asyncrat | 16930620b3b9166e0ffbd98f5d5b580c9919fd6ccdcc74fb996f53577f508267

Resubmissions

12/12/2024, 18:20

241212-wy4dxsvkcp 10

12/12/2024, 18:03

241212-wnfvwatqgp 10

28/11/2024, 00:38

241128-ay5fbstmfp 10

Analysis

max time kernel
78s
max time network
81s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
28/11/2024, 00:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

New Text Document mod.exe
Size

8KB
MD5

69994ff2f00eeca9335ccd502198e05b
SHA1

b13a15a5bea65b711b835ce8eccd2a699a99cead
SHA256

2e2e035ece4accdee838ecaacdc263fa526939597954d18d1320d73c8bf810c2
SHA512

ced53147894ed2dfc980bcb50767d9734ba8021f85842a53bb4bb4c502d51b4e9884f5f74c4dd2b70b53cafbe2441376675f7bd0f19bb20a3becb091a34fb9f3
SSDEEP

96:y7ov9wc1dN1Unh3EHJ40CUJCrQt0LpCBIW12nEtgpH9GIkQYQoBNw9fnmK5iLjTv:yZyTFJfCB20LsBIW12n/eIkQ2BNg5S1

Score

10^/10

asyncrat mercurialgrabber umbral default collection credential_access discovery evasion execution rat spyware stealer upx

Malware Config

Extracted

Family

asyncrat

Botnet

Default

technical-southwest.gl.at.ply.gg:58694

forums-appliances.gl.at.ply.gg:1962

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

mercurialgrabber

https://discordapp.com/api/webhooks/1308883657456619530/0_Ad9EyrLZrIMKH4vjM6XHyvCJJtKddsiohDSyvCWZ8HIxpyNxmVJgrKb_zO-jqSHSO0

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

3.70.228.168:555

Mutex

bslxturcmlpmyqrv

Attributes

delay
1
install
true
install_file
atat.exe
install_folder
%AppData%

aes.plain

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

3.70.228.168:555

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

66.66.146.74:9511

Mutex

nwJFeGdDXcL2

Attributes

delay
3
install
true
install_file
System32.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral2/files/0x001900000002ab8c-32.dat	family_umbral
behavioral2/memory/1532-39-0x000001F942680000-0x000001F9426C0000-memory.dmp	family_umbral

Mercurial Grabber Stealer
Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.
stealer mercurialgrabber
Mercurialgrabber family
mercurialgrabber
Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Umbral family
umbral

Async RAT payload 5 IoCs

rat

resource	yara_rule
behavioral2/files/0x001a00000002ab86-7.dat	family_asyncrat
behavioral2/files/0x001900000002ab8d-45.dat	family_asyncrat
behavioral2/files/0x001b00000002ab94-143.dat	family_asyncrat
behavioral2/files/0x001b00000002ab97-171.dat	family_asyncrat
behavioral2/files/0x001900000002abac-217.dat	family_asyncrat

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	random.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	unik.exe

Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions	output.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
404	powershell.exe
1256	powershell.exe
3228	powershell.exe
240	powershell.exe

Downloads MZ/PE file

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	saloader.exe

Looks for VMWare Tools registry key 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\VMWare, Inc.\VMWare Tools	output.exe

Uses browser remote debugging 2 TTPs 4 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

credential_access stealer

Steal Web Session Cookie

T1539

Modify Authentication Process

T1556

pid	Process
1352	chrome.exe
5960	chrome.exe
1656	chrome.exe
5776	chrome.exe

Checks BIOS information in registry 2 TTPs 5 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	output.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	random.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	random.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	unik.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	unik.exe

Executes dropped EXE 23 IoCs

pid	Process
3504	Loader.exe
4628	output.exe
1532	saloader.exe
2256	aidans.dont.run.exe
5200	handeltest.exe
2244	xs.exe
5828	Tutorial.exe
5780	aa.exe
2304	nobody.exe
1160	ataturk.exe
3652	start.exe
1808	windows.exe
4684	aspnet_regbrowsers.exe
3428	atat.exe
3832	System32.exe
4760	Winsvc.exe
1920	TPB-1.exe
3736	gvndxfghs.exe
3920	gvndxfghs.exe
2164	gvndxfghs.exe
1816	gvndxfghs.exe
4688	random.exe
6028	unik.exe

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000\Software\Wine	random.exe
Key opened	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000\Software\Wine	unik.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	gvndxfghs.exe
Key opened	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	gvndxfghs.exe
Key opened	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	gvndxfghs.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
12	raw.githubusercontent.com
3	raw.githubusercontent.com
8	raw.githubusercontent.com
9	raw.githubusercontent.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	ip4.seeip.org
3	ip-api.com

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	output.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	output.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
4688	random.exe
6028	unik.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 5828 set thread context of 3712	5828	Tutorial.exe	106
PID 3736 set thread context of 2164	3736	gvndxfghs.exe	150
PID 3736 set thread context of 3920	3736	gvndxfghs.exe	151
PID 3736 set thread context of 1816	3736	gvndxfghs.exe	152

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000025b87-1541.dat	upx
behavioral2/memory/5304-1544-0x00007FF7EEB20000-0x00007FF7EF770000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5980	2164	WerFault.exe	150

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	handeltest.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Tutorial.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TPB-1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gvndxfghs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	random.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_regbrowsers.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	start.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gvndxfghs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	System32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	unik.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1420	cmd.exe
4816	PING.EXE

Checks SCSI registry key(s) 3 TTPs 1 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S	output.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TPB-1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	TPB-1.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	output.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	output.exe

