amadey | 315b37aa7260dc7c5698da6353b2005a5d0bb5252ed52c7a005f0eaf1c649e3b

Analysis

max time kernel
150s
max time network
148s
platform
windows10_x64
resource
win10-en-20211208
submitted
24-12-2021 11:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

315b37aa7260dc7c5698da6353b2005a5d0bb5252ed52c7a005f0eaf1c649e3b.exe
Size

291KB
MD5

f3a0c75fd4ce6d043729140db694c509
SHA1

1b7f2aa0bdfff0927d65beb8da1c88154019a6f3
SHA256

315b37aa7260dc7c5698da6353b2005a5d0bb5252ed52c7a005f0eaf1c649e3b
SHA512

ecd01f8639a1fefac4a7905873b2656933bffa1a46e29fbf8b520b0c58c050fbc7555c36f8d3c9323f4135e904209102d2515121a71377cc5dbb755a08abce45

Score

10^/10

amadey arkei neshta redline smokeloader tofsee 1 backdoor collection discovery evasion infostealer persistence spyware stealer suricata trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

http://host-data-coin-11.com/

http://file-coin-host-12.com/

http://srtuiyhuali.at/

http://fufuiloirtu.com/

http://amogohuigotuli.at/

http://novohudosovu.com/

http://brutuilionust.com/

http://bubushkalioua.com/

http://dumuilistrati.at/

http://verboliatsiaeeees.com/

rc4.i32

Extracted

Family

redline

Botnet

86.107.197.138:38133

Extracted

Family

tofsee

mubrikych.top

oxxyfix.xyz

Extracted

Family

amadey

Version

2.86

2.56.56.210/notAnoob/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Arkei
Arkei is an infostealer written in C++.
stealer arkei

Detect Neshta Payload 19 IoCs

Processes:

resource	yara_rule
C:\ProgramData\5954_1640339821_5793.exe	family_neshta
C:\ProgramData\5954_1640339821_5793.exe	family_neshta
C:\Windows\svchost.com	family_neshta
C:\Windows\svchost.com	family_neshta
C:\odt\OFFICE~1.EXE	family_neshta
C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\armsvc.exe	family_neshta
C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE	family_neshta
C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe	family_neshta
C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	family_neshta
C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	family_neshta
C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	family_neshta
C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	family_neshta
C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	family_neshta
C:\Users\ALLUSE~1\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE	family_neshta
C:\Users\ALLUSE~1\Adobe\Setup\{AC76B~1\setup.exe	family_neshta
C:\Users\ALLUSE~1\PACKAG~1\{F4220~1\VC_RED~1.EXE	family_neshta
C:\Users\ALLUSE~1\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	family_neshta
C:\Users\ALLUSE~1\PACKAG~1\{CA675~1\VCREDI~1.EXE	family_neshta
C:\Windows\svchost.com	family_neshta

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

5954_1640339821_5793.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	5954_1640339821_5793.exe

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 8 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3568-123-0x0000000000160000-0x0000000000326000-memory.dmp	family_redline
behavioral1/memory/3568-124-0x0000000000160000-0x0000000000326000-memory.dmp	family_redline
behavioral1/memory/3568-130-0x0000000000160000-0x0000000000326000-memory.dmp	family_redline
behavioral1/memory/3568-128-0x0000000000160000-0x0000000000326000-memory.dmp	family_redline
behavioral1/memory/1428-218-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/1428-219-0x000000000041931A-mapping.dmp	family_redline
behavioral1/memory/1428-222-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/1428-223-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
suricata: ET MALWARE Amadey CnC Check-In
suricata: ET MALWARE Amadey CnC Check-In
suricata
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata
suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil
suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil
suricata

Arkei Stealer Payload 1 IoCs

stealer

Processes:

resource	yara_rule
behavioral1/memory/1796-216-0x0000000000400000-0x00000000004CA000-memory.dmp	family_arkei

Creates new service(s) 1 TTPs
persistence

New Service
T1050
Downloads MZ/PE file

Executes dropped EXE 26 IoCs

Processes:

BB4.exetrgdrjg153A.exetrgdrjg6D10.exe734B.exe81A3.exe856D.exe6D10.exe8A6F.exe8A6F.exevnmbpbbo.exeE571.exeF040.exemjlooy.exeFD31.exe214.exe85F.exe5954_1640339821_5793.exe5954_1640339821_5793.exesvchost.comtkools.exe214.exesvchost.comtaskhost.exemjlooy.exe

pid	process
3568	BB4.exe
580	trgdrjg
1604	153A.exe
956	trgdrjg
4092	6D10.exe
1280	734B.exe
1796	81A3.exe
1672	856D.exe
1552	6D10.exe
2640	8A6F.exe
1428	8A6F.exe
3944	vnmbpbbo.exe
3024	E571.exe
1068	F040.exe
2288	mjlooy.exe
1332	FD31.exe
1656	214.exe
3796	85F.exe
1468	5954_1640339821_5793.exe
2648	5954_1640339821_5793.exe
3412	svchost.com
1820	tkools.exe
736	214.exe
2092	svchost.com
1008	taskhost.exe
4288	mjlooy.exe

Modifies Installed Components in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Sets service image path in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112
Deletes itself 1 IoCs

Processes:

pid process

3064
Loads dropped DLL 3 IoCs

Processes:

81A3.exe

pid process

1796 81A3.exe
1796 81A3.exe
1796 81A3.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
3064

pid	process
1796	81A3.exe
1796	81A3.exe
1796	81A3.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

explorer.exe

description ioc process

File opened (read-only) \??\D: explorer.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

BB4.exe734B.exe

pid process

3568 BB4.exe
1280 734B.exe

description	ioc	process
File opened (read-only)	\??\D:	explorer.exe

Suspicious use of SetThreadContext 9 IoCs

Processes:

315b37aa7260dc7c5698da6353b2005a5d0bb5252ed52c7a005f0eaf1c649e3b.exetrgdrjg6D10.exe8A6F.exevnmbpbbo.exe214.exetaskhost.exe

description	pid	process	target process
PID 3204 set thread context of 2104	3204	315b37aa7260dc7c5698da6353b2005a5d0bb5252ed52c7a005f0eaf1c649e3b.exe	315b37aa7260dc7c5698da6353b2005a5d0bb5252ed52c7a005f0eaf1c649e3b.exe
PID 580 set thread context of 956	580	trgdrjg	trgdrjg
PID 4092 set thread context of 1552	4092	6D10.exe	6D10.exe
PID 2640 set thread context of 1428	2640	8A6F.exe	8A6F.exe
PID 3944 set thread context of 2988	3944	vnmbpbbo.exe	svchost.exe
PID 1656 set thread context of 736	1656	214.exe	214.exe
PID 1008 set thread context of 3984	1008	taskhost.exe	cvtres.exe
PID 1008 set thread context of 1160	1008	taskhost.exe	cvtres.exe
PID 1008 set thread context of 4112	1008	taskhost.exe	cvtres.exe

Drops file in Program Files directory 64 IoCs

Processes:

5954_1640339821_5793.exesvchost.com

description	ioc	process
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe	5954_1640339821_5793.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE	5954_1640339821_5793.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE	5954_1640339821_5793.exe
File opened for modification	C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE	5954_1640339821_5793.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	5954_1640339821_5793.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wab.exe	5954_1640339821_5793.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE	5954_1640339821_5793.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE	5954_1640339821_5793.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe	5954_1640339821_5793.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	svchost.com
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpshare.exe	5954_1640339821_5793.exe
File opened for modification	C:\PROGRA~2\WI8A19~1\ImagingDevices.exe	svchost.com
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	5954_1640339821_5793.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE	5954_1640339821_5793.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE	5954_1640339821_5793.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ExtExport.exe	svchost.com
File opened for modification	C:\PROGRA~2\WI54FB~1\wmlaunch.exe	5954_1640339821_5793.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmprph.exe	svchost.com
File opened for modification	C:\PROGRA~3\PACKAG~1\{F4220~1\VC_RED~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE	5954_1640339821_5793.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	svchost.com
File opened for modification	C:\PROGRA~2\WI54FB~1\setup_wm.exe	5954_1640339821_5793.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmprph.exe	5954_1640339821_5793.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE	5954_1640339821_5793.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	5954_1640339821_5793.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wabmig.exe	svchost.com
File opened for modification	C:\PROGRA~2\WINDOW~4\ACCESS~1\wordpad.exe	5954_1640339821_5793.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe	5954_1640339821_5793.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE	5954_1640339821_5793.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe	svchost.com
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE	5954_1640339821_5793.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	5954_1640339821_5793.exe
File opened for modification	C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	5954_1640339821_5793.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe	5954_1640339821_5793.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe	svchost.com
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE	5954_1640339821_5793.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpconfig.exe	svchost.com
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpconfig.exe	5954_1640339821_5793.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\ACCESS~1\wordpad.exe	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe	5954_1640339821_5793.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE	5954_1640339821_5793.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wabmig.exe	5954_1640339821_5793.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe	5954_1640339821_5793.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\INTERN~1\ExtExport.exe	5954_1640339821_5793.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmplayer.exe	5954_1640339821_5793.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe	svchost.com
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE	svchost.com

Drops file in Windows directory 10 IoCs

Processes:

5954_1640339821_5793.exesvchost.comsvchost.comexplorer.exeSearchUI.exeShellExperienceHost.exe

description	ioc	process
File opened for modification	C:\Windows\svchost.com	5954_1640339821_5793.exe
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File created	C:\Windows\rescache\_merged\4032412167\2701812693.pri	explorer.exe
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File created	C:\Windows\rescache\_merged\2717123927\1253081315.pri	explorer.exe
File created	C:\Windows\rescache\_merged\1601268389\1361672858.pri	SearchUI.exe
File created	C:\Windows\rescache\_merged\4183903823\97717462.pri	ShellExperienceHost.exe
File created	C:\Windows\rescache\_merged\4032412167\2701812693.pri	ShellExperienceHost.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid pid_target process target process

