redline | 16930620b3b9166e0ffbd98f5d5b580c9919fd6ccdcc74fb996f53577f508267

Analysis

max time kernel
149s
max time network
149s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
19-09-2024 04:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

New Text Document mod.exe
Size

8KB
MD5

69994ff2f00eeca9335ccd502198e05b
SHA1

b13a15a5bea65b711b835ce8eccd2a699a99cead
SHA256

2e2e035ece4accdee838ecaacdc263fa526939597954d18d1320d73c8bf810c2
SHA512

ced53147894ed2dfc980bcb50767d9734ba8021f85842a53bb4bb4c502d51b4e9884f5f74c4dd2b70b53cafbe2441376675f7bd0f19bb20a3becb091a34fb9f3
SSDEEP

96:y7ov9wc1dN1Unh3EHJ40CUJCrQt0LpCBIW12nEtgpH9GIkQYQoBNw9fnmK5iLjTv:yZyTFJfCB20LsBIW12n/eIkQ2BNg5S1

Score

10^/10

redline rhadamanthys sectoprat stealc xmrig logsdiller cloud (tg: @logsdillabot)rave credential_access discovery evasion execution infostealer miner persistence rat spyware stealer trojan

Malware Config

Extracted

Family

stealc

Botnet

rave

http://185.215.113.103

Attributes

url_path
/e2b1563c6670f193.php

Extracted

Family

rhadamanthys

https://94.131.99.108:8899/e2eb98731b48eb55a/b8fkfuft.w7s34

Extracted

Family

redline

Botnet

LogsDiller Cloud (TG: @logsdillabot)

193.233.255.84:4284

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 5 IoCs

Processes:

resource	yara_rule
behavioral3/memory/3736-801-0x0000000000400000-0x0000000000452000-memory.dmp	family_redline
behavioral3/memory/3660-910-0x00000000048F0000-0x0000000004960000-memory.dmp	family_redline
behavioral3/memory/3660-908-0x0000000004610000-0x0000000004682000-memory.dmp	family_redline
behavioral3/memory/10052-2556-0x0000000000850000-0x0000000000894000-memory.dmp	family_redline
behavioral3/memory/10052-2555-0x0000000001F70000-0x0000000001FB6000-memory.dmp	family_redline

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 2 IoCs

Processes:

resource	yara_rule
behavioral3/memory/2744-464-0x0000000000400000-0x00000000004C6000-memory.dmp	family_sectoprat
behavioral3/memory/2744-463-0x0000000000400000-0x00000000004C6000-memory.dmp	family_sectoprat

Stealc
Stealc is an infostealer written in C++.
stealer stealc
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

rar.exe

description pid process target process

PID 3316 created 1176 3316 rar.exe Explorer.EXE
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

game.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ game.exe

description	pid	process	target process
PID 3316 created 1176	3316	rar.exe	Explorer.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	game.exe

XMRig Miner payload 16 IoCs

miner

Processes:

resource	yara_rule
behavioral3/memory/2396-502-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral3/memory/2396-504-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral3/memory/2396-506-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral3/memory/2396-510-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral3/memory/2396-512-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral3/memory/2396-508-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral3/memory/2396-507-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral3/memory/2396-505-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral3/memory/2396-503-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral3/memory/2396-501-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral3/memory/2396-515-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral3/memory/2396-516-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral3/memory/2396-514-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral3/memory/2396-513-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral3/memory/2396-517-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral3/memory/2396-518-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Downloads MZ/PE file
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

.NET Reactor proctector 2 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

Processes:

resource	yara_rule
behavioral3/memory/3660-910-0x00000000048F0000-0x0000000004960000-memory.dmp	net_reactor
behavioral3/memory/3660-908-0x0000000004610000-0x0000000004682000-memory.dmp	net_reactor

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

game.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	game.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	game.exe

Executes dropped EXE 29 IoCs

Processes:

66eb0d09c9f08_Gads.exe66eaf17e9bd9e_Softwarepaxck.exegame.exe66eaee5323f5d_setup3.exe231.exe231.tmp231.exe231.tmpAutoIt3.exe66ea645129e6a_jacobs.exeAutoIt3.exeorpqcnvisucm.exeonePackage.exerandom.exegefox.exegefox.tmp66e9b62daa62d_xin.exerar.exe66e98ff1d44e2_crypted.exe66e6ea133c92f_crypted.exe66e57a08ef022_crypted.exe66e57196bb898_111.exe1.exe2.exe66e805302f63c_otr.exe66e8771a651d2_voewgngr.exezabardast-movie2024.mp3.exejekkyvideoeditor32_64.exe

pid	process
2600	66eb0d09c9f08_Gads.exe
672	66eaf17e9bd9e_Softwarepaxck.exe
2904	game.exe
1464	66eaee5323f5d_setup3.exe
2344	231.exe
2396	231.tmp
1168	231.exe
2216	231.tmp
1828	AutoIt3.exe
2980	66ea645129e6a_jacobs.exe
2804	AutoIt3.exe
476
2472	orpqcnvisucm.exe
1692	onePackage.exe
876	random.exe
696	gefox.exe
2032	gefox.tmp
2360	66e9b62daa62d_xin.exe
3316	rar.exe
3360	66e98ff1d44e2_crypted.exe
3436	66e6ea133c92f_crypted.exe
3596	66e57a08ef022_crypted.exe
3244	66e57196bb898_111.exe
3532	1.exe
3660	2.exe
10052	66e805302f63c_otr.exe
10200	66e8771a651d2_voewgngr.exe
4456	zabardast-movie2024.mp3.exe
4616	jekkyvideoeditor32_64.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

game.exe

description ioc process

Key opened \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Wine game.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Wine	game.exe

Loads dropped DLL 31 IoCs

Processes:

66eaee5323f5d_setup3.exe231.exe231.tmp231.exe231.tmpNew Text Document mod.execmd.exegefox.exegefox.tmp66e57196bb898_111.exeRegAsm.exe

pid	process
1464	66eaee5323f5d_setup3.exe
1464	66eaee5323f5d_setup3.exe
1464	66eaee5323f5d_setup3.exe
2344	231.exe
2396	231.tmp
2396	231.tmp
1168	231.exe
2216	231.tmp
2216	231.tmp
2152	New Text Document mod.exe
2152	New Text Document mod.exe
2724	cmd.exe
476
696	gefox.exe
2032	gefox.tmp
2032	gefox.tmp
2032	gefox.tmp
3244	66e57196bb898_111.exe
3244	66e57196bb898_111.exe
3244	66e57196bb898_111.exe
3244	66e57196bb898_111.exe
3244	66e57196bb898_111.exe
3244	66e57196bb898_111.exe
3244	66e57196bb898_111.exe
3244	66e57196bb898_111.exe
2152	New Text Document mod.exe
2152	New Text Document mod.exe
3764
2032	gefox.tmp
3536	RegAsm.exe
3536	RegAsm.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

AutoIt3.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\abbkkce = "\"C:\\eegeaeg\\AutoIt3.exe\" C:\\eegeaeg\\abbkkce.a3x"	AutoIt3.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

22 bitbucket.org
23 bitbucket.org
Power Settings 1 TTPs 8 IoCs
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
persistence

Power Settings
T1653

Processes:

powercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exe

pid process

2004 powercfg.exe
2920 powercfg.exe
2896 powercfg.exe
2620 powercfg.exe
2160 powercfg.exe
980 powercfg.exe
3040 powercfg.exe
576 powercfg.exe

flow	ioc
22	bitbucket.org
23	bitbucket.org

pid	process
2004	powercfg.exe
2920	powercfg.exe
2896	powercfg.exe
2620	powercfg.exe
2160	powercfg.exe
980	powercfg.exe
3040	powercfg.exe
576	powercfg.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\a\random.exe	autoit_exe

Enumerates processes with tasklist 1 TTPs 6 IoCs
discovery

Process Discovery
T1057

Processes:

tasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exe

pid process

2204 tasklist.exe
2184 tasklist.exe
2800 tasklist.exe
2856 tasklist.exe
1736 tasklist.exe
1660 tasklist.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

game.exe

pid process

2904 game.exe

pid	process
2204	tasklist.exe
2184	tasklist.exe
2800	tasklist.exe
2856	tasklist.exe
1736	tasklist.exe
1660	tasklist.exe

Suspicious use of SetThreadContext 9 IoCs

Processes:

AutoIt3.exeorpqcnvisucm.exe66e9b62daa62d_xin.exe66e6ea133c92f_crypted.exe66e98ff1d44e2_crypted.exe66e57a08ef022_crypted.exe1.exe66e8771a651d2_voewgngr.exe

description	pid	process	target process
PID 2804 set thread context of 2744	2804	AutoIt3.exe	MSBuild.exe
PID 2472 set thread context of 2168	2472	orpqcnvisucm.exe	conhost.exe
PID 2472 set thread context of 2396	2472	orpqcnvisucm.exe	svchost.exe
PID 2360 set thread context of 3216	2360	66e9b62daa62d_xin.exe	RegAsm.exe
PID 3436 set thread context of 3508	3436	66e6ea133c92f_crypted.exe	RegAsm.exe
PID 3360 set thread context of 3664	3360	66e98ff1d44e2_crypted.exe	RegAsm.exe
PID 3596 set thread context of 3736	3596	66e57a08ef022_crypted.exe	RegAsm.exe
PID 3532 set thread context of 9880	3532	1.exe	RegAsm.exe
PID 10200 set thread context of 3536	10200	66e8771a651d2_voewgngr.exe	RegAsm.exe

Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exe

pid process

1716 sc.exe
1504 sc.exe
2304 sc.exe
484 sc.exe
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
1716	sc.exe
1504	sc.exe
2304	sc.exe
484	sc.exe

System Location Discovery: System Language Discovery 1 TTPs 33 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

66eaee5323f5d_setup3.exe231.tmp66e57a08ef022_crypted.exeRegAsm.exe66eaf17e9bd9e_Softwarepaxck.exe231.exerandom.exerar.exe66e57196bb898_111.exegame.exePING.EXERegAsm.exedialer.exe2.exejekkyvideoeditor32_64.execmd.exe1.exe66e8771a651d2_voewgngr.exeRegAsm.exeAutoIt3.exegefox.exeRegAsm.exe66e805302f63c_otr.exeMSBuild.exe231.tmpAutoIt3.exegefox.tmp66e9b62daa62d_xin.exe231.exe66e98ff1d44e2_crypted.exeRegAsm.exeRegAsm.exe66e6ea133c92f_crypted.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	66eaee5323f5d_setup3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	231.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	66e57a08ef022_crypted.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	66eaf17e9bd9e_Softwarepaxck.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	231.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	random.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rar.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	66e57196bb898_111.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	game.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dialer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jekkyvideoeditor32_64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	66e8771a651d2_voewgngr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AutoIt3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gefox.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	66e805302f63c_otr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	231.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AutoIt3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gefox.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	66e9b62daa62d_xin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	231.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	66e98ff1d44e2_crypted.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	66e6ea133c92f_crypted.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
discovery

