dcrat | d2682ee0fe9e5bf429b7bea89d32cf417c3b684429dbff5e060b07e7335aaa76

Resubmissions

03-02-2024 11:37

240203-nrgycaaecm 10

02-02-2024 19:15

240202-xyamaaddb7 10

01-02-2024 20:32

240201-zbg4ysdgc7 10

01-02-2024 19:55

240201-ym4lnaddf5 10

Analysis

max time kernel
135s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
01-02-2024 20:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

6.3MB
MD5

c67cb967230036816fd0cbbfd96959c6
SHA1

d2fe988a302dce4bc0f34a1003a623f96a06b250
SHA256

d2682ee0fe9e5bf429b7bea89d32cf417c3b684429dbff5e060b07e7335aaa76
SHA512

2f51046e44bdfa470f676071c69da8c05d50d8f79e748748f25ac13ec53d346f1c3988148000fea3ece38623fd629d1b3dcc943006e80b7bee95da7f1f42920c
SSDEEP

196608:GHqO3grg0lAc4G+JCJjsP8BXkf/hmzJzFYngA13jvHKvj4:GHzCOc4G+oB0BmdFY31zq

Malware Config

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

stealc

http://185.172.128.79

Attributes

url_path
/3886d2276f6914c4.php

rc4.plain

Extracted

Family

smokeloader

Version

2022

http://trad-einmyus.com/index.php

http://tradein-myus.com/index.php

http://trade-inmyus.com/index.php

rc4.i32

Extracted

Family

djvu

http://habrafa.com/test1/get.php

Attributes

extension
.cdcc
offline_id
LBxKKiegnAy53rpqH3Pj2j46vwldiEt9kqHSuMt1
payload_url
http://brusuax.com/dl/build2.exe
http://habrafa.com/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-iVcrVFVRqu Price of private key and decrypt software is $1999. Discount 50% available if you contact us first 72 hours, that's price for you is $999. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: support@freshingmail.top Reserve e-mail address to contact us: datarestorehelpyou@airmail.cc Your personal ID: 0846ASdw

rsa_pubkey.plain

Signatures

DcRat 7 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

Processes:

file.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation	file.exe
1492	schtasks.exe
1096	schtasks.exe
5104	schtasks.exe
4972	schtasks.exe
1844	schtasks.exe
8052	schtasks.exe

Detected Djvu ransomware 7 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3896-369-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/3896-375-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/3896-367-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/3896-408-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/3492-433-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/3492-435-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/3492-437-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 10 IoCs

Processes:

resource	yara_rule
behavioral1/memory/756-42-0x0000000002EA0000-0x000000000378B000-memory.dmp	family_glupteba
behavioral1/memory/756-43-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/756-84-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/756-149-0x0000000002EA0000-0x000000000378B000-memory.dmp	family_glupteba
behavioral1/memory/756-168-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/1664-169-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/1664-241-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/1664-328-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/3428-428-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/3428-484-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

6CC2.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 6CC2.exe
Downloads MZ/PE file
Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

5068 netsh.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	6CC2.exe

pid	process
5068	netsh.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

6CC2.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	6CC2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	6CC2.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

nsk9F30.tmp2537.exeRegAsm.exefile.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation	nsk9F30.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation	2537.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation	file.exe

Drops startup file 1 IoCs

Processes:

RegAsm.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe RegAsm.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe	RegAsm.exe

Executes dropped EXE 23 IoCs

Processes:

d21cbe21e38b385a41a68c5e6dd32f4c.exeInstallSetup9.exetoolspub1.exeBroomSetup.exensk9F30.tmpd21cbe21e38b385a41a68c5e6dd32f4c.exe1047.execsrss.exe2537.exe2537.exe2537.exe2537.exeinjector.exe6677.exe6CC2.exewindefender.exewindefender.exe8106.exe8106.tmp8889.exeqtziroutine.exeqtziroutine.exeqemu-ga.exe

pid	process
756	d21cbe21e38b385a41a68c5e6dd32f4c.exe
3836	InstallSetup9.exe
1880	toolspub1.exe
4212	BroomSetup.exe
4376	nsk9F30.tmp
1664	d21cbe21e38b385a41a68c5e6dd32f4c.exe
964	1047.exe
3428	csrss.exe
5072	2537.exe
3896	2537.exe
4732	2537.exe
3492	2537.exe
5028	injector.exe
3752	6677.exe
2696	6CC2.exe
3656	windefender.exe
3284	windefender.exe
4652	8106.exe
3800	8106.tmp
1444	8889.exe
4072	qtziroutine.exe
4608	qtziroutine.exe
1824	qemu-ga.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

6CC2.exe

description ioc process

Key opened \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Software\Wine 6CC2.exe
Loads dropped DLL 8 IoCs

Processes:

InstallSetup9.exensk9F30.tmp8106.tmp

pid process

3836 InstallSetup9.exe
3836 InstallSetup9.exe
4376 nsk9F30.tmp
4376 nsk9F30.tmp
3836 InstallSetup9.exe
3800 8106.tmp
3800 8106.tmp
3800 8106.tmp
Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

3280 icacls.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Software\Wine	6CC2.exe

pid	process
3836	InstallSetup9.exe
3836	InstallSetup9.exe
4376	nsk9F30.tmp
4376	nsk9F30.tmp
3836	InstallSetup9.exe
3800	8106.tmp
3800	8106.tmp
3800	8106.tmp

pid	process
3280	icacls.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Windows\windefender.exe	upx
C:\Windows\windefender.exe	upx
behavioral1/memory/3656-519-0x0000000000400000-0x00000000008DF000-memory.dmp	upx

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

6CC2.exed21cbe21e38b385a41a68c5e6dd32f4c.exe2537.execsrss.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RageMP131 = "C:\\Users\\Admin\\AppData\\Local\\RageMP131\\RageMP131.exe"	6CC2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\1e0a46db-42a6-4336-a40b-a10ee77a5687\\2537.exe\" --AutoStart"	2537.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	csrss.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

110 ipinfo.io
112 ipinfo.io
51 api.2ip.ua
53 api.2ip.ua
Manipulates WinMonFS driver. 1 IoCs
Roottkits write to WinMonFS to hide directories/files from being detected.
rootkit evasion

Processes:

csrss.exe

description ioc process

File opened for modification \??\WinMonFS csrss.exe

flow	ioc
110	ipinfo.io
112	ipinfo.io
51	api.2ip.ua
53	api.2ip.ua

description	ioc	process
File opened for modification	\??\WinMonFS	csrss.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\jobA4PjuJqPjqak44K\gP3PmY07RTW1I0FdMLYE.exe	autoit_exe

Drops file in System32 directory 7 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

6CC2.exe

pid process

2696 6CC2.exe

pid	process
2696	6CC2.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

2537.exe2537.exe8889.exe

description	pid	process	target process
PID 5072 set thread context of 3896	5072	2537.exe	2537.exe
PID 4732 set thread context of 3492	4732	2537.exe	2537.exe
PID 1444 set thread context of 4816	1444	8889.exe	RegAsm.exe

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery
T1082

Processes:

d21cbe21e38b385a41a68c5e6dd32f4c.exe

description ioc process

File opened (read-only) \??\VBoxMiniRdrDN d21cbe21e38b385a41a68c5e6dd32f4c.exe

description	ioc	process
File opened (read-only)	\??\VBoxMiniRdrDN	d21cbe21e38b385a41a68c5e6dd32f4c.exe

Drops file in Windows directory 4 IoCs

Processes:

csrss.exed21cbe21e38b385a41a68c5e6dd32f4c.exe

description	ioc	process
File created	C:\Windows\windefender.exe	csrss.exe
File opened for modification	C:\Windows\windefender.exe	csrss.exe
File opened for modification	C:\Windows\rss	d21cbe21e38b385a41a68c5e6dd32f4c.exe
File created	C:\Windows\rss\csrss.exe	d21cbe21e38b385a41a68c5e6dd32f4c.exe

Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

4452 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
4452	sc.exe

Program crash 4 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
3940	4376	WerFault.exe	nsk9F30.tmp
2028	3492	WerFault.exe	2537.exe
3020	3752	WerFault.exe	6677.exe
6908	2696	WerFault.exe	6CC2.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

1047.exetoolspub1.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1047.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1047.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1047.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub1.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub1.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub1.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

nsk9F30.tmp

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	nsk9F30.tmp
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	nsk9F30.tmp

Creates scheduled task(s) 1 TTPs 6 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

1844 schtasks.exe
8052 schtasks.exe
1492 schtasks.exe
1096 schtasks.exe
5104 schtasks.exe
4972 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2700 timeout.exe

pid	process
1844	schtasks.exe
8052	schtasks.exe
1492	schtasks.exe
1096	schtasks.exe
5104	schtasks.exe
4972	schtasks.exe

pid	process
2700	timeout.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

powershell.exepowershell.exewindefender.exed21cbe21e38b385a41a68c5e6dd32f4c.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-231 = "Hawaiian Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-791 = "SA Western Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1841 = "Russia TZ 4 Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1872 = "Russia TZ 7 Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-391 = "Arab Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-661 = "Cen. Australia Daylight Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-502 = "Nepal Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-721 = "Central Pacific Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-671 = "AUS Eastern Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-532 = "Sri Lanka Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-622 = "Korea Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-91 = "Pacific SA Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2592 = "Tocantins Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-751 = "Tonga Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2001 = "Cabo Verde Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2371 = "Easter Island Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2841 = "Saratov Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-381 = "South Africa Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2612 = "Bougainville Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2062 = "North Korea Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-302 = "Romance Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-271 = "Greenwich Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-201 = "US Mountain Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2531 = "Chatham Islands Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-251 = "Dateline Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-42 = "E. South America Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-382 = "South Africa Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1971 = "Belarus Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1931 = "Russia TZ 11 Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-262 = "GMT Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2842 = "Saratov Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2141 = "Transbaikal Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-932 = "Coordinated Universal Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2041 = "Eastern Daylight Time (Mexico)"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1042 = "Ulaanbaatar Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-291 = "Central European Daylight Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-622 = "Korea Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-541 = "Myanmar Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1412 = "Syria Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

toolspub1.exepowershell.exe

pid	process
1880	toolspub1.exe
1880	toolspub1.exe
852	powershell.exe
3248
3248
3248
3248
3248
3248
3248
3248
3248
3248
3248
3248
852	powershell.exe
3248
3248
3248
3248
3248
3248
3248
3248
3248
3248
3248
3248
3248
3248
3248
3248
3248
3248
3248
3248
3248
3248
3248
3248
3248
3248
3248
3248
3248
3248
3248
3248
3248
3248
3248
3248
3248
3248
3248
3248
3248
3248
3248
3248
3248
3248
3248
3248