Delays execution with timeout.exe 4 IoCs

evasion

pid	Process
3620	timeout.exe
5440	timeout.exe
1984	timeout.exe
6084	timeout.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
5700	wmic.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation	output.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer	output.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName	output.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0	output.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4816	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5696	schtasks.exe
5940	schtasks.exe
2648	schtasks.exe
3168	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
404	powershell.exe
404	powershell.exe
3228	powershell.exe
3228	powershell.exe
240	powershell.exe
240	powershell.exe
2256	aidans.dont.run.exe
2256	aidans.dont.run.exe
2256	aidans.dont.run.exe
2256	aidans.dont.run.exe
2256	aidans.dont.run.exe
2256	aidans.dont.run.exe
2256	aidans.dont.run.exe
2256	aidans.dont.run.exe
2256	aidans.dont.run.exe
2256	aidans.dont.run.exe
2256	aidans.dont.run.exe
2256	aidans.dont.run.exe
2256	aidans.dont.run.exe
2256	aidans.dont.run.exe
2256	aidans.dont.run.exe
2256	aidans.dont.run.exe
2256	aidans.dont.run.exe
2256	aidans.dont.run.exe
2256	aidans.dont.run.exe
2256	aidans.dont.run.exe
2256	aidans.dont.run.exe
2256	aidans.dont.run.exe
2256	aidans.dont.run.exe
2256	aidans.dont.run.exe
3384	powershell.exe
3384	powershell.exe
2244	xs.exe
2244	xs.exe
2244	xs.exe
2244	xs.exe
2244	xs.exe
2244	xs.exe
2244	xs.exe
2244	xs.exe
2244	xs.exe
2244	xs.exe
2244	xs.exe
2244	xs.exe
2244	xs.exe
2244	xs.exe
2244	xs.exe
2244	xs.exe
2244	xs.exe
2244	xs.exe
2244	xs.exe
2244	xs.exe
2244	xs.exe
2244	xs.exe
2244	xs.exe
2244	xs.exe
2244	xs.exe
2244	xs.exe
2244	xs.exe
2244	xs.exe
2244	xs.exe
2244	xs.exe
2244	xs.exe
5780	aa.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	5788	New Text Document mod.exe
Token: SeDebugPrivilege	4628	output.exe
Token: SeDebugPrivilege	1532	saloader.exe
Token: SeDebugPrivilege	3504	Loader.exe
Token: SeDebugPrivilege	404	powershell.exe
Token: SeDebugPrivilege	3228	powershell.exe
Token: SeDebugPrivilege	240	powershell.exe
Token: SeDebugPrivilege	5828	Tutorial.exe
Token: SeDebugPrivilege	2256	aidans.dont.run.exe
Token: SeDebugPrivilege	5780	aa.exe
Token: SeDebugPrivilege	2256	aidans.dont.run.exe
Token: SeDebugPrivilege	3384	powershell.exe
Token: SeDebugPrivilege	2304	nobody.exe
Token: SeDebugPrivilege	2244	xs.exe
Token: SeIncreaseQuotaPrivilege	2024	wmic.exe
Token: SeSecurityPrivilege	2024	wmic.exe
Token: SeTakeOwnershipPrivilege	2024	wmic.exe
Token: SeLoadDriverPrivilege	2024	wmic.exe
Token: SeSystemProfilePrivilege	2024	wmic.exe
Token: SeSystemtimePrivilege	2024	wmic.exe
Token: SeProfSingleProcessPrivilege	2024	wmic.exe
Token: SeIncBasePriorityPrivilege	2024	wmic.exe
Token: SeCreatePagefilePrivilege	2024	wmic.exe
Token: SeBackupPrivilege	2024	wmic.exe
Token: SeRestorePrivilege	2024	wmic.exe
Token: SeShutdownPrivilege	2024	wmic.exe
Token: SeDebugPrivilege	2024	wmic.exe
Token: SeSystemEnvironmentPrivilege	2024	wmic.exe
Token: SeRemoteShutdownPrivilege	2024	wmic.exe
Token: SeUndockPrivilege	2024	wmic.exe
Token: SeManageVolumePrivilege	2024	wmic.exe
Token: 33	2024	wmic.exe
Token: 34	2024	wmic.exe
Token: 35	2024	wmic.exe
Token: 36	2024	wmic.exe
Token: SeIncreaseQuotaPrivilege	2024	wmic.exe
Token: SeSecurityPrivilege	2024	wmic.exe
Token: SeTakeOwnershipPrivilege	2024	wmic.exe
Token: SeLoadDriverPrivilege	2024	wmic.exe
Token: SeSystemProfilePrivilege	2024	wmic.exe
Token: SeSystemtimePrivilege	2024	wmic.exe
Token: SeProfSingleProcessPrivilege	2024	wmic.exe
Token: SeIncBasePriorityPrivilege	2024	wmic.exe
Token: SeCreatePagefilePrivilege	2024	wmic.exe
Token: SeBackupPrivilege	2024	wmic.exe
Token: SeRestorePrivilege	2024	wmic.exe
Token: SeShutdownPrivilege	2024	wmic.exe
Token: SeDebugPrivilege	2024	wmic.exe
Token: SeSystemEnvironmentPrivilege	2024	wmic.exe
Token: SeRemoteShutdownPrivilege	2024	wmic.exe
Token: SeUndockPrivilege	2024	wmic.exe
Token: SeManageVolumePrivilege	2024	wmic.exe
Token: 33	2024	wmic.exe
Token: 34	2024	wmic.exe
Token: 35	2024	wmic.exe
Token: 36	2024	wmic.exe
Token: SeIncreaseQuotaPrivilege	3196	wmic.exe
