formbook | fed743ba97ee8b48a3925816de1b2665d2a73bbf3bc75083fb9ade2855afc0ce

Analysis

max time kernel
158s
max time network
162s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
20/10/2022, 16:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

1.2MB
MD5

23f22ab208306d5c6d9ad9e344c446c0
SHA1

8f4ce81c820d9b39b5930bdb8178e1e8d728378e
SHA256

fed743ba97ee8b48a3925816de1b2665d2a73bbf3bc75083fb9ade2855afc0ce
SHA512

631462e8699b9d248275ae2eaf62f9e23d930724d3164ab7e533d0e2b68b624185b4f4166628521dd52e85c418fbf2e24bdab7c8a8805b0ab6c1731c22dfe86f
SSDEEP

24576:gAOcZXQOQyB4o63Ia5tgKWPMgobTuj5HHeg/cbGOSMId:+HEfWdW8TO5HdYGOSMe

Score

10^/10

formbook ubpr persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

ubpr

Decoy

ptpVli2do9q89N0=

+CSLnNslIIErRTE3deUw4HXnuqwqG4+WpQ==

5IBw+rDmyajH6J9b0Gc0

ITivu/UzzGQKCQ==

qNw+VJ7Ni+WT3pA2e/8=

6VzmXNT+607aCN1UmHCt1CjO

a+xfszZjSqdZhCfX5fXnJkJFIsuN8Ns=

DLyp4MD0xUCL6olI

kysKo0J45suL6olI

oE/eN+zqkP2lyG6YYSalUA==

Rko77gUFcKTQFA==

cW14AsnTkUOf0N6ODWjpj7S6nRI=

M9yx/sTJbmx2vzUeWQ==

SQJdWnStlfaz6J0M04r3MN8=

FLhBiiYfyjfZFOdgHU1SfmVhAGgV

nKgaME1YHRs+cHTkn4oI3ibO

vuZIRIyKMaBGiUl9iaiZxNc=

UPnZdBQV1nzxKB1N

iARlleEZxTSL6olI

w5hz+KfftpWkwox0yH7vo0GrwW7RjWVk

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Executes dropped EXE 23 IoCs

pid	Process
3572	hmjqaxtrtt.exe
3984	HMJQAX~1.EXE
5044	HMJQAX~1.EXE
2904	HMJQAX~1.EXE
1844	HMJQAX~1.EXE
2420	HMJQAX~1.EXE
4672	HMJQAX~1.EXE
2880	HMJQAX~1.EXE
2316	HMJQAX~1.EXE
828	HMJQAX~1.EXE
4924	HMJQAX~1.EXE
4896	HMJQAX~1.EXE
5100	HMJQAX~1.EXE
4300	HMJQAX~1.EXE
2704	HMJQAX~1.EXE
5060	HMJQAX~1.EXE
1392	HMJQAX~1.EXE
4888	HMJQAX~1.EXE
2880	HMJQAX~1.EXE
3720	HMJQAX~1.EXE
2608	HMJQAX~1.EXE
3216	HMJQAX~1.EXE
3164	HMJQAX~1.EXE

Checks computer location settings 2 TTPs 46 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	HMJQAX~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	HMJQAX~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	HMJQAX~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	HMJQAX~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	HMJQAX~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	HMJQAX~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	HMJQAX~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	HMJQAX~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	tmp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	HMJQAX~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	HMJQAX~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	hmjqaxtrtt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	HMJQAX~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	HMJQAX~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	HMJQAX~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	HMJQAX~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	HMJQAX~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	HMJQAX~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	HMJQAX~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	HMJQAX~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	HMJQAX~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	HMJQAX~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	HMJQAX~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	WScript.exe

Adds Run key to start application 2 TTPs 44 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2_74\\HMJQAX~1.EXE C:\\Users\\Admin\\AppData\\Local\\Temp\\2_74\\rpmht.foa"	HMJQAX~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	HMJQAX~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	HMJQAX~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2_74\\HMJQAX~1.EXE C:\\Users\\Admin\\AppData\\Local\\Temp\\2_74\\rpmht.foa"	HMJQAX~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	HMJQAX~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	HMJQAX~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2_74\\HMJQAX~1.EXE C:\\Users\\Admin\\AppData\\Local\\Temp\\2_74\\rpmht.foa"	HMJQAX~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2_74\\HMJQAX~1.EXE C:\\Users\\Admin\\AppData\\Local\\Temp\\2_74\\rpmht.foa"	HMJQAX~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	HMJQAX~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	HMJQAX~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2_74\\HMJQAX~1.EXE C:\\Users\\Admin\\AppData\\Local\\Temp\\2_74\\rpmht.foa"	HMJQAX~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2_74\\HMJQAX~1.EXE C:\\Users\\Admin\\AppData\\Local\\Temp\\2_74\\rpmht.foa"	HMJQAX~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2_74\\HMJQAX~1.EXE C:\\Users\\Admin\\AppData\\Local\\Temp\\2_74\\rpmht.foa"	hmjqaxtrtt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	HMJQAX~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2_74\\HMJQAX~1.EXE C:\\Users\\Admin\\AppData\\Local\\Temp\\2_74\\rpmht.foa"	HMJQAX~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2_74\\HMJQAX~1.EXE C:\\Users\\Admin\\AppData\\Local\\Temp\\2_74\\rpmht.foa"	HMJQAX~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	HMJQAX~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	HMJQAX~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2_74\\HMJQAX~1.EXE C:\\Users\\Admin\\AppData\\Local\\Temp\\2_74\\rpmht.foa"	HMJQAX~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	HMJQAX~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	HMJQAX~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2_74\\HMJQAX~1.EXE C:\\Users\\Admin\\AppData\\Local\\Temp\\2_74\\rpmht.foa"	HMJQAX~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	HMJQAX~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2_74\\HMJQAX~1.EXE C:\\Users\\Admin\\AppData\\Local\\Temp\\2_74\\rpmht.foa"	HMJQAX~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	HMJQAX~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2_74\\HMJQAX~1.EXE C:\\Users\\Admin\\AppData\\Local\\Temp\\2_74\\rpmht.foa"	HMJQAX~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2_74\\HMJQAX~1.EXE C:\\Users\\Admin\\AppData\\Local\\Temp\\2_74\\rpmht.foa"	HMJQAX~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	HMJQAX~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	HMJQAX~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2_74\\HMJQAX~1.EXE C:\\Users\\Admin\\AppData\\Local\\Temp\\2_74\\rpmht.foa"	HMJQAX~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	hmjqaxtrtt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	HMJQAX~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2_74\\HMJQAX~1.EXE C:\\Users\\Admin\\AppData\\Local\\Temp\\2_74\\rpmht.foa"	HMJQAX~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2_74\\HMJQAX~1.EXE C:\\Users\\Admin\\AppData\\Local\\Temp\\2_74\\rpmht.foa"	HMJQAX~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	HMJQAX~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2_74\\HMJQAX~1.EXE C:\\Users\\Admin\\AppData\\Local\\Temp\\2_74\\rpmht.foa"	HMJQAX~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2_74\\HMJQAX~1.EXE C:\\Users\\Admin\\AppData\\Local\\Temp\\2_74\\rpmht.foa"	HMJQAX~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2_74\\HMJQAX~1.EXE C:\\Users\\Admin\\AppData\\Local\\Temp\\2_74\\rpmht.foa"	HMJQAX~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2_74\\HMJQAX~1.EXE C:\\Users\\Admin\\AppData\\Local\\Temp\\2_74\\rpmht.foa"	HMJQAX~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	HMJQAX~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	HMJQAX~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	HMJQAX~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	HMJQAX~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2_74\\HMJQAX~1.EXE C:\\Users\\Admin\\AppData\\Local\\Temp\\2_74\\rpmht.foa"	HMJQAX~1.EXE