Internet Connection Discovery
T1016.001

Processes:

cmd.exePING.EXE

pid process

2724 cmd.exe
2792 PING.EXE

pid	process
2724	cmd.exe
2792	PING.EXE

Checks processor information in registry 2 TTPs 28 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AutoIt3.exefirefox.exefirefox.exefirefox.exeRegAsm.exefirefox.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AutoIt3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AutoIt3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe

Modifies registry class 4 IoCs

Processes:

firefox.exefirefox.exefirefox.exefirefox.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_Classes\Local Settings	firefox.exe

Modifies system certificate store 2 TTPs 20 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

RegAsm.exeNew Text Document mod.exeRegAsm.exeRegAsm.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	RegAsm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 040000000100000010000000324a4bbbc863699bbe749ac6dd1d46240f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a190000000100000010000000fd960962ac6938e0d4b0769aa1a64e262000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	New Text Document mod.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	New Text Document mod.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 19000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca61d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e4090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f006700690065007300000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a92000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	New Text Document mod.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064	RegAsm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0f000000010000002000000020d814fd5fc477ce74425e441d8f5b48d38db6f1dd119441bc35777689bd094c030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b0640200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e003000000000000b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f007200690074007900000020000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6	New Text Document mod.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 140000000100000014000000f352eacf816860c1097c4b852f4332dd93eb5d4f0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b0640f000000010000002000000020d814fd5fc477ce74425e441d8f5b48d38db6f1dd119441bc35777689bd094c20000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	RegAsm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	RegAsm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61	RegAsm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 190000000100000010000000dbd91ea86008fd8536f2b37529666c7b0f000000010000002000000020d814fd5fc477ce74425e441d8f5b48d38db6f1dd119441bc35777689bd094c030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b0640200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e003000000000000b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f0072006900740079000000140000000100000014000000f352eacf816860c1097c4b852f4332dd93eb5d4f20000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61	RegAsm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	New Text Document mod.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 0f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	New Text Document mod.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba870f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca619000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	New Text Document mod.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	New Text Document mod.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 0f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a2000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	RegAsm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 190000000100000010000000fd960962ac6938e0d4b0769aa1a64e26030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a1d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e709000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6502000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	New Text Document mod.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2792 PING.EXE

pid	process
2792	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

game.exe231.tmp66ea645129e6a_jacobs.exeMSBuild.exeorpqcnvisucm.exerar.exedialer.exeRegAsm.exeRegAsm.exeRegAsm.exe66e805302f63c_otr.exeRegAsm.exe

pid	process
2904	game.exe
2216	231.tmp
2216	231.tmp
2980	66ea645129e6a_jacobs.exe
2744	MSBuild.exe
2744	MSBuild.exe
2980	66ea645129e6a_jacobs.exe
2980	66ea645129e6a_jacobs.exe
2980	66ea645129e6a_jacobs.exe
2980	66ea645129e6a_jacobs.exe
2980	66ea645129e6a_jacobs.exe
2980	66ea645129e6a_jacobs.exe
2980	66ea645129e6a_jacobs.exe
2980	66ea645129e6a_jacobs.exe
2472	orpqcnvisucm.exe
2472	orpqcnvisucm.exe
2472	orpqcnvisucm.exe
2472	orpqcnvisucm.exe
2472	orpqcnvisucm.exe
2472	orpqcnvisucm.exe
2472	orpqcnvisucm.exe
2744	MSBuild.exe
3316	rar.exe
3316	rar.exe
3952	dialer.exe
3952	dialer.exe
3952	dialer.exe
3952	dialer.exe
3536	RegAsm.exe
3536	RegAsm.exe
3536	RegAsm.exe
3216	RegAsm.exe
3216	RegAsm.exe
3216	RegAsm.exe
3216	RegAsm.exe
3216	RegAsm.exe
3216	RegAsm.exe
3216	RegAsm.exe
3216	RegAsm.exe
3216	RegAsm.exe
3216	RegAsm.exe
3216	RegAsm.exe
3216	RegAsm.exe
3216	RegAsm.exe
3216	RegAsm.exe
3216	RegAsm.exe
3216	RegAsm.exe
3216	RegAsm.exe
3216	RegAsm.exe
3216	RegAsm.exe
3216	RegAsm.exe
3216	RegAsm.exe
3216	RegAsm.exe
3216	RegAsm.exe
3216	RegAsm.exe
3216	RegAsm.exe
3508	RegAsm.exe
3508	RegAsm.exe
3508	RegAsm.exe
3508	RegAsm.exe
3508	RegAsm.exe
10052	66e805302f63c_otr.exe
3664	RegAsm.exe
3664	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 47 IoCs

Processes:

New Text Document mod.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exeMSBuild.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exesvchost.exefirefox.exeRegAsm.exeRegAsm.exe2.exe66e805302f63c_otr.exeRegAsm.exeRegAsm.exefirefox.exeRegAsm.exefirefox.exefirefox.exe

description	pid	process
Token: SeDebugPrivilege	2152	New Text Document mod.exe
Token: SeDebugPrivilege	1660	tasklist.exe
Token: SeDebugPrivilege	2204	tasklist.exe
Token: SeDebugPrivilege	2184	tasklist.exe
Token: SeDebugPrivilege	2800	tasklist.exe
Token: SeDebugPrivilege	2856	tasklist.exe
Token: SeDebugPrivilege	1736	tasklist.exe
Token: SeDebugPrivilege	2744	MSBuild.exe
Token: SeShutdownPrivilege	2004	powercfg.exe
Token: SeShutdownPrivilege	2896	powercfg.exe
Token: SeShutdownPrivilege	576	powercfg.exe
Token: SeShutdownPrivilege	2920	powercfg.exe
Token: SeShutdownPrivilege	3040	powercfg.exe
Token: SeShutdownPrivilege	2160	powercfg.exe
Token: SeShutdownPrivilege	2620	powercfg.exe
Token: SeShutdownPrivilege	980	powercfg.exe
Token: SeLockMemoryPrivilege	2396	svchost.exe
Token: SeDebugPrivilege	2664	firefox.exe
Token: SeDebugPrivilege	2664	firefox.exe
Token: SeDebugPrivilege	3216	RegAsm.exe
Token: SeBackupPrivilege	3216	RegAsm.exe
Token: SeSecurityPrivilege	3216	RegAsm.exe
Token: SeSecurityPrivilege	3216	RegAsm.exe
Token: SeSecurityPrivilege	3216	RegAsm.exe
Token: SeSecurityPrivilege	3216	RegAsm.exe
Token: SeDebugPrivilege	3508	RegAsm.exe
Token: SeBackupPrivilege	3508	RegAsm.exe
Token: SeSecurityPrivilege	3508	RegAsm.exe
Token: SeSecurityPrivilege	3508	RegAsm.exe
Token: SeSecurityPrivilege	3508	RegAsm.exe
Token: SeSecurityPrivilege	3508	RegAsm.exe
Token: SeDebugPrivilege	3660	2.exe
Token: SeBackupPrivilege	10052	66e805302f63c_otr.exe
Token: SeSecurityPrivilege	10052	66e805302f63c_otr.exe
Token: SeSecurityPrivilege	10052	66e805302f63c_otr.exe
Token: SeSecurityPrivilege	10052	66e805302f63c_otr.exe
Token: SeSecurityPrivilege	10052	66e805302f63c_otr.exe
Token: SeDebugPrivilege	10052	66e805302f63c_otr.exe
Token: SeDebugPrivilege	3736	RegAsm.exe
Token: SeDebugPrivilege	3664	RegAsm.exe
Token: SeDebugPrivilege	4780	firefox.exe
Token: SeDebugPrivilege	4780	firefox.exe
Token: SeDebugPrivilege	9880	RegAsm.exe
Token: SeDebugPrivilege	7316	firefox.exe
Token: SeDebugPrivilege	7316	firefox.exe
Token: SeDebugPrivilege	2416	firefox.exe
Token: SeDebugPrivilege	2416	firefox.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

231.tmprandom.exefirefox.exegefox.tmpfirefox.exefirefox.exefirefox.exe

pid	process
2216	231.tmp
876	random.exe
876	random.exe
2664	firefox.exe
2664	firefox.exe
2664	firefox.exe
2664	firefox.exe
876	random.exe
876	random.exe
876	random.exe
876	random.exe
876	random.exe
876	random.exe
876	random.exe
876	random.exe
876	random.exe
876	random.exe
876	random.exe
876	random.exe
876	random.exe
876	random.exe
876	random.exe
876	random.exe
876	random.exe
876	random.exe
2032	gefox.tmp
876	random.exe
876	random.exe
876	random.exe
876	random.exe
876	random.exe
4780	firefox.exe
4780	firefox.exe
4780	firefox.exe
4780	firefox.exe
876	random.exe
876	random.exe
876	random.exe
876	random.exe
876	random.exe
876	random.exe
7316	firefox.exe
7316	firefox.exe
7316	firefox.exe
7316	firefox.exe
876	random.exe
876	random.exe
876	random.exe
876	random.exe
876	random.exe
876	random.exe
876	random.exe
2416	firefox.exe
2416	firefox.exe
2416	firefox.exe
2416	firefox.exe
876	random.exe
876	random.exe
876	random.exe
876	random.exe
876	random.exe
876	random.exe
876	random.exe
876	random.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

random.exefirefox.exefirefox.exefirefox.exefirefox.exe

pid	process
876	random.exe
876	random.exe
2664	firefox.exe
2664	firefox.exe
2664	firefox.exe
876	random.exe
876	random.exe
876	random.exe
876	random.exe
876	random.exe
876	random.exe
876	random.exe
876	random.exe
876	random.exe
876	random.exe
876	random.exe
876	random.exe
876	random.exe
876	random.exe
876	random.exe
876	random.exe
876	random.exe
876	random.exe
876	random.exe
876	random.exe
876	random.exe
876	random.exe
876	random.exe
4780	firefox.exe
4780	firefox.exe
4780	firefox.exe
876	random.exe
876	random.exe
876	random.exe
876	random.exe
876	random.exe
876	random.exe
7316	firefox.exe
7316	firefox.exe
7316	firefox.exe
876	random.exe
876	random.exe
876	random.exe
876	random.exe
876	random.exe
876	random.exe
876	random.exe
2416	firefox.exe
2416	firefox.exe
2416	firefox.exe
876	random.exe
876	random.exe
876	random.exe
876	random.exe
876	random.exe
876	random.exe
876	random.exe
876	random.exe
876	random.exe
876	random.exe
876	random.exe
876	random.exe
876	random.exe
876	random.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

