amadey | d15999dc72f59f76901e02af3b340b79148cf8d66deea9c399ccd0fd4a8464a9

Analysis

max time kernel
150s
max time network
150s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
14-11-2022 17:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d15999dc72f59f76901e02af3b340b79148cf8d66deea9c399ccd0fd4a8464a9.exe
Size

296KB
MD5

ea0d0b9ace17fa512a03d29b7ced82d7
SHA1

2ecab91e33852b2dab10fb1fbb1645df04f2b17a
SHA256

d15999dc72f59f76901e02af3b340b79148cf8d66deea9c399ccd0fd4a8464a9
SHA512

bae4ae5cb719ee48940939bc7eb333de766df54ab7c333f3dac3947f087af6d8ef697b181e2978d0da2c3a3de5527f7cab946b480a5f540c621a7117170ded28
SSDEEP

6144:NrBGL+DOwKJCng7zWpQMkDRx/6u82+EPRjEndTQ:NrY6DOwjg7zW2Myx/miZjUdT

Malware Config

Extracted

Family

djvu

http://fresherlights.com/lancer/get.php

Attributes

extension
.fate
offline_id
5IRhyFuF3rXlXBvF6jAWjHEAnAb432icDCcvZyt1
payload_url
http://uaery.top/dl/build2.exe
http://fresherlights.com/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-4wOUlYSwGo Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: support@fishmail.top Reserve e-mail address to contact us: datarestorehelp@airmail.cc Your personal ID: 0603Jhyjd

rsa_pubkey.plain

Extracted

Family

redline

45.15.156.37:110

Attributes

auth_value
19cd76dae6d01d9649fd29624fa61e51

Extracted

Family

redline

Botnet

mario23_10

167.235.252.160:10642

Attributes

auth_value
eca57cfb5172f71dc45986763bb98942

Extracted

Family

vidar

Version

55.6

Botnet

517

https://t.me/seclab_new

https://mas.to/@ofadex

Attributes

profile_id
517

Extracted

Family

redline

Botnet

123

78.153.144.3:2510

Attributes

auth_value
cd6abb0af211bce081d7bf127cc26835

Extracted

Family

redline

Botnet

boy

77.73.134.241:4691

Attributes

auth_value
a91fa8cc2cfaefc42a23c03faef44bd3

Extracted

Family

redline

Botnet

@REDLINEVIP Cloud (TG: @FATHEROFCARDERS)

151.80.89.233:13553

Attributes

auth_value
fbee175162920530e6bf470c8003fa1a

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detected Djvu ransomware 7 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2548-298-0x0000000002600000-0x000000000271B000-memory.dmp	family_djvu
behavioral1/memory/3588-310-0x0000000000424141-mapping.dmp	family_djvu
behavioral1/memory/3588-507-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/3588-675-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4344-729-0x0000000000424141-mapping.dmp	family_djvu
behavioral1/memory/4344-805-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4344-1245-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Detects Smokeloader packer 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2664-140-0x0000000000A30000-0x0000000000A39000-memory.dmp	family_smokeloader
behavioral1/memory/2304-389-0x00000000009A0000-0x00000000009A9000-memory.dmp	family_smokeloader
behavioral1/memory/3556-461-0x00000000001E0000-0x00000000001E9000-memory.dmp	family_smokeloader

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 8 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4908-577-0x000000000045ADEE-mapping.dmp	family_redline
behavioral1/memory/4908-627-0x0000000000400000-0x0000000000460000-memory.dmp	family_redline
behavioral1/memory/1784-1463-0x0000000002520000-0x000000000255E000-memory.dmp	family_redline
behavioral1/memory/1784-1472-0x00000000026D0000-0x000000000270C000-memory.dmp	family_redline
C:\Users\Admin\AppData\Local\Temp\1000082001\mana.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\1000082001\mana.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\1000086001\40K.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\1000086001\40K.exe	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

BB6B.exe

description pid process target process

PID 2988 created 2728 2988 BB6B.exe taskhostw.exe
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Blocklisted process makes network request 3 IoCs

Processes:

rundll32.exe

flow pid process

110 1808 rundll32.exe
129 1808 rundll32.exe
130 1808 rundll32.exe
Downloads MZ/PE file

description	pid	process	target process
PID 2988 created 2728	2988	BB6B.exe	taskhostw.exe

flow	pid	process
110	1808	rundll32.exe
129	1808	rundll32.exe
130	1808	rundll32.exe

Executes dropped EXE 26 IoCs

Processes:

CECE.exeDAA7.exeE1FB.exeE613.exeED19.exeDAA7.exeF344.exeDAA7.exeDAA7.exebuild2.exebuild3.exebuild2.exe98AD.exeB0E9.exeB688.exeBB6B.exeC167.exerovwer.exe45676.exesvchost.exemana.exerovwer.exemstsca.exelinda5.exe40K.exe14-11.exe

pid	process
3684	CECE.exe
2548	DAA7.exe
1200	E1FB.exe
2304	E613.exe
3556	ED19.exe
3588	DAA7.exe
3156	F344.exe
3640	DAA7.exe
4344	DAA7.exe
3880	build2.exe
3564	build3.exe
5076	build2.exe
1784	98AD.exe
2704	B0E9.exe
3284	B688.exe
2988	BB6B.exe
4804	C167.exe
388	rovwer.exe
2368	45676.exe
4816	svchost.exe
3476	mana.exe
3324	rovwer.exe
1268	mstsca.exe
2368	linda5.exe
1652	40K.exe
4908	14-11.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\1000067000\45676.exe	upx
C:\Users\Admin\AppData\Roaming\1000067000\45676.exe	upx

Deletes itself 1 IoCs

Processes:

pid process

3032
Loads dropped DLL 9 IoCs

Processes:

regsvr32.exebuild2.exerundll32.exeBB6B.exerundll32.exerundll32.exe

pid process

4944 regsvr32.exe
4944 regsvr32.exe
5076 build2.exe
5076 build2.exe
1808 rundll32.exe
1808 rundll32.exe
2988 BB6B.exe
1276 rundll32.exe
4560 rundll32.exe
Modifies file permissions 1 TTPs 1 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exe

pid process

4704 icacls.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
3032

pid	process
4944	regsvr32.exe
4944	regsvr32.exe
5076	build2.exe
5076	build2.exe
1808	rundll32.exe
1808	rundll32.exe
2988	BB6B.exe
1276	rundll32.exe
4560	rundll32.exe

pid	process
4704	icacls.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

DAA7.exerovwer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\bddb091f-ee38-46c2-a4f2-a38091c880cf\\DAA7.exe\" --AutoStart"	DAA7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Windows\CurrentVersion\Run\45676.exe = "C:\\Users\\Admin\\AppData\\Roaming\\1000067000\\45676.exe"	rovwer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Windows\CurrentVersion\Run\mana.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000082001\\mana.exe"	rovwer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Windows\CurrentVersion\Run\linda5.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000085001\\linda5.exe"	rovwer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Windows\CurrentVersion\Run\40K.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000086001\\40K.exe"	rovwer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Windows\CurrentVersion\Run\14-11.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000087001\\14-11.exe"	rovwer.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

11 api.2ip.ua
24 api.2ip.ua
10 api.2ip.ua

flow	ioc
11	api.2ip.ua
24	api.2ip.ua
10	api.2ip.ua

Suspicious use of SetThreadContext 7 IoCs

Processes:

DAA7.exeCECE.exeDAA7.exebuild2.exeBB6B.exeB688.exerundll32.exe

description	pid	process	target process
PID 2548 set thread context of 3588	2548	DAA7.exe	DAA7.exe
PID 3684 set thread context of 4908	3684	CECE.exe	vbc.exe
PID 3640 set thread context of 4344	3640	DAA7.exe	DAA7.exe
PID 3880 set thread context of 5076	3880	build2.exe	build2.exe
PID 2988 set thread context of 2044	2988	BB6B.exe	ngentask.exe
PID 3284 set thread context of 2200	3284	B688.exe	RegSvcs.exe
PID 1808 set thread context of 3892	1808	rundll32.exe	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

196 2304 WerFault.exe E613.exe
2680 3556 WerFault.exe ED19.exe

pid	pid_target	process	target process
196	2304	WerFault.exe	E613.exe
2680	3556	WerFault.exe	ED19.exe

Checks SCSI registry key(s) 3 TTPs 9 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

E1FB.exeF344.exed15999dc72f59f76901e02af3b340b79148cf8d66deea9c399ccd0fd4a8464a9.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	E1FB.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	E1FB.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	F344.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	d15999dc72f59f76901e02af3b340b79148cf8d66deea9c399ccd0fd4a8464a9.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	d15999dc72f59f76901e02af3b340b79148cf8d66deea9c399ccd0fd4a8464a9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	F344.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	F344.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	d15999dc72f59f76901e02af3b340b79148cf8d66deea9c399ccd0fd4a8464a9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	E1FB.exe

Checks processor information in registry 2 TTPs 25 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rundll32.exebuild2.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	build2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	build2.exe

Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

3480 schtasks.exe
4256 schtasks.exe
2600 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

4628 timeout.exe
GoLang User-Agent 1 IoCs
Uses default user-agent string defined by GoLang HTTP packages.

