6c3eba04223cb06f193ca396586667035ebefb0de1ad83e

Download Submit
C:\Users\Admin\AppData\Local\PUTTY.RND

Filesize
600B

MD5
9401631912cbac1a0909bce79657d9c3

SHA1
20c9d1884aa7e617e64f8d3ebe488ebf96b99871

SHA256
7bc0cd6cfacf704a9b3b47b3fcf3f1e3cc9e322dd1eb76f7d791bc138d3bbc83

SHA512
c87c14d4f6f2168bccd3e2094e4292746ea226e1f06d59543a54b45409c74409ab696b70a3df8e5938221b12c228814e519151b58d23c06e1d5fb87065c15242

Download Submit
C:\Users\Admin\AppData\Local\PUTTY.RND

Filesize
600B

MD5
6a8a0f4af2e8060b5facde0ea260928e

SHA1
5f72e1f4a94127b5fd555eb3bc9f90d83bd2edb8

SHA256
7d79bb4808d7cfc2a2ede1df7b6b056e29c1a73fb14cb190a9e9ac061dd83ecf

SHA512
4704e76ddbbf38311c6b8a5df55afc4d12ee43865c42e3ead86b8f63f4b9f3398b17b2407764442ebcb0602b3b8f9805de65727de42f6574e4f6a35da9b61bc7

Download Submit
C:\Users\Admin\AppData\Local\PUTTY.RND

Filesize
600B

MD5
241e285a974ae788d6b7cbe5a4cf2b95

SHA1
395920619cd383f0a89eee50a7d235d2249ebca5

SHA256
f5d106614347340e92a7e1b1581de65e7ca87b524f11fd63c43179bb6b8d3664

SHA512
a2480674c2c401440eca332d59384a3fe1eb1e6f3d5319bde022949432acfebfcf29004f5b756dbe45341e57d2d61a9c685839cd7c74e1c77cdd88a6a73f12bd

Download Submit
C:\Users\Admin\AppData\Local\PUTTY.RND

Filesize
600B

MD5
86fc85024618875f69c7d5fb06bf1100

SHA1
aa039bd6170ebaa650180e18abed59d80651ea5c

SHA256
f839fc7030ac44226bdde1c090f140c8f1b82d720bf8002734ff6ccc3294614d

SHA512
503de3350151fc1a233f82d620adcb5cc0f4b6514f83b2dd79773cd1b692f1a174446462090e8024d1261d7e829ac6cfe11e8ce2d5becc6f42c815150413db26

Download Submit
C:\Users\Admin\AppData\Local\PUTTY.RND

Filesize
600B

MD5
6d664a785a9f54ce116c762d32314749

SHA1
3cb11126f8effc985157d882c3eb21038d72283d

SHA256
7494fee41bca68cced7cffa4a5f9687c900e51229b29c40a9c2e0bef551f4108

SHA512
4902d3131b2c8733fc448c1284d36fc7f996d8e008fbcf3fe8a478a35eb365e79cb9f52076b5ccce7ac39dab1b5cf8be114b115037b2a8f869823ab6993724aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabC52.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarCF1.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\psiphon3-meek.exe

Filesize
1.6MB

MD5
b7247562191d524a10dcd7bdff873d9e

SHA1
22fac9e52f9f984c27c91035ba3b9e76d3c69611

SHA256
dfa8a812aace941ff2aa16311dbfb7b64b39959036a64ab631409455b8c68881

SHA512
62e0e0d61896303f73ef95f11fc3825a02b67b96e4d0a181f50772dfeb78023a1d80cf7f322d5420b8c2325c5cff716e586a4aa335e892e1280656d3d06853d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\psiphon3-plonk.exe

Filesize
374KB

MD5
d5c6f1a9e33a0751585520b988f4c0f0

SHA1
3eef9d6fd4d8b32316c773ddf1a69236508b62a7

SHA256
ba79afb1ac5c1af623640c8865fc3e6f631e42d37e80d5760b2633070597f942

SHA512
b5e928a1e23e430c255802ac3ad35d4e07f27babd9fb76d2520608571440e124b9ec174615f4219c0c1da389aa8a46bccb8c4f2a44a177ef4d78cd3a80cc94dd

Download Submit
memory/700-493-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/700-623-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/704-474-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/704-438-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/832-397-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/832-468-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/852-644-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/864-399-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/864-457-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/904-574-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/1060-467-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/1060-398-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/1324-70-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/1324-403-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/1324-320-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/1368-440-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/1368-552-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/1384-630-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/1504-364-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/1504-50-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/1504-316-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/1608-635-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/1608-445-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/1620-463-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/1620-431-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/1656-354-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/1656-61-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/1680-395-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/1680-462-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/1716-492-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/1720-648-0x0000000000400000-0x0000000000A61000-memory.dmp

Filesize
6.4MB

Download
memory/1720-534-0x0000000000400000-0x0000000000A61000-memory.dmp

Filesize
6.4MB

Download
memory/1720-10-0x0000000000400000-0x0000000000A61000-memory.dmp

Filesize
6.4MB

Download
memory/1720-310-0x0000000000400000-0x0000000000A61000-memory.dmp

Filesize
6.4MB

Download
memory/1740-654-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/1932-411-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/1932-396-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/2036-408-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/2036-537-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/2036-439-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/2124-655-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/2168-350-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/2168-317-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/2284-636-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/2284-451-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/2308-628-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/2368-332-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/2368-422-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/2416-663-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/2416-629-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/2560-345-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/2560-63-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/2564-65-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/2600-627-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/2616-293-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/2648-297-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/2648-62-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/2668-642-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/2668-339-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/2668-58-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/2696-314-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/2696-358-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/2924-423-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/2924-331-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/3016-307-0x0000000004B70000-0x00000000051D1000-memory.dmp

