asyncrat | f57da923e5b75ea46065584301fe67aa5f37998630447b53242050397ee93a8f

Analysis

max time kernel
151s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
25/11/2022, 08:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f57da923e5b75ea46065584301fe67aa5f37998630447b53242050397ee93a8f.exe
Size

2.1MB
MD5

eeba4724f521e42ff8a0e784f6a1cb24
SHA1

6970e09618deea73835519ac8134346f57d38e86
SHA256

f57da923e5b75ea46065584301fe67aa5f37998630447b53242050397ee93a8f
SHA512

5a405cc970b5a3d8896fe68bb73bd7288ec632f593db839b2969e070a3bef76ae0c29e4a5b170e3bef441a77a72d64c1250b2fb90c40604bd50fefa48dd5e172
SSDEEP

49152:rPFyoneU8xiPI9yJqw8Ncgz7jo9+OxycuVckvry:rFyonUxi7YwQI+eQ

Score

10^/10

asyncrat blacknet nanocore njrat remcos bot client default host evasion keylogger persistence rat spyware stealer trojan vmprotect

Malware Config

Extracted

Family

njrat

Version

0.7.3

Botnet

Client

dontreachme3.ddns.net:3604

Mutex

EdgeBrowser.exe

Attributes

reg_key
EdgeBrowser.exe
splitter
123

Extracted

Family

nanocore

Version

1.2.2.0

dontreachme3.ddns.net:3603

dontreachme1.ddns.net:3603

Mutex

19a5c2b0-5593-40da-9945-6c6b53e85d75

Attributes

activate_away_mode
false
backup_connection_host
dontreachme1.ddns.net
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2020-11-15T15:45:18.745530536Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
false
clear_zone_identifier
false
connect_delay
4000
connection_port
3603
default_group
Default
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
19a5c2b0-5593-40da-9945-6c6b53e85d75
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
dontreachme3.ddns.net
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
true
set_critical_process
false
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Extracted

Family

blacknet

Version

v3.7.0 Public

Botnet

Bot

https://furyx.de/panel

Mutex

BN[e5decf896675e5ecc7bbef8ebff8a786]

Attributes

antivm
false
elevate_uac
false
install_name
WindowsUpdate.exe
splitter
|BN|
start_name
50651597687556f33b7fc75d90350b99
startup
false
usb_spread
true

aes.plain

Extracted

Family

remcos

Version

1.7 Pro

Botnet

Host

dontreachme3.ddns.net:3605

dontreachme1.ddns.net:3605

Attributes

audio_folder
audio
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
5
copy_file
explorer.exe
copy_folder
explorer
delete_file
true
hide_file
true
hide_keylog_file
true
install_flag
true
install_path
%SystemDrive%
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
RuntimeBroker
keylog_path
%AppData%
mouse_option
true
mutex
remcos_ekuntpjjaa
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screens
screenshot_path
%AppData%
screenshot_time
1
startup_value
RuntimeBroker
take_screenshot_option
false
take_screenshot_time
5

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

dontreachme3.ddns.net:3601

dontreachme1.ddns.net:3601

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_file
EpicGames.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat
BlackNET
BlackNET is an open source remote access tool written in VB.NET.
trojan blacknet

BlackNET payload 1 IoCs

resource	yara_rule
behavioral2/memory/6820-247-0x0000000000400000-0x000000000041E000-memory.dmp	family_blacknet

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral2/memory/6820-247-0x0000000000400000-0x000000000041E000-memory.dmp	disable_win_def

Modifies WinLogon for persistence 2 TTPs 11 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Users\\Admin\\Documents\\EdgeExplorer.exe\""	EdgeExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Users\\Admin\\Documents\\NortonInstaller.exe\""	NortonInstaller.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\explorer\\explorer.exe\""	WindowsExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\explorer\\explorer.exe\""	WindowsExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Users\\Admin\\EdgeBrowser.exe\""	EdgeBrowser.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Users\\Admin\\Documents\\WinExplorer.exe\""	WinExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Users\\Admin\\Documents\\EpicGames Service.exe\""	EpicGames Service.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Users\\Admin\\Documents\\Firefoxinstaller.exe\""	Firefoxinstaller.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\explorer\\explorer.exe\""	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\explorer\\explorer.exe\""	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Users\\Admin\\EdgeBrowser.exe\""	EdgeBrowser.exe

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	EpicGames Service.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	EpicGames Service.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	EpicGames Service.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	EpicGames Service.exe

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Turns off Windows Defender SpyNet reporting 2 TTPs
evasion

Disabling Security Tools
T1089

Modify Registry
T1112

UAC bypass 3 TTPs 3 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WD+UAC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Windows security bypass 2 TTPs 13 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths	Firefoxinstaller.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EpicGames Service.exe = "0"	EpicGames Service.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinExplorer.exe = "0"	WinExplorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NortonInstaller.exe = "0"	NortonInstaller.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\Documents\EpicGames Service.exe = "0"	EpicGames Service.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\Documents\EdgeExplorer.exe = "0"	EdgeExplorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\Documents\NortonInstaller.exe = "0"	NortonInstaller.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Firefoxinstaller.exe = "0"	Firefoxinstaller.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EdgeExplorer.exe = "0"	EdgeExplorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\Documents\WinExplorer.exe = "0"	WinExplorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\Documents\Firefoxinstaller.exe = "0"	Firefoxinstaller.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EdgeBrowser.exe = "0"	EdgeBrowser.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\EdgeBrowser.exe = "0"	EdgeBrowser.exe

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral2/memory/6268-219-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WindowsExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\RuntimeBroker = "\"C:\\explorer\\explorer.exe\""	WindowsExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\RuntimeBroker = "\"C:\\explorer\\explorer.exe\""	explorer.exe

Executes dropped EXE 22 IoCs

pid	Process
4904	Email Checker Pro.exe
2432	Firefoxinstaller.exe
5044	NortonInstaller.exe
3056	WinExplorer.exe
2636	EdgeExplorer.exe
2588	EpicGames Service.exe
4248	WD+UAC.exe
1464	Kruppelcr.exe
6256	EdgeExplorer.exe
6288	WinExplorer.exe
6296	Firefoxinstaller.exe
6268	EpicGames Service.exe
6384	Firefoxinstaller.exe
6316	NortonInstaller.exe
6464	Firefoxinstaller.exe
6820	Firefoxinstaller.exe
7072	WindowsExplorer.exe
1952	EdgeBrowser.exe
4584	EdgeBrowser.exe
6776	explorer.exe
5376	EdgeBrowser.exe
7124	EdgeBrowser.exe

VMProtect packed file 2 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral2/files/0x0006000000022e09-136.dat	vmprotect
behavioral2/files/0x0006000000022e09-137.dat	vmprotect

Checks computer location settings 2 TTPs 12 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	EdgeBrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	EdgeBrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	f57da923e5b75ea46065584301fe67aa5f37998630447b53242050397ee93a8f.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	WinExplorer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	WinExplorer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	EdgeExplorer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	WindowsExplorer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	EdgeExplorer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	Firefoxinstaller.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	EpicGames Service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	Firefoxinstaller.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	NortonInstaller.exe

Drops startup file 12 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EdgeExplorer.exe	EdgeExplorer.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinExplorer.exe	WinExplorer.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EdgeExplorer.exe	EdgeExplorer.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EdgeBrowser.exe	EdgeBrowser.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Firefoxinstaller.exe	Firefoxinstaller.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Firefoxinstaller.exe	Firefoxinstaller.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EpicGames Service.exe	EpicGames Service.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EpicGames Service.exe	EpicGames Service.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EdgeBrowser.exe	EdgeBrowser.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NortonInstaller.exe	NortonInstaller.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NortonInstaller.exe	NortonInstaller.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinExplorer.exe	WinExplorer.exe

Windows security modification 2 TTPs 21 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "0"	EpicGames Service.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	EpicGames Service.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions	Firefoxinstaller.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EdgeExplorer.exe = "0"	EdgeExplorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\Documents\Firefoxinstaller.exe = "0"	Firefoxinstaller.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\Documents\EpicGames Service.exe = "0"	EpicGames Service.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection	EpicGames Service.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet	EpicGames Service.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0"	EpicGames Service.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths	Firefoxinstaller.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EpicGames Service.exe = "0"	EpicGames Service.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\Documents\WinExplorer.exe = "0"	WinExplorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	EpicGames Service.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\EdgeBrowser.exe = "0"	EdgeBrowser.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NortonInstaller.exe = "0"	NortonInstaller.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\Documents\NortonInstaller.exe = "0"	NortonInstaller.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	EpicGames Service.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EdgeBrowser.exe = "0"	EdgeBrowser.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Firefoxinstaller.exe = "0"	Firefoxinstaller.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinExplorer.exe = "0"	WinExplorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\Documents\EdgeExplorer.exe = "0"	EdgeExplorer.exe