736 3984 WerFault.exe cvtres.exe
812 1160 WerFault.exe cvtres.exe
4232 4112 WerFault.exe cvtres.exe

pid	pid_target	process	target process
736	3984	WerFault.exe	cvtres.exe
812	1160	WerFault.exe	cvtres.exe
4232	4112	WerFault.exe	cvtres.exe

Checks SCSI registry key(s) 3 TTPs 19 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

6D10.exeexplorer.exe153A.exe315b37aa7260dc7c5698da6353b2005a5d0bb5252ed52c7a005f0eaf1c649e3b.exe

description	ioc	process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	6D10.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	153A.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	6D10.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	315b37aa7260dc7c5698da6353b2005a5d0bb5252ed52c7a005f0eaf1c649e3b.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	315b37aa7260dc7c5698da6353b2005a5d0bb5252ed52c7a005f0eaf1c649e3b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	explorer.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	315b37aa7260dc7c5698da6353b2005a5d0bb5252ed52c7a005f0eaf1c649e3b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	153A.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	153A.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	6D10.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Capabilities	explorer.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

81A3.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	81A3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	81A3.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2644 schtasks.exe
1588 schtasks.exe
Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

1624 timeout.exe
3780 timeout.exe

pid	process
2644	schtasks.exe
1588	schtasks.exe

pid	process
1624	timeout.exe
3780	timeout.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

SearchUI.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SearchUI.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SearchUI.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe

Modifies registry class 34 IoCs

Processes:

explorer.exeFD31.exeSearchUI.exe5954_1640339821_5793.exe5954_1640339821_5793.exeexplorer.exeexplorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\IconStreams = 14000000070000000100010005000000140000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b0072000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001c100000000000002000000e5070c004100720067006a006200650078002000200033000a005600610067007200650061007200670020006e007000700072006600660000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000074ae2078e323294282c1e41cb67d5b9c0000000000000000000000004c341a72b8f8d70100000000000000000000000000000d20feb05a007600700065006200660062007300670020004a0076006100710062006a006600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000020000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000640000000000000002000000e5070c004600630072006e0078007200650066003a002000360037002500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000000100000073ae2078e323294282c1e41cb67d5b9c000000000000000000000000154bd071b8f8d70100000000000000000000000000000d20feb05a007600700065006200660062007300670020004a0076006100710062006a006600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000030000007b00360051003800300039003300370037002d0036004e00530030002d003400340034004f002d0038003900350037002d004e00330037003700330053003000320032003000300052007d005c004a0076006100710062006a0066002000510072007300720061007100720065005c005a0046004e00460050006800760059002e0072006b007200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000640000000000000000000000e5070c004e0070006700760062006100660020006100720072007100720071002e00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000fffffffff9a6406d323dcb4f8a86be992e03dc760000000000000000000000006f514f2747ecd70100000000000000000000000000000d20feb05a007600700065006200660062007300670020004a0076006100710062006a006600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e5070c00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff75ae2078e323294282c1e41cb67d5b9c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e5070c00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff81ae2078e323294282c1e41cb67d5b9c00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	FD31.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\Total = "56"	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\Total = "23"	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	5954_1640339821_5793.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.cortana	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185"	SearchUI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.cortana	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana\ = "56"	SearchUI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	5954_1640339821_5793.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana\ = "23"	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\UserStartTime = "132834503240829740"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152"	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	explorer.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

explorer.exe

pid process

832 explorer.exe
832 explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

315b37aa7260dc7c5698da6353b2005a5d0bb5252ed52c7a005f0eaf1c649e3b.exe

pid	process
2104	315b37aa7260dc7c5698da6353b2005a5d0bb5252ed52c7a005f0eaf1c649e3b.exe
2104	315b37aa7260dc7c5698da6353b2005a5d0bb5252ed52c7a005f0eaf1c649e3b.exe
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3064
Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

315b37aa7260dc7c5698da6353b2005a5d0bb5252ed52c7a005f0eaf1c649e3b.exe153A.exe6D10.exe

pid process

2104 315b37aa7260dc7c5698da6353b2005a5d0bb5252ed52c7a005f0eaf1c649e3b.exe
1604 153A.exe
1552 6D10.exe
3064
3064
3064
3064

pid	process
3064

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

BB4.exe8A6F.exe734B.exe8A6F.exe214.exe85F.exeFD31.exe214.exe

description	pid	process
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeDebugPrivilege	3568	BB4.exe
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeDebugPrivilege	2640	8A6F.exe
Token: SeDebugPrivilege	1280	734B.exe
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeDebugPrivilege	1428	8A6F.exe
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeDebugPrivilege	1656	214.exe
Token: SeDebugPrivilege	3796	85F.exe
Token: SeDebugPrivilege	1332	FD31.exe
Token: SeDebugPrivilege	736	214.exe

Suspicious use of FindShellTrayWindow 37 IoCs

Processes:

explorer.exe

pid	process
832	explorer.exe
832	explorer.exe
832	explorer.exe
832	explorer.exe
3064
3064
832	explorer.exe
832	explorer.exe
832	explorer.exe
832	explorer.exe
832	explorer.exe
3064
832	explorer.exe
832	explorer.exe
832	explorer.exe
832	explorer.exe
832	explorer.exe
832	explorer.exe
832	explorer.exe
832	explorer.exe
832	explorer.exe
832	explorer.exe
832	explorer.exe
832	explorer.exe
832	explorer.exe
832	explorer.exe
832	explorer.exe
832	explorer.exe
3064
832	explorer.exe
832	explorer.exe
832	explorer.exe
832	explorer.exe
832	explorer.exe
832	explorer.exe
832	explorer.exe
832	explorer.exe

Suspicious use of SendNotifyMessage 21 IoCs

Processes:

explorer.exe

pid	process
832	explorer.exe
832	explorer.exe
832	explorer.exe
832	explorer.exe
832	explorer.exe
832	explorer.exe
832	explorer.exe
832	explorer.exe
832	explorer.exe
832	explorer.exe
832	explorer.exe
832	explorer.exe
832	explorer.exe
832	explorer.exe
832	explorer.exe
832	explorer.exe
832	explorer.exe
832	explorer.exe
832	explorer.exe
832	explorer.exe
3064

Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

ShellExperienceHost.exeSearchUI.exeexplorer.exe

pid process

3504 ShellExperienceHost.exe
4032 SearchUI.exe
3504 ShellExperienceHost.exe
832 explorer.exe
832 explorer.exe
832 explorer.exe
832 explorer.exe

pid	process
3504	ShellExperienceHost.exe
4032	SearchUI.exe
3504	ShellExperienceHost.exe
832	explorer.exe
832	explorer.exe
832	explorer.exe
832	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

315b37aa7260dc7c5698da6353b2005a5d0bb5252ed52c7a005f0eaf1c649e3b.exetrgdrjg6D10.exe8A6F.exe856D.exe

