amadey | 14a5e51f0ed1c1116de4d58c8e667cb95d4ef4a3b3c8b1d2c2c9eca99b5e16af

Analysis

max time kernel
110s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
30-09-2023 14:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SecuriteInfo.com.Variant.Lazy.397537.29059.exe
Size

166KB
MD5

d5292955f46b473ff62846a4106a504c
SHA1

38dd9ce415ff29a2c09ffacd60477372b3dffe32
SHA256

14a5e51f0ed1c1116de4d58c8e667cb95d4ef4a3b3c8b1d2c2c9eca99b5e16af
SHA512

7bb02e30b49162434f1587b406f90ec4e7227b0b1b3764ba302cf1f0555cefa323081e9b88153820a91337797fdec934a152c4344a93638886cde21a8c08ff0b
SSDEEP

3072:WhOUozowo7h0BEYmbuw16GVuiIPMoClTrx0iVC4aw9LlKfzj:Wh5iiOBEBbx6GjXxbFdlKrj

Malware Config

Extracted

Family

smokeloader

Version

2022

http://77.91.68.29/fks/

rc4.i32

Extracted

Family

redline

Botnet

gruha

77.91.124.55:19071

Attributes

auth_value
2f4cf2e668a540e64775b27535cc6892

Extracted

Family

amadey

Version

3.89

http://77.91.124.1/theme/index.php

Attributes

install_dir
fefffe8cea
install_file
explothe.exe
strings_key
36a96139c1118a354edf72b1080d4b2f

rc4.plain

Extracted

Family

redline

Botnet

luska

77.91.124.55:19071

Attributes

auth_value
a6797888f51a88afbfd8854a79ac9357

Extracted

Family

smokeloader

Botnet

up3

Extracted

Family

redline

Botnet

YT LOGS CLOUD

176.123.4.46:33783

Attributes

auth_value
f423cd8452a39820862c1ea501db4ccf

Extracted

Family

smokeloader

Version

2020

http://host-file-host6.com/

http://host-host-file8.com/

rc4.i32

Extracted

Family

fabookie

http://app.nnnaajjjgc.com/check/safe

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

DcRat 6 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeAppLaunch.exe

pid	process
6116	schtasks.exe
2272	schtasks.exe
3040	schtasks.exe
3908	schtasks.exe
5760	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe

Detect Fabookie payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4400-333-0x0000000003B90000-0x0000000003CC1000-memory.dmp	family_fabookie

Detects Healer an antivirus disabler dropper 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\FEA7.exe	healer
C:\Users\Admin\AppData\Local\Temp\FEA7.exe	healer
behavioral2/memory/2684-71-0x0000000000430000-0x000000000043A000-memory.dmp	healer

Fabookie
Fabookie is facebook account info stealer.
spyware stealer fabookie
Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 7 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3920-194-0x0000000004AD0000-0x00000000053BB000-memory.dmp	family_glupteba
behavioral2/memory/3920-252-0x0000000000400000-0x000000000298D000-memory.dmp	family_glupteba
behavioral2/memory/3920-326-0x0000000000400000-0x000000000298D000-memory.dmp	family_glupteba
behavioral2/memory/3920-434-0x0000000000400000-0x000000000298D000-memory.dmp	family_glupteba
behavioral2/memory/3920-471-0x0000000000400000-0x000000000298D000-memory.dmp	family_glupteba
behavioral2/memory/3920-507-0x0000000000400000-0x000000000298D000-memory.dmp	family_glupteba
behavioral2/memory/3920-520-0x0000000000400000-0x000000000298D000-memory.dmp	family_glupteba

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

FEA7.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	FEA7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	FEA7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	FEA7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	FEA7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	FEA7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	FEA7.exe

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1504-99-0x00000000007C0000-0x000000000081A000-memory.dmp	family_redline
C:\Users\Admin\AppData\Local\Temp\14A4.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\14A4.exe	family_redline
behavioral2/memory/4692-118-0x00000000007B0000-0x000000000080A000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Suspicious use of NtCreateUserProcessOtherParentProcess 7 IoCs

Processes:

237B.exeupdater.exe

description	pid	process	target process
PID 4016 created 3168	4016	237B.exe	Explorer.EXE
PID 4016 created 3168	4016	237B.exe	Explorer.EXE
PID 4016 created 3168	4016	237B.exe	Explorer.EXE
PID 4016 created 3168	4016	237B.exe	Explorer.EXE
PID 4392 created 3168	4392	updater.exe	Explorer.EXE
PID 4392 created 3168	4392	updater.exe	Explorer.EXE
PID 4392 created 3168	4392	updater.exe	Explorer.EXE

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 2 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/5680-519-0x00007FF7EABE0000-0x00007FF7EB420000-memory.dmp	xmrig
behavioral2/memory/5680-557-0x00007FF7EABE0000-0x00007FF7EB420000-memory.dmp	xmrig

Downloads MZ/PE file
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Processes:

netsh.exe

pid process

1876 netsh.exe

pid	process
1876	netsh.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

explothe.exe1223.exekos1.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation	explothe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation	1223.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation	kos1.exe

Executes dropped EXE 29 IoCs

Processes:

F760.exeFAAD.exex2426292.exex7708006.exex3960767.exeg4888851.exeFDFA.exeFEA7.exekos1.exe86D.exeexplothe.exeh1794779.exe1223.exe14A4.exemsedge.exess41.exetoolspub2.exe31839b57a4f11171d6abc8bbc4451ee4.exetoolspub2.exe237B.exeset16.exeis-2BE7G.tmpkos.exemsedge.exepreviewer.exeupdater.exe31839b57a4f11171d6abc8bbc4451ee4.exeexplothe.exe

pid	process
1492	F760.exe
1896	FAAD.exe
3420	x2426292.exe
3104	x7708006.exe
3612	x3960767.exe
4636	g4888851.exe
1540	FDFA.exe
2684	FEA7.exe
3784	kos1.exe
1504	86D.exe
3640	explothe.exe
3052	h1794779.exe
3772	1223.exe
4692	14A4.exe
4344	msedge.exe
4400	ss41.exe
3340	toolspub2.exe
3920	31839b57a4f11171d6abc8bbc4451ee4.exe
3784	kos1.exe
3452	toolspub2.exe
4016	237B.exe
1796	set16.exe
3896	is-2BE7G.tmp
1656	kos.exe
1636	msedge.exe
640	previewer.exe
4392	updater.exe
5776	31839b57a4f11171d6abc8bbc4451ee4.exe
1732	explothe.exe

Loads dropped DLL 4 IoCs

Processes:

is-2BE7G.tmprundll32.exe

pid process

3896 is-2BE7G.tmp
3896 is-2BE7G.tmp
3896 is-2BE7G.tmp
5820 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

FEA7.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" FEA7.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
3896	is-2BE7G.tmp
3896	is-2BE7G.tmp
3896	is-2BE7G.tmp
5820	rundll32.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	FEA7.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

F760.exex2426292.exex7708006.exex3960767.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	F760.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x2426292.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x7708006.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	x3960767.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 2 IoCs

Processes:

powershell.exe

description	ioc	process
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	powershell.exe

Suspicious use of SetThreadContext 7 IoCs

Processes:

SecuriteInfo.com.Variant.Lazy.397537.29059.exeFAAD.exeg4888851.exeFDFA.exetoolspub2.exemsedge.exeupdater.exe

description	pid	process	target process
PID 3208 set thread context of 5092	3208	SecuriteInfo.com.Variant.Lazy.397537.29059.exe	AppLaunch.exe
PID 1896 set thread context of 976	1896	FAAD.exe	AppLaunch.exe
PID 4636 set thread context of 4856	4636	g4888851.exe	AppLaunch.exe
PID 1540 set thread context of 2064	1540	FDFA.exe	AppLaunch.exe
PID 3340 set thread context of 3452	3340	toolspub2.exe	toolspub2.exe
PID 4344 set thread context of 1156	4344	msedge.exe	vbc.exe
PID 4392 set thread context of 5680	4392	updater.exe	explorer.exe

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery
T1082

Processes:

31839b57a4f11171d6abc8bbc4451ee4.exe

description ioc process

File opened (read-only) \??\VBoxMiniRdrDN 31839b57a4f11171d6abc8bbc4451ee4.exe

description	ioc	process
File opened (read-only)	\??\VBoxMiniRdrDN	31839b57a4f11171d6abc8bbc4451ee4.exe

Drops file in Program Files directory 7 IoCs

Processes:

is-2BE7G.tmp

description	ioc	process
File created	C:\Program Files (x86)\PA Previewer\is-7HKEH.tmp	is-2BE7G.tmp
File opened for modification	C:\Program Files (x86)\PA Previewer\unins000.dat	is-2BE7G.tmp
File opened for modification	C:\Program Files (x86)\PA Previewer\previewer.exe	is-2BE7G.tmp
File created	C:\Program Files (x86)\PA Previewer\unins000.dat	is-2BE7G.tmp
File created	C:\Program Files (x86)\PA Previewer\is-BVJR7.tmp	is-2BE7G.tmp
File created	C:\Program Files (x86)\PA Previewer\is-JERDB.tmp	is-2BE7G.tmp
File created	C:\Program Files (x86)\PA Previewer\is-9BE55.tmp	is-2BE7G.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 5 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
2428	3208	WerFault.exe	SecuriteInfo.com.Variant.Lazy.397537.29059.exe
556	1896	WerFault.exe	FAAD.exe
3444	4636	WerFault.exe	g4888851.exe
3028	4856	WerFault.exe	AppLaunch.exe
3760	1540	WerFault.exe	FDFA.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

toolspub2.exeAppLaunch.exe

description	ioc	process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe

Creates scheduled task(s) 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

6116 schtasks.exe
3040 schtasks.exe
3908 schtasks.exe
5760 schtasks.exe
2272 schtasks.exe

pid	process
6116	schtasks.exe
3040	schtasks.exe
3908	schtasks.exe
5760	schtasks.exe
2272	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

