amadey | f85208dafa53821b234f115339f4c2dfd60a59bf51e3b60753e8790df688e19e

Resubmissions

30-01-2024 18:55

240130-xk9t8aahc9 10

30-01-2024 18:49

240130-xgtzlacbek 10

30-01-2024 17:26

240130-vzvbzabegr 10

Analysis

max time kernel
94s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30-01-2024 17:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fe5aa71a9083e8e8afe13394c10f01df.exe
Size

790KB
MD5

fe5aa71a9083e8e8afe13394c10f01df
SHA1

62111b0428acfc13dd5f8d6b23c14c56f7c20e06
SHA256

f85208dafa53821b234f115339f4c2dfd60a59bf51e3b60753e8790df688e19e
SHA512

6de7fef22f295e8d4548c4c60da98f129e8ad4e0d761dc5ba15c74fb18f8ffe9e5f3b9487a26917dc9e8d81d78a2bc17722781adb7b81e20ed1f0c1ee3de6617
SSDEEP

12288:QcjlmwpPa5yDBonlo7YNQGGnBaWn1sPDqWOF4GoBMePb0lvznThMlDWH2h:QomwpPa55nmwQjBaWn1CqAXBMDHhMt

Malware Config

Extracted

Family

amadey

Version

4.15

http://185.215.113.68

Attributes

install_dir
d887ceb89d
install_file
explorhe.exe
strings_key
7cadc181267fafff9df8503e730d60e1
url_paths
/theme/index.php

rc4.plain

Extracted

Family

risepro

193.233.132.62:50500

65.109.90.47:50500

Extracted

Family

redline

Botnet

@RLREBORN Cloud (TG: @FATHEROFCARDERS)

141.95.211.148:46011

Extracted

Family

redline

Botnet

LiveTraffic

20.79.30.95:33223

Extracted

Family

redline

Botnet

@PixelsCloud

94.156.67.230:13781

Extracted

Family

redline

Botnet

2024

195.20.16.103:20440

Extracted

Family

amadey

Version

4.17

http://5.42.64.4

Attributes

install_dir
9957a16fd4
install_file
Dctooux.exe
strings_key
49e9744e07f068c648f8ab3dc20aea53
url_paths
/jPdsj3d4M/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect ZGRat V1 5 IoCs

Processes:

resource	yara_rule
behavioral2/memory/744-96-0x0000000000400000-0x000000000045A000-memory.dmp	family_zgrat_v1
C:\Users\Admin\AppData\Local\Temp\1000758001\fsdfsfsfs.exe	family_zgrat_v1
C:\Users\Admin\AppData\Local\Temp\1000758001\fsdfsfsfs.exe	family_zgrat_v1
behavioral2/memory/3904-216-0x00000000009F0000-0x0000000000A72000-memory.dmp	family_zgrat_v1
C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe	family_zgrat_v1

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4964-605-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 10 IoCs

Processes:

resource	yara_rule
behavioral2/memory/744-96-0x0000000000400000-0x000000000045A000-memory.dmp	family_redline
behavioral2/memory/4440-181-0x0000000000400000-0x0000000000452000-memory.dmp	family_redline
behavioral2/memory/1084-250-0x0000000000400000-0x0000000000454000-memory.dmp	family_redline
C:\Users\Admin\AppData\Local\Temp\1000759001\sadsadsadsa.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\1000759001\sadsadsadsa.exe	family_redline
behavioral2/memory/3064-257-0x0000000000A20000-0x0000000000A74000-memory.dmp	family_redline
C:\Users\Admin\AppData\Local\Temp\1000772001\2024.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\1000772001\2024.exe	family_redline
C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe	family_redline
C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe	family_redline

RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

lada.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ lada.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	lada.exe

XMRig Miner payload 8 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/4452-573-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/4452-574-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/4452-576-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/4452-577-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/4452-578-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/4452-579-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/4452-580-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/4452-649-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig

Blocklisted process makes network request 2 IoCs

Processes:

rundll32.exeschtasks.exe

flow pid process

61 3704 rundll32.exe
90 4452 schtasks.exe
Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003
Downloads MZ/PE file
Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

2212 netsh.exe
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

flow	pid	process
61	3704	rundll32.exe
90	4452	schtasks.exe

pid	process
2212	netsh.exe

.NET Reactor proctector 8 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

Processes:

resource	yara_rule
behavioral2/memory/4000-170-0x0000000002520000-0x0000000002582000-memory.dmp	net_reactor
behavioral2/memory/4000-172-0x0000000004A10000-0x0000000004A70000-memory.dmp	net_reactor
behavioral2/memory/1648-648-0x0000000005760000-0x0000000005905000-memory.dmp	net_reactor
behavioral2/memory/1648-667-0x0000000005760000-0x0000000005905000-memory.dmp	net_reactor
behavioral2/memory/1648-675-0x0000000005760000-0x0000000005905000-memory.dmp	net_reactor
behavioral2/memory/1648-680-0x0000000005760000-0x0000000005905000-memory.dmp	net_reactor
behavioral2/memory/1648-684-0x0000000005760000-0x0000000005905000-memory.dmp	net_reactor
behavioral2/memory/1648-653-0x0000000005760000-0x0000000005905000-memory.dmp	net_reactor

Checks BIOS information in registry 2 TTPs 16 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

31839b57a4f11171d6abc8bbc4451ee4.exelada.exemoto.exeiojmibhyhiws.exeiojmibhyhiws.exeiojmibhyhiws.exeiojmibhyhiws.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	31839b57a4f11171d6abc8bbc4451ee4.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	lada.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	moto.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	iojmibhyhiws.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	iojmibhyhiws.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	31839b57a4f11171d6abc8bbc4451ee4.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	lada.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	iojmibhyhiws.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	iojmibhyhiws.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	iojmibhyhiws.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	moto.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	iojmibhyhiws.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	iojmibhyhiws.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	iojmibhyhiws.exe

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

explorhe.exeworkforroc.exeRegAsm.exeDctooux.exeLogs.exefe5aa71a9083e8e8afe13394c10f01df.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	explorhe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	workforroc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	Dctooux.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	Logs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	fe5aa71a9083e8e8afe13394c10f01df.exe

Executes dropped EXE 44 IoCs

Processes:

explorhe.exeplata.exelada.execrypted.exe1233213123213.exe1234pixxxx.exeConhost.exefsdfsfsfs.exesadsadsadsa.exesc.exeqemu-ga.exeleg221.exe55555.exeworkforroc.exeInstallSetup9.exetoolspub1.exeBroomSetup.exe31839b57a4f11171d6abc8bbc4451ee4.exerty25.exeredline1234.exe2024.exensqD3EC.tmpmrk1234.exeWerFault.exemoto.exealex.exeiojmibhyhiws.exeWerFault.execmd.exeolehps.exeLogs.exeiojmibhyhiws.exeDctooux.exeInstallSetup9.exeexplorhe.exeiojmibhyhiws.exetoolspub1.exeqemu-ga.exerty25.exe31839b57a4f11171d6abc8bbc4451ee4.exeiojmibhyhiws.execsrss.exe

pid	process
2784	explorhe.exe
548	plata.exe
4372	lada.exe
1692	crypted.exe
3424	1233213123213.exe
4556	1234pixxxx.exe
4000	Conhost.exe
3904	fsdfsfsfs.exe
3064	sadsadsadsa.exe
1708	sc.exe
1540	qemu-ga.exe
1056	leg221.exe
3404	55555.exe
1592	workforroc.exe
3896	InstallSetup9.exe
5000	toolspub1.exe
1472	BroomSetup.exe
4964	31839b57a4f11171d6abc8bbc4451ee4.exe
2760	rty25.exe
3240	redline1234.exe
4516	2024.exe
4624	nsqD3EC.tmp
2956	mrk1234.exe
2752	WerFault.exe
4436	moto.exe
1648	alex.exe
3396	iojmibhyhiws.exe
2288	WerFault.exe
3716	cmd.exe
1524	olehps.exe
1016	Logs.exe
4564	iojmibhyhiws.exe
1052	Dctooux.exe
4128	InstallSetup9.exe
2036	explorhe.exe
4224	iojmibhyhiws.exe
2924	toolspub1.exe
4868	qemu-ga.exe
4544
5088	rty25.exe
1228	31839b57a4f11171d6abc8bbc4451ee4.exe
1228	31839b57a4f11171d6abc8bbc4451ee4.exe
4784	iojmibhyhiws.exe
2972	csrss.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

lada.exe

description ioc process

Key opened \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Software\Wine lada.exe
Loads dropped DLL 5 IoCs

Processes:

rundll32.exeInstallSetup9.exensqD3EC.tmp

pid process

3704 rundll32.exe
3896 InstallSetup9.exe
3896 InstallSetup9.exe
4624 nsqD3EC.tmp
4624 nsqD3EC.tmp
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Software\Wine	lada.exe

pid	process
3704	rundll32.exe
3896	InstallSetup9.exe
3896	InstallSetup9.exe
4624	nsqD3EC.tmp
4624	nsqD3EC.tmp

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4452-566-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/4452-570-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/4452-567-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/4452-571-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/4452-572-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/4452-573-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/4452-574-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/4452-576-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/4452-577-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/4452-578-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/4452-579-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/4452-580-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/4452-649-0x0000000140000000-0x0000000140848000-memory.dmp	upx

Accesses Microsoft Outlook profiles 1 TTPs 5 IoCs

collection

Email Collection

T1114

Processes:

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Key opened	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Key opened	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Key opened	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Office\12.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Key opened	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorhe.exe31839b57a4f11171d6abc8bbc4451ee4.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lada.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000735001\\lada.exe"	explorhe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\plata.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000674001\\plata.exe"	explorhe.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

23 api.ipify.org
24 api.ipify.org

flow	ioc
23	api.ipify.org
24	api.ipify.org

Drops file in System32 directory 5 IoCs

Processes:

WerFault.exepowershell.exepowershell.exepowershell.exe

description	ioc	process
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	WerFault.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	WerFault.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 19 IoCs

Processes:

explorhe.exelada.exeplata.exe

pid	process
2784	explorhe.exe
4372	lada.exe
548	plata.exe
2784	explorhe.exe
548	plata.exe
2784	explorhe.exe
548	plata.exe
2784	explorhe.exe
548	plata.exe
2784	explorhe.exe
548	plata.exe
2784	explorhe.exe
548	plata.exe
2784	explorhe.exe
548	plata.exe
2784	explorhe.exe
548	plata.exe
2784	explorhe.exe
548	plata.exe