MSBuild.exe

pid process

2744 MSBuild.exe

pid	process
2744	MSBuild.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

New Text Document mod.exe231.exe231.tmp231.exe231.tmpcmd.execmd.exe

description	pid	process	target process
PID 2152 wrote to memory of 2600	2152	New Text Document mod.exe	66eb0d09c9f08_Gads.exe
PID 2152 wrote to memory of 2600	2152	New Text Document mod.exe	66eb0d09c9f08_Gads.exe
PID 2152 wrote to memory of 2600	2152	New Text Document mod.exe	66eb0d09c9f08_Gads.exe
PID 2152 wrote to memory of 2600	2152	New Text Document mod.exe	66eb0d09c9f08_Gads.exe
PID 2152 wrote to memory of 672	2152	New Text Document mod.exe	66eaf17e9bd9e_Softwarepaxck.exe
PID 2152 wrote to memory of 672	2152	New Text Document mod.exe	66eaf17e9bd9e_Softwarepaxck.exe
PID 2152 wrote to memory of 672	2152	New Text Document mod.exe	66eaf17e9bd9e_Softwarepaxck.exe
PID 2152 wrote to memory of 672	2152	New Text Document mod.exe	66eaf17e9bd9e_Softwarepaxck.exe
PID 2152 wrote to memory of 2904	2152	New Text Document mod.exe	game.exe
PID 2152 wrote to memory of 2904	2152	New Text Document mod.exe	game.exe
PID 2152 wrote to memory of 2904	2152	New Text Document mod.exe	game.exe
PID 2152 wrote to memory of 2904	2152	New Text Document mod.exe	game.exe
PID 2152 wrote to memory of 1464	2152	New Text Document mod.exe	66eaee5323f5d_setup3.exe
PID 2152 wrote to memory of 1464	2152	New Text Document mod.exe	66eaee5323f5d_setup3.exe
PID 2152 wrote to memory of 1464	2152	New Text Document mod.exe	66eaee5323f5d_setup3.exe
PID 2152 wrote to memory of 1464	2152	New Text Document mod.exe	66eaee5323f5d_setup3.exe
PID 2152 wrote to memory of 1464	2152	New Text Document mod.exe	66eaee5323f5d_setup3.exe
PID 2152 wrote to memory of 1464	2152	New Text Document mod.exe	66eaee5323f5d_setup3.exe
PID 2152 wrote to memory of 1464	2152	New Text Document mod.exe	66eaee5323f5d_setup3.exe
PID 2152 wrote to memory of 2344	2152	New Text Document mod.exe	231.exe
PID 2152 wrote to memory of 2344	2152	New Text Document mod.exe	231.exe
PID 2152 wrote to memory of 2344	2152	New Text Document mod.exe	231.exe
PID 2152 wrote to memory of 2344	2152	New Text Document mod.exe	231.exe
PID 2344 wrote to memory of 2396	2344	231.exe	231.tmp
PID 2344 wrote to memory of 2396	2344	231.exe	231.tmp
PID 2344 wrote to memory of 2396	2344	231.exe	231.tmp
PID 2344 wrote to memory of 2396	2344	231.exe	231.tmp
PID 2344 wrote to memory of 2396	2344	231.exe	231.tmp
PID 2344 wrote to memory of 2396	2344	231.exe	231.tmp
PID 2344 wrote to memory of 2396	2344	231.exe	231.tmp
PID 2396 wrote to memory of 1168	2396	231.tmp	231.exe
PID 2396 wrote to memory of 1168	2396	231.tmp	231.exe
PID 2396 wrote to memory of 1168	2396	231.tmp	231.exe
PID 2396 wrote to memory of 1168	2396	231.tmp	231.exe
PID 1168 wrote to memory of 2216	1168	231.exe	231.tmp
PID 1168 wrote to memory of 2216	1168	231.exe	231.tmp
PID 1168 wrote to memory of 2216	1168	231.exe	231.tmp
PID 1168 wrote to memory of 2216	1168	231.exe	231.tmp
PID 1168 wrote to memory of 2216	1168	231.exe	231.tmp
PID 1168 wrote to memory of 2216	1168	231.exe	231.tmp
PID 1168 wrote to memory of 2216	1168	231.exe	231.tmp
PID 2216 wrote to memory of 1668	2216	231.tmp	cmd.exe
PID 2216 wrote to memory of 1668	2216	231.tmp	cmd.exe
PID 2216 wrote to memory of 1668	2216	231.tmp	cmd.exe
PID 2216 wrote to memory of 1668	2216	231.tmp	cmd.exe
PID 1668 wrote to memory of 1660	1668	cmd.exe	tasklist.exe
PID 1668 wrote to memory of 1660	1668	cmd.exe	tasklist.exe
PID 1668 wrote to memory of 1660	1668	cmd.exe	tasklist.exe
PID 1668 wrote to memory of 2420	1668	cmd.exe	find.exe
PID 1668 wrote to memory of 2420	1668	cmd.exe	find.exe
PID 1668 wrote to memory of 2420	1668	cmd.exe	find.exe
PID 2216 wrote to memory of 2276	2216	231.tmp	cmd.exe
PID 2216 wrote to memory of 2276	2216	231.tmp	cmd.exe
PID 2216 wrote to memory of 2276	2216	231.tmp	cmd.exe
PID 2216 wrote to memory of 2276	2216	231.tmp	cmd.exe
PID 2276 wrote to memory of 2204	2276	cmd.exe	tasklist.exe
PID 2276 wrote to memory of 2204	2276	cmd.exe	tasklist.exe
PID 2276 wrote to memory of 2204	2276	cmd.exe	tasklist.exe
PID 2276 wrote to memory of 2864	2276	cmd.exe	find.exe
PID 2276 wrote to memory of 2864	2276	cmd.exe	find.exe
PID 2276 wrote to memory of 2864	2276	cmd.exe	find.exe
PID 2216 wrote to memory of 2468	2216	231.tmp	cmd.exe
PID 2216 wrote to memory of 2468	2216	231.tmp	cmd.exe
PID 2216 wrote to memory of 2468	2216	231.tmp	cmd.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1176
- C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe
  "C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe"
  2⤵
  - Loads dropped DLL
  - Modifies system certificate store
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2152
- - C:\Users\Admin\AppData\Local\Temp\a\66eb0d09c9f08_Gads.exe
    "C:\Users\Admin\AppData\Local\Temp\a\66eb0d09c9f08_Gads.exe"
    3⤵
    - Executes dropped EXE
    PID:2600
- - C:\Users\Admin\AppData\Local\Temp\a\66eaf17e9bd9e_Softwarepaxck.exe
    "C:\Users\Admin\AppData\Local\Temp\a\66eaf17e9bd9e_Softwarepaxck.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:672
- - C:\Users\Admin\AppData\Local\Temp\a\game.exe
    "C:\Users\Admin\AppData\Local\Temp\a\game.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2904
- - C:\Users\Admin\AppData\Local\Temp\a\66eaee5323f5d_setup3.exe
    "C:\Users\Admin\AppData\Local\Temp\a\66eaee5323f5d_setup3.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:1464
- - C:\Users\Admin\AppData\Local\Temp\a\231.exe
    "C:\Users\Admin\AppData\Local\Temp\a\231.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2344
  - - C:\Users\Admin\AppData\Local\Temp\is-SL5VP.tmp\231.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-SL5VP.tmp\231.tmp" /SL5="$60158,10740751,812544,C:\Users\Admin\AppData\Local\Temp\a\231.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2396
    - - C:\Users\Admin\AppData\Local\Temp\a\231.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a\231.exe" /VERYSILENT /NORESTART
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1168
      - C:\Users\Admin\AppData\Local\Temp\is-VT854.tmp\231.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-VT854.tmp\231.tmp" /SL5="$70158,10740751,812544,C:\Users\Admin\AppData\Local\Temp\a\231.exe" /VERYSILENT /NORESTART
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of WriteProcessMemory
        
        PID:2216
        
        C:\Windows\system32\cmd.exe
        
        "cmd.exe" /C tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH | find /I "wrsa.exe"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1668
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH
        8⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1660
        
        C:\Windows\system32\find.exe
        
        find /I "wrsa.exe"
        8⤵
        
        PID:2420
        
        C:\Windows\system32\cmd.exe
        
        "cmd.exe" /C tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH | find /I "opssvc.exe"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2276
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH
        8⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2204
        
        C:\Windows\system32\find.exe
        
        find /I "opssvc.exe"
        8⤵
        
        PID:2864
        
        C:\Windows\system32\cmd.exe
        
        "cmd.exe" /C tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH | find /I "avastui.exe"
        7⤵
        
        PID:2468
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH
        8⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2184
        
        C:\Windows\system32\find.exe
        
        find /I "avastui.exe"
        8⤵
        
        PID:2724
        
        C:\Windows\system32\cmd.exe
        
        "cmd.exe" /C tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH | find /I "avgui.exe"
        7⤵
        
        PID:3048
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH
        8⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2800
        
        C:\Windows\system32\find.exe
        
        find /I "avgui.exe"
        8⤵
        
        PID:2804
        
        C:\Windows\system32\cmd.exe
        
        "cmd.exe" /C tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH | find /I "nswscsvc.exe"
        7⤵
        
        PID:2832
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH
        8⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2856
        
        C:\Windows\system32\find.exe
        
        find /I "nswscsvc.exe"
        8⤵
        
        PID:2128
        
        C:\Windows\system32\cmd.exe
        
        "cmd.exe" /C tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH | find /I "sophoshealth.exe"
        7⤵
        
        PID:2752
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH
        8⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1736
        
        C:\Windows\system32\find.exe
        
        find /I "sophoshealth.exe"
        8⤵
        
        PID:1724
        
        C:\Users\Admin\AppData\Local\acetiam\AutoIt3.exe
        
        "C:\Users\Admin\AppData\Local\acetiam\\AutoIt3.exe" "C:\Users\Admin\AppData\Local\acetiam\\grayhound1..a3x"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1828
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ping -n 5 127.0.0.1 >nul && AutoIt3.exe C:\ProgramData\\0R2Ytlb.a3x && del C:\ProgramData\\0R2Ytlb.a3x
        8⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2724
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 5 127.0.0.1
        9⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2792
        