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

toolspub1.exe1047.exe

pid process

1880 toolspub1.exe
964 1047.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exed21cbe21e38b385a41a68c5e6dd32f4c.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.execsrss.exesc.exeRegAsm.exe

description	pid	process
Token: SeDebugPrivilege	852	powershell.exe
Token: SeShutdownPrivilege	3248
Token: SeCreatePagefilePrivilege	3248
Token: SeDebugPrivilege	756	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Token: SeImpersonatePrivilege	756	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Token: SeDebugPrivilege	1052	powershell.exe
Token: SeShutdownPrivilege	3248
Token: SeCreatePagefilePrivilege	3248
Token: SeShutdownPrivilege	3248
Token: SeCreatePagefilePrivilege	3248
Token: SeDebugPrivilege	4292	powershell.exe
Token: SeShutdownPrivilege	3248
Token: SeCreatePagefilePrivilege	3248
Token: SeShutdownPrivilege	3248
Token: SeCreatePagefilePrivilege	3248
Token: SeShutdownPrivilege	3248
Token: SeCreatePagefilePrivilege	3248
Token: SeDebugPrivilege	5024	powershell.exe
Token: SeShutdownPrivilege	3248
Token: SeCreatePagefilePrivilege	3248
Token: SeShutdownPrivilege	3248
Token: SeCreatePagefilePrivilege	3248
Token: SeShutdownPrivilege	3248
Token: SeCreatePagefilePrivilege	3248
Token: SeDebugPrivilege	3520	powershell.exe
Token: SeShutdownPrivilege	3248
Token: SeCreatePagefilePrivilege	3248
Token: SeShutdownPrivilege	3248
Token: SeCreatePagefilePrivilege	3248
Token: SeDebugPrivilege	724	powershell.exe
Token: SeShutdownPrivilege	3248
Token: SeCreatePagefilePrivilege	3248
Token: SeShutdownPrivilege	3248
Token: SeCreatePagefilePrivilege	3248
Token: SeDebugPrivilege	1812	powershell.exe
Token: SeShutdownPrivilege	3248
Token: SeCreatePagefilePrivilege	3248
Token: SeShutdownPrivilege	3248
Token: SeCreatePagefilePrivilege	3248
Token: SeSystemEnvironmentPrivilege	3428	csrss.exe
Token: SeShutdownPrivilege	3248
Token: SeCreatePagefilePrivilege	3248
Token: SeShutdownPrivilege	3248
Token: SeCreatePagefilePrivilege	3248
Token: SeSecurityPrivilege	4452	sc.exe
Token: SeSecurityPrivilege	4452	sc.exe
Token: SeShutdownPrivilege	3248
Token: SeCreatePagefilePrivilege	3248
Token: SeShutdownPrivilege	3248
Token: SeCreatePagefilePrivilege	3248
Token: SeShutdownPrivilege	3248
Token: SeCreatePagefilePrivilege	3248
Token: SeShutdownPrivilege	3248
Token: SeCreatePagefilePrivilege	3248
Token: SeShutdownPrivilege	3248
Token: SeCreatePagefilePrivilege	3248
Token: SeShutdownPrivilege	3248
Token: SeCreatePagefilePrivilege	3248
Token: SeShutdownPrivilege	3248
Token: SeCreatePagefilePrivilege	3248
Token: SeDebugPrivilege	4816	RegAsm.exe
Token: SeShutdownPrivilege	3248
Token: SeCreatePagefilePrivilege	3248
Token: SeShutdownPrivilege	3248

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

8106.tmp

pid process

3800 8106.tmp
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

BroomSetup.exe

pid process

4212 BroomSetup.exe

pid	process
3800	8106.tmp

pid	process
4212	BroomSetup.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

file.exeInstallSetup9.exeBroomSetup.execmd.exed21cbe21e38b385a41a68c5e6dd32f4c.exed21cbe21e38b385a41a68c5e6dd32f4c.execmd.exensk9F30.tmpcmd.execsrss.exe2537.exe

description	pid	process	target process
PID 3732 wrote to memory of 756	3732	file.exe	d21cbe21e38b385a41a68c5e6dd32f4c.exe
PID 3732 wrote to memory of 756	3732	file.exe	d21cbe21e38b385a41a68c5e6dd32f4c.exe
PID 3732 wrote to memory of 756	3732	file.exe	d21cbe21e38b385a41a68c5e6dd32f4c.exe
PID 3732 wrote to memory of 3836	3732	file.exe	InstallSetup9.exe
PID 3732 wrote to memory of 3836	3732	file.exe	InstallSetup9.exe
PID 3732 wrote to memory of 3836	3732	file.exe	InstallSetup9.exe
PID 3732 wrote to memory of 1880	3732	file.exe	toolspub1.exe
PID 3732 wrote to memory of 1880	3732	file.exe	toolspub1.exe
PID 3732 wrote to memory of 1880	3732	file.exe	toolspub1.exe
PID 3836 wrote to memory of 4212	3836	InstallSetup9.exe	BroomSetup.exe
PID 3836 wrote to memory of 4212	3836	InstallSetup9.exe	BroomSetup.exe
PID 3836 wrote to memory of 4212	3836	InstallSetup9.exe	BroomSetup.exe
PID 3836 wrote to memory of 4376	3836	InstallSetup9.exe	nsk9F30.tmp
PID 3836 wrote to memory of 4376	3836	InstallSetup9.exe	nsk9F30.tmp
PID 3836 wrote to memory of 4376	3836	InstallSetup9.exe	nsk9F30.tmp
PID 4212 wrote to memory of 2592	4212	BroomSetup.exe	cmd.exe
PID 4212 wrote to memory of 2592	4212	BroomSetup.exe	cmd.exe
PID 4212 wrote to memory of 2592	4212	BroomSetup.exe	cmd.exe
PID 2592 wrote to memory of 3640	2592	cmd.exe	chcp.com
PID 2592 wrote to memory of 3640	2592	cmd.exe	chcp.com
PID 2592 wrote to memory of 3640	2592	cmd.exe	chcp.com
PID 2592 wrote to memory of 1492	2592	cmd.exe	schtasks.exe
PID 2592 wrote to memory of 1492	2592	cmd.exe	schtasks.exe
PID 2592 wrote to memory of 1492	2592	cmd.exe	schtasks.exe
PID 756 wrote to memory of 852	756	d21cbe21e38b385a41a68c5e6dd32f4c.exe	powershell.exe
PID 756 wrote to memory of 852	756	d21cbe21e38b385a41a68c5e6dd32f4c.exe	powershell.exe
PID 756 wrote to memory of 852	756	d21cbe21e38b385a41a68c5e6dd32f4c.exe	powershell.exe
PID 1664 wrote to memory of 1052	1664	d21cbe21e38b385a41a68c5e6dd32f4c.exe	powershell.exe
PID 1664 wrote to memory of 1052	1664	d21cbe21e38b385a41a68c5e6dd32f4c.exe	powershell.exe
PID 1664 wrote to memory of 1052	1664	d21cbe21e38b385a41a68c5e6dd32f4c.exe	powershell.exe
PID 1664 wrote to memory of 1468	1664	d21cbe21e38b385a41a68c5e6dd32f4c.exe	cmd.exe
PID 1664 wrote to memory of 1468	1664	d21cbe21e38b385a41a68c5e6dd32f4c.exe	cmd.exe
PID 1468 wrote to memory of 5068	1468	cmd.exe	netsh.exe
PID 1468 wrote to memory of 5068	1468	cmd.exe	netsh.exe
PID 1664 wrote to memory of 4292	1664	d21cbe21e38b385a41a68c5e6dd32f4c.exe	powershell.exe
PID 1664 wrote to memory of 4292	1664	d21cbe21e38b385a41a68c5e6dd32f4c.exe	powershell.exe
PID 1664 wrote to memory of 4292	1664	d21cbe21e38b385a41a68c5e6dd32f4c.exe	powershell.exe
PID 4376 wrote to memory of 4780	4376	nsk9F30.tmp	cmd.exe
PID 4376 wrote to memory of 4780	4376	nsk9F30.tmp	cmd.exe
PID 4376 wrote to memory of 4780	4376	nsk9F30.tmp	cmd.exe
PID 4780 wrote to memory of 2700	4780	cmd.exe	timeout.exe
PID 4780 wrote to memory of 2700	4780	cmd.exe	timeout.exe
PID 4780 wrote to memory of 2700	4780	cmd.exe	timeout.exe
PID 1664 wrote to memory of 5024	1664	d21cbe21e38b385a41a68c5e6dd32f4c.exe	powershell.exe
PID 1664 wrote to memory of 5024	1664	d21cbe21e38b385a41a68c5e6dd32f4c.exe	powershell.exe
PID 1664 wrote to memory of 5024	1664	d21cbe21e38b385a41a68c5e6dd32f4c.exe	powershell.exe
PID 3248 wrote to memory of 964	3248		1047.exe
PID 3248 wrote to memory of 964	3248		1047.exe
PID 3248 wrote to memory of 964	3248		1047.exe
PID 1664 wrote to memory of 3428	1664	d21cbe21e38b385a41a68c5e6dd32f4c.exe	csrss.exe
PID 1664 wrote to memory of 3428	1664	d21cbe21e38b385a41a68c5e6dd32f4c.exe	csrss.exe
PID 1664 wrote to memory of 3428	1664	d21cbe21e38b385a41a68c5e6dd32f4c.exe	csrss.exe
PID 3428 wrote to memory of 3520	3428	csrss.exe	powershell.exe
PID 3428 wrote to memory of 3520	3428	csrss.exe	powershell.exe
PID 3428 wrote to memory of 3520	3428	csrss.exe	powershell.exe
PID 3248 wrote to memory of 5072	3248		2537.exe
PID 3248 wrote to memory of 5072	3248		2537.exe
PID 3248 wrote to memory of 5072	3248		2537.exe
PID 5072 wrote to memory of 3896	5072	2537.exe	2537.exe
PID 5072 wrote to memory of 3896	5072	2537.exe	2537.exe
PID 5072 wrote to memory of 3896	5072	2537.exe	2537.exe
PID 5072 wrote to memory of 3896	5072	2537.exe	2537.exe
PID 5072 wrote to memory of 3896	5072	2537.exe	2537.exe
PID 5072 wrote to memory of 3896	5072	2537.exe	2537.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- DcRat
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3732

