glupteba | eac6ec97c8727be7456888ace095fab5101e2b498020180d2b6003f984dca525

Analysis

max time kernel
151s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220310-en
submitted
13-03-2022 11:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eac6ec97c8727be7456888ace095fab5101e2b498020180d2b6003f984dca525.exe
Size

9.2MB
MD5

46883c181cb780d26026a36ede0b7ac1
SHA1

8529b955b7a1a7c83a659e97fda0911f09988dd8
SHA256

eac6ec97c8727be7456888ace095fab5101e2b498020180d2b6003f984dca525
SHA512

fced215480de81d88cdcb86f9c2e145176fe0ca814df44169833a7202a6edd86f90319ff1a51be93c14ec4c4f94467274d2dfc2b14a23d11a47d9e0044f287c4

Malware Config

Extracted

Family

socelars

http://www.iyiqian.com/

http://www.xxhufdc.top/

http://www.uefhkice.xyz/

http://www.fcektsy.top/

Extracted

Family

metasploit

Version

windows/single_exec

Extracted

Family

vidar

Version

39.8

Botnet

933

https://xeronxikxxx.tumblr.com/

Attributes

profile_id
933

Extracted

Family

smokeloader

Version

2020

http://aucmoney.com/upload/

http://thegymmum.com/upload/

http://atvcampingtrips.com/upload/

http://kuapakualaman.com/upload/

http://renatazarazua.com/upload/

http://nasufmutlu.com/upload/

rc4.i32

Extracted

Family

raccoon

Version

1.7.3

Botnet

92be0387873e54dd629b9bfa972c3a9a88e6726c

Attributes

url4cnc
https://t.me/gishsunsetman

rc4.plain

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba Payload 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1528-176-0x0000000005210000-0x0000000005B36000-memory.dmp	family_glupteba
behavioral2/memory/1528-178-0x0000000000400000-0x0000000003098000-memory.dmp	family_glupteba
behavioral2/memory/4072-239-0x0000000000400000-0x0000000003098000-memory.dmp	family_glupteba
behavioral2/memory/3404-251-0x0000000000400000-0x0000000003098000-memory.dmp	family_glupteba

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rUNdlL32.eXe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4924 4500 rUNdlL32.eXe
Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4924	4500	rUNdlL32.eXe

Raccoon Stealer Payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3592-246-0x0000000000400000-0x0000000000495000-memory.dmp	family_raccoon
behavioral2/memory/3592-248-0x0000000000400000-0x0000000000495000-memory.dmp	family_raccoon
behavioral2/memory/3592-249-0x0000000000400000-0x0000000000495000-memory.dmp	family_raccoon

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

Socelars Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Install.exe	family_socelars
C:\Users\Admin\AppData\Local\Temp\Install.exe	family_socelars

Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

Processes:

svchost.exe

description pid process target process

PID 4836 created 1528 4836 svchost.exe Info.exe
PID 4836 created 3404 4836 svchost.exe csrss.exe
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
suricata

description	pid	process	target process
PID 4836 created 1528	4836	svchost.exe	Info.exe
PID 4836 created 3404	4836	svchost.exe	csrss.exe

Vidar Stealer 2 IoCs

stealer

Processes:

resource	yara_rule
behavioral2/memory/4116-185-0x0000000003110000-0x00000000031AD000-memory.dmp	family_vidar
behavioral2/memory/4116-186-0x0000000000400000-0x000000000146C000-memory.dmp	family_vidar

Executes dropped EXE 18 IoCs

Processes:

Files.exeKRSetp.exeInstall.exejfiag3g_gg.exeFolder.exeFolder.exeInfo.execleanpro22.exepub2.exejamesdirect.exeLitever01.exeComplete.exemd9_1sjm.exejfiag3g_gg.exeInfo.execsrss.exejamesdirect.exeinjector.exe

pid	process
3916	Files.exe
3152	KRSetp.exe
1360	Install.exe
4236	jfiag3g_gg.exe
2364	Folder.exe
4744	Folder.exe
1528	Info.exe
5060	cleanpro22.exe
1672	pub2.exe
4136	jamesdirect.exe
4116	Litever01.exe
4632	Complete.exe
5080	md9_1sjm.exe
3568	jfiag3g_gg.exe
4072	Info.exe
3404	csrss.exe
3592	jamesdirect.exe
3208	injector.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe	vmprotect
C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe	vmprotect
behavioral2/memory/5080-173-0x0000000000400000-0x000000000060D000-memory.dmp	vmprotect

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

cleanpro22.exeeac6ec97c8727be7456888ace095fab5101e2b498020180d2b6003f984dca525.exeFolder.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation	cleanpro22.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation	eac6ec97c8727be7456888ace095fab5101e2b498020180d2b6003f984dca525.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation	Folder.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

2856 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
2856	rundll32.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Files.exeInfo.exemsedge.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\haleng = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haleng.ex"	Files.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HiddenMoon = "\"C:\\Windows\\rss\\csrss.exe\""	Info.exe
Key created	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

md9_1sjm.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA md9_1sjm.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

9 ip-api.com
19 ipinfo.io
20 ipinfo.io
26 ipinfo.io
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
Suspicious use of SetThreadContext 1 IoCs

Processes:

jamesdirect.exe

description pid process target process

PID 4136 set thread context of 3592 4136 jamesdirect.exe jamesdirect.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	md9_1sjm.exe

flow	ioc
9	ip-api.com
19	ipinfo.io
20	ipinfo.io
26	ipinfo.io

description	pid	process	target process
PID 4136 set thread context of 3592	4136	jamesdirect.exe	jamesdirect.exe

Drops file in Program Files directory 2 IoCs

Processes:

setup.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\921ee97b-4563-4e48-937f-76f7b0ac36a9.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20220313125450.pma	setup.exe

Drops file in Windows directory 2 IoCs

Processes:

Info.exe

description ioc process

File opened for modification C:\Windows\rss Info.exe
File created C:\Windows\rss\csrss.exe Info.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\rss	Info.exe
File created	C:\Windows\rss\csrss.exe	Info.exe