        C:\Users\Admin\AppData\Local\acetiam\AutoIt3.exe
        
        AutoIt3.exe C:\ProgramData\\0R2Ytlb.a3x
        9⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        
        PID:2804
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        10⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2744
- - C:\Users\Admin\AppData\Local\Temp\a\66ea645129e6a_jacobs.exe
    "C:\Users\Admin\AppData\Local\Temp\a\66ea645129e6a_jacobs.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2980
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
      4⤵
      Power Settings
      Suspicious use of AdjustPrivilegeToken
      PID:576
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
      4⤵
      Power Settings
      Suspicious use of AdjustPrivilegeToken
      PID:2896
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
      4⤵
      Power Settings
      Suspicious use of AdjustPrivilegeToken
      PID:2920
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
      4⤵
      Power Settings
      Suspicious use of AdjustPrivilegeToken
      PID:2004
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe delete "RRTELIGS"
      4⤵
      Launches sc.exe
      PID:484
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe create "RRTELIGS" binpath= "C:\ProgramData\ejitkpfdxvzt\orpqcnvisucm.exe" start= "auto"
      4⤵
      Launches sc.exe
      PID:1716
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop eventlog
      4⤵
      Launches sc.exe
      PID:1504
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe start "RRTELIGS"
      4⤵
      Launches sc.exe
      PID:2304
- - C:\Users\Admin\AppData\Local\Temp\a\onePackage.exe
    "C:\Users\Admin\AppData\Local\Temp\a\onePackage.exe"
    3⤵
    - Executes dropped EXE
    PID:1692
- - C:\Users\Admin\AppData\Local\Temp\a\random.exe
    "C:\Users\Admin\AppData\Local\Temp\a\random.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:876
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
      4⤵
      PID:2288
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
        5⤵
        Checks processor information in registry
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2664
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2664.0.1437299894\1949576225" -parentBuildID 20221007134813 -prefsHandle 1220 -prefMapHandle 1212 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d6d421a2-1c0c-43dc-97df-77ffadfba842} 2664 "\\.\pipe\gecko-crash-server-pipe.2664" 1304 10ff9b58 gpu
        6⤵
        
        PID:2768
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2664.1.793943918\1712447927" -parentBuildID 20221007134813 -prefsHandle 1488 -prefMapHandle 1484 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ceef5f7e-d675-430a-8054-afe96e5a3d53} 2664 "\\.\pipe\gecko-crash-server-pipe.2664" 1500 c4fa258 socket
        6⤵
        
        PID:2740
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2664.2.477039165\1071293923" -childID 1 -isForBrowser -prefsHandle 2088 -prefMapHandle 2084 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 820 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {dfec880a-2d3f-43d5-bac8-f7b7bc0a8627} 2664 "\\.\pipe\gecko-crash-server-pipe.2664" 2100 18897e58 tab
        6⤵
        
        PID:2804
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2664.3.2111785699\1984614278" -childID 2 -isForBrowser -prefsHandle 2896 -prefMapHandle 2892 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 820 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {cefd3e3d-d397-46e4-88d9-08c0c3cbabe1} 2664 "\\.\pipe\gecko-crash-server-pipe.2664" 2908 1aa1e058 tab
        6⤵
        
        PID:1972
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2664.4.514416190\1959589812" -childID 3 -isForBrowser -prefsHandle 3692 -prefMapHandle 3688 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 820 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f804810d-65e7-4dc4-b8ef-4174941733e6} 2664 "\\.\pipe\gecko-crash-server-pipe.2664" 3704 1e9a4c58 tab
        6⤵
        
        PID:2408
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2664.5.525683063\348514619" -childID 4 -isForBrowser -prefsHandle 3860 -prefMapHandle 3864 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 820 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6c8fba8a-5d94-4eda-adf4-2594561ffbcf} 2664 "\\.\pipe\gecko-crash-server-pipe.2664" 3848 1e9a5558 tab
        6⤵
        
        PID:2292
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2664.6.2134152256\1681080889" -childID 5 -isForBrowser -prefsHandle 4024 -prefMapHandle 4028 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 820 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a7ea0848-47d0-46c2-b71d-2c82508512e8} 2664 "\\.\pipe\gecko-crash-server-pipe.2664" 4012 1e9a2b58 tab
        6⤵
        
        PID:748
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
      4⤵
      PID:9536
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
        5⤵
        
        PID:4092
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
      4⤵
      PID:4772
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
        5⤵
        Checks processor information in registry
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4780
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4780.0.972957389\1173215312" -parentBuildID 20221007134813 -prefsHandle 1200 -prefMapHandle 1192 -prefsLen 21028 -prefMapSize 233548 -appDir "C:\Program Files\Mozilla Firefox\browser" - {79f2dad7-5607-406a-a6bd-cb9fb65243b0} 4780 "\\.\pipe\gecko-crash-server-pipe.4780" 1312 1078ce58 gpu
        6⤵
        
        PID:5044
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4780.1.1806343445\657396488" -parentBuildID 20221007134813 -prefsHandle 1460 -prefMapHandle 1456 -prefsLen 21889 -prefMapSize 233548 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fbbd4451-ff60-4c54-a165-2e0827bb9477} 4780 "\\.\pipe\gecko-crash-server-pipe.4780" 1488 f1da258 socket
        6⤵
        
        PID:5224
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4780.2.1068861971\315579214" -childID 1 -isForBrowser -prefsHandle 1876 -prefMapHandle 1716 -prefsLen 21927 -prefMapSize 233548 -jsInitHandle 640 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e90d87cb-fe3b-4177-a466-6335eda83edd} 4780 "\\.\pipe\gecko-crash-server-pipe.4780" 1752 1a5a0158 tab
        6⤵
        
        PID:5668
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4780.3.116914933\1353757699" -childID 2 -isForBrowser -prefsHandle 624 -prefMapHandle 520 -prefsLen 26275 -prefMapSize 233548 -jsInitHandle 640 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1e360e7d-245f-408c-8a52-5f9cd14736e2} 4780 "\\.\pipe\gecko-crash-server-pipe.4780" 2624 1e94e458 tab
        6⤵
        
        PID:5856
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4780.4.188060918\738872622" -childID 3 -isForBrowser -prefsHandle 3388 -prefMapHandle 3384 -prefsLen 26399 -prefMapSize 233548 -jsInitHandle 640 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {58907bfd-638c-4611-9fa9-1a5ba5ab1ecf} 4780 "\\.\pipe\gecko-crash-server-pipe.4780" 3400 19789258 tab
        6⤵
        
        PID:6380
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4780.5.1512673874\1036621436" -childID 4 -isForBrowser -prefsHandle 3500 -prefMapHandle 3512 -prefsLen 26399 -prefMapSize 233548 -jsInitHandle 640 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1d56d470-1f05-42ba-af22-fd2076de701e} 4780 "\\.\pipe\gecko-crash-server-pipe.4780" 3420 20d0c858 tab
        6⤵
        
        PID:6528
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4780.6.845472741\386873672" -childID 5 -isForBrowser -prefsHandle 3716 -prefMapHandle 3720 -prefsLen 26399 -prefMapSize 233548 -jsInitHandle 640 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f1b49c25-54eb-47f5-9257-fe5c0b6f8b3d} 4780 "\\.\pipe\gecko-crash-server-pipe.4780" 3704 20d0a758 tab
        6⤵
        
        PID:6540
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
      4⤵
      PID:7296
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
        5⤵
        Checks processor information in registry
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:7316
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="7316.0.1872186604\1338509072" -parentBuildID 20221007134813 -prefsHandle 1092 -prefMapHandle 1088 -prefsLen 21028 -prefMapSize 233548 -appDir "C:\Program Files\Mozilla Firefox\browser" - {acf7597d-e68e-4dee-8fe6-94b8c76ba873} 7316 "\\.\pipe\gecko-crash-server-pipe.7316" 1316 137c7e58 gpu
        6⤵
        
        PID:7500
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="7316.1.68066334\1917635400" -parentBuildID 20221007134813 -prefsHandle 1464 -prefMapHandle 1460 -prefsLen 21889 -prefMapSize 233548 -appDir "C:\Program Files\Mozilla Firefox\browser" - {49dfe845-cd57-4d40-a506-3c7d2260b8e9} 7316 "\\.\pipe\gecko-crash-server-pipe.7316" 1476 f2dcc58 socket
        6⤵
        
        PID:7660
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="7316.2.1052908435\44090835" -childID 1 -isForBrowser -prefsHandle 2084 -prefMapHandle 2080 -prefsLen 21927 -prefMapSize 233548 -jsInitHandle 556 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2228b688-1455-4d88-bc52-f8bca247600f} 7316 "\\.\pipe\gecko-crash-server-pipe.7316" 2132 18473358 tab
        6⤵
        
        PID:7972
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="7316.3.272751097\1835343830" -childID 2 -isForBrowser -prefsHandle 520 -prefMapHandle 748 -prefsLen 26275 -prefMapSize 233548 -jsInitHandle 556 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e3f45402-8d49-4c47-91b9-446cc190a913} 7316 "\\.\pipe\gecko-crash-server-pipe.7316" 744 1e109958 tab
        6⤵
        
        PID:8228
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="7316.4.424364632\1836479197" -childID 3 -isForBrowser -prefsHandle 3380 -prefMapHandle 3376 -prefsLen 26399 -prefMapSize 233548 -jsInitHandle 556 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3e7ac43a-a2d4-449b-9477-2fb5fb82a834} 7316 "\\.\pipe\gecko-crash-server-pipe.7316" 3392 202bf758 tab
        6⤵
        
        PID:8616
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="7316.5.2062263292\116672859" -childID 4 -isForBrowser -prefsHandle 3420 -prefMapHandle 2564 -prefsLen 26399 -prefMapSize 233548 -jsInitHandle 556 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {baa57cbe-f90b-4834-8a05-d54e16137f68} 7316 "\\.\pipe\gecko-crash-server-pipe.7316" 3984 21c11c58 tab
        6⤵
        
        PID:9604
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="7316.6.1434782179\1345368299" -childID 5 -isForBrowser -prefsHandle 4160 -prefMapHandle 4168 -prefsLen 26399 -prefMapSize 233548 -jsInitHandle 556 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b2f6ab62-c25f-48f8-a4a6-e9355a0960f0} 7316 "\\.\pipe\gecko-crash-server-pipe.7316" 4148 21d73858 tab
        6⤵
        
        PID:2652
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="7316.7.905968012\1597921183" -childID 6 -isForBrowser -prefsHandle 4028 -prefMapHandle 4008 -prefsLen 26399 -prefMapSize 233548 -jsInitHandle 556 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4286fc99-3ca4-42ba-9a7d-d5300eba983e} 7316 "\\.\pipe\gecko-crash-server-pipe.7316" 4076 202c0f58 tab
        6⤵
        
        PID:9764
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="7316.8.2097144223\106150642" -childID 7 -isForBrowser -prefsHandle 3460 -prefMapHandle 3448 -prefsLen 26399 -prefMapSize 233548 -jsInitHandle 556 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6268f46a-323c-446d-8b0d-bbe07e019907} 7316 "\\.\pipe\gecko-crash-server-pipe.7316" 3464 21c10458 tab
        6⤵
        