Suspicious use of SetThreadContext 30 IoCs

description	pid	Process	procid_target
PID 3572 set thread context of 4696	3572	hmjqaxtrtt.exe	84
PID 4696 set thread context of 3032	4696	RegSvcs.exe	60
PID 3984 set thread context of 3508	3984	HMJQAX~1.EXE	91
PID 5104 set thread context of 3032	5104	mstsc.exe	60
PID 5044 set thread context of 3536	5044	HMJQAX~1.EXE	98
PID 2904 set thread context of 3936	2904	HMJQAX~1.EXE	103
PID 2904 set thread context of 4660	2904	HMJQAX~1.EXE	102
PID 1844 set thread context of 2272	1844	HMJQAX~1.EXE	109
PID 2420 set thread context of 3840	2420	HMJQAX~1.EXE	117
PID 4672 set thread context of 4632	4672	HMJQAX~1.EXE	121
PID 4672 set thread context of 2264	4672	HMJQAX~1.EXE	120
PID 2880 set thread context of 532	2880	HMJQAX~1.EXE	125
PID 2316 set thread context of 4284	2316	HMJQAX~1.EXE	129
PID 828 set thread context of 448	828	HMJQAX~1.EXE	133
PID 4924 set thread context of 4088	4924	HMJQAX~1.EXE	137
PID 4896 set thread context of 5108	4896	HMJQAX~1.EXE	141
PID 4896 set thread context of 3996	4896	HMJQAX~1.EXE	140
PID 5100 set thread context of 996	5100	HMJQAX~1.EXE	147
PID 5100 set thread context of 4948	5100	HMJQAX~1.EXE	146
PID 4300 set thread context of 1916	4300	HMJQAX~1.EXE	151
PID 2704 set thread context of 4024	2704	HMJQAX~1.EXE	155
PID 5060 set thread context of 4076	5060	HMJQAX~1.EXE	159
PID 5060 set thread context of 3672	5060	HMJQAX~1.EXE	158
PID 1392 set thread context of 4808	1392	HMJQAX~1.EXE	163
PID 4888 set thread context of 2292	4888	HMJQAX~1.EXE	167
PID 2880 set thread context of 5076	2880	HMJQAX~1.EXE	171
PID 3720 set thread context of 1184	3720	HMJQAX~1.EXE	175
PID 3720 set thread context of 3752	3720	HMJQAX~1.EXE	174
PID 2608 set thread context of 3508	2608	HMJQAX~1.EXE	179
PID 3216 set thread context of 4980	3216	HMJQAX~1.EXE	183

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1700	2272	WerFault.exe	109
1492	5108	WerFault.exe	141

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\Registry\User\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	mstsc.exe

Modifies registry class 46 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	HMJQAX~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	HMJQAX~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	HMJQAX~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	HMJQAX~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	HMJQAX~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	HMJQAX~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	HMJQAX~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	hmjqaxtrtt.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	HMJQAX~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	HMJQAX~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	HMJQAX~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	HMJQAX~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	HMJQAX~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	HMJQAX~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	HMJQAX~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	HMJQAX~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	HMJQAX~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	HMJQAX~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	HMJQAX~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	HMJQAX~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	HMJQAX~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	tmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	HMJQAX~1.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4696	RegSvcs.exe
4696	RegSvcs.exe
4696	RegSvcs.exe
4696	RegSvcs.exe
4696	RegSvcs.exe
4696	RegSvcs.exe
4696	RegSvcs.exe
4696	RegSvcs.exe
3572	hmjqaxtrtt.exe
3572	hmjqaxtrtt.exe
3572	hmjqaxtrtt.exe
3572	hmjqaxtrtt.exe
3572	hmjqaxtrtt.exe
3572	hmjqaxtrtt.exe
3572	hmjqaxtrtt.exe
3572	hmjqaxtrtt.exe
3572	hmjqaxtrtt.exe
3572	hmjqaxtrtt.exe
3572	hmjqaxtrtt.exe
3572	hmjqaxtrtt.exe
3572	hmjqaxtrtt.exe
3572	hmjqaxtrtt.exe
3572	hmjqaxtrtt.exe
3572	hmjqaxtrtt.exe
3572	hmjqaxtrtt.exe
3572	hmjqaxtrtt.exe
3572	hmjqaxtrtt.exe
3572	hmjqaxtrtt.exe
5104	mstsc.exe
5104	mstsc.exe
5104	mstsc.exe
5104	mstsc.exe
3508	RegSvcs.exe
3508	RegSvcs.exe
3984	HMJQAX~1.EXE
3984	HMJQAX~1.EXE
3984	HMJQAX~1.EXE
3984	HMJQAX~1.EXE
3984	HMJQAX~1.EXE
3984	HMJQAX~1.EXE
3984	HMJQAX~1.EXE
3984	HMJQAX~1.EXE
3984	HMJQAX~1.EXE
3984	HMJQAX~1.EXE
3984	HMJQAX~1.EXE
3984	HMJQAX~1.EXE
3536	RegSvcs.exe
3536	RegSvcs.exe
5044	HMJQAX~1.EXE
5044	HMJQAX~1.EXE
5044	HMJQAX~1.EXE
5044	HMJQAX~1.EXE
5044	HMJQAX~1.EXE
5044	HMJQAX~1.EXE
5044	HMJQAX~1.EXE
5044	HMJQAX~1.EXE
5044	HMJQAX~1.EXE
5044	HMJQAX~1.EXE
5044	HMJQAX~1.EXE
5044	HMJQAX~1.EXE
5104	mstsc.exe
5104	mstsc.exe
3936	RegSvcs.exe
3936	RegSvcs.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3032	Explorer.EXE