Suspicious use of SetThreadContext 15 IoCs

Processes:

crypted.exeConhost.exefsdfsfsfs.exesc.exemrk1234.exeWerFault.exeiojmibhyhiws.exeWerFault.exealex.exeiojmibhyhiws.exeiojmibhyhiws.exe31839b57a4f11171d6abc8bbc4451ee4.exeiojmibhyhiws.exe

description	pid	process	target process
PID 1692 set thread context of 744	1692	crypted.exe	WerFault.exe
PID 4000 set thread context of 4440	4000	Conhost.exe	conhost.exe
PID 3904 set thread context of 1084	3904	fsdfsfsfs.exe	sc.exe
PID 1708 set thread context of 1900	1708	sc.exe	RegAsm.exe
PID 2956 set thread context of 2580	2956	mrk1234.exe	RegAsm.exe
PID 2752 set thread context of 4452	2752	WerFault.exe	schtasks.exe
PID 3396 set thread context of 4440	3396	iojmibhyhiws.exe	conhost.exe
PID 3396 set thread context of 4828	3396	iojmibhyhiws.exe	Conhost.exe
PID 2288 set thread context of 2172	2288	WerFault.exe	WerFault.exe
PID 1648 set thread context of 4112	1648	alex.exe	RegAsm.exe
PID 4564 set thread context of 4376	4564	iojmibhyhiws.exe	conhost.exe
PID 4224 set thread context of 3352	4224	iojmibhyhiws.exe	conhost.exe
PID 4544 set thread context of 1980	4544		conhost.exe
PID 1228 set thread context of 2192	1228	31839b57a4f11171d6abc8bbc4451ee4.exe	conhost.exe
PID 4784 set thread context of 4476	4784	iojmibhyhiws.exe	conhost.exe

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery
T1082

Processes:

31839b57a4f11171d6abc8bbc4451ee4.exe

description ioc process

File opened (read-only) \??\VBoxMiniRdrDN 31839b57a4f11171d6abc8bbc4451ee4.exe

description	ioc	process
File opened (read-only)	\??\VBoxMiniRdrDN	31839b57a4f11171d6abc8bbc4451ee4.exe

Drops file in Windows directory 3 IoCs

Processes:

cmd.exe31839b57a4f11171d6abc8bbc4451ee4.exe

description	ioc	process
File created	C:\Windows\Tasks\Dctooux.job	cmd.exe
File opened for modification	C:\Windows\rss	31839b57a4f11171d6abc8bbc4451ee4.exe
File created	C:\Windows\rss\csrss.exe	31839b57a4f11171d6abc8bbc4451ee4.exe

Launches sc.exe 9 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

3100 sc.exe
4436 sc.exe
496 sc.exe
2148 sc.exe
1180 sc.exe
1232 sc.exe
1084 sc.exe
1708 sc.exe
432 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
3100	sc.exe
4436	sc.exe
496	sc.exe
2148	sc.exe
1180	sc.exe
1232	sc.exe
1084	sc.exe
1708	sc.exe
432	sc.exe

Program crash 50 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
1708	3404	WerFault.exe	55555.exe
1044	5000	WerFault.exe	toolspub1.exe
3508	4964	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
4416	3404	WerFault.exe	55555.exe
2384	4964	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
1784	4964	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
1404	4964	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
4296	4964	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
3508	4964	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
2292	4964	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
2084	4964	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
3608	2580	WerFault.exe	RegAsm.exe
2104	2580	WerFault.exe	RegAsm.exe
4312	4964	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
4544	4964	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
3020	4964	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
808	4964	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
4980	4964	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
3920	4964	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
2264	4964	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
1524	4964	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
2724	4964	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
3012	4964	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
2444	4964	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
3344	2924	WerFault.exe	toolspub1.exe
4248	1228	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
4872	1228	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
2100	1228	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
3584	1228	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
3100	1228	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
1180	1228	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
2292	1228	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
4032	1228	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
3508	1228	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
2968	2972	WerFault.exe	csrss.exe
4308	2972	WerFault.exe	csrss.exe
3888	2972	WerFault.exe	csrss.exe
1964	2972	WerFault.exe	csrss.exe
4444	2972	WerFault.exe	csrss.exe
1012	2972	WerFault.exe	csrss.exe
2928	2972	WerFault.exe	csrss.exe
3460	2972	WerFault.exe	csrss.exe
4024	2972	WerFault.exe	csrss.exe
4468	2972	WerFault.exe	csrss.exe
2292	2972	WerFault.exe	csrss.exe
868	2972	WerFault.exe	csrss.exe
4772	2972	WerFault.exe	csrss.exe
3508	2972	WerFault.exe	csrss.exe
4840	2972	WerFault.exe	csrss.exe
4092	4624	WerFault.exe	nsqD3EC.tmp

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

toolspub1.exetoolspub1.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub1.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub1.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub1.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub1.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub1.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

nsqD3EC.tmp

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	nsqD3EC.tmp
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	nsqD3EC.tmp

Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

4696 schtasks.exe
2476 schtasks.exe
1196 schtasks.exe
4428 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

4844 timeout.exe

pid	process
4696	schtasks.exe
2476	schtasks.exe
1196	schtasks.exe
4428	schtasks.exe

pid	process
4844	timeout.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

31839b57a4f11171d6abc8bbc4451ee4.exepowershell.exepowershell.exepowershell.exesc.exeWerFault.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-362 = "GTB Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-381 = "South Africa Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-112 = "Eastern Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	sc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1932 = "Russia TZ 11 Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	WerFault.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	sc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-981 = "Kamchatka Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-301 = "Romance Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	sc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-222 = "Alaskan Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-341 = "Egypt Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	sc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2001 = "Cabo Verde Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2792 = "Novosibirsk Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2631 = "Norfolk Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1831 = "Russia TZ 2 Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2842 = "Saratov Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-361 = "GTB Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	sc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	sc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-591 = "Malay Peninsula Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-932 = "Coordinated Universal Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	WerFault.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	sc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-721 = "Central Pacific Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-351 = "FLE Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2411 = "Marquesas Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	WerFault.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	WerFault.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	WerFault.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	sc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-442 = "Arabian Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-3052 = "Qyzylorda Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	WerFault.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	sc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

lada.exe1233213123213.exeWerFault.exeRegAsm.exeleg221.exesc.exetoolspub1.exeredline1234.execonhost.exeWerFault.exe2024.exemoto.exeiojmibhyhiws.exeConhost.exeiojmibhyhiws.exeLogs.exeiojmibhyhiws.exeWerFault.exepowershell.exetoolspub1.exensqD3EC.tmp

pid	process
4372	lada.exe
4372	lada.exe
3424	1233213123213.exe
744	WerFault.exe
3380
3380
1900	RegAsm.exe
1900	RegAsm.exe
1056	leg221.exe
1056	leg221.exe
1084	sc.exe
1084	sc.exe
1084	sc.exe
1084	sc.exe
5000	toolspub1.exe
5000	toolspub1.exe
3240	redline1234.exe
1084	sc.exe
1084	sc.exe
4440	conhost.exe
4440	conhost.exe
4440	conhost.exe
4440	conhost.exe
3240	redline1234.exe
4440	conhost.exe
4440	conhost.exe
3240	redline1234.exe
3240	redline1234.exe
4440	conhost.exe
2752	WerFault.exe
4516	2024.exe
4516	2024.exe
4436	moto.exe
4436	moto.exe
4436	moto.exe
4436	moto.exe
4436	moto.exe
3396	iojmibhyhiws.exe
3396	iojmibhyhiws.exe
4828	Conhost.exe
4828	Conhost.exe
4828	Conhost.exe
4828	Conhost.exe
4516	2024.exe
4440	conhost.exe
4564	iojmibhyhiws.exe
4516	2024.exe
4516	2024.exe
4516	2024.exe
4516	2024.exe
1016	Logs.exe
1016	Logs.exe
4440	conhost.exe
4224	iojmibhyhiws.exe
2172	WerFault.exe
2172	WerFault.exe
4628	powershell.exe
4628	powershell.exe
2924	toolspub1.exe
2924	toolspub1.exe
4440	conhost.exe
4628	powershell.exe
4544
4624	nsqD3EC.tmp

Suspicious behavior: LoadsDriver 7 IoCs

Processes:

pid process

668
668
668
668
668
668
668
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

1233213123213.exe

pid process

3424 1233213123213.exe

pid	process
668
668
668
668
668
668
668

pid	process
3424	1233213123213.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WerFault.exeRegAsm.exeleg221.exe

description	pid	process
Token: SeDebugPrivilege	744	WerFault.exe
Token: SeShutdownPrivilege	3380
Token: SeCreatePagefilePrivilege	3380
Token: SeShutdownPrivilege	3380
Token: SeCreatePagefilePrivilege	3380
Token: SeShutdownPrivilege	3380
Token: SeCreatePagefilePrivilege	3380
Token: SeShutdownPrivilege	3380
Token: SeCreatePagefilePrivilege	3380
Token: SeShutdownPrivilege	3380
Token: SeCreatePagefilePrivilege	3380
Token: SeShutdownPrivilege	3380
Token: SeCreatePagefilePrivilege	3380
Token: SeShutdownPrivilege	3380
Token: SeCreatePagefilePrivilege	3380
Token: SeShutdownPrivilege	3380
Token: SeCreatePagefilePrivilege	3380
Token: SeShutdownPrivilege	3380
Token: SeCreatePagefilePrivilege	3380
Token: SeShutdownPrivilege	3380
Token: SeCreatePagefilePrivilege	3380
Token: SeShutdownPrivilege	3380
Token: SeCreatePagefilePrivilege	3380
Token: SeShutdownPrivilege	3380
Token: SeCreatePagefilePrivilege	3380
Token: SeShutdownPrivilege	3380
Token: SeCreatePagefilePrivilege	3380
Token: SeShutdownPrivilege	3380
Token: SeCreatePagefilePrivilege	3380
Token: SeShutdownPrivilege	3380
Token: SeCreatePagefilePrivilege	3380
Token: SeShutdownPrivilege	3380
Token: SeCreatePagefilePrivilege	3380
Token: SeShutdownPrivilege	3380
Token: SeCreatePagefilePrivilege	3380
Token: SeDebugPrivilege	1900	RegAsm.exe
Token: SeDebugPrivilege	1056	leg221.exe
Token: SeShutdownPrivilege	3380
Token: SeCreatePagefilePrivilege	3380
Token: SeShutdownPrivilege	3380
Token: SeCreatePagefilePrivilege	3380
Token: SeShutdownPrivilege	3380
Token: SeCreatePagefilePrivilege	3380
Token: SeShutdownPrivilege	3380
Token: SeCreatePagefilePrivilege	3380
Token: SeShutdownPrivilege	3380
Token: SeCreatePagefilePrivilege	3380
Token: SeShutdownPrivilege	3380
Token: SeCreatePagefilePrivilege	3380
Token: SeShutdownPrivilege	3380
Token: SeCreatePagefilePrivilege	3380
Token: SeShutdownPrivilege	3380
Token: SeCreatePagefilePrivilege	3380
Token: SeShutdownPrivilege	3380
Token: SeCreatePagefilePrivilege	3380
Token: SeShutdownPrivilege	3380
Token: SeCreatePagefilePrivilege	3380
Token: SeShutdownPrivilege	3380
Token: SeCreatePagefilePrivilege	3380
Token: SeShutdownPrivilege	3380
Token: SeCreatePagefilePrivilege	3380
Token: SeShutdownPrivilege	3380
Token: SeCreatePagefilePrivilege	3380
Token: SeShutdownPrivilege	3380

