aurora | 2f7a15691c51124019ccf5cbde2f399e52164f645b70bf4aaab596391146bb7f

Resubmissions

09/01/2023, 12:46

230109-pzzzkaeb73 10

31/12/2022, 16:26

221231-txqekahh85 10

31/12/2022, 16:11

221231-tnc3wahh62 10

Analysis

max time kernel
300s
max time network
394s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
09/01/2023, 12:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2f7a15691c51124019ccf5cbde2f399e52164f645b70bf4aaab596391146bb7f.exe
Size

262KB
MD5

a58ba818715cbcd50fff388b246e04d1
SHA1

52ebdb14a8e3d61ffc6b3df3d76c4434733ea7de
SHA256

2f7a15691c51124019ccf5cbde2f399e52164f645b70bf4aaab596391146bb7f
SHA512

d6a98a816a0e5561128d674371f130cf43b68bc4c350866b20d1eac970e4c5aa4db53badec16dc27df3695e97d2bdb6e6fa8ae72981324671c060457c03339ee
SSDEEP

3072:MlLntn1Y9zL3g7foklrmRQXN7SCzyLgCmN6kb5vfOxOvlmqrzn8f227hZY:sneL3qocb7SufCJ4SOYcn8rZY

Score

10^/10

aurora dcrat djvu smokeloader vidar 19 backdoor collection discovery infostealer persistence ransomware rat spyware stealer trojan upx

Malware Config

Extracted

Family

djvu

http://spaceris.com/lancer/get.php

Attributes

extension
.zouu
offline_id
7hl6KB3alcoZ6n4DhS2rApCezkIMzShntAiXWMt1
payload_url
http://uaery.top/dl/build2.exe

http://spaceris.com/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-N3pXlaPXFm Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0631JOsie

rsa_pubkey.plain

Extracted

Family

aurora

82.115.223.77:8081

Extracted

Family

vidar

Version

1.8

Botnet

https://t.me/year2023start

https://steamcommunity.com/profiles/76561199467421923

Attributes

profile_id
19

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora

DcRat 5 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\1843ef78-7b18-4241-a3da-b93e861de0c2\\F4F8.exe\" --AutoStart"		F4F8.exe
		3900	schtasks.exe
		4984	schtasks.exe
		4228	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI		2f7a15691c51124019ccf5cbde2f399e52164f645b70bf4aaab596391146bb7f.exe

Detected Djvu ransomware 10 IoCs

resource	yara_rule
behavioral1/memory/748-167-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/748-172-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/3576-173-0x0000000004E40000-0x0000000004F5B000-memory.dmp	family_djvu
behavioral1/memory/748-169-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/748-174-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/748-181-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4176-190-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4176-192-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4176-197-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4176-229-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Detects Smokeloader packer 2 IoCs

resource	yara_rule
behavioral1/memory/4136-133-0x0000000000520000-0x0000000000529000-memory.dmp	family_smokeloader
behavioral1/memory/1572-163-0x00000000005A0000-0x00000000005A9000-memory.dmp	family_smokeloader

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Blocklisted process makes network request 64 IoCs

flow	pid	Process
128	2532	rundll32.exe
247	2532	rundll32.exe
268	2532	rundll32.exe
280	2532	rundll32.exe
282	2532	rundll32.exe
290	2532	rundll32.exe
291	2532	rundll32.exe
292	2532	rundll32.exe
295	2532	rundll32.exe
296	2532	rundll32.exe
297	2532	rundll32.exe
298	2532	rundll32.exe
299	2532	rundll32.exe
300	2532	rundll32.exe
301	2532	rundll32.exe
302	2532	rundll32.exe
303	2532	rundll32.exe
304	2532	rundll32.exe
306	2532	rundll32.exe
307	2532	rundll32.exe
309	2532	rundll32.exe
318	2532	rundll32.exe
319	2532	rundll32.exe
320	2532	rundll32.exe
322	2532	rundll32.exe
324	2532	rundll32.exe
351	2532	rundll32.exe
352	2532	rundll32.exe
353	2532	rundll32.exe
354	2532	rundll32.exe
355	2532	rundll32.exe
356	2532	rundll32.exe
358	2532	rundll32.exe
359	2532	rundll32.exe
365	2532	rundll32.exe
366	2532	rundll32.exe
368	2532	rundll32.exe
371	2532	rundll32.exe
372	2532	rundll32.exe
373	2532	rundll32.exe
374	2532	rundll32.exe
385	2532	rundll32.exe
387	2532	rundll32.exe
388	2532	rundll32.exe
389	2532	rundll32.exe
390	2532	rundll32.exe
392	2532	rundll32.exe
393	2532	rundll32.exe
394	2532	rundll32.exe
403	2532	rundll32.exe
404	2532	rundll32.exe
406	2532	rundll32.exe
407	2532	rundll32.exe
408	2532	rundll32.exe
409	2532	rundll32.exe
411	2532	rundll32.exe
412	2532	rundll32.exe
422	2532	rundll32.exe
423	2532	rundll32.exe
424	2532	rundll32.exe
425	2532	rundll32.exe
426	2532	rundll32.exe
427	2532	rundll32.exe
428	2532	rundll32.exe

Downloads MZ/PE file

Executes dropped EXE 18 IoCs

pid	Process
720	E738.exe
4780	E95C.exe
1572	EE4F.exe
3856	F17C.exe
3576	F4F8.exe
748	F4F8.exe
1284	F4F8.exe
4176	F4F8.exe
2768	4F2E.exe
3012	build2.exe
3704	build3.exe
368	venuzye.exe
2100	build2.exe
4604	mstsca.exe
4452	B4A0.exe
4332	urjgbsd
4196	ajjgbsd
1664	adwcleaner.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\CPDF_RHP.\Parameters\ServiceDll = "C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\CPDF_RHP..dll"	rundll32.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\CPDF_RHP.\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService"	rundll32.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1664-308-0x0000000000C60000-0x0000000002284000-memory.dmp	upx
behavioral1/memory/1664-309-0x0000000000C60000-0x0000000002284000-memory.dmp	upx

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	F4F8.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	F4F8.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	4F2E.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	build2.exe

Loads dropped DLL 5 IoCs

pid	Process
2100	build2.exe
2100	build2.exe
2532	rundll32.exe
4064	svchost.exe
2936	rundll32.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
4728	icacls.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	rundll32.exe

Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\1843ef78-7b18-4241-a3da-b93e861de0c2\\F4F8.exe\" --AutoStart"	F4F8.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
39	api.2ip.ua
40	api.2ip.ua
49	api.2ip.ua

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 3576 set thread context of 748	3576	F4F8.exe	93
PID 1284 set thread context of 4176	1284	F4F8.exe	101
PID 3012 set thread context of 2100	3012	build2.exe	120
PID 2532 set thread context of 3336	2532	rundll32.exe	131

Drops file in Program Files directory 40 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe.sig	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\QuickTime.mpp	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\JP2KLib.dll	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\FullTrustNotifier.exe	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-multibyte-l1-1-0.dll	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ast.txt	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Scan_R_RHP.aapp	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\cryptocme.sig	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\bl.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\InAppSign.aapp	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\nppdf32.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\bl.gif	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\turnOnNotificationInTray.gif	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\cloud_icon.png	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-core-synch-l1-2-0.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\cryptocme.sig	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Spelling.api	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ACE.dll	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\defaults\pref\autoconfig.js	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\br.gif	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\br.gif	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\InAppSign.aapp	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\blocklist.xml	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\AccessibleMarshal.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\cloud_icon.png	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\sendforcomments.svg	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\ACE.dll	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\s_agreement_filetype.svg	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Scan_R_RHP.aapp	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\JP2KLib.dll	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\turnOnNotificationInTray.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\cef_100_percent.pak	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\sendforcomments.svg	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\CPDF_RHP..dll	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\dependentlibs.list	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\s_agreement_filetype.svg	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Spelling.api	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 5 IoCs

pid	pid_target	Process	procid_target
3100	4896	WerFault.exe	33
1184	3856	WerFault.exe	88
3920	720	WerFault.exe	85
2680	4452	WerFault.exe	127
3788	4196	WerFault.exe	169

Checks SCSI registry key(s) 3 TTPs 12 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	EE4F.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	EE4F.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	urjgbsd
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2f7a15691c51124019ccf5cbde2f399e52164f645b70bf4aaab596391146bb7f.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2f7a15691c51124019ccf5cbde2f399e52164f645b70bf4aaab596391146bb7f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	EE4F.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	urjgbsd
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	urjgbsd
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2f7a15691c51124019ccf5cbde2f399e52164f645b70bf4aaab596391146bb7f.exe