C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe
"C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:756

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:852

C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe
"C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:1664

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1052

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
4⤵
- Suspicious use of WriteProcessMemory
PID:1468

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
5⤵
- Modifies Windows Firewall
PID:5068

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4292

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5024

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Manipulates WinMonFS driver.
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3428

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3520

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
5⤵
- DcRat
- Creates scheduled task(s)
PID:1096

C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
5⤵
PID:1080

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:724

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1812

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
5⤵
- Executes dropped EXE
PID:5028

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
5⤵
- DcRat
- Creates scheduled task(s)
PID:5104

C:\Windows\windefender.exe
"C:\Windows\windefender.exe"
5⤵
- Executes dropped EXE
PID:3656

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
6⤵
PID:4504

C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
7⤵
- Launches sc.exe
- Suspicious use of AdjustPrivilegeToken
PID:4452

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
"C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3836

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4212

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
4⤵
- Suspicious use of WriteProcessMemory
PID:2592

C:\Windows\SysWOW64\chcp.com
chcp 1251
5⤵
PID:3640

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
5⤵
- DcRat
- Creates scheduled task(s)
PID:1492

C:\Users\Admin\AppData\Local\Temp\nsk9F30.tmp
C:\Users\Admin\AppData\Local\Temp\nsk9F30.tmp
3⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:4376

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\nsk9F30.tmp" & del "C:\ProgramData\*.dll"" & exit
4⤵
- Suspicious use of WriteProcessMemory
PID:4780

C:\Windows\SysWOW64\timeout.exe
timeout /t 5
5⤵
- Delays execution with timeout.exe
PID:2700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4376 -s 2620
4⤵
- Program crash
PID:3940

C:\Users\Admin\AppData\Local\Temp\toolspub1.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub1.exe"
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4376 -ip 4376
1⤵
PID:1164

C:\Users\Admin\AppData\Local\Temp\1047.exe
C:\Users\Admin\AppData\Local\Temp\1047.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:964

C:\Users\Admin\AppData\Local\Temp\2537.exe
C:\Users\Admin\AppData\Local\Temp\2537.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:5072

C:\Users\Admin\AppData\Local\Temp\2537.exe
C:\Users\Admin\AppData\Local\Temp\2537.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
PID:3896

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\1e0a46db-42a6-4336-a40b-a10ee77a5687" /deny *S-1-1-0:(OI)(CI)(DE,DC)
3⤵
- Modifies file permissions
PID:3280

C:\Users\Admin\AppData\Local\Temp\2537.exe
"C:\Users\Admin\AppData\Local\Temp\2537.exe" --Admin IsNotAutoStart IsNotTask
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4732

C:\Users\Admin\AppData\Local\Temp\2537.exe
"C:\Users\Admin\AppData\Local\Temp\2537.exe" --Admin IsNotAutoStart IsNotTask
4⤵
- Executes dropped EXE
PID:3492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3492 -s 568
5⤵
- Program crash
PID:2028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3492 -ip 3492
1⤵
PID:1588

C:\Users\Admin\AppData\Local\Temp\6677.exe
C:\Users\Admin\AppData\Local\Temp\6677.exe
1⤵
- Executes dropped EXE
PID:3752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3752 -s 1064
2⤵
- Program crash
PID:3020

C:\Users\Admin\AppData\Local\Temp\6CC2.exe
C:\Users\Admin\AppData\Local\Temp\6CC2.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2696

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
2⤵
- DcRat
- Creates scheduled task(s)
PID:4972

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
2⤵
- DcRat
- Creates scheduled task(s)
PID:1844

C:\Users\Admin\AppData\Local\Temp\jobA4PjuJqPjqak44K\gP3PmY07RTW1I0FdMLYE.exe
"C:\Users\Admin\AppData\Local\Temp\jobA4PjuJqPjqak44K\gP3PmY07RTW1I0FdMLYE.exe"
2⤵
PID:2320

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/account
3⤵
PID:4408

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffe1bf046f8,0x7ffe1bf04708,0x7ffe1bf04718
4⤵
PID:3608

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2232,8753032032459304558,7881276627745347694,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2568 /prefetch:8
4⤵
PID:5228

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2232,8753032032459304558,7881276627745347694,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2296 /prefetch:3
4⤵
PID:5216

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2232,8753032032459304558,7881276627745347694,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2244 /prefetch:2
4⤵
PID:5208

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,8753032032459304558,7881276627745347694,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
4⤵
PID:5468

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,8753032032459304558,7881276627745347694,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3216 /prefetch:1
4⤵
PID:5604

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,8753032032459304558,7881276627745347694,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3880 /prefetch:1
4⤵
PID:5616

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,8753032032459304558,7881276627745347694,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4088 /prefetch:1
4⤵
PID:6256

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,8753032032459304558,7881276627745347694,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2004 /prefetch:1
4⤵
PID:6064

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,8753032032459304558,7881276627745347694,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5144 /prefetch:1
4⤵
PID:6588

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,8753032032459304558,7881276627745347694,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5024 /prefetch:1
4⤵
PID:6688

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,8753032032459304558,7881276627745347694,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5620 /prefetch:1
4⤵
PID:7400

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,8753032032459304558,7881276627745347694,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5584 /prefetch:1
4⤵
PID:7328

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,8753032032459304558,7881276627745347694,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5968 /prefetch:1
4⤵
PID:7864

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,8753032032459304558,7881276627745347694,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6124 /prefetch:1
4⤵
PID:8008

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,8753032032459304558,7881276627745347694,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6364 /prefetch:1
4⤵
PID:9204

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,8753032032459304558,7881276627745347694,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6392 /prefetch:1
4⤵
PID:1932

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,8753032032459304558,7881276627745347694,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6804 /prefetch:1
4⤵
PID:1920

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,8753032032459304558,7881276627745347694,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6776 /prefetch:1
4⤵
PID:7140

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/video
3⤵
PID:1376

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe1bf046f8,0x7ffe1bf04708,0x7ffe1bf04718
4⤵
PID:1564

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2044,6386269012381198080,14327272191921697289,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2396 /prefetch:3
4⤵
PID:6132

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2044,6386269012381198080,14327272191921697289,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2056 /prefetch:2
4⤵
PID:6120

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
3⤵
PID:2688

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffe1bf046f8,0x7ffe1bf04708,0x7ffe1bf04718
4⤵
PID:3224

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1464,8136608688517273721,13943816652047524044,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2112 /prefetch:3
4⤵
PID:7032

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://www.facebook.com/video
3⤵
PID:2028

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffe1bf046f8,0x7ffe1bf04708,0x7ffe1bf04718
4⤵
PID:4900

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1456,4484123762915112001,18343923113287615284,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2104 /prefetch:3
4⤵
PID:6916

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://www.youtube.com/account
3⤵
PID:1756

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffe1bf046f8,0x7ffe1bf04708,0x7ffe1bf04718
4⤵
PID:964

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1448,415106244735126153,1881515996422979950,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 /prefetch:3
4⤵
PID:2800

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://accounts.google.com
3⤵
PID:4436

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffe1bf046f8,0x7ffe1bf04708,0x7ffe1bf04718
4⤵
PID:4324

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
3⤵
PID:2212

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffe2a919758,0x7ffe2a919768,0x7ffe2a919778
4⤵
PID:3876

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1944 --field-trial-handle=1996,i,4706533941301991636,4875268778398185858,131072 /prefetch:8
4⤵
PID:8036

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1792 --field-trial-handle=1996,i,4706533941301991636,4875268778398185858,131072 /prefetch:2
4⤵
PID:8028

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.facebook.com/video
3⤵
PID:3940

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffe2a919758,0x7ffe2a919768,0x7ffe2a919778
4⤵
PID:608

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3256 --field-trial-handle=1980,i,3053670067417672264,2581173791111338246,131072 /prefetch:1
4⤵
PID:8132

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3700 --field-trial-handle=1980,i,3053670067417672264,2581173791111338246,131072 /prefetch:1
4⤵
PID:3456

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3284 --field-trial-handle=1980,i,3053670067417672264,2581173791111338246,131072 /prefetch:1
4⤵
PID:8140

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2192 --field-trial-handle=1980,i,3053670067417672264,2581173791111338246,131072 /prefetch:8
4⤵
PID:7936

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1876 --field-trial-handle=1980,i,3053670067417672264,2581173791111338246,131072 /prefetch:8
4⤵
PID:7880

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1644 --field-trial-handle=1980,i,3053670067417672264,2581173791111338246,131072 /prefetch:2
4⤵
PID:7872

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4548 --field-trial-handle=1980,i,3053670067417672264,2581173791111338246,131072 /prefetch:1
4⤵
PID:8360

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=3768 --field-trial-handle=1980,i,3053670067417672264,2581173791111338246,131072 /prefetch:1
4⤵
PID:8544

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=5016 --field-trial-handle=1980,i,3053670067417672264,2581173791111338246,131072 /prefetch:1
4⤵
PID:9192

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4056 --field-trial-handle=1980,i,3053670067417672264,2581173791111338246,131072 /prefetch:8
4⤵
PID:8852

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4988 --field-trial-handle=1980,i,3053670067417672264,2581173791111338246,131072 /prefetch:8
4⤵
PID:8496

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" https://accounts.google.com
3⤵
PID:1484

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1932 --field-trial-handle=1968,i,13824393842608059064,2663638799100439603,131072 /prefetch:8
4⤵
PID:8420

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1808 --field-trial-handle=1968,i,13824393842608059064,2663638799100439603,131072 /prefetch:2
4⤵
PID:8412

