pony | 390d7472201e8ea9bdc6c7fa2b4ab1f6faca02071f1f997037cc5f52759a9cb6

Resubmissions

12-11-2021 18:04

211112-wnzb8aahhm 10

19-11-2020 10:08

201119-rhwlt38jrx 10

18-11-2020 17:26

201118-htd4fq29va 10

Analysis

max time kernel
447s
max time network
449s
platform
windows10_x64
resource
win10v20201028
submitted
18-11-2020 17:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Magic_File_v3_keygen_by_KeygenNinja.exe

Score

10^/10

pony bootkit discovery evasion persistence rat rezer0 spyware stealer trojan upx

Malware Config

Signatures

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony

Nirsoft 6 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\1605720737643.exe	Nirsoft
C:\Users\Admin\AppData\Roaming\1605720737643.exe	Nirsoft
C:\Users\Admin\AppData\Roaming\1605720740956.exe	Nirsoft
C:\Users\Admin\AppData\Roaming\1605720740956.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe	Nirsoft

ReZer0 packer 1 IoCs

Detects ReZer0, a packer with multiple versions used in various campaigns.

rezer0

Processes:

resource	yara_rule
behavioral15/memory/1864-65-0x0000000005310000-0x0000000005319000-memory.dmp	rezer0

Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

21 3136 rundll32.exe

flow	pid	process
21	3136	rundll32.exe

Executes dropped EXE 17 IoCs

Processes:

keygen-pr.exekeygen-step-3.exekeygen-step-4.exekey.exeSetup.exekey.exe1605720737643.exeBTRSetp.exe1605720740956.exeBTRSetp.exejuppp.exejfiag_gg.exejfiag_gg.exeid6.exelcx.exesetup_full.exewyfdggaa.exe

pid	process
4080	keygen-pr.exe
2076	keygen-step-3.exe
4424	keygen-step-4.exe
1572	key.exe
1968	Setup.exe
2172	key.exe
2872	1605720737643.exe
1864	BTRSetp.exe
5040	1605720740956.exe
3612	BTRSetp.exe
2632	juppp.exe
4824	jfiag_gg.exe
4412	jfiag_gg.exe
4532	id6.exe
4420	lcx.exe
1576	setup_full.exe
4464	wyfdggaa.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\RarSFX2\juppp.exe	upx
C:\Users\Admin\AppData\Local\Temp\RarSFX2\juppp.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe	upx

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

cmd.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\International\Geo\Nation cmd.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\International\Geo\Nation	cmd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

juppp.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kissq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kissq.exe"	juppp.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

Setup.exewyfdggaa.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Setup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wyfdggaa.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

26 ip-api.com
Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

Setup.exerundll32.exe

description ioc process

File opened for modification \??\PhysicalDrive0 Setup.exe
File opened for modification \??\PhysicalDrive0 rundll32.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

Setup.exe

pid process

1968 Setup.exe

flow	ioc
26	ip-api.com

description	ioc	process
File opened for modification	\??\PhysicalDrive0	Setup.exe
File opened for modification	\??\PhysicalDrive0	rundll32.exe

pid	process
1968	Setup.exe

Suspicious use of SetThreadContext 6 IoCs

Processes:

key.exeSetup.exerundll32.exeBTRSetp.exe

description	pid	process	target process
PID 1572 set thread context of 2172	1572	key.exe	key.exe
PID 1968 set thread context of 3136	1968	Setup.exe	rundll32.exe
PID 1968 set thread context of 3696	1968	Setup.exe	rundll32.exe
PID 1968 set thread context of 4508	1968	Setup.exe	rundll32.exe
PID 4508 set thread context of 708	4508	rundll32.exe	rundll32.exe
PID 1864 set thread context of 3612	1864	BTRSetp.exe	BTRSetp.exe

Drops file in Windows directory 1 IoCs

Processes:

MicrosoftEdge.exe

description ioc process

File opened for modification C:\Windows\Debug\ESE.TXT MicrosoftEdge.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4896 3612 WerFault.exe BTRSetp.exe
Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

3772 taskkill.exe
2996 taskkill.exe

description	ioc	process
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe

pid	pid_target	process	target process
4896	3612	WerFault.exe	BTRSetp.exe

pid	process
3772	taskkill.exe
2996	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

Processes:

MicrosoftEdge.exebrowser_broker.exeMicrosoftEdgeCP.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe

Modifies registry class 64 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\LowRegistry\DOMStorage	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify = 01000000d474e9df4690eec1f6c982c9f9780bbfdc57113a3af7cff4136513458937fb861d6c9dcc6dca59af78bb2b2b15b0952ae47c67b39697a62e2935	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-SubSysId = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CacheLimit = "256000"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\EnableNegotiate = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DeviceId = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Revision = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url3 = "https://signin.ebay.com/ws/ebayisapi.dll"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\LowRegistry\DontShowMeThisDialogAgain	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer\Main\OperationalData = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DXFeatureLevel = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\iplogger.org\NumberOfSubdomai = "1"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Toolbar\WebBrowser	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Zoom	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\ImageStoreRandomFolder = "v38k95l"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CacheLimit = "1"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CacheLimit = "1"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PageSetup	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History\CacheLimit = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\iplogger.org\ = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\Total	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\TypedUrlsComplete = "1"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\FirstRecoveryTime = 6c3a3b6c55add601	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active\{CEF399DC-9C67-4466-B0CA-5456B603D955} = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionLow = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListDOSTime = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CacheLimit = "1"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\AllComplete = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\iplogger.org\ = "0"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\IntelliForms	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\SmartScreenCompletedVersio = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\Extensions	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory\ExtensionI = "5"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\EnablementState = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Extensible Cache	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url2 = "https://login.aliexpress.com/"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VendorId = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\IETld\LowMic	MicrosoftEdge.exe

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXE

pid process

1468 PING.EXE
2972 PING.EXE
4756 PING.EXE

pid	process
1468	PING.EXE
2972	PING.EXE
4756	PING.EXE

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

1605720737643.exe1605720740956.exekey.exeWerFault.exejfiag_gg.exe

pid	process
2872	1605720737643.exe
2872	1605720737643.exe
5040	1605720740956.exe
5040	1605720740956.exe
1572	key.exe
1572	key.exe
4896	WerFault.exe
4896	WerFault.exe
4896	WerFault.exe
4896	WerFault.exe
4896	WerFault.exe
4896	WerFault.exe
4896	WerFault.exe
4896	WerFault.exe
4896	WerFault.exe
4896	WerFault.exe
4896	WerFault.exe
4896	WerFault.exe
4896	WerFault.exe
4896	WerFault.exe
4896	WerFault.exe
4896	WerFault.exe
4412	jfiag_gg.exe
4412	jfiag_gg.exe

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

MicrosoftEdgeCP.exe

pid process

1288 MicrosoftEdgeCP.exe
1288 MicrosoftEdgeCP.exe

pid	process
1288	MicrosoftEdgeCP.exe
1288	MicrosoftEdgeCP.exe

Suspicious use of AdjustPrivilegeToken 55 IoCs

Processes:

taskkill.exetaskkill.exekey.exeWerFault.exeMicrosoftEdge.exeMicrosoftEdgeCP.exewyfdggaa.exe

description	pid	process
Token: SeDebugPrivilege	3772	taskkill.exe
Token: SeDebugPrivilege	2996	taskkill.exe
Token: SeImpersonatePrivilege	1572	key.exe
Token: SeTcbPrivilege	1572	key.exe
Token: SeChangeNotifyPrivilege	1572	key.exe
Token: SeCreateTokenPrivilege	1572	key.exe
Token: SeBackupPrivilege	1572	key.exe
Token: SeRestorePrivilege	1572	key.exe
Token: SeIncreaseQuotaPrivilege	1572	key.exe
Token: SeAssignPrimaryTokenPrivilege	1572	key.exe
Token: SeImpersonatePrivilege	1572	key.exe
Token: SeTcbPrivilege	1572	key.exe
Token: SeChangeNotifyPrivilege	1572	key.exe
Token: SeCreateTokenPrivilege	1572	key.exe
Token: SeBackupPrivilege	1572	key.exe
Token: SeRestorePrivilege	1572	key.exe
Token: SeIncreaseQuotaPrivilege	1572	key.exe
Token: SeAssignPrimaryTokenPrivilege	1572	key.exe
Token: SeImpersonatePrivilege	1572	key.exe
Token: SeTcbPrivilege	1572	key.exe
Token: SeChangeNotifyPrivilege	1572	key.exe
Token: SeCreateTokenPrivilege	1572	key.exe
Token: SeBackupPrivilege	1572	key.exe
Token: SeRestorePrivilege	1572	key.exe
Token: SeIncreaseQuotaPrivilege	1572	key.exe
Token: SeAssignPrimaryTokenPrivilege	1572	key.exe
Token: SeImpersonatePrivilege	1572	key.exe
Token: SeTcbPrivilege	1572	key.exe
Token: SeChangeNotifyPrivilege	1572	key.exe
Token: SeCreateTokenPrivilege	1572	key.exe
Token: SeBackupPrivilege	1572	key.exe
Token: SeRestorePrivilege	1572	key.exe
Token: SeIncreaseQuotaPrivilege	1572	key.exe
Token: SeAssignPrimaryTokenPrivilege	1572	key.exe
Token: SeImpersonatePrivilege	1572	key.exe
Token: SeTcbPrivilege	1572	key.exe
Token: SeChangeNotifyPrivilege	1572	key.exe
Token: SeCreateTokenPrivilege	1572	key.exe
Token: SeBackupPrivilege	1572	key.exe
Token: SeRestorePrivilege	1572	key.exe
Token: SeIncreaseQuotaPrivilege	1572	key.exe
Token: SeAssignPrimaryTokenPrivilege	1572	key.exe
Token: SeRestorePrivilege	4896	WerFault.exe
Token: SeBackupPrivilege	4896	WerFault.exe
Token: SeDebugPrivilege	4896	WerFault.exe
Token: SeDebugPrivilege	4160	MicrosoftEdge.exe
Token: SeDebugPrivilege	4160	MicrosoftEdge.exe
Token: SeDebugPrivilege	4160	MicrosoftEdge.exe
Token: SeDebugPrivilege	4160	MicrosoftEdge.exe
Token: SeDebugPrivilege	1776	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	1776	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	1776	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	1776	MicrosoftEdgeCP.exe
Token: SeManageVolumePrivilege	4464	wyfdggaa.exe
Token: SeManageVolumePrivilege	4464	wyfdggaa.exe

Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

rundll32.exeid6.exeMicrosoftEdge.exewyfdggaa.exeMicrosoftEdgeCP.exe

pid	process
708	rundll32.exe
4532	id6.exe
4532	id6.exe
4160	MicrosoftEdge.exe
4464	wyfdggaa.exe
1288	MicrosoftEdgeCP.exe
1288	MicrosoftEdgeCP.exe
4464	wyfdggaa.exe
4464	wyfdggaa.exe
4464	wyfdggaa.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Magic_File_v3_keygen_by_KeygenNinja.execmd.exekeygen-step-3.execmd.exekeygen-pr.exekeygen-step-4.exekey.exeSetup.exerundll32.exe

description	pid	process	target process
PID 4744 wrote to memory of 3220	4744	Magic_File_v3_keygen_by_KeygenNinja.exe	cmd.exe
PID 4744 wrote to memory of 3220	4744	Magic_File_v3_keygen_by_KeygenNinja.exe	cmd.exe
PID 4744 wrote to memory of 3220	4744	Magic_File_v3_keygen_by_KeygenNinja.exe	cmd.exe
PID 3220 wrote to memory of 4080	3220	cmd.exe	keygen-pr.exe
PID 3220 wrote to memory of 4080	3220	cmd.exe	keygen-pr.exe
PID 3220 wrote to memory of 4080	3220	cmd.exe	keygen-pr.exe
PID 3220 wrote to memory of 2076	3220	cmd.exe	keygen-step-3.exe
PID 3220 wrote to memory of 2076	3220	cmd.exe	keygen-step-3.exe
PID 3220 wrote to memory of 2076	3220	cmd.exe	keygen-step-3.exe
PID 3220 wrote to memory of 4424	3220	cmd.exe	keygen-step-4.exe
PID 3220 wrote to memory of 4424	3220	cmd.exe	keygen-step-4.exe
PID 3220 wrote to memory of 4424	3220	cmd.exe	keygen-step-4.exe
PID 2076 wrote to memory of 4512	2076	keygen-step-3.exe	cmd.exe
PID 2076 wrote to memory of 4512	2076	keygen-step-3.exe	cmd.exe
PID 2076 wrote to memory of 4512	2076	keygen-step-3.exe	cmd.exe
PID 4512 wrote to memory of 1468	4512	cmd.exe	PING.EXE
PID 4512 wrote to memory of 1468	4512	cmd.exe	PING.EXE
PID 4512 wrote to memory of 1468	4512	cmd.exe	PING.EXE
PID 4080 wrote to memory of 1572	4080	keygen-pr.exe	key.exe
PID 4080 wrote to memory of 1572	4080	keygen-pr.exe	key.exe
PID 4080 wrote to memory of 1572	4080	keygen-pr.exe	key.exe
PID 4424 wrote to memory of 1968	4424	keygen-step-4.exe	Setup.exe
PID 4424 wrote to memory of 1968	4424	keygen-step-4.exe	Setup.exe
PID 4424 wrote to memory of 1968	4424	keygen-step-4.exe	Setup.exe
PID 1572 wrote to memory of 2172	1572	key.exe	key.exe
PID 1572 wrote to memory of 2172	1572	key.exe	key.exe
PID 1572 wrote to memory of 2172	1572	key.exe	key.exe
PID 1572 wrote to memory of 2172	1572	key.exe	key.exe
PID 1572 wrote to memory of 2172	1572	key.exe	key.exe
PID 1572 wrote to memory of 2172	1572	key.exe	key.exe
PID 1572 wrote to memory of 2172	1572	key.exe	key.exe
PID 1572 wrote to memory of 2172	1572	key.exe	key.exe
PID 1572 wrote to memory of 2172	1572	key.exe	key.exe
PID 1572 wrote to memory of 2172	1572	key.exe	key.exe
PID 1572 wrote to memory of 2172	1572	key.exe	key.exe
PID 1572 wrote to memory of 2172	1572	key.exe	key.exe
PID 1572 wrote to memory of 2172	1572	key.exe	key.exe
PID 1572 wrote to memory of 2172	1572	key.exe	key.exe
PID 1572 wrote to memory of 2172	1572	key.exe	key.exe
PID 1968 wrote to memory of 3136	1968	Setup.exe	rundll32.exe
PID 1968 wrote to memory of 3136	1968	Setup.exe	rundll32.exe
PID 1968 wrote to memory of 3136	1968	Setup.exe	rundll32.exe
PID 1968 wrote to memory of 3136	1968	Setup.exe	rundll32.exe
PID 1968 wrote to memory of 3136	1968	Setup.exe	rundll32.exe
PID 1968 wrote to memory of 3136	1968	Setup.exe	rundll32.exe
PID 1968 wrote to memory of 3136	1968	Setup.exe	rundll32.exe
PID 1968 wrote to memory of 3696	1968	Setup.exe	rundll32.exe
PID 1968 wrote to memory of 3696	1968	Setup.exe	rundll32.exe
PID 1968 wrote to memory of 3696	1968	Setup.exe	rundll32.exe
PID 1968 wrote to memory of 3696	1968	Setup.exe	rundll32.exe
PID 1968 wrote to memory of 3696	1968	Setup.exe	rundll32.exe
PID 1968 wrote to memory of 3696	1968	Setup.exe	rundll32.exe
PID 1968 wrote to memory of 3696	1968	Setup.exe	rundll32.exe
PID 1968 wrote to memory of 4508	1968	Setup.exe	rundll32.exe
PID 1968 wrote to memory of 4508	1968	Setup.exe	rundll32.exe
PID 1968 wrote to memory of 4508	1968	Setup.exe	rundll32.exe
PID 1968 wrote to memory of 4508	1968	Setup.exe	rundll32.exe
PID 1968 wrote to memory of 4508	1968	Setup.exe	rundll32.exe
PID 1968 wrote to memory of 4508	1968	Setup.exe	rundll32.exe
PID 1968 wrote to memory of 4508	1968	Setup.exe	rundll32.exe
PID 1968 wrote to memory of 4720	1968	Setup.exe	cmd.exe
PID 1968 wrote to memory of 4720	1968	Setup.exe	cmd.exe
PID 1968 wrote to memory of 4720	1968	Setup.exe	cmd.exe
PID 3696 wrote to memory of 4716	3696	rundll32.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\Magic_File_v3_keygen_by_KeygenNinja.exe
"C:\Users\Admin\AppData\Local\Temp\Magic_File_v3_keygen_by_KeygenNinja.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4744