description	pid	process	target process
PID 3204 wrote to memory of 2104	3204	315b37aa7260dc7c5698da6353b2005a5d0bb5252ed52c7a005f0eaf1c649e3b.exe	315b37aa7260dc7c5698da6353b2005a5d0bb5252ed52c7a005f0eaf1c649e3b.exe
PID 3204 wrote to memory of 2104	3204	315b37aa7260dc7c5698da6353b2005a5d0bb5252ed52c7a005f0eaf1c649e3b.exe	315b37aa7260dc7c5698da6353b2005a5d0bb5252ed52c7a005f0eaf1c649e3b.exe
PID 3204 wrote to memory of 2104	3204	315b37aa7260dc7c5698da6353b2005a5d0bb5252ed52c7a005f0eaf1c649e3b.exe	315b37aa7260dc7c5698da6353b2005a5d0bb5252ed52c7a005f0eaf1c649e3b.exe
PID 3204 wrote to memory of 2104	3204	315b37aa7260dc7c5698da6353b2005a5d0bb5252ed52c7a005f0eaf1c649e3b.exe	315b37aa7260dc7c5698da6353b2005a5d0bb5252ed52c7a005f0eaf1c649e3b.exe
PID 3204 wrote to memory of 2104	3204	315b37aa7260dc7c5698da6353b2005a5d0bb5252ed52c7a005f0eaf1c649e3b.exe	315b37aa7260dc7c5698da6353b2005a5d0bb5252ed52c7a005f0eaf1c649e3b.exe
PID 3204 wrote to memory of 2104	3204	315b37aa7260dc7c5698da6353b2005a5d0bb5252ed52c7a005f0eaf1c649e3b.exe	315b37aa7260dc7c5698da6353b2005a5d0bb5252ed52c7a005f0eaf1c649e3b.exe
PID 3064 wrote to memory of 3568	3064		BB4.exe
PID 3064 wrote to memory of 3568	3064		BB4.exe
PID 3064 wrote to memory of 3568	3064		BB4.exe
PID 3064 wrote to memory of 1604	3064		153A.exe
PID 3064 wrote to memory of 1604	3064		153A.exe
PID 3064 wrote to memory of 1604	3064		153A.exe
PID 580 wrote to memory of 956	580	trgdrjg	trgdrjg
PID 580 wrote to memory of 956	580	trgdrjg	trgdrjg
PID 580 wrote to memory of 956	580	trgdrjg	trgdrjg
PID 580 wrote to memory of 956	580	trgdrjg	trgdrjg
PID 580 wrote to memory of 956	580	trgdrjg	trgdrjg
PID 580 wrote to memory of 956	580	trgdrjg	trgdrjg
PID 3064 wrote to memory of 4092	3064		6D10.exe
PID 3064 wrote to memory of 4092	3064		6D10.exe
PID 3064 wrote to memory of 4092	3064		6D10.exe
PID 3064 wrote to memory of 1280	3064		734B.exe
PID 3064 wrote to memory of 1280	3064		734B.exe
PID 3064 wrote to memory of 1280	3064		734B.exe
PID 3064 wrote to memory of 1796	3064		81A3.exe
PID 3064 wrote to memory of 1796	3064		81A3.exe
PID 3064 wrote to memory of 1796	3064		81A3.exe
PID 3064 wrote to memory of 1672	3064		856D.exe
PID 3064 wrote to memory of 1672	3064		856D.exe
PID 3064 wrote to memory of 1672	3064		856D.exe
PID 4092 wrote to memory of 1552	4092	6D10.exe	6D10.exe
PID 4092 wrote to memory of 1552	4092	6D10.exe	6D10.exe
PID 4092 wrote to memory of 1552	4092	6D10.exe	6D10.exe
PID 4092 wrote to memory of 1552	4092	6D10.exe	6D10.exe
PID 4092 wrote to memory of 1552	4092	6D10.exe	6D10.exe
PID 4092 wrote to memory of 1552	4092	6D10.exe	6D10.exe
PID 3064 wrote to memory of 2640	3064		8A6F.exe
PID 3064 wrote to memory of 2640	3064		8A6F.exe
PID 3064 wrote to memory of 2640	3064		8A6F.exe
PID 2640 wrote to memory of 1428	2640	8A6F.exe	8A6F.exe
PID 2640 wrote to memory of 1428	2640	8A6F.exe	8A6F.exe
PID 2640 wrote to memory of 1428	2640	8A6F.exe	8A6F.exe
PID 2640 wrote to memory of 1428	2640	8A6F.exe	8A6F.exe
PID 2640 wrote to memory of 1428	2640	8A6F.exe	8A6F.exe
PID 2640 wrote to memory of 1428	2640	8A6F.exe	8A6F.exe
PID 2640 wrote to memory of 1428	2640	8A6F.exe	8A6F.exe
PID 2640 wrote to memory of 1428	2640	8A6F.exe	8A6F.exe
PID 1672 wrote to memory of 4004	1672	856D.exe	cmd.exe
PID 1672 wrote to memory of 4004	1672	856D.exe	cmd.exe
PID 1672 wrote to memory of 4004	1672	856D.exe	cmd.exe
PID 1672 wrote to memory of 3800	1672	856D.exe	cmd.exe
PID 1672 wrote to memory of 3800	1672	856D.exe	cmd.exe
PID 1672 wrote to memory of 3800	1672	856D.exe	cmd.exe
PID 1672 wrote to memory of 2644	1672	856D.exe	sc.exe
PID 1672 wrote to memory of 2644	1672	856D.exe	sc.exe
PID 1672 wrote to memory of 2644	1672	856D.exe	sc.exe
PID 1672 wrote to memory of 3760	1672	856D.exe	sc.exe
PID 1672 wrote to memory of 3760	1672	856D.exe	sc.exe
PID 1672 wrote to memory of 3760	1672	856D.exe	sc.exe
PID 1672 wrote to memory of 1976	1672	856D.exe	sc.exe
PID 1672 wrote to memory of 1976	1672	856D.exe	sc.exe
PID 1672 wrote to memory of 1976	1672	856D.exe	sc.exe
PID 1672 wrote to memory of 2600	1672	856D.exe	netsh.exe
PID 1672 wrote to memory of 2600	1672	856D.exe	netsh.exe

outlook_office_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

outlook_win_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

C:\Users\Admin\AppData\Local\Temp\315b37aa7260dc7c5698da6353b2005a5d0bb5252ed52c7a005f0eaf1c649e3b.exe
"C:\Users\Admin\AppData\Local\Temp\315b37aa7260dc7c5698da6353b2005a5d0bb5252ed52c7a005f0eaf1c649e3b.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3204

C:\Users\Admin\AppData\Local\Temp\315b37aa7260dc7c5698da6353b2005a5d0bb5252ed52c7a005f0eaf1c649e3b.exe
"C:\Users\Admin\AppData\Local\Temp\315b37aa7260dc7c5698da6353b2005a5d0bb5252ed52c7a005f0eaf1c649e3b.exe"
2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2104

C:\Users\Admin\AppData\Local\Temp\BB4.exe
C:\Users\Admin\AppData\Local\Temp\BB4.exe
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:3568

C:\Users\Admin\AppData\Roaming\trgdrjg
C:\Users\Admin\AppData\Roaming\trgdrjg
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:580

C:\Users\Admin\AppData\Roaming\trgdrjg
C:\Users\Admin\AppData\Roaming\trgdrjg
2⤵
- Executes dropped EXE
PID:956

C:\Users\Admin\AppData\Local\Temp\153A.exe
C:\Users\Admin\AppData\Local\Temp\153A.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:1604

C:\Users\Admin\AppData\Local\Temp\6D10.exe
C:\Users\Admin\AppData\Local\Temp\6D10.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4092

C:\Users\Admin\AppData\Local\Temp\6D10.exe
C:\Users\Admin\AppData\Local\Temp\6D10.exe
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:1552

C:\Users\Admin\AppData\Local\Temp\734B.exe
C:\Users\Admin\AppData\Local\Temp\734B.exe
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:1280

C:\Users\Admin\AppData\Local\Temp\81A3.exe
C:\Users\Admin\AppData\Local\Temp\81A3.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
PID:1796

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\81A3.exe" & exit
2⤵
PID:3392

C:\Windows\SysWOW64\timeout.exe
timeout /t 5
3⤵
- Delays execution with timeout.exe
PID:1624

C:\Users\Admin\AppData\Local\Temp\856D.exe
C:\Users\Admin\AppData\Local\Temp\856D.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1672

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\nolsxmm\
2⤵
PID:4004

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\vnmbpbbo.exe" C:\Windows\SysWOW64\nolsxmm\
2⤵
PID:3800

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create nolsxmm binPath= "C:\Windows\SysWOW64\nolsxmm\vnmbpbbo.exe /d\"C:\Users\Admin\AppData\Local\Temp\856D.exe\"" type= own start= auto DisplayName= "wifi support"
2⤵
PID:2644

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" description nolsxmm "wifi internet conection"
2⤵
PID:3760

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start nolsxmm
2⤵
PID:1976

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
2⤵
PID:2600

C:\Users\Admin\AppData\Local\Temp\8A6F.exe
C:\Users\Admin\AppData\Local\Temp\8A6F.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2640

C:\Users\Admin\AppData\Local\Temp\8A6F.exe
C:\Users\Admin\AppData\Local\Temp\8A6F.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1428

C:\Windows\SysWOW64\nolsxmm\vnmbpbbo.exe
C:\Windows\SysWOW64\nolsxmm\vnmbpbbo.exe /d"C:\Users\Admin\AppData\Local\Temp\856D.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3944

C:\Windows\SysWOW64\svchost.exe
svchost.exe
2⤵
PID:2988

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
PID:1452

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:1468

C:\Users\Admin\AppData\Local\Temp\E571.exe
C:\Users\Admin\AppData\Local\Temp\E571.exe
1⤵
- Executes dropped EXE
PID:3024

C:\Users\Admin\AppData\Local\Temp\F040.exe
C:\Users\Admin\AppData\Local\Temp\F040.exe
1⤵
- Executes dropped EXE
PID:1068

C:\Users\Admin\AppData\Local\Temp\82aa4a6c48\mjlooy.exe
"C:\Users\Admin\AppData\Local\Temp\82aa4a6c48\mjlooy.exe"
2⤵
- Executes dropped EXE
PID:2288

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\82aa4a6c48\
3⤵
PID:588

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\82aa4a6c48\
4⤵
PID:1896

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN mjlooy.exe /TR "C:\Users\Admin\AppData\Local\Temp\82aa4a6c48\mjlooy.exe" /F
3⤵
- Creates scheduled task(s)
PID:2644

C:\Users\Admin\AppData\Local\Temp\FD31.exe
C:\Users\Admin\AppData\Local\Temp\FD31.exe
1⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1332

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "taskhost" /tr '"C:\Users\Admin\AppData\Roaming\taskhost.exe"' & exit
2⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2092

C:\Windows\SysWOW64\cmd.exe
C:\Windows\System32\cmd.exe /c schtasks /create /f /sc onlogon /rl highest /tn taskhost /tr '"C:\Users\Admin\AppData\Roaming\taskhost.exe"' & exit
3⤵
PID:1356

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn taskhost /tr '"C:\Users\Admin\AppData\Roaming\taskhost.exe"'
4⤵
- Creates scheduled task(s)
PID:1588

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp4B0A.tmp.bat""
2⤵
PID:2656

C:\Windows\SysWOW64\timeout.exe
timeout 3
3⤵
- Delays execution with timeout.exe
PID:3780

C:\Users\Admin\AppData\Roaming\taskhost.exe
"C:\Users\Admin\AppData\Roaming\taskhost.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1008

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
4⤵
- Enumerates connected drives
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:832

C:\Windows\system32\ctfmon.exe
ctfmon.exe
5⤵
PID:2548

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" Client 4448 dEykkSGjT
4⤵
PID:3984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3984 -s 708
5⤵
- Program crash
PID:736

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
4⤵
- Modifies registry class
PID:3704

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" Client 4448 dEykkSGjT
4⤵
PID:1160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1160 -s 708
5⤵
- Program crash
PID:812

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
4⤵
- Modifies registry class
PID:3388

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" Client 4448 dEykkSGjT
4⤵
PID:4104

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" Client 4448 dEykkSGjT
4⤵
PID:4112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4112 -s 708
5⤵
- Program crash
PID:4232

C:\Users\Admin\AppData\Local\Temp\214.exe
C:\Users\Admin\AppData\Local\Temp\214.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1656