Suspicious behavior: MapViewOfSection 7 IoCs

pid	Process
4696	RegSvcs.exe
4696	RegSvcs.exe
4696	RegSvcs.exe
5104	mstsc.exe
5104	mstsc.exe
5104	mstsc.exe
5104	mstsc.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4696	RegSvcs.exe
Token: SeDebugPrivilege	5104	mstsc.exe
Token: SeShutdownPrivilege	3032	Explorer.EXE
Token: SeCreatePagefilePrivilege	3032	Explorer.EXE
Token: SeShutdownPrivilege	3032	Explorer.EXE
Token: SeCreatePagefilePrivilege	3032	Explorer.EXE
Token: SeShutdownPrivilege	3032	Explorer.EXE
Token: SeCreatePagefilePrivilege	3032	Explorer.EXE
Token: SeDebugPrivilege	3508	RegSvcs.exe
Token: SeShutdownPrivilege	3032	Explorer.EXE
Token: SeCreatePagefilePrivilege	3032	Explorer.EXE
Token: SeShutdownPrivilege	3032	Explorer.EXE
Token: SeCreatePagefilePrivilege	3032	Explorer.EXE
Token: SeShutdownPrivilege	3032	Explorer.EXE
Token: SeCreatePagefilePrivilege	3032	Explorer.EXE
Token: SeDebugPrivilege	3536	RegSvcs.exe
Token: SeShutdownPrivilege	3032	Explorer.EXE
Token: SeCreatePagefilePrivilege	3032	Explorer.EXE
Token: SeShutdownPrivilege	3032	Explorer.EXE
Token: SeCreatePagefilePrivilege	3032	Explorer.EXE
Token: SeShutdownPrivilege	3032	Explorer.EXE
Token: SeCreatePagefilePrivilege	3032	Explorer.EXE
Token: SeDebugPrivilege	3936	RegSvcs.exe
Token: SeDebugPrivilege	4660	RegSvcs.exe
Token: SeShutdownPrivilege	3032	Explorer.EXE
Token: SeCreatePagefilePrivilege	3032	Explorer.EXE
Token: SeShutdownPrivilege	3032	Explorer.EXE
Token: SeCreatePagefilePrivilege	3032	Explorer.EXE
Token: SeShutdownPrivilege	3032	Explorer.EXE
Token: SeCreatePagefilePrivilege	3032	Explorer.EXE
Token: SeShutdownPrivilege	3032	Explorer.EXE
Token: SeCreatePagefilePrivilege	3032	Explorer.EXE
Token: SeShutdownPrivilege	3032	Explorer.EXE
Token: SeCreatePagefilePrivilege	3032	Explorer.EXE
Token: SeShutdownPrivilege	3032	Explorer.EXE
Token: SeCreatePagefilePrivilege	3032	Explorer.EXE
Token: SeShutdownPrivilege	3032	Explorer.EXE
Token: SeCreatePagefilePrivilege	3032	Explorer.EXE
Token: SeShutdownPrivilege	3032	Explorer.EXE
Token: SeCreatePagefilePrivilege	3032	Explorer.EXE
Token: SeShutdownPrivilege	3032	Explorer.EXE
Token: SeCreatePagefilePrivilege	3032	Explorer.EXE
Token: SeShutdownPrivilege	3032	Explorer.EXE
Token: SeCreatePagefilePrivilege	3032	Explorer.EXE
Token: SeShutdownPrivilege	3032	Explorer.EXE
Token: SeCreatePagefilePrivilege	3032	Explorer.EXE
Token: SeShutdownPrivilege	3032	Explorer.EXE
Token: SeCreatePagefilePrivilege	3032	Explorer.EXE
Token: SeDebugPrivilege	3840	RegSvcs.exe
Token: SeShutdownPrivilege	3032	Explorer.EXE
Token: SeCreatePagefilePrivilege	3032	Explorer.EXE
Token: SeShutdownPrivilege	3032	Explorer.EXE
Token: SeCreatePagefilePrivilege	3032	Explorer.EXE
Token: SeShutdownPrivilege	3032	Explorer.EXE
Token: SeCreatePagefilePrivilege	3032	Explorer.EXE
Token: SeDebugPrivilege	4632	RegSvcs.exe
Token: SeDebugPrivilege	2264	RegSvcs.exe
Token: SeShutdownPrivilege	3032	Explorer.EXE
Token: SeCreatePagefilePrivilege	3032	Explorer.EXE
Token: SeShutdownPrivilege	3032	Explorer.EXE
Token: SeCreatePagefilePrivilege	3032	Explorer.EXE
Token: SeShutdownPrivilege	3032	Explorer.EXE
Token: SeCreatePagefilePrivilege	3032	Explorer.EXE
Token: SeDebugPrivilege	532	RegSvcs.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4916 wrote to memory of 532	4916	tmp.exe	81
PID 4916 wrote to memory of 532	4916	tmp.exe	81
PID 4916 wrote to memory of 532	4916	tmp.exe	81
PID 532 wrote to memory of 3572	532	WScript.exe	82
PID 532 wrote to memory of 3572	532	WScript.exe	82
PID 532 wrote to memory of 3572	532	WScript.exe	82
PID 3572 wrote to memory of 3332	3572	hmjqaxtrtt.exe	83
PID 3572 wrote to memory of 3332	3572	hmjqaxtrtt.exe	83
PID 3572 wrote to memory of 3332	3572	hmjqaxtrtt.exe	83
PID 3572 wrote to memory of 4696	3572	hmjqaxtrtt.exe	84
PID 3572 wrote to memory of 4696	3572	hmjqaxtrtt.exe	84
PID 3572 wrote to memory of 4696	3572	hmjqaxtrtt.exe	84
PID 3572 wrote to memory of 4696	3572	hmjqaxtrtt.exe	84
PID 3572 wrote to memory of 4696	3572	hmjqaxtrtt.exe	84
PID 3572 wrote to memory of 4696	3572	hmjqaxtrtt.exe	84
PID 3032 wrote to memory of 5104	3032	Explorer.EXE	85
PID 3032 wrote to memory of 5104	3032	Explorer.EXE	85
PID 3032 wrote to memory of 5104	3032	Explorer.EXE	85
PID 3572 wrote to memory of 4812	3572	hmjqaxtrtt.exe	88
PID 3572 wrote to memory of 4812	3572	hmjqaxtrtt.exe	88
PID 3572 wrote to memory of 4812	3572	hmjqaxtrtt.exe	88
PID 4812 wrote to memory of 3984	4812	WScript.exe	89
PID 4812 wrote to memory of 3984	4812	WScript.exe	89
PID 4812 wrote to memory of 3984	4812	WScript.exe	89
PID 3984 wrote to memory of 3020	3984	HMJQAX~1.EXE	90
PID 3984 wrote to memory of 3020	3984	HMJQAX~1.EXE	90
PID 3984 wrote to memory of 3020	3984	HMJQAX~1.EXE	90
PID 3984 wrote to memory of 3508	3984	HMJQAX~1.EXE	91
PID 3984 wrote to memory of 3508	3984	HMJQAX~1.EXE	91
PID 3984 wrote to memory of 3508	3984	HMJQAX~1.EXE	91
PID 3984 wrote to memory of 3508	3984	HMJQAX~1.EXE	91
PID 3984 wrote to memory of 3508	3984	HMJQAX~1.EXE	91
PID 3984 wrote to memory of 3508	3984	HMJQAX~1.EXE	91
PID 3984 wrote to memory of 4924	3984	HMJQAX~1.EXE	92
PID 3984 wrote to memory of 4924	3984	HMJQAX~1.EXE	92
PID 3984 wrote to memory of 4924	3984	HMJQAX~1.EXE	92
PID 4924 wrote to memory of 5044	4924	WScript.exe	93
PID 4924 wrote to memory of 5044	4924	WScript.exe	93
PID 4924 wrote to memory of 5044	4924	WScript.exe	93
PID 5044 wrote to memory of 5108	5044	HMJQAX~1.EXE	97
PID 5044 wrote to memory of 5108	5044	HMJQAX~1.EXE	97
PID 5044 wrote to memory of 5108	5044	HMJQAX~1.EXE	97
PID 5044 wrote to memory of 3536	5044	HMJQAX~1.EXE	98
PID 5044 wrote to memory of 3536	5044	HMJQAX~1.EXE	98
PID 5044 wrote to memory of 3536	5044	HMJQAX~1.EXE	98
PID 5044 wrote to memory of 3536	5044	HMJQAX~1.EXE	98
PID 5044 wrote to memory of 3536	5044	HMJQAX~1.EXE	98
PID 5044 wrote to memory of 3536	5044	HMJQAX~1.EXE	98
PID 5044 wrote to memory of 4920	5044	HMJQAX~1.EXE	99
PID 5044 wrote to memory of 4920	5044	HMJQAX~1.EXE	99
PID 5044 wrote to memory of 4920	5044	HMJQAX~1.EXE	99
PID 4920 wrote to memory of 2904	4920	WScript.exe	100
PID 4920 wrote to memory of 2904	4920	WScript.exe	100
PID 4920 wrote to memory of 2904	4920	WScript.exe	100
PID 2904 wrote to memory of 4660	2904	HMJQAX~1.EXE	102
PID 2904 wrote to memory of 4660	2904	HMJQAX~1.EXE	102
PID 2904 wrote to memory of 4660	2904	HMJQAX~1.EXE	102
PID 2904 wrote to memory of 3936	2904	HMJQAX~1.EXE	103
PID 2904 wrote to memory of 3936	2904	HMJQAX~1.EXE	103
PID 2904 wrote to memory of 3936	2904	HMJQAX~1.EXE	103
PID 2904 wrote to memory of 3936	2904	HMJQAX~1.EXE	103
PID 2904 wrote to memory of 3936	2904	HMJQAX~1.EXE	103
PID 2904 wrote to memory of 3936	2904	HMJQAX~1.EXE	103
PID 2904 wrote to memory of 4660	2904	HMJQAX~1.EXE	102