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:3220

C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exe
keygen-pr.exe -p83fsase3Ge
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4080

C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1572

C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe -txt -scanlocal -file:potato.dat
5⤵
- Executes dropped EXE
PID:2172

C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe
keygen-step-3.exe
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2076

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:4512

C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 1 -w 3000
5⤵
- Runs ping.exe
PID:1468

C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exe
keygen-step-4.exe
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4424

C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe"
4⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1968

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe 001 install5
5⤵
- Blocklisted process makes network request
- Writes to the Master Boot Record (MBR)
PID:3136

C:\Users\Admin\AppData\Roaming\1605720737643.exe
"C:\Users\Admin\AppData\Roaming\1605720737643.exe" /sjson "C:\Users\Admin\AppData\Roaming\1605720737643.txt"
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2872

C:\Users\Admin\AppData\Roaming\1605720740956.exe
"C:\Users\Admin\AppData\Roaming\1605720740956.exe" /sjson "C:\Users\Admin\AppData\Roaming\1605720740956.txt"
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:5040

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe 002 install5
5⤵
- Suspicious use of WriteProcessMemory
PID:3696

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
6⤵
PID:4716

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
7⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3772

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im firefox.exe
6⤵
PID:2640

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im firefox.exe
7⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2996

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe 003 install5
5⤵
- Suspicious use of SetThreadContext
PID:4508

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe"
6⤵
- Suspicious use of SetWindowsHookEx
PID:708

C:\Windows\SysWOW64\cmd.exe
cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe"
5⤵
PID:4720

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 3
6⤵
- Runs ping.exe
PID:2972

C:\Users\Admin\AppData\Local\Temp\RarSFX2\BTRSetp.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX2\BTRSetp.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1864

C:\Users\Admin\AppData\Local\Temp\RarSFX2\BTRSetp.exe
"{path}"
5⤵
- Executes dropped EXE
PID:3612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3612 -s 1380
6⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4896

C:\Users\Admin\AppData\Local\Temp\RarSFX2\juppp.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX2\juppp.exe"
4⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2632

C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fjgha23_fa.txt
5⤵
- Executes dropped EXE
PID:4824

C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fjgha23_fa.txt
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4412

C:\Users\Admin\AppData\Local\Temp\RarSFX2\id6.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX2\id6.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4532

C:\Users\Admin\AppData\Local\Temp\RarSFX2\lcx.exe
lcx.exe version2.txt
5⤵
- Executes dropped EXE
PID:4420

C:\Users\Admin\AppData\Local\Temp\RarSFX2\setup_full.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX2\setup_full.exe"
4⤵
- Executes dropped EXE
PID:1576

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RarSFX2\setup_full.exe"
5⤵
PID:2696

C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 1 -w 3000
6⤵
- Runs ping.exe
PID:4756

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX2\DreamTrips.bat" "
4⤵
- Checks computer location settings
PID:816

