087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd

Analysis

max time kernel
182s
max time network
190s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
26-11-2022 23:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Size

1.1MB
MD5

e00e791b11a45b14e9697634ec448b59
SHA1

d09ce3a226c5a75113768979f8b0d707886a9a7d
SHA256

087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd
SHA512

f125c379bcd896b7b9f37ac84ff30d5e33159aadd1c0f9ee5f467ef20fcb6c7fb3e4f409bac3cf9e23eee76ad3a902dfcf3d566dcfd1c7fb0bf844091a262257
SSDEEP

24576:pbCj2sObHtqQ4QETwiOVUYn6+GU/zjCHlifv6k:pbCjPKNqQ8wiA9F7Lak

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 32 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exeRegAsm.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\CCleaner\\CCleaner.exe"	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\CCleaner\\CCleaner.exe"	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\CCleaner\\CCleaner.exe"	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\CCleaner\\CCleaner.exe"	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\CCleaner\\CCleaner.exe"	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\CCleaner\\CCleaner.exe"	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\CCleaner\\CCleaner.exe"	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\CCleaner\\CCleaner.exe"	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\CCleaner\\CCleaner.exe"	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\CCleaner\\CCleaner.exe"	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\CCleaner\\CCleaner.exe"	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,\"C:\\Windows\\system32\\clientsvr.exe\""	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\CCleaner\\CCleaner.exe"	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\CCleaner\\CCleaner.exe"	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\CCleaner\\CCleaner.exe"	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\CCleaner\\CCleaner.exe"	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\CCleaner\\CCleaner.exe"	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe\""	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\CCleaner\\CCleaner.exe"	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\CCleaner\\CCleaner.exe"	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\CCleaner\\CCleaner.exe"	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\CCleaner\\CCleaner.exe"	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\CCleaner\\CCleaner.exe"	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\CCleaner\\CCleaner.exe"	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\CCleaner\\CCleaner.exe"	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\CCleaner\\CCleaner.exe"	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\CCleaner\\CCleaner.exe"	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\CCleaner\\CCleaner.exe"	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\CCleaner\\CCleaner.exe"	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\CCleaner\\CCleaner.exe"	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\CCleaner\\CCleaner.exe"	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\CCleaner\\CCleaner.exe"	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 1580 created 5108 1580 WerFault.exe RegAsm.exe

description	pid	process	target process
PID 1580 created 5108	1580	WerFault.exe	RegAsm.exe

Executes dropped EXE 42 IoCs

Processes:

087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exesysmon.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exesysmon.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exesysmon.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exesysmon.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exesysmon.exesysmon.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exesysmon.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exesysmon.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exesysmon.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exesysmon.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exesysmon.exesysmon.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exesysmon.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe

pid	process
4924	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
940	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
3904	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
4856	sysmon.exe
4516	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
3720	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
4228	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
3468	sysmon.exe
4576	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
4972	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
3104	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
3100	sysmon.exe
2316	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
2128	sysmon.exe
2064	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
376	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
3460	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
1508	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
2664	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
2888	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
4856	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
1404	sysmon.exe
4796	sysmon.exe
3940	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
3068	sysmon.exe
2640	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
4544	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
788	sysmon.exe
4196	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
2464	sysmon.exe
5060	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
4008	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
2932	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
2320	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
3692	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
3392	sysmon.exe
4244	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
2056	sysmon.exe
3676	sysmon.exe
3868	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
4576	sysmon.exe
3232	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe

Checks computer location settings 2 TTPs 17 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeWScript.exeRegAsm.exeRegAsm.exeRegAsm.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	RegAsm.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exeRegAsm.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\update\\boot.lnk,explorer.exe"	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\System Monitor = "\"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe\""	RegAsm.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\update\\boot.lnk,explorer.exe"	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\update\\boot.lnk,explorer.exe"	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\update\\boot.lnk,explorer.exe"	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\update\\boot.lnk,explorer.exe"	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\update\\boot.lnk,explorer.exe"	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\update\\winupdate.lnk"	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\update\\boot.lnk,explorer.exe"	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\update\\boot.lnk,explorer.exe"	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\update\\winupdate.lnk"	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\update\\winupdate.lnk"	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\update\\winupdate.lnk"	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\update\\winupdate.lnk"	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\update\\winupdate.lnk"	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\update\\winupdate.lnk"	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\update\\boot.lnk,explorer.exe"	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\update\\boot.lnk,explorer.exe"	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\update\\winupdate.lnk"	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\update\\boot.lnk,explorer.exe"	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\update\\boot.lnk,explorer.exe"	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\update\\winupdate.lnk"	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\update\\boot.lnk,explorer.exe"	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\update\\winupdate.lnk"	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\update\\winupdate.lnk"	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe

Checks whether UAC is enabled 1 TTPs 30 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe

AutoIT Executable 18 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe	autoit_exe
C:\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe	autoit_exe
C:\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe	autoit_exe
C:\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe	autoit_exe
C:\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe	autoit_exe
C:\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe	autoit_exe
C:\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe	autoit_exe
C:\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe	autoit_exe
C:\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe	autoit_exe
C:\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe	autoit_exe
C:\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe	autoit_exe
C:\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe	autoit_exe
C:\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe	autoit_exe
C:\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe	autoit_exe
C:\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe	autoit_exe
C:\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe	autoit_exe
C:\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe	autoit_exe
C:\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe	autoit_exe

Drops file in System32 directory 1 IoCs

Processes:

RegAsm.exe

description ioc process

File created C:\Windows\SysWOW64\clientsvr.exe RegAsm.exe

description	ioc	process
File created	C:\Windows\SysWOW64\clientsvr.exe	RegAsm.exe

Suspicious use of SetThreadContext 30 IoCs

Processes:

087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe

description	pid	process	target process
PID 1520 set thread context of 2224	1520	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe	RegAsm.exe
PID 4924 set thread context of 3824	4924	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe	RegAsm.exe
PID 940 set thread context of 3760	940	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe	RegAsm.exe
PID 3904 set thread context of 3440	3904	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe	RegAsm.exe
PID 4516 set thread context of 4276	4516	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe	RegAsm.exe
PID 3720 set thread context of 4536	3720	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe	RegAsm.exe
PID 4228 set thread context of 3796	4228	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe	RegAsm.exe
PID 4576 set thread context of 3660	4576	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe	RegAsm.exe
PID 4972 set thread context of 3452	4972	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe	RegAsm.exe
PID 3104 set thread context of 2240	3104	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe	RegAsm.exe
PID 2316 set thread context of 4648	2316	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe	RegAsm.exe
PID 2064 set thread context of 1124	2064	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe	RegAsm.exe
PID 376 set thread context of 1956	376	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe	RegAsm.exe
PID 3460 set thread context of 5108	3460	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe	RegAsm.exe
PID 1508 set thread context of 1232	1508	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe	RegAsm.exe
PID 2664 set thread context of 4920	2664	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe	RegAsm.exe
PID 2888 set thread context of 512	2888	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe	RegAsm.exe
PID 4856 set thread context of 3992	4856	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe	RegAsm.exe
PID 3940 set thread context of 892	3940	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe	RegAsm.exe
PID 2640 set thread context of 4552	2640	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe	RegAsm.exe
PID 4544 set thread context of 1588	4544	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe	RegAsm.exe
PID 4196 set thread context of 3884	4196	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe	RegAsm.exe
PID 5060 set thread context of 1100	5060	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe	RegAsm.exe
PID 4008 set thread context of 4980	4008	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe	RegAsm.exe
PID 2932 set thread context of 1772	2932	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe	RegAsm.exe
PID 2320 set thread context of 4608	2320	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe	RegAsm.exe
PID 3692 set thread context of 1636	3692	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe	RegAsm.exe
PID 4244 set thread context of 5112	4244	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe	RegAsm.exe
PID 3868 set thread context of 4280	3868	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe	RegAsm.exe
PID 3232 set thread context of 1856	3232	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe	RegAsm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 11 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
332	3824	WerFault.exe	RegAsm.exe
892	3440	WerFault.exe	RegAsm.exe
4024	4536	WerFault.exe	RegAsm.exe
1744	3452	WerFault.exe	RegAsm.exe
2184	2240	WerFault.exe	RegAsm.exe
4836	4648	WerFault.exe	RegAsm.exe
2552	5108	WerFault.exe	RegAsm.exe
4680	1232	WerFault.exe	RegAsm.exe
1776	3992	WerFault.exe	RegAsm.exe
3500	4280	WerFault.exe	RegAsm.exe
2968	1856	WerFault.exe	RegAsm.exe