Checks processor information in registry 2 TTPs 64 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	svchost.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	build2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	build2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe

Creates scheduled task(s) 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
3900	schtasks.exe
4984	schtasks.exe
4228	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
4548	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies Internet Explorer settings 1 TTPs 8 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\IESettingSync	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Toolbar	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	Process not Found

Modifies registry class 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0000000001000000ffffffff	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Rev = "0"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell\SniffedFolderType = "Downloads"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295"	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\1\NodeSlot = "5"	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WinPos1280x720x96(1).top = "91"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WinPos1280x720x96(1).bottom = "691"	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = ffffffff	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid = "{65F125E5-7BE1-4810-BA9D-D271C8432CE3}"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193"	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\1\MRUListEx = ffffffff	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\Rev = "0"	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\MRUListEx = 00000000ffffffff	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0\0\NodeSlot = "6"	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Rev = "0"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\GroupByDirection = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\FFlags = "1092616209"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\IconSize = "48"	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WinPos1280x720x96(1).bottom = "733"	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Rev = "0"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WinPos1280x720x96(1).top = "133"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{088e3905-0323-4b02-9826-5d99428e115f}\Instance\	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}"	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\MRUListEx = 00000000ffffffff	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 0100000000000000ffffffff	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WinPos1280x720x96(1).right = "1131"	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = ffffffff	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0 = 820074001c004346534616003100000000000c55ec98120041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f400009000400efbe0c55ec982956e26d2e0000009ae1010000000100000000000000000000000000000031e600014100700070004400610074006100000042000000	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0\0\MRUListEx = ffffffff	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193"	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	Process not Found

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6679FD74A452525D25373B6CEC3FE548C483D98B	rundll32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6679FD74A452525D25373B6CEC3FE548C483D98B\Blob = 0300000001000000140000006679fd74a452525d25373b6cec3fe548c483d98b2000000001000000b0020000308202ac30820215a00302010202084dedb27a2edd0614300d06092a864886f70d01010b050030733132303006035504030c294d6963726f736f667420526f6f742043656a746966696361746520417574686f726974792032303131311e301c060355040a0c154d6963726f736f667420436f72706f726174696f6e310b30090603550406130255533110300e06035504070c075265646d6f6e64301e170d3231303130393133353031385a170d3235303130383133353031385a30733132303006035504030c294d6963726f736f667420526f6f742043656a746966696361746520417574686f726974792032303131311e301c060355040a0c154d6963726f736f667420436f72706f726174696f6e310b30090603550406130255533110300e06035504070c075265646d6f6e6430819f300d06092a864886f70d010101050003818d0030818902818100b99cc034c19c2cc02c116a6046fb2f570b0b71fc24e204c913a3f1a1c1538c499c331af0efe67a8c56b99d0b137fe4444536788d953b7c72ddbf8bc67cd5ad935ac006e859071b90204d687131d7fc8ccfd65c562f1ca7c2700d45b63b6246c492d5648fb023517cfe436b348321d14f90e6ef2c17f9bb3bbd39c0db4f89e37b0203010001a3493047300f0603551d130101ff040530030101ff30340603551d11042d302b82294d6963726f736f667420526f6f742043656a746966696361746520417574686f726974792032303131300d06092a864886f70d01010b05000381810023c4a24d473b312c45e1be27cc2f840835a9475c861306ba420effd62740b568ca081f5dd05936ab8d680dba78d8062dbebd7621a824d245045f1483369bcdad6c0e8e4445e6023338d5d9ef0f631331d0c9d52ebb477ace2d95a6f1bfaa04608aabb518f0dcf7848a0f0c6ab8278bd6985f84fd6521fa0813a58ff5e9f9d9be	rundll32.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
1988	NOTEPAD.EXE

Suspicious behavior: AddClipboardFormatListener 4 IoCs

pid	Process
3060	Process not Found
3060	Process not Found
3060	Process not Found
1664	adwcleaner.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4136	2f7a15691c51124019ccf5cbde2f399e52164f645b70bf4aaab596391146bb7f.exe
4136	2f7a15691c51124019ccf5cbde2f399e52164f645b70bf4aaab596391146bb7f.exe
3060	Process not Found
3060	Process not Found
3060	Process not Found
3060	Process not Found
3060	Process not Found
3060	Process not Found
3060	Process not Found
3060	Process not Found
3060	Process not Found
3060	Process not Found
3060	Process not Found
3060	Process not Found
3060	Process not Found
3060	Process not Found
3060	Process not Found
3060	Process not Found
3060	Process not Found
3060	Process not Found
1760	taskmgr.exe
1760	taskmgr.exe
3060	Process not Found
3060	Process not Found
3060	Process not Found
3060	Process not Found
3060	Process not Found
3060	Process not Found
3060	Process not Found
3060	Process not Found
3060	Process not Found
3060	Process not Found
3060	Process not Found
3060	Process not Found
3060	Process not Found
3060	Process not Found
3060	Process not Found
3060	Process not Found
3060	Process not Found
3060	Process not Found
3060	Process not Found
3060	Process not Found
1760	taskmgr.exe
3060	Process not Found
3060	Process not Found
3060	Process not Found
3060	Process not Found
3060	Process not Found
3060	Process not Found
3060	Process not Found
3060	Process not Found
3060	Process not Found
3060	Process not Found
3060	Process not Found
3060	Process not Found
3060	Process not Found
3060	Process not Found
3060	Process not Found
3060	Process not Found
3060	Process not Found
3060	Process not Found
1760	taskmgr.exe
3060	Process not Found
3060	Process not Found

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

pid	Process
3060	Process not Found
1760	taskmgr.exe
1664	adwcleaner.exe

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
4136	2f7a15691c51124019ccf5cbde2f399e52164f645b70bf4aaab596391146bb7f.exe
1572	EE4F.exe
4332	urjgbsd

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 19 IoCs

pid	Process
3848	chrome.exe
3848	chrome.exe
3848	chrome.exe
3848	chrome.exe
3848	chrome.exe
3848	chrome.exe
3848	chrome.exe
3848	chrome.exe
3848	chrome.exe
3848	chrome.exe
3848	chrome.exe
3848	chrome.exe
3848	chrome.exe
3848	chrome.exe
3848	chrome.exe
3848	chrome.exe
3848	chrome.exe
3848	chrome.exe
3848	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3060	Process not Found
Token: SeCreatePagefilePrivilege	3060	Process not Found
Token: SeShutdownPrivilege	3060	Process not Found
Token: SeCreatePagefilePrivilege	3060	Process not Found
Token: SeDebugPrivilege	1760	taskmgr.exe
Token: SeSystemProfilePrivilege	1760	taskmgr.exe
Token: SeCreateGlobalPrivilege	1760	taskmgr.exe
Token: SeShutdownPrivilege	3060	Process not Found
Token: SeCreatePagefilePrivilege	3060	Process not Found
Token: SeDebugPrivilege	720	E738.exe
Token: SeDebugPrivilege	4780	E95C.exe
Token: SeShutdownPrivilege	3060	Process not Found
Token: SeCreatePagefilePrivilege	3060	Process not Found
Token: SeShutdownPrivilege	3060	Process not Found
Token: SeCreatePagefilePrivilege	3060	Process not Found
Token: SeShutdownPrivilege	3060	Process not Found
Token: SeCreatePagefilePrivilege	3060	Process not Found
Token: SeShutdownPrivilege	3060	Process not Found
Token: SeCreatePagefilePrivilege	3060	Process not Found
Token: SeShutdownPrivilege	3060	Process not Found
Token: SeCreatePagefilePrivilege	3060	Process not Found
Token: SeIncreaseQuotaPrivilege	4208	wmic.exe
Token: SeSecurityPrivilege	4208	wmic.exe
Token: SeTakeOwnershipPrivilege	4208	wmic.exe
Token: SeLoadDriverPrivilege	4208	wmic.exe
Token: SeSystemProfilePrivilege	4208	wmic.exe
Token: SeSystemtimePrivilege	4208	wmic.exe
Token: SeProfSingleProcessPrivilege	4208	wmic.exe
Token: SeIncBasePriorityPrivilege	4208	wmic.exe
Token: SeCreatePagefilePrivilege	4208	wmic.exe
Token: SeBackupPrivilege	4208	wmic.exe
Token: SeRestorePrivilege	4208	wmic.exe
Token: SeShutdownPrivilege	4208	wmic.exe
Token: SeDebugPrivilege	4208	wmic.exe
Token: SeSystemEnvironmentPrivilege	4208	wmic.exe
Token: SeRemoteShutdownPrivilege	4208	wmic.exe
Token: SeUndockPrivilege	4208	wmic.exe
Token: SeManageVolumePrivilege	4208	wmic.exe
Token: 33	4208	wmic.exe
Token: 34	4208	wmic.exe
Token: 35	4208	wmic.exe
Token: 36	4208	wmic.exe
Token: SeIncreaseQuotaPrivilege	4208	wmic.exe
Token: SeSecurityPrivilege	4208	wmic.exe
Token: SeTakeOwnershipPrivilege	4208	wmic.exe
Token: SeLoadDriverPrivilege	4208	wmic.exe
Token: SeSystemProfilePrivilege	4208	wmic.exe
Token: SeSystemtimePrivilege	4208	wmic.exe
Token: SeProfSingleProcessPrivilege	4208	wmic.exe
Token: SeIncBasePriorityPrivilege	4208	wmic.exe
Token: SeCreatePagefilePrivilege	4208	wmic.exe
Token: SeBackupPrivilege	4208	wmic.exe
Token: SeRestorePrivilege	4208	wmic.exe
Token: SeShutdownPrivilege	4208	wmic.exe
Token: SeDebugPrivilege	4208	wmic.exe
Token: SeSystemEnvironmentPrivilege	4208	wmic.exe
Token: SeRemoteShutdownPrivilege	4208	wmic.exe
Token: SeUndockPrivilege	4208	wmic.exe
Token: SeManageVolumePrivilege	4208	wmic.exe
Token: 33	4208	wmic.exe
Token: 34	4208	wmic.exe
Token: 35	4208	wmic.exe
Token: 36	4208	wmic.exe
Token: SeShutdownPrivilege	3060	Process not Found