        PID:9804
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="7316.9.14096189\1856213353" -childID 8 -isForBrowser -prefsHandle 4260 -prefMapHandle 4256 -prefsLen 26399 -prefMapSize 233548 -jsInitHandle 556 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {377c714d-28f3-4024-b394-834e22c97aa9} 7316 "\\.\pipe\gecko-crash-server-pipe.7316" 4132 21d74a58 tab
        6⤵
        
        PID:9816
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
      4⤵
      PID:2796
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
        5⤵
        Checks processor information in registry
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2416
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2416.0.812234816\1056718775" -parentBuildID 20221007134813 -prefsHandle 1196 -prefMapHandle 1140 -prefsLen 21028 -prefMapSize 233548 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8790f516-f115-4415-96b6-afdb0edbf20e} 2416 "\\.\pipe\gecko-crash-server-pipe.2416" 1312 136f7e58 gpu
        6⤵
        
        PID:2688
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2416.1.1663099153\1344238523" -parentBuildID 20221007134813 -prefsHandle 1464 -prefMapHandle 1460 -prefsLen 21889 -prefMapSize 233548 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7a6747f5-7241-40c9-9e7f-411ae2eba182} 2416 "\\.\pipe\gecko-crash-server-pipe.2416" 1492 f4dc358 socket
        6⤵
        
        PID:2304
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2416.2.758481556\1573351855" -childID 1 -isForBrowser -prefsHandle 1896 -prefMapHandle 1912 -prefsLen 21927 -prefMapSize 233548 -jsInitHandle 556 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a6cd7210-ec2b-4536-88a3-f4baa3cd9ab1} 2416 "\\.\pipe\gecko-crash-server-pipe.2416" 1888 180ebc58 tab
        6⤵
        
        PID:2640
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2416.3.431587962\1339129959" -childID 2 -isForBrowser -prefsHandle 1916 -prefMapHandle 2724 -prefsLen 26340 -prefMapSize 233548 -jsInitHandle 556 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6c45ead3-577b-4a79-9b3b-c26d05e40ae3} 2416 "\\.\pipe\gecko-crash-server-pipe.2416" 2488 e61558 tab
        6⤵
        
        PID:2112
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2416.4.777072668\813261607" -childID 3 -isForBrowser -prefsHandle 3680 -prefMapHandle 3684 -prefsLen 26399 -prefMapSize 233548 -jsInitHandle 556 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c666ea9b-7bbd-4077-ace2-26096f29f509} 2416 "\\.\pipe\gecko-crash-server-pipe.2416" 3700 219a7a58 tab
        6⤵
        
        PID:4328
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2416.5.1411195873\1559777670" -childID 4 -isForBrowser -prefsHandle 3812 -prefMapHandle 3816 -prefsLen 26399 -prefMapSize 233548 -jsInitHandle 556 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6874762f-8994-42a5-ad7f-fbf751428b40} 2416 "\\.\pipe\gecko-crash-server-pipe.2416" 3800 219a6e58 tab
        6⤵
        
        PID:4424
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2416.6.590761925\222736947" -childID 5 -isForBrowser -prefsHandle 3972 -prefMapHandle 3976 -prefsLen 26399 -prefMapSize 233548 -jsInitHandle 556 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4134d832-ceb7-4d83-a62a-62f68af579a3} 2416 "\\.\pipe\gecko-crash-server-pipe.2416" 3960 219a7158 tab
        6⤵
        
        PID:4432
- - C:\Users\Admin\AppData\Local\Temp\a\gefox.exe
    "C:\Users\Admin\AppData\Local\Temp\a\gefox.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:696
  - - C:\Users\Admin\AppData\Local\Temp\is-J8U04.tmp\gefox.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-J8U04.tmp\gefox.tmp" /SL5="$70170,2784848,56832,C:\Users\Admin\AppData\Local\Temp\a\gefox.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of FindShellTrayWindow
      PID:2032
    - - C:\Users\Admin\AppData\Local\Jekky Video Editor\jekkyvideoeditor32_64.exe
        
        "C:\Users\Admin\AppData\Local\Jekky Video Editor\jekkyvideoeditor32_64.exe" -i
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4616
- - C:\Users\Admin\AppData\Local\Temp\a\66e9b62daa62d_xin.exe
    "C:\Users\Admin\AppData\Local\Temp\a\66e9b62daa62d_xin.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:2360
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Modifies system certificate store
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3216
- - C:\Users\Admin\AppData\Local\Temp\a\rar.exe
    "C:\Users\Admin\AppData\Local\Temp\a\rar.exe"
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3316
- - C:\Users\Admin\AppData\Local\Temp\a\66e98ff1d44e2_crypted.exe
    "C:\Users\Admin\AppData\Local\Temp\a\66e98ff1d44e2_crypted.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:3360
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3664
- - C:\Users\Admin\AppData\Local\Temp\a\66e6ea133c92f_crypted.exe
    "C:\Users\Admin\AppData\Local\Temp\a\66e6ea133c92f_crypted.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:3436
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3508
- - C:\Users\Admin\AppData\Local\Temp\a\66e57a08ef022_crypted.exe
    "C:\Users\Admin\AppData\Local\Temp\a\66e57a08ef022_crypted.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:3596
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Modifies system certificate store
      Suspicious use of AdjustPrivilegeToken
      PID:3736
- - C:\Users\Admin\AppData\Local\Temp\a\66e57196bb898_111.exe
    "C:\Users\Admin\AppData\Local\Temp\a\66e57196bb898_111.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:3244
  - - C:\Windows\Temp\1.exe
      "C:\Windows\Temp\1.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      PID:3532
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:9880
  - - C:\Windows\Temp\2.exe
      "C:\Windows\Temp\2.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:3660
- - C:\Users\Admin\AppData\Local\Temp\a\66e805302f63c_otr.exe
    "C:\Users\Admin\AppData\Local\Temp\a\66e805302f63c_otr.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:10052
- - C:\Users\Admin\AppData\Local\Temp\a\66e8771a651d2_voewgngr.exe
    "C:\Users\Admin\AppData\Local\Temp\a\66e8771a651d2_voewgngr.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:10200
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      Modifies system certificate store
      Suspicious behavior: EnumeratesProcesses
      PID:3536
- - C:\Users\Admin\AppData\Local\Temp\a\zabardast-movie2024.mp3.exe
    "C:\Users\Admin\AppData\Local\Temp\a\zabardast-movie2024.mp3.exe"
    3⤵
    - Executes dropped EXE
    PID:4456
- C:\Windows\SysWOW64\dialer.exe
  "C:\Windows\system32\dialer.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3952

C:\ProgramData\ejitkpfdxvzt\orpqcnvisucm.exe
C:\ProgramData\ejitkpfdxvzt\orpqcnvisucm.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:2472
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:3040
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:980
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:2160
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:2620
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:2168
- C:\Windows\system32\svchost.exe
  svchost.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Power Settings

T1653

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\DAFCAAEGDBKJ\JJJEGC

Filesize
96KB

MD5
d0ef4c918b1e4ac811b1089c06944a73

SHA1
870905a912959ab468e21962b1c010bdbd8a0193

SHA256
be8235cf4819b8685a79fd2acd0bc00a4c7a833b5e31cc3c726a94c59848f618

SHA512
cabfc948c41dbd9cb04ebf0cefb7f282941e8639b2c6a20fd3742ce23ab75db7eb0e6409a676a1155742d30052d8d3581feee5ab97d48d0f59d20af47ceb9b89

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f23a8e48fe6cd1d31c94552850643a3c

SHA1
4f1bf2cb4b8e1439758603d4fa12188c548aad36

SHA256
591b552406871dac9c2bfb950c14f61e50b8067159eb4bb2ee110411e5fb8644

SHA512
3866fe29b070f4d2c642088ed3d8a29006c9880c010262ffc3f3bc043432e7ea9333498fd9ba98a991014107f3655ebc9a04da9970e246777210021804058ee2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dd2760f1eae92baa2a303405a30d11b4

SHA1
59b86ded463b449b7d8d1a8e73156b14c002d760

SHA256
499e87d10761610515d29dfd17c5fad29a16a840254797056b283b5ddb65ab15

SHA512
6fa23896a5c4a842ef09a9f3f9194023ef4451d556e9c68bc43341c8468e3a369d820f3146400571bbe4533f9951524c22e048c1096e3e7bbd69523027ee79a4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
670c4cd7a28d0b6a2e3f57099a5c17fc

SHA1
509000a411ef0214a7d5807d9da4b231a9307d25

SHA256
9105a337ca1be5c9f631195e51e8df9b26c17b89ed295287ee8b3133be67c0ba

SHA512
bfcec24b0495e3d5de63c21dc557df674322224782c0fd289765eec12d2c72d068cccf24b9bce87dbf2475ddd484fa5ec5459c1252df3cf7ad12763e1176c8bf

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\39ptzwfm.default-release\activity-stream.discovery_stream.json.tmp

Filesize
32KB

MD5
e0aef9ff29547d27a0f8825a98b5e49f

SHA1
c28c27c7d4439d2811a2a54709333d5a17b7bdb6

SHA256
3ecd2e1918017408b7cbabb946cb42a962594ad6a477ae5af8b0c792eb1e23a0

SHA512
e47ce47135542074ee8062a5b0341df173b43e0548e0f92392a37cbb85de89222bfd728e92f5bf851c0b8f38777141b8fb7ea8b048db49e68df6cb783b98760b

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\39ptzwfm.default-release\cache2\entries\22386449CA13D8975B935875780066C6EF52CE37

Filesize
13KB

MD5
b0d893a8dec5b367c7e228c223789c40

SHA1
e14c1e38d84fa5cff6276705b84d252c6b5d5d86

SHA256
94a170e67889a0bee381c49b681dba3e095874a1e66cb0da08bafdd8e5b0c4bc

SHA512
ce300faf3e60e06a9984727ddd3727a9b0a1f6c605cf2dadd2178977264991b576f55f4e3063d8697726c20f8b7dba29d205c2e48f6f762b3ce6f88e8db63b16

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\39ptzwfm.default-release\cache2\entries\3F6BAE390F7FB4267066C23DBD35348B57989359

Filesize
292KB

MD5
3dc698b5411092008b242114c454806d

SHA1
1a8492c1f4ab3aea4ebe9b4add2712dfd092aeed

SHA256
17a3e9ec151645ffa4266df75654228214357751e69108cc8ddcbda538502b4d

SHA512
d2b31da7335b31178d59d61b33fcd5d5ac3927cac967cb4a99e6227521697b4540b42dcbe93f600a173c4f2e09e77b940baed4062299473ef20bf0e7613fb7b4