Processes:

description flow ioc

HTTP User-Agent header 150 Go-http-client/1.1

pid	process
3480	schtasks.exe
4256	schtasks.exe
2600	schtasks.exe

pid	process
4628	timeout.exe

description	flow	ioc
HTTP User-Agent header	150	Go-http-client/1.1

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\Toolbar
Set value (int)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
Set value (data)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

Modifies registry class 36 IoCs

Processes:

rundll32.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell
Set value (data)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4e003100000000006e558993100054656d7000003a0009000400efbe0c5553886e5589932e0000000000000000000000000000000000000000000000000099bf8d00540065006d007000000014000000	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 50003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014000000	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 820074001c0043465346160031000000000000000000100041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f400009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004100700070004400610074006100000042000000	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\WorkFolders
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

pid process

3032

pid	process
3032

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

d15999dc72f59f76901e02af3b340b79148cf8d66deea9c399ccd0fd4a8464a9.exe

pid	process
2664	d15999dc72f59f76901e02af3b340b79148cf8d66deea9c399ccd0fd4a8464a9.exe
2664	d15999dc72f59f76901e02af3b340b79148cf8d66deea9c399ccd0fd4a8464a9.exe
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3032

pid	process
3032

Suspicious behavior: MapViewOfSection 25 IoCs

Processes:

d15999dc72f59f76901e02af3b340b79148cf8d66deea9c399ccd0fd4a8464a9.exeE1FB.exeF344.exe

pid	process
2664	d15999dc72f59f76901e02af3b340b79148cf8d66deea9c399ccd0fd4a8464a9.exe
3032
3032
3032
3032
1200	E1FB.exe
3156	F344.exe
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

vbc.exe98AD.exengentask.exemana.exe

description	pid	process
Token: SeShutdownPrivilege	3032
Token: SeCreatePagefilePrivilege	3032
Token: SeShutdownPrivilege	3032
Token: SeCreatePagefilePrivilege	3032
Token: SeShutdownPrivilege	3032
Token: SeCreatePagefilePrivilege	3032
Token: SeShutdownPrivilege	3032
Token: SeCreatePagefilePrivilege	3032
Token: SeShutdownPrivilege	3032
Token: SeCreatePagefilePrivilege	3032
Token: SeShutdownPrivilege	3032
Token: SeCreatePagefilePrivilege	3032
Token: SeShutdownPrivilege	3032
Token: SeCreatePagefilePrivilege	3032
Token: SeShutdownPrivilege	3032
Token: SeCreatePagefilePrivilege	3032
Token: SeShutdownPrivilege	3032
Token: SeCreatePagefilePrivilege	3032
Token: SeShutdownPrivilege	3032
Token: SeCreatePagefilePrivilege	3032
Token: SeShutdownPrivilege	3032
Token: SeCreatePagefilePrivilege	3032
Token: SeShutdownPrivilege	3032
Token: SeCreatePagefilePrivilege	3032
Token: SeDebugPrivilege	4908	vbc.exe
Token: SeShutdownPrivilege	3032
Token: SeCreatePagefilePrivilege	3032
Token: SeShutdownPrivilege	3032
Token: SeCreatePagefilePrivilege	3032
Token: SeShutdownPrivilege	3032
Token: SeCreatePagefilePrivilege	3032
Token: SeDebugPrivilege	1784	98AD.exe
Token: SeShutdownPrivilege	3032
Token: SeCreatePagefilePrivilege	3032
Token: SeShutdownPrivilege	3032
Token: SeCreatePagefilePrivilege	3032
Token: SeShutdownPrivilege	3032
Token: SeCreatePagefilePrivilege	3032
Token: SeShutdownPrivilege	3032
Token: SeCreatePagefilePrivilege	3032
Token: SeShutdownPrivilege	3032
Token: SeCreatePagefilePrivilege	3032
Token: SeShutdownPrivilege	3032
Token: SeCreatePagefilePrivilege	3032
Token: SeShutdownPrivilege	3032
Token: SeCreatePagefilePrivilege	3032
Token: SeShutdownPrivilege	3032
Token: SeCreatePagefilePrivilege	3032
Token: SeShutdownPrivilege	3032
Token: SeCreatePagefilePrivilege	3032
Token: SeShutdownPrivilege	3032
Token: SeCreatePagefilePrivilege	3032
Token: SeShutdownPrivilege	3032
Token: SeCreatePagefilePrivilege	3032
Token: SeDebugPrivilege	2044	ngentask.exe
Token: SeDebugPrivilege	3476	mana.exe
Token: SeShutdownPrivilege	3032
Token: SeCreatePagefilePrivilege	3032
Token: SeShutdownPrivilege	3032
Token: SeCreatePagefilePrivilege	3032
Token: SeShutdownPrivilege	3032
Token: SeCreatePagefilePrivilege	3032
Token: SeShutdownPrivilege	3032
Token: SeCreatePagefilePrivilege	3032

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

rundll32.exe

pid process

3892 rundll32.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

pid process

3032
3032

pid	process
3892	rundll32.exe

pid	process
3032
3032

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

regsvr32.exeDAA7.exeCECE.exeDAA7.exeDAA7.exeDAA7.exe

description	pid	process	target process
PID 3032 wrote to memory of 3684	3032		CECE.exe
PID 3032 wrote to memory of 3684	3032		CECE.exe
PID 3032 wrote to memory of 3684	3032		CECE.exe
PID 3032 wrote to memory of 4688	3032		regsvr32.exe
PID 3032 wrote to memory of 4688	3032		regsvr32.exe
PID 3032 wrote to memory of 2548	3032		DAA7.exe
PID 3032 wrote to memory of 2548	3032		DAA7.exe
PID 3032 wrote to memory of 2548	3032		DAA7.exe
PID 4688 wrote to memory of 4944	4688	regsvr32.exe	regsvr32.exe
PID 4688 wrote to memory of 4944	4688	regsvr32.exe	regsvr32.exe
PID 4688 wrote to memory of 4944	4688	regsvr32.exe	regsvr32.exe
PID 3032 wrote to memory of 1200	3032		E1FB.exe
PID 3032 wrote to memory of 1200	3032		E1FB.exe
PID 3032 wrote to memory of 1200	3032		E1FB.exe
PID 3032 wrote to memory of 2304	3032		E613.exe
PID 3032 wrote to memory of 2304	3032		E613.exe
PID 3032 wrote to memory of 2304	3032		E613.exe
PID 3032 wrote to memory of 3556	3032		ED19.exe
PID 3032 wrote to memory of 3556	3032		ED19.exe
PID 3032 wrote to memory of 3556	3032		ED19.exe
PID 2548 wrote to memory of 3588	2548	DAA7.exe	DAA7.exe
PID 2548 wrote to memory of 3588	2548	DAA7.exe	DAA7.exe
PID 2548 wrote to memory of 3588	2548	DAA7.exe	DAA7.exe
PID 2548 wrote to memory of 3588	2548	DAA7.exe	DAA7.exe
PID 2548 wrote to memory of 3588	2548	DAA7.exe	DAA7.exe
PID 2548 wrote to memory of 3588	2548	DAA7.exe	DAA7.exe
PID 2548 wrote to memory of 3588	2548	DAA7.exe	DAA7.exe
PID 2548 wrote to memory of 3588	2548	DAA7.exe	DAA7.exe
PID 2548 wrote to memory of 3588	2548	DAA7.exe	DAA7.exe
PID 2548 wrote to memory of 3588	2548	DAA7.exe	DAA7.exe
PID 3032 wrote to memory of 3156	3032		F344.exe
PID 3032 wrote to memory of 3156	3032		F344.exe
PID 3032 wrote to memory of 3156	3032		F344.exe
PID 3032 wrote to memory of 3024	3032		explorer.exe
PID 3032 wrote to memory of 3024	3032		explorer.exe
PID 3032 wrote to memory of 3024	3032		explorer.exe
PID 3032 wrote to memory of 3024	3032		explorer.exe
PID 3032 wrote to memory of 4556	3032		explorer.exe
PID 3032 wrote to memory of 4556	3032		explorer.exe
PID 3032 wrote to memory of 4556	3032		explorer.exe
PID 3684 wrote to memory of 4908	3684	CECE.exe	vbc.exe
PID 3684 wrote to memory of 4908	3684	CECE.exe	vbc.exe
PID 3684 wrote to memory of 4908	3684	CECE.exe	vbc.exe
PID 3684 wrote to memory of 4908	3684	CECE.exe	vbc.exe
PID 3684 wrote to memory of 4908	3684	CECE.exe	vbc.exe
PID 3588 wrote to memory of 4704	3588	DAA7.exe	icacls.exe
PID 3588 wrote to memory of 4704	3588	DAA7.exe	icacls.exe
PID 3588 wrote to memory of 4704	3588	DAA7.exe	icacls.exe
PID 3588 wrote to memory of 3640	3588	DAA7.exe	DAA7.exe
PID 3588 wrote to memory of 3640	3588	DAA7.exe	DAA7.exe
PID 3588 wrote to memory of 3640	3588	DAA7.exe	DAA7.exe
PID 3640 wrote to memory of 4344	3640	DAA7.exe	DAA7.exe
PID 3640 wrote to memory of 4344	3640	DAA7.exe	DAA7.exe
PID 3640 wrote to memory of 4344	3640	DAA7.exe	DAA7.exe
PID 3640 wrote to memory of 4344	3640	DAA7.exe	DAA7.exe
PID 3640 wrote to memory of 4344	3640	DAA7.exe	DAA7.exe
PID 3640 wrote to memory of 4344	3640	DAA7.exe	DAA7.exe
PID 3640 wrote to memory of 4344	3640	DAA7.exe	DAA7.exe
PID 3640 wrote to memory of 4344	3640	DAA7.exe	DAA7.exe
PID 3640 wrote to memory of 4344	3640	DAA7.exe	DAA7.exe
PID 3640 wrote to memory of 4344	3640	DAA7.exe	DAA7.exe
PID 4344 wrote to memory of 3880	4344	DAA7.exe	build2.exe
PID 4344 wrote to memory of 3880	4344	DAA7.exe	build2.exe
PID 4344 wrote to memory of 3880	4344	DAA7.exe	build2.exe