Token: SeSecurityPrivilege	3196	wmic.exe
Token: SeTakeOwnershipPrivilege	3196	wmic.exe
Token: SeLoadDriverPrivilege	3196	wmic.exe
Token: SeSystemProfilePrivilege	3196	wmic.exe
Token: SeSystemtimePrivilege	3196	wmic.exe
Token: SeProfSingleProcessPrivilege	3196	wmic.exe
Token: SeIncBasePriorityPrivilege	3196	wmic.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2304	nobody.exe
3428	atat.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5788 wrote to memory of 3504	5788	New Text Document mod.exe	79
PID 5788 wrote to memory of 3504	5788	New Text Document mod.exe	79
PID 5788 wrote to memory of 4628	5788	New Text Document mod.exe	80
PID 5788 wrote to memory of 4628	5788	New Text Document mod.exe	80
PID 5788 wrote to memory of 1532	5788	New Text Document mod.exe	82
PID 5788 wrote to memory of 1532	5788	New Text Document mod.exe	82
PID 1532 wrote to memory of 3060	1532	saloader.exe	83
PID 1532 wrote to memory of 3060	1532	saloader.exe	83
PID 5788 wrote to memory of 2256	5788	New Text Document mod.exe	85
PID 5788 wrote to memory of 2256	5788	New Text Document mod.exe	85
PID 1532 wrote to memory of 404	1532	saloader.exe	86
PID 1532 wrote to memory of 404	1532	saloader.exe	86
PID 1532 wrote to memory of 3228	1532	saloader.exe	88
PID 1532 wrote to memory of 3228	1532	saloader.exe	88
PID 5788 wrote to memory of 5200	5788	New Text Document mod.exe	90
PID 5788 wrote to memory of 5200	5788	New Text Document mod.exe	90
PID 5788 wrote to memory of 5200	5788	New Text Document mod.exe	90
PID 1532 wrote to memory of 240	1532	saloader.exe	91
PID 1532 wrote to memory of 240	1532	saloader.exe	91
PID 5788 wrote to memory of 2244	5788	New Text Document mod.exe	93
PID 5788 wrote to memory of 2244	5788	New Text Document mod.exe	93
PID 5788 wrote to memory of 5828	5788	New Text Document mod.exe	94
PID 5788 wrote to memory of 5828	5788	New Text Document mod.exe	94
PID 5788 wrote to memory of 5828	5788	New Text Document mod.exe	94
PID 5788 wrote to memory of 5780	5788	New Text Document mod.exe	95
PID 5788 wrote to memory of 5780	5788	New Text Document mod.exe	95
PID 2256 wrote to memory of 5588	2256	aidans.dont.run.exe	96
PID 2256 wrote to memory of 5588	2256	aidans.dont.run.exe	96
PID 2256 wrote to memory of 5592	2256	aidans.dont.run.exe	98
PID 2256 wrote to memory of 5592	2256	aidans.dont.run.exe	98
PID 5592 wrote to memory of 1984	5592	cmd.exe	100
PID 5592 wrote to memory of 1984	5592	cmd.exe	100
PID 1532 wrote to memory of 3384	1532	saloader.exe	101
PID 1532 wrote to memory of 3384	1532	saloader.exe	101
PID 5588 wrote to memory of 5696	5588	cmd.exe	103
PID 5588 wrote to memory of 5696	5588	cmd.exe	103
PID 5788 wrote to memory of 2304	5788	New Text Document mod.exe	104
PID 5788 wrote to memory of 2304	5788	New Text Document mod.exe	104
PID 5788 wrote to memory of 1160	5788	New Text Document mod.exe	105
PID 5788 wrote to memory of 1160	5788	New Text Document mod.exe	105
PID 5828 wrote to memory of 3712	5828	Tutorial.exe	106
PID 5828 wrote to memory of 3712	5828	Tutorial.exe	106
PID 5828 wrote to memory of 3712	5828	Tutorial.exe	106
PID 5828 wrote to memory of 3712	5828	Tutorial.exe	106
PID 5828 wrote to memory of 3712	5828	Tutorial.exe	106
PID 5828 wrote to memory of 3712	5828	Tutorial.exe	106
PID 5828 wrote to memory of 3712	5828	Tutorial.exe	106
PID 5828 wrote to memory of 3712	5828	Tutorial.exe	106
PID 1532 wrote to memory of 2024	1532	saloader.exe	107
PID 1532 wrote to memory of 2024	1532	saloader.exe	107
PID 2244 wrote to memory of 8	2244	xs.exe	109
PID 2244 wrote to memory of 8	2244	xs.exe	109
PID 2244 wrote to memory of 1804	2244	xs.exe	110
PID 2244 wrote to memory of 1804	2244	xs.exe	110
PID 5788 wrote to memory of 3652	5788	New Text Document mod.exe	113
PID 5788 wrote to memory of 3652	5788	New Text Document mod.exe	113
PID 5788 wrote to memory of 3652	5788	New Text Document mod.exe	113
PID 8 wrote to memory of 5940	8	cmd.exe	114
PID 8 wrote to memory of 5940	8	cmd.exe	114
PID 1804 wrote to memory of 6084	1804	cmd.exe	115
PID 1804 wrote to memory of 6084	1804	cmd.exe	115
PID 1532 wrote to memory of 3196	1532	saloader.exe	117
PID 1532 wrote to memory of 3196	1532	saloader.exe	117
PID 1532 wrote to memory of 3804	1532	saloader.exe	119

