phobos | caf660d5a464070e4a488bb3d2153c90204f739e75684f4d8ed56de1062b2f87

Analysis

max time kernel
110s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
13-07-2023 20:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

caf660d5a464070e4a488bb3d2153c90204f739e75684f4d8ed56de1062b2f87.exe
Size

451KB
MD5

7041b5e6716fbc3d51516bfc782b1adf
SHA1

8a7188931e6d548c1c717be4386df5a19e04b51f
SHA256

caf660d5a464070e4a488bb3d2153c90204f739e75684f4d8ed56de1062b2f87
SHA512

75800515735a33a6479791bf628951cafc8d6b09119ebbc80e5570731ee3d343d7386c8e2ac07c14ae7fa34ee5b5bf16264b804ab7e2ad7f667335d918e95709
SSDEEP

6144:dJ9FSjroYqIslQS49PJPGTsqgU4yct3kgDNx5DKUfiyk6EeRqD6u:dbFSXzslQ34eU4yct3BBx5DKfwEeRC

Score

10^/10

phobos rhadamanthys smokeloader systembc backdoor collection evasion persistence ransomware spyware stealer trojan upx

Malware Config

Extracted

Family

systembc

adstat477d.xyz:4044

demstat577d.xyz:4044

Extracted

Family

smokeloader

Version

2022

http://serverxlogs21.xyz/statweb255/

http://servxblog79.xyz/statweb255/

http://demblog289.xyz/statweb255/

http://admlogs77x.online/statweb255/

http://blogxstat38.xyz/statweb255/

http://blogxstat25.xyz/statweb255/

rc4.i32

Extracted

Path

C:\info.hta

Ransom Note

<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01//EN' 'http://www.w3.org/TR/html4/strict.dtd'> <html> <head> <meta charset='windows-1251'> <title>cartilage</title> <HTA:APPLICATION ICON='msiexec.exe' SINGLEINSTANCE='yes' SysMenu="no"> <script language='JScript'> window.moveTo(50, 50); window.resizeTo(screen.width - 100, screen.height - 100); </script> <style type='text/css'> body { font: 15px Tahoma, sans-serif; margin: 10px; line-height: 25px; background: #C6B5C4; } img { display:inline-block; } .bold { font-weight: bold; } .mark { background: #B5CC8E; padding: 2px 5px; } .header { text-align: center; font-size: 30px; line-height: 50px; font-weight: bold; margin-bottom:20px; } .info { background: #e6ecf2; border-left: 10px solid #B58CB2; } .alert { background: #FFE4E4; border-left: 10px solid #FFA07A; } .private { border: 1px dashed #000; background: #FFFFEF; } .note { height: auto; padding-bottom: 1px; margin: 15px 0; } .note .title { font-weight: bold; text-indent: 10px; height: 30px; line-height: 30px; padding-top: 10px; } .note .mark { background: #A2A2B5; } .note ul { margin-top: 0; } .note pre { margin-left: 15px; line-height: 13px; font-size: 13px; } .footer { position:fixed; bottom:0; right:0; text-align: right; } </style> </head> <body> <div class='header'> <img src='data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAEAAAABACAQAAAAAYLlVAAAABGdBTUEAALGPC/xhBQAAACBjSFJNAAB6JQAAgIMAAPn/AACA6QAAdTAAAOpgAAA6mAAAF2+SX8VGAAAAAmJLR0QA/4ePzL8AAAAJcEhZcwAACxMAAAsTAQCanBgAAAAHdElNRQfjAwwMJwSFwIn8AAADNklEQVRo3u2ZTUhUURTHfzozmprmZ1pYEmkfJNEmiwwkSEyFECIQpEUboYhqFYHQXlcti9rUKldWBEUiuQpbtDDNzD5G8qM0HRXLRtO5LdJx3puPd++8+xyIztm88zgf/3veufeee18SdimDI1RxnL0U4gbAzxhDdPGCfpZs+49JWTTyFB8iAq8wTju1pDgXvopOliIGX+d57rHPieBuLvLNIvgaD1KvP/x1FiTDCwQTNOkFcJVfCuEFgq+c0he+minF8AJBH2WRnCUph8/nIZVhb2d5w1smEbjYSTn7SQ/TucsFlnWkPxBW6Xc4RkbIoHKooSNshsxRbT98Eb0mtyM04oqgmR6hUNvtrwrnWDa4nOVMVF0XLfw2aPuosBfezQPTmNpiVtFmnpj0W+wBKMFrcPeJ3RYWNfwwWHSSZgdAHX6Du5uWFpl0myqm1KiQrASgnNQQaZFOS4t5nhvkAnbZAbDHIE0wIGHzmsUQKdXkQwlACtsN8ijfJay8zBjkovgBbCLPlAG/hNUcswa5IH4Ayasdzxr5pBbWRRYMstGHYg04QAkH4FbQFSwTCKbdI7mzWVipbMceKtiCCFqO0OeY1caRbAaKOcgOCpQ+WWTyM8EwvfjkTfJoYZDFONqwaPyTHs7LbktlPNMYep2XuE22dfhsHjkS/i+3Wn/SK2EdoE72UeuyGH8rxbbLLjqlkRlb4TAzDo5fIJiOvRTnR+ju9VJuwveC/wASDsD+2h5KUyyQTVZiALzjFt3MsY16mtmqx2mt9BbUw4EQuzpGpVcCLQB8nDBZXmJFDoCeInzFS9ObxwzLmeoBMGA4/QBM4t1IAOHXDi7Zqwg9ACrCWotS8xnQWQCHOGsafzOFOhzLT8NxmoI3RZncULjG1ARA8DHYupxUucbUtxd4ghnw4JI30wdARHneMABx0j8FYD3xCkdefQByKFl9KsOjy6nKNBR0cZRCTjOk1JhrBCCY5r3pZtSS9bZkueSqmljVgPoPDa0Algk4HD8QG8AXph0G8Dk2AC89DgPosFKodvR83G/dtiRzTevtUChP0SCTpBQuM+bI6Bvk51gl96X/FFvzCh9oW0v+H2zO2tYtz/EgAAAAJXRFWHRkYXRlOmNyZWF0ZQAyMDE5LTAzLTEyVDEyOjM5OjA0KzAwOjAwG6lIYwAAACV0RVh0ZGF0ZTptb2RpZnkAMjAxOS0wMy0xMlQxMjozOTowNCswMDowMGr08N8AAAAASUVORK5CYII='> <div>All your files have been encrypted!</div> </div> <div class='bold'>All your files have been encrypted due to a security problem with your PC.</div> <div class='bold'>If you want to restore them, write us to the e-mail <span class='mark'>[email protected]</span></div> <div class='bold'>Or write us to the Tox: <span class='mark'>78E21CFF7AA85F713C1530AEF2E74E62830BEE77238F4B0A73E5E3251EAD56427BF9F7A1A074</span></div> <div class='bold'>Write this ID in the title of your message <span class='mark'>49C07676-3483</span></div> <div> You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the tool that will decrypt all your files. </div> <div class='note info'> <div class='title'>Free decryption as guarantee</div> <ul>Before paying you can send us up to 3 files for free decryption. The total size of files must be less than 4Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) </ul> </div> <div class='note info'> <div class='title'>How to obtain Bitcoins</div> <ul> The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. <br><a href='https://localbitcoins.com/buy_bitcoins'>https://localbitcoins.com/buy_bitcoins</a> <br> Also you can find other places to buy Bitcoins and beginners guide here: <br><a href='http://www.coindesk.com/information/how-can-i-buy-bitcoins/'>http://www.coindesk.com/information/how-can-i-buy-bitcoins/</a> </ul> </div> <div class='note alert'> <div class='title'>Attention!</div> <ul> <li>Do not rename encrypted files.</li> <li>Do not try to decrypt your data using third party software, it may cause permanent data loss.</li> <li>Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.</li> </ul> </div> </body> </html>

Emails

class='mark'>[email protected]</span></div>

URLs

http://www.w3.org/TR/html4/strict.dtd'>

Extracted

Path

C:\Users\Admin\Desktop\info.hta

Ransom Note

All your files have been encrypted! All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail [email protected] Or write us to the Tox: 78E21CFF7AA85F713C1530AEF2E74E62830BEE77238F4B0A73E5E3251EAD56427BF9F7A1A074 Write this ID in the title of your message 49C07676-3483 You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the tool that will decrypt all your files. Free decryption as guarantee Before paying you can send us up to 3 files for free decryption. The total size of files must be less than 4Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) How to obtain Bitcoins The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. https://localbitcoins.com/buy_bitcoins Also you can find other places to buy Bitcoins and beginners guide here: http://www.coindesk.com/information/how-can-i-buy-bitcoins/ Attention! Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

[email protected]

Signatures

Detect rhadamanthys stealer shellcode 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2256-138-0x0000000004D30000-0x0000000005130000-memory.dmp	family_rhadamanthys
behavioral1/memory/2256-139-0x0000000004D30000-0x0000000005130000-memory.dmp	family_rhadamanthys
behavioral1/memory/2256-140-0x0000000004D30000-0x0000000005130000-memory.dmp	family_rhadamanthys
behavioral1/memory/2256-141-0x0000000004D30000-0x0000000005130000-memory.dmp	family_rhadamanthys
behavioral1/memory/2256-153-0x0000000004D30000-0x0000000005130000-memory.dmp	family_rhadamanthys
behavioral1/memory/2256-156-0x0000000004D30000-0x0000000005130000-memory.dmp	family_rhadamanthys

Phobos
Phobos ransomware appeared at the beginning of 2019.
ransomware phobos
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

caf660d5a464070e4a488bb3d2153c90204f739e75684f4d8ed56de1062b2f87.exe

description pid process target process

PID 2256 created 2572 2256 caf660d5a464070e4a488bb3d2153c90204f739e75684f4d8ed56de1062b2f87.exe Explorer.EXE
SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 4 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exebcdedit.exebcdedit.exe

pid process

2264 bcdedit.exe
3992 bcdedit.exe
2096 bcdedit.exe
1796 bcdedit.exe
Renames multiple (472) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Deletes backup catalog 3 TTPs 2 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command-Line Interface
T1059

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

wbadmin.exewbadmin.exe

pid process

972 wbadmin.exe
1376 wbadmin.exe
Downloads MZ/PE file
Modifies Windows Firewall 1 TTPs 2 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exenetsh.exe

pid process

3980 netsh.exe
1800 netsh.exe
Drops startup file 1 IoCs

Processes:

o{qOsfR.exe

description ioc process

File created \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\o{qOsfR.exe o{qOsfR.exe
Executes dropped EXE 6 IoCs

Processes:

84`.exeo{qOsfR.exexUZbuun.exe84`.exeo{qOsfR.exe8846.exe

pid process

4464 84`.exe
1048 o{qOsfR.exe
2268 xUZbuun.exe
3704 84`.exe
2212 o{qOsfR.exe
1788 8846.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

description	pid	process	target process
PID 2256 created 2572	2256	caf660d5a464070e4a488bb3d2153c90204f739e75684f4d8ed56de1062b2f87.exe	Explorer.EXE

pid	process
2264	bcdedit.exe
3992	bcdedit.exe
2096	bcdedit.exe
1796	bcdedit.exe

pid	process
972	wbadmin.exe
1376	wbadmin.exe

pid	process
3980	netsh.exe
1800	netsh.exe

description	ioc	process
File created	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\o{qOsfR.exe	o{qOsfR.exe

pid	process
4464	84`.exe
1048	o{qOsfR.exe
2268	xUZbuun.exe
3704	84`.exe
2212	o{qOsfR.exe
1788	8846.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\8846.exe	upx
behavioral1/memory/1788-4077-0x00007FF704BC0000-0x00007FF705451000-memory.dmp	upx
behavioral1/memory/1788-4456-0x00007FF704BC0000-0x00007FF705451000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\8846.exe	upx

Accesses Microsoft Outlook profiles 1 TTPs 9 IoCs

collection

Email Collection

T1114

Processes:

certreq.exeexplorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\Software\Microsoft\Office\10.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	certreq.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

o{qOsfR.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\o{qOsfR = "C:\\Users\\Admin\\AppData\\Local\\o{qOsfR.exe"	o{qOsfR.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\o{qOsfR = "C:\\Users\\Admin\\AppData\\Local\\o{qOsfR.exe"	o{qOsfR.exe

Drops desktop.ini file(s) 24 IoCs

Processes:

o{qOsfR.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	o{qOsfR.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-1043950675-1972537973-2972532878-1000\desktop.ini	o{qOsfR.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	o{qOsfR.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	o{qOsfR.exe
File opened for modification	C:\Users\Admin\3D Objects\desktop.ini	o{qOsfR.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini	o{qOsfR.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini	o{qOsfR.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini	o{qOsfR.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-1043950675-1972537973-2972532878-1000\desktop.ini	o{qOsfR.exe
File opened for modification	C:\Program Files\desktop.ini	o{qOsfR.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	o{qOsfR.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	o{qOsfR.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	o{qOsfR.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	o{qOsfR.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	o{qOsfR.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini	o{qOsfR.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	o{qOsfR.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini	o{qOsfR.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	o{qOsfR.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	o{qOsfR.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	o{qOsfR.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini	o{qOsfR.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	o{qOsfR.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	o{qOsfR.exe

Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

62 ipinfo.io
72 ipinfo.io
77 ipinfo.io
60 ipinfo.io
Suspicious use of SetThreadContext 1 IoCs

Processes:

84`.exe

description pid process target process

PID 4464 set thread context of 3704 4464 84`.exe 84`.exe

flow	ioc
62	ipinfo.io
72	ipinfo.io
77	ipinfo.io
60	ipinfo.io

description	pid	process	target process
PID 4464 set thread context of 3704	4464	84`.exe	84`.exe

