glupteba | 64dc2b5958fe37dd9733928c156e0c75ab544e2e0169f9f796c3f3db809bcbe5

Target

toolspab2 (13).exe
Size

315KB
MD5

1d20e1f65938e837ef1b88f10f1bd6c3
SHA1

703d7098dbfc476d2181b7fc041cc23e49c368f1
SHA256

05cd7440851f13dd8f489bb3c06eba385d85d7d9a77a612049c04c541a88593d
SHA512

f9d333abe1f721b8d45d7bc6b5f286af09a8d233bd1d41f0ad891840cf742364aeca2cb6ccd6543f56a8eaf32804f82f72f961d16d5ba663ad706d164915a196

Score

10^/10

glupteba gozi_rm3 metasploit redline smokeloader socelars 202106221 ytmaloy backdoor banker discovery dropper evasion infostealer loader persistence spyware stealer trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

http://999080321newfolder1002002131-service1002.space/

http://999080321newfolder1002002231-service1002.space/

http://999080321newfolder3100231-service1002.space/

http://999080321newfolder1002002431-service1002.space/

http://999080321newfolder1002002531-service1002.space/

http://999080321newfolder33417-012425999080321.space/

http://999080321test125831-service10020125999080321.space/

http://999080321test136831-service10020125999080321.space/

http://999080321test147831-service10020125999080321.space/

http://999080321test146831-service10020125999080321.space/

http://999080321test134831-service10020125999080321.space/

http://999080321est213531-service1002012425999080321.ru/

http://999080321yes1t3481-service10020125999080321.ru/

http://999080321test13561-service10020125999080321.su/

http://999080321test14781-service10020125999080321.info/

http://999080321test13461-service10020125999080321.net/

http://999080321test15671-service10020125999080321.tech/

http://999080321test12671-service10020125999080321.online/

http://999080321utest1341-service10020125999080321.ru/

http://999080321uest71-service100201dom25999080321.ru/

rc4.i32

Extracted

Family

redline

Botnet

YTMaloy

87.251.71.125:80

Extracted

Family

metasploit

Version

windows/single_exec

Extracted

Family

redline

82.202.161.37:26317

Extracted

Family

gozi_rm3

Attributes

build
300974

rsa_pubkey.plain

Extracted

Family

gozi_rm3

Botnet

202106221

https://alwaystampax.com

Attributes

build
300974
exe_type
loader
non_target_locale
RU
server_id
12
url_path
index.htm

rsa_pubkey.plain

aes.plain

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba Payload 2 IoCs

resource	yara_rule
behavioral9/memory/336-188-0x00000000029B0000-0x00000000032D6000-memory.dmp	family_glupteba
behavioral9/memory/336-189-0x0000000000400000-0x0000000000D41000-memory.dmp	family_glupteba

Gozi RM3
A heavily modified version of Gozi using RM3 loader.
banker trojan gozi_rm3
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 5 IoCs

resource	yara_rule
behavioral9/memory/1712-107-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral9/memory/1712-108-0x0000000000417E96-mapping.dmp	family_redline
behavioral9/memory/1712-110-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral9/memory/2468-262-0x0000000001EB0000-0x0000000001ECB000-memory.dmp	family_redline
behavioral9/memory/2468-263-0x0000000002000000-0x0000000002019000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
evasion

Software Discovery
T1518
Downloads MZ/PE file

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	134 Vaporeondè_éçè_)))_.exe

Executes dropped EXE 36 IoCs

pid	Process
1492	4DD2.exe
540	5005.exe
560	58BC.exe
1272	5E87.exe
936	6829.exe
1712	6829.exe
540	1BCF.exe
860	U1PwSASbnJZ1Nt2.eXE
2016	1FE6.exe
2044	1FE6.tmp
336	2C84.exe
584	134 Vaporeondè_éçè_)))_.exe
1888	2C84.exe
1736	irecord.exe
980	irecord.tmp
1424	ZHivaegyhobe.exe
268	Fufaejuhaqe.exe
1888	I-Record.exe
2376	8E91.exe
2468	90B4.exe
2688	toolspab1.exe
3056	toolspab1.exe
2392	udfccub
2624	jrfccub
2120	259585975.exe
2552	jrfccub
2152	jrfccub
2452	udfccub
2148	jrfccub
2136	udfccub
2360	jrfccub
2736	jrfccub
2540	EEEC.exe
1528	F247.exe
1592	F785.exe
2188	0~NM~WIL.eXe

Deletes itself 1 IoCs

pid	Process
1220	Explorer.EXE

Loads dropped DLL 50 IoCs

pid	Process
1800	toolspab2 (13).exe
936	6829.exe
1272	5E87.exe
1384	cmd.exe
2016	1FE6.exe
2044	1FE6.tmp
2044	1FE6.tmp
2044	1FE6.tmp
1632	regsvr32.exe
2044	1FE6.tmp
1736	irecord.exe
980	irecord.tmp
980	irecord.tmp
980	irecord.tmp
980	irecord.tmp
980	irecord.tmp
1888	I-Record.exe
1888	I-Record.exe
1888	I-Record.exe
1888	I-Record.exe
1888	I-Record.exe
1888	I-Record.exe
1888	I-Record.exe
2688	toolspab1.exe
3056	toolspab1.exe
2100	IEXPLORE.EXE
2100	IEXPLORE.EXE
2120	259585975.exe
2120	259585975.exe
2120	259585975.exe
2120	259585975.exe
2120	259585975.exe
2120	259585975.exe
2120	259585975.exe
2120	259585975.exe
2120	259585975.exe
2120	259585975.exe
2120	259585975.exe
2120	259585975.exe
2120	259585975.exe
2120	259585975.exe
2120	259585975.exe
2552	jrfccub
2392	udfccub
2452	udfccub
2148	jrfccub
2736	jrfccub
2136	udfccub
2468	cmd.exe
2360	regsvr32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Microsoft Office\\Hibamawimy.exe\""	134 Vaporeondè_éçè_)))_.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
97	checkip.amazonaws.com

Program crash 2 IoCs

pid	pid_target	Process	procid_target
420	2396	WerFault.exe	110
1944	2580	WerFault.exe	145

Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs

pid	Process
1632	regsvr32.exe
2360	regsvr32.exe

Suspicious use of SetThreadContext 6 IoCs

description	pid	Process	procid_target
PID 1996 set thread context of 1800	1996	toolspab2 (13).exe	29
PID 936 set thread context of 1712	936	6829.exe	38
PID 2688 set thread context of 3056	2688	toolspab1.exe	94
PID 2624 set thread context of 2552	2624	jrfccub	104
PID 2152 set thread context of 2148	2152	jrfccub	117
PID 2360 set thread context of 2736	2360	jrfccub	126

