djvu | 85423497fc6f1b1dc93ef39cfab3f44795bd0b17af2fbf52cf7791e99913f7c7

Analysis

max time kernel
150s
max time network
152s
platform
windows10_x64
resource
win10-en-20210920
submitted
21-09-2021 03:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

85423497fc6f1b1dc93ef39cfab3f44795bd0b17af2fbf52cf7791e99913f7c7.exe
Size

211KB
MD5

8882b6953e5baa9d9c5ee854b2a09221
SHA1

3c6275fb6db792c9683a4e3918b95e6fea2f95ef
SHA256

85423497fc6f1b1dc93ef39cfab3f44795bd0b17af2fbf52cf7791e99913f7c7
SHA512

cc0eff42a4cdb73f41fd6eca2dda749227fa3dbb7859f1067a0a7c22b3eecfceade8c88b1682a9c963ed685981ed055827135f24163edcca605fbeb6a2b331fe

Malware Config

Extracted

Family

smokeloader

Version

2020

http://varmisende.com/upload/

http://fernandomayol.com/upload/

http://nextlytm.com/upload/

http://people4jan.com/upload/

http://asfaltwerk.com/upload/

rc4.i32

Extracted

Family

redline

Botnet

SewPalpadin

185.215.113.29:18087

Extracted

Family

redline

Botnet

100k

45.9.20.150:80

Extracted

Family

vidar

Version

40.8

Botnet

517

https://pavlovoler.tumblr.com/

Attributes

profile_id
517

Extracted

Family

raccoon

Botnet

6e76410dbdf2085ebcf2777560bd8cb0790329c9

Attributes

url4cnc
https://telete.in/bibiOutriggr1

rc4.plain

Extracted

Family

redline

Botnet

paladin

188.124.36.242:25802

Extracted

Family

vidar

Version

40.8

Botnet

828

https://pavlovoler.tumblr.com/

Attributes

profile_id
828

Signatures

Detected Djvu ransomware 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1288-147-0x0000000002200000-0x000000000231B000-memory.dmp	family_djvu
behavioral1/memory/3948-148-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/3948-149-0x0000000000424141-mapping.dmp	family_djvu
behavioral1/memory/3948-160-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/3440-176-0x0000000000424141-mapping.dmp	family_djvu
behavioral1/memory/3440-191-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2072-123-0x0000000002440000-0x000000000245F000-memory.dmp	family_redline
behavioral1/memory/2072-125-0x0000000002700000-0x000000000271E000-memory.dmp	family_redline
behavioral1/memory/648-151-0x0000000000A20000-0x0000000000A3F000-memory.dmp	family_redline
behavioral1/memory/648-153-0x0000000002330000-0x000000000234E000-memory.dmp	family_redline
behavioral1/memory/316-223-0x0000000002420000-0x0000000002441000-memory.dmp	family_redline
behavioral1/memory/316-225-0x00000000025D0000-0x00000000025EF000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 3984 created 392 3984 WerFault.exe Explorer.EXE
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

description	pid	process	target process
PID 3984 created 392	3984	WerFault.exe	Explorer.EXE

Vidar Stealer 6 IoCs

stealer

Processes:

resource	yara_rule
behavioral1/memory/2788-206-0x0000000000400000-0x00000000004D7000-memory.dmp	family_vidar
behavioral1/memory/2788-208-0x00000000004A033D-mapping.dmp	family_vidar
behavioral1/memory/2860-211-0x00000000009E0000-0x0000000000AB4000-memory.dmp	family_vidar
behavioral1/memory/2788-213-0x0000000000400000-0x00000000004D7000-memory.dmp	family_vidar
behavioral1/memory/3952-257-0x0000000000400000-0x000000000052E000-memory.dmp	family_vidar
behavioral1/memory/3952-256-0x0000000002150000-0x0000000002224000-memory.dmp	family_vidar

Downloads MZ/PE file

Executes dropped EXE 12 IoCs

Processes:

FB.exe28D7.exe36C3.exe28D7.exe28D7.exe5335.exe28D7.exebuild2.exe6EFB.exebuild2.exe79E9.exeA4F2.exe

pid	process
2072	FB.exe
1288	28D7.exe
648	36C3.exe
3948	28D7.exe
2620	28D7.exe
3464	5335.exe
3440	28D7.exe
2860	build2.exe
316	6EFB.exe
2788	build2.exe
1020	79E9.exe
3952	A4F2.exe

Modifies Installed Components in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

5335.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	5335.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	5335.exe

Deletes itself 1 IoCs

Processes:

Explorer.EXE

pid process

392 Explorer.EXE
Loads dropped DLL 4 IoCs

Processes:

build2.exeA4F2.exe

pid process

2788 build2.exe
2788 build2.exe
3952 A4F2.exe
3952 A4F2.exe
Modifies file permissions 1 TTPs 1 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exe

pid process

2592 icacls.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
392	Explorer.EXE

pid	process
2788	build2.exe
2788	build2.exe
3952	A4F2.exe
3952	A4F2.exe

pid	process
2592	icacls.exe

Themida packer 2 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\5335.exe	themida
behavioral1/memory/3464-174-0x0000000000B80000-0x0000000000B81000-memory.dmp	themida

Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

28D7.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\78899e07-ede6-438b-af00-363e5a9b4ff1\\28D7.exe\" --AutoStart"	28D7.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

5335.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 5335.exe
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

explorer.exe

description ioc process

File opened (read-only) \??\D: explorer.exe
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

39 api.2ip.ua
27 api.2ip.ua
28 api.2ip.ua
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

5335.exe

pid process

3464 5335.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	5335.exe

description	ioc	process
File opened (read-only)	\??\D:	explorer.exe

flow	ioc
39	api.2ip.ua
27	api.2ip.ua
28	api.2ip.ua

pid	process
3464	5335.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

28D7.exe28D7.exebuild2.exe

description	pid	process	target process
PID 1288 set thread context of 3948	1288	28D7.exe	28D7.exe
PID 2620 set thread context of 3440	2620	28D7.exe	28D7.exe
PID 2860 set thread context of 2788	2860	build2.exe	build2.exe

Drops file in Windows directory 4 IoCs

Processes:

explorer.exeShellExperienceHost.exe

description	ioc	process
File created	C:\Windows\rescache\_merged\2717123927\1713683155.pri	explorer.exe
File created	C:\Windows\rescache\_merged\4183903823\1195458082.pri	ShellExperienceHost.exe
File created	C:\Windows\rescache\_merged\4032412167\2690874625.pri	ShellExperienceHost.exe
File created	C:\Windows\rescache\_merged\4032412167\2690874625.pri	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3984 392 WerFault.exe Explorer.EXE

pid	pid_target	process	target process
3984	392	WerFault.exe	Explorer.EXE

Checks SCSI registry key(s) 3 TTPs 15 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

explorer.exe85423497fc6f1b1dc93ef39cfab3f44795bd0b17af2fbf52cf7791e99913f7c7.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\ConfigFlags	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	85423497fc6f1b1dc93ef39cfab3f44795bd0b17af2fbf52cf7791e99913f7c7.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	85423497fc6f1b1dc93ef39cfab3f44795bd0b17af2fbf52cf7791e99913f7c7.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	85423497fc6f1b1dc93ef39cfab3f44795bd0b17af2fbf52cf7791e99913f7c7.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Capabilities	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\ConfigFlags	explorer.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