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
3⤵
PID:5292

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
4⤵
PID:5628

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5628.0.1127155728\914212863" -parentBuildID 20221007134813 -prefsHandle 1712 -prefMapHandle 1704 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {83bbe741-794f-4333-832a-fd128fbab171} 5628 "\\.\pipe\gecko-crash-server-pipe.5628" 1800 1fccd7d9258 gpu
5⤵
PID:6980

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5628.1.781781381\302888816" -parentBuildID 20221007134813 -prefsHandle 2296 -prefMapHandle 2292 -prefsLen 21565 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5833810a-f919-44fa-85c0-f599322f762c} 5628 "\\.\pipe\gecko-crash-server-pipe.5628" 2316 1fccd2e5058 socket
5⤵
PID:6032

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5628.2.135783055\544103455" -childID 1 -isForBrowser -prefsHandle 3320 -prefMapHandle 3316 -prefsLen 21668 -prefMapSize 233444 -jsInitHandle 892 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f5660886-a05d-44b0-ab3f-e3237ae5094c} 5628 "\\.\pipe\gecko-crash-server-pipe.5628" 3332 1fcd0e35858 tab
5⤵
PID:7740

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5628.3.361424096\247863199" -childID 2 -isForBrowser -prefsHandle 2924 -prefMapHandle 2900 -prefsLen 21766 -prefMapSize 233444 -jsInitHandle 892 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0794d9f7-2071-4289-88e4-921de2cf33e3} 5628 "\\.\pipe\gecko-crash-server-pipe.5628" 2948 1fcd2685a58 tab
5⤵
PID:8376

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5628.4.119617318\1134945627" -childID 3 -isForBrowser -prefsHandle 3984 -prefMapHandle 3980 -prefsLen 21766 -prefMapSize 233444 -jsInitHandle 892 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {950a4b3b-7a25-43f7-ab33-92438fd0e647} 5628 "\\.\pipe\gecko-crash-server-pipe.5628" 3988 1fcd2686658 tab
5⤵
PID:8580

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5628.5.1297031389\534757429" -childID 4 -isForBrowser -prefsHandle 4364 -prefMapHandle 4360 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 892 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {82253445-1f45-4f10-b1eb-caab0b525b62} 5628 "\\.\pipe\gecko-crash-server-pipe.5628" 4404 1fcc1967558 tab
5⤵
PID:9100

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.facebook.com/video
3⤵
PID:6016

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.facebook.com/video
4⤵
PID:6088

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com
3⤵
PID:6000

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com
4⤵
PID:6108

C:\Users\Admin\AppData\Local\Temp\jobA4PjuJqPjqak44K\7c8nbjOZdhoa8okHNJ7N.exe
"C:\Users\Admin\AppData\Local\Temp\jobA4PjuJqPjqak44K\7c8nbjOZdhoa8okHNJ7N.exe"
2⤵
PID:4872

C:\Users\Admin\AppData\Local\Temp\jobA4PjuJqPjqak44K\04eslg3A_7p0BmZynWhm.exe
"C:\Users\Admin\AppData\Local\Temp\jobA4PjuJqPjqak44K\04eslg3A_7p0BmZynWhm.exe"
2⤵
PID:4356

C:\Users\Admin\AppData\Local\Temp\jobA4PjuJqPjqak44K\cn7CjuUUyShLpLwTBBMR.exe
"C:\Users\Admin\AppData\Local\Temp\jobA4PjuJqPjqak44K\cn7CjuUUyShLpLwTBBMR.exe"
2⤵
PID:4720

C:\Users\Admin\AppData\Local\Temp\jobA4PjuJqPjqak44K\vZ46aqGy12i5cqiGaBQi.exe
"C:\Users\Admin\AppData\Local\Temp\jobA4PjuJqPjqak44K\vZ46aqGy12i5cqiGaBQi.exe"
2⤵
PID:3860

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
"C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe"
3⤵
PID:7108

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explorhe.exe /TR "C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe" /F
4⤵
- DcRat
- Creates scheduled task(s)
PID:8052

C:\Users\Admin\AppData\Local\Temp\1000813001\lada.exe
"C:\Users\Admin\AppData\Local\Temp\1000813001\lada.exe"
4⤵
PID:5132

C:\Users\Admin\AppData\Local\Temp\1000817001\leg221.exe
"C:\Users\Admin\AppData\Local\Temp\1000817001\leg221.exe"
4⤵
PID:6016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2696 -s 2320
2⤵
- Program crash
PID:6908

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:3284

C:\Users\Admin\AppData\Local\Temp\8106.exe
C:\Users\Admin\AppData\Local\Temp\8106.exe
1⤵
- Executes dropped EXE
PID:4652

C:\Users\Admin\AppData\Local\Temp\is-ROEAP.tmp\8106.tmp
"C:\Users\Admin\AppData\Local\Temp\is-ROEAP.tmp\8106.tmp" /SL5="$11006A,7069030,54272,C:\Users\Admin\AppData\Local\Temp\8106.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
PID:3800

C:\Users\Admin\AppData\Local\QT Zoneinfo Routine\qtziroutine.exe
"C:\Users\Admin\AppData\Local\QT Zoneinfo Routine\qtziroutine.exe" -i
3⤵
- Executes dropped EXE
PID:4072

C:\Users\Admin\AppData\Local\QT Zoneinfo Routine\qtziroutine.exe
"C:\Users\Admin\AppData\Local\QT Zoneinfo Routine\qtziroutine.exe" -s
3⤵
- Executes dropped EXE
PID:4608

C:\Users\Admin\AppData\Local\Temp\8889.exe
C:\Users\Admin\AppData\Local\Temp\8889.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1444

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- Checks computer location settings
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
PID:4816

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe"
3⤵
- Executes dropped EXE
PID:1824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3752 -ip 3752
1⤵
PID:4824

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
PID:2496

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /1
2⤵
PID:3752

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe2a919758,0x7ffe2a919768,0x7ffe2a919778
1⤵
PID:5200

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2696 -ip 2696
1⤵
PID:6272

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6344

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6444

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:7488

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
1⤵
PID:8204

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Are.docx
Filesize
11KB

MD5
a33e5b189842c5867f46566bdbf7a095

SHA1
e1c06359f6a76da90d19e8fd95e79c832edb3196

SHA256
5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454

SHA512
f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

Download Submit
C:\ProgramData\DeliveryStatusFields_68\DeliveryStatusFields_68.exe
Filesize
2.4MB

MD5
7ed67c3dde471fec78c0dc5cd0cac64b

SHA1
bcd498c973b2552483e167b3434d441a139b2192

SHA256
61bb39e15be7a6794ca8bf48d07015290beff01d47f8c70a3ed84689d26750ea

SHA512
588afc9c4279eeb2ce6ea2908354bcf367ceb7373d24340653b94e36f4187e85f9803c8a32c565587718571d73cf717ab580191cae754db60f3a3ff57de3a442

Download Submit
C:\ProgramData\mozglue.dll
Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\nss3.dll
Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
Filesize
40B

MD5
88979a1699fde16b4c698f9cd10ee87e

SHA1
8a61fb3cde8d379bb8a461a7be8dc2e93b5ad2f4

SHA256
d147732816cd1a5a493235680728ef3dd4fb9be1713d565f63d72c0cdbf1a898

SHA512
fe0de028e0285c3dd5c4e37be64c6a5985ead36423345de1eeb6d3f5d961a3a811e14878e9d3c42de87744be3b5ed32d07a78e78ce5b0eca4edcb6d84333e3bd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
4bec008f72b6f23f5f2c9f66adbb1e69

SHA1
f80bf7909c625b075a3c80c60908814831887c44

SHA256
4a1aa0870f828f3e4c207f1eb08928a9070ff34964e993de13ac5168fe265e77

SHA512
7616b6440c9ce19f8ce4f679333c077c1a3d49956dd1c5b4db811288a518a9913f5c93734ad8d6d36b444c50f4cabfb0861426c6b04413c0e9840b6e3798be62

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
231KB

MD5
45ae10a2854f23c511a90824db6e9da7

SHA1
b38f88ddc3cfd3cc87e7cbd79081c11f9a4fe7c2

SHA256
0524f39e7553bcd1f429a22ab16cbb07b61fa80f4e93fac288cd03dde1a78b77

SHA512
08186cd22150db08048cd457284b0c721915961da380cf5c614d9a031e205bf848cdba271e6e8de3e27a942f3898b21ba0ba55f16522ad0aff1b4809210d0468

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
114KB

MD5
e9bb41ab1e8ec455e41624178e2cc1cd

SHA1
08d95a6335f18ee245128e6285838e955b9a847e

SHA256
941bc759f6ff26d7e93e9880404c98fed1ee90b4eeaca74dae05b3c7f33e9f51

SHA512
64c50ca7316ff5749822e0256db3aeff20df78f0b0908cb72fd7140e22c4bb0ed458ce5b9dbc3155b8e57164378656695333b79a14b0b3d97f01df715d90bda8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
114KB

MD5
f6acb156b9bc3d65a79b43f54e3a04c8

SHA1
16738b298f4b46c0df850f06751cab93184c16a3

SHA256
9ae62422e870703432958679a13e9639bf872982849f9a03650d8d99d29a3bfe

SHA512
37851e9666c62a26c55290956902b28ebdd989120d2965c319e6b6e4c65ebf2a39faaf297e14ae65b8efda31e7e3117522be6686da628158d12253f677a89a9a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
011193d03a2492ca44f9a78bdfb8caa5

SHA1
71c9ead344657b55b635898851385b5de45c7604

SHA256
d21f642fdbc0f194081ffdd6a3d51b2781daef229ae6ba54c336156825b247a0

SHA512
239c7d603721c694b7902996ba576c9d56acddca4e2e7bbe500039d26d0c6edafbbdc2d9f326f01d71e162872d6ff3247366481828e0659703507878ed3dd210