Drops file in Program Files directory 30 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\i-record\is-M9NLP.tmp	irecord.tmp
File created	C:\Program Files (x86)\i-record\is-0LTF3.tmp	irecord.tmp
File created	C:\Program Files (x86)\i-record\is-5G04E.tmp	irecord.tmp
File created	C:\Program Files (x86)\i-record\is-BMB7B.tmp	irecord.tmp
File opened for modification	C:\Program Files (x86)\i-record\swscale-2.dll	irecord.tmp
File opened for modification	C:\Program Files (x86)\i-record\I-Record.exe	irecord.tmp
File opened for modification	C:\Program Files (x86)\i-record\postproc-52.dll	irecord.tmp
File created	C:\Program Files (x86)\Microsoft Office\Hibamawimy.exe	134 Vaporeondè_éçè_)))_.exe
File created	C:\Program Files (x86)\Microsoft Office\Hibamawimy.exe.config	134 Vaporeondè_éçè_)))_.exe
File opened for modification	C:\Program Files (x86)\i-record\AForge.Video.dll	irecord.tmp
File created	C:\Program Files (x86)\i-record\is-7CO33.tmp	irecord.tmp
File created	C:\Program Files (x86)\i-record\is-S8P35.tmp	irecord.tmp
File created	C:\Program Files (x86)\i-record\is-F2KQN.tmp	irecord.tmp
File opened for modification	C:\Program Files (x86)\i-record\swresample-0.dll	irecord.tmp
File opened for modification	C:\Program Files (x86)\i-record\avfilter-2.dll	irecord.tmp
File opened for modification	C:\Program Files (x86)\i-record\avutil-51.dll	irecord.tmp
File opened for modification	C:\Program Files (x86)\i-record\AForge.Video.FFMPEG.dll	irecord.tmp
File created	C:\Program Files (x86)\i-record\unins000.dat	irecord.tmp
File created	C:\Program Files\Windows Journal\XTDRCAXSXJ\irecord.exe.config	134 Vaporeondè_éçè_)))_.exe
File opened for modification	C:\Program Files (x86)\i-record\avformat-53.dll	irecord.tmp
File created	C:\Program Files (x86)\i-record\is-Q1VPJ.tmp	irecord.tmp
File created	C:\Program Files (x86)\i-record\is-NA9U3.tmp	irecord.tmp
File created	C:\Program Files\Windows Journal\XTDRCAXSXJ\irecord.exe	134 Vaporeondè_éçè_)))_.exe
File opened for modification	C:\Program Files (x86)\i-record\avdevice-53.dll	irecord.tmp
File created	C:\Program Files (x86)\i-record\is-QUMT9.tmp	irecord.tmp
File opened for modification	C:\Program Files (x86)\i-record\unins000.dat	irecord.tmp
File opened for modification	C:\Program Files (x86)\i-record\avcodec-53.dll	irecord.tmp
File created	C:\Program Files (x86)\i-record\is-UNMGE.tmp	irecord.tmp
File created	C:\Program Files (x86)\i-record\is-J69FF.tmp	irecord.tmp
File created	C:\Program Files (x86)\i-record\is-Q09D1.tmp	irecord.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 27 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	udfccub
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	jrfccub
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	5E87.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	jrfccub
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	udfccub
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspab2 (13).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	udfccub
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	udfccub
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspab1.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	udfccub
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	udfccub
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspab2 (13).exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	jrfccub
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	jrfccub
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	jrfccub
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	udfccub
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	5E87.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	5E87.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	udfccub
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	jrfccub
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	jrfccub
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspab2 (13).exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	jrfccub
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspab1.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	jrfccub
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	udfccub
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspab1.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
432	timeout.exe

