amadey | fedb08b3ec7034a15e9dee7ed4dec1a854fb78e74285e1ee05c90f9e9e4f8b3e

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
26-03-2024 01:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

413KB
MD5

d467222c3bd563cb72fa49302f80b079
SHA1

9335e2a36abb8309d8a2075faf78d66b968b2a91
SHA256

fedb08b3ec7034a15e9dee7ed4dec1a854fb78e74285e1ee05c90f9e9e4f8b3e
SHA512

484b6c427e28193ddb73dd7062e2bfbd132ddc72ce4811bfe08784669de30e4b92bc27140373f62a4ce651401000a3c505188620c43da410bf6b0799a0791fa7
SSDEEP

6144:0UorLrzMYSnDyTtDOYtf3J7+YZIPcrPJruPWeX2/e1Cw+GOpumhauZef6P5rwmx:0vcYZD17DMPWev1Cb3umhauZef6a

Score

10^/10

amadey glupteba discovery dropper evasion loader persistence rootkit spyware stealer themida trojan upx

Malware Config

Extracted

Family

amadey

Version

4.17

http://193.233.132.167

Attributes

install_dir
4d0ab15804
install_file
chrosha.exe
strings_key
1a9519d7b465e1f4880fa09a6162d768
url_paths
/enigma/index.php

rc4.plain

Extracted

Family

amadey

Version

4.17

http://193.233.132.167

Attributes

strings_key
1a9519d7b465e1f4880fa09a6162d768
url_paths
/enigma/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 23 IoCs

Processes:

resource	yara_rule
behavioral2/memory/592-73-0x0000000002F00000-0x00000000037EB000-memory.dmp	family_glupteba
behavioral2/memory/3476-74-0x0000000002A20000-0x0000000002E26000-memory.dmp	family_glupteba
behavioral2/memory/2912-76-0x0000000002FD0000-0x00000000038BB000-memory.dmp	family_glupteba
behavioral2/memory/2912-79-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/592-81-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/3476-91-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/2912-235-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/3476-255-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/592-259-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/3476-273-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/2912-274-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/592-470-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/3476-471-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/2912-472-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/5700-579-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/4364-578-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/5700-635-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/4364-661-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/4432-691-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/4432-734-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/5684-785-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/5684-802-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/5684-811-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

eVQiQV7zHN9vRjKSniIFHd4B.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ eVQiQV7zHN9vRjKSniIFHd4B.exe
Blocklisted process makes network request 2 IoCs

Processes:

rundll32.exerundll32.exe

flow pid process

113 5428 rundll32.exe
130 2584 rundll32.exe
Downloads MZ/PE file
Modifies Windows Firewall 2 TTPs 3 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exenetsh.exenetsh.exe

pid process

5060 netsh.exe
4424 netsh.exe
4916 netsh.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	eVQiQV7zHN9vRjKSniIFHd4B.exe

flow	pid	process
113	5428	rundll32.exe
130	2584	rundll32.exe

pid	process
5060	netsh.exe
4424	netsh.exe
4916	netsh.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

eVQiQV7zHN9vRjKSniIFHd4B.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	eVQiQV7zHN9vRjKSniIFHd4B.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	eVQiQV7zHN9vRjKSniIFHd4B.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

chrosha.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation chrosha.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	chrosha.exe

Drops startup file 6 IoCs

Processes:

installutil.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NhyZZnSuTt0CvaCackIoNiHg.bat	installutil.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\oMRcUlKSLIGwKamT1hKFk8lf.bat	installutil.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NV8DMatnCiUY3Si88QmDKjCd.bat	installutil.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wbAI0zKpiG1cClAa0yofPft1.bat	installutil.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BLLvGZf1PSQfKCGazJmPTZF6.bat	installutil.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MIveaOojccgDNHRHPU4iQ1iG.bat	installutil.exe

Executes dropped EXE 21 IoCs

Processes:

chrosha.exeun300un.exejbTaxnCCbJNjXa55WvOgVQPK.exexizhpn716a7N0zUyHhvLvKfQ.exe3N9gUwxxysc7AYeKDBsNTOp3.exescbwpeDE3KZUYtxcUeZUV0NJ.exescbwpeDE3KZUYtxcUeZUV0NJ.exescbwpeDE3KZUYtxcUeZUV0NJ.exescbwpeDE3KZUYtxcUeZUV0NJ.exescbwpeDE3KZUYtxcUeZUV0NJ.exeeVQiQV7zHN9vRjKSniIFHd4B.exe3N9gUwxxysc7AYeKDBsNTOp3.exexizhpn716a7N0zUyHhvLvKfQ.exeAssistant_108.0.5067.20_Setup.exe_sfx.exeassistant_installer.exeassistant_installer.exejbTaxnCCbJNjXa55WvOgVQPK.execsrss.exeinjector.exewindefender.exewindefender.exe

pid	process
4836	chrosha.exe
948	un300un.exe
592	jbTaxnCCbJNjXa55WvOgVQPK.exe
3476	xizhpn716a7N0zUyHhvLvKfQ.exe
2912	3N9gUwxxysc7AYeKDBsNTOp3.exe
3984	scbwpeDE3KZUYtxcUeZUV0NJ.exe
1480	scbwpeDE3KZUYtxcUeZUV0NJ.exe
4800	scbwpeDE3KZUYtxcUeZUV0NJ.exe
3240	scbwpeDE3KZUYtxcUeZUV0NJ.exe
4648	scbwpeDE3KZUYtxcUeZUV0NJ.exe
60	eVQiQV7zHN9vRjKSniIFHd4B.exe
4364	3N9gUwxxysc7AYeKDBsNTOp3.exe
5700	xizhpn716a7N0zUyHhvLvKfQ.exe
5400	Assistant_108.0.5067.20_Setup.exe_sfx.exe
5712	assistant_installer.exe
1664	assistant_installer.exe
4432	jbTaxnCCbJNjXa55WvOgVQPK.exe
5684	csrss.exe
2748	injector.exe
6016	windefender.exe
6060	windefender.exe

Loads dropped DLL 12 IoCs

Processes:

scbwpeDE3KZUYtxcUeZUV0NJ.exescbwpeDE3KZUYtxcUeZUV0NJ.exescbwpeDE3KZUYtxcUeZUV0NJ.exescbwpeDE3KZUYtxcUeZUV0NJ.exescbwpeDE3KZUYtxcUeZUV0NJ.exerundll32.exerundll32.exerundll32.exeassistant_installer.exeassistant_installer.exe

pid	process
3984	scbwpeDE3KZUYtxcUeZUV0NJ.exe
1480	scbwpeDE3KZUYtxcUeZUV0NJ.exe
4800	scbwpeDE3KZUYtxcUeZUV0NJ.exe
3240	scbwpeDE3KZUYtxcUeZUV0NJ.exe
4648	scbwpeDE3KZUYtxcUeZUV0NJ.exe
5368	rundll32.exe
5428	rundll32.exe
2584	rundll32.exe
5712	assistant_installer.exe
5712	assistant_installer.exe
1664	assistant_installer.exe
1664	assistant_installer.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Themida packer 11 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\Pictures\eVQiQV7zHN9vRjKSniIFHd4B.exe	themida
C:\Users\Admin\Pictures\eVQiQV7zHN9vRjKSniIFHd4B.exe	themida
behavioral2/memory/60-141-0x00007FF639050000-0x00007FF639A67000-memory.dmp	themida
behavioral2/memory/60-144-0x00007FF639050000-0x00007FF639A67000-memory.dmp	themida
behavioral2/memory/60-143-0x00007FF639050000-0x00007FF639A67000-memory.dmp	themida
behavioral2/memory/60-147-0x00007FF639050000-0x00007FF639A67000-memory.dmp	themida
behavioral2/memory/60-149-0x00007FF639050000-0x00007FF639A67000-memory.dmp	themida
behavioral2/memory/60-150-0x00007FF639050000-0x00007FF639A67000-memory.dmp	themida
behavioral2/memory/60-151-0x00007FF639050000-0x00007FF639A67000-memory.dmp	themida
behavioral2/memory/60-154-0x00007FF639050000-0x00007FF639A67000-memory.dmp	themida
behavioral2/memory/60-300-0x00007FF639050000-0x00007FF639A67000-memory.dmp	themida