Adds Run key to start application 2 TTPs 23 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\<Unknown> = "C:\\Users\\Admin\\Documents\\EpicGames Service.exe"	EpicGames Service.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NortonInstaller.exe = "C:\\Users\\Admin\\Documents\\NortonInstaller.exe"	NortonInstaller.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\<Unknown> = "C:\\Users\\Admin\\Documents\\NortonInstaller.exe"	NortonInstaller.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Firefoxinstaller.exe = "C:\\Users\\Admin\\Documents\\Firefoxinstaller.exe"	Firefoxinstaller.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run\	WindowsExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\explorer\\explorer.exe\""	WindowsExplorer.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\<Unknown> = "C:\\Users\\Admin\\Documents\\WinExplorer.exe"	WinExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WinExplorer.exe = "C:\\Users\\Admin\\Documents\\WinExplorer.exe"	WinExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EpicGames Service.exe = "C:\\Users\\Admin\\Documents\\EpicGames Service.exe"	EpicGames Service.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EdgeExplorer.exe = "C:\\Users\\Admin\\Documents\\EdgeExplorer.exe"	EdgeExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\<Unknown> = "C:\\Users\\Admin\\EdgeBrowser.exe"	EdgeBrowser.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run\	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\explorer\\explorer.exe\""	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\explorer\\explorer.exe\""	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\<Unknown> = "C:\\Users\\Admin\\Documents\\Firefoxinstaller.exe"	Firefoxinstaller.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\<Unknown> = "C:\\Users\\Admin\\Documents\\EdgeExplorer.exe"	EdgeExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Firefox.exeI nstaller\\Firefox.exe"	Firefoxinstaller.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\	WindowsExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\explorer\\explorer.exe\""	WindowsExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EdgeBrowser.exe = "C:\\Users\\Admin\\EdgeBrowser.exe"	EdgeBrowser.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\<Unknown> = "C:\\Users\\Admin\\EdgeBrowser.exe"	EdgeBrowser.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EdgeBrowser.exe = "C:\\Users\\Admin\\EdgeBrowser.exe"	EdgeBrowser.exe

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WD+UAC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WD+UAC.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	NortonInstaller.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	explorer.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	WindowsExplorer.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs

pid	Process
2636	EdgeExplorer.exe
2636	EdgeExplorer.exe
2636	EdgeExplorer.exe
2636	EdgeExplorer.exe
2636	EdgeExplorer.exe
2636	EdgeExplorer.exe
2636	EdgeExplorer.exe
2636	EdgeExplorer.exe
2636	EdgeExplorer.exe
2636	EdgeExplorer.exe
2636	EdgeExplorer.exe
2636	EdgeExplorer.exe
2636	EdgeExplorer.exe
2636	EdgeExplorer.exe
5044	NortonInstaller.exe
5044	NortonInstaller.exe
5044	NortonInstaller.exe
5044	NortonInstaller.exe
5044	NortonInstaller.exe
5044	NortonInstaller.exe
5044	NortonInstaller.exe
5044	NortonInstaller.exe
5044	NortonInstaller.exe
5044	NortonInstaller.exe
5044	NortonInstaller.exe
5044	NortonInstaller.exe
5044	NortonInstaller.exe
5044	NortonInstaller.exe
2432	Firefoxinstaller.exe
2432	Firefoxinstaller.exe
2432	Firefoxinstaller.exe
2432	Firefoxinstaller.exe
2432	Firefoxinstaller.exe
2432	Firefoxinstaller.exe
2432	Firefoxinstaller.exe
2432	Firefoxinstaller.exe
2432	Firefoxinstaller.exe
2432	Firefoxinstaller.exe
2432	Firefoxinstaller.exe
2432	Firefoxinstaller.exe
2432	Firefoxinstaller.exe
2432	Firefoxinstaller.exe
2432	Firefoxinstaller.exe
3056	WinExplorer.exe
3056	WinExplorer.exe
3056	WinExplorer.exe
3056	WinExplorer.exe
3056	WinExplorer.exe
3056	WinExplorer.exe
3056	WinExplorer.exe
3056	WinExplorer.exe
3056	WinExplorer.exe
3056	WinExplorer.exe
3056	WinExplorer.exe
3056	WinExplorer.exe
3056	WinExplorer.exe
3056	WinExplorer.exe
2588	EpicGames Service.exe
2588	EpicGames Service.exe
2588	EpicGames Service.exe
2588	EpicGames Service.exe
2588	EpicGames Service.exe
2588	EpicGames Service.exe
2588	EpicGames Service.exe

Suspicious use of SetThreadContext 8 IoCs

description	pid	Process	procid_target
PID 2636 set thread context of 6256	2636	EdgeExplorer.exe	151
PID 3056 set thread context of 6288	3056	WinExplorer.exe	155
PID 2588 set thread context of 6268	2588	EpicGames Service.exe	153
PID 5044 set thread context of 6316	5044	NortonInstaller.exe	154
PID 2432 set thread context of 6464	2432	Firefoxinstaller.exe	158
PID 6464 set thread context of 6820	6464	Firefoxinstaller.exe	162
PID 1952 set thread context of 4584	1952	EdgeBrowser.exe	195
PID 5376 set thread context of 7124	5376	EdgeBrowser.exe	225

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 7 IoCs

pid	pid_target	Process	procid_target
4820	4248	WerFault.exe	89
6648	2636	WerFault.exe	86
6712	3056	WerFault.exe	85
6912	2588	WerFault.exe	87
6960	5044	WerFault.exe	84
828	1952	WerFault.exe	183
4776	5376	WerFault.exe	213

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe

Creates scheduled task(s) 1 TTPs 5 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
5788	schtasks.exe
6852	schtasks.exe
6324	schtasks.exe
6648	schtasks.exe
3248	schtasks.exe

Delays execution with timeout.exe 7 IoCs

evasion

pid	Process
5480	timeout.exe
6184	timeout.exe
5888	timeout.exe
6052	timeout.exe
3876	timeout.exe
4312	timeout.exe
5156	timeout.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

pid	Process
6396	reg.exe
7028	reg.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
6956	PING.EXE
2136	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
336	f57da923e5b75ea46065584301fe67aa5f37998630447b53242050397ee93a8f.exe
336	f57da923e5b75ea46065584301fe67aa5f37998630447b53242050397ee93a8f.exe
336	f57da923e5b75ea46065584301fe67aa5f37998630447b53242050397ee93a8f.exe
2100	powershell.exe
2100	powershell.exe
532	powershell.exe
532	powershell.exe
3356	powershell.exe
3356	powershell.exe
4252	powershell.exe
4252	powershell.exe
2536	powershell.exe
2536	powershell.exe
4644	powershell.exe
4644	powershell.exe
4076	powershell.exe
4076	powershell.exe
4156	powershell.exe
4156	powershell.exe
4212	powershell.exe
4212	powershell.exe
976	powershell.exe
976	powershell.exe
2968	powershell.exe
2968	powershell.exe
1252	powershell.exe
1252	powershell.exe
1956	powershell.exe
1956	powershell.exe
3196	powershell.exe
3196	powershell.exe
2908	powershell.exe
2908	powershell.exe
1424	powershell.exe
1424	powershell.exe
3988	powershell.exe
3988	powershell.exe
4040	powershell.exe
4040	powershell.exe
1120	powershell.exe
1120	powershell.exe
2520	powershell.exe
2520	powershell.exe
532	powershell.exe
532	powershell.exe
4252	powershell.exe
4252	powershell.exe
2100	powershell.exe
2100	powershell.exe
4212	powershell.exe
4212	powershell.exe
2536	powershell.exe
2536	powershell.exe
4644	powershell.exe
4644	powershell.exe
3196	powershell.exe
3196	powershell.exe
4156	powershell.exe
4156	powershell.exe
3356	powershell.exe
3356	powershell.exe
1956	powershell.exe
1956	powershell.exe
4076	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
6316	NortonInstaller.exe