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\39ptzwfm.default-release\cache2\entries\AF6E8AEB5E2F121D5F00F7FC7BC3534F2713C15A

Filesize
829KB

MD5
6a8293a34a3ed7b3e6aeaa90958470f9

SHA1
cb611484d2fd09c29b1e68b84bedd25001c04a6c

SHA256
c2e35a20108ee4e565fcc7c4f8be2b2ff99635bd3685e3e7b111f1b051c98554

SHA512
e379394ea037ef0b3d09070b9cd76cf4648a53828960f0aa841d42e4842adee8f989416d5a45151e81e9f0e8f48536a3157148139868a353c6a8c52005c015dc

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\39ptzwfm.default-release\cache2\entries\D4F319A8948EFA3FDC05EAF28DA1C509BF9FBFF7

Filesize
759KB

MD5
1e09c1c51f04020e6391dc01db2870f7

SHA1
d428604f8981e440956fd5446c913efa67ab1a8d

SHA256
518adb8cdbb69997e9e5752e787e5ea64cce02055fbfc4cad4b8778d148c9a10

SHA512
bb260e508e8ed222dc6f063210721b4e2dea19b718621be8d7ffc055214dd78da17b35f80ce98b3baf375b50afe0798334a273040b188e02342124c25ce01eda

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabCAC0.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarCAD3.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tmp84E9.tmp

Filesize
2KB

MD5
1420d30f964eac2c85b2ccfe968eebce

SHA1
bdf9a6876578a3e38079c4f8cf5d6c79687ad750

SHA256
f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9

SHA512
6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\231.exe

Filesize
11.2MB

MD5
4fa734db8e9f7ce5ecd217b34ecc6969

SHA1
fbfc15ded2ebd130c92d812c26dc052561f7ff83

SHA256
f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b

SHA512
76ffd5839721ba668762c4458fd8da8fa8edc656c232e5957c253acc67c599846b89bc9acda1ec8dc5b07d229e143d3deca415c528ba4c04bf9264670f74f48a

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\66e57196bb898_111.exe

Filesize
887KB

MD5
b2a7b79dd7a9fe2786679a0ee2cddfa1

SHA1
bc86afc382707167791784d5e47089c721e441b3

SHA256
bb6b7a806b6fbc27e47c95d876f018a0e1823d696f76e58a3d6b5f745d72b070

SHA512
a4097ecdc0712ff8b5480e486982516de0a10d9d8c738ae2c7193ea81beacb8ecdc3a33c18416181e226ba9a3548d783d2d4eba2da7dc657c881c6b36e31e0b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\66e57a08ef022_crypted.exe

Filesize
314KB

MD5
8240da70945e9b8a7844f1f4e2f1c770

SHA1
37c0f67a71107a5821e1e3f98563e8c331f3618d

SHA256
50c33eaa07d5b99a35a9860123e2fd84551a0907170a199ead8f5e1e2b0097c6

SHA512
e8b6f7baa8ce2d0d2cd18ab59f15be033d8785a5b9c89e9b2cbd6abdfd169856ca11860e2f9cdf8c910f332aa26f39c8b093a0c67671fc05016ae3eb56f5c039

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\66e6ea133c92f_crypted.exe

Filesize
343KB

MD5
ba0dc71d562da0d40e7f409502daa9e0

SHA1
80618645fc93f72086cf1eaf3c1580fb764c5b27

SHA256
d5dd7234246219e84199d9cf575586760737bed43a6994c2abed41fcee4e1403

SHA512
b0750b985bc39ee54ae5d39860fe69463556eaabae725b2ec11bceda7bdb4b21148cb247c290366d50d4a00f94776bee931c2273ece05f1ae97fbe531b5ad5c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\66e98ff1d44e2_crypted.exe

Filesize
323KB

MD5
a0c6989730b44ee30722feccd86d946b

SHA1
4ef62e701352c7dfdf0807460dc4bb3c22be67f0

SHA256
5669998000fdc457a919dea600b100809d0bb5681cbca6a67b544307233b5915

SHA512
e5c622f22ad40cddae798853d40af4695a37bd75624193c0181504a3ac2a28c146339bf06ae0110a995c90bdfcaab9a3072e18a7f610cbed24d5b1d028fc5eba

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\66e9b62daa62d_xin.exe

Filesize
352KB

MD5
8e3fb69a56d807d7ef1c432ea1590496

SHA1
78843735c41af9906484df7c3e3a1d1cd4a0b83d

SHA256
cb2e830d6df32fd5168d39a10d138a1f724651b7dcc561b2b87b59cc96ebb20a

SHA512
12ee5797845e86768d5a99e45fb7cd93b328f4839031a91ea735f41f0eec373a2fb593bce7bb13201e982ee75bd0bc22ed7c2b6caa954facfa238c2a5bae521b

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\66eaee5323f5d_setup3.exe

Filesize
227KB

MD5
a7d7d48f4a9bb7718ec17d11fba9cad8

SHA1
748fec11d5becea085af46e8197f42ac9a1e011b

SHA256
de74bd2a1d74bfb4f73d97a1e652c2a5bd778ae108df31ede4dd96950485118c

SHA512
98dda258e460098e79b9aaee795dbd0122f4541f9864fcf71d039ada426dff0fb8540725d779412eea52a6e66d45875665f11961fc7d7d3a2d2be061671e2e25

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\66eaf17e9bd9e_Softwarepaxck.exe

Filesize
10.8MB

MD5
e4795aedf3d67af6b0cc029d010f7183

SHA1
d29438881071842571f96e658ede500cfba2deb5

SHA256
8f96d1f67c72bf89b1b57433e52a1b193efbc243ee14fb716c7c9b0aa68a3a9f

SHA512
2e6beaf7814e95ea1b425b3783233ae00e4fad44cb360f8e4c129ff97b0bf4d17cebe2dc757988e876463a0962dc8ad636cccdedefaf5325c58b7fb1f139130e

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\66eb0d09c9f08_Gads.exe

Filesize
10.7MB

MD5
5fb5e099087ca0db68f8d58ae7555949

SHA1
caafb9713225e958041183455c1113d2018b9879

SHA256
f37c412bd47fc18d4c153664b116ea18c7d251eb8cdd0af8f130010958a93353

SHA512
307af716a5fd9ce4c01fcc72618595867c167c8de26c4727fd4595e444fa15af9ae8ddcaf35809effc3148552fb166c57a0dd35e38e2082cb29559b6d90b1116

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\game.exe

Filesize
2.7MB

MD5
4ce02a77839364d0c6622c43095b2fd2

SHA1
08f5c9628408f6c3fca6f80f112db755d7c0ff62

SHA256
55dae00b91675ae4aeede8d34151a18a10b6b3d37c94d31782800f30eceab373

SHA512
17b4d01c38ecee620d338c049b3efcaa1cab17cc47a98f4bfedd656a81865f918014393650d8ddd66566d5bab27b06bd0c02dff3c0860377fc112dc374311fb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\gefox.exe

Filesize
2.9MB

MD5
75e79e5b6134267e8eaa0af2b2be6952

SHA1
554c9d9d31b6f11e96ac957c7ad6d285a120c8a4

SHA256
0ecc78c8637b4b28d7158a31ee3ca75f07dea64d7bb8c2330ce38189340a4c9e

SHA512
5d1ad17950921fea0a3b08a61df8596200e55db384eabbdd3f2b618cdc472d8529a9933af6461877a0ad021dd4b4ecc73de589b95c2f15d92473cdf16d7ab4ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\onePackage.exe

Filesize
8.3MB

MD5
6c2db0ef90b27f880a1566de7711e6c6

SHA1
e9e14a284fae52c5c91200f81af4f94b53526816

SHA256
c2588125970db20ac97818d2170eecec857f578d7bf3f24ef8f6a3f303798ac6

SHA512
1a9a1220958cc5b9d32dc70074df174eae7040c53bbf1fa4c97753a9f8c2a9a8c20668fc957d743fb038a97ca0017e333181856a783e10cfae0f557d2aab73a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\random.exe

Filesize
898KB

MD5
962e9c46f348aa81a85e79849fedcf94

SHA1
3fa3640b949b48d3992b711b1cdc3af93a3924f8

SHA256
6525d9b88628a0e5f7c99d88ebcd88b4e634e7ebd0dfeeb908d6940bd71fc042

SHA512
5a5e7ab961e5b9f506dd196068088975b8af673f9bcde59fe483a489f4105706ce47abad2144996a01eec567a39f5bd9d0b08f9750b84a65034fc57b14284ab4

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\rar.exe

Filesize
355KB

MD5
8da6d3f4326ca248d0a99d21d2d8b135

SHA1
45872803f6ccfb405b4383d079c79eff87a3c9c0

SHA256
95897f8814e4c651671799af51c40fbe0a2334827683c82640627e270c57d9d7

SHA512
f1a3f3c3dd87694bd0792e3325887fba197f73f3eaf51bd94ddfc86582eba8539177797fca4d7a7701e2baa541f98043e37925fed08c6de70401d6cad9d69eb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\zabardast-movie2024.mp3.exe

Filesize
192KB

MD5
cbef9bb615e2bd37d730ed30fde6ae03

SHA1
d62d57a40394bd993d415d2ce95431011171ea13

SHA256
7e60419c0819d6577cbfb9be9e7617704d66159bc63ca3c3d1a3c8e4aef91a01

SHA512
4ba4a27b81127ea0fff9f941266f6377f9e55c3e74ded2f64e9a7d8fd9c6a285b2747a31e8bf63e80d5b2844cf99a0b1f238a2d3689efb6b54750aac6b3ce4fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE977.tmp

Filesize
20KB

MD5
c9ff7748d8fcef4cf84a5501e996a641

SHA1
02867e5010f62f97ebb0cfb32cb3ede9449fe0c9

SHA256
4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988

SHA512
d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

Download Submit
C:\Users\Admin\AppData\Local\acetiam\grayhound.pptx

Filesize
940KB

MD5
0bc6d1c595e440233c6daa45813657a0

SHA1
3a04c1fcd93642fe7b0ad47d67c29344ebddc9a3

SHA256
1841f77c752744d0054847a13cccc5851408d2e38caafcb153e37c56a01f6bac

SHA512
0fe0b161095deaa389ca9b81e8d0b5210598d1f750cc849828bca77168a9e7be0d747ac01c0a2f1d338e2562dcad7ca372c346b575ceb481b9cd7a24da10362f

