asyncrat | aa8c1cae00d0bfdced58e5b0386caa3a76aa602e6d4ec4c98c84e97fc7429d0d

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07-09-2024 03:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnaRAT.exe
Size

6.0MB
MD5

b300d99faf11ac3c6d3609c34f39ad5b
SHA1

039310584b1e8fb43a08a865f3ab1b64610c8013
SHA256

b8af724789e01cb47a661d40a22a5ec93a2f1499d0ace4cd5e1d7d9fffa89246
SHA512

2158ca82f753258c4abee3bf425f91bd26a79fcf7c53cbb98fd5980a53d678613258367a5f10117547f3d900456d78a0e4a7c85b0f1806948e8e5b767ccb26d0
SSDEEP

49152:xqU/dfDJH/bKaPMNNteROzxRwF0UCLhCkpMn8HmWIos0/Noyos5rQLiMCPSsAm6o:x1dfDy

Malware Config

Extracted

Family

njrat

Version

Hallaj PRO Rat [Fixed]

Botnet

FFF

tibiaserver.ddns.net:2323

Mutex

64805e9b9efcd75e104b05fad0cb2a4c

Attributes

reg_key
64805e9b9efcd75e104b05fad0cb2a4c
splitter
boolLove

Extracted

Family

remcos

Botnet

AUGUST CRYPTER TOOLZ GRACE STUB

teamfavour222.ddns.net :6767

odogwuvisual123.duckdns.org:6767

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
-YFLE4M
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Extracted

Family

asyncrat

Version

0.5.8

Botnet

2 MONEY

twart.myfirewall.org:14143

Mutex

udn3BZ1Fqt3jtiZx

Attributes

delay
30
install
true
install_file
svchost.exe
install_folder
%Temp%

aes.plain

Extracted

Family

njrat

Version

0.7d

Botnet

neuf

doddyfire.linkpc.net:10000

Mutex

e1a87040f2026369a233f9ae76301b7b

Attributes

reg_key
e1a87040f2026369a233f9ae76301b7b
splitter
|'|'|

Extracted

Family

remcos

Botnet

GOLAZO

agosto14.con-ip.com:7772

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-KKPQTN
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Detect PurpleFox Rootkit 3 IoCs

Detect PurpleFox Rootkit.

rootkit

Processes:

resource	yara_rule
behavioral2/memory/464-120-0x0000000010000000-0x00000000101A5000-memory.dmp	purplefox_rootkit
behavioral2/memory/464-121-0x0000000010000000-0x00000000101A5000-memory.dmp	purplefox_rootkit
behavioral2/memory/464-123-0x0000000010000000-0x00000000101A5000-memory.dmp	purplefox_rootkit

Gh0st RAT payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/464-120-0x0000000010000000-0x00000000101A5000-memory.dmp	family_gh0strat
behavioral2/memory/464-121-0x0000000010000000-0x00000000101A5000-memory.dmp	family_gh0strat
behavioral2/memory/464-123-0x0000000010000000-0x00000000101A5000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

Client.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\System32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Sub\\Client.exe"	Client.exe

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3120	1476	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2352	1476	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1856	1476	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3624	1476	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4880	1476	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3136	1476	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3184	1476	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3176	1476	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5008	1476	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3580	1476	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5088	1476	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1372	1476	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1356	1476	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4628	1476	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4640	1476	schtasks.exe

PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
rootkit trojan purplefox
Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\zzzz.exe	family_stormkitty
behavioral2/memory/5004-302-0x00000000004F0000-0x0000000000546000-memory.dmp	family_stormkitty

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Detected Nirsoft tools 7 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

Processes:

resource	yara_rule
behavioral2/memory/792-465-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral2/memory/2284-468-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral2/memory/4976-478-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral2/memory/2284-481-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral2/memory/2284-467-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral2/memory/4976-484-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral2/memory/792-499-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft

NirSoft MailPassView 3 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral2/memory/2284-468-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView
behavioral2/memory/2284-481-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView
behavioral2/memory/2284-467-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 2 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral2/memory/792-465-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView
behavioral2/memory/792-499-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid process

2556 powershell.exe
1060 powershell.exe
1812 powershell.exe
2768 powershell.exe
792 powershell.exe
2600 powershell.exe
2508 powershell.exe
Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
persistence privilege_escalation

AppInit DLLs
T1546.010
Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

4812 netsh.exe

pid	process
2556	powershell.exe
1060	powershell.exe
1812	powershell.exe
2768	powershell.exe
792	powershell.exe
2600	powershell.exe
2508	powershell.exe

pid	process
4812	netsh.exe

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

73304b5c73a1c90b192c8748348509c213890807d3ca34b08c8fb84652b0cbd3.exesvchost.exe690c1b65a6267d6d0b201ba46089aabc.exeAnaRAT.exe150704149f7e54c4f7cbdb776f33173979791bc0c625f42477815923d13f8712.exea6a1abaf12a28ea8f6553356c3bdcf57.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	73304b5c73a1c90b192c8748348509c213890807d3ca34b08c8fb84652b0cbd3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	690c1b65a6267d6d0b201ba46089aabc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	AnaRAT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	150704149f7e54c4f7cbdb776f33173979791bc0c625f42477815923d13f8712.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	a6a1abaf12a28ea8f6553356c3bdcf57.exe

Drops startup file 2 IoCs

Processes:

svchost.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\64805e9b9efcd75e104b05fad0cb2a4c.exe	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\64805e9b9efcd75e104b05fad0cb2a4c.exe	svchost.exe

Executes dropped EXE 26 IoCs

Processes:

0430dc1af2f95a33401d17b84b314a48cf619c9cae8e7fb8376466ca96ba8ec5.exe690c1b65a6267d6d0b201ba46089aabc.exe62264.exe73304b5c73a1c90b192c8748348509c213890807d3ca34b08c8fb84652b0cbd3.exe1231234.exeSCRIPT~1.EXE150704149f7e54c4f7cbdb776f33173979791bc0c625f42477815923d13f8712.exe172407564549f9f59ff9210a9f3b93f8551fc2fdf5aeb80c40ec13c403393d131f4191de51907.exe651654794161616171771852588547475885414152526396369965885471452525258.exea6a1abaf12a28ea8f6553356c3bdcf57.exesvchost.exeClient.exeLauncher.exechargeable.exezzzz.exe690c1b65a6267d6d0b201ba46089aabc.exechargeable.exesvchost.exe651654794161616171771852588547475885414152526396369965885471452525258.exe172407564549f9f59ff9210a9f3b93f8551fc2fdf5aeb80c40ec13c403393d131f4191de51907.exe172407564549f9f59ff9210a9f3b93f8551fc2fdf5aeb80c40ec13c403393d131f4191de51907.exe172407564549f9f59ff9210a9f3b93f8551fc2fdf5aeb80c40ec13c403393d131f4191de51907.exedllhost.exe$77Microsoft To Do.exesvchost.exesvchost.exe

pid	process
464	0430dc1af2f95a33401d17b84b314a48cf619c9cae8e7fb8376466ca96ba8ec5.exe
2968	690c1b65a6267d6d0b201ba46089aabc.exe
4984	62264.exe
1672	73304b5c73a1c90b192c8748348509c213890807d3ca34b08c8fb84652b0cbd3.exe
4996	1231234.exe
440	SCRIPT~1.EXE
8	150704149f7e54c4f7cbdb776f33173979791bc0c625f42477815923d13f8712.exe
452	172407564549f9f59ff9210a9f3b93f8551fc2fdf5aeb80c40ec13c403393d131f4191de51907.exe
368	651654794161616171771852588547475885414152526396369965885471452525258.exe
1612	a6a1abaf12a28ea8f6553356c3bdcf57.exe
2152	svchost.exe
1332	Client.exe
3416	Launcher.exe
4144	chargeable.exe
5004	zzzz.exe
3948	690c1b65a6267d6d0b201ba46089aabc.exe
3236	chargeable.exe
2664	svchost.exe
1856	651654794161616171771852588547475885414152526396369965885471452525258.exe
792	172407564549f9f59ff9210a9f3b93f8551fc2fdf5aeb80c40ec13c403393d131f4191de51907.exe
2284	172407564549f9f59ff9210a9f3b93f8551fc2fdf5aeb80c40ec13c403393d131f4191de51907.exe
4976	172407564549f9f59ff9210a9f3b93f8551fc2fdf5aeb80c40ec13c403393d131f4191de51907.exe
4816	dllhost.exe
4928	$77Microsoft To Do.exe
1664	svchost.exe
4892	svchost.exe

Loads dropped DLL 7 IoCs

Processes:

timeout.exe$77Microsoft To Do.exe

pid process

3840
1920 timeout.exe
2240
4928 $77Microsoft To Do.exe
2672
2040
4664
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
3840
1920	timeout.exe
2240
4928	$77Microsoft To Do.exe
2672
2040
4664

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\172407564549f9f59ff9210a9f3b93f8551fc2fdf5aeb80c40ec13c403393d131f4191de51907.exe	upx
behavioral2/memory/452-94-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral2/memory/464-120-0x0000000010000000-0x00000000101A5000-memory.dmp	upx
behavioral2/memory/464-121-0x0000000010000000-0x00000000101A5000-memory.dmp	upx
behavioral2/memory/464-123-0x0000000010000000-0x00000000101A5000-memory.dmp	upx
behavioral2/memory/464-118-0x0000000010000000-0x00000000101A5000-memory.dmp	upx
behavioral2/memory/452-278-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral2/memory/452-277-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral2/memory/452-556-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral2/memory/452-759-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral2/memory/452-856-0x0000000000400000-0x000000000048A000-memory.dmp	upx