Program crash 4 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
2308	2856	WerFault.exe	rundll32.exe
1588	1528	WerFault.exe	Info.exe
1220	4072	WerFault.exe	Info.exe
1684	3592	WerFault.exe	jamesdirect.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

pub2.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub2.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3048 schtasks.exe

pid	process
3048	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

4308 taskkill.exe

pid	process
4308	taskkill.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

Info.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-161 = "Central Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-211 = "Pacific Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1892 = "Russia TZ 3 Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-592 = "Malay Peninsula Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1911 = "Russia TZ 10 Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2611 = "Bougainville Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-662 = "Cen. Australia Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2432 = "Cuba Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-3052 = "Qyzylorda Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2392 = "Aleutian Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2491 = "Aus Central W. Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1471 = "Magadan Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2631 = "Norfolk Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-121 = "SA Pacific Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2591 = "Tocantins Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-571 = "China Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-912 = "Mauritius Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1861 = "Russia TZ 6 Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-692 = "Tasmania Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2751 = "Tomsk Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-152 = "Central America Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-292 = "Central European Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-352 = "FLE Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-212 = "Pacific Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2942 = "Sao Tome Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2142 = "Transbaikal Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-502 = "Nepal Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-661 = "Cen. Australia Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1721 = "Libya Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-741 = "New Zealand Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-71 = "Newfoundland Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1842 = "Russia TZ 4 Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-372 = "Jerusalem Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2941 = "Sao Tome Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-691 = "Tasmania Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-181 = "Mountain Daylight Time (Mexico)"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1831 = "Russia TZ 2 Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1971 = "Belarus Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-151 = "Central America Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-291 = "Central European Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-172 = "Central Standard Time (Mexico)"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-72 = "Newfoundland Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-301 = "Romance Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1972 = "Belarus Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-572 = "China Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2872 = "Magallanes Standard Time"	Info.exe

Modifies registry class 4 IoCs

Processes:

msedge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\
Key created	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

Litever01.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	Litever01.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Litever01.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

pub2.exejfiag3g_gg.exe

pid	process
1672	pub2.exe
1672	pub2.exe
3568	jfiag3g_gg.exe
3568	jfiag3g_gg.exe
2776
2776
2776
2776
2776
2776
2776
2776
2776
2776
2776
2776
2776
2776
2776
2776
2776
2776
2776
2776
2776
2776
2776
2776
2776
2776
2776
2776
2776
2776
2776
2776
2776
2776
2776
2776
2776
2776
2776
2776
2776
2776
2776
2776
2776
2776
2776
2776
2776
2776
2776
2776
2776
2776
2776
2776
2776
2776
2776
2776

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

pub2.exe

pid process

1672 pub2.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

msedge.exe

pid process

820 msedge.exe
820 msedge.exe
820 msedge.exe
820 msedge.exe

pid	process
820	msedge.exe
820	msedge.exe
820	msedge.exe
820	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Install.exeKRSetp.exetaskkill.exemd9_1sjm.exeInfo.exesvchost.exe

description	pid	process
Token: SeCreateTokenPrivilege	1360	Install.exe
Token: SeAssignPrimaryTokenPrivilege	1360	Install.exe
Token: SeLockMemoryPrivilege	1360	Install.exe
Token: SeIncreaseQuotaPrivilege	1360	Install.exe
Token: SeMachineAccountPrivilege	1360	Install.exe
Token: SeTcbPrivilege	1360	Install.exe
Token: SeSecurityPrivilege	1360	Install.exe
Token: SeTakeOwnershipPrivilege	1360	Install.exe
Token: SeLoadDriverPrivilege	1360	Install.exe
Token: SeSystemProfilePrivilege	1360	Install.exe
Token: SeSystemtimePrivilege	1360	Install.exe
Token: SeProfSingleProcessPrivilege	1360	Install.exe
Token: SeIncBasePriorityPrivilege	1360	Install.exe
Token: SeCreatePagefilePrivilege	1360	Install.exe
Token: SeCreatePermanentPrivilege	1360	Install.exe
Token: SeBackupPrivilege	1360	Install.exe
Token: SeRestorePrivilege	1360	Install.exe
Token: SeShutdownPrivilege	1360	Install.exe
Token: SeDebugPrivilege	1360	Install.exe
Token: SeAuditPrivilege	1360	Install.exe
Token: SeSystemEnvironmentPrivilege	1360	Install.exe
Token: SeChangeNotifyPrivilege	1360	Install.exe
Token: SeRemoteShutdownPrivilege	1360	Install.exe
Token: SeUndockPrivilege	1360	Install.exe
Token: SeSyncAgentPrivilege	1360	Install.exe
Token: SeEnableDelegationPrivilege	1360	Install.exe
Token: SeManageVolumePrivilege	1360	Install.exe
Token: SeImpersonatePrivilege	1360	Install.exe
Token: SeCreateGlobalPrivilege	1360	Install.exe
Token: 31	1360	Install.exe
Token: 32	1360	Install.exe
Token: 33	1360	Install.exe
Token: 34	1360	Install.exe
Token: 35	1360	Install.exe
Token: SeDebugPrivilege	3152	KRSetp.exe
Token: SeDebugPrivilege	4308	taskkill.exe
Token: SeManageVolumePrivilege	5080	md9_1sjm.exe
Token: SeManageVolumePrivilege	5080	md9_1sjm.exe
Token: SeDebugPrivilege	1528	Info.exe
Token: SeImpersonatePrivilege	1528	Info.exe
Token: SeTcbPrivilege	4836	svchost.exe
Token: SeTcbPrivilege	4836	svchost.exe
Token: SeShutdownPrivilege	2776
Token: SeCreatePagefilePrivilege	2776
Token: SeShutdownPrivilege	2776
Token: SeCreatePagefilePrivilege	2776
Token: SeShutdownPrivilege	2776
Token: SeCreatePagefilePrivilege	2776
Token: SeShutdownPrivilege	2776
Token: SeCreatePagefilePrivilege	2776
Token: SeShutdownPrivilege	2776
Token: SeCreatePagefilePrivilege	2776
Token: SeShutdownPrivilege	2776
Token: SeCreatePagefilePrivilege	2776
Token: SeShutdownPrivilege	2776
Token: SeCreatePagefilePrivilege	2776
Token: SeShutdownPrivilege	2776
Token: SeCreatePagefilePrivilege	2776
Token: SeShutdownPrivilege	2776
Token: SeCreatePagefilePrivilege	2776
Token: SeManageVolumePrivilege	5080	md9_1sjm.exe
Token: SeShutdownPrivilege	2776
Token: SeCreatePagefilePrivilege	2776
Token: SeShutdownPrivilege	2776