C:\Users\Admin\AppData\Local\Temp\214.exe
C:\Users\Admin\AppData\Local\Temp\214.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:736

C:\Users\Admin\AppData\Local\Temp\85F.exe
C:\Users\Admin\AppData\Local\Temp\85F.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3796

C:\ProgramData\5954_1640339821_5793.exe
"C:\ProgramData\5954_1640339821_5793.exe"
2⤵
- Modifies system executable filetype association
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
PID:1468

C:\Users\Admin\AppData\Local\Temp\3582-490\5954_1640339821_5793.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\5954_1640339821_5793.exe"
3⤵
- Executes dropped EXE
- Modifies registry class
PID:2648

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\A0383E~1\tkools.exe"
4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
PID:3412

C:\Users\Admin\AppData\Local\Temp\A0383E~1\tkools.exe
C:\Users\Admin\AppData\Local\Temp\A0383E~1\tkools.exe
5⤵
- Executes dropped EXE
PID:1820

C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
1⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:3504

C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4032

C:\Users\Admin\AppData\Local\Temp\82aa4a6c48\mjlooy.exe
C:\Users\Admin\AppData\Local\Temp\82aa4a6c48\mjlooy.exe
1⤵
- Executes dropped EXE
PID:4288

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Change Default File Association

T1042

New Service

T1050

Registry Run Keys / Startup Folder

T1060

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

New Service

T1050

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE
MD5
bcd0f32f28d3c2ba8f53d1052d05252d

SHA1
c29b4591df930dabc1a4bd0fa2c0ad91500eafb2

SHA256
bb07d817b8b1b6b4c25e62b6120e51dec10118557d7b6b696ad084a5ba5bfdeb

SHA512
79f407735853f82f46870c52058ceee4d91857a89db14868ee1169abd5c0fd2e3fa1ed230ab90b5f479a9581b88998643d69b0df498defea29e73b0d487f3b10

Download Submit
C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\armsvc.exe
MD5
8db8df5afb216d89fcb0bdf24662c9b5

SHA1
f0819d096526f02b0f7c50b56cebd7c521600897

SHA256
bc9c19ede72076a2c8cc18a4b2305cabc999244fb92d471c87036bb796d3f89f

SHA512
dc63a71b6b04e89ecf744bf890c74caa11cb3525aeccaede6dafa72fa3eebd40b8d352651d0bc8b1deb0768a38e5c2660200cac84eec48ddab01beaa8c9c0bea

Download Submit
C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe
MD5
2d3cc5612a414f556f925a3c1cb6a1d6

SHA1
0fee45317280ed326e941cc2d0df848c4e74e894

SHA256
fe46de1265b6fe2e316aca33d7f7f45c6ffdf7c49a044b464fd9dc88ec92091b

SHA512
cc49b200adf92a915da6f9b73417543d4dcc77414e0c4bd2ce3bfdfc5d151e0b28249f8d64f6b7087cf8c3bab6aeeab5b152ac6199cb7cc63e64a66b4f03a9f5

Download Submit
C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE
MD5
cbd96ba6abe7564cb5980502eec0b5f6

SHA1
74e1fe1429cec3e91f55364e5cb8385a64bb0006

SHA256
405b8bd647fa703e233b8b609a18999abe465a8458168f1daf23197bd2ea36aa

SHA512
a551001853f6b93dfbc6cf6a681820af31330a19d5411076ff3dbce90937b3d92173085a15f29ebf56f2ef12a4e86860ac6723ebc89c98ea31ea7a6c7e3d7cdc

Download Submit
C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE
MD5
f2056a3543ba9b6b6dde4346614b7f82

SHA1
139129616c3a9025a5cb16f9ad69018246bd9e2d

SHA256
2bab7d64d5327ca21ffd13df88b30431d0b8c0dd6cad8f4bb4db33eeb2b37d1e

SHA512
e11d1c65e046a0a6817cec4d17df1b7f5849fdb5b95527fdef78f0c433294fd2186037116a581ec3a66b07f1ab75cd8e60e408005cd64bc5eacc61a582da0942

Download Submit
C:\PROGRA~2\MOZILL~1\UNINST~1.EXE
MD5
1533cd461da93c035e07338328a25a48

SHA1
c17a645ad8f7f80450b58f2237767527a28d43b9

SHA256
33f5a548c2edc528cfc4ccc53ee4f28fd231ed5187310b1e6bb68bc066352cb5

SHA512
6c34379fcd203abbc16045aac74a452d60cebe2361a8d0032d47527a4cba7826649e029c0645081db491c3723b03da519aca6fc7b1efa6f69a3a65fd424b7437

Download Submit
C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE
MD5
0d9146d70ac6a41ead1ea2d50d729508

SHA1
b9e6ff83a26aaf105640f5d5cdab213c989dc370

SHA256
0b876ddeefd88d5e98de7e409c5b6546ba8ffa195c168f9a4b6ba33b44d437ab

SHA512
c9394decfd469bfedd883095d604e11208aa290334ff5c0dce852f2ca74fba27c37ba2984dab8b27430e573681e22c9f903e53b01510a4b77d337cbd92c56cb3

Download Submit
C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE
MD5
8e7b72380cc9ee9bf35c0de5fde4ab3a

SHA1
c19151c331ab274bbf5f6792ca707eb8a7017dba

SHA256
d82ca304cf64be3922b12111c962e09a6ddb2b8477e25b6c3f0400eddc38c80b

SHA512
acff1c08f9c8443d0b0589f5a7d7cab532462788406feba64825fdd2addf5b6cc8e773713e93c98991afbc7e364233fe7cf0659574cebe2200f8f7f818bfe927

Download Submit
C:\ProgramData\5954_1640339821_5793.exe
MD5
05ac7818089aaed02ed5320d50f47132

SHA1
f9dfd169342637416bdc47d3d6ac6a31f062577f

SHA256
bd5a15ce7b5a16bde1c0a182285da7d47d64e2b1542d57947a139d5bd0a31e70

SHA512
1a32853839ca5b0cc1fbc45cbda944cc3681ff0c1e6bbe7e37cbeb60a2e7d400c214b85fd29c8fae72cd098e0bd312256a70d230e2404e2202b8d63c236fc53d

Download Submit
C:\ProgramData\5954_1640339821_5793.exe
MD5
05ac7818089aaed02ed5320d50f47132

SHA1
f9dfd169342637416bdc47d3d6ac6a31f062577f

SHA256
bd5a15ce7b5a16bde1c0a182285da7d47d64e2b1542d57947a139d5bd0a31e70

SHA512
1a32853839ca5b0cc1fbc45cbda944cc3681ff0c1e6bbe7e37cbeb60a2e7d400c214b85fd29c8fae72cd098e0bd312256a70d230e2404e2202b8d63c236fc53d

Download Submit
C:\Users\ALLUSE~1\Adobe\Setup\{AC76B~1\setup.exe
MD5
3bf259392097b2c212b621a52da03706

SHA1
c740b063803008e3d4bab51b8e2719c1f4027bf9

SHA256
79538fa3a6cf33b989d43e7311de4d7b0e1a99b60964e3acc00fa3cb49ff8160

SHA512
186a81ec6cfa4c6dbcb2dc51cbd647bf44328077b58575fafab920303ccf259322cd31fccc0bb23418293f1b88d7f21ab3f0d8e3f9af7db4b5d3f7c8978c7934

Download Submit
C:\Users\ALLUSE~1\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE
MD5
32853955255a94fcd7587ca9cbfe2b60

SHA1
c33a88184c09e89598f0cabf68ce91c8d5791521

SHA256
64df64b39ac4391aea14eb48b0489e6a970a3ea44c02c6a8f10c278cc0636330

SHA512
8566b69668729d70567ff494de8f241329baf2a7748ab0ebf5a53308c3e53e646100af4f6fc33325f3851030d11ff045a7e85e5897008e95c991990d8f80a997

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{CA675~1\VCREDI~1.EXE
MD5
0d9146d70ac6a41ead1ea2d50d729508

SHA1
b9e6ff83a26aaf105640f5d5cdab213c989dc370

SHA256
0b876ddeefd88d5e98de7e409c5b6546ba8ffa195c168f9a4b6ba33b44d437ab

SHA512
c9394decfd469bfedd883095d604e11208aa290334ff5c0dce852f2ca74fba27c37ba2984dab8b27430e573681e22c9f903e53b01510a4b77d337cbd92c56cb3

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{EF6B0~1\VCREDI~1.EXE
MD5
8e7b72380cc9ee9bf35c0de5fde4ab3a

SHA1
c19151c331ab274bbf5f6792ca707eb8a7017dba

SHA256
d82ca304cf64be3922b12111c962e09a6ddb2b8477e25b6c3f0400eddc38c80b

SHA512
acff1c08f9c8443d0b0589f5a7d7cab532462788406feba64825fdd2addf5b6cc8e773713e93c98991afbc7e364233fe7cf0659574cebe2200f8f7f818bfe927

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{F4220~1\VC_RED~1.EXE
MD5
fa982a173f9d3628c2b3ff62bd8a2f87

SHA1
2cfb18d542ae6b6cf5a1223f1a77defd9b91fa56

SHA256
bc5d80d05a1bd474cb5160782765bf973ba34ea25dedf7e96dfaf932b9935032

SHA512
95ca9066a2e5272494b8e234220b6028c14892679023ca70801475c38d341032363589375ec6ffc4cde3416dd88d0e3082d315f7beddccdf014122ddd0a90644

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\214.exe.log
MD5
605f809fab8c19729d39d075f7ffdb53

SHA1
c546f877c9bd53563174a90312a8337fdfc5fdd9

SHA256
6904d540649e76c55f99530b81be17e099184bb4cad415aa9b9b39cc3677f556

SHA512
82cc12c3186ae23884b8d5c104638c8206272c4389ade56b926dfc1d437b03888159b3c790b188b54d277a262e731927e703e680ea642e1417faee27443fd5b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\8A6F.exe.log
MD5
41fbed686f5700fc29aaccf83e8ba7fd