Drops file in Program Files directory 64 IoCs

Processes:

o{qOsfR.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.help.webapp.nl_zh_4.4.0.v20140623020002.jar	o{qOsfR.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_OEM_Perp-pl.xrm-ms.id[49C07676-3483].[[email protected]].8base	o{qOsfR.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-modules-editor-mimelookup.jar	o{qOsfR.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019DemoR_BypassTrial180-ul-oob.xrm-ms	o{qOsfR.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\tt.pak.DATA.id[49C07676-3483].[[email protected]].8base	o{qOsfR.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-selector-api_ja.jar.id[49C07676-3483].[[email protected]].8base	o{qOsfR.exe
File created	C:\Program Files\Microsoft Office\root\Client\vcruntime140.dll.id[49C07676-3483].[[email protected]].8base	o{qOsfR.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019VL_KMS_Client_AE-ul-oob.xrm-ms	o{qOsfR.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\AppIcon.targetsize-24.png	o{qOsfR.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\goopdateres_bg.dll	o{qOsfR.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNotePageSmallTile.scale-125.png	o{qOsfR.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Download_on_the_App_Store_Badge_nb_135x40.svg	o{qOsfR.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\en-US\TipTsf.dll.mui	o{qOsfR.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\WorldClockWideTile.contrast-white_scale-125.png	o{qOsfR.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\MapDarkTheme.png	o{qOsfR.exe
File created	C:\Program Files\Mozilla Firefox\api-ms-win-crt-math-l1-1-0.dll.id[49C07676-3483].[[email protected]].8base	o{qOsfR.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Audio\Skype_Dtmf_3.m4a	o{qOsfR.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-string-l1-1-0.dll	o{qOsfR.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\msolap.dll.id[49C07676-3483].[[email protected]].8base	o{qOsfR.exe
File created	C:\Program Files\Microsoft Office\ThinAppXManifest.xml.id[49C07676-3483].[[email protected]].8base	o{qOsfR.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\Wide310x150Logo.scale-125.png	o{qOsfR.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\Weather_TileLargeSquare.scale-200.png	o{qOsfR.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-white\MedTile.scale-125_contrast-white.png	o{qOsfR.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\AttachmentPlaceholder-Light.png	o{qOsfR.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\BadgeLogo.scale-100_contrast-black.png	o{qOsfR.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\flavormap.properties	o{qOsfR.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsSmallTile.contrast-white_scale-200.png	o{qOsfR.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\sign-in.png	o{qOsfR.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\he-il\ui-strings.js	o{qOsfR.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\themes\dark\CompleteCheckmark.png	o{qOsfR.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Exchange.scale-100.png	o{qOsfR.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\ja-jp\ui-strings.js	o{qOsfR.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\el.pak.DATA	o{qOsfR.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProXC2RVL_KMS_ClientC2R-ppd.xrm-ms.id[49C07676-3483].[[email protected]].8base	o{qOsfR.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.OData.Core.NetFX35.V7.dll	o{qOsfR.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.NET.Native.Runtime.1.7_1.7.25531.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\Autogen\JSByteCodeCache_64	o{qOsfR.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\fr-ma\ui-strings.js.id[49C07676-3483].[[email protected]].8base	o{qOsfR.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\PackageManagementDscUtilities.psm1	o{qOsfR.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\zh-cn\ui-strings.js.id[49C07676-3483].[[email protected]].8base	o{qOsfR.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN111.XML	o{qOsfR.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-256_contrast-black.png	o{qOsfR.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\sr-Cyrl-BA.pak.id[49C07676-3483].[[email protected]].8base	o{qOsfR.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Cartridges\sybase.xsl.id[49C07676-3483].[[email protected]].8base	o{qOsfR.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-64_altform-unplated_contrast-white.png	o{qOsfR.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Grace-ul-oob.xrm-ms.id[49C07676-3483].[[email protected]].8base	o{qOsfR.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\WINWORD_K_COL.HXK.id[49C07676-3483].[[email protected]].8base	o{qOsfR.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\RTL\contrast-black\MedTile.scale-100.png	o{qOsfR.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\tool\selector.js.id[49C07676-3483].[[email protected]].8base	o{qOsfR.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\epl-v10.html.id[49C07676-3483].[[email protected]].8base	o{qOsfR.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\Images\Ratings\Yelp9.scale-125.png	o{qOsfR.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteSectionGroupLargeTile.scale-100.png	o{qOsfR.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\pt-br\ui-strings.js.id[49C07676-3483].[[email protected]].8base	o{qOsfR.exe
File created	C:\Program Files\7-Zip\Lang\pl.txt.id[49C07676-3483].[[email protected]].8base	o{qOsfR.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.contrast-black_scale-140.png.id[49C07676-3483].[[email protected]].8base	o{qOsfR.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-20_altform-lightunplated.png	o{qOsfR.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\ar.pak	o{qOsfR.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.lv-lv.dll.id[49C07676-3483].[[email protected]].8base	o{qOsfR.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.sat4j.pb_2.3.5.v201404071733.jar	o{qOsfR.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001B-0409-1000-0000000FF1CE.xml	o{qOsfR.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\demux\librawaud_plugin.dll.id[49C07676-3483].[[email protected]].8base	o{qOsfR.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\WideTile.scale-200_contrast-white.png	o{qOsfR.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\fi-fi\ui-strings.js	o{qOsfR.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Web Server Extensions\16\BIN\1033\FPEXT.MSG.id[49C07676-3483].[[email protected]].8base	o{qOsfR.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\onboarding\contacts_permission_ios.gif	o{qOsfR.exe

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid	pid_target	process	target process
5096	2256	WerFault.exe	caf660d5a464070e4a488bb3d2153c90204f739e75684f4d8ed56de1062b2f87.exe
3896	2212	WerFault.exe	o{qOsfR.exe

Checks SCSI registry key(s) 3 TTPs 7 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vds.exe84`.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	84`.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	84`.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	84`.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	vds.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

certreq.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	certreq.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	certreq.exe

Enumerates processes with tasklist 1 TTPs 64 IoCs

Process Discovery

T1057

Processes:

tasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exe

pid	process
3340	tasklist.exe
3332	tasklist.exe
3828	tasklist.exe
616	tasklist.exe
4368	tasklist.exe
796	tasklist.exe
744	tasklist.exe
4708	tasklist.exe
4912	tasklist.exe
4552	tasklist.exe
4400	tasklist.exe
1016	tasklist.exe
224	tasklist.exe
3840	tasklist.exe
668	tasklist.exe
852	tasklist.exe
4296	tasklist.exe
2324	tasklist.exe
2100	tasklist.exe
5016	tasklist.exe
3432	tasklist.exe
5080	tasklist.exe
5100	tasklist.exe
3980	tasklist.exe
3020	tasklist.exe
3760	tasklist.exe
1112	tasklist.exe
3632	tasklist.exe
1540	tasklist.exe
3644	tasklist.exe
744	tasklist.exe
2584	tasklist.exe
4628	tasklist.exe
5040	tasklist.exe
2108	tasklist.exe
4740	tasklist.exe
3732	tasklist.exe
1488	tasklist.exe
616	tasklist.exe
616	tasklist.exe
3888	tasklist.exe
2884	tasklist.exe
4788	tasklist.exe
4168	tasklist.exe
1796	tasklist.exe
280	tasklist.exe
4856	tasklist.exe
3196	tasklist.exe
1232	tasklist.exe
700	tasklist.exe
3992	tasklist.exe
1524	tasklist.exe
448	tasklist.exe
2140	tasklist.exe
4436	tasklist.exe
1380	tasklist.exe
4204	tasklist.exe
1652	tasklist.exe
2764	tasklist.exe
3252	tasklist.exe
1784	tasklist.exe
5036	tasklist.exe
2140	tasklist.exe
616	tasklist.exe

Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exe

pid process

4908 systeminfo.exe
GoLang User-Agent 1 IoCs
Uses default user-agent string defined by GoLang HTTP packages.

Processes:

description flow ioc

HTTP User-Agent header 101 Go-http-client/1.1
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

1016 vssadmin.exe
164 vssadmin.exe

pid	process
4908	systeminfo.exe

description	flow	ioc
HTTP User-Agent header	101	Go-http-client/1.1

pid	process
1016	vssadmin.exe
164	vssadmin.exe

Kills process with taskkill 64 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
2324	taskkill.exe
5104	taskkill.exe
3120	taskkill.exe
5040	taskkill.exe
4448	taskkill.exe
4296	taskkill.exe
3080	taskkill.exe
4228	taskkill.exe
5056	taskkill.exe
5056	taskkill.exe
4444	taskkill.exe
3888	taskkill.exe
2420	taskkill.exe
1656	taskkill.exe
1540	taskkill.exe
4656	taskkill.exe
5072	taskkill.exe
1832	taskkill.exe
5056	taskkill.exe
1488	taskkill.exe
5052	taskkill.exe
1376	taskkill.exe
1984	taskkill.exe
3888	taskkill.exe
2172	taskkill.exe
1620	taskkill.exe
3928	taskkill.exe
2448	taskkill.exe
4880	taskkill.exe
3136	taskkill.exe
2736	taskkill.exe
4236	taskkill.exe
1796	taskkill.exe
1860	taskkill.exe
4988	taskkill.exe
3076	taskkill.exe
1416	taskkill.exe
1544	taskkill.exe
4368	taskkill.exe
3324	taskkill.exe
224	taskkill.exe
2012	taskkill.exe
1440	taskkill.exe
5044	taskkill.exe
4692	taskkill.exe
3036	taskkill.exe
280	taskkill.exe
1620	taskkill.exe
1668	taskkill.exe
2856	taskkill.exe
4296	taskkill.exe
696	taskkill.exe
3896	taskkill.exe
3020	taskkill.exe
2236	taskkill.exe
2272	taskkill.exe
3564	taskkill.exe
1652	taskkill.exe
4192	taskkill.exe
1360	taskkill.exe
1964	taskkill.exe
4400	taskkill.exe
4588	taskkill.exe
296	taskkill.exe

Modifies registry class 2 IoCs

Processes:

Explorer.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Explorer.EXE

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

8846.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	8846.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	8846.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 5c0000000100000004000000001000001900000001000000100000002fe1f70bb05d7c92335bc5e05b984da60f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f63030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e814000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e20000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	8846.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

caf660d5a464070e4a488bb3d2153c90204f739e75684f4d8ed56de1062b2f87.execertreq.exe84`.exeExplorer.EXEo{qOsfR.exe

pid	process
2256	caf660d5a464070e4a488bb3d2153c90204f739e75684f4d8ed56de1062b2f87.exe
2256	caf660d5a464070e4a488bb3d2153c90204f739e75684f4d8ed56de1062b2f87.exe
2256	caf660d5a464070e4a488bb3d2153c90204f739e75684f4d8ed56de1062b2f87.exe
2256	caf660d5a464070e4a488bb3d2153c90204f739e75684f4d8ed56de1062b2f87.exe
4956	certreq.exe
4956	certreq.exe
4956	certreq.exe
4956	certreq.exe
3704	84`.exe
3704	84`.exe
2572	Explorer.EXE
2572	Explorer.EXE
2572	Explorer.EXE
2572	Explorer.EXE
2572	Explorer.EXE
2572	Explorer.EXE
2572	Explorer.EXE
2572	Explorer.EXE
1048	o{qOsfR.exe
1048	o{qOsfR.exe
2572	Explorer.EXE
2572	Explorer.EXE
2572	Explorer.EXE
2572	Explorer.EXE
2572	Explorer.EXE
2572	Explorer.EXE
2572	Explorer.EXE
2572	Explorer.EXE
2572	Explorer.EXE
2572	Explorer.EXE
1048	o{qOsfR.exe
1048	o{qOsfR.exe
2572	Explorer.EXE
2572	Explorer.EXE
2572	Explorer.EXE
2572	Explorer.EXE
2572	Explorer.EXE
2572	Explorer.EXE
2572	Explorer.EXE
2572	Explorer.EXE
2572	Explorer.EXE
2572	Explorer.EXE
2572	Explorer.EXE
2572	Explorer.EXE
2572	Explorer.EXE
2572	Explorer.EXE
1048	o{qOsfR.exe
1048	o{qOsfR.exe
2572	Explorer.EXE
2572	Explorer.EXE
2572	Explorer.EXE
2572	Explorer.EXE
2572	Explorer.EXE
2572	Explorer.EXE
2572	Explorer.EXE
2572	Explorer.EXE
1048	o{qOsfR.exe
1048	o{qOsfR.exe
2572	Explorer.EXE
2572	Explorer.EXE
2572	Explorer.EXE
2572	Explorer.EXE
2572	Explorer.EXE
2572	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2572 Explorer.EXE

pid	process
2572	Explorer.EXE

Suspicious behavior: MapViewOfSection 31 IoCs

Processes:

84`.exeExplorer.EXE

pid	process
3704	84`.exe
2572	Explorer.EXE
2572	Explorer.EXE
2572	Explorer.EXE
2572	Explorer.EXE
2572	Explorer.EXE
2572	Explorer.EXE
2572	Explorer.EXE
2572	Explorer.EXE
2572	Explorer.EXE
2572	Explorer.EXE
2572	Explorer.EXE
2572	Explorer.EXE
2572	Explorer.EXE
2572	Explorer.EXE
2572	Explorer.EXE
2572	Explorer.EXE
2572	Explorer.EXE
2572	Explorer.EXE
2572	Explorer.EXE
2572	Explorer.EXE
2572	Explorer.EXE
2572	Explorer.EXE
2572	Explorer.EXE
2572	Explorer.EXE
2572	Explorer.EXE
2572	Explorer.EXE
2572	Explorer.EXE
2572	Explorer.EXE
2572	Explorer.EXE
2572	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Explorer.EXEo{qOsfR.exevssvc.exeWMIC.exewbengine.exetaskkill.exe

description	pid	process
Token: SeShutdownPrivilege	2572	Explorer.EXE
Token: SeCreatePagefilePrivilege	2572	Explorer.EXE
Token: SeDebugPrivilege	1048	o{qOsfR.exe
Token: SeShutdownPrivilege	2572	Explorer.EXE
Token: SeCreatePagefilePrivilege	2572	Explorer.EXE
Token: SeShutdownPrivilege	2572	Explorer.EXE
Token: SeCreatePagefilePrivilege	2572	Explorer.EXE
Token: SeBackupPrivilege	1480	vssvc.exe
Token: SeRestorePrivilege	1480	vssvc.exe
Token: SeAuditPrivilege	1480	vssvc.exe
Token: SeShutdownPrivilege	2572	Explorer.EXE
Token: SeCreatePagefilePrivilege	2572	Explorer.EXE
Token: SeIncreaseQuotaPrivilege	3900	WMIC.exe
Token: SeSecurityPrivilege	3900	WMIC.exe
Token: SeTakeOwnershipPrivilege	3900	WMIC.exe
Token: SeLoadDriverPrivilege	3900	WMIC.exe
Token: SeSystemProfilePrivilege	3900	WMIC.exe
Token: SeSystemtimePrivilege	3900	WMIC.exe
Token: SeProfSingleProcessPrivilege	3900	WMIC.exe
Token: SeIncBasePriorityPrivilege	3900	WMIC.exe
Token: SeCreatePagefilePrivilege	3900	WMIC.exe
Token: SeBackupPrivilege	3900	WMIC.exe
Token: SeRestorePrivilege	3900	WMIC.exe
Token: SeShutdownPrivilege	3900	WMIC.exe
Token: SeDebugPrivilege	3900	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3900	WMIC.exe
Token: SeRemoteShutdownPrivilege	3900	WMIC.exe
Token: SeUndockPrivilege	3900	WMIC.exe
Token: SeManageVolumePrivilege	3900	WMIC.exe
Token: 33	3900	WMIC.exe
Token: 34	3900	WMIC.exe
Token: 35	3900	WMIC.exe
Token: 36	3900	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3900	WMIC.exe
Token: SeSecurityPrivilege	3900	WMIC.exe
Token: SeTakeOwnershipPrivilege	3900	WMIC.exe
Token: SeLoadDriverPrivilege	3900	WMIC.exe
Token: SeSystemProfilePrivilege	3900	WMIC.exe
Token: SeSystemtimePrivilege	3900	WMIC.exe
Token: SeProfSingleProcessPrivilege	3900	WMIC.exe
Token: SeIncBasePriorityPrivilege	3900	WMIC.exe
Token: SeCreatePagefilePrivilege	3900	WMIC.exe
Token: SeBackupPrivilege	3900	WMIC.exe
Token: SeRestorePrivilege	3900	WMIC.exe
Token: SeShutdownPrivilege	3900	WMIC.exe
Token: SeDebugPrivilege	3900	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3900	WMIC.exe
Token: SeRemoteShutdownPrivilege	3900	WMIC.exe
Token: SeUndockPrivilege	3900	WMIC.exe
Token: SeManageVolumePrivilege	3900	WMIC.exe
Token: 33	3900	WMIC.exe
Token: 34	3900	WMIC.exe
Token: 35	3900	WMIC.exe
Token: 36	3900	WMIC.exe
Token: SeBackupPrivilege	2252	wbengine.exe
Token: SeRestorePrivilege	2252	wbengine.exe
Token: SeSecurityPrivilege	2252	wbengine.exe
Token: SeShutdownPrivilege	2572	Explorer.EXE
Token: SeCreatePagefilePrivilege	2572	Explorer.EXE
Token: SeShutdownPrivilege	2572	Explorer.EXE
Token: SeCreatePagefilePrivilege	2572	Explorer.EXE
Token: SeShutdownPrivilege	2572	Explorer.EXE
Token: SeCreatePagefilePrivilege	2572	Explorer.EXE
Token: SeDebugPrivilege	4400	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

caf660d5a464070e4a488bb3d2153c90204f739e75684f4d8ed56de1062b2f87.exe84`.exeo{qOsfR.execmd.execmd.exeExplorer.EXE8846.exe

description	pid	process	target process
PID 2256 wrote to memory of 4956	2256	caf660d5a464070e4a488bb3d2153c90204f739e75684f4d8ed56de1062b2f87.exe	certreq.exe
PID 2256 wrote to memory of 4956	2256	caf660d5a464070e4a488bb3d2153c90204f739e75684f4d8ed56de1062b2f87.exe	certreq.exe
PID 2256 wrote to memory of 4956	2256	caf660d5a464070e4a488bb3d2153c90204f739e75684f4d8ed56de1062b2f87.exe	certreq.exe
PID 2256 wrote to memory of 4956	2256	caf660d5a464070e4a488bb3d2153c90204f739e75684f4d8ed56de1062b2f87.exe	certreq.exe
PID 4464 wrote to memory of 3704	4464	84`.exe	84`.exe
PID 4464 wrote to memory of 3704	4464	84`.exe	84`.exe
PID 4464 wrote to memory of 3704	4464	84`.exe	84`.exe
PID 4464 wrote to memory of 3704	4464	84`.exe	84`.exe
PID 4464 wrote to memory of 3704	4464	84`.exe	84`.exe
PID 4464 wrote to memory of 3704	4464	84`.exe	84`.exe
PID 1048 wrote to memory of 5044	1048	o{qOsfR.exe	cmd.exe
PID 1048 wrote to memory of 5044	1048	o{qOsfR.exe	cmd.exe
PID 1048 wrote to memory of 4428	1048	o{qOsfR.exe	cmd.exe
PID 1048 wrote to memory of 4428	1048	o{qOsfR.exe	cmd.exe
PID 4428 wrote to memory of 1800	4428	cmd.exe	netsh.exe
PID 4428 wrote to memory of 1800	4428	cmd.exe	netsh.exe
PID 5044 wrote to memory of 1016	5044	cmd.exe	vssadmin.exe
PID 5044 wrote to memory of 1016	5044	cmd.exe	vssadmin.exe
PID 4428 wrote to memory of 3980	4428	cmd.exe	netsh.exe
PID 4428 wrote to memory of 3980	4428	cmd.exe	netsh.exe
PID 5044 wrote to memory of 3900	5044	cmd.exe	WMIC.exe
PID 5044 wrote to memory of 3900	5044	cmd.exe	WMIC.exe
PID 5044 wrote to memory of 2264	5044	cmd.exe	bcdedit.exe
PID 5044 wrote to memory of 2264	5044	cmd.exe	bcdedit.exe
PID 5044 wrote to memory of 3992	5044	cmd.exe	bcdedit.exe
PID 5044 wrote to memory of 3992	5044	cmd.exe	bcdedit.exe
PID 5044 wrote to memory of 972	5044	cmd.exe	wbadmin.exe
PID 5044 wrote to memory of 972	5044	cmd.exe	wbadmin.exe
PID 2572 wrote to memory of 1788	2572	Explorer.EXE	8846.exe
PID 2572 wrote to memory of 1788	2572	Explorer.EXE	8846.exe
PID 2572 wrote to memory of 3320	2572	Explorer.EXE	explorer.exe
PID 2572 wrote to memory of 3320	2572	Explorer.EXE	explorer.exe
PID 2572 wrote to memory of 3320	2572	Explorer.EXE	explorer.exe
PID 2572 wrote to memory of 3320	2572	Explorer.EXE	explorer.exe
PID 1788 wrote to memory of 3548	1788	8846.exe	curl.exe
PID 1788 wrote to memory of 3548	1788	8846.exe	curl.exe
PID 2572 wrote to memory of 296	2572	Explorer.EXE	explorer.exe
PID 2572 wrote to memory of 296	2572	Explorer.EXE	explorer.exe
PID 2572 wrote to memory of 296	2572	Explorer.EXE	explorer.exe
PID 2572 wrote to memory of 3744	2572	Explorer.EXE	explorer.exe
PID 2572 wrote to memory of 3744	2572	Explorer.EXE	explorer.exe
PID 2572 wrote to memory of 3744	2572	Explorer.EXE	explorer.exe
PID 2572 wrote to memory of 3744	2572	Explorer.EXE	explorer.exe
PID 1788 wrote to memory of 1476	1788	8846.exe	cmd.exe
PID 1788 wrote to memory of 1476	1788	8846.exe	cmd.exe
PID 1788 wrote to memory of 4400	1788	8846.exe	taskkill.exe
PID 1788 wrote to memory of 4400	1788	8846.exe	taskkill.exe
PID 2572 wrote to memory of 4912	2572	Explorer.EXE	explorer.exe
PID 2572 wrote to memory of 4912	2572	Explorer.EXE	explorer.exe
PID 2572 wrote to memory of 4912	2572	Explorer.EXE	explorer.exe
PID 2572 wrote to memory of 4912	2572	Explorer.EXE	explorer.exe
PID 1788 wrote to memory of 4296	1788	8846.exe	taskkill.exe
PID 1788 wrote to memory of 4296	1788	8846.exe	taskkill.exe
PID 1788 wrote to memory of 3928	1788	8846.exe	taskkill.exe
PID 1788 wrote to memory of 3928	1788	8846.exe	taskkill.exe
PID 2572 wrote to memory of 2836	2572	Explorer.EXE	explorer.exe
PID 2572 wrote to memory of 2836	2572	Explorer.EXE	explorer.exe
PID 2572 wrote to memory of 2836	2572	Explorer.EXE	explorer.exe
PID 2572 wrote to memory of 2836	2572	Explorer.EXE	explorer.exe
PID 1788 wrote to memory of 3076	1788	8846.exe	taskkill.exe
PID 1788 wrote to memory of 3076	1788	8846.exe	taskkill.exe
PID 1788 wrote to memory of 448	1788	8846.exe	runas.exe
PID 1788 wrote to memory of 448	1788	8846.exe	runas.exe
PID 2572 wrote to memory of 4620	2572	Explorer.EXE	explorer.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

outlook_office_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

outlook_win_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2572

C:\Users\Admin\AppData\Local\Temp\caf660d5a464070e4a488bb3d2153c90204f739e75684f4d8ed56de1062b2f87.exe
"C:\Users\Admin\AppData\Local\Temp\caf660d5a464070e4a488bb3d2153c90204f739e75684f4d8ed56de1062b2f87.exe"
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2256 -s 816
3⤵
- Program crash
PID:5096

C:\Windows\system32\certreq.exe
"C:\Windows\system32\certreq.exe"
2⤵
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:4956

C:\Users\Admin\AppData\Local\Temp\8846.exe
C:\Users\Admin\AppData\Local\Temp\8846.exe
2⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1788

C:\Windows\system32\curl.exe
curl -s ipinfo.io/country
3⤵
PID:3548

C:\Windows\system32\taskkill.exe
taskkill /F /IM firefox.exe
3⤵
PID:4400

C:\Windows\SYSTEM32\cmd.exe
cmd /c
3⤵
PID:1476

C:\Windows\system32\taskkill.exe
taskkill /F /IM chrome.exe
3⤵
- Kills process with taskkill
PID:4296

C:\Windows\system32\taskkill.exe
taskkill /F /IM edge.exe
3⤵
- Kills process with taskkill
PID:3928

C:\Windows\system32\taskkill.exe
taskkill /F /IM brave.exe
3⤵
- Kills process with taskkill
PID:3076

C:\Windows\system32\runas.exe
runas /user:Administrator C:\Users\Admin\AppData\Local\Temp\8846.exe
3⤵
PID:448

C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq httpdebuggerui.exe"
3⤵
- Enumerates processes with tasklist
PID:3432

C:\Windows\system32\taskkill.exe
taskkill /F /IM httpdebuggerui.exe
3⤵
- Kills process with taskkill
PID:1544

C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq wireshark.exe"
3⤵
- Enumerates processes with tasklist
PID:5040

C:\Windows\system32\taskkill.exe
taskkill /F /IM wireshark.exe
3⤵
PID:1836

C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq fiddler.exe"
3⤵
PID:1360

C:\Windows\system32\taskkill.exe
taskkill /F /IM fiddler.exe
3⤵
- Kills process with taskkill
PID:2324

C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq regedit.exe"
3⤵
- Enumerates processes with tasklist
PID:2764

C:\Windows\system32\taskkill.exe
taskkill /F /IM regedit.exe
3⤵
- Kills process with taskkill
PID:2272

C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq taskmgr.exe"
3⤵
PID:3064

C:\Windows\system32\taskkill.exe
taskkill /F /IM taskmgr.exe
3⤵
- Kills process with taskkill
PID:5072

C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq vboxservice.exe"
3⤵
- Enumerates processes with tasklist
PID:5080

C:\Windows\system32\taskkill.exe
taskkill /F /IM vboxservice.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4400

C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq df5serv.exe"
3⤵
- Enumerates processes with tasklist
PID:3252

C:\Windows\system32\taskkill.exe
taskkill /F /IM df5serv.exe
3⤵
PID:852

C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq processhacker.exe"
3⤵
- Enumerates processes with tasklist
PID:3992

C:\Windows\system32\taskkill.exe
taskkill /F /IM processhacker.exe
3⤵
- Kills process with taskkill
PID:1832

C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq vboxtray.exe"
3⤵
- Enumerates processes with tasklist
PID:3840

C:\Windows\system32\taskkill.exe
taskkill /F /IM vboxtray.exe
3⤵
PID:796

C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq vmtoolsd.exe"
3⤵
PID:284

C:\Windows\system32\taskkill.exe
taskkill /F /IM vmtoolsd.exe
3⤵
PID:1132

C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq vmwaretray.exe"
3⤵
PID:2728