C:\Users\Admin\AppData\Local\Temp\RarSFX2\wyfdggaa.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX2\wyfdggaa.exe"
4⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4464

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4160

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:5036

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:1288

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1776

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\InetCookies\UM67DSA7.cookie

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.bat

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\JOzWR.dat

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\potato.dat

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX2\BTRSetp.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX2\BTRSetp.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX2\BTRSetp.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX2\Config.ini

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX2\DreamTrips.bat

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX2\id6.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX2\id6.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX2\juppp.exe

MD5
4daaeeeba9222078c92a61b2dabbe1d3

SHA1
0efc3cf265a697995a318eb2ac1ea2854af4d4cd

SHA256
a3d1bbbae88dc886822c41503e47fb2d475160d81f99ab6621d60cfa59b3effd

SHA512
2f8b73a414f96a36b54ed703054fb2a43ea2799d21076a2be75b8c5e7b49245d9a836a9dc1b5413f08366927a4839d158aa8f2c8b3b7589b5f0639b5a807dde4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX2\juppp.exe

MD5
4daaeeeba9222078c92a61b2dabbe1d3

SHA1
0efc3cf265a697995a318eb2ac1ea2854af4d4cd

SHA256
a3d1bbbae88dc886822c41503e47fb2d475160d81f99ab6621d60cfa59b3effd

SHA512
2f8b73a414f96a36b54ed703054fb2a43ea2799d21076a2be75b8c5e7b49245d9a836a9dc1b5413f08366927a4839d158aa8f2c8b3b7589b5f0639b5a807dde4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX2\lcx.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX2\lcx.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX2\setup_full.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX2\setup_full.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX2\version2.txt

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX2\wyfdggaa.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX2\wyfdggaa.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\fjgha23_fa.txt

Download Submit
C:\Users\Admin\AppData\Local\Temp\fjgha23_fa.txt

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe

MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe

MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe

MD5
4d4c98eca32b14aeb074db34cd0881e4

SHA1
92f213d609bba05d41d6941652a88c44936663a4

SHA256
4182172a01bdfc08c5cf7e8652f7d9d81858345a770e2b6b507840e4c1c7764f

SHA512
959da8bbf6084e802ed366de8d240382b8a5ab2f18bc58881f42ecb7a8ed082d0e078b3ad18dbf90ac0a14cd491b5ac8b00cf1f0a266bdb7ebb8d95c5c71cacf

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe

MD5
4d4c98eca32b14aeb074db34cd0881e4

SHA1
92f213d609bba05d41d6941652a88c44936663a4

SHA256
4182172a01bdfc08c5cf7e8652f7d9d81858345a770e2b6b507840e4c1c7764f

SHA512
959da8bbf6084e802ed366de8d240382b8a5ab2f18bc58881f42ecb7a8ed082d0e078b3ad18dbf90ac0a14cd491b5ac8b00cf1f0a266bdb7ebb8d95c5c71cacf

Download Submit
C:\Users\Admin\AppData\Roaming\1605720737643.exe

MD5
ef6f72358cb02551caebe720fbc55f95

SHA1
b5ee276e8d479c270eceb497606bd44ee09ff4b8

SHA256
6562bdcbf775e04d8238c2b52a4e8df5afa1e35d1d33d1e4508cfe040676c1e5

SHA512
ea3f0cf40ed3aa3e43b7a19ed6412027f76f9d2d738e040e6459415aa1e5ef13c29ca830a66430c33e492558f7c5f0cc86e1df9474322f231f8506e49c3a1a90

Download Submit
C:\Users\Admin\AppData\Roaming\1605720737643.exe

MD5
ef6f72358cb02551caebe720fbc55f95

SHA1
b5ee276e8d479c270eceb497606bd44ee09ff4b8

SHA256
6562bdcbf775e04d8238c2b52a4e8df5afa1e35d1d33d1e4508cfe040676c1e5

SHA512
ea3f0cf40ed3aa3e43b7a19ed6412027f76f9d2d738e040e6459415aa1e5ef13c29ca830a66430c33e492558f7c5f0cc86e1df9474322f231f8506e49c3a1a90

Download Submit
C:\Users\Admin\AppData\Roaming\1605720737643.txt

Download Submit
C:\Users\Admin\AppData\Roaming\1605720740956.exe

MD5
ef6f72358cb02551caebe720fbc55f95

SHA1
b5ee276e8d479c270eceb497606bd44ee09ff4b8

SHA256
6562bdcbf775e04d8238c2b52a4e8df5afa1e35d1d33d1e4508cfe040676c1e5

SHA512
ea3f0cf40ed3aa3e43b7a19ed6412027f76f9d2d738e040e6459415aa1e5ef13c29ca830a66430c33e492558f7c5f0cc86e1df9474322f231f8506e49c3a1a90