Kills process with taskkill 3 IoCs

evasion

pid	Process
1628	taskkill.exe
2980	taskkill.exe
608	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "332604761"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.acnav.online\ = "18"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ffd9428faeb15a49bba7e35a1fc6dfa200000000020000000000106600000001000020000000b46da33cf7c5108a1fdcae4ff4de91461e5a69b97b2c72d77859bd41ea678529000000000e80000000020000200000003277d300f5612282e931a62db6bff4bcfd4f28c06c494fbee7afbeb74cd573f94001000043eb2040cfbb50b07767a8dff2805ee3285db2c350bdb71fe3c8fedde2b9af1f5bc1b3f44fdf25e3ca2349c2294583f96bce8eb51a168ca676639a96a86b9c01c7138a7a43d2ae6196032498c1b29a2d22f3126ce040ad471c5b0fb09a76305136a02c6a41695493e79e361c4bd68ee052088f93c79ad7640449d0b585c42f8672a4b85f3620eea4e78941166d2db581971cad8bddc487ab89d2ceb2ae65c1c565291d4853dd6e4cd7f6df76fab270da454fb0ac57e8f22de88788cf1d2f1804d62cea291e63b3e45b89b138b598c563247baad78f1725916370bb67a4a238e49db6aeba4db2dc0f6becfb4beb55e31b5969904f032ecd75043b5cce01c05aa1d6e0ff7e84885d6ec49c3a5f342f4d517f64b15f51929590c7ff78c3ebcf2cfbb33d15ac4b5fc456a5df10df41750524f7a0b5f9e446ad99e9055aad1c9ad2f9400000009a3bfae89d38ca0ff0a8fc128d434e84fdd32ea27c7a64bbd4f26069b6cd9ac113404fd1e5e1d8e070eaae1b86e0f1c1d9c2165a051a32a5e672b4631612ab79	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 30d38921cc74d701	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.acnav.online	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff3200000032000000b804000097020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff6400000019000000ea0400007e020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DOMStorage\acnav.online	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "18"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ffd9428faeb15a49bba7e35a1fc6dfa200000000020000000000106600000001000020000000721720a583a323e2e8d54eca0e7be943656a9d27b03f1759e12efd53e5b0fd3a000000000e8000000002000020000000d9378c1ab0aaca6a566bef293f6a08b73fc27269228dfada939e68157bde781e400100008755681809b6c2bd761e92d263e1a1543aae0ee8662f9e7ec4f5917db032fecc785d385c9c8397cdcd20482d127a7d2015fea350fb28d727c20df3d32a9800421f77ef923b4d4b85cbff0381324fddf754e032cb2800287950e5ba8f79c51d8aeba01f528a6c81df4a9ba95817930b168f7e75c91537385b0c51b6d32f5cf07d88d499659bb2539010bdfa61d4342a30f68ce537a3c13491058265d2f9e7b0467ea727df5a96ff8fc3606c7968e35fc294ed023c125cd7c7925e3a4a66073c9de691f703ffd33fa0c9b328b1d4849f7c967cbe98f35a3aa374893e8063561418d3f8e2a1665f570726069ea735fdaf860f67639c201948d9d29d019a0cc7536c72413c73ab630a43e8185bf9eda6fb490d4d0c632f02d6a1248620a35a0e70a1ebb01036e4f21c6198c25d89aa958c3e891ec62fe16ca137b73aae0a043b847f40000000d177fcfcd625d6fc7b80b45180307d1b7bf316c6dffd41ea1dd0f1fae1fce60aa7d050a3ddc1665dd0cfaf85bc9af14c9715cf8f2574363fe71efe045f5bf11f	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff00000000000000008604000065020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff4b00000000000000d104000065020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ffd9428faeb15a49bba7e35a1fc6dfa200000000020000000000106600000001000020000000bb658da4e540ce26867278c9dbab40bdde8e41de95b4673e91467a08e35a0c58000000000e8000000002000020000000fc5d0405428e85124d961843dd9f60035ee3252ba345b57b53181cb21ba62b294001000043fbf18e553df671b76f5d11b8e472d8dda0c18f6970b07e60d8522a663b7f46eb18110dc2269d8ad88f8d932d30aa6808991c35f2c16bd721a30cdf41c48f1eda8a97a559632fa69c8c57c911d476ada5602ebe7bf78aa0ad7f46302b6b8e3059f0255338ac4057f0628de105cdd37b69d090c1f6685979901c1d1208c18530cfc189d93f6c8cc703e0bb9525ef9251c5d25bcd63f3d9aa9a07d5dba5eb2a989b5a87c459fc75bb59e405b92e90bdaa903173482e4264b91c7680331a44e722362009c77f9557d09526f79e7d80f9039ba47910d8648acfc6a6d7b6f5d67979fd94ec6d4b411bc9c1afa8ddab546aa97b543ea26746b6a0f96583a4f5b8fc5c4ece8d1ebb9e2694c4972f3c3555cc7b7ed0c812999d854652ee53c4ef9a2424a9ee6687ab0410b12336408e81e2b93b43be6ca15c899ba6371c570c76f72369400000006b67b8b1ec380b03f0bab569166513bdf4973442ff16e9525bd6f4fb2915ad950746c47e8362729eb1936129dddd6b9713d4f021135f9cced20ac23b6e41144f	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ffd9428faeb15a49bba7e35a1fc6dfa2000000000200000000001066000000010000200000004db0a8e1d591b7d826dd387b0c0726cc4c586699143df7cde152eb0fee3f5ab7000000000e80000000020000200000000c1089a05a608ece3ef5dafcd7cb7d091b70f992d74a98fb4ee7e8904d3e300a4001000045a864884542e7b6ad3ac75e57609d6776250ec23044fc5844ccb3d4553d011bd7936264a6fa73c4c89e4df303e28f41cb58b70b0604fbd00c5399a2e0f669be46e0c4f31ca3eccfb5ed209ef0fa40b3c92651f1bf7f81ec52fe0d2c7145af1d5a37caef610683c335e1926bd481743dd3d8668de2ced8a93a49c3e8a904d3f50bf0d90d9a2c0fa1079b2e5847841c32c714025d62497344c3ce68b09c93d4244dd542095c9514d7145098f1746447d2a42b27f6b176b4ae85b60295e4f8b8545dcc84603c3f0af3ae63bb4db1fa7b8490032854e5bc71e8d5e45f29e929783b3b598776b0e348e1efe639524953a1c966699f300dc02a9a8f542479e1ab37ea26a619a18e04101137eb2db1675ea91be9a76005b740b4ff5bf7458e4b78d6a60ce279942c641ac88593809b9834954b03104d20549f494043bf7b13ae818f5f40000000d9a31513038b848f84858706707786dd672d191c58e147992acc1cbb5e10f1ae1c084d3ca895e56b6d604290e1d17da15890fc2482ed633def325b4962092e0b	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ffd9428faeb15a49bba7e35a1fc6dfa200000000020000000000106600000001000020000000a75846e9edc13dd0b9f0a89a30af9dc7710253c564e3108676a1a5d1ee4e3530000000000e80000000020000200000000f403712b141e1662fc5821d2c4e10d116e8c87836484b45e2d8bcd759399b1f4001000067739d2eac4348e77e5631e2c47bcf25c8a6452e7a80bdaa2bf4e9d2ff13fb5896b9510e05ba42dbc4acd3f98d13611227d8d83c80a8bbe198f369ee9d1805b5c18ffc1f2d38aa9f1fe54a10db2f593e4f69c57b69dfa01a5a76520dafe8d426cffc4eca559c5f53115126610b3b57a4add8662bf424c4dc034d5a2f19e2d3da88fb3d3173450e1dceb49509ea83d8af8db249e67022142c4e53c85dd86b707a8c36b98322abdf05fbe439df1aa9c0086c9d98863f438c4a5f350e7591e8c5f71149b7756065742f3b3a3e19158abede9840b6684151e88454dd37feded3941851fa5d253b9cbffae7292ff61ce3059b09ffe295aebf0113d9693f9b27104f6c2871345a606245de5672f4906c8083bb98cfe36e17dcdec189f17feaad383588db30f3e8101bd950009387d741c82882a5ea9d1749482d0527e3243ac810ce7e40000000cdfe54f78aa11056fdad26efde734c00cc6de83639195467eb714c67ec7c219a378d0f31ce050db0892574f1950d9d5f3ae06cb1ecda76c3ba765bb6dfc13efb	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ffd9428faeb15a49bba7e35a1fc6dfa200000000020000000000106600000001000020000000083c8bb61f3a2eed519b11ac9e2ab6da8dfec96cad21424232c2cff1a53df789000000000e8000000002000020000000f8afade493578e4684ebc3c213a3c53518295b9ca14aab69761953ac436b59694001000006a51a89a6544e7e8cd61a836d76b957691785012c8243bdcfc12cb2d5823b29be51c7a5d4a282ef6b69bcbf2c4ab4ecaf2856c7f2ebf4deaa1e6f763e7c81adb6aa46e9f211fa793682827364cae4a4aebacd700da7ba480ab2f5d7b66e25ffbcb8ede3d59c82958e547047c57ee44faaf5d01d04d80b6485f3fdb8b3c628632c4c9cb4d7aedcc43f1d34fcabbe438eca76ae866bed96d1be27134950c496d03f6c951160ddba214627d8909b35d937d321904f8f4532b801c9cb210df0ac67615b077b66afeefd363a317d7ba22cdfd39adda67ebe69fe055b65c83621452c705367adb9e13d7a81640c4a33b99e657922611f152b4a8d50943cb100eda89c114b4c258890069490312c17524e23c450bb826e43eb25c33ca5dbc806f403d34e0353b6cadcf89d608e525e49687aafa1ae90524427298ecd3b90baf4437bf240000000dbf87ff8189d8381d68f555a4b6e17aa5e0db595330a2708155c3e498484e839a40a281dbf049f239af0ce648299f8dbca5774b40b14d20bb3a583173fc96c56	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time"	2C84.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time"	2C84.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-961 = "Paraguay Daylight Time"	2C84.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time"	2C84.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	2C84.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-141 = "Canada Central Daylight Time"	2C84.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time"	2C84.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time"	2C84.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-692 = "Tasmania Standard Time"	2C84.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time"	2C84.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)"	2C84.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-351 = "FLE Daylight Time"	2C84.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time"	2C84.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	2C84.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time"	2C84.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-105 = "Central Brazilian Standard Time"	2C84.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-172 = "Central Standard Time (Mexico)"	2C84.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-721 = "Central Pacific Daylight Time"	2C84.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-434 = "Georgian Daylight Time"	2C84.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time"	2C84.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time"	2C84.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time"	2C84.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-121 = "SA Pacific Daylight Time"	2C84.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-592 = "Malay Peninsula Standard Time"	2C84.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time"	2C84.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-12 = "Azores Standard Time"	2C84.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time"	2C84.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-521 = "N. Central Asia Daylight Time"	2C84.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	2C84.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time"	2C84.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time"	2C84.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-191 = "Mountain Daylight Time"	2C84.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time"	2C84.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time"	2C84.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-551 = "North Asia Daylight Time"	2C84.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-91 = "Pacific SA Daylight Time"	2C84.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-791 = "SA Western Daylight Time"	2C84.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	2C84.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-661 = "Cen. Australia Daylight Time"	2C84.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time"	2C84.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-385 = "Namibia Standard Time"	2C84.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-361 = "GTB Daylight Time"	2C84.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	2C84.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-572 = "China Standard Time"	2C84.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-422 = "Russian Standard Time"	2C84.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-1042 = "Ulaanbaatar Standard Time"	2C84.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time"	2C84.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	2C84.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time"	2C84.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time"	2C84.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time"	2C84.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	2C84.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	2C84.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time"	2C84.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-522 = "N. Central Asia Standard Time"	2C84.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time"	2C84.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-602 = "Taipei Standard Time"	2C84.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time"	2C84.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time"	2C84.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-441 = "Arabian Daylight Time"	2C84.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-472 = "Ekaterinburg Standard Time"	2C84.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-912 = "Mauritius Standard Time"	2C84.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-51 = "Greenland Daylight Time"	2C84.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time"	2C84.exe

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Fufaejuhaqe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	2C84.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	2C84.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	8E91.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	8E91.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	Fufaejuhaqe.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Fufaejuhaqe.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Fufaejuhaqe.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
2688	toolspab1.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1800	toolspab2 (13).exe
1800	toolspab2 (13).exe
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