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
3060	attrib.exe

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	gvndxfghs.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	gvndxfghs.exe

C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe
"C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5788
- C:\Users\Admin\AppData\Local\Temp\a\Loader.exe
  "C:\Users\Admin\AppData\Local\Temp\a\Loader.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3504
- C:\Users\Admin\AppData\Local\Temp\a\output.exe
  "C:\Users\Admin\AppData\Local\Temp\a\output.exe"
  2⤵
  - Looks for VirtualBox Guest Additions in registry
  - Looks for VMWare Tools registry key
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Checks SCSI registry key(s)
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  PID:4628
- C:\Users\Admin\AppData\Local\Temp\a\saloader.exe
  "C:\Users\Admin\AppData\Local\Temp\a\saloader.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1532
- - C:\Windows\SYSTEM32\attrib.exe
    "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\a\saloader.exe"
    3⤵
    - Views/modifies file attributes
    PID:3060
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\a\saloader.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:404
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3228
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:240
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3384
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" os get Caption
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2024
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" computersystem get totalphysicalmemory
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3196
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    PID:3804
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:1256
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic" path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:5700
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\a\saloader.exe" && pause
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:1420
  - - C:\Windows\system32\PING.EXE
      ping localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:4816
- C:\Users\Admin\AppData\Local\Temp\a\aidans.dont.run.exe
  "C:\Users\Admin\AppData\Local\Temp\a\aidans.dont.run.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2256
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "windows" /tr '"C:\Users\Admin\AppData\Roaming\windows.exe"' & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5588
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "windows" /tr '"C:\Users\Admin\AppData\Roaming\windows.exe"'
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:5696
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpAE03.tmp.bat""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5592
  - - C:\Windows\system32\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:1984
  - - C:\Users\Admin\AppData\Roaming\windows.exe
      "C:\Users\Admin\AppData\Roaming\windows.exe"
      4⤵
      Executes dropped EXE
      PID:1808
- C:\Users\Admin\AppData\Local\Temp\a\handeltest.exe
  "C:\Users\Admin\AppData\Local\Temp\a\handeltest.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5200
- C:\Users\Admin\AppData\Local\Temp\a\xs.exe
  "C:\Users\Admin\AppData\Local\Temp\a\xs.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2244
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "aspnet_regbrowsers" /tr '"C:\Users\Admin\AppData\Roaming\aspnet_regbrowsers.exe"' & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:8
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "aspnet_regbrowsers" /tr '"C:\Users\Admin\AppData\Roaming\aspnet_regbrowsers.exe"'
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:5940
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpB2C5.tmp.bat""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1804
  - - C:\Windows\system32\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:6084
  - - C:\Users\Admin\AppData\Roaming\aspnet_regbrowsers.exe
      "C:\Users\Admin\AppData\Roaming\aspnet_regbrowsers.exe"
      4⤵
      Executes dropped EXE
      PID:4684
- C:\Users\Admin\AppData\Local\Temp\a\Tutorial.exe
  "C:\Users\Admin\AppData\Local\Temp\a\Tutorial.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5828
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3712
- C:\Users\Admin\AppData\Local\Temp\a\aa.exe
  "C:\Users\Admin\AppData\Local\Temp\a\aa.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5780
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "atat" /tr '"C:\Users\Admin\AppData\Roaming\atat.exe"' & exit
    3⤵
    PID:1176
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "atat" /tr '"C:\Users\Admin\AppData\Roaming\atat.exe"'
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2648
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpBC5B.tmp.bat""
    3⤵
    PID:1700
  - - C:\Windows\system32\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:3620
  - - C:\Users\Admin\AppData\Roaming\atat.exe
      "C:\Users\Admin\AppData\Roaming\atat.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:3428
- C:\Users\Admin\AppData\Local\Temp\a\nobody.exe
  "C:\Users\Admin\AppData\Local\Temp\a\nobody.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2304
- C:\Users\Admin\AppData\Local\Temp\a\ataturk.exe
  "C:\Users\Admin\AppData\Local\Temp\a\ataturk.exe"
  2⤵
  - Executes dropped EXE
  PID:1160
- C:\Users\Admin\AppData\Local\Temp\a\start.exe
  "C:\Users\Admin\AppData\Local\Temp\a\start.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3652
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "System32" /tr '"C:\Users\Admin\AppData\Roaming\System32.exe"' & exit
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6088
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "System32" /tr '"C:\Users\Admin\AppData\Roaming\System32.exe"'
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:3168
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpC41B.tmp.bat""
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5212
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 3
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:5440
  - - C:\Users\Admin\AppData\Roaming\System32.exe
      "C:\Users\Admin\AppData\Roaming\System32.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3832
- C:\Users\Admin\AppData\Local\Temp\a\Winsvc.exe
  "C:\Users\Admin\AppData\Local\Temp\a\Winsvc.exe"
  2⤵
  - Executes dropped EXE
  PID:4760
- C:\Users\Admin\AppData\Local\Temp\a\TPB-1.exe
  "C:\Users\Admin\AppData\Local\Temp\a\TPB-1.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  PID:1920
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
    3⤵
    - Uses browser remote debugging
    - Enumerates system info in registry
    PID:1352
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffb01acc40,0x7fffb01acc4c,0x7fffb01acc58
      4⤵
      PID:5808
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1820,i,1576147435104737800,3703121132429914726,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1816 /prefetch:2
      4⤵
      PID:2416
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2072,i,1576147435104737800,3703121132429914726,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2096 /prefetch:3
      4⤵
      PID:404
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2180,i,1576147435104737800,3703121132429914726,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2356 /prefetch:8
      4⤵
      PID:1204
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3128,i,1576147435104737800,3703121132429914726,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3148 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:1656
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3168,i,1576147435104737800,3703121132429914726,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3292 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:5960
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4428,i,1576147435104737800,3703121132429914726,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4464 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:5776
- C:\Users\Admin\AppData\Local\Temp\a\gvndxfghs.exe
  "C:\Users\Admin\AppData\Local\Temp\a\gvndxfghs.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:3736
- - C:\Users\Admin\AppData\Local\Temp\a\gvndxfghs.exe
    C:\Users\Admin\AppData\Local\Temp\a\gvndxfghs.exe
    3⤵
    - Executes dropped EXE
    PID:2164
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2164 -s 28
      4⤵
      Program crash
      PID:5980
- - C:\Users\Admin\AppData\Local\Temp\a\gvndxfghs.exe
    C:\Users\Admin\AppData\Local\Temp\a\gvndxfghs.exe
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - System Location Discovery: System Language Discovery
    - outlook_office_path
    - outlook_win_path
    PID:3920
- - C:\Users\Admin\AppData\Local\Temp\a\gvndxfghs.exe
    C:\Users\Admin\AppData\Local\Temp\a\gvndxfghs.exe
    3⤵
    - Executes dropped EXE
    PID:1816
- C:\Users\Admin\AppData\Local\Temp\a\random.exe
  "C:\Users\Admin\AppData\Local\Temp\a\random.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  PID:4688
- C:\Users\Admin\AppData\Local\Temp\a\unik.exe
  "C:\Users\Admin\AppData\Local\Temp\a\unik.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  PID:6028
- C:\Users\Admin\AppData\Local\Temp\a\xblkpfZ8Y4.exe
  "C:\Users\Admin\AppData\Local\Temp\a\xblkpfZ8Y4.exe"
  2⤵
  PID:5304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2164 -ip 2164
1⤵
PID:2088