Download Submit
C:\Users\Admin\AppData\Roaming\1605720740956.exe

MD5
ef6f72358cb02551caebe720fbc55f95

SHA1
b5ee276e8d479c270eceb497606bd44ee09ff4b8

SHA256
6562bdcbf775e04d8238c2b52a4e8df5afa1e35d1d33d1e4508cfe040676c1e5

SHA512
ea3f0cf40ed3aa3e43b7a19ed6412027f76f9d2d738e040e6459415aa1e5ef13c29ca830a66430c33e492558f7c5f0cc86e1df9474322f231f8506e49c3a1a90

Download Submit
C:\Users\Admin\AppData\Roaming\1605720740956.txt

Download Submit
memory/708-64-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/708-63-0x0000000000E45FB0-mapping.dmp

Download
memory/816-301-0x0000000000000000-mapping.dmp

Download
memory/1468-15-0x0000000000000000-mapping.dmp

Download
memory/1572-16-0x0000000000000000-mapping.dmp

Download
memory/1576-297-0x0000000000000000-mapping.dmp

Download
memory/1864-47-0x00000000713C0000-0x0000000071AAE000-memory.dmp

Filesize
6.9MB

Download
memory/1864-42-0x0000000000000000-mapping.dmp

Download
memory/1864-54-0x0000000004DA0000-0x0000000004DB7000-memory.dmp

Filesize
92KB

Download
memory/1864-55-0x0000000004DC0000-0x0000000004DCB000-memory.dmp

Filesize
44KB

Download
memory/1864-56-0x0000000004FF0000-0x0000000004FF1000-memory.dmp

Filesize
4KB

Download
memory/1864-49-0x0000000000580000-0x0000000000581000-memory.dmp

Filesize
4KB

Download
memory/1864-65-0x0000000005310000-0x0000000005319000-memory.dmp

Filesize
36KB

Download
memory/1864-66-0x0000000005A90000-0x0000000005A91000-memory.dmp

Filesize
4KB

Download
memory/1864-53-0x0000000004DD0000-0x0000000004DD1000-memory.dmp

Filesize
4KB

Download
memory/1968-28-0x0000000010000000-0x0000000010196000-memory.dmp

Filesize
1.6MB

Download
memory/1968-23-0x0000000075B50000-0x0000000075BE3000-memory.dmp

Filesize
588KB

Download
memory/1968-20-0x0000000000000000-mapping.dmp

Download
memory/2076-6-0x0000000000000000-mapping.dmp

Download
memory/2076-7-0x0000000000000000-mapping.dmp

Download
memory/2172-27-0x0000000000400000-0x0000000000983000-memory.dmp

Filesize
5.5MB

Download
memory/2172-24-0x0000000000400000-0x0000000000983000-memory.dmp

Filesize
5.5MB

Download
memory/2172-25-0x000000000066C0BC-mapping.dmp

Download
memory/2632-70-0x0000000000000000-mapping.dmp

Download
memory/2640-40-0x0000000000000000-mapping.dmp

Download
memory/2696-300-0x0000000000000000-mapping.dmp

Download
memory/2872-39-0x0000000000000000-mapping.dmp

Download
memory/2972-48-0x0000000000000000-mapping.dmp

Download
memory/2996-52-0x0000000000000000-mapping.dmp

Download
memory/3136-31-0x0000000010000000-0x00000000101FE000-memory.dmp

Filesize
2.0MB

Download
memory/3136-34-0x00000000043F0000-0x00000000045E0000-memory.dmp

Filesize
1.9MB

Download
memory/3136-29-0x0000000000E45FB0-mapping.dmp

Download
memory/3220-0-0x0000000000000000-mapping.dmp

Download
memory/3612-296-0x0000000000401A01-mapping.dmp

Download
memory/3612-217-0x0000000000401A01-mapping.dmp

Download
memory/3612-82-0x0000000000401A01-mapping.dmp

Download
memory/3612-81-0x0000000000401A01-mapping.dmp

Download
memory/3612-83-0x0000000000401A01-mapping.dmp

Download
memory/3612-84-0x0000000000401A01-mapping.dmp

Download
memory/3612-85-0x0000000000401A01-mapping.dmp

Download
memory/3612-86-0x0000000000401A01-mapping.dmp

Download
memory/3612-87-0x0000000000401A01-mapping.dmp

Download
memory/3612-226-0x0000000000401A01-mapping.dmp

Download
memory/3612-225-0x0000000000401A01-mapping.dmp

Download
memory/3612-224-0x0000000000401A01-mapping.dmp

Download
memory/3612-295-0x0000000000401A01-mapping.dmp

Download
memory/3612-67-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3612-80-0x0000000000401A01-mapping.dmp

Download
memory/3612-294-0x0000000000401A01-mapping.dmp

Download
memory/3612-78-0x0000000000401A01-mapping.dmp

Download
memory/3612-292-0x0000000000401A01-mapping.dmp

Download
memory/3612-288-0x0000000000401A01-mapping.dmp

Download
memory/3612-293-0x0000000000401A01-mapping.dmp

Download
memory/3612-223-0x0000000000401A01-mapping.dmp

Download
memory/3612-71-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3612-68-0x0000000000401A01-mapping.dmp