SHA1
5271bc29538f11e42a3b600c8dc727186e912456

SHA256
df4e9d012687cdabd15e86bf37be15d6c822e1f50dde530a02468f0006586437

SHA512
234b2235c1ced25810a4121c5eabcbf9f269e82c126a1adc363ee34478173f8b462e90eb53f5f11533641663350b90ec1e2360fd805b10c041fab12f4da7a034

Download Submit
C:\Users\Admin\AppData\Local\Temp\153A.exe
MD5
8a2c303f89d770da74298403ff6532a0

SHA1
2ad5d1cd0e7c0519824c59eea29c96ad19bda2cd

SHA256
ad81a89306826903162221826864ecb231b6a76721d1592d2f56801112f6eccd

SHA512
031cdcb63b902748b13b7dd977cb9e61a32881d0d11c2fe2162072c48be3122e72fd818d2a91695a13a2f112553487e301e8ac28b2e6afc0369b892db587d5b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\153A.exe
MD5
8a2c303f89d770da74298403ff6532a0

SHA1
2ad5d1cd0e7c0519824c59eea29c96ad19bda2cd

SHA256
ad81a89306826903162221826864ecb231b6a76721d1592d2f56801112f6eccd

SHA512
031cdcb63b902748b13b7dd977cb9e61a32881d0d11c2fe2162072c48be3122e72fd818d2a91695a13a2f112553487e301e8ac28b2e6afc0369b892db587d5b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\214.exe
MD5
20c0e8c83cd3162b4ddb26b49ba9bbf4

SHA1
770a05c226d2afc6903852dd4f75de8dc877e074

SHA256
907e64f8e086af51088e110a19a4fc2ed3ad100590affda6f1ec1251f38bc7aa

SHA512
0500a54f0e5fccf4d85fda36fcdc0a01f68d81d75787ffd29f412abec3c7b076f03586f74340696ddc2ee31efc26059bec34d46e4a66e43fe12e9e08d74ba7f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\214.exe
MD5
20c0e8c83cd3162b4ddb26b49ba9bbf4

SHA1
770a05c226d2afc6903852dd4f75de8dc877e074

SHA256
907e64f8e086af51088e110a19a4fc2ed3ad100590affda6f1ec1251f38bc7aa

SHA512
0500a54f0e5fccf4d85fda36fcdc0a01f68d81d75787ffd29f412abec3c7b076f03586f74340696ddc2ee31efc26059bec34d46e4a66e43fe12e9e08d74ba7f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\214.exe
MD5
20c0e8c83cd3162b4ddb26b49ba9bbf4

SHA1
770a05c226d2afc6903852dd4f75de8dc877e074

SHA256
907e64f8e086af51088e110a19a4fc2ed3ad100590affda6f1ec1251f38bc7aa

SHA512
0500a54f0e5fccf4d85fda36fcdc0a01f68d81d75787ffd29f412abec3c7b076f03586f74340696ddc2ee31efc26059bec34d46e4a66e43fe12e9e08d74ba7f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\5954_1640339821_5793.exe
MD5
47d324d0398317af1f842dd2a271c3f0

SHA1
045937d0083abe615ce4780684f500dfde4c550b

SHA256
0247ed2604b2aea96511a96de88d6925040d26bc7239ab05968caf64210b1b50

SHA512
ecfffe8d7eab4e627adc71ddc13cc9aaaf814fb76f9eaf9cfc11f9ecb6c4d3a653a7be67b803f47859bb0f475cf5eced2e9491c660bed4cc7cf6c7210c210823

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\5954_1640339821_5793.exe
MD5
47d324d0398317af1f842dd2a271c3f0

SHA1
045937d0083abe615ce4780684f500dfde4c550b

SHA256
0247ed2604b2aea96511a96de88d6925040d26bc7239ab05968caf64210b1b50

SHA512
ecfffe8d7eab4e627adc71ddc13cc9aaaf814fb76f9eaf9cfc11f9ecb6c4d3a653a7be67b803f47859bb0f475cf5eced2e9491c660bed4cc7cf6c7210c210823

Download Submit
C:\Users\Admin\AppData\Local\Temp\6D10.exe
MD5
f3a0c75fd4ce6d043729140db694c509

SHA1
1b7f2aa0bdfff0927d65beb8da1c88154019a6f3

SHA256
315b37aa7260dc7c5698da6353b2005a5d0bb5252ed52c7a005f0eaf1c649e3b

SHA512
ecd01f8639a1fefac4a7905873b2656933bffa1a46e29fbf8b520b0c58c050fbc7555c36f8d3c9323f4135e904209102d2515121a71377cc5dbb755a08abce45

Download Submit
C:\Users\Admin\AppData\Local\Temp\6D10.exe
MD5
f3a0c75fd4ce6d043729140db694c509

SHA1
1b7f2aa0bdfff0927d65beb8da1c88154019a6f3

SHA256
315b37aa7260dc7c5698da6353b2005a5d0bb5252ed52c7a005f0eaf1c649e3b

SHA512
ecd01f8639a1fefac4a7905873b2656933bffa1a46e29fbf8b520b0c58c050fbc7555c36f8d3c9323f4135e904209102d2515121a71377cc5dbb755a08abce45

Download Submit
C:\Users\Admin\AppData\Local\Temp\6D10.exe
MD5
f3a0c75fd4ce6d043729140db694c509

SHA1
1b7f2aa0bdfff0927d65beb8da1c88154019a6f3

SHA256
315b37aa7260dc7c5698da6353b2005a5d0bb5252ed52c7a005f0eaf1c649e3b

SHA512
ecd01f8639a1fefac4a7905873b2656933bffa1a46e29fbf8b520b0c58c050fbc7555c36f8d3c9323f4135e904209102d2515121a71377cc5dbb755a08abce45

Download Submit
C:\Users\Admin\AppData\Local\Temp\734B.exe
MD5
8338de0271b66e3b7645ca438bc7f5a8

SHA1
99d52c57a50f54b09aea454ce6076ce304c85616

SHA256
67903e33f989eeeffc38da6f4a1e510aa2078ffc058329b71d7af69ad26eda25

SHA512
0b380dd5b3f788d990a6992ce4222c8e2b4acca8e8ed78ba21a9339f7a2b38e27c60675d72c4ed29a7576eb9c06cc795e3e8aaf1bb494f6fd73a3d663ed0ae24

Download Submit
C:\Users\Admin\AppData\Local\Temp\734B.exe
MD5
8338de0271b66e3b7645ca438bc7f5a8

SHA1
99d52c57a50f54b09aea454ce6076ce304c85616

SHA256
67903e33f989eeeffc38da6f4a1e510aa2078ffc058329b71d7af69ad26eda25

SHA512
0b380dd5b3f788d990a6992ce4222c8e2b4acca8e8ed78ba21a9339f7a2b38e27c60675d72c4ed29a7576eb9c06cc795e3e8aaf1bb494f6fd73a3d663ed0ae24

Download Submit
C:\Users\Admin\AppData\Local\Temp\81A3.exe
MD5
77bae35ae557f8cfbd638ea9ff95d035

SHA1
1d0c8606b2d03ab6276f8e4b4b95154639c01382

SHA256
28393a3d4006cfc940ddfc7fa4d85d5f289d1e5089a11d286db53637aa8ede5b

SHA512
d34c842d4e567e7e7a693d21b9537617784855e1176e66acfb8f730b609b0de6db994dad7e8ef81074d04cc6c1f8d0d8b495ce3d6c00fea79086340f5d4aa09d

Download Submit
C:\Users\Admin\AppData\Local\Temp\81A3.exe
MD5
77bae35ae557f8cfbd638ea9ff95d035

SHA1
1d0c8606b2d03ab6276f8e4b4b95154639c01382

SHA256
28393a3d4006cfc940ddfc7fa4d85d5f289d1e5089a11d286db53637aa8ede5b

SHA512
d34c842d4e567e7e7a693d21b9537617784855e1176e66acfb8f730b609b0de6db994dad7e8ef81074d04cc6c1f8d0d8b495ce3d6c00fea79086340f5d4aa09d

Download Submit
C:\Users\Admin\AppData\Local\Temp\82aa4a6c48\mjlooy.exe
MD5
3540c2c6a3cc2fdc5b08130cf3a492bc

SHA1
9f4d9ed274b7aefb4461f846d474adba7df198a5

SHA256
e6e2ef0f47b7373c844f856058c23bd5465dd9f22ed073aff09bbb4fc145e2ea

SHA512
8a884231911f612119742dbc8055851be63c4ebb2b87e1ab908c7a1f498560a1f89f6718df5e87ed2a457153c3cd1b460a9def0e27be37ea9dbc1d97046e1f9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\82aa4a6c48\mjlooy.exe
MD5
3540c2c6a3cc2fdc5b08130cf3a492bc

SHA1
9f4d9ed274b7aefb4461f846d474adba7df198a5

SHA256
e6e2ef0f47b7373c844f856058c23bd5465dd9f22ed073aff09bbb4fc145e2ea

SHA512
8a884231911f612119742dbc8055851be63c4ebb2b87e1ab908c7a1f498560a1f89f6718df5e87ed2a457153c3cd1b460a9def0e27be37ea9dbc1d97046e1f9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\856D.exe
MD5
87932fa1d557c74300a77b71f8b09648

SHA1
86876d902ba2eff3cc526a20871b7cc84d8ffdc9

SHA256
691037d15e238c55e8284f57aadce1aeeb25009ce95a75617fdfa3734e4f4978

SHA512
663893eafa8a359532e665e3de1f8951ab1805ca5bd495ca1f92ca2becd50123a238d7a0dbe7e95dc79a04efd9a2bbbdb97127ae8cc652304be882b6e0ad3ab9