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:5924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Modify Authentication Process

T1556

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Authentication Process

T1556

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
8703a0087f1c85d153ad423e72fb287b

SHA1
948144e534fcc75636012475b923c665cb323bb1

SHA256
c7052a96c823a77b96b8081fcbd4f701614b2484f26ec846ac883edb2b1129cc

SHA512
f76f4927113edcdf56fa457b8d56ab997182b7bdbb921f0b6de0f17acc4338d544b8c167f1194d667d864e88ecf9950200933ccef17d6a6fe9508cf891814fb2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0ac871344dc49ae49f13f0f88acb4868

SHA1
5a073862375c7e79255bb0eab32c635b57a77f98

SHA256
688f15b59a784f6f4c62554f00b5d0840d1489cef989c18126c70dfee0806d37

SHA512
ace5c50303bd27998607cf34ac4322bcf5edfbd19bbb24309acf4d037b6f3f7636c7c14b6ac0b924114e036252d3a1b998951c7068f41548728fa5d92f5f9006

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
9402c815c24778d14ceb8f13bff17188

SHA1
73fe123e5546ab00211dd0a0eed5a639c9bf60bf

SHA256
e6cbc21e42e21db1d8cf2b9333af227772bd94be3611e5e689a578eb4ad19d46

SHA512
a5ce6180e902c2f486c2f1c334ed47bf9f77c569a00279447b20fa5fb6b0f0b4d55dbf82e0e81ac1c8e2d2a9dbedb65dbdfbb4006f500373371f14df37d2ac9c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d0a4a3b9a52b8fe3b019f6cd0ef3dad6

SHA1
fed70ce7834c3b97edbd078eccda1e5effa527cd

SHA256
21942e513f223fdad778348fbb20617dd29f986bccd87824c0ae7f15649f3f31

SHA512
1a66f837b4e7fb6346d0500aeacb44902fb8a239bce23416271263eba46fddae58a17075e188ae43eb516c841e02c87e32ebd73256c7cc2c0713d00c35f1761b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_b0kwy4y5.qzh.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\02.08.2022.exe

Filesize
234KB

MD5
718d9132e5472578611c8a24939d152d

SHA1
8f17a1619a16ffbbc8d57942bd6c96b4045e7d68

SHA256
09810b0365c5ac275cca1a45ea00b00fdca819b7f10ce2c8a6a50a456d9e1ced

SHA512
6ae73ad6156bafa2e3f9a2b3466bca4d0a38d562b40aa29a84b6c9fe9380d2f99d73235b5d70208d6f2a3f607710eebf8c4daed6d387add0d933933fdd8c05de

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Loader.exe

Filesize
63KB

MD5
56c640c4191b4b95ba344032afd14e77

SHA1
c93a0fd32b46718ca3bc7d1c78ae6236b88ef3c9

SHA256
ebd4b1ab90350e2f13d46f2a356d5a637d5bec704cf3af211c43a89cb11dd142

SHA512
617512f96443b7cc9cc315d2eb0322d8b359218d459e80821563336b67ac263f1da9b00c75bde73320d6540572552c47b436c683c862f19b5ed470273001e63e

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\TPB-1.exe

Filesize
409KB

MD5
2d79aec368236c7741a6904e9adff58f

SHA1
c0b6133df7148de54f876473ba1c64cb630108c1

SHA256
b33f25c28bf15a787d41472717270301071af4f10ec93fa064c96e1a33455c35

SHA512
022c5d135f66bc253a25086a2e9070a1ae395bdedd657a7a5554563dace75e1cbfe77c87033d6908d72deeab4a53f50e8bd202c4f6d6a9f17a19a9ebfdfe9538

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Tutorial.exe

Filesize
7KB

MD5
07edde1f91911ca79eb6088a5745576d

SHA1
00bf2ae194929c4276ca367ef6eca93afba0e917

SHA256
755d0128ec5a265f8fe25fa220925c42171682801aa0160707ffc39719270936

SHA512
8ed0362290199a6e5b45dc09061a06112eae9a68bea11241a31e330be5ca83a5936f64e1139c33159c91e87320a20904891b3e48802626b809d6b37001c425e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Winsvc.exe

Filesize
2.1MB

MD5
169a647d79cf1b25db151feb8d470fc7

SHA1
86ee9ba772982c039b070862d6583bcfed764b2c

SHA256
e61431610df015f48ebc4f4bc0492c4012b34d63b2f474badf6085c9dbc7f708

SHA512
efb5fd3e37da05611be570fb87929af73e7f16639b5eb23140381434dc974afc6a69f338c75ede069b387015e302c5106bf3a8f2727bb0406e7ca1de3d48a925

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\aa.exe

Filesize
74KB

MD5
447523b766e4c76092414a6b42080308

SHA1
f4218ea7e227bde410f5cbd6b26efd637fc35886

SHA256
3e7eb033eaf54c89f14d322597e377be7fd69f9c300f5be0e670b675d2a1a568

SHA512
98b68c743d8aab5b9cb0aad2331ab24673e425fbe68ad0ede2f3aafc1394879f8a05c7db5393b3ef3b8c2d21674a35f90c275558f43cdf983d03d995151ec2f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\aidans.dont.run.exe

Filesize
63KB

MD5
9efaf6b98fdde9df4532d1236b60619f

SHA1
5d1414d09d54de16b04cd0cd05ccfc0692588fd1

SHA256
7c8a5e6cf4e451d61157e113f431a1f3e606fba0e7147ffa9a8f429cb60e47d6

SHA512
eabc2c58a7b2d636f13b149199f2dc943c4af3296c5a4605b72293294a449a2ea8da432238748ca2fb69fb944a31ac6fae7e5310cdc57609e5955f62b71e812d