Download Submit
C:\Users\Admin\AppData\Local\acetiam\grayhound1..a3x

Filesize
62KB

MD5
647d824a19511783d1a011f8b775c1d4

SHA1
46b0213afa55d27a688e9729ac120d4574318cb5

SHA256
8674025ff9edbf37ad8d7e1af8b93bd63e0fe2e8eaea61ee6e1317c468a0e48b

SHA512
ed57dcb8817d329bf989b642be2244976f7725edecb5565788eb1643b81b58fd22c39dcdec827b3f7067ae844f4b62622bf8d079679df10af4f203f67efe1d1f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1506706701-1246725540-2219210854-1000\76b53b3ec448f7ccdda2063b15d2bfc3_62dc4f69-4699-4b35-9f5c-cc69254f52a3

Filesize
2KB

MD5
6baa43d7b64c8a44e0c4c97163228b90

SHA1
551ea608ebe51c6b12c9b74508bdbaa445e8e0ab

SHA256
8abed641dd4aeb12f2b48a2b0951728004064a35f42b8b37783f31e3c7b54ad2

SHA512
8467c3a1138a8537a83d68d7dcfda5871932389b2b1ed60747e64594c68d4e416ebd434d3c7ebeee768fc8ca39e99cd9d97b2a69415d451acb758044eab34482

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\39ptzwfm.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
b493af8b3abab3f02e86fee2bff306e7

SHA1
7f3aea7190d9b96be22b91c1e90d38d2e16125bd

SHA256
884e0b713517f5035e63cb841e3e7299ab7db0c42ea7e8d6dbe8cca3d51b841f

SHA512
8942d7bd8c5a5950cb84efdc437d038d454d210cd86b2d9cd5853706c2a50158ced52980ff073d1677281faee2f7221880a06adfa46505a9ef1b7b3aec26e91a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\39ptzwfm.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
b391280a39ac76de5b874aa1ac727a0a

SHA1
0e553521dc9873d30f0fc7c00c9acd69190310aa

SHA256
e23134c373a3cc7cdf4663e02cb8e62a0331727763df4434ea68cf4b37e4b5bf

SHA512
4e6402d8442cf5826a8c37e296240c7574f0c35e7149b14379226fe17f5bb7bb06719f9063e7902e8147c0af0ab0e76aebae861a850dce80cb454a53d9c61214

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\39ptzwfm.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
0568ca4b4f2f9afae474d4bbaeb56175

SHA1
30b038f91abed54018df5d0a0c377f58a0d62a95

SHA256
750a054f73c4b1de0fe01c2279632a26d0cecb3bbbe278848463ec7c06482586

SHA512
04c394e033423e778f01a29237cd655e9555f9cb7b0a27771ba7217b27ab277509bbd90614d45ccc8b1cbaffbaab9c372a8c0d0deae2cb0ee4424b65d7afdfba

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\39ptzwfm.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
77d4167e917736c73ed26ae01467b342

SHA1
8c1687e8871a02a9e558f21e293c2092082fa430

SHA256
179ee7cf8d9d4b3f689b08753993aff9af6b8c06976f7f7a115fa08d6760c55e

SHA512
82c3de920eb90f77c30a631890cb8e9a07903d1095acef34603da734cf287dd1feebeca535142550dc07a900e5b44f9874f8310684708aa2619cbfb02ac124da

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\39ptzwfm.default-release\datareporting\glean\pending_pings\1524fed7-b6f0-4a17-b729-ae734b605f67

Filesize
745B

MD5
4f7ada867920c37fab59fa6d85eaa4ed

SHA1
47b868a57be28a39370ed6975c2fa6b518533209

SHA256
f8160c5adfac7547a769f51fab7d0071d4986e90b893d3a245f444286a2f4031

SHA512
f8fb8f24c6f5c56edd8e9cbbbce8d82d6e89f4831c381f4b8d88c89b90d45f9e002ac43d49c99ddd9a9fc328aba949fbb0f4e8d5be320b741572ca63f53a8044

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\39ptzwfm.default-release\datareporting\glean\pending_pings\1b0bd149-ee9a-4a8d-b36b-c887a9a345a0

Filesize
593B

MD5
01e5c9fd24b9cbb54eeebc6f7009ffa6

SHA1
26a9a93ce758406324d8213e6c3acba9c369b701

SHA256
553bbdce81dc69aea7633c650fb35d7fb6f01145ed4e22554dad526de056d5aa

SHA512
34d393f1f03a82f8dc5a75dc33d143f7eb82cf82bc5f8932ebe24c318a252304979f2aff9f43123321d277322ea3ea44843a513ccaffb8abd64603009e3c4034

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\39ptzwfm.default-release\datareporting\glean\pending_pings\1eddc9f0-caab-4813-986e-d116cbf890f7

Filesize
656B

MD5
00f0004bcd4da3768d9969607fe5b115

SHA1
953fdbe3e688d84e2b89ce1fc62b3404cd947dc1

SHA256
3a954717cfec49225205a8e8f9623723957a5b5330312d3715c0a4122971e286

SHA512
04c59b9b299832cd8b269563c88c9bb85500be4b43c4de99f538b6f30dffb40653d7e3fdc36eb193e90fc0b424b2e0c1db22a98a30c8fe2e90322d9d0559ac01

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\39ptzwfm.default-release\datareporting\glean\pending_pings\20db369d-5ce1-441f-87d4-63038750fc02

Filesize
656B

MD5
1213089eca259895483832538c822df8

SHA1
aaad4ac215293c82bbded3d3813e6072595d785e

SHA256
83ff72e14839a40c362a07019d9d8ef8b809ec3914e10b32d2c80e909347e1fb

SHA512
541a1713b37eb9a26c254350258743e0c9f5bae80a2f83f4d32184562a81fa0a596f32b565ef68e7f3aa0ac339c3839befe008c5520706eb9a381ca4fea830d5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\39ptzwfm.default-release\datareporting\glean\pending_pings\7955cac5-8e25-4748-9a9a-929dcfc4f121

Filesize
656B

MD5
aa09feab38ff38859eb1872fdfabc44a

SHA1
9d53900b54fc3e19890d913adecd3d9efab96331

SHA256
5a91d69b715cd05dacb722df5525a9b9c5dd24cb3c7d3edf81e8ca69fc67590a

SHA512
3ff0789d669bc4d3fbbae3e91e9b17abe7dab72c161cd69c39f02541c994975d588b3e0f5db3a365cd69dea162cd7f07d37a0545d2fb991d9acb952366b4851c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\39ptzwfm.default-release\datareporting\glean\pending_pings\97f55792-f51d-49ec-85c9-eba8b78e61e7

Filesize
593B

MD5
763dcc0c55c04c104413f92017d6878c

SHA1
376ef3ffa74e7e43de3f077c77b140d79e9289b2

SHA256
8f5ea7ec7b1221a3ca005a3c71c486cd4268076537d4960b72520c91bb028402

SHA512
dedcf6cf69ce76026f279682424ac750bd727ad638c7fd2d0fb78b16a73f150ffcef4d8ca73b36b3184454374a096281fd36a5f40e694fb6202760f8b7602a64

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\39ptzwfm.default-release\datareporting\glean\pending_pings\bc8dc1bf-ebc7-4b0b-aefa-88a73636b35e

Filesize
11KB

MD5
5c2ddd2305173316776d4fb32e75d161

SHA1
af2bfed238b5191da3e1b854158bb7aef708d379

SHA256
774c560f5c9228a52fa24cd38a61d9e2d89cd720cb92abab33544f5c6e8f1e94

SHA512
8131df4af8e652f15bad3f2fc78ecf7f6faee723d99b5147d1101a3fbe87531d13d2c78efb56400aca105f0ce927d10e3b1f61d22b701d06a71dacd70604f839

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\39ptzwfm.default-release\datareporting\glean\pending_pings\f3928957-8067-4530-a1b6-5467b754d24a

Filesize
593B

MD5
aeabd04af2d3e201aca3593385ee29b8

SHA1
cb303012e183d9c0e1762c6ea8a6f85d4e70b379

SHA256
092c0874b6e934ffbd07eabd5a44690381ed150bcd7dce4cf41f5ad208eb82a4

SHA512
051a0367fd9535a2028980617442c068cf4edd0ff959a1869611d3cf9fa42c7ed883242bdb88499004f943186b66ecc08197143d8bebcd6177afbb42c1240827

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\39ptzwfm.default-release\prefs-1.js

Filesize
6KB

MD5
473f24f6f74ecd156ae59f73ab014b32

SHA1
8fceba65247163b9aaa49309bc801dfaca390c85

SHA256
f62b7e4b9dc6c714351187f8fe644b4099e78138b64baf61c6555255fe1072cc

SHA512
78ebc9238abadcffe5ee512007e2d3d489936b04e58976a785204f10782a982b8110132acc9293344ce77ccaa96b3683b56cfd6b30fc10026eabf17448e7ed39

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\39ptzwfm.default-release\prefs-1.js

Filesize
6KB

MD5
b737c491027c2ebbb9f37566b375ffef

SHA1
1f476925958fb8fd1f2fdcb81fb1f2d02fa66e8e

SHA256
ac473e035e554a1f8b023ab1fb9b8279a1bbd43ade48f22e2bd713676a0a679c

SHA512
68066d0189fe3f68e6e31c71e2b83feb27406166dbcb2bfbbb4e59116601c6fd2780c63766f66630455881d4c70ca05b04cfb072b487affb295b2aaedb8b064b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\39ptzwfm.default-release\prefs.js

Filesize
6KB

MD5
43314bf2113b1618813886abf44c0cba

SHA1
07e51d494186668c64ba7ddae17935abecae6658

SHA256
934a7f04ae80ac8996b9cfdd5a57dd40c1848ecb9586a40cc96f31d6b5187cf7

SHA512
3a34961552edf4689186ca3c192f335ada8990daede05bcb2c93f5964dd67c146c84933f6958fd2fff7ef672261f40a1fc2a1778f891e6009396c06c364fd02c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\39ptzwfm.default-release\prefs.js

Filesize
6KB

MD5
56680e523d7eeb8381d7f37dd975bb06

SHA1
307d6308af5f9b2eae411a20d80aa4d31d873bae

SHA256
2c533e3e70098b7e086c43b53edb46c52af35e032d1a720eae0b99f774509059

SHA512
ac676c43de0a5f0d385c1fb11bbb5f9012791980ae59bc4d507d29f9d4cabc84519e7aa6b5952230311aa4fc4e05a038dd8bde1b0eaa2410d52b456df3030da8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\39ptzwfm.default-release\prefs.js

Filesize
6KB

MD5
84dc62f7bc5d47bc7ff1d33ae2d25d8f

SHA1
64c391709e88c0469cdfc064e680af20148d3694

SHA256
b75190ec6b29d8333cbd1ddae0d09f0524b137cd5d117393c1a08f38b7911db7

SHA512
cfb639d4b55977144f90ac8be32f0af26ad661809cb1f15a6bf6a8aef51ad4c5356be0cc7f1e55213dc646aec76433af68ea433118703b3d47397ab3f91ddbb7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\39ptzwfm.default-release\sessionCheckpoints.json.tmp