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\Pictures\scbwpeDE3KZUYtxcUeZUV0NJ.exe	upx
C:\Users\Admin\Pictures\scbwpeDE3KZUYtxcUeZUV0NJ.exe	upx
behavioral2/memory/3984-95-0x0000000000EB0000-0x00000000013E8000-memory.dmp	upx
C:\Users\Admin\Pictures\scbwpeDE3KZUYtxcUeZUV0NJ.exe	upx
C:\Users\Admin\Pictures\scbwpeDE3KZUYtxcUeZUV0NJ.exe	upx
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\scbwpeDE3KZUYtxcUeZUV0NJ.exe	upx
behavioral2/memory/4800-113-0x0000000000720000-0x0000000000C58000-memory.dmp	upx
behavioral2/memory/4800-110-0x0000000000720000-0x0000000000C58000-memory.dmp	upx
C:\Users\Admin\Pictures\scbwpeDE3KZUYtxcUeZUV0NJ.exe	upx
C:\Users\Admin\Pictures\scbwpeDE3KZUYtxcUeZUV0NJ.exe	upx
behavioral2/memory/3240-137-0x0000000000EB0000-0x00000000013E8000-memory.dmp	upx
behavioral2/memory/4648-140-0x0000000000EB0000-0x00000000013E8000-memory.dmp	upx
behavioral2/memory/1480-105-0x0000000000EB0000-0x00000000013E8000-memory.dmp	upx
C:\Windows\windefender.exe	upx
behavioral2/memory/6016-801-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral2/memory/6060-812-0x0000000000400000-0x00000000008DF000-memory.dmp	upx

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

xizhpn716a7N0zUyHhvLvKfQ.exe3N9gUwxxysc7AYeKDBsNTOp3.exejbTaxnCCbJNjXa55WvOgVQPK.execsrss.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	xizhpn716a7N0zUyHhvLvKfQ.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	3N9gUwxxysc7AYeKDBsNTOp3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	jbTaxnCCbJNjXa55WvOgVQPK.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	csrss.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

eVQiQV7zHN9vRjKSniIFHd4B.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	eVQiQV7zHN9vRjKSniIFHd4B.exe

Enumerates connected drives 3 TTPs 4 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

scbwpeDE3KZUYtxcUeZUV0NJ.exescbwpeDE3KZUYtxcUeZUV0NJ.exe

description	ioc	process
File opened (read-only)	\??\F:	scbwpeDE3KZUYtxcUeZUV0NJ.exe
File opened (read-only)	\??\D:	scbwpeDE3KZUYtxcUeZUV0NJ.exe
File opened (read-only)	\??\F:	scbwpeDE3KZUYtxcUeZUV0NJ.exe
File opened (read-only)	\??\D:	scbwpeDE3KZUYtxcUeZUV0NJ.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

48 pastebin.com
51 pastebin.com
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

100 api.myip.com
102 api.myip.com
104 ipinfo.io
105 ipinfo.io
Manipulates WinMonFS driver. 1 IoCs
Roottkits write to WinMonFS to hide directories/files from being detected.
rootkit evasion

Processes:

csrss.exe

description ioc process

File opened for modification \??\WinMonFS csrss.exe

flow	ioc
48	pastebin.com
51	pastebin.com

flow	ioc
100	api.myip.com
102	api.myip.com
104	ipinfo.io
105	ipinfo.io

description	ioc	process
File opened for modification	\??\WinMonFS	csrss.exe

Drops file in System32 directory 17 IoCs

Processes:

eVQiQV7zHN9vRjKSniIFHd4B.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\GroupPolicy	eVQiQV7zHN9vRjKSniIFHd4B.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	eVQiQV7zHN9vRjKSniIFHd4B.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	eVQiQV7zHN9vRjKSniIFHd4B.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	eVQiQV7zHN9vRjKSniIFHd4B.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

eVQiQV7zHN9vRjKSniIFHd4B.exe

pid process

60 eVQiQV7zHN9vRjKSniIFHd4B.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

un300un.exe

description pid process target process

PID 948 set thread context of 2924 948 un300un.exe installutil.exe

pid	process
60	eVQiQV7zHN9vRjKSniIFHd4B.exe

description	pid	process	target process
PID 948 set thread context of 2924	948	un300un.exe	installutil.exe

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 3 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

T1082

Processes:

3N9gUwxxysc7AYeKDBsNTOp3.exexizhpn716a7N0zUyHhvLvKfQ.exejbTaxnCCbJNjXa55WvOgVQPK.exe

description	ioc	process
File opened (read-only)	\??\VBoxMiniRdrDN	3N9gUwxxysc7AYeKDBsNTOp3.exe
File opened (read-only)	\??\VBoxMiniRdrDN	xizhpn716a7N0zUyHhvLvKfQ.exe
File opened (read-only)	\??\VBoxMiniRdrDN	jbTaxnCCbJNjXa55WvOgVQPK.exe

Drops file in Windows directory 9 IoCs

Processes:

xizhpn716a7N0zUyHhvLvKfQ.exe3N9gUwxxysc7AYeKDBsNTOp3.exejbTaxnCCbJNjXa55WvOgVQPK.execsrss.exetmp.exe

description	ioc	process
File opened for modification	C:\Windows\rss	xizhpn716a7N0zUyHhvLvKfQ.exe
File opened for modification	C:\Windows\rss	3N9gUwxxysc7AYeKDBsNTOp3.exe
File opened for modification	C:\Windows\rss	jbTaxnCCbJNjXa55WvOgVQPK.exe
File created	C:\Windows\rss\csrss.exe	jbTaxnCCbJNjXa55WvOgVQPK.exe
File opened for modification	C:\Windows\windefender.exe	csrss.exe
File created	C:\Windows\Tasks\chrosha.job	tmp.exe
File created	C:\Windows\rss\csrss.exe	xizhpn716a7N0zUyHhvLvKfQ.exe
File created	C:\Windows\rss\csrss.exe	3N9gUwxxysc7AYeKDBsNTOp3.exe
File created	C:\Windows\windefender.exe	csrss.exe

Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

5836 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

5664 schtasks.exe
5388 schtasks.exe

pid	process
5836	sc.exe

pid	process
5664	schtasks.exe
5388	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

3N9gUwxxysc7AYeKDBsNTOp3.exewindefender.exexizhpn716a7N0zUyHhvLvKfQ.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2532 = "Chatham Islands Standard Time"	3N9gUwxxysc7AYeKDBsNTOp3.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-335 = "Jordan Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-742 = "New Zealand Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-692 = "Tasmania Standard Time"	xizhpn716a7N0zUyHhvLvKfQ.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-105 = "Central Brazilian Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-215 = "Pacific Standard Time (Mexico)"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-622 = "Korea Standard Time"	xizhpn716a7N0zUyHhvLvKfQ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-91 = "Pacific SA Daylight Time"	xizhpn716a7N0zUyHhvLvKfQ.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1931 = "Russia TZ 11 Daylight Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-932 = "Coordinated Universal Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-351 = "FLE Daylight Time"	3N9gUwxxysc7AYeKDBsNTOp3.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1661 = "Bahia Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time"	3N9gUwxxysc7AYeKDBsNTOp3.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2772 = "Omsk Standard Time"	xizhpn716a7N0zUyHhvLvKfQ.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-251 = "Dateline Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-435 = "Georgian Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time"	3N9gUwxxysc7AYeKDBsNTOp3.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-961 = "Paraguay Daylight Time"	xizhpn716a7N0zUyHhvLvKfQ.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-871 = "Pakistan Daylight Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2492 = "Aus Central W. Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-451 = "Caucasus Daylight Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-961 = "Paraguay Daylight Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-162 = "Central Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time"	3N9gUwxxysc7AYeKDBsNTOp3.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2572 = "Turks and Caicos Standard Time"	xizhpn716a7N0zUyHhvLvKfQ.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-142 = "Canada Central Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2772 = "Omsk Standard Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1471 = "Magadan Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time"	3N9gUwxxysc7AYeKDBsNTOp3.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-622 = "Korea Standard Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-232 = "Hawaiian Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-981 = "Kamchatka Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time"	3N9gUwxxysc7AYeKDBsNTOp3.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-531 = "Sri Lanka Daylight Time"	xizhpn716a7N0zUyHhvLvKfQ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-691 = "Tasmania Daylight Time"	xizhpn716a7N0zUyHhvLvKfQ.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

scbwpeDE3KZUYtxcUeZUV0NJ.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4	scbwpeDE3KZUYtxcUeZUV0NJ.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 04000000010000001000000078f2fcaa601f2fb4ebc937ba532e75490f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e4190000000100000010000000ffac207997bb2cfe865570179ee037b92000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	scbwpeDE3KZUYtxcUeZUV0NJ.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 5c000000010000000400000000100000190000000100000010000000ffac207997bb2cfe865570179ee037b9030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e199604000000010000001000000078f2fcaa601f2fb4ebc937ba532e75492000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	scbwpeDE3KZUYtxcUeZUV0NJ.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exerundll32.exepowershell.exe3N9gUwxxysc7AYeKDBsNTOp3.exejbTaxnCCbJNjXa55WvOgVQPK.exexizhpn716a7N0zUyHhvLvKfQ.exepowershell.exepowershell.exe3N9gUwxxysc7AYeKDBsNTOp3.exexizhpn716a7N0zUyHhvLvKfQ.exepowershell.exepowershell.exepowershell.exe