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\ataturk.exe

Filesize
56KB

MD5
a7b36da8acc804d5dd40f9500277fea9

SHA1
5c80776335618c4ad99d1796f72ebeb53a12a40b

SHA256
b820302d0d553406ab7b2db246c15ac87cb62a8e9c088bda2261fe5906fc3672

SHA512
ee1a8b3fdc049f90c0a4cfe166a7bde04eb6c55a261ad9f9574c995ea782b9e2398ac7028a258ea737aea81326fa3f85e609f3e1510373b9925dc03dcb0dee52

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\gvndxfghs.exe

Filesize
320KB

MD5
3050c0cddc68a35f296ba436c4726db4

SHA1
199706ee121c23702f2e7e41827be3e58d1605ea

SHA256
6bcddc15bc817e1eff29027edc4b19ef38c78b53d01fb8ffc024ad4df57b55c2

SHA512
b95c673a0c267e3ba56ffa26c976c7c0c0a1cc61f3c25f7fc5041919957ad5cb3dfe12d2a7cc0a10b2db41f7e0b42677b8e926d7b4d8679aadbd16976bd8e3ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\handeltest.exe

Filesize
8KB

MD5
fc58aae64a21beb97e1f8eb000610801

SHA1
d377b4da7d8992b0c00455b88550515369b48c78

SHA256
a9da5745b96d84d4933b62dd790563ecdf59b5cf45009a192e886dc39c80c389

SHA512
601d661020e204565d21a1b7cedc5c081be2a88c226cd7152be6d3ea0ccc72161dcec68026f344028e5409e08178877639d5d6a46564d8e3d68236e484fc03d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\nobody.exe

Filesize
74KB

MD5
4b1b45bb55ccdd4b078459ade3763e6d

SHA1
049344853c902e22e70ae231c669bf0751185716

SHA256
1f06ff3d8f50e6c184beca758aaad63936ad20a056b8ae4c8138d85ccc703a46

SHA512
b95739746df825e83e59b81f11f841d6029f92bebcd46485df456b23ff1c87cbce097d1e695a9f0a2559bcd9960a4f4fc137bca95233fafe95b13ddf5fabad65

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\output.exe

Filesize
41KB

MD5
a0e598ec98a975405420be1aadaa3c2a

SHA1
d861788839cfb78b5203686334c1104165ea0937

SHA256
e6ac8a6dac77f9873024f50befb293b9cf6347aa2e093cd863b551d9c8da5f8d

SHA512
e5ee500a8dcddd72e727cfa24e51093cd2b088f7ef89089f1d24145baa41c1ac46bf6be73bfd8cb15e2549349da8c2547d4e391b6e3a456621524fe0f83f9585

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\random.exe

Filesize
1.9MB

MD5
50a2b1ed762a07b62770d1532a5c0e57

SHA1
3e89b640f5bc1cfd6da2dded0f6aea947a7f6353

SHA256
859fca2ff16a4c2e55accf995c415e046c4d4150fb3b50064ee26acbb02cb853

SHA512
207ad9f0a03fbb9bd58087fb49bd84c71493e4e840a367b0732b8dc836184845c4c0b9f873a9c068ca3295786a283d2bd936aa01cc87e9a3f1e26e2cfcabf7ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\saloader.exe

Filesize
229KB

MD5
1e10af7811808fc24065f18535cf1220

SHA1
65995bcb862aa66988e1bb0dbff75dcac9b400c7

SHA256
e07fd0ac793b06603be164c9ee73465af512cf17bed07614cbcd2a8410f04eed

SHA512
f1c623918a3701254805e7648d671b316446a0f98637d3de62d44331cf91502afb57ccb762472491bc4ac037fbf5f7b624eb9d39092b3be0b2ed84da6f3acadc

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\start.exe

Filesize
45KB

MD5
b733e729705bf66c1e5c66d97e247701

SHA1
25eec814abdf1fc6afe621e16aa89c4eb42616b9

SHA256
9081f9cf986ed111d976a07ee26fc2b1b9992301344197d6d3f83fe0d2616023

SHA512
09b59b8942c1409a03ca4e7f77c6007160af4d557386b766516dba392750869c017d0fd5d6fbbfcbb3e559a70ad42adcb498595df186be180cfc04e921d74320

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\unik.exe

Filesize
1.9MB

MD5
8d4744784b89bf2c1affb083790fdc88

SHA1
d3f5d8d2622b0d93f7ce5b0da2b5f4ed439c6ec5

SHA256
d6a689c92843fce8cbd5391511ed74f7e9b6eb9df799626174a8b4c7160bea75

SHA512
b3126463c8d5bb69a161778e871928dc9047b69bfcb56b1af91342034a15e03a1e5a0ccea4ba7334a66a361842e8241046e00500626613a00cb5bec891436641

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\xblkpfZ8Y4.exe

Filesize
2.6MB

MD5
a57888cae0e3537111917acb350d610c

SHA1
e800606ca221d31e3fcd9797c4c5636e6c79e43c

SHA256
a6266ad9f9941db9ed5f3cf037a0ed996d8863439b12a8710c947bf104747e3e

SHA512
90c62f78a78f3e91c901d31840adbc70661ec01fa3215c13ee224963ca170d9a9f52d9c3351ba1d01d4fc0518e7542b0964d584ddd42adb859100dd31296eab9

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\xs.exe

Filesize
56KB

MD5
717f7ee9f178509f07ace113f47bb6d1

SHA1
6ce32babec7538b702d38483ac6031c18a209f96

SHA256
50f7eb886f7d415e9e64875867aeeeaa8ef129f49ceebd271701e53c4f5acd85

SHA512
5ad4328061c67ec4c9db57ff8c56cf048d8b1fe386e554256c720136acd4f9e1d8cb39bc8079ae8ba5eb8d80137bb571ba29ee55bfd22786797445a652d0ef95