Filesize
90B

MD5
c4ab2ee59ca41b6d6a6ea911f35bdc00

SHA1
5942cd6505fc8a9daba403b082067e1cdefdfbc4

SHA256
00ad9799527c3fd21f3a85012565eae817490f3e0d417413bf9567bb5909f6a2

SHA512
71ea16900479e6af161e0aad08c8d1e9ded5868a8d848e7647272f3002e2f2013e16382b677abe3c6f17792a26293b9e27ec78e16f00bd24ba3d21072bd1cae2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\39ptzwfm.default-release\sessionCheckpoints.json.tmp

Filesize
53B

MD5
ea8b62857dfdbd3d0be7d7e4a954ec9a

SHA1
b43bc4b3ea206a02ef8f63d5bfad0c96bf2a3b2a

SHA256
792955295ae9c382986222c6731c5870bd0e921e7f7e34cc4615f5cd67f225da

SHA512
076ee83534f42563046d25086166f82e1a3ec61840c113aec67abe2d8195daa247d827d0c54e7e8f8a1bbf2d082a3763577587e84342ec160ff97905243e6d19

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\39ptzwfm.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
184KB

MD5
1d87633c899ebb45778026c301d420f3

SHA1
7931aa594a96450488f4bd2d2be9b60a93dce5e5

SHA256
b1f10b1b2b49f98c914ff552a5421c04140ecad4b2f14c41477b6bf060a73893

SHA512
3f33d00cd23f32a089e283adec5233d802142d256b1ba810c466c379cbdb2b6decb20068256a30bcdca66d731670d135cfc4984dc4cb6791c3653c91915438f2

Download Submit
C:\Users\Public\Desktop\Google Chrome.lnk

Filesize
2KB

MD5
39fb20ef7c3bc1023428dec5650bc879

SHA1
1db41cefdf921b424e3b108edb25c35007c666c5

SHA256
bb157fd2a365dd7f24bac59796458be72603e0b6ebce4f8dbff090696fb04ee0

SHA512
52551ac48f3b69a05a63e45d91f7eb84729f0ddabe33d2adc9193f6cd02329e1e8e8dc08059c0288a42527de6278e19d7336b6da1f04a1ef2ab5d513a001876c

Download Submit
C:\Windows\Temp\2.exe

Filesize
435KB

MD5
1f3cfcf8aad3e5e3164405d272aa213e

SHA1
96f1c646d19deab4ff071fbc6b3c73c87ce56e49

SHA256
fcdab9639af874cba780e20c21a9bc662b160dc313ddb75e5f82f779f1680101

SHA512
0d2008b613bed0f1bed205ace8e89d13d5b5e0fca924ca1f9d0e322564c7d7610e0e735e3686701d3042fef1c164dcd43e40a67eb60199b885fbcb761fa41b06

Download Submit
\Users\Admin\AppData\Local\Temp\a\66ea645129e6a_jacobs.exe

Filesize
11.0MB

MD5
d60d266e8fbdbd7794653ecf2aba26ed

SHA1
469ed7d853d590e90f05bdf77af114b84c88de2c

SHA256
d4df1aba83289161d578336e1b7b6daf7269bb73acc92bd9dfa2c262ebc6c4d2

SHA512
80df5d568e34dfc086f546e8d076749e58a7230ed1aa33f3a5c9d966809becadc9922317095032d6e6a7ecdfbfbce02a72cc82513ab0d132c5ffa6c07682bd87

Download Submit
\Users\Admin\AppData\Local\Temp\is-0L3JH.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-3OQ4H.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
\Users\Admin\AppData\Local\Temp\is-J8U04.tmp\gefox.tmp

Filesize
690KB

MD5
d306b8eda5654893c88a5822556ad16d

SHA1
ea9dcc67c6043cb4e51683adc09384032fed7fd0

SHA256
c3c4e5b9e999e5959e8d3412588d042d35398c816a10c0138a23192ce8d6bf71

SHA512
da96dc6f68cced888a0b969c0fd3286eb481f147daa7db0dc8993fba75936d59bbf2d45b0a6dbe7f5f39e9c78a5339c3d7cc8f8fbe1475cacb474ad3d1404063

Download Submit
\Users\Admin\AppData\Local\Temp\is-SL5VP.tmp\231.tmp

Filesize
3.1MB

MD5
81636f80b1e7c0b8f946c8ff0081436a

SHA1
9e7b01f8324e089b925cb9050ce74cd099c58370

SHA256
ca3de247b4d58905e04277ee2386cedaeff38a0fad1f46bfff304ba9f0710f35

SHA512
67432e1a56e043573bc67d904f4c735f70333b35fe6efe2bb11ee1137bdd96bdbd3ed2956dbf8314b3a15ea2b2260fb5d3904481efb96c7dbb6661a32b13a85a

Download Submit
\Users\Admin\AppData\Local\acetiam\AutoIt3.exe

Filesize
921KB

MD5
3f58a517f1f4796225137e7659ad2adb

SHA1
e264ba0e9987b0ad0812e5dd4dd3075531cfe269

SHA256
1da298cab4d537b0b7b5dabf09bff6a212b9e45731e0cc772f99026005fb9e48

SHA512
acf740aafce390d06c6a76c84e7ae7c0f721731973aadbe3e57f2eb63241a01303cc6bf11a3f9a88f8be0237998b5772bdaf569137d63ba3d0f877e7d27fc634

Download Submit
\Windows\Temp\1.exe

Filesize
313KB

MD5
a36dc92515ad9a1efd791c57e6b8825b

SHA1
787767c3c8717c4f165adc1b20acc9a8352bab06

SHA256
e3b5a04c8bc029a519b7edb6f32ef05b48e83f8ba5d78957aaff4900c1abbbad

SHA512
74401be47fc01142abd227bc1383958be499dabefff142be673d2b340e17e8944f4ee9d82f07d2380532f7f45eaa1dce2f73b482b17d39da19f9da5d1db0421f

Download Submit
memory/696-644-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1168-112-0x0000000000110000-0x00000000001E4000-memory.dmp

Filesize
848KB

Download
memory/1168-277-0x0000000000110000-0x00000000001E4000-memory.dmp

Filesize
848KB

Download
memory/1464-89-0x0000000000400000-0x0000000000534000-memory.dmp

Filesize
1.2MB

Download
memory/2032-2704-0x0000000004F00000-0x0000000005198000-memory.dmp

Filesize
2.6MB

Download
memory/2152-58-0x000007FEF5FF0000-0x000007FEF69DC000-memory.dmp

Filesize
9.9MB

Download
memory/2152-57-0x000007FEF5FF3000-0x000007FEF5FF4000-memory.dmp

Filesize
4KB

Download
memory/2152-2-0x000007FEF5FF0000-0x000007FEF69DC000-memory.dmp

Filesize
9.9MB

Download
memory/2152-0-0x000007FEF5FF3000-0x000007FEF5FF4000-memory.dmp

Filesize
4KB

Download
memory/2152-1-0x0000000001300000-0x0000000001308000-memory.dmp

Filesize
32KB

Download
memory/2168-495-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2168-496-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2168-499-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2168-492-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2168-493-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2168-494-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2216-275-0x0000000000FF0000-0x0000000001324000-memory.dmp

Filesize
3.2MB

Download
memory/2344-95-0x0000000000110000-0x00000000001E4000-memory.dmp

Filesize
848KB

Download
memory/2344-115-0x0000000000110000-0x00000000001E4000-memory.dmp

Filesize
848KB

Download
memory/2360-703-0x0000000000EA0000-0x0000000000EFC000-memory.dmp

Filesize
368KB

Download
memory/2396-503-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2396-504-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2396-113-0x0000000000A10000-0x0000000000D44000-memory.dmp

Filesize
3.2MB

Download
memory/2396-510-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2396-508-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2396-511-0x0000000000040000-0x0000000000060000-memory.dmp

Filesize
128KB

Download
memory/2396-507-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2396-506-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2396-505-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2396-512-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2396-517-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2396-518-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2396-502-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2396-500-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2396-501-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2396-515-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2396-516-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2396-514-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2396-513-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2472-491-0x0000000140000000-0x0000000141A86000-memory.dmp

Filesize
26.5MB

Download
memory/2744-463-0x0000000000400000-0x00000000004C6000-memory.dmp

Filesize
792KB

Download
memory/2744-462-0x0000000000400000-0x00000000004C6000-memory.dmp

Filesize
792KB

Download
memory/2744-464-0x0000000000400000-0x00000000004C6000-memory.dmp

Filesize
792KB

Download
memory/2904-76-0x0000000001150000-0x0000000001635000-memory.dmp

Filesize
4.9MB

Download
memory/2904-87-0x0000000001150000-0x0000000001635000-memory.dmp

Filesize
4.9MB

Download
memory/2980-327-0x0000000077660000-0x0000000077662000-memory.dmp

Filesize
8KB

Download
memory/2980-325-0x0000000077660000-0x0000000077662000-memory.dmp

Filesize
8KB

Download
memory/2980-329-0x0000000077660000-0x0000000077662000-memory.dmp

Filesize
8KB

Download
memory/2980-330-0x0000000140000000-0x0000000141A86000-memory.dmp

Filesize
26.5MB

Download
memory/3216-723-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/3216-729-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/3216-719-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/3216-721-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/3216-725-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/3216-717-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/3316-737-0x0000000000AB0000-0x0000000000B1D000-memory.dmp

Filesize
436KB

Download
memory/3316-834-0x0000000000AB0000-0x0000000000B1D000-memory.dmp

Filesize
436KB

Download
memory/3360-744-0x00000000001C0000-0x0000000000214000-memory.dmp

Filesize
336KB

Download
memory/3436-751-0x0000000000FC0000-0x000000000101C000-memory.dmp

Filesize
368KB

Download
memory/3532-909-0x0000000001140000-0x0000000001194000-memory.dmp

Filesize
336KB

Download
memory/3596-774-0x0000000001280000-0x00000000012D4000-memory.dmp

Filesize
336KB

Download
memory/3660-910-0x00000000048F0000-0x0000000004960000-memory.dmp

Filesize
448KB

Download
memory/3660-908-0x0000000004610000-0x0000000004682000-memory.dmp

Filesize
456KB

Download
memory/3736-801-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/4616-2705-0x0000000000400000-0x0000000000698000-memory.dmp

Filesize
2.6MB

Download
memory/10052-2555-0x0000000001F70000-0x0000000001FB6000-memory.dmp

Filesize
280KB

Download
memory/10052-2556-0x0000000000850000-0x0000000000894000-memory.dmp

Filesize
272KB

Download
memory/10200-2574-0x0000000000ED0000-0x0000000000F1A000-memory.dmp

Filesize
296KB

Download