Download Submit
C:\Users\Admin\AppData\Local\Temp\856D.exe
MD5
87932fa1d557c74300a77b71f8b09648

SHA1
86876d902ba2eff3cc526a20871b7cc84d8ffdc9

SHA256
691037d15e238c55e8284f57aadce1aeeb25009ce95a75617fdfa3734e4f4978

SHA512
663893eafa8a359532e665e3de1f8951ab1805ca5bd495ca1f92ca2becd50123a238d7a0dbe7e95dc79a04efd9a2bbbdb97127ae8cc652304be882b6e0ad3ab9

Download Submit
C:\Users\Admin\AppData\Local\Temp\85F.exe
MD5
ac696ff26dae3d008a7f1a8a33a6c067

SHA1
0e450582db291be053ac6a4ccf722dc4441b1f2e

SHA256
44e08debeddf1bf932fd76e0fd0088eb196c036c92d662601ac8b55fe10528b9

SHA512
1e049cc4cdd0e6dc4f38771f271a8021ad5c771024ed9cc3aea787d184a976f84778fc127ff2ab67cb79e0621ddc60b4b872393f4fabb0dfceb977409f66c0c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\85F.exe
MD5
ac696ff26dae3d008a7f1a8a33a6c067

SHA1
0e450582db291be053ac6a4ccf722dc4441b1f2e

SHA256
44e08debeddf1bf932fd76e0fd0088eb196c036c92d662601ac8b55fe10528b9

SHA512
1e049cc4cdd0e6dc4f38771f271a8021ad5c771024ed9cc3aea787d184a976f84778fc127ff2ab67cb79e0621ddc60b4b872393f4fabb0dfceb977409f66c0c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\8A6F.exe
MD5
d37ada4c37879faaca26810efa63de83

SHA1
7f2c089d952985308eb0ce8ad26e9781ca7198d2

SHA256
4fdfb685505b7e84aed8b4dae35cea2dd0bcae94e3612832339230af970b5fa8

SHA512
439e417b6797af09ebab25932477ce66b376ed12348afc6baf1c6bb6f1dc5e0ba9e6f0ca8ba4cd554d3c8fa49c7f4fdae34cf994b7237e9459f6e9f1942876a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\8A6F.exe
MD5
d37ada4c37879faaca26810efa63de83

SHA1
7f2c089d952985308eb0ce8ad26e9781ca7198d2

SHA256
4fdfb685505b7e84aed8b4dae35cea2dd0bcae94e3612832339230af970b5fa8

SHA512
439e417b6797af09ebab25932477ce66b376ed12348afc6baf1c6bb6f1dc5e0ba9e6f0ca8ba4cd554d3c8fa49c7f4fdae34cf994b7237e9459f6e9f1942876a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\8A6F.exe
MD5
d37ada4c37879faaca26810efa63de83

SHA1
7f2c089d952985308eb0ce8ad26e9781ca7198d2

SHA256
4fdfb685505b7e84aed8b4dae35cea2dd0bcae94e3612832339230af970b5fa8

SHA512
439e417b6797af09ebab25932477ce66b376ed12348afc6baf1c6bb6f1dc5e0ba9e6f0ca8ba4cd554d3c8fa49c7f4fdae34cf994b7237e9459f6e9f1942876a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\A0383E~1\tkools.exe
MD5
47d324d0398317af1f842dd2a271c3f0

SHA1
045937d0083abe615ce4780684f500dfde4c550b

SHA256
0247ed2604b2aea96511a96de88d6925040d26bc7239ab05968caf64210b1b50

SHA512
ecfffe8d7eab4e627adc71ddc13cc9aaaf814fb76f9eaf9cfc11f9ecb6c4d3a653a7be67b803f47859bb0f475cf5eced2e9491c660bed4cc7cf6c7210c210823

Download Submit
C:\Users\Admin\AppData\Local\Temp\A0383E~1\tkools.exe
MD5
47d324d0398317af1f842dd2a271c3f0

SHA1
045937d0083abe615ce4780684f500dfde4c550b

SHA256
0247ed2604b2aea96511a96de88d6925040d26bc7239ab05968caf64210b1b50

SHA512
ecfffe8d7eab4e627adc71ddc13cc9aaaf814fb76f9eaf9cfc11f9ecb6c4d3a653a7be67b803f47859bb0f475cf5eced2e9491c660bed4cc7cf6c7210c210823

Download Submit
C:\Users\Admin\AppData\Local\Temp\BB4.exe
MD5
53baf2b70a6c0c7d018a7b128b273af0

SHA1
a20c953b3b655490f676bae75659c1cc2699bcb3

SHA256
07d0d9dda1d97f20683b43c5e8c21c5cddd546232876394d60a64cf692a27ff6

SHA512
038b479faa5606ce9bfe891e7ed66271d8bd61d36d6946cc44503497d5ef5284d5bb4622a2f02bb89cf009dc2f8c62025bec3f62e6275dd15c6e469575791e7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\BB4.exe
MD5
53baf2b70a6c0c7d018a7b128b273af0

SHA1
a20c953b3b655490f676bae75659c1cc2699bcb3

SHA256
07d0d9dda1d97f20683b43c5e8c21c5cddd546232876394d60a64cf692a27ff6

SHA512
038b479faa5606ce9bfe891e7ed66271d8bd61d36d6946cc44503497d5ef5284d5bb4622a2f02bb89cf009dc2f8c62025bec3f62e6275dd15c6e469575791e7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\E571.exe
MD5
c2840092e935583cce1e7b6d3a4b29f1

SHA1
992687dac9ced48e786796657bfa9f1017b7c2a1

SHA256
fd9df758b109ad226271791bbd507b9f058a7bad64c54d45486fc36df764cf12

SHA512
1cf4c6d06193e5a97129028eb2e9ae38f6305bb43124e2969f02be0bb3ef012129eb0944eec4431c8569ed6193cb0936737e753b017f4211bb7260851d51633d

Download Submit
C:\Users\Admin\AppData\Local\Temp\E571.exe
MD5
c2840092e935583cce1e7b6d3a4b29f1

SHA1
992687dac9ced48e786796657bfa9f1017b7c2a1

SHA256
fd9df758b109ad226271791bbd507b9f058a7bad64c54d45486fc36df764cf12

SHA512
1cf4c6d06193e5a97129028eb2e9ae38f6305bb43124e2969f02be0bb3ef012129eb0944eec4431c8569ed6193cb0936737e753b017f4211bb7260851d51633d

Download Submit
C:\Users\Admin\AppData\Local\Temp\F040.exe
MD5
3540c2c6a3cc2fdc5b08130cf3a492bc

SHA1
9f4d9ed274b7aefb4461f846d474adba7df198a5

SHA256
e6e2ef0f47b7373c844f856058c23bd5465dd9f22ed073aff09bbb4fc145e2ea

SHA512
8a884231911f612119742dbc8055851be63c4ebb2b87e1ab908c7a1f498560a1f89f6718df5e87ed2a457153c3cd1b460a9def0e27be37ea9dbc1d97046e1f9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\F040.exe
MD5
3540c2c6a3cc2fdc5b08130cf3a492bc

SHA1
9f4d9ed274b7aefb4461f846d474adba7df198a5

SHA256
e6e2ef0f47b7373c844f856058c23bd5465dd9f22ed073aff09bbb4fc145e2ea

SHA512
8a884231911f612119742dbc8055851be63c4ebb2b87e1ab908c7a1f498560a1f89f6718df5e87ed2a457153c3cd1b460a9def0e27be37ea9dbc1d97046e1f9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\FD31.exe
MD5
4d59d86cb3926ff9362b0ea8669fbe2b

SHA1
03eaf04fe47afa81a8f066035fafea30467c1b24

SHA256
e429e6a66da5bc155ae5a73ea2fb9d0b2a19d8356868a5a01398b7c6870c4c34

SHA512
b5b9de2da60cf7b4f665831506bdb36eaa45ef4e86170b47527fab05dde324e18da8fdcec242b521bc626c7b5f022af893dac3037d5bc99aca527e37e950a513

Download Submit
C:\Users\Admin\AppData\Local\Temp\FD31.exe
MD5
4d59d86cb3926ff9362b0ea8669fbe2b

SHA1
03eaf04fe47afa81a8f066035fafea30467c1b24

SHA256
e429e6a66da5bc155ae5a73ea2fb9d0b2a19d8356868a5a01398b7c6870c4c34

SHA512
b5b9de2da60cf7b4f665831506bdb36eaa45ef4e86170b47527fab05dde324e18da8fdcec242b521bc626c7b5f022af893dac3037d5bc99aca527e37e950a513

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4B0A.tmp.bat
MD5
18359093dbade069a6cf6371481186f6

SHA1
3b58731a9409b3802d6bc03b3cf78a55c324951f

SHA256
bcce77a10c09e522c6df2599071e4dbf41e819797d3dfc47a3d03f5bd1f4ef74

SHA512
f4faf45c5b7b72d8006222d775bbbaa66c982d5bc3f0452761bfc68ae68f024f62bea4fd3a9126ee2a6b69845d78f82109e374acdc39547f1949e96dcc42e30f

Download Submit
C:\Users\Admin\AppData\Local\Temp\vnmbpbbo.exe
MD5
a07cd993564d86e8806b5c075cbff0be

SHA1
55c298cbf9b182b203eca0fcc989c10d8cdc34c3

SHA256
9f4809f53d4b12af8bf95b8bdc8ccdc0fa9256b587dfe59d7cf6291472aabc67

SHA512
8ddfddb7fde68a1acbb72f8846749846c0f31f471a95ecc65b2b386b4c7b033d5aa34ad99759a9447ba6d628f1a8c3019f971374774bd2ce343a2d097ebf9a31