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3032
- C:\Users\Admin\AppData\Local\Temp\tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4916
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\temp\2_74\ndxkc.vbe"
    3⤵
    - Checks computer location settings
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:532
  - - C:\Users\Admin\AppData\Local\Temp\2_74\hmjqaxtrtt.exe
      "C:\Users\Admin\AppData\Local\Temp\2_74\hmjqaxtrtt.exe" rpmht.foa
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Adds Run key to start application
      Suspicious use of SetThreadContext
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:3572
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        5⤵
        
        PID:3332
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        5⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:4696
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2_74\run.vbs"
        5⤵
        Checks computer location settings
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4812
      - C:\Users\Admin\AppData\Local\Temp\2_74\HMJQAX~1.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\2_74\HMJQAX~1.EXE" rpmht.foa
        6⤵
        Executes dropped EXE
        Checks computer location settings
        Adds Run key to start application
        Suspicious use of SetThreadContext
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3984
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        7⤵
        
        PID:3020
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3508
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2_74\run.vbs"
        7⤵
        Checks computer location settings
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4924
        
        C:\Users\Admin\AppData\Local\Temp\2_74\HMJQAX~1.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\2_74\HMJQAX~1.EXE" rpmht.foa
        8⤵
        Executes dropped EXE
        Checks computer location settings
        Adds Run key to start application
        Suspicious use of SetThreadContext
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:5044
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        9⤵
        
        PID:5108
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        9⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3536
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2_74\run.vbs"
        9⤵
        Checks computer location settings
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4920
        
        C:\Users\Admin\AppData\Local\Temp\2_74\HMJQAX~1.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\2_74\HMJQAX~1.EXE" rpmht.foa
        10⤵
        Executes dropped EXE
        Checks computer location settings
        Adds Run key to start application
        Suspicious use of SetThreadContext
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2904
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        11⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4660
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        11⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3936
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2_74\run.vbs"
        11⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2964
        
        C:\Users\Admin\AppData\Local\Temp\2_74\HMJQAX~1.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\2_74\HMJQAX~1.EXE" rpmht.foa
        12⤵
        Executes dropped EXE
        Checks computer location settings
        Adds Run key to start application
        Suspicious use of SetThreadContext
        Modifies registry class
        
        PID:1844
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        13⤵
        
        PID:1888
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        13⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2272 -s 80
        14⤵
        Program crash
        
        PID:1700
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2_74\run.vbs"
        13⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2024
        
        C:\Users\Admin\AppData\Local\Temp\2_74\HMJQAX~1.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\2_74\HMJQAX~1.EXE" rpmht.foa
        14⤵
        Executes dropped EXE
        Checks computer location settings
        Adds Run key to start application
        Suspicious use of SetThreadContext
        Modifies registry class
        
        PID:2420
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        15⤵
        
        PID:4584
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        15⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3840
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2_74\run.vbs"
        15⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2180
        
        C:\Users\Admin\AppData\Local\Temp\2_74\HMJQAX~1.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\2_74\HMJQAX~1.EXE" rpmht.foa
        16⤵
        Executes dropped EXE
        Checks computer location settings
        Adds Run key to start application
        Suspicious use of SetThreadContext
        Modifies registry class
        
        PID:4672
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        17⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2264
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        17⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4632
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2_74\run.vbs"
        17⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2076
        
        C:\Users\Admin\AppData\Local\Temp\2_74\HMJQAX~1.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\2_74\HMJQAX~1.EXE" rpmht.foa
        18⤵
        Executes dropped EXE
        Checks computer location settings
        Adds Run key to start application
        Suspicious use of SetThreadContext
        Modifies registry class
        
        PID:2880
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        19⤵
        
        PID:1872
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        19⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:532
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2_74\run.vbs"
        19⤵
        Checks computer location settings
        Modifies registry class
        
        PID:1600
        
        C:\Users\Admin\AppData\Local\Temp\2_74\HMJQAX~1.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\2_74\HMJQAX~1.EXE" rpmht.foa
        20⤵
        Executes dropped EXE
        Checks computer location settings
        Adds Run key to start application
        Suspicious use of SetThreadContext
        Modifies registry class
        
        PID:2316
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        21⤵
        
        PID:5032
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        21⤵
        
        PID:4284
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2_74\run.vbs"
        21⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3432
        
        C:\Users\Admin\AppData\Local\Temp\2_74\HMJQAX~1.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\2_74\HMJQAX~1.EXE" rpmht.foa
        22⤵
        Executes dropped EXE
        Checks computer location settings
        Adds Run key to start application
        Suspicious use of SetThreadContext
        Modifies registry class
        
        PID:828
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        23⤵
        
        PID:4880
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        23⤵
        
        PID:448
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2_74\run.vbs"
        23⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2176
        
        C:\Users\Admin\AppData\Local\Temp\2_74\HMJQAX~1.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\2_74\HMJQAX~1.EXE" rpmht.foa
        24⤵
        Executes dropped EXE
        Checks computer location settings
        Adds Run key to start application
        Suspicious use of SetThreadContext
        Modifies registry class
        
        PID:4924
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        25⤵
        
        PID:1128
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        25⤵
        
        PID:4088
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2_74\run.vbs"
        25⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2944
        
        C:\Users\Admin\AppData\Local\Temp\2_74\HMJQAX~1.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\2_74\HMJQAX~1.EXE" rpmht.foa
        26⤵
        Executes dropped EXE
        Checks computer location settings
        Adds Run key to start application
        Suspicious use of SetThreadContext
        Modifies registry class
        
        PID:4896
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        27⤵
        
        PID:3996
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        27⤵
        
        PID:5108
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5108 -s 80
        28⤵
        Program crash
        
        PID:1492
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2_74\run.vbs"
        27⤵
        Checks computer location settings
        Modifies registry class
        