Modifies registry class 1 IoCs

Processes:

087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

pid	process
1520	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
1520	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
1520	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
1520	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
1520	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
1520	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
1520	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
1520	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
1520	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
1520	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
1520	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
1520	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
1520	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
1520	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
1520	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
1520	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
1520	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
1520	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
1520	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
1520	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
4924	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
4924	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
4924	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
4924	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
4924	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
4924	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
4924	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
4924	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
4924	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
4924	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
4924	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
4924	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
4924	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
4924	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
4924	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
4924	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
4924	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
4924	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
4924	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
4924	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
940	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
940	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
940	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
940	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
940	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
940	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
940	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
940	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
940	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
940	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
940	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
940	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
940	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
940	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
940	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
940	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
940	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
940	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
940	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
940	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
3904	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
3904	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
3904	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
3904	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

RegAsm.exe

description pid process

Token: SeDebugPrivilege 3760 RegAsm.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

RegAsm.exe

pid process

3760 RegAsm.exe

description	pid	process
Token: SeDebugPrivilege	3760	RegAsm.exe

pid	process
3760	RegAsm.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exeWScript.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exeRegAsm.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exeRegAsm.exe

description	pid	process	target process
PID 1520 wrote to memory of 456	1520	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe	WScript.exe
PID 1520 wrote to memory of 456	1520	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe	WScript.exe
PID 1520 wrote to memory of 456	1520	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe	WScript.exe
PID 456 wrote to memory of 4924	456	WScript.exe	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
PID 456 wrote to memory of 4924	456	WScript.exe	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
PID 456 wrote to memory of 4924	456	WScript.exe	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
PID 1520 wrote to memory of 2224	1520	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe	RegAsm.exe
PID 1520 wrote to memory of 2224	1520	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe	RegAsm.exe
PID 1520 wrote to memory of 2224	1520	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe	RegAsm.exe
PID 1520 wrote to memory of 2224	1520	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe	RegAsm.exe
PID 1520 wrote to memory of 2224	1520	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe	RegAsm.exe
PID 1520 wrote to memory of 2224	1520	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe	RegAsm.exe
PID 1520 wrote to memory of 2224	1520	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe	RegAsm.exe
PID 1520 wrote to memory of 2224	1520	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe	RegAsm.exe
PID 4924 wrote to memory of 3824	4924	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe	RegAsm.exe
PID 4924 wrote to memory of 3824	4924	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe	RegAsm.exe
PID 4924 wrote to memory of 3824	4924	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe	RegAsm.exe
PID 4924 wrote to memory of 3824	4924	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe	RegAsm.exe
PID 456 wrote to memory of 940	456	WScript.exe	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
PID 456 wrote to memory of 940	456	WScript.exe	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
PID 456 wrote to memory of 940	456	WScript.exe	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
PID 940 wrote to memory of 3760	940	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe	RegAsm.exe
PID 940 wrote to memory of 3760	940	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe	RegAsm.exe
PID 940 wrote to memory of 3760	940	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe	RegAsm.exe
PID 940 wrote to memory of 3760	940	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe	RegAsm.exe
PID 940 wrote to memory of 3760	940	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe	RegAsm.exe
PID 940 wrote to memory of 3760	940	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe	RegAsm.exe
PID 940 wrote to memory of 3760	940	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe	RegAsm.exe
PID 940 wrote to memory of 3760	940	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe	RegAsm.exe
PID 456 wrote to memory of 3904	456	WScript.exe	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
PID 456 wrote to memory of 3904	456	WScript.exe	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
PID 456 wrote to memory of 3904	456	WScript.exe	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
PID 2224 wrote to memory of 4856	2224	RegAsm.exe	sysmon.exe
PID 2224 wrote to memory of 4856	2224	RegAsm.exe	sysmon.exe
PID 2224 wrote to memory of 4856	2224	RegAsm.exe	sysmon.exe
PID 3904 wrote to memory of 3440	3904	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe	RegAsm.exe
PID 3904 wrote to memory of 3440	3904	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe	RegAsm.exe
PID 3904 wrote to memory of 3440	3904	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe	RegAsm.exe
PID 3904 wrote to memory of 3440	3904	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe	RegAsm.exe
PID 456 wrote to memory of 4516	456	WScript.exe	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
PID 456 wrote to memory of 4516	456	WScript.exe	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
PID 456 wrote to memory of 4516	456	WScript.exe	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
PID 4516 wrote to memory of 4276	4516	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe	RegAsm.exe
PID 4516 wrote to memory of 4276	4516	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe	RegAsm.exe
PID 4516 wrote to memory of 4276	4516	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe	RegAsm.exe
PID 4516 wrote to memory of 4276	4516	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe	RegAsm.exe
PID 4516 wrote to memory of 4276	4516	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe	RegAsm.exe
PID 4516 wrote to memory of 4276	4516	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe	RegAsm.exe
PID 4516 wrote to memory of 4276	4516	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe	RegAsm.exe
PID 4516 wrote to memory of 4276	4516	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe	RegAsm.exe
PID 456 wrote to memory of 3720	456	WScript.exe	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
PID 456 wrote to memory of 3720	456	WScript.exe	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
PID 456 wrote to memory of 3720	456	WScript.exe	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
PID 3720 wrote to memory of 4536	3720	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe	RegAsm.exe
PID 3720 wrote to memory of 4536	3720	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe	RegAsm.exe
PID 3720 wrote to memory of 4536	3720	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe	RegAsm.exe
PID 3720 wrote to memory of 4536	3720	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe	RegAsm.exe
PID 456 wrote to memory of 4228	456	WScript.exe	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
PID 456 wrote to memory of 4228	456	WScript.exe	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
PID 456 wrote to memory of 4228	456	WScript.exe	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
PID 4276 wrote to memory of 3468	4276	RegAsm.exe	sysmon.exe
PID 4276 wrote to memory of 3468	4276	RegAsm.exe	sysmon.exe
PID 4276 wrote to memory of 3468	4276	RegAsm.exe	sysmon.exe
PID 456 wrote to memory of 4576	456	WScript.exe	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe

C:\Users\Admin\AppData\Local\Temp\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
"C:\Users\Admin\AppData\Local\Temp\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1520

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Src.vbs" 0
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:456

C:\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
"C:\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe"
3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4924

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
4⤵
PID:3824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3824 -s 80
5⤵
- Program crash
PID:332

C:\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
"C:\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe"
3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:940

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
4⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3760

C:\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
"C:\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe"
3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3904

