redline | 16930620b3b9166e0ffbd98f5d5b580c9919fd6ccdcc74fb996f53577f508267

Analysis

max time kernel
92s
max time network
149s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
19-09-2024 04:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

New Text Document mod.exe
Size

8KB
MD5

69994ff2f00eeca9335ccd502198e05b
SHA1

b13a15a5bea65b711b835ce8eccd2a699a99cead
SHA256

2e2e035ece4accdee838ecaacdc263fa526939597954d18d1320d73c8bf810c2
SHA512

ced53147894ed2dfc980bcb50767d9734ba8021f85842a53bb4bb4c502d51b4e9884f5f74c4dd2b70b53cafbe2441376675f7bd0f19bb20a3becb091a34fb9f3
SSDEEP

96:y7ov9wc1dN1Unh3EHJ40CUJCrQt0LpCBIW12nEtgpH9GIkQYQoBNw9fnmK5iLjTv:yZyTFJfCB20LsBIW12n/eIkQ2BNg5S1

Score

10^/10

redline rhadamanthys sectoprat stealc logsdiller cloud (tg: @logsdillabot)rave credential_access discovery evasion execution infostealer persistence rat spyware stealer trojan

Malware Config

Extracted

Family

stealc

Botnet

rave

http://185.215.113.103

Attributes

url_path
/e2b1563c6670f193.php

Extracted

Family

rhadamanthys

https://94.131.99.108:8899/e2eb98731b48eb55a/b8fkfuft.w7s34

Extracted

Family

redline

Botnet

LogsDiller Cloud (TG: @logsdillabot)

193.233.255.84:4284

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 9 IoCs

Processes:

resource	yara_rule
behavioral5/memory/1644-718-0x0000000000400000-0x0000000000452000-memory.dmp	family_redline
behavioral5/memory/1644-720-0x0000000000400000-0x0000000000452000-memory.dmp	family_redline
behavioral5/memory/1644-719-0x0000000000400000-0x0000000000452000-memory.dmp	family_redline
behavioral5/memory/1644-715-0x0000000000400000-0x0000000000452000-memory.dmp	family_redline
behavioral5/memory/1644-713-0x0000000000400000-0x0000000000452000-memory.dmp	family_redline
behavioral5/memory/4024-830-0x0000000004780000-0x00000000047F0000-memory.dmp	family_redline
behavioral5/memory/4024-829-0x0000000004710000-0x0000000004782000-memory.dmp	family_redline
behavioral5/memory/9812-2466-0x0000000001ED0000-0x0000000001F16000-memory.dmp	family_redline
behavioral5/memory/9812-2467-0x0000000002040000-0x0000000002084000-memory.dmp	family_redline

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 2 IoCs

Processes:

resource	yara_rule
behavioral5/memory/2252-577-0x0000000000400000-0x00000000004C6000-memory.dmp	family_sectoprat
behavioral5/memory/2252-576-0x0000000000400000-0x00000000004C6000-memory.dmp	family_sectoprat

Stealc
Stealc is an infostealer written in C++.
stealer stealc
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

rar.exe

description pid process target process

PID 1924 created 1204 1924 rar.exe Explorer.EXE
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

game.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ game.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

6428 powershell.exe
Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Downloads MZ/PE file
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

description	pid	process	target process
PID 1924 created 1204	1924	rar.exe	Explorer.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	game.exe

pid	process
6428	powershell.exe

.NET Reactor proctector 2 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

Processes:

resource	yara_rule
behavioral5/memory/4024-830-0x0000000004780000-0x00000000047F0000-memory.dmp	net_reactor
behavioral5/memory/4024-829-0x0000000004710000-0x0000000004782000-memory.dmp	net_reactor

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

game.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	game.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	game.exe

Executes dropped EXE 32 IoCs

Processes:

66eb0d09c9f08_Gads.exe66eaf17e9bd9e_Softwarepaxck.exegame.exe66eaee5323f5d_setup3.exe231.exe231.tmp231.exe231.tmpAutoIt3.exe66ea645129e6a_jacobs.exeonePackage.exeAutoIt3.exerandom.exegefox.exegefox.tmp66e9b62daa62d_xin.exerar.exe66e98ff1d44e2_crypted.exe66e6ea133c92f_crypted.exe66e57a08ef022_crypted.exeorpqcnvisucm.exe66e57196bb898_111.exe1.exe2.exe66e805302f63c_otr.exe66e8771a651d2_voewgngr.exezabardast-movie2024.mp3.exejekkyvideoeditor32_64.exetrueburner.exe66e9359d801ce_sbgfds.exevtrwh12.exe

pid	process
2508	66eb0d09c9f08_Gads.exe
2096	66eaf17e9bd9e_Softwarepaxck.exe
2892	game.exe
2628	66eaee5323f5d_setup3.exe
1336	231.exe
2168	231.tmp
1992	231.exe
1988	231.tmp
944	AutoIt3.exe
1496	66ea645129e6a_jacobs.exe
1708	onePackage.exe
2832	AutoIt3.exe
2200	random.exe
2568	gefox.exe
2912	gefox.tmp
1720	66e9b62daa62d_xin.exe
1924	rar.exe
1524	66e98ff1d44e2_crypted.exe
1660	66e6ea133c92f_crypted.exe
1868	66e57a08ef022_crypted.exe
476
3608	orpqcnvisucm.exe
3692	66e57196bb898_111.exe
3920	1.exe
4024	2.exe
9812	66e805302f63c_otr.exe
10012	66e8771a651d2_voewgngr.exe
3308	zabardast-movie2024.mp3.exe
3728	jekkyvideoeditor32_64.exe
7116	trueburner.exe
7280	66e9359d801ce_sbgfds.exe
7872	vtrwh12.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

game.exe

description ioc process

Key opened \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Wine game.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Wine	game.exe

Loads dropped DLL 34 IoCs

Processes:

66eaee5323f5d_setup3.exe231.exe231.tmp231.exe231.tmpNew Text Document mod.execmd.exegefox.exegefox.tmp66e57196bb898_111.exeWerFault.exe

pid	process
2628	66eaee5323f5d_setup3.exe
2628	66eaee5323f5d_setup3.exe
2628	66eaee5323f5d_setup3.exe
1336	231.exe
2168	231.tmp
2168	231.tmp
1992	231.exe
1988	231.tmp
1988	231.tmp
1976	New Text Document mod.exe
1976	New Text Document mod.exe
1868	cmd.exe
2568	gefox.exe
2912	gefox.tmp
2912	gefox.tmp
2912	gefox.tmp
476
3692	66e57196bb898_111.exe
3692	66e57196bb898_111.exe
3692	66e57196bb898_111.exe
3692	66e57196bb898_111.exe
3692	66e57196bb898_111.exe
3692	66e57196bb898_111.exe
3692	66e57196bb898_111.exe
3692	66e57196bb898_111.exe
1976	New Text Document mod.exe
1976	New Text Document mod.exe
3344
2912	gefox.tmp
7648	WerFault.exe
7648	WerFault.exe
7648	WerFault.exe
7648	WerFault.exe
7648	WerFault.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

AutoIt3.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\abbkkce = "\"C:\\eegeaeg\\AutoIt3.exe\" C:\\eegeaeg\\abbkkce.a3x"	AutoIt3.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service
T1102

Processes:

flow ioc

233 pastebin.com
236 pastebin.com
22 bitbucket.org
23 bitbucket.org
Power Settings 1 TTPs 8 IoCs
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
persistence

Power Settings
T1653

Processes:

powercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exe

pid process

3432 powercfg.exe
3424 powercfg.exe
10176 powercfg.exe
10168 powercfg.exe
10160 powercfg.exe
10152 powercfg.exe
3448 powercfg.exe
3440 powercfg.exe

flow	ioc
233	pastebin.com
236	pastebin.com
22	bitbucket.org
23	bitbucket.org

pid	process
3432	powercfg.exe
3424	powercfg.exe
10176	powercfg.exe
10168	powercfg.exe
10160	powercfg.exe
10152	powercfg.exe
3448	powercfg.exe
3440	powercfg.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\a\random.exe	autoit_exe

Enumerates processes with tasklist 1 TTPs 6 IoCs
discovery

Process Discovery
T1057

Processes:

tasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exe

pid process

2712 tasklist.exe
2704 tasklist.exe
2604 tasklist.exe
2972 tasklist.exe
876 tasklist.exe
2656 tasklist.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

game.exe

pid process

2892 game.exe

pid	process
2712	tasklist.exe
2704	tasklist.exe
2604	tasklist.exe
2972	tasklist.exe
876	tasklist.exe
2656	tasklist.exe