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
3060	Process not Found
3060	Process not Found
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
3060	Process not Found
3060	Process not Found
3060	Process not Found
3060	Process not Found
3060	Process not Found
3060	Process not Found
3060	Process not Found
3060	Process not Found
3060	Process not Found
3060	Process not Found
3060	Process not Found
3060	Process not Found
3060	Process not Found
3060	Process not Found
3060	Process not Found
3060	Process not Found
3060	Process not Found
3060	Process not Found
3060	Process not Found
3060	Process not Found
3060	Process not Found
3060	Process not Found
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe
1760	taskmgr.exe

Suspicious use of SetWindowsHookEx 22 IoCs

pid	Process
3060	Process not Found
3060	Process not Found
3060	Process not Found
3060	Process not Found
3060	Process not Found
3060	Process not Found
3060	Process not Found
3060	Process not Found
3060	Process not Found
3060	Process not Found
3060	Process not Found
1664	adwcleaner.exe
1664	adwcleaner.exe
1664	adwcleaner.exe
1664	adwcleaner.exe
1664	adwcleaner.exe
1664	adwcleaner.exe
1664	adwcleaner.exe
1664	adwcleaner.exe
1664	adwcleaner.exe
1664	adwcleaner.exe
1664	adwcleaner.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3060 wrote to memory of 1760	3060	Process not Found	82
PID 3060 wrote to memory of 1760	3060	Process not Found	82
PID 3060 wrote to memory of 720	3060	Process not Found	85
PID 3060 wrote to memory of 720	3060	Process not Found	85
PID 3060 wrote to memory of 720	3060	Process not Found	85
PID 3060 wrote to memory of 4780	3060	Process not Found	86
PID 3060 wrote to memory of 4780	3060	Process not Found	86
PID 3060 wrote to memory of 4780	3060	Process not Found	86
PID 3060 wrote to memory of 1572	3060	Process not Found	87
PID 3060 wrote to memory of 1572	3060	Process not Found	87
PID 3060 wrote to memory of 1572	3060	Process not Found	87
PID 3060 wrote to memory of 3856	3060	Process not Found	88
PID 3060 wrote to memory of 3856	3060	Process not Found	88
PID 3060 wrote to memory of 3856	3060	Process not Found	88
PID 3060 wrote to memory of 3576	3060	Process not Found	89
PID 3060 wrote to memory of 3576	3060	Process not Found	89
PID 3060 wrote to memory of 3576	3060	Process not Found	89
PID 3576 wrote to memory of 748	3576	F4F8.exe	93
PID 3576 wrote to memory of 748	3576	F4F8.exe	93
PID 3576 wrote to memory of 748	3576	F4F8.exe	93
PID 3576 wrote to memory of 748	3576	F4F8.exe	93
PID 3576 wrote to memory of 748	3576	F4F8.exe	93
PID 3576 wrote to memory of 748	3576	F4F8.exe	93
PID 3576 wrote to memory of 748	3576	F4F8.exe	93
PID 3576 wrote to memory of 748	3576	F4F8.exe	93
PID 3576 wrote to memory of 748	3576	F4F8.exe	93
PID 3576 wrote to memory of 748	3576	F4F8.exe	93
PID 748 wrote to memory of 4728	748	F4F8.exe	96
PID 748 wrote to memory of 4728	748	F4F8.exe	96
PID 748 wrote to memory of 4728	748	F4F8.exe	96
PID 748 wrote to memory of 1284	748	F4F8.exe	98
PID 748 wrote to memory of 1284	748	F4F8.exe	98
PID 748 wrote to memory of 1284	748	F4F8.exe	98
PID 1284 wrote to memory of 4176	1284	F4F8.exe	101
PID 1284 wrote to memory of 4176	1284	F4F8.exe	101
PID 1284 wrote to memory of 4176	1284	F4F8.exe	101
PID 1284 wrote to memory of 4176	1284	F4F8.exe	101
PID 1284 wrote to memory of 4176	1284	F4F8.exe	101
PID 1284 wrote to memory of 4176	1284	F4F8.exe	101
PID 1284 wrote to memory of 4176	1284	F4F8.exe	101
PID 1284 wrote to memory of 4176	1284	F4F8.exe	101
PID 1284 wrote to memory of 4176	1284	F4F8.exe	101
PID 1284 wrote to memory of 4176	1284	F4F8.exe	101
PID 3060 wrote to memory of 2768	3060	Process not Found	106
PID 3060 wrote to memory of 2768	3060	Process not Found	106
PID 4176 wrote to memory of 3012	4176	F4F8.exe	107
PID 4176 wrote to memory of 3012	4176	F4F8.exe	107
PID 4176 wrote to memory of 3012	4176	F4F8.exe	107
PID 4176 wrote to memory of 3704	4176	F4F8.exe	108
PID 4176 wrote to memory of 3704	4176	F4F8.exe	108
PID 4176 wrote to memory of 3704	4176	F4F8.exe	108
PID 2768 wrote to memory of 368	2768	4F2E.exe	109
PID 2768 wrote to memory of 368	2768	4F2E.exe	109
PID 3704 wrote to memory of 3900	3704	build3.exe	111
PID 3704 wrote to memory of 3900	3704	build3.exe	111
PID 3704 wrote to memory of 3900	3704	build3.exe	111
PID 368 wrote to memory of 4208	368	venuzye.exe	112
PID 368 wrote to memory of 4208	368	venuzye.exe	112
PID 368 wrote to memory of 792	368	venuzye.exe	114
PID 368 wrote to memory of 792	368	venuzye.exe	114
PID 792 wrote to memory of 2188	792	cmd.exe	116
PID 792 wrote to memory of 2188	792	cmd.exe	116
PID 368 wrote to memory of 3252	368	venuzye.exe	117
PID 368 wrote to memory of 3252	368	venuzye.exe	117

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\2f7a15691c51124019ccf5cbde2f399e52164f645b70bf4aaab596391146bb7f.exe
"C:\Users\Admin\AppData\Local\Temp\2f7a15691c51124019ccf5cbde2f399e52164f645b70bf4aaab596391146bb7f.exe"
1⤵
- DcRat
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4136

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1760

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 476 -p 4896 -ip 4896
1⤵
PID:4400

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4896 -s 2472
1⤵
- Program crash
PID:3100

C:\Users\Admin\AppData\Local\Temp\E738.exe
C:\Users\Admin\AppData\Local\Temp\E738.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:720
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 720 -s 1252
  2⤵
  - Program crash
  PID:3920

C:\Users\Admin\AppData\Local\Temp\E95C.exe
C:\Users\Admin\AppData\Local\Temp\E95C.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4780

C:\Users\Admin\AppData\Local\Temp\EE4F.exe
C:\Users\Admin\AppData\Local\Temp\EE4F.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:1572