outlook_office_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

outlook_win_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

c:\windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2728

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
2⤵
- Executes dropped EXE
PID:4816

C:\Users\Admin\AppData\Local\Temp\d15999dc72f59f76901e02af3b340b79148cf8d66deea9c399ccd0fd4a8464a9.exe
"C:\Users\Admin\AppData\Local\Temp\d15999dc72f59f76901e02af3b340b79148cf8d66deea9c399ccd0fd4a8464a9.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2664

C:\Users\Admin\AppData\Local\Temp\CECE.exe
C:\Users\Admin\AppData\Local\Temp\CECE.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3684

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4908

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\D5E4.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:4688

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\D5E4.dll
2⤵
- Loads dropped DLL
PID:4944

C:\Users\Admin\AppData\Local\Temp\DAA7.exe
C:\Users\Admin\AppData\Local\Temp\DAA7.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2548

C:\Users\Admin\AppData\Local\Temp\DAA7.exe
C:\Users\Admin\AppData\Local\Temp\DAA7.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3588

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\bddb091f-ee38-46c2-a4f2-a38091c880cf" /deny *S-1-1-0:(OI)(CI)(DE,DC)
3⤵
- Modifies file permissions
PID:4704

C:\Users\Admin\AppData\Local\Temp\DAA7.exe
"C:\Users\Admin\AppData\Local\Temp\DAA7.exe" --Admin IsNotAutoStart IsNotTask
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3640

C:\Users\Admin\AppData\Local\Temp\DAA7.exe
"C:\Users\Admin\AppData\Local\Temp\DAA7.exe" --Admin IsNotAutoStart IsNotTask
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4344

C:\Users\Admin\AppData\Local\22bf5a00-75e5-4284-8850-e9b230c03fcf\build2.exe
"C:\Users\Admin\AppData\Local\22bf5a00-75e5-4284-8850-e9b230c03fcf\build2.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3880

C:\Users\Admin\AppData\Local\22bf5a00-75e5-4284-8850-e9b230c03fcf\build2.exe
"C:\Users\Admin\AppData\Local\22bf5a00-75e5-4284-8850-e9b230c03fcf\build2.exe"
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
PID:5076

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\22bf5a00-75e5-4284-8850-e9b230c03fcf\build2.exe" & exit
7⤵
PID:4456

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
8⤵
- Delays execution with timeout.exe
PID:4628

C:\Users\Admin\AppData\Local\22bf5a00-75e5-4284-8850-e9b230c03fcf\build3.exe
"C:\Users\Admin\AppData\Local\22bf5a00-75e5-4284-8850-e9b230c03fcf\build3.exe"
5⤵
- Executes dropped EXE
PID:3564

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
6⤵
- Creates scheduled task(s)
PID:3480

C:\Users\Admin\AppData\Local\Temp\E1FB.exe
C:\Users\Admin\AppData\Local\Temp\E1FB.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:1200

C:\Users\Admin\AppData\Local\Temp\E613.exe
C:\Users\Admin\AppData\Local\Temp\E613.exe
1⤵
- Executes dropped EXE
PID:2304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2304 -s 476
2⤵
- Program crash
PID:196

C:\Users\Admin\AppData\Local\Temp\ED19.exe
C:\Users\Admin\AppData\Local\Temp\ED19.exe
1⤵
- Executes dropped EXE
PID:3556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3556 -s 476
2⤵
- Program crash
PID:2680

C:\Users\Admin\AppData\Local\Temp\F344.exe
C:\Users\Admin\AppData\Local\Temp\F344.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:3156

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
PID:3024

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:4556

C:\Users\Admin\AppData\Local\Temp\98AD.exe
C:\Users\Admin\AppData\Local\Temp\98AD.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1784

C:\Users\Admin\AppData\Local\Temp\B0E9.exe
C:\Users\Admin\AppData\Local\Temp\B0E9.exe
1⤵
- Executes dropped EXE
PID:2704

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Hefurhy.dll,start
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Checks processor information in registry
PID:1808

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 16322
3⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:3892

C:\Users\Admin\AppData\Local\Temp\B688.exe
C:\Users\Admin\AppData\Local\Temp\B688.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3284

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
2⤵
PID:2200

C:\Users\Admin\AppData\Local\Temp\BB6B.exe
C:\Users\Admin\AppData\Local\Temp\BB6B.exe
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
PID:2988

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2044

C:\Users\Admin\AppData\Local\Temp\C167.exe
C:\Users\Admin\AppData\Local\Temp\C167.exe
1⤵
- Executes dropped EXE
PID:4804

C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
"C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:388

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rovwer.exe /TR "C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe" /F
3⤵
- Creates scheduled task(s)
PID:4256

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "rovwer.exe" /P "Admin:N"&&CACLS "rovwer.exe" /P "Admin:R" /E&&echo Y|CACLS "..\99e342142d" /P "Admin:N"&&CACLS "..\99e342142d" /P "Admin:R" /E&&Exit
3⤵
PID:4752

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
4⤵
PID:3132

C:\Windows\SysWOW64\cacls.exe
CACLS "rovwer.exe" /P "Admin:N"
4⤵
PID:4424

C:\Windows\SysWOW64\cacls.exe
CACLS "rovwer.exe" /P "Admin:R" /E
4⤵
PID:224

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
4⤵
PID:2508

C:\Windows\SysWOW64\cacls.exe
CACLS "..\99e342142d" /P "Admin:N"
4⤵
PID:2228

C:\Windows\SysWOW64\cacls.exe
CACLS "..\99e342142d" /P "Admin:R" /E
4⤵
PID:1652

C:\Users\Admin\AppData\Roaming\1000067000\45676.exe
"C:\Users\Admin\AppData\Roaming\1000067000\45676.exe"
3⤵
- Executes dropped EXE
PID:2368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 0 &Del C:\Users\Admin\AppData\Roaming\1000067000\45676.exe
4⤵
PID:3568

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 0
5⤵
PID:1612

C:\Users\Admin\AppData\Local\Temp\1000082001\mana.exe
"C:\Users\Admin\AppData\Local\Temp\1000082001\mana.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3476

C:\Users\Admin\AppData\Local\Temp\1000085001\linda5.exe
"C:\Users\Admin\AppData\Local\Temp\1000085001\linda5.exe"
3⤵
- Executes dropped EXE
PID:2368

C:\Windows\SysWOW64\control.exe
"C:\Windows\System32\control.exe" .\_1LEGh3.c
4⤵
PID:4336

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\_1LEGh3.c
5⤵
- Loads dropped DLL
PID:1276

C:\Windows\system32\RunDll32.exe
C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\_1LEGh3.c
6⤵
PID:5108

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\_1LEGh3.c
7⤵
- Loads dropped DLL
PID:4560

C:\Users\Admin\AppData\Local\Temp\1000086001\40K.exe
"C:\Users\Admin\AppData\Local\Temp\1000086001\40K.exe"
3⤵
- Executes dropped EXE
PID:1652

C:\Users\Admin\AppData\Local\Temp\1000087001\14-11.exe
"C:\Users\Admin\AppData\Local\Temp\1000087001\14-11.exe"
3⤵
- Executes dropped EXE
PID:4908

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4736

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:4960

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3988

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:3564

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2216

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3572

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4792

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:5016

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3640

C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
1⤵
- Executes dropped EXE
PID:3324

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
1⤵
- Executes dropped EXE
PID:1268

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
2⤵
- Creates scheduled task(s)
PID:2600

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2696

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

File Permissions Modification

T1222

Scripting

T1064

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
Filesize
2KB

MD5
b00f59ce59a95f5fe629aff007e982fa

SHA1
8eb54eb49c540b80dba22e0a863f8122b48df410

SHA256
d3559d4f89073b9bd7764d42e0fd258f78d98b5344af368056696f5fb6a87c46

SHA512
6317a36087f2166e5a77a5761d7ad662c76b2989840af4e89e8a93845c8c7f47e6a26341be77db39ca687aacb5e50ad3730a5ee4b6d76669637b676a31b0efb3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
Filesize
1KB