Suspicious use of FindShellTrayWindow 9 IoCs

Processes:

msedge.exe

pid process

2776
2776
820 msedge.exe
2776
820 msedge.exe
2776
2776
2776
2776
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

cleanpro22.exeComplete.exe

pid process

5060 cleanpro22.exe
4632 Complete.exe

pid	process
2776
2776
820	msedge.exe
2776
820	msedge.exe
2776
2776
2776
2776

pid	process
5060	cleanpro22.exe
4632	Complete.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

eac6ec97c8727be7456888ace095fab5101e2b498020180d2b6003f984dca525.exeFiles.exeInstall.exemsedge.execmd.exeFolder.exerUNdlL32.eXe

description	pid	process	target process
PID 4708 wrote to memory of 3916	4708	eac6ec97c8727be7456888ace095fab5101e2b498020180d2b6003f984dca525.exe	Files.exe
PID 4708 wrote to memory of 3916	4708	eac6ec97c8727be7456888ace095fab5101e2b498020180d2b6003f984dca525.exe	Files.exe
PID 4708 wrote to memory of 3916	4708	eac6ec97c8727be7456888ace095fab5101e2b498020180d2b6003f984dca525.exe	Files.exe
PID 4708 wrote to memory of 3152	4708	eac6ec97c8727be7456888ace095fab5101e2b498020180d2b6003f984dca525.exe	KRSetp.exe
PID 4708 wrote to memory of 3152	4708	eac6ec97c8727be7456888ace095fab5101e2b498020180d2b6003f984dca525.exe	KRSetp.exe
PID 4708 wrote to memory of 1360	4708	eac6ec97c8727be7456888ace095fab5101e2b498020180d2b6003f984dca525.exe	Install.exe
PID 4708 wrote to memory of 1360	4708	eac6ec97c8727be7456888ace095fab5101e2b498020180d2b6003f984dca525.exe	Install.exe
PID 4708 wrote to memory of 1360	4708	eac6ec97c8727be7456888ace095fab5101e2b498020180d2b6003f984dca525.exe	Install.exe
PID 3916 wrote to memory of 4236	3916	Files.exe	jfiag3g_gg.exe
PID 3916 wrote to memory of 4236	3916	Files.exe	jfiag3g_gg.exe
PID 3916 wrote to memory of 4236	3916	Files.exe	jfiag3g_gg.exe
PID 4708 wrote to memory of 820	4708	eac6ec97c8727be7456888ace095fab5101e2b498020180d2b6003f984dca525.exe	msedge.exe
PID 4708 wrote to memory of 820	4708	eac6ec97c8727be7456888ace095fab5101e2b498020180d2b6003f984dca525.exe	msedge.exe
PID 4708 wrote to memory of 2364	4708	eac6ec97c8727be7456888ace095fab5101e2b498020180d2b6003f984dca525.exe	Folder.exe
PID 4708 wrote to memory of 2364	4708	eac6ec97c8727be7456888ace095fab5101e2b498020180d2b6003f984dca525.exe	Folder.exe
PID 4708 wrote to memory of 2364	4708	eac6ec97c8727be7456888ace095fab5101e2b498020180d2b6003f984dca525.exe	Folder.exe
PID 1360 wrote to memory of 2468	1360	Install.exe	cmd.exe
PID 1360 wrote to memory of 2468	1360	Install.exe	cmd.exe
PID 1360 wrote to memory of 2468	1360	Install.exe	cmd.exe
PID 820 wrote to memory of 5084	820	msedge.exe	msedge.exe
PID 820 wrote to memory of 5084	820	msedge.exe	msedge.exe
PID 2468 wrote to memory of 4308	2468	cmd.exe	taskkill.exe
PID 2468 wrote to memory of 4308	2468	cmd.exe	taskkill.exe
PID 2468 wrote to memory of 4308	2468	cmd.exe	taskkill.exe
PID 2364 wrote to memory of 4744	2364	Folder.exe	Folder.exe
PID 2364 wrote to memory of 4744	2364	Folder.exe	Folder.exe
PID 2364 wrote to memory of 4744	2364	Folder.exe	Folder.exe
PID 4708 wrote to memory of 1528	4708	eac6ec97c8727be7456888ace095fab5101e2b498020180d2b6003f984dca525.exe	Info.exe
PID 4708 wrote to memory of 1528	4708	eac6ec97c8727be7456888ace095fab5101e2b498020180d2b6003f984dca525.exe	Info.exe
PID 4708 wrote to memory of 1528	4708	eac6ec97c8727be7456888ace095fab5101e2b498020180d2b6003f984dca525.exe	Info.exe
PID 4708 wrote to memory of 5060	4708	eac6ec97c8727be7456888ace095fab5101e2b498020180d2b6003f984dca525.exe	cleanpro22.exe
PID 4708 wrote to memory of 5060	4708	eac6ec97c8727be7456888ace095fab5101e2b498020180d2b6003f984dca525.exe	cleanpro22.exe
PID 4708 wrote to memory of 5060	4708	eac6ec97c8727be7456888ace095fab5101e2b498020180d2b6003f984dca525.exe	cleanpro22.exe
PID 4708 wrote to memory of 1672	4708	eac6ec97c8727be7456888ace095fab5101e2b498020180d2b6003f984dca525.exe	pub2.exe
PID 4708 wrote to memory of 1672	4708	eac6ec97c8727be7456888ace095fab5101e2b498020180d2b6003f984dca525.exe	pub2.exe
PID 4708 wrote to memory of 1672	4708	eac6ec97c8727be7456888ace095fab5101e2b498020180d2b6003f984dca525.exe	pub2.exe
PID 4924 wrote to memory of 2856	4924	rUNdlL32.eXe	rundll32.exe
PID 4924 wrote to memory of 2856	4924	rUNdlL32.eXe	rundll32.exe
PID 4924 wrote to memory of 2856	4924	rUNdlL32.eXe	rundll32.exe
PID 4708 wrote to memory of 4136	4708	eac6ec97c8727be7456888ace095fab5101e2b498020180d2b6003f984dca525.exe	jamesdirect.exe
PID 4708 wrote to memory of 4136	4708	eac6ec97c8727be7456888ace095fab5101e2b498020180d2b6003f984dca525.exe	jamesdirect.exe
PID 4708 wrote to memory of 4136	4708	eac6ec97c8727be7456888ace095fab5101e2b498020180d2b6003f984dca525.exe	jamesdirect.exe
PID 4708 wrote to memory of 4116	4708	eac6ec97c8727be7456888ace095fab5101e2b498020180d2b6003f984dca525.exe	Litever01.exe
PID 4708 wrote to memory of 4116	4708	eac6ec97c8727be7456888ace095fab5101e2b498020180d2b6003f984dca525.exe	Litever01.exe
PID 4708 wrote to memory of 4116	4708	eac6ec97c8727be7456888ace095fab5101e2b498020180d2b6003f984dca525.exe	Litever01.exe
PID 4708 wrote to memory of 4632	4708	eac6ec97c8727be7456888ace095fab5101e2b498020180d2b6003f984dca525.exe	Complete.exe
PID 4708 wrote to memory of 4632	4708	eac6ec97c8727be7456888ace095fab5101e2b498020180d2b6003f984dca525.exe	Complete.exe
PID 4708 wrote to memory of 4632	4708	eac6ec97c8727be7456888ace095fab5101e2b498020180d2b6003f984dca525.exe	Complete.exe
PID 4708 wrote to memory of 5080	4708	eac6ec97c8727be7456888ace095fab5101e2b498020180d2b6003f984dca525.exe	md9_1sjm.exe
PID 4708 wrote to memory of 5080	4708	eac6ec97c8727be7456888ace095fab5101e2b498020180d2b6003f984dca525.exe	md9_1sjm.exe
PID 4708 wrote to memory of 5080	4708	eac6ec97c8727be7456888ace095fab5101e2b498020180d2b6003f984dca525.exe	md9_1sjm.exe
PID 3916 wrote to memory of 3568	3916	Files.exe	jfiag3g_gg.exe
PID 3916 wrote to memory of 3568	3916	Files.exe	jfiag3g_gg.exe
PID 3916 wrote to memory of 3568	3916	Files.exe	jfiag3g_gg.exe
PID 820 wrote to memory of 772	820	msedge.exe	msedge.exe
PID 820 wrote to memory of 772	820	msedge.exe	msedge.exe
PID 820 wrote to memory of 772	820	msedge.exe	msedge.exe
PID 820 wrote to memory of 772	820	msedge.exe	msedge.exe
PID 820 wrote to memory of 772	820	msedge.exe	msedge.exe
PID 820 wrote to memory of 772	820	msedge.exe	msedge.exe
PID 820 wrote to memory of 772	820	msedge.exe	msedge.exe
PID 820 wrote to memory of 772	820	msedge.exe	msedge.exe
PID 820 wrote to memory of 772	820	msedge.exe	msedge.exe
PID 820 wrote to memory of 772	820	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\eac6ec97c8727be7456888ace095fab5101e2b498020180d2b6003f984dca525.exe
"C:\Users\Admin\AppData\Local\Temp\eac6ec97c8727be7456888ace095fab5101e2b498020180d2b6003f984dca525.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4708