C:\Users\Admin\AppData\Local\Temp\F17C.exe
C:\Users\Admin\AppData\Local\Temp\F17C.exe
1⤵
- Executes dropped EXE
PID:3856
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3856 -s 340
  2⤵
  - Program crash
  PID:1184

C:\Users\Admin\AppData\Local\Temp\F4F8.exe
C:\Users\Admin\AppData\Local\Temp\F4F8.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3576
- C:\Users\Admin\AppData\Local\Temp\F4F8.exe
  C:\Users\Admin\AppData\Local\Temp\F4F8.exe
  2⤵
  - DcRat
  - Executes dropped EXE
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:748
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Users\Admin\AppData\Local\1843ef78-7b18-4241-a3da-b93e861de0c2" /deny *S-1-1-0:(OI)(CI)(DE,DC)
    3⤵
    - Modifies file permissions
    PID:4728
- - C:\Users\Admin\AppData\Local\Temp\F4F8.exe
    "C:\Users\Admin\AppData\Local\Temp\F4F8.exe" --Admin IsNotAutoStart IsNotTask
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1284
  - - C:\Users\Admin\AppData\Local\Temp\F4F8.exe
      "C:\Users\Admin\AppData\Local\Temp\F4F8.exe" --Admin IsNotAutoStart IsNotTask
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Suspicious use of WriteProcessMemory
      PID:4176
    - - C:\Users\Admin\AppData\Local\9d87f84d-b658-43a1-9daf-8de6b126c79b\build2.exe
        
        "C:\Users\Admin\AppData\Local\9d87f84d-b658-43a1-9daf-8de6b126c79b\build2.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3012
      - C:\Users\Admin\AppData\Local\9d87f84d-b658-43a1-9daf-8de6b126c79b\build2.exe
        
        "C:\Users\Admin\AppData\Local\9d87f84d-b658-43a1-9daf-8de6b126c79b\build2.exe"
        6⤵
        Executes dropped EXE
        Checks computer location settings
        Loads dropped DLL
        Checks processor information in registry
        
        PID:2100
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\9d87f84d-b658-43a1-9daf-8de6b126c79b\build2.exe" & exit
        7⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6
        8⤵
        Delays execution with timeout.exe
        
        PID:4548
    - - C:\Users\Admin\AppData\Local\9d87f84d-b658-43a1-9daf-8de6b126c79b\build3.exe
        
        "C:\Users\Admin\AppData\Local\9d87f84d-b658-43a1-9daf-8de6b126c79b\build3.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3704
      - C:\Windows\SysWOW64\schtasks.exe
        
        /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
        6⤵
        DcRat
        Creates scheduled task(s)
        
        PID:3900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3856 -ip 3856
1⤵
PID:3720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 720 -ip 720
1⤵
PID:3904

C:\Users\Admin\AppData\Local\Temp\4F2E.exe
C:\Users\Admin\AppData\Local\Temp\4F2E.exe
1⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2768
- C:\Users\Admin\AppData\Roaming\venuzye.exe
  "C:\Users\Admin\AppData\Roaming\venuzye.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:368
- - C:\Windows\System32\Wbem\wmic.exe
    wmic os get Caption
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4208
- - C:\Windows\system32\cmd.exe
    cmd /C "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:792
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      PID:2188
- - C:\Windows\system32\cmd.exe
    cmd /C "wmic cpu get name"
    3⤵
    PID:3252
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic cpu get name
      4⤵
      PID:3596

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
1⤵
- Executes dropped EXE
PID:4604
- C:\Windows\SysWOW64\schtasks.exe
  /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
  2⤵
  - DcRat
  - Creates scheduled task(s)
  PID:4984

C:\Users\Admin\AppData\Local\Temp\B4A0.exe
C:\Users\Admin\AppData\Local\Temp\B4A0.exe
1⤵
- Executes dropped EXE
PID:4452
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Wtfoiq.tmp",Iyidwoiowsw
  2⤵
  - Blocklisted process makes network request
  - Sets DLL path for service in the registry
  - Sets service image path in registry
  - Loads dropped DLL
  - Accesses Microsoft Outlook accounts
  - Accesses Microsoft Outlook profiles
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Checks processor information in registry
  - Modifies system certificate store
  - outlook_office_path
  - outlook_win_path
  PID:2532
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 15570
    3⤵
    PID:3336
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
    3⤵
    PID:3324
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
    3⤵
    PID:1860
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4452 -s 320
  2⤵
  - Program crash
  PID:2680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4452 -ip 4452
1⤵
PID:5064

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
PID:3848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x120,0x124,0xd4,0x128,0x7ffa6e634f50,0x7ffa6e634f60,0x7ffa6e634f70
  2⤵
  PID:3948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1668,4827902206882255530,1713183846994685492,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1704 /prefetch:2
  2⤵
  PID:4808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1668,4827902206882255530,1713183846994685492,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2060 /prefetch:8
  2⤵
  PID:5036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1668,4827902206882255530,1713183846994685492,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2332 /prefetch:8
  2⤵
  PID:3820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1668,4827902206882255530,1713183846994685492,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3000 /prefetch:1
  2⤵
  PID:4612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1668,4827902206882255530,1713183846994685492,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3188 /prefetch:1
  2⤵
  PID:2256
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1668,4827902206882255530,1713183846994685492,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3684 /prefetch:1
  2⤵
  PID:976
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1668,4827902206882255530,1713183846994685492,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4500 /prefetch:8
  2⤵
  PID:1020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1668,4827902206882255530,1713183846994685492,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4564 /prefetch:8
  2⤵
  PID:4204
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1668,4827902206882255530,1713183846994685492,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4816 /prefetch:8
  2⤵
  PID:528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1668,4827902206882255530,1713183846994685492,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4632 /prefetch:8
  2⤵
  PID:3200
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1668,4827902206882255530,1713183846994685492,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5024 /prefetch:8
  2⤵
  PID:3284
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1668,4827902206882255530,1713183846994685492,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5016 /prefetch:8
  2⤵
  PID:2096
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1668,4827902206882255530,1713183846994685492,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5212 /prefetch:8
  2⤵
  PID:2880
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1668,4827902206882255530,1713183846994685492,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5116 /prefetch:8
  2⤵
  PID:4536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1668,4827902206882255530,1713183846994685492,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5276 /prefetch:1
  2⤵
  PID:5028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1668,4827902206882255530,1713183846994685492,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4984 /prefetch:1
  2⤵
  PID:4136
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1668,4827902206882255530,1713183846994685492,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5020 /prefetch:8
  2⤵
  PID:224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1668,4827902206882255530,1713183846994685492,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3204 /prefetch:1
  2⤵
  PID:2544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1668,4827902206882255530,1713183846994685492,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6052 /prefetch:8
  2⤵
  PID:1088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1668,4827902206882255530,1713183846994685492,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5556 /prefetch:8
  2⤵
  PID:1788
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1668,4827902206882255530,1713183846994685492,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6056 /prefetch:1
  2⤵
  PID:5096
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1668,4827902206882255530,1713183846994685492,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2840 /prefetch:8
  2⤵
  PID:2032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1668,4827902206882255530,1713183846994685492,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2128 /prefetch:8
  2⤵
  PID:4028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1668,4827902206882255530,1713183846994685492,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2608 /prefetch:8
  2⤵
  PID:380
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1668,4827902206882255530,1713183846994685492,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2704 /prefetch:8
  2⤵
  PID:2088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1668,4827902206882255530,1713183846994685492,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3112 /prefetch:1
  2⤵
  PID:3928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1668,4827902206882255530,1713183846994685492,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3140 /prefetch:1
  2⤵
  PID:2880
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1668,4827902206882255530,1713183846994685492,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5316 /prefetch:8
  2⤵
  PID:2612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1668,4827902206882255530,1713183846994685492,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2212 /prefetch:8
  2⤵
  PID:396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1668,4827902206882255530,1713183846994685492,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2608 /prefetch:1
  2⤵
  PID:2680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1668,4827902206882255530,1713183846994685492,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5032 /prefetch:1
  2⤵
  PID:992
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1668,4827902206882255530,1713183846994685492,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1044 /prefetch:8
  2⤵
  PID:1176
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1668,4827902206882255530,1713183846994685492,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1608 /prefetch:8
  2⤵
  PID:204
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1668,4827902206882255530,1713183846994685492,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=3544 /prefetch:2
  2⤵
  PID:1572
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1668,4827902206882255530,1713183846994685492,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1032 /prefetch:1
  2⤵
  PID:4404
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1668,4827902206882255530,1713183846994685492,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2772 /prefetch:1
  2⤵
  PID:1544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1668,4827902206882255530,1713183846994685492,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6124 /prefetch:8
  2⤵
  PID:1576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1668,4827902206882255530,1713183846994685492,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6284 /prefetch:8
  2⤵
  PID:2356
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1668,4827902206882255530,1713183846994685492,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6244 /prefetch:8
  2⤵
  PID:3516
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1668,4827902206882255530,1713183846994685492,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6384 /prefetch:8
  2⤵
  PID:1064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1668,4827902206882255530,1713183846994685492,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6408 /prefetch:8
  2⤵
  PID:2208
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1668,4827902206882255530,1713183846994685492,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6592 /prefetch:8
  2⤵
  PID:720
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1668,4827902206882255530,1713183846994685492,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6556 /prefetch:8
  2⤵
  PID:2892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1668,4827902206882255530,1713183846994685492,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6280 /prefetch:1
  2⤵
  PID:1020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1668,4827902206882255530,1713183846994685492,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4684 /prefetch:1
  2⤵
  PID:4916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1668,4827902206882255530,1713183846994685492,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3568 /prefetch:1
  2⤵
  PID:4868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1668,4827902206882255530,1713183846994685492,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6544 /prefetch:1
  2⤵
  PID:4140
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1668,4827902206882255530,1713183846994685492,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5732 /prefetch:1
  2⤵
  PID:2684
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1668,4827902206882255530,1713183846994685492,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=50 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6608 /prefetch:1
  2⤵
  PID:4212
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1668,4827902206882255530,1713183846994685492,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5560 /prefetch:8
  2⤵
  PID:1688
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1668,4827902206882255530,1713183846994685492,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5388 /prefetch:8
  2⤵
  PID:2944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1668,4827902206882255530,1713183846994685492,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6444 /prefetch:8
  2⤵
  PID:3200
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1668,4827902206882255530,1713183846994685492,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6156 /prefetch:8
  2⤵
  PID:4200
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1668,4827902206882255530,1713183846994685492,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2212 /prefetch:8
  2⤵
  PID:4336