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

172407564549f9f59ff9210a9f3b93f8551fc2fdf5aeb80c40ec13c403393d131f4191de51907.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	172407564549f9f59ff9210a9f3b93f8551fc2fdf5aeb80c40ec13c403393d131f4191de51907.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

zzzz.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	zzzz.exe
Key opened	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	zzzz.exe
Key opened	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	zzzz.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

150704149f7e54c4f7cbdb776f33173979791bc0c625f42477815923d13f8712.exe651654794161616171771852588547475885414152526396369965885471452525258.exeClient.exe62264.exe73304b5c73a1c90b192c8748348509c213890807d3ca34b08c8fb84652b0cbd3.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Client = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Client.exe"	150704149f7e54c4f7cbdb776f33173979791bc0c625f42477815923d13f8712.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zzzz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zzzz.exe"	150704149f7e54c4f7cbdb776f33173979791bc0c625f42477815923d13f8712.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Cisco = "C:\\Users\\Admin\\Pictures\\Cisco\\VPNManager.exe"	651654794161616171771852588547475885414152526396369965885471452525258.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Sub\\WatchDog.exe"	Client.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	62264.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\confuse = "C:\\Users\\Admin\\AppData\\Roaming\\confuse\\chargeable.exe"	73304b5c73a1c90b192c8748348509c213890807d3ca34b08c8fb84652b0cbd3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysMain = "C:\\Users\\Admin\\AppData\\Local\\73304b5c73a1c90b192c8748348509c213890807d3ca34b08c8fb84652b0cbd3.exe"	73304b5c73a1c90b192c8748348509c213890807d3ca34b08c8fb84652b0cbd3.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 7 IoCs

Processes:

zzzz.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\DSEYXUOD\FileGrabber\Downloads\desktop.ini	zzzz.exe
File created	C:\Users\Admin\AppData\Roaming\DSEYXUOD\FileGrabber\Pictures\desktop.ini	zzzz.exe
File created	C:\Users\Admin\AppData\Roaming\DSEYXUOD\FileGrabber\Pictures\Saved Pictures\desktop.ini	zzzz.exe
File created	C:\Users\Admin\AppData\Roaming\DSEYXUOD\FileGrabber\Pictures\Camera Roll\desktop.ini	zzzz.exe
File created	C:\Users\Admin\AppData\Roaming\DSEYXUOD\FileGrabber\Desktop\desktop.ini	zzzz.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\DSEYXUOD\FileGrabber\Desktop\desktop.ini	zzzz.exe
File created	C:\Users\Admin\AppData\Roaming\DSEYXUOD\FileGrabber\Documents\desktop.ini	zzzz.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

92 discord.com
93 discord.com
Looks up external IP address via web service 5 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

56 ip-api.com
26 freegeoip.app
29 freegeoip.app
53 api.ipify.org
54 api.ipify.org

flow	ioc
92	discord.com
93	discord.com

flow	ioc
56	ip-api.com
26	freegeoip.app
29	freegeoip.app
53	api.ipify.org
54	api.ipify.org

Suspicious use of SetThreadContext 6 IoCs

Processes:

690c1b65a6267d6d0b201ba46089aabc.exechargeable.exe172407564549f9f59ff9210a9f3b93f8551fc2fdf5aeb80c40ec13c403393d131f4191de51907.exesvchost.exe

description	pid	process	target process
PID 2968 set thread context of 3948	2968	690c1b65a6267d6d0b201ba46089aabc.exe	690c1b65a6267d6d0b201ba46089aabc.exe
PID 4144 set thread context of 3236	4144	chargeable.exe	chargeable.exe
PID 452 set thread context of 792	452	172407564549f9f59ff9210a9f3b93f8551fc2fdf5aeb80c40ec13c403393d131f4191de51907.exe	172407564549f9f59ff9210a9f3b93f8551fc2fdf5aeb80c40ec13c403393d131f4191de51907.exe
PID 452 set thread context of 2284	452	172407564549f9f59ff9210a9f3b93f8551fc2fdf5aeb80c40ec13c403393d131f4191de51907.exe	172407564549f9f59ff9210a9f3b93f8551fc2fdf5aeb80c40ec13c403393d131f4191de51907.exe
PID 452 set thread context of 4976	452	172407564549f9f59ff9210a9f3b93f8551fc2fdf5aeb80c40ec13c403393d131f4191de51907.exe	172407564549f9f59ff9210a9f3b93f8551fc2fdf5aeb80c40ec13c403393d131f4191de51907.exe
PID 1664 set thread context of 4892	1664	svchost.exe	svchost.exe

Drops file in Program Files directory 7 IoCs

Processes:

a6a1abaf12a28ea8f6553356c3bdcf57.exe

description	ioc	process
File created	C:\Program Files\Windows Multimedia Platform\dllhost.exe	a6a1abaf12a28ea8f6553356c3bdcf57.exe
File opened for modification	C:\Program Files\Windows Multimedia Platform\dllhost.exe	a6a1abaf12a28ea8f6553356c3bdcf57.exe
File created	C:\Program Files\Windows Multimedia Platform\5940a34987c991	a6a1abaf12a28ea8f6553356c3bdcf57.exe
File created	C:\Program Files (x86)\Internet Explorer\uk-UA\651654794161616171771852588547475885414152526396369965885471452525258.exe	a6a1abaf12a28ea8f6553356c3bdcf57.exe
File created	C:\Program Files (x86)\Internet Explorer\uk-UA\36588f4d270d4c	a6a1abaf12a28ea8f6553356c3bdcf57.exe
File created	C:\Program Files\Windows NT\Accessories\en-US\RuntimeBroker.exe	a6a1abaf12a28ea8f6553356c3bdcf57.exe
File created	C:\Program Files\Windows NT\Accessories\en-US\9e8d7a4ca61bd9	a6a1abaf12a28ea8f6553356c3bdcf57.exe

Drops file in Windows directory 3 IoCs

Processes:

a6a1abaf12a28ea8f6553356c3bdcf57.exeClient.exe

description	ioc	process
File created	C:\Windows\IME\de-DE\RuntimeBroker.exe	a6a1abaf12a28ea8f6553356c3bdcf57.exe
File created	C:\Windows\IME\de-DE\9e8d7a4ca61bd9	a6a1abaf12a28ea8f6553356c3bdcf57.exe
File created	C:\Windows\xdwd.dll	Client.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

Processes:

netsh.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 24 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

svchost.exechargeable.exesvchost.exe172407564549f9f59ff9210a9f3b93f8551fc2fdf5aeb80c40ec13c403393d131f4191de51907.exesvchost.exe690c1b65a6267d6d0b201ba46089aabc.exenetsh.exe0430dc1af2f95a33401d17b84b314a48cf619c9cae8e7fb8376466ca96ba8ec5.exe172407564549f9f59ff9210a9f3b93f8551fc2fdf5aeb80c40ec13c403393d131f4191de51907.exe651654794161616171771852588547475885414152526396369965885471452525258.exechargeable.exe651654794161616171771852588547475885414152526396369965885471452525258.exe172407564549f9f59ff9210a9f3b93f8551fc2fdf5aeb80c40ec13c403393d131f4191de51907.exe172407564549f9f59ff9210a9f3b93f8551fc2fdf5aeb80c40ec13c403393d131f4191de51907.execmd.exetimeout.exesvchost.exeAnaRAT.exe73304b5c73a1c90b192c8748348509c213890807d3ca34b08c8fb84652b0cbd3.exeSCRIPT~1.EXEzzzz.exe690c1b65a6267d6d0b201ba46089aabc.execmd.exeschtasks.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chargeable.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	172407564549f9f59ff9210a9f3b93f8551fc2fdf5aeb80c40ec13c403393d131f4191de51907.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	690c1b65a6267d6d0b201ba46089aabc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0430dc1af2f95a33401d17b84b314a48cf619c9cae8e7fb8376466ca96ba8ec5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	172407564549f9f59ff9210a9f3b93f8551fc2fdf5aeb80c40ec13c403393d131f4191de51907.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	651654794161616171771852588547475885414152526396369965885471452525258.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chargeable.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	651654794161616171771852588547475885414152526396369965885471452525258.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	172407564549f9f59ff9210a9f3b93f8551fc2fdf5aeb80c40ec13c403393d131f4191de51907.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	172407564549f9f59ff9210a9f3b93f8551fc2fdf5aeb80c40ec13c403393d131f4191de51907.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnaRAT.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	73304b5c73a1c90b192c8748348509c213890807d3ca34b08c8fb84652b0cbd3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SCRIPT~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zzzz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	690c1b65a6267d6d0b201ba46089aabc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
discovery

Internet Connection Discovery
T1016.001

Processes:

PING.EXE

pid process

1620 PING.EXE

pid	process
1620	PING.EXE

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

zzzz.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	zzzz.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	zzzz.exe

Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

2464 timeout.exe
1920 timeout.exe

pid	process
2464	timeout.exe
1920	timeout.exe

Modifies registry class 22 IoCs

Processes:

Launcher.exea6a1abaf12a28ea8f6553356c3bdcf57.exeSCRIPT~1.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	Launcher.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings	a6a1abaf12a28ea8f6553356c3bdcf57.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	Launcher.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	Launcher.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	Launcher.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	Launcher.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	Launcher.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Launcher.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings	SCRIPT~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings	Launcher.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	Launcher.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	Launcher.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	Launcher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Launcher.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	Launcher.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000	Launcher.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	Launcher.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	Launcher.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	Launcher.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Launcher.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	Launcher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	Launcher.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1620 PING.EXE

pid	process
1620	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 17 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
3624	schtasks.exe
3136	schtasks.exe
3184	schtasks.exe
5088	schtasks.exe
3176	schtasks.exe
1856	schtasks.exe
5008	schtasks.exe
1372	schtasks.exe
4640	schtasks.exe
3992	schtasks.exe
2352	schtasks.exe
3176	schtasks.exe
3580	schtasks.exe
3120	schtasks.exe
4880	schtasks.exe
1356	schtasks.exe
4628	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

a6a1abaf12a28ea8f6553356c3bdcf57.exe

pid	process
1612	a6a1abaf12a28ea8f6553356c3bdcf57.exe
1612	a6a1abaf12a28ea8f6553356c3bdcf57.exe
1612	a6a1abaf12a28ea8f6553356c3bdcf57.exe
1612	a6a1abaf12a28ea8f6553356c3bdcf57.exe
1612	a6a1abaf12a28ea8f6553356c3bdcf57.exe
1612	a6a1abaf12a28ea8f6553356c3bdcf57.exe
1612	a6a1abaf12a28ea8f6553356c3bdcf57.exe
1612	a6a1abaf12a28ea8f6553356c3bdcf57.exe
1612	a6a1abaf12a28ea8f6553356c3bdcf57.exe
1612	a6a1abaf12a28ea8f6553356c3bdcf57.exe
1612	a6a1abaf12a28ea8f6553356c3bdcf57.exe
1612	a6a1abaf12a28ea8f6553356c3bdcf57.exe
1612	a6a1abaf12a28ea8f6553356c3bdcf57.exe
1612	a6a1abaf12a28ea8f6553356c3bdcf57.exe
1612	a6a1abaf12a28ea8f6553356c3bdcf57.exe
1612	a6a1abaf12a28ea8f6553356c3bdcf57.exe
1612	a6a1abaf12a28ea8f6553356c3bdcf57.exe
1612	a6a1abaf12a28ea8f6553356c3bdcf57.exe
1612	a6a1abaf12a28ea8f6553356c3bdcf57.exe
1612	a6a1abaf12a28ea8f6553356c3bdcf57.exe
1612	a6a1abaf12a28ea8f6553356c3bdcf57.exe
1612	a6a1abaf12a28ea8f6553356c3bdcf57.exe
1612	a6a1abaf12a28ea8f6553356c3bdcf57.exe
1612	a6a1abaf12a28ea8f6553356c3bdcf57.exe
1612	a6a1abaf12a28ea8f6553356c3bdcf57.exe
1612	a6a1abaf12a28ea8f6553356c3bdcf57.exe
1612	a6a1abaf12a28ea8f6553356c3bdcf57.exe
1612	a6a1abaf12a28ea8f6553356c3bdcf57.exe
1612	a6a1abaf12a28ea8f6553356c3bdcf57.exe
1612	a6a1abaf12a28ea8f6553356c3bdcf57.exe
1612	a6a1abaf12a28ea8f6553356c3bdcf57.exe
1612	a6a1abaf12a28ea8f6553356c3bdcf57.exe
1612	a6a1abaf12a28ea8f6553356c3bdcf57.exe
1612	a6a1abaf12a28ea8f6553356c3bdcf57.exe
1612	a6a1abaf12a28ea8f6553356c3bdcf57.exe
1612	a6a1abaf12a28ea8f6553356c3bdcf57.exe
1612	a6a1abaf12a28ea8f6553356c3bdcf57.exe
1612	a6a1abaf12a28ea8f6553356c3bdcf57.exe
1612	a6a1abaf12a28ea8f6553356c3bdcf57.exe
1612	a6a1abaf12a28ea8f6553356c3bdcf57.exe
1612	a6a1abaf12a28ea8f6553356c3bdcf57.exe
1612	a6a1abaf12a28ea8f6553356c3bdcf57.exe
1612	a6a1abaf12a28ea8f6553356c3bdcf57.exe
1612	a6a1abaf12a28ea8f6553356c3bdcf57.exe
1612	a6a1abaf12a28ea8f6553356c3bdcf57.exe
1612	a6a1abaf12a28ea8f6553356c3bdcf57.exe
1612	a6a1abaf12a28ea8f6553356c3bdcf57.exe
1612	a6a1abaf12a28ea8f6553356c3bdcf57.exe
1612	a6a1abaf12a28ea8f6553356c3bdcf57.exe
1612	a6a1abaf12a28ea8f6553356c3bdcf57.exe
1612	a6a1abaf12a28ea8f6553356c3bdcf57.exe
1612	a6a1abaf12a28ea8f6553356c3bdcf57.exe
1612	a6a1abaf12a28ea8f6553356c3bdcf57.exe
1612	a6a1abaf12a28ea8f6553356c3bdcf57.exe
1612	a6a1abaf12a28ea8f6553356c3bdcf57.exe
1612	a6a1abaf12a28ea8f6553356c3bdcf57.exe
1612	a6a1abaf12a28ea8f6553356c3bdcf57.exe
1612	a6a1abaf12a28ea8f6553356c3bdcf57.exe
1612	a6a1abaf12a28ea8f6553356c3bdcf57.exe
1612	a6a1abaf12a28ea8f6553356c3bdcf57.exe
1612	a6a1abaf12a28ea8f6553356c3bdcf57.exe
1612	a6a1abaf12a28ea8f6553356c3bdcf57.exe
1612	a6a1abaf12a28ea8f6553356c3bdcf57.exe
1612	a6a1abaf12a28ea8f6553356c3bdcf57.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

dllhost.exe

pid process

4816 dllhost.exe

pid	process
4816	dllhost.exe

Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

172407564549f9f59ff9210a9f3b93f8551fc2fdf5aeb80c40ec13c403393d131f4191de51907.exe

pid	process
452	172407564549f9f59ff9210a9f3b93f8551fc2fdf5aeb80c40ec13c403393d131f4191de51907.exe
452	172407564549f9f59ff9210a9f3b93f8551fc2fdf5aeb80c40ec13c403393d131f4191de51907.exe
452	172407564549f9f59ff9210a9f3b93f8551fc2fdf5aeb80c40ec13c403393d131f4191de51907.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

a6a1abaf12a28ea8f6553356c3bdcf57.exepowershell.exe1231234.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeClient.exepowershell.exezzzz.exe172407564549f9f59ff9210a9f3b93f8551fc2fdf5aeb80c40ec13c403393d131f4191de51907.exedllhost.exesvchost.exechargeable.exe$77Microsoft To Do.exe690c1b65a6267d6d0b201ba46089aabc.exe0430dc1af2f95a33401d17b84b314a48cf619c9cae8e7fb8376466ca96ba8ec5.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	1612	a6a1abaf12a28ea8f6553356c3bdcf57.exe
Token: SeDebugPrivilege	2556	powershell.exe
Token: SeDebugPrivilege	4996	1231234.exe
Token: SeDebugPrivilege	2600	powershell.exe
Token: SeDebugPrivilege	2768	powershell.exe
Token: SeDebugPrivilege	792	powershell.exe
Token: SeDebugPrivilege	1812	powershell.exe
Token: SeDebugPrivilege	1060	powershell.exe
Token: SeDebugPrivilege	1332	Client.exe
Token: SeDebugPrivilege	2508	powershell.exe
Token: SeDebugPrivilege	5004	zzzz.exe
Token: SeDebugPrivilege	4976	172407564549f9f59ff9210a9f3b93f8551fc2fdf5aeb80c40ec13c403393d131f4191de51907.exe
Token: SeDebugPrivilege	4816	dllhost.exe
Token: SeDebugPrivilege	2664	svchost.exe
Token: 33	2664	svchost.exe
Token: SeIncBasePriorityPrivilege	2664	svchost.exe
Token: SeDebugPrivilege	3236	chargeable.exe
Token: 33	3236	chargeable.exe
Token: SeIncBasePriorityPrivilege	3236	chargeable.exe
Token: 33	2664	svchost.exe
Token: SeIncBasePriorityPrivilege	2664	svchost.exe
Token: 33	3236	chargeable.exe
Token: SeIncBasePriorityPrivilege	3236	chargeable.exe
Token: SeDebugPrivilege	4928	$77Microsoft To Do.exe
Token: 33	2664	svchost.exe
Token: SeIncBasePriorityPrivilege	2664	svchost.exe
Token: 33	3236	chargeable.exe
Token: SeIncBasePriorityPrivilege	3236	chargeable.exe
Token: SeDebugPrivilege	3948	690c1b65a6267d6d0b201ba46089aabc.exe
Token: 33	2664	svchost.exe
Token: SeIncBasePriorityPrivilege	2664	svchost.exe
Token: 33	3236	chargeable.exe
Token: SeIncBasePriorityPrivilege	3236	chargeable.exe
Token: 33	2664	svchost.exe
Token: SeIncBasePriorityPrivilege	2664	svchost.exe
Token: 33	3236	chargeable.exe
Token: SeIncBasePriorityPrivilege	3236	chargeable.exe
Token: 33	464	0430dc1af2f95a33401d17b84b314a48cf619c9cae8e7fb8376466ca96ba8ec5.exe
Token: SeIncBasePriorityPrivilege	464	0430dc1af2f95a33401d17b84b314a48cf619c9cae8e7fb8376466ca96ba8ec5.exe
Token: 33	2664	svchost.exe
Token: SeIncBasePriorityPrivilege	2664	svchost.exe
Token: 33	3236	chargeable.exe
Token: SeIncBasePriorityPrivilege	3236	chargeable.exe
Token: 33	2664	svchost.exe
Token: SeIncBasePriorityPrivilege	2664	svchost.exe
Token: 33	3236	chargeable.exe
Token: SeIncBasePriorityPrivilege	3236	chargeable.exe
Token: 33	2664	svchost.exe
Token: SeIncBasePriorityPrivilege	2664	svchost.exe
Token: 33	3236	chargeable.exe
Token: SeIncBasePriorityPrivilege	3236	chargeable.exe
Token: SeDebugPrivilege	4892	svchost.exe
Token: 33	2664	svchost.exe
Token: SeIncBasePriorityPrivilege	2664	svchost.exe
Token: 33	3236	chargeable.exe
Token: SeIncBasePriorityPrivilege	3236	chargeable.exe
Token: 33	2664	svchost.exe
Token: SeIncBasePriorityPrivilege	2664	svchost.exe
Token: 33	3236	chargeable.exe
Token: SeIncBasePriorityPrivilege	3236	chargeable.exe
Token: 33	2664	svchost.exe
Token: SeIncBasePriorityPrivilege	2664	svchost.exe
Token: 33	3236	chargeable.exe
Token: SeIncBasePriorityPrivilege	3236	chargeable.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