A4F2.exebuild2.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	A4F2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	build2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	build2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	A4F2.exe

Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

2752 timeout.exe
3972 timeout.exe

pid	process
2752	timeout.exe
3972	timeout.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

SearchUI.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SearchUI.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SearchUI.exe

Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

3944 taskkill.exe
2644 taskkill.exe

pid	process
3944	taskkill.exe
2644	taskkill.exe

Modifies registry class 31 IoCs

Processes:

SearchUI.exeexplorer.exeExplorer.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchUI.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\IconStreams = 14000000070000000100010005000000140000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b0072000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001c100000000000002000000e50709004100720067006a006200650078002000200033000a005600610067007200650061007200670020006e007000700072006600660000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000074ae2078e323294282c1e41cb67d5b9c0000000000000000000000008d6c857a99aed70100000000000000000000000000000d20feb05a007600700065006200660062007300670020004a0076006100710062006a006600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000020000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000640000000000000002000000e50709004600630072006e0078007200650066003a002000360037002500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000000100000073ae2078e323294282c1e41cb67d5b9c00000000000000000000000009b82a7a99aed70100000000000000000000000000000d20feb05a007600700065006200660062007300670020004a0076006100710062006a006600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000030000007b00360051003800300039003300370037002d0036004e00530030002d003400340034004f002d0038003900350037002d004e00330037003700330053003000320032003000300052007d005c004a0076006100710062006a0066002000510072007300720061007100720065005c005a0046004e00460050006800760059002e0072006b007200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000640000000000000000000000e50709004e0070006700760062006100660020006100720072007100720071002e00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000fffffffff9a6406d323dcb4f8a86be992e03dc76000000000000000000000000218621db20aed70100000000000000000000000000000d20feb05a007600700065006200660062007300670020004a0076006100710062006a006600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e5070900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff75ae2078e323294282c1e41cb67d5b9c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e5070900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff81ae2078e323294282c1e41cb67d5b9c00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	Explorer.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185"	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152"	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana\ = "23"	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\UserStartTime = "132766168982456120"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\Total = "56"	SearchUI.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.cortana	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchUI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.cortana	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana\ = "56"	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\Total = "23"	SearchUI.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

28D7.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	28D7.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	28D7.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

85423497fc6f1b1dc93ef39cfab3f44795bd0b17af2fbf52cf7791e99913f7c7.exeExplorer.EXE

pid	process
2468	85423497fc6f1b1dc93ef39cfab3f44795bd0b17af2fbf52cf7791e99913f7c7.exe
2468	85423497fc6f1b1dc93ef39cfab3f44795bd0b17af2fbf52cf7791e99913f7c7.exe
392	Explorer.EXE
392	Explorer.EXE
392	Explorer.EXE
392	Explorer.EXE
392	Explorer.EXE
392	Explorer.EXE
392	Explorer.EXE
392	Explorer.EXE
392	Explorer.EXE
392	Explorer.EXE
392	Explorer.EXE
392	Explorer.EXE
392	Explorer.EXE
392	Explorer.EXE
392	Explorer.EXE
392	Explorer.EXE
392	Explorer.EXE
392	Explorer.EXE
392	Explorer.EXE
392	Explorer.EXE
392	Explorer.EXE
392	Explorer.EXE
392	Explorer.EXE
392	Explorer.EXE
392	Explorer.EXE
392	Explorer.EXE
392	Explorer.EXE
392	Explorer.EXE
392	Explorer.EXE
392	Explorer.EXE
392	Explorer.EXE
392	Explorer.EXE
392	Explorer.EXE
392	Explorer.EXE
392	Explorer.EXE
392	Explorer.EXE
392	Explorer.EXE
392	Explorer.EXE
392	Explorer.EXE
392	Explorer.EXE
392	Explorer.EXE
392	Explorer.EXE
392	Explorer.EXE
392	Explorer.EXE
392	Explorer.EXE
392	Explorer.EXE
392	Explorer.EXE
392	Explorer.EXE
392	Explorer.EXE
392	Explorer.EXE
392	Explorer.EXE
392	Explorer.EXE
392	Explorer.EXE
392	Explorer.EXE
392	Explorer.EXE
392	Explorer.EXE
392	Explorer.EXE
392	Explorer.EXE
392	Explorer.EXE
392	Explorer.EXE
392	Explorer.EXE
392	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

392 Explorer.EXE
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

85423497fc6f1b1dc93ef39cfab3f44795bd0b17af2fbf52cf7791e99913f7c7.exe

pid process

2468 85423497fc6f1b1dc93ef39cfab3f44795bd0b17af2fbf52cf7791e99913f7c7.exe

pid	process
392	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Explorer.EXEFB.exe36C3.exe5335.exetaskkill.exe6EFB.exe

description	pid	process
Token: SeShutdownPrivilege	392	Explorer.EXE
Token: SeCreatePagefilePrivilege	392	Explorer.EXE
Token: SeShutdownPrivilege	392	Explorer.EXE
Token: SeCreatePagefilePrivilege	392	Explorer.EXE
Token: SeShutdownPrivilege	392	Explorer.EXE
Token: SeCreatePagefilePrivilege	392	Explorer.EXE
Token: SeShutdownPrivilege	392	Explorer.EXE
Token: SeCreatePagefilePrivilege	392	Explorer.EXE
Token: SeDebugPrivilege	2072	FB.exe
Token: SeShutdownPrivilege	392	Explorer.EXE
Token: SeCreatePagefilePrivilege	392	Explorer.EXE
Token: SeShutdownPrivilege	392	Explorer.EXE
Token: SeCreatePagefilePrivilege	392	Explorer.EXE
Token: SeShutdownPrivilege	392	Explorer.EXE
Token: SeCreatePagefilePrivilege	392	Explorer.EXE
Token: SeShutdownPrivilege	392	Explorer.EXE
Token: SeCreatePagefilePrivilege	392	Explorer.EXE
Token: SeShutdownPrivilege	392	Explorer.EXE
Token: SeCreatePagefilePrivilege	392	Explorer.EXE
Token: SeShutdownPrivilege	392	Explorer.EXE
Token: SeCreatePagefilePrivilege	392	Explorer.EXE
Token: SeShutdownPrivilege	392	Explorer.EXE
Token: SeCreatePagefilePrivilege	392	Explorer.EXE
Token: SeShutdownPrivilege	392	Explorer.EXE
Token: SeCreatePagefilePrivilege	392	Explorer.EXE
Token: SeShutdownPrivilege	392	Explorer.EXE
Token: SeCreatePagefilePrivilege	392	Explorer.EXE
Token: SeShutdownPrivilege	392	Explorer.EXE
Token: SeCreatePagefilePrivilege	392	Explorer.EXE
Token: SeShutdownPrivilege	392	Explorer.EXE
Token: SeCreatePagefilePrivilege	392	Explorer.EXE
Token: SeDebugPrivilege	648	36C3.exe
Token: SeDebugPrivilege	3464	5335.exe
Token: SeShutdownPrivilege	392	Explorer.EXE
Token: SeCreatePagefilePrivilege	392	Explorer.EXE
Token: SeShutdownPrivilege	392	Explorer.EXE
Token: SeCreatePagefilePrivilege	392	Explorer.EXE
Token: SeShutdownPrivilege	392	Explorer.EXE
Token: SeCreatePagefilePrivilege	392	Explorer.EXE
Token: SeShutdownPrivilege	392	Explorer.EXE
Token: SeCreatePagefilePrivilege	392	Explorer.EXE
Token: SeShutdownPrivilege	392	Explorer.EXE
Token: SeCreatePagefilePrivilege	392	Explorer.EXE
Token: SeShutdownPrivilege	392	Explorer.EXE
Token: SeCreatePagefilePrivilege	392	Explorer.EXE
Token: SeShutdownPrivilege	392	Explorer.EXE
Token: SeCreatePagefilePrivilege	392	Explorer.EXE
Token: SeShutdownPrivilege	392	Explorer.EXE
Token: SeCreatePagefilePrivilege	392	Explorer.EXE
Token: SeShutdownPrivilege	392	Explorer.EXE
Token: SeCreatePagefilePrivilege	392	Explorer.EXE
Token: SeShutdownPrivilege	392	Explorer.EXE
Token: SeCreatePagefilePrivilege	392	Explorer.EXE
Token: SeShutdownPrivilege	392	Explorer.EXE
Token: SeCreatePagefilePrivilege	392	Explorer.EXE
Token: SeShutdownPrivilege	392	Explorer.EXE
Token: SeCreatePagefilePrivilege	392	Explorer.EXE
Token: SeShutdownPrivilege	392	Explorer.EXE
Token: SeCreatePagefilePrivilege	392	Explorer.EXE
Token: SeDebugPrivilege	3944	taskkill.exe
Token: SeDebugPrivilege	316	6EFB.exe
Token: SeShutdownPrivilege	392	Explorer.EXE
Token: SeCreatePagefilePrivilege	392	Explorer.EXE
Token: SeShutdownPrivilege	392	Explorer.EXE