C:\Users\Admin\AppData\Local\Temp\Files.exe
"C:\Users\Admin\AppData\Local\Temp\Files.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3916

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
3⤵
- Executes dropped EXE
PID:4236

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3568

C:\Users\Admin\AppData\Local\Temp\KRSetp.exe
"C:\Users\Admin\AppData\Local\Temp\KRSetp.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3152

C:\Users\Admin\AppData\Local\Temp\Install.exe
"C:\Users\Admin\AppData\Local\Temp\Install.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1360

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:2468

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4308

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1wNij7
2⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:820

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xdc,0x104,0x7ffa34e946f8,0x7ffa34e94708,0x7ffa34e94718
3⤵
PID:5084

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,15447898655371979245,11696060765256334658,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2168 /prefetch:2
3⤵
PID:772

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,15447898655371979245,11696060765256334658,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2384 /prefetch:3
3⤵
PID:4084

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2144,15447898655371979245,11696060765256334658,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2588 /prefetch:8
3⤵
PID:2968

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,15447898655371979245,11696060765256334658,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3824 /prefetch:1
3⤵
PID:1424

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,15447898655371979245,11696060765256334658,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3832 /prefetch:1
3⤵
PID:4480

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2144,15447898655371979245,11696060765256334658,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5316 /prefetch:8
3⤵
PID:2096

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,15447898655371979245,11696060765256334658,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5736 /prefetch:1
3⤵
PID:556

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,15447898655371979245,11696060765256334658,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5768 /prefetch:1
3⤵
PID:3464

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,15447898655371979245,11696060765256334658,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6312 /prefetch:8
3⤵
PID:2304

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
3⤵
- Drops file in Program Files directory
PID:3128

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x27c,0x280,0x284,0x258,0x288,0x7ff71e315460,0x7ff71e315470,0x7ff71e315480
4⤵
PID:3248

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,15447898655371979245,11696060765256334658,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6312 /prefetch:8
3⤵
PID:3532

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2144,15447898655371979245,11696060765256334658,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2712 /prefetch:8
3⤵
PID:3368

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,15447898655371979245,11696060765256334658,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5252 /prefetch:2
3⤵
PID:1620

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2144,15447898655371979245,11696060765256334658,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7152 /prefetch:8
3⤵
PID:3912

C:\Users\Admin\AppData\Local\Temp\Folder.exe
"C:\Users\Admin\AppData\Local\Temp\Folder.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2364

C:\Users\Admin\AppData\Local\Temp\Folder.exe
"C:\Users\Admin\AppData\Local\Temp\Folder.exe" -a
3⤵
- Executes dropped EXE
PID:4744

C:\Users\Admin\AppData\Local\Temp\Info.exe
"C:\Users\Admin\AppData\Local\Temp\Info.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1528

C:\Users\Admin\AppData\Local\Temp\Info.exe
"C:\Users\Admin\AppData\Local\Temp\Info.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:4072

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
4⤵
PID:1700

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
5⤵
PID:3532

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe /94-94
4⤵
- Executes dropped EXE
PID:3404

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
5⤵
- Creates scheduled task(s)
PID:3048

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
5⤵
- Executes dropped EXE
PID:3208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4072 -s 936
4⤵
- Program crash
PID:1220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1528 -s 604
3⤵
- Program crash
PID:1588

C:\Users\Admin\AppData\Local\Temp\cleanpro22.exe
"C:\Users\Admin\AppData\Local\Temp\cleanpro22.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
PID:5060

C:\Users\Admin\AppData\Local\Temp\pub2.exe
"C:\Users\Admin\AppData\Local\Temp\pub2.exe"
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1672

C:\Users\Admin\AppData\Local\Temp\jamesdirect.exe
"C:\Users\Admin\AppData\Local\Temp\jamesdirect.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4136

C:\Users\Admin\AppData\Local\Temp\jamesdirect.exe
C:\Users\Admin\AppData\Local\Temp\jamesdirect.exe
3⤵
- Executes dropped EXE
PID:3592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3592 -s 500
4⤵
- Program crash
PID:1684

C:\Users\Admin\AppData\Local\Temp\Litever01.exe
"C:\Users\Admin\AppData\Local\Temp\Litever01.exe"
2⤵
- Executes dropped EXE
- Modifies system certificate store
PID:4116

C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe
"C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe"
2⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
PID:5080

C:\Users\Admin\AppData\Local\Temp\Complete.exe
"C:\Users\Admin\AppData\Local\Temp\Complete.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4632