Launcher.exe651654794161616171771852588547475885414152526396369965885471452525258.exe

pid process

3416 Launcher.exe
1856 651654794161616171771852588547475885414152526396369965885471452525258.exe

pid	process
3416	Launcher.exe
1856	651654794161616171771852588547475885414152526396369965885471452525258.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

AnaRAT.exe62264.exe150704149f7e54c4f7cbdb776f33173979791bc0c625f42477815923d13f8712.exea6a1abaf12a28ea8f6553356c3bdcf57.execmd.exe73304b5c73a1c90b192c8748348509c213890807d3ca34b08c8fb84652b0cbd3.exe690c1b65a6267d6d0b201ba46089aabc.exe

description	pid	process	target process
PID 1060 wrote to memory of 464	1060	AnaRAT.exe	0430dc1af2f95a33401d17b84b314a48cf619c9cae8e7fb8376466ca96ba8ec5.exe
PID 1060 wrote to memory of 464	1060	AnaRAT.exe	0430dc1af2f95a33401d17b84b314a48cf619c9cae8e7fb8376466ca96ba8ec5.exe
PID 1060 wrote to memory of 464	1060	AnaRAT.exe	0430dc1af2f95a33401d17b84b314a48cf619c9cae8e7fb8376466ca96ba8ec5.exe
PID 1060 wrote to memory of 2968	1060	AnaRAT.exe	690c1b65a6267d6d0b201ba46089aabc.exe
PID 1060 wrote to memory of 2968	1060	AnaRAT.exe	690c1b65a6267d6d0b201ba46089aabc.exe
PID 1060 wrote to memory of 2968	1060	AnaRAT.exe	690c1b65a6267d6d0b201ba46089aabc.exe
PID 1060 wrote to memory of 4984	1060	AnaRAT.exe	62264.exe
PID 1060 wrote to memory of 4984	1060	AnaRAT.exe	62264.exe
PID 1060 wrote to memory of 1672	1060	AnaRAT.exe	73304b5c73a1c90b192c8748348509c213890807d3ca34b08c8fb84652b0cbd3.exe
PID 1060 wrote to memory of 1672	1060	AnaRAT.exe	73304b5c73a1c90b192c8748348509c213890807d3ca34b08c8fb84652b0cbd3.exe
PID 1060 wrote to memory of 1672	1060	AnaRAT.exe	73304b5c73a1c90b192c8748348509c213890807d3ca34b08c8fb84652b0cbd3.exe
PID 1060 wrote to memory of 4996	1060	AnaRAT.exe	1231234.exe
PID 1060 wrote to memory of 4996	1060	AnaRAT.exe	1231234.exe
PID 4984 wrote to memory of 440	4984	62264.exe	SCRIPT~1.EXE
PID 4984 wrote to memory of 440	4984	62264.exe	SCRIPT~1.EXE
PID 4984 wrote to memory of 440	4984	62264.exe	SCRIPT~1.EXE
PID 1060 wrote to memory of 8	1060	AnaRAT.exe	150704149f7e54c4f7cbdb776f33173979791bc0c625f42477815923d13f8712.exe
PID 1060 wrote to memory of 8	1060	AnaRAT.exe	150704149f7e54c4f7cbdb776f33173979791bc0c625f42477815923d13f8712.exe
PID 1060 wrote to memory of 452	1060	AnaRAT.exe	172407564549f9f59ff9210a9f3b93f8551fc2fdf5aeb80c40ec13c403393d131f4191de51907.exe
PID 1060 wrote to memory of 452	1060	AnaRAT.exe	172407564549f9f59ff9210a9f3b93f8551fc2fdf5aeb80c40ec13c403393d131f4191de51907.exe
PID 1060 wrote to memory of 452	1060	AnaRAT.exe	172407564549f9f59ff9210a9f3b93f8551fc2fdf5aeb80c40ec13c403393d131f4191de51907.exe
PID 1060 wrote to memory of 368	1060	AnaRAT.exe	651654794161616171771852588547475885414152526396369965885471452525258.exe
PID 1060 wrote to memory of 368	1060	AnaRAT.exe	651654794161616171771852588547475885414152526396369965885471452525258.exe
PID 1060 wrote to memory of 368	1060	AnaRAT.exe	651654794161616171771852588547475885414152526396369965885471452525258.exe
PID 1060 wrote to memory of 1612	1060	AnaRAT.exe	a6a1abaf12a28ea8f6553356c3bdcf57.exe
PID 1060 wrote to memory of 1612	1060	AnaRAT.exe	a6a1abaf12a28ea8f6553356c3bdcf57.exe
PID 8 wrote to memory of 2556	8	150704149f7e54c4f7cbdb776f33173979791bc0c625f42477815923d13f8712.exe	powershell.exe
PID 8 wrote to memory of 2556	8	150704149f7e54c4f7cbdb776f33173979791bc0c625f42477815923d13f8712.exe	powershell.exe
PID 1612 wrote to memory of 2600	1612	a6a1abaf12a28ea8f6553356c3bdcf57.exe	powershell.exe
PID 1612 wrote to memory of 2600	1612	a6a1abaf12a28ea8f6553356c3bdcf57.exe	powershell.exe
PID 1612 wrote to memory of 792	1612	a6a1abaf12a28ea8f6553356c3bdcf57.exe	powershell.exe
PID 1612 wrote to memory of 792	1612	a6a1abaf12a28ea8f6553356c3bdcf57.exe	powershell.exe
PID 1612 wrote to memory of 2768	1612	a6a1abaf12a28ea8f6553356c3bdcf57.exe	powershell.exe
PID 1612 wrote to memory of 2768	1612	a6a1abaf12a28ea8f6553356c3bdcf57.exe	powershell.exe
PID 1612 wrote to memory of 1812	1612	a6a1abaf12a28ea8f6553356c3bdcf57.exe	powershell.exe
PID 1612 wrote to memory of 1812	1612	a6a1abaf12a28ea8f6553356c3bdcf57.exe	powershell.exe
PID 1612 wrote to memory of 1060	1612	a6a1abaf12a28ea8f6553356c3bdcf57.exe	powershell.exe
PID 1612 wrote to memory of 1060	1612	a6a1abaf12a28ea8f6553356c3bdcf57.exe	powershell.exe
PID 1612 wrote to memory of 404	1612	a6a1abaf12a28ea8f6553356c3bdcf57.exe	cmd.exe
PID 1612 wrote to memory of 404	1612	a6a1abaf12a28ea8f6553356c3bdcf57.exe	cmd.exe
PID 4984 wrote to memory of 2152	4984	62264.exe	svchost.exe
PID 4984 wrote to memory of 2152	4984	62264.exe	svchost.exe
PID 4984 wrote to memory of 2152	4984	62264.exe	svchost.exe
PID 404 wrote to memory of 4224	404	cmd.exe	chcp.com
PID 404 wrote to memory of 4224	404	cmd.exe	chcp.com
PID 404 wrote to memory of 1620	404	cmd.exe	PING.EXE
PID 404 wrote to memory of 1620	404	cmd.exe	PING.EXE
PID 8 wrote to memory of 1332	8	150704149f7e54c4f7cbdb776f33173979791bc0c625f42477815923d13f8712.exe	Client.exe
PID 8 wrote to memory of 1332	8	150704149f7e54c4f7cbdb776f33173979791bc0c625f42477815923d13f8712.exe	Client.exe
PID 8 wrote to memory of 3416	8	150704149f7e54c4f7cbdb776f33173979791bc0c625f42477815923d13f8712.exe	Launcher.exe
PID 8 wrote to memory of 3416	8	150704149f7e54c4f7cbdb776f33173979791bc0c625f42477815923d13f8712.exe	Launcher.exe
PID 8 wrote to memory of 2508	8	150704149f7e54c4f7cbdb776f33173979791bc0c625f42477815923d13f8712.exe	powershell.exe
PID 8 wrote to memory of 2508	8	150704149f7e54c4f7cbdb776f33173979791bc0c625f42477815923d13f8712.exe	powershell.exe
PID 1672 wrote to memory of 4144	1672	73304b5c73a1c90b192c8748348509c213890807d3ca34b08c8fb84652b0cbd3.exe	chargeable.exe
PID 1672 wrote to memory of 4144	1672	73304b5c73a1c90b192c8748348509c213890807d3ca34b08c8fb84652b0cbd3.exe	chargeable.exe
PID 1672 wrote to memory of 4144	1672	73304b5c73a1c90b192c8748348509c213890807d3ca34b08c8fb84652b0cbd3.exe	chargeable.exe
PID 8 wrote to memory of 5004	8	150704149f7e54c4f7cbdb776f33173979791bc0c625f42477815923d13f8712.exe	zzzz.exe
PID 8 wrote to memory of 5004	8	150704149f7e54c4f7cbdb776f33173979791bc0c625f42477815923d13f8712.exe	zzzz.exe
PID 8 wrote to memory of 5004	8	150704149f7e54c4f7cbdb776f33173979791bc0c625f42477815923d13f8712.exe	zzzz.exe
PID 2968 wrote to memory of 3948	2968	690c1b65a6267d6d0b201ba46089aabc.exe	690c1b65a6267d6d0b201ba46089aabc.exe
PID 2968 wrote to memory of 3948	2968	690c1b65a6267d6d0b201ba46089aabc.exe	690c1b65a6267d6d0b201ba46089aabc.exe
PID 2968 wrote to memory of 3948	2968	690c1b65a6267d6d0b201ba46089aabc.exe	690c1b65a6267d6d0b201ba46089aabc.exe
PID 2968 wrote to memory of 3948	2968	690c1b65a6267d6d0b201ba46089aabc.exe	690c1b65a6267d6d0b201ba46089aabc.exe
PID 2968 wrote to memory of 3948	2968	690c1b65a6267d6d0b201ba46089aabc.exe	690c1b65a6267d6d0b201ba46089aabc.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