pid	process
1788	powershell.exe
1788	powershell.exe
920	powershell.exe
920	powershell.exe
2472	powershell.exe
2472	powershell.exe
5428	rundll32.exe
5428	rundll32.exe
5428	rundll32.exe
5428	rundll32.exe
5428	rundll32.exe
5428	rundll32.exe
1788	powershell.exe
2472	powershell.exe
920	powershell.exe
5428	rundll32.exe
5428	rundll32.exe
5428	rundll32.exe
5428	rundll32.exe
6000	powershell.exe
6000	powershell.exe
6000	powershell.exe
2912	3N9gUwxxysc7AYeKDBsNTOp3.exe
2912	3N9gUwxxysc7AYeKDBsNTOp3.exe
592	jbTaxnCCbJNjXa55WvOgVQPK.exe
592	jbTaxnCCbJNjXa55WvOgVQPK.exe
3476	xizhpn716a7N0zUyHhvLvKfQ.exe
3476	xizhpn716a7N0zUyHhvLvKfQ.exe
6008	powershell.exe
6008	powershell.exe
5996	powershell.exe
5996	powershell.exe
6008	powershell.exe
5996	powershell.exe
4364	3N9gUwxxysc7AYeKDBsNTOp3.exe
4364	3N9gUwxxysc7AYeKDBsNTOp3.exe
4364	3N9gUwxxysc7AYeKDBsNTOp3.exe
4364	3N9gUwxxysc7AYeKDBsNTOp3.exe
4364	3N9gUwxxysc7AYeKDBsNTOp3.exe
4364	3N9gUwxxysc7AYeKDBsNTOp3.exe
4364	3N9gUwxxysc7AYeKDBsNTOp3.exe
4364	3N9gUwxxysc7AYeKDBsNTOp3.exe
4364	3N9gUwxxysc7AYeKDBsNTOp3.exe
4364	3N9gUwxxysc7AYeKDBsNTOp3.exe
5700	xizhpn716a7N0zUyHhvLvKfQ.exe
5700	xizhpn716a7N0zUyHhvLvKfQ.exe
5700	xizhpn716a7N0zUyHhvLvKfQ.exe
5700	xizhpn716a7N0zUyHhvLvKfQ.exe
5700	xizhpn716a7N0zUyHhvLvKfQ.exe
5700	xizhpn716a7N0zUyHhvLvKfQ.exe
5700	xizhpn716a7N0zUyHhvLvKfQ.exe
5700	xizhpn716a7N0zUyHhvLvKfQ.exe
5700	xizhpn716a7N0zUyHhvLvKfQ.exe
5700	xizhpn716a7N0zUyHhvLvKfQ.exe
592	jbTaxnCCbJNjXa55WvOgVQPK.exe
592	jbTaxnCCbJNjXa55WvOgVQPK.exe
5992	powershell.exe
5992	powershell.exe
4776	powershell.exe
4776	powershell.exe
5320	powershell.exe
5320	powershell.exe
5992	powershell.exe
4776	powershell.exe

Suspicious use of AdjustPrivilegeToken 28 IoCs

Processes:

installutil.exepowershell.exepowershell.exepowershell.exepowershell.exe3N9gUwxxysc7AYeKDBsNTOp3.exejbTaxnCCbJNjXa55WvOgVQPK.exexizhpn716a7N0zUyHhvLvKfQ.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.execsrss.exesc.exe

description	pid	process
Token: SeDebugPrivilege	2924	installutil.exe
Token: SeDebugPrivilege	1788	powershell.exe
Token: SeDebugPrivilege	920	powershell.exe
Token: SeDebugPrivilege	2472	powershell.exe
Token: SeDebugPrivilege	6000	powershell.exe
Token: SeDebugPrivilege	2912	3N9gUwxxysc7AYeKDBsNTOp3.exe
Token: SeDebugPrivilege	592	jbTaxnCCbJNjXa55WvOgVQPK.exe
Token: SeImpersonatePrivilege	2912	3N9gUwxxysc7AYeKDBsNTOp3.exe
Token: SeImpersonatePrivilege	592	jbTaxnCCbJNjXa55WvOgVQPK.exe
Token: SeDebugPrivilege	3476	xizhpn716a7N0zUyHhvLvKfQ.exe
Token: SeImpersonatePrivilege	3476	xizhpn716a7N0zUyHhvLvKfQ.exe
Token: SeDebugPrivilege	6008	powershell.exe
Token: SeDebugPrivilege	5996	powershell.exe
Token: SeDebugPrivilege	592	jbTaxnCCbJNjXa55WvOgVQPK.exe
Token: SeImpersonatePrivilege	592	jbTaxnCCbJNjXa55WvOgVQPK.exe
Token: SeDebugPrivilege	5992	powershell.exe
Token: SeDebugPrivilege	4776	powershell.exe
Token: SeDebugPrivilege	5320	powershell.exe
Token: SeDebugPrivilege	4764	powershell.exe
Token: SeDebugPrivilege	5168	powershell.exe
Token: SeDebugPrivilege	3276	powershell.exe
Token: SeDebugPrivilege	4296	powershell.exe
Token: SeDebugPrivilege	5924	powershell.exe
Token: SeDebugPrivilege	5616	powershell.exe
Token: SeDebugPrivilege	1900	powershell.exe
Token: SeSystemEnvironmentPrivilege	5684	csrss.exe
Token: SeSecurityPrivilege	5836	sc.exe
Token: SeSecurityPrivilege	5836	sc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrosha.exeun300un.exeinstallutil.exescbwpeDE3KZUYtxcUeZUV0NJ.exescbwpeDE3KZUYtxcUeZUV0NJ.exe3N9gUwxxysc7AYeKDBsNTOp3.exexizhpn716a7N0zUyHhvLvKfQ.exejbTaxnCCbJNjXa55WvOgVQPK.exerundll32.exerundll32.exexizhpn716a7N0zUyHhvLvKfQ.exe3N9gUwxxysc7AYeKDBsNTOp3.exe