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

fe5aa71a9083e8e8afe13394c10f01df.execmd.exe

pid process

3916 fe5aa71a9083e8e8afe13394c10f01df.exe
3716 cmd.exe
Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

fe5aa71a9083e8e8afe13394c10f01df.exeexplorhe.exeplata.exeBroomSetup.exeexplorhe.exe

pid process

3916 fe5aa71a9083e8e8afe13394c10f01df.exe
2784 explorhe.exe
548 plata.exe
1472 BroomSetup.exe
2036 explorhe.exe

pid	process
3916	fe5aa71a9083e8e8afe13394c10f01df.exe
3716	cmd.exe

pid	process
3916	fe5aa71a9083e8e8afe13394c10f01df.exe
2784	explorhe.exe
548	plata.exe
1472	BroomSetup.exe
2036	explorhe.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

fe5aa71a9083e8e8afe13394c10f01df.exeexplorhe.execrypted.exeConhost.exefsdfsfsfs.exeWerFault.exesc.exe

description	pid	process	target process
PID 3916 wrote to memory of 2784	3916	fe5aa71a9083e8e8afe13394c10f01df.exe	explorhe.exe
PID 3916 wrote to memory of 2784	3916	fe5aa71a9083e8e8afe13394c10f01df.exe	explorhe.exe
PID 3916 wrote to memory of 2784	3916	fe5aa71a9083e8e8afe13394c10f01df.exe	explorhe.exe
PID 2784 wrote to memory of 4428	2784	explorhe.exe	schtasks.exe
PID 2784 wrote to memory of 4428	2784	explorhe.exe	schtasks.exe
PID 2784 wrote to memory of 4428	2784	explorhe.exe	schtasks.exe
PID 2784 wrote to memory of 548	2784	explorhe.exe	plata.exe
PID 2784 wrote to memory of 548	2784	explorhe.exe	plata.exe
PID 2784 wrote to memory of 548	2784	explorhe.exe	plata.exe
PID 2784 wrote to memory of 4372	2784	explorhe.exe	lada.exe
PID 2784 wrote to memory of 4372	2784	explorhe.exe	lada.exe
PID 2784 wrote to memory of 4372	2784	explorhe.exe	lada.exe
PID 2784 wrote to memory of 1692	2784	explorhe.exe	crypted.exe
PID 2784 wrote to memory of 1692	2784	explorhe.exe	crypted.exe
PID 2784 wrote to memory of 1692	2784	explorhe.exe	crypted.exe
PID 1692 wrote to memory of 744	1692	crypted.exe	WerFault.exe
PID 1692 wrote to memory of 744	1692	crypted.exe	WerFault.exe
PID 1692 wrote to memory of 744	1692	crypted.exe	WerFault.exe
PID 1692 wrote to memory of 744	1692	crypted.exe	WerFault.exe
PID 1692 wrote to memory of 744	1692	crypted.exe	WerFault.exe
PID 1692 wrote to memory of 744	1692	crypted.exe	WerFault.exe
PID 1692 wrote to memory of 744	1692	crypted.exe	WerFault.exe
PID 1692 wrote to memory of 744	1692	crypted.exe	WerFault.exe
PID 2784 wrote to memory of 3424	2784	explorhe.exe	1233213123213.exe
PID 2784 wrote to memory of 3424	2784	explorhe.exe	1233213123213.exe
PID 2784 wrote to memory of 4556	2784	explorhe.exe	1234pixxxx.exe
PID 2784 wrote to memory of 4556	2784	explorhe.exe	1234pixxxx.exe
PID 2784 wrote to memory of 4556	2784	explorhe.exe	1234pixxxx.exe
PID 2784 wrote to memory of 4000	2784	explorhe.exe	Conhost.exe
PID 2784 wrote to memory of 4000	2784	explorhe.exe	Conhost.exe
PID 2784 wrote to memory of 4000	2784	explorhe.exe	Conhost.exe
PID 4000 wrote to memory of 4440	4000	Conhost.exe	conhost.exe
PID 4000 wrote to memory of 4440	4000	Conhost.exe	conhost.exe
PID 4000 wrote to memory of 4440	4000	Conhost.exe	conhost.exe
PID 4000 wrote to memory of 4440	4000	Conhost.exe	conhost.exe
PID 4000 wrote to memory of 4440	4000	Conhost.exe	conhost.exe
PID 4000 wrote to memory of 4440	4000	Conhost.exe	conhost.exe
PID 4000 wrote to memory of 4440	4000	Conhost.exe	conhost.exe
PID 4000 wrote to memory of 4440	4000	Conhost.exe	conhost.exe
PID 2784 wrote to memory of 3904	2784	explorhe.exe	fsdfsfsfs.exe
PID 2784 wrote to memory of 3904	2784	explorhe.exe	fsdfsfsfs.exe
PID 2784 wrote to memory of 3904	2784	explorhe.exe	fsdfsfsfs.exe
PID 3904 wrote to memory of 1084	3904	fsdfsfsfs.exe	sc.exe
PID 3904 wrote to memory of 1084	3904	fsdfsfsfs.exe	sc.exe
PID 3904 wrote to memory of 1084	3904	fsdfsfsfs.exe	sc.exe
PID 2784 wrote to memory of 3064	2784	explorhe.exe	sadsadsadsa.exe
PID 2784 wrote to memory of 3064	2784	explorhe.exe	sadsadsadsa.exe
PID 2784 wrote to memory of 3064	2784	explorhe.exe	sadsadsadsa.exe
PID 3904 wrote to memory of 1084	3904	fsdfsfsfs.exe	sc.exe
PID 3904 wrote to memory of 1084	3904	fsdfsfsfs.exe	sc.exe
PID 3904 wrote to memory of 1084	3904	fsdfsfsfs.exe	sc.exe
PID 3904 wrote to memory of 1084	3904	fsdfsfsfs.exe	sc.exe
PID 3904 wrote to memory of 1084	3904	fsdfsfsfs.exe	sc.exe
PID 2784 wrote to memory of 1708	2784	explorhe.exe	sc.exe
PID 2784 wrote to memory of 1708	2784	explorhe.exe	sc.exe
PID 2784 wrote to memory of 1708	2784	explorhe.exe	sc.exe
PID 744 wrote to memory of 1540	744	WerFault.exe	qemu-ga.exe
PID 744 wrote to memory of 1540	744	WerFault.exe	qemu-ga.exe
PID 1708 wrote to memory of 1900	1708	sc.exe	RegAsm.exe
PID 1708 wrote to memory of 1900	1708	sc.exe	RegAsm.exe
PID 1708 wrote to memory of 1900	1708	sc.exe	RegAsm.exe
PID 1708 wrote to memory of 1900	1708	sc.exe	RegAsm.exe
PID 1708 wrote to memory of 1900	1708	sc.exe	RegAsm.exe
PID 1708 wrote to memory of 1900	1708	sc.exe	RegAsm.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

outlook_office_path 1 IoCs

Processes:

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

outlook_win_path 1 IoCs

Processes:

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

C:\Users\Admin\AppData\Local\Temp\fe5aa71a9083e8e8afe13394c10f01df.exe
"C:\Users\Admin\AppData\Local\Temp\fe5aa71a9083e8e8afe13394c10f01df.exe"
1⤵
- Checks computer location settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3916

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
"C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2784

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explorhe.exe /TR "C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe" /F
3⤵
- Creates scheduled task(s)
PID:4428

C:\Users\Admin\AppData\Local\Temp\1000674001\plata.exe
"C:\Users\Admin\AppData\Local\Temp\1000674001\plata.exe"
3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:548

C:\Users\Admin\AppData\Local\Temp\1000735001\lada.exe
"C:\Users\Admin\AppData\Local\Temp\1000735001\lada.exe"
3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4372

C:\Users\Admin\AppData\Local\Temp\1000751001\crypted.exe
"C:\Users\Admin\AppData\Local\Temp\1000751001\crypted.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1692

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
PID:744

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe
"C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe"
5⤵
- Executes dropped EXE
PID:1540

C:\Users\Admin\AppData\Local\Temp\1000752001\1233213123213.exe
"C:\Users\Admin\AppData\Local\Temp\1000752001\1233213123213.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3424

C:\Users\Admin\AppData\Local\Temp\1000755001\1234pixxxx.exe
"C:\Users\Admin\AppData\Local\Temp\1000755001\1234pixxxx.exe"
3⤵
- Executes dropped EXE
PID:4556

C:\Users\Admin\AppData\Local\Temp\1000756001\rdxx1.exe
"C:\Users\Admin\AppData\Local\Temp\1000756001\rdxx1.exe"
3⤵
PID:4000

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
PID:4440

C:\Users\Admin\AppData\Local\Temp\1000758001\fsdfsfsfs.exe
"C:\Users\Admin\AppData\Local\Temp\1000758001\fsdfsfsfs.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3904

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
PID:1084

C:\Users\Admin\AppData\Local\Temp\1000759001\sadsadsadsa.exe
"C:\Users\Admin\AppData\Local\Temp\1000759001\sadsadsadsa.exe"
3⤵
- Executes dropped EXE
PID:3064

C:\Users\Admin\AppData\Local\Temp\1000761001\crypted.exe
"C:\Users\Admin\AppData\Local\Temp\1000761001\crypted.exe"
3⤵
PID:1708

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1900

C:\Users\Admin\AppData\Local\Temp\1000762001\leg221.exe
"C:\Users\Admin\AppData\Local\Temp\1000762001\leg221.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1056

C:\Users\Admin\AppData\Local\Temp\1000763001\55555.exe
"C:\Users\Admin\AppData\Local\Temp\1000763001\55555.exe"
3⤵
- Executes dropped EXE
PID:3404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3404 -s 1072
4⤵
- Program crash
PID:1708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3404 -s 1120
4⤵
- Program crash
PID:4416

C:\Users\Admin\AppData\Local\Temp\1000765001\workforroc.exe
"C:\Users\Admin\AppData\Local\Temp\1000765001\workforroc.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
PID:1592

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
"C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3896

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1472

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
6⤵
PID:2672

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4000

C:\Windows\SysWOW64\chcp.com
chcp 1251
7⤵
PID:4312

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
7⤵
- Creates scheduled task(s)
PID:4696

C:\Users\Admin\AppData\Local\Temp\nsqD3EC.tmp
C:\Users\Admin\AppData\Local\Temp\nsqD3EC.tmp
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:4624

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\nsqD3EC.tmp" & del "C:\ProgramData\*.dll"" & exit
6⤵
PID:4200

C:\Windows\SysWOW64\timeout.exe
timeout /t 5
7⤵
- Delays execution with timeout.exe
PID:4844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4624 -s 2364
6⤵
- Program crash
PID:4092

C:\Users\Admin\AppData\Local\Temp\toolspub1.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub1.exe"
4⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
PID:5000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5000 -s 348
5⤵
- Program crash
PID:1044

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
4⤵
- Executes dropped EXE
PID:4964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4964 -s 372
5⤵
- Program crash
PID:3508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4964 -s 396
5⤵
- Program crash
PID:2384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4964 -s 408
5⤵
- Program crash
PID:1784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4964 -s 680
5⤵
- Program crash
PID:1404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4964 -s 680
5⤵
- Program crash
PID:4296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4964 -s 680
5⤵
- Program crash
PID:3508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4964 -s 752
5⤵
- Program crash
PID:2292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4964 -s 760
5⤵
- Program crash
PID:2084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4964 -s 772
5⤵
- Program crash
PID:4312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4964 -s 900
5⤵
- Program crash
PID:4544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4964 -s 876
5⤵
- Program crash
PID:3020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4964 -s 796
5⤵
- Program crash
PID:808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4964 -s 916
5⤵
- Program crash
PID:4980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4964 -s 716
5⤵
- Program crash
PID:3920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4964 -s 820
5⤵
- Program crash
PID:2264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4964 -s 936
5⤵
- Program crash
PID:1524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4964 -s 764
5⤵
- Program crash
PID:2724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4964 -s 924
5⤵
- Program crash
PID:3012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4964 -s 660
5⤵
- Program crash
PID:2444