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
4⤵
PID:3440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3440 -s 88
5⤵
- Program crash
PID:892

C:\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
"C:\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe"
3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4516

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
4⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4276

C:\ProgramData\378998\sysmon.exe
"C:\ProgramData\378998\sysmon.exe"
5⤵
- Executes dropped EXE
PID:3468

C:\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
"C:\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe"
3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3720

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
4⤵
PID:4536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4536 -s 88
5⤵
- Program crash
PID:4024

C:\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
"C:\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe"
3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:4228

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
4⤵
- Checks computer location settings
PID:3796

C:\ProgramData\378998\sysmon.exe
"C:\ProgramData\378998\sysmon.exe"
5⤵
- Executes dropped EXE
PID:3100

C:\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
"C:\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe"
3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:4576

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
4⤵
- Checks computer location settings
PID:3660

C:\ProgramData\378998\sysmon.exe
"C:\ProgramData\378998\sysmon.exe"
5⤵
- Executes dropped EXE
PID:2128

C:\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
"C:\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe"
3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:4972

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
4⤵
PID:3452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3452 -s 80
5⤵
- Program crash
PID:1744

C:\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
"C:\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe"
3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:3104

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
4⤵
PID:2240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2240 -s 80
5⤵
- Program crash
PID:2184

C:\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
"C:\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe"
3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:2316

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
4⤵
PID:4648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4648 -s 80
5⤵
- Program crash
PID:4836

C:\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
"C:\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe"
3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:2064

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
4⤵
PID:1124

C:\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
"C:\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe"
3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:376

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
4⤵
- Checks computer location settings
PID:1956

C:\ProgramData\378998\sysmon.exe
"C:\ProgramData\378998\sysmon.exe"
5⤵
- Executes dropped EXE
PID:1404

C:\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
"C:\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe"
3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:3460

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
4⤵
PID:5108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5108 -s 80
5⤵
- Program crash
PID:2552

C:\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
"C:\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe"
3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:1508

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
4⤵
PID:1232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1232 -s 80
5⤵
- Program crash
PID:4680

C:\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
"C:\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe"
3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:2664

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
4⤵
- Checks computer location settings
PID:4920

C:\ProgramData\378998\sysmon.exe
"C:\ProgramData\378998\sysmon.exe"
5⤵
- Executes dropped EXE
PID:4796

C:\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
"C:\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe"
3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:2888

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
4⤵
- Checks computer location settings
PID:512

C:\ProgramData\378998\sysmon.exe
"C:\ProgramData\378998\sysmon.exe"
5⤵
- Executes dropped EXE
PID:3068

C:\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
"C:\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe"
3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:4856

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
4⤵
PID:3992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3992 -s 80
5⤵
- Program crash
PID:1776

C:\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
"C:\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe"
3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:3940

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
4⤵
- Checks computer location settings
PID:892

C:\ProgramData\378998\sysmon.exe
"C:\ProgramData\378998\sysmon.exe"
5⤵
- Executes dropped EXE
PID:788

C:\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
"C:\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe"
3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:2640

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
4⤵
- Checks computer location settings
PID:4552

C:\ProgramData\378998\sysmon.exe
"C:\ProgramData\378998\sysmon.exe"
5⤵
- Executes dropped EXE
PID:2464

C:\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
"C:\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe"
3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:4544

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
4⤵
PID:1588

C:\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
"C:\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe"
3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:4196

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
4⤵
PID:3884

C:\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
"C:\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe"
3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:5060

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
4⤵
- Checks computer location settings
PID:1100

C:\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
"C:\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe"
3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:4008

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
4⤵
- Checks computer location settings
PID:4980

C:\ProgramData\378998\sysmon.exe
"C:\ProgramData\378998\sysmon.exe"
5⤵
- Executes dropped EXE
PID:3392

C:\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
"C:\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe"
3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:2932

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
4⤵
PID:1772

C:\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
"C:\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe"
3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:2320

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
4⤵
- Checks computer location settings
PID:4608

C:\ProgramData\378998\sysmon.exe
"C:\ProgramData\378998\sysmon.exe"
5⤵
- Executes dropped EXE
PID:2056

C:\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
"C:\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe"
3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:3692

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
4⤵
- Checks computer location settings
PID:1636

C:\ProgramData\378998\sysmon.exe
"C:\ProgramData\378998\sysmon.exe"
5⤵
- Executes dropped EXE
PID:3676

C:\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
"C:\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe"
3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:4244

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
4⤵
- Checks computer location settings
PID:5112

C:\ProgramData\378998\sysmon.exe
"C:\ProgramData\378998\sysmon.exe"
5⤵
- Executes dropped EXE
PID:4576

C:\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
"C:\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe"
3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:3868

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
4⤵
PID:4280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4280 -s 80
5⤵
- Program crash
PID:3500

C:\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
"C:\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe"
3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:3232

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
4⤵
PID:1856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1856 -s 80
5⤵
- Program crash
PID:2968

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2224

C:\ProgramData\378998\sysmon.exe
"C:\ProgramData\378998\sysmon.exe"
3⤵
- Executes dropped EXE
PID:4856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3824 -ip 3824
1⤵
PID:4944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 3440 -ip 3440
1⤵
PID:1936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4536 -ip 4536
1⤵
PID:4136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3452 -ip 3452
1⤵
PID:1304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2240 -ip 2240
1⤵
PID:1560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4648 -ip 4648
1⤵
PID:3416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 5108 -ip 5108
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:1580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1232 -ip 1232
1⤵
PID:3784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3992 -ip 3992
1⤵
PID:5032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4280 -ip 4280
1⤵
PID:1600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1856 -ip 1856
1⤵
PID:4768

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\378998\sysmon.exe
Filesize
52KB

MD5
a64daca3cfbcd039df3ec29d3eddd001

SHA1
eee8b2573f71e8d5c3ee7e53af3e6772e090d0f3

SHA256
403752009f29381d5e4036b8be94589c89188f9ce8ef5f86959eaaada019ed36

SHA512
b6fe2d0ae3fcd4442579ecf10d498d61e0f042813c8fc4be8019da77d849cfcf0b168507139a1b5697227c272de9091788f8e03cf1ce13d5b5077568cfa6a479

Download Submit
C:\ProgramData\378998\sysmon.exe
Filesize
52KB

MD5
a64daca3cfbcd039df3ec29d3eddd001

SHA1
eee8b2573f71e8d5c3ee7e53af3e6772e090d0f3

SHA256
403752009f29381d5e4036b8be94589c89188f9ce8ef5f86959eaaada019ed36

SHA512
b6fe2d0ae3fcd4442579ecf10d498d61e0f042813c8fc4be8019da77d849cfcf0b168507139a1b5697227c272de9091788f8e03cf1ce13d5b5077568cfa6a479

Download Submit
C:\ProgramData\378998\sysmon.exe
Filesize
52KB

MD5
a64daca3cfbcd039df3ec29d3eddd001

SHA1
eee8b2573f71e8d5c3ee7e53af3e6772e090d0f3

SHA256
403752009f29381d5e4036b8be94589c89188f9ce8ef5f86959eaaada019ed36

SHA512
b6fe2d0ae3fcd4442579ecf10d498d61e0f042813c8fc4be8019da77d849cfcf0b168507139a1b5697227c272de9091788f8e03cf1ce13d5b5077568cfa6a479