        PID:1388
        
        C:\Users\Admin\AppData\Local\Temp\2_74\HMJQAX~1.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\2_74\HMJQAX~1.EXE" rpmht.foa
        28⤵
        Executes dropped EXE
        Checks computer location settings
        Adds Run key to start application
        Suspicious use of SetThreadContext
        Modifies registry class
        
        PID:5100
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        29⤵
        
        PID:4948
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        29⤵
        
        PID:996
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2_74\run.vbs"
        29⤵
        Checks computer location settings
        Modifies registry class
        
        PID:1540
        
        C:\Users\Admin\AppData\Local\Temp\2_74\HMJQAX~1.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\2_74\HMJQAX~1.EXE" rpmht.foa
        30⤵
        Executes dropped EXE
        Checks computer location settings
        Adds Run key to start application
        Suspicious use of SetThreadContext
        Modifies registry class
        
        PID:4300
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        31⤵
        
        PID:1704
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        31⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2_74\run.vbs"
        31⤵
        Checks computer location settings
        Modifies registry class
        
        PID:816
        
        C:\Users\Admin\AppData\Local\Temp\2_74\HMJQAX~1.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\2_74\HMJQAX~1.EXE" rpmht.foa
        32⤵
        Executes dropped EXE
        Checks computer location settings
        Adds Run key to start application
        Suspicious use of SetThreadContext
        Modifies registry class
        
        PID:2704
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        33⤵
        
        PID:100
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        33⤵
        
        PID:4024
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2_74\run.vbs"
        33⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2024
        
        C:\Users\Admin\AppData\Local\Temp\2_74\HMJQAX~1.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\2_74\HMJQAX~1.EXE" rpmht.foa
        34⤵
        Executes dropped EXE
        Checks computer location settings
        Adds Run key to start application
        Suspicious use of SetThreadContext
        Modifies registry class
        
        PID:5060
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        35⤵
        
        PID:3672
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        35⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2_74\run.vbs"
        35⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3840
        
        C:\Users\Admin\AppData\Local\Temp\2_74\HMJQAX~1.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\2_74\HMJQAX~1.EXE" rpmht.foa
        36⤵
        Executes dropped EXE
        Checks computer location settings
        Adds Run key to start application
        Suspicious use of SetThreadContext
        Modifies registry class
        
        PID:1392
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        37⤵
        
        PID:3380
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        37⤵
        
        PID:4808
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2_74\run.vbs"
        37⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2076
        
        C:\Users\Admin\AppData\Local\Temp\2_74\HMJQAX~1.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\2_74\HMJQAX~1.EXE" rpmht.foa
        38⤵
        Executes dropped EXE
        Checks computer location settings
        Adds Run key to start application
        Suspicious use of SetThreadContext
        Modifies registry class
        
        PID:4888
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        39⤵
        
        PID:5028
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        39⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2_74\run.vbs"
        39⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4128
        
        C:\Users\Admin\AppData\Local\Temp\2_74\HMJQAX~1.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\2_74\HMJQAX~1.EXE" rpmht.foa
        40⤵
        Executes dropped EXE
        Checks computer location settings
        Adds Run key to start application
        Suspicious use of SetThreadContext
        Modifies registry class
        
        PID:2880
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        41⤵
        
        PID:4320
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        41⤵
        
        PID:5076
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2_74\run.vbs"
        41⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4664
        
        C:\Users\Admin\AppData\Local\Temp\2_74\HMJQAX~1.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\2_74\HMJQAX~1.EXE" rpmht.foa
        42⤵
        Executes dropped EXE
        Checks computer location settings
        Adds Run key to start application
        Suspicious use of SetThreadContext
        Modifies registry class
        
        PID:3720
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        43⤵
        
        PID:3752
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        43⤵
        
        PID:1184
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2_74\run.vbs"
        43⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4828
        
        C:\Users\Admin\AppData\Local\Temp\2_74\HMJQAX~1.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\2_74\HMJQAX~1.EXE" rpmht.foa
        44⤵
        Executes dropped EXE
        Checks computer location settings
        Adds Run key to start application
        Suspicious use of SetThreadContext
        Modifies registry class
        
        PID:2608
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        45⤵
        
        PID:4188
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        45⤵
        
        PID:3508
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2_74\run.vbs"
        45⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3864
        
        C:\Users\Admin\AppData\Local\Temp\2_74\HMJQAX~1.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\2_74\HMJQAX~1.EXE" rpmht.foa
        46⤵
        Executes dropped EXE
        Checks computer location settings
        Adds Run key to start application
        Suspicious use of SetThreadContext
        Modifies registry class
        
        PID:3216
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        47⤵
        
        PID:2944
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        47⤵
        
        PID:4980
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2_74\run.vbs"
        47⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2440
        
        C:\Users\Admin\AppData\Local\Temp\2_74\HMJQAX~1.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\2_74\HMJQAX~1.EXE" rpmht.foa
        48⤵
        Executes dropped EXE
        
        PID:3164
- C:\Windows\SysWOW64\mstsc.exe
  "C:\Windows\SysWOW64\mstsc.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  PID:5104
- - C:\Program Files\Mozilla Firefox\Firefox.exe
    "C:\Program Files\Mozilla Firefox\Firefox.exe"
    3⤵
    PID:4492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2272 -ip 2272
1⤵
PID:2488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 5108 -ip 5108
1⤵
PID:3368

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2_74\hmjqaxtrtt.exe

Filesize
1.1MB

MD5
b5b4f7b97106aff4bd860cff0e13dcdc

SHA1
42ca977e0d14bde5d5831b7fe10f516186df3fc5

SHA256
1dbad30b09c655ff987f25c312f56e9695d60105c240686d05d33941c854fa73

SHA512
3e6742aea38c0cbfee8e5cb8f11d328c947c7e4fcca4604b498a7e254aacfe53cc8fc6171d5ed2db7755abb510c09036bfbb1e5a9d9b7b47a587b43c828e3185

Download Submit
C:\Users\Admin\AppData\Local\Temp\2_74\hmjqaxtrtt.exe

Filesize
1.1MB

MD5
b5b4f7b97106aff4bd860cff0e13dcdc

SHA1
42ca977e0d14bde5d5831b7fe10f516186df3fc5

SHA256
1dbad30b09c655ff987f25c312f56e9695d60105c240686d05d33941c854fa73

SHA512
3e6742aea38c0cbfee8e5cb8f11d328c947c7e4fcca4604b498a7e254aacfe53cc8fc6171d5ed2db7755abb510c09036bfbb1e5a9d9b7b47a587b43c828e3185

Download Submit
C:\Users\Admin\AppData\Local\Temp\2_74\hmjqaxtrtt.exe

Filesize
1.1MB

MD5
b5b4f7b97106aff4bd860cff0e13dcdc

SHA1
42ca977e0d14bde5d5831b7fe10f516186df3fc5

SHA256
1dbad30b09c655ff987f25c312f56e9695d60105c240686d05d33941c854fa73

SHA512
3e6742aea38c0cbfee8e5cb8f11d328c947c7e4fcca4604b498a7e254aacfe53cc8fc6171d5ed2db7755abb510c09036bfbb1e5a9d9b7b47a587b43c828e3185