description	pid	process	target process
PID 4836 wrote to memory of 948	4836	chrosha.exe	un300un.exe
PID 4836 wrote to memory of 948	4836	chrosha.exe	un300un.exe
PID 948 wrote to memory of 2924	948	un300un.exe	installutil.exe
PID 948 wrote to memory of 2924	948	un300un.exe	installutil.exe
PID 948 wrote to memory of 2924	948	un300un.exe	installutil.exe
PID 948 wrote to memory of 2924	948	un300un.exe	installutil.exe
PID 948 wrote to memory of 2924	948	un300un.exe	installutil.exe
PID 948 wrote to memory of 2924	948	un300un.exe	installutil.exe
PID 948 wrote to memory of 2924	948	un300un.exe	installutil.exe
PID 948 wrote to memory of 2924	948	un300un.exe	installutil.exe
PID 2924 wrote to memory of 592	2924	installutil.exe	jbTaxnCCbJNjXa55WvOgVQPK.exe
PID 2924 wrote to memory of 592	2924	installutil.exe	jbTaxnCCbJNjXa55WvOgVQPK.exe
PID 2924 wrote to memory of 592	2924	installutil.exe	jbTaxnCCbJNjXa55WvOgVQPK.exe
PID 2924 wrote to memory of 3476	2924	installutil.exe	xizhpn716a7N0zUyHhvLvKfQ.exe
PID 2924 wrote to memory of 3476	2924	installutil.exe	xizhpn716a7N0zUyHhvLvKfQ.exe
PID 2924 wrote to memory of 3476	2924	installutil.exe	xizhpn716a7N0zUyHhvLvKfQ.exe
PID 2924 wrote to memory of 2912	2924	installutil.exe	3N9gUwxxysc7AYeKDBsNTOp3.exe
PID 2924 wrote to memory of 2912	2924	installutil.exe	3N9gUwxxysc7AYeKDBsNTOp3.exe
PID 2924 wrote to memory of 2912	2924	installutil.exe	3N9gUwxxysc7AYeKDBsNTOp3.exe
PID 2924 wrote to memory of 3984	2924	installutil.exe	scbwpeDE3KZUYtxcUeZUV0NJ.exe
PID 2924 wrote to memory of 3984	2924	installutil.exe	scbwpeDE3KZUYtxcUeZUV0NJ.exe
PID 2924 wrote to memory of 3984	2924	installutil.exe	scbwpeDE3KZUYtxcUeZUV0NJ.exe
PID 3984 wrote to memory of 1480	3984	scbwpeDE3KZUYtxcUeZUV0NJ.exe	scbwpeDE3KZUYtxcUeZUV0NJ.exe
PID 3984 wrote to memory of 1480	3984	scbwpeDE3KZUYtxcUeZUV0NJ.exe	scbwpeDE3KZUYtxcUeZUV0NJ.exe
PID 3984 wrote to memory of 1480	3984	scbwpeDE3KZUYtxcUeZUV0NJ.exe	scbwpeDE3KZUYtxcUeZUV0NJ.exe
PID 3984 wrote to memory of 4800	3984	scbwpeDE3KZUYtxcUeZUV0NJ.exe	cmd.exe
PID 3984 wrote to memory of 4800	3984	scbwpeDE3KZUYtxcUeZUV0NJ.exe	cmd.exe
PID 3984 wrote to memory of 4800	3984	scbwpeDE3KZUYtxcUeZUV0NJ.exe	cmd.exe
PID 3984 wrote to memory of 3240	3984	scbwpeDE3KZUYtxcUeZUV0NJ.exe	scbwpeDE3KZUYtxcUeZUV0NJ.exe
PID 3984 wrote to memory of 3240	3984	scbwpeDE3KZUYtxcUeZUV0NJ.exe	scbwpeDE3KZUYtxcUeZUV0NJ.exe
PID 3984 wrote to memory of 3240	3984	scbwpeDE3KZUYtxcUeZUV0NJ.exe	scbwpeDE3KZUYtxcUeZUV0NJ.exe
PID 3240 wrote to memory of 4648	3240	scbwpeDE3KZUYtxcUeZUV0NJ.exe	scbwpeDE3KZUYtxcUeZUV0NJ.exe
PID 3240 wrote to memory of 4648	3240	scbwpeDE3KZUYtxcUeZUV0NJ.exe	scbwpeDE3KZUYtxcUeZUV0NJ.exe
PID 3240 wrote to memory of 4648	3240	scbwpeDE3KZUYtxcUeZUV0NJ.exe	scbwpeDE3KZUYtxcUeZUV0NJ.exe
PID 2924 wrote to memory of 60	2924	installutil.exe	eVQiQV7zHN9vRjKSniIFHd4B.exe
PID 2924 wrote to memory of 60	2924	installutil.exe	eVQiQV7zHN9vRjKSniIFHd4B.exe
PID 2912 wrote to memory of 1788	2912	3N9gUwxxysc7AYeKDBsNTOp3.exe	powershell.exe
PID 2912 wrote to memory of 1788	2912	3N9gUwxxysc7AYeKDBsNTOp3.exe	powershell.exe
PID 2912 wrote to memory of 1788	2912	3N9gUwxxysc7AYeKDBsNTOp3.exe	powershell.exe
PID 3476 wrote to memory of 920	3476	xizhpn716a7N0zUyHhvLvKfQ.exe	powershell.exe
PID 3476 wrote to memory of 920	3476	xizhpn716a7N0zUyHhvLvKfQ.exe	powershell.exe
PID 3476 wrote to memory of 920	3476	xizhpn716a7N0zUyHhvLvKfQ.exe	powershell.exe
PID 592 wrote to memory of 2472	592	jbTaxnCCbJNjXa55WvOgVQPK.exe	powershell.exe
PID 592 wrote to memory of 2472	592	jbTaxnCCbJNjXa55WvOgVQPK.exe	powershell.exe
PID 592 wrote to memory of 2472	592	jbTaxnCCbJNjXa55WvOgVQPK.exe	powershell.exe
PID 4836 wrote to memory of 5368	4836	chrosha.exe	rundll32.exe
PID 4836 wrote to memory of 5368	4836	chrosha.exe	rundll32.exe
PID 4836 wrote to memory of 5368	4836	chrosha.exe	rundll32.exe
PID 5368 wrote to memory of 5428	5368	rundll32.exe	rundll32.exe
PID 5368 wrote to memory of 5428	5368	rundll32.exe	rundll32.exe
PID 5428 wrote to memory of 5504	5428	rundll32.exe	netsh.exe
PID 5428 wrote to memory of 5504	5428	rundll32.exe	netsh.exe
PID 5428 wrote to memory of 6000	5428	rundll32.exe	powershell.exe
PID 5428 wrote to memory of 6000	5428	rundll32.exe	powershell.exe
PID 4836 wrote to memory of 2584	4836	chrosha.exe	rundll32.exe
PID 4836 wrote to memory of 2584	4836	chrosha.exe	rundll32.exe
PID 4836 wrote to memory of 2584	4836	chrosha.exe	rundll32.exe
PID 5700 wrote to memory of 5996	5700	xizhpn716a7N0zUyHhvLvKfQ.exe	powershell.exe
PID 5700 wrote to memory of 5996	5700	xizhpn716a7N0zUyHhvLvKfQ.exe	powershell.exe
PID 5700 wrote to memory of 5996	5700	xizhpn716a7N0zUyHhvLvKfQ.exe	powershell.exe
PID 4364 wrote to memory of 6008	4364	3N9gUwxxysc7AYeKDBsNTOp3.exe	powershell.exe
PID 4364 wrote to memory of 6008	4364	3N9gUwxxysc7AYeKDBsNTOp3.exe	powershell.exe
PID 4364 wrote to memory of 6008	4364	3N9gUwxxysc7AYeKDBsNTOp3.exe	powershell.exe
PID 3984 wrote to memory of 5400	3984	scbwpeDE3KZUYtxcUeZUV0NJ.exe	Assistant_108.0.5067.20_Setup.exe_sfx.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Drops file in Windows directory
PID:3452

C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe
C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4836

C:\Users\Admin\AppData\Local\Temp\1000091001\un300un.exe
"C:\Users\Admin\AppData\Local\Temp\1000091001\un300un.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:948

C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
3⤵
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2924

C:\Users\Admin\Pictures\jbTaxnCCbJNjXa55WvOgVQPK.exe
"C:\Users\Admin\Pictures\jbTaxnCCbJNjXa55WvOgVQPK.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:592

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2472

C:\Users\Admin\Pictures\jbTaxnCCbJNjXa55WvOgVQPK.exe
"C:\Users\Admin\Pictures\jbTaxnCCbJNjXa55WvOgVQPK.exe"
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
PID:4432

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5992

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
6⤵
PID:2284

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
7⤵
- Modifies Windows Firewall
PID:4916

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3276

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5924

C:\Users\Admin\Pictures\xizhpn716a7N0zUyHhvLvKfQ.exe
"C:\Users\Admin\Pictures\xizhpn716a7N0zUyHhvLvKfQ.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3476

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:920

C:\Users\Admin\Pictures\xizhpn716a7N0zUyHhvLvKfQ.exe
"C:\Users\Admin\Pictures\xizhpn716a7N0zUyHhvLvKfQ.exe"
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5700

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5996

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
6⤵
PID:4080

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
7⤵
- Modifies Windows Firewall
PID:4424

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4776

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4764

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
6⤵
- Executes dropped EXE
- Adds Run key to start application
- Manipulates WinMonFS driver.
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:5684

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
7⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4296

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
7⤵
- Creates scheduled task(s)
PID:5664

C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
7⤵
PID:5516

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
7⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5616

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
7⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1900

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
7⤵
- Executes dropped EXE
PID:2748

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
7⤵
- Creates scheduled task(s)
PID:5388

C:\Windows\windefender.exe
"C:\Windows\windefender.exe"
7⤵
- Executes dropped EXE
PID:6016

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
8⤵
PID:2284

C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
9⤵
- Launches sc.exe
- Suspicious use of AdjustPrivilegeToken
PID:5836

C:\Users\Admin\Pictures\3N9gUwxxysc7AYeKDBsNTOp3.exe
"C:\Users\Admin\Pictures\3N9gUwxxysc7AYeKDBsNTOp3.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2912

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1788

C:\Users\Admin\Pictures\3N9gUwxxysc7AYeKDBsNTOp3.exe
"C:\Users\Admin\Pictures\3N9gUwxxysc7AYeKDBsNTOp3.exe"
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4364

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:6008

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
6⤵
PID:4800

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
7⤵
- Modifies Windows Firewall
PID:5060

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
6⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5320

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5168

C:\Users\Admin\Pictures\scbwpeDE3KZUYtxcUeZUV0NJ.exe
"C:\Users\Admin\Pictures\scbwpeDE3KZUYtxcUeZUV0NJ.exe" --silent --allusers=0
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:3984

C:\Users\Admin\Pictures\scbwpeDE3KZUYtxcUeZUV0NJ.exe
C:\Users\Admin\Pictures\scbwpeDE3KZUYtxcUeZUV0NJ.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.40 --initial-client-data=0x2e0,0x2e4,0x2e8,0x2bc,0x2ec,0x6fdc21f8,0x6fdc2204,0x6fdc2210
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1480

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\scbwpeDE3KZUYtxcUeZUV0NJ.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\scbwpeDE3KZUYtxcUeZUV0NJ.exe" --version
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4800

C:\Users\Admin\Pictures\scbwpeDE3KZUYtxcUeZUV0NJ.exe
"C:\Users\Admin\Pictures\scbwpeDE3KZUYtxcUeZUV0NJ.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=3984 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240326012909" --session-guid=92242c2a-ed5f-4157-b360-481320ce9188 --server-tracking-blob=YzU1YmQzZTliOWU3ZjBlNDg3YTIyZjY1YjA2MzdkZDc1YzBhZTIzYzNlNmYyZjYwYmNiMWFmNzllODFmYzgxNzp7ImNvdW50cnkiOiJHQiIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijp7Im5hbWUiOiJvcGVyYSJ9LCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cy8/dXRtX21lZGl1bT1hcGImdXRtX3NvdXJjZT1ta3QmdXRtX2NhbXBhaWduPTc2NyIsInN5c3RlbSI6eyJwbGF0Zm9ybSI6eyJhcmNoIjoieDg2XzY0Iiwib3BzeXMiOiJXaW5kb3dzIiwib3BzeXMtdmVyc2lvbiI6IjEwIiwicGFja2FnZSI6IkVYRSJ9fSwidGltZXN0YW1wIjoiMTcxMTQxNjU0Ny4xNjE0IiwidXRtIjp7ImNhbXBhaWduIjoiNzY3IiwibWVkaXVtIjoiYXBiIiwic291cmNlIjoibWt0In0sInV1aWQiOiJkMTBiOTkyNS0zMjZjLTRmMjEtOTdkMi1iNTY2OTE4MDg3NTQifQ== --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=DC04000000000000
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Suspicious use of WriteProcessMemory
PID:3240