C:\Windows\system32\rUNdlL32.eXe
rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:4924

C:\Windows\SysWOW64\rundll32.exe
rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
2⤵
- Loads dropped DLL
PID:2856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2856 -s 604
3⤵
- Program crash
PID:2308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2856 -ip 2856
1⤵
PID:4004

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1468

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of AdjustPrivilegeToken
PID:4836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1528 -ip 1528
1⤵
PID:240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4072 -ip 4072
1⤵
PID:3564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3592 -ip 3592
1⤵
PID:4808

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:4284

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
1⤵
PID:1976

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
MD5
54e9306f95f32e50ccd58af19753d929

SHA1
eab9457321f34d4dcf7d4a0ac83edc9131bf7c57

SHA256
45f94dceb18a8f738a26da09ce4558995a4fe02b971882e8116fc9b59813bb72

SHA512
8711a4d866f21cdf4d4e6131ec4cfaf6821d0d22b90946be8b5a09ab868af0270a89bc326f03b858f0361a83c11a1531b894dfd1945e4812ba429a7558791f4f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
MD5
c3f74d4537c5ac42e2b059af96142af4

SHA1
946e8a1c931dfc41f35cab21e2f3091c0fd5dbe9

SHA256
8b603ce68b4183f41778aff838cb0e6b3423a9eda77f550790df9c8160648976

SHA512
b80d96f94fa55d0c02cd53ac069bb30498444ef9ef656651f4aaf5e0490d5b0163a32f5056c0fec9c82c8e9dd88c851915a7af1cb11b85d26f40204fb9a42d29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico
MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\Complete.exe
MD5
92acb4017f38a7ee6c5d2f6ef0d32af2

SHA1
1b932faf564f18ccc63e5dabff5c705ac30a61b8

SHA256
2459694049abfe227ddcf5b4d813fe3ae8e1e9066de5228acf20c958d425c2e1

SHA512
d385b2857d934628e1df3ef493b3a33e2a042c5974d9c153c126a86a28fc61bcc02db0a0791c225378994737a16cd35b74f217600d4b837cda779200c9faeb73

Download Submit
C:\Users\Admin\AppData\Local\Temp\Complete.exe
MD5
92acb4017f38a7ee6c5d2f6ef0d32af2

SHA1
1b932faf564f18ccc63e5dabff5c705ac30a61b8

SHA256
2459694049abfe227ddcf5b4d813fe3ae8e1e9066de5228acf20c958d425c2e1

SHA512
d385b2857d934628e1df3ef493b3a33e2a042c5974d9c153c126a86a28fc61bcc02db0a0791c225378994737a16cd35b74f217600d4b837cda779200c9faeb73

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files.exe
MD5
2d0217e0c70440d8c82883eadea517b9

SHA1
f3b7dd6dbb43b895ba26f67370af99952b7d83cb

SHA256
d8ede520a96e7eff75e753691e1dd2c764a3171ffa0144675c3e08f4be027c01

SHA512
6d7779a1f0dd54c0598bfb68f5e01a309021437a8b578353a063baf7c5ac2b29e5706ba51d1c1831e1517c5ea6fa662744c3f3e68a0e094c3b83ca9ed134413d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files.exe
MD5
2d0217e0c70440d8c82883eadea517b9

SHA1
f3b7dd6dbb43b895ba26f67370af99952b7d83cb

SHA256
d8ede520a96e7eff75e753691e1dd2c764a3171ffa0144675c3e08f4be027c01

SHA512
6d7779a1f0dd54c0598bfb68f5e01a309021437a8b578353a063baf7c5ac2b29e5706ba51d1c1831e1517c5ea6fa662744c3f3e68a0e094c3b83ca9ed134413d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Folder.exe
MD5
b89068659ca07ab9b39f1c580a6f9d39

SHA1
7e3e246fcf920d1ada06900889d099784fe06aa5

SHA256
9d225182e9a8f073e8cf1d60a8258369a394bcae5fbc52d845d71a0fa440539c

SHA512
940690b0844e678e45ead2e7639407ffac43ab45265d2682a4c2e6400ac8fa2188c50a3b17dad241517dd4624ee92d159c7e6d59c8d069b9edd1445115255d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\Folder.exe
MD5
b89068659ca07ab9b39f1c580a6f9d39

SHA1
7e3e246fcf920d1ada06900889d099784fe06aa5

SHA256
9d225182e9a8f073e8cf1d60a8258369a394bcae5fbc52d845d71a0fa440539c

SHA512
940690b0844e678e45ead2e7639407ffac43ab45265d2682a4c2e6400ac8fa2188c50a3b17dad241517dd4624ee92d159c7e6d59c8d069b9edd1445115255d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\Folder.exe
MD5
b89068659ca07ab9b39f1c580a6f9d39

SHA1
7e3e246fcf920d1ada06900889d099784fe06aa5

SHA256
9d225182e9a8f073e8cf1d60a8258369a394bcae5fbc52d845d71a0fa440539c

SHA512
940690b0844e678e45ead2e7639407ffac43ab45265d2682a4c2e6400ac8fa2188c50a3b17dad241517dd4624ee92d159c7e6d59c8d069b9edd1445115255d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\Info.exe
MD5
111faf90ba0c1e1478d6f7b73232e99c

SHA1
6be4a7fd4cc9c70b5e9f7c93f18703e8197953e8

SHA256
a35fe3902bf0dceedf7c5c8e8ab28bb17c63274ea17b4cb2126e31904df87a05

SHA512
c6e7de7e3953a6d99380c7286836f45b524ea7bb9a82f65f4eaa15381930c017f39782e403ccd618d9a070bd702bdd28a3dc103975695103b0538a91479639a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Info.exe
MD5
111faf90ba0c1e1478d6f7b73232e99c

SHA1
6be4a7fd4cc9c70b5e9f7c93f18703e8197953e8

SHA256
a35fe3902bf0dceedf7c5c8e8ab28bb17c63274ea17b4cb2126e31904df87a05

SHA512
c6e7de7e3953a6d99380c7286836f45b524ea7bb9a82f65f4eaa15381930c017f39782e403ccd618d9a070bd702bdd28a3dc103975695103b0538a91479639a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Info.exe
MD5
111faf90ba0c1e1478d6f7b73232e99c

SHA1
6be4a7fd4cc9c70b5e9f7c93f18703e8197953e8

SHA256
a35fe3902bf0dceedf7c5c8e8ab28bb17c63274ea17b4cb2126e31904df87a05

SHA512
c6e7de7e3953a6d99380c7286836f45b524ea7bb9a82f65f4eaa15381930c017f39782e403ccd618d9a070bd702bdd28a3dc103975695103b0538a91479639a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Install.exe
MD5
8b3419852524534817c7a38d8b64a599