Download Submit
C:\Users\Admin\AppData\Local\Temp\2_74\hmjqaxtrtt.exe

Filesize
1.1MB

MD5
b5b4f7b97106aff4bd860cff0e13dcdc

SHA1
42ca977e0d14bde5d5831b7fe10f516186df3fc5

SHA256
1dbad30b09c655ff987f25c312f56e9695d60105c240686d05d33941c854fa73

SHA512
3e6742aea38c0cbfee8e5cb8f11d328c947c7e4fcca4604b498a7e254aacfe53cc8fc6171d5ed2db7755abb510c09036bfbb1e5a9d9b7b47a587b43c828e3185

Download Submit
C:\Users\Admin\AppData\Local\Temp\2_74\hmjqaxtrtt.exe

Filesize
1.1MB

MD5
b5b4f7b97106aff4bd860cff0e13dcdc

SHA1
42ca977e0d14bde5d5831b7fe10f516186df3fc5

SHA256
1dbad30b09c655ff987f25c312f56e9695d60105c240686d05d33941c854fa73

SHA512
3e6742aea38c0cbfee8e5cb8f11d328c947c7e4fcca4604b498a7e254aacfe53cc8fc6171d5ed2db7755abb510c09036bfbb1e5a9d9b7b47a587b43c828e3185

Download Submit
C:\Users\Admin\AppData\Local\Temp\2_74\hmjqaxtrtt.exe

Filesize
1.1MB

MD5
b5b4f7b97106aff4bd860cff0e13dcdc

SHA1
42ca977e0d14bde5d5831b7fe10f516186df3fc5

SHA256
1dbad30b09c655ff987f25c312f56e9695d60105c240686d05d33941c854fa73

SHA512
3e6742aea38c0cbfee8e5cb8f11d328c947c7e4fcca4604b498a7e254aacfe53cc8fc6171d5ed2db7755abb510c09036bfbb1e5a9d9b7b47a587b43c828e3185

Download Submit
C:\Users\Admin\AppData\Local\Temp\2_74\hmjqaxtrtt.exe

Filesize
1.1MB

MD5
b5b4f7b97106aff4bd860cff0e13dcdc

SHA1
42ca977e0d14bde5d5831b7fe10f516186df3fc5

SHA256
1dbad30b09c655ff987f25c312f56e9695d60105c240686d05d33941c854fa73

SHA512
3e6742aea38c0cbfee8e5cb8f11d328c947c7e4fcca4604b498a7e254aacfe53cc8fc6171d5ed2db7755abb510c09036bfbb1e5a9d9b7b47a587b43c828e3185

Download Submit
C:\Users\Admin\AppData\Local\Temp\2_74\hmjqaxtrtt.exe

Filesize
1.1MB

MD5
b5b4f7b97106aff4bd860cff0e13dcdc

SHA1
42ca977e0d14bde5d5831b7fe10f516186df3fc5

SHA256
1dbad30b09c655ff987f25c312f56e9695d60105c240686d05d33941c854fa73

SHA512
3e6742aea38c0cbfee8e5cb8f11d328c947c7e4fcca4604b498a7e254aacfe53cc8fc6171d5ed2db7755abb510c09036bfbb1e5a9d9b7b47a587b43c828e3185

Download Submit
C:\Users\Admin\AppData\Local\Temp\2_74\hmjqaxtrtt.exe

Filesize
1.1MB

MD5
b5b4f7b97106aff4bd860cff0e13dcdc

SHA1
42ca977e0d14bde5d5831b7fe10f516186df3fc5

SHA256
1dbad30b09c655ff987f25c312f56e9695d60105c240686d05d33941c854fa73

SHA512
3e6742aea38c0cbfee8e5cb8f11d328c947c7e4fcca4604b498a7e254aacfe53cc8fc6171d5ed2db7755abb510c09036bfbb1e5a9d9b7b47a587b43c828e3185

Download Submit
C:\Users\Admin\AppData\Local\Temp\2_74\hmjqaxtrtt.exe

Filesize
1.1MB

MD5
b5b4f7b97106aff4bd860cff0e13dcdc

SHA1
42ca977e0d14bde5d5831b7fe10f516186df3fc5

SHA256
1dbad30b09c655ff987f25c312f56e9695d60105c240686d05d33941c854fa73

SHA512
3e6742aea38c0cbfee8e5cb8f11d328c947c7e4fcca4604b498a7e254aacfe53cc8fc6171d5ed2db7755abb510c09036bfbb1e5a9d9b7b47a587b43c828e3185

Download Submit
C:\Users\Admin\AppData\Local\Temp\2_74\hmjqaxtrtt.exe

Filesize
1.1MB

MD5
b5b4f7b97106aff4bd860cff0e13dcdc

SHA1
42ca977e0d14bde5d5831b7fe10f516186df3fc5

SHA256
1dbad30b09c655ff987f25c312f56e9695d60105c240686d05d33941c854fa73

SHA512
3e6742aea38c0cbfee8e5cb8f11d328c947c7e4fcca4604b498a7e254aacfe53cc8fc6171d5ed2db7755abb510c09036bfbb1e5a9d9b7b47a587b43c828e3185

Download Submit
C:\Users\Admin\AppData\Local\Temp\2_74\hmjqaxtrtt.exe

Filesize
1.1MB

MD5
b5b4f7b97106aff4bd860cff0e13dcdc

SHA1
42ca977e0d14bde5d5831b7fe10f516186df3fc5

SHA256
1dbad30b09c655ff987f25c312f56e9695d60105c240686d05d33941c854fa73

SHA512
3e6742aea38c0cbfee8e5cb8f11d328c947c7e4fcca4604b498a7e254aacfe53cc8fc6171d5ed2db7755abb510c09036bfbb1e5a9d9b7b47a587b43c828e3185

Download Submit
C:\Users\Admin\AppData\Local\Temp\2_74\hmjqaxtrtt.exe

Filesize
1.1MB

MD5
b5b4f7b97106aff4bd860cff0e13dcdc

SHA1
42ca977e0d14bde5d5831b7fe10f516186df3fc5

SHA256
1dbad30b09c655ff987f25c312f56e9695d60105c240686d05d33941c854fa73

SHA512
3e6742aea38c0cbfee8e5cb8f11d328c947c7e4fcca4604b498a7e254aacfe53cc8fc6171d5ed2db7755abb510c09036bfbb1e5a9d9b7b47a587b43c828e3185

Download Submit
C:\Users\Admin\AppData\Local\Temp\2_74\hmjqaxtrtt.exe

Filesize
1.1MB

MD5
b5b4f7b97106aff4bd860cff0e13dcdc

SHA1
42ca977e0d14bde5d5831b7fe10f516186df3fc5

SHA256
1dbad30b09c655ff987f25c312f56e9695d60105c240686d05d33941c854fa73

SHA512
3e6742aea38c0cbfee8e5cb8f11d328c947c7e4fcca4604b498a7e254aacfe53cc8fc6171d5ed2db7755abb510c09036bfbb1e5a9d9b7b47a587b43c828e3185

Download Submit
C:\Users\Admin\AppData\Local\Temp\2_74\hmjqaxtrtt.exe

Filesize
1.1MB

MD5
b5b4f7b97106aff4bd860cff0e13dcdc

SHA1
42ca977e0d14bde5d5831b7fe10f516186df3fc5

SHA256
1dbad30b09c655ff987f25c312f56e9695d60105c240686d05d33941c854fa73

SHA512
3e6742aea38c0cbfee8e5cb8f11d328c947c7e4fcca4604b498a7e254aacfe53cc8fc6171d5ed2db7755abb510c09036bfbb1e5a9d9b7b47a587b43c828e3185