Download Submit
C:\ProgramData\378998\sysmon.exe
Filesize
52KB

MD5
a64daca3cfbcd039df3ec29d3eddd001

SHA1
eee8b2573f71e8d5c3ee7e53af3e6772e090d0f3

SHA256
403752009f29381d5e4036b8be94589c89188f9ce8ef5f86959eaaada019ed36

SHA512
b6fe2d0ae3fcd4442579ecf10d498d61e0f042813c8fc4be8019da77d849cfcf0b168507139a1b5697227c272de9091788f8e03cf1ce13d5b5077568cfa6a479

Download Submit
C:\ProgramData\378998\sysmon.exe
Filesize
52KB

MD5
a64daca3cfbcd039df3ec29d3eddd001

SHA1
eee8b2573f71e8d5c3ee7e53af3e6772e090d0f3

SHA256
403752009f29381d5e4036b8be94589c89188f9ce8ef5f86959eaaada019ed36

SHA512
b6fe2d0ae3fcd4442579ecf10d498d61e0f042813c8fc4be8019da77d849cfcf0b168507139a1b5697227c272de9091788f8e03cf1ce13d5b5077568cfa6a479

Download Submit
C:\ProgramData\378998\sysmon.exe
Filesize
52KB

MD5
a64daca3cfbcd039df3ec29d3eddd001

SHA1
eee8b2573f71e8d5c3ee7e53af3e6772e090d0f3

SHA256
403752009f29381d5e4036b8be94589c89188f9ce8ef5f86959eaaada019ed36

SHA512
b6fe2d0ae3fcd4442579ecf10d498d61e0f042813c8fc4be8019da77d849cfcf0b168507139a1b5697227c272de9091788f8e03cf1ce13d5b5077568cfa6a479

Download Submit
C:\ProgramData\378998\sysmon.exe
Filesize
52KB

MD5
a64daca3cfbcd039df3ec29d3eddd001

SHA1
eee8b2573f71e8d5c3ee7e53af3e6772e090d0f3

SHA256
403752009f29381d5e4036b8be94589c89188f9ce8ef5f86959eaaada019ed36

SHA512
b6fe2d0ae3fcd4442579ecf10d498d61e0f042813c8fc4be8019da77d849cfcf0b168507139a1b5697227c272de9091788f8e03cf1ce13d5b5077568cfa6a479

Download Submit
C:\ProgramData\378998\sysmon.exe
Filesize
52KB

MD5
a64daca3cfbcd039df3ec29d3eddd001

SHA1
eee8b2573f71e8d5c3ee7e53af3e6772e090d0f3

SHA256
403752009f29381d5e4036b8be94589c89188f9ce8ef5f86959eaaada019ed36

SHA512
b6fe2d0ae3fcd4442579ecf10d498d61e0f042813c8fc4be8019da77d849cfcf0b168507139a1b5697227c272de9091788f8e03cf1ce13d5b5077568cfa6a479

Download Submit
C:\ProgramData\378998\sysmon.exe
Filesize
52KB

MD5
a64daca3cfbcd039df3ec29d3eddd001

SHA1
eee8b2573f71e8d5c3ee7e53af3e6772e090d0f3

SHA256
403752009f29381d5e4036b8be94589c89188f9ce8ef5f86959eaaada019ed36

SHA512
b6fe2d0ae3fcd4442579ecf10d498d61e0f042813c8fc4be8019da77d849cfcf0b168507139a1b5697227c272de9091788f8e03cf1ce13d5b5077568cfa6a479

Download Submit
C:\ProgramData\378998\sysmon.exe
Filesize
52KB

MD5
a64daca3cfbcd039df3ec29d3eddd001

SHA1
eee8b2573f71e8d5c3ee7e53af3e6772e090d0f3

SHA256
403752009f29381d5e4036b8be94589c89188f9ce8ef5f86959eaaada019ed36

SHA512
b6fe2d0ae3fcd4442579ecf10d498d61e0f042813c8fc4be8019da77d849cfcf0b168507139a1b5697227c272de9091788f8e03cf1ce13d5b5077568cfa6a479

Download Submit
C:\ProgramData\378998\sysmon.exe
Filesize
52KB

MD5
a64daca3cfbcd039df3ec29d3eddd001

SHA1
eee8b2573f71e8d5c3ee7e53af3e6772e090d0f3

SHA256
403752009f29381d5e4036b8be94589c89188f9ce8ef5f86959eaaada019ed36

SHA512
b6fe2d0ae3fcd4442579ecf10d498d61e0f042813c8fc4be8019da77d849cfcf0b168507139a1b5697227c272de9091788f8e03cf1ce13d5b5077568cfa6a479

Download Submit
C:\ProgramData\378998\sysmon.exe
Filesize
52KB

MD5
a64daca3cfbcd039df3ec29d3eddd001

SHA1
eee8b2573f71e8d5c3ee7e53af3e6772e090d0f3

SHA256
403752009f29381d5e4036b8be94589c89188f9ce8ef5f86959eaaada019ed36

SHA512
b6fe2d0ae3fcd4442579ecf10d498d61e0f042813c8fc4be8019da77d849cfcf0b168507139a1b5697227c272de9091788f8e03cf1ce13d5b5077568cfa6a479

Download Submit
C:\ProgramData\378998\sysmon.exe
Filesize
52KB

MD5
a64daca3cfbcd039df3ec29d3eddd001

SHA1
eee8b2573f71e8d5c3ee7e53af3e6772e090d0f3

SHA256
403752009f29381d5e4036b8be94589c89188f9ce8ef5f86959eaaada019ed36

SHA512
b6fe2d0ae3fcd4442579ecf10d498d61e0f042813c8fc4be8019da77d849cfcf0b168507139a1b5697227c272de9091788f8e03cf1ce13d5b5077568cfa6a479

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\RegAsm.exe.log
Filesize
500B

MD5
673ef491588c73b520d013da6ae85912

SHA1
dbe04459ce24d5716fdc02a66c231b4e87e44382

SHA256
454e88ef63bf571defaf3d8d392f286cf3d58907e3b721a7ed2cd6ad0ce63b29

SHA512
bb23d78e31cdd6edf91d1de9b229537f74244a35e8cbe0949ee7a54ca124962c34bf7638ae0d63947c9e2a067c246e65bb83bea74e69bbb859a21f6f587d1e39

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\sysmon.exe.log
Filesize
20B

MD5
b3ac9d09e3a47d5fd00c37e075a70ecb

SHA1
ad14e6d0e07b00bd10d77a06d68841b20675680b

SHA256
7a23c6e7ccd8811ecdf038d3a89d5c7d68ed37324bae2d4954125d9128fa9432

SHA512
09b609ee1061205aa45b3c954efc6c1a03c8fd6b3011ff88cf2c060e19b1d7fd51ee0cb9d02a39310125f3a66aa0146261bdee3d804f472034df711bc942e316

Download Submit
C:\Users\Admin\AppData\Local\Temp\Src.vbs
Filesize
220B

MD5
bf97d1855681f2d320e75cd57a326c4c

SHA1
30067c154088e35e71acc396942ce511e3fead18

SHA256
f920c4d29e31489499b1b8df498342861e3f813cc2a3d389f80c12f143de4212

SHA512
93d2262ec2742a0003df176dc3d5b09ba433c231c373d9e1eae2a66cdc000c04e1148587674e49de9f241c85ebb77226c8c43c84d9943050933da353ebf030b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\update\boot.lnk
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\update\boot.lnk
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\update\boot.lnk
Filesize
2KB