Suspicious use of AdjustPrivilegeToken 58 IoCs

description	pid	Process
Token: SeDebugPrivilege	336	f57da923e5b75ea46065584301fe67aa5f37998630447b53242050397ee93a8f.exe
Token: SeDebugPrivilege	1464	Kruppelcr.exe
Token: SeDebugPrivilege	3056	WinExplorer.exe
Token: SeDebugPrivilege	2588	EpicGames Service.exe
Token: SeDebugPrivilege	2432	Firefoxinstaller.exe
Token: SeDebugPrivilege	2636	EdgeExplorer.exe
Token: SeDebugPrivilege	5044	NortonInstaller.exe
Token: SeDebugPrivilege	2100	powershell.exe
Token: SeDebugPrivilege	532	powershell.exe
Token: SeDebugPrivilege	4252	powershell.exe
Token: SeDebugPrivilege	3196	powershell.exe
Token: SeDebugPrivilege	3356	powershell.exe
Token: SeDebugPrivilege	2536	powershell.exe
Token: SeDebugPrivilege	4644	powershell.exe
Token: SeDebugPrivilege	4076	powershell.exe
Token: SeDebugPrivilege	4156	powershell.exe
Token: SeDebugPrivilege	4212	powershell.exe
Token: SeDebugPrivilege	976	powershell.exe
Token: SeDebugPrivilege	2968	powershell.exe
Token: SeDebugPrivilege	1252	powershell.exe
Token: SeDebugPrivilege	1956	powershell.exe
Token: SeDebugPrivilege	2908	powershell.exe
Token: SeDebugPrivilege	1424	powershell.exe
Token: SeDebugPrivilege	3988	powershell.exe
Token: SeDebugPrivilege	4040	powershell.exe
Token: SeDebugPrivilege	1120	powershell.exe
Token: SeDebugPrivilege	2520	powershell.exe
Token: SeBackupPrivilege	5644	dw20.exe
Token: SeBackupPrivilege	5644	dw20.exe
Token: SeDebugPrivilege	6288	WinExplorer.exe
Token: SeDebugPrivilege	6316	NortonInstaller.exe
Token: SeDebugPrivilege	6316	NortonInstaller.exe
Token: SeDebugPrivilege	6268	EpicGames Service.exe
Token: SeDebugPrivilege	6268	EpicGames Service.exe
Token: SeDebugPrivilege	6812	powershell.exe
Token: SeDebugPrivilege	1952	EdgeBrowser.exe
Token: SeDebugPrivilege	6676	powershell.exe
Token: SeDebugPrivilege	7136	powershell.exe
Token: SeDebugPrivilege	7152	powershell.exe
Token: SeDebugPrivilege	6820	Firefoxinstaller.exe
Token: SeDebugPrivilege	4584	EdgeBrowser.exe
Token: 33	4584	EdgeBrowser.exe
Token: SeIncBasePriorityPrivilege	4584	EdgeBrowser.exe
Token: SeDebugPrivilege	5376	EdgeBrowser.exe
Token: SeDebugPrivilege	2468	powershell.exe
Token: SeDebugPrivilege	7024	powershell.exe
Token: SeDebugPrivilege	2752	powershell.exe
Token: SeDebugPrivilege	5788	powershell.exe
Token: 33	4584	EdgeBrowser.exe
Token: SeIncBasePriorityPrivilege	4584	EdgeBrowser.exe
Token: 33	4584	EdgeBrowser.exe
Token: SeIncBasePriorityPrivilege	4584	EdgeBrowser.exe
Token: 33	4584	EdgeBrowser.exe
Token: SeIncBasePriorityPrivilege	4584	EdgeBrowser.exe
Token: 33	4584	EdgeBrowser.exe
Token: SeIncBasePriorityPrivilege	4584	EdgeBrowser.exe
Token: 33	4584	EdgeBrowser.exe
Token: SeIncBasePriorityPrivilege	4584	EdgeBrowser.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
6820	Firefoxinstaller.exe
6820	Firefoxinstaller.exe
6776	explorer.exe
6820	Firefoxinstaller.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 336 wrote to memory of 4904	336	f57da923e5b75ea46065584301fe67aa5f37998630447b53242050397ee93a8f.exe	82
PID 336 wrote to memory of 4904	336	f57da923e5b75ea46065584301fe67aa5f37998630447b53242050397ee93a8f.exe	82
PID 336 wrote to memory of 2432	336	f57da923e5b75ea46065584301fe67aa5f37998630447b53242050397ee93a8f.exe	83
PID 336 wrote to memory of 2432	336	f57da923e5b75ea46065584301fe67aa5f37998630447b53242050397ee93a8f.exe	83
PID 336 wrote to memory of 2432	336	f57da923e5b75ea46065584301fe67aa5f37998630447b53242050397ee93a8f.exe	83
PID 336 wrote to memory of 5044	336	f57da923e5b75ea46065584301fe67aa5f37998630447b53242050397ee93a8f.exe	84
PID 336 wrote to memory of 5044	336	f57da923e5b75ea46065584301fe67aa5f37998630447b53242050397ee93a8f.exe	84
PID 336 wrote to memory of 5044	336	f57da923e5b75ea46065584301fe67aa5f37998630447b53242050397ee93a8f.exe	84
PID 336 wrote to memory of 3056	336	f57da923e5b75ea46065584301fe67aa5f37998630447b53242050397ee93a8f.exe	85
PID 336 wrote to memory of 3056	336	f57da923e5b75ea46065584301fe67aa5f37998630447b53242050397ee93a8f.exe	85
PID 336 wrote to memory of 3056	336	f57da923e5b75ea46065584301fe67aa5f37998630447b53242050397ee93a8f.exe	85
PID 336 wrote to memory of 2636	336	f57da923e5b75ea46065584301fe67aa5f37998630447b53242050397ee93a8f.exe	86
PID 336 wrote to memory of 2636	336	f57da923e5b75ea46065584301fe67aa5f37998630447b53242050397ee93a8f.exe	86
PID 336 wrote to memory of 2636	336	f57da923e5b75ea46065584301fe67aa5f37998630447b53242050397ee93a8f.exe	86
PID 336 wrote to memory of 2588	336	f57da923e5b75ea46065584301fe67aa5f37998630447b53242050397ee93a8f.exe	87
PID 336 wrote to memory of 2588	336	f57da923e5b75ea46065584301fe67aa5f37998630447b53242050397ee93a8f.exe	87
PID 336 wrote to memory of 2588	336	f57da923e5b75ea46065584301fe67aa5f37998630447b53242050397ee93a8f.exe	87
PID 336 wrote to memory of 4248	336	f57da923e5b75ea46065584301fe67aa5f37998630447b53242050397ee93a8f.exe	89
PID 336 wrote to memory of 4248	336	f57da923e5b75ea46065584301fe67aa5f37998630447b53242050397ee93a8f.exe	89
PID 336 wrote to memory of 4248	336	f57da923e5b75ea46065584301fe67aa5f37998630447b53242050397ee93a8f.exe	89
PID 336 wrote to memory of 1464	336	f57da923e5b75ea46065584301fe67aa5f37998630447b53242050397ee93a8f.exe	88
PID 336 wrote to memory of 1464	336	f57da923e5b75ea46065584301fe67aa5f37998630447b53242050397ee93a8f.exe	88
PID 336 wrote to memory of 1464	336	f57da923e5b75ea46065584301fe67aa5f37998630447b53242050397ee93a8f.exe	88
PID 2432 wrote to memory of 4156	2432	Firefoxinstaller.exe	96
PID 2432 wrote to memory of 4156	2432	Firefoxinstaller.exe	96
PID 2432 wrote to memory of 4156	2432	Firefoxinstaller.exe	96
PID 5044 wrote to memory of 532	5044	NortonInstaller.exe	95
PID 5044 wrote to memory of 532	5044	NortonInstaller.exe	95
PID 5044 wrote to memory of 532	5044	NortonInstaller.exe	95
PID 2636 wrote to memory of 4644	2636	EdgeExplorer.exe	94
PID 2636 wrote to memory of 4644	2636	EdgeExplorer.exe	94
PID 2636 wrote to memory of 4644	2636	EdgeExplorer.exe	94
PID 3056 wrote to memory of 4252	3056	WinExplorer.exe	93
PID 3056 wrote to memory of 4252	3056	WinExplorer.exe	93
PID 3056 wrote to memory of 4252	3056	WinExplorer.exe	93
PID 2588 wrote to memory of 2100	2588	EpicGames Service.exe	92
PID 2588 wrote to memory of 2100	2588	EpicGames Service.exe	92
PID 2588 wrote to memory of 2100	2588	EpicGames Service.exe	92
PID 3056 wrote to memory of 4076	3056	WinExplorer.exe	103
PID 3056 wrote to memory of 4076	3056	WinExplorer.exe	103
PID 3056 wrote to memory of 4076	3056	WinExplorer.exe	103
PID 2588 wrote to memory of 3356	2588	EpicGames Service.exe	100
PID 2588 wrote to memory of 3356	2588	EpicGames Service.exe	100
PID 2588 wrote to memory of 3356	2588	EpicGames Service.exe	100
PID 2432 wrote to memory of 3196	2432	Firefoxinstaller.exe	102
PID 2432 wrote to memory of 3196	2432	Firefoxinstaller.exe	102
PID 2432 wrote to memory of 3196	2432	Firefoxinstaller.exe	102
PID 2636 wrote to memory of 2536	2636	EdgeExplorer.exe	101
PID 2636 wrote to memory of 2536	2636	EdgeExplorer.exe	101
PID 2636 wrote to memory of 2536	2636	EdgeExplorer.exe	101
PID 5044 wrote to memory of 1424	5044	NortonInstaller.exe	108
PID 5044 wrote to memory of 1424	5044	NortonInstaller.exe	108
PID 5044 wrote to memory of 1424	5044	NortonInstaller.exe	108
PID 3056 wrote to memory of 2908	3056	WinExplorer.exe	111
PID 3056 wrote to memory of 2908	3056	WinExplorer.exe	111
PID 3056 wrote to memory of 2908	3056	WinExplorer.exe	111
PID 2588 wrote to memory of 2968	2588	EpicGames Service.exe	112
PID 2588 wrote to memory of 2968	2588	EpicGames Service.exe	112
PID 2588 wrote to memory of 2968	2588	EpicGames Service.exe	112
PID 2636 wrote to memory of 4212	2636	EdgeExplorer.exe	119
PID 2636 wrote to memory of 4212	2636	EdgeExplorer.exe	119
PID 2636 wrote to memory of 4212	2636	EdgeExplorer.exe	119
PID 2432 wrote to memory of 1252	2432	Firefoxinstaller.exe	114
PID 2432 wrote to memory of 1252	2432	Firefoxinstaller.exe	114

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WD+UAC.exe

C:\Users\Admin\AppData\Local\Temp\f57da923e5b75ea46065584301fe67aa5f37998630447b53242050397ee93a8f.exe
"C:\Users\Admin\AppData\Local\Temp\f57da923e5b75ea46065584301fe67aa5f37998630447b53242050397ee93a8f.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:336
- C:\Users\Admin\AppData\Local\Temp\Email Checker Pro.exe
  "C:\Users\Admin\AppData\Local\Temp\Email Checker Pro.exe"
  2⤵
  - Executes dropped EXE
  PID:4904
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
    dw20.exe -x -s 1480
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious use of AdjustPrivilegeToken
    PID:5644
- C:\Users\Admin\Documents\Firefoxinstaller.exe
  "C:\Users\Admin\Documents\Firefoxinstaller.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Windows security bypass
  - Executes dropped EXE
  - Checks computer location settings
  - Drops startup file
  - Windows security modification
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2432
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Firefoxinstaller.exe" -Force
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4156
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Firefoxinstaller.exe" -Force
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3196
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Firefoxinstaller.exe" -Force
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1252
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Documents\Firefoxinstaller.exe" -Force
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4040
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c timeout 1
    3⤵
    PID:5496
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 1
      4⤵
      Delays execution with timeout.exe
      PID:4312
- - C:\Users\Admin\Documents\Firefoxinstaller.exe
    "C:\Users\Admin\Documents\Firefoxinstaller.exe"
    3⤵
    - Executes dropped EXE
    PID:6296
- - C:\Users\Admin\Documents\Firefoxinstaller.exe
    "C:\Users\Admin\Documents\Firefoxinstaller.exe"
    3⤵
    - Executes dropped EXE
    PID:6384
- - C:\Users\Admin\Documents\Firefoxinstaller.exe
    "C:\Users\Admin\Documents\Firefoxinstaller.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    PID:6464
  - - C:\Users\Admin\Documents\Firefoxinstaller.exe
      "C:\Users\Admin\Documents\Firefoxinstaller.exe"
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:6820
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /delete /tn "WindowsUpdate.exe" /f
        5⤵
        