SHA1
eb9a60cc48452182c6da3fa9b995f4361af4737b

SHA256
e6c104ae73204e9133bd65be90bb55869801076971d0b99c64a0c261574fa2f1

SHA512
c4ad198f3cbace842af1f9686f9761964b50f9a7be77b873c11c24d1b9bd57d4ca03a8a4519ce52b30e913475a0fc6d58dee7e54b1c3693dea69029cde0346ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\Install.exe
MD5
8b3419852524534817c7a38d8b64a599

SHA1
eb9a60cc48452182c6da3fa9b995f4361af4737b

SHA256
e6c104ae73204e9133bd65be90bb55869801076971d0b99c64a0c261574fa2f1

SHA512
c4ad198f3cbace842af1f9686f9761964b50f9a7be77b873c11c24d1b9bd57d4ca03a8a4519ce52b30e913475a0fc6d58dee7e54b1c3693dea69029cde0346ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\KRSetp.exe
MD5
ede600e17efa4a39582ebb079560ce33

SHA1
cdec34c39af60390276062e5fb1439eab396c970

SHA256
1a86caf071c5ea6fa3251b6f41089bc11a78440df3a7338d1e613b58130d7b77

SHA512
5d857653f1b5088358f645faec7f804a43a19db101a271e52a5bff88004fcc0812b0598b69955be076e18c237a2cb2a1a4c1769312a3d22e6c273f050e38996b

Download Submit
C:\Users\Admin\AppData\Local\Temp\KRSetp.exe
MD5
ede600e17efa4a39582ebb079560ce33

SHA1
cdec34c39af60390276062e5fb1439eab396c970

SHA256
1a86caf071c5ea6fa3251b6f41089bc11a78440df3a7338d1e613b58130d7b77

SHA512
5d857653f1b5088358f645faec7f804a43a19db101a271e52a5bff88004fcc0812b0598b69955be076e18c237a2cb2a1a4c1769312a3d22e6c273f050e38996b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Litever01.exe
MD5
25909b1a642235931739c18e48859963

SHA1
87bda75bd4980b0de0b9a634fbbfd124426de988

SHA256
a4807bbdcc1874de8eafc41c5aabeaad4ddb0af194583ea3bf321b62af9930a4

SHA512
4481e6386a146f3603272f125326744a6904d623b49f23504b6ba19b463c957c07c45cdf92bad232b4d2928e277fdb4d2704f8dce8da4247a208040179acbc91

Download Submit
C:\Users\Admin\AppData\Local\Temp\Litever01.exe
MD5
25909b1a642235931739c18e48859963

SHA1
87bda75bd4980b0de0b9a634fbbfd124426de988

SHA256
a4807bbdcc1874de8eafc41c5aabeaad4ddb0af194583ea3bf321b62af9930a4

SHA512
4481e6386a146f3603272f125326744a6904d623b49f23504b6ba19b463c957c07c45cdf92bad232b4d2928e277fdb4d2704f8dce8da4247a208040179acbc91

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dat
MD5
5fd2eba6df44d23c9e662763009d7f84

SHA1
43530574f8ac455ae263c70cc99550bc60bfa4f1

SHA256
2991e2231855661e94ef80a4202487a9d7dc7bebccab9a0b2a786cf0783a051f

SHA512
321a86725e533dedb5b74e17218e6e53a49fa6ffc87d7f7da0f0b8441a081fe785f7846a76f67ef03ec3abddacbe8906b20a2f3ce8178896ec57090ef7ab0eb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dll
MD5
1c7be730bdc4833afb7117d48c3fd513

SHA1
dc7e38cfe2ae4a117922306aead5a7544af646b8

SHA256
8206b4b3897ca45b9e083273f616902966e57091516844906e6ae2aefe63cef1

SHA512
7936c862a06b7ecdb6710a1bb62cbea149f75504b580c2f100945674c987f3eec53e9aa5915e32b4f74bcf46f2df9468f68a454400faebd909f933e8072e0f2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dll
MD5
1c7be730bdc4833afb7117d48c3fd513

SHA1
dc7e38cfe2ae4a117922306aead5a7544af646b8

SHA256
8206b4b3897ca45b9e083273f616902966e57091516844906e6ae2aefe63cef1

SHA512
7936c862a06b7ecdb6710a1bb62cbea149f75504b580c2f100945674c987f3eec53e9aa5915e32b4f74bcf46f2df9468f68a454400faebd909f933e8072e0f2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\cleanpro22.exe
MD5
509b000635ab3390fa847269b436b6ba

SHA1
cc9ea9a28a576def6ae542355558102b6842538b

SHA256
7266a9d0f9a50aff61cc32794e421c4215e49e0b54c6b90e13ae05a8a8e5fc12

SHA512
c64d0cabeede0f3617d3535767637d8ffc7dc51145f2e2db48b6f720dfe76e2e897e456f91c83235b1b5c9833e468244f2fe67379c0da47b9ea045b1362cebd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\cleanpro22.exe
MD5
509b000635ab3390fa847269b436b6ba

SHA1
cc9ea9a28a576def6ae542355558102b6842538b

SHA256
7266a9d0f9a50aff61cc32794e421c4215e49e0b54c6b90e13ae05a8a8e5fc12

SHA512
c64d0cabeede0f3617d3535767637d8ffc7dc51145f2e2db48b6f720dfe76e2e897e456f91c83235b1b5c9833e468244f2fe67379c0da47b9ea045b1362cebd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Users\Admin\AppData\Local\Temp\edge_BITS_820_1379806637\c502e396-3183-40d0-bc8b-e6f0d4fa22da
MD5
6c337c4eaac9b4685fbd6ee53785e190

SHA1
af6c2a5c97a4da837e1546083593b5002fd3a4fb

SHA256
ca3a4f89d6a3eb5632a2e6b0a6b0f375c0a45a8dcde57b16ca0a56b932794f50

SHA512
caf0ad840d12c44be60de1abfb72373e4eef263a397cb3cc3d7ed3e0bbb2da4a72674d137a02c10f71b352270a48fe287fd5a8972d26234fb0da10acd16b1e64

Download Submit
C:\Users\Admin\AppData\Local\Temp\edge_BITS_820_1990396731\b22f5f18-f7ea-4290-929d-b13c03908334
MD5
a36d70bcd9333175811c53122f7d2c1d