C:\Windows\system32\taskkill.exe
taskkill /F /IM vmwaretray.exe
3⤵
- Kills process with taskkill
PID:1620

C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq ida64.exe"
3⤵
- Enumerates processes with tasklist
PID:1784

C:\Windows\system32\taskkill.exe
taskkill /F /IM ida64.exe
3⤵
- Kills process with taskkill
PID:1796

C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq ollydbg.exe"
3⤵
- Enumerates processes with tasklist
PID:616

C:\Windows\system32\taskkill.exe
taskkill /F /IM ollydbg.exe
3⤵
- Kills process with taskkill
PID:3564

C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq pestudio.exe"
3⤵
PID:3320

C:\Windows\system32\taskkill.exe
taskkill /F /IM pestudio.exe
3⤵
PID:4692

C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq vmwareuser.exe"
3⤵
- Enumerates processes with tasklist
PID:5036

C:\Windows\system32\taskkill.exe
taskkill /F /IM vmwareuser.exe
3⤵
PID:2412

C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq vgauthservice.exe"
3⤵
PID:1132

C:\Windows\system32\taskkill.exe
taskkill /F /IM vgauthservice.exe
3⤵
PID:4692

C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq vmacthlp.exe"
3⤵
- Enumerates processes with tasklist
PID:3888

C:\Windows\system32\taskkill.exe
taskkill /F /IM vmacthlp.exe
3⤵
- Kills process with taskkill
PID:2420

C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq x96dbg.exe"
3⤵
- Enumerates processes with tasklist
PID:5100

C:\Windows\system32\taskkill.exe
taskkill /F /IM x96dbg.exe
3⤵
PID:1904

C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq vmsrvc.exe"
3⤵
- Enumerates processes with tasklist
PID:1524

C:\Windows\system32\taskkill.exe
taskkill /F /IM vmsrvc.exe
3⤵
- Kills process with taskkill
PID:5044

C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq x32dbg.exe"
3⤵
- Enumerates processes with tasklist
PID:4912

C:\Windows\system32\taskkill.exe
taskkill /F /IM x32dbg.exe
3⤵
- Kills process with taskkill
PID:5040

C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq vmusrvc.exe"
3⤵
- Enumerates processes with tasklist
PID:4552

C:\Windows\system32\taskkill.exe
taskkill /F /IM vmusrvc.exe
3⤵
PID:2816

C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq prl_cc.exe"
3⤵
- Enumerates processes with tasklist
PID:448

C:\Windows\system32\taskkill.exe
taskkill /F /IM prl_cc.exe
3⤵
- Kills process with taskkill
PID:5052

C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq prl_tools.exe"
3⤵
- Enumerates processes with tasklist
PID:3980

C:\Windows\system32\taskkill.exe
taskkill /F /IM prl_tools.exe
3⤵
- Kills process with taskkill
PID:4588

C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq xenservice.exe"
3⤵
- Enumerates processes with tasklist
PID:1796

C:\Windows\system32\taskkill.exe
taskkill /F /IM xenservice.exe
3⤵
- Kills process with taskkill
PID:1668

C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq qemu-ga.exe"
3⤵
PID:2188

C:\Windows\system32\taskkill.exe
taskkill /F /IM qemu-ga.exe
3⤵
- Kills process with taskkill
PID:4692

C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq joeboxcontrol.exe"
3⤵
- Enumerates processes with tasklist
PID:280

C:\Windows\system32\taskkill.exe
taskkill /F /IM joeboxcontrol.exe
3⤵
- Kills process with taskkill
PID:296

C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq ksdumperclient.exe"
3⤵
- Enumerates processes with tasklist
PID:3632

C:\Windows\system32\taskkill.exe
taskkill /F /IM ksdumperclient.exe
3⤵
PID:3092

C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq ksdumper.exe"
3⤵
- Enumerates processes with tasklist
PID:1540

C:\Windows\system32\taskkill.exe
taskkill /F /IM ksdumper.exe
3⤵
PID:700

C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq joeboxserver.exe"
3⤵
- Enumerates processes with tasklist
PID:2140

C:\Windows\system32\taskkill.exe
taskkill /F /IM joeboxserver.exe
3⤵
- Kills process with taskkill
PID:5056

C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq Wireshark.exe"
3⤵
- Enumerates processes with tasklist
PID:668

C:\Windows\system32\taskkill.exe
taskkill /F /IM Wireshark.exe
3⤵
PID:2960

C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq idaq.exe"
3⤵
- Enumerates processes with tasklist
PID:3644

C:\Windows\system32\taskkill.exe
taskkill /F /IM idaq.exe
3⤵
- Kills process with taskkill
PID:4448

C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq idaq64.exe"
3⤵
- Enumerates processes with tasklist
PID:852

C:\Windows\system32\taskkill.exe
taskkill /F /IM idaq64.exe
3⤵
PID:4236

C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq ida64.exe"
3⤵
- Enumerates processes with tasklist
PID:4856

C:\Windows\system32\taskkill.exe
taskkill /F /IM ida64.exe
3⤵
PID:292

C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq OLLYDBG.exe"
3⤵
- Enumerates processes with tasklist
PID:2140

C:\Windows\system32\taskkill.exe
taskkill /F /IM OLLYDBG.exe
3⤵
PID:5004

C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq WinDbg.exe"
3⤵
- Enumerates processes with tasklist
PID:3828

C:\Windows\system32\taskkill.exe
taskkill /F /IM WinDbg.exe
3⤵
- Kills process with taskkill
PID:1656

C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq Procmon.exe"
3⤵
- Enumerates processes with tasklist
PID:744

C:\Windows\system32\taskkill.exe
taskkill /F /IM Procmon.exe
3⤵
PID:3984

C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq vmware.exe"
3⤵
- Enumerates processes with tasklist
PID:2884

C:\Windows\system32\taskkill.exe
taskkill /F /IM vmware.exe
3⤵
PID:3248

C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq vmware-tray.exe"
3⤵
- Enumerates processes with tasklist
PID:3340

C:\Windows\system32\taskkill.exe
taskkill /F /IM vmware-tray.exe
3⤵
PID:4704

C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq vmware-vmx.exe"
3⤵
- Enumerates processes with tasklist
PID:2108

C:\Windows\system32\taskkill.exe
taskkill /F /IM vmware-vmx.exe
3⤵
- Kills process with taskkill
PID:2856

C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq vmware-authd.exe"
3⤵
- Enumerates processes with tasklist
PID:1380

C:\Windows\system32\taskkill.exe
taskkill /F /IM vmware-authd.exe
3⤵
PID:1132

C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq VirtualBox.exe"
3⤵
- Enumerates processes with tasklist
PID:2584

C:\Windows\system32\taskkill.exe
taskkill /F /IM VirtualBox.exe
3⤵
PID:2960

C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq VBoxSVC.exe"
3⤵
PID:3632

C:\Windows\system32\taskkill.exe
taskkill /F /IM VBoxSVC.exe
3⤵
- Kills process with taskkill
PID:4296

C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq VBoxNetDHCP.exe"
3⤵
- Enumerates processes with tasklist
PID:3196

C:\Windows\system32\taskkill.exe
taskkill /F /IM VBoxNetDHCP.exe
3⤵
PID:2344

C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq VBoxNetNAT.exe"
3⤵
- Enumerates processes with tasklist
PID:4436

C:\Windows\system32\taskkill.exe
taskkill /F /IM VBoxNetNAT.exe
3⤵
- Kills process with taskkill
PID:1860

C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq VBoxHeadless.exe"
3⤵
- Enumerates processes with tasklist
PID:4788

C:\Windows\system32\taskkill.exe
taskkill /F /IM VBoxHeadless.exe
3⤵
- Kills process with taskkill
PID:4368

C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq qemu-system-x86_64.exe"
3⤵
- Enumerates processes with tasklist
PID:3760

C:\Windows\system32\taskkill.exe
taskkill /F /IM qemu-system-x86_64.exe
3⤵
- Kills process with taskkill
PID:1540

C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq qemu-system-arm.exe"
3⤵
- Enumerates processes with tasklist
PID:3020

C:\Windows\system32\taskkill.exe
taskkill /F /IM qemu-system-arm.exe
3⤵
PID:4316

C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq python.exe"
3⤵
- Enumerates processes with tasklist
PID:4168

C:\Windows\system32\taskkill.exe
taskkill /F /IM python.exe
3⤵
- Kills process with taskkill
PID:1440

C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq pythonw.exe"
3⤵
- Enumerates processes with tasklist
PID:4204

C:\Windows\system32\taskkill.exe
taskkill /F /IM pythonw.exe
3⤵
PID:5036

C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq python3.exe"
3⤵
- Enumerates processes with tasklist
PID:1652

C:\Windows\system32\taskkill.exe
taskkill /F /IM python3.exe
3⤵
- Kills process with taskkill
PID:1376

C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq python3w.exe"
3⤵
- Enumerates processes with tasklist
PID:700

C:\Windows\system32\taskkill.exe
taskkill /F /IM python3w.exe
3⤵
- Kills process with taskkill
PID:4444

C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq Taskmgr.exe"
3⤵
- Enumerates processes with tasklist
PID:616

C:\Windows\system32\taskkill.exe
taskkill /F /IM Taskmgr.exe
3⤵
PID:220

C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq msconfig.exe"
3⤵
- Enumerates processes with tasklist
PID:4400

C:\Windows\system32\taskkill.exe
taskkill /F /IM msconfig.exe
3⤵
- Kills process with taskkill
PID:1652

C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq regedit.exe"
3⤵
- Enumerates processes with tasklist
PID:3332

C:\Windows\system32\taskkill.exe
taskkill /F /IM regedit.exe
3⤵
- Kills process with taskkill
PID:1488

C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq x64dbg.exe"
3⤵
- Enumerates processes with tasklist
PID:4368

C:\Windows\system32\taskkill.exe
taskkill /F /IM x64dbg.exe
3⤵
- Kills process with taskkill
PID:4192

C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq x32dbg.exe"
3⤵
- Enumerates processes with tasklist
PID:1232

C:\Windows\system32\taskkill.exe
taskkill /F /IM x32dbg.exe
3⤵
- Kills process with taskkill
PID:1360

C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq radare2.exe"
3⤵
- Enumerates processes with tasklist
PID:1016

C:\Windows\system32\taskkill.exe
taskkill /F /IM radare2.exe
3⤵
PID:4652

C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq r2.exe"
3⤵
- Enumerates processes with tasklist
PID:224

C:\Windows\system32\taskkill.exe
taskkill /F /IM r2.exe
3⤵
- Kills process with taskkill
PID:4880

C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq Ghidra.exe"
3⤵
- Enumerates processes with tasklist
PID:796

C:\Windows\system32\taskkill.exe
taskkill /F /IM Ghidra.exe
3⤵
PID:280

C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq ImmunityDebugger.exe"
3⤵
- Enumerates processes with tasklist
PID:4740

C:\Windows\system32\taskkill.exe
taskkill /F /IM ImmunityDebugger.exe
3⤵
- Kills process with taskkill
PID:1984

C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq ImmunityDebugger.exe"
3⤵
- Enumerates processes with tasklist
PID:3732

C:\Windows\system32\taskkill.exe
taskkill /F /IM ImmunityDebugger.exe
3⤵
- Kills process with taskkill
PID:696

C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq Fiddler.exe"
3⤵
- Enumerates processes with tasklist
PID:2324

C:\Windows\system32\taskkill.exe
taskkill /F /IM Fiddler.exe
3⤵
- Kills process with taskkill
PID:4656

C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq tcpview.exe"
3⤵
- Enumerates processes with tasklist
PID:616

C:\Windows\system32\taskkill.exe
taskkill /F /IM tcpview.exe
3⤵
- Kills process with taskkill
PID:3888

C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq Sysmon.exe"
3⤵
- Enumerates processes with tasklist
PID:744

C:\Windows\system32\taskkill.exe
taskkill /F /IM Sysmon.exe
3⤵
PID:1860

C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq ProcessHacker.exe"
3⤵
- Enumerates processes with tasklist
PID:4296

C:\Windows\system32\taskkill.exe
taskkill /F /IM ProcessHacker.exe
3⤵
PID:2492

C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq ApateDNS.exe"
3⤵
- Enumerates processes with tasklist
PID:2100

C:\Windows\system32\taskkill.exe
taskkill /F /IM ApateDNS.exe
3⤵
- Kills process with taskkill
PID:3036

C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq Cuckoo.exe"
3⤵
- Enumerates processes with tasklist
PID:4628

C:\Windows\system32\taskkill.exe
taskkill /F /IM Cuckoo.exe
3⤵
- Kills process with taskkill
PID:3080

C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq CFF Explorer.exe"
3⤵
PID:4788

C:\Windows\system32\taskkill.exe
taskkill /F /IM "CFF Explorer.exe"
3⤵
- Kills process with taskkill
PID:2448

C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq Wireshark.exe"
3⤵
- Enumerates processes with tasklist
PID:1112

C:\Windows\system32\taskkill.exe
taskkill /F /IM Wireshark.exe
3⤵
PID:4116

C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq Regshot.exe"
3⤵
- Enumerates processes with tasklist
PID:4708

C:\Windows\system32\taskkill.exe
taskkill /F /IM Regshot.exe
3⤵
- Kills process with taskkill
PID:4988

C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq procexp.exe"
3⤵
- Enumerates processes with tasklist
PID:5016

C:\Windows\system32\taskkill.exe
taskkill /F /IM procexp.exe
3⤵
- Kills process with taskkill
PID:3896

C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq procexp64.exe"
3⤵
- Enumerates processes with tasklist
PID:616

C:\Windows\system32\taskkill.exe
taskkill /F /IM procexp64.exe
3⤵
- Kills process with taskkill
PID:3888