Suspicious use of FindShellTrayWindow 44 IoCs

Processes:

explorer.exe

pid	process
1656	explorer.exe
1656	explorer.exe
1656	explorer.exe
1656	explorer.exe
1656	explorer.exe
1656	explorer.exe
1656	explorer.exe
1656	explorer.exe
1656	explorer.exe
1656	explorer.exe
1656	explorer.exe
1656	explorer.exe
1656	explorer.exe
1656	explorer.exe
1656	explorer.exe
1656	explorer.exe
1656	explorer.exe
1656	explorer.exe
1656	explorer.exe
1656	explorer.exe
1656	explorer.exe
1656	explorer.exe
1656	explorer.exe
1656	explorer.exe
1656	explorer.exe
1656	explorer.exe
1656	explorer.exe
1656	explorer.exe
1656	explorer.exe
1656	explorer.exe
1656	explorer.exe
1656	explorer.exe
1656	explorer.exe
1656	explorer.exe
1656	explorer.exe
1656	explorer.exe
1656	explorer.exe
1656	explorer.exe
1656	explorer.exe
1656	explorer.exe
1656	explorer.exe
1656	explorer.exe
1656	explorer.exe
1656	explorer.exe

Suspicious use of SendNotifyMessage 23 IoCs

Processes:

explorer.exe

pid	process
1656	explorer.exe
1656	explorer.exe
1656	explorer.exe
1656	explorer.exe
1656	explorer.exe
1656	explorer.exe
1656	explorer.exe
1656	explorer.exe
1656	explorer.exe
1656	explorer.exe
1656	explorer.exe
1656	explorer.exe
1656	explorer.exe
1656	explorer.exe
1656	explorer.exe
1656	explorer.exe
1656	explorer.exe
1656	explorer.exe
1656	explorer.exe
1656	explorer.exe
1656	explorer.exe
1656	explorer.exe
1656	explorer.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

ShellExperienceHost.exe

pid process

2924 ShellExperienceHost.exe
2924 ShellExperienceHost.exe

pid	process
2924	ShellExperienceHost.exe
2924	ShellExperienceHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Explorer.EXE28D7.exe28D7.exe28D7.exe28D7.exebuild2.exebuild2.execmd.exe

description	pid	process	target process
PID 392 wrote to memory of 2072	392	Explorer.EXE	FB.exe
PID 392 wrote to memory of 2072	392	Explorer.EXE	FB.exe
PID 392 wrote to memory of 2072	392	Explorer.EXE	FB.exe
PID 392 wrote to memory of 1288	392	Explorer.EXE	28D7.exe
PID 392 wrote to memory of 1288	392	Explorer.EXE	28D7.exe
PID 392 wrote to memory of 1288	392	Explorer.EXE	28D7.exe
PID 392 wrote to memory of 648	392	Explorer.EXE	36C3.exe
PID 392 wrote to memory of 648	392	Explorer.EXE	36C3.exe
PID 392 wrote to memory of 648	392	Explorer.EXE	36C3.exe
PID 1288 wrote to memory of 3948	1288	28D7.exe	28D7.exe
PID 1288 wrote to memory of 3948	1288	28D7.exe	28D7.exe
PID 1288 wrote to memory of 3948	1288	28D7.exe	28D7.exe
PID 1288 wrote to memory of 3948	1288	28D7.exe	28D7.exe
PID 1288 wrote to memory of 3948	1288	28D7.exe	28D7.exe
PID 1288 wrote to memory of 3948	1288	28D7.exe	28D7.exe
PID 1288 wrote to memory of 3948	1288	28D7.exe	28D7.exe
PID 1288 wrote to memory of 3948	1288	28D7.exe	28D7.exe
PID 1288 wrote to memory of 3948	1288	28D7.exe	28D7.exe
PID 1288 wrote to memory of 3948	1288	28D7.exe	28D7.exe
PID 3948 wrote to memory of 2592	3948	28D7.exe	icacls.exe
PID 3948 wrote to memory of 2592	3948	28D7.exe	icacls.exe
PID 3948 wrote to memory of 2592	3948	28D7.exe	icacls.exe
PID 3948 wrote to memory of 2620	3948	28D7.exe	28D7.exe
PID 3948 wrote to memory of 2620	3948	28D7.exe	28D7.exe
PID 3948 wrote to memory of 2620	3948	28D7.exe	28D7.exe
PID 392 wrote to memory of 3464	392	Explorer.EXE	5335.exe
PID 392 wrote to memory of 3464	392	Explorer.EXE	5335.exe
PID 392 wrote to memory of 3464	392	Explorer.EXE	5335.exe
PID 2620 wrote to memory of 3440	2620	28D7.exe	28D7.exe
PID 2620 wrote to memory of 3440	2620	28D7.exe	28D7.exe
PID 2620 wrote to memory of 3440	2620	28D7.exe	28D7.exe
PID 2620 wrote to memory of 3440	2620	28D7.exe	28D7.exe
PID 2620 wrote to memory of 3440	2620	28D7.exe	28D7.exe
PID 2620 wrote to memory of 3440	2620	28D7.exe	28D7.exe
PID 2620 wrote to memory of 3440	2620	28D7.exe	28D7.exe
PID 2620 wrote to memory of 3440	2620	28D7.exe	28D7.exe
PID 2620 wrote to memory of 3440	2620	28D7.exe	28D7.exe
PID 2620 wrote to memory of 3440	2620	28D7.exe	28D7.exe
PID 3440 wrote to memory of 2860	3440	28D7.exe	build2.exe
PID 3440 wrote to memory of 2860	3440	28D7.exe	build2.exe
PID 3440 wrote to memory of 2860	3440	28D7.exe	build2.exe
PID 392 wrote to memory of 316	392	Explorer.EXE	6EFB.exe
PID 392 wrote to memory of 316	392	Explorer.EXE	6EFB.exe
PID 392 wrote to memory of 316	392	Explorer.EXE	6EFB.exe
PID 2860 wrote to memory of 2788	2860	build2.exe	build2.exe
PID 2860 wrote to memory of 2788	2860	build2.exe	build2.exe
PID 2860 wrote to memory of 2788	2860	build2.exe	build2.exe
PID 2860 wrote to memory of 2788	2860	build2.exe	build2.exe
PID 2860 wrote to memory of 2788	2860	build2.exe	build2.exe
PID 2860 wrote to memory of 2788	2860	build2.exe	build2.exe
PID 2860 wrote to memory of 2788	2860	build2.exe	build2.exe
PID 2860 wrote to memory of 2788	2860	build2.exe	build2.exe
PID 392 wrote to memory of 1020	392	Explorer.EXE	79E9.exe
PID 392 wrote to memory of 1020	392	Explorer.EXE	79E9.exe
PID 392 wrote to memory of 1020	392	Explorer.EXE	79E9.exe
PID 2788 wrote to memory of 296	2788	build2.exe	cmd.exe
PID 2788 wrote to memory of 296	2788	build2.exe	cmd.exe
PID 2788 wrote to memory of 296	2788	build2.exe	cmd.exe
PID 296 wrote to memory of 3944	296	cmd.exe	taskkill.exe
PID 296 wrote to memory of 3944	296	cmd.exe	taskkill.exe
PID 296 wrote to memory of 3944	296	cmd.exe	taskkill.exe
PID 296 wrote to memory of 3972	296	cmd.exe	timeout.exe
PID 296 wrote to memory of 3972	296	cmd.exe	timeout.exe
PID 296 wrote to memory of 3972	296	cmd.exe	timeout.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Deletes itself
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:392