MD5
8245d5e076774cc6f63bf77f4650bf3b

SHA1
2efdf2d5967e180eb13f9633094b617e4e1a8656

SHA256
b4247c5d4cedfc5c553005c58ea254e62b12ced6a28a183fcc3823e4d1cfbc53

SHA512
a2eb33bdb4f996bb67508b8add8f042bf26223f427caefa1ef1388cdecd6f15eecbc197d88a59e64f1a0f7e8a14983ab96bbe6463f2cadf39e6637679f34ad54

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
Filesize
488B

MD5
a61288de2751ea3c5a978be0e50c2941

SHA1
7f574054ce9fdccf277b1d19b9f8f1523be0c75f

SHA256
dc418583c8dbc5297cfce6e89457de465516484e7582ee704a8260bc92a23f8d

SHA512
47ae44c581756e9e1475f2759751cef7ae6ffbe1347caabfc4fc0e83929b91c0c26c57ebf5456863b224d19ec442f7f914e53517fb475524a27cd8f126b3334c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
Filesize
482B

MD5
f01bef21a5b02fe4565e47e1357e623b

SHA1
7d2a79f4dd89dac9f5900de7c3603afc11cad796

SHA256
11a4ca0dac603ef8b0eb2a27bc7d5d94a5976e7fe3a73c84176bc9ccd097fec7

SHA512
695f9c7165b43cb9bb478646304440e9de80646aadb7303ed9491d52e5af9184c69d7f023b68b387de1d2774995bc446ca78a843d5d67dece6d913c5111e6a34

Download Submit
C:\Users\Admin\AppData\Local\22bf5a00-75e5-4284-8850-e9b230c03fcf\build2.exe
Filesize
301KB

MD5
9964dec7f63403963374ebae4ba27e44

SHA1
51c8d242bbbc34b9d0135bcdaa53b5e78449b73d

SHA256
0b98114cfbe3e32c681ebb5a4a867391da2d235b771227af97f46825b95de3f2

SHA512
41cc95c052b85997c47cceaa0665788607b577005e93ae08b48b54d10a3ead190f56219238d3579e45ce18601220474f8e860ad8efb1d22c475070d79c202937

Download Submit
C:\Users\Admin\AppData\Local\22bf5a00-75e5-4284-8850-e9b230c03fcf\build2.exe
Filesize
301KB

MD5
9964dec7f63403963374ebae4ba27e44

SHA1
51c8d242bbbc34b9d0135bcdaa53b5e78449b73d

SHA256
0b98114cfbe3e32c681ebb5a4a867391da2d235b771227af97f46825b95de3f2

SHA512
41cc95c052b85997c47cceaa0665788607b577005e93ae08b48b54d10a3ead190f56219238d3579e45ce18601220474f8e860ad8efb1d22c475070d79c202937

Download Submit
C:\Users\Admin\AppData\Local\22bf5a00-75e5-4284-8850-e9b230c03fcf\build2.exe
Filesize
301KB

MD5
9964dec7f63403963374ebae4ba27e44

SHA1
51c8d242bbbc34b9d0135bcdaa53b5e78449b73d

SHA256
0b98114cfbe3e32c681ebb5a4a867391da2d235b771227af97f46825b95de3f2

SHA512
41cc95c052b85997c47cceaa0665788607b577005e93ae08b48b54d10a3ead190f56219238d3579e45ce18601220474f8e860ad8efb1d22c475070d79c202937

Download Submit
C:\Users\Admin\AppData\Local\22bf5a00-75e5-4284-8850-e9b230c03fcf\build3.exe
Filesize
9KB

MD5
9ead10c08e72ae41921191f8db39bc16

SHA1
abe3bce01cd34afc88e2c838173f8c2bd0090ae1

SHA256
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

SHA512
aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

Download Submit
C:\Users\Admin\AppData\Local\22bf5a00-75e5-4284-8850-e9b230c03fcf\build3.exe
Filesize
9KB

MD5
9ead10c08e72ae41921191f8db39bc16

SHA1
abe3bce01cd34afc88e2c838173f8c2bd0090ae1

SHA256
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

SHA512
aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000082001\mana.exe
Filesize
137KB

MD5
e63d74cec6926b2d04e474b889d08af4

SHA1
a64a888ccfb4e82ade71f1a00a7ae681d29c7bcb

SHA256
a9ffffff38aca59d7d2f041fbdb253ca612c7ba2d597782b2e6a59a914f49b33

SHA512
fd59c0a1c613611002e52a309ee4baad626df8fbbd8c0c230bcb8e6fed4a3059296ab11b88a1d25a0f54c65f730a027f876629298120f7b4c251bf6d2aaed148

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000082001\mana.exe
Filesize
137KB

MD5
e63d74cec6926b2d04e474b889d08af4

SHA1
a64a888ccfb4e82ade71f1a00a7ae681d29c7bcb

SHA256
a9ffffff38aca59d7d2f041fbdb253ca612c7ba2d597782b2e6a59a914f49b33

SHA512
fd59c0a1c613611002e52a309ee4baad626df8fbbd8c0c230bcb8e6fed4a3059296ab11b88a1d25a0f54c65f730a027f876629298120f7b4c251bf6d2aaed148

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000085001\linda5.exe
Filesize
1.9MB

MD5
dd55fefe98445b68bb2934305e8923e4

SHA1
33eda9f3add50587be304110004fa4ced1efc361

SHA256
b1c497b889020b7ee60353ae8e54cc00e2abfb05a059401edb0745364b41470f

SHA512
02267b0558a21680e3fa21c6fa57229ce12af3893e2f7a316f213bc08606730a9ce69b51fb874ece37e53ffb6f03f0144d6441542b00eae88bb4735f8ab5d81e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000085001\linda5.exe
Filesize
1.9MB

MD5
dd55fefe98445b68bb2934305e8923e4

SHA1
33eda9f3add50587be304110004fa4ced1efc361

SHA256
b1c497b889020b7ee60353ae8e54cc00e2abfb05a059401edb0745364b41470f

SHA512
02267b0558a21680e3fa21c6fa57229ce12af3893e2f7a316f213bc08606730a9ce69b51fb874ece37e53ffb6f03f0144d6441542b00eae88bb4735f8ab5d81e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000086001\40K.exe
Filesize
137KB

MD5
87ef06885fd221a86bba9e5b86a7ea7d

SHA1
6644db86f2d557167f442a5fe72a82de3fe943ba

SHA256
ab5026bf6fe5d692faaf86752b4c9fa226ec49ba54cfb625579287b498eab20f

SHA512
c65b38856d4995b01454754044ae7373363a02b8e228c249fee3c1c2222f2348473f0bba5a5f2e4a280cd183e57dc13423bb09f86919ccb8968c8229310c5ad0

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000086001\40K.exe
Filesize
137KB

MD5
87ef06885fd221a86bba9e5b86a7ea7d

SHA1
6644db86f2d557167f442a5fe72a82de3fe943ba

SHA256
ab5026bf6fe5d692faaf86752b4c9fa226ec49ba54cfb625579287b498eab20f

SHA512
c65b38856d4995b01454754044ae7373363a02b8e228c249fee3c1c2222f2348473f0bba5a5f2e4a280cd183e57dc13423bb09f86919ccb8968c8229310c5ad0

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000087001\14-11.exe
Filesize
199KB

MD5
0385f088162ba40f42567b2547a50b2f

SHA1
253097adc89941518d5d40dc5ea0e2f954a323e2

SHA256
9959b77737dd53be31eabcb7333bde782dc4a53496d4e5c448b5aafdca4dce56

SHA512
89f39cb1919f070282a00c128a908c425d37e0c4c10757e65836189f1b215f6859bab6513d4aaac75119bb5d863e5a22c1fba622898c451bde5479449edc57eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000087001\14-11.exe
Filesize
199KB

MD5
0385f088162ba40f42567b2547a50b2f

SHA1
253097adc89941518d5d40dc5ea0e2f954a323e2

SHA256
9959b77737dd53be31eabcb7333bde782dc4a53496d4e5c448b5aafdca4dce56

SHA512
89f39cb1919f070282a00c128a908c425d37e0c4c10757e65836189f1b215f6859bab6513d4aaac75119bb5d863e5a22c1fba622898c451bde5479449edc57eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\98AD.exe
Filesize
317KB

MD5
a010f68edf19cee144561a1588089b39

SHA1
699de7fa8e8b6b9568180fa5b6ddd700d9800020

SHA256
7f297b3930d265bda695ea3e1b3588711983aa80065acb88a80a409ac1de03ba

SHA512
ad91510f92d65e1d302b4f13b6ee8d277b8f75a7cff23d25a5e808cfb1036cb424fd12d37ba57938123e5ced62062442aa78f3e0a8fd5f880e91f49ef53df5fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\98AD.exe
Filesize
317KB