C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq dumpcap.exe"
3⤵
- Enumerates processes with tasklist
PID:1488

C:\Windows\system32\taskkill.exe
taskkill /F /IM dumpcap.exe
3⤵
PID:848

C:\Windows\system32\curl.exe
curl -s ipinfo.io/country
3⤵
PID:164

C:\Windows\system32\curl.exe
curl -s ipinfo.io/country
3⤵
PID:2108

C:\Windows\system32\curl.exe
curl -s ipinfo.io/country
3⤵
PID:3204

C:\Windows\System32\WindowsPowerShell\v1.0\PowerShell.exe
PowerShell -Command Add-Type -AssemblyName "System.Windows.Forms;$clip=[Windows.Forms.Clipboard]::GetImage();if ($clip -ne $null) { $clip.Save('C:\Users\Admin\AppData\Local\Temp\2985226527') };"
3⤵
PID:4652

C:\Windows\system32\curl.exe
curl -s ipinfo.io/country
3⤵
PID:1484

C:\Windows\System32\Wbem\wmic.exe
wmic desktopmonitor get "screenheight, screenwidth"
3⤵
PID:4788

C:\Windows\system32\cmd.exe
cmd /C net session
3⤵
PID:956

C:\Windows\system32\net.exe
net session
4⤵
PID:696

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 session
5⤵
PID:2468

C:\Windows\system32\systeminfo.exe
systeminfo
3⤵
- Gathers system information
PID:4908

C:\Windows\system32\curl.exe
curl -s ipinfo.io/country
3⤵
PID:616

C:\Windows\System32\Wbem\wmic.exe
wmic csproduct get uuid
3⤵
PID:3564

C:\Windows\system32\curl.exe
curl -s ipinfo.io/country
3⤵
PID:3320

C:\Windows\system32\curl.exe
curl -s ipinfo.io/country
3⤵
PID:848

C:\Windows\system32\curl.exe
curl -s ipinfo.io/country
3⤵
PID:3792

C:\Windows\system32\curl.exe
curl -s ipinfo.io/country
3⤵
PID:2172

C:\Windows\system32\curl.exe
curl -s ipinfo.io/country
3⤵
PID:880

C:\Windows\system32\curl.exe
curl -s ipinfo.io/country
3⤵
PID:3076

C:\Windows\system32\curl.exe
curl -s ipinfo.io/country
3⤵
PID:3140

C:\Windows\system32\curl.exe
curl -s ipinfo.io/country
3⤵
PID:3600

C:\Windows\system32\curl.exe
curl -s ipinfo.io/country
3⤵
PID:3204

C:\Windows\system32\curl.exe
curl -s ipinfo.io/country
3⤵
PID:3036

C:\Windows\system32\curl.exe
curl -s ipinfo.io/country
3⤵
PID:3436

C:\Windows\system32\curl.exe
curl -s ipinfo.io/country
3⤵
PID:4896

C:\Windows\system32\curl.exe
curl -s ipinfo.io/country
3⤵
PID:1540

C:\Windows\system32\curl.exe
curl -s ipinfo.io/country
3⤵
PID:1452

C:\Windows\system32\curl.exe
curl -s ipinfo.io/country
3⤵
PID:2448

C:\Windows\system32\curl.exe
curl -s ipinfo.io/country
3⤵
PID:3632

C:\Windows\system32\taskkill.exe
taskkill /F /IM msedge.exe
3⤵
- Kills process with taskkill
PID:4228

C:\Windows\system32\taskkill.exe
taskkill /F /IM chrome.exe
3⤵
PID:4972

C:\Windows\system32\taskkill.exe
taskkill /F /IM brave.exe
3⤵
PID:4748

C:\Windows\system32\taskkill.exe
taskkill /F /IM firefox.exe
3⤵
- Kills process with taskkill
PID:3324

C:\Windows\system32\taskkill.exe
taskkill /F /IM Telegram.exe
3⤵
- Kills process with taskkill
PID:1416

C:\Windows\system32\taskkill.exe
taskkill /F /IM Telegram.exe
3⤵
- Kills process with taskkill
PID:5056

C:\Windows\system32\taskkill.exe
taskkill /F /IM Telegram.exe
3⤵
PID:4124

C:\Windows\system32\taskkill.exe
taskkill /F /IM Telegram.exe
3⤵
PID:5020

C:\Windows\system32\taskkill.exe
taskkill /F /IM Telegram.exe
3⤵
- Kills process with taskkill
PID:2172

C:\Windows\system32\taskkill.exe
taskkill /F /IM Telegram.exe
3⤵
PID:1796

C:\Windows\system32\taskkill.exe
taskkill /F /IM Telegram.exe
3⤵
- Kills process with taskkill
PID:3136

C:\Windows\system32\taskkill.exe
taskkill /F /IM Telegram.exe
3⤵
- Kills process with taskkill
PID:1964

C:\Windows\system32\taskkill.exe
taskkill /F /IM Telegram.exe
3⤵
- Kills process with taskkill
PID:224

C:\Windows\system32\taskkill.exe
taskkill /F /IM Telegram.exe
3⤵
- Kills process with taskkill
PID:280

C:\Windows\system32\taskkill.exe
taskkill /F /IM Telegram.exe
3⤵
- Kills process with taskkill
PID:2736

C:\Windows\system32\taskkill.exe
taskkill /F /IM Telegram.exe
3⤵
- Kills process with taskkill
PID:1620

C:\Windows\system32\taskkill.exe
taskkill /F /IM Telegram.exe
3⤵
- Kills process with taskkill
PID:4236

C:\Windows\system32\taskkill.exe
taskkill /F /IM Telegram.exe
3⤵
PID:2468

C:\Windows\system32\taskkill.exe
taskkill /F /IM Telegram.exe
3⤵
- Kills process with taskkill
PID:3020

C:\Windows\system32\taskkill.exe
taskkill /F /IM Telegram.exe
3⤵
PID:4484

C:\Windows\system32\cmd.exe
cmd /C "C:\Users\Admin\AppData\Local\Temp\My Phone.exe"
3⤵
PID:3252

C:\Windows\system32\taskkill.exe
taskkill /F /IM msedge.exe
3⤵
PID:2236

C:\Windows\system32\taskkill.exe
taskkill /F /IM chrome.exe
3⤵
PID:3452

C:\Windows\system32\taskkill.exe
taskkill /F /IM brave.exe
3⤵
PID:4592

C:\Windows\system32\taskkill.exe
taskkill /F /IM firefox.exe
3⤵
PID:5080

C:\Windows\system32\taskkill.exe
taskkill /F /IM bitcoin-qt.exe
3⤵
- Kills process with taskkill
PID:5056

C:\Windows\system32\taskkill.exe
taskkill /F /IM litecoin-qt.exe
3⤵
PID:2096

C:\Windows\system32\taskkill.exe
taskkill /F /IM dash-qt.exe
3⤵
- Kills process with taskkill
PID:5104

C:\Windows\system32\taskkill.exe
taskkill /F /IM geth.exe
3⤵
- Kills process with taskkill
PID:2236

C:\Windows\system32\taskkill.exe
taskkill /F /IM electrum.exe
3⤵
PID:1944

C:\Windows\system32\taskkill.exe
taskkill /F /IM exodus.exe
3⤵
PID:1528

C:\Windows\system32\taskkill.exe
taskkill /F /IM atomic.exe
3⤵
- Kills process with taskkill
PID:3120

C:\Windows\system32\taskkill.exe
taskkill /F /IM monero-wallet-gui.exe
3⤵
- Kills process with taskkill
PID:2012

C:\Windows\system32\taskkill.exe
taskkill /F /IM monerod.exe
3⤵
PID:292

C:\Windows\system32\taskkill.exe
taskkill /F /IM coinomi.exe
3⤵
PID:2644

C:\Windows\system32\curl.exe
curl -s ipinfo.io/country
3⤵
PID:4484

C:\Windows\system32\curl.exe
curl -s ipinfo.io/country
3⤵
PID:956

C:\Windows\system32\curl.exe
curl -s ipinfo.io/country
3⤵
PID:1232

C:\Windows\system32\curl.exe
curl -s ipinfo.io/country
3⤵
PID:3036

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
PID:3320

C:\Windows\explorer.exe
C:\Windows\explorer.exe
2⤵
PID:296

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:3744

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:4912

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:2836

C:\Windows\explorer.exe
C:\Windows\explorer.exe
2⤵
PID:4620

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:212

C:\Windows\explorer.exe
C:\Windows\explorer.exe
2⤵
PID:3848

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:1456

C:\Windows\explorer.exe
C:\Windows\explorer.exe
2⤵
PID:2880

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:4936

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:4520

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:3548

C:\Windows\explorer.exe
C:\Windows\explorer.exe
2⤵
PID:4344

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:1060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2256 -ip 2256
1⤵
PID:4068

C:\Users\Admin\AppData\Local\Microsoft\84`.exe
"C:\Users\Admin\AppData\Local\Microsoft\84`.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4464

C:\Users\Admin\AppData\Local\Microsoft\84`.exe
"C:\Users\Admin\AppData\Local\Microsoft\84`.exe"
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3704

C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe
"C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe"
1⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1048

C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe
"C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe"
2⤵
- Executes dropped EXE
PID:2212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2212 -s 460
3⤵
- Program crash
PID:3896

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4428

C:\Windows\system32\netsh.exe
netsh advfirewall set currentprofile state off
3⤵
- Modifies Windows Firewall
PID:1800

C:\Windows\system32\netsh.exe
netsh firewall set opmode mode=disable
3⤵
- Modifies Windows Firewall
PID:3980

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:5044

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:1016

C:\Windows\System32\Wbem\WMIC.exe
wmic shadowcopy delete
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3900

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy ignoreallfailures
3⤵
- Modifies boot configuration data using bcdedit
PID:2264

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled no
3⤵
- Modifies boot configuration data using bcdedit
PID:3992

C:\Windows\system32\wbadmin.exe
wbadmin delete catalog -quiet
3⤵
- Deletes backup catalog
PID:972

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
2⤵
PID:972

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
2⤵
PID:4920

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
2⤵
PID:3248

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "F:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
2⤵
PID:3384

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
2⤵
PID:5020

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:164

C:\Windows\System32\Wbem\WMIC.exe
wmic shadowcopy delete
3⤵
PID:4448

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy ignoreallfailures
3⤵
- Modifies boot configuration data using bcdedit
PID:2096

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled no
3⤵
- Modifies boot configuration data using bcdedit
PID:1796

C:\Windows\system32\wbadmin.exe
wbadmin delete catalog -quiet
3⤵
- Deletes backup catalog
PID:1376

C:\Users\Admin\AppData\Local\Microsoft\xUZbuun.exe
"C:\Users\Admin\AppData\Local\Microsoft\xUZbuun.exe"
1⤵
- Executes dropped EXE
PID:2268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2212 -ip 2212
1⤵
PID:2220

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1480

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2252

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:1468

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Checks SCSI registry key(s)
PID:2008

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems64.dll.id[49C07676-3483].[[email protected]].8base
Filesize
3.2MB

MD5
f3705eecbe7fafb7f0d58b22c412c6d0

SHA1
923033e7eb9351b4741ccec117afc5837549fbee

SHA256
29bfaf87ca688a65ff64ce007e240736771c42f1f900a806280f8fb61b2ae1bf

SHA512
358c01e0eb34a7d7e0054f2ea547d316ddcbc6b766a2e39f024648d3793ae465b164f022f50f5806b578b3c70f0e45e254ec5641fe5243708adbb436b151f365

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A
Filesize
893B

MD5
d4ae187b4574036c2d76b6df8a8c1a30

SHA1
b06f409fa14bab33cbaf4a37811b8740b624d9e5

SHA256
a2ce3a0fa7d2a833d1801e01ec48e35b70d84f3467cc9f8fab370386e13879c7

SHA512
1f44a360e8bb8ada22bc5bfe001f1babb4e72005a46bc2a94c33c4bd149ff256cce6f35d65ca4f7fc2a5b9e15494155449830d2809c8cf218d0b9196ec646b0c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0F5C59F9FA661F6F4C50B87FEF3A15A
Filesize
252B

MD5
47019698e3fc31a456c70ef75101d231

SHA1
be181f735f5871afcdceac3265fb0b6297926d26

SHA256
0c7e47ad91809bc2de99a687e6d0a46852a275c66fb8047568c04772d1e3a7e5

SHA512
1c4302cd5176cf64064a39723723be9839e6a55575a2d4cfe2cd0b78edbee07daa3f8ba8fdb20134322db6d220e0827d0f900b99ea9ea53545012b0cf0088937

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\84`.exe
Filesize
233KB

MD5
f56ab31379d92b546875eff976ec9148

SHA1
79ba7f22410a64adf18e36005cfa98179f128053

SHA256
d509b4fc5c6dd7c8c9b2bec568f39ad1b0a9724a8046b342e207d5c5c260b4d0

SHA512
650ddd099dfa9de50c6e5493c4d33c7dcaeb9827069becfb5756b802789926e1520c9672685ed6afb2b4c4e960ab860aa6a35e1fa6dc4b5de1b023efacc09258

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\84`.exe
Filesize
233KB

MD5
f56ab31379d92b546875eff976ec9148

SHA1
79ba7f22410a64adf18e36005cfa98179f128053

SHA256
d509b4fc5c6dd7c8c9b2bec568f39ad1b0a9724a8046b342e207d5c5c260b4d0

SHA512
650ddd099dfa9de50c6e5493c4d33c7dcaeb9827069becfb5756b802789926e1520c9672685ed6afb2b4c4e960ab860aa6a35e1fa6dc4b5de1b023efacc09258