Download Submit
C:\Users\Admin\AppData\Roaming\trgdrjg
MD5
f3a0c75fd4ce6d043729140db694c509

SHA1
1b7f2aa0bdfff0927d65beb8da1c88154019a6f3

SHA256
315b37aa7260dc7c5698da6353b2005a5d0bb5252ed52c7a005f0eaf1c649e3b

SHA512
ecd01f8639a1fefac4a7905873b2656933bffa1a46e29fbf8b520b0c58c050fbc7555c36f8d3c9323f4135e904209102d2515121a71377cc5dbb755a08abce45

Download Submit
C:\Users\Admin\AppData\Roaming\trgdrjg
MD5
f3a0c75fd4ce6d043729140db694c509

SHA1
1b7f2aa0bdfff0927d65beb8da1c88154019a6f3

SHA256
315b37aa7260dc7c5698da6353b2005a5d0bb5252ed52c7a005f0eaf1c649e3b

SHA512
ecd01f8639a1fefac4a7905873b2656933bffa1a46e29fbf8b520b0c58c050fbc7555c36f8d3c9323f4135e904209102d2515121a71377cc5dbb755a08abce45

Download Submit
C:\Users\Admin\AppData\Roaming\trgdrjg
MD5
f3a0c75fd4ce6d043729140db694c509

SHA1
1b7f2aa0bdfff0927d65beb8da1c88154019a6f3

SHA256
315b37aa7260dc7c5698da6353b2005a5d0bb5252ed52c7a005f0eaf1c649e3b

SHA512
ecd01f8639a1fefac4a7905873b2656933bffa1a46e29fbf8b520b0c58c050fbc7555c36f8d3c9323f4135e904209102d2515121a71377cc5dbb755a08abce45

Download Submit
C:\Windows\SysWOW64\nolsxmm\vnmbpbbo.exe
MD5
a07cd993564d86e8806b5c075cbff0be

SHA1
55c298cbf9b182b203eca0fcc989c10d8cdc34c3

SHA256
9f4809f53d4b12af8bf95b8bdc8ccdc0fa9256b587dfe59d7cf6291472aabc67

SHA512
8ddfddb7fde68a1acbb72f8846749846c0f31f471a95ecc65b2b386b4c7b033d5aa34ad99759a9447ba6d628f1a8c3019f971374774bd2ce343a2d097ebf9a31

Download Submit
C:\Windows\directx.sys
MD5
8e966011732995cd7680a1caa974fd57

SHA1
2b22d69074bfa790179858cc700a7cbfd01ca557

SHA256
97d597793ec8307b71f3cfb8a6754be45bf4c548914367f4dc9af315c3a93d9b

SHA512
892da55e0f4b3ff983019c11d58809fdcb8695d79c617ddc6251791308ee013bf097d1b4a7541140f7a01c56038a804974a4f154cc1b26e80e5cf5c07adf227c

Download Submit
C:\Windows\svchost.com
MD5
36fd5e09c417c767a952b4609d73a54b

SHA1
299399c5a2403080a5bf67fb46faec210025b36d

SHA256
980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2

SHA512
1813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92

Download Submit
C:\Windows\svchost.com
MD5
36fd5e09c417c767a952b4609d73a54b

SHA1
299399c5a2403080a5bf67fb46faec210025b36d

SHA256
980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2

SHA512
1813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92

Download Submit
C:\Windows\svchost.com
MD5
36fd5e09c417c767a952b4609d73a54b

SHA1
299399c5a2403080a5bf67fb46faec210025b36d

SHA256
980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2

SHA512
1813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92

Download Submit
C:\odt\OFFICE~1.EXE
MD5
02c3d242fe142b0eabec69211b34bc55

SHA1
ea0a4a6d6078b362f7b3a4ad1505ce49957dc16e

SHA256
2a1ed24be7e3859b46ec3ebc316789ead5f12055853f86a9656e04b4bb771842

SHA512
0efb08492eaaa2e923beddc21566e98fbbef3a102f9415ff310ec616f5c84fd2ba3a7025b05e01c0bdf37e5e2f64dfd845f9254a376144cc7d827e7577dbb099

Download Submit
\ProgramData\mozglue.dll
MD5
8f73c08a9660691143661bf7332c3c27

SHA1
37fa65dd737c50fda710fdbde89e51374d0c204a

SHA256
3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

SHA512
0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

Download Submit
\ProgramData\nss3.dll
MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
\ProgramData\sqlite3.dll
MD5
e477a96c8f2b18d6b5c27bde49c990bf

SHA1
e980c9bf41330d1e5bd04556db4646a0210f7409

SHA256
16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660

SHA512
335a86268e7c0e568b1c30981ec644e6cd332e66f96d2551b58a82515316693c1859d87b4f4b7310cf1ac386cee671580fdd999c3bcb23acf2c2282c01c8798c

Download Submit
memory/588-288-0x0000000000000000-mapping.dmp

Download
memory/736-324-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/736-325-0x00000000004191CE-mapping.dmp

Download
memory/832-387-0x0000000000000000-mapping.dmp

Download
memory/832-400-0x0000000000EA0000-0x0000000000EA1000-memory.dmp

Filesize
4KB

Download
memory/956-151-0x0000000000402F47-mapping.dmp

Download
memory/1008-374-0x0000000000000000-mapping.dmp

Download
memory/1068-269-0x0000000000000000-mapping.dmp

Download
memory/1160-409-0x0000000004CD0000-0x0000000004CD1000-memory.dmp

Filesize
4KB

Download
memory/1160-404-0x0000000004CD0000-0x0000000004CD1000-memory.dmp

Filesize
4KB

Download
memory/1160-406-0x0000000004CD0000-0x0000000004CD1000-memory.dmp

Filesize
4KB

Download
memory/1160-405-0x0000000004CD0000-0x0000000004CD1000-memory.dmp

Filesize
4KB

Download
memory/1160-403-0x00000000006BAE86-mapping.dmp

Download
memory/1280-183-0x0000000005640000-0x000000000568B000-memory.dmp

Filesize
300KB

Download
memory/1280-212-0x00000000076E0000-0x0000000007C0C000-memory.dmp

Filesize
5.2MB

Download
memory/1280-177-0x00000000056F0000-0x00000000057FA000-memory.dmp

Filesize
1.0MB

Download
memory/1280-173-0x0000000000920000-0x0000000000AD2000-memory.dmp

Filesize
1.7MB

Download
memory/1280-164-0x0000000000000000-mapping.dmp

Download
memory/1280-172-0x0000000000920000-0x0000000000AD2000-memory.dmp

Filesize
1.7MB

Download
memory/1280-176-0x0000000003580000-0x0000000003592000-memory.dmp

Filesize
72KB

Download
memory/1280-174-0x0000000071BF0000-0x0000000071C70000-memory.dmp

Filesize
512KB

Download
memory/1280-206-0x0000000005960000-0x00000000059D6000-memory.dmp

Filesize
472KB

Download
memory/1280-205-0x0000000006810000-0x0000000006D0E000-memory.dmp

Filesize
5.0MB

Download
memory/1280-207-0x0000000005A80000-0x0000000005B12000-memory.dmp

Filesize
584KB

Download
memory/1280-209-0x0000000005A60000-0x0000000005A7E000-memory.dmp

Filesize
120KB

Download
memory/1280-181-0x00000000056E0000-0x00000000056E1000-memory.dmp

Filesize
4KB

Download
memory/1280-210-0x0000000005C20000-0x0000000005C86000-memory.dmp

Filesize
408KB

Download
memory/1280-211-0x0000000006FE0000-0x00000000071A2000-memory.dmp

Filesize
1.8MB

Download
memory/1280-180-0x00000000766F0000-0x0000000076C74000-memory.dmp

Filesize
5.5MB

Download
memory/1280-214-0x0000000006F80000-0x0000000006FD0000-memory.dmp

Filesize
320KB

Download
memory/1280-175-0x0000000005D00000-0x0000000006306000-memory.dmp

Filesize
6.0MB

Download
memory/1280-184-0x000000006FE40000-0x000000006FE8B000-memory.dmp

Filesize
300KB

Download
memory/1280-182-0x0000000074110000-0x0000000075458000-memory.dmp

Filesize
19.3MB

Download
memory/1280-178-0x0000000005600000-0x000000000563E000-memory.dmp

Filesize
248KB

Download
memory/1280-171-0x0000000075BF0000-0x0000000075CE1000-memory.dmp

Filesize
964KB

Download
memory/1280-179-0x00000000029C0000-0x0000000002A05000-memory.dmp

Filesize
276KB

Download
memory/1280-167-0x0000000000920000-0x0000000000AD2000-memory.dmp

Filesize
1.7MB

Download
memory/1280-168-0x0000000000F00000-0x0000000000F01000-memory.dmp

Filesize
4KB

Download
memory/1280-169-0x0000000000920000-0x0000000000AD2000-memory.dmp

Filesize
1.7MB

Download
memory/1280-170-0x0000000075D80000-0x0000000075F42000-memory.dmp

Filesize
1.8MB

Download
memory/1332-281-0x0000000000000000-mapping.dmp

Download
memory/1356-369-0x0000000000000000-mapping.dmp

Download
memory/1428-227-0x0000000004D70000-0x0000000004DAE000-memory.dmp

Filesize
248KB

Download
memory/1428-228-0x0000000004DD0000-0x0000000004E1B000-memory.dmp

Filesize
300KB

Download
memory/1428-226-0x0000000004E40000-0x0000000004F4A000-memory.dmp

Filesize
1.0MB

Download
memory/1428-223-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1428-219-0x000000000041931A-mapping.dmp

Download
memory/1428-233-0x0000000004CB0000-0x00000000052B6000-memory.dmp

Filesize
6.0MB

Download
memory/1428-225-0x0000000004D10000-0x0000000004D22000-memory.dmp

Filesize
72KB

Download
memory/1428-224-0x00000000052C0000-0x00000000058C6000-memory.dmp

Filesize
6.0MB

Download
memory/1428-218-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1428-222-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1452-241-0x0000000000000000-mapping.dmp