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:4628

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
5⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:1228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1228 -s 340
6⤵
- Program crash
PID:4248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1228 -s 356
6⤵
- Program crash
PID:4872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1228 -s 368
6⤵
- Program crash
PID:2100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1228 -s 652
6⤵
- Program crash
PID:3584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1228 -s 696
6⤵
- Program crash
PID:3100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1228 -s 696
6⤵
- Program crash
PID:1180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1228 -s 720
6⤵
- Program crash
PID:2292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1228 -s 728
6⤵
- Program crash
PID:4032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1228 -s 744
6⤵
- Program crash
PID:3508

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
6⤵
PID:2288

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
6⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
PID:3716

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
7⤵
- Modifies Windows Firewall
PID:2212

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1096

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2352

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
6⤵
- Executes dropped EXE
PID:2972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2972 -s 372
7⤵
- Program crash
PID:2968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2972 -s 388
7⤵
- Program crash
PID:4308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2972 -s 392
7⤵
- Program crash
PID:3888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2972 -s 676
7⤵
- Program crash
PID:1964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2972 -s 696
7⤵
- Program crash
PID:4444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2972 -s 696
7⤵
- Program crash
PID:1012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2972 -s 696
7⤵
- Program crash
PID:2928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2972 -s 760
7⤵
- Program crash
PID:3460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2972 -s 784
7⤵
- Program crash
PID:4024

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
7⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2104

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
7⤵
- Creates scheduled task(s)
PID:2476

C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
7⤵
- Blocklisted process makes network request
PID:4452

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
8⤵
PID:4696

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
7⤵
PID:432

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
8⤵
- Suspicious behavior: EnumeratesProcesses
PID:4828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2972 -s 800
7⤵
- Program crash
PID:4468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2972 -s 640
7⤵
- Program crash
PID:2292

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
7⤵
PID:3344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2972 -s 888
7⤵
- Program crash
PID:868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2972 -s 956
7⤵
- Program crash
PID:4772

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
7⤵
PID:4000

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
7⤵
- Creates scheduled task(s)
PID:1196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2972 -s 952
7⤵
- Program crash
PID:3508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2972 -s 1012
7⤵
- Program crash
PID:4840

C:\Windows\windefender.exe
"C:\Windows\windefender.exe"
7⤵
PID:4896

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
8⤵
PID:3144

C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
9⤵
- Launches sc.exe
- Modifies data under HKEY_USERS
PID:432

C:\Users\Admin\AppData\Local\Temp\rty25.exe
"C:\Users\Admin\AppData\Local\Temp\rty25.exe"
4⤵
- Executes dropped EXE
PID:2760

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:3704

C:\Users\Admin\AppData\Local\Temp\1000770001\redline1234.exe
"C:\Users\Admin\AppData\Local\Temp\1000770001\redline1234.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3240

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "ACULXOBT"
4⤵
- Launches sc.exe
PID:1180

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "ACULXOBT" binpath= "C:\ProgramData\hlkwogclqprr\uwgxswmtctao.exe" start= "auto"
4⤵
- Launches sc.exe
PID:3100

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "ACULXOBT"
4⤵
- Launches sc.exe
PID:4436

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
4⤵
- Launches sc.exe
PID:1232

C:\Users\Admin\AppData\Local\Temp\1000772001\2024.exe
"C:\Users\Admin\AppData\Local\Temp\1000772001\2024.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4516

C:\Users\Admin\AppData\Local\Temp\1000773001\mrk1234.exe
"C:\Users\Admin\AppData\Local\Temp\1000773001\mrk1234.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2956

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
PID:2580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2580 -s 1188
5⤵
- Program crash
PID:3608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2580 -s 1200
5⤵
- Program crash
PID:2104

C:\Users\Admin\AppData\Local\Temp\1000774001\moto.exe
"C:\Users\Admin\AppData\Local\Temp\1000774001\moto.exe"
3⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4436

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "FLWCUERA"
4⤵
- Launches sc.exe
PID:496

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "FLWCUERA" binpath= "C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe" start= "auto"
4⤵
- Launches sc.exe
- Suspicious behavior: EnumeratesProcesses
PID:1084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\1000774001\moto.exe"
4⤵
PID:1720

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
5⤵
PID:1832

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "FLWCUERA"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Launches sc.exe
- Suspicious use of WriteProcessMemory
PID:1708

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
4⤵
- Launches sc.exe
PID:2148

C:\Users\Admin\AppData\Local\Temp\1000775001\alex.exe
"C:\Users\Admin\AppData\Local\Temp\1000775001\alex.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1648

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
- Checks computer location settings
PID:4112

C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe
"C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe"
5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1016

C:\Users\Admin\AppData\Local\Temp\9957a16fd4\qemu-ga.exe
"C:\Users\Admin\AppData\Local\Temp\9957a16fd4\qemu-ga.exe"
6⤵
- Executes dropped EXE
PID:4868

C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe
"C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe"
5⤵
- Executes dropped EXE
PID:1524

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"
5⤵
PID:4448

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
6⤵
PID:952

C:\Users\Admin\AppData\Local\Temp\1000776001\goldprimesupp.exe
"C:\Users\Admin\AppData\Local\Temp\1000776001\goldprimesupp.exe"
3⤵
PID:2288

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
PID:2172

C:\Users\Admin\AppData\Local\Temp\1000777001\rockrunn.exe
"C:\Users\Admin\AppData\Local\Temp\1000777001\rockrunn.exe"
3⤵
PID:3716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3404 -ip 3404
1⤵
PID:4504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 5000 -ip 5000
1⤵
PID:4384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4964 -ip 4964
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 3404 -ip 3404
1⤵
PID:2288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4964 -ip 4964
1⤵
PID:2860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 4964 -ip 4964
1⤵
PID:3100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 4964 -ip 4964
1⤵
PID:1364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4964 -ip 4964
1⤵
PID:4884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4964 -ip 4964
1⤵
PID:3544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 4964 -ip 4964
1⤵
PID:1648

C:\ProgramData\hlkwogclqprr\uwgxswmtctao.exe
C:\ProgramData\hlkwogclqprr\uwgxswmtctao.exe
1⤵
PID:2752

C:\Windows\explorer.exe
explorer.exe
2⤵
PID:4452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 4964 -ip 4964
1⤵
PID:4384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 2580 -ip 2580
1⤵
PID:2724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2580 -ip 2580
1⤵
PID:2548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 4964 -ip 4964
1⤵
PID:4224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4964 -ip 4964
1⤵
PID:2764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4964 -ip 4964
1⤵
PID:2664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4964 -ip 4964
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:2752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4964 -ip 4964
1⤵
PID:1012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 4964 -ip 4964
1⤵
PID:3344

C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
1⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:3396

C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4440

C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
"C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe"
3⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:4564

C:\Windows\system32\conhost.exe
conhost.exe
4⤵
PID:4376

C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
"C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe"
3⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:4224

C:\Windows\system32\conhost.exe
conhost.exe
4⤵
PID:3352

C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
"C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe"
3⤵
PID:4544

C:\Windows\system32\conhost.exe
conhost.exe
4⤵
PID:1980

C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
"C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe"
3⤵
PID:1228

C:\Windows\system32\conhost.exe
conhost.exe
4⤵
PID:2192

C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
"C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe"
3⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4784

C:\Windows\system32\conhost.exe
conhost.exe
4⤵
PID:4476

C:\Windows\system32\conhost.exe
conhost.exe
2⤵
PID:4828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4964 -ip 4964
1⤵
PID:4600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4964 -ip 4964
1⤵
PID:1784

C:\Users\Admin\AppData\Local\Temp\9957a16fd4\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\9957a16fd4\Dctooux.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
PID:1052

C:\Users\Admin\AppData\Local\Temp\1000002001\InstallSetup9.exe
"C:\Users\Admin\AppData\Local\Temp\1000002001\InstallSetup9.exe"
2⤵
- Executes dropped EXE
PID:4128

C:\Users\Admin\AppData\Local\Temp\1000003001\toolspub1.exe
"C:\Users\Admin\AppData\Local\Temp\1000003001\toolspub1.exe"
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
PID:2924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2924 -s 348
3⤵
- Program crash
PID:3344

C:\Users\Admin\AppData\Local\Temp\1000004001\rty25.exe
"C:\Users\Admin\AppData\Local\Temp\1000004001\rty25.exe"
2⤵
- Executes dropped EXE
PID:5088

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 4964 -ip 4964
1⤵
PID:1012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4964 -ip 4964
1⤵
PID:4192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4964 -ip 4964
1⤵
PID:3716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2924 -ip 2924
1⤵
PID:3512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 1228 -ip 1228
1⤵
PID:5092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 1228 -ip 1228
1⤵
PID:3104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1228 -ip 1228
1⤵
PID:2820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1228 -ip 1228
1⤵
PID:3648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1228 -ip 1228
1⤵
PID:60

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1228 -ip 1228
1⤵
PID:2724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 1228 -ip 1228
1⤵
PID:3792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1228 -ip 1228
1⤵
PID:2172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 1228 -ip 1228
1⤵
PID:892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 2972 -ip 2972
1⤵
PID:3544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2972 -ip 2972
1⤵
PID:3884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2972 -ip 2972
1⤵
PID:2272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 2972 -ip 2972
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 2972 -ip 2972
1⤵
PID:3792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2972 -ip 2972
1⤵
PID:3080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2972 -ip 2972
1⤵
PID:2668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 2972 -ip 2972
1⤵
PID:3580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 2972 -ip 2972
1⤵
PID:4912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2972 -ip 2972
1⤵
PID:3112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2972 -ip 2972
1⤵
PID:1196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 2972 -ip 2972
1⤵
PID:4296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 2972 -ip 2972
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
PID:2288

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
1⤵
PID:3068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2972 -ip 2972
1⤵
PID:3792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 2972 -ip 2972
1⤵
PID:60

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
PID:3472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 4624 -ip 4624
1⤵
PID:4640

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Service Stop

T1489

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Are.docx
Filesize
11KB

MD5
a33e5b189842c5867f46566bdbf7a095

SHA1
e1c06359f6a76da90d19e8fd95e79c832edb3196

SHA256
5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454

SHA512
f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

Download Submit
C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
Filesize
1015KB

MD5
97650dcd02840df3d852404dbcd7b6fe

SHA1
89dfe504c083d9b6ef13dc03708ac4c626b2199d

SHA256
3df2467733d9ec8420449d9fa074927afdac005b35da2c028a57decfd49be1e1

SHA512
dcad292278471b3f007edddff6d72e1bd01f74e9a03986620033831d5f0695644781f8540e62dd39ab4d3237a83c4412b0d337b0ed339e0a850e8bcfebf64213