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\84`.exe
Filesize
233KB

MD5
f56ab31379d92b546875eff976ec9148

SHA1
79ba7f22410a64adf18e36005cfa98179f128053

SHA256
d509b4fc5c6dd7c8c9b2bec568f39ad1b0a9724a8046b342e207d5c5c260b4d0

SHA512
650ddd099dfa9de50c6e5493c4d33c7dcaeb9827069becfb5756b802789926e1520c9672685ed6afb2b4c4e960ab860aa6a35e1fa6dc4b5de1b023efacc09258

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000028.db.id[49C07676-3483].[[email protected]].8base
Filesize
92KB

MD5
ab288733bdf9894fb104639b8986cf56

SHA1
6ccdfa31cec8244e589d3dd9dd06b2b858bb1bdd

SHA256
53c0a44aa59bef25963310d534baf383d36f8595bc9ea75974a69fc0dd158ff8

SHA512
1313a2f0f122737f48e86abe83259100ee8e222db0dfe085fa15c0a07e1e68261f9673503fe73bea201d918fe2538395a9be4438d2adad8dc2a2cb4715367bca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe
Filesize
232KB

MD5
e2c05722293b07319cfd5bb1fef74f44

SHA1
d3f4f66861f8bf6aae657e475bcb8222c77a2770

SHA256
f909efbae3c83ae64dcd8f57e18be891df6386ca89f3a2f4c40d12ebc1913ef4

SHA512
92c0a3d6bf1708c82f17c8236c3e23ba66f0c3788fcf5c66553353765f3ba657c1a69a092493a71c4dbeac01e235da2c91f93ce19718f1728ffc1c29e3e64037

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe
Filesize
232KB

MD5
e2c05722293b07319cfd5bb1fef74f44

SHA1
d3f4f66861f8bf6aae657e475bcb8222c77a2770

SHA256
f909efbae3c83ae64dcd8f57e18be891df6386ca89f3a2f4c40d12ebc1913ef4

SHA512
92c0a3d6bf1708c82f17c8236c3e23ba66f0c3788fcf5c66553353765f3ba657c1a69a092493a71c4dbeac01e235da2c91f93ce19718f1728ffc1c29e3e64037

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe
Filesize
232KB

MD5
e2c05722293b07319cfd5bb1fef74f44

SHA1
d3f4f66861f8bf6aae657e475bcb8222c77a2770

SHA256
f909efbae3c83ae64dcd8f57e18be891df6386ca89f3a2f4c40d12ebc1913ef4

SHA512
92c0a3d6bf1708c82f17c8236c3e23ba66f0c3788fcf5c66553353765f3ba657c1a69a092493a71c4dbeac01e235da2c91f93ce19718f1728ffc1c29e3e64037

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\xUZbuun.exe
Filesize
231KB

MD5
e411054bf19f624a88719981c5eb22d6

SHA1
943df640e6c34757e60dbcb98129f3550bec7f38

SHA256
046b6de02d3af494896a540bd5189faf6f2f9f75d00c59657071ff0aa5ed94a0

SHA512
39d647fa6158ae5453a6a448881e5f86ab9d1ea54047997eb358e40a1dd2d44a7b5665e7ff206013512e071cc4ce616accdad661bd2d1aafad8f8d224577700a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\xUZbuun.exe
Filesize
231KB

MD5
e411054bf19f624a88719981c5eb22d6

SHA1
943df640e6c34757e60dbcb98129f3550bec7f38

SHA256
046b6de02d3af494896a540bd5189faf6f2f9f75d00c59657071ff0aa5ed94a0

SHA512
39d647fa6158ae5453a6a448881e5f86ab9d1ea54047997eb358e40a1dd2d44a7b5665e7ff206013512e071cc4ce616accdad661bd2d1aafad8f8d224577700a

Download Submit
C:\Users\Admin\AppData\Local\Temp\8846.exe
Filesize
3.0MB

MD5
e66da0976a0b61e5324342c041f96c76

SHA1
497b6095951eb9693f80adc80be25584bbd7af57

SHA256
bcb9371d864f76703f0e634b239edda2a8c3c5573588dfd5a5d0e186506be3a6

SHA512
a4052c344ec66770f30890917667263f2eaa24459a7a53b5dfccf469b19ef95a72e449904ec7890b2729cd83704b5b9a690a38b50f4d1b22e4b6bfc7465cf0bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\8846.exe
Filesize
3.0MB

MD5
e66da0976a0b61e5324342c041f96c76

SHA1
497b6095951eb9693f80adc80be25584bbd7af57

SHA256
bcb9371d864f76703f0e634b239edda2a8c3c5573588dfd5a5d0e186506be3a6

SHA512
a4052c344ec66770f30890917667263f2eaa24459a7a53b5dfccf469b19ef95a72e449904ec7890b2729cd83704b5b9a690a38b50f4d1b22e4b6bfc7465cf0bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\B1D6\C\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe\Microsoft.Wallet.dll
Filesize
5.5MB

MD5
f1dc5b8a79c63a340d928dfd24dd2f60

SHA1
4062882b01ace1ed1c9bdd9ea3869b20292d1052

SHA256
f49c7f86771a1267a92eb029bb24a9707169fa4c7ac2ad51bbe75337514de0bc

SHA512
70fb239a1ed78cff36504d3dd096a7d7ff84cdce22fd25288eb5f8d5a6141c934bfad169a107bae251ed7cb99d84b78ee245426c6a1189b23a275ee3e9e51bff

Download Submit
C:\Users\Admin\AppData\Local\Temp\B1D6\C\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe\Microsoft.Wallet.dll.id[49C07676-3483].[[email protected]].8base
Filesize
5.5MB

MD5
f1dc5b8a79c63a340d928dfd24dd2f60

SHA1
4062882b01ace1ed1c9bdd9ea3869b20292d1052

SHA256
f49c7f86771a1267a92eb029bb24a9707169fa4c7ac2ad51bbe75337514de0bc

SHA512
70fb239a1ed78cff36504d3dd096a7d7ff84cdce22fd25288eb5f8d5a6141c934bfad169a107bae251ed7cb99d84b78ee245426c6a1189b23a275ee3e9e51bff

Download Submit
C:\Users\Admin\AppData\Local\Temp\B1D6\C\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe\Microsoft.Wallet.exe
Filesize
18KB

MD5
cfe72ed40a076ae4f4157940ce0c5d44

SHA1
8010f7c746a7ba4864785f798f46ec05caae7ece

SHA256
6868894ab04d08956388a94a81016f03d5b7a7b1646c8a6235057a7e1e45de32

SHA512
f002afa2131d250dd6148d8372ce45f84283b8e1209e91720cee7aff497503d0e566bae3a83cd326701458230ae5c0e200eec617889393dd46ac00ff357ff1b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\B1D6\C\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe\Microsoft.Wallet.exe.id[49C07676-3483].[[email protected]].8base
Filesize
18KB

MD5
c58a7650b719596881841fe2efe9b453

SHA1
c8c58aeba6612a63f14264d3c8390ea0474191bd

SHA256
bf781faf3605aa0f4ea8d0c50832d16c99c444dd197112e2663c4b309d2f9cd8

SHA512
c30566715ba8f4a2d73190967b7b0e6b07c711f69f7b12a467208ab72a3d3d5c7d6e91019a0052f79bbae36e49c5302f4513ec4c886e793e81af174ca81bc549

Download Submit
C:\Users\Admin\AppData\Local\Temp\B1D6\C\ProgramData\Microsoft\Windows\AppRepository\Microsoft.Wallet_2.4.18324.0_neutral_~_8wekyb3d8bbwe.xml
Filesize
1KB

MD5
94f90fcd2b8f7f1df69224f845d9e9b7

SHA1
a09e3072cc581cf89adaf1aa20aa89b3af7bf987

SHA256
a16113a66b1c36f919b5f7eaa3fb7aa8e0ba9e057823861aabea703cc06a04c0

SHA512
51f4ee06a8d8bf1121083bf4383433160f16c68d1fe4c44e5d0e0529910d27ba8446c7a4bef359b990574d1d61563da30139c6d09ad0ad1a5b5c7748b8da08f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\B1D6\C\ProgramData\Microsoft\Windows\AppRepository\Microsoft.Wallet_2.4.18324.0_neutral_~_8wekyb3d8bbwe.xml.id[49C07676-3483].[[email protected]].8base
Filesize
1KB

MD5
a015d06580dfc6de7153bcb761cfd4fc

SHA1
2edbc0ecf42d46a1416402eb844777d24a81806c

SHA256
dbfc298aa68a6af43c04e2315f7f6448277e811399c7bf036f9a367285538b1e

SHA512
dd6a5f34841a0edff47f52f6e75cbfcfb82a579d596912a3e772c15231701f8a035fe49e3109a4ee9dee70eac6504ba6c244c899dd8f62812f67fe84a84ae600

Download Submit
C:\Users\Admin\AppData\Local\Temp\B1D6\C\ProgramData\Microsoft\Windows\AppRepository\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe.xml
Filesize
7KB

MD5
108f130067a9df1719c590316a5245f7

SHA1
79bb9a86e7a50c85214cd7e21719f0cb4155f58a

SHA256
c91debd34057ca5c280ca15ac542733930e1c94c7d887448eac6e3385b5a0874

SHA512
d43b3861d5153c7ca54edd078c900d31599fc9f04d6883a449d62c7e86a105a3c5dfb2d232255c41505b210b063caf6325921dc074fcdf93407c9e2c985a5301

Download Submit
C:\Users\Admin\AppData\Local\Temp\B1D6\C\ProgramData\Microsoft\Windows\AppRepository\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe.xml.id[49C07676-3483].[[email protected]].8base
Filesize
7KB

MD5
542c6328f637df6a0f2e106a36a90c84

SHA1
3d8564a387f1520756cfb4f141bc6fb221166c72

SHA256
16add558ff94f8f48db32cfc769acab336d760d69fc7160d983307bf826cc0e2

SHA512
c0ebef212a30f0b4e1609eaef2deb11babfd7aa7ceb99a5b6120a7a9878127b601f59183d0a63557c181b8f3aad6cb8a8b5ac5e614491b4735d7581c11771a20

Download Submit
C:\Users\Admin\AppData\Local\Temp\B1D6\C\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Wallet_2.4.18324.0_neutral_~_8wekyb3d8bbwe.xml
Filesize
1KB

MD5
94f90fcd2b8f7f1df69224f845d9e9b7

SHA1
a09e3072cc581cf89adaf1aa20aa89b3af7bf987

SHA256
a16113a66b1c36f919b5f7eaa3fb7aa8e0ba9e057823861aabea703cc06a04c0

SHA512
51f4ee06a8d8bf1121083bf4383433160f16c68d1fe4c44e5d0e0529910d27ba8446c7a4bef359b990574d1d61563da30139c6d09ad0ad1a5b5c7748b8da08f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\B1D6\C\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Wallet_2.4.18324.0_neutral_~_8wekyb3d8bbwe.xml.id[49C07676-3483].[[email protected]].8base
Filesize
1KB

MD5
7b3305f96651f27c74e8002ec0b44839

SHA1
0cdd02c96468bd23579653affde7bb981aeb6d91

SHA256
9e2e1bab13b122ee5d7acf4c076dc5557a20bbbb6cff7b64ee08c0ea9b096c08

SHA512
0a8f60d3a7aeddcf89669c5832457c363af2f908efe0694b4a3d6550e5698b595de284b1bdedadaf00192bc48503c2cc8359b24fb8276e8c95aa8fd56f40bb18

Download Submit
C:\Users\Admin\AppData\Local\Temp\B1D6\C\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe.xml
Filesize
7KB

MD5
108f130067a9df1719c590316a5245f7

SHA1
79bb9a86e7a50c85214cd7e21719f0cb4155f58a

SHA256
c91debd34057ca5c280ca15ac542733930e1c94c7d887448eac6e3385b5a0874

SHA512
d43b3861d5153c7ca54edd078c900d31599fc9f04d6883a449d62c7e86a105a3c5dfb2d232255c41505b210b063caf6325921dc074fcdf93407c9e2c985a5301

Download Submit
C:\Users\Admin\AppData\Local\Temp\B1D6\C\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe.xml.id[49C07676-3483].[[email protected]].8base
Filesize
7KB

MD5
d6fb6b88df7912d68b50d01038dd7789

SHA1
2392ea0f6099ff2eaef136841f605f688c832173

SHA256
d58670c23850324abd693eefbb869803809d316109b4bb128a9e9c1f62675b5a

SHA512
91ace3c3df091ff9a681de04e1ff073d39c14bb60ab3caba5d30e2ce5fd9f0929e8d7dedd22cfbf5a8e256835f9bcac88dbdba475bc9f065a8279347e40f729f

Download Submit
C:\Users\Admin\AppData\Local\Temp\B1D6\C\Windows\SysWOW64\WalletBackgroundServiceProxy.dll
Filesize
10KB

MD5
1097d1e58872f3cf58f78730a697ce4b

SHA1
96db4e4763a957b28dd80ec1e43eb27367869b86

SHA256
83ec0be293b19d00eca4ae51f16621753e1d2b11248786b25a1abaae6230bdef

SHA512
b933eac4eaabacc51069a72b24b649b980aea251b1b87270ff4ffea12de9368d5447cdbe748ac7faf2805548b896c8499f9eceeed2f5efd0c684f94360940351

Download Submit
C:\Users\Admin\AppData\Local\Temp\B1D6\C\Windows\SysWOW64\WalletBackgroundServiceProxy.dll.id[49C07676-3483].[[email protected]].8base
Filesize
10KB

MD5
708eb29f4777a503c45825d329023a74

SHA1
95d17a423e5ca11fed0b3e2d4f063a1a0c6c94dc

SHA256
173ef8765682723f8a795e3dfc46ebb10f3d12486a7d756aa4d5237f505430d1

SHA512
6c34d3ded38767903385a9aed69462538e776479a1b150cbd7c64c59aad774508b2b47298cc397ba4bef0659f5ebde20e48b82f2e2913b07c30dd883d98ba14c