        PID:5828
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ping 1.1.1.1 -n 5 -w 5000 > Nul & Del "C:\Users\Admin\Documents\Firefoxinstaller.exe"
        5⤵
        
        PID:4312
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 1.1.1.1 -n 5 -w 5000
        6⤵
        Runs ping.exe
        
        PID:2136
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "WindowsUpdate.exe" /sc ONLOGON /tr "C:\Users\Admin\Documents\Firefoxinstaller.exe" /rl HIGHEST /f
        5⤵
        Creates scheduled task(s)
        
        PID:6648
- C:\Users\Admin\Documents\NortonInstaller.exe
  "C:\Users\Admin\Documents\NortonInstaller.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Windows security bypass
  - Executes dropped EXE
  - Checks computer location settings
  - Drops startup file
  - Windows security modification
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5044
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NortonInstaller.exe" -Force
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:532
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NortonInstaller.exe" -Force
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1424
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NortonInstaller.exe" -Force
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1956
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Documents\NortonInstaller.exe" -Force
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1120
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c timeout 1
    3⤵
    PID:5476
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 1
      4⤵
      Delays execution with timeout.exe
      PID:5156
- - C:\Users\Admin\Documents\NortonInstaller.exe
    "C:\Users\Admin\Documents\NortonInstaller.exe"
    3⤵
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:6316
  - - C:\Windows\SysWOW64\schtasks.exe
      "schtasks.exe" /create /f /tn "AGP Monitor" /xml "C:\Users\Admin\AppData\Local\Temp\tmp2BF2.tmp"
      4⤵
      Creates scheduled task(s)
      PID:6852
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5044 -s 1164
    3⤵
    - Program crash
    PID:6960
- C:\Users\Admin\Documents\WinExplorer.exe
  "C:\Users\Admin\Documents\WinExplorer.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Windows security bypass
  - Executes dropped EXE
  - Checks computer location settings
  - Drops startup file
  - Windows security modification
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3056
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinExplorer.exe" -Force
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4252
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinExplorer.exe" -Force
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4076
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinExplorer.exe" -Force
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2908
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Documents\WinExplorer.exe" -Force
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:976
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c timeout 1
    3⤵
    PID:5464
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 1
      4⤵
      Delays execution with timeout.exe
      PID:3876
- - C:\Users\Admin\Documents\WinExplorer.exe
    "C:\Users\Admin\Documents\WinExplorer.exe"
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of AdjustPrivilegeToken
    PID:6288
  - - C:\Users\Admin\Documents\WindowsExplorer.exe
      "C:\Users\Admin\Documents\WindowsExplorer.exe"
      4⤵
      Modifies WinLogon for persistence
      Adds policy Run key to start application
      Executes dropped EXE
      Checks computer location settings
      Adds Run key to start application
      Modifies WinLogon
      PID:7072
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "
        5⤵
        
        PID:5704
      - C:\Windows\SysWOW64\PING.EXE
        
        PING 127.0.0.1 -n 2
        6⤵
        Runs ping.exe
        
        PID:6956
      - C:\explorer\explorer.exe
        
        "C:\explorer\explorer.exe"
        6⤵
        Modifies WinLogon for persistence
        Adds policy Run key to start application
        Executes dropped EXE
        Adds Run key to start application
        Modifies WinLogon
        Suspicious use of SetWindowsHookEx
        
        PID:6776
        
        C:\Windows\SysWOW64\cmd.exe
        
        /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        7⤵
        
        PID:4376
        
        C:\Windows\SysWOW64\reg.exe
        
        C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        8⤵
        UAC bypass
        Modifies registry key
        
        PID:6396
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3056 -s 2316
    3⤵
    - Program crash
    PID:6712
- C:\Users\Admin\Documents\EdgeExplorer.exe
  "C:\Users\Admin\Documents\EdgeExplorer.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Windows security bypass
  - Executes dropped EXE
  - Checks computer location settings
  - Drops startup file
  - Windows security modification
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2636
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EdgeExplorer.exe" -Force
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4644
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EdgeExplorer.exe" -Force
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2536
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EdgeExplorer.exe" -Force
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4212
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Documents\EdgeExplorer.exe" -Force
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2520
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c timeout 1
    3⤵
    PID:5424
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 1
      4⤵
      Delays execution with timeout.exe
      PID:5888
- - C:\Users\Admin\Documents\EdgeExplorer.exe
    "C:\Users\Admin\Documents\EdgeExplorer.exe"
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    PID:6256
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Delete /tn NYAN /F
      4⤵
      PID:5072
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:3876
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /tn NYAN /tr "C:\Users\Admin\Documents\EdgeExplorer.exe" /sc minute /mo 1
      4⤵
      Creates scheduled task(s)
      PID:5788
  - - C:\Users\Admin\EdgeBrowser.exe
      "C:\Users\Admin\EdgeBrowser.exe"
      4⤵
      Modifies WinLogon for persistence
      Windows security bypass
      Executes dropped EXE
      Checks computer location settings
      Drops startup file
      Windows security modification
      Adds Run key to start application
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      PID:1952
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EdgeBrowser.exe" -Force
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:6812
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EdgeBrowser.exe" -Force
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:6676
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EdgeBrowser.exe" -Force
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:7136
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\EdgeBrowser.exe" -Force
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:7152
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c timeout 1
        5⤵
        
        PID:7076
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout 1
        6⤵
        Delays execution with timeout.exe
        
        PID:5480
    - - C:\Users\Admin\EdgeBrowser.exe
        
        "C:\Users\Admin\EdgeBrowser.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4584
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Delete /tn NYAN /F
        6⤵
        
        PID:4776
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn NYAN /tr "C:\Users\Admin\EdgeBrowser.exe" /sc minute /mo 1
        6⤵
        Creates scheduled task(s)
        
        PID:6324
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1952 -s 2264
        5⤵
        Program crash
        
        PID:828
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2636 -s 2336
    3⤵
    - Program crash
    PID:6648
- C:\Users\Admin\Documents\EpicGames Service.exe
  "C:\Users\Admin\Documents\EpicGames Service.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies Windows Defender Real-time Protection settings
  - Windows security bypass
  - Executes dropped EXE
  - Checks computer location settings
  - Drops startup file
  - Windows security modification
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2588
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EpicGames Service.exe" -Force
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2100
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EpicGames Service.exe" -Force
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3356
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EpicGames Service.exe" -Force
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2968
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Documents\EpicGames Service.exe" -Force
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3988
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c timeout 1
    3⤵
    PID:5376
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 1
      4⤵
      Delays execution with timeout.exe
      PID:6052
- - C:\Users\Admin\Documents\EpicGames Service.exe
    "C:\Users\Admin\Documents\EpicGames Service.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:6268
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2588 -s 2288
    3⤵
    - Program crash
    PID:6912
- C:\Users\Admin\Documents\Kruppelcr.exe
  "C:\Users\Admin\Documents\Kruppelcr.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1464
- C:\Users\Admin\Documents\WD+UAC.exe
  "C:\Users\Admin\Documents\WD+UAC.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - System policy modification
  PID:4248
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4248 -s 904
    3⤵
    - Program crash
    PID:4820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4248 -ip 4248
1⤵
PID:1692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 2636 -ip 2636
1⤵
PID:6356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2432 -ip 2432
1⤵
PID:6728

C:\Windows\SysWOW64\cmd.exe
/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
1⤵
PID:2280
- C:\Windows\SysWOW64\reg.exe
  C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
  2⤵
  - UAC bypass
  - Modifies registry key
  PID:7028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1464 -ip 1464
1⤵
PID:6952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 5044 -ip 5044
1⤵
PID:6592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2588 -ip 2588
1⤵
PID:6512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3056 -ip 3056
1⤵
PID:6444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1952 -ip 1952
1⤵
PID:2692

C:\Users\Admin\EdgeBrowser.exe
C:\Users\Admin\EdgeBrowser.exe
1⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:5376
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EdgeBrowser.exe" -Force
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2468
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EdgeBrowser.exe" -Force
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:7024
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EdgeBrowser.exe" -Force
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2752
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\EdgeBrowser.exe" -Force
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5788
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c timeout 1
  2⤵
  PID:5348
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:6184
- C:\Users\Admin\EdgeBrowser.exe
  "C:\Users\Admin\EdgeBrowser.exe"
  2⤵
  - Executes dropped EXE
  PID:7124
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /Delete /tn NYAN /F
    3⤵
    PID:3996
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn NYAN /tr "C:\Users\Admin\EdgeBrowser.exe" /sc minute /mo 1
    3⤵
    - Creates scheduled task(s)
    PID:3248
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5376 -s 1000
  2⤵
  - Program crash
  PID:4776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 5376 -ip 5376
1⤵
PID:7096