31839b57a4f11171d6abc8bbc4451ee4.exepowershell.exepowershell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-41 = "E. South America Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-32 = "Mid-Atlantic Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-192 = "Mountain Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-341 = "Egypt Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2341 = "Haiti Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-215 = "Pacific Standard Time (Mexico)"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-112 = "Eastern Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2611 = "Bougainville Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-385 = "Namibia Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2751 = "Tomsk Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2612 = "Bougainville Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-282 = "Central Europe Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2771 = "Omsk Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-121 = "SA Pacific Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-592 = "Malay Peninsula Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-601 = "Taipei Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-721 = "Central Pacific Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-352 = "FLE Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-621 = "Korea Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2392 = "Aleutian Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1471 = "Magadan Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-381 = "South Africa Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1971 = "Belarus Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-662 = "Cen. Australia Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-452 = "Caucasus Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-3052 = "Qyzylorda Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2752 = "Tomsk Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-141 = "Canada Central Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-661 = "Cen. Australia Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

AppLaunch.exeExplorer.EXE

pid	process
5092	AppLaunch.exe
5092	AppLaunch.exe
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE
3168	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3168 Explorer.EXE
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

676
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

AppLaunch.exetoolspub2.exe

pid process

5092 AppLaunch.exe
3452 toolspub2.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

Processes:

msedge.exe

pid process

220 msedge.exe
220 msedge.exe

pid	process
3168	Explorer.EXE

pid	process
676

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Explorer.EXEFEA7.exekos.exemsedge.exepreviewer.exe

description	pid	process
Token: SeShutdownPrivilege	3168	Explorer.EXE
Token: SeCreatePagefilePrivilege	3168	Explorer.EXE
Token: SeShutdownPrivilege	3168	Explorer.EXE
Token: SeCreatePagefilePrivilege	3168	Explorer.EXE
Token: SeShutdownPrivilege	3168	Explorer.EXE
Token: SeCreatePagefilePrivilege	3168	Explorer.EXE
Token: SeShutdownPrivilege	3168	Explorer.EXE
Token: SeCreatePagefilePrivilege	3168	Explorer.EXE
Token: SeShutdownPrivilege	3168	Explorer.EXE
Token: SeCreatePagefilePrivilege	3168	Explorer.EXE
Token: SeShutdownPrivilege	3168	Explorer.EXE
Token: SeCreatePagefilePrivilege	3168	Explorer.EXE
Token: SeShutdownPrivilege	3168	Explorer.EXE
Token: SeCreatePagefilePrivilege	3168	Explorer.EXE
Token: SeShutdownPrivilege	3168	Explorer.EXE
Token: SeCreatePagefilePrivilege	3168	Explorer.EXE
Token: SeShutdownPrivilege	3168	Explorer.EXE
Token: SeCreatePagefilePrivilege	3168	Explorer.EXE
Token: SeShutdownPrivilege	3168	Explorer.EXE
Token: SeCreatePagefilePrivilege	3168	Explorer.EXE
Token: SeShutdownPrivilege	3168	Explorer.EXE
Token: SeCreatePagefilePrivilege	3168	Explorer.EXE
Token: SeShutdownPrivilege	3168	Explorer.EXE
Token: SeCreatePagefilePrivilege	3168	Explorer.EXE
Token: SeShutdownPrivilege	3168	Explorer.EXE
Token: SeCreatePagefilePrivilege	3168	Explorer.EXE
Token: SeShutdownPrivilege	3168	Explorer.EXE
Token: SeCreatePagefilePrivilege	3168	Explorer.EXE
Token: SeShutdownPrivilege	3168	Explorer.EXE
Token: SeCreatePagefilePrivilege	3168	Explorer.EXE
Token: SeShutdownPrivilege	3168	Explorer.EXE
Token: SeCreatePagefilePrivilege	3168	Explorer.EXE
Token: SeShutdownPrivilege	3168	Explorer.EXE
Token: SeCreatePagefilePrivilege	3168	Explorer.EXE
Token: SeDebugPrivilege	2684	FEA7.exe
Token: SeShutdownPrivilege	3168	Explorer.EXE
Token: SeCreatePagefilePrivilege	3168	Explorer.EXE
Token: SeShutdownPrivilege	3168	Explorer.EXE
Token: SeCreatePagefilePrivilege	3168	Explorer.EXE
Token: SeShutdownPrivilege	3168	Explorer.EXE
Token: SeCreatePagefilePrivilege	3168	Explorer.EXE
Token: SeShutdownPrivilege	3168	Explorer.EXE
Token: SeCreatePagefilePrivilege	3168	Explorer.EXE
Token: SeShutdownPrivilege	3168	Explorer.EXE
Token: SeCreatePagefilePrivilege	3168	Explorer.EXE
Token: SeShutdownPrivilege	3168	Explorer.EXE
Token: SeCreatePagefilePrivilege	3168	Explorer.EXE
Token: SeShutdownPrivilege	3168	Explorer.EXE
Token: SeCreatePagefilePrivilege	3168	Explorer.EXE
Token: SeShutdownPrivilege	3168	Explorer.EXE
Token: SeCreatePagefilePrivilege	3168	Explorer.EXE
Token: SeShutdownPrivilege	3168	Explorer.EXE
Token: SeCreatePagefilePrivilege	3168	Explorer.EXE
Token: SeDebugPrivilege	1656	kos.exe
Token: SeShutdownPrivilege	3168	Explorer.EXE
Token: SeCreatePagefilePrivilege	3168	Explorer.EXE
Token: SeShutdownPrivilege	3168	Explorer.EXE
Token: SeCreatePagefilePrivilege	3168	Explorer.EXE
Token: SeDebugPrivilege	1636	msedge.exe
Token: SeShutdownPrivilege	3168	Explorer.EXE
Token: SeCreatePagefilePrivilege	3168	Explorer.EXE
Token: SeShutdownPrivilege	3168	Explorer.EXE
Token: SeCreatePagefilePrivilege	3168	Explorer.EXE
Token: SeDebugPrivilege	640	previewer.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

msedge.exe

pid	process
220	msedge.exe
220	msedge.exe
220	msedge.exe
220	msedge.exe
220	msedge.exe
220	msedge.exe
220	msedge.exe
220	msedge.exe
220	msedge.exe
220	msedge.exe
220	msedge.exe
220	msedge.exe
220	msedge.exe
220	msedge.exe
220	msedge.exe
220	msedge.exe
220	msedge.exe
220	msedge.exe
220	msedge.exe
220	msedge.exe
220	msedge.exe
220	msedge.exe
220	msedge.exe
220	msedge.exe
220	msedge.exe
220	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
220	msedge.exe
220	msedge.exe
220	msedge.exe
220	msedge.exe
220	msedge.exe
220	msedge.exe
220	msedge.exe
220	msedge.exe
220	msedge.exe
220	msedge.exe
220	msedge.exe
220	msedge.exe
220	msedge.exe
220	msedge.exe
220	msedge.exe
220	msedge.exe
220	msedge.exe
220	msedge.exe
220	msedge.exe
220	msedge.exe
220	msedge.exe
220	msedge.exe
220	msedge.exe
220	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

SecuriteInfo.com.Variant.Lazy.397537.29059.exeExplorer.EXEF760.exex2426292.exex7708006.exex3960767.exeFAAD.exeg4888851.exeFDFA.exe