C:\Users\Admin\AppData\Local\Temp\85423497fc6f1b1dc93ef39cfab3f44795bd0b17af2fbf52cf7791e99913f7c7.exe
"C:\Users\Admin\AppData\Local\Temp\85423497fc6f1b1dc93ef39cfab3f44795bd0b17af2fbf52cf7791e99913f7c7.exe"
2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2468

C:\Users\Admin\AppData\Local\Temp\FB.exe
C:\Users\Admin\AppData\Local\Temp\FB.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2072

C:\Users\Admin\AppData\Local\Temp\28D7.exe
C:\Users\Admin\AppData\Local\Temp\28D7.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1288

C:\Users\Admin\AppData\Local\Temp\28D7.exe
C:\Users\Admin\AppData\Local\Temp\28D7.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:3948

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\78899e07-ede6-438b-af00-363e5a9b4ff1" /deny *S-1-1-0:(OI)(CI)(DE,DC)
4⤵
- Modifies file permissions
PID:2592

C:\Users\Admin\AppData\Local\Temp\28D7.exe
"C:\Users\Admin\AppData\Local\Temp\28D7.exe" --Admin IsNotAutoStart IsNotTask
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2620

C:\Users\Admin\AppData\Local\Temp\28D7.exe
"C:\Users\Admin\AppData\Local\Temp\28D7.exe" --Admin IsNotAutoStart IsNotTask
5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3440

C:\Users\Admin\AppData\Local\43981c7d-1116-4b0a-b8e3-c22a9c1c8b10\build2.exe
"C:\Users\Admin\AppData\Local\43981c7d-1116-4b0a-b8e3-c22a9c1c8b10\build2.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2860

C:\Users\Admin\AppData\Local\43981c7d-1116-4b0a-b8e3-c22a9c1c8b10\build2.exe
"C:\Users\Admin\AppData\Local\43981c7d-1116-4b0a-b8e3-c22a9c1c8b10\build2.exe"
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:2788

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im build2.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\43981c7d-1116-4b0a-b8e3-c22a9c1c8b10\build2.exe" & del C:\ProgramData\*.dll & exit
8⤵
- Suspicious use of WriteProcessMemory
PID:296

C:\Windows\SysWOW64\taskkill.exe
taskkill /im build2.exe /f
9⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3944

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
9⤵
- Delays execution with timeout.exe
PID:3972

C:\Users\Admin\AppData\Local\Temp\36C3.exe
C:\Users\Admin\AppData\Local\Temp\36C3.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:648

C:\Users\Admin\AppData\Local\Temp\5335.exe
C:\Users\Admin\AppData\Local\Temp\5335.exe
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:3464

C:\Users\Admin\AppData\Local\Temp\6EFB.exe
C:\Users\Admin\AppData\Local\Temp\6EFB.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:316

C:\Users\Admin\AppData\Local\Temp\79E9.exe
C:\Users\Admin\AppData\Local\Temp\79E9.exe
2⤵
- Executes dropped EXE
PID:1020

C:\Users\Admin\AppData\Local\Temp\A4F2.exe
C:\Users\Admin\AppData\Local\Temp\A4F2.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
PID:3952

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im A4F2.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\A4F2.exe" & del C:\ProgramData\*.dll & exit
3⤵
PID:3944

C:\Windows\SysWOW64\taskkill.exe
taskkill /im A4F2.exe /f
4⤵
- Kills process with taskkill
PID:2644

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
4⤵
- Delays execution with timeout.exe
PID:2752

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 392 -s 7404
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
PID:3984

C:\Windows\explorer.exe
explorer.exe
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1656

C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
1⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2924

C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
1⤵
- Enumerates system info in registry
- Modifies registry class
PID:1764

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Modify Registry

T1112

File Permissions Modification

T1222

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\freebl3.dll
MD5
ef2834ac4ee7d6724f255beaf527e635

SHA1
5be8c1e73a21b49f353c2ecfa4108e43a883cb7b

SHA256
a770ecba3b08bbabd0a567fc978e50615f8b346709f8eb3cfacf3faab24090ba

SHA512
c6ea0e4347cbd7ef5e80ae8c0afdca20ea23ac2bdd963361dfaf562a9aed58dcbc43f89dd826692a064d76c3f4b3e92361af7b79a6d16a75d9951591ae3544d2

Download Submit
C:\ProgramData\freebl3.dll
MD5
ef2834ac4ee7d6724f255beaf527e635

SHA1
5be8c1e73a21b49f353c2ecfa4108e43a883cb7b

SHA256
a770ecba3b08bbabd0a567fc978e50615f8b346709f8eb3cfacf3faab24090ba

SHA512
c6ea0e4347cbd7ef5e80ae8c0afdca20ea23ac2bdd963361dfaf562a9aed58dcbc43f89dd826692a064d76c3f4b3e92361af7b79a6d16a75d9951591ae3544d2