pid	Process
1220	Explorer.EXE
1896	iexplore.exe
420	WerFault.exe

Suspicious behavior: MapViewOfSection 64 IoCs

pid	Process
1800	toolspab2 (13).exe
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE
1272	5E87.exe
1220	Explorer.EXE
1220	Explorer.EXE
1336	explorer.exe
1336	explorer.exe
1568	explorer.exe
1568	explorer.exe
1620	explorer.exe
1620	explorer.exe
1980	explorer.exe
1980	explorer.exe
1596	explorer.exe
1596	explorer.exe
1808	explorer.exe
1808	explorer.exe
1808	explorer.exe
1808	explorer.exe
3056	toolspab1.exe
1980	explorer.exe
1980	explorer.exe
1596	explorer.exe
1596	explorer.exe
1980	explorer.exe
1980	explorer.exe
1596	explorer.exe
1596	explorer.exe
1808	explorer.exe
1808	explorer.exe
1596	explorer.exe
1596	explorer.exe
1980	explorer.exe
1980	explorer.exe
1808	explorer.exe
1808	explorer.exe
1596	explorer.exe
1596	explorer.exe
1980	explorer.exe
1980	explorer.exe
2552	jrfccub
1808	explorer.exe
1808	explorer.exe
2392	udfccub
2120	259585975.exe
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	936	6829.exe
Token: SeDebugPrivilege	1712	6829.exe
Token: SeDebugPrivilege	1628	taskkill.exe
Token: SeShutdownPrivilege	1220	Explorer.EXE
Token: SeShutdownPrivilege	1220	Explorer.EXE
Token: SeDebugPrivilege	336	2C84.exe
Token: SeImpersonatePrivilege	336	2C84.exe
Token: SeShutdownPrivilege	1220	Explorer.EXE
Token: SeShutdownPrivilege	1220	Explorer.EXE
Token: SeShutdownPrivilege	1220	Explorer.EXE
Token: SeCreateTokenPrivilege	2376	8E91.exe
Token: SeAssignPrimaryTokenPrivilege	2376	8E91.exe
Token: SeLockMemoryPrivilege	2376	8E91.exe
Token: SeIncreaseQuotaPrivilege	2376	8E91.exe
Token: SeMachineAccountPrivilege	2376	8E91.exe
Token: SeTcbPrivilege	2376	8E91.exe
Token: SeSecurityPrivilege	2376	8E91.exe
Token: SeTakeOwnershipPrivilege	2376	8E91.exe
Token: SeLoadDriverPrivilege	2376	8E91.exe
Token: SeSystemProfilePrivilege	2376	8E91.exe
Token: SeSystemtimePrivilege	2376	8E91.exe
Token: SeProfSingleProcessPrivilege	2376	8E91.exe
Token: SeIncBasePriorityPrivilege	2376	8E91.exe
Token: SeCreatePagefilePrivilege	2376	8E91.exe
Token: SeCreatePermanentPrivilege	2376	8E91.exe
Token: SeBackupPrivilege	2376	8E91.exe
Token: SeRestorePrivilege	2376	8E91.exe
Token: SeShutdownPrivilege	2376	8E91.exe
Token: SeDebugPrivilege	2376	8E91.exe
Token: SeAuditPrivilege	2376	8E91.exe
Token: SeSystemEnvironmentPrivilege	2376	8E91.exe
Token: SeChangeNotifyPrivilege	2376	8E91.exe
Token: SeRemoteShutdownPrivilege	2376	8E91.exe
Token: SeUndockPrivilege	2376	8E91.exe
Token: SeSyncAgentPrivilege	2376	8E91.exe
Token: SeEnableDelegationPrivilege	2376	8E91.exe
Token: SeManageVolumePrivilege	2376	8E91.exe
Token: SeImpersonatePrivilege	2376	8E91.exe
Token: SeCreateGlobalPrivilege	2376	8E91.exe
Token: 31	2376	8E91.exe
Token: 32	2376	8E91.exe
Token: 33	2376	8E91.exe
Token: 34	2376	8E91.exe
Token: 35	2376	8E91.exe
Token: SeShutdownPrivilege	1220	Explorer.EXE
Token: SeShutdownPrivilege	1220	Explorer.EXE
Token: SeShutdownPrivilege	1220	Explorer.EXE
Token: SeDebugPrivilege	268	Fufaejuhaqe.exe
Token: SeShutdownPrivilege	1220	Explorer.EXE
Token: SeShutdownPrivilege	1220	Explorer.EXE
Token: SeDebugPrivilege	2980	taskkill.exe
Token: SeShutdownPrivilege	1220	Explorer.EXE
Token: SeShutdownPrivilege	1220	Explorer.EXE
Token: SeShutdownPrivilege	1220	Explorer.EXE
Token: SeShutdownPrivilege	1220	Explorer.EXE
Token: SeDebugPrivilege	2468	90B4.exe
Token: SeShutdownPrivilege	1220	Explorer.EXE
Token: SeShutdownPrivilege	1220	Explorer.EXE
Token: SeShutdownPrivilege	1220	Explorer.EXE
Token: SeShutdownPrivilege	1220	Explorer.EXE
Token: SeDebugPrivilege	420	WerFault.exe
Token: SeShutdownPrivilege	1220	Explorer.EXE
Token: SeShutdownPrivilege	1220	Explorer.EXE
Token: SeShutdownPrivilege	1220	Explorer.EXE

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE
980	irecord.tmp
1896	iexplore.exe
1896	iexplore.exe
1896	iexplore.exe
1896	iexplore.exe
1896	iexplore.exe
1896	iexplore.exe
1896	iexplore.exe
1896	iexplore.exe
1896	iexplore.exe
1896	iexplore.exe
1896	iexplore.exe
1896	iexplore.exe
1896	iexplore.exe
1220	Explorer.EXE
1220	Explorer.EXE
1896	iexplore.exe
1896	iexplore.exe
1896	iexplore.exe
1896	iexplore.exe
1896	iexplore.exe

Suspicious use of SendNotifyMessage 8 IoCs

pid	Process
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
1896	iexplore.exe
1896	iexplore.exe
2084	IEXPLORE.EXE
2084	IEXPLORE.EXE
2100	IEXPLORE.EXE
2100	IEXPLORE.EXE
1168	IEXPLORE.EXE
1168	IEXPLORE.EXE
1896	iexplore.exe
1896	iexplore.exe
2740	IEXPLORE.EXE
2740	IEXPLORE.EXE
1896	iexplore.exe
1896	iexplore.exe
2740	IEXPLORE.EXE
2740	IEXPLORE.EXE
1896	iexplore.exe
1896	iexplore.exe
2740	IEXPLORE.EXE
2740	IEXPLORE.EXE
1896	iexplore.exe
1896	iexplore.exe
1348	IEXPLORE.EXE
1348	IEXPLORE.EXE
1896	iexplore.exe
1896	iexplore.exe
2740	IEXPLORE.EXE
2740	IEXPLORE.EXE
1896	iexplore.exe
1896	iexplore.exe
2740	IEXPLORE.EXE
2740	IEXPLORE.EXE
1896	iexplore.exe
1896	iexplore.exe
2740	IEXPLORE.EXE
2740	IEXPLORE.EXE
1896	iexplore.exe
1896	iexplore.exe
2740	IEXPLORE.EXE
2740	IEXPLORE.EXE
1168	IEXPLORE.EXE
1168	IEXPLORE.EXE
1896	iexplore.exe
1896	iexplore.exe
2740	IEXPLORE.EXE
2740	IEXPLORE.EXE
1896	iexplore.exe
1896	iexplore.exe
2740	IEXPLORE.EXE
2740	IEXPLORE.EXE
1896	iexplore.exe
1896	iexplore.exe
2740	IEXPLORE.EXE
2740	IEXPLORE.EXE
1896	iexplore.exe
1896	iexplore.exe
2396	IEXPLORE.EXE
2396	IEXPLORE.EXE
1896	iexplore.exe
1896	iexplore.exe
1892	IEXPLORE.EXE
1892	IEXPLORE.EXE
1892	IEXPLORE.EXE
1892	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1996 wrote to memory of 1800	1996	toolspab2 (13).exe	29
PID 1996 wrote to memory of 1800	1996	toolspab2 (13).exe	29
PID 1996 wrote to memory of 1800	1996	toolspab2 (13).exe	29
PID 1996 wrote to memory of 1800	1996	toolspab2 (13).exe	29
PID 1996 wrote to memory of 1800	1996	toolspab2 (13).exe	29
PID 1996 wrote to memory of 1800	1996	toolspab2 (13).exe	29
PID 1996 wrote to memory of 1800	1996	toolspab2 (13).exe	29
PID 1220 wrote to memory of 1492	1220	Explorer.EXE	30
PID 1220 wrote to memory of 1492	1220	Explorer.EXE	30
PID 1220 wrote to memory of 1492	1220	Explorer.EXE	30
PID 1220 wrote to memory of 1492	1220	Explorer.EXE	30
PID 1220 wrote to memory of 540	1220	Explorer.EXE	31
PID 1220 wrote to memory of 540	1220	Explorer.EXE	31
PID 1220 wrote to memory of 540	1220	Explorer.EXE	31
PID 1220 wrote to memory of 540	1220	Explorer.EXE	31
PID 1220 wrote to memory of 560	1220	Explorer.EXE	32
PID 1220 wrote to memory of 560	1220	Explorer.EXE	32
PID 1220 wrote to memory of 560	1220	Explorer.EXE	32
PID 1220 wrote to memory of 560	1220	Explorer.EXE	32
PID 1220 wrote to memory of 1272	1220	Explorer.EXE	33
PID 1220 wrote to memory of 1272	1220	Explorer.EXE	33
PID 1220 wrote to memory of 1272	1220	Explorer.EXE	33
PID 1220 wrote to memory of 1272	1220	Explorer.EXE	33
PID 1220 wrote to memory of 936	1220	Explorer.EXE	34
PID 1220 wrote to memory of 936	1220	Explorer.EXE	34
PID 1220 wrote to memory of 936	1220	Explorer.EXE	34
PID 1220 wrote to memory of 936	1220	Explorer.EXE	34
PID 1220 wrote to memory of 816	1220	Explorer.EXE	35
PID 1220 wrote to memory of 816	1220	Explorer.EXE	35
PID 1220 wrote to memory of 816	1220	Explorer.EXE	35
PID 1220 wrote to memory of 816	1220	Explorer.EXE	35
PID 1220 wrote to memory of 816	1220	Explorer.EXE	35
PID 1220 wrote to memory of 1592	1220	Explorer.EXE	36
PID 1220 wrote to memory of 1592	1220	Explorer.EXE	36
PID 1220 wrote to memory of 1592	1220	Explorer.EXE	36
PID 1220 wrote to memory of 1592	1220	Explorer.EXE	36
PID 1220 wrote to memory of 1808	1220	Explorer.EXE	37
PID 1220 wrote to memory of 1808	1220	Explorer.EXE	37
PID 1220 wrote to memory of 1808	1220	Explorer.EXE	37
PID 1220 wrote to memory of 1808	1220	Explorer.EXE	37
PID 1220 wrote to memory of 1808	1220	Explorer.EXE	37
PID 936 wrote to memory of 1712	936	6829.exe	38
PID 936 wrote to memory of 1712	936	6829.exe	38
PID 936 wrote to memory of 1712	936	6829.exe	38
PID 936 wrote to memory of 1712	936	6829.exe	38
PID 1220 wrote to memory of 1620	1220	Explorer.EXE	39
PID 1220 wrote to memory of 1620	1220	Explorer.EXE	39
PID 1220 wrote to memory of 1620	1220	Explorer.EXE	39
PID 1220 wrote to memory of 1620	1220	Explorer.EXE	39
PID 936 wrote to memory of 1712	936	6829.exe	38
PID 936 wrote to memory of 1712	936	6829.exe	38
PID 936 wrote to memory of 1712	936	6829.exe	38
PID 936 wrote to memory of 1712	936	6829.exe	38
PID 936 wrote to memory of 1712	936	6829.exe	38
PID 1220 wrote to memory of 1980	1220	Explorer.EXE	40
PID 1220 wrote to memory of 1980	1220	Explorer.EXE	40
PID 1220 wrote to memory of 1980	1220	Explorer.EXE	40
PID 1220 wrote to memory of 1980	1220	Explorer.EXE	40
PID 1220 wrote to memory of 1980	1220	Explorer.EXE	40
PID 1220 wrote to memory of 1568	1220	Explorer.EXE	41
PID 1220 wrote to memory of 1568	1220	Explorer.EXE	41
PID 1220 wrote to memory of 1568	1220	Explorer.EXE	41
PID 1220 wrote to memory of 1568	1220	Explorer.EXE	41
PID 1220 wrote to memory of 1596	1220	Explorer.EXE	42