description	pid	process	target process
PID 3208 wrote to memory of 2020	3208	SecuriteInfo.com.Variant.Lazy.397537.29059.exe	AppLaunch.exe
PID 3208 wrote to memory of 2020	3208	SecuriteInfo.com.Variant.Lazy.397537.29059.exe	AppLaunch.exe
PID 3208 wrote to memory of 2020	3208	SecuriteInfo.com.Variant.Lazy.397537.29059.exe	AppLaunch.exe
PID 3208 wrote to memory of 5084	3208	SecuriteInfo.com.Variant.Lazy.397537.29059.exe	AppLaunch.exe
PID 3208 wrote to memory of 5084	3208	SecuriteInfo.com.Variant.Lazy.397537.29059.exe	AppLaunch.exe
PID 3208 wrote to memory of 5084	3208	SecuriteInfo.com.Variant.Lazy.397537.29059.exe	AppLaunch.exe
PID 3208 wrote to memory of 5092	3208	SecuriteInfo.com.Variant.Lazy.397537.29059.exe	AppLaunch.exe
PID 3208 wrote to memory of 5092	3208	SecuriteInfo.com.Variant.Lazy.397537.29059.exe	AppLaunch.exe
PID 3208 wrote to memory of 5092	3208	SecuriteInfo.com.Variant.Lazy.397537.29059.exe	AppLaunch.exe
PID 3208 wrote to memory of 5092	3208	SecuriteInfo.com.Variant.Lazy.397537.29059.exe	AppLaunch.exe
PID 3208 wrote to memory of 5092	3208	SecuriteInfo.com.Variant.Lazy.397537.29059.exe	AppLaunch.exe
PID 3208 wrote to memory of 5092	3208	SecuriteInfo.com.Variant.Lazy.397537.29059.exe	AppLaunch.exe
PID 3168 wrote to memory of 1492	3168	Explorer.EXE	F760.exe
PID 3168 wrote to memory of 1492	3168	Explorer.EXE	F760.exe
PID 3168 wrote to memory of 1492	3168	Explorer.EXE	F760.exe
PID 3168 wrote to memory of 1896	3168	Explorer.EXE	FAAD.exe
PID 3168 wrote to memory of 1896	3168	Explorer.EXE	FAAD.exe
PID 3168 wrote to memory of 1896	3168	Explorer.EXE	FAAD.exe
PID 1492 wrote to memory of 3420	1492	F760.exe	x2426292.exe
PID 1492 wrote to memory of 3420	1492	F760.exe	x2426292.exe
PID 1492 wrote to memory of 3420	1492	F760.exe	x2426292.exe
PID 3420 wrote to memory of 3104	3420	x2426292.exe	x7708006.exe
PID 3420 wrote to memory of 3104	3420	x2426292.exe	x7708006.exe
PID 3420 wrote to memory of 3104	3420	x2426292.exe	x7708006.exe
PID 3104 wrote to memory of 3612	3104	x7708006.exe	x3960767.exe
PID 3104 wrote to memory of 3612	3104	x7708006.exe	x3960767.exe
PID 3104 wrote to memory of 3612	3104	x7708006.exe	x3960767.exe
PID 3612 wrote to memory of 4636	3612	x3960767.exe	g4888851.exe
PID 3612 wrote to memory of 4636	3612	x3960767.exe	g4888851.exe
PID 3612 wrote to memory of 4636	3612	x3960767.exe	g4888851.exe
PID 3168 wrote to memory of 4708	3168	Explorer.EXE	cmd.exe
PID 3168 wrote to memory of 4708	3168	Explorer.EXE	cmd.exe
PID 1896 wrote to memory of 976	1896	FAAD.exe	AppLaunch.exe
PID 1896 wrote to memory of 976	1896	FAAD.exe	AppLaunch.exe
PID 1896 wrote to memory of 976	1896	FAAD.exe	AppLaunch.exe
PID 1896 wrote to memory of 976	1896	FAAD.exe	AppLaunch.exe
PID 1896 wrote to memory of 976	1896	FAAD.exe	AppLaunch.exe
PID 1896 wrote to memory of 976	1896	FAAD.exe	AppLaunch.exe
PID 1896 wrote to memory of 976	1896	FAAD.exe	AppLaunch.exe
PID 1896 wrote to memory of 976	1896	FAAD.exe	AppLaunch.exe
PID 1896 wrote to memory of 976	1896	FAAD.exe	AppLaunch.exe
PID 1896 wrote to memory of 976	1896	FAAD.exe	AppLaunch.exe
PID 4636 wrote to memory of 4856	4636	g4888851.exe	AppLaunch.exe
PID 4636 wrote to memory of 4856	4636	g4888851.exe	AppLaunch.exe
PID 4636 wrote to memory of 4856	4636	g4888851.exe	AppLaunch.exe
PID 4636 wrote to memory of 4856	4636	g4888851.exe	AppLaunch.exe
PID 4636 wrote to memory of 4856	4636	g4888851.exe	AppLaunch.exe
PID 4636 wrote to memory of 4856	4636	g4888851.exe	AppLaunch.exe
PID 4636 wrote to memory of 4856	4636	g4888851.exe	AppLaunch.exe
PID 4636 wrote to memory of 4856	4636	g4888851.exe	AppLaunch.exe
PID 4636 wrote to memory of 4856	4636	g4888851.exe	AppLaunch.exe
PID 4636 wrote to memory of 4856	4636	g4888851.exe	AppLaunch.exe
PID 3168 wrote to memory of 1540	3168	Explorer.EXE	FDFA.exe
PID 3168 wrote to memory of 1540	3168	Explorer.EXE	FDFA.exe
PID 3168 wrote to memory of 1540	3168	Explorer.EXE	FDFA.exe
PID 3168 wrote to memory of 2684	3168	Explorer.EXE	FEA7.exe
PID 3168 wrote to memory of 2684	3168	Explorer.EXE	FEA7.exe
PID 1540 wrote to memory of 2064	1540	FDFA.exe	AppLaunch.exe
PID 1540 wrote to memory of 2064	1540	FDFA.exe	AppLaunch.exe
PID 1540 wrote to memory of 2064	1540	FDFA.exe	AppLaunch.exe
PID 1540 wrote to memory of 2064	1540	FDFA.exe	AppLaunch.exe
PID 1540 wrote to memory of 2064	1540	FDFA.exe	AppLaunch.exe
PID 1540 wrote to memory of 2064	1540	FDFA.exe	AppLaunch.exe
PID 1540 wrote to memory of 2064	1540	FDFA.exe	AppLaunch.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3168

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Lazy.397537.29059.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Lazy.397537.29059.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3208

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
3⤵
PID:2020

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
3⤵
PID:5084

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
3⤵
- DcRat
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:5092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3208 -s 292
3⤵
- Program crash
PID:2428

C:\Users\Admin\AppData\Local\Temp\F760.exe
C:\Users\Admin\AppData\Local\Temp\F760.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1492

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2426292.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2426292.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3420

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7708006.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7708006.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3104

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x3960767.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x3960767.exe
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3612

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g4888851.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g4888851.exe
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4636

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
7⤵
PID:4856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4856 -s 540
8⤵
- Program crash
PID:3028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4636 -s 152
7⤵
- Program crash
PID:3444

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h1794779.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h1794779.exe
6⤵
- Executes dropped EXE
PID:3052

C:\Users\Admin\AppData\Local\Temp\FAAD.exe
C:\Users\Admin\AppData\Local\Temp\FAAD.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1896

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
3⤵
PID:976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1896 -s 268
3⤵
- Program crash
PID:556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FBD7.bat" "
2⤵
PID:4708

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
3⤵
PID:1984

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7fffbdfc46f8,0x7fffbdfc4708,0x7fffbdfc4718
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4344

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2176,9621094559240463541,11700085502788868236,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2240 /prefetch:3
4⤵
PID:5296

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2176,9621094559240463541,11700085502788868236,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2188 /prefetch:2
4⤵
PID:5288

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
3⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:220

C:\Users\Admin\AppData\Local\Temp\FDFA.exe
C:\Users\Admin\AppData\Local\Temp\FDFA.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1540

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
3⤵
PID:2064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1540 -s 136
3⤵
- Program crash
PID:3760

C:\Users\Admin\AppData\Local\Temp\FEA7.exe
C:\Users\Admin\AppData\Local\Temp\FEA7.exe
2⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious use of AdjustPrivilegeToken
PID:2684

C:\Users\Admin\AppData\Local\Temp\FF73.exe
C:\Users\Admin\AppData\Local\Temp\FF73.exe
2⤵
PID:3784

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
PID:3640

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F
4⤵
- DcRat
- Creates scheduled task(s)
PID:2272

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit
4⤵
PID:944

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:908

C:\Windows\SysWOW64\cacls.exe
CACLS "explothe.exe" /P "Admin:N"
5⤵
PID:3760

C:\Windows\SysWOW64\cacls.exe
CACLS "explothe.exe" /P "Admin:R" /E
5⤵
PID:1644

C:\Windows\SysWOW64\cacls.exe
CACLS "..\fefffe8cea" /P "Admin:R" /E
5⤵
PID:896

C:\Windows\SysWOW64\cacls.exe
CACLS "..\fefffe8cea" /P "Admin:N"
5⤵
PID:2016

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:3768

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
4⤵
- Loads dropped DLL
PID:5820

C:\Users\Admin\AppData\Local\Temp\86D.exe
C:\Users\Admin\AppData\Local\Temp\86D.exe
2⤵
- Executes dropped EXE
PID:1504

C:\Users\Admin\AppData\Local\Temp\1223.exe
C:\Users\Admin\AppData\Local\Temp\1223.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
PID:3772

C:\Users\Admin\AppData\Local\Temp\ss41.exe
"C:\Users\Admin\AppData\Local\Temp\ss41.exe"
3⤵
- Executes dropped EXE
PID:4400

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
3⤵
- Executes dropped EXE
PID:3920

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
PID:5264

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
4⤵
- Executes dropped EXE
- Checks for VirtualBox DLLs, possible anti-VM trick
- Modifies data under HKEY_USERS
PID:5776

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:5824

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
5⤵
PID:2128

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
6⤵
- Modifies Windows Firewall
PID:1876

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
- Modifies data under HKEY_USERS
PID:3788

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
PID:5168

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
5⤵
PID:4744

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
6⤵
PID:5152

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
6⤵
- DcRat
- Creates scheduled task(s)
PID:3908

C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
6⤵
PID:5572

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
6⤵
PID:5512

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
6⤵
PID:5664

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
6⤵
PID:5424

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
6⤵
- DcRat
- Creates scheduled task(s)
PID:5760

C:\Users\Admin\AppData\Local\Temp\kos1.exe
"C:\Users\Admin\AppData\Local\Temp\kos1.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
PID:3784

C:\Users\Admin\AppData\Local\Temp\set16.exe
"C:\Users\Admin\AppData\Local\Temp\set16.exe"
4⤵
- Executes dropped EXE
PID:1796

C:\Users\Admin\AppData\Local\Temp\is-S0F7L.tmp\is-2BE7G.tmp
"C:\Users\Admin\AppData\Local\Temp\is-S0F7L.tmp\is-2BE7G.tmp" /SL4 $120160 "C:\Users\Admin\AppData\Local\Temp\set16.exe" 1232936 52224
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
PID:3896

C:\Program Files (x86)\PA Previewer\previewer.exe
"C:\Program Files (x86)\PA Previewer\previewer.exe" -i
6⤵
PID:1636

C:\Windows\SysWOW64\net.exe
"C:\Windows\system32\net.exe" helpmsg 8
6⤵
PID:4728

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 helpmsg 8
7⤵
PID:1924

C:\Program Files (x86)\PA Previewer\previewer.exe
"C:\Program Files (x86)\PA Previewer\previewer.exe" -s
6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:640

C:\Users\Admin\AppData\Local\Temp\kos.exe
"C:\Users\Admin\AppData\Local\Temp\kos.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1656