Download Submit
C:\ProgramData\mozglue.dll
MD5
8f73c08a9660691143661bf7332c3c27

SHA1
37fa65dd737c50fda710fdbde89e51374d0c204a

SHA256
3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

SHA512
0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

Download Submit
C:\ProgramData\mozglue.dll
MD5
8f73c08a9660691143661bf7332c3c27

SHA1
37fa65dd737c50fda710fdbde89e51374d0c204a

SHA256
3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

SHA512
0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

Download Submit
C:\ProgramData\msvcp140.dll
MD5
109f0f02fd37c84bfc7508d4227d7ed5

SHA1
ef7420141bb15ac334d3964082361a460bfdb975

SHA256
334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4

SHA512
46eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39

Download Submit
C:\ProgramData\msvcp140.dll
MD5
109f0f02fd37c84bfc7508d4227d7ed5

SHA1
ef7420141bb15ac334d3964082361a460bfdb975

SHA256
334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4

SHA512
46eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39

Download Submit
C:\ProgramData\nss3.dll
MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
C:\ProgramData\nss3.dll
MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
C:\ProgramData\softokn3.dll
MD5
a2ee53de9167bf0d6c019303b7ca84e5

SHA1
2a3c737fa1157e8483815e98b666408a18c0db42

SHA256
43536adef2ddcc811c28d35fa6ce3031029a2424ad393989db36169ff2995083

SHA512
45b56432244f86321fa88fbcca6a0d2a2f7f4e0648c1d7d7b1866adc9daa5eddd9f6bb73662149f279c9ab60930dad1113c8337cb5e6ec9eed5048322f65f7d8

Download Submit
C:\ProgramData\softokn3.dll
MD5
a2ee53de9167bf0d6c019303b7ca84e5

SHA1
2a3c737fa1157e8483815e98b666408a18c0db42

SHA256
43536adef2ddcc811c28d35fa6ce3031029a2424ad393989db36169ff2995083

SHA512
45b56432244f86321fa88fbcca6a0d2a2f7f4e0648c1d7d7b1866adc9daa5eddd9f6bb73662149f279c9ab60930dad1113c8337cb5e6ec9eed5048322f65f7d8

Download Submit
C:\ProgramData\vcruntime140.dll
MD5
7587bf9cb4147022cd5681b015183046

SHA1
f2106306a8f6f0da5afb7fc765cfa0757ad5a628

SHA256
c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d

SHA512
0b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f

Download Submit
C:\ProgramData\vcruntime140.dll
MD5
7587bf9cb4147022cd5681b015183046

SHA1
f2106306a8f6f0da5afb7fc765cfa0757ad5a628

SHA256
c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d

SHA512
0b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
MD5
fbb73dd41a90491d150c4f12549da5a5

SHA1
4396b402d8a05bac2bbc7190ca9e32782ff4af6f

SHA256
12686bacfe00b636476d9d8d326a972acae8108dc655cc61ed5a21acb03586fc

SHA512
ad786c4c99d3fb6aefc404ef6860f8ad4a97235a23a58ff417337370eabbd4d34ca12ad591ba5834a8c11f14a1d51b00e41a8d76c36007a70df80d30da4584fe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5
97f9fe2d3b32063d3321e7b921635d02

SHA1
bbd89fcd4d2ca88f980b9a54b0adfbc25485be23

SHA256
985589fe5c72659008dfb6e239eb942f4efbc98a4495ba1e56033606c33197af

SHA512
4d731bad606473db899938d4476decdfa4c7db4e628e42242af5ef810eb821fefb42b96bc4655306b570996770a03f0ff697411e7418914f601eef4afad58e7c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\D60690F7FEA5B18B88CB0D0627369D90
MD5
e7d84719471abbe118dba8d5f668c4c2

SHA1
49719231411dfc077ba64c4d05118b112e190be8

SHA256
15ea83ba54bc3d78ab50da6e361c93d452feffe4da9441f395c32231633b4060

SHA512
4f4321940e42b873d381ed12b1449f3bd0eabc5c53ef0237e097e827399698160a08eac84fd753f431b62d294b9d6a62c299b5fb9472da03e5659537f565b3c7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
MD5
a782e74daf02130372634a7bc03bc71c

SHA1
4987e564d68dabba8cb4270d0f8f8725b012cc25

SHA256
033d595463e94bab764437f2e64947274375cf3195d86677ab81057c3c32a6f5

SHA512
32ff4b925b22238f868ebd18c10156a802f2436f8f87ba5d098f7cda65f145faaa886a38988668b1f531d1dd433bd7cdb37de863fc056e6bb6f92370b4b3f30b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5
058c7086d68bce715aebd9c915e22a07

SHA1
e06dd9a6f0232dc2f7445db853ba2cedc88f2ecd

SHA256
5475fa6d244a54e4a299563dbdbaed63cce3cdba2bd037b68bb0aa56e56a0829

SHA512
095212224e4e9be96f8fdc8fb4904c1ba2b59ef9eb3aba0bf1d53257d7677b0ee0d780ab3e97c583d1226ca2108c842c031357a5727d6f22f141bc3c8aa8f1b4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D60690F7FEA5B18B88CB0D0627369D90
MD5
b14a93d0fc349ed47433c376081d1012

SHA1
8137133b00c2b6de7d4cbaf100c68ec14983976d

SHA256
d6b6949b8b502eb59a6cf7a16f37fa9efe0335768e3b7e171503d89e6282ed0f

SHA512
e4900db8e7a29083b26bda059f4ffda92e6dd7ba08910d0cf98f09d41b287ab3826136eb92d0b57f8d964f2a9e110f958c90e0c59e674f44cdace5df21c19769

Download Submit
C:\Users\Admin\AppData\Local\43981c7d-1116-4b0a-b8e3-c22a9c1c8b10\build2.exe
MD5
99ffad8d2db48bceab72b8c1d4eed212

SHA1
2d50c99b1046dffc92c69e5b85304f4c24b1dd13

SHA256
9f14c876d28ff18fb861ba384647ba9b08171e6efa2ac9ed33d836ed855c91ba

SHA512
d043e32adcf8ae4aab361b5fad471eb44a93f03301eec964a69aa91c4ec38eade218596be53ea997f239e4f1d42c75972e664d711a87dcc0460dff13a5f875e1

Download Submit
C:\Users\Admin\AppData\Local\43981c7d-1116-4b0a-b8e3-c22a9c1c8b10\build2.exe
MD5
99ffad8d2db48bceab72b8c1d4eed212

SHA1
2d50c99b1046dffc92c69e5b85304f4c24b1dd13

SHA256
9f14c876d28ff18fb861ba384647ba9b08171e6efa2ac9ed33d836ed855c91ba

SHA512
d043e32adcf8ae4aab361b5fad471eb44a93f03301eec964a69aa91c4ec38eade218596be53ea997f239e4f1d42c75972e664d711a87dcc0460dff13a5f875e1

Download Submit
C:\Users\Admin\AppData\Local\43981c7d-1116-4b0a-b8e3-c22a9c1c8b10\build2.exe
MD5
99ffad8d2db48bceab72b8c1d4eed212

SHA1
2d50c99b1046dffc92c69e5b85304f4c24b1dd13

SHA256
9f14c876d28ff18fb861ba384647ba9b08171e6efa2ac9ed33d836ed855c91ba

SHA512
d043e32adcf8ae4aab361b5fad471eb44a93f03301eec964a69aa91c4ec38eade218596be53ea997f239e4f1d42c75972e664d711a87dcc0460dff13a5f875e1