outlook_office_path 1 IoCs

Processes:

zzzz.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	zzzz.exe

outlook_win_path 1 IoCs

Processes:

zzzz.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	zzzz.exe

C:\Users\Admin\AppData\Local\Temp\AnaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\AnaRAT.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1060
- C:\Users\Admin\AppData\Local\0430dc1af2f95a33401d17b84b314a48cf619c9cae8e7fb8376466ca96ba8ec5.exe
  "C:\Users\Admin\AppData\Local\0430dc1af2f95a33401d17b84b314a48cf619c9cae8e7fb8376466ca96ba8ec5.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:464
- C:\Users\Admin\AppData\Local\690c1b65a6267d6d0b201ba46089aabc.exe
  "C:\Users\Admin\AppData\Local\690c1b65a6267d6d0b201ba46089aabc.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2968
- - C:\Users\Admin\AppData\Local\690c1b65a6267d6d0b201ba46089aabc.exe
    "C:\Users\Admin\AppData\Local\690c1b65a6267d6d0b201ba46089aabc.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:3948
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Local\Temp\svchost.exe"' & exit
      4⤵
      System Location Discovery: System Language Discovery
      PID:4664
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Local\Temp\svchost.exe"'
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:3992
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp7B07.tmp.bat""
      4⤵
      System Location Discovery: System Language Discovery
      PID:2768
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        5⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:2464
    - - C:\Users\Admin\AppData\Local\Temp\svchost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1664
      - C:\Users\Admin\AppData\Local\Temp\svchost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4892
- C:\Users\Admin\AppData\Local\62264.exe
  "C:\Users\Admin\AppData\Local\62264.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4984
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SCRIPT~1.EXE
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SCRIPT~1.EXE
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:440
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\svchost.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\svchost.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2152
  - - C:\Users\Admin\AppData\Roaming\svchost.exe
      "C:\Users\Admin\AppData\Roaming\svchost.exe"
      4⤵
      Drops startup file
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2664
- C:\Users\Admin\AppData\Local\73304b5c73a1c90b192c8748348509c213890807d3ca34b08c8fb84652b0cbd3.exe
  "C:\Users\Admin\AppData\Local\73304b5c73a1c90b192c8748348509c213890807d3ca34b08c8fb84652b0cbd3.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1672
- - C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
    "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:4144
  - - C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
      C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:3236
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:4812
- C:\Users\Admin\AppData\Local\1231234.exe
  "C:\Users\Admin\AppData\Local\1231234.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4996
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp51E4.tmp.bat""
    3⤵
    PID:432
  - - C:\Windows\system32\timeout.exe
      timeout 3
      4⤵
      Loads dropped DLL
      Delays execution with timeout.exe
      PID:1920
  - - C:\Users\Admin\AppData\Roaming\DriverrHub\$77Microsoft To Do.exe
      "C:\Users\Admin\AppData\Roaming\DriverrHub\$77Microsoft To Do.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of AdjustPrivilegeToken
      PID:4928
- C:\Users\Admin\AppData\Local\150704149f7e54c4f7cbdb776f33173979791bc0c625f42477815923d13f8712.exe
  "C:\Users\Admin\AppData\Local\150704149f7e54c4f7cbdb776f33173979791bc0c625f42477815923d13f8712.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:8
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Client.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:2556
- - C:\Users\Admin\AppData\Local\Temp\Client.exe
    "C:\Users\Admin\AppData\Local\Temp\Client.exe"
    3⤵
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    PID:1332
  - - C:\Windows\SYSTEM32\CMD.exe
      "CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Sub\Client.exe" & exit
      4⤵
      PID:1204
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Sub\Client.exe"
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3176
- - C:\Users\Admin\AppData\Local\Temp\Launcher.exe
    "C:\Users\Admin\AppData\Local\Temp\Launcher.exe"
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    PID:3416
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\zzzz.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:2508
- - C:\Users\Admin\AppData\Local\Temp\zzzz.exe
    "C:\Users\Admin\AppData\Local\Temp\zzzz.exe"
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Drops desktop.ini file(s)
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
    PID:5004
- C:\Users\Admin\AppData\Local\172407564549f9f59ff9210a9f3b93f8551fc2fdf5aeb80c40ec13c403393d131f4191de51907.exe
  "C:\Users\Admin\AppData\Local\172407564549f9f59ff9210a9f3b93f8551fc2fdf5aeb80c40ec13c403393d131f4191de51907.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  PID:452
- - C:\Users\Admin\AppData\Local\172407564549f9f59ff9210a9f3b93f8551fc2fdf5aeb80c40ec13c403393d131f4191de51907.exe
    C:\Users\Admin\AppData\Local\172407564549f9f59ff9210a9f3b93f8551fc2fdf5aeb80c40ec13c403393d131f4191de51907.exe /stext "C:\Users\Admin\AppData\Local\Temp\yemhvifbxohdhu"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:792
- - C:\Users\Admin\AppData\Local\172407564549f9f59ff9210a9f3b93f8551fc2fdf5aeb80c40ec13c403393d131f4191de51907.exe
    C:\Users\Admin\AppData\Local\172407564549f9f59ff9210a9f3b93f8551fc2fdf5aeb80c40ec13c403393d131f4191de51907.exe /stext "C:\Users\Admin\AppData\Local\Temp\ahrawaqulwzikizpz"
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook accounts
    - System Location Discovery: System Language Discovery
    PID:2284
- - C:\Users\Admin\AppData\Local\172407564549f9f59ff9210a9f3b93f8551fc2fdf5aeb80c40ec13c403393d131f4191de51907.exe
    C:\Users\Admin\AppData\Local\172407564549f9f59ff9210a9f3b93f8551fc2fdf5aeb80c40ec13c403393d131f4191de51907.exe /stext "C:\Users\Admin\AppData\Local\Temp\lbxkxtawzfrnuontjjco"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:4976
- C:\Users\Admin\AppData\Local\651654794161616171771852588547475885414152526396369965885471452525258.exe
  "C:\Users\Admin\AppData\Local\651654794161616171771852588547475885414152526396369965885471452525258.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:368
- - C:\Users\Admin\AppData\Local\651654794161616171771852588547475885414152526396369965885471452525258.exe
    "C:\Users\Admin\AppData\Local\651654794161616171771852588547475885414152526396369965885471452525258.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1856
- C:\Users\Admin\AppData\Local\a6a1abaf12a28ea8f6553356c3bdcf57.exe
  "C:\Users\Admin\AppData\Local\a6a1abaf12a28ea8f6553356c3bdcf57.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1612
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Multimedia Platform\dllhost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:2600
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\uk-UA\651654794161616171771852588547475885414152526396369965885471452525258.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:792
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\fontdrvhost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:2768
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\Accessories\en-US\RuntimeBroker.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:1812
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\IME\de-DE\RuntimeBroker.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:1060
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7qjYWRE28c.bat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:404
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:4224
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:1620
  - - C:\Program Files\Windows Multimedia Platform\dllhost.exe
      "C:\Program Files\Windows Multimedia Platform\dllhost.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      PID:4816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Multimedia Platform\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Multimedia Platform\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "6516547941616161717718525885474758854141525263963699658854714525252586" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Internet Explorer\uk-UA\651654794161616171771852588547475885414152526396369965885471452525258.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "651654794161616171771852588547475885414152526396369965885471452525258" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\uk-UA\651654794161616171771852588547475885414152526396369965885471452525258.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "6516547941616161717718525885474758854141525263963699658854714525252586" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Internet Explorer\uk-UA\651654794161616171771852588547475885414152526396369965885471452525258.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Default User\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows NT\Accessories\en-US\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\en-US\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows NT\Accessories\en-US\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1372

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Windows\IME\de-DE\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\IME\de-DE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Windows\IME\de-DE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
122B

MD5
f040c2e1e39e3cf539df1a32c8f1af5a

SHA1
e9da9fb5c7fe1e5d79be0da6d817b76745c732b6

SHA256
65e5724c50cc82729eb00f4ceac09875681e42f15971e2f9be4aed48009d10aa

SHA512
56ca0562177620406ada99dff0d102cd88483c1d2d9238ff0e7e8621661ad3e3e5ba6cfb0deb6d1fba9ba85fda3b7197020ab36c401339d64122695a5cdc58a5

Download Submit
C:\Users\Admin\AppData\Local\0430dc1af2f95a33401d17b84b314a48cf619c9cae8e7fb8376466ca96ba8ec5.exe