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3340

C:\Users\Admin\AppData\Local\Temp\14A4.exe
C:\Users\Admin\AppData\Local\Temp\14A4.exe
2⤵
- Executes dropped EXE
PID:4692

C:\Users\Admin\AppData\Local\Temp\1736.exe
C:\Users\Admin\AppData\Local\Temp\1736.exe
2⤵
PID:4344

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:1156

C:\Users\Admin\AppData\Local\Temp\237B.exe
C:\Users\Admin\AppData\Local\Temp\237B.exe
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
PID:4016

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
2⤵
PID:6020

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
3⤵
PID:5148

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
3⤵
PID:2228

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
3⤵
PID:5276

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
3⤵
PID:4808

C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /delete /f /tn "GoogleUpdateTaskMachineQC"
2⤵
PID:6028

C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /create /f /tn "GoogleUpdateTaskMachineQC" /xml "C:\Users\Admin\AppData\Local\Temp\starkrqppzsg.xml"
2⤵
- DcRat
- Creates scheduled task(s)
PID:6116

C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
2⤵
PID:4516

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
2⤵
PID:5376

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
3⤵
PID:5616

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
3⤵
PID:5024

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
3⤵
PID:5128

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
3⤵
PID:5664

C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /create /f /tn "GoogleUpdateTaskMachineQC" /xml "C:\Users\Admin\AppData\Local\Temp\starkrqppzsg.xml"
2⤵
- DcRat
- Creates scheduled task(s)
PID:3040

C:\Windows\explorer.exe
C:\Windows\explorer.exe
2⤵
PID:5680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3208 -ip 3208
1⤵
PID:3944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 1896 -ip 1896
1⤵
PID:4124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4856 -ip 4856
1⤵
PID:4344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4636 -ip 4636
1⤵
PID:1660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 1540 -ip 1540
1⤵
PID:5100

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:3452

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7fffbdfc46f8,0x7fffbdfc4708,0x7fffbdfc4718
1⤵
PID:3828

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2200,17806311033787899290,2612397446298450258,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2692 /prefetch:8
1⤵
PID:2268

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,17806311033787899290,2612397446298450258,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
1⤵
PID:4148

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,17806311033787899290,2612397446298450258,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1636

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2200,17806311033787899290,2612397446298450258,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2264 /prefetch:3
1⤵
PID:4700

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2200,17806311033787899290,2612397446298450258,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2212 /prefetch:2
1⤵
PID:1960

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5256

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5468

C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe
C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4392

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
1⤵
- Executes dropped EXE
PID:1732

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

T1064

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Scripting

T1064

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\PA Previewer\previewer.exe
Filesize
1.9MB

MD5
27b85a95804a760da4dbee7ca800c9b4

SHA1
f03136226bf3dd38ba0aa3aad1127ccab380197c

SHA256
f98b98404ecf3871a10a290ade21ad77d0b2633f47247debc53d094b9bdff245

SHA512
e760a15370272aa9541f1afceaaf4f5a8068dad21c6a8d50ebd01514e16bbc8f867c8af349080f3d1fa7a19eafe7cde74921d01716dea69ef801da1b74eae4a7

Download Submit
C:\Program Files (x86)\PA Previewer\previewer.exe
Filesize
1.9MB

MD5
27b85a95804a760da4dbee7ca800c9b4

SHA1
f03136226bf3dd38ba0aa3aad1127ccab380197c

SHA256
f98b98404ecf3871a10a290ade21ad77d0b2633f47247debc53d094b9bdff245

SHA512
e760a15370272aa9541f1afceaaf4f5a8068dad21c6a8d50ebd01514e16bbc8f867c8af349080f3d1fa7a19eafe7cde74921d01716dea69ef801da1b74eae4a7

Download Submit
C:\Program Files (x86)\PA Previewer\previewer.exe
Filesize
1.9MB

MD5
27b85a95804a760da4dbee7ca800c9b4

SHA1
f03136226bf3dd38ba0aa3aad1127ccab380197c

SHA256
f98b98404ecf3871a10a290ade21ad77d0b2633f47247debc53d094b9bdff245

SHA512
e760a15370272aa9541f1afceaaf4f5a8068dad21c6a8d50ebd01514e16bbc8f867c8af349080f3d1fa7a19eafe7cde74921d01716dea69ef801da1b74eae4a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
c126b33f65b7fc4ece66e42d6802b02e

SHA1
2a169a1c15e5d3dab708344661ec04d7339bcb58

SHA256
ca9d2a9ab8047067c8a78be0a7e7af94af34957875de8e640cf2f98b994f52d8

SHA512
eecbe3f0017e902639e0ecb8256ae62bf681bb5f80a7cddc9008d2571fe34d91828dfaee9a8df5a7166f337154232b9ea966c83561ace45d1e2923411702e822

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
db9dbef3f8b1f616429f605c1ebca2f0

SHA1
ffba76f0836c024828d4ff1982cc4240c41a8f16

SHA256
3e0297327872058355ac041a5e0fc83ed017faee0f6c0105b44bb3e5399a93a1

SHA512
4eedc387fe304f27f9d52ff5d71461c7f22147f7a8c18b8e7982acb76515528a36486a567451daafe093f9563b133c6799f2ad046e04256ccb46c83eb99e86c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
db9dbef3f8b1f616429f605c1ebca2f0

SHA1
ffba76f0836c024828d4ff1982cc4240c41a8f16

SHA256
3e0297327872058355ac041a5e0fc83ed017faee0f6c0105b44bb3e5399a93a1

SHA512
4eedc387fe304f27f9d52ff5d71461c7f22147f7a8c18b8e7982acb76515528a36486a567451daafe093f9563b133c6799f2ad046e04256ccb46c83eb99e86c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
db9dbef3f8b1f616429f605c1ebca2f0

SHA1
ffba76f0836c024828d4ff1982cc4240c41a8f16

SHA256
3e0297327872058355ac041a5e0fc83ed017faee0f6c0105b44bb3e5399a93a1

SHA512
4eedc387fe304f27f9d52ff5d71461c7f22147f7a8c18b8e7982acb76515528a36486a567451daafe093f9563b133c6799f2ad046e04256ccb46c83eb99e86c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
db9dbef3f8b1f616429f605c1ebca2f0

SHA1
ffba76f0836c024828d4ff1982cc4240c41a8f16

SHA256
3e0297327872058355ac041a5e0fc83ed017faee0f6c0105b44bb3e5399a93a1

SHA512
4eedc387fe304f27f9d52ff5d71461c7f22147f7a8c18b8e7982acb76515528a36486a567451daafe093f9563b133c6799f2ad046e04256ccb46c83eb99e86c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
db9dbef3f8b1f616429f605c1ebca2f0

SHA1
ffba76f0836c024828d4ff1982cc4240c41a8f16

SHA256
3e0297327872058355ac041a5e0fc83ed017faee0f6c0105b44bb3e5399a93a1

SHA512
4eedc387fe304f27f9d52ff5d71461c7f22147f7a8c18b8e7982acb76515528a36486a567451daafe093f9563b133c6799f2ad046e04256ccb46c83eb99e86c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
f8f73e9936e3783314f8dc058009d8ee

SHA1
60fba26808c84f1f51cf37a206f75c6c70819d29

SHA256
ec03c59e3fe4c3d93a33f778f8d909497aff7bf6541fe8e445562202cdb7f752

SHA512
733d3b3ec25b83fd12eb282085e04d4316123caf2091aac98d84dea1bd4803697106cbcc99abfa21090b3d090b6314533a7855729c6b83c3d8e64d943500c09c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
b982ea5a1c0592d75256f23e138f754b

SHA1
dc4788b9cfd2c94031cfd9f07a1e6e27ff4ec8fa

SHA256
530ead98bfa224fbbf7aa529ed3b20bccd39586b3aa6b8bc485b0b688ffd83fb

SHA512
3298ab6c4f15fabd973374f2fddc8e9ea372794849328e2fc038218318d7b30096271308370e9b87f67228898f30c8784453516e5beda1c7d73b8fe9c5485734

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
Filesize
24KB

MD5
1ae6e0df23f0f154936229bfeccd916a

SHA1
edc653ebe640c334e2c8f9e1b9aacab0ce39e1b2

SHA256
013e3785d9da42ab54c5424cb01587d0f715bc270aa84637f03320e46d5093a9

SHA512
452e2dcbd665036dcf7e3614d924cf82d32cbe1802313912348e380ca396e33fc2b24ca6abf4f99000396de35463bedc6292b572e8cc4d04d230f54d6379391c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
3a0fdc1eb4c9f0d5ebe1c3cc9ba995db

SHA1
20fa3e8f730c931f71efde1f37586046aba06cd9

SHA256
8a74d83895f36a39c271f654f9d75f94d94163342760ea70141e3c1d68d2a438

SHA512
042b5093fcf26c0269b15841f70d45cdce88502d7605565a9752ee9859c49fbbb700612cf31556bebd66f69fb641e864a9562f15b01ddcb0ed63594117660959

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
3a0fdc1eb4c9f0d5ebe1c3cc9ba995db

SHA1
20fa3e8f730c931f71efde1f37586046aba06cd9

SHA256
8a74d83895f36a39c271f654f9d75f94d94163342760ea70141e3c1d68d2a438

SHA512
042b5093fcf26c0269b15841f70d45cdce88502d7605565a9752ee9859c49fbbb700612cf31556bebd66f69fb641e864a9562f15b01ddcb0ed63594117660959

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
3KB

MD5
683af261e5f8a3510b7f62c7181a7904

SHA1
3cf5a3967d9e5bb12fa9d2013239e0d0df2185e6

SHA256
743d8b2b88867799469f0b6cf11eba9c53d6cec34f8c51cb8aea77a257b35238

SHA512
8d4c426515c079c3e061399746953867eeb419fa0c2bda5757a6282bca5b601c9d35c1bca4cccf266fce3cacecca2e67e6befb4378f2037f7020091ded712c24