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
7KB

MD5
b281a92708bb89c32ae0438a32c99a38

SHA1
39857562b5fa0b3d466c1ab16b77105ce9c46196

SHA256
46610193ebc49f21f2fe7a6409ca137e57edff2765ed4d4a5f67dad3e2092278

SHA512
33c9a8fc92693f38551cbdab0de5e3c22613158651c404502c13ffc58c48a865c2e1e74f8586f32fb1d6eb5f6f1457aa3f0102ea9de8aba4a49dd62fececf5e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
e872165f1806b3285e2c2cfeb9787d4e

SHA1
b3cf477542e75768af4b537c5d89cfea638c73ad

SHA256
dbb532c705b2e6899fc49659d9ddcbf8c157892dd9a6d22c3937575fa231345e

SHA512
6cc671627867c98232609f746f0c886c2ef627f076a9785e90675ed5cebac5b012280859200d97f9e72f9cf931177890ec43f04b0f7d159b7bddd992641d82a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
Filesize
24KB

MD5
f5b764fa779a5880b1fbe26496fe2448

SHA1
aa46339e9208e7218fb66b15e62324eb1c0722e8

SHA256
97de05bd79a3fd624c0d06f4cb63c244b20a035308ab249a5ef3e503a9338f3d

SHA512
5bfc27e6164bcd0e42cd9aec04ba6bf3a82113ba4ad85aa5d34a550266e20ea6a6e55550ae669af4c2091319e505e1309d27b7c50269c157da0f004d246fe745

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
10KB

MD5
4bae8c49d5af55f593f60bd9dff23d0a

SHA1
899a77656e246448b80e44ed32681cf4c7dbdf9c

SHA256
f981631c26644ca5273f3c0112e09ed7494332cc516838d7bb6f7e3c5045804f

SHA512
dfb919a3f5fc6f5471b1eab90ed8dcf740f78c3a57f9d13b6618432befdbb5de7acd8a04e109c1069f587510b7c0426690fac4fbf3ad10b271e14724782f3e96

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
f29971ec37d789cbf52e3c85f793aca3

SHA1
f448452a8546f9511c9ada76557d31a7ea37e53f

SHA256
bf2a1d1db3ce641d99f3fbbc42b2308709b3b637c81d9cdb3fb6a6cc4362cf20

SHA512
cf038da5761616bedf46cb6ec25033da5d39156fe401cb0149c2d91e805e1b6c2265ac5360fdff8645bf1e27e05fec0d73aacde00cd587f486a3df233ad70b12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
aaa7c715f44c0ecf50ff07c0b352d83f

SHA1
6edb2ae7a1c06fbaa1b7423fa667d972786dd3fa

SHA256
ef53621ee514a05d7cc47cf86ca1ffb234cb79f13144b2d32f98e7c090ae698f

SHA512
27401f3cceb2debe4c8f4cc5ac449f8fe434c88b8e0bc707f3dd22f34f5e48b63637316a1196a3cd5e9d6fbf66d4c59339a85c8c24a6e84fabebe2ac18b3a88b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
53f150c62651db714193b86cb2e08375

SHA1
a2f6d24856930b08de61ce7cf7d77ca43c1513c8

SHA256
30e59ee21804958da430e17a4e75d1544ec57fae4594730dde43ba389d5b85ca

SHA512
bf632fe79bfd5b510ceacc6de927c7444e5c91a493a7e9e5d7a5c8031d6965ca7e0cfda316dd85f2857f9f5a1f2ce841c9e17e26b6d53c964b5ef885066af677

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
30cfa6d6a9b0058d01c2056a58ba12c1

SHA1
70d9385b6a844750d5c189d8fed38f7179c7df07

SHA256
d2c6e304ec16a2eae4d6322667b2de15b3e9f883bcbc34335b0ac906e0d419ba

SHA512
e6b795713e2e737cb9eceebd25f0365f0fa1e9a94fa6954391b4818b33e3eb3528929382c00c4cf586a8fe379c27448fbdfa323f0bc7e8f8aaa00db30e80b742

Download Submit
C:\Users\Admin\AppData\Local\QT Zoneinfo Routine\qtziroutine.exe
Filesize
1.9MB

MD5
da519a5801bec1b2503c0d8e022d3048

SHA1
0961227f14eaf759a214af94c682e57fe9288d09

SHA256
10916a0a1e2a19603ef0285a099d376095ee128f436ecaba0c8f150ba0903b3f

SHA512
8e3e1c8ec4f61fa45809a9578201a651e90f6606e0300c8a89457d029f3d3c2ff755f9befacfb3dea1ee89c17493bc402ac690be512b63fb1ebd8382638dddfc

Download Submit
C:\Users\Admin\AppData\Local\QT Zoneinfo Routine\qtziroutine.exe
Filesize
1.6MB

MD5
321224257ef780d24db2316ac2ad8e5e

SHA1
17a2f184319f4ec6dadbd4d4881caa291686d628

SHA256
a15504a75703f7d2ef1651ba21f01ad2379e61a0093d2be4798684df0c42d73b

SHA512
807221b0e713e54baea954f85f45aa0299219004328d0bd9a435035b7d89cf1d2e96c67288ed4dd0d40672582ca2969be23b6e820e9766ba60e097ae82b09498

Download Submit
C:\Users\Admin\AppData\Local\QT Zoneinfo Routine\qtziroutine.exe
Filesize
1.7MB

MD5
dc06533ccbd772ca3842ee68602f59e1

SHA1
c6815a171cb1842736920a18f62c2608980c44d4

SHA256
086f0e33cfe7c730eefa6c7d7f028f26995cf9c941e5b0db0b618bdd18d53682

SHA512
4f90577e2d900f9296d2c9e5845ff885e07db9c55af9cbc5d1714e8b412bb53238a5f3b02232a648f783084dd9a9c5e45931ef96700428fec674557917876e9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000817001\leg221.exe
Filesize
292KB

MD5
d177caf6762f5eb7e63e33d19c854089

SHA1
f25cf817e3272302c2b319cedf075cb69e8c1670

SHA256
4296e28124f0def71c811d4b21284c5d4e1a068484db03aeae56f536c89976c0

SHA512
9d0e67e35dac6ad8222e7c391f75dee4e28f69c29714905b36a63cf5c067d31840aaf30e79cfc7b56187dc9817a870652113655bec465c1995d2a49aa276de25

Download Submit
C:\Users\Admin\AppData\Local\Temp\1047.exe
Filesize
171KB

MD5
857fdde6b83fa03775ec6b64e7463c83

SHA1
1e34cace8f18d4bc6f295229ae368530a5265d69

SHA256
d2072a1af4a4ddbc05bdced2be76cdd8f3c4fd9fed080d624773920992439f20

SHA512
34708c85d72ad7a5df673c659951ba21824ecb87ba7fb5170eac6a6ecd1c9eaa929e7fb940e5e04e74511168a95e94e671c682ce14d782326e45c8be82f9223e

Download Submit
C:\Users\Admin\AppData\Local\Temp\2537.exe
Filesize
673KB

MD5
9fc34dcafed73fc09be82efc142cac05

SHA1
c214a16b182824f24f78141966d03fdc22e7e71d

SHA256
5fadf7a646b502afae7c751b3a2438acfc8011f35f6a5aa06977166545c1ce60

SHA512
77a1fc103f4b44f49583e74ce799198d1e6b0c173cda3e35bd023ff491a9a153afc5d0ed96e07fcd9b229e9f0c6ef5a48ad1677e962a9f706340067316df8638

Download Submit
C:\Users\Admin\AppData\Local\Temp\6677.exe
Filesize
5.6MB

MD5
978adeacb862253023f9c296c12ea083

SHA1
576fc339b8437045c2a34e568f2aae67f720d333

SHA256
4c917b7d4291d22d757f2bb707513c6e85c51fd268f1518eeba92128b1a0d673

SHA512
6b5049e46235b2d0d7d29fdef1f6977f03b670a822cc200dbb634352894b702624fb201b795e135d4b72e5c6456c24c8fae16a37d8454cdcf86fd25e85205561

Download Submit
C:\Users\Admin\AppData\Local\Temp\6677.exe
Filesize
3.4MB

MD5
dec8fa087fb836823a2a56a4219289c5

SHA1
93a7e9972f535f19fa267a31875f25a216a096b8

SHA256
b21ef0787aab7a15d5325c9b1e32605b6cc3ecdfb1db576b7f99a44f050e4784

SHA512
f39304f00c501871df4598e4256e73ea7d250b318197b14ebf9409c8091dd7f18cb0abc85bf55c9515f53e31bbccf15894704458e5c04db2eb603dee3791473a

Download Submit
C:\Users\Admin\AppData\Local\Temp\6CC2.exe
Filesize
2.2MB

MD5
179c131b5d127555c6306e61bb6b402e

SHA1
20d4b6248f38c0bea78a460bdb2bb7ceb7b60414

SHA256
41149d8dc8f71a95243748a57945967406f9fc2929f59ca78dcc5ed7c4b8f021

SHA512
c77c2f695613e864d291e95dedac0a4b9bb93c42b8723b76753eab8b43b5f76d6dc69c85632edb5c58a4533a082fee324a099e47cb6f031d9747341fe38f6097

Download Submit
C:\Users\Admin\AppData\Local\Temp\8106.exe
Filesize
7.0MB

MD5
f652a7ed544d1fdee0c38cd0b43bd593

SHA1
31fa965e39ef6762c2065c13812c4b7a6dbc5a7e

SHA256
251dc20962f6f250ccd72f7bfa8e685ae432213dace54d6b0f045cceebad6bc1

SHA512
31c1d94732d53e9081d2d5aac01cabcb11858b1717303d862c171e7bc4b7bafe251fe616da6a179a46673d9fc7221012da7571504dab3a3ffff9b825375bc030

Download Submit
C:\Users\Admin\AppData\Local\Temp\8889.exe
Filesize
585KB

MD5
455af7b85c5f2f4f7bd03fccc9f38ffe

SHA1
f415c96afd3a66644da6b374ac1dd721d88a472c

SHA256
cb341f04a9d035bac65c5c7538733c06c23a26543dbe64cc6e8a9d9ccd7859e6

SHA512
17f95f98841d72b0eca1ebe51b6a91da86d8d9541721296891a782527e32b52cf374917da40ffb62cf62d49d8a125595967dd7e1e07584e1387116ddd0078d82

Download Submit
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
Filesize
4.7MB