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Winlogon Helper DLL

T1004

Privilege Escalation

Bypass User Account Control

T1088

Scheduled Task

T1053

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Web Service

T1102

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
52KB

MD5
ebd8f90406c4820902162e3156b1ecb4

SHA1
f909f010552a1471b7a2417d3a954d92dcf44833

SHA256
414b2bf1e0c76689465539ace0fce226ce6ef8619db64799b2b5c60f78b3cb4b

SHA512
7bfe96a23a31e9d089dbf8e945c9f562aed86377bf22da17f0fd6760d99edb4c85b8cbe5d3eedb31619da90f78382738141b4615a1d6519c0085c6ea5396eb98

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
52KB

MD5
ebd8f90406c4820902162e3156b1ecb4

SHA1
f909f010552a1471b7a2417d3a954d92dcf44833

SHA256
414b2bf1e0c76689465539ace0fce226ce6ef8619db64799b2b5c60f78b3cb4b

SHA512
7bfe96a23a31e9d089dbf8e945c9f562aed86377bf22da17f0fd6760d99edb4c85b8cbe5d3eedb31619da90f78382738141b4615a1d6519c0085c6ea5396eb98

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
52KB

MD5
ebd8f90406c4820902162e3156b1ecb4

SHA1
f909f010552a1471b7a2417d3a954d92dcf44833

SHA256
414b2bf1e0c76689465539ace0fce226ce6ef8619db64799b2b5c60f78b3cb4b

SHA512
7bfe96a23a31e9d089dbf8e945c9f562aed86377bf22da17f0fd6760d99edb4c85b8cbe5d3eedb31619da90f78382738141b4615a1d6519c0085c6ea5396eb98

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
8KB

MD5
3966ed8ba5fd08f31e7691b5c05eccce

SHA1
f0a40ba488ca6130c235c2f84f302eb1f71a7227

SHA256
861d56b263bb72957adea15ec9fcb07463d3790701dff12cb8f3845eab003230

SHA512
276c3ed431da76e1244f23e797c06c87cca209164e758b2242e38a9b7b377c82ea55d680b9c336ad3d90c29d04ee04ca5a7fd9a3e17e962e17f668ad66afc2f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
52KB

MD5
ebd8f90406c4820902162e3156b1ecb4

SHA1
f909f010552a1471b7a2417d3a954d92dcf44833

SHA256
414b2bf1e0c76689465539ace0fce226ce6ef8619db64799b2b5c60f78b3cb4b

SHA512
7bfe96a23a31e9d089dbf8e945c9f562aed86377bf22da17f0fd6760d99edb4c85b8cbe5d3eedb31619da90f78382738141b4615a1d6519c0085c6ea5396eb98

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
52KB

MD5
ebd8f90406c4820902162e3156b1ecb4

SHA1
f909f010552a1471b7a2417d3a954d92dcf44833

SHA256
414b2bf1e0c76689465539ace0fce226ce6ef8619db64799b2b5c60f78b3cb4b

SHA512
7bfe96a23a31e9d089dbf8e945c9f562aed86377bf22da17f0fd6760d99edb4c85b8cbe5d3eedb31619da90f78382738141b4615a1d6519c0085c6ea5396eb98

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
52KB

MD5
ebd8f90406c4820902162e3156b1ecb4

SHA1
f909f010552a1471b7a2417d3a954d92dcf44833

SHA256
414b2bf1e0c76689465539ace0fce226ce6ef8619db64799b2b5c60f78b3cb4b

SHA512
7bfe96a23a31e9d089dbf8e945c9f562aed86377bf22da17f0fd6760d99edb4c85b8cbe5d3eedb31619da90f78382738141b4615a1d6519c0085c6ea5396eb98

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
a922641d24147db81ea8826948304854

SHA1
104194336bac63094dfec5c5f9e1921098a24f54

SHA256
5b2db6d2b680b1f8ef631794f2bf4a1161514459b3846fcdc42c75c71840206a

SHA512
b31b1c8d9b30955a7d2c31791c288dfab09939935f85a24d650548245a08f23a8223ce0b500d91b6bfa710642f773ea4777e107a5692820167884a900ca3456d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
168e1a8b8799f669f3910d3313138edd

SHA1
93b66eb38bd9dbdf2511d4e6510a68c8e371d06e

SHA256
0b52a3aae9914795976ebad784b2b492c24be5ca2e148f84e75c481a3ce48d27

SHA512
b8d2885169a905cd2f49b513d5de0921dd785dbe46b72b1d3dc37160646a72509413e330aaa8a79df41f61d17120a7dc7f1bffb2f54e0293d82e3ec033367392

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
c13bfda853de7feb0aa4198bd7487464

SHA1
9a18d0546142afc81bf67bdebf11816758540357

SHA256
c84a26b09d70d096508dbb70e9e7dc8f9c0af916b2c38318ec2949936908d821

SHA512
2d20a94d391d7083b08289b5cc652976bee3bbf57af3ed01bacd9dba18b7b6d4ca91954df5667a713093b96f3925976f82041620751ed575dccd43f1a0968f41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
46d60b932aeff8beeb6feb3341f521cc

SHA1
e52ba0906026dd1bea4f4494a0771957430b118e

SHA256
095d1bd680e4844234d00c1943b14654c07e059589f29fb81b9cd9b3c942ccda

SHA512
ab2959489957bd957163df3ec56c979d7de6e1d65193d19d2b839db95c65c03a42227e67a44ab771fa0a15e8071eb237dde7e74dc9a1f03cd8c1514ead1853f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
46d60b932aeff8beeb6feb3341f521cc

SHA1
e52ba0906026dd1bea4f4494a0771957430b118e

SHA256
095d1bd680e4844234d00c1943b14654c07e059589f29fb81b9cd9b3c942ccda

SHA512
ab2959489957bd957163df3ec56c979d7de6e1d65193d19d2b839db95c65c03a42227e67a44ab771fa0a15e8071eb237dde7e74dc9a1f03cd8c1514ead1853f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
c9bf2a513956b01d61bc7c776a10b916

SHA1
d0e91f49f25b82ab055eb75b4e7ca97d59d661fa

SHA256
163332e52d72d7b1f3b90a781d44436610bf984c463b285d15f36b59eded7943

SHA512
0ed79da4d0ee007a155ea4bfecd8afa30e58da1d21c3f5dd9763ba44298a8fb550c59cd3d665b5e32cf5dce0306414a19077b3a173b24f1a5b029896d9fa51b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
c9bf2a513956b01d61bc7c776a10b916

SHA1
d0e91f49f25b82ab055eb75b4e7ca97d59d661fa

SHA256
163332e52d72d7b1f3b90a781d44436610bf984c463b285d15f36b59eded7943

SHA512
0ed79da4d0ee007a155ea4bfecd8afa30e58da1d21c3f5dd9763ba44298a8fb550c59cd3d665b5e32cf5dce0306414a19077b3a173b24f1a5b029896d9fa51b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
c9bf2a513956b01d61bc7c776a10b916

SHA1
d0e91f49f25b82ab055eb75b4e7ca97d59d661fa

SHA256
163332e52d72d7b1f3b90a781d44436610bf984c463b285d15f36b59eded7943

SHA512
0ed79da4d0ee007a155ea4bfecd8afa30e58da1d21c3f5dd9763ba44298a8fb550c59cd3d665b5e32cf5dce0306414a19077b3a173b24f1a5b029896d9fa51b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
de596cb1b72e5bdc16430fe56f536686

SHA1
d0476fb92e9e9a70159b3e15a5cb8bb7b1674cc1

SHA256
c01c27e5f2cdcf872661a36b4c393e571e7a389d55b73a2c75603960a57e3dbf

SHA512
ba09504a49e9c44a8f6b858ffb8094c7e32b61538de8eb13ec8543b28abed8d54b1c998096353bca22f645c20f7163b7e9d704936375d1f85fbbb89f9d155ce6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
de596cb1b72e5bdc16430fe56f536686

SHA1
d0476fb92e9e9a70159b3e15a5cb8bb7b1674cc1

SHA256
c01c27e5f2cdcf872661a36b4c393e571e7a389d55b73a2c75603960a57e3dbf

SHA512
ba09504a49e9c44a8f6b858ffb8094c7e32b61538de8eb13ec8543b28abed8d54b1c998096353bca22f645c20f7163b7e9d704936375d1f85fbbb89f9d155ce6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
de596cb1b72e5bdc16430fe56f536686

SHA1
d0476fb92e9e9a70159b3e15a5cb8bb7b1674cc1

SHA256
c01c27e5f2cdcf872661a36b4c393e571e7a389d55b73a2c75603960a57e3dbf

SHA512
ba09504a49e9c44a8f6b858ffb8094c7e32b61538de8eb13ec8543b28abed8d54b1c998096353bca22f645c20f7163b7e9d704936375d1f85fbbb89f9d155ce6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
de596cb1b72e5bdc16430fe56f536686

SHA1
d0476fb92e9e9a70159b3e15a5cb8bb7b1674cc1

SHA256
c01c27e5f2cdcf872661a36b4c393e571e7a389d55b73a2c75603960a57e3dbf

SHA512
ba09504a49e9c44a8f6b858ffb8094c7e32b61538de8eb13ec8543b28abed8d54b1c998096353bca22f645c20f7163b7e9d704936375d1f85fbbb89f9d155ce6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
de596cb1b72e5bdc16430fe56f536686

SHA1
d0476fb92e9e9a70159b3e15a5cb8bb7b1674cc1

SHA256
c01c27e5f2cdcf872661a36b4c393e571e7a389d55b73a2c75603960a57e3dbf

SHA512
ba09504a49e9c44a8f6b858ffb8094c7e32b61538de8eb13ec8543b28abed8d54b1c998096353bca22f645c20f7163b7e9d704936375d1f85fbbb89f9d155ce6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
de596cb1b72e5bdc16430fe56f536686