Download Submit
C:\Users\Admin\AppData\Local\Temp\B1D6\C\Windows\SysWOW64\WalletProxy.dll
Filesize
36KB

MD5
d09724c29a8f321f2f9c552de6ef6afa

SHA1
d6ce3d3a973695f4f770e7fb3fcb5e2f3df592a3

SHA256
23cc82878957683184fbd0e3098e9e6858978bf78d7812c6d7470ebdc79d1c5c

SHA512
cc8db1b0c4bbd94dfc8a669cd6accf6fa29dc1034ce03d9dae53d6ce117bb86b432bf040fb53230b612c6e9a325e58acc8ebb600f760a8d9d6a383ce751fd6ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\B1D6\C\Windows\SysWOW64\WalletProxy.dll.id[49C07676-3483].[[email protected]].8base
Filesize
36KB

MD5
4cf7bea86a26583101e449800788dc37

SHA1
7996eba7e26ef80d697b0508611eb0ba8894abfc

SHA256
af1b82395d73b965742d73e5de25cc2a27ca9a1aef1b6f36abdf2ee964a1b1c7

SHA512
86b1a06cebd1fea0a2293ab3369767177eb0d256a0d281ba82df63fcaf855a5f15e1b78e2094d474d668dd32bac2999e2e7352fc4bb1286dff97c972c7c49f62

Download Submit
C:\Users\Admin\AppData\Local\Temp\B1D6\C\Windows\SysWOW64\Windows.ApplicationModel.Wallet.dll
Filesize
402KB

MD5
02557c141c9e153c2b7987b79a3a2dd7

SHA1
a054761382ee68608b6a3b62b68138dc205f576b

SHA256
207c587e769e2655669bd3ce1d28a00bcac08f023013735f026f65c0e3baa6f4

SHA512
a37e29c115bcb9956b1f8fd2022f2e3966c1fa2a0efa5c2ee2d14bc5c41bfddae0deea4d481a681d13ec58e9dec41e7565f8b4eb1c10f2c44c03e58bdd2792b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\B1D6\C\Windows\SysWOW64\Windows.ApplicationModel.Wallet.dll.id[49C07676-3483].[[email protected]].8base
Filesize
402KB

MD5
6fa4f10e853cf89b061c9268c8133576

SHA1
0466e9d8d09fc0abaf2e27da97dfa0237cb87dba

SHA256
dd43f704f19efe024b46f26d08390aa8604b9b6f57301524f7a4f4670cd09fff

SHA512
b4c7d82e7ffdfd701fffd1e47c1a14d3b51226983560f90dde709c040bffb2fabc164a158e9cf69a4a0604e8108937f56d691d61bc1442b2d3d7e62c1a78ef46

Download Submit
C:\Users\Admin\AppData\Local\Temp\B1D6\C\Windows\System32\WalletBackgroundServiceProxy.dll
Filesize
10KB

MD5
1097d1e58872f3cf58f78730a697ce4b

SHA1
96db4e4763a957b28dd80ec1e43eb27367869b86

SHA256
83ec0be293b19d00eca4ae51f16621753e1d2b11248786b25a1abaae6230bdef

SHA512
b933eac4eaabacc51069a72b24b649b980aea251b1b87270ff4ffea12de9368d5447cdbe748ac7faf2805548b896c8499f9eceeed2f5efd0c684f94360940351

Download Submit
C:\Users\Admin\AppData\Local\Temp\B1D6\C\Windows\System32\WalletBackgroundServiceProxy.dll.id[49C07676-3483].[[email protected]].8base
Filesize
10KB

MD5
c638c40fe97bb6b546f2538a44f35b98

SHA1
420dd2125c97caa443bb432ae6935f4c40f92684

SHA256
c7e7b8047fa308d8592551487b6d13191016118a531c1ea80bf63cac0a62c1d4

SHA512
97475c16bbf038815bd27c280632d844200a08825fdc70b3bc553c7ae01b197db9b35e85b7cd0b52612bf609c976bc6d7a7d446ba007a3df9234933883829052

Download Submit
C:\Users\Admin\AppData\Local\Temp\B1D6\C\Windows\System32\WalletProxy.dll
Filesize
36KB

MD5
d09724c29a8f321f2f9c552de6ef6afa

SHA1
d6ce3d3a973695f4f770e7fb3fcb5e2f3df592a3

SHA256
23cc82878957683184fbd0e3098e9e6858978bf78d7812c6d7470ebdc79d1c5c

SHA512
cc8db1b0c4bbd94dfc8a669cd6accf6fa29dc1034ce03d9dae53d6ce117bb86b432bf040fb53230b612c6e9a325e58acc8ebb600f760a8d9d6a383ce751fd6ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\B1D6\C\Windows\System32\WalletProxy.dll.id[49C07676-3483].[[email protected]].8base
Filesize
36KB

MD5
bb9abbdce679124c74b3afad8c23e596

SHA1
2d5fcd25ff078f313022dae5e407846a145023cd

SHA256
daf9265a4fb85c3a3b56ac4d5c60f925b043d3b938445eba731f4cd2941da143

SHA512
4513928eea53ac2d0b51312c2c0ef693bff0f80127021a26f7daca1b111b51ce880e544517b13d6a9ea82234eafc7455d77f78bb70beb96e4c7ef0cbf2b49318

Download Submit
C:\Users\Admin\AppData\Local\Temp\B1D6\C\Windows\System32\Windows.ApplicationModel.Wallet.dll
Filesize
402KB

MD5
02557c141c9e153c2b7987b79a3a2dd7

SHA1
a054761382ee68608b6a3b62b68138dc205f576b

SHA256
207c587e769e2655669bd3ce1d28a00bcac08f023013735f026f65c0e3baa6f4

SHA512
a37e29c115bcb9956b1f8fd2022f2e3966c1fa2a0efa5c2ee2d14bc5c41bfddae0deea4d481a681d13ec58e9dec41e7565f8b4eb1c10f2c44c03e58bdd2792b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\B1D6\C\Windows\System32\Windows.ApplicationModel.Wallet.dll.id[49C07676-3483].[[email protected]].8base
Filesize
402KB

MD5
95eb6d58355a32549c76533bbb96d956

SHA1
2bd23e5a031070c7fac780ef300d2beed1460d74

SHA256
65345783d30ec4b0ed52713812b2597bb2baeb1803e068e2df2f1cb75e3172b8

SHA512
e5379ea2f65305f69d8560a09ab529d170a9d961f1eb8d4a0502ab9dbbb1a986bf8c8b23c3a55387bb5c6e0bbfd8bd7f54700978f95ba6beb8781bc8835756c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\B1D6\C\Windows\WinSxS\wow64_microsoft-windows-w..ice.backgroundproxy_31bf3856ad364e35_10.0.19041.1_none_046b779f2003c415\WalletBackgroundServiceProxy.dll
Filesize
10KB

MD5
1097d1e58872f3cf58f78730a697ce4b

SHA1
96db4e4763a957b28dd80ec1e43eb27367869b86

SHA256
83ec0be293b19d00eca4ae51f16621753e1d2b11248786b25a1abaae6230bdef

SHA512
b933eac4eaabacc51069a72b24b649b980aea251b1b87270ff4ffea12de9368d5447cdbe748ac7faf2805548b896c8499f9eceeed2f5efd0c684f94360940351

Download Submit
C:\Users\Admin\AppData\Local\Temp\B1D6\C\Windows\WinSxS\wow64_microsoft-windows-wallet-service.proxy_31bf3856ad364e35_10.0.19041.1_none_69993b7d6814452d\WalletProxy.dll
Filesize
36KB

MD5
d09724c29a8f321f2f9c552de6ef6afa

SHA1
d6ce3d3a973695f4f770e7fb3fcb5e2f3df592a3

SHA256
23cc82878957683184fbd0e3098e9e6858978bf78d7812c6d7470ebdc79d1c5c

SHA512
cc8db1b0c4bbd94dfc8a669cd6accf6fa29dc1034ce03d9dae53d6ce117bb86b432bf040fb53230b612c6e9a325e58acc8ebb600f760a8d9d6a383ce751fd6ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\B1D6\C\Windows\WinSxS\wow64_microsoft-windows-wallet-winrt_31bf3856ad364e35_10.0.19041.746_none_b3a887dd4a9553e8\Windows.ApplicationModel.Wallet.dll
Filesize
402KB

MD5
02557c141c9e153c2b7987b79a3a2dd7

SHA1
a054761382ee68608b6a3b62b68138dc205f576b

SHA256
207c587e769e2655669bd3ce1d28a00bcac08f023013735f026f65c0e3baa6f4

SHA512
a37e29c115bcb9956b1f8fd2022f2e3966c1fa2a0efa5c2ee2d14bc5c41bfddae0deea4d481a681d13ec58e9dec41e7565f8b4eb1c10f2c44c03e58bdd2792b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0wnkc3a2.dfu.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_720_POS4.jpg
Filesize
14KB

MD5
2257fa8cef64a74c33655bd5f74ef5e5

SHA1
b9f8baf96166f99cb1983563e632e6e69984ad5c

SHA256
ead48b70e048de6ccca219a229ca90b49a9d1b9c14bf3a7c5eaad544294fcfd3

SHA512
7792be9b935a46a923e97bb76b76957070e116dcc4cb6fcd8b883c2d6f142285ebc9fd26cdf29bd19c8bdff412487f586abaa1724332b613e71afa45d7f3e4f9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_720_POS4.jpg.id[49C07676-3483].[[email protected]].8base
Filesize
52KB

MD5
a57e4611a831393e6cc9623bef488570

SHA1
a81f4a82fc2e642d6251fbd5dfc34f2746389a1d

SHA256
cdb4ae09876db4ae869303d1cbb39f8dcc2483eecd7a124bdf92ea0c86902637

SHA512
bbe869f983a69feb148477f28782d7291864835d892bda4d146cfe5259486ab176997c5cc71acf4b1edc0ebb25c5ea2cfef7a7bf2efe2169ce6a0fdf6937754d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\suuk1m1w.default-release\cookies.sqlite.id[49C07676-3483].[[email protected]].8base
Filesize
96KB

MD5
467ae65d56d5e8e480528e1fc428966d

SHA1
2b445265a97d6019ea15fd14e846e24ca76c5b44

SHA256
c921b2817364cc6d3eaa13eebddf9f07ad7550655bbb141d38fcc7953316e0e9

SHA512
f440cbe70b66bf1aa3f6c77071e5f2908d23d8b673550d00f8dca86b742f52df212f2bf491a808ebf2fbed0b49ddcde9afffe8d65bebaf987f28d474ccc1d794

Download Submit
C:\Users\Admin\AppData\Roaming\ibejtah
Filesize
233KB

MD5
f56ab31379d92b546875eff976ec9148

SHA1
79ba7f22410a64adf18e36005cfa98179f128053

SHA256
d509b4fc5c6dd7c8c9b2bec568f39ad1b0a9724a8046b342e207d5c5c260b4d0

SHA512
650ddd099dfa9de50c6e5493c4d33c7dcaeb9827069becfb5756b802789926e1520c9672685ed6afb2b4c4e960ab860aa6a35e1fa6dc4b5de1b023efacc09258

Download Submit
C:\Users\Admin\AppData\Roaming\jgfuvhs
Filesize
438KB

MD5
846afdb0a212e48cdd195fcee22ca463

SHA1
1401b23aa789cd88be8bbbb11bc2477d96b4523b

SHA256
0be0858b6f4d3254968a447d6f42464cf64100f6ef9c7e1ee5e272f6d5ee7c9f

SHA512
be16e1e637c1e1124f451f2674f90ffdb5aa870cd412141ea476fd6c0cf9cf32b2a4d10f6e37bf3df45e8753f2a0b5ae95a30ba6d9a04194e661838fda0d16b6

Download Submit
C:\Users\Admin\Desktop\info.hta
Filesize
5KB

MD5
bf3a812498cabcdbf88171de1d70b27c

SHA1
1b708024b8ffc58ff2c23181f7d4bbf3d8a842bd

SHA256
9e55177c004c9ba125fa7d3574853a878c13c8837c77d583159e2259a955b992

SHA512
1a9caa81e47f23c49f144ccc92aeaa28c1ca359a10d46e59129b4b8a7b8c52de0a1a1bef75ece57556b2ca05a6c168c1f24b385acb9c2e1f5aeda8bd61030031

Download Submit
C:\info.hta
Filesize
5KB

MD5
bf3a812498cabcdbf88171de1d70b27c

SHA1
1b708024b8ffc58ff2c23181f7d4bbf3d8a842bd

SHA256
9e55177c004c9ba125fa7d3574853a878c13c8837c77d583159e2259a955b992

SHA512
1a9caa81e47f23c49f144ccc92aeaa28c1ca359a10d46e59129b4b8a7b8c52de0a1a1bef75ece57556b2ca05a6c168c1f24b385acb9c2e1f5aeda8bd61030031

Download Submit
C:\info.hta
Filesize
5KB

MD5
bf3a812498cabcdbf88171de1d70b27c

SHA1
1b708024b8ffc58ff2c23181f7d4bbf3d8a842bd

SHA256
9e55177c004c9ba125fa7d3574853a878c13c8837c77d583159e2259a955b992

SHA512
1a9caa81e47f23c49f144ccc92aeaa28c1ca359a10d46e59129b4b8a7b8c52de0a1a1bef75ece57556b2ca05a6c168c1f24b385acb9c2e1f5aeda8bd61030031