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Deletes itself
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1220
- C:\Users\Admin\AppData\Local\Temp\toolspab2 (13).exe
  "C:\Users\Admin\AppData\Local\Temp\toolspab2 (13).exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1996
- - C:\Users\Admin\AppData\Local\Temp\toolspab2 (13).exe
    "C:\Users\Admin\AppData\Local\Temp\toolspab2 (13).exe"
    3⤵
    - Loads dropped DLL
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    PID:1800
- C:\Users\Admin\AppData\Local\Temp\4DD2.exe
  C:\Users\Admin\AppData\Local\Temp\4DD2.exe
  2⤵
  - Executes dropped EXE
  PID:1492
- C:\Users\Admin\AppData\Local\Temp\5005.exe
  C:\Users\Admin\AppData\Local\Temp\5005.exe
  2⤵
  - Executes dropped EXE
  PID:540
- C:\Users\Admin\AppData\Local\Temp\58BC.exe
  C:\Users\Admin\AppData\Local\Temp\58BC.exe
  2⤵
  - Executes dropped EXE
  PID:560
- C:\Users\Admin\AppData\Local\Temp\5E87.exe
  C:\Users\Admin\AppData\Local\Temp\5E87.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks SCSI registry key(s)
  - Suspicious behavior: MapViewOfSection
  PID:1272
- C:\Users\Admin\AppData\Local\Temp\6829.exe
  C:\Users\Admin\AppData\Local\Temp\6829.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:936
- - C:\Users\Admin\AppData\Local\Temp\6829.exe
    C:\Users\Admin\AppData\Local\Temp\6829.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1712
- C:\Windows\SysWOW64\explorer.exe
  C:\Windows\SysWOW64\explorer.exe
  2⤵
  PID:816
- C:\Windows\explorer.exe
  C:\Windows\explorer.exe
  2⤵
  PID:1592
- C:\Windows\SysWOW64\explorer.exe
  C:\Windows\SysWOW64\explorer.exe
  2⤵
  - Suspicious behavior: MapViewOfSection
  PID:1808
- C:\Windows\explorer.exe
  C:\Windows\explorer.exe
  2⤵
  - Suspicious behavior: MapViewOfSection
  PID:1620
- C:\Windows\SysWOW64\explorer.exe
  C:\Windows\SysWOW64\explorer.exe
  2⤵
  - Suspicious behavior: MapViewOfSection
  PID:1980
- C:\Windows\explorer.exe
  C:\Windows\explorer.exe
  2⤵
  - Suspicious behavior: MapViewOfSection
  PID:1568
- C:\Windows\SysWOW64\explorer.exe
  C:\Windows\SysWOW64\explorer.exe
  2⤵
  - Suspicious behavior: MapViewOfSection
  PID:1596
- C:\Windows\explorer.exe
  C:\Windows\explorer.exe
  2⤵
  - Suspicious behavior: MapViewOfSection
  PID:1336
- C:\Windows\SysWOW64\explorer.exe
  C:\Windows\SysWOW64\explorer.exe
  2⤵
  PID:972
- C:\Users\Admin\AppData\Local\Temp\1BCF.exe
  C:\Users\Admin\AppData\Local\Temp\1BCF.exe
  2⤵
  - Executes dropped EXE
  PID:540
- - C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\System32\mshta.exe" vBSCRIPt:CloSE ( cREaTEoBJecT ( "wscriPt.shEll" ).Run ( "CMD.Exe /q /C copY /y ""C:\Users\Admin\AppData\Local\Temp\1BCF.exe"" ..\U1PwSASbnJZ1Nt2.eXE && StART ..\U1PwSASbnJZ1Nt2.EXe /P3CGKJWhQOddZbA4xHxxKHWFcKxxTqS & IF """" == """" for %E in ( ""C:\Users\Admin\AppData\Local\Temp\1BCF.exe"" ) do taskkill -iM ""%~NxE"" -f " , 0,TRuE ))
    3⤵
    PID:892
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /q /C copY /y "C:\Users\Admin\AppData\Local\Temp\1BCF.exe" ..\U1PwSASbnJZ1Nt2.eXE&&StART ..\U1PwSASbnJZ1Nt2.EXe /P3CGKJWhQOddZbA4xHxxKHWFcKxxTqS & IF ""== "" for %E in ( "C:\Users\Admin\AppData\Local\Temp\1BCF.exe" ) do taskkill -iM "%~NxE" -f
      4⤵
      Loads dropped DLL
      PID:1384
    - - C:\Users\Admin\AppData\Local\Temp\U1PwSASbnJZ1Nt2.eXE
        
        ..\U1PwSASbnJZ1Nt2.EXe /P3CGKJWhQOddZbA4xHxxKHWFcKxxTqS
        5⤵
        Executes dropped EXE
        
        PID:860
      - C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" vBSCRIPt:CloSE ( cREaTEoBJecT ( "wscriPt.shEll" ).Run ( "CMD.Exe /q /C copY /y ""C:\Users\Admin\AppData\Local\Temp\U1PwSASbnJZ1Nt2.eXE"" ..\U1PwSASbnJZ1Nt2.eXE && StART ..\U1PwSASbnJZ1Nt2.EXe /P3CGKJWhQOddZbA4xHxxKHWFcKxxTqS & IF ""/P3CGKJWhQOddZbA4xHxxKHWFcKxxTqS "" == """" for %E in ( ""C:\Users\Admin\AppData\Local\Temp\U1PwSASbnJZ1Nt2.eXE"" ) do taskkill -iM ""%~NxE"" -f " , 0,TRuE ))
        6⤵
        