MD5
9fc61e0c72bc49f90d4a6aa7b01bd125

SHA1
475fc4c591243db80da5f6d5c121d7949ba3b678

SHA256
f12dd3aaf12c0a9bfc06518eda9b958a1f29db278b44454adad50fa4050cb972

SHA512
8d5e517cb04792a52bffc5daa06d6ef6823e9ce81466ae6774be323fa16fcc35a2e4c4beb1f663ddee8c2c89f9de6a133dd367169df62b3d6803da50492d49c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\update\boot.lnk
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\update\boot.lnk
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\update\boot.lnk
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\update\boot.lnk
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\update\boot.lnk
Filesize
2KB

MD5
91613a1808d2d28e4af8cabfea74aa08

SHA1
b12abd195549824dbda5aaa6328a41f5fca86a08

SHA256
2e3e51e4dac64cbe2f1d4a0417b1a0b7555f81bddb395d47fb8ad12b7a41ac58

SHA512
662aaaf444ed9961cc62ab69534b578afc3e95129d50cfc172a4517be9e6cb991689bcd632845cac4474fa7ec9f9726b1b12f3318ead6498e121bd5d3df75c06

Download Submit
C:\Users\Admin\AppData\Local\Temp\update\boot.lnk
Filesize
2KB

MD5
a9f4b0e31ecacb7137b3d28e6b0b2ddb

SHA1
ed9cdacaafa4b0b5898897c638ffc9fffdd2815c

SHA256
483a8af8409136e117c0ae1bd3a78a4277581a92b7552e5a721d0ed872393d09

SHA512
13066eaf053bc74d3807874c6fd3fb097cf02e677ecc7d786c7f8b04eb6de8b044a45cc63ff4fcebc31e04060807a50da36fd704cd17cf9cc5b670a3417f3718

Download Submit
C:\Users\Admin\AppData\Local\Temp\update\boot.lnk
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\update\boot.lnk
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\update\boot.lnk
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\update\boot.lnk
Filesize
2KB

MD5
b02268ce5ce3148c75366a800be00e84

SHA1
f4082534127d9dd287eb164f7b2c018fbd76b055

SHA256
2ba13e2840a83f017f799eb338270093dc45d89d4e227e88dcef38f13e22993b

SHA512
18d04219e25651e58a07bf6f2f856454751b5b3e1e63ec2c7abf9b8ec84f4e715a5068ef59bb8696a61a785effcf1242634e0f68bbf52eaa231e4da2c8d5792d

Download Submit
C:\Users\Admin\AppData\Local\Temp\update\boot.lnk
Filesize
2KB

MD5
916fde489d48ddcbe1c757388f59f87e

SHA1
8d78caaba1670f6d5bdc516e01188e09032ab7ce

SHA256
e8c0af09fbcba6db1afb0ee1f8ad8bd27cfb3de20fd6216f933f5ab8e8a009b1

SHA512
c642df16e0d5ff4068350e226bf2c1743e948f923ae2632fc91caa4a3c20cce7f93a981cf3838fe2a4fe095864331e9c5004908c1e10d581ab418938638a0a73

Download Submit
C:\Users\Admin\AppData\Local\Temp\update\boot.lnk
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\update\boot.lnk
Filesize
2KB

MD5
7f089b8bc7e018a3fc5b822b6793d0c2

SHA1
2adbdfc1af7b57035e41377e9d455bafc5f392d5

SHA256
be211a76bfe1589958ec2bb73fe36747c5127a90a5e8e183770f952e82e9d759

SHA512
93e6f0d14836ff28d1643e7d7e16b7459d356e078c9621e0acc0b6e73440f2b3603f545ccd7ee1196b8685fc61a747a393476eca77e407d5f1aff9544212ebd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\update\boot.lnk
Filesize
2KB

MD5
89763ec4e9f2ca2bf45a4fbed11e61f9

SHA1
13ee6b29d2ce8b195ddbd8ea0c0980ecdfaeaa04

SHA256
1cdd7358f16617a638436147e779d08ab8be4d5c0349a7acaae1b5322be119c7

SHA512
479eaf47201e11a80f82b58b66c2d3e8acb02202db370961efb8b98202ed6536918db39d6935fee75935136730617034fb0a69bf57cacd4d0c3e32388893a958

Download Submit
C:\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Filesize
1.1MB

MD5
e00e791b11a45b14e9697634ec448b59

SHA1
d09ce3a226c5a75113768979f8b0d707886a9a7d

SHA256
087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd

SHA512
f125c379bcd896b7b9f37ac84ff30d5e33159aadd1c0f9ee5f467ef20fcb6c7fb3e4f409bac3cf9e23eee76ad3a902dfcf3d566dcfd1c7fb0bf844091a262257

Download Submit
C:\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Filesize
1.1MB

MD5
e00e791b11a45b14e9697634ec448b59

SHA1
d09ce3a226c5a75113768979f8b0d707886a9a7d

SHA256
087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd

SHA512
f125c379bcd896b7b9f37ac84ff30d5e33159aadd1c0f9ee5f467ef20fcb6c7fb3e4f409bac3cf9e23eee76ad3a902dfcf3d566dcfd1c7fb0bf844091a262257

Download Submit
C:\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Filesize
1.1MB

MD5
e00e791b11a45b14e9697634ec448b59

SHA1
d09ce3a226c5a75113768979f8b0d707886a9a7d

SHA256
087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd

SHA512
f125c379bcd896b7b9f37ac84ff30d5e33159aadd1c0f9ee5f467ef20fcb6c7fb3e4f409bac3cf9e23eee76ad3a902dfcf3d566dcfd1c7fb0bf844091a262257

Download Submit
C:\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Filesize
1.1MB

MD5
e00e791b11a45b14e9697634ec448b59

SHA1
d09ce3a226c5a75113768979f8b0d707886a9a7d

SHA256
087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd

SHA512
f125c379bcd896b7b9f37ac84ff30d5e33159aadd1c0f9ee5f467ef20fcb6c7fb3e4f409bac3cf9e23eee76ad3a902dfcf3d566dcfd1c7fb0bf844091a262257

Download Submit
C:\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Filesize
1.1MB

MD5
e00e791b11a45b14e9697634ec448b59

SHA1
d09ce3a226c5a75113768979f8b0d707886a9a7d

SHA256
087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd

SHA512
f125c379bcd896b7b9f37ac84ff30d5e33159aadd1c0f9ee5f467ef20fcb6c7fb3e4f409bac3cf9e23eee76ad3a902dfcf3d566dcfd1c7fb0bf844091a262257

Download Submit
C:\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Filesize
1.1MB

MD5
e00e791b11a45b14e9697634ec448b59

SHA1
d09ce3a226c5a75113768979f8b0d707886a9a7d

SHA256
087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd

SHA512
f125c379bcd896b7b9f37ac84ff30d5e33159aadd1c0f9ee5f467ef20fcb6c7fb3e4f409bac3cf9e23eee76ad3a902dfcf3d566dcfd1c7fb0bf844091a262257

Download Submit
C:\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Filesize
1.1MB

MD5
e00e791b11a45b14e9697634ec448b59

SHA1
d09ce3a226c5a75113768979f8b0d707886a9a7d

SHA256
087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd

SHA512
f125c379bcd896b7b9f37ac84ff30d5e33159aadd1c0f9ee5f467ef20fcb6c7fb3e4f409bac3cf9e23eee76ad3a902dfcf3d566dcfd1c7fb0bf844091a262257

Download Submit
C:\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Filesize
1.1MB

MD5
e00e791b11a45b14e9697634ec448b59

SHA1
d09ce3a226c5a75113768979f8b0d707886a9a7d

SHA256
087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd

SHA512
f125c379bcd896b7b9f37ac84ff30d5e33159aadd1c0f9ee5f467ef20fcb6c7fb3e4f409bac3cf9e23eee76ad3a902dfcf3d566dcfd1c7fb0bf844091a262257