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5092

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4536

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\SystemID\PersonalID.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:1988

C:\Users\Admin\AppData\Roaming\urjgbsd
C:\Users\Admin\AppData\Roaming\urjgbsd
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:4332

C:\Users\Admin\AppData\Roaming\ajjgbsd
C:\Users\Admin\AppData\Roaming\ajjgbsd
1⤵
- Executes dropped EXE
PID:4196
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4196 -s 320
  2⤵
  - Program crash
  PID:3788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4196 -ip 4196
1⤵
PID:1440

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k LocalService
1⤵
- Loads dropped DLL
- Checks processor information in registry
PID:4064
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\system32\rundll32.exe" "c:\program files (x86)\windowspowershell\modules\cpdf_rhp..dll",XgZYYzY3NQ==
  2⤵
  - Loads dropped DLL
  - Checks processor information in registry
  PID:2936
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\system32\rundll32.exe" "c:\program files (x86)\windowspowershell\modules\cpdf_rhp..dll",XgZYYzY3NQ==
  2⤵
  PID:2280
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 15570
    3⤵
    PID:1416
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
    3⤵
    PID:4720
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
    3⤵
    PID:2916

C:\Users\Admin\Desktop\adwcleaner.exe
"C:\Users\Admin\Desktop\adwcleaner.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1664
- C:\Windows\System32\netsh.exe
  "C:\Windows\System32\netsh.exe" winsock reset
  2⤵
  PID:1768

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:4964

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:5020

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4716

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
PID:2132

C:\Users\Admin\Desktop\adwcleaner.exe
"C:\Users\Admin\Desktop\adwcleaner.exe"
1⤵
PID:1932

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
1⤵
PID:3456
- C:\Windows\SysWOW64\schtasks.exe
  /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
  2⤵
  - DcRat
  - Creates scheduled task(s)
  PID:4228

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
PID:4824

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\mozglue.dll

Filesize
133KB

MD5
8f73c08a9660691143661bf7332c3c27

SHA1
37fa65dd737c50fda710fdbde89e51374d0c204a

SHA256
3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

SHA512
0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

Download Submit
C:\ProgramData\nss3.dll

Filesize
1.2MB

MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
C:\SystemID\PersonalID.txt

Filesize
42B

MD5
15a69b8e478da0a3c34463ce2a3c9727

SHA1
9ee632cb0e17b760f5655d67f21ad9dd9c124793

SHA256
00dc9381b42367952477eceac3373f4808fce89ee8ef08f89eb62fb68bafce46

SHA512
e6c87e615a7044cb7c9a4fac6f1db28520c4647c46a27bf8e30dcd10742f7d4f3360ead47cd67f531de976c71b91ecb45cf0ac5d1d472fa00b8eed643514feff

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

Filesize
2KB

MD5
61a9f01083346a0ee40dc68983932b14

SHA1
85737a00e510acc709a5ea03d04a666bf41eb912

SHA256
db745e7939f305e69baa8e6fda50687f545b5b9af3cffbd290f1223d7956c1e7

SHA512
80edf82ede77a5657e92ca9c6ec45fe28118f1f0372d33e377185f7043580ee136927922556795552b41b9bd03aaef9a0273758af375b56ad4470aa23ac88349

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771

Filesize
1KB

MD5
589514a7ae90cdf114f5f63d720a442a

SHA1
63632187f607aa50c81654650f7ed673ac7e86c9

SHA256
e685f6216919f46392498db07a4539ee3c312eb20302e77d3cd8d69d1a805a6a

SHA512
efd43cd28866a7ddf9749ccff3903e82118e8bf3792f2b7095ab614c165de317d7b6bf3b6002d5950a127bcea27641b7f61270be1391e5cfe91e0d5ccc058beb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
1KB

MD5
deb5907196e6e5e0e915c276f65a6924

SHA1
62802115ee04a17e66297fbfd5ab8d933040ffdb

SHA256
48c65c4f7dfbf070a4e8157cd0ec68e495eb3f963668f3d51ae6fedcff7fcda1

SHA512
4881fd5f46e1846f4e4dd3cb0295c5b48f62181bba01f8113520d97ee31b1489429281778d1ac0d58d02a3343ad97d24a96ce1d2bdbb1ddda2f77e5101f51c43

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D

Filesize
1KB

MD5
d4664502930ea449b4f2e942ed6ed2f6

SHA1
e4278c7ee950a97f801b087b01e6dc96e5db6954

SHA256
efa9a60de4cddc87056655b0a6da382ba5b11611c1beadfc6e1c9d6d3bab027f

SHA512
45ecc51bbea32c082195e1b4d97052bae901c25d2e5192b93fe343905a09be1c2bbc31fe6dd35830e7d799f355408d3acbd4e7e0cb81c3690f202a20ee738b73

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

Filesize
488B

MD5
f474b275969640513db3dc061d3909a9

SHA1
563011fec6d62b9dd4ff5b0113a338629f3e5e9a

SHA256
9927fa0040df2332e2419565db474a9a47aa46fee3afe9d8e5fa33f2dd56785b

SHA512
8e16bbc14c43a154195b7be4537d72fd189c66ca06adb6cfb69343b991dfde9bd85e87d87f7e8f804745968da55f603e8a7f0f68b4f87807b213b6c1401c7350

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771

Filesize
450B

MD5
5bbe8516388fe0fce415ae28c5362de2

SHA1
eacef2e7d8db8c0f9f2bf8f6403ec31ac3d4366c

SHA256
37cb99e0355ea52a55a7cb7b30d9351c76c78ff4708defb1cc2b5c1cb80935f2

SHA512
182c07acc80bbbf1481f610cf051ccdc9ddeba418b58bdb9e5d0527db362a1cad7d16cff334424417f2a0dc770d303da276b1e936b50897b92f0837945f1c2f7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
482B

MD5
15baab7248c313c1a426f18d1d692f3b

SHA1
36e5afe8b622555b61ef301f564c955a4a28316c

SHA256
d24fccfea91133c5d652cb07556e5144f430839f2f0de66a7ad9773ffbb9707a

SHA512
ac66a65fbcd96acdb970d94d1df486dd237e02b157bb2e2e8deb05f0d5ef1677014e2b95571c0e20df5ab9ce2c3870c996f5c8b2628571e1c318a15b4639da04

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D

Filesize
458B

MD5
4893aaf0a89f1529eb89f8728ae29fa8

SHA1
083f732523fa029fce5f206ab6ce7479a9995015

SHA256
d35af0bf9d20720f80b7cadb0c0e2ef20351447dfc1c3f7d6510eadc5b3bb25f

SHA512
1f07a69061fead59e5921847f38287901202851e10f9235c976cfd3a838f606e4af93f090ea1a297da873cbc68286be76af64ec3d15f539ede20b26f3eed5689