MD5
5e94f0f6265f9e8b2f706f1d46bbd39e

SHA1
d0189cba430f5eea07efe1ab4f89adf5ae2453db

SHA256
50a46b3120da828502ef0caba15defbad004a3adb88e6eacf1f9604572e2d503

SHA512
473dfa66a36feed9b29a43245074141478327ce22ba7cce512599379dcb783b4d665e2d65c5e9750b988c7ed8f6c3349a7a12d4b8b57c89840eee6ca6e1a30cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
Filesize
320KB

MD5
83419631e3dc1121aae27f8840fdd0fa

SHA1
5490d9440ebf359adadd6aa7d8d0fb913aeb289c

SHA256
82256de24d393f3f09d050e0babc5527a1d86050950e2137053b8cdbc9d90698

SHA512
19c40701c7fd534d89e30245bdff9a90791004b0a7913af44d4ea558e9e279279076ed4aff18044c8cdaa690c49e025cd3936b53db7ae7f48a0cabcb37154461

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
Filesize
2.0MB

MD5
c7dfcf13b0dc4dd685114a6a2f0233ac

SHA1
ade01a01ce38e49de0136340333aa26f92a6f43f

SHA256
3786f3f45f703b7faa2b971ac1d9cddfa14115b1926a874a294809bf747355dc

SHA512
ff5769daa32508b261d807eaa2a70ff5e942f02b1903523d6cc280ce8c07c0bc58dcc2e555e5d24ddf240570da5f821ba01540904350804dea6eafa7131f9d29

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rxzyykwk.4e2.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
Filesize
99KB

MD5
09031a062610d77d685c9934318b4170

SHA1
880f744184e7774f3d14c1bb857e21cc7fe89a6d

SHA256
778bd69af403df3c4e074c31b3850d71bf0e64524bea4272a802ca9520b379dd

SHA512
9a276e1f0f55d35f2bf38eb093464f7065bdd30a660e6d1c62eed5e76d1fb2201567b89d9ae65d2d89dc99b142159e36fb73be8d5e08252a975d50544a7cda27

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
Filesize
281KB

MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe
Filesize
4.1MB

MD5
0f396cc0dba8c2ef01e51ffa06bd2f93

SHA1
05bab98b65b1211b1207936f9e23626c7fd4eeee

SHA256
17dfd514df0d171e7d96202740cdb98cc71444c580f5b317712b58bc8e74be1a

SHA512
4685fb04d756177b28c9b8dd7cac28503d68d72d205869d25d2d8cacc50a2b9c973d2194942f5de1bd4e43e2d543904b0667c57dc9000eb2c1c43bbd47217128

Download Submit
C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe
Filesize
2.4MB

MD5
b3315592f1d7b97248aa4d34f406a801

SHA1
685ab18b40d10428fae6aa6c2b7cadd53c8746d1

SHA256
e9016a905a7869718e26ede571fdf9617daf64bb69c5dbf70dfdf738f2964c4e

SHA512
e9e10af3d15761c0cac66aee23693086e87de9a8bfd6559e2f5b90fa5a685c3a8652a98b247f1806efb4740547d0b5fdc902708a1dc910e3862c87963d676357

Download Submit
C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe
Filesize
1024KB

MD5
26163cdd7dd84adf5dc65d4de08b8a03

SHA1
477b432f46c99678f4894ae4735f5ffb8b7e748a

SHA256
bbf29918a50ec41e029399a2b1795f74d1fce41fff71cda3005bd6429cc1e888

SHA512
dadfe93ed03dc2f80020cf62ab11a6e81c5d7097d7a01ceb299109c86ea987f88d6b8ad9fd1b7ccba7c3785b31378c788807761cd5bf7b5af5e5b0703a9f4cb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-J3K0O.tmp\_isetup\_iscrypt.dll
Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-J3K0O.tmp\_isetup\_isdecmp.dll
Filesize
19KB

MD5
3adaa386b671c2df3bae5b39dc093008

SHA1
067cf95fbdb922d81db58432c46930f86d23dded

SHA256
71cd2f5bc6e13b8349a7c98697c6d2e3fcdeea92699cedd591875bea869fae38

SHA512
bbe4187758d1a69f75a8cca6b3184e0c20cf8701b16531b55ed4987497934b3c9ef66ecd5e6b83c7357f69734f1c8301b9f82f0a024bb693b732a2d5760fd303

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-ROEAP.tmp\8106.tmp
Filesize
692KB

MD5
558517932afff8def7d6c9e9a2a51668

SHA1
69f1830a41bf3c5f9d3e578b85071d05faefc934

SHA256
464ff8248e06554c0d76b162e9c10968648013091c93869b3c93be6d086b632e

SHA512
d23badd9d1dd0bbb370fdb4f46dca6ebf176d42f126d7ebf751f25498a047eda3f1c0e6fd93fcfaba0df29b177961201ab869cf0e14e2f360da47e7a756d69db

Download Submit
C:\Users\Admin\AppData\Local\Temp\jobA3PjuJqPjqak44K\information.txt
Filesize
4KB

MD5
dd8801cee6da252c607b6c763a856e1c

SHA1
0cee350e40f9ea072d606b43722ab3268b834a68

SHA256
8a871d6367c0578ccb9c15815efcd2fac8f10542fa43c1b3799d11f87eb2ecb0

SHA512
ca8edb20bbec95a495ef5f19ff0ee537738e83467018bad24018608a7c76055783106c978440f1340b2303a4d013093ff47e0f5df3f79f62c1572f4545a53f38

Download Submit
C:\Users\Admin\AppData\Local\Temp\jobA4PjuJqPjqak44K\04eslg3A_7p0BmZynWhm.exe
Filesize
1.1MB

MD5
585e2a12f791cefc76b23178b9bbf1af

SHA1
82b167c5079098503dcd4bb19a5d13b7eb0bf959

SHA256
e7364243f1eca452ed5b43a62538418086db08acecfc3c41a2ea422799399b65

SHA512
d70b7b971157042104777b8f0c231c6600a790006a7676194131cf7d244f9daa1d7f14c895393e5fe608845cf1a8d5d0c37ef29470a72e44b5a040d8312c9c45

Download Submit
C:\Users\Admin\AppData\Local\Temp\jobA4PjuJqPjqak44K\3b6N2Xdh3CYwplaces.sqlite
Filesize
5.0MB

MD5
eaf7e4f0bdec022727515d4ade159d11

SHA1
bd2f3c1761e64b3bdd0c66cd1455cf367e45672a

SHA256
97bde867f38cb9a0412d24ea15e20ed7a52c88392341b368e7d6ad2b3f3b1a15

SHA512
21fc62d95bd0f0a520356156f3099fd565709c21388881fe4b51180b97e448c34ac28b358509a2da02a00b0fd9323f0410e5c4d329f805b978d2b003ce03000e

Download Submit
C:\Users\Admin\AppData\Local\Temp\jobA4PjuJqPjqak44K\7c8nbjOZdhoa8okHNJ7N.exe
Filesize
603KB

MD5
6ebdb42e7397236eb08926d9a607f2e7

SHA1
9cb574a1bdc38b103507ee94486e6e2cc77e6ddc

SHA256
16b3064b201ed7bf19e4b9d1cc5a0ac563c29650237dd6275dfcd5642bb6bb92

SHA512
07c135f873c5b843dc82508689653b869ccb0dc50310099205330067b9660d917b21e735eb416a804f65b36d1dc6fa3cf0147822ab9dc9310fe06ace973361ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\jobA4PjuJqPjqak44K\8ghN89CsjOW1Login Data For Account
Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\jobA4PjuJqPjqak44K\D87fZN3R3jFeWeb Data
Filesize
92KB

MD5
c6c5ad70d4f8fc27c565aae65886d0bd

SHA1
a408150acc675f7b5060bcd273465637a206603f

SHA256
5fc567b8258c2c7cd4432aa44b93b3a6c62cea31e97565e1d7742d0136a540de

SHA512
e2b895d46a761c6bdae176fb59b7a596e4368595420925de80d1fbb44f635e3cf168130386d9c4bb31c4e4b8085c8ed417371752448a5338376cfe8be979191a

Download Submit
C:\Users\Admin\AppData\Local\Temp\jobA4PjuJqPjqak44K\UPG2LoPXwc7OWeb Data
Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\Users\Admin\AppData\Local\Temp\jobA4PjuJqPjqak44K\cn7CjuUUyShLpLwTBBMR.exe
Filesize
2.3MB

MD5
3ea54300c03942085fa3c4e5f3ac3f18

SHA1
d291d594f61a6d6d46907296bdd0be7c49e30011

SHA256
07ba6ea9c385486c0d8c1cc56737df10180228ac25a17e0beca8a405190d94e0

SHA512
9a28897854e07093d0c2ed68125f32899a8a2586e1f1c7d4ea804f6d2551a4de9b0fcf6960cc3f149c69776bbd6e492e9868ab207921e6174129fed159732dbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\jobA4PjuJqPjqak44K\gP3PmY07RTW1I0FdMLYE.exe
Filesize
896KB

MD5
a49ee0c85c1aee5d33a5676447d254f7

SHA1
80a026570942d7b032a370d78c6c942c5e28f790

SHA256
722fa6cc35c9dbb10e2ca02ccf3e08a175638a5b8086ced8180d98a02f546436

SHA512
925a45903472913e3d1993e6f7594052101306c571c42a51b339dbd10302eac025342773848d130c51fbc76e620c0df9b8b5c3e623571fd5dd01bbccd4cf4dd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\jobA4PjuJqPjqak44K\vZ46aqGy12i5cqiGaBQi.exe
Filesize
792KB

MD5
df8d949deacef6768d0820f7d9a2ec02

SHA1
b61d285062171df906815c4970137ec2efa58553

SHA256
5c955d0a5c31352f8ddf6ffb1c028495f20dd5a4fed7bfaa9a4434c8eaf52127

SHA512
0b87bb81403a7e5e30bd0e37145dc8ed44dcbf9576ccecb15e309970e8c3217633a5c361655b2f5ad8b8e21b03bc9eca130a7a8bb3ab5ac08be75a39882cb535

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf9348.tmp\INetC.dll
Filesize
25KB