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1
Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Temp\1223.exe
Filesize
6.4MB

MD5
3c81534d635fbe4bfab2861d98422f70

SHA1
9cc995fa42313cd82eacaad9e3fe818cd3805f58

SHA256
88921dad96a51ff9f15a1d93b51910b2ac75589020fbb75956b6f090381d4d4f

SHA512
132fa532fad96b512b795cf4786245cc24bbdbbab433bf34925cf20401a819cab7bed92771e7f0b4c970535804d42f7f1d2887765ed8f999c99a0e15d93a0136

Download Submit
C:\Users\Admin\AppData\Local\Temp\1223.exe
Filesize
6.4MB

MD5
3c81534d635fbe4bfab2861d98422f70

SHA1
9cc995fa42313cd82eacaad9e3fe818cd3805f58

SHA256
88921dad96a51ff9f15a1d93b51910b2ac75589020fbb75956b6f090381d4d4f

SHA512
132fa532fad96b512b795cf4786245cc24bbdbbab433bf34925cf20401a819cab7bed92771e7f0b4c970535804d42f7f1d2887765ed8f999c99a0e15d93a0136

Download Submit
C:\Users\Admin\AppData\Local\Temp\14A4.exe
Filesize
341KB

MD5
53df0c8b56120e03e1657e366720ecd9

SHA1
a09ccc5dfa35fe46f1203e5e95c3025ff2f0930d

SHA256
bc3a7ba547b8a0f5cc6be6748eb9fa06ae2d09ca4b3c158add5e4868197c72ff

SHA512
b940864beb7a9d300173e98e343a7d21bef9b3aa48f3d198816b8e9909463f35354312ffb699893e27ef312504d1ddcad9288792ec2492086d3716d217c1011b

Download Submit
C:\Users\Admin\AppData\Local\Temp\14A4.exe
Filesize
341KB

MD5
53df0c8b56120e03e1657e366720ecd9

SHA1
a09ccc5dfa35fe46f1203e5e95c3025ff2f0930d

SHA256
bc3a7ba547b8a0f5cc6be6748eb9fa06ae2d09ca4b3c158add5e4868197c72ff

SHA512
b940864beb7a9d300173e98e343a7d21bef9b3aa48f3d198816b8e9909463f35354312ffb699893e27ef312504d1ddcad9288792ec2492086d3716d217c1011b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1736.exe
Filesize
1.0MB

MD5
31c3b0ab9b83cafb8eb3a7890e2d05ca

SHA1
5ae01358b1c88a6a0ef5d240abdc756835fdb572

SHA256
35f7e6ac149538b9ec2b1286dd43d4fb9e78aa78a4b74c64cd4194d7bc5cb215

SHA512
b727cf5777a7e4fe338ed81ce66bdec626ffd3226a332157a780cc1ff499cb0b17b8f339c21f7d99f42bc7ddc951d3ac5139d05e34c2f7e81582ec84f3989e63

Download Submit
C:\Users\Admin\AppData\Local\Temp\1736.exe
Filesize
1.0MB

MD5
31c3b0ab9b83cafb8eb3a7890e2d05ca

SHA1
5ae01358b1c88a6a0ef5d240abdc756835fdb572

SHA256
35f7e6ac149538b9ec2b1286dd43d4fb9e78aa78a4b74c64cd4194d7bc5cb215

SHA512
b727cf5777a7e4fe338ed81ce66bdec626ffd3226a332157a780cc1ff499cb0b17b8f339c21f7d99f42bc7ddc951d3ac5139d05e34c2f7e81582ec84f3989e63

Download Submit
C:\Users\Admin\AppData\Local\Temp\237B.exe
Filesize
5.2MB

MD5
d381d9db9cbd1b60afdfb4f05e52a775

SHA1
d59c52583ca791e07f3e6aec2ee2590ab9bfd67e

SHA256
3e488cd6f6cc7b35713c321dc58b63fa95ba9c69248008109b7bf9a543add7e9

SHA512
cebe8732fbcdc7d5672667d94473245377780e7cce940f5162789fcb6684c49b3c9c9cef6d7aff3cb005d614e32c228fe958011ee27d5063ca488b28b594d861

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
Filesize
4.2MB

MD5
7ea584dc49967de03bebdacec829b18d

SHA1
3d47f0e88c7473bedeed2f14d7a8db1318b93852

SHA256
79232c763bddf5c7fc4ca2e1597b8a5cd38902241d689ac1e69f7418a8077a53

SHA512
ed57aca6b892cb0229708690df16739e0a976ce28112128c9b4f4e4f06019c4fbe6675cb82a639837ae3374acdc0ee9fdb86b5b28151ccc8c7ed2aeff350fcb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
Filesize
4.2MB

MD5
7ea584dc49967de03bebdacec829b18d

SHA1
3d47f0e88c7473bedeed2f14d7a8db1318b93852

SHA256
79232c763bddf5c7fc4ca2e1597b8a5cd38902241d689ac1e69f7418a8077a53

SHA512
ed57aca6b892cb0229708690df16739e0a976ce28112128c9b4f4e4f06019c4fbe6675cb82a639837ae3374acdc0ee9fdb86b5b28151ccc8c7ed2aeff350fcb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
Filesize
4.2MB

MD5
7ea584dc49967de03bebdacec829b18d

SHA1
3d47f0e88c7473bedeed2f14d7a8db1318b93852

SHA256
79232c763bddf5c7fc4ca2e1597b8a5cd38902241d689ac1e69f7418a8077a53

SHA512
ed57aca6b892cb0229708690df16739e0a976ce28112128c9b4f4e4f06019c4fbe6675cb82a639837ae3374acdc0ee9fdb86b5b28151ccc8c7ed2aeff350fcb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\86D.exe
Filesize
407KB

MD5
ab42dd45f0015269d23c14792397617f

SHA1
0d6a95083466527b58b87fcfa2ba182758c534b3

SHA256
53bc1e571f46bd27d5eb5130efb564ffaa9644d1f8b5bb23e24e0f1d006ec14f

SHA512
67d76904b2015d2368b272a0c974f712b8840b26aed555b52443a96387b0f95df5ed8523e732261f7ac8916c27a1ce1c3d3e0abc9e0b501efcf83193e91b37a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\86D.exe
Filesize
407KB

MD5
ab42dd45f0015269d23c14792397617f

SHA1
0d6a95083466527b58b87fcfa2ba182758c534b3

SHA256
53bc1e571f46bd27d5eb5130efb564ffaa9644d1f8b5bb23e24e0f1d006ec14f

SHA512
67d76904b2015d2368b272a0c974f712b8840b26aed555b52443a96387b0f95df5ed8523e732261f7ac8916c27a1ce1c3d3e0abc9e0b501efcf83193e91b37a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\F760.exe
Filesize
842KB

MD5
a07c28bde965f11b2878133c4bbb7c80

SHA1
cfc37932426514f48bdff5e2570fb67dcfd43468

SHA256
d8682ab6d31732d201e8314106c3ee1fbb0ce61c300bd0f9bfb9ac08a2c2b284

SHA512
4afbb9f9c6f3294f9d8cd6df8765b8e74b5ffbf2557f32102c5d28b21af454c9fc733e7385916bce5ff57ba6c2f24ddac2495f4d9e935f79bba459c62ee0c862

Download Submit
C:\Users\Admin\AppData\Local\Temp\F760.exe
Filesize
842KB

MD5
a07c28bde965f11b2878133c4bbb7c80

SHA1
cfc37932426514f48bdff5e2570fb67dcfd43468

SHA256
d8682ab6d31732d201e8314106c3ee1fbb0ce61c300bd0f9bfb9ac08a2c2b284

SHA512
4afbb9f9c6f3294f9d8cd6df8765b8e74b5ffbf2557f32102c5d28b21af454c9fc733e7385916bce5ff57ba6c2f24ddac2495f4d9e935f79bba459c62ee0c862

Download Submit
C:\Users\Admin\AppData\Local\Temp\FAAD.exe
Filesize
276KB

MD5
86f901b5d37e0ba33b43605eb3b59607

SHA1
55ab47e93a5f7c001a3e5030112985a1b61c80e1

SHA256
719e7f20850766f55e905825a6e856c33f686c95c7538e436b7e9c566146f7d5

SHA512
04e31c47561d9e159dd3c069823e9b5a3683e5ce14e92474069d7a485c7fea445ddea004761af8343786c1656e228f7832150534dc6ae26f9905df1059a5140b

Download Submit
C:\Users\Admin\AppData\Local\Temp\FAAD.exe
Filesize
276KB

MD5
86f901b5d37e0ba33b43605eb3b59607

SHA1
55ab47e93a5f7c001a3e5030112985a1b61c80e1

SHA256
719e7f20850766f55e905825a6e856c33f686c95c7538e436b7e9c566146f7d5

SHA512
04e31c47561d9e159dd3c069823e9b5a3683e5ce14e92474069d7a485c7fea445ddea004761af8343786c1656e228f7832150534dc6ae26f9905df1059a5140b

Download Submit
C:\Users\Admin\AppData\Local\Temp\FBD7.bat
Filesize
79B

MD5
403991c4d18ac84521ba17f264fa79f2

SHA1
850cc068de0963854b0fe8f485d951072474fd45

SHA256
ef6e942aefe925fefac19fa816986ea25de6935c4f377c717e29b94e65f9019f

SHA512
a20aaa77065d30195e5893f2ff989979383c8d7f82d9e528d4833b1c1236aef4f85284f5250d0f190a174790b650280ffe1fbff7e00c98024ccf5ca746e5b576