Download Submit
C:\Users\Admin\AppData\Local\1843ef78-7b18-4241-a3da-b93e861de0c2\F4F8.exe

Filesize
852KB

MD5
5a4646dc1e0caa4a0c2da0ddb1c7e97f

SHA1
bd57414c9549641a54a27cb7868d318689685938

SHA256
9fe04c781e72a87b131df24fa7f16567fcfe4c16c8e812650e5d583c65e6e3ba

SHA512
6faf7a612b810595d44bbe8bf0c0637a76794d2831e85e4f0377b6fca0ee5383f364f5b3c0c87dc17d3ac13b7cfc43a738e64bc0fd129fa0921c7d87f0b9b651

Download Submit
C:\Users\Admin\AppData\Local\9d87f84d-b658-43a1-9daf-8de6b126c79b\build2.exe

Filesize
429KB

MD5
8c14bb1505244971374a88f37a4ec22a

SHA1
cebd478fd7ca3956c983fb3e33e2cbb7c54fa4d0

SHA256
f333289bf29805ee697908ecb974aeb81206b471252ec2e51f382d53ac35d962

SHA512
5e08686f2cbc783716442004d39ee11a4fabec7aaa92f33f758df7861ed0730c211551ecb85dd9dc93c2b83983fc4df08bcfeeb38c9e51bd3dcd138b10cf103e

Download Submit
C:\Users\Admin\AppData\Local\9d87f84d-b658-43a1-9daf-8de6b126c79b\build2.exe

Filesize
429KB

MD5
8c14bb1505244971374a88f37a4ec22a

SHA1
cebd478fd7ca3956c983fb3e33e2cbb7c54fa4d0

SHA256
f333289bf29805ee697908ecb974aeb81206b471252ec2e51f382d53ac35d962

SHA512
5e08686f2cbc783716442004d39ee11a4fabec7aaa92f33f758df7861ed0730c211551ecb85dd9dc93c2b83983fc4df08bcfeeb38c9e51bd3dcd138b10cf103e

Download Submit
C:\Users\Admin\AppData\Local\9d87f84d-b658-43a1-9daf-8de6b126c79b\build3.exe

Filesize
9KB

MD5
9ead10c08e72ae41921191f8db39bc16

SHA1
abe3bce01cd34afc88e2c838173f8c2bd0090ae1

SHA256
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

SHA512
aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

Filesize
28KB

MD5
3b21faa6836429a86efdb74220343bad

SHA1
a5efb1980a3f4dfbe5a266e83b1d68ad9f03cd5d

SHA256
b47412e47985bd20a4138f1ea0cac4de635a394238a051a1f57d374fe49af4d9

SHA512
a374993022ddcc52de00e20d3209fdc6e57cd55cbbb1b9c16a3a23ce6d2d8b57a4bd52e83857b275fb79b7dc07202dad144b353a969788f513dff9a6c9fa6165

Download Submit
C:\Users\Admin\AppData\Local\Temp\4F2E.exe

Filesize
15.9MB

MD5
759c12b796e6748a79b1317056194a6d

SHA1
2931c81c3d03d8c2bf7e47cda59c46059c07bab8

SHA256
d9ca3bd415f28b6e760fc9e501f65c2293d59666a9a9445a56d054f3e0c35b93

SHA512
e4940185b7923d93060c33f0fe220216c97bbdf2b1bc62ab9965882f82a8ec7d262fc66fa6f96d6d5cf8790cbf3aa4c7be652fd713b415ff7ff966d8a0411cab

Download Submit
C:\Users\Admin\AppData\Local\Temp\4F2E.exe

Filesize
15.9MB

MD5
759c12b796e6748a79b1317056194a6d

SHA1
2931c81c3d03d8c2bf7e47cda59c46059c07bab8

SHA256
d9ca3bd415f28b6e760fc9e501f65c2293d59666a9a9445a56d054f3e0c35b93

SHA512
e4940185b7923d93060c33f0fe220216c97bbdf2b1bc62ab9965882f82a8ec7d262fc66fa6f96d6d5cf8790cbf3aa4c7be652fd713b415ff7ff966d8a0411cab

Download Submit
C:\Users\Admin\AppData\Local\Temp\B4A0.exe

Filesize
1.1MB

MD5
e7f1a070a914352c8e80242c1618732b

SHA1
669a862cdcad14ae1258c997f62f124c8fb1048f

SHA256
0749948b3bf98c2c5bc03060634d215542f87dab8a92677f1885cf0b9ea36f39

SHA512
18fbf494f375a2285f85774de8de75c2d89582e06b94c2a56266676a24e4b19c9a2e51afd0e039f01a48b142cfbe4661aba2b57e706d6f1cb527ac4b7d6d3faf

Download Submit
C:\Users\Admin\AppData\Local\Temp\B4A0.exe

Filesize
1.1MB

MD5
e7f1a070a914352c8e80242c1618732b

SHA1
669a862cdcad14ae1258c997f62f124c8fb1048f

SHA256
0749948b3bf98c2c5bc03060634d215542f87dab8a92677f1885cf0b9ea36f39

SHA512
18fbf494f375a2285f85774de8de75c2d89582e06b94c2a56266676a24e4b19c9a2e51afd0e039f01a48b142cfbe4661aba2b57e706d6f1cb527ac4b7d6d3faf

Download Submit
C:\Users\Admin\AppData\Local\Temp\E738.exe

Filesize
426KB

MD5
5789f1c2e5a03d55327799a606e59195

SHA1
258ac4c218e4010560be0c51e21ee4c2480ec576

SHA256
5680d2e482451222f0be4ea9914d8073e6e2b59ac3008125794f95fb45f37b1d

SHA512
e84acfbe90132674c3c1b8abd573601d37cd6be882c80601a5c4675eb332c20e73723186af471ced333c67de9aed43ca797959f6dc5dc575b76712338c3c8561

Download Submit
C:\Users\Admin\AppData\Local\Temp\E738.exe

Filesize
426KB

MD5
5789f1c2e5a03d55327799a606e59195

SHA1
258ac4c218e4010560be0c51e21ee4c2480ec576

SHA256
5680d2e482451222f0be4ea9914d8073e6e2b59ac3008125794f95fb45f37b1d

SHA512
e84acfbe90132674c3c1b8abd573601d37cd6be882c80601a5c4675eb332c20e73723186af471ced333c67de9aed43ca797959f6dc5dc575b76712338c3c8561

Download Submit
C:\Users\Admin\AppData\Local\Temp\E95C.exe

Filesize
453KB

MD5
a54b11ad76c698e14478d64391430be7

SHA1
4aea31ed39f0942b345bed0b6813562d72b6b792

SHA256
ade40de269f1106cc15af503873ca91733dc4e4173bc7af3448de19435e51fee

SHA512
5376f01fbfbcb7bb02f4e61c17473bb8c603b00a270a3a48cc0bdb13cf992b33b6d3a5a09f4fb9fb937e25ff40d45b1264b803698298181efcf93e9278b32e16

Download Submit
C:\Users\Admin\AppData\Local\Temp\E95C.exe

Filesize
453KB

MD5
a54b11ad76c698e14478d64391430be7

SHA1
4aea31ed39f0942b345bed0b6813562d72b6b792

SHA256
ade40de269f1106cc15af503873ca91733dc4e4173bc7af3448de19435e51fee

SHA512
5376f01fbfbcb7bb02f4e61c17473bb8c603b00a270a3a48cc0bdb13cf992b33b6d3a5a09f4fb9fb937e25ff40d45b1264b803698298181efcf93e9278b32e16

Download Submit
C:\Users\Admin\AppData\Local\Temp\EE4F.exe

Filesize
327KB

MD5
02908ad603f0a72ed2f8e92bf0f2fa76

SHA1
9df99976acda2ab389e424fc0689d2743e5c291f

SHA256
ee76f1d57e44116d9b1a2af44182deb6c28cea0d84238453421976999f201cb4

SHA512
46f4c7d6f7df76391ecaedf9e5865d3c7886312b3c803daf7c84bc1e071f16be9ccf0287ee0cc515bd5e57281d2a926111099a2e6c1b213594147c1772ef483f

Download Submit
C:\Users\Admin\AppData\Local\Temp\EE4F.exe

Filesize
327KB

MD5
02908ad603f0a72ed2f8e92bf0f2fa76

SHA1
9df99976acda2ab389e424fc0689d2743e5c291f

SHA256
ee76f1d57e44116d9b1a2af44182deb6c28cea0d84238453421976999f201cb4

SHA512
46f4c7d6f7df76391ecaedf9e5865d3c7886312b3c803daf7c84bc1e071f16be9ccf0287ee0cc515bd5e57281d2a926111099a2e6c1b213594147c1772ef483f