Download Submit
C:\Users\Admin\AppData\Local\Temp\2_74\hmjqaxtrtt.exe

Filesize
1.1MB

MD5
b5b4f7b97106aff4bd860cff0e13dcdc

SHA1
42ca977e0d14bde5d5831b7fe10f516186df3fc5

SHA256
1dbad30b09c655ff987f25c312f56e9695d60105c240686d05d33941c854fa73

SHA512
3e6742aea38c0cbfee8e5cb8f11d328c947c7e4fcca4604b498a7e254aacfe53cc8fc6171d5ed2db7755abb510c09036bfbb1e5a9d9b7b47a587b43c828e3185

Download Submit
C:\Users\Admin\AppData\Local\Temp\2_74\hmjqaxtrtt.exe

Filesize
1.1MB

MD5
b5b4f7b97106aff4bd860cff0e13dcdc

SHA1
42ca977e0d14bde5d5831b7fe10f516186df3fc5

SHA256
1dbad30b09c655ff987f25c312f56e9695d60105c240686d05d33941c854fa73

SHA512
3e6742aea38c0cbfee8e5cb8f11d328c947c7e4fcca4604b498a7e254aacfe53cc8fc6171d5ed2db7755abb510c09036bfbb1e5a9d9b7b47a587b43c828e3185

Download Submit
C:\Users\Admin\AppData\Local\Temp\2_74\hmjqaxtrtt.exe

Filesize
1.1MB

MD5
b5b4f7b97106aff4bd860cff0e13dcdc

SHA1
42ca977e0d14bde5d5831b7fe10f516186df3fc5

SHA256
1dbad30b09c655ff987f25c312f56e9695d60105c240686d05d33941c854fa73

SHA512
3e6742aea38c0cbfee8e5cb8f11d328c947c7e4fcca4604b498a7e254aacfe53cc8fc6171d5ed2db7755abb510c09036bfbb1e5a9d9b7b47a587b43c828e3185

Download Submit
C:\Users\Admin\AppData\Local\Temp\2_74\hmjqaxtrtt.exe

Filesize
1.1MB

MD5
b5b4f7b97106aff4bd860cff0e13dcdc

SHA1
42ca977e0d14bde5d5831b7fe10f516186df3fc5

SHA256
1dbad30b09c655ff987f25c312f56e9695d60105c240686d05d33941c854fa73

SHA512
3e6742aea38c0cbfee8e5cb8f11d328c947c7e4fcca4604b498a7e254aacfe53cc8fc6171d5ed2db7755abb510c09036bfbb1e5a9d9b7b47a587b43c828e3185

Download Submit
C:\Users\Admin\AppData\Local\Temp\2_74\hmjqaxtrtt.exe

Filesize
1.1MB

MD5
b5b4f7b97106aff4bd860cff0e13dcdc

SHA1
42ca977e0d14bde5d5831b7fe10f516186df3fc5

SHA256
1dbad30b09c655ff987f25c312f56e9695d60105c240686d05d33941c854fa73

SHA512
3e6742aea38c0cbfee8e5cb8f11d328c947c7e4fcca4604b498a7e254aacfe53cc8fc6171d5ed2db7755abb510c09036bfbb1e5a9d9b7b47a587b43c828e3185

Download Submit
C:\Users\Admin\AppData\Local\Temp\2_74\hmjqaxtrtt.exe

Filesize
1.1MB

MD5
b5b4f7b97106aff4bd860cff0e13dcdc

SHA1
42ca977e0d14bde5d5831b7fe10f516186df3fc5

SHA256
1dbad30b09c655ff987f25c312f56e9695d60105c240686d05d33941c854fa73

SHA512
3e6742aea38c0cbfee8e5cb8f11d328c947c7e4fcca4604b498a7e254aacfe53cc8fc6171d5ed2db7755abb510c09036bfbb1e5a9d9b7b47a587b43c828e3185

Download Submit
C:\Users\Admin\AppData\Local\Temp\2_74\hmjqaxtrtt.exe

Filesize
1.1MB

MD5
b5b4f7b97106aff4bd860cff0e13dcdc

SHA1
42ca977e0d14bde5d5831b7fe10f516186df3fc5

SHA256
1dbad30b09c655ff987f25c312f56e9695d60105c240686d05d33941c854fa73

SHA512
3e6742aea38c0cbfee8e5cb8f11d328c947c7e4fcca4604b498a7e254aacfe53cc8fc6171d5ed2db7755abb510c09036bfbb1e5a9d9b7b47a587b43c828e3185

Download Submit
C:\Users\Admin\AppData\Local\Temp\2_74\hmjqaxtrtt.exe

Filesize
1.1MB

MD5
b5b4f7b97106aff4bd860cff0e13dcdc

SHA1
42ca977e0d14bde5d5831b7fe10f516186df3fc5

SHA256
1dbad30b09c655ff987f25c312f56e9695d60105c240686d05d33941c854fa73

SHA512
3e6742aea38c0cbfee8e5cb8f11d328c947c7e4fcca4604b498a7e254aacfe53cc8fc6171d5ed2db7755abb510c09036bfbb1e5a9d9b7b47a587b43c828e3185

Download Submit
C:\Users\Admin\AppData\Local\Temp\2_74\hmjqaxtrtt.exe

Filesize
1.1MB

MD5
b5b4f7b97106aff4bd860cff0e13dcdc

SHA1
42ca977e0d14bde5d5831b7fe10f516186df3fc5

SHA256
1dbad30b09c655ff987f25c312f56e9695d60105c240686d05d33941c854fa73

SHA512
3e6742aea38c0cbfee8e5cb8f11d328c947c7e4fcca4604b498a7e254aacfe53cc8fc6171d5ed2db7755abb510c09036bfbb1e5a9d9b7b47a587b43c828e3185

Download Submit
C:\Users\Admin\AppData\Local\Temp\2_74\rpmht.foa

Filesize
92.3MB

MD5
21559b88639d239d3b1126cb4828db5f

SHA1
157329651262d4ec7bfa855d545e99530f170d82

SHA256
00b62289100f31e1f1dba64dc92c7bfd3349bb00d20c2f988a8fd5c5c972002c

SHA512
f38bca303918aaefd3840d3a175086798303d5ba012f0bbb4f0b8532d61a676b36946669740e511421373cdb591cc94e6893218fe93120ca960ab4deff66d3ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\2_74\run.vbs

Filesize
129B

MD5
80b177fdd73393a9872894ad775f8160

SHA1
24be032f6f642d83b6343668ce92c6b3a8c71a79

SHA256
ab08794f35c5f119b34b255c6fd216199422ead40f9aecde717358934185eed2

SHA512
0a42189f7c23ee03e0a0a9e31ea1ca22bfd4797e9e6708bc30bfbc2d30e9ccafce4b5c0e59d0311d53686d197b12adc18c7b5d7797cbb4d18cf0389fdf5fddb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\2_74\uktclleke.noh