MD5
a010f68edf19cee144561a1588089b39

SHA1
699de7fa8e8b6b9568180fa5b6ddd700d9800020

SHA256
7f297b3930d265bda695ea3e1b3588711983aa80065acb88a80a409ac1de03ba

SHA512
ad91510f92d65e1d302b4f13b6ee8d277b8f75a7cff23d25a5e808cfb1036cb424fd12d37ba57938123e5ced62062442aa78f3e0a8fd5f880e91f49ef53df5fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
Filesize
334KB

MD5
33c37d23c1c4976547996161dbb0ce80

SHA1
a181b5b06eae951a9130a5ad5ea9b95cb0c88b08

SHA256
898abe93fb73647ffeea58ba02632a8f694b8c954971a2b4f0368a331b4db623

SHA512
fcdf2e53c61eb7589213d7f53dac5068aabfcc83ddd944cda1e63389d7dd84cc979fc9f7d00dedaa4296d5df400f7d940ba5258778bbdc45b243f94f898be8a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
Filesize
334KB

MD5
33c37d23c1c4976547996161dbb0ce80

SHA1
a181b5b06eae951a9130a5ad5ea9b95cb0c88b08

SHA256
898abe93fb73647ffeea58ba02632a8f694b8c954971a2b4f0368a331b4db623

SHA512
fcdf2e53c61eb7589213d7f53dac5068aabfcc83ddd944cda1e63389d7dd84cc979fc9f7d00dedaa4296d5df400f7d940ba5258778bbdc45b243f94f898be8a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
Filesize
334KB

MD5
33c37d23c1c4976547996161dbb0ce80

SHA1
a181b5b06eae951a9130a5ad5ea9b95cb0c88b08

SHA256
898abe93fb73647ffeea58ba02632a8f694b8c954971a2b4f0368a331b4db623

SHA512
fcdf2e53c61eb7589213d7f53dac5068aabfcc83ddd944cda1e63389d7dd84cc979fc9f7d00dedaa4296d5df400f7d940ba5258778bbdc45b243f94f898be8a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\B0E9.exe
Filesize
3.0MB

MD5
a6809a0da3ac7da364c708f781161cf6

SHA1
e68f010ad14d7f00890c755a3ec5135027b355e4

SHA256
c40e7bef8854ab8d7f96917ca4650bc04915c68837b5459565c3bec26db45b84

SHA512
7eeb9fb194121b61259efe1f14b8471b06e8a1817ce7ca8ddb2101d6bbfcb327ecd384207c987e1e130a61a32be54198013e8a490bf61afd6d53d9f0b3e26dce

Download Submit
C:\Users\Admin\AppData\Local\Temp\B0E9.exe
Filesize
3.0MB

MD5
a6809a0da3ac7da364c708f781161cf6

SHA1
e68f010ad14d7f00890c755a3ec5135027b355e4

SHA256
c40e7bef8854ab8d7f96917ca4650bc04915c68837b5459565c3bec26db45b84

SHA512
7eeb9fb194121b61259efe1f14b8471b06e8a1817ce7ca8ddb2101d6bbfcb327ecd384207c987e1e130a61a32be54198013e8a490bf61afd6d53d9f0b3e26dce

Download Submit
C:\Users\Admin\AppData\Local\Temp\B688.exe
Filesize
3.0MB

MD5
72efc55b476245e5955a405c50c3574f

SHA1
82cc77bb5e47520209e6564513e45c7d39573115

SHA256
899d0f9e8343dab899e302fa6bda0ec1bc4133f00fbb6d9215eea4b79ccf4ecb

SHA512
01e2eec8c951815b0cd98904ad5758a6c7c73f8b3e4cb4fcaeb80d8cb4f68366d06b2a309b3349d2a22f8904ec815feaf33f7a599bf7d56b3ec38188071604b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\B688.exe
Filesize
3.0MB

MD5
72efc55b476245e5955a405c50c3574f

SHA1
82cc77bb5e47520209e6564513e45c7d39573115

SHA256
899d0f9e8343dab899e302fa6bda0ec1bc4133f00fbb6d9215eea4b79ccf4ecb

SHA512
01e2eec8c951815b0cd98904ad5758a6c7c73f8b3e4cb4fcaeb80d8cb4f68366d06b2a309b3349d2a22f8904ec815feaf33f7a599bf7d56b3ec38188071604b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\BB6B.exe
Filesize
1.1MB

MD5
5e7c07b9aa0668fa2971747bb4fade1e

SHA1
7fae544f73f2a8fb7a340a20ec47f76370fbd487

SHA256
431a1c4ceae3411f5476eed27fc30ebd55138afb4c4e9dac3db9d4b8addbb361

SHA512
5c9c65c99f0c8a5aaa2beac1a0c4304a1cb2ea808eeb6bbe11c2852d6e9fbad8bb68faa5f778848dade617e1c5ee1fb9dae566d7a064b05fdaa30a03019b868f

Download Submit
C:\Users\Admin\AppData\Local\Temp\BB6B.exe
Filesize
1.1MB

MD5
5e7c07b9aa0668fa2971747bb4fade1e

SHA1
7fae544f73f2a8fb7a340a20ec47f76370fbd487

SHA256
431a1c4ceae3411f5476eed27fc30ebd55138afb4c4e9dac3db9d4b8addbb361

SHA512
5c9c65c99f0c8a5aaa2beac1a0c4304a1cb2ea808eeb6bbe11c2852d6e9fbad8bb68faa5f778848dade617e1c5ee1fb9dae566d7a064b05fdaa30a03019b868f

Download Submit
C:\Users\Admin\AppData\Local\Temp\C167.exe
Filesize
334KB

MD5
33c37d23c1c4976547996161dbb0ce80

SHA1
a181b5b06eae951a9130a5ad5ea9b95cb0c88b08

SHA256
898abe93fb73647ffeea58ba02632a8f694b8c954971a2b4f0368a331b4db623

SHA512
fcdf2e53c61eb7589213d7f53dac5068aabfcc83ddd944cda1e63389d7dd84cc979fc9f7d00dedaa4296d5df400f7d940ba5258778bbdc45b243f94f898be8a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\C167.exe
Filesize
334KB

MD5
33c37d23c1c4976547996161dbb0ce80

SHA1
a181b5b06eae951a9130a5ad5ea9b95cb0c88b08

SHA256
898abe93fb73647ffeea58ba02632a8f694b8c954971a2b4f0368a331b4db623

SHA512
fcdf2e53c61eb7589213d7f53dac5068aabfcc83ddd944cda1e63389d7dd84cc979fc9f7d00dedaa4296d5df400f7d940ba5258778bbdc45b243f94f898be8a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\CECE.exe
Filesize
443KB

MD5
6919c2fe93ba2c6955d984f060fac542

SHA1
cbe30ee22de7c11a10f9097fe604813950cc6a64

SHA256
269ed4f6918eb5df0b65f44e7e713fc618d220d716c6b7068c62c30f7ece332a

SHA512
2b3d29848d325e12d0ce65b4518bfb0370ffa2e56f4723d2b098534f7e3e0eaaf23caeef96ff9ce215b937c5d2ca506196e43c562ea022efcc875b0ca41f8315

Download Submit
C:\Users\Admin\AppData\Local\Temp\CECE.exe
Filesize
443KB

MD5
6919c2fe93ba2c6955d984f060fac542

SHA1
cbe30ee22de7c11a10f9097fe604813950cc6a64

SHA256
269ed4f6918eb5df0b65f44e7e713fc618d220d716c6b7068c62c30f7ece332a

SHA512
2b3d29848d325e12d0ce65b4518bfb0370ffa2e56f4723d2b098534f7e3e0eaaf23caeef96ff9ce215b937c5d2ca506196e43c562ea022efcc875b0ca41f8315

Download Submit
C:\Users\Admin\AppData\Local\Temp\D5E4.dll
Filesize
2.4MB

MD5
0b2be34be0e0b244ec3d5d88512dd881

SHA1
4eae839ef8307766a57b0d1ccef3748000bc3612

SHA256
650c166ed7a20cd2d68cf96725625063c413f4b9028f63a975d6a62e0beaa8db

SHA512
89cf6a7c8391144daeafd79c8894567ef980ee4ca99d09f3b2e49150dbc6455aadcd94fd8a2abf1c8fe2c893fa30f1a126230ea3ac06e214d50105c19a708e63

Download Submit
C:\Users\Admin\AppData\Local\Temp\DAA7.exe
Filesize
801KB

MD5
f499ee4717f26ed348a1c7b2ce14d809

SHA1
a032d944136eec161ecc5c2e3eb913055738ea3f

SHA256
c7b5306ec09e65428900e7acf48a574516387d496cabe49d8e19baf2245f4984

SHA512
160e6675540285a6ab142756d52bc946278d5185ea00216e4c2b85abd007787cb528633b187bad346db7ddf009cb97a0d80df44c20f3d779ac12d50ce8274216