Download
memory/3612-222-0x0000000000401A01-mapping.dmp

Download
memory/3612-220-0x0000000000401A01-mapping.dmp

Download
memory/3612-290-0x0000000000401A01-mapping.dmp

Download
memory/3612-291-0x0000000000401A01-mapping.dmp

Download
memory/3612-289-0x0000000000401A01-mapping.dmp

Download
memory/3612-79-0x0000000000401A01-mapping.dmp

Download
memory/3612-218-0x0000000000401A01-mapping.dmp

Download
memory/3612-219-0x0000000000401A01-mapping.dmp

Download
memory/3612-221-0x0000000000401A01-mapping.dmp

Download
memory/3696-30-0x0000000000E45FB0-mapping.dmp

Download
memory/3696-35-0x0000000005220000-0x0000000005410000-memory.dmp

Filesize
1.9MB

Download
memory/3772-51-0x0000000000000000-mapping.dmp

Download
memory/4080-3-0x0000000000000000-mapping.dmp

Download
memory/4080-2-0x0000000000000000-mapping.dmp

Download
memory/4412-90-0x0000000000000000-mapping.dmp

Download
memory/4420-115-0x0000000000000000-mapping.dmp

Download
memory/4420-307-0x0000000010000000-0x00000000100E3000-memory.dmp

Filesize
908KB

Download
memory/4424-10-0x0000000000000000-mapping.dmp

Download
memory/4424-12-0x0000000000000000-mapping.dmp

Download
memory/4464-304-0x0000000000000000-mapping.dmp

Download
memory/4508-41-0x0000000004500000-0x00000000046F0000-memory.dmp

Filesize
1.9MB

Download
memory/4508-33-0x0000000000E45FB0-mapping.dmp

Download
memory/4512-11-0x0000000000000000-mapping.dmp

Download
memory/4532-103-0x0000000000000000-mapping.dmp

Download
memory/4716-37-0x0000000000000000-mapping.dmp

Download
memory/4720-36-0x0000000000000000-mapping.dmp

Download
memory/4756-302-0x0000000000000000-mapping.dmp

Download
memory/4824-74-0x0000000000000000-mapping.dmp

Download
memory/4896-261-0x00000000037B0000-0x00000000037B1000-memory.dmp

Filesize
4KB

Download
memory/4896-268-0x00000000037B0000-0x00000000037B1000-memory.dmp

Filesize
4KB

Download
memory/4896-236-0x00000000037B0000-0x00000000037B1000-memory.dmp

Filesize
4KB

Download
memory/4896-239-0x00000000037B0000-0x00000000037B1000-memory.dmp

Filesize
4KB

Download
memory/4896-240-0x00000000037B0000-0x00000000037B1000-memory.dmp

Filesize
4KB

Download
memory/4896-241-0x00000000037B0000-0x00000000037B1000-memory.dmp

Filesize
4KB

Download
memory/4896-242-0x00000000037B0000-0x00000000037B1000-memory.dmp

Filesize
4KB

Download
memory/4896-243-0x00000000037B0000-0x00000000037B1000-memory.dmp

Filesize
4KB

Download
memory/4896-238-0x00000000037B0000-0x00000000037B1000-memory.dmp

Filesize
4KB

Download
memory/4896-245-0x00000000037B0000-0x00000000037B1000-memory.dmp

Filesize
4KB

Download
memory/4896-244-0x00000000037B0000-0x00000000037B1000-memory.dmp

Filesize
4KB

Download
memory/4896-246-0x00000000037B0000-0x00000000037B1000-memory.dmp

Filesize
4KB

Download
memory/4896-247-0x00000000037B0000-0x00000000037B1000-memory.dmp

Filesize
4KB

Download
memory/4896-248-0x00000000037B0000-0x00000000037B1000-memory.dmp

Filesize
4KB

Download
memory/4896-249-0x00000000037B0000-0x00000000037B1000-memory.dmp

Filesize
4KB

Download
memory/4896-250-0x00000000037B0000-0x00000000037B1000-memory.dmp

Filesize
4KB

Download
memory/4896-252-0x00000000037B0000-0x00000000037B1000-memory.dmp

Filesize
4KB

Download
memory/4896-253-0x00000000037B0000-0x00000000037B1000-memory.dmp

Filesize
4KB

Download
memory/4896-251-0x00000000037B0000-0x00000000037B1000-memory.dmp

Filesize
4KB

Download
memory/4896-254-0x00000000037B0000-0x00000000037B1000-memory.dmp

Filesize
4KB

Download
memory/4896-255-0x00000000037B0000-0x00000000037B1000-memory.dmp

Filesize
4KB

Download
memory/4896-257-0x00000000037B0000-0x00000000037B1000-memory.dmp

Filesize
4KB

Download
memory/4896-258-0x00000000037B0000-0x00000000037B1000-memory.dmp

Filesize
4KB

Download
memory/4896-259-0x00000000037B0000-0x00000000037B1000-memory.dmp

Filesize
4KB

Download