Download Submit
C:\Users\Admin\AppData\Local\Temp\FDFA.exe
Filesize
310KB

MD5
29949b56cba6b89e6266ee9a92798026

SHA1
1faa37a1bb4cb14128bcceb8023ef6445b1d2df1

SHA256
08d1731720a6a6f02f7b1b18bf6b48dcf956b26ac239cec21c0a066f9b84cc07

SHA512
ac98640ad2a8735bc5a8a2dc01f81d3c28c649b45f90462a415d79d8cf6d292649a165aff51812846600d757f70b1e182a8a671f83669fe72d309502b15f873c

Download Submit
C:\Users\Admin\AppData\Local\Temp\FDFA.exe
Filesize
310KB

MD5
29949b56cba6b89e6266ee9a92798026

SHA1
1faa37a1bb4cb14128bcceb8023ef6445b1d2df1

SHA256
08d1731720a6a6f02f7b1b18bf6b48dcf956b26ac239cec21c0a066f9b84cc07

SHA512
ac98640ad2a8735bc5a8a2dc01f81d3c28c649b45f90462a415d79d8cf6d292649a165aff51812846600d757f70b1e182a8a671f83669fe72d309502b15f873c

Download Submit
C:\Users\Admin\AppData\Local\Temp\FEA7.exe
Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\FEA7.exe
Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\FF73.exe
Filesize
219KB

MD5
4bd59a6b3207f99fc3435baf3c22bc4e

SHA1
ae90587beed289f177f4143a8380ba27109d0a6f

SHA256
08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236

SHA512
ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

Download Submit
C:\Users\Admin\AppData\Local\Temp\FF73.exe
Filesize
219KB

MD5
4bd59a6b3207f99fc3435baf3c22bc4e

SHA1
ae90587beed289f177f4143a8380ba27109d0a6f

SHA256
08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236

SHA512
ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2426292.exe
Filesize
747KB

MD5
ca42c052d5b62daf640d7f58ffa8012b

SHA1
7910389205ac156517b101929946487f9e06e137

SHA256
9644983cb74a03a2aa59287cf392602441351867f8337549ddb22aa7bc0d04de

SHA512
c7654a3a3beeb9ebb11dc24d2d0aa6785375406f0959542c17806f4d6bfac445c58529220dde131aaf50da63da769c1123ae192034b5294524340dfddcde98cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2426292.exe
Filesize
747KB

MD5
ca42c052d5b62daf640d7f58ffa8012b

SHA1
7910389205ac156517b101929946487f9e06e137

SHA256
9644983cb74a03a2aa59287cf392602441351867f8337549ddb22aa7bc0d04de

SHA512
c7654a3a3beeb9ebb11dc24d2d0aa6785375406f0959542c17806f4d6bfac445c58529220dde131aaf50da63da769c1123ae192034b5294524340dfddcde98cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7708006.exe
Filesize
516KB

MD5
2c92ab862f5c2f268ba0b65dbc39833a

SHA1
9d0b1a12706a6d88d2027e04e71c0af00138f2bb

SHA256
cbb32a5ed4ba58bba0fd6339a32ecfd7e9445a6a03290aade0aea334fa398c50

SHA512
9f703eb1f07f13fc34f2fbd30e34bb2fb3450bbc098794638ffae2a3b5b66c1d167899ea4c50c5f8ffc6ad9dd64ca25b583bf50129d7fb6b4a1e6a5fa9a323fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7708006.exe
Filesize
516KB

MD5
2c92ab862f5c2f268ba0b65dbc39833a

SHA1
9d0b1a12706a6d88d2027e04e71c0af00138f2bb

SHA256
cbb32a5ed4ba58bba0fd6339a32ecfd7e9445a6a03290aade0aea334fa398c50

SHA512
9f703eb1f07f13fc34f2fbd30e34bb2fb3450bbc098794638ffae2a3b5b66c1d167899ea4c50c5f8ffc6ad9dd64ca25b583bf50129d7fb6b4a1e6a5fa9a323fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x3960767.exe
Filesize
350KB

MD5
95f8d18f7ada4b285644598fe6ad8015

SHA1
a3bb6834b1f6af280f2cbff74aaa59f1d846ac89

SHA256
14c667b102e8a2607aa49f65b626ce1e4b47d3c1eee7aa338c33d346848460fc

SHA512
7c2afdad28cf94d44071e5a7cf669bf8a3fd2366d5c875b0bfc2a36cb78dfda96bb47e7a0180d961e7b830b1c8382e8dd9d7e84b719845b375ba70abdf3af0de

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x3960767.exe
Filesize
350KB

MD5
95f8d18f7ada4b285644598fe6ad8015

SHA1
a3bb6834b1f6af280f2cbff74aaa59f1d846ac89

SHA256
14c667b102e8a2607aa49f65b626ce1e4b47d3c1eee7aa338c33d346848460fc

SHA512
7c2afdad28cf94d44071e5a7cf669bf8a3fd2366d5c875b0bfc2a36cb78dfda96bb47e7a0180d961e7b830b1c8382e8dd9d7e84b719845b375ba70abdf3af0de

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g4888851.exe
Filesize
276KB

MD5
10e8671ffe86e59b2fe0b2df12a5e440

SHA1
b3fa7f7dfb6200e4c85897f7bafd7332feb3ecd8

SHA256
2cfe41188ed39d1c3638a7c28234ce554d3454a2148883d5dae4f2c2cd7bf620

SHA512
689c0721e02d1e86e05222ca5cd7bf20d33b8669ffbb7bd45784f9e88f2211ed61fcff8809cfa236c5974372c6f35d436b5fb57c9cb7e37a8bc9ec7dead7a3a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g4888851.exe
Filesize
276KB

MD5
10e8671ffe86e59b2fe0b2df12a5e440

SHA1
b3fa7f7dfb6200e4c85897f7bafd7332feb3ecd8

SHA256
2cfe41188ed39d1c3638a7c28234ce554d3454a2148883d5dae4f2c2cd7bf620

SHA512
689c0721e02d1e86e05222ca5cd7bf20d33b8669ffbb7bd45784f9e88f2211ed61fcff8809cfa236c5974372c6f35d436b5fb57c9cb7e37a8bc9ec7dead7a3a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h1794779.exe
Filesize
174KB

MD5
ee9daf06e494a000acf8c1a0af54e859

SHA1
221a848d92cdf4efd125c422dc0a3d1dbe822561

SHA256
0375d30432cf2075ed6c0fe3d7e244f3a08bcf76e6c13bf195f357db6ca41435

SHA512
1371e464da588620b8c59a2fe7d1f0f0444794d9248340d1703583d565d76eec80f2cd6d660bceec78421f494b2cf7a58692b344dcbc02adc465c2f8289b20de

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h1794779.exe
Filesize
174KB

MD5
ee9daf06e494a000acf8c1a0af54e859

SHA1
221a848d92cdf4efd125c422dc0a3d1dbe822561

SHA256
0375d30432cf2075ed6c0fe3d7e244f3a08bcf76e6c13bf195f357db6ca41435

SHA512
1371e464da588620b8c59a2fe7d1f0f0444794d9248340d1703583d565d76eec80f2cd6d660bceec78421f494b2cf7a58692b344dcbc02adc465c2f8289b20de

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_u3rmispn.ucp.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
Filesize
219KB

MD5
4bd59a6b3207f99fc3435baf3c22bc4e

SHA1
ae90587beed289f177f4143a8380ba27109d0a6f

SHA256
08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236

SHA512
ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
Filesize
219KB

MD5
4bd59a6b3207f99fc3435baf3c22bc4e

SHA1
ae90587beed289f177f4143a8380ba27109d0a6f

SHA256
08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236

SHA512
ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
Filesize
219KB

MD5
4bd59a6b3207f99fc3435baf3c22bc4e

SHA1
ae90587beed289f177f4143a8380ba27109d0a6f

SHA256
08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236

SHA512
ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-HSDD8.tmp\_isetup\_iscrypt.dll
Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-HSDD8.tmp\_isetup\_isdecmp.dll
Filesize
32KB

MD5
b4786eb1e1a93633ad1b4c112514c893

SHA1
734750b771d0809c88508e4feb788d7701e6dada

SHA256
2ae4169f721beb389a661e6dbb18bc84ef38556af1f46807da9d87aec2a6f06f

SHA512
0882d2aa163ece22796f837111db0d55158098035005e57cd2e9b8d59dc2e582207840bf98bee534b81c368acf60ab5d8ecbe762209273bda067a215cdb2c0c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-HSDD8.tmp\_isetup\_isdecmp.dll
Filesize
32KB

MD5
b4786eb1e1a93633ad1b4c112514c893

SHA1
734750b771d0809c88508e4feb788d7701e6dada

SHA256
2ae4169f721beb389a661e6dbb18bc84ef38556af1f46807da9d87aec2a6f06f

SHA512
0882d2aa163ece22796f837111db0d55158098035005e57cd2e9b8d59dc2e582207840bf98bee534b81c368acf60ab5d8ecbe762209273bda067a215cdb2c0c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-S0F7L.tmp\is-2BE7G.tmp
Filesize
647KB

MD5
2fba5642cbcaa6857c3995ccb5d2ee2a

SHA1
91fe8cd860cba7551fbf78bc77cc34e34956e8cc

SHA256
ddec51f3741f3988b9cc792f6f8fc0dfa2098ef0eb84c6a2af7f8da5a72b40fa

SHA512
30613b43427d17115134798506f197c0f5f8b2b9f247668fa25b9dd4853bbd97ac1e27f4e3325dec4f6dfc0e448ebbddb2969ad1a1781aa59ebf522d436aed7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-S0F7L.tmp\is-2BE7G.tmp
Filesize
647KB