Download
memory/1452-243-0x0000000002C00000-0x0000000002C74000-memory.dmp

Filesize
464KB

Download
memory/1452-244-0x0000000002930000-0x000000000299B000-memory.dmp

Filesize
428KB

Download
memory/1468-311-0x0000000000000000-mapping.dmp

Download
memory/1468-242-0x0000000000000000-mapping.dmp

Download
memory/1468-245-0x00000000006E0000-0x00000000006E7000-memory.dmp

Filesize
28KB

Download
memory/1468-246-0x00000000006D0000-0x00000000006DC000-memory.dmp

Filesize
48KB

Download
memory/1552-193-0x0000000000402F47-mapping.dmp

Download
memory/1588-372-0x0000000000000000-mapping.dmp

Download
memory/1604-147-0x0000000000820000-0x00000000008CE000-memory.dmp

Filesize
696KB

Download
memory/1604-148-0x0000000000400000-0x0000000000812000-memory.dmp

Filesize
4.1MB

Download
memory/1604-146-0x0000000000030000-0x0000000000038000-memory.dmp

Filesize
32KB

Download
memory/1604-141-0x0000000000000000-mapping.dmp

Download
memory/1624-265-0x0000000000000000-mapping.dmp

Download
memory/1656-297-0x0000000000000000-mapping.dmp

Download
memory/1672-188-0x0000000000000000-mapping.dmp

Download
memory/1672-232-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/1672-231-0x0000000000650000-0x0000000000663000-memory.dmp

Filesize
76KB

Download
memory/1796-185-0x0000000000000000-mapping.dmp

Download
memory/1796-215-0x00000000004D0000-0x000000000057E000-memory.dmp

Filesize
696KB

Download
memory/1796-216-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download
memory/1820-321-0x0000000000000000-mapping.dmp

Download
memory/1896-290-0x0000000000000000-mapping.dmp

Download
memory/1976-238-0x0000000000000000-mapping.dmp

Download
memory/2092-366-0x0000000000000000-mapping.dmp

Download
memory/2104-117-0x0000000000402F47-mapping.dmp

Download
memory/2104-116-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2288-272-0x0000000000000000-mapping.dmp

Download
memory/2548-388-0x0000000000000000-mapping.dmp

Download
memory/2600-240-0x0000000000000000-mapping.dmp

Download
memory/2640-203-0x0000000005180000-0x000000000519E000-memory.dmp

Filesize
120KB

Download
memory/2640-196-0x0000000000000000-mapping.dmp

Download
memory/2640-200-0x0000000000930000-0x00000000009BC000-memory.dmp

Filesize
560KB

Download
memory/2640-199-0x0000000000930000-0x00000000009BC000-memory.dmp

Filesize
560KB

Download
memory/2640-201-0x0000000005250000-0x00000000052C6000-memory.dmp

Filesize
472KB

Download
memory/2640-202-0x00000000051C0000-0x00000000051C1000-memory.dmp

Filesize
4KB

Download
memory/2640-204-0x0000000002AB0000-0x0000000002AB1000-memory.dmp

Filesize
4KB

Download
memory/2640-208-0x0000000005A50000-0x0000000005F4E000-memory.dmp

Filesize
5.0MB

Download
memory/2644-236-0x0000000000000000-mapping.dmp

Download
memory/2644-289-0x0000000000000000-mapping.dmp

Download
memory/2648-314-0x0000000000000000-mapping.dmp

Download
memory/2656-370-0x0000000000000000-mapping.dmp

Download
memory/2988-256-0x0000000000470000-0x0000000000471000-memory.dmp

Filesize
4KB

Download
memory/2988-255-0x0000000000470000-0x0000000000471000-memory.dmp

Filesize
4KB

Download
memory/2988-253-0x0000000000560000-0x0000000000575000-memory.dmp

Filesize
84KB

Download
memory/2988-254-0x0000000000569A6B-mapping.dmp

Download
memory/3024-287-0x0000000000400000-0x0000000000885000-memory.dmp

Filesize
4.5MB

Download
memory/3024-266-0x0000000000000000-mapping.dmp

Download
memory/3064-230-0x0000000004440000-0x0000000004456000-memory.dmp

Filesize
88KB

Download
memory/3064-160-0x0000000002740000-0x0000000002756000-memory.dmp

Filesize
88KB

Download
memory/3064-119-0x0000000000930000-0x0000000000946000-memory.dmp

Filesize
88KB

Download
memory/3204-118-0x00000000001D0000-0x00000000001D9000-memory.dmp

Filesize
36KB

Download
memory/3388-413-0x0000000000000000-mapping.dmp

Download
memory/3392-264-0x0000000000000000-mapping.dmp

Download
memory/3412-317-0x0000000000000000-mapping.dmp

Download
memory/3568-134-0x0000000005E10000-0x0000000006416000-memory.dmp

Filesize
6.0MB

Download
memory/3568-137-0x0000000005780000-0x00000000057BE000-memory.dmp

Filesize
248KB

Download
memory/3568-124-0x0000000000160000-0x0000000000326000-memory.dmp

Filesize
1.8MB

Download
memory/3568-159-0x00000000078F0000-0x0000000007E1C000-memory.dmp

Filesize
5.2MB

Download
memory/3568-158-0x00000000071F0000-0x00000000073B2000-memory.dmp

Filesize
1.8MB

Download
memory/3568-157-0x0000000006760000-0x000000000677E000-memory.dmp

Filesize
120KB

Download
memory/3568-156-0x00000000067C0000-0x0000000006852000-memory.dmp

Filesize
584KB

Download
memory/3568-155-0x00000000066A0000-0x0000000006716000-memory.dmp

Filesize
472KB

Download
memory/3568-154-0x0000000006A20000-0x0000000006F1E000-memory.dmp

Filesize
5.0MB

Download
memory/3568-153-0x0000000005AA0000-0x0000000005B06000-memory.dmp

Filesize
408KB

Download
memory/3568-145-0x000000006FD90000-0x000000006FDDB000-memory.dmp

Filesize
300KB

Download
memory/3568-144-0x0000000005800000-0x000000000584B000-memory.dmp

Filesize
300KB

Download
memory/3568-140-0x0000000074110000-0x0000000075458000-memory.dmp

Filesize
19.3MB

Download
memory/3568-139-0x00000000766F0000-0x0000000076C74000-memory.dmp

Filesize
5.5MB

Download
memory/3568-138-0x00000000057F0000-0x00000000057F1000-memory.dmp

Filesize
4KB

Download
memory/3568-123-0x0000000000160000-0x0000000000326000-memory.dmp

Filesize
1.8MB

Download
memory/3568-136-0x0000000005910000-0x0000000005A1A000-memory.dmp

Filesize
1.0MB

Download
memory/3568-135-0x0000000005720000-0x0000000005732000-memory.dmp

Filesize
72KB

Download
memory/3568-120-0x0000000000000000-mapping.dmp

Download
memory/3568-125-0x0000000001020000-0x0000000001021000-memory.dmp

Filesize
4KB

Download
memory/3568-131-0x0000000071BF0000-0x0000000071C70000-memory.dmp

Filesize
512KB

Download
memory/3568-128-0x0000000000160000-0x0000000000326000-memory.dmp

Filesize
1.8MB

Download
memory/3568-130-0x0000000000160000-0x0000000000326000-memory.dmp

Filesize
1.8MB

Download
memory/3568-126-0x0000000075D80000-0x0000000075F42000-memory.dmp

Filesize
1.8MB

Download
memory/3568-129-0x0000000002CB0000-0x0000000002CF5000-memory.dmp

Filesize
276KB

Download
memory/3568-127-0x0000000075BF0000-0x0000000075CE1000-memory.dmp

Filesize
964KB

Download
memory/3704-401-0x0000000000000000-mapping.dmp

Download
memory/3760-237-0x0000000000000000-mapping.dmp

Download
memory/3780-373-0x0000000000000000-mapping.dmp

Download
memory/3796-304-0x0000000000000000-mapping.dmp

Download
memory/3800-234-0x0000000000000000-mapping.dmp

Download
memory/3944-252-0x0000000000571000-0x0000000000581000-memory.dmp

Filesize
64KB

Download
memory/3984-393-0x0000000004A90000-0x0000000004A91000-memory.dmp

Filesize
4KB

Download
memory/3984-396-0x0000000004A90000-0x0000000004A91000-memory.dmp

Filesize
4KB

Download
memory/3984-392-0x0000000004A90000-0x0000000004A91000-memory.dmp

Filesize
4KB

Download
memory/3984-391-0x0000000004A90000-0x0000000004A91000-memory.dmp

Filesize
4KB

Download
memory/3984-390-0x00000000006BAE86-mapping.dmp

Download
memory/3984-389-0x0000000000400000-0x00000000006C0000-memory.dmp

Filesize
2.8MB

Download
memory/4004-229-0x0000000000000000-mapping.dmp

Download
memory/4092-195-0x00000000004D0000-0x000000000057E000-memory.dmp

Filesize
696KB

Download
memory/4092-161-0x0000000000000000-mapping.dmp

Download
memory/4112-415-0x00000000006BAE86-mapping.dmp

Download
memory/4112-416-0x0000000004B30000-0x0000000004B31000-memory.dmp

Filesize
4KB

Download
memory/4112-417-0x0000000004B30000-0x0000000004B31000-memory.dmp

Filesize
4KB

Download
memory/4112-418-0x0000000004B30000-0x0000000004B31000-memory.dmp

Filesize
4KB

Download
memory/4112-421-0x0000000004B30000-0x0000000004B31000-memory.dmp

Filesize
4KB

Download