Download Submit
C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
Filesize
106KB

MD5
008f67b36b9be44885346e2b58aa8fdd

SHA1
748d68315388cb0874ddfedee3dca5c235ced7d3

SHA256
651502e37667ad19128bb7e92365b5421150e4b64ef1108f0486ab9681579166

SHA512
a207a8f618d989613ba3daac6d5bec99f7193c36bea6aaa7bfab91a1e1f7edac820278e3e103f01f4fb7265fa87890fe2db0fc9d0ef868e1bebab16b14db0c2a

Download Submit
C:\ProgramData\hlkwogclqprr\uwgxswmtctao.exe
Filesize
601KB

MD5
9edebe77d8a38db11eaa01aea66c0bfe

SHA1
b1e8ae274513d903672dd8d9a564bcfd51b393ef

SHA256
1faca181d7856ea9eda636d8791a9a45b58fbf1ac22d041dd2c444ec4fbe60a4

SHA512
bd22d71e51bbb472ee763ba06fa1b452badd34e4a5460270ac5c37f70348a5b8ff57f5e56dcaa25e96841fc8e9e0b02ed366bbf6750c59a09336dc6c01600157

Download Submit
C:\ProgramData\hlkwogclqprr\uwgxswmtctao.exe
Filesize
682KB

MD5
a54e442c0ba096e239ae84b881ac5431

SHA1
b6a2a0bdda4fcf342170647e9950ef2d3faacb05

SHA256
e1fd64dc0919fc314f81422b0ce8da5358b2e7f304bc87bc7a6eb21f66bdeaa3

SHA512
2a7d19558633d011673a26e8664f78c8aa6a0a7205fe33772325640522d6f0fd78d31b779670cac3533c2f367fb561e5caa85ee4eadd9e08748c9936bfcfae7a

Download Submit
C:\ProgramData\mozglue.dll
Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\c39c4a68c1baf0a4b7e4691e3eeab4d3
Filesize
20KB

MD5
c9ff7748d8fcef4cf84a5501e996a641

SHA1
02867e5010f62f97ebb0cfb32cb3ede9449fe0c9

SHA256
4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988

SHA512
d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.log
Filesize
2KB

MD5
1305705ab4eb7a8ff5a73874670d91f4

SHA1
a118cf0ba2d4ac47473b9140c0aa7745efc6aac7

SHA256
d6af172e36aa43249144b77b3fb2dfe65f511baf3b2e7747851e47eaceb8f99b

SHA512
27ecc05e3c91ae669799ead19ef0d89397cd51f3221c1e35d30a8fe229b80a7efdc1e9b6c10bb544442c47a263c077cd912727b5a2388ad1f71af45a17ef4b64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\crypted.exe.log
Filesize
42B

MD5
84cfdb4b995b1dbf543b26b86c863adc

SHA1
d2f47764908bf30036cf8248b9ff5541e2711fa2

SHA256
d8988d672d6915b46946b28c06ad8066c50041f6152a91d37ffa5cf129cc146b

SHA512
485f0ed45e13f00a93762cbf15b4b8f996553baa021152fae5aba051e3736bcd3ca8f4328f0e6d9e3e1f910c96c4a9ae055331123ee08e3c2ce3a99ac2e177ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000003001\toolspub1.exe
Filesize
208KB

MD5
3459e4e3b8c2023cb721b547fda205f6

SHA1
c4cc7eb4d2e016b762e685a87b16144fda258f9c

SHA256
9e5c6920cc755310726ff3ba27373a487206238dd24667a58c0c67219db79cbd

SHA512
eba48ac97ca9d2ca6626cd7fbcdb17f5a7173e03f6d8164c9b0c91902741e38043800d8815e0385ee3e57690fcc5a77d71f2c811b859e3e5d8a886b96a0070bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000004001\rty25.exe
Filesize
298KB

MD5
5fd7aff48d27771ca0aec6776afefb93

SHA1
5d57e1e85a836b736d3b3c2056d500d1d2b92dd2

SHA256
a9498e18f267a568b57d3a281d14118c70ffd1aae42411ee9a7661092beee97b

SHA512
aea36265cf13aa252ee06086b22002165401fed256d1bdfd26aee61f4b26e7c29b430237a6941a5a09f923b246cf84cf75b110aad9f01c694e992c6b076bc293

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000674001\plata.exe
Filesize
1.1MB

MD5
00fb5f05cc6a22902de878ee3bbefbd5

SHA1
21d3958b179d18c64483d8c59dda67d07dc6588e

SHA256
b9ce041fddf5072392de32ea719cf2b2b6f69b4cdf8837ee57ae8097510c1a09

SHA512
05bedf542a21ef882af6b20fa92e8f16ab43885b00afef527850709d9518c819769fc80aee9b1495f8e74d572f1b608e76a05bdc4962881fd394b098619a3729

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000735001\lada.exe
Filesize
2.2MB

MD5
783c514fa6189d91ac625ac6f16a7c6c

SHA1
96d0e6a06eaeec0b37ead78c097c0d623f592102

SHA256
20e9e19afba5b79ceeb2ac276295f12a0b966860ba07fe6b80a8b69da857f98d

SHA512
5d3a5ffb5f8bfc7de16e75298166d1b77e0f90770dfba8463deeead11d86e971ea12ccd456db1624b1309c70aeae20d86582cf029c8b0f05503aa193fd7b2974

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000751001\crypted.exe
Filesize
412KB

MD5
3c9da20ad78d24df53b661b7129959e0

SHA1
e7956e819cc1d2abafb2228a10cf22b9391fb611

SHA256
2fd37ed834b6cd3747f1017ee09b3f97170245f59f9f2ed37c15b62580623319

SHA512
1a02da1652a2c00df33eceda0706adebb5a5f1c3c05e30a09857c94d2fbb93e570f768af5d6648d3a5d11eea3b5c4b1ceb9393fc05248f1eefd96e17f3bbe1b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000752001\1233213123213.exe
Filesize
856KB

MD5
33cbaa6d2a1b610ed621fb711da014df

SHA1
cd0b04aa27b9121a1fb8b367dcbf91ffc14dd159

SHA256
d50fb42d9f0298c85b07c107bbfc54e272edd97d713452a677ebf3d2d55ea7f1

SHA512
8134fd33c31d765f4cbde5b9ab0300f1c6c12a9245669906166b2692a00621311d93b5ecd3d771fdc2410797aa24e5345839679a57706ec30c3b03b9eeefcf2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000752001\1233213123213.exe
Filesize
232KB

MD5
5ad4f386075b6c455ad7e7de4213dc56

SHA1
be468fc950b2fb5a90a715ee1c621a3fb81c8751

SHA256
1e2e6411cc5c8d8b8d7643035a24a841c11dca60e5d1b332a17394e08b45a9e3

SHA512
5444875e85b85e71256dcbd7d33f81ff9c4b2c719f97d710dc344d6563684a7e4dceb68059d99fa7430b6764433bbfcb087d9680f06fa0567b24b4e233fe86b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000752001\1233213123213.exe
Filesize
534KB

MD5
8068fd90488c53533435b207e687ed39

SHA1
0712715635fc8245d0f828ea9fb8929c1e287195

SHA256
cb622ff0142517c9b3e146e0cd249026bb882e4058f3f4802f626ad91adbbc1c

SHA512
adfeb3e636b937c4652986593b4683ad3dd03df9b6847e08a74718ef2a880e4b194e92956f15989501a8fc1d64227f822cb78b55edb25dd7639fbb18a152539a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000755001\1234pixxxx.exe
Filesize
1.1MB

MD5
87bac70c88db5a4f6022e72cf400c61b

SHA1
d9470f4f7bbdce18f7a9feafaaac820a2580096b

SHA256
048132b1fb9567f03f424971a16832c4c95d94fd568500fa4ccd66becd5a6be5

SHA512
c52a87fd7e282f88487249dc30add581c486cd091b8b205540222aaa83808ccab355e083543b6f266c6499b8134b4c6eb6a3d333b1679ca54970e073939252b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000755001\1234pixxxx.exe
Filesize
1.2MB

MD5
7557bc6b88318b8ca26d1b467e2e45c8

SHA1
5aabdf7d08d3e087c255ab15ba20b36710c3f12c

SHA256
e5014ac1e7c1e0ac672c131857a8dd818eba40af641b601687f20db61ec9d522

SHA512
f999c4c0c2e7483890842b6e903012db5dde69c9552a2e0e50497fb01d093e5b68d27b0c7728b3207e732d0c9d88030029da725536a46c72e6cc018a0ad87c2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000755001\1234pixxxx.exe
Filesize
771KB

MD5
52b664f21bdfc3981881dabe4eb1d1a7

SHA1
d28f126945db84b2b83f8e72042e26401dd7916b

SHA256
a7e4e6d52e10a44eee97a065543d4c0c1e9c2bc6e1347a2bf0f4afa4d6f939d9

SHA512
d554ded13f051b4ca076f30305e964e8107dc1a49751b3b45ea7827d466ac727b8fc1c9739504313175cc1be6f8583e75031131b9b1c975878791db9bf500590

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000756001\rdxx1.exe
Filesize
471KB

MD5
810da00c69d55e89dca3bfe9a6f6a420

SHA1
ca02bdce48ac20f7b40ab720079009894f369990

SHA256
64a21d074850a4e8dd28a846e8f9e5d72d5549dc68d9ded2e9bff99f730f4d80

SHA512
453f25595db97195c6211a07c821977e1db5015906865fcbb535172c5fc1733a131eafc512dc896f4c8726c9d58cf2aa6b354d7e33ae3afd9371a0c5432b3034

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000756001\rdxx1.exe
Filesize
373KB

MD5
e955394816239fb3e4142ff955e88bfc

SHA1
e62f7cda63e9cd19cbf4baf6513474d6f6495797

SHA256
7a39eb239f9c42ae2edc541a56921783378a0ada9d2f86cb6aada8539897a7ca

SHA512
5ff3f48ec882c0f5eda30c78b949e7ee2afafaa724a55ee477dfd2a1dcd549cbce0fd0b3683c686f56eb4ebe172c2a19a2746ede0d9e23a06d3e429548683d16

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000758001\fsdfsfsfs.exe
Filesize
57KB

MD5
81d642b6b5ce82dd48b4b652be33ef0b

SHA1
3ca39aef5f56839895a6b802bc05cce464ea89d5

SHA256
07cf174b1309fcd24b03e2252449799c72c70826d692ce65f5e1c4aa9ee06031

SHA512
9267a78e24bf70d7569e553bf37c9919907016cbe8ccd33887e446c06fb453e8af3e11e31d4a199de61cc3a1ace13a2bba0ca40e73db601cfc483f48ea45cb3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000758001\fsdfsfsfs.exe
Filesize
498KB

MD5
b2f3f214e959043b7a6b623b82c95946

SHA1
4924ee55c541809f9ba20fd508f2dd98168ffdc7

SHA256
73858a7bbfbc90c05f17abda15758e362f59be5bf440b3dab4b3f0bb8ad44d29

SHA512
c22d3f4e9cf3615034c6a6657e6b1773cb37cec983a87c61b0d0414dad15baa1fbf53e77b4049e9ab3f0a13070b21bb82c523bfa95787035c35a4b38f1b77e67