Download Submit
C:\users\public\desktop\info.hta
Filesize
5KB

MD5
bf3a812498cabcdbf88171de1d70b27c

SHA1
1b708024b8ffc58ff2c23181f7d4bbf3d8a842bd

SHA256
9e55177c004c9ba125fa7d3574853a878c13c8837c77d583159e2259a955b992

SHA512
1a9caa81e47f23c49f144ccc92aeaa28c1ca359a10d46e59129b4b8a7b8c52de0a1a1bef75ece57556b2ca05a6c168c1f24b385acb9c2e1f5aeda8bd61030031

Download Submit
F:\info.hta
Filesize
5KB

MD5
bf3a812498cabcdbf88171de1d70b27c

SHA1
1b708024b8ffc58ff2c23181f7d4bbf3d8a842bd

SHA256
9e55177c004c9ba125fa7d3574853a878c13c8837c77d583159e2259a955b992

SHA512
1a9caa81e47f23c49f144ccc92aeaa28c1ca359a10d46e59129b4b8a7b8c52de0a1a1bef75ece57556b2ca05a6c168c1f24b385acb9c2e1f5aeda8bd61030031

Download Submit
memory/212-4921-0x0000000001290000-0x0000000001299000-memory.dmp

Filesize
36KB

Download
memory/212-4918-0x0000000001290000-0x0000000001299000-memory.dmp

Filesize
36KB

Download
memory/212-4920-0x00000000012A0000-0x00000000012A5000-memory.dmp

Filesize
20KB

Download
memory/296-4323-0x0000000000CF0000-0x0000000000CFC000-memory.dmp

Filesize
48KB

Download
memory/296-4326-0x0000000000D00000-0x0000000000D07000-memory.dmp

Filesize
28KB

Download
memory/296-4328-0x0000000000CF0000-0x0000000000CFC000-memory.dmp

Filesize
48KB

Download
memory/1048-3747-0x0000000000400000-0x0000000002B46000-memory.dmp

Filesize
39.3MB

Download
memory/1048-568-0x0000000000400000-0x0000000002B46000-memory.dmp

Filesize
39.3MB

Download
memory/1048-194-0x0000000002D70000-0x0000000002D7F000-memory.dmp

Filesize
60KB

Download
memory/1048-193-0x0000000002DA0000-0x0000000002EA0000-memory.dmp

Filesize
1024KB

Download
memory/1048-615-0x0000000000400000-0x0000000002B46000-memory.dmp

Filesize
39.3MB

Download
memory/1048-1137-0x0000000000400000-0x0000000002B46000-memory.dmp

Filesize
39.3MB

Download
memory/1048-683-0x0000000002DA0000-0x0000000002EA0000-memory.dmp

Filesize
1024KB

Download
memory/1048-195-0x0000000000400000-0x0000000002B46000-memory.dmp

Filesize
39.3MB

Download
memory/1456-5128-0x0000000000610000-0x0000000000619000-memory.dmp

Filesize
36KB

Download
memory/1456-5127-0x0000000000620000-0x0000000000624000-memory.dmp

Filesize
16KB

Download
memory/1788-4077-0x00007FF704BC0000-0x00007FF705451000-memory.dmp

Filesize
8.6MB

Download
memory/1788-4456-0x00007FF704BC0000-0x00007FF705451000-memory.dmp

Filesize
8.6MB

Download
memory/2212-214-0x0000000002C20000-0x0000000002D20000-memory.dmp

Filesize
1024KB

Download
memory/2212-206-0x0000000000400000-0x0000000002B46000-memory.dmp

Filesize
39.3MB

Download
memory/2256-153-0x0000000004D30000-0x0000000005130000-memory.dmp

Filesize
4.0MB

Download
memory/2256-138-0x0000000004D30000-0x0000000005130000-memory.dmp

Filesize
4.0MB

Download
memory/2256-141-0x0000000004D30000-0x0000000005130000-memory.dmp

Filesize
4.0MB

Download
memory/2256-142-0x0000000002D60000-0x0000000002E60000-memory.dmp

Filesize
1024KB

Download
memory/2256-145-0x00000000059F0000-0x0000000005A26000-memory.dmp

Filesize
216KB

Download
memory/2256-144-0x0000000000400000-0x0000000002B7C000-memory.dmp

Filesize
39.5MB

Download
memory/2256-148-0x0000000004950000-0x00000000049C1000-memory.dmp

Filesize
452KB

Download
memory/2256-152-0x00000000059F0000-0x0000000005A26000-memory.dmp

Filesize
216KB

Download
memory/2256-139-0x0000000004D30000-0x0000000005130000-memory.dmp

Filesize
4.0MB

Download
memory/2256-137-0x0000000002D40000-0x0000000002D47000-memory.dmp

Filesize
28KB

Download
memory/2256-134-0x0000000002D60000-0x0000000002E60000-memory.dmp

Filesize
1024KB

Download
memory/2256-140-0x0000000004D30000-0x0000000005130000-memory.dmp

Filesize
4.0MB

Download
memory/2256-155-0x0000000000400000-0x0000000002B7C000-memory.dmp

Filesize
39.5MB

Download
memory/2256-156-0x0000000004D30000-0x0000000005130000-memory.dmp

Filesize
4.0MB

Download
memory/2256-136-0x0000000000400000-0x0000000002B7C000-memory.dmp

Filesize
39.5MB

Download
memory/2256-135-0x0000000004950000-0x00000000049C1000-memory.dmp

Filesize
452KB

Download
memory/2268-905-0x0000000002D60000-0x0000000002E60000-memory.dmp

Filesize
1024KB

Download
memory/2268-199-0x0000000002C60000-0x0000000002C65000-memory.dmp

Filesize
20KB

Download
memory/2268-201-0x0000000000400000-0x0000000002B45000-memory.dmp

Filesize
39.3MB

Download
memory/2268-198-0x0000000002D60000-0x0000000002E60000-memory.dmp

Filesize
1024KB

Download
memory/2572-528-0x00000000088C0000-0x00000000088D0000-memory.dmp

Filesize
64KB

Download
memory/2572-500-0x00000000088C0000-0x00000000088D0000-memory.dmp

Filesize
64KB

Download
memory/2572-499-0x00000000088C0000-0x00000000088D0000-memory.dmp

Filesize
64KB

Download
memory/2572-202-0x00000000031B0000-0x00000000031C6000-memory.dmp

Filesize
88KB

Download
memory/2572-517-0x00000000088C0000-0x00000000088D0000-memory.dmp

Filesize
64KB

Download
memory/2572-511-0x00000000088C0000-0x00000000088D0000-memory.dmp

Filesize
64KB

Download
memory/2572-479-0x00000000088C0000-0x00000000088D0000-memory.dmp

Filesize
64KB

Download
memory/2572-444-0x00000000088C0000-0x00000000088D0000-memory.dmp

Filesize
64KB

Download
memory/2572-507-0x00000000088C0000-0x00000000088D0000-memory.dmp

Filesize
64KB

Download
memory/2572-497-0x00000000088C0000-0x00000000088D0000-memory.dmp

Filesize
64KB

Download
memory/2572-472-0x00000000088C0000-0x00000000088D0000-memory.dmp

Filesize
64KB

Download
memory/2572-525-0x00000000088C0000-0x00000000088D0000-memory.dmp

Filesize
64KB

Download
memory/2572-514-0x00000000088C0000-0x00000000088D0000-memory.dmp

Filesize
64KB

Download
memory/2572-551-0x00000000088C0000-0x00000000088D0000-memory.dmp

Filesize
64KB

Download
memory/2572-570-0x00000000088C0000-0x00000000088D0000-memory.dmp

Filesize
64KB

Download
memory/2572-431-0x00000000088C0000-0x00000000088D0000-memory.dmp

Filesize
64KB

Download
memory/2572-448-0x0000000008920000-0x0000000008930000-memory.dmp

Filesize
64KB

Download
memory/2572-485-0x00000000088C0000-0x00000000088D0000-memory.dmp

Filesize
64KB

Download
memory/2572-681-0x00000000088C0000-0x00000000088D0000-memory.dmp

Filesize
64KB

Download
memory/2572-453-0x00000000088C0000-0x00000000088D0000-memory.dmp

Filesize
64KB

Download
memory/2572-682-0x0000000003280000-0x0000000003289000-memory.dmp

Filesize
36KB

Download
memory/2836-4452-0x0000000000380000-0x000000000038B000-memory.dmp

Filesize
44KB

Download
memory/2836-4457-0x0000000000390000-0x0000000000397000-memory.dmp

Filesize
28KB

Download
memory/2836-5138-0x0000000000390000-0x0000000000397000-memory.dmp

Filesize
28KB

Download
memory/2836-4471-0x0000000000380000-0x000000000038B000-memory.dmp

Filesize
44KB

Download
memory/2880-5146-0x0000000000EE0000-0x0000000000EE5000-memory.dmp

Filesize
20KB

Download
memory/2880-5147-0x0000000000ED0000-0x0000000000ED9000-memory.dmp

Filesize
36KB

Download
memory/3320-4290-0x00000000006D0000-0x000000000073B000-memory.dmp

Filesize
428KB

Download
memory/3320-4313-0x00000000006D0000-0x000000000073B000-memory.dmp

Filesize
428KB

Download
memory/3320-4469-0x00000000006D0000-0x000000000073B000-memory.dmp

Filesize
428KB

Download
memory/3320-4291-0x0000000000740000-0x00000000007B5000-memory.dmp

Filesize
468KB

Download
memory/3704-192-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3704-205-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3704-187-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3744-4332-0x0000000000AD0000-0x0000000000AD4000-memory.dmp

Filesize
16KB

Download
memory/3744-5121-0x0000000000AD0000-0x0000000000AD4000-memory.dmp

Filesize
16KB

Download
memory/3744-4333-0x0000000000AC0000-0x0000000000AC9000-memory.dmp

Filesize
36KB

Download
memory/3744-4331-0x0000000000AC0000-0x0000000000AC9000-memory.dmp

Filesize
36KB

Download
memory/3848-5123-0x0000000000690000-0x000000000069C000-memory.dmp

Filesize
48KB

Download
memory/3848-5122-0x00000000006A0000-0x00000000006A6000-memory.dmp

Filesize
24KB

Download
memory/4464-186-0x0000000002CD0000-0x0000000002CD9000-memory.dmp

Filesize
36KB

Download
memory/4464-185-0x0000000002B90000-0x0000000002C90000-memory.dmp

Filesize
1024KB

Download
memory/4620-5459-0x00000000005B0000-0x00000000005B9000-memory.dmp

Filesize
36KB

Download
memory/4620-4614-0x00000000005A0000-0x00000000005AF000-memory.dmp

Filesize
60KB

Download
memory/4620-4603-0x00000000005B0000-0x00000000005B9000-memory.dmp

Filesize
36KB

Download
memory/4620-4599-0x00000000005A0000-0x00000000005AF000-memory.dmp

Filesize
60KB

Download
memory/4912-4353-0x0000000000A90000-0x0000000000A9B000-memory.dmp

Filesize
44KB

Download
memory/4912-4350-0x0000000000AA0000-0x0000000000AAA000-memory.dmp

Filesize
40KB

Download
memory/4912-4347-0x0000000000A90000-0x0000000000A9B000-memory.dmp

Filesize
44KB

Download
memory/4936-5470-0x0000000001270000-0x0000000001291000-memory.dmp

Filesize
132KB

Download
memory/4956-173-0x00007FF450500000-0x00007FF45062D000-memory.dmp

Filesize
1.2MB

Download
memory/4956-167-0x00007FF450500000-0x00007FF45062D000-memory.dmp

Filesize
1.2MB

Download
memory/4956-212-0x000001D07E140000-0x000001D07E145000-memory.dmp

Filesize
20KB

Download
memory/4956-175-0x00007FF450500000-0x00007FF45062D000-memory.dmp

Filesize
1.2MB

Download
memory/4956-174-0x00007FF450500000-0x00007FF45062D000-memory.dmp

Filesize
1.2MB

Download
memory/4956-213-0x00007FFF496F0000-0x00007FFF498E5000-memory.dmp

Filesize
2.0MB

Download
memory/4956-172-0x00007FF450500000-0x00007FF45062D000-memory.dmp

Filesize
1.2MB

Download
memory/4956-171-0x00007FF450500000-0x00007FF45062D000-memory.dmp

Filesize
1.2MB

Download
memory/4956-170-0x00007FFF496F0000-0x00007FFF498E5000-memory.dmp

Filesize
2.0MB

Download
memory/4956-169-0x00007FF450500000-0x00007FF45062D000-memory.dmp

Filesize
1.2MB

Download
memory/4956-168-0x00007FF450500000-0x00007FF45062D000-memory.dmp

Filesize
1.2MB

Download
memory/4956-184-0x00007FFF496F0000-0x00007FFF498E5000-memory.dmp

Filesize
2.0MB

Download
memory/4956-165-0x00007FF450500000-0x00007FF45062D000-memory.dmp

Filesize
1.2MB

Download
memory/4956-163-0x00007FF450500000-0x00007FF45062D000-memory.dmp

Filesize
1.2MB

Download
memory/4956-162-0x00007FF450500000-0x00007FF45062D000-memory.dmp

Filesize
1.2MB

Download
memory/4956-161-0x00007FF450500000-0x00007FF45062D000-memory.dmp

Filesize
1.2MB

Download
memory/4956-160-0x00007FF450500000-0x00007FF45062D000-memory.dmp

Filesize
1.2MB

Download
memory/4956-159-0x00007FF450500000-0x00007FF45062D000-memory.dmp

Filesize
1.2MB

Download
memory/4956-158-0x000001D07E140000-0x000001D07E147000-memory.dmp

Filesize
28KB

Download
memory/4956-157-0x000001D07C080000-0x000001D07C083000-memory.dmp

Filesize
12KB

Download
memory/4956-143-0x000001D07C080000-0x000001D07C083000-memory.dmp

Filesize
12KB

Download