SHA1
9a9a0c0ac2fc1db6e7b78868c8d4c96d747b8f1c

SHA256
26123bef7d73536450862d2c4d44963d720aa80b6fc2d8496f559cb9c1fdeb00

SHA512
e69aee2d91c50dd63030bd64cd12b5120c1db9871caf3c26b2cbf29ff96891b5f2e7d1388e4b731f77d7fb24904f379a6a8d5c1b2aacf8a8501fd0111ab0caf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
MD5
b7161c0845a64ff6d7345b67ff97f3b0

SHA1
d223f855da541fe8e4c1d5c50cb26da0a1deb5fc

SHA256
fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66

SHA512
98d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
MD5
622fba37304dd8de693e4a029fd97724

SHA1
de3f15351fda6734351d13f4ee5f5c532b01d700

SHA256
f1aff783390bb1006acc74fd0384a9e7162a1792041030c2f8b92557f53360c8

SHA512
99f03eb4a97c04bd7619afdc9daa1944f99081e0ebbb7d50d4ed0c82efc1cc5d8804a4db2d1673aa3c014d6aba6026312df9ab8ee5306abfc16b853f50aadd80

Download Submit
C:\Users\Admin\AppData\Local\Temp\jamesdirect.exe
MD5
6bb2444563f03f98bcbb81453af4e8c0

SHA1
97f7d6c15d2a1cd34d32e6d6106fcf5e8a0515ed

SHA256
af1beafe8b2042586f291bd09192e420349c87bfaf48233c9ae5ceae4b19df4d

SHA512
dbf81f69c4e9086cf6da8e83f3f32346e44a590d4c037c02c83a5e3af2f666dec0a00a4eb296c90d54a4231b8060b76cf26147f4bb78b6e04d6009c77082be36

Download Submit
C:\Users\Admin\AppData\Local\Temp\jamesdirect.exe
MD5
6bb2444563f03f98bcbb81453af4e8c0

SHA1
97f7d6c15d2a1cd34d32e6d6106fcf5e8a0515ed

SHA256
af1beafe8b2042586f291bd09192e420349c87bfaf48233c9ae5ceae4b19df4d

SHA512
dbf81f69c4e9086cf6da8e83f3f32346e44a590d4c037c02c83a5e3af2f666dec0a00a4eb296c90d54a4231b8060b76cf26147f4bb78b6e04d6009c77082be36

Download Submit
C:\Users\Admin\AppData\Local\Temp\jamesdirect.exe
MD5
6bb2444563f03f98bcbb81453af4e8c0

SHA1
97f7d6c15d2a1cd34d32e6d6106fcf5e8a0515ed

SHA256
af1beafe8b2042586f291bd09192e420349c87bfaf48233c9ae5ceae4b19df4d

SHA512
dbf81f69c4e9086cf6da8e83f3f32346e44a590d4c037c02c83a5e3af2f666dec0a00a4eb296c90d54a4231b8060b76cf26147f4bb78b6e04d6009c77082be36

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
a6279ec92ff948760ce53bba817d6a77

SHA1
5345505e12f9e4c6d569a226d50e71b5a572dce2

SHA256
8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181

SHA512
213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
a6279ec92ff948760ce53bba817d6a77

SHA1
5345505e12f9e4c6d569a226d50e71b5a572dce2

SHA256
8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181

SHA512
213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe
MD5
8e33397689414f30209a555b0ae1fe5c

SHA1
b915a1cb575c181c01b11a0f6b8a5e00e946e9c3

SHA256
45b8610362cb8b8948f0a3a193daaeca16a13798921573cd708450f478079976

SHA512
f8bfab698890515c7df76d6147e423faacd0e6d58b9e5ba9b891b56c5b62e0d1798165d510fa22b9a453e80a7e9eb511418c00158126b89aacbd7c7a43873b84

Download Submit
C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe
MD5
8e33397689414f30209a555b0ae1fe5c

SHA1
b915a1cb575c181c01b11a0f6b8a5e00e946e9c3

SHA256
45b8610362cb8b8948f0a3a193daaeca16a13798921573cd708450f478079976

SHA512
f8bfab698890515c7df76d6147e423faacd0e6d58b9e5ba9b891b56c5b62e0d1798165d510fa22b9a453e80a7e9eb511418c00158126b89aacbd7c7a43873b84

Download Submit
C:\Users\Admin\AppData\Local\Temp\pub2.exe
MD5
f1c5830624b7c9b5a12a512b4d068588

SHA1
845a61713dc2e5719384cd3e386c55f15964af39

SHA256
6cd842ba79e3e1f17176c9a3b9d6eb92b1c5086a190a0a66da9dc7da1dbc60dc

SHA512
1590e56e4df7a15a35f237b68e952815c1eb502f9c827c8b8f441cf5cefe2f9b5d30cd30375a3452a765f2d617b63e343c84b51c1442ce22874f2ac60de1467c

Download Submit
C:\Users\Admin\AppData\Local\Temp\pub2.exe
MD5
f1c5830624b7c9b5a12a512b4d068588

SHA1
845a61713dc2e5719384cd3e386c55f15964af39

SHA256
6cd842ba79e3e1f17176c9a3b9d6eb92b1c5086a190a0a66da9dc7da1dbc60dc

SHA512
1590e56e4df7a15a35f237b68e952815c1eb502f9c827c8b8f441cf5cefe2f9b5d30cd30375a3452a765f2d617b63e343c84b51c1442ce22874f2ac60de1467c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Microsoft Edge.lnk
MD5
f8bb5314140cece74caea2dca6b71ee2

SHA1
c0a3386aeaf96d3382fe791f3f9f76fa8b984bca

SHA256
f46ac928ee86bfcc8da558396c9cbf665f70726e2e392a02ffd158e6854bdf8e

SHA512
95682e3a237b17076be2f14ef1864de0dd82d4fa1ceebe9bf1633460d5bb93246fde02a5909e21d6bf9cad2e847975c5585a2ead295747c1954f4ddb0e867f8f

Download Submit
C:\Users\Admin\Desktop\Microsoft Edge.lnk
MD5
c179d2a7b566c56882bcc1a5b21b62d4

SHA1
525daac554752311c7a0157c5de873f457ec2a83

SHA256
fd93233adc6f0efcd8c2dd6f1ae6d7e4a581833e713e92336df0cfa887e6793e

SHA512
75f744b82702d1e24239f61843b78408324e99e4151b1709c7443540cbd940df641f61f11f3c72803c83f18fd25fb1286390c49572713153d61346e1896551aa