Filesize
370KB

MD5
e7f20e8f470bd3aad55e0d72935b75ec

SHA1
aaba1e2284abb3c382e328422535cb67526f9c44

SHA256
bbd55dac46ddfc5a4d75afd7d05c550506dcfbb25a24a0ed4b4d26caa658c014

SHA512
0dafdaf771be9cccca1fdb2d0d932e66793cebcf35acd56dcff4da984975082774278340d8a2541df01057c43720b42ad1c380ffd6a8d3c4f5bc874221171ae4

Download Submit
C:\Users\Admin\AppData\Local\Temp\2_74\wbpu.txt

Filesize
60KB

MD5
59f07d0bd7ae8745c540236edb5862cf

SHA1
49ace25e7a804f5480396a410e215f0a8fd42074

SHA256
2bd32d54ecfbf7b183c7dbde866df318993e52379d9b7a87428b6c69f2e030eb

SHA512
b1991582f185d11ebd9237963dcf5bf371060708f27e890a6624aa99388821ba6e86161f02add408defaf01e52ccfe1f9528defb992c9d611fee02d122457bf6

Download Submit
C:\Users\Admin\AppData\Local\temp\2_74\ndxkc.vbe

Filesize
34KB

MD5
eb0365a999ebf87ea0e4f333c64e4fc0

SHA1
0c69075a0735397d04f4edaf87417717843b654b

SHA256
5588b7703715326570ce06cd63c8fc4b8e1717199238eadf2fe298fdacc27212

SHA512
f41da699c1e3e9172244dd0bf2acf3d0dc19c74ca49d131998dc74b21f164dca849a31004080df50a1925835bcc485a12a50ceff5e7b15d833024d986821933d

Download Submit
memory/448-231-0x00000000012A0000-0x00000000015EA000-memory.dmp

Filesize
3.3MB

Download
memory/532-216-0x0000000001320000-0x000000000166A000-memory.dmp

Filesize
3.3MB

Download
memory/996-259-0x0000000001390000-0x00000000016DA000-memory.dmp

Filesize
3.3MB

Download
memory/1184-314-0x00000000017A0000-0x0000000001AEA000-memory.dmp

Filesize
3.3MB

Download
memory/1916-268-0x0000000000FF0000-0x000000000133A000-memory.dmp

Filesize
3.3MB

Download
memory/2264-223-0x0000000000400000-0x00000000008B3000-memory.dmp

Filesize
4.7MB

Download
memory/2264-204-0x0000000000400000-0x00000000008B3000-memory.dmp

Filesize
4.7MB

Download
memory/2264-208-0x0000000001470000-0x00000000017BA000-memory.dmp

Filesize
3.3MB

Download
memory/2264-209-0x0000000000400000-0x00000000008B3000-memory.dmp

Filesize
4.7MB

Download
memory/2292-300-0x0000000001160000-0x00000000014AA000-memory.dmp

Filesize
3.3MB

Download
memory/3032-167-0x0000000008240000-0x000000000839B000-memory.dmp

Filesize
1.4MB

Download
memory/3032-188-0x0000000008240000-0x000000000839B000-memory.dmp

Filesize
1.4MB

Download
memory/3032-148-0x0000000008100000-0x0000000008237000-memory.dmp

Filesize
1.2MB

Download
memory/3508-162-0x0000000001590000-0x00000000018DA000-memory.dmp

Filesize
3.3MB

Download
memory/3508-320-0x0000000000EE0000-0x000000000122A000-memory.dmp

Filesize
3.3MB

Download
memory/3536-171-0x0000000000F00000-0x000000000124A000-memory.dmp

Filesize
3.3MB

Download
memory/3672-283-0x0000000000400000-0x00000000009B8000-memory.dmp

Filesize
5.7MB

Download
memory/3672-286-0x0000000000400000-0x00000000009B8000-memory.dmp

Filesize
5.7MB

Download
memory/3752-315-0x0000000000400000-0x0000000000933000-memory.dmp

Filesize
5.2MB

Download
memory/3752-316-0x0000000001620000-0x000000000196A000-memory.dmp

Filesize
3.3MB

Download
memory/3752-312-0x0000000000400000-0x0000000000933000-memory.dmp

Filesize
5.2MB

Download
memory/3840-197-0x0000000000EC0000-0x000000000120A000-memory.dmp

Filesize
3.3MB

Download
memory/3936-182-0x00000000017F0000-0x0000000001B3A000-memory.dmp

Filesize
3.3MB

Download
memory/3996-248-0x00000000018E0000-0x0000000001C2A000-memory.dmp

Filesize
3.3MB

Download
memory/3996-247-0x0000000000400000-0x0000000000951000-memory.dmp

Filesize
5.3MB

Download
memory/3996-244-0x0000000000400000-0x0000000000951000-memory.dmp

Filesize
5.3MB

Download
memory/4024-275-0x0000000001980000-0x0000000001CCA000-memory.dmp

Filesize
3.3MB

Download
memory/4076-285-0x0000000001970000-0x0000000001CBA000-memory.dmp

Filesize
3.3MB

Download
memory/4088-258-0x0000000000FC0000-0x000000000130A000-memory.dmp

Filesize
3.3MB

Download
memory/4088-238-0x0000000000FC0000-0x000000000130A000-memory.dmp

Filesize
3.3MB

Download
memory/4284-224-0x0000000000C00000-0x0000000000F4A000-memory.dmp

Filesize
3.3MB

Download
memory/4632-207-0x0000000001160000-0x00000000014AA000-memory.dmp

Filesize
3.3MB

Download
memory/4660-179-0x0000000000400000-0x0000000000AE9000-memory.dmp

Filesize
6.9MB

Download
memory/4660-183-0x0000000000400000-0x0000000000AE9000-memory.dmp

Filesize
6.9MB

Download
memory/4660-184-0x00000000010C0000-0x000000000140A000-memory.dmp

Filesize
3.3MB

Download
memory/4696-151-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4696-141-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4696-150-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download
memory/4696-143-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4696-144-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download
memory/4696-147-0x0000000000D00000-0x0000000000D10000-memory.dmp

Filesize
64KB

Download
memory/4696-146-0x00000000011C0000-0x000000000150A000-memory.dmp

Filesize
3.3MB

Download
memory/4808-293-0x00000000014B0000-0x00000000017FA000-memory.dmp

Filesize
3.3MB

Download
memory/4948-261-0x00000000015D0000-0x000000000191A000-memory.dmp

Filesize
3.3MB

Download
memory/4948-260-0x0000000000400000-0x0000000000ADA000-memory.dmp

Filesize
6.9MB

Download
memory/4948-255-0x0000000000400000-0x0000000000ADA000-memory.dmp

Filesize
6.9MB

Download
memory/4980-324-0x0000000000F90000-0x00000000012DA000-memory.dmp

Filesize
3.3MB

Download
memory/5076-307-0x00000000012A0000-0x00000000015EA000-memory.dmp

Filesize
3.3MB

Download
memory/5104-154-0x0000000000ED0000-0x000000000100A000-memory.dmp

Filesize
1.2MB

Download
memory/5104-166-0x0000000000E00000-0x0000000000E8F000-memory.dmp

Filesize
572KB

Download
memory/5104-156-0x00000000025D0000-0x000000000291A000-memory.dmp

Filesize
3.3MB

Download
memory/5104-173-0x0000000000430000-0x000000000045D000-memory.dmp

Filesize
180KB

Download
memory/5104-155-0x0000000000430000-0x000000000045D000-memory.dmp

Filesize
180KB

Download