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000759001\sadsadsadsa.exe
Filesize
128KB

MD5
c53008e60ad81bdabdc16eb8d27b0b18

SHA1
5239d012b6d701c903ba326e27fc5ca220a9b8d6

SHA256
2cb5be789fbf15a8521fdac7253f19c2416fde182e2427d7f7a47f08f67ab6ac

SHA512
49f45c027067ac9cdc8463ffe29549d84c234d3681073666c0f150beac824bbfed5ef5106fd3ab067347d192149857d6b5e6d3b1b2cfd11b0c2e5340aa374d23

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000759001\sadsadsadsa.exe
Filesize
313KB

MD5
5a6358bb95f251ab50b99305958a4c98

SHA1
c7efa3847114e6fa410c5b2d3056c052a69cda01

SHA256
54b5e43af21ab13e87ff59f80a62d1703f02f53db2b43ddca2bbd6b79eb953c5

SHA512
4ba31d952bffbe877a9d0d5df647e695e16166d0efe7e05e00ddb48487ab703413351a49043965d5d67ed9faca52832ed01bf9fa24d5943fd591b2d263cf05c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000762001\leg221.exe
Filesize
292KB

MD5
d177caf6762f5eb7e63e33d19c854089

SHA1
f25cf817e3272302c2b319cedf075cb69e8c1670

SHA256
4296e28124f0def71c811d4b21284c5d4e1a068484db03aeae56f536c89976c0

SHA512
9d0e67e35dac6ad8222e7c391f75dee4e28f69c29714905b36a63cf5c067d31840aaf30e79cfc7b56187dc9817a870652113655bec465c1995d2a49aa276de25

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000763001\55555.exe
Filesize
306KB

MD5
51f06b46b3a0d18378ced767d82ab29a

SHA1
b9a14a18c4f5447e7a4092fe67df5488837004e0

SHA256
3b4b7a94afbad56a690b3244665e86179be635d78d97fb29fd263be3d445f691

SHA512
8425edb84a89b3e2547306ee7e2660a984538d411088b9e407b6a402ca38c7356ff8ef0fc29b5d89be06b66d6cfe5786721abbc1bd5df5fc341d76c97e41e745

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000763001\55555.exe
Filesize
309KB

MD5
4d4dfb48b507912cde25efd6234d7dac

SHA1
d775bdceb80792a462e96b67edd0be34ee6c67ee

SHA256
7c9e03d2bb488bda0ae8d30cec7b147a42a9b80e461617d12975e6a947947fd5

SHA512
3b936f5843665091d19b5f8047fcd2cc7e232e07c9706f866d3f66731f3bcd8fd15196d054b5416dfd516918a6c89129033141cc08c47bc6b716488114e6324a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000763001\55555.exe
Filesize
280KB

MD5
0056fa740e7bdb737c7ef1699eae57a3

SHA1
9910bedef4e5c2b1727f8cbe2032ae6bade6a7e4

SHA256
fcf7ac7a28e4b059ba60026a04c30c759c2ad4bc86f11dbf42d965ab31ad877e

SHA512
8a22a845b8183918f05e31f36edaafbd84031f9266bd573dd87611c92cd20e5afd423a3bfac7385121ade1bbf83337c8d166e20df249416f0fbe33a063ee8bf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000765001\workforroc.exe
Filesize
1.4MB

MD5
5310ec6a08a2439e3d1f95171fd80377

SHA1
5d06c04524b152799b85d9f265abb8d9082e1fb4

SHA256
7f2fa496fe5d905f7e103f747416753751e7950ff4c52f58097269c75e4fd2ab

SHA512
3374eb77ed1ed33e3bb3cb2cdeececb79f8ffa00ed9cd4c97d30b2b3da2909d2611df928afbf5c6c39d9eed6c2755383713fe21f5d06a6f2202423cb4d2dfb9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000765001\workforroc.exe
Filesize
314KB

MD5
f8395be734a1e57d14bfa8004dad040d

SHA1
9a38ae0a38e1d9a8ee2d3818505a8301ca392f82

SHA256
ba315b8ece56ea78cf7504a7cbaffec6bfa7cac0a040e38fb517d059a3fba0ad

SHA512
d410b067c9851490c7e6887d5f0cea6e790faea297d150cca817ec82f68d20cf39a0984a980453f415e9d683f0a28ec646608d87063e5379e94880caa00ce815

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000765001\workforroc.exe
Filesize
281KB

MD5
f22b0415c679ea3cdbc04055ba495d10

SHA1
4fa9dc29069fb282d5750df4d7c9e7956082d08b

SHA256
53fca573963e6776b7c41ae86d655e6315bb4580b4f2dcdb1eb1350047b9b522

SHA512
942ebd7e802094cffda1796cd596fec19af7212ae742fec05657f44a29b41db71294cacf6e4f8df0819dfd0fb956d8620a26d84d4dc865f3545808a448370037

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000770001\redline1234.exe
Filesize
958KB

MD5
06085332e3f39811251ad4c3a04bf5ee

SHA1
d82effd0fa041013cb46e95f240a3f0efd23d877

SHA256
0f5b20e005a51310f375077bf14f19c8a19e38734c125db7f6c6b41117708217

SHA512
65373110edc3af7bd92bb0bafa48d45e83f0eb2142ae2283d31a7b8e69d66509203f7a5ef1cfbb6b18112a0a9931e210134e4ab53bd35dca3ee9073e5262cf0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000770001\redline1234.exe
Filesize
1.1MB

MD5
b5c71e949a63ca8386a33c851002d51f

SHA1
7b5b97c75aceb0eb7f8d137ee449fec23e06404d

SHA256
23d9cdbf7e44149a1cb1aaf4aa096b293c5cc5045a805f4fbfadb7cfc9637259

SHA512
b9132a7b51b223d684fafc0c135d91f378e220d75a6da7a8169f4f1d5faf3570a44d662497b66d1e2571eb63546ad0fcbede74c0d355dd1cfb688f12382499c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000770001\redline1234.exe
Filesize
1.3MB

MD5
f39190b7b1b71c46422bda88310fc7ea

SHA1
6896e5307f7cbbba35ca8328db82325458122dfc

SHA256
2db182f76ad1f6c00daba3e80bc78756739e7005873ba3c73eb17eb0aa1d5881

SHA512
6c3a76fa005f30384c4191339bb2980c01a9bd9556a0dd50f113423b49e7fd9162e80623b2445131540ab93b186d971b8e5d077dd40c2a0527e884c0bc9c8625

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000772001\2024.exe
Filesize
300KB

MD5
2c470494b6dc68b2346e42542d80a0fd

SHA1
87ce1483571bf04d67be4c8cb12fb7dfef4ba299

SHA256
1ca8f444f95c2cd9817ce6ab789513e55629c0e0ac0d2b7b552d402517e7cfe9

SHA512
c07332228810928b01aba94119e0f93339c08e55ad656d2eaff5c7647e42bbf5ab529232163fb1bbd14af3331a49d0fb537cfb5eb83565f674155e53d4ae41b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000772001\2024.exe
Filesize
256KB

MD5
b8449f91ecd64b2e6fe9c8607f348669

SHA1
1b288d0d2a6a04c8f704ad95640e01596521e5f7

SHA256
aa10dc154d1d230bfb428ea04dacc89c7076f5a6658e36e34f1cdde9190a6a54

SHA512
41e6e0939a4afd84a446e4e65f420c09b6c026afca826b85178e464fbe2584e2a61f651d8a029a07bd8a77fb8bc4ba915b756e8fdddd697b72b813fe1ae9c418

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000773001\mrk1234.exe
Filesize
698KB

MD5
bf2a3e48b0ea897e1cb01f8e2d37a995

SHA1
4e7cd01f8126099d550e126ff1c44b9f60f79b70

SHA256
207c4f9e62528d693f096220ad365f5124918efc7994c537c956f9a79bcbadd3

SHA512
78769b0130eed100e2bb1d0794f371b0fa1286d0c644337bc2d9bbe24f6467fd89aa8acf92ac719cc3c045d57097665fe8f3f567f2d4297a7ee7968bbab58b91

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000774001\moto.exe
Filesize
107KB

MD5
07d72a32daa65d79cb4a475c8563b65b

SHA1
6b89a42b2690641d2b52f7a76ff9243fc4b3ea42

SHA256
5715ba704a64082291960f971600e57d1bee120365c0f832fc6cb5f8e9a7335d

SHA512
8a4c9888859c494b64faee165b0340af894418528f069b4b9835cc46db994a3b84c6a30d2bd19696bff448f201db2f8f0750a0b8543347bd6fa0cfbbf937befe

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000774001\moto.exe
Filesize
897KB

MD5
f0148aace93a5d316fcaab79eb9a52a1

SHA1
05708ed64cbdca02904cf81ed80cd6b5af6fb099

SHA256
4d696f6d8f6b0e158e56c123f91a3da3a1665b5acbe38db686dfa54bc41745db

SHA512
fcbec064d97d9812d405b0a2a9e9fb9df78beb60ffc92fb112bbdba740602ce5c018a2f6a93d281d4864d6281e36b451ef68551d7d258cf4cd687e38611022cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000774001\moto.exe
Filesize
1.3MB

MD5
e67cbb5370aa1e0cc7df4ce62dc5f82d

SHA1
d470d4a877c84b009a5ea438b95e92fac7d4911c

SHA256
50847dadf9e3065478f004cd35e99f3ddc6032f97c01cb2e1ecb9a81da1eccc6

SHA512
4891fb2d3dc7e1d82e5d87b7537a8ac805eb9199b6a248513968803fab5a15b1d1788dcca8f879add5bd6fadd2adc46b1904f04181182d5ea04e0a977f3adf63

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000775001\alex.exe
Filesize
226KB

MD5
2ee8ae9a18ae8148086566c941472012

SHA1
8abea4bc078bdbf191f587073604ad20bc0205e3

SHA256
6e4168ccd4846a770dde9433ab2ada4b525528e90f4f0a4536d37497cb483824

SHA512
b1b7a22f398900279530ba417de07c5266459763cb28f3480507ae581b24dfe0f3e4993a4330d88b855f3353690887318616d928b87d98a76270734d95b41291

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000775001\alex.exe
Filesize
826KB

MD5
9455125717632ae8f21a2172a2610eee

SHA1
67f13bf6cef3da84a9c746fabe5b3c08c31152d6

SHA256
aff4a80096c94459486e953fd57dc0ffb39ba340b9cbf7548fada58a4deef42e

SHA512
78791a44f260a01202894ad9d7de4d637a11e35f0ce07ab58a73f3a8c7d9dfa373532b9928f57b31c2851944ee37f7bd5b8f0d600570504fe36f150e2886eac1

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000775001\alex.exe
Filesize
660KB

MD5
150aaf12e9400bdbaa61ae427215a49a

SHA1
61f448c80bc48362d3c1a74051b7922f3ade206c

SHA256
2e9d5d086395519d605c03a5113921e630a3bc45a3f439dbdf04908d4ec8bf9e

SHA512
fa33c3bc45f2fa430c89d30afd1a94c967c9d1c585cbb089bab59d668fad7214467e92fcdc130524255e6b195588061e7c7a2cf52f735a93be2abbc449452f09