C:\Users\Admin\Pictures\scbwpeDE3KZUYtxcUeZUV0NJ.exe
C:\Users\Admin\Pictures\scbwpeDE3KZUYtxcUeZUV0NJ.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.40 --initial-client-data=0x2ec,0x2f0,0x2f4,0x2bc,0x2f8,0x6f1421f8,0x6f142204,0x6f142210
6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4648

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403260129091\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403260129091\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe"
5⤵
- Executes dropped EXE
PID:5400

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403260129091\assistant\assistant_installer.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403260129091\assistant\assistant_installer.exe" --version
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5712

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403260129091\assistant\assistant_installer.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403260129091\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.20 --initial-client-data=0x268,0x26c,0x270,0x244,0x274,0x710040,0x71004c,0x710058
6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1664

C:\Users\Admin\Pictures\eVQiQV7zHN9vRjKSniIFHd4B.exe
"C:\Users\Admin\Pictures\eVQiQV7zHN9vRjKSniIFHd4B.exe"
4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:60

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:5368

C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5428

C:\Windows\system32\netsh.exe
netsh wlan show profiles
4⤵
PID:5504

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\660967641992_Desktop.zip' -CompressionLevel Optimal
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:6000

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll, Main
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:2584

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:3588

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:3500

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:6060

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
3d086a433708053f9bf9523e1d87a4e8

SHA1
b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

SHA256
6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

SHA512
931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB

MD5
95e523caac223aac8420d006025dbc14

SHA1
3428cb1a4796d5720e67f1d70b56a20b29c1b7ec

SHA256
7cea2599974d6e840f5ca176f90001dbe7e4f64e47a7dc2dae515b4b470e2bba

SHA512
c8a3aee8e8f6b8cb51a4a5ff8d6ae8424b34d2ad8b57340f28c14f63f1bc24e03643a23255c4bf78df9e1e3475e5ffebafb4726b50ce4b88e2461b29badd80ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403260129091\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe
Filesize
2.5MB

MD5
20d293b9bf23403179ca48086ba88867

SHA1
dedf311108f607a387d486d812514a2defbd1b9e

SHA256
fd996b95ae46014edfd630bfc2bf8bc9e626adf883a1da017a8c3973b68ec348

SHA512
5d575c6f0d914583f9bb54f7b884caf9182f26f850da9bdd962f4ed5ed7258316a46fafaf3828dccb6916baaadb681fe1d175a3f4ed59f56066dc7e32b66f7b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403260129091\assistant\assistant_installer.exe
Filesize
1.9MB

MD5
b3f05009b53af6435e86cfd939717e82

SHA1
770877e7c5f03e8d684984fe430bdfcc2cf41b26

SHA256
3ea8d40fcede1fc03e5603246d75d13e8d44d7229d4c390c39a55534053027f7

SHA512
d2dee80aaa79b19f1eb1db85079a05f621780e06bfea9e838b62d757ba29399f9090ec7c6ff553377c9b712f3ba8dd812cdff39f3e28829928e86746a8ac6b27

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403260129091\assistant\dbgcore.DLL
Filesize
166KB

MD5
8b6f64e5d3a608b434079e50a1277913

SHA1
03f431fabf1c99a48b449099455c1575893d9f32

SHA256
926d444ffca166e006920412677c4ed2ef159cf0efc0578cb45b824f428f5eb2

SHA512
c9aeac62ece564ac64a894300fb9d41d13f22951ead73421854c23c506760d984dff0af92bef2d80f3a66e782f0075832e9c24a50ae6110d27a25c14e065b41c

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403260129091\assistant\dbghelp.dll
Filesize
1.7MB

MD5
925ea07f594d3fce3f73ede370d92ef7

SHA1
f67ea921368c288a9d3728158c3f80213d89d7c2

SHA256
6d02ebd4ec9a6093f21cd8ccefb9445fa0ab7b1f69ac868a5cfc5d28ed8d2de9

SHA512
a809851da820d9fdd8fb860a8f549311dcc2579df2c6f6fba74f50d5d8bf94baa834b09fb5476ac248f18d1deb6b47d4fdd6d658889d5d45ca8774a9264483d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403260129091\opera_package
Filesize
8.1MB

MD5
407f9d4f7a6112f056a8bb7198dbc521

SHA1
edec58ebe573724325139a25322678a029f4a71f

SHA256
fd3f43ac261a25eb2cc6231998a2d1227ba59011be2cfa5e3d0b3269eb38554a

SHA512
8d42470e9044d009d1d99ef3448a2c6246d091af6f47295bc362e8261177cf311e30c6f2a811d2fff856c107710bae22cab6950d7472c16aeebb004689a1054c

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\scbwpeDE3KZUYtxcUeZUV0NJ.exe
Filesize
960KB

MD5
b0b3efa48df9e27c04fbbc1671f21ded

SHA1
c70cc984b46e3dcc219f581d9f261537b8fc3dd0

SHA256
6428a93acf31b4015c242cefbc93d71a8920c11fa90798145736762460a3ea2a

SHA512
c827d07e7d7a12a456abb4cfaac93b56404a0fb93e79f63180be731717c9f3b2baf36a098ec608d3ca8629cdd75485deb058626b11e84049055bfdb84096adc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000091001\un300un.exe
Filesize
4.1MB

MD5
8803d74d52bcda67e9b889bd6cc5823e

SHA1
884a1fa1ae3d53bc435d34f912c0068e789a8b25

SHA256
627e36dea92cbdd49fcee34c18a29884010a72b5b004c89df90c19a50303a2b3

SHA512
c190ca373875789477a755f6246565bc7cb5744f1d5f62037e71d3595c1023f587f34a2437d9691ad96cde789026b7c2896110935e58cc2f1498cfea5d0d9564

Download Submit
C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe
Filesize
413KB

MD5
d467222c3bd563cb72fa49302f80b079

SHA1
9335e2a36abb8309d8a2075faf78d66b968b2a91

SHA256
fedb08b3ec7034a15e9dee7ed4dec1a854fb78e74285e1ee05c90f9e9e4f8b3e

SHA512
484b6c427e28193ddb73dd7062e2bfbd132ddc72ce4811bfe08784669de30e4b92bc27140373f62a4ce651401000a3c505188620c43da410bf6b0799a0791fa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2403260129095013984.dll
Filesize
1.3MB

MD5
5b7750160c2fd0381a655cde5f69c124

SHA1
93c373652aaf69155622a515a29f89095d539e45

SHA256
6642a85184eec3fdb0f9ab26b5b58ef453d6a612f20938b10125dea83326de7c

SHA512
41615c4eca3c8ebf948036fdd7ce352a84cde04816987832f9d36831af97b02ac933ab5bf21074670bfc0a9ef9fa91de0ae06ce84fd5a223a6797561bcca9545

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2403260129096241480.dll
Filesize
969KB

MD5
2d0d87231cb35b21c6cb173bf374be88

SHA1
c7029f19867172baab9118c24b8036aa16f718f0

SHA256
444a27d475285af141ada3cec2572e7c09b149e47998b2a8342f2306bc7c97da

SHA512
33aa607e8635433f5eb3e68bcb1558f2be083d0facdcbc500fc38c319c5518782345a7ced71a84565466225ada6dce63c0e34c364a00937bffa45457a3ccdb11

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2403260129098054800.dll
Filesize
980KB

MD5
766a1567762332c8e23c4b8e74699ff4

SHA1
40e4d676e7a82a0efd8a231b3f9375d8a4eb1325

SHA256
a2aa6427f15a1db06a27d7ccf210416e4a4d1eb56fdea560cf88dfd180dc47e3

SHA512
4aa784dd5f56c7ae2444b72295b956a0c9e1f4e28ef3aa72b567a2c6330fcfc31022a61e21a32611fad450531db4eed5248afa2239156f5fe8768e05c2b9614d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2403260129098054800.dll
Filesize
865KB

MD5
2e4fe8984b1d1fd3b500be1bd1704721

SHA1
201b57ae48307d9e7c7ae5a15e3208b2dc7dbfd5

SHA256
955f197ed3f1d06df6d5439680132900f6d964d613521982e9da5abf1cbe30f4

SHA512
e48227131175e585c55c9664cce9990a5d145d1152d72541527a6f650ee6426d7e04d5c70972b3f7165f2cef0c6c297ea06b234ace53678c3ec86dce2c6c1459

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2403260129099993240.dll
Filesize
912KB