Download Submit
C:\Users\Admin\AppData\Local\78899e07-ede6-438b-af00-363e5a9b4ff1\28D7.exe
MD5
3bf20f256815e32284166cb8e37cdaec

SHA1
02655b6bf017c7fa6060459300726eb266571ffa

SHA256
73ac9a72fd4437aa3acf829fdd01e474113d8409485c85e771209f1264858206

SHA512
d8d8c645406d69d6a673e9e424feaed3cfd2064d8881dfe5e8dbcdb28bda062eda1fafabcb24b5976bc0e9ab95349bf3141994504447bf0a6d18d76b7c4d2935

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\PenWorkspace\DiscoverCacheData.dat
MD5
0b535c2194dbc73a73754e36a4441b74

SHA1
47c555ac6c5b76c53fcafcece95983c71f22c1fc

SHA256
55964c7418bdb09e1e69648228a0dbe9a8095116924c33700119ad55398561ec

SHA512
844e8c34d583d1dce3c33854676ee154b37d93f49b240d765337a1bdaa1f1ebe927aacbd7158e6aac494a8f253e5695df08b5d9cf157fbfa6fd37c8dbd966ae8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\58CO2Y0O\nss3[1].dll
MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\HBPS4WXS\mozglue[1].dll
MD5
8f73c08a9660691143661bf7332c3c27

SHA1
37fa65dd737c50fda710fdbde89e51374d0c204a

SHA256
3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

SHA512
0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\HBPS4WXS\vcruntime140[1].dll
MD5
7587bf9cb4147022cd5681b015183046

SHA1
f2106306a8f6f0da5afb7fc765cfa0757ad5a628

SHA256
c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d

SHA512
0b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\OY8D4S7I\msvcp140[1].dll
MD5
109f0f02fd37c84bfc7508d4227d7ed5

SHA1
ef7420141bb15ac334d3964082361a460bfdb975

SHA256
334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4

SHA512
46eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\QT2UOKDP\freebl3[1].dll
MD5
ef2834ac4ee7d6724f255beaf527e635

SHA1
5be8c1e73a21b49f353c2ecfa4108e43a883cb7b

SHA256
a770ecba3b08bbabd0a567fc978e50615f8b346709f8eb3cfacf3faab24090ba

SHA512
c6ea0e4347cbd7ef5e80ae8c0afdca20ea23ac2bdd963361dfaf562a9aed58dcbc43f89dd826692a064d76c3f4b3e92361af7b79a6d16a75d9951591ae3544d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\QT2UOKDP\softokn3[1].dll
MD5
a2ee53de9167bf0d6c019303b7ca84e5

SHA1
2a3c737fa1157e8483815e98b666408a18c0db42

SHA256
43536adef2ddcc811c28d35fa6ce3031029a2424ad393989db36169ff2995083

SHA512
45b56432244f86321fa88fbcca6a0d2a2f7f4e0648c1d7d7b1866adc9daa5eddd9f6bb73662149f279c9ab60930dad1113c8337cb5e6ec9eed5048322f65f7d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\28D7.exe
MD5
3bf20f256815e32284166cb8e37cdaec

SHA1
02655b6bf017c7fa6060459300726eb266571ffa

SHA256
73ac9a72fd4437aa3acf829fdd01e474113d8409485c85e771209f1264858206

SHA512
d8d8c645406d69d6a673e9e424feaed3cfd2064d8881dfe5e8dbcdb28bda062eda1fafabcb24b5976bc0e9ab95349bf3141994504447bf0a6d18d76b7c4d2935

Download Submit
C:\Users\Admin\AppData\Local\Temp\28D7.exe
MD5
3bf20f256815e32284166cb8e37cdaec

SHA1
02655b6bf017c7fa6060459300726eb266571ffa

SHA256
73ac9a72fd4437aa3acf829fdd01e474113d8409485c85e771209f1264858206

SHA512
d8d8c645406d69d6a673e9e424feaed3cfd2064d8881dfe5e8dbcdb28bda062eda1fafabcb24b5976bc0e9ab95349bf3141994504447bf0a6d18d76b7c4d2935

Download Submit
C:\Users\Admin\AppData\Local\Temp\28D7.exe
MD5
3bf20f256815e32284166cb8e37cdaec

SHA1
02655b6bf017c7fa6060459300726eb266571ffa

SHA256
73ac9a72fd4437aa3acf829fdd01e474113d8409485c85e771209f1264858206

SHA512
d8d8c645406d69d6a673e9e424feaed3cfd2064d8881dfe5e8dbcdb28bda062eda1fafabcb24b5976bc0e9ab95349bf3141994504447bf0a6d18d76b7c4d2935

Download Submit
C:\Users\Admin\AppData\Local\Temp\28D7.exe
MD5
3bf20f256815e32284166cb8e37cdaec

SHA1
02655b6bf017c7fa6060459300726eb266571ffa

SHA256
73ac9a72fd4437aa3acf829fdd01e474113d8409485c85e771209f1264858206

SHA512
d8d8c645406d69d6a673e9e424feaed3cfd2064d8881dfe5e8dbcdb28bda062eda1fafabcb24b5976bc0e9ab95349bf3141994504447bf0a6d18d76b7c4d2935

Download Submit
C:\Users\Admin\AppData\Local\Temp\28D7.exe
MD5
3bf20f256815e32284166cb8e37cdaec

SHA1
02655b6bf017c7fa6060459300726eb266571ffa

SHA256
73ac9a72fd4437aa3acf829fdd01e474113d8409485c85e771209f1264858206

SHA512
d8d8c645406d69d6a673e9e424feaed3cfd2064d8881dfe5e8dbcdb28bda062eda1fafabcb24b5976bc0e9ab95349bf3141994504447bf0a6d18d76b7c4d2935

Download Submit
C:\Users\Admin\AppData\Local\Temp\36C3.exe
MD5
36d829ee692003eb866e1eae1dc0b383

SHA1
37a4d28b401bda1de141774aaee7926edb79e3eb

SHA256
c8271ae19815ff7a7ed4e10d2d1c512af919190bfdda1dc2f2778a87df313dfd

SHA512
a6a8512498e2f957ede741a2d765154bbf86599ebe57b17b519cb6a143d648beb1fffc84dc23912eeaacdaf7a7fc9bf5cb19dcd53d80f122c69b9ee58f0bb245

Download Submit
C:\Users\Admin\AppData\Local\Temp\36C3.exe
MD5
36d829ee692003eb866e1eae1dc0b383

SHA1
37a4d28b401bda1de141774aaee7926edb79e3eb

SHA256
c8271ae19815ff7a7ed4e10d2d1c512af919190bfdda1dc2f2778a87df313dfd

SHA512
a6a8512498e2f957ede741a2d765154bbf86599ebe57b17b519cb6a143d648beb1fffc84dc23912eeaacdaf7a7fc9bf5cb19dcd53d80f122c69b9ee58f0bb245

Download Submit
C:\Users\Admin\AppData\Local\Temp\5335.exe
MD5
128d7a204f6a35c6c1fb022b89da4d49

SHA1
c97e6f0c8966f8fa15efdcb91d96a795ac9fd8bb

SHA256
e2ace55d41f15f1cfaea0912f852ca34805061aa98863639e796e101fb79197b

SHA512
4eb2562a1d613e8e74ffe5f7055c6c665f0a96463dcbaef3c3ca300a58b9d36e93f2a9076d14bb2ab958236dbc8f817ce11e0baedca78538f2ddebd4d4615589