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000776001\goldprimesupp.exe
Filesize
372KB

MD5
e192ed56e9f5156b30ac5b5764f1eea1

SHA1
cecffa0e69c8dea9d5044d4e22d416ccaf8b29e5

SHA256
be82f5ae74b72c8e3c46ae70180f6ef917983ef9e009bcbf0453757b1d0735d3

SHA512
a5b5d560dc39b30fa1b09ce188ee5d9e0894c16c4d4b1cdb57acddd54a60ce0ad5d8d2b1638f15ce38df3168e423aa20ac22898669372d00ccadd92e28880c2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000777001\rockrunn.exe
Filesize
416KB

MD5
26b0e1817c946b08d79bf5fa9463e09c

SHA1
fe1fe0eea55a567351cc00df77f4c814a0fb61bd

SHA256
c027c16cad90e9445faa2e1c0e220dac7adc8fe813f30fdc026ae90abcf7acd6

SHA512
b5d0fd44d0394dc94723cdc36c1e6534ff6d718a0ac18fcb78545fee878f8d41f7b7ac2e4dca86ca415ff1413970b2d033a51ae204b6f351f6de09e18d7e8896

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000777001\rockrunn.exe
Filesize
241KB

MD5
7dfc17f5285ffc263ad707fb6961be7b

SHA1
74682ac3e422945a2877cb9d929f0ff5a468a3fd

SHA256
247a2246e66716badcd95844b6343f753819a1a9e6c4612027a8515208e97bd9

SHA512
46bc4bf05c58d171fbfdac739c0d0c4ea03b36fd2fc8f542b8f018dba6bffcd28b5f2ae1497a78a0ae83794e05231790cdae56af4ada82e3a1a0c04ad0ed5d2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
Filesize
1.5MB

MD5
2706e54160f0d13f18e16b179a9ff54f

SHA1
a1371674239cd0dabfab6e7d99d119d75eb8d120

SHA256
f4e4a1493eda761d98ff91b56f5a2d741410a04d8c01cb6a3df180a5d6078280

SHA512
e81007bd177857b1d94813719522dedd965c56e8836221598488ca5d8ef02345a7b7df18dfd16b0b61559ba5e44c0c5fac483bf9aaae0d93522bc87d5754e4f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
Filesize
1.2MB

MD5
5fc3833765e0d0a94d226bc480931a19

SHA1
239778d5c4dddba969c7c10f3697f690e01814e2

SHA256
c1c48c533ea6736332f9c6906f13b18cab5ed3ea5e81a1aa472044d43e7abdb6

SHA512
f6d9b45cb5008a1bc9de01f1da215a82383d4768f07c0357bb82307554091c52655ecd006ed43b702c2282c136582394757e64862622614ec425dd1b68a74e9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
Filesize
1.6MB

MD5
3e30790cc9414db7223b841be88ad4d1

SHA1
df8449db29ea69fd7deb60984cb36642ebe9af7b

SHA256
55caf366eed404b54ecea7d5c910d089e9dd2c3edae826b537e8ef16c7063abe

SHA512
843785fd2b969f614df800e48ff2b0efd8707bfe820adb88fb84fc12cd775d51e406fc9e24da1f67e4884402dbc50edb3329f3124d6426fd7e38c79cf718a9bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\398549320365
Filesize
81KB

MD5
c7c53db43db6390c4d099dde400d765a

SHA1
3e5723809205beaae9fba0daf5a939578d03bc4f

SHA256
fad0910cb41893dcef4d10bbaa2dc8a6767cb4708de262475a23bbd29c94ac4b

SHA512
60056f908ef781433efa3f6e3f85a21070a7718708b185da6ca07713600cf5403e28cefb2ed82670a61dd43da199b8540af881e4e6a887c4176aaf48d408ea5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
Filesize
1.0MB

MD5
3228b50902bf06fd90c7ec763c6c55a9

SHA1
07a2c29a6e2bdb4c8b210c45430e0aa18ca20829

SHA256
6b51a6e0d464e5266d6cdfa269ee27ca4c57a34191402d1c1849a6f03186fcd8

SHA512
3e94fab45a81149b2a11b66ee328d482c2d7b471145cadb4ae8a97ff8fae8d51c031822e2e400aaedaea90d205c1d910aae0c1ed00010b4be2b7c0aed69b6ac5

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
Filesize
1.4MB

MD5
f0b1dbf7b7f27ba5b7177724f80293fd

SHA1
6451089babcd465ef366d7a7ba07a297ec5188a1

SHA256
baf727506df169762669ea9298bb83849abfd4dac035b20af4e42688406d6dd8

SHA512
adeaf336b6ef16728ac529c9a7025768442cc4ac68fe386191ebfaeef04c00af7813f36ff20e8d603b03ea8042a673757f1c7120835d24236487a5b17f2f7890

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
Filesize
1.6MB

MD5
09bb58965bc904f65f2c288f3449ffa3

SHA1
d6d302cd48b739d13b37963a06e3732d44a97f1d

SHA256
819e94c0a1930dd569acc17d8931a1a378532288430dd68073d6b235224638d6

SHA512
13e698c88121fd8cd56c7554a8efa43ea08dbafe3f80c458a2aaa307e0670289a7561e98e6929f8253e928883b12c5aaff91ae10888fefde28080e2f7f253a5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
Filesize
1.1MB

MD5
d35abde6c7161184ea22b6d383f881a0

SHA1
6b44b715837335cad97e6fb3b55e61772aeffe54

SHA256
2bfae2d6e94c33ca29dbf420b8b77356529e7416414a83e272cbd8b9f2f2e521

SHA512
a05a70907f4d5370de584cb093cf39e8a72844eb3fb5d390864ac83b410876ccb58702baa092252573aee8e0c3580f6c4921502c0d9f00cba2fdc24e2a8c696d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_agnuvtpu.ewz.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
Filesize
790KB

MD5
fe5aa71a9083e8e8afe13394c10f01df

SHA1
62111b0428acfc13dd5f8d6b23c14c56f7c20e06

SHA256
f85208dafa53821b234f115339f4c2dfd60a59bf51e3b60753e8790df688e19e

SHA512
6de7fef22f295e8d4548c4c60da98f129e8ad4e0d761dc5ba15c74fb18f8ffe9e5f3b9487a26917dc9e8d81d78a2bc17722781adb7b81e20ed1f0c1ee3de6617

Download Submit
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe
Filesize
4KB

MD5
a5ce3aba68bdb438e98b1d0c70a3d95c

SHA1
013f5aa9057bf0b3c0c24824de9d075434501354

SHA256
9b860be98a046ea97a7f67b006e0b1bc9ab7731dd2a0f3a9fd3d710f6c43278a

SHA512
7446f1256873b51a59b9d2d3498cef5a41dbce55864c2a5fb8cb7d25f7d6e6d8ea249d551a45b75d99b1ad0d6fb4b5e4544e5ca77bcd627717d6598b5f566a79

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsqD3EC.tmp
Filesize
177KB

MD5
4d1536443c0c72543ce312195f21e784

SHA1
b10e6254076b4a2ccc137baedd64f9d6605d12e8

SHA256
0371fbd1376855c5dc8e6202ed99834a4a085e5d9c0a180084a4513303b6ae70

SHA512
7932e6530c64e6c4ed2d401f7334ca5adcfb17b01d5101244863a12dc79b70f3b789e2ae02ca458503c5cb9abe2823bad06df709bd0dbf4131955faa192ba103

Download Submit
C:\Users\Admin\AppData\Local\Temp\nssCBCD.tmp\INetC.dll
Filesize
25KB

MD5
40d7eca32b2f4d29db98715dd45bfac5

SHA1
124df3f617f562e46095776454e1c0c7bb791cc7

SHA256
85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9

SHA512
5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

Download Submit
C:\Users\Admin\AppData\Local\Temp\rty25.exe
Filesize
715KB

MD5
0b374be36fee0eae8b1e305f1e4073f5

SHA1
3e5f24441b9f00c3e5beb7ef2438d1868259d852

SHA256
bbd48c58bc41696a56c317d9650057c725642e5c1dee71a8b4f0b9cbd9095ad4

SHA512
f8abf77020dfe9cba6c8afb6535a86338a8923dac7d3a81ce78110302708611109c3b80104178ec6dcd95ce7d9e60829fa8b88c7411aa726699aec04eaaccb9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub1.exe
Filesize
332KB

MD5
a1470335c14e84fd1f158878a5776ae1

SHA1
98ff4297b83233ce26c0a116abe76312af645398

SHA256
8da2cb8ea28028e84ead59e8d7e4f97325351ddab33df6704d3cf8894d5ce7a5

SHA512
cb43793944d547f6d91a546619848f02605e42ed6160954fa89e5297b0d252a1ddf3747d5fd96912fabcad6ec90901a15da5e755838916fe80396742c79008ec

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
Filesize
102KB

MD5
85af6c99d918757171d2d280e5ac61ef

SHA1
ba1426d0ecf89825f690adad0a9f3c8c528ed48e

SHA256
150fb1285c252e2b79dea84efb28722cc22d370328ceb46fb9553de1479e001e

SHA512
12c061d8ff87cdd3b1f26b84748396e4f56fc1429152e418988e042bc5362df96a2f2c17bcf826d17a8bae9045ee3ba0c063fb565d75c604e47009ff442e8c8e

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
C:\Users\Admin\AppData\Roaming\Temp\Task.bat
Filesize
128B

MD5
11bb3db51f701d4e42d3287f71a6a43e

SHA1
63a4ee82223be6a62d04bdfe40ef8ba91ae49a86

SHA256
6be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331

SHA512
907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe
Filesize
135KB

MD5
36cdae10478c115fa64c36d80dd83b2d

SHA1
57de5b99dd48d35569fb12e7454c1b6f4b55e267

SHA256
50755f295af8188d4169790291795a25cf8e73c1d6ace2c27faf62e4cb7f2c34

SHA512
8bc676477cefa732a78f613344cefd04f183b22113779b169beeca57246a0c5bcc7b5296162f72f53a2ecf1b6d12399568d90565086bbbf88e8780af5be6cadd

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe
Filesize
313KB

MD5
5ea776e43112b097b024104d6319b6dc

SHA1
abd48a2ec2163a85fc71be96914b73f3abef994c

SHA256
cf650d13eea100a691f7f8f64674189a9c13d7948e31468963e10a23726dc341

SHA512
83667045b7da8596fad90320880d8d7c83f71a1f043d73f7b68a0ad948ae2e530a753d5c7943a096a307e696f8d9fa433025b30078af6d4530d1a2f2a4b12ed2

Download Submit
C:\Windows\Temp\zamrbllfjgdb.sys
Filesize
14KB

MD5
0c0195c48b6b8582fa6f6373032118da

SHA1
d25340ae8e92a6d29f599fef426a2bc1b5217299

SHA256
11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5

SHA512
ab28e99659f219fec553155a0810de90f0c5b07dc9b66bda86d7686499fb0ec5fddeb7cd7a3c5b77dccb5e865f2715c2d81f4d40df4431c92ac7860c7e01720d