SHA1
d0476fb92e9e9a70159b3e15a5cb8bb7b1674cc1

SHA256
c01c27e5f2cdcf872661a36b4c393e571e7a389d55b73a2c75603960a57e3dbf

SHA512
ba09504a49e9c44a8f6b858ffb8094c7e32b61538de8eb13ec8543b28abed8d54b1c998096353bca22f645c20f7163b7e9d704936375d1f85fbbb89f9d155ce6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
de596cb1b72e5bdc16430fe56f536686

SHA1
d0476fb92e9e9a70159b3e15a5cb8bb7b1674cc1

SHA256
c01c27e5f2cdcf872661a36b4c393e571e7a389d55b73a2c75603960a57e3dbf

SHA512
ba09504a49e9c44a8f6b858ffb8094c7e32b61538de8eb13ec8543b28abed8d54b1c998096353bca22f645c20f7163b7e9d704936375d1f85fbbb89f9d155ce6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
de596cb1b72e5bdc16430fe56f536686

SHA1
d0476fb92e9e9a70159b3e15a5cb8bb7b1674cc1

SHA256
c01c27e5f2cdcf872661a36b4c393e571e7a389d55b73a2c75603960a57e3dbf

SHA512
ba09504a49e9c44a8f6b858ffb8094c7e32b61538de8eb13ec8543b28abed8d54b1c998096353bca22f645c20f7163b7e9d704936375d1f85fbbb89f9d155ce6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
de596cb1b72e5bdc16430fe56f536686

SHA1
d0476fb92e9e9a70159b3e15a5cb8bb7b1674cc1

SHA256
c01c27e5f2cdcf872661a36b4c393e571e7a389d55b73a2c75603960a57e3dbf

SHA512
ba09504a49e9c44a8f6b858ffb8094c7e32b61538de8eb13ec8543b28abed8d54b1c998096353bca22f645c20f7163b7e9d704936375d1f85fbbb89f9d155ce6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
de596cb1b72e5bdc16430fe56f536686

SHA1
d0476fb92e9e9a70159b3e15a5cb8bb7b1674cc1

SHA256
c01c27e5f2cdcf872661a36b4c393e571e7a389d55b73a2c75603960a57e3dbf

SHA512
ba09504a49e9c44a8f6b858ffb8094c7e32b61538de8eb13ec8543b28abed8d54b1c998096353bca22f645c20f7163b7e9d704936375d1f85fbbb89f9d155ce6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
de596cb1b72e5bdc16430fe56f536686

SHA1
d0476fb92e9e9a70159b3e15a5cb8bb7b1674cc1

SHA256
c01c27e5f2cdcf872661a36b4c393e571e7a389d55b73a2c75603960a57e3dbf

SHA512
ba09504a49e9c44a8f6b858ffb8094c7e32b61538de8eb13ec8543b28abed8d54b1c998096353bca22f645c20f7163b7e9d704936375d1f85fbbb89f9d155ce6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Email Checker Pro.exe

Filesize
955KB

MD5
1bef91cb37c8f1f62152448f0a5445ac

SHA1
16585c0de057593fd660c96b896855395cada2f0

SHA256
80cdcd9103e4392512038f4bc9299a4e538fd5c42145c6711ae23f58470aa80f

SHA512
769fe922e4c92223e878d667c628634632c5a8beef6daace59a95e5fa635d9070f4b8154e858afb8f9f280512be0369920fa04084b2fda3aabe1b9c8c1f08ac7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Email Checker Pro.exe

Filesize
955KB

MD5
1bef91cb37c8f1f62152448f0a5445ac

SHA1
16585c0de057593fd660c96b896855395cada2f0

SHA256
80cdcd9103e4392512038f4bc9299a4e538fd5c42145c6711ae23f58470aa80f

SHA512
769fe922e4c92223e878d667c628634632c5a8beef6daace59a95e5fa635d9070f4b8154e858afb8f9f280512be0369920fa04084b2fda3aabe1b9c8c1f08ac7

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.bat

Filesize
127B

MD5
80b32b79bf519fce07cdf7b8b7881067

SHA1
2fe368e8f5855ef5f08c46f389bf3b5482ace60b

SHA256
8ed98d8b82c482aaa79a8ea2f1aaea676c5641d69f2478ba7f241e990d5d99b1

SHA512
dc7b986bd5de842d8beb315dea77a424194701b6272cac884dd31cd04586879fa93f3d1f44ec9ca01625b31115b00a2b5fe5028baef7d9ab277881653cab116e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2BF2.tmp

Filesize
1KB

MD5
8d64f65d497b498fe88d9f446628e0e6

SHA1
2c01f76965fa52f717649db191a016b04c296b97

SHA256
735f05df747c5fee00b019083ce51cc52bc338382228e43441f1700a8dc3385b

SHA512
e9f3df490abd42ca4321a771ee35a54819e37eea99256a398544d94c6ff30f7d021a23d87233e3112a2edb5d5fecef4835b688281e2b29d114af01a90cd6fbf1

Download Submit
C:\Users\Admin\Documents\EdgeExplorer.exe

Filesize
1.3MB

MD5
824438344c636fdd81ff2e0d02577912

SHA1
ae288a2cc5bd0cce01615d8d568031c3e84902e2

SHA256
eaba5f0fb075665dc6568f05f66a271b0a03046da739d41de5920d78c40deb65

SHA512
09f1903c6244af5f191e64e9ff6025af6a1c752096b48d43094e5eb6f92c00a77381b49dd6d0d57fc995d4bc4a8375f0ef13d2a9cbc823e3d91b6b9f418b568b

Download Submit
C:\Users\Admin\Documents\EdgeExplorer.exe

Filesize
1.3MB

MD5
824438344c636fdd81ff2e0d02577912

SHA1
ae288a2cc5bd0cce01615d8d568031c3e84902e2

SHA256
eaba5f0fb075665dc6568f05f66a271b0a03046da739d41de5920d78c40deb65

SHA512
09f1903c6244af5f191e64e9ff6025af6a1c752096b48d43094e5eb6f92c00a77381b49dd6d0d57fc995d4bc4a8375f0ef13d2a9cbc823e3d91b6b9f418b568b

Download Submit
C:\Users\Admin\Documents\EdgeExplorer.exe

Filesize
1.3MB

MD5
824438344c636fdd81ff2e0d02577912

SHA1
ae288a2cc5bd0cce01615d8d568031c3e84902e2

SHA256
eaba5f0fb075665dc6568f05f66a271b0a03046da739d41de5920d78c40deb65

SHA512
09f1903c6244af5f191e64e9ff6025af6a1c752096b48d43094e5eb6f92c00a77381b49dd6d0d57fc995d4bc4a8375f0ef13d2a9cbc823e3d91b6b9f418b568b

Download Submit
C:\Users\Admin\Documents\EpicGames Service.exe

Filesize
1.1MB

MD5
b117965f227519eb5c8d6e86bc2dd2a4

SHA1
e1d80bd0958b69cc73eaf1ee26aa816f795aad63

SHA256
f8cfedc4ecdfa6a3e14f46968b5a8e6797a448b0d30f12015cd721121470fcfd

SHA512
728252062ff056079c811cfd42c52971b55e96771ecbd911c49f01c94927a1259ab96c2079e78aced2cae737302401889a3fda52c91d0eccc3719f24d17c177f

Download Submit
C:\Users\Admin\Documents\EpicGames Service.exe

Filesize
1.1MB

MD5
b117965f227519eb5c8d6e86bc2dd2a4

SHA1
e1d80bd0958b69cc73eaf1ee26aa816f795aad63

SHA256
f8cfedc4ecdfa6a3e14f46968b5a8e6797a448b0d30f12015cd721121470fcfd

SHA512
728252062ff056079c811cfd42c52971b55e96771ecbd911c49f01c94927a1259ab96c2079e78aced2cae737302401889a3fda52c91d0eccc3719f24d17c177f

Download Submit
C:\Users\Admin\Documents\EpicGames Service.exe

Filesize
1.1MB

MD5
b117965f227519eb5c8d6e86bc2dd2a4

SHA1
e1d80bd0958b69cc73eaf1ee26aa816f795aad63

SHA256
f8cfedc4ecdfa6a3e14f46968b5a8e6797a448b0d30f12015cd721121470fcfd

SHA512
728252062ff056079c811cfd42c52971b55e96771ecbd911c49f01c94927a1259ab96c2079e78aced2cae737302401889a3fda52c91d0eccc3719f24d17c177f

Download Submit
C:\Users\Admin\Documents\Firefoxinstaller.exe

Filesize
1.5MB

MD5
70d3bb5c6ca4166d190ad265b14f117e

SHA1
95497e892ee875ef226edf3db059121c2c5284ed

SHA256
7d8f13128ef978852b8a1446bba4f9c9dea53cbcd1fcedc08b2054cbe8b0e5d9

SHA512
0abff26122a137960f1d4564828b1456d0bdff68c87d120c3514cc2c819038d0c6c34398f67377898058b6e8d08f4676393831c413d80181786e459ef4d01720

Download Submit
C:\Users\Admin\Documents\Firefoxinstaller.exe

Filesize
1.5MB

MD5
70d3bb5c6ca4166d190ad265b14f117e

SHA1
95497e892ee875ef226edf3db059121c2c5284ed

SHA256
7d8f13128ef978852b8a1446bba4f9c9dea53cbcd1fcedc08b2054cbe8b0e5d9

SHA512
0abff26122a137960f1d4564828b1456d0bdff68c87d120c3514cc2c819038d0c6c34398f67377898058b6e8d08f4676393831c413d80181786e459ef4d01720