Download Submit
C:\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Filesize
1.1MB

MD5
e00e791b11a45b14e9697634ec448b59

SHA1
d09ce3a226c5a75113768979f8b0d707886a9a7d

SHA256
087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd

SHA512
f125c379bcd896b7b9f37ac84ff30d5e33159aadd1c0f9ee5f467ef20fcb6c7fb3e4f409bac3cf9e23eee76ad3a902dfcf3d566dcfd1c7fb0bf844091a262257

Download Submit
C:\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Filesize
1.1MB

MD5
e00e791b11a45b14e9697634ec448b59

SHA1
d09ce3a226c5a75113768979f8b0d707886a9a7d

SHA256
087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd

SHA512
f125c379bcd896b7b9f37ac84ff30d5e33159aadd1c0f9ee5f467ef20fcb6c7fb3e4f409bac3cf9e23eee76ad3a902dfcf3d566dcfd1c7fb0bf844091a262257

Download Submit
C:\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Filesize
1.1MB

MD5
e00e791b11a45b14e9697634ec448b59

SHA1
d09ce3a226c5a75113768979f8b0d707886a9a7d

SHA256
087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd

SHA512
f125c379bcd896b7b9f37ac84ff30d5e33159aadd1c0f9ee5f467ef20fcb6c7fb3e4f409bac3cf9e23eee76ad3a902dfcf3d566dcfd1c7fb0bf844091a262257

Download Submit
C:\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Filesize
1.1MB

MD5
e00e791b11a45b14e9697634ec448b59

SHA1
d09ce3a226c5a75113768979f8b0d707886a9a7d

SHA256
087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd

SHA512
f125c379bcd896b7b9f37ac84ff30d5e33159aadd1c0f9ee5f467ef20fcb6c7fb3e4f409bac3cf9e23eee76ad3a902dfcf3d566dcfd1c7fb0bf844091a262257

Download Submit
C:\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Filesize
1.1MB

MD5
e00e791b11a45b14e9697634ec448b59

SHA1
d09ce3a226c5a75113768979f8b0d707886a9a7d

SHA256
087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd

SHA512
f125c379bcd896b7b9f37ac84ff30d5e33159aadd1c0f9ee5f467ef20fcb6c7fb3e4f409bac3cf9e23eee76ad3a902dfcf3d566dcfd1c7fb0bf844091a262257

Download Submit
C:\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Filesize
1.1MB

MD5
e00e791b11a45b14e9697634ec448b59

SHA1
d09ce3a226c5a75113768979f8b0d707886a9a7d

SHA256
087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd

SHA512
f125c379bcd896b7b9f37ac84ff30d5e33159aadd1c0f9ee5f467ef20fcb6c7fb3e4f409bac3cf9e23eee76ad3a902dfcf3d566dcfd1c7fb0bf844091a262257

Download Submit
C:\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Filesize
1.1MB

MD5
e00e791b11a45b14e9697634ec448b59

SHA1
d09ce3a226c5a75113768979f8b0d707886a9a7d

SHA256
087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd

SHA512
f125c379bcd896b7b9f37ac84ff30d5e33159aadd1c0f9ee5f467ef20fcb6c7fb3e4f409bac3cf9e23eee76ad3a902dfcf3d566dcfd1c7fb0bf844091a262257

Download Submit
C:\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Filesize
1.1MB

MD5
e00e791b11a45b14e9697634ec448b59

SHA1
d09ce3a226c5a75113768979f8b0d707886a9a7d

SHA256
087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd

SHA512
f125c379bcd896b7b9f37ac84ff30d5e33159aadd1c0f9ee5f467ef20fcb6c7fb3e4f409bac3cf9e23eee76ad3a902dfcf3d566dcfd1c7fb0bf844091a262257

Download Submit
C:\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Filesize
1.1MB

MD5
e00e791b11a45b14e9697634ec448b59

SHA1
d09ce3a226c5a75113768979f8b0d707886a9a7d

SHA256
087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd

SHA512
f125c379bcd896b7b9f37ac84ff30d5e33159aadd1c0f9ee5f467ef20fcb6c7fb3e4f409bac3cf9e23eee76ad3a902dfcf3d566dcfd1c7fb0bf844091a262257

Download Submit
C:\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Filesize
1.1MB

MD5
e00e791b11a45b14e9697634ec448b59

SHA1
d09ce3a226c5a75113768979f8b0d707886a9a7d

SHA256
087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd

SHA512
f125c379bcd896b7b9f37ac84ff30d5e33159aadd1c0f9ee5f467ef20fcb6c7fb3e4f409bac3cf9e23eee76ad3a902dfcf3d566dcfd1c7fb0bf844091a262257