MD5
e62e4bf1326d4660a4ef76e0973f58fb

SHA1
3b945a6b93fe793345a5e8860e1c1e587832f97a

SHA256
8a20ddb665e8592a683d1c028a9d87ef87f712a3cb38659e0a59b582efaeb769

SHA512
8469ba1173f3e99ecd5825a0ba413cd85cd12194c8ba60b78f426eb559f46512a3ab7636916acf025a1c313bcb02652eb331bf4e8dbf9991f3f6ecc4811683c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2403260129100624648.dll
Filesize
640KB

MD5
d3edf5bfea32dd835282ef83bd2e79c9

SHA1
7f18ab500f5d846eceb47fd47d12010d1b74d84d

SHA256
6d9eb448f00b0764b7f383bafb72198b5dc7f4b34e690ff18a07052f4b714637

SHA512
e261222841709e3a5b63ad248a9f67e7e82ccc754493e8d2ddf1b8ab4f36d84b98d1cf8ac3d706c620cebdecf5576dc237a121b34f5adc6824abe1a0c79c2f0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wmhye4ic.r5x.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
Filesize
281KB

MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.dat
Filesize
40B

MD5
d201b8aee0ffb9d9049bc551abc46d64

SHA1
133b078d61d079f8d8ae57b6789b49dedb883c90

SHA256
ae3fdba7f1a41d435f46791af76f8c720b17d13ce3c44a8c395daf5f87148d81

SHA512
8d31231e7d4ab10dd686c5b870f26485348863739f58bdf3b5cd2807109d0fef1030c250d4a11d794c1a57a0a00cbfc1691f0d12e2cb45f16b2a88cce105834f

Download Submit
C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll
Filesize
109KB

MD5
154c3f1334dd435f562672f2664fea6b

SHA1
51dd25e2ba98b8546de163b8f26e2972a90c2c79

SHA256
5f431129f97f3d56929f1e5584819e091bd6c854d7e18503074737fc6d79e33f

SHA512
1bca69bbcdb7ecd418769e9d4befc458f9f8e3cee81feb7316bb61e189e2904f4431e4cc7d291e179a5dec441b959d428d8e433f579036f763bbad6460222841

Download Submit
C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll
Filesize
1.2MB

MD5
f35b671fda2603ec30ace10946f11a90

SHA1
059ad6b06559d4db581b1879e709f32f80850872

SHA256
83e3df5bec15d5333935bea8b719a6d677e2fb3dc1cf9e18e7b82fd0438285c7

SHA512
b5fa27d08c64727cef7fdda5e68054a4359cd697df50d70d1d90da583195959a139066a6214531bbc5f20cd4f9bc1ca3e4244396547381291a6a1d2df9cf8705

Download Submit
C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll
Filesize
1.0MB

MD5
b0977410c4aebed9c773892b952b512f

SHA1
dbb2c2234c0ac3dbf9a6a83791750d7d9b640e29

SHA256
e8570b1ea127178b358a7de0d6ecedf89eaa8f8698392bd27161e4cc671da362

SHA512
829d583b72080077dc311ada553890484904056321311d566b055f950950dbe95110c5efeb1031466305edb9cfcfc11d986a2e75a535fd420d670030157bf00f

Download Submit
C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll
Filesize
994KB

MD5
a317ff918eb4339af25002952b367f7a

SHA1
e9734b1abf485a990f3ce753682f213bcf7c36f7

SHA256
a81c471017effba5f932cb65c609e29aafcfb73aca47acc775a4f88d55c7cdb0

SHA512
3ea62fcba5a07b21beeda8f6dea447d35dd3c034abee2bdfa1b3df740d012cf8ef0eafb05e10be50bc38c87f74855ee68ae0aa054ef6bda60537d4b6c309a637

Download Submit
C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll
Filesize
1.2MB

MD5
6f05b6e9be788120933b83f9ff72f046

SHA1
34b8ad78ecae26322cb67c9a06b58018a250640a

SHA256
cf08f06de9a442491c48f3c158556f106f11942ace061195b9b0c936288749ec

SHA512
9c78666e95a66b8d1e1c1efb6c17257801169f4015e5ea73df0e65d7271872918f0b673f4a51528e3186d0d56f753576d59ac4560dd70701280d271678639c4f

Download Submit
C:\Users\Admin\Pictures\3N9gUwxxysc7AYeKDBsNTOp3.exe
Filesize
1.6MB

MD5
5c7a49ab917745dcd77eb9ab1b6d5c71

SHA1
7810b368471b1d8baf4df7207e7f996533258508

SHA256
e0565478f501d8028fa601399f5d598a136747d1d645483bf2c974087593457a

SHA512
df2f0dc30bc34f7218c7e9fa42004d3e9e7ceefb0a7c09454773a5f222c7f345de854583d1e1c0fe4ebd696d83e4efbc077a8a28a791e0f85a31316a4fa4b37c

Download Submit
C:\Users\Admin\Pictures\3N9gUwxxysc7AYeKDBsNTOp3.exe
Filesize
1.4MB

MD5
c205b8026ea20e76151ab617b7504921

SHA1
95dc96e68af7c8ff9f2689d2d3328d8ba9e4fd31

SHA256
c9084c6b48175fbc19b1a7e2bf1a197296d9f3013efec593e2bff68097fc9290

SHA512
73b67f83bd66b4a8c8368621edd3736281b835ff77380eee403e2b8ab92715722b385dffc1d11ce4c7279f3d5fec417b5645494fe51d4d0066a6a223acf219cc

Download Submit
C:\Users\Admin\Pictures\3N9gUwxxysc7AYeKDBsNTOp3.exe
Filesize
1.3MB

MD5
dee8eb90b51bdf00af484072ad743c62

SHA1
23f40281f1502cfdfddea8e8a0631e641c37e8a8

SHA256
34694302c8a726be524070d70af78be6e0894e8ca8e0600a854e4bc371b9e527

SHA512
a86b79ac22e689f4b249feb5dc0a4a7c4d9badf2e0988c6af0846ab52a90b5cd7989325d9d3e4bfb77280e5cdf2ee1f3dc426743ff03f7c2cae11f64b50b554e

Download Submit
C:\Users\Admin\Pictures\3N9gUwxxysc7AYeKDBsNTOp3.exe
Filesize
1.2MB

MD5
7c358ffa5eec3685abb86214b3eaefbc

SHA1
b7871f8e62b0fa7e026f9bf0e7fc27826ea44d35

SHA256
2da66febbd915a1bf7c0763d199d51dd6f9c030c1983a641ac6b4465a7b3b45a

SHA512
eb81cbf37158a790eee44c8c9c8624a78698669304bdd08e810c987d92eafc4b17a2ad7dbc43d1db50884dbb09b91680a6c1e1a9c5bd23c0504ba083e66baeb9

Download Submit
C:\Users\Admin\Pictures\928bRb1JmS4sUtGXt1c5xOjO.exe
Filesize
7KB

MD5
5b423612b36cde7f2745455c5dd82577

SHA1
0187c7c80743b44e9e0c193e993294e3b969cc3d

SHA256
e0840d2ea74a00dcc545d770b91d9d889e5a82c7bedf1b989e0a89db04685b09

SHA512
c26a1e7e96dbd178d961c630abd8e564ef69532f386fb198eb20119a88ecab2fe885d71ac0c90687c18910ce00c445f352a5e8fbf5328f3403964f7c7802414c

Download Submit
C:\Users\Admin\Pictures\eVQiQV7zHN9vRjKSniIFHd4B.exe
Filesize
492KB

MD5
553b5636aabaffff3589612862e1e110

SHA1
3b2f837cf09fe1c685050bfeea3c6ab92e2748a8

SHA256
bfedc6e4052e841a0da52618d371beb06d29d370d3a9de5c41ff5cac545ad6a9

SHA512
13ff05e65937f104fdc77d44fb22b9a195d2faf227a65dcbe735d9201da9187d714edd084d21ff8167a01e889768d6e2688bc923a122af57f2c00ec093c93d3f

Download Submit
C:\Users\Admin\Pictures\eVQiQV7zHN9vRjKSniIFHd4B.exe
Filesize
495KB

MD5
fb61d88e515be87617b3cca551ec6103

SHA1
f1e7c28f9e632498af122b868e554fddd49ae5a1

SHA256
b084ecef366211753006a93069d98a0ec36c2f3447966aa4bfd0af1abd207f37

SHA512
c040ae036180373ade687cddda08676f080ebb33b830399e9a704a7d50316c4fdea192ebaa6ee86a7bdafecf60004da938e86c8e2b2b5651948453296b580654

Download Submit
C:\Users\Admin\Pictures\jbTaxnCCbJNjXa55WvOgVQPK.exe
Filesize
4.2MB

MD5
16ba0152d22360d4e1c2b782cde6dc52

SHA1
26a0cbce35fbd6ed02ff8d59e59656ecfd799da1

SHA256
28048e60571fa0ae2c5703a500f9b83d7427c376a6d44b13bf2d13df26c6a9e5

SHA512
7b3fb5c0065ae788a86f5ae439f6ad1f6bbb38b1f9039077f73fed84d57282bf331118a88eed5750c44a781a7ff231d2297e333d22b8e03353987513d0bb56e5