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpAE03.tmp.bat

Filesize
151B

MD5
4828e1a26f04011a2b64e91e8c5a7685

SHA1
fbd36f6f276855863ab85e23d110a08c6c41af4e

SHA256
c161e0182d491e9c78f3bf27274f7a331f47210e483036d485cc7c6adf12fec6

SHA512
029251c092c526397e5951a872d601c0cbb27345338800e49808c50e29d5f152b06d0ceccdf6e6cd4ad2b1611e6ec96524706d44091c300cdd883cc019238de6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB2C5.tmp.bat

Filesize
162B

MD5
90dde58692f9266ef5ecc6cfc70d9d08

SHA1
e1f3de56c2c516990df93950e96d5d51704f40bd

SHA256
bb264018b8fcc5cc42c13e2c2702c7d98bbfb9ffc9639c4a855a5fcf0a3587be

SHA512
d21a2b52a60dc902c4145327417519237ee12f9bd07f47543c1b2244a09c1a7f63cd7364fbca7f7b68dcc557a354bbac04b9154035ef56c95fd9dfce4a599f5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBC5B.tmp.bat

Filesize
148B

MD5
96ae2e56f7d018cf86ce222c1c242a06

SHA1
4989fb461eb8c7d166206bb42c92165a4311c06e

SHA256
0cbaaa0dc3c29b3d6593813fe36e078606d99ccd32d7192594f2a1ec27adb867

SHA512
17353381fa6994b76cea9f9e709738840b576c5978bfd4527cdbd5c447d9dd24f6e620ffd3b97bf4f1553a1dd210e7394580945abc4d6c5dc47c38366f23a1db

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC41B.tmp.bat

Filesize
152B

MD5
44b50d37e1e885f01c0cdb72bd6e5389

SHA1
e90d3c5a4d34a9852f6942d2cf3daef7204c0e9b

SHA256
40d435d9b9dee51ecc250b7bd2ecff0a88415770153fe19205ff74b64102ccf3

SHA512
8aff6210c6b88ee6ddaf096e059e3d9546f8d54fb8329b3f4282cfc8327acdc6690ab70f586632a150e9368bc50a0cb770496fcb03e0b6f56e6276997616c330

Download Submit
C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf

Filesize
8B

MD5
cf759e4c5f14fe3eec41b87ed756cea8

SHA1
c27c796bb3c2fac929359563676f4ba1ffada1f5

SHA256
c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761

SHA512
c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
2KB

MD5
4028457913f9d08b06137643fe3e01bc

SHA1
a5cb3f12beaea8194a2d3d83a62bdb8d558f5f14

SHA256
289d433902418aaf62e7b96b215ece04fcbcef2457daf90f46837a4d5090da58

SHA512
c8e1eef90618341bbde885fd126ece2b1911ca99d20d82f62985869ba457553b4c2bf1e841fd06dacbf27275b3b0940e5a794e1b1db0fd56440a96592362c28b

Download Submit
memory/404-54-0x0000021C50160000-0x0000021C50182000-memory.dmp

Filesize
136KB

Download
memory/1160-201-0x0000000000440000-0x0000000000454000-memory.dmp

Filesize
80KB

Download
memory/1532-185-0x000001F95CB80000-0x000001F95CB8A000-memory.dmp

Filesize
40KB

Download
memory/1532-88-0x000001F95CE40000-0x000001F95CEB6000-memory.dmp

Filesize
472KB

Download
memory/1532-186-0x000001F95CEC0000-0x000001F95CED2000-memory.dmp

Filesize
72KB

Download
memory/1532-89-0x000001F95CF40000-0x000001F95CF90000-memory.dmp

Filesize
320KB

Download
memory/1532-39-0x000001F942680000-0x000001F9426C0000-memory.dmp

Filesize
256KB

Download
memory/1532-92-0x000001F95CBA0000-0x000001F95CBBE000-memory.dmp

Filesize
120KB

Download
memory/1920-527-0x0000000000400000-0x000000000066D000-memory.dmp

Filesize
2.4MB

Download
memory/2244-107-0x00000000003C0000-0x00000000003D4000-memory.dmp

Filesize
80KB

Download
memory/2256-51-0x0000000000620000-0x0000000000636000-memory.dmp

Filesize
88KB

Download
memory/2304-178-0x0000000000890000-0x00000000008A8000-memory.dmp

Filesize
96KB

Download
memory/3504-258-0x00007FFFB4830000-0x00007FFFB52F2000-memory.dmp

Filesize
10.8MB

Download
memory/3504-15-0x00007FFFB4830000-0x00007FFFB52F2000-memory.dmp

Filesize
10.8MB

Download
memory/3504-14-0x0000000000DD0000-0x0000000000DE6000-memory.dmp

Filesize
88KB

Download
memory/3652-219-0x0000000000FF0000-0x0000000001002000-memory.dmp

Filesize
72KB

Download
memory/3712-202-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3736-1110-0x0000000005620000-0x0000000005626000-memory.dmp