        PID:636
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /q /C copY /y "C:\Users\Admin\AppData\Local\Temp\U1PwSASbnJZ1Nt2.eXE" ..\U1PwSASbnJZ1Nt2.eXE&&StART ..\U1PwSASbnJZ1Nt2.EXe /P3CGKJWhQOddZbA4xHxxKHWFcKxxTqS & IF "/P3CGKJWhQOddZbA4xHxxKHWFcKxxTqS "== "" for %E in ( "C:\Users\Admin\AppData\Local\Temp\U1PwSASbnJZ1Nt2.eXE" ) do taskkill -iM "%~NxE" -f
        7⤵
        
        PID:960
      - C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" VBscRipt:clOSe (CreATeobJECT ("WScRIpT.SHEll" ). RUN ( "C:\Windows\system32\cmd.exe /q /C echo G9wY7C:\Users\Admin\AppData\Local\TempEfSQ> XVLAANMN.HX&echo | Set /p = ""MZ"" > P6JDQwUY.2 & COPY /B /y P6JDQwUY.2 + JRtfD7.X +DYta.ASk + I6sjWDN.8+ M0GT.7_ +XVLAANmN.HX ..\FRKN5p.zE & sTArt regsvr32 /u ..\FRKN5P.zE /S&dEl /q * " , 0,TruE ) )
        6⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /q /C echo G9wY7C:\Users\Admin\AppData\Local\TempEfSQ> XVLAANMN.HX&echo | Set /p = "MZ" > P6JDQwUY.2& COPY /B /y P6JDQwUY.2 + JRtfD7.X +DYta.ASk + I6sjWDN.8+M0GT.7_+XVLAANmN.HX ..\FRKN5p.zE& sTArt regsvr32 /u ..\FRKN5P.zE /S&dEl /q *
        7⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo "
        8⤵
        
        PID:432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" Set /p = "MZ" 1>P6JDQwUY.2"
        8⤵
        
        PID:712
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32 /u ..\FRKN5P.zE /S
        8⤵
        Loads dropped DLL
        Suspicious use of NtCreateThreadExHideFromDebugger
        
        PID:1632
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill -iM "1BCF.exe" -f
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1628
- C:\Users\Admin\AppData\Local\Temp\1FE6.exe
  C:\Users\Admin\AppData\Local\Temp\1FE6.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2016
- - C:\Users\Admin\AppData\Local\Temp\is-LG2LI.tmp\1FE6.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-LG2LI.tmp\1FE6.tmp" /SL5="$101D4,188175,104448,C:\Users\Admin\AppData\Local\Temp\1FE6.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2044
  - - C:\Users\Admin\AppData\Local\Temp\is-T3V7H.tmp\134 Vaporeondè_éçè_)))_.exe
      "C:\Users\Admin\AppData\Local\Temp\is-T3V7H.tmp\134 Vaporeondè_éçè_)))_.exe" /S /UID=rec7
      4⤵
      Drops file in Drivers directory
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      PID:584
    - - C:\Program Files\Windows Journal\XTDRCAXSXJ\irecord.exe
        
        "C:\Program Files\Windows Journal\XTDRCAXSXJ\irecord.exe" /VERYSILENT
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1736
      - C:\Users\Admin\AppData\Local\Temp\is-D9TMU.tmp\irecord.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-D9TMU.tmp\irecord.tmp" /SL5="$7019E,5808768,66560,C:\Program Files\Windows Journal\XTDRCAXSXJ\irecord.exe" /VERYSILENT
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of FindShellTrayWindow
        
        PID:980
        
        C:\Program Files (x86)\i-record\I-Record.exe
        
        "C:\Program Files (x86)\i-record\I-Record.exe" -silent -desktopShortcut -programMenu
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1888
    - - C:\Users\Admin\AppData\Local\Temp\ca-a34d9-4c2-b2489-7c5de0c43774b\ZHivaegyhobe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ca-a34d9-4c2-b2489-7c5de0c43774b\ZHivaegyhobe.exe"
        5⤵
        Executes dropped EXE
        
        PID:1424
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e6
        6⤵
        Modifies Internet Explorer settings
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        
        PID:1896
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1896 CREDAT:275457 /prefetch:2
        7⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2084
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1896 CREDAT:340994 /prefetch:2
        7⤵
        Loads dropped DLL
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2100
        
        C:\Users\Admin\AppData\Local\Temp\259585975.exe
        
        "C:\Users\Admin\AppData\Local\Temp\259585975.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: MapViewOfSection
        
        PID:2120
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1896 CREDAT:537606 /prefetch:2
        7⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1168
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1896 CREDAT:799760 /prefetch:2
        7⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2740
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1896 CREDAT:2896931 /prefetch:2
        7⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1348
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1896 CREDAT:3552273 /prefetch:2
        7⤵
        Suspicious use of SetWindowsHookEx
        
        PID:2396
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2396 -s 816
        8⤵
        Program crash
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:420
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1896 CREDAT:2700344 /prefetch:2
        7⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1892
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1896 CREDAT:3945540 /prefetch:2
        7⤵
        Modifies Internet Explorer settings
        
        PID:1708
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1896 CREDAT:2503741 /prefetch:2
        7⤵
        
        PID:592
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1896 CREDAT:1717345 /prefetch:2
        7⤵
        Modifies Internet Explorer settings
        
        PID:2580
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2580 -s 1112
        8⤵
        Program crash
        
        PID:1944
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" https://www.profitabletrustednetwork.com/b1fsmdd9m?key=7e872dab99d78bffc4aa0c1e6b062dad
        6⤵
        
        PID:2856
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" http://vexacion.com/afu.php?zoneid=1851483
        6⤵
        
        PID:936
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" http://vexacion.com/afu.php?zoneid=1851513
        6⤵
        
        PID:1172
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" http://www.directdexchange.com/jump/next.php?r=2087215
        6⤵
        
        PID:2332
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" https://www.directdexchange.com/jump/next.php?r=4263119
        6⤵
        
        PID:1560
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" http://vexacion.com/afu.php?id=1294231
        6⤵
        
        PID:2268
    - - C:\Users\Admin\AppData\Local\Temp\da-13769-0cc-54499-f40dcb4682fae\Fufaejuhaqe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\da-13769-0cc-54499-f40dcb4682fae\Fufaejuhaqe.exe"
        5⤵
        Executes dropped EXE
        Modifies system certificate store
        Suspicious use of AdjustPrivilegeToken
        
        PID:268
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\tps3vhmp.f1t\GcleanerEU.exe /eufive & exit
        6⤵
        
        PID:2616
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\utyo0uzy.525\installer.exe /qn CAMPAIGN="654" & exit
        6⤵
        
        PID:2696
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\kx2fkwen.fc2\google-game.exe & exit
        6⤵
        
        PID:2092
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\iddajf0j.b51\GcleanerWW.exe /mixone & exit
        6⤵
        
        PID:1608
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\wukhh3es.5w4\toolspab1.exe & exit
        6⤵
        
        PID:2504
        
        C:\Users\Admin\AppData\Local\Temp\wukhh3es.5w4\toolspab1.exe
        
        C:\Users\Admin\AppData\Local\Temp\wukhh3es.5w4\toolspab1.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:2688
        
        C:\Users\Admin\AppData\Local\Temp\wukhh3es.5w4\toolspab1.exe
        
        C:\Users\Admin\AppData\Local\Temp\wukhh3es.5w4\toolspab1.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Checks SCSI registry key(s)
        Suspicious behavior: MapViewOfSection
        