Download Submit
C:\Users\Admin\AppData\Local\Temp\6EFB.exe
MD5
de4b8ec29ea8842a6ce8fe2f066ae17f

SHA1
1ff3267fb3ec7affdc04b985e4de1eb1ba7e579b

SHA256
ddae431c6fec6b228e2ade50f8ad1a2ffe7faad908d68642c6b4b9f3daec110a

SHA512
6960e5ab54ee98f99e3bb4cbd921cec40f64a218d77079053b1640fa6e1c1caa4f7324c231f3f4f99dff7cfa4f620b8f44ba7680c3cf8ac08e6e1cd197ccef73

Download Submit
C:\Users\Admin\AppData\Local\Temp\6EFB.exe
MD5
de4b8ec29ea8842a6ce8fe2f066ae17f

SHA1
1ff3267fb3ec7affdc04b985e4de1eb1ba7e579b

SHA256
ddae431c6fec6b228e2ade50f8ad1a2ffe7faad908d68642c6b4b9f3daec110a

SHA512
6960e5ab54ee98f99e3bb4cbd921cec40f64a218d77079053b1640fa6e1c1caa4f7324c231f3f4f99dff7cfa4f620b8f44ba7680c3cf8ac08e6e1cd197ccef73

Download Submit
C:\Users\Admin\AppData\Local\Temp\79E9.exe
MD5
ba785eeac548b2dc1ff2911ef18c4c59

SHA1
8c02bae6f0767f846c4103cd439b70804033407f

SHA256
81591058e5bba5cc0cc0eabf671441d0618311e9915acd6e89be88eb02764ca8

SHA512
9beb10d0414725ed992975c9efc5dc83cf3a06dacf0f14d068b4850f29393710e64e3e1c869fc1d79aa719c9aa6bed698c75c7e389ec5a14aa468a5d714d02f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\79E9.exe
MD5
ba785eeac548b2dc1ff2911ef18c4c59

SHA1
8c02bae6f0767f846c4103cd439b70804033407f

SHA256
81591058e5bba5cc0cc0eabf671441d0618311e9915acd6e89be88eb02764ca8

SHA512
9beb10d0414725ed992975c9efc5dc83cf3a06dacf0f14d068b4850f29393710e64e3e1c869fc1d79aa719c9aa6bed698c75c7e389ec5a14aa468a5d714d02f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\A4F2.exe
MD5
3ff625f9dd7b3961a7fadac04b169817

SHA1
e94ca3bff1b3f9b28a239d4baa37e1250954b326

SHA256
c7fe3d672279fb53c660baa242a3b135051fdc0b46ebbfb10de212a1e7ea59a8

SHA512
b2b991276ca5bbb2e13ed5654f44b85c15d5defaacfb3eae7ca628e4b479ad46b7a172f7cd4e5fb58424c7649c3d0c6afa006d3fc72d9856539303b8c2bbbe66

Download Submit
C:\Users\Admin\AppData\Local\Temp\A4F2.exe
MD5
3ff625f9dd7b3961a7fadac04b169817

SHA1
e94ca3bff1b3f9b28a239d4baa37e1250954b326

SHA256
c7fe3d672279fb53c660baa242a3b135051fdc0b46ebbfb10de212a1e7ea59a8

SHA512
b2b991276ca5bbb2e13ed5654f44b85c15d5defaacfb3eae7ca628e4b479ad46b7a172f7cd4e5fb58424c7649c3d0c6afa006d3fc72d9856539303b8c2bbbe66

Download Submit
C:\Users\Admin\AppData\Local\Temp\FB.exe
MD5
cfb9b9d9638b902b2c03059dc024755c

SHA1
d55b51cfac4f84199042f205b2eb70b2cef1c965

SHA256
11f424c27204483a062306b96257296bb8dea2283c9e6f7269a7bd46ca01adfa

SHA512
c3875d6ae28a96db55c57f9a765e0a27e50a0245bd51f8af5e0115e43f0f65cf1b2079c95fc6391796435a74aa0d0e19740833b0cc86debe1b519b1e7a12b8cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\FB.exe
MD5
cfb9b9d9638b902b2c03059dc024755c

SHA1
d55b51cfac4f84199042f205b2eb70b2cef1c965

SHA256
11f424c27204483a062306b96257296bb8dea2283c9e6f7269a7bd46ca01adfa

SHA512
c3875d6ae28a96db55c57f9a765e0a27e50a0245bd51f8af5e0115e43f0f65cf1b2079c95fc6391796435a74aa0d0e19740833b0cc86debe1b519b1e7a12b8cf

Download Submit
\ProgramData\mozglue.dll
MD5
8f73c08a9660691143661bf7332c3c27

SHA1
37fa65dd737c50fda710fdbde89e51374d0c204a

SHA256
3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

SHA512
0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

Download Submit
\ProgramData\mozglue.dll
MD5
8f73c08a9660691143661bf7332c3c27

SHA1
37fa65dd737c50fda710fdbde89e51374d0c204a

SHA256
3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

SHA512
0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

Download Submit
\ProgramData\nss3.dll
MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
\ProgramData\nss3.dll
MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
memory/296-237-0x0000000000000000-mapping.dmp

Download
memory/316-236-0x0000000004C84000-0x0000000004C86000-memory.dmp

Filesize
8KB

Download
memory/316-223-0x0000000002420000-0x0000000002441000-memory.dmp

Filesize
132KB

Download
memory/316-225-0x00000000025D0000-0x00000000025EF000-memory.dmp

Filesize
124KB

Download
memory/316-231-0x0000000000570000-0x00000000006BA000-memory.dmp

Filesize
1.3MB

Download
memory/316-235-0x0000000004C83000-0x0000000004C84000-memory.dmp

Filesize
4KB

Download
memory/316-232-0x0000000000400000-0x00000000004D7000-memory.dmp

Filesize
860KB

Download
memory/316-233-0x0000000004C80000-0x0000000004C81000-memory.dmp

Filesize
4KB

Download
memory/316-234-0x0000000004C82000-0x0000000004C83000-memory.dmp

Filesize
4KB

Download
memory/316-202-0x0000000000000000-mapping.dmp

Download
memory/392-117-0x0000000000390000-0x00000000003A5000-memory.dmp

Filesize
84KB

Download
memory/648-153-0x0000000002330000-0x000000000234E000-memory.dmp

Filesize
120KB

Download
memory/648-161-0x00000000004B0000-0x00000000004E0000-memory.dmp

Filesize
192KB

Download
memory/648-196-0x0000000007AC0000-0x0000000007AC1000-memory.dmp

Filesize
4KB

Download
memory/648-165-0x0000000004BE3000-0x0000000004BE4000-memory.dmp

Filesize
4KB

Download
memory/648-144-0x0000000000000000-mapping.dmp

Download
memory/648-164-0x0000000004BE2000-0x0000000004BE3000-memory.dmp

Filesize
4KB

Download
memory/648-151-0x0000000000A20000-0x0000000000A3F000-memory.dmp

Filesize
124KB

Download
memory/648-166-0x0000000004BE4000-0x0000000004BE6000-memory.dmp

Filesize
8KB

Download
memory/648-162-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/648-163-0x0000000004BE0000-0x0000000004BE1000-memory.dmp