Download Submit
C:\Users\Admin\Pictures\jbTaxnCCbJNjXa55WvOgVQPK.exe
Filesize
3.9MB

MD5
7db27ef22b49b8bab99285cd9447c700

SHA1
1be93278e97954d8634d77c04b752d3c521b59ac

SHA256
279920c847e2abb523eb7a51979b48b5007e818f4b24e8d64da2649717a868f9

SHA512
f89688bbc7ef95fdf3e556d64dca93371000bffe8e54205c43ae3f1de504735e7358326cc43b6039ad2836f6a8a7855f54c771f049e0a709a289d94d6bd1c66e

Download Submit
C:\Users\Admin\Pictures\scbwpeDE3KZUYtxcUeZUV0NJ.exe
Filesize
1024KB

MD5
e5b17b4bfb9ac31189176e4f0965a626

SHA1
f9ded3ec7297625c343e1ec05dbe2a554076f193

SHA256
176f88a7023bcd2c146a6187c14854bd57f8cd13637ad97cb39f5f6d0c8b8a6b

SHA512
6e74344a5b816ac119a6988d148e1701effd29dde9705109976f42d559b867bd8d77096f50cc7eadb59aa656bf4b25440f2c3fcc6da54dba04146b411c1ce4c3

Download Submit
C:\Users\Admin\Pictures\scbwpeDE3KZUYtxcUeZUV0NJ.exe
Filesize
740KB

MD5
3eca91b2667fbf2e9350e4d35e7237b2

SHA1
12be2e5913109dc714b825dd37a374be34a4d43b

SHA256
61bdd4bda3fe7b93a29967d736f28e62bd995f5bd73e3e587c49ce9544bbe43a

SHA512
f2f04f9188833ae1c3898bc08a56f9ab786bb1a0b043ba4f93c6ab68f33922bf47a358d40fb292f5cd9db54561d6e08b52f04b294d8ebb422d6251a172b49075

Download Submit
C:\Users\Admin\Pictures\scbwpeDE3KZUYtxcUeZUV0NJ.exe
Filesize
453KB

MD5
a8cd93fb0f394bf64944e8a39dc83599

SHA1
8a4b241e3fd9bd11ba3595281071dee46b2cdcc0

SHA256
970aa2bde6d138aaafe3d88090c24270a1251ae3c09ff843dc1e17cbd0cfe131

SHA512
58fb245feff9fc35d79b6126e3b9969f5edc76f84dfa92b599f0404049425cd4083aa8d34f204965487c28cac2199f0e89678f619e00f3d57949b3b56ef51538

Download Submit
C:\Users\Admin\Pictures\scbwpeDE3KZUYtxcUeZUV0NJ.exe
Filesize
1.5MB

MD5
4ea6fa7640a56bd0d60752973db8e570

SHA1
0fe8f6b54933928aea3ddb464bd941bf7c6d7897

SHA256
a88caaf2fef9a27fdcf544f5d2d67878be90a44302846d36c1fbb0239b88c1a0

SHA512
b52de46d170c2d854df073071ee5291bd2eb8eb6f1e24dea529a68cfa55df304584718de0c2e47f961ab3de4e58f3f0aa40efcd4f5650d3adab90a8cf9601eb7

Download Submit
C:\Users\Admin\Pictures\scbwpeDE3KZUYtxcUeZUV0NJ.exe
Filesize
2.2MB

MD5
0059606018fbabe4f419e9f8de405052

SHA1
de065854167171fb7bce13545cea2b55ba39bbe8

SHA256
2954d6d8803cdd198d28a8b120926f8af0feece16aec32e26f50658e471d3adb

SHA512
8f11b3d17b6c502adb4b6a03a955d54289394fd73016782a76d39805b75c13c018835de459df35c3a99393422ec4ec643787b1b1192f35b7592ff5445a2bb185

Download Submit
C:\Users\Admin\Pictures\scbwpeDE3KZUYtxcUeZUV0NJ.exe
Filesize
1.2MB

MD5
bc6089c5d8d5758596df7bbfd85a4275

SHA1
52939c774425f55c659a040d119d19c328270be5

SHA256
fd8f64dd5a53a97eb21eca39c3068db0c8ee2c72a61696bb45f48ff870827b82

SHA512
29293d1a22bf4d95dc4fa910f979cc9d43e44a71af31be8073bf53d2c938e3b461aca6f9498a53a46fe6645322d0ed789651aba6a7685a85f44556f3fbddc3b4

Download Submit
C:\Users\Admin\Pictures\xizhpn716a7N0zUyHhvLvKfQ.exe
Filesize
1.2MB

MD5
f40198d55c9b6975ca69d55880731d53

SHA1
f1fb87242191c30e998af41815cabdb90b6bb055

SHA256
d549f4ee639de44d4295e2c6aec22185bc622b57ab2f7de1a9b5a0517da3eedf

SHA512
55501159a6df40a6d6a530ae58144a03465be1577de2363dd288147b6ffaea843f62c139acb703c8c9a002aa3a18bdc01447c94afc07e4ecbf8ca6a7b53a564d

Download Submit
C:\Users\Admin\Pictures\xizhpn716a7N0zUyHhvLvKfQ.exe
Filesize
2.3MB

MD5
0c77b2322dc46452aab82b72755fb83d

SHA1
675cfa35dee3117e63d5f3eb7c0fd732ccc0e29e

SHA256
41d9e0419e5233880417a0ed556cc1c7956dd212112ca9a54aa45278806c10f4

SHA512
97745386a30e1f40e38976b907cc850aab6044bdd6e99361a769294bacb9804298399e71ca32600c628fdd4fedb8d092b7736ab20998078da79f8a981d6f0217

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB

MD5
255b49b4a1e6d098679f40284dab170c

SHA1
1200b25858d07c98026cd51fa1b06007cbe2d9dd

SHA256
5f673d7a1a72554c114a4239d207166f0e673bc9a498964c897c0ea80d381b17

SHA512
7e4b23e9d63a98f1061009aef2df521b6e3380bcf0a7ff53e042a38df34b707031fdca7b7df007a752b1c6885576f07d33c6091e52a9d229df246e3375ad529c

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB

MD5
9e614a2d3ddf8a7001bfbe8dbeecacb1

SHA1
64fc7db1a777d6921ba8c54b24255945affb0b1a

SHA256
7afb174aafd0f7cdeb1de3444585ccd6170fc36075bf1d4ce9aa5c9b33f8cf5e

SHA512
10308cb3b4d67dba399816f095e078de67308a3645ad741795643aaf05a1ea08e83dd08697f063e59077c42c9f236357f8ba0efaa2802f443f3d63674ba14a88

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB

MD5
92973bb42d168b7cd86c8fefdf9a2c2e

SHA1
f5bc2a95de12893af3cbaad35548f623af2e7e8e

SHA256
adf68667884b6cb33fde70bd9e52a705ac59176ba2ffbc3d33214dba66dd8931

SHA512
e4c6d736926cfb43a18264a56224c14342d7a52babf930a1df13ce710cee0b20210850f0b4fca0ab0d9894e223951ebbaad5232157f35a0994a8248e0ff87637

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB

MD5
c9333eecddb685bf635eba4da80da705

SHA1
ad7c7bf1b0b9027398bd01283495dcf2e5905a8f

SHA256
103be9f97391cbc9eaad1946a7dcc973f4faf2b9da7410c1a7bd9b3420c04306

SHA512
cb19c406d962b9066bbccd44cdadee987718c3c0537ed7d1763599cdb3968b1e5df78b6e54a751359d4b464a824e5559da51eab469f6779309adc408d3dd53e5

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB

MD5
71c556753ba1890a888adf0897a7a5ad

SHA1
c17d921dd596c227c4483d1973f213596ba94b3b

SHA256
39873a423f61ec6fce8216f85a069920156751b5b738e93868d400bbe927a1e4

SHA512
911242009c776614af00965148d134a4c2a7c4e89035ef1ffe98eff3a64d967d46351d24428fd4bbb4328cd22b52f12e041acfe5aba4b8444c192b0c6ed4a890

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB

MD5
6b4ae908ea9513d55e422c89d817dc9a

SHA1
fa0aa7a397a6a65f7e5455eda99ceca2fa7165ba

SHA256
552267dc75d58ccd7f2a95c398b151e755db41aba826c265aa28145f9af3d664

SHA512
d636d526459e9cb6c8af6c10a80ef43f2fc902b41350f9618b1d4d7c074be40094e57a2c94ce8a23cc5ca0f3823ce842f2e05c5d5b566035a5d4089e183aaff9

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB

MD5
7a636389abf85cbc2ce06b3ac5ffb098

SHA1
6407a5ec22f534e42f77f373178c044b1db87f7a

SHA256
cdff3bf27a0fb8ab99ec0b81b8a78a2ec7545a1680f307cfe30fd06e2ce4bf63

SHA512
e232e90d4df9196f3d19904aba5d77730051bcdba3c6c9208e6ebeb377a55e283373209f8f8b951859704d7038f015d23a92f4920ee252bd5baec6789b1ab8d0