memory/4896-260-0x00000000037B0000-0x00000000037B1000-memory.dmp

Filesize
4KB

Download
memory/4896-256-0x00000000037B0000-0x00000000037B1000-memory.dmp

Filesize
4KB

Download
memory/4896-262-0x00000000037B0000-0x00000000037B1000-memory.dmp

Filesize
4KB

Download
memory/4896-263-0x00000000037B0000-0x00000000037B1000-memory.dmp

Filesize
4KB

Download
memory/4896-235-0x00000000037B0000-0x00000000037B1000-memory.dmp

Filesize
4KB

Download
memory/4896-264-0x00000000037B0000-0x00000000037B1000-memory.dmp

Filesize
4KB

Download
memory/4896-266-0x00000000037B0000-0x00000000037B1000-memory.dmp

Filesize
4KB

Download
memory/4896-265-0x00000000037B0000-0x00000000037B1000-memory.dmp

Filesize
4KB

Download
memory/4896-267-0x00000000037B0000-0x00000000037B1000-memory.dmp

Filesize
4KB

Download
memory/4896-237-0x00000000037B0000-0x00000000037B1000-memory.dmp

Filesize
4KB

Download
memory/4896-269-0x00000000037B0000-0x00000000037B1000-memory.dmp

Filesize
4KB

Download
memory/4896-270-0x00000000037B0000-0x00000000037B1000-memory.dmp

Filesize
4KB

Download
memory/4896-271-0x00000000037B0000-0x00000000037B1000-memory.dmp

Filesize
4KB

Download
memory/4896-273-0x00000000037B0000-0x00000000037B1000-memory.dmp

Filesize
4KB

Download
memory/4896-274-0x00000000037B0000-0x00000000037B1000-memory.dmp

Filesize
4KB

Download
memory/4896-275-0x00000000037B0000-0x00000000037B1000-memory.dmp

Filesize
4KB

Download
memory/4896-276-0x00000000037B0000-0x00000000037B1000-memory.dmp

Filesize
4KB

Download
memory/4896-277-0x00000000037B0000-0x00000000037B1000-memory.dmp

Filesize
4KB

Download
memory/4896-278-0x00000000037B0000-0x00000000037B1000-memory.dmp

Filesize
4KB

Download
memory/4896-272-0x00000000037B0000-0x00000000037B1000-memory.dmp

Filesize
4KB

Download
memory/4896-279-0x00000000037B0000-0x00000000037B1000-memory.dmp

Filesize
4KB

Download
memory/4896-281-0x00000000037B0000-0x00000000037B1000-memory.dmp

Filesize
4KB

Download
memory/4896-282-0x00000000037B0000-0x00000000037B1000-memory.dmp

Filesize
4KB

Download
memory/4896-280-0x00000000037B0000-0x00000000037B1000-memory.dmp

Filesize
4KB

Download
memory/4896-283-0x00000000037B0000-0x00000000037B1000-memory.dmp

Filesize
4KB

Download
memory/4896-284-0x00000000037B0000-0x00000000037B1000-memory.dmp

Filesize
4KB

Download
memory/4896-285-0x00000000037B0000-0x00000000037B1000-memory.dmp

Filesize
4KB

Download
memory/4896-227-0x00000000037B0000-0x00000000037B1000-memory.dmp

Filesize
4KB

Download
memory/4896-169-0x0000000005CD0000-0x0000000005CD1000-memory.dmp

Filesize
4KB

Download
memory/4896-144-0x0000000005CD0000-0x0000000005CD1000-memory.dmp

Filesize
4KB

Download
memory/4896-136-0x0000000005CD0000-0x0000000005CD1000-memory.dmp

Filesize
4KB

Download
memory/4896-98-0x0000000005CD0000-0x0000000005CD1000-memory.dmp

Filesize
4KB

Download
memory/4896-95-0x0000000005CD0000-0x0000000005CD1000-memory.dmp

Filesize
4KB

Download
memory/4896-93-0x0000000005CD0000-0x0000000005CD1000-memory.dmp

Filesize
4KB

Download
memory/4896-234-0x00000000037B0000-0x00000000037B1000-memory.dmp

Filesize
4KB

Download
memory/4896-233-0x00000000037B0000-0x00000000037B1000-memory.dmp

Filesize
4KB

Download
memory/4896-231-0x00000000037B0000-0x00000000037B1000-memory.dmp

Filesize
4KB

Download
memory/4896-232-0x00000000037B0000-0x00000000037B1000-memory.dmp

Filesize
4KB

Download
memory/4896-230-0x00000000037B0000-0x00000000037B1000-memory.dmp

Filesize
4KB

Download
memory/4896-229-0x00000000037B0000-0x00000000037B1000-memory.dmp

Filesize
4KB

Download
memory/4896-228-0x0000000005C00000-0x0000000005C01000-memory.dmp

Filesize
4KB

Download
memory/4896-89-0x0000000005CD0000-0x0000000005CD1000-memory.dmp

Filesize
4KB

Download
memory/4896-77-0x00000000050A0000-0x00000000050A1000-memory.dmp

Filesize
4KB

Download
memory/5040-58-0x0000000000000000-mapping.dmp

Download