MD5
2fba5642cbcaa6857c3995ccb5d2ee2a

SHA1
91fe8cd860cba7551fbf78bc77cc34e34956e8cc

SHA256
ddec51f3741f3988b9cc792f6f8fc0dfa2098ef0eb84c6a2af7f8da5a72b40fa

SHA512
30613b43427d17115134798506f197c0f5f8b2b9f247668fa25b9dd4853bbd97ac1e27f4e3325dec4f6dfc0e448ebbddb2969ad1a1781aa59ebf522d436aed7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\kos.exe
Filesize
8KB

MD5
076ab7d1cc5150a5e9f8745cc5f5fb6c

SHA1
7b40783a27a38106e2cc91414f2bc4d8b484c578

SHA256
d1b71081d7ba414b589338329f278ba51c6ccf542d74f131f96c2337ee0a4c90

SHA512
75e274a654e88feb0d66156f387bc5e420811f4f62939396a7455d12e835d7e134b2579ab59976c591b416d1ec1acdf05e9eb290c8f01383c6a50bf43854420b

Download Submit
C:\Users\Admin\AppData\Local\Temp\kos.exe
Filesize
8KB

MD5
076ab7d1cc5150a5e9f8745cc5f5fb6c

SHA1
7b40783a27a38106e2cc91414f2bc4d8b484c578

SHA256
d1b71081d7ba414b589338329f278ba51c6ccf542d74f131f96c2337ee0a4c90

SHA512
75e274a654e88feb0d66156f387bc5e420811f4f62939396a7455d12e835d7e134b2579ab59976c591b416d1ec1acdf05e9eb290c8f01383c6a50bf43854420b

Download Submit
C:\Users\Admin\AppData\Local\Temp\kos.exe
Filesize
8KB

MD5
076ab7d1cc5150a5e9f8745cc5f5fb6c

SHA1
7b40783a27a38106e2cc91414f2bc4d8b484c578

SHA256
d1b71081d7ba414b589338329f278ba51c6ccf542d74f131f96c2337ee0a4c90

SHA512
75e274a654e88feb0d66156f387bc5e420811f4f62939396a7455d12e835d7e134b2579ab59976c591b416d1ec1acdf05e9eb290c8f01383c6a50bf43854420b

Download Submit
C:\Users\Admin\AppData\Local\Temp\kos1.exe
Filesize
1.4MB

MD5
85b698363e74ba3c08fc16297ddc284e

SHA1
171cfea4a82a7365b241f16aebdb2aad29f4f7c0

SHA256
78efcbb0c6eb6a4c76c036adc65154b8ff028849f79d508e45babfb527cb7cfe

SHA512
7e4816c43e0addba088709948e8aedc9e39d6802c74a75cfbc2a0e739b44c5b5eef2bb2453b7032c758b0bdb38e4e7a598aa29be015796361b81d7f9e8027796

Download Submit
C:\Users\Admin\AppData\Local\Temp\kos1.exe
Filesize
1.4MB

MD5
85b698363e74ba3c08fc16297ddc284e

SHA1
171cfea4a82a7365b241f16aebdb2aad29f4f7c0

SHA256
78efcbb0c6eb6a4c76c036adc65154b8ff028849f79d508e45babfb527cb7cfe

SHA512
7e4816c43e0addba088709948e8aedc9e39d6802c74a75cfbc2a0e739b44c5b5eef2bb2453b7032c758b0bdb38e4e7a598aa29be015796361b81d7f9e8027796

Download Submit
C:\Users\Admin\AppData\Local\Temp\kos1.exe
Filesize
1.4MB

MD5
85b698363e74ba3c08fc16297ddc284e

SHA1
171cfea4a82a7365b241f16aebdb2aad29f4f7c0

SHA256
78efcbb0c6eb6a4c76c036adc65154b8ff028849f79d508e45babfb527cb7cfe

SHA512
7e4816c43e0addba088709948e8aedc9e39d6802c74a75cfbc2a0e739b44c5b5eef2bb2453b7032c758b0bdb38e4e7a598aa29be015796361b81d7f9e8027796

Download Submit
C:\Users\Admin\AppData\Local\Temp\set16.exe
Filesize
1.4MB

MD5
22d5269955f256a444bd902847b04a3b

SHA1
41a83de3273270c3bd5b2bd6528bdc95766aa268

SHA256
ab16986253bd187e3134f27495ef0db4b648f769721bc8c84b708c7ba69156fd

SHA512
d85ada5d8c2c02932a79241a484b088ba70bda0497fd8ad638300935a16841d7cbc8258be93055907cb533bc534fdd48c7c91109fa22f87e65a6b374cd51055c

Download Submit
C:\Users\Admin\AppData\Local\Temp\set16.exe
Filesize
1.4MB

MD5
22d5269955f256a444bd902847b04a3b

SHA1
41a83de3273270c3bd5b2bd6528bdc95766aa268

SHA256
ab16986253bd187e3134f27495ef0db4b648f769721bc8c84b708c7ba69156fd

SHA512
d85ada5d8c2c02932a79241a484b088ba70bda0497fd8ad638300935a16841d7cbc8258be93055907cb533bc534fdd48c7c91109fa22f87e65a6b374cd51055c

Download Submit
C:\Users\Admin\AppData\Local\Temp\set16.exe
Filesize
1.4MB

MD5
22d5269955f256a444bd902847b04a3b

SHA1
41a83de3273270c3bd5b2bd6528bdc95766aa268

SHA256
ab16986253bd187e3134f27495ef0db4b648f769721bc8c84b708c7ba69156fd

SHA512
d85ada5d8c2c02932a79241a484b088ba70bda0497fd8ad638300935a16841d7cbc8258be93055907cb533bc534fdd48c7c91109fa22f87e65a6b374cd51055c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ss41.exe
Filesize
416KB

MD5
83330cf6e88ad32365183f31b1fd3bda

SHA1
1c5b47be2b8713746de64b39390636a81626d264

SHA256
7ce942cdc58ba5fa628d97f991c8a794294c2acfb724efbf0ac887c47942a31e

SHA512
e28a9c47f690b0b0f0dd3b946d9cd59c761803f3826a382208a5b92be1293067b37a39f1141ddda13247b96138a108ce2f85b83de0143d48d4acc94f69a11908

Download Submit
C:\Users\Admin\AppData\Local\Temp\ss41.exe
Filesize
416KB

MD5
83330cf6e88ad32365183f31b1fd3bda

SHA1
1c5b47be2b8713746de64b39390636a81626d264

SHA256
7ce942cdc58ba5fa628d97f991c8a794294c2acfb724efbf0ac887c47942a31e

SHA512
e28a9c47f690b0b0f0dd3b946d9cd59c761803f3826a382208a5b92be1293067b37a39f1141ddda13247b96138a108ce2f85b83de0143d48d4acc94f69a11908

Download Submit
C:\Users\Admin\AppData\Local\Temp\ss41.exe
Filesize
416KB

MD5
83330cf6e88ad32365183f31b1fd3bda

SHA1
1c5b47be2b8713746de64b39390636a81626d264

SHA256
7ce942cdc58ba5fa628d97f991c8a794294c2acfb724efbf0ac887c47942a31e

SHA512
e28a9c47f690b0b0f0dd3b946d9cd59c761803f3826a382208a5b92be1293067b37a39f1141ddda13247b96138a108ce2f85b83de0143d48d4acc94f69a11908

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
Filesize
338KB

MD5
528b5dc5ede359f683b73a684b9c19f6

SHA1
8bff4feae6dbdaafac1f9f373f15850d08e0a206

SHA256
3a53bd59537190f8dc2c1ce266eb3b6c699c96ee929e2d4f90555fea5c6441f9

SHA512
87cb867d3f47346730ee04b8b611afeac60616040a84c85b1369b739df217a528aa148a807d653d543bcb4ed25dac42ab98ad38d705331725a71ec2d6f010cbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
Filesize
338KB

MD5
528b5dc5ede359f683b73a684b9c19f6

SHA1
8bff4feae6dbdaafac1f9f373f15850d08e0a206

SHA256
3a53bd59537190f8dc2c1ce266eb3b6c699c96ee929e2d4f90555fea5c6441f9

SHA512
87cb867d3f47346730ee04b8b611afeac60616040a84c85b1369b739df217a528aa148a807d653d543bcb4ed25dac42ab98ad38d705331725a71ec2d6f010cbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
Filesize
338KB

MD5
528b5dc5ede359f683b73a684b9c19f6

SHA1
8bff4feae6dbdaafac1f9f373f15850d08e0a206

SHA256
3a53bd59537190f8dc2c1ce266eb3b6c699c96ee929e2d4f90555fea5c6441f9

SHA512
87cb867d3f47346730ee04b8b611afeac60616040a84c85b1369b739df217a528aa148a807d653d543bcb4ed25dac42ab98ad38d705331725a71ec2d6f010cbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
Filesize
338KB

MD5
528b5dc5ede359f683b73a684b9c19f6

SHA1
8bff4feae6dbdaafac1f9f373f15850d08e0a206

SHA256
3a53bd59537190f8dc2c1ce266eb3b6c699c96ee929e2d4f90555fea5c6441f9

SHA512
87cb867d3f47346730ee04b8b611afeac60616040a84c85b1369b739df217a528aa148a807d653d543bcb4ed25dac42ab98ad38d705331725a71ec2d6f010cbb

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
Filesize
89KB

MD5
e913b0d252d36f7c9b71268df4f634fb

SHA1
5ac70d8793712bcd8ede477071146bbb42d3f018

SHA256
4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da

SHA512
3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
Filesize
273B

MD5
a5b509a3fb95cc3c8d89cd39fc2a30fb

SHA1
5aff4266a9c0f2af440f28aa865cebc5ddb9cd5c

SHA256
5f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529

SHA512
3cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9

Download Submit
\??\pipe\LOCAL\crashpad_1984_RQGPHLSMHXMMRDTC
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\LOCAL\crashpad_220_UMGUKJGLHAVESKMB
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/640-486-0x0000000000400000-0x00000000005F1000-memory.dmp