Download Submit
memory/376-230-0x0000000000000000-mapping.dmp

Download
memory/456-215-0x00000000035D0000-0x00000000035E7000-memory.dmp

Filesize
92KB

Download
memory/456-212-0x00000000035D0000-0x00000000035E7000-memory.dmp

Filesize
92KB

Download
memory/456-213-0x00000000035D0000-0x00000000035E7000-memory.dmp

Filesize
92KB

Download
memory/456-132-0x0000000000000000-mapping.dmp

Download
memory/512-324-0x0000000072EA0000-0x0000000073451000-memory.dmp

Filesize
5.7MB

Download
memory/512-407-0x0000000072EA0000-0x0000000073451000-memory.dmp

Filesize
5.7MB

Download
memory/512-302-0x0000000006D50000-0x0000000006D67000-memory.dmp

Filesize
92KB

Download
memory/512-304-0x0000000006D50000-0x0000000006D67000-memory.dmp

Filesize
92KB

Download
memory/512-301-0x0000000006D50000-0x0000000006D67000-memory.dmp

Filesize
92KB

Download
memory/512-300-0x0000000072EA0000-0x0000000073451000-memory.dmp

Filesize
5.7MB

Download
memory/512-296-0x0000000000000000-mapping.dmp

Download
memory/788-336-0x0000000072EA0000-0x0000000073451000-memory.dmp

Filesize
5.7MB

Download
memory/788-335-0x0000000000000000-mapping.dmp

Download
memory/892-315-0x0000000004EE0000-0x0000000004EF7000-memory.dmp

Filesize
92KB

Download
memory/892-410-0x0000000072EA0000-0x0000000073451000-memory.dmp

Filesize
5.7MB

Download
memory/892-312-0x0000000000000000-mapping.dmp

Download
memory/892-343-0x0000000072EA0000-0x0000000073451000-memory.dmp

Filesize
5.7MB

Download
memory/892-316-0x0000000004EE0000-0x0000000004EF7000-memory.dmp

Filesize
92KB

Download
memory/892-317-0x0000000072EA0000-0x0000000073451000-memory.dmp

Filesize
5.7MB

Download
memory/892-314-0x0000000004EE0000-0x0000000004EF7000-memory.dmp

Filesize
92KB

Download
memory/940-143-0x0000000000000000-mapping.dmp

Download
memory/1100-389-0x0000000072EA0000-0x0000000073451000-memory.dmp

Filesize
5.7MB

Download
memory/1100-408-0x0000000072EA0000-0x0000000073451000-memory.dmp

Filesize
5.7MB

Download
memory/1100-364-0x0000000000000000-mapping.dmp

Download
memory/1100-367-0x0000000072EA0000-0x0000000073451000-memory.dmp

Filesize
5.7MB

Download
memory/1124-263-0x0000000072EA0000-0x0000000073451000-memory.dmp

Filesize
5.7MB

Download
memory/1124-242-0x00000000066F0000-0x0000000006707000-memory.dmp

Filesize
92KB

Download
memory/1124-243-0x00000000066F0000-0x0000000006707000-memory.dmp

Filesize
92KB

Download
memory/1124-255-0x0000000072EA0000-0x0000000073451000-memory.dmp

Filesize
5.7MB

Download
memory/1124-246-0x00000000066F0000-0x0000000006707000-memory.dmp

Filesize
92KB

Download
memory/1124-226-0x0000000000000000-mapping.dmp

Download
memory/1124-229-0x0000000072EA0000-0x0000000073451000-memory.dmp

Filesize
5.7MB

Download
memory/1232-271-0x0000000000000000-mapping.dmp

Download
memory/1404-292-0x0000000072EA0000-0x0000000073451000-memory.dmp

Filesize
5.7MB

Download
memory/1404-290-0x0000000000000000-mapping.dmp

Download
memory/1508-256-0x0000000000000000-mapping.dmp

Download
memory/1580-264-0x0000000000330000-0x0000000000347000-memory.dmp

Filesize
92KB

Download
memory/1580-266-0x0000000000330000-0x0000000000347000-memory.dmp

Filesize
92KB

Download
memory/1580-265-0x0000000000330000-0x0000000000347000-memory.dmp

Filesize
92KB

Download
memory/1588-366-0x0000000072EA0000-0x0000000073451000-memory.dmp

Filesize
5.7MB

Download
memory/1588-342-0x0000000072EA0000-0x0000000073451000-memory.dmp

Filesize
5.7MB

Download
memory/1588-337-0x0000000000000000-mapping.dmp

Download
memory/1588-340-0x0000000000520000-0x0000000000537000-memory.dmp

Filesize
92KB

Download
memory/1588-339-0x0000000000520000-0x0000000000537000-memory.dmp

Filesize
92KB

Download
memory/1588-341-0x0000000000520000-0x0000000000537000-memory.dmp

Filesize
92KB

Download
memory/1588-370-0x0000000072EA0000-0x0000000073451000-memory.dmp

Filesize
5.7MB

Download
memory/1636-414-0x0000000000000000-mapping.dmp

Download
memory/1636-446-0x0000000072EA0000-0x0000000073451000-memory.dmp

Filesize
5.7MB

Download
memory/1636-420-0x0000000072EA0000-0x0000000073451000-memory.dmp

Filesize
5.7MB

Download
memory/1772-397-0x0000000072EA0000-0x0000000073451000-memory.dmp

Filesize
5.7MB

Download
memory/1772-391-0x0000000000000000-mapping.dmp

Download
memory/1772-423-0x0000000072EA0000-0x0000000073451000-memory.dmp

Filesize
5.7MB

Download
memory/1956-240-0x0000000004FB0000-0x0000000004FC7000-memory.dmp

Filesize
92KB

Download
memory/1956-233-0x0000000000000000-mapping.dmp

Download
memory/1956-235-0x0000000072EA0000-0x0000000073451000-memory.dmp

Filesize
5.7MB

Download
memory/1956-388-0x0000000072EA0000-0x0000000073451000-memory.dmp

Filesize
5.7MB

Download
memory/1956-258-0x0000000072EA0000-0x0000000073451000-memory.dmp

Filesize
5.7MB

Download
memory/2056-435-0x0000000072EA0000-0x0000000073451000-memory.dmp

Filesize
5.7MB

Download
memory/2064-223-0x0000000000000000-mapping.dmp

Download
memory/2128-216-0x0000000072EA0000-0x0000000073451000-memory.dmp

Filesize
5.7MB

Download
memory/2128-211-0x0000000000000000-mapping.dmp

Download
memory/2224-158-0x0000000072EA0000-0x0000000073451000-memory.dmp

Filesize
5.7MB

Download
memory/2224-138-0x0000000000000000-mapping.dmp

Download
memory/2224-198-0x0000000072EA0000-0x0000000073451000-memory.dmp

Filesize
5.7MB

Download
memory/2224-139-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2224-142-0x0000000072EA0000-0x0000000073451000-memory.dmp