Download Submit
C:\Users\Admin\Documents\Firefoxinstaller.exe

Filesize
1.5MB

MD5
70d3bb5c6ca4166d190ad265b14f117e

SHA1
95497e892ee875ef226edf3db059121c2c5284ed

SHA256
7d8f13128ef978852b8a1446bba4f9c9dea53cbcd1fcedc08b2054cbe8b0e5d9

SHA512
0abff26122a137960f1d4564828b1456d0bdff68c87d120c3514cc2c819038d0c6c34398f67377898058b6e8d08f4676393831c413d80181786e459ef4d01720

Download Submit
C:\Users\Admin\Documents\Firefoxinstaller.exe

Filesize
1.5MB

MD5
70d3bb5c6ca4166d190ad265b14f117e

SHA1
95497e892ee875ef226edf3db059121c2c5284ed

SHA256
7d8f13128ef978852b8a1446bba4f9c9dea53cbcd1fcedc08b2054cbe8b0e5d9

SHA512
0abff26122a137960f1d4564828b1456d0bdff68c87d120c3514cc2c819038d0c6c34398f67377898058b6e8d08f4676393831c413d80181786e459ef4d01720

Download Submit
C:\Users\Admin\Documents\Firefoxinstaller.exe

Filesize
1.5MB

MD5
70d3bb5c6ca4166d190ad265b14f117e

SHA1
95497e892ee875ef226edf3db059121c2c5284ed

SHA256
7d8f13128ef978852b8a1446bba4f9c9dea53cbcd1fcedc08b2054cbe8b0e5d9

SHA512
0abff26122a137960f1d4564828b1456d0bdff68c87d120c3514cc2c819038d0c6c34398f67377898058b6e8d08f4676393831c413d80181786e459ef4d01720

Download Submit
C:\Users\Admin\Documents\Firefoxinstaller.exe

Filesize
1.5MB

MD5
70d3bb5c6ca4166d190ad265b14f117e

SHA1
95497e892ee875ef226edf3db059121c2c5284ed

SHA256
7d8f13128ef978852b8a1446bba4f9c9dea53cbcd1fcedc08b2054cbe8b0e5d9

SHA512
0abff26122a137960f1d4564828b1456d0bdff68c87d120c3514cc2c819038d0c6c34398f67377898058b6e8d08f4676393831c413d80181786e459ef4d01720

Download Submit
C:\Users\Admin\Documents\Kruppelcr.exe

Filesize
39KB

MD5
a3f90c77310f6bae831e96fe73ba58e9

SHA1
e9d27043c24e52bb658bb21bd3e2d71bba8e2123

SHA256
2d0605c56ec732a4029a00b5688512bf9ce31da5173995326fad16aced2d3292

SHA512
e64c4d9592d13b290e30bd8f63df3fa1f647f13cb2b6a4fc6507b10649cd8a41e314537b6b0ac70ec9b08c29c0db47664337dcac877d610078d87039138c3887

Download Submit
C:\Users\Admin\Documents\Kruppelcr.exe

Filesize
39KB

MD5
a3f90c77310f6bae831e96fe73ba58e9

SHA1
e9d27043c24e52bb658bb21bd3e2d71bba8e2123

SHA256
2d0605c56ec732a4029a00b5688512bf9ce31da5173995326fad16aced2d3292

SHA512
e64c4d9592d13b290e30bd8f63df3fa1f647f13cb2b6a4fc6507b10649cd8a41e314537b6b0ac70ec9b08c29c0db47664337dcac877d610078d87039138c3887

Download Submit
C:\Users\Admin\Documents\NortonInstaller.exe

Filesize
2.1MB

MD5
d2fe1a2f73303d37c178250add341b97

SHA1
e341e8adaec629d299101bbf1b9a3ca2bfaf7417

SHA256
26742bef88539fcb6beb9753293a4fef4044663cfcb0a799e989194fcdfd3456

SHA512
0c685c265ed28f7655bf27c1a5c1f735670df40ae6e4b835bac3cc62b63b8fe54af82ab0941ca988b1c3220e740c0b2508103a1736b72a79a27ea17bf9a1bc81

Download Submit
C:\Users\Admin\Documents\NortonInstaller.exe

Filesize
2.1MB

MD5
d2fe1a2f73303d37c178250add341b97

SHA1
e341e8adaec629d299101bbf1b9a3ca2bfaf7417

SHA256
26742bef88539fcb6beb9753293a4fef4044663cfcb0a799e989194fcdfd3456

SHA512
0c685c265ed28f7655bf27c1a5c1f735670df40ae6e4b835bac3cc62b63b8fe54af82ab0941ca988b1c3220e740c0b2508103a1736b72a79a27ea17bf9a1bc81

Download Submit
C:\Users\Admin\Documents\NortonInstaller.exe

Filesize
2.1MB

MD5
d2fe1a2f73303d37c178250add341b97

SHA1
e341e8adaec629d299101bbf1b9a3ca2bfaf7417

SHA256
26742bef88539fcb6beb9753293a4fef4044663cfcb0a799e989194fcdfd3456

SHA512
0c685c265ed28f7655bf27c1a5c1f735670df40ae6e4b835bac3cc62b63b8fe54af82ab0941ca988b1c3220e740c0b2508103a1736b72a79a27ea17bf9a1bc81

Download Submit
C:\Users\Admin\Documents\WD+UAC.exe

Filesize
97KB

MD5
77796247470714fe3672f805d5ff6903

SHA1
1aca720af56f7120cbb923c5bd7ac877bcd834e6

SHA256
dfb39aae10f9924bf6658a9c16451968f8f677fde6d66f02269d3a9be106e0c5

SHA512
71118f3d837c10f813369203f0a58b9a0861b5981d47860d6f83227e56278f09d00ce8ae8c5c75fa442eeb79c3601eefcee50e91e4009d7902ea7c9be4bc49ae

Download Submit
C:\Users\Admin\Documents\WD+UAC.exe

Filesize
97KB

MD5
77796247470714fe3672f805d5ff6903

SHA1
1aca720af56f7120cbb923c5bd7ac877bcd834e6

SHA256
dfb39aae10f9924bf6658a9c16451968f8f677fde6d66f02269d3a9be106e0c5

SHA512
71118f3d837c10f813369203f0a58b9a0861b5981d47860d6f83227e56278f09d00ce8ae8c5c75fa442eeb79c3601eefcee50e91e4009d7902ea7c9be4bc49ae

Download Submit
C:\Users\Admin\Documents\WinExplorer.exe

Filesize
1.0MB

MD5
3830fb01bdf4b41e2e9551d422caf795

SHA1
d63a892fc41d2be82de8d02a04b906a8595dcac9

SHA256
6c07127df2ebac66a59a3bc4157a891def20b61d87cf2d206353025893d01422

SHA512
5f2c54bd05b2fe4109b66e3721a19cd533899c3c694ca3a51422cb5d4015d536b96d0e16ea1f5ed8a43dc6d3e690a1702351034f3a68765d6dc6b16983c19886

Download Submit
C:\Users\Admin\Documents\WinExplorer.exe

Filesize
1.0MB

MD5
3830fb01bdf4b41e2e9551d422caf795

SHA1
d63a892fc41d2be82de8d02a04b906a8595dcac9

SHA256
6c07127df2ebac66a59a3bc4157a891def20b61d87cf2d206353025893d01422

SHA512
5f2c54bd05b2fe4109b66e3721a19cd533899c3c694ca3a51422cb5d4015d536b96d0e16ea1f5ed8a43dc6d3e690a1702351034f3a68765d6dc6b16983c19886

Download Submit
C:\Users\Admin\Documents\WinExplorer.exe

Filesize
1.0MB

MD5
3830fb01bdf4b41e2e9551d422caf795

SHA1
d63a892fc41d2be82de8d02a04b906a8595dcac9

SHA256
6c07127df2ebac66a59a3bc4157a891def20b61d87cf2d206353025893d01422

SHA512
5f2c54bd05b2fe4109b66e3721a19cd533899c3c694ca3a51422cb5d4015d536b96d0e16ea1f5ed8a43dc6d3e690a1702351034f3a68765d6dc6b16983c19886

Download Submit
C:\Users\Admin\Documents\WindowsExplorer.exe

Filesize
92KB

MD5
01ccde20287004986c0f29ff0df2e3b1

SHA1
18f9831e3246a08f000b0f4d6f009f2294c7c652

SHA256
862e652677b7a597b24efc1bdb16030ed8512a8e262050a4b40a829b58855860

SHA512
785545dcb74ca29b405261931be0464e65aadc84ebf51e7ad62af709b3867c3a706c9b4efc1e7f922e90c301ff0944feb2dbe6a790db7ac0ba4215b75fde86ee

Download Submit
C:\Users\Admin\Documents\WindowsExplorer.exe

Filesize
92KB

MD5
01ccde20287004986c0f29ff0df2e3b1

SHA1
18f9831e3246a08f000b0f4d6f009f2294c7c652

SHA256
862e652677b7a597b24efc1bdb16030ed8512a8e262050a4b40a829b58855860

SHA512
785545dcb74ca29b405261931be0464e65aadc84ebf51e7ad62af709b3867c3a706c9b4efc1e7f922e90c301ff0944feb2dbe6a790db7ac0ba4215b75fde86ee

Download Submit
C:\Users\Admin\EdgeBrowser.exe

Filesize
1.3MB

MD5
824438344c636fdd81ff2e0d02577912

SHA1
ae288a2cc5bd0cce01615d8d568031c3e84902e2

SHA256
eaba5f0fb075665dc6568f05f66a271b0a03046da739d41de5920d78c40deb65

SHA512
09f1903c6244af5f191e64e9ff6025af6a1c752096b48d43094e5eb6f92c00a77381b49dd6d0d57fc995d4bc4a8375f0ef13d2a9cbc823e3d91b6b9f418b568b