Filesize
1.9MB

Download
memory/640-556-0x0000000000400000-0x00000000005F1000-memory.dmp

Filesize
1.9MB

Download
memory/640-299-0x0000000000400000-0x00000000005F1000-memory.dmp

Filesize
1.9MB

Download
memory/640-467-0x0000000000400000-0x00000000005F1000-memory.dmp

Filesize
1.9MB

Download
memory/640-518-0x0000000000400000-0x00000000005F1000-memory.dmp

Filesize
1.9MB

Download
memory/976-48-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/976-57-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/976-49-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/976-50-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/976-78-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1156-176-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1156-213-0x0000000072C90000-0x0000000073440000-memory.dmp

Filesize
7.7MB

Download
memory/1156-224-0x0000000005000000-0x0000000005010000-memory.dmp

Filesize
64KB

Download
memory/1156-188-0x0000000000F50000-0x0000000000F56000-memory.dmp

Filesize
24KB

Download
memory/1504-182-0x0000000007700000-0x0000000007710000-memory.dmp

Filesize
64KB

Download
memory/1504-112-0x0000000072C90000-0x0000000073440000-memory.dmp

Filesize
7.7MB

Download
memory/1504-174-0x00000000076E0000-0x00000000076EA000-memory.dmp

Filesize
40KB

Download
memory/1504-99-0x00000000007C0000-0x000000000081A000-memory.dmp

Filesize
360KB

Download
memory/1504-284-0x0000000072C90000-0x0000000073440000-memory.dmp

Filesize
7.7MB

Download
memory/1504-102-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1504-254-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1504-230-0x0000000008100000-0x0000000008166000-memory.dmp

Filesize
408KB

Download
memory/1636-280-0x0000000000400000-0x00000000005F1000-memory.dmp

Filesize
1.9MB

Download
memory/1636-285-0x0000000000400000-0x00000000005F1000-memory.dmp

Filesize
1.9MB

Download
memory/1636-281-0x0000000000400000-0x00000000005F1000-memory.dmp

Filesize
1.9MB

Download
memory/1656-233-0x0000000000830000-0x0000000000838000-memory.dmp

Filesize
32KB

Download
memory/1656-253-0x000000001B550000-0x000000001B560000-memory.dmp

Filesize
64KB

Download
memory/1656-269-0x00007FFFC0D10000-0x00007FFFC17D1000-memory.dmp

Filesize
10.8MB

Download
memory/1796-226-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1796-210-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2064-100-0x0000000005900000-0x000000000593C000-memory.dmp

Filesize
240KB

Download
memory/2064-80-0x0000000072C90000-0x0000000073440000-memory.dmp

Filesize
7.7MB

Download
memory/2064-98-0x00000000058D0000-0x00000000058E0000-memory.dmp

Filesize
64KB

Download
memory/2064-79-0x0000000005830000-0x0000000005836000-memory.dmp

Filesize
24KB

Download
memory/2064-105-0x0000000005980000-0x00000000059CC000-memory.dmp

Filesize
304KB

Download
memory/2064-93-0x0000000005F00000-0x0000000006518000-memory.dmp

Filesize
6.1MB

Download
memory/2064-96-0x00000000059F0000-0x0000000005AFA000-memory.dmp

Filesize
1.0MB

Download
memory/2064-191-0x00000000058D0000-0x00000000058E0000-memory.dmp

Filesize
64KB

Download
memory/2064-66-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2064-97-0x00000000058E0000-0x00000000058F2000-memory.dmp

Filesize
72KB

Download
memory/2064-171-0x0000000072C90000-0x0000000073440000-memory.dmp

Filesize
7.7MB

Download
memory/2684-144-0x00007FFFC0D10000-0x00007FFFC17D1000-memory.dmp

Filesize
10.8MB

Download
memory/2684-275-0x00007FFFC0D10000-0x00007FFFC17D1000-memory.dmp

Filesize
10.8MB

Download
memory/2684-71-0x0000000000430000-0x000000000043A000-memory.dmp

Filesize
40KB

Download
memory/2684-74-0x00007FFFC0D10000-0x00007FFFC17D1000-memory.dmp

Filesize
10.8MB

Download
memory/3052-92-0x0000000000690000-0x00000000006C0000-memory.dmp

Filesize
192KB

Download
memory/3052-279-0x0000000004EB0000-0x0000000004EC0000-memory.dmp

Filesize
64KB

Download
memory/3052-95-0x0000000002740000-0x0000000002746000-memory.dmp

Filesize
24KB

Download
memory/3052-190-0x0000000072C90000-0x0000000073440000-memory.dmp

Filesize
7.7MB

Download
memory/3052-94-0x0000000072C90000-0x0000000073440000-memory.dmp

Filesize
7.7MB

Download
memory/3052-106-0x0000000004EB0000-0x0000000004EC0000-memory.dmp

Filesize
64KB

Download
memory/3168-2-0x00000000029F0000-0x0000000002A06000-memory.dmp

Filesize
88KB

Download
memory/3168-255-0x00000000030C0000-0x00000000030D6000-memory.dmp

Filesize
88KB

Download
memory/3340-180-0x0000000002630000-0x0000000002639000-memory.dmp

Filesize
36KB

Download
memory/3340-177-0x00000000027A0000-0x00000000028A0000-memory.dmp

Filesize
1024KB

Download
memory/3452-175-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3452-257-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3452-187-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3784-248-0x0000000072C90000-0x0000000073440000-memory.dmp

Filesize
7.7MB

Download
memory/3784-169-0x0000000000F50000-0x00000000010C4000-memory.dmp

Filesize
1.5MB

Download
memory/3784-172-0x0000000072C90000-0x0000000073440000-memory.dmp

Filesize
7.7MB

Download
memory/3896-256-0x0000000000540000-0x0000000000541000-memory.dmp

Filesize
4KB

Download
memory/3896-377-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/3920-326-0x0000000000400000-0x000000000298D000-memory.dmp

Filesize
37.6MB

Download
memory/3920-471-0x0000000000400000-0x000000000298D000-memory.dmp

Filesize
37.6MB

Download
memory/3920-252-0x0000000000400000-0x000000000298D000-memory.dmp

Filesize
37.6MB

Download
memory/3920-192-0x00000000046D0000-0x0000000004AD0000-memory.dmp

Filesize
4.0MB

Download
memory/3920-507-0x0000000000400000-0x000000000298D000-memory.dmp

Filesize
37.6MB

Download
memory/3920-520-0x0000000000400000-0x000000000298D000-memory.dmp

Filesize
37.6MB

Download
memory/3920-434-0x0000000000400000-0x000000000298D000-memory.dmp

Filesize
37.6MB

Download
memory/3920-194-0x0000000004AD0000-0x00000000053BB000-memory.dmp

Filesize
8.9MB

Download
memory/4016-437-0x00007FF7A2230000-0x00007FF7A2760000-memory.dmp

Filesize
5.2MB

Download
memory/4016-362-0x00007FF7A2230000-0x00007FF7A2760000-memory.dmp

Filesize
5.2MB

Download
memory/4344-193-0x0000000000910000-0x0000000000A6D000-memory.dmp

Filesize
1.4MB

Download
memory/4344-189-0x0000000000910000-0x0000000000A6D000-memory.dmp

Filesize
1.4MB

Download
memory/4344-124-0x0000000000910000-0x0000000000A6D000-memory.dmp

Filesize
1.4MB

Download
memory/4392-482-0x00007FF7DA030000-0x00007FF7DA560000-memory.dmp

Filesize
5.2MB

Download
memory/4392-473-0x00007FF7DA030000-0x00007FF7DA560000-memory.dmp

Filesize
5.2MB

Download
memory/4400-331-0x0000000003A10000-0x0000000003B81000-memory.dmp

Filesize
1.4MB

Download
memory/4400-333-0x0000000003B90000-0x0000000003CC1000-memory.dmp

Filesize
1.2MB

Download
memory/4400-162-0x00007FF692800000-0x00007FF69286A000-memory.dmp

Filesize
424KB

Download
memory/4692-117-0x0000000072C90000-0x0000000073440000-memory.dmp

Filesize
7.7MB

Download
memory/4692-118-0x00000000007B0000-0x000000000080A000-memory.dmp

Filesize
360KB

Download
memory/4692-185-0x00000000077E0000-0x00000000077F0000-memory.dmp

Filesize
64KB

Download
memory/4692-297-0x0000000072C90000-0x0000000073440000-memory.dmp

Filesize
7.7MB

Download
memory/4692-152-0x0000000007610000-0x00000000076A2000-memory.dmp

Filesize
584KB

Download
memory/4692-313-0x0000000009AC0000-0x0000000009B36000-memory.dmp

Filesize
472KB

Download
memory/4692-141-0x0000000007B20000-0x00000000080C4000-memory.dmp

Filesize
5.6MB

Download
memory/4692-312-0x00000000099F0000-0x0000000009A40000-memory.dmp

Filesize
320KB

Download
memory/4856-54-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4856-59-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4856-56-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/5092-0-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/5092-5-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/5092-1-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/5680-519-0x00007FF7EABE0000-0x00007FF7EB420000-memory.dmp

Filesize
8.2MB

Download
memory/5680-481-0x0000000000B00000-0x0000000000B20000-memory.dmp

Filesize
128KB

Download
memory/5680-557-0x00007FF7EABE0000-0x00007FF7EB420000-memory.dmp

Filesize
8.2MB

Download