Download Submit
C:\Users\Admin\AppData\Local\Temp\DAA7.exe
Filesize
801KB

MD5
f499ee4717f26ed348a1c7b2ce14d809

SHA1
a032d944136eec161ecc5c2e3eb913055738ea3f

SHA256
c7b5306ec09e65428900e7acf48a574516387d496cabe49d8e19baf2245f4984

SHA512
160e6675540285a6ab142756d52bc946278d5185ea00216e4c2b85abd007787cb528633b187bad346db7ddf009cb97a0d80df44c20f3d779ac12d50ce8274216

Download Submit
C:\Users\Admin\AppData\Local\Temp\DAA7.exe
Filesize
801KB

MD5
f499ee4717f26ed348a1c7b2ce14d809

SHA1
a032d944136eec161ecc5c2e3eb913055738ea3f

SHA256
c7b5306ec09e65428900e7acf48a574516387d496cabe49d8e19baf2245f4984

SHA512
160e6675540285a6ab142756d52bc946278d5185ea00216e4c2b85abd007787cb528633b187bad346db7ddf009cb97a0d80df44c20f3d779ac12d50ce8274216

Download Submit
C:\Users\Admin\AppData\Local\Temp\DAA7.exe
Filesize
801KB

MD5
f499ee4717f26ed348a1c7b2ce14d809

SHA1
a032d944136eec161ecc5c2e3eb913055738ea3f

SHA256
c7b5306ec09e65428900e7acf48a574516387d496cabe49d8e19baf2245f4984

SHA512
160e6675540285a6ab142756d52bc946278d5185ea00216e4c2b85abd007787cb528633b187bad346db7ddf009cb97a0d80df44c20f3d779ac12d50ce8274216

Download Submit
C:\Users\Admin\AppData\Local\Temp\DAA7.exe
Filesize
801KB

MD5
f499ee4717f26ed348a1c7b2ce14d809

SHA1
a032d944136eec161ecc5c2e3eb913055738ea3f

SHA256
c7b5306ec09e65428900e7acf48a574516387d496cabe49d8e19baf2245f4984

SHA512
160e6675540285a6ab142756d52bc946278d5185ea00216e4c2b85abd007787cb528633b187bad346db7ddf009cb97a0d80df44c20f3d779ac12d50ce8274216

Download Submit
C:\Users\Admin\AppData\Local\Temp\E1FB.exe
Filesize
295KB

MD5
7682da736410490fe1f88d36a2a7179e

SHA1
0e1dd3a9d92b353aa3f7e45cb81edc50410e7304

SHA256
143d6361791f2863395bca7d9503a56423aa46a89619f1dabfbd215e9d667bf4

SHA512
9600c4a7025d3548e210c746f892e70e2801ddec9d7060331f70262235a82a365b0887a5b81bd07a66fc32f94eef896c1835f0f82001c5792d24f77cf8e0b404

Download Submit
C:\Users\Admin\AppData\Local\Temp\E1FB.exe
Filesize
295KB

MD5
7682da736410490fe1f88d36a2a7179e

SHA1
0e1dd3a9d92b353aa3f7e45cb81edc50410e7304

SHA256
143d6361791f2863395bca7d9503a56423aa46a89619f1dabfbd215e9d667bf4

SHA512
9600c4a7025d3548e210c746f892e70e2801ddec9d7060331f70262235a82a365b0887a5b81bd07a66fc32f94eef896c1835f0f82001c5792d24f77cf8e0b404

Download Submit
C:\Users\Admin\AppData\Local\Temp\E613.exe
Filesize
300KB

MD5
af635919dd56aa9284968c33a2791ec2

SHA1
69432aa6fd6a0c87cf45364ca23eca3b222697e3

SHA256
1f21061deb8e8f15b9cef07d3e180dc2286e6da0f862a7b8394bb90fd6ffffbd

SHA512
04df87f0544d6df997045e4e9897ff0db9d563a3381ded4cca877f3c879395b1a99e00bf783804a756651e49ee3bd75d3d675aa56fb52e09302be601a0438b8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\E613.exe
Filesize
300KB

MD5
af635919dd56aa9284968c33a2791ec2

SHA1
69432aa6fd6a0c87cf45364ca23eca3b222697e3

SHA256
1f21061deb8e8f15b9cef07d3e180dc2286e6da0f862a7b8394bb90fd6ffffbd

SHA512
04df87f0544d6df997045e4e9897ff0db9d563a3381ded4cca877f3c879395b1a99e00bf783804a756651e49ee3bd75d3d675aa56fb52e09302be601a0438b8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ED19.exe
Filesize
296KB

MD5
fd596259b197309cb619b8a9acd39073

SHA1
973ebca59e3b180b8e0904033d8ddde5bbf0214e

SHA256
e8cbb7bb52998706d688e560405e5b03673133fe20d8844ce6b7d6dce67add63

SHA512
44ab6d331bae55d437ddd860d832f833fa18743d28df573b1f407f0dbe3f7c883c779a26965f54f9575767aa1ee8676eaa88262fee59354c9cf0644cb535c271

Download Submit
C:\Users\Admin\AppData\Local\Temp\ED19.exe
Filesize
296KB

MD5
fd596259b197309cb619b8a9acd39073

SHA1
973ebca59e3b180b8e0904033d8ddde5bbf0214e

SHA256
e8cbb7bb52998706d688e560405e5b03673133fe20d8844ce6b7d6dce67add63

SHA512
44ab6d331bae55d437ddd860d832f833fa18743d28df573b1f407f0dbe3f7c883c779a26965f54f9575767aa1ee8676eaa88262fee59354c9cf0644cb535c271

Download Submit
C:\Users\Admin\AppData\Local\Temp\F344.exe
Filesize
308KB

MD5
f298d7d30544c0919a947633647c05c7

SHA1
515c28a649f221ff84aeff33432e93bf4c4d72cd

SHA256
be2145311dd98963363b01295b62a810ab1e37f18e9556c8cafba1e9f32787fe

SHA512
2c4799ef04aad9c149b08a3fc5d1c86d96da4f147a8cff6f8d291a532f17e3416ab7a81648d2891d4abd981503b3f3b55f2928ea17c9b30e8e313cf8282d970b

Download Submit
C:\Users\Admin\AppData\Local\Temp\F344.exe
Filesize
308KB

MD5
f298d7d30544c0919a947633647c05c7

SHA1
515c28a649f221ff84aeff33432e93bf4c4d72cd

SHA256
be2145311dd98963363b01295b62a810ab1e37f18e9556c8cafba1e9f32787fe

SHA512
2c4799ef04aad9c149b08a3fc5d1c86d96da4f147a8cff6f8d291a532f17e3416ab7a81648d2891d4abd981503b3f3b55f2928ea17c9b30e8e313cf8282d970b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Hefurhy.dll
Filesize
4.3MB

MD5
8fd994a3c894cd76f088dfb89244b2f2

SHA1
1e48479da1f1166acfc377bb98c53c4c2de9a504

SHA256
7686f7ecee5b77bc14c79bbd052641cf256d47796a7a2a6b66a9fa2c61eb60b7

SHA512
2177a89fb8f3c451579829f1d75c613e5e59201b4104eeb8fdb9a208ae33cf7d0a9efb393f50e4c54d26229c14848290f5a42b4bb0b07a0b395d9bf82690f148

Download Submit
C:\Users\Admin\AppData\Local\Temp\_1LEGh3.c
Filesize
2.1MB

MD5
d292463230412cdabcb148c43eddc64b

SHA1
c44d73fb177296b62b9717ce70dd1b42e7cb67eb

SHA256
b1edb2e21bbe119152debc401cc4c692488125a81d95ec1ba76b3eccde696c15

SHA512
700e4153bef9d0055ae8aff4d0f18f38bf3b3d8dd9424234e605b72a122185bf92cbf4c6c21bf9e13f0c90b50687f44f99340e8b59e7fff391ac3e7e18741346

Download Submit
C:\Users\Admin\AppData\Local\Temp\advapi32.dll
Filesize
422KB

MD5
6a88864e46a99fc80ed605a8674aea68

SHA1
5290388ef67f658c31f5a99f4bbd9ca557bc3ab7

SHA256
f292fb7fefcd5c7815955ea5a691fd91160884e2a79ebe3ff6458fe7fea79448

SHA512
c2cd9b9bbbe7661e9ec7c235f1dde9976ee79c02a5fd049b043b4a048e05692d16b53dd1206537a192199d829a4e4622758edb12ac46c14475edeea897fccdc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe
Filesize
1.0MB

MD5
7ec1bacdf3a5c0a88cd4c9eda3897530

SHA1
ea904b3216abf9cd814e1c13507a543cf362ef01

SHA256
999cb113f2d60760cdeba5d537ced0d305dfff7e527edf5ff441f147371c92a3

SHA512
11cc364492540c501ae2af50f3a9ef0ebc92f8cd917fa89a69335fb550df8625d1047e6ef2f0a98735195e268cf398521a1a94efcbe1f7e4a3049d9c461905a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe
Filesize
1.0MB

MD5
7ec1bacdf3a5c0a88cd4c9eda3897530

SHA1
ea904b3216abf9cd814e1c13507a543cf362ef01

SHA256
999cb113f2d60760cdeba5d537ced0d305dfff7e527edf5ff441f147371c92a3

SHA512
11cc364492540c501ae2af50f3a9ef0ebc92f8cd917fa89a69335fb550df8625d1047e6ef2f0a98735195e268cf398521a1a94efcbe1f7e4a3049d9c461905a3