Filesize
446KB

MD5
385585748cd6feff767a913bd76c2457

SHA1
1bedac2bc0da78c4dbaaf3914816d84f5c08f005

SHA256
0430dc1af2f95a33401d17b84b314a48cf619c9cae8e7fb8376466ca96ba8ec5

SHA512
80619ee207d6c5a352d811405c40bcb9043fb2b2759ad40575e03e9e7b89f4ad55f6bc01dfe62a64b42dcd9b3b5bfef10503ce72f4efa0d2e39546f92047a880

Download Submit
C:\Users\Admin\AppData\Local\1231234.exe

Filesize
37KB

MD5
8f00376c7ee9fb1653dc2ae09afa5589

SHA1
0005d278c062b496628e9c2a27043e87fc05689e

SHA256
6d2223ee967236cbc2c35809fce753553cfdb0aac7ba34e7087e19d61eecaa18

SHA512
2512a5b67867c7c1cfbc19f7adc7ad56c3a2bf821f0c74341d0e69ee89dc20bbdc9118714d67ada6a846edced58afc6d01b0fe7560f2166e02c9044f85bc00f9

Download Submit
C:\Users\Admin\AppData\Local\150704149f7e54c4f7cbdb776f33173979791bc0c625f42477815923d13f8712.exe

Filesize
227KB

MD5
1a83a244d9e90a4865aac14bc0e27052

SHA1
d2b65e7aed7657c9915f90f03d46902087479753

SHA256
150704149f7e54c4f7cbdb776f33173979791bc0c625f42477815923d13f8712

SHA512
f4b9d26d8a0841f9425abf038f85563ddee65e2404bc508fd23c8023bb565fd7f0ceaeaadde49c4951d3bbbb93f6b64b3cf610464855a2bf2d418477dd4fe03f

Download Submit
C:\Users\Admin\AppData\Local\172407564549f9f59ff9210a9f3b93f8551fc2fdf5aeb80c40ec13c403393d131f4191de51907.exe

Filesize
233KB

MD5
4ef3177a2e94ce3d15ae9490a73a2212

SHA1
a34f47568ce7fcea97a002eebeae385efa98790c

SHA256
87353d18dfdebf4d0747bbf21d58adaed2b04060d61cba3fa052d522640520f0

SHA512
635ce5c0d1b9f7dd5d7b4c00f216af06dc7d818132ba87a57d3d54f6b30ee01f64430d2aa265f60027cc58dc2e738d5b674ee36ffdca34ff540ce44b7da7c502

Download Submit
C:\Users\Admin\AppData\Local\62264.exe

Filesize
198KB

MD5
f30e9ff8706f3ec72c82a74ee6328db9

SHA1
b526d52d22600b28892f898a717eb25779ef3044

SHA256
d22bf8ad4fc9b769ea2944bbdee78277ab29bac7199407baf7c3b489568a9489

SHA512
a21220d5f1818c9c5aa55cf8560365888046a090b8892a9d87919b48ac921bd2fdfd6016ace77fa8205fde067c7d45cb01032a47f4325fcac560361d66cc58f6

Download Submit
C:\Users\Admin\AppData\Local\651654794161616171771852588547475885414152526396369965885471452525258.exe

Filesize
1.6MB

MD5
e2100d88aca7c0a44ba9bb988ccd3916

SHA1
ddaf17adbc769556037bb4fbf4bce7065bf57ef3

SHA256
75f846b15fa1b548a0143f35584b25875a03c03a783e9310c8573f3b76957688

SHA512
5b7fb077ea9d7d1310db3eb26b6624e3d12fe9f3d55d0a37d57c28197dab7e05449c6611d5b9a02f054d8ad790e12050228c8d7b913bb55e3f2b0da694c67ec5

Download Submit
C:\Users\Admin\AppData\Local\690c1b65a6267d6d0b201ba46089aabc.exe

Filesize
608KB

MD5
690c1b65a6267d6d0b201ba46089aabc

SHA1
9eb6859bae82bcf8b9df7cf4fc061cd9155fdc39

SHA256
244f3a2fad1afa232909355901f33cca18ea95444c5d142c7aa308170db5294f

SHA512
cc540851386a3b98227822b2c952a57caf15db4563f9c246b8be5bca0989aaff70e64191d010738db86598d76dd8ad4e59a50965224db9f623edb64f2f8b3e2a

Download Submit
C:\Users\Admin\AppData\Local\73304b5c73a1c90b192c8748348509c213890807d3ca34b08c8fb84652b0cbd3.exe

Filesize
110KB

MD5
0dcc21bdebe05957ca2922be486abe22

SHA1
8bcbd8a839a58e0050c17221e6a1cc775f07586b

SHA256
73304b5c73a1c90b192c8748348509c213890807d3ca34b08c8fb84652b0cbd3

SHA512
0752ba22340fd3383132243580cb28a147e67b42bb920af8c0fde491d550556fdfa296e70d94f2ce9798faddd0dad4664e2c2edda8f6604b9ba9e63e8f875e0f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\690c1b65a6267d6d0b201ba46089aabc.exe.log

Filesize
1KB

MD5
7cad59aef5a93f093b6ba494f13f796f

SHA1
3cef97b77939bfc06dfd3946fc1a8cd159f67100

SHA256
1e1b444fe2d8772f6709b22b94bb5b0aa7fa590f6a693705d9bf1f2f71267a55

SHA512
8cedd03efec34c6226a01fd6b4831a689be16545ea6b849cd96f775e0722bfefd4b47f3dd8401d2080d341d4319f75995ece60de44352a1f86a2e5dc01e6210b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
54522d22658e4f8f87ecb947b71b8feb

SHA1
6a6144bdf9c445099f52211b6122a2ecf72b77e9

SHA256
af18fc4864bc2982879aed928c960b6266f372c928f8c9632c5a4eecd64e448a

SHA512
55f2c5a455be20dcb4cb93a29e5389e0422237bdd7ac40112fec6f16a36e5e19df50d25d39a6d5acb2d41a96514c7ecd8631ce8e67c4ff04997282f49d947aba

Download Submit
C:\Users\Admin\AppData\Local\Temp\3HH6KfBvI8

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\Users\Admin\AppData\Local\Temp\4bDPnfeBYs

Filesize
114KB

MD5
db26309558628fa1ef6a1edd23ab2b09

SHA1
9bfb0530d0c2dcc6f9b3947bc3ca602943356368

SHA256
e6287cb739a35ef64a6d19ec146c90c848de8646032fd98d570042c0e2ecf070

SHA512
4171bc6af1ffc5d24d6ddade7b47e94b0547297e25d9a4d45ca831801208b7d83edda0b138436626749711a953a5818486c293e8749c5c2539ef070e848b237c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7qjYWRE28c.bat

Filesize
184B

MD5
368e377e5f12ec82959cbea43e28ad3b

SHA1
493b18dfae336e65419b0bc53a4c5db1e3fffb37

SHA256
80719acc858f473c0c4692e4243f2d68e7708b93218c41a10b0a0cfb1f251ab1

SHA512
e600cd875e4be0186f6f815f53a5d09aa504f108122bcf2abafdea418705671d08f51ed11ad83fd22d4f52e76a5e24af36a80dc7c72b28d12978aec4235ecb1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Client.exe

Filesize
100KB

MD5
21560cb75b809cf46626556cd5fbe3ab

SHA1
f2eec01d42a301c3caacd41cddb0ef2284dbb5a6

SHA256
d2525bab5cb322933c8978880975e0c189feece68ae3f1951bf46297c7f640fa

SHA512
21eac0037b16f968ee8743b52dc73efdd34d24c2502d090b399a552dc6cb75f7d3090c10d448c66b868b1c4a7c46a5068b084b88b487e40b1e755356cb7557db

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SCRIPT~1.EXE

Filesize
210KB

MD5
4ca15a71a92f90c56b53d9d03da17657

SHA1
3d610aee0423eea84ad9dc0df7865e1bed982327

SHA256
ab532f166e08886166c0ed6426bb6a8998de8273d37ccac5823528a1ba3d8ca1

SHA512
e0d9e11b9a0fb84bab21cbe4638ead80319a9b38ed810a59a612ab844331adec32f2499425b0d9269f2eb3714e497ad31c9bdfded1f829533cc77bf2dea6464f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\script-error.xml

Filesize
19B

MD5
fdb26e74f4d6ca3a02af55b15fcca7f2

SHA1
7d990a1a4062fc3f0ae117dc72f47bcb3ef66425

SHA256
49704e6fd30fc98988f40be963296c81b95662d7f3af605c372cd0344ab78e1b

SHA512
36a82624ee8173bacffdf978e00f9c5ffe96bd6b27ba1230f2891a11bc301908ed6ea790c75669219c7445489806f00ba67eda2ea7346396ca3304e02c6fec7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\script-error.zip

Filesize
308B

MD5
b3609673caf3522ae50fe7b2f69b46f2

SHA1
c14f39aa78398030b84ab6b3d36014483b97a520

SHA256
c2423419d653bf31077eb40ad665590445b5baac4f82948822c8ed55fc009c4d

SHA512
be15ca57e7b80049c35a37f216fb1387b89d68440494c81e7e8b21644dbab8ab161119a37475ad873d144ceae105ec2c61097f0c115f078cde961bc38e6f28b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\svchost.exe

Filesize
152KB

MD5
4b6d4727ca3c277e5af47092ec9e3ef1

SHA1
8faea131181960c1f43ccee6a2b7bcdaa23fcd81

SHA256
5fb62cc6421cf636023381cc6fd5a06e3b326a58ea3d3ce9c879f1cc408519f4

SHA512
8a1814ec549a42771cbe83fe7612d7e269af27d092a5c0ae685e92772dc7effd2b14829090f0b12edfbabeb9804f80558f2b316efb4f48a6a3b500b1172c2bbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Launcher.exe