        PID:3056
- C:\Users\Admin\AppData\Local\Temp\2C84.exe
  C:\Users\Admin\AppData\Local\Temp\2C84.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:336
- - C:\Users\Admin\AppData\Local\Temp\2C84.exe
    "C:\Users\Admin\AppData\Local\Temp\2C84.exe"
    3⤵
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    - Modifies system certificate store
    PID:1888
- C:\Users\Admin\AppData\Local\Temp\8E91.exe
  C:\Users\Admin\AppData\Local\Temp\8E91.exe
  2⤵
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of AdjustPrivilegeToken
  PID:2376
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c taskkill /f /im chrome.exe
    3⤵
    PID:2940
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im chrome.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2980
- C:\Users\Admin\AppData\Local\Temp\90B4.exe
  C:\Users\Admin\AppData\Local\Temp\90B4.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2468
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C timeout /t 5 && del "C:\USERS\ADMIN\APPDATA\LOCAL\TEMP\259585975.EXE"
  2⤵
  PID:1972
- - C:\Windows\system32\timeout.exe
    timeout /t 5
    3⤵
    - Delays execution with timeout.exe
    PID:432
- C:\Users\Admin\AppData\Local\Temp\EEEC.exe
  C:\Users\Admin\AppData\Local\Temp\EEEC.exe
  2⤵
  - Executes dropped EXE
  PID:2540
- C:\Users\Admin\AppData\Local\Temp\F247.exe
  C:\Users\Admin\AppData\Local\Temp\F247.exe
  2⤵
  - Executes dropped EXE
  PID:1528
- - C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\System32\mshta.exe" VbsCripT: CLOsE ( cReATEoBJeCT ("wSCRipT.shEll"). RUN ( "cmd /C tYPE ""C:\Users\Admin\AppData\Local\Temp\F247.exe"" > 0~NM~WIL.eXe && sTaRT 0~nM~WIl.eXE /pwIz2i2S0CJRBKmE4 & if """" == """" for %D iN ( ""C:\Users\Admin\AppData\Local\Temp\F247.exe"" ) do taskkill -F /IM ""%~NXD"" " , 0 , TRUE))
    3⤵
    PID:2896
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C tYPE "C:\Users\Admin\AppData\Local\Temp\F247.exe" > 0~NM~WIL.eXe&&sTaRT 0~nM~WIl.eXE /pwIz2i2S0CJRBKmE4 & if "" =="" for %D iN ( "C:\Users\Admin\AppData\Local\Temp\F247.exe" ) do taskkill -F /IM "%~NXD"
      4⤵
      Loads dropped DLL
      PID:2468
    - - C:\Users\Admin\AppData\Local\Temp\0~NM~WIL.eXe
        
        0~nM~WIl.eXE /pwIz2i2S0CJRBKmE4
        5⤵
        Executes dropped EXE
        
        PID:2188
      - C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" VbsCripT: CLOsE ( cReATEoBJeCT ("wSCRipT.shEll"). RUN ( "cmd /C tYPE ""C:\Users\Admin\AppData\Local\Temp\0~NM~WIL.eXe"" > 0~NM~WIL.eXe && sTaRT 0~nM~WIl.eXE /pwIz2i2S0CJRBKmE4 & if ""/pwIz2i2S0CJRBKmE4 "" == """" for %D iN ( ""C:\Users\Admin\AppData\Local\Temp\0~NM~WIL.eXe"" ) do taskkill -F /IM ""%~NXD"" " , 0 , TRUE))
        6⤵
        Modifies Internet Explorer settings
        
        PID:428
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C tYPE "C:\Users\Admin\AppData\Local\Temp\0~NM~WIL.eXe" > 0~NM~WIL.eXe&&sTaRT 0~nM~WIl.eXE /pwIz2i2S0CJRBKmE4 & if "/pwIz2i2S0CJRBKmE4 " =="" for %D iN ( "C:\Users\Admin\AppData\Local\Temp\0~NM~WIL.eXe" ) do taskkill -F /IM "%~NXD"
        7⤵
        
        PID:2632
      - C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" vbsCRiPT:CLosE ( cREATEObjECt( "WsCrIpT.ShElL" ). RUn ( "CmD /q /C EchO 90tQ%daTe%PSA> YAEF9Fv.MI & ECHo | seT /p = ""MZ"" > s1S8NN.3F & CoPY /Y /B S1S8Nn.3f + RVPZHO1.qP + 4ZlR0MZ.q_1 + 1LIRC.u + SWnWL.H +YAEF9FV.MI XN9IOnS.vc &sTART regsvr32.exe -s XN9IONS.VC /u " ,0, TRue) )
        6⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /q /C EchO 90tQÚTe%PSA> YAEF9Fv.MI & ECHo | seT /p = "MZ" >s1S8NN.3F & CoPY /Y /B S1S8Nn.3f + RVPZHO1.qP + 4ZlR0MZ.q_1 +1LIRC.u +SWnWL.H +YAEF9FV.MI XN9IOnS.vc &sTART regsvr32.exe -s XN9IONS.VC /u
        7⤵
        
        PID:1264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" ECHo "
        8⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" seT /p = "MZ" 1>s1S8NN.3F"
        8⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe -s XN9IONS.VC /u
        8⤵
        Loads dropped DLL
        Suspicious use of NtCreateThreadExHideFromDebugger
        
        PID:2360
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill -F /IM "F247.exe"
        5⤵
        Kills process with taskkill
        
        PID:608
- C:\Users\Admin\AppData\Local\Temp\F785.exe
  C:\Users\Admin\AppData\Local\Temp\F785.exe
  2⤵
  - Executes dropped EXE
  PID:1592

C:\Windows\system32\taskeng.exe
taskeng.exe {C46E4F87-B75A-4B4A-8D69-07C3DBD46D61} S-1-5-21-2513283230-931923277-594887482-1000:MRBKYMNO\Admin:Interactive:[1]
1⤵
PID:2800
- C:\Users\Admin\AppData\Roaming\jrfccub
  C:\Users\Admin\AppData\Roaming\jrfccub
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:2624
- - C:\Users\Admin\AppData\Roaming\jrfccub
    C:\Users\Admin\AppData\Roaming\jrfccub
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks SCSI registry key(s)
    - Suspicious behavior: MapViewOfSection
    PID:2552
- C:\Users\Admin\AppData\Roaming\udfccub
  C:\Users\Admin\AppData\Roaming\udfccub
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks SCSI registry key(s)
  - Suspicious behavior: MapViewOfSection
  PID:2392

C:\Windows\system32\taskeng.exe
taskeng.exe {D9E74FED-9E51-43E5-8B9D-DB8876D831AF} S-1-5-21-2513283230-931923277-594887482-1000:MRBKYMNO\Admin:Interactive:[1]
1⤵
PID:1292
- C:\Users\Admin\AppData\Roaming\jrfccub
  C:\Users\Admin\AppData\Roaming\jrfccub
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:2152
- - C:\Users\Admin\AppData\Roaming\jrfccub
    C:\Users\Admin\AppData\Roaming\jrfccub
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks SCSI registry key(s)
    PID:2148
- C:\Users\Admin\AppData\Roaming\udfccub
  C:\Users\Admin\AppData\Roaming\udfccub
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks SCSI registry key(s)
  PID:2452

C:\Windows\system32\taskeng.exe
taskeng.exe {4F355B97-E7F3-4486-B83A-F38BA3909D80} S-1-5-21-2513283230-931923277-594887482-1000:MRBKYMNO\Admin:Interactive:[1]
1⤵
PID:1816
- C:\Users\Admin\AppData\Roaming\udfccub
  C:\Users\Admin\AppData\Roaming\udfccub
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks SCSI registry key(s)
  PID:2136
- C:\Users\Admin\AppData\Roaming\jrfccub
  C:\Users\Admin\AppData\Roaming\jrfccub
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:2360
- - C:\Users\Admin\AppData\Roaming\jrfccub
    C:\Users\Admin\AppData\Roaming\jrfccub
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks SCSI registry key(s)
    PID:2736

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Software Discovery

T1518

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/268-222-0x000007FEECDA0000-0x000007FEEDE36000-memory.dmp