Filesize
24KB

Download
memory/3736-1018-0x0000000005080000-0x00000000050E2000-memory.dmp

Filesize
392KB

Download
memory/3736-896-0x0000000003050000-0x0000000003056000-memory.dmp

Filesize
24KB

Download
memory/3736-790-0x0000000000DC0000-0x0000000000E16000-memory.dmp

Filesize
344KB

Download
memory/4628-27-0x0000000000B70000-0x0000000000B80000-memory.dmp

Filesize
64KB

Download
memory/4688-1503-0x0000000000400000-0x00000000008B9000-memory.dmp

Filesize
4.7MB

Download
memory/4760-312-0x0000021846A90000-0x0000021846C28000-memory.dmp

Filesize
1.6MB

Download
memory/4760-338-0x0000021846A90000-0x0000021846C28000-memory.dmp

Filesize
1.6MB

Download
memory/4760-296-0x0000021846A90000-0x0000021846C28000-memory.dmp

Filesize
1.6MB

Download
memory/4760-342-0x0000021846A90000-0x0000021846C28000-memory.dmp

Filesize
1.6MB

Download
memory/4760-340-0x0000021846A90000-0x0000021846C28000-memory.dmp

Filesize
1.6MB

Download
memory/4760-348-0x0000021846A90000-0x0000021846C28000-memory.dmp

Filesize
1.6MB

Download
memory/4760-346-0x0000021846A90000-0x0000021846C28000-memory.dmp

Filesize
1.6MB

Download
memory/4760-344-0x0000021846A90000-0x0000021846C28000-memory.dmp

Filesize
1.6MB

Download
memory/4760-336-0x0000021846A90000-0x0000021846C28000-memory.dmp

Filesize
1.6MB

Download
memory/4760-334-0x0000021846A90000-0x0000021846C28000-memory.dmp

Filesize
1.6MB

Download
memory/4760-332-0x0000021846A90000-0x0000021846C28000-memory.dmp

Filesize
1.6MB

Download
memory/4760-1505-0x000002182E0F0000-0x000002182E13C000-memory.dmp

Filesize
304KB

Download
memory/4760-1504-0x0000021846D30000-0x0000021846E3E000-memory.dmp

Filesize
1.1MB

Download
memory/4760-326-0x0000021846A90000-0x0000021846C28000-memory.dmp

Filesize
1.6MB

Download
memory/4760-322-0x0000021846A90000-0x0000021846C28000-memory.dmp

Filesize
1.6MB

Download
memory/4760-320-0x0000021846A90000-0x0000021846C28000-memory.dmp

Filesize
1.6MB

Download
memory/4760-318-0x0000021846A90000-0x0000021846C28000-memory.dmp

Filesize
1.6MB

Download
memory/4760-316-0x0000021846A90000-0x0000021846C28000-memory.dmp

Filesize
1.6MB

Download
memory/4760-314-0x0000021846A90000-0x0000021846C28000-memory.dmp

Filesize
1.6MB

Download
memory/4760-286-0x0000021846A90000-0x0000021846C2E000-memory.dmp

Filesize
1.6MB

Download
memory/4760-310-0x0000021846A90000-0x0000021846C28000-memory.dmp

Filesize
1.6MB

Download
memory/4760-300-0x0000021846A90000-0x0000021846C28000-memory.dmp

Filesize
1.6MB

Download
memory/4760-298-0x0000021846A90000-0x0000021846C28000-memory.dmp

Filesize
1.6MB

Download
memory/4760-294-0x0000021846A90000-0x0000021846C28000-memory.dmp

Filesize
1.6MB

Download
memory/4760-292-0x0000021846A90000-0x0000021846C28000-memory.dmp

Filesize
1.6MB

Download
memory/4760-290-0x0000021846A90000-0x0000021846C28000-memory.dmp

Filesize
1.6MB

Download
memory/4760-330-0x0000021846A90000-0x0000021846C28000-memory.dmp

Filesize
1.6MB

Download
memory/4760-328-0x0000021846A90000-0x0000021846C28000-memory.dmp

Filesize
1.6MB

Download
memory/4760-324-0x0000021846A90000-0x0000021846C28000-memory.dmp

Filesize
1.6MB

Download
memory/4760-308-0x0000021846A90000-0x0000021846C28000-memory.dmp

Filesize
1.6MB

Download
memory/4760-306-0x0000021846A90000-0x0000021846C28000-memory.dmp

Filesize
1.6MB

Download
memory/4760-304-0x0000021846A90000-0x0000021846C28000-memory.dmp

Filesize
1.6MB

Download
memory/4760-302-0x0000021846A90000-0x0000021846C28000-memory.dmp

Filesize
1.6MB

Download
memory/4760-288-0x0000021846A90000-0x0000021846C28000-memory.dmp

Filesize
1.6MB

Download
memory/4760-287-0x0000021846A90000-0x0000021846C28000-memory.dmp

Filesize
1.6MB

Download
memory/4760-285-0x000002182C0B0000-0x000002182C2CC000-memory.dmp

Filesize
2.1MB

Download
memory/5200-101-0x0000000004EC0000-0x0000000004ECA000-memory.dmp

Filesize
40KB

Download
memory/5200-87-0x0000000000540000-0x0000000000548000-memory.dmp

Filesize
32KB

Download
memory/5200-90-0x0000000005470000-0x0000000005A16000-memory.dmp

Filesize
5.6MB

Download
memory/5200-91-0x0000000004F60000-0x0000000004FF2000-memory.dmp

Filesize
584KB

Download
memory/5304-1544-0x00007FF7EEB20000-0x00007FF7EF770000-memory.dmp

Filesize
12.3MB

Download
memory/5780-150-0x00000000005C0000-0x00000000005D8000-memory.dmp

Filesize
96KB

Download
memory/5788-2-0x00007FFFB4830000-0x00007FFFB52F2000-memory.dmp

Filesize
10.8MB

Download
memory/5788-0-0x00007FFFB4833000-0x00007FFFB4835000-memory.dmp

Filesize
8KB

Download
memory/5788-245-0x00007FFFB4830000-0x00007FFFB52F2000-memory.dmp

Filesize
10.8MB

Download
memory/5788-236-0x00007FFFB4833000-0x00007FFFB4835000-memory.dmp

Filesize
8KB

Download
memory/5788-1-0x0000000000130000-0x0000000000138000-memory.dmp

Filesize
32KB

Download
memory/5828-137-0x00000000001F0000-0x00000000001F8000-memory.dmp

Filesize
32KB

Download
memory/5828-195-0x0000000005530000-0x000000000553A000-memory.dmp

Filesize
40KB

Download
memory/5828-196-0x0000000005600000-0x000000000569C000-memory.dmp

Filesize
624KB

Download
memory/6028-1517-0x0000000000400000-0x00000000008BA000-memory.dmp

Filesize
4.7MB

Download