Download Submit
C:\Users\Admin\EdgeBrowser.exe

Filesize
1.3MB

MD5
824438344c636fdd81ff2e0d02577912

SHA1
ae288a2cc5bd0cce01615d8d568031c3e84902e2

SHA256
eaba5f0fb075665dc6568f05f66a271b0a03046da739d41de5920d78c40deb65

SHA512
09f1903c6244af5f191e64e9ff6025af6a1c752096b48d43094e5eb6f92c00a77381b49dd6d0d57fc995d4bc4a8375f0ef13d2a9cbc823e3d91b6b9f418b568b

Download Submit
C:\Users\Admin\EdgeBrowser.exe

Filesize
1.3MB

MD5
824438344c636fdd81ff2e0d02577912

SHA1
ae288a2cc5bd0cce01615d8d568031c3e84902e2

SHA256
eaba5f0fb075665dc6568f05f66a271b0a03046da739d41de5920d78c40deb65

SHA512
09f1903c6244af5f191e64e9ff6025af6a1c752096b48d43094e5eb6f92c00a77381b49dd6d0d57fc995d4bc4a8375f0ef13d2a9cbc823e3d91b6b9f418b568b

Download Submit
C:\explorer\explorer.exe

Filesize
92KB

MD5
01ccde20287004986c0f29ff0df2e3b1

SHA1
18f9831e3246a08f000b0f4d6f009f2294c7c652

SHA256
862e652677b7a597b24efc1bdb16030ed8512a8e262050a4b40a829b58855860

SHA512
785545dcb74ca29b405261931be0464e65aadc84ebf51e7ad62af709b3867c3a706c9b4efc1e7f922e90c301ff0944feb2dbe6a790db7ac0ba4215b75fde86ee

Download Submit
C:\explorer\explorer.exe

Filesize
92KB

MD5
01ccde20287004986c0f29ff0df2e3b1

SHA1
18f9831e3246a08f000b0f4d6f009f2294c7c652

SHA256
862e652677b7a597b24efc1bdb16030ed8512a8e262050a4b40a829b58855860

SHA512
785545dcb74ca29b405261931be0464e65aadc84ebf51e7ad62af709b3867c3a706c9b4efc1e7f922e90c301ff0944feb2dbe6a790db7ac0ba4215b75fde86ee

Download Submit
memory/336-168-0x00007FFECEF20000-0x00007FFECF9E1000-memory.dmp

Filesize
10.8MB

Download
memory/336-134-0x00007FFECEF20000-0x00007FFECF9E1000-memory.dmp

Filesize
10.8MB

Download
memory/336-132-0x0000000000930000-0x0000000000B46000-memory.dmp

Filesize
2.1MB

Download
memory/336-133-0x00007FFECEF20000-0x00007FFECF9E1000-memory.dmp

Filesize
10.8MB

Download
memory/532-198-0x0000000006240000-0x00000000062A6000-memory.dmp

Filesize
408KB

Download
memory/532-254-0x000000006FC90000-0x000000006FCDC000-memory.dmp

Filesize
304KB

Download
memory/976-275-0x0000000006780000-0x000000000678A000-memory.dmp

Filesize
40KB

Download
memory/976-232-0x000000006FC90000-0x000000006FCDC000-memory.dmp

Filesize
304KB

Download
memory/1120-234-0x000000006FC90000-0x000000006FCDC000-memory.dmp

Filesize
304KB

Download
memory/1252-246-0x000000006FC90000-0x000000006FCDC000-memory.dmp

Filesize
304KB

Download
memory/1424-237-0x000000006FC90000-0x000000006FCDC000-memory.dmp

Filesize
304KB

Download
memory/1464-167-0x00000000000A0000-0x00000000000B0000-memory.dmp

Filesize
64KB

Download
memory/1956-235-0x000000006FC90000-0x000000006FCDC000-memory.dmp

Filesize
304KB

Download
memory/2100-256-0x000000006FC90000-0x000000006FCDC000-memory.dmp

Filesize
304KB

Download
memory/2100-196-0x00000000053C0000-0x00000000053E2000-memory.dmp

Filesize
136KB

Download
memory/2100-190-0x0000000004CC0000-0x0000000004CF6000-memory.dmp

Filesize
216KB

Download
memory/2432-155-0x00000000002B0000-0x0000000000440000-memory.dmp

Filesize
1.6MB

Download
memory/2468-326-0x000000006FCE0000-0x000000006FD2C000-memory.dmp

Filesize
304KB

Download
memory/2520-250-0x000000006FC90000-0x000000006FCDC000-memory.dmp

Filesize
304KB

Download
memory/2536-290-0x0000000007440000-0x000000000744E000-memory.dmp

Filesize
56KB

Download
memory/2536-255-0x000000006FC90000-0x000000006FCDC000-memory.dmp

Filesize
304KB

Download
memory/2588-170-0x0000000005290000-0x0000000005322000-memory.dmp

Filesize
584KB

Download
memory/2588-157-0x00000000006E0000-0x00000000007F4000-memory.dmp

Filesize
1.1MB

Download
memory/2588-164-0x0000000005050000-0x00000000050EC000-memory.dmp

Filesize
624KB

Download
memory/2636-153-0x00000000004B0000-0x00000000005F6000-memory.dmp

Filesize
1.3MB

Download
memory/2752-329-0x000000006FCE0000-0x000000006FD2C000-memory.dmp

Filesize
304KB

Download
memory/2908-248-0x000000006FC90000-0x000000006FCDC000-memory.dmp

Filesize
304KB

Download
memory/2968-253-0x000000006FC90000-0x000000006FCDC000-memory.dmp

Filesize
304KB

Download
memory/3056-171-0x0000000005220000-0x000000000522A000-memory.dmp

Filesize
40KB

Download
memory/3056-154-0x0000000000830000-0x000000000093C000-memory.dmp

Filesize
1.0MB

Download
memory/3196-288-0x0000000007E80000-0x0000000007F16000-memory.dmp

Filesize
600KB

Download
memory/3196-245-0x000000006FC90000-0x000000006FCDC000-memory.dmp

Filesize
304KB

Download
memory/3356-236-0x000000006FC90000-0x000000006FCDC000-memory.dmp

Filesize
304KB

Download
memory/3356-263-0x00000000074B0000-0x00000000074CA000-memory.dmp

Filesize
104KB

Download
memory/3988-251-0x000000006FC90000-0x000000006FCDC000-memory.dmp

Filesize
304KB

Download
memory/4040-243-0x000000006FC90000-0x000000006FCDC000-memory.dmp

Filesize
304KB

Download
memory/4076-244-0x000000006FC90000-0x000000006FCDC000-memory.dmp

Filesize
304KB

Download
memory/4156-241-0x000000006FC90000-0x000000006FCDC000-memory.dmp

Filesize
304KB

Download
memory/4212-238-0x000000006FC90000-0x000000006FCDC000-memory.dmp

Filesize
304KB

Download
memory/4212-230-0x0000000007390000-0x00000000073C2000-memory.dmp

Filesize
200KB

Download
memory/4212-308-0x0000000007830000-0x000000000784A000-memory.dmp

Filesize
104KB

Download
memory/4248-169-0x0000000009DB0000-0x000000000A354000-memory.dmp

Filesize
5.6MB

Download
memory/4248-161-0x0000000000950000-0x0000000000972000-memory.dmp

Filesize
136KB

Download
memory/4252-231-0x000000006FC90000-0x000000006FCDC000-memory.dmp

Filesize
304KB

Download
memory/4252-207-0x00000000068B0000-0x00000000068CE000-memory.dmp

Filesize
120KB

Download
memory/4252-194-0x0000000005A80000-0x00000000060A8000-memory.dmp

Filesize
6.2MB

Download
memory/4252-197-0x00000000061B0000-0x0000000006216000-memory.dmp

Filesize
408KB

Download
memory/4252-239-0x0000000007A20000-0x0000000007A3E000-memory.dmp

Filesize
120KB

Download
memory/4644-233-0x000000006FC90000-0x000000006FCDC000-memory.dmp

Filesize
304KB

Download
memory/4644-261-0x00000000074B0000-0x0000000007B2A000-memory.dmp

Filesize
6.5MB

Download
memory/4904-165-0x00007FFEC5B10000-0x00007FFEC6546000-memory.dmp

Filesize
10.2MB

Download
memory/5044-158-0x00000000009B0000-0x0000000000BD4000-memory.dmp

Filesize
2.1MB

Download
memory/5788-328-0x000000006FCE0000-0x000000006FD2C000-memory.dmp

Filesize
304KB

Download
memory/6256-212-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/6268-219-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/6288-215-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/6316-224-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/6464-228-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/6676-293-0x000000006FC90000-0x000000006FCDC000-memory.dmp

Filesize
304KB

Download
memory/6676-324-0x00000000077C0000-0x00000000077C8000-memory.dmp

Filesize
32KB

Download
memory/6812-291-0x000000006FC90000-0x000000006FCDC000-memory.dmp

Filesize
304KB

Download
memory/6820-260-0x0000000005A60000-0x0000000005AB6000-memory.dmp

Filesize
344KB

Download
memory/6820-247-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/7024-327-0x000000006FCE0000-0x000000006FD2C000-memory.dmp

Filesize
304KB

Download
memory/7136-294-0x000000006FC90000-0x000000006FCDC000-memory.dmp

Filesize
304KB

Download
memory/7152-292-0x000000006FC90000-0x000000006FCDC000-memory.dmp

Filesize
304KB

Download