Download Submit
C:\Users\Admin\AppData\Local\Temp\F17C.exe

Filesize
353KB

MD5
7ed687ac3ea2d88751c61ee4242d2cb1

SHA1
f4540c03affd6da03d56ebde96b3405877c4339d

SHA256
4c19c053186dbe91f79872857581e6d7ef3bf1d383b42054e6ede398557e8007

SHA512
cfa89214d7697471a57ea3aef851250ec3bed42f3daef40d7c976c5ea407a4a5e3ee1d5b22c3e0dc060e02e3fc321f265cca10b1efa15fe4348f0818e6fdb1c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\F17C.exe

Filesize
353KB

MD5
7ed687ac3ea2d88751c61ee4242d2cb1

SHA1
f4540c03affd6da03d56ebde96b3405877c4339d

SHA256
4c19c053186dbe91f79872857581e6d7ef3bf1d383b42054e6ede398557e8007

SHA512
cfa89214d7697471a57ea3aef851250ec3bed42f3daef40d7c976c5ea407a4a5e3ee1d5b22c3e0dc060e02e3fc321f265cca10b1efa15fe4348f0818e6fdb1c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\F4F8.exe

Filesize
852KB

MD5
5a4646dc1e0caa4a0c2da0ddb1c7e97f

SHA1
bd57414c9549641a54a27cb7868d318689685938

SHA256
9fe04c781e72a87b131df24fa7f16567fcfe4c16c8e812650e5d583c65e6e3ba

SHA512
6faf7a612b810595d44bbe8bf0c0637a76794d2831e85e4f0377b6fca0ee5383f364f5b3c0c87dc17d3ac13b7cfc43a738e64bc0fd129fa0921c7d87f0b9b651

Download Submit
C:\Users\Admin\AppData\Local\Temp\F4F8.exe

Filesize
852KB

MD5
5a4646dc1e0caa4a0c2da0ddb1c7e97f

SHA1
bd57414c9549641a54a27cb7868d318689685938

SHA256
9fe04c781e72a87b131df24fa7f16567fcfe4c16c8e812650e5d583c65e6e3ba

SHA512
6faf7a612b810595d44bbe8bf0c0637a76794d2831e85e4f0377b6fca0ee5383f364f5b3c0c87dc17d3ac13b7cfc43a738e64bc0fd129fa0921c7d87f0b9b651

Download Submit
C:\Users\Admin\AppData\Local\Temp\F4F8.exe

Filesize
852KB

MD5
5a4646dc1e0caa4a0c2da0ddb1c7e97f

SHA1
bd57414c9549641a54a27cb7868d318689685938

SHA256
9fe04c781e72a87b131df24fa7f16567fcfe4c16c8e812650e5d583c65e6e3ba

SHA512
6faf7a612b810595d44bbe8bf0c0637a76794d2831e85e4f0377b6fca0ee5383f364f5b3c0c87dc17d3ac13b7cfc43a738e64bc0fd129fa0921c7d87f0b9b651

Download Submit
C:\Users\Admin\AppData\Local\Temp\F4F8.exe

Filesize
852KB

MD5
5a4646dc1e0caa4a0c2da0ddb1c7e97f

SHA1
bd57414c9549641a54a27cb7868d318689685938

SHA256
9fe04c781e72a87b131df24fa7f16567fcfe4c16c8e812650e5d583c65e6e3ba

SHA512
6faf7a612b810595d44bbe8bf0c0637a76794d2831e85e4f0377b6fca0ee5383f364f5b3c0c87dc17d3ac13b7cfc43a738e64bc0fd129fa0921c7d87f0b9b651

Download Submit
C:\Users\Admin\AppData\Local\Temp\F4F8.exe

Filesize
852KB

MD5
5a4646dc1e0caa4a0c2da0ddb1c7e97f

SHA1
bd57414c9549641a54a27cb7868d318689685938

SHA256
9fe04c781e72a87b131df24fa7f16567fcfe4c16c8e812650e5d583c65e6e3ba

SHA512
6faf7a612b810595d44bbe8bf0c0637a76794d2831e85e4f0377b6fca0ee5383f364f5b3c0c87dc17d3ac13b7cfc43a738e64bc0fd129fa0921c7d87f0b9b651

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wtfoiq.tmp

Filesize
714KB

MD5
9dd70d24b2657a9254b9fd536a4d06d5

SHA1
348a1d210d7c4daef8ecdb692eadf3975971e8ee

SHA256
d0ac0e9021c6e231c60256198309b7f72ce4c5e772cf343b5456c2ce0664b9bd

SHA512
dee5bfe83fdf196c78ee255e50a25994220ce9ecac22eb24323df70e668714d7a810b67ddace7809d9d7e2160a35c4603deedb64b1660d82dde58586c34d2ab6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wtfoiq.tmp

Filesize
714KB

MD5
9dd70d24b2657a9254b9fd536a4d06d5

SHA1
348a1d210d7c4daef8ecdb692eadf3975971e8ee

SHA256
d0ac0e9021c6e231c60256198309b7f72ce4c5e772cf343b5456c2ce0664b9bd

SHA512
dee5bfe83fdf196c78ee255e50a25994220ce9ecac22eb24323df70e668714d7a810b67ddace7809d9d7e2160a35c4603deedb64b1660d82dde58586c34d2ab6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

Filesize
9KB

MD5
9ead10c08e72ae41921191f8db39bc16

SHA1
abe3bce01cd34afc88e2c838173f8c2bd0090ae1

SHA256
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

SHA512
aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

Filesize
9KB

MD5
9ead10c08e72ae41921191f8db39bc16

SHA1
abe3bce01cd34afc88e2c838173f8c2bd0090ae1

SHA256
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

SHA512
aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

Download Submit
C:\Users\Admin\AppData\Roaming\venuzye.exe

Filesize
4.4MB

MD5
a571e4d8f9c450f2c256e3ca4ed01f59

SHA1
acae29d7d8ca985b369525b4defdca4962592b4e

SHA256
8d7d5abf2d92e4951e29b59140f182c582c335d8957435bea2f539b7ad7a3b0e

SHA512
068807a6b03b6833e6531e04b4795b95e0c116e494af942bbd88c23abb9c0a22913120aa10ce05d1d81413e474cb64d64512d78a3a2878dacb2d943205cd10b0

Download Submit
\??\c:\users\admin\appdata\local\9d87f84d-b658-43a1-9daf-8de6b126c79b\build2.exe

Filesize
429KB

MD5
8c14bb1505244971374a88f37a4ec22a

SHA1
cebd478fd7ca3956c983fb3e33e2cbb7c54fa4d0

SHA256
f333289bf29805ee697908ecb974aeb81206b471252ec2e51f382d53ac35d962

SHA512
5e08686f2cbc783716442004d39ee11a4fabec7aaa92f33f758df7861ed0730c211551ecb85dd9dc93c2b83983fc4df08bcfeeb38c9e51bd3dcd138b10cf103e

Download Submit
\??\c:\users\admin\appdata\local\9d87f84d-b658-43a1-9daf-8de6b126c79b\build3.exe

Filesize
9KB

MD5
9ead10c08e72ae41921191f8db39bc16

SHA1
abe3bce01cd34afc88e2c838173f8c2bd0090ae1

SHA256
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

SHA512
aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

Download Submit
\??\c:\users\admin\appdata\roaming\venuzye.exe

Filesize
4.4MB

MD5
a571e4d8f9c450f2c256e3ca4ed01f59

SHA1
acae29d7d8ca985b369525b4defdca4962592b4e

SHA256
8d7d5abf2d92e4951e29b59140f182c582c335d8957435bea2f539b7ad7a3b0e

SHA512
068807a6b03b6833e6531e04b4795b95e0c116e494af942bbd88c23abb9c0a22913120aa10ce05d1d81413e474cb64d64512d78a3a2878dacb2d943205cd10b0

Download Submit
memory/720-178-0x0000000005B50000-0x0000000005BE2000-memory.dmp

Filesize
584KB

Download
memory/720-152-0x0000000004AA0000-0x0000000005044000-memory.dmp

Filesize
5.6MB

Download
memory/720-179-0x0000000005BF0000-0x0000000005C56000-memory.dmp

Filesize
408KB

Download
memory/720-159-0x0000000005860000-0x000000000589C000-memory.dmp

Filesize
240KB

Download
memory/720-158-0x0000000005840000-0x0000000005852000-memory.dmp

Filesize
72KB

Download
memory/720-157-0x0000000005700000-0x000000000580A000-memory.dmp

Filesize
1.0MB

Download
memory/720-199-0x000000000084F000-0x000000000087E000-memory.dmp

Filesize
188KB

Download
memory/720-200-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/720-185-0x000000000084F000-0x000000000087E000-memory.dmp