Download Submit
C:\Users\Admin\AppData\Local\bddb091f-ee38-46c2-a4f2-a38091c880cf\DAA7.exe
Filesize
801KB

MD5
f499ee4717f26ed348a1c7b2ce14d809

SHA1
a032d944136eec161ecc5c2e3eb913055738ea3f

SHA256
c7b5306ec09e65428900e7acf48a574516387d496cabe49d8e19baf2245f4984

SHA512
160e6675540285a6ab142756d52bc946278d5185ea00216e4c2b85abd007787cb528633b187bad346db7ddf009cb97a0d80df44c20f3d779ac12d50ce8274216

Download Submit
C:\Users\Admin\AppData\Roaming\1000067000\45676.exe
Filesize
4.3MB

MD5
30be8d7ef914a7baf9a3796cb892aa02

SHA1
ee79a60ddf9f578404e697564e694fe5d09706d9

SHA256
a2385d07f033b36d08d4ceb976820d2db8ca7b29339cb72ff3f74a4a90806c54

SHA512
985c3a3c404c590403cd0c46f88b912bb9d4994ae0f7c921176a1b3180d8f96e3be86f74e1cc672a6598fc6ccbbce6ece5e8567635f594f173bce8f968cf56f9

Download Submit
C:\Users\Admin\AppData\Roaming\1000067000\45676.exe
Filesize
4.3MB

MD5
30be8d7ef914a7baf9a3796cb892aa02

SHA1
ee79a60ddf9f578404e697564e694fe5d09706d9

SHA256
a2385d07f033b36d08d4ceb976820d2db8ca7b29339cb72ff3f74a4a90806c54

SHA512
985c3a3c404c590403cd0c46f88b912bb9d4994ae0f7c921176a1b3180d8f96e3be86f74e1cc672a6598fc6ccbbce6ece5e8567635f594f173bce8f968cf56f9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
Filesize
9KB

MD5
9ead10c08e72ae41921191f8db39bc16

SHA1
abe3bce01cd34afc88e2c838173f8c2bd0090ae1

SHA256
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

SHA512
aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
Filesize
9KB

MD5
9ead10c08e72ae41921191f8db39bc16

SHA1
abe3bce01cd34afc88e2c838173f8c2bd0090ae1

SHA256
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

SHA512
aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

Download Submit
\ProgramData\mozglue.dll
Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
\ProgramData\nss3.dll
Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
\Users\Admin\AppData\Local\Temp\D5E4.dll
Filesize
2.4MB

MD5
0b2be34be0e0b244ec3d5d88512dd881

SHA1
4eae839ef8307766a57b0d1ccef3748000bc3612

SHA256
650c166ed7a20cd2d68cf96725625063c413f4b9028f63a975d6a62e0beaa8db

SHA512
89cf6a7c8391144daeafd79c8894567ef980ee4ca99d09f3b2e49150dbc6455aadcd94fd8a2abf1c8fe2c893fa30f1a126230ea3ac06e214d50105c19a708e63

Download Submit
\Users\Admin\AppData\Local\Temp\D5E4.dll
Filesize
2.4MB

MD5
0b2be34be0e0b244ec3d5d88512dd881

SHA1
4eae839ef8307766a57b0d1ccef3748000bc3612

SHA256
650c166ed7a20cd2d68cf96725625063c413f4b9028f63a975d6a62e0beaa8db

SHA512
89cf6a7c8391144daeafd79c8894567ef980ee4ca99d09f3b2e49150dbc6455aadcd94fd8a2abf1c8fe2c893fa30f1a126230ea3ac06e214d50105c19a708e63

Download Submit
\Users\Admin\AppData\Local\Temp\Hefurhy.dll
Filesize
4.3MB

MD5
8fd994a3c894cd76f088dfb89244b2f2

SHA1
1e48479da1f1166acfc377bb98c53c4c2de9a504

SHA256
7686f7ecee5b77bc14c79bbd052641cf256d47796a7a2a6b66a9fa2c61eb60b7

SHA512
2177a89fb8f3c451579829f1d75c613e5e59201b4104eeb8fdb9a208ae33cf7d0a9efb393f50e4c54d26229c14848290f5a42b4bb0b07a0b395d9bf82690f148

Download Submit
\Users\Admin\AppData\Local\Temp\Hefurhy.dll
Filesize
4.3MB

MD5
8fd994a3c894cd76f088dfb89244b2f2

SHA1
1e48479da1f1166acfc377bb98c53c4c2de9a504

SHA256
7686f7ecee5b77bc14c79bbd052641cf256d47796a7a2a6b66a9fa2c61eb60b7

SHA512
2177a89fb8f3c451579829f1d75c613e5e59201b4104eeb8fdb9a208ae33cf7d0a9efb393f50e4c54d26229c14848290f5a42b4bb0b07a0b395d9bf82690f148

Download Submit
\Users\Admin\AppData\Local\Temp\_1lEGh3.c
Filesize
2.1MB

MD5
d292463230412cdabcb148c43eddc64b

SHA1
c44d73fb177296b62b9717ce70dd1b42e7cb67eb

SHA256
b1edb2e21bbe119152debc401cc4c692488125a81d95ec1ba76b3eccde696c15

SHA512
700e4153bef9d0055ae8aff4d0f18f38bf3b3d8dd9424234e605b72a122185bf92cbf4c6c21bf9e13f0c90b50687f44f99340e8b59e7fff391ac3e7e18741346

Download Submit
\Users\Admin\AppData\Local\Temp\advapi32.dll
Filesize
422KB

MD5
6a88864e46a99fc80ed605a8674aea68

SHA1
5290388ef67f658c31f5a99f4bbd9ca557bc3ab7

SHA256
f292fb7fefcd5c7815955ea5a691fd91160884e2a79ebe3ff6458fe7fea79448

SHA512
c2cd9b9bbbe7661e9ec7c235f1dde9976ee79c02a5fd049b043b4a048e05692d16b53dd1206537a192199d829a4e4622758edb12ac46c14475edeea897fccdc5

Download Submit
memory/224-2306-0x0000000000000000-mapping.dmp

Download
memory/388-1824-0x0000000000000000-mapping.dmp

Download
memory/1200-340-0x0000000000980000-0x0000000000ACA000-memory.dmp

Filesize
1.3MB

Download
memory/1200-351-0x0000000000400000-0x000000000084C000-memory.dmp

Filesize
4.3MB

Download
memory/1200-536-0x0000000000400000-0x000000000084C000-memory.dmp

Filesize
4.3MB

Download
memory/1200-335-0x0000000000980000-0x0000000000ACA000-memory.dmp

Filesize
1.3MB

Download
memory/1200-219-0x0000000000000000-mapping.dmp

Download
memory/1276-2711-0x0000000000000000-mapping.dmp

Download
memory/1612-2377-0x0000000000000000-mapping.dmp

Download
memory/1652-2786-0x0000000000000000-mapping.dmp

Download
memory/1652-2356-0x0000000000000000-mapping.dmp

Download
memory/1784-1466-0x0000000000650000-0x000000000079A000-memory.dmp

Filesize
1.3MB

Download
memory/1784-1419-0x0000000000000000-mapping.dmp

Download
memory/1784-1492-0x00000000054C0000-0x000000000550B000-memory.dmp

Filesize
300KB

Download
memory/1784-1472-0x00000000026D0000-0x000000000270C000-memory.dmp

Filesize
240KB

Download
memory/1784-1469-0x0000000000400000-0x00000000005A8000-memory.dmp

Filesize
1.7MB

Download
memory/1784-1463-0x0000000002520000-0x000000000255E000-memory.dmp

Filesize
248KB

Download
memory/1784-1467-0x0000000000600000-0x000000000063E000-memory.dmp

Filesize
248KB

Download
memory/1808-1577-0x0000000000000000-mapping.dmp

Download
memory/2200-2793-0x0000000000BE8EA0-mapping.dmp

Download
memory/2216-1771-0x0000000000000000-mapping.dmp

Download
memory/2228-2327-0x0000000000000000-mapping.dmp

Download
memory/2304-245-0x0000000000000000-mapping.dmp

Download
memory/2304-384-0x0000000000850000-0x00000000008FE000-memory.dmp

Filesize
696KB

Download
memory/2304-389-0x00000000009A0000-0x00000000009A9000-memory.dmp

Filesize
36KB

Download
memory/2304-394-0x0000000000400000-0x000000000084E000-memory.dmp

Filesize
4.3MB

Download
memory/2304-760-0x0000000000400000-0x000000000084E000-memory.dmp

Filesize
4.3MB

Download
memory/2304-716-0x0000000000850000-0x00000000008FE000-memory.dmp

Filesize
696KB

Download
memory/2368-2361-0x0000000000000000-mapping.dmp

Download
memory/2368-2592-0x0000000000000000-mapping.dmp

Download
memory/2508-2326-0x0000000000000000-mapping.dmp

Download
memory/2548-188-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2548-190-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2548-298-0x0000000002600000-0x000000000271B000-memory.dmp