Filesize
6.4MB

Download
memory/3016-319-0x0000000003FB0000-0x0000000004086000-memory.dmp

Filesize
856KB

Download
memory/3016-441-0x0000000000880000-0x0000000000CD2000-memory.dmp

Filesize
4.3MB

Download
memory/3016-434-0x0000000003FB0000-0x0000000004086000-memory.dmp

Filesize
856KB

Download
memory/3016-444-0x0000000003FB0000-0x0000000004086000-memory.dmp

Filesize
856KB

Download
memory/3016-436-0x0000000003FB0000-0x0000000004086000-memory.dmp

Filesize
856KB

Download
memory/3016-437-0x0000000003FB0000-0x0000000004086000-memory.dmp

Filesize
856KB

Download
memory/3016-435-0x0000000003FB0000-0x0000000004086000-memory.dmp

Filesize
856KB

Download
memory/3016-60-0x0000000003FB0000-0x0000000004086000-memory.dmp

Filesize
856KB

Download
memory/3016-392-0x0000000003FB0000-0x0000000004086000-memory.dmp

Filesize
856KB

Download
memory/3016-393-0x0000000003FB0000-0x0000000004086000-memory.dmp

Filesize
856KB

Download
memory/3016-486-0x0000000003FB0000-0x0000000004086000-memory.dmp

Filesize
856KB

Download
memory/3016-489-0x0000000003FB0000-0x0000000004086000-memory.dmp

Filesize
856KB

Download
memory/3016-485-0x0000000003FB0000-0x0000000004086000-memory.dmp

Filesize
856KB

Download
memory/3016-484-0x0000000003FB0000-0x0000000004086000-memory.dmp

Filesize
856KB

Download
memory/3016-483-0x0000000003FB0000-0x0000000004086000-memory.dmp

Filesize
856KB

Download
memory/3016-394-0x0000000003FB0000-0x0000000004086000-memory.dmp

Filesize
856KB

Download
memory/3016-400-0x0000000003FB0000-0x0000000004086000-memory.dmp

Filesize
856KB

Download
memory/3016-337-0x0000000000880000-0x0000000000CD2000-memory.dmp

Filesize
4.3MB

Download
memory/3016-334-0x0000000003FB0000-0x0000000004086000-memory.dmp

Filesize
856KB

Download
memory/3016-479-0x0000000000880000-0x0000000000CD2000-memory.dmp

Filesize
4.3MB

Download
memory/3016-330-0x0000000003FB0000-0x0000000004086000-memory.dmp

Filesize
856KB

Download
memory/3016-321-0x0000000000880000-0x0000000000CD2000-memory.dmp

Filesize
4.3MB

Download
memory/3016-426-0x0000000003FB0000-0x0000000004086000-memory.dmp

Filesize
856KB

Download
memory/3016-548-0x0000000003FB0000-0x0000000004086000-memory.dmp

Filesize
856KB

Download
memory/3016-318-0x0000000003FB0000-0x0000000004086000-memory.dmp

Filesize
856KB

Download
memory/3016-647-0x0000000000880000-0x0000000000CD2000-memory.dmp

Filesize
4.3MB

Download
memory/3016-312-0x0000000004B70000-0x00000000051D1000-memory.dmp

Filesize
6.4MB

Download
memory/3016-576-0x0000000003FB0000-0x0000000004086000-memory.dmp

Filesize
856KB

Download
memory/3016-313-0x0000000003FB0000-0x0000000004086000-memory.dmp

Filesize
856KB

Download
memory/3016-626-0x0000000003FB0000-0x0000000004086000-memory.dmp

Filesize
856KB

Download
memory/3016-311-0x0000000003FB0000-0x0000000004086000-memory.dmp

Filesize
856KB

Download
memory/3016-309-0x0000000000880000-0x0000000000CD2000-memory.dmp

Filesize
4.3MB

Download
memory/3016-302-0x0000000003FB0000-0x0000000004086000-memory.dmp

Filesize
856KB

Download
memory/3016-0-0x0000000000880000-0x0000000000CD2000-memory.dmp

Filesize
4.3MB

Download
memory/3016-9-0x0000000004B70000-0x00000000051D1000-memory.dmp

Filesize
6.4MB

Download
memory/3016-11-0x0000000004B70000-0x00000000051D1000-memory.dmp

Filesize
6.4MB

Download
memory/3016-641-0x0000000003FB0000-0x0000000004086000-memory.dmp

Filesize
856KB

Download
memory/3016-47-0x0000000003FB0000-0x0000000004086000-memory.dmp

Filesize
856KB

Download
memory/3016-643-0x0000000003FB0000-0x0000000004086000-memory.dmp

Filesize
856KB

Download
memory/3016-48-0x0000000003FB0000-0x0000000004086000-memory.dmp

Filesize
856KB

Download
memory/3016-59-0x0000000003FB0000-0x0000000004086000-memory.dmp

Filesize
856KB

Download
memory/3016-646-0x0000000003FB0000-0x0000000004086000-memory.dmp

Filesize
856KB

Download
memory/3016-49-0x0000000003FB0000-0x0000000004086000-memory.dmp

Filesize
856KB

Download
memory/3016-53-0x0000000003FB0000-0x0000000004086000-memory.dmp

Filesize
856KB

Download
memory/3052-645-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/3068-315-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/3068-346-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download