Download Submit
\??\c:\users\admin\appdata\local\temp\F59E91F8
Filesize
14B

MD5
3853abb35ab617a117144f119cdc9808

SHA1
03d8fb3499ba7e77d9aa75cdd118b4e7a74fc4ae

SHA256
f4a22e11f7d4a6ea0c60654edc821df260b093ce1ccb911f16b42bcfc96278ef

SHA512
0c79095134ef83f1eed98cdaff749fb557e6543789879fc09650726cc8c575ba18757975bb67e245846fad304ea3dd0abc0f489c810b8ef1b5f08d72e711e1b8

Download Submit
memory/548-603-0x0000000000FD0000-0x00000000014B0000-memory.dmp

Filesize
4.9MB

Download
memory/548-182-0x0000000000FD0000-0x00000000014B0000-memory.dmp

Filesize
4.9MB

Download
memory/548-36-0x0000000000FD0000-0x00000000014B0000-memory.dmp

Filesize
4.9MB

Download
memory/548-425-0x0000000000FD0000-0x00000000014B0000-memory.dmp

Filesize
4.9MB

Download
memory/548-236-0x0000000000FD0000-0x00000000014B0000-memory.dmp

Filesize
4.9MB

Download
memory/744-177-0x00000000068E0000-0x00000000068FE000-memory.dmp

Filesize
120KB

Download
memory/744-113-0x00000000057A0000-0x00000000057B2000-memory.dmp

Filesize
72KB

Download
memory/744-220-0x0000000008950000-0x0000000008E7C000-memory.dmp

Filesize
5.2MB

Download
memory/744-147-0x0000000005BC0000-0x0000000005C26000-memory.dmp

Filesize
408KB

Download
memory/744-157-0x0000000006B90000-0x0000000007134000-memory.dmp

Filesize
5.6MB

Download
memory/744-125-0x0000000005800000-0x000000000583C000-memory.dmp

Filesize
240KB

Download
memory/744-158-0x00000000066F0000-0x0000000006782000-memory.dmp

Filesize
584KB

Download
memory/744-169-0x0000000006790000-0x0000000006806000-memory.dmp

Filesize
472KB

Download
memory/744-114-0x00000000058D0000-0x00000000059DA000-memory.dmp

Filesize
1.0MB

Download
memory/744-218-0x0000000008250000-0x0000000008412000-memory.dmp

Filesize
1.8MB

Download
memory/744-103-0x00000000730E0000-0x0000000073890000-memory.dmp

Filesize
7.7MB

Download
memory/744-102-0x0000000005DC0000-0x00000000063D8000-memory.dmp

Filesize
6.1MB

Download
memory/744-127-0x0000000005850000-0x000000000589C000-memory.dmp

Filesize
304KB

Download
memory/744-96-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/744-101-0x0000000005790000-0x00000000057A0000-memory.dmp

Filesize
64KB

Download
memory/744-185-0x0000000007A50000-0x0000000007AA0000-memory.dmp

Filesize
320KB

Download
memory/1084-294-0x0000000005470000-0x0000000005480000-memory.dmp

Filesize
64KB

Download
memory/1084-250-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1084-279-0x00000000730E0000-0x0000000073890000-memory.dmp

Filesize
7.7MB

Download
memory/1472-604-0x0000000000400000-0x00000000008E2000-memory.dmp

Filesize
4.9MB

Download
memory/1648-684-0x0000000005760000-0x0000000005905000-memory.dmp

Filesize
1.6MB

Download
memory/1648-653-0x0000000005760000-0x0000000005905000-memory.dmp

Filesize
1.6MB

Download
memory/1648-675-0x0000000005760000-0x0000000005905000-memory.dmp

Filesize
1.6MB

Download
memory/1648-680-0x0000000005760000-0x0000000005905000-memory.dmp

Filesize
1.6MB

Download
memory/1648-667-0x0000000005760000-0x0000000005905000-memory.dmp

Filesize
1.6MB

Download
memory/1648-648-0x0000000005760000-0x0000000005905000-memory.dmp

Filesize
1.6MB

Download
memory/1692-93-0x0000000004CA0000-0x0000000004CB0000-memory.dmp

Filesize
64KB

Download
memory/1692-92-0x00000000730E0000-0x0000000073890000-memory.dmp

Filesize
7.7MB

Download
memory/1692-100-0x0000000002680000-0x0000000004680000-memory.dmp

Filesize
32.0MB

Download
memory/1692-99-0x00000000730E0000-0x0000000073890000-memory.dmp

Filesize
7.7MB

Download
memory/1692-91-0x0000000000120000-0x000000000018C000-memory.dmp

Filesize
432KB

Download
memory/1708-285-0x00000000052D0000-0x00000000052E0000-memory.dmp

Filesize
64KB

Download
memory/2580-542-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2580-547-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2784-171-0x0000000000830000-0x0000000000C38000-memory.dmp

Filesize
4.0MB

Download
memory/2784-569-0x0000000000830000-0x0000000000C38000-memory.dmp

Filesize
4.0MB

Download
memory/2784-380-0x0000000000830000-0x0000000000C38000-memory.dmp

Filesize
4.0MB

Download
memory/2784-15-0x0000000000830000-0x0000000000C38000-memory.dmp

Filesize
4.0MB

Download
memory/2784-16-0x0000000000830000-0x0000000000C38000-memory.dmp

Filesize
4.0MB

Download
memory/2784-17-0x0000000000830000-0x0000000000C38000-memory.dmp

Filesize
4.0MB

Download
memory/2784-178-0x0000000000830000-0x0000000000C38000-memory.dmp

Filesize
4.0MB

Download
memory/3064-284-0x0000000005460000-0x0000000005470000-memory.dmp

Filesize
64KB

Download
memory/3064-257-0x0000000000A20000-0x0000000000A74000-memory.dmp

Filesize
336KB

Download
memory/3380-126-0x0000000003120000-0x000000000317E000-memory.dmp

Filesize
376KB

Download
memory/3404-531-0x0000000000610000-0x0000000000699000-memory.dmp

Filesize
548KB

Download
memory/3404-354-0x0000000000610000-0x0000000000699000-memory.dmp

Filesize
548KB

Download
memory/3904-241-0x00000000053E0000-0x00000000053F0000-memory.dmp

Filesize
64KB

Download
memory/3904-269-0x00000000730E0000-0x0000000073890000-memory.dmp

Filesize
7.7MB

Download
memory/3904-268-0x0000000002CC0000-0x0000000004CC0000-memory.dmp

Filesize
32.0MB

Download
memory/3904-216-0x00000000009F0000-0x0000000000A72000-memory.dmp

Filesize
520KB

Download
memory/3904-225-0x00000000730E0000-0x0000000073890000-memory.dmp

Filesize
7.7MB

Download
memory/3916-0-0x0000000000960000-0x0000000000D68000-memory.dmp

Filesize
4.0MB

Download
memory/3916-13-0x0000000000960000-0x0000000000D68000-memory.dmp

Filesize
4.0MB

Download
memory/3916-1-0x0000000000960000-0x0000000000D68000-memory.dmp

Filesize
4.0MB

Download
memory/3916-2-0x0000000000960000-0x0000000000D68000-memory.dmp

Filesize
4.0MB

Download
memory/4000-187-0x00000000730E0000-0x0000000073890000-memory.dmp

Filesize
7.7MB

Download
memory/4000-197-0x0000000002590000-0x0000000004590000-memory.dmp

Filesize
32.0MB

Download
memory/4000-170-0x0000000002520000-0x0000000002582000-memory.dmp

Filesize
392KB

Download
memory/4000-172-0x0000000004A10000-0x0000000004A70000-memory.dmp

Filesize
384KB

Download
memory/4000-174-0x00000000730E0000-0x0000000073890000-memory.dmp

Filesize
7.7MB

Download
memory/4000-176-0x0000000004AD0000-0x0000000004AE0000-memory.dmp

Filesize
64KB

Download
memory/4000-180-0x0000000004AD0000-0x0000000004AE0000-memory.dmp

Filesize
64KB

Download
memory/4000-179-0x0000000004AD0000-0x0000000004AE0000-memory.dmp

Filesize
64KB

Download
memory/4372-78-0x0000000005450000-0x0000000005451000-memory.dmp

Filesize
4KB

Download
memory/4372-287-0x0000000000960000-0x0000000000EED000-memory.dmp

Filesize
5.6MB

Download
memory/4372-67-0x0000000005490000-0x0000000005491000-memory.dmp

Filesize
4KB

Download
memory/4372-80-0x00000000054B0000-0x00000000054B2000-memory.dmp

Filesize
8KB

Download
memory/4372-79-0x0000000005480000-0x0000000005481000-memory.dmp

Filesize
4KB

Download
memory/4372-219-0x0000000000960000-0x0000000000EED000-memory.dmp

Filesize
5.6MB

Download
memory/4372-283-0x0000000000960000-0x0000000000EED000-memory.dmp

Filesize
5.6MB

Download
memory/4372-64-0x0000000000960000-0x0000000000EED000-memory.dmp

Filesize
5.6MB

Download
memory/4372-465-0x0000000000960000-0x0000000000EED000-memory.dmp

Filesize
5.6MB

Download
memory/4372-66-0x0000000005440000-0x0000000005441000-memory.dmp

Filesize
4KB

Download
memory/4372-63-0x0000000005470000-0x0000000005471000-memory.dmp

Filesize
4KB

Download
memory/4372-77-0x0000000005420000-0x0000000005421000-memory.dmp

Filesize
4KB

Download
memory/4372-62-0x0000000005400000-0x0000000005401000-memory.dmp

Filesize
4KB

Download
memory/4372-58-0x0000000000960000-0x0000000000EED000-memory.dmp

Filesize
5.6MB

Download
memory/4372-65-0x00000000053F0000-0x00000000053F1000-memory.dmp

Filesize
4KB

Download
memory/4372-630-0x0000000000960000-0x0000000000EED000-memory.dmp

Filesize
5.6MB

Download
memory/4372-61-0x0000000005410000-0x0000000005411000-memory.dmp

Filesize
4KB

Download
memory/4372-60-0x0000000005430000-0x0000000005431000-memory.dmp

Filesize
4KB

Download
memory/4372-59-0x0000000077734000-0x0000000077736000-memory.dmp

Filesize
8KB

Download
memory/4436-608-0x00007FF672440000-0x00007FF672E7D000-memory.dmp

Filesize
10.2MB

Download
memory/4440-674-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/4440-181-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/4440-217-0x00000000730E0000-0x0000000073890000-memory.dmp

Filesize
7.7MB

Download
memory/4440-683-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/4440-681-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/4440-679-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/4440-186-0x0000000004FE0000-0x0000000004FEA000-memory.dmp

Filesize
40KB

Download
memory/4440-676-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/4440-221-0x0000000005260000-0x0000000005270000-memory.dmp

Filesize
64KB

Download
memory/4452-577-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4452-573-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4452-579-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4452-576-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4452-649-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4452-575-0x0000000001080000-0x00000000010A0000-memory.dmp

Filesize
128KB

Download
memory/4452-574-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4452-578-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4452-572-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4452-571-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4452-567-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4452-570-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4452-566-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4452-580-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4964-605-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download