Filesize
1.1MB

Download
memory/2548-184-0x0000000000000000-mapping.dmp

Download
memory/2548-294-0x0000000000940000-0x00000000009EE000-memory.dmp

Filesize
696KB

Download
memory/2600-2523-0x0000000000000000-mapping.dmp

Download
memory/2664-119-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-141-0x0000000000400000-0x000000000084D000-memory.dmp

Filesize
4.3MB

Download
memory/2664-148-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-149-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-150-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-146-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-117-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-130-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-118-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-129-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-120-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-121-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-145-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-122-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-144-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-143-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-123-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-124-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-131-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-151-0x0000000000C01000-0x0000000000C17000-memory.dmp

Filesize
88KB

Download
memory/2664-125-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-142-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-126-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-147-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-127-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-140-0x0000000000A30000-0x0000000000A39000-memory.dmp

Filesize
36KB

Download
memory/2664-138-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-139-0x0000000000C01000-0x0000000000C17000-memory.dmp

Filesize
88KB

Download
memory/2664-137-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-132-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-128-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-152-0x0000000000400000-0x000000000084D000-memory.dmp

Filesize
4.3MB

Download
memory/2664-133-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-116-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-136-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-134-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-115-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-135-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2704-1565-0x0000000000DD0000-0x0000000001097000-memory.dmp

Filesize
2.8MB

Download
memory/2704-1584-0x0000000000400000-0x0000000000AFC000-memory.dmp

Filesize
7.0MB

Download
memory/2704-1567-0x0000000002A40000-0x0000000002D41000-memory.dmp

Filesize
3.0MB

Download
memory/2704-1496-0x0000000000000000-mapping.dmp

Download
memory/2704-1570-0x0000000000400000-0x0000000000AFC000-memory.dmp

Filesize
7.0MB

Download
memory/2988-1579-0x0000000002310000-0x0000000002823000-memory.dmp

Filesize
5.1MB

Download
memory/2988-1549-0x0000000000000000-mapping.dmp

Download
memory/3024-350-0x0000000000000000-mapping.dmp

Download
memory/3024-545-0x0000000003270000-0x00000000032E5000-memory.dmp

Filesize
468KB

Download
memory/3024-579-0x0000000003200000-0x000000000326B000-memory.dmp

Filesize
428KB

Download
memory/3024-620-0x0000000003200000-0x000000000326B000-memory.dmp

Filesize
428KB

Download
memory/3132-2261-0x0000000000000000-mapping.dmp

Download
memory/3156-323-0x0000000000000000-mapping.dmp

Download
memory/3156-707-0x0000000000400000-0x0000000000850000-memory.dmp

Filesize
4.3MB

Download
memory/3156-511-0x0000000000950000-0x0000000000A9A000-memory.dmp

Filesize
1.3MB

Download
memory/3156-515-0x0000000000400000-0x0000000000850000-memory.dmp

Filesize
4.3MB

Download
memory/3284-1507-0x0000000000000000-mapping.dmp

Download
memory/3476-2417-0x0000000000000000-mapping.dmp

Download
memory/3480-966-0x0000000000000000-mapping.dmp

Download
memory/3556-466-0x0000000000400000-0x000000000084D000-memory.dmp

Filesize
4.3MB

Download
memory/3556-457-0x0000000000A21000-0x0000000000A37000-memory.dmp

Filesize
88KB

Download
memory/3556-807-0x0000000000A21000-0x0000000000A37000-memory.dmp

Filesize
88KB

Download
memory/3556-287-0x0000000000000000-mapping.dmp

Download
memory/3556-461-0x00000000001E0000-0x00000000001E9000-memory.dmp

Filesize
36KB

Download
memory/3556-810-0x0000000000400000-0x000000000084D000-memory.dmp

Filesize
4.3MB

Download
memory/3564-868-0x0000000000000000-mapping.dmp

Download
memory/3564-1732-0x0000000000000000-mapping.dmp

Download
memory/3568-2376-0x0000000000000000-mapping.dmp

Download
memory/3572-1822-0x0000000000000000-mapping.dmp

Download
memory/3588-675-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3588-507-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3588-310-0x0000000000424141-mapping.dmp

Download
memory/3640-1963-0x0000000000000000-mapping.dmp

Download
memory/3640-718-0x0000000000A20000-0x0000000000B6A000-memory.dmp

Filesize
1.3MB

Download
memory/3640-673-0x0000000000000000-mapping.dmp

Download
memory/3684-178-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/3684-189-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/3684-176-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/3684-177-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/3684-153-0x0000000000000000-mapping.dmp

Download
memory/3684-155-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/3684-179-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/3684-180-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/3684-181-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/3684-173-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/3684-156-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/3684-157-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/3684-158-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/3684-174-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/3684-159-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/3684-166-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/3684-172-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/3684-186-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/3684-182-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/3684-171-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/3684-160-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/3684-170-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/3684-161-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/3684-163-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/3684-169-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/3684-164-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/3684-168-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/3684-165-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/3684-167-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/3880-834-0x0000000000000000-mapping.dmp

Download
memory/3880-923-0x00000000005B0000-0x000000000065E000-memory.dmp

Filesize
696KB

Download
memory/3880-927-0x00000000021C0000-0x000000000220C000-memory.dmp

Filesize
304KB

Download
memory/3892-2868-0x00007FF6E6985FD0-mapping.dmp

Download
memory/3988-1692-0x0000000000000000-mapping.dmp

Download
memory/4256-2200-0x0000000000000000-mapping.dmp

Download
memory/4336-2664-0x0000000000000000-mapping.dmp

Download
memory/4344-729-0x0000000000424141-mapping.dmp

Download
memory/4344-1245-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4344-805-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4424-2278-0x0000000000000000-mapping.dmp

Download
memory/4456-1384-0x0000000000000000-mapping.dmp

Download
memory/4556-377-0x0000000000000000-mapping.dmp

Download
memory/4556-756-0x00000000007B0000-0x00000000007BC000-memory.dmp

Filesize
48KB

Download
memory/4556-397-0x00000000007B0000-0x00000000007BC000-memory.dmp

Filesize
48KB

Download
memory/4560-2974-0x0000000000000000-mapping.dmp

Download
memory/4628-1391-0x0000000000000000-mapping.dmp

Download
memory/4688-175-0x0000000000000000-mapping.dmp

Download
memory/4704-632-0x0000000000000000-mapping.dmp

Download
memory/4736-1612-0x0000000000000000-mapping.dmp

Download
memory/4752-2207-0x0000000000000000-mapping.dmp

Download
memory/4792-1874-0x0000000000000000-mapping.dmp

Download
memory/4804-1572-0x0000000000000000-mapping.dmp

Download
memory/4816-2384-0x0000000000000000-mapping.dmp

Download
memory/4908-696-0x0000000009A50000-0x0000000009A9B000-memory.dmp

Filesize
300KB

Download
memory/4908-648-0x0000000007240000-0x0000000007246000-memory.dmp

Filesize
24KB

Download
memory/4908-1250-0x000000000B3F0000-0x000000000B5B2000-memory.dmp

Filesize
1.8MB

Download
memory/4908-860-0x000000000AEF0000-0x000000000B3EE000-memory.dmp

Filesize
5.0MB

Download
memory/4908-857-0x000000000A950000-0x000000000A9E2000-memory.dmp

Filesize
584KB

Download
memory/4908-1251-0x000000000C0D0000-0x000000000C5FC000-memory.dmp

Filesize
5.2MB

Download
memory/4908-821-0x0000000009BF0000-0x0000000009C56000-memory.dmp

Filesize
408KB

Download
memory/4908-577-0x000000000045ADEE-mapping.dmp

Download
memory/4908-627-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/4908-2892-0x0000000000000000-mapping.dmp

Download
memory/4908-689-0x0000000009E30000-0x000000000A436000-memory.dmp

Filesize
6.0MB

Download
memory/4908-690-0x0000000009940000-0x0000000009A4A000-memory.dmp

Filesize
1.0MB

Download
memory/4908-692-0x0000000009870000-0x0000000009882000-memory.dmp

Filesize
72KB

Download
memory/4908-694-0x00000000098D0000-0x000000000990E000-memory.dmp

Filesize
248KB

Download
memory/4944-185-0x0000000000000000-mapping.dmp

Download
memory/4944-561-0x00000000048B0000-0x0000000004A02000-memory.dmp

Filesize
1.3MB

Download
memory/4944-345-0x00000000048B0000-0x0000000004A02000-memory.dmp

Filesize
1.3MB

Download
memory/4944-328-0x0000000004590000-0x0000000004759000-memory.dmp

Filesize
1.8MB

Download
memory/4944-191-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/4960-1645-0x0000000000000000-mapping.dmp

Download
memory/5016-1918-0x0000000000000000-mapping.dmp

Download
memory/5076-978-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/5076-924-0x000000000042406C-mapping.dmp

Download
memory/5076-1386-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/5108-2973-0x0000000000000000-mapping.dmp

Download