MD5
40d7eca32b2f4d29db98715dd45bfac5

SHA1
124df3f617f562e46095776454e1c0c7bb791cc7

SHA256
85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9

SHA512
5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk9F30.tmp
Filesize
171KB

MD5
19c7920b7bd3183f826af83e575e71b7

SHA1
812733f295f490436960c62411a25bd792b1fbc4

SHA256
c04c4a41c1c3cb8dc187e064d961260a5be04545980c94ccb0a52e35aa629d93

SHA512
18c7f717718a8a1f09d306f9f139deb6dd5f0cd5564bcdad98f102115a986c42ea5a6b2464b57d615f567498acabc3a5fc6ae50a95b6e82981077f04693df853

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub1.exe
Filesize
128KB

MD5
20d84976d907398515ed1dc4f4b5711a

SHA1
9421a26b8ea084d79644d2198cc441595c558c87

SHA256
f7274c407b1872cad2da6e144cb05e37a5ca9283f1f36a44643ffe49fe562a1d

SHA512
8fc184e2e2962120220cd64cfd8cd1dc62d989be14e68543793b91313608641495addf88af29a8f078b8c570465fb338e44a5198d3096fdbef3dfb201362b723

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub1.exe
Filesize
64KB

MD5
90e9c05eb12ebb583268dcfc2281d0cc

SHA1
c69461c9163927bebe1971905503d617ba4093cf

SHA256
63913d246931b0f8102e3587b911d98080779224b8cb82538c40afff8f482fec

SHA512
90cb684adcf7a59ecf5461d8144988b269c390d5850341986f9a4f68dee2b7b3f5ae773dd4440f436415783f76fcf86ca02a42b77c0e1475bd0060cc09401195

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub1.exe
Filesize
171KB

MD5
4d1a4b3096f4a39f3a91df2f6efd43c6

SHA1
af7b52300363fa6f5ce8b5f99f753a9b1e0af94f

SHA256
ca5b5e71addd8a56460eefad5cd368a5f6aca71b7a2d6dcfb312f45d1ae6e20b

SHA512
d7cc6cf36fa0da5c22b531f7b3f58cbbcc206aaa47d40ebc0256fa5ede758fa7f636f9b70fa8077664067c8cbd3b38633ef2ca1e2e8e349b3b05c3cec1f8afd7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe
Filesize
4KB

MD5
a5ce3aba68bdb438e98b1d0c70a3d95c

SHA1
013f5aa9057bf0b3c0c24824de9d075434501354

SHA256
9b860be98a046ea97a7f67b006e0b1bc9ab7731dd2a0f3a9fd3d710f6c43278a

SHA512
7446f1256873b51a59b9d2d3498cef5a41dbce55864c2a5fb8cb7d25f7d6e6d8ea249d551a45b75d99b1ad0d6fb4b5e4544e5ca77bcd627717d6598b5f566a79

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s5jf5e5i.default-release\datareporting\glean\db\data.safe.bin
Filesize
4KB

MD5
e75b9d36288e7fb72b69008a843fd76f

SHA1
dd0eacda7f6921556c166aebd27788a89372139e

SHA256
04fb96d7ab8da5dce60fa73d23a13498a10e9e9936e7a8af3c12acb460ff8273

SHA512
5fc59da31d28e6ede7ff33559d6ec617b2288f71deec7a209a0f1d3129579623585d4f99859d32b19d56c4135698451292353cd938efa3b5a709d37a42b97afd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s5jf5e5i.default-release\datareporting\glean\pending_pings\73fc4d99-e663-465d-a6f0-a0dc7eeac1d6
Filesize
11KB

MD5
aa1e71dec3dc5c0956ba0e783a41d0a1

SHA1
06ba423c8f4a4b84ddd9b202a6163073076afc40

SHA256
d6c0cd693f158dc05a3826b568f1c83d1d01bfbd8307d9b548cf3084368cbfb5

SHA512
dfece4b43b77933b2638a25ac237c09ad9fb4226552fdc22b450f6182284817b5f2837d9429292c2e24e0935fa183ec5638b8cb1c7b7151b61f19c482b44b0d1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s5jf5e5i.default-release\datareporting\glean\pending_pings\75752c8a-9182-4de9-a556-f2e74ffc8d65
Filesize
746B

MD5
01a5a745c942a633f815915c532d765b

SHA1
07abddb3014a5e6a5d7602cfa636a77ff37af1be

SHA256
5f648c0c7f0ce09c519a13eb625fac2ce9f20f6645e8cb74ef60b0f17b82f677

SHA512
d53057de8eeaf06dff74e759965a725c1eba9b41b0d5596aa64ff81cbafa186ac569ae622482c7711c09f5501769249d2f1515cb7f49df496c06b8c42c2cb90d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s5jf5e5i.default-release\prefs-1.js
Filesize
6KB

MD5
cf2481380650fb1c48eb3ffa64286161

SHA1
1aa246cf1966b84383b48ee71c6cc9d132c5e3a5

SHA256
6e4d9e6354426a76cfd45d24fa3a8631b54da154c3ef61a65f304c1bca9fae50

SHA512
fde49b1e132bcae10a37145fd18615b05a04c2f50141d8955d30583bf4245166afc34e38d0c9c86a1977dd8229602d99d9e994b1fcb30ea7d99061102f6c38e2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s5jf5e5i.default-release\prefs.js
Filesize
6KB

MD5
386dfc1993887ebcfca650527d034b16

SHA1
4ec4e0fb314a4430f1e5c95e7761e59407e6a050

SHA256
54c30502ff704be4c3c9af57a05e2b47e3477a84dc0ca0d5d443b87a513103db

SHA512
e4ededd85112004fb4aa1a943a426a7d70bba85cae894d0a55145e6376d849dc73899f277213009f15307253a9a8c44108119efcad440306709aec84db534727

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s5jf5e5i.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
1KB

MD5
1664096242ffc96212b548e562d9a52a

SHA1
52a009925fb3820fd35e7021f2e43a814d443723

SHA256
6cde512803fb065fae7266636b1572a5f40377ada058d28e48b663345a34443c

SHA512
c6a54319c7cfc45a6142bf04247305fadbd1950a9a1bb5e4eb575061a088a3b966437c96f39c8144003e9648fe855cc78e8a978648701adde9aa637946f4878c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s5jf5e5i.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize
184KB

MD5
1bd251010f40d2f9a5248de5ec953dab

SHA1
2dff8cfcfdf1f8e14436d997340b1616740f0550

SHA256
7f51459d68c89983c9b5327a3cb9e45fc003f403f9696eb8d0e0eba62114f3af

SHA512
9cabef3298a8c9226534025a2be52fa935e69d5320deb0b1a9f8ed509b19ecbe2272f32e0ec539fc50f8bf7f6d40ae5daf6c37a2cf38ce6bdf46cf5bfb94c28d

Download Submit
C:\Users\Admin\AppData\Roaming\Temp\Task.bat
Filesize
128B

MD5
11bb3db51f701d4e42d3287f71a6a43e

SHA1
63a4ee82223be6a62d04bdfe40ef8ba91ae49a86

SHA256
6be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331

SHA512
907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB

MD5
5d09275cf61da96467f31a7c68ed3199

SHA1
a62d6202c31021941ab3c7388687a43580481c87

SHA256
28bb978eec861f92953f6aed4288938e6b2ca0bd52aa597cdcb435dc8cfa35b3

SHA512
321d752bdcda54a4b0634402d7beb28e7fae801853ec17fdc010211e44ada09966ad3a27f501c2ed1793167904dac2101d7d75bfe2617cd9a9abe32fcf900dc4

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB

MD5
d380896d88585b4f34d0d127153be811

SHA1
7c94493bcaccc50fbd343739ff7a71ecd3481901

SHA256
390ee0c2a893d175519d7562a7df2ebc55070c94fa2fdeca071b44c218967577

SHA512
028251c851f1a73774ed450bc023eb540a1fb4d6439e919167091d56a9d4d226ce17c619b9e9cc7926e9d2fd8b42cacaa57af692b68d8ad0cc6bba028ae515a7

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB

MD5
726f352ab2aafa2c755a32187b575740

SHA1
cd93678c9afd6f62513e530aa0efae888e9176e1

SHA256
86f332e66ea6108cb1345e46ceec21bf5521f9667e0c82e75e826b034b4d5a41

SHA512
4b0dabcbbb63663441a44055760f3f0e92d4e719b86f4cef5b6da880c933da5844aa179b61efe911c02a125dcf05f288e66a821c4ceb0fcc79e9b61f72d0a8ad

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB

MD5
8f0f1b70d5442e74f13ac4045b3fb3d3

SHA1
4c290d4ea4f443b78f0f5b1dcbf4e5fda2104b60

SHA256
12908da5343ccabc07f7d0aae0de53f0743aa2e89a766d368594f1da80a80ec4

SHA512
716f2575e85cb5c78c3f2c6432faf8fe531b0bc9ac6fdd865794fe0ac5e5881a4e9ee26c21cfb440216ffcda8db6c3edb6c9241179476aba87d9faa606ad1099

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB

MD5
8619404cd8cb772671916f8c5803b388

SHA1
7fcb170c72d82cea036ba51b97b6b8f811dc491f

SHA256
03582e5d6f2e9b938afd286bc62369b4d367fa6dc9c8ac9f65d3b765438959e8

SHA512
9aba5b1585946cb53c6c6061a26b1167fb4902ad58eace475c4c792a7dc39120a16138ac54a703e51d3966869ad5a7ae6bb94b7b3f6ff454557c66679ddb4b61

Download Submit
C:\Windows\rss\csrss.exe
Filesize
576KB

MD5
d4b15b46aacade16f4ce4c07f294420f

SHA1
01e6b5dde1e9021ef8e088f1a6d7ea5cf06f8f1c

SHA256
e20a80461c0c08e22fa3d820c46520dac3d19be5a632a97b4551dd029c115f01

SHA512
b084bed874b124a3d278c0e1a5ed3c1c48e4fcfcd8005bc3c1e068ef3dcd7d1b1ca178a958153d96b03df30e449618b853e0b6aa359e63e1eca311bcdd184ba8