Filesize
22KB

MD5
4c8f3a1e15f370ca8afe2992902a6e98

SHA1
dc6324d924ac31bea4ad7e4dd6720ecdad3877dd

SHA256
dcdc72549f7ad41cc860738adbeee5e44f02222415fd84ed5c92538ac9049b92

SHA512
b63c4e48f3024edcf1e1391b5df6ff65fc5111849eb093b429fa0f21c03339dbaeff835f18e250758498f3432874b85348530e47b2ada93f6f68615a5ccf66c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\WizFN6Ayux

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ojiyt3tq.gyb.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp51E4.tmp.bat

Filesize
173B

MD5
018e9071319ab280a5a8dcc2a3f0bb28

SHA1
c0fec2daaaf3cca3b0f217f37e097a0e33308bb4

SHA256
cae2ad934a7a8027cbb568e1aa648a6cf35e614ef66ffc67551bb26426176ab6

SHA512
6ed3768d547ffd0dd905a637b8b663ab53952bdbff0101f4452f68edad241393825ac3034c4fd2879195cdc964abbc8171d75dc215345575f371805b81cf8fcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7B07.tmp.bat

Filesize
154B

MD5
9854f2a1b79aa8788276d39c646c8522

SHA1
219c5bb8f962c77e9c84b0b8cf8c87d0eb65adbc

SHA256
52d1d4a9bf16e854c78ed6a1785fae0ae4feab57199c21da9432b7a405cd2cd5

SHA512
e7303967de54652bb4a7ea562733c196c47f6a24b07580d28a70269aef5121951d82a19516d86837b8c27d1782635ab63afc2d63a63a45c0c3f48a385e9c9b0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\yemhvifbxohdhu

Filesize
4KB

MD5
2538ec9e8425a905937573069b77d4c2

SHA1
ad0c2b7aff4382e23444d26adac96d9697b849f3

SHA256
29338949fae4c88a972837aae898529e4c7a2c4df35982eef2f8d7b602c17f4e

SHA512
a867a471b837b9c662528ee7a5904e8fe7b1eebb277b8a7fe4d4caf423fae914baf692bb5004c02ddb539b157d63326178467e28b03aa92a533cda19155d501c

Download Submit
C:\Users\Admin\AppData\Local\Temp\zzzz.exe

Filesize
320KB

MD5
de4824c195cf1b2bb498511ef461e49b

SHA1
f15ca6d0e02c785cce091dbd716cd43e3f5a80bd

SHA256
51813dfedbe02f03d08b4728187eadb4948d8be40c9d8fe6e4e1cb61fa7ae209

SHA512
b211a636f2799d90ce38348dbbc7dbc69ac5374129c7896a137f03a57fe78139a030c1edb90cfc4203799d77a8720df431da75986aa1d8b16274030ad1db770a

Download Submit
C:\Users\Admin\AppData\Local\a6a1abaf12a28ea8f6553356c3bdcf57.exe

Filesize
874KB

MD5
a6a1abaf12a28ea8f6553356c3bdcf57

SHA1
b7613fb9944bc3d8e11b5eb6f7ff706f04e8ad53

SHA256
f2507211585dfe351ff53086f30b42572db223b2646e45f91b7f3e202bb0bb76

SHA512
e525d119128c1ca1c05d379b9ebba9791b7b15390c8999773bff6517fde674178e17ee2c7c126b249c8c54b4dd1c07326ba24d52c8c192f067bc7e8545113a65

Download Submit
C:\Users\Admin\AppData\Roaming\DSEYXUOD\Browsers\Firefox\Bookmarks.txt

Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\Users\Admin\AppData\Roaming\DSEYXUOD\FileGrabber\Desktop\SetHide.svg

Filesize
447KB

MD5
e057ed31b7e3101373411e490f144ff5

SHA1
117a086748ae282fc6295c81b5756f9910fe236f

SHA256
807d57fca560d1827d50d591c4caf5048cee4f701baec0b37c0d952cb13e2bed

SHA512
db6e5c8e7ceda32a0d6fd23cd2e19f5a79c1e07c75d73296c383c6ce0d9fc7269cba0f6dd288d1390261b6405e9d95c8257f5d6a6d0ffd1263fa9bc9e48fd3bf

Download Submit
C:\Users\Admin\AppData\Roaming\DSEYXUOD\FileGrabber\Documents\InitializeExpand.xls

Filesize
2.4MB

MD5
1412ffd779e3da8d51f54513e9c36c20

SHA1
37c4d77375b15efde019da449af84297aaf1a606

SHA256
00e0687c49e300b4706f45b9c56062eb78e014bb5e0a3155f81c54f99164d4eb

SHA512
27a56e491b8e7cdf576aa605502e867c132b8eedc551216732b4d9b955ed770f186efb20356c3f3b3388b38f6698f3197a05ac033f3392e4cba99e30c5ee5d8d

Download Submit
C:\Users\Admin\AppData\Roaming\DSEYXUOD\FileGrabber\Downloads\ApproveWait.pdf

Filesize
173KB

MD5
d9017a2bca1cf31c8dbc0409b390b347

SHA1
549ee867d1b3318d72de74323e77947addbb462e

SHA256
43b8423f1ba9bdb7612c9786e842acf9aacece7770971c1dcb10b3f96615108d

SHA512
0623aa6ebe8f025f313ebbdbfe034668933e144d5553a41813e1abd06f1fd1f443347ed64d1ebdd0db7b67d13f92fa830360f27b32da9e0480c97419373b97ef

Download Submit
C:\Users\Admin\AppData\Roaming\DSEYXUOD\FileGrabber\Downloads\ConvertClose.bmp

Filesize
302KB

MD5
718508db054938242805bb5df366079c

SHA1
9783aa3fc8e466892aab37417e68a67edbadfbcd

SHA256
2254bb532d090f9c8a1a97b24a4cba87fe20fe59828e0dd3ce753ac0da0ea428

SHA512
f10bedaed3a62a57e4d52f111d3a90d06771a221e995ce7c601af67860d88d88806eab4916d6a1c48e6b4109dd40c9ffc19114c11252714997060a0744028661

Download Submit
C:\Users\Admin\AppData\Roaming\DSEYXUOD\FileGrabber\Downloads\DenySync.docx

Filesize
197KB

MD5
bc532f5dbe143f172fd3b75a7ef4cf9f

SHA1
7d16dff0aebf1a61f4e9bf40536716937ed692d2

SHA256
76ef178c405e705a183fd93a3e4abbe7dccb5c40d08ad6861e0e36092b63d512

SHA512
2b419557524f046c28f3de7f427466b0de9a23f45496fdbe40ce1431854a4bb9a1e4af4c5bd2b7499dabecb2792cd452ecdfdaa543ede1d7392b5ef115dab07a

Download Submit
C:\Users\Admin\AppData\Roaming\DSEYXUOD\FileGrabber\Downloads\SkipFind.sql

Filesize
222KB

MD5
c0d2b7235228439bc56fd1a77fec6e83

SHA1
1f3ceb3dbc26ced66731a3b947c17f24e038afb0

SHA256
2f1ffa1196e82e87d81ebdca8b10b9c0cb5a8f6c8be3f48a8d09136b476f9c98

SHA512
266c2710fc57e7a31bddbd43652806049bb009fc06ead46637f0cf28d6e2a1e12a74fc5b6a3ea8f643f5c39c774312037488f2a444df53ba704abb89aa0929f7

Download Submit
C:\Users\Admin\AppData\Roaming\DSEYXUOD\FileGrabber\Downloads\SplitPop.xlsx

Filesize
327KB

MD5
7cf663d96e4f1b4cf90038b05b48afd2

SHA1
f740e1da5ae2f566db66cea1f24ea066e313b736

SHA256
816b5f2b1f79a98040e4263d080af875a1e999490fce985a9fb97f7452e479e1

SHA512
2318732304c9ad227edcc9e4f3bdf31ef4a937f1515b50a6b479dd3c3507b1f01ec90956212b5ead66fd727a86d0a76d355a9a269a9237a4d3d2d46a75d21fa4

Download Submit
C:\Users\Admin\AppData\Roaming\DSEYXUOD\FileGrabber\Pictures\GetSet.png

Filesize
366KB

MD5
b10b25b044631095c621ad0b81923c4c

SHA1
e2b8a591e13c3b67a6231b86667d2c7a88fa3937

SHA256
406e200a8f6849de7ce3e643a102074e3a884cdf34ea99572078ae639317f8ff

SHA512
70086da4ef9117c25fc05c3b577ba2e421c25faf4637ce65a4d87162040a82ff722c45a1dedac19bcf8de5f7fb5891eff24088b5a90f49877fa66607f680eb26

Download Submit
C:\Users\Admin\AppData\Roaming\DSEYXUOD\FileGrabber\Pictures\ReceivePop.jpg

Filesize
238KB

MD5
9d7e681eb783c922aea2900e08a968ea

SHA1
402e7e46fe3ff1af372a4b720529ffdb12d0092d

SHA256
ef4457d1030493f82185f52e3e3223708dc1c79d68857f1e26a0f65f03a934b3

SHA512
3ddfb81e0b8165c58e6acbfac26e12ccaf26a088fcc6f1d6b4571f771adcce3b1e88eafdc5c38b6d98d18be13c70c01b1ae3e3ff8944e7fd5d14fb0ccb1138ef

Download Submit
C:\Users\Admin\AppData\Roaming\DSEYXUOD\FileGrabber\Pictures\UnlockRemove.jpg