Download Submit
C:\Windows\System32\GroupPolicy\gpt.ini
Filesize
127B

MD5
8ef9853d1881c5fe4d681bfb31282a01

SHA1
a05609065520e4b4e553784c566430ad9736f19f

SHA256
9228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2

SHA512
5ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005

Download Submit
C:\Windows\windefender.exe
Filesize
2.0MB

MD5
8e67f58837092385dcf01e8a2b4f5783

SHA1
012c49cfd8c5d06795a6f67ea2baf2a082cf8625

SHA256
166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

SHA512
40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Download Submit
memory/60-154-0x00007FF639050000-0x00007FF639A67000-memory.dmp

Filesize
10.1MB

Download
memory/60-144-0x00007FF639050000-0x00007FF639A67000-memory.dmp

Filesize
10.1MB

Download
memory/60-151-0x00007FF639050000-0x00007FF639A67000-memory.dmp

Filesize
10.1MB

Download
memory/60-300-0x00007FF639050000-0x00007FF639A67000-memory.dmp

Filesize
10.1MB

Download
memory/60-146-0x00007FFD20C90000-0x00007FFD20F59000-memory.dmp

Filesize
2.8MB

Download
memory/60-149-0x00007FF639050000-0x00007FF639A67000-memory.dmp

Filesize
10.1MB

Download
memory/60-141-0x00007FF639050000-0x00007FF639A67000-memory.dmp

Filesize
10.1MB

Download
memory/60-169-0x00007FFD23150000-0x00007FFD23345000-memory.dmp

Filesize
2.0MB

Download
memory/60-148-0x00007FFD00000000-0x00007FFD00002000-memory.dmp

Filesize
8KB

Download
memory/60-147-0x00007FF639050000-0x00007FF639A67000-memory.dmp

Filesize
10.1MB

Download
memory/60-143-0x00007FF639050000-0x00007FF639A67000-memory.dmp

Filesize
10.1MB

Download
memory/60-145-0x00007FFD00030000-0x00007FFD00031000-memory.dmp

Filesize
4KB

Download
memory/60-150-0x00007FF639050000-0x00007FF639A67000-memory.dmp

Filesize
10.1MB

Download
memory/592-81-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/592-174-0x0000000002AF0000-0x0000000002EF5000-memory.dmp

Filesize
4.0MB

Download
memory/592-259-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/592-470-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/592-73-0x0000000002F00000-0x00000000037EB000-memory.dmp

Filesize
8.9MB

Download
memory/592-70-0x0000000002AF0000-0x0000000002EF5000-memory.dmp

Filesize
4.0MB

Download
memory/920-275-0x00000000070D0000-0x00000000070DA000-memory.dmp

Filesize
40KB

Download
memory/920-231-0x000000006DFF0000-0x000000006E03C000-memory.dmp

Filesize
304KB

Download
memory/920-176-0x0000000004880000-0x0000000004890000-memory.dmp

Filesize
64KB

Download
memory/920-271-0x0000000007060000-0x000000000707A000-memory.dmp

Filesize
104KB

Download
memory/920-272-0x000000007EFF0000-0x000000007F000000-memory.dmp

Filesize
64KB

Download
memory/920-269-0x0000000007680000-0x0000000007CFA000-memory.dmp

Filesize
6.5MB

Download
memory/920-177-0x0000000073A70000-0x0000000074220000-memory.dmp

Filesize
7.7MB

Download
memory/920-233-0x000000006E040000-0x000000006E394000-memory.dmp

Filesize
3.3MB

Download
memory/1480-105-0x0000000000EB0000-0x00000000013E8000-memory.dmp

Filesize
5.2MB

Download
memory/1788-170-0x0000000005210000-0x0000000005220000-memory.dmp

Filesize
64KB

Download
memory/1788-270-0x000000007F700000-0x000000007F710000-memory.dmp

Filesize
64KB

Download
memory/1788-229-0x0000000006840000-0x000000000688C000-memory.dmp

Filesize
304KB

Download
memory/1788-230-0x0000000007650000-0x0000000007682000-memory.dmp

Filesize
200KB

Download
memory/1788-167-0x00000000030D0000-0x0000000003106000-memory.dmp

Filesize
216KB

Download
memory/1788-172-0x0000000073A70000-0x0000000074220000-memory.dmp

Filesize
7.7MB

Download
memory/1788-171-0x0000000005850000-0x0000000005E78000-memory.dmp

Filesize
6.2MB

Download
memory/1788-245-0x0000000006980000-0x000000000699E000-memory.dmp

Filesize
120KB

Download
memory/1788-256-0x0000000007890000-0x0000000007933000-memory.dmp

Filesize
652KB

Download
memory/1788-175-0x0000000005210000-0x0000000005220000-memory.dmp

Filesize
64KB

Download
memory/1788-295-0x0000000005210000-0x0000000005220000-memory.dmp

Filesize
64KB

Download
memory/1788-189-0x00000000057E0000-0x0000000005802000-memory.dmp

Filesize
136KB

Download
memory/1788-232-0x000000006DFF0000-0x000000006E03C000-memory.dmp

Filesize
304KB

Download
memory/1788-234-0x000000006E040000-0x000000006E394000-memory.dmp

Filesize
3.3MB

Download
memory/1788-205-0x0000000006110000-0x0000000006176000-memory.dmp

Filesize
408KB

Download
memory/1788-209-0x0000000006220000-0x0000000006574000-memory.dmp

Filesize
3.3MB

Download
memory/1788-228-0x0000000006680000-0x000000000669E000-memory.dmp

Filesize
120KB

Download
memory/1788-207-0x00000000061B0000-0x0000000006216000-memory.dmp

Filesize
408KB

Download
memory/2472-206-0x0000000073A70000-0x0000000074220000-memory.dmp

Filesize
7.7MB

Download
memory/2472-276-0x0000000002E90000-0x0000000002EA0000-memory.dmp

Filesize
64KB

Download
memory/2472-278-0x0000000002E90000-0x0000000002EA0000-memory.dmp

Filesize
64KB

Download
memory/2472-277-0x0000000007DE0000-0x0000000007E76000-memory.dmp

Filesize
600KB

Download
memory/2472-208-0x0000000002E90000-0x0000000002EA0000-memory.dmp

Filesize
64KB

Download
memory/2472-290-0x0000000007D40000-0x0000000007D51000-memory.dmp

Filesize
68KB

Download
memory/2472-257-0x000000006DFF0000-0x000000006E03C000-memory.dmp

Filesize
304KB

Download
memory/2472-258-0x000000006E040000-0x000000006E394000-memory.dmp

Filesize
3.3MB

Download
memory/2912-79-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2912-274-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2912-472-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2912-75-0x0000000002BC0000-0x0000000002FC4000-memory.dmp

Filesize
4.0MB

Download
memory/2912-202-0x0000000002BC0000-0x0000000002FC4000-memory.dmp

Filesize
4.0MB

Download
memory/2912-76-0x0000000002FD0000-0x00000000038BB000-memory.dmp

Filesize
8.9MB

Download
memory/2912-235-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2924-26-0x0000000073A70000-0x0000000074220000-memory.dmp

Filesize
7.7MB

Download
memory/2924-25-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2924-168-0x0000000073A70000-0x0000000074220000-memory.dmp

Filesize
7.7MB

Download
memory/2924-173-0x0000000004E70000-0x0000000004E80000-memory.dmp

Filesize
64KB

Download
memory/2924-27-0x0000000004E70000-0x0000000004E80000-memory.dmp

Filesize
64KB

Download
memory/3240-137-0x0000000000EB0000-0x00000000013E8000-memory.dmp

Filesize
5.2MB

Download
memory/3476-91-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/3476-200-0x0000000002A20000-0x0000000002E26000-memory.dmp

Filesize
4.0MB

Download
memory/3476-471-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/3476-273-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/3476-74-0x0000000002A20000-0x0000000002E26000-memory.dmp

Filesize
4.0MB

Download
memory/3476-255-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/3984-95-0x0000000000EB0000-0x00000000013E8000-memory.dmp

Filesize
5.2MB

Download
memory/4364-578-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/4364-661-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/4432-691-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/4432-734-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/4648-140-0x0000000000EB0000-0x00000000013E8000-memory.dmp

Filesize
5.2MB

Download
memory/4800-113-0x0000000000720000-0x0000000000C58000-memory.dmp

Filesize
5.2MB

Download
memory/4800-110-0x0000000000720000-0x0000000000C58000-memory.dmp

Filesize
5.2MB

Download
memory/5684-785-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/5684-802-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/5684-811-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/5700-635-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/5700-579-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/6000-288-0x0000026C12120000-0x0000026C12142000-memory.dmp

Filesize
136KB

Download
memory/6000-292-0x0000026C12100000-0x0000026C1210A000-memory.dmp

Filesize
40KB

Download
memory/6000-291-0x0000026C2AEE0000-0x0000026C2AEF2000-memory.dmp

Filesize
72KB

Download
memory/6016-801-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/6060-812-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download