Download Submit
C:\Windows\rss\csrss.exe
MD5
111faf90ba0c1e1478d6f7b73232e99c

SHA1
6be4a7fd4cc9c70b5e9f7c93f18703e8197953e8

SHA256
a35fe3902bf0dceedf7c5c8e8ab28bb17c63274ea17b4cb2126e31904df87a05

SHA512
c6e7de7e3953a6d99380c7286836f45b524ea7bb9a82f65f4eaa15381930c017f39782e403ccd618d9a070bd702bdd28a3dc103975695103b0538a91479639a0

Download Submit
C:\Windows\rss\csrss.exe
MD5
111faf90ba0c1e1478d6f7b73232e99c

SHA1
6be4a7fd4cc9c70b5e9f7c93f18703e8197953e8

SHA256
a35fe3902bf0dceedf7c5c8e8ab28bb17c63274ea17b4cb2126e31904df87a05

SHA512
c6e7de7e3953a6d99380c7286836f45b524ea7bb9a82f65f4eaa15381930c017f39782e403ccd618d9a070bd702bdd28a3dc103975695103b0538a91479639a0

Download Submit
\??\pipe\LOCAL\crashpad_820_YXIJGQVVEZHBFBHU
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/772-181-0x00007FFA564B0000-0x00007FFA564B1000-memory.dmp

Filesize
4KB

Download
memory/1528-178-0x0000000000400000-0x0000000003098000-memory.dmp

Filesize
44.6MB

Download
memory/1528-176-0x0000000005210000-0x0000000005B36000-memory.dmp

Filesize
9.1MB

Download
memory/1528-175-0x0000000004DCC000-0x0000000005208000-memory.dmp

Filesize
4.2MB

Download
memory/1672-159-0x0000000002FA9000-0x0000000002FB1000-memory.dmp

Filesize
32KB

Download
memory/1672-154-0x0000000002FA9000-0x0000000002FB1000-memory.dmp

Filesize
32KB

Download
memory/1672-161-0x0000000002DB0000-0x0000000002DB9000-memory.dmp

Filesize
36KB

Download
memory/1672-160-0x0000000000400000-0x0000000002C63000-memory.dmp

Filesize
40.4MB

Download
memory/1976-257-0x000001EEB5C80000-0x000001EEB5C84000-memory.dmp

Filesize
16KB

Download
memory/2776-223-0x00000000089E0000-0x00000000089F0000-memory.dmp

Filesize
64KB

Download
memory/2776-196-0x0000000001030000-0x0000000001046000-memory.dmp

Filesize
88KB

Download
memory/2776-206-0x00000000089E0000-0x00000000089F0000-memory.dmp

Filesize
64KB

Download
memory/2776-207-0x00000000089E0000-0x00000000089F0000-memory.dmp

Filesize
64KB

Download
memory/2776-208-0x00000000089E0000-0x00000000089F0000-memory.dmp

Filesize
64KB

Download
memory/2776-209-0x00000000089E0000-0x00000000089F0000-memory.dmp

Filesize
64KB

Download
memory/2776-211-0x00000000089E0000-0x00000000089F0000-memory.dmp

Filesize
64KB

Download
memory/2776-210-0x00000000089E0000-0x00000000089F0000-memory.dmp

Filesize
64KB

Download
memory/2776-212-0x00000000089E0000-0x00000000089F0000-memory.dmp

Filesize
64KB

Download
memory/2776-213-0x00000000089E0000-0x00000000089F0000-memory.dmp

Filesize
64KB

Download
memory/2776-214-0x00000000089E0000-0x00000000089F0000-memory.dmp

Filesize
64KB

Download
memory/2776-215-0x00000000089E0000-0x00000000089F0000-memory.dmp

Filesize
64KB

Download
memory/2776-217-0x00000000089E0000-0x00000000089F0000-memory.dmp

Filesize
64KB

Download
memory/2776-216-0x00000000089E0000-0x00000000089F0000-memory.dmp

Filesize
64KB

Download
memory/2776-219-0x00000000089E0000-0x00000000089F0000-memory.dmp

Filesize
64KB

Download
memory/2776-221-0x00000000089E0000-0x00000000089F0000-memory.dmp

Filesize
64KB

Download
memory/2776-225-0x00000000089E0000-0x00000000089F0000-memory.dmp

Filesize
64KB

Download
memory/2776-227-0x00000000089E0000-0x00000000089F0000-memory.dmp

Filesize
64KB

Download
memory/2776-224-0x00000000089E0000-0x00000000089F0000-memory.dmp

Filesize
64KB

Download
memory/2776-226-0x00000000090A0000-0x00000000090B0000-memory.dmp

Filesize
64KB

Download
memory/3152-140-0x00000000006A0000-0x00000000006DA000-memory.dmp

Filesize
232KB

Download
memory/3152-143-0x00007FFA38460000-0x00007FFA38F21000-memory.dmp

Filesize
10.8MB

Download
memory/3152-149-0x0000000000D80000-0x0000000000D82000-memory.dmp

Filesize
8KB

Download
memory/3404-251-0x0000000000400000-0x0000000003098000-memory.dmp

Filesize
44.6MB

Download
memory/3404-250-0x0000000005200000-0x000000000563C000-memory.dmp

Filesize
4.2MB

Download
memory/3592-246-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/3592-248-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/3592-249-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/4072-239-0x0000000000400000-0x0000000003098000-memory.dmp

Filesize
44.6MB

Download
memory/4072-238-0x0000000004C27000-0x0000000005063000-memory.dmp

Filesize
4.2MB

Download
memory/4116-185-0x0000000003110000-0x00000000031AD000-memory.dmp

Filesize
628KB

Download
memory/4116-184-0x0000000001788000-0x00000000017ED000-memory.dmp

Filesize
404KB

Download
memory/4116-165-0x0000000001788000-0x00000000017ED000-memory.dmp

Filesize
404KB

Download
memory/4116-186-0x0000000000400000-0x000000000146C000-memory.dmp

Filesize
16.4MB

Download
memory/4136-179-0x0000000073250000-0x0000000073A00000-memory.dmp

Filesize
7.7MB

Download
memory/4136-177-0x0000000000020000-0x00000000000AA000-memory.dmp

Filesize
552KB

Download
memory/4136-193-0x0000000004950000-0x0000000004951000-memory.dmp

Filesize
4KB

Download
memory/5080-197-0x00000000043B0000-0x00000000043B8000-memory.dmp

Filesize
32KB

Download
memory/5080-173-0x0000000000400000-0x000000000060D000-memory.dmp

Filesize
2.1MB

Download
memory/5080-187-0x0000000003740000-0x0000000003750000-memory.dmp

Filesize
64KB

Download
memory/5080-204-0x00000000038E0000-0x00000000038F0000-memory.dmp

Filesize
64KB

Download