Filesize
5.7MB

Download
memory/2240-202-0x0000000000000000-mapping.dmp

Download
memory/2316-207-0x0000000000000000-mapping.dmp

Download
memory/2320-393-0x0000000000000000-mapping.dmp

Download
memory/2464-372-0x0000000072EA0000-0x0000000073451000-memory.dmp

Filesize
5.7MB

Download
memory/2464-354-0x0000000000000000-mapping.dmp

Download
memory/2464-356-0x0000000072EA0000-0x0000000073451000-memory.dmp

Filesize
5.7MB

Download
memory/2640-323-0x00000000042E0000-0x00000000042F7000-memory.dmp

Filesize
92KB

Download
memory/2640-320-0x0000000000000000-mapping.dmp

Download
memory/2640-322-0x00000000042E0000-0x00000000042F7000-memory.dmp

Filesize
92KB

Download
memory/2640-321-0x00000000042E0000-0x00000000042F7000-memory.dmp

Filesize
92KB

Download
memory/2664-259-0x0000000000000000-mapping.dmp

Download
memory/2888-280-0x0000000000000000-mapping.dmp

Download
memory/2888-282-0x00000000015A0000-0x00000000015B7000-memory.dmp

Filesize
92KB

Download
memory/2888-284-0x00000000015A0000-0x00000000015B7000-memory.dmp

Filesize
92KB

Download
memory/2888-285-0x00000000015A0000-0x00000000015B7000-memory.dmp

Filesize
92KB

Download
memory/2932-382-0x0000000000000000-mapping.dmp

Download
memory/3068-319-0x0000000072EA0000-0x0000000073451000-memory.dmp

Filesize
5.7MB

Download
memory/3068-318-0x0000000000000000-mapping.dmp

Download
memory/3100-204-0x0000000000000000-mapping.dmp

Download
memory/3100-206-0x0000000072EA0000-0x0000000073451000-memory.dmp

Filesize
5.7MB

Download
memory/3104-196-0x0000000000000000-mapping.dmp

Download
memory/3392-421-0x0000000072EA0000-0x0000000073451000-memory.dmp

Filesize
5.7MB

Download
memory/3392-419-0x0000000000000000-mapping.dmp

Download
memory/3440-156-0x0000000000000000-mapping.dmp

Download
memory/3452-193-0x0000000000000000-mapping.dmp

Download
memory/3460-252-0x00000000042B0000-0x00000000042C7000-memory.dmp

Filesize
92KB

Download
memory/3460-253-0x00000000042B0000-0x00000000042C7000-memory.dmp

Filesize
92KB

Download
memory/3460-236-0x0000000000000000-mapping.dmp

Download
memory/3460-251-0x00000000042B0000-0x00000000042C7000-memory.dmp

Filesize
92KB

Download
memory/3468-181-0x0000000072EA0000-0x0000000073451000-memory.dmp

Filesize
5.7MB

Download
memory/3468-176-0x0000000000000000-mapping.dmp

Download
memory/3468-180-0x0000000072EA0000-0x0000000073451000-memory.dmp

Filesize
5.7MB

Download
memory/3660-191-0x0000000000000000-mapping.dmp

Download
memory/3660-249-0x0000000006FA0000-0x0000000006FB7000-memory.dmp

Filesize
92KB

Download
memory/3660-248-0x0000000006FA0000-0x0000000006FB7000-memory.dmp

Filesize
92KB

Download
memory/3660-250-0x0000000006FA0000-0x0000000006FB7000-memory.dmp

Filesize
92KB

Download
memory/3660-195-0x0000000072EA0000-0x0000000073451000-memory.dmp

Filesize
5.7MB

Download
memory/3660-272-0x0000000072EA0000-0x0000000073451000-memory.dmp

Filesize
5.7MB

Download
memory/3660-219-0x0000000072EA0000-0x0000000073451000-memory.dmp

Filesize
5.7MB

Download
memory/3676-444-0x0000000072EA0000-0x0000000073451000-memory.dmp

Filesize
5.7MB

Download
memory/3692-409-0x0000000000000000-mapping.dmp

Download
memory/3720-167-0x0000000000000000-mapping.dmp

Download
memory/3760-165-0x0000000072EA0000-0x0000000073451000-memory.dmp

Filesize
5.7MB

Download
memory/3760-148-0x0000000072EA0000-0x0000000073451000-memory.dmp

Filesize
5.7MB

Download
memory/3760-146-0x0000000000000000-mapping.dmp

Download
memory/3796-201-0x0000000072EA0000-0x0000000073451000-memory.dmp

Filesize
5.7MB

Download
memory/3796-186-0x0000000072EA0000-0x0000000073451000-memory.dmp

Filesize
5.7MB

Download
memory/3796-184-0x0000000000000000-mapping.dmp

Download
memory/3796-245-0x0000000006C80000-0x0000000006C97000-memory.dmp

Filesize
92KB

Download
memory/3796-268-0x0000000072EA0000-0x0000000073451000-memory.dmp

Filesize
5.7MB

Download
memory/3796-247-0x0000000006C80000-0x0000000006C97000-memory.dmp

Filesize
92KB

Download
memory/3796-244-0x0000000006C80000-0x0000000006C97000-memory.dmp

Filesize
92KB

Download
memory/3824-140-0x0000000000000000-mapping.dmp

Download
memory/3884-371-0x0000000072EA0000-0x0000000073451000-memory.dmp

Filesize
5.7MB

Download
memory/3884-353-0x0000000072EA0000-0x0000000073451000-memory.dmp

Filesize
5.7MB

Download
memory/3884-348-0x0000000000000000-mapping.dmp

Download
memory/3904-149-0x0000000000000000-mapping.dmp

Download
memory/3940-309-0x0000000003020000-0x0000000003037000-memory.dmp

Filesize
92KB

Download
memory/3940-308-0x0000000000000000-mapping.dmp

Download
memory/3940-310-0x0000000003020000-0x0000000003037000-memory.dmp

Filesize
92KB

Download
memory/3940-311-0x0000000003020000-0x0000000003037000-memory.dmp

Filesize
92KB

Download
memory/3992-305-0x0000000000000000-mapping.dmp

Download
memory/4008-368-0x0000000000000000-mapping.dmp

Download
memory/4196-344-0x0000000000000000-mapping.dmp

Download
memory/4228-172-0x0000000000000000-mapping.dmp

Download
memory/4276-241-0x0000000072EA0000-0x0000000073451000-memory.dmp

Filesize
5.7MB

Download
memory/4276-162-0x0000000000000000-mapping.dmp

Download
memory/4276-166-0x0000000072EA0000-0x0000000073451000-memory.dmp

Filesize
5.7MB

Download
memory/4276-174-0x0000000072EA0000-0x0000000073451000-memory.dmp

Filesize
5.7MB

Download
memory/4276-222-0x0000000006850000-0x0000000006867000-memory.dmp

Filesize
92KB

Download
memory/4276-220-0x0000000006850000-0x0000000006867000-memory.dmp

Filesize
92KB

Download
memory/4276-221-0x0000000006850000-0x0000000006867000-memory.dmp

Filesize
92KB

Download
memory/4516-159-0x0000000000000000-mapping.dmp

Download
memory/4536-170-0x0000000000000000-mapping.dmp

Download
memory/4544-332-0x00000000042C0000-0x00000000042D7000-memory.dmp

Filesize
92KB

Download
memory/4544-331-0x0000000000000000-mapping.dmp

Download
memory/4544-333-0x00000000042C0000-0x00000000042D7000-memory.dmp

Filesize
92KB

Download
memory/4544-334-0x00000000042C0000-0x00000000042D7000-memory.dmp

Filesize
92KB

Download
memory/4552-330-0x0000000006420000-0x0000000006437000-memory.dmp

Filesize
92KB

Download
memory/4552-328-0x0000000006420000-0x0000000006437000-memory.dmp

Filesize
92KB

Download
memory/4552-325-0x0000000000000000-mapping.dmp

Download
memory/4552-436-0x0000000072EA0000-0x0000000073451000-memory.dmp

Filesize
5.7MB

Download
memory/4552-355-0x0000000072EA0000-0x0000000073451000-memory.dmp

Filesize
5.7MB

Download
memory/4552-329-0x0000000072EA0000-0x0000000073451000-memory.dmp

Filesize
5.7MB

Download
memory/4552-327-0x0000000006420000-0x0000000006437000-memory.dmp

Filesize
92KB

Download
memory/4576-182-0x0000000000000000-mapping.dmp

Download
memory/4576-447-0x0000000072EA0000-0x0000000073451000-memory.dmp

Filesize
5.7MB

Download
memory/4608-406-0x0000000072EA0000-0x0000000073451000-memory.dmp

Filesize
5.7MB

Download
memory/4608-427-0x0000000072EA0000-0x0000000073451000-memory.dmp

Filesize
5.7MB

Download
memory/4608-401-0x0000000000000000-mapping.dmp

Download
memory/4648-217-0x0000000000000000-mapping.dmp

Download
memory/4796-298-0x0000000000000000-mapping.dmp

Download
memory/4796-303-0x0000000072EA0000-0x0000000073451000-memory.dmp

Filesize
5.7MB

Download
memory/4856-287-0x0000000000000000-mapping.dmp

Download
memory/4856-155-0x0000000072EA0000-0x0000000073451000-memory.dmp

Filesize
5.7MB

Download
memory/4856-151-0x0000000000000000-mapping.dmp

Download
memory/4920-307-0x0000000072EA0000-0x0000000073451000-memory.dmp

Filesize
5.7MB

Download
memory/4920-278-0x0000000006710000-0x0000000006727000-memory.dmp

Filesize
92KB

Download
memory/4920-274-0x0000000000000000-mapping.dmp

Download
memory/4920-276-0x0000000006710000-0x0000000006727000-memory.dmp

Filesize
92KB

Download
memory/4920-279-0x0000000072EA0000-0x0000000073451000-memory.dmp

Filesize
5.7MB

Download
memory/4920-277-0x0000000006710000-0x0000000006727000-memory.dmp

Filesize
92KB

Download
memory/4920-376-0x0000000072EA0000-0x0000000073451000-memory.dmp

Filesize
5.7MB

Download
memory/4924-135-0x0000000000000000-mapping.dmp

Download
memory/4972-187-0x0000000000000000-mapping.dmp

Download
memory/4980-377-0x0000000000000000-mapping.dmp

Download
memory/4980-422-0x0000000072EA0000-0x0000000073451000-memory.dmp

Filesize
5.7MB

Download
memory/4980-390-0x0000000072EA0000-0x0000000073451000-memory.dmp

Filesize
5.7MB

Download
memory/5060-360-0x0000000000000000-mapping.dmp

Download
memory/5108-261-0x0000000000000000-mapping.dmp

Download
memory/5112-437-0x0000000072EA0000-0x0000000073451000-memory.dmp

Filesize
5.7MB

Download