Filesize
334KB

MD5
c6eda28ab66c3a2c1bd4c96872368e97

SHA1
560affbb12872fcd0234e1e3936cd220a01b08a3

SHA256
10df9f0f68713506743c03c59c737a3de996c84b33f4ec6f85efa479e91e2d95

SHA512
0c912018ba9a10e49ec9483a30691f94e25ef9af4f0511689883bcb36ed9eb3358b7f79b005d58ccd6b40e1b83ca7a0d1d172b32935e789635648a79d4c18cf4

Download Submit
C:\Users\Admin\AppData\Roaming\DSEYXUOD\Process.txt

Filesize
4KB

MD5
69cb685b31a66ede9de355744a6e7ee7

SHA1
ccadcc2a0dce5b5e415b701b5cdd932406d8572f

SHA256
1264acc71eb1b8a3b10c15c1d2db985e1176b3f13d990a1bbd9be4bc686bc0e8

SHA512
0c3aaee7d23c07c23eb70ed64335c82aec6b069f714db5c75a0dde5b3c4cfcf954fa79253cdb9a3a8cf074e22b066c618f5e8ffc289ff5664c47659a219cecb2

Download Submit
C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

Filesize
110KB

MD5
cb46ba61effbdd59efb0a9a83d65ab64

SHA1
bcb0d85b0f98fdb473115e0fdfcf9cb757ac5ca5

SHA256
9ea12d40d73546ddc087cec87954ab07de5dfe8ff8226242a2c3dabb9355011e

SHA512
1d2f3ad76c6480f4a193347e37dfc291e66eebb11e973fce219b174e13c0dc0953121dea8f1523fb68f8da90cb677367f6927c99d875f2f40f1005247f72d9dd

Download Submit
C:\Windows\xdwd.dll

Filesize
136KB

MD5
16e5a492c9c6ae34c59683be9c51fa31

SHA1
97031b41f5c56f371c28ae0d62a2df7d585adaba

SHA256
35c8d022e1d917f1aabdceae98097ccc072161b302f84c768ca63e4b32ac2b66

SHA512
20fd369172ef5e3e2fde388666b42e8fe5f0c2bfa338c0345f45e98af6561a249ba3ecc48c3f16efcc73f02ecb67b3ddb1e2e8f0e77d18fa00ac34e6379e50b6

Download Submit
memory/8-97-0x0000000000BA0000-0x0000000000BE0000-memory.dmp

Filesize
256KB

Download
memory/368-433-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/368-438-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/452-556-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/452-502-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/452-759-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/452-505-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/452-278-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/452-277-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/452-506-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/452-856-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/452-94-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/464-118-0x0000000010000000-0x00000000101A5000-memory.dmp

Filesize
1.6MB

Download
memory/464-123-0x0000000010000000-0x00000000101A5000-memory.dmp

Filesize
1.6MB

Download
memory/464-121-0x0000000010000000-0x00000000101A5000-memory.dmp

Filesize
1.6MB

Download
memory/464-120-0x0000000010000000-0x00000000101A5000-memory.dmp

Filesize
1.6MB

Download
memory/792-499-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/792-465-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/792-462-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/792-459-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1060-114-0x0000000074CA0000-0x0000000075251000-memory.dmp

Filesize
5.7MB

Download
memory/1060-2-0x0000000074CA0000-0x0000000075251000-memory.dmp

Filesize
5.7MB

Download
memory/1060-1-0x0000000074CA0000-0x0000000075251000-memory.dmp

Filesize
5.7MB

Download
memory/1060-0-0x0000000074CA2000-0x0000000074CA3000-memory.dmp

Filesize
4KB

Download
memory/1332-253-0x0000000000420000-0x0000000000440000-memory.dmp

Filesize
128KB

Download
memory/1612-135-0x000000001AD10000-0x000000001AD60000-memory.dmp

Filesize
320KB

Download
memory/1612-147-0x0000000002410000-0x000000000241C000-memory.dmp

Filesize
48KB

Download
memory/1612-115-0x0000000000040000-0x000000000011C000-memory.dmp

Filesize
880KB

Download
memory/1612-116-0x00000000007B0000-0x00000000007B6000-memory.dmp

Filesize
24KB

Download
memory/1612-122-0x000000001B090000-0x000000001B214000-memory.dmp

Filesize
1.5MB

Download
memory/1612-124-0x00000000007C0000-0x00000000007C6000-memory.dmp

Filesize
24KB

Download
memory/1612-132-0x00000000021A0000-0x00000000021AE000-memory.dmp

Filesize
56KB

Download
memory/1612-137-0x00000000023D0000-0x00000000023E8000-memory.dmp

Filesize
96KB

Download
memory/1612-134-0x00000000021D0000-0x00000000021EC000-memory.dmp

Filesize
112KB

Download
memory/1612-139-0x00000000021B0000-0x00000000021BE000-memory.dmp

Filesize
56KB

Download
memory/1612-143-0x00000000023F0000-0x00000000023FC000-memory.dmp

Filesize
48KB

Download
memory/1612-141-0x00000000021C0000-0x00000000021CE000-memory.dmp

Filesize
56KB

Download
memory/1612-145-0x0000000002400000-0x000000000240E000-memory.dmp

Filesize
56KB

Download
memory/1856-855-0x0000000000590000-0x0000000000612000-memory.dmp

Filesize
520KB

Download
memory/1856-563-0x0000000000590000-0x0000000000612000-memory.dmp

Filesize
520KB

Download
memory/1856-1068-0x0000000000590000-0x0000000000612000-memory.dmp

Filesize
520KB

Download
memory/1856-442-0x0000000000590000-0x0000000000612000-memory.dmp

Filesize
520KB

Download
memory/1856-1040-0x0000000000590000-0x0000000000612000-memory.dmp

Filesize
520KB

Download
memory/1856-1038-0x0000000000590000-0x0000000000612000-memory.dmp

Filesize
520KB

Download
memory/1856-985-0x0000000000590000-0x0000000000612000-memory.dmp

Filesize
520KB

Download
memory/1856-984-0x0000000000590000-0x0000000000612000-memory.dmp

Filesize
520KB

Download
memory/1856-955-0x0000000000590000-0x0000000000612000-memory.dmp

Filesize
520KB

Download
memory/1856-826-0x0000000000590000-0x0000000000612000-memory.dmp

Filesize
520KB

Download
memory/1856-520-0x0000000000590000-0x0000000000612000-memory.dmp

Filesize
520KB

Download
memory/1856-718-0x0000000000590000-0x0000000000612000-memory.dmp

Filesize
520KB

Download
memory/1856-546-0x0000000000590000-0x0000000000612000-memory.dmp

Filesize
520KB

Download
memory/1856-671-0x0000000000590000-0x0000000000612000-memory.dmp

Filesize
520KB

Download
memory/1856-561-0x0000000000590000-0x0000000000612000-memory.dmp

Filesize
520KB

Download
memory/1856-445-0x0000000000590000-0x0000000000612000-memory.dmp

Filesize
520KB

Download
memory/1856-447-0x0000000000590000-0x0000000000612000-memory.dmp

Filesize
520KB

Download
memory/1856-954-0x0000000000590000-0x0000000000612000-memory.dmp

Filesize
520KB

Download
memory/1856-857-0x0000000000590000-0x0000000000612000-memory.dmp

Filesize
520KB

Download
memory/1856-436-0x0000000000590000-0x0000000000612000-memory.dmp

Filesize
520KB

Download
memory/1856-827-0x0000000000590000-0x0000000000612000-memory.dmp

Filesize
520KB

Download
memory/1856-440-0x0000000000590000-0x0000000000612000-memory.dmp

Filesize
520KB

Download
memory/2152-211-0x00000000002F0000-0x000000000031C000-memory.dmp

Filesize
176KB

Download
memory/2152-232-0x0000000005750000-0x000000000575C000-memory.dmp

Filesize
48KB

Download
memory/2284-468-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2284-463-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2284-466-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2284-479-0x0000000000470000-0x0000000000539000-memory.dmp

Filesize
804KB

Download
memory/2284-481-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2284-467-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2556-157-0x000001EF5CAA0000-0x000001EF5CAC2000-memory.dmp

Filesize
136KB

Download
memory/2968-95-0x0000000005150000-0x00000000051E2000-memory.dmp

Filesize
584KB

Download
memory/2968-82-0x0000000000820000-0x00000000008BA000-memory.dmp

Filesize
616KB

Download
memory/2968-117-0x0000000006F30000-0x0000000006F4E000-memory.dmp

Filesize
120KB

Download
memory/2968-334-0x0000000006740000-0x0000000006756000-memory.dmp

Filesize
88KB

Download
memory/2968-109-0x0000000005DA0000-0x0000000005E3C000-memory.dmp

Filesize
624KB

Download
memory/2968-335-0x00000000093C0000-0x0000000009414000-memory.dmp

Filesize
336KB

Download
memory/2968-96-0x0000000005270000-0x00000000055C4000-memory.dmp

Filesize
3.3MB

Download
memory/2968-84-0x0000000005640000-0x0000000005BE4000-memory.dmp

Filesize
5.6MB

Download
memory/2968-108-0x00000000055D0000-0x00000000055DA000-memory.dmp

Filesize
40KB

Download
memory/3236-379-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3948-338-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4976-472-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4976-477-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4976-484-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4976-478-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4996-61-0x0000000000CC0000-0x0000000000CCE000-memory.dmp

Filesize
56KB

Download
memory/5004-344-0x00000000065D0000-0x0000000006636000-memory.dmp

Filesize
408KB

Download
memory/5004-302-0x00000000004F0000-0x0000000000546000-memory.dmp

Filesize
344KB

Download