Filesize
16.6MB

Download
memory/268-256-0x000000001C910000-0x000000001CC0F000-memory.dmp

Filesize
3.0MB

Download
memory/268-221-0x0000000002020000-0x0000000002022000-memory.dmp

Filesize
8KB

Download
memory/268-257-0x0000000002026000-0x0000000002045000-memory.dmp

Filesize
124KB

Download
memory/336-188-0x00000000029B0000-0x00000000032D6000-memory.dmp

Filesize
9.1MB

Download
memory/336-189-0x0000000000400000-0x0000000000D41000-memory.dmp

Filesize
9.3MB

Download
memory/584-194-0x0000000000220000-0x0000000000222000-memory.dmp

Filesize
8KB

Download
memory/584-196-0x000000001C720000-0x000000001CA1F000-memory.dmp

Filesize
3.0MB

Download
memory/816-88-0x0000000000170000-0x00000000001E4000-memory.dmp

Filesize
464KB

Download
memory/816-89-0x0000000000100000-0x000000000016B000-memory.dmp

Filesize
428KB

Download
memory/816-85-0x0000000073A61000-0x0000000073A63000-memory.dmp

Filesize
8KB

Download
memory/936-84-0x00000000010D0000-0x00000000010D1000-memory.dmp

Filesize
4KB

Download
memory/936-90-0x0000000004900000-0x0000000004901000-memory.dmp

Filesize
4KB

Download
memory/936-96-0x0000000000840000-0x0000000000873000-memory.dmp

Filesize
204KB

Download
memory/972-134-0x0000000000080000-0x0000000000089000-memory.dmp

Filesize
36KB

Download
memory/972-133-0x00000000000D0000-0x00000000000D5000-memory.dmp

Filesize
20KB

Download
memory/980-214-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/1220-132-0x0000000002900000-0x0000000002916000-memory.dmp

Filesize
88KB

Download
memory/1220-297-0x00000000041E0000-0x00000000041F7000-memory.dmp

Filesize
92KB

Download
memory/1220-300-0x0000000004460000-0x0000000004476000-memory.dmp

Filesize
88KB

Download
memory/1220-282-0x0000000004190000-0x00000000041A7000-memory.dmp

Filesize
92KB

Download
memory/1220-65-0x00000000039D0000-0x00000000039E7000-memory.dmp

Filesize
92KB

Download
memory/1220-305-0x00000000039B0000-0x00000000039C0000-memory.dmp

Filesize
64KB

Download
memory/1272-105-0x00000000001B0000-0x00000000001B9000-memory.dmp

Filesize
36KB

Download
memory/1272-106-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1336-127-0x0000000000070000-0x0000000000075000-memory.dmp

Filesize
20KB

Download
memory/1336-128-0x0000000000060000-0x0000000000069000-memory.dmp

Filesize
36KB

Download
memory/1424-233-0x000000001CA20000-0x000000001CD1F000-memory.dmp

Filesize
3.0MB

Download
memory/1424-215-0x0000000002190000-0x0000000002192000-memory.dmp

Filesize
8KB

Download
memory/1492-75-0x0000000000400000-0x0000000000492000-memory.dmp

Filesize
584KB

Download
memory/1492-74-0x00000000004A0000-0x0000000000531000-memory.dmp

Filesize
580KB

Download
memory/1568-120-0x0000000000060000-0x000000000006C000-memory.dmp

Filesize
48KB

Download
memory/1568-119-0x0000000000070000-0x0000000000076000-memory.dmp

Filesize
24KB

Download
memory/1592-92-0x0000000000060000-0x000000000006C000-memory.dmp

Filesize
48KB

Download
memory/1592-91-0x0000000000070000-0x0000000000077000-memory.dmp

Filesize
28KB

Download
memory/1596-125-0x0000000000080000-0x0000000000089000-memory.dmp

Filesize
36KB

Download
memory/1596-124-0x0000000000090000-0x0000000000094000-memory.dmp

Filesize
16KB

Download
memory/1620-103-0x0000000000070000-0x0000000000079000-memory.dmp

Filesize
36KB

Download
memory/1620-104-0x0000000000060000-0x000000000006F000-memory.dmp

Filesize
60KB

Download
memory/1632-180-0x00000000030D0000-0x0000000003185000-memory.dmp

Filesize
724KB

Download
memory/1632-177-0x0000000001FD0000-0x0000000002125000-memory.dmp

Filesize
1.3MB

Download
memory/1632-183-0x00000000003A0000-0x000000000044E000-memory.dmp

Filesize
696KB

Download
memory/1632-178-0x0000000000170000-0x0000000000171000-memory.dmp

Filesize
4KB

Download
memory/1632-179-0x0000000002F20000-0x0000000003010000-memory.dmp

Filesize
960KB

Download
memory/1632-184-0x0000000000710000-0x00000000007AB000-memory.dmp

Filesize
620KB

Download
memory/1712-107-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1712-110-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1712-115-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/1736-213-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1800-62-0x0000000075D41000-0x0000000075D43000-memory.dmp

Filesize
8KB

Download
memory/1800-60-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1808-98-0x0000000000080000-0x000000000008B000-memory.dmp

Filesize
44KB

Download
memory/1808-97-0x0000000000090000-0x0000000000097000-memory.dmp

Filesize
28KB

Download
memory/1808-95-0x0000000070E21000-0x0000000070E23000-memory.dmp

Filesize
8KB

Download
memory/1888-259-0x0000000000C37000-0x0000000000C48000-memory.dmp

Filesize
68KB

Download
memory/1888-244-0x00000000004E0000-0x0000000000531000-memory.dmp

Filesize
324KB

Download
memory/1888-237-0x0000000000C30000-0x0000000000C31000-memory.dmp

Filesize
4KB

Download
memory/1888-246-0x0000000065EC0000-0x0000000067271000-memory.dmp

Filesize
19.7MB

Download
memory/1888-247-0x000000006A960000-0x000000006AE2E000-memory.dmp

Filesize
4.8MB

Download
memory/1888-248-0x00000000004E1000-0x0000000000523000-memory.dmp

Filesize
264KB

Download
memory/1888-258-0x0000000000C32000-0x0000000000C33000-memory.dmp

Filesize
4KB

Download
memory/1888-250-0x0000000000C31000-0x0000000000C32000-memory.dmp

Filesize
4KB

Download
memory/1892-325-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/1896-249-0x0000000002E40000-0x0000000002E41000-memory.dmp

Filesize
4KB

Download
memory/1896-245-0x0000000002DE0000-0x0000000002DE1000-memory.dmp

Filesize
4KB

Download
memory/1896-252-0x0000000002FB0000-0x0000000002FB1000-memory.dmp

Filesize
4KB

Download
memory/1896-251-0x0000000003100000-0x0000000003101000-memory.dmp

Filesize
4KB

Download
memory/1980-116-0x0000000000090000-0x0000000000095000-memory.dmp

Filesize
20KB

Download
memory/1980-117-0x0000000000080000-0x0000000000089000-memory.dmp

Filesize
36KB

Download
memory/1996-64-0x0000000000220000-0x000000000022C000-memory.dmp

Filesize
48KB

Download
memory/2016-161-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2044-162-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2120-292-0x00000000001F0000-0x00000000001F2000-memory.dmp

Filesize
8KB

Download
memory/2120-288-0x0000000000030000-0x0000000000040000-memory.dmp

Filesize
64KB

Download
memory/2120-286-0x0000000001000000-0x000000000382B000-memory.dmp

Filesize
40.2MB

Download
memory/2120-285-0x0000000000020000-0x000000000002C000-memory.dmp

Filesize
48KB

Download
memory/2120-301-0x00000000002C0000-0x00000000002CE000-memory.dmp

Filesize
56KB

Download
memory/2392-299-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2396-317-0x0000000000380000-0x0000000000381000-memory.dmp

Filesize
4KB

Download
memory/2468-266-0x00000000001B0000-0x00000000001DF000-memory.dmp

Filesize
188KB

Download
memory/2468-262-0x0000000001EB0000-0x0000000001ECB000-memory.dmp

Filesize
108KB

Download
memory/2468-270-0x00000000047B3000-0x00000000047B4000-memory.dmp

Filesize
4KB

Download
memory/2468-271-0x00000000047B4000-0x00000000047B6000-memory.dmp

Filesize
8KB

Download
memory/2468-269-0x00000000047B2000-0x00000000047B3000-memory.dmp

Filesize
4KB

Download
memory/2468-268-0x00000000047B1000-0x00000000047B2000-memory.dmp

Filesize
4KB

Download
memory/2468-263-0x0000000002000000-0x0000000002019000-memory.dmp

Filesize
100KB

Download
memory/2468-267-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download