Download Submit
C:\Windows\rss\csrss.exe
Filesize
192KB

MD5
235f585f9352bd645966d9bec2bfafc7

SHA1
3e13afd3a743e7b9b888c3f2801f317796e5dac4

SHA256
63e373f1eead4c67f9a3c8bba2a5b02f803e212e9248f7df26eaa1175f8f0a95

SHA512
9375e0459a763bf7e11f876bec92193c067ea1e70d6cc28bbb197cfeb6b315c8f6ff2d49eff49de1ff190f2044a25ac73fb29c3e8fe0abd88ae124228122dc8c

Download Submit
C:\Windows\windefender.exe
Filesize
2.0MB

MD5
8e67f58837092385dcf01e8a2b4f5783

SHA1
012c49cfd8c5d06795a6f67ea2baf2a082cf8625

SHA256
166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

SHA512
40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Download Submit
C:\Windows\windefender.exe
Filesize
1.4MB

MD5
755796e7780c338d9e8e84b74fff9b85

SHA1
54aaded4477d25901f75d84e5ee0cb9a8453f8d8

SHA256
3800909a16b3ae11a4cd93956ee7314c4db3da87d2bd8f320d8869880ef0631f

SHA512
91c9fff83871148646b9ba20c4be7ccd4eef6a3229bbc3361376e615579d5c490a89e2d86d41279236b658f2b9cb0a3516c08cb378d7fde24d3dd2cf8691a097

Download Submit
\??\c:\users\admin\appdata\local\temp\broomsetup.exe
Filesize
128KB

MD5
1844d76e7d4331107eeb8fc6274fa9b2

SHA1
82ae81925c68a662af3b5243db9ae9d0b1721958

SHA256
0fddf79ba668abf7a760e7076da3fdcca389e221c5005b10737a75b271da3aa1

SHA512
2be6c7a7f25b12ee3082f122fd17ded3697dd97518e41765d49f5141e969b6e4d24f664a6aae29e647c2e8d7518d3a6b1216c8a460a7425ab4c60e5bd60dc947

Download Submit
memory/756-84-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/756-43-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/756-42-0x0000000002EA0000-0x000000000378B000-memory.dmp

Filesize
8.9MB

Download
memory/756-149-0x0000000002EA0000-0x000000000378B000-memory.dmp

Filesize
8.9MB

Download
memory/756-41-0x0000000002990000-0x0000000002D95000-memory.dmp

Filesize
4.0MB

Download
memory/756-168-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/756-163-0x0000000002990000-0x0000000002D95000-memory.dmp

Filesize
4.0MB

Download
memory/852-87-0x0000000004C40000-0x0000000004C50000-memory.dmp

Filesize
64KB

Download
memory/852-81-0x0000000005B80000-0x0000000005ED4000-memory.dmp

Filesize
3.3MB

Download
memory/852-61-0x0000000004AA0000-0x0000000004AD6000-memory.dmp

Filesize
216KB

Download
memory/852-60-0x0000000073650000-0x0000000073E00000-memory.dmp

Filesize
7.7MB

Download
memory/852-62-0x0000000004C40000-0x0000000004C50000-memory.dmp

Filesize
64KB

Download
memory/852-63-0x0000000004C40000-0x0000000004C50000-memory.dmp

Filesize
64KB

Download
memory/852-64-0x0000000005280000-0x00000000058A8000-memory.dmp

Filesize
6.2MB

Download
memory/852-66-0x00000000051A0000-0x00000000051C2000-memory.dmp

Filesize
136KB

Download
memory/852-70-0x00000000059A0000-0x0000000005A06000-memory.dmp

Filesize
408KB

Download
memory/852-71-0x0000000005A10000-0x0000000005A76000-memory.dmp

Filesize
408KB

Download
memory/852-82-0x0000000006090000-0x00000000060AE000-memory.dmp

Filesize
120KB

Download
memory/852-83-0x00000000060E0000-0x000000000612C000-memory.dmp

Filesize
304KB

Download
memory/852-85-0x00000000065E0000-0x0000000006624000-memory.dmp

Filesize
272KB

Download
memory/852-88-0x00000000073B0000-0x0000000007426000-memory.dmp

Filesize
472KB

Download
memory/852-89-0x0000000007AB0000-0x000000000812A000-memory.dmp

Filesize
6.5MB

Download
memory/852-90-0x0000000007450000-0x000000000746A000-memory.dmp

Filesize
104KB

Download
memory/852-92-0x0000000007610000-0x0000000007642000-memory.dmp

Filesize
200KB

Download
memory/852-93-0x000000007FB70000-0x000000007FB80000-memory.dmp

Filesize
64KB

Download
memory/852-94-0x00000000727E0000-0x000000007282C000-memory.dmp

Filesize
304KB

Download
memory/852-95-0x0000000071CD0000-0x0000000072024000-memory.dmp

Filesize
3.3MB

Download
memory/852-105-0x00000000075F0000-0x000000000760E000-memory.dmp

Filesize
120KB

Download
memory/852-106-0x0000000007650000-0x00000000076F3000-memory.dmp

Filesize
652KB

Download
memory/852-107-0x0000000007740000-0x000000000774A000-memory.dmp

Filesize
40KB

Download
memory/852-108-0x0000000007800000-0x0000000007896000-memory.dmp

Filesize
600KB

Download
memory/852-109-0x0000000007760000-0x0000000007771000-memory.dmp

Filesize
68KB

Download
memory/852-110-0x00000000077A0000-0x00000000077AE000-memory.dmp

Filesize
56KB

Download
memory/852-111-0x00000000077B0000-0x00000000077C4000-memory.dmp

Filesize
80KB

Download
memory/852-118-0x00000000078A0000-0x00000000078BA000-memory.dmp

Filesize
104KB

Download
memory/852-123-0x00000000077F0000-0x00000000077F8000-memory.dmp

Filesize
32KB

Download
memory/852-138-0x0000000073650000-0x0000000073E00000-memory.dmp

Filesize
7.7MB

Download
memory/964-377-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1052-227-0x0000000007510000-0x0000000007524000-memory.dmp

Filesize
80KB

Download
memory/1052-210-0x00000000727E0000-0x000000007282C000-memory.dmp

Filesize
304KB

Download
memory/1052-209-0x000000007F450000-0x000000007F460000-memory.dmp

Filesize
64KB

Download
memory/1052-223-0x00000000074A0000-0x00000000074B1000-memory.dmp

Filesize
68KB

Download
memory/1052-221-0x0000000007190000-0x0000000007233000-memory.dmp

Filesize
652KB

Download
memory/1052-235-0x0000000073650000-0x0000000073E00000-memory.dmp

Filesize
7.7MB

Download
memory/1052-211-0x0000000071CD0000-0x0000000072024000-memory.dmp

Filesize
3.3MB

Download
memory/1052-195-0x0000000004AF0000-0x0000000004B00000-memory.dmp

Filesize
64KB

Download
memory/1052-175-0x0000000073650000-0x0000000073E00000-memory.dmp

Filesize
7.7MB

Download
memory/1052-177-0x0000000004AF0000-0x0000000004B00000-memory.dmp

Filesize
64KB

Download
memory/1052-176-0x0000000004AF0000-0x0000000004B00000-memory.dmp

Filesize
64KB

Download
memory/1664-241-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1664-328-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1664-169-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1664-167-0x0000000002970000-0x0000000002D73000-memory.dmp

Filesize
4.0MB

Download
memory/1880-38-0x0000000000610000-0x0000000000710000-memory.dmp

Filesize
1024KB

Download
memory/1880-68-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1880-40-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1880-39-0x0000000000480000-0x000000000048B000-memory.dmp

Filesize
44KB

Download
memory/3248-65-0x00000000016D0000-0x00000000016E6000-memory.dmp

Filesize
88KB

Download
memory/3248-371-0x0000000003460000-0x0000000003476000-memory.dmp

Filesize
88KB

Download
memory/3428-484-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/3428-428-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/3492-437-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3492-433-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3492-435-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3656-519-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/3732-1-0x0000000000720000-0x0000000000D6A000-memory.dmp

Filesize
6.3MB

Download
memory/3732-28-0x0000000074FD0000-0x0000000075780000-memory.dmp

Filesize
7.7MB

Download
memory/3732-0-0x0000000074FD0000-0x0000000075780000-memory.dmp

Filesize
7.7MB

Download
memory/3752-487-0x0000000000CA0000-0x00000000017B4000-memory.dmp

Filesize
11.1MB

Download
memory/3752-482-0x0000000000CA0000-0x00000000017B4000-memory.dmp

Filesize
11.1MB

Download
memory/3896-367-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3896-408-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3896-369-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3896-375-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4212-37-0x0000000002560000-0x0000000002561000-memory.dmp

Filesize
4KB

Download
memory/4212-91-0x0000000002560000-0x0000000002561000-memory.dmp

Filesize
4KB

Download
memory/4212-86-0x0000000000400000-0x00000000008E2000-memory.dmp

Filesize
4.9MB

Download
memory/4292-243-0x0000000002890000-0x00000000028A0000-memory.dmp

Filesize
64KB

Download
memory/4292-242-0x0000000073650000-0x0000000073E00000-memory.dmp

Filesize
7.7MB

Download
memory/4376-228-0x0000000000400000-0x000000000062E000-memory.dmp

Filesize
2.2MB

Download
memory/4376-59-0x0000000000400000-0x000000000062E000-memory.dmp

Filesize
2.2MB

Download
memory/4376-58-0x00000000006B0000-0x00000000006CC000-memory.dmp

Filesize
112KB

Download
memory/4376-57-0x00000000007C0000-0x00000000008C0000-memory.dmp

Filesize
1024KB

Download
memory/4376-173-0x00000000007C0000-0x00000000008C0000-memory.dmp

Filesize
1024KB

Download
memory/4376-294-0x0000000000400000-0x000000000062E000-memory.dmp

Filesize
2.2MB

Download
memory/4376-141-0x0000000000400000-0x000000000062E000-memory.dmp

Filesize
2.2MB

Download
memory/4376-112-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/4376-174-0x0000000000400000-0x000000000062E000-memory.dmp

Filesize
2.2MB

Download