Filesize
4KB

Download
memory/1020-221-0x0000000000800000-0x000000000088F000-memory.dmp

Filesize
572KB

Download
memory/1020-222-0x0000000000400000-0x0000000000492000-memory.dmp

Filesize
584KB

Download
memory/1020-216-0x0000000000000000-mapping.dmp

Download
memory/1288-147-0x0000000002200000-0x000000000231B000-memory.dmp

Filesize
1.1MB

Download
memory/1288-135-0x0000000000000000-mapping.dmp

Download
memory/1656-279-0x00000000095C0000-0x00000000095D0000-memory.dmp

Filesize
64KB

Download
memory/1656-274-0x0000000002C60000-0x0000000002C61000-memory.dmp

Filesize
4KB

Download
memory/1656-295-0x00000000095C0000-0x00000000095D0000-memory.dmp

Filesize
64KB

Download
memory/1656-294-0x00000000095C0000-0x00000000095D0000-memory.dmp

Filesize
64KB

Download
memory/1656-293-0x00000000095C0000-0x00000000095D0000-memory.dmp

Filesize
64KB

Download
memory/1656-292-0x00000000095C0000-0x00000000095D0000-memory.dmp

Filesize
64KB

Download
memory/1656-291-0x000000000A1F0000-0x000000000A200000-memory.dmp

Filesize
64KB

Download
memory/1656-290-0x00000000095C0000-0x00000000095D0000-memory.dmp

Filesize
64KB

Download
memory/1656-289-0x00000000095C0000-0x00000000095D0000-memory.dmp

Filesize
64KB

Download
memory/1656-287-0x00000000095C0000-0x00000000095D0000-memory.dmp

Filesize
64KB

Download
memory/1656-288-0x00000000095C0000-0x00000000095D0000-memory.dmp

Filesize
64KB

Download
memory/1656-286-0x00000000095C0000-0x00000000095D0000-memory.dmp

Filesize
64KB

Download
memory/1656-285-0x000000000A1F0000-0x000000000A200000-memory.dmp

Filesize
64KB

Download
memory/1656-284-0x00000000095C0000-0x00000000095D0000-memory.dmp

Filesize
64KB

Download
memory/1656-283-0x000000000A170000-0x000000000A180000-memory.dmp

Filesize
64KB

Download
memory/1656-282-0x00000000095C0000-0x00000000095D0000-memory.dmp

Filesize
64KB

Download
memory/1656-281-0x00000000095C0000-0x00000000095D0000-memory.dmp

Filesize
64KB

Download
memory/1656-280-0x00000000095C0000-0x00000000095D0000-memory.dmp

Filesize
64KB

Download
memory/1656-276-0x00000000095C0000-0x00000000095D0000-memory.dmp

Filesize
64KB

Download
memory/1656-278-0x00000000095C0000-0x00000000095D0000-memory.dmp

Filesize
64KB

Download
memory/1656-277-0x00000000095D0000-0x00000000095E0000-memory.dmp

Filesize
64KB

Download
memory/1656-275-0x00000000094C0000-0x00000000094D0000-memory.dmp

Filesize
64KB

Download
memory/2072-127-0x0000000005710000-0x0000000005711000-memory.dmp

Filesize
4KB

Download
memory/2072-129-0x0000000005850000-0x0000000005851000-memory.dmp

Filesize
4KB

Download
memory/2072-138-0x0000000006AF0000-0x0000000006AF1000-memory.dmp

Filesize
4KB

Download
memory/2072-143-0x0000000007720000-0x0000000007721000-memory.dmp

Filesize
4KB

Download
memory/2072-118-0x0000000000000000-mapping.dmp

Download
memory/2072-121-0x0000000000630000-0x000000000077A000-memory.dmp

Filesize
1.3MB

Download
memory/2072-134-0x00000000058D0000-0x00000000058D1000-memory.dmp

Filesize
4KB

Download
memory/2072-132-0x00000000022C3000-0x00000000022C4000-memory.dmp

Filesize
4KB

Download
memory/2072-133-0x00000000022C4000-0x00000000022C6000-memory.dmp

Filesize
8KB

Download
memory/2072-131-0x00000000022C2000-0x00000000022C3000-memory.dmp

Filesize
4KB

Download
memory/2072-130-0x00000000022C0000-0x00000000022C1000-memory.dmp

Filesize
4KB

Download
memory/2072-142-0x0000000007760000-0x0000000007761000-memory.dmp

Filesize
4KB

Download
memory/2072-128-0x0000000005740000-0x0000000005741000-memory.dmp

Filesize
4KB

Download
memory/2072-122-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/2072-126-0x0000000005080000-0x0000000005081000-memory.dmp

Filesize
4KB

Download
memory/2072-123-0x0000000002440000-0x000000000245F000-memory.dmp

Filesize
124KB

Download
memory/2072-124-0x0000000004B80000-0x0000000004B81000-memory.dmp

Filesize
4KB

Download
memory/2072-139-0x0000000006CC0000-0x0000000006CC1000-memory.dmp

Filesize
4KB

Download
memory/2072-125-0x0000000002700000-0x000000000271E000-memory.dmp

Filesize
120KB

Download
memory/2072-140-0x00000000072E0000-0x00000000072E1000-memory.dmp

Filesize
4KB

Download
memory/2072-141-0x0000000007660000-0x0000000007661000-memory.dmp

Filesize
4KB

Download
memory/2468-115-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/2468-116-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/2592-159-0x0000000000000000-mapping.dmp

Download
memory/2620-168-0x0000000000000000-mapping.dmp

Download
memory/2644-269-0x0000000000000000-mapping.dmp

Download
memory/2752-270-0x0000000000000000-mapping.dmp

Download
memory/2788-213-0x0000000000400000-0x00000000004D7000-memory.dmp

Filesize
860KB

Download
memory/2788-208-0x00000000004A033D-mapping.dmp

Download
memory/2788-206-0x0000000000400000-0x00000000004D7000-memory.dmp

Filesize
860KB

Download
memory/2860-211-0x00000000009E0000-0x0000000000AB4000-memory.dmp

Filesize
848KB

Download
memory/2860-197-0x0000000000000000-mapping.dmp

Download
memory/3440-191-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3440-176-0x0000000000424141-mapping.dmp

Download
memory/3464-170-0x0000000000000000-mapping.dmp

Download
memory/3464-192-0x0000000005CE0000-0x0000000005CE1000-memory.dmp

Filesize
4KB

Download
memory/3464-190-0x0000000077820000-0x00000000779AE000-memory.dmp

Filesize
1.6MB

Download
memory/3464-174-0x0000000000B80000-0x0000000000B81000-memory.dmp

Filesize
4KB

Download
memory/3944-268-0x0000000000000000-mapping.dmp

Download
memory/3944-238-0x0000000000000000-mapping.dmp

Download
memory/3948-160-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3948-148-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3948-149-0x0000000000424141-mapping.dmp

Download
memory/3952-247-0x0000000000000000-mapping.dmp

Download
memory/3952-256-0x0000000002150000-0x0000000002224000-memory.dmp

Filesize
848KB

Download
memory/3952-257-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/3972-239-0x0000000000000000-mapping.dmp

Download