Filesize
188KB

Download
memory/720-156-0x0000000005090000-0x00000000056A8000-memory.dmp

Filesize
6.1MB

Download
memory/720-153-0x000000000084F000-0x000000000087E000-memory.dmp

Filesize
188KB

Download
memory/720-155-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/720-154-0x00000000007C0000-0x000000000080B000-memory.dmp

Filesize
300KB

Download
memory/748-167-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/748-169-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/748-172-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/748-174-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/748-181-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1284-191-0x0000000004CE5000-0x0000000004D76000-memory.dmp

Filesize
580KB

Download
memory/1416-344-0x00000286CC9E0000-0x00000286CCB20000-memory.dmp

Filesize
1.2MB

Download
memory/1416-343-0x00000286CC9E0000-0x00000286CCB20000-memory.dmp

Filesize
1.2MB

Download
memory/1572-164-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1572-162-0x000000000070E000-0x0000000000724000-memory.dmp

Filesize
88KB

Download
memory/1572-163-0x00000000005A0000-0x00000000005A9000-memory.dmp

Filesize
36KB

Download
memory/1572-177-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1664-309-0x0000000000C60000-0x0000000002284000-memory.dmp

Filesize
22.1MB

Download
memory/1664-308-0x0000000000C60000-0x0000000002284000-memory.dmp

Filesize
22.1MB

Download
memory/2100-257-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2100-227-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2100-255-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2100-230-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2100-234-0x00000000509B0000-0x0000000050A42000-memory.dmp

Filesize
584KB

Download
memory/2100-223-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2100-225-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2280-341-0x0000000005CF0000-0x0000000005E30000-memory.dmp

Filesize
1.2MB

Download
memory/2280-339-0x0000000005CF0000-0x0000000005E30000-memory.dmp

Filesize
1.2MB

Download
memory/2280-340-0x0000000005CF0000-0x0000000005E30000-memory.dmp

Filesize
1.2MB

Download
memory/2280-334-0x0000000004FF0000-0x0000000005B31000-memory.dmp

Filesize
11.3MB

Download
memory/2280-335-0x0000000005CF0000-0x0000000005E30000-memory.dmp

Filesize
1.2MB

Download
memory/2280-338-0x0000000005CF0000-0x0000000005E30000-memory.dmp

Filesize
1.2MB

Download
memory/2280-336-0x0000000005CF0000-0x0000000005E30000-memory.dmp

Filesize
1.2MB

Download
memory/2532-272-0x00000000040A0000-0x00000000041E0000-memory.dmp

Filesize
1.2MB

Download
memory/2532-274-0x00000000040A0000-0x00000000041E0000-memory.dmp

Filesize
1.2MB

Download
memory/2532-269-0x0000000005E00000-0x0000000006941000-memory.dmp

Filesize
11.3MB

Download
memory/2532-282-0x0000000005E00000-0x0000000006941000-memory.dmp

Filesize
11.3MB

Download
memory/2532-270-0x0000000005E00000-0x0000000006941000-memory.dmp

Filesize
11.3MB

Download
memory/2532-276-0x00000000040A0000-0x00000000041E0000-memory.dmp

Filesize
1.2MB

Download
memory/2532-275-0x00000000040A0000-0x00000000041E0000-memory.dmp

Filesize
1.2MB

Download
memory/2532-271-0x00000000040A0000-0x00000000041E0000-memory.dmp

Filesize
1.2MB

Download
memory/2532-273-0x00000000040A0000-0x00000000041E0000-memory.dmp

Filesize
1.2MB

Download
memory/2768-205-0x00007FFA6DAD0000-0x00007FFA6E591000-memory.dmp

Filesize
10.8MB

Download
memory/2768-216-0x00007FFA6DAD0000-0x00007FFA6E591000-memory.dmp

Filesize
10.8MB

Download
memory/2768-204-0x0000000000670000-0x000000000165A000-memory.dmp

Filesize
15.9MB

Download
memory/2936-303-0x00000000048E0000-0x0000000005421000-memory.dmp

Filesize
11.3MB

Download
memory/2936-301-0x00000000048E0000-0x0000000005421000-memory.dmp

Filesize
11.3MB

Download
memory/2936-302-0x00000000048E0000-0x0000000005421000-memory.dmp

Filesize
11.3MB

Download
memory/3012-228-0x0000000000500000-0x000000000054C000-memory.dmp

Filesize
304KB

Download
memory/3012-226-0x0000000000588000-0x00000000005B6000-memory.dmp

Filesize
184KB

Download
memory/3336-278-0x000001F0E98F0000-0x000001F0E9A30000-memory.dmp

Filesize
1.2MB

Download
memory/3336-283-0x0000000000BE0000-0x0000000000E81000-memory.dmp

Filesize
2.6MB

Download
memory/3336-279-0x0000000000BE0000-0x0000000000E81000-memory.dmp

Filesize
2.6MB

Download
memory/3336-280-0x000001F0E98F0000-0x000001F0E9A30000-memory.dmp

Filesize
1.2MB

Download
memory/3336-281-0x000001F0E7E70000-0x000001F0E8122000-memory.dmp

Filesize
2.7MB

Download
memory/3576-170-0x0000000003306000-0x0000000003397000-memory.dmp

Filesize
580KB

Download
memory/3576-173-0x0000000004E40000-0x0000000004F5B000-memory.dmp

Filesize
1.1MB

Download
memory/3856-165-0x000000000325D000-0x0000000003272000-memory.dmp

Filesize
84KB

Download
memory/3856-171-0x0000000000400000-0x000000000301B000-memory.dmp

Filesize
44.1MB

Download
memory/4064-299-0x0000000003BC0000-0x0000000004701000-memory.dmp

Filesize
11.3MB

Download
memory/4064-306-0x0000000003BC0000-0x0000000004701000-memory.dmp

Filesize
11.3MB

Download
memory/4136-133-0x0000000000520000-0x0000000000529000-memory.dmp

Filesize
36KB

Download
memory/4136-132-0x000000000058E000-0x000000000059E000-memory.dmp

Filesize
64KB

Download
memory/4136-135-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4136-134-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4176-192-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4176-197-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4176-229-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4176-190-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4196-296-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/4196-295-0x000000000054E000-0x0000000000564000-memory.dmp

Filesize
88KB

Download
memory/4332-293-0x000000000059D000-0x00000000005AD000-memory.dmp

Filesize
64KB

Download
memory/4332-297-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4332-294-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4452-268-0x0000000000400000-0x0000000000517000-memory.dmp

Filesize
1.1MB

Download
memory/4452-264-0x0000000000400000-0x0000000000517000-memory.dmp

Filesize
1.1MB

Download
memory/4452-263-0x0000000002280000-0x0000000002395000-memory.dmp

Filesize
1.1MB

Download
memory/4452-262-0x0000000002148000-0x000000000221C000-memory.dmp

Filesize
848KB

Download
memory/4716-325-0x000001D732DE0000-0x000001D732EE0000-memory.dmp

Filesize
1024KB

Download
memory/4716-326-0x000001D735CE0000-0x000001D735D00000-memory.dmp

Filesize
128KB

Download
memory/4716-327-0x000001D7332B0000-0x000001D7332D0000-memory.dmp

Filesize
128KB

Download
memory/4716-323-0x000001D7333B8000-0x000001D7333C0000-memory.dmp

Filesize
32KB

Download
memory/4716-324-0x000001D7332B0000-0x000001D7332D0000-memory.dmp

Filesize
128KB

Download
memory/4780-198-0x0000000000400000-0x0000000003034000-memory.dmp

Filesize
44.2MB

Download
memory/4780-161-0x0000000000400000-0x0000000003034000-memory.dmp

Filesize
44.2MB

Download
memory/4780-186-0x000000000309D000-0x00000000030CB000-memory.dmp

Filesize
184KB

Download
memory/4780-184-0x00000000091E0000-0x000000000970C000-memory.dmp

Filesize
5.2MB

Download
memory/4780-160-0x000000000309D000-0x00000000030CB000-memory.dmp

Filesize
184KB

Download
memory/4780-183-0x0000000009010000-0x00000000091D2000-memory.dmp

Filesize
1.8MB

Download