Suspicious use of SetThreadContext 10 IoCs

Processes:

AutoIt3.exe66e9b62daa62d_xin.exe66e6ea133c92f_crypted.exe66e57a08ef022_crypted.exe66e98ff1d44e2_crypted.exe1.exe66e8771a651d2_voewgngr.exeorpqcnvisucm.exevtrwh12.exe

description	pid	process	target process
PID 2832 set thread context of 2252	2832	AutoIt3.exe	MSBuild.exe
PID 1720 set thread context of 2940	1720	66e9b62daa62d_xin.exe	RegAsm.exe
PID 1660 set thread context of 2532	1660	66e6ea133c92f_crypted.exe	RegAsm.exe
PID 1868 set thread context of 1644	1868	66e57a08ef022_crypted.exe	RegAsm.exe
PID 1524 set thread context of 3236	1524	66e98ff1d44e2_crypted.exe	RegAsm.exe
PID 3920 set thread context of 3080	3920	1.exe	RegAsm.exe
PID 10012 set thread context of 10140	10012	66e8771a651d2_voewgngr.exe	RegAsm.exe
PID 3608 set thread context of 10184	3608	orpqcnvisucm.exe	conhost.exe
PID 3608 set thread context of 2100	3608	orpqcnvisucm.exe	svchost.exe
PID 7872 set thread context of 8028	7872	vtrwh12.exe	RegAsm.exe

Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exe

pid process

3572 sc.exe
3564 sc.exe
3456 sc.exe
3528 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

7648 7280 WerFault.exe 66e9359d801ce_sbgfds.exe

pid	process
3572	sc.exe
3564	sc.exe
3456	sc.exe
3528	sc.exe

pid	pid_target	process	target process
7648	7280	WerFault.exe	66e9359d801ce_sbgfds.exe

System Location Discovery: System Language Discovery 1 TTPs 37 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

66eaf17e9bd9e_Softwarepaxck.exerar.exe66e57a08ef022_crypted.exeRegAsm.exe66e8771a651d2_voewgngr.exe231.tmpAutoIt3.exe66e57196bb898_111.exe1.exe66e805302f63c_otr.exetrueburner.exe231.exe231.tmpAutoIt3.exejekkyvideoeditor32_64.exevtrwh12.exeRegAsm.exe66eaee5323f5d_setup3.exegefox.exegefox.tmpRegAsm.exe66e9359d801ce_sbgfds.exeRegAsm.exe2.exeRegAsm.exegame.exe231.exeMSBuild.exe66e9b62daa62d_xin.execmd.exerandom.exe66e98ff1d44e2_crypted.exeRegAsm.exeRegAsm.exePING.EXE66e6ea133c92f_crypted.exedialer.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	66eaf17e9bd9e_Softwarepaxck.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rar.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	66e57a08ef022_crypted.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	66e8771a651d2_voewgngr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	231.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AutoIt3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	66e57196bb898_111.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	66e805302f63c_otr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	trueburner.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	231.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	231.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AutoIt3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jekkyvideoeditor32_64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vtrwh12.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	66eaee5323f5d_setup3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gefox.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gefox.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	66e9359d801ce_sbgfds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	game.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	231.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	66e9b62daa62d_xin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	random.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	66e98ff1d44e2_crypted.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	66e6ea133c92f_crypted.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dialer.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
discovery

Internet Connection Discovery
T1016.001

Processes:

cmd.exePING.EXE

pid process

1868 cmd.exe
1336 PING.EXE

pid	process
1868	cmd.exe
1336	PING.EXE

Checks processor information in registry 2 TTPs 22 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exefirefox.exefirefox.exefirefox.exeAutoIt3.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AutoIt3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AutoIt3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe

Modifies registry class 4 IoCs

Processes:

firefox.exefirefox.exefirefox.exefirefox.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_Classes\Local Settings	firefox.exe

Modifies system certificate store 2 TTPs 20 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

New Text Document mod.exeRegAsm.exeRegAsm.exeRegAsm.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	New Text Document mod.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	New Text Document mod.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 19000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca61d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e4090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f006700690065007300000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a92000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	New Text Document mod.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	RegAsm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 040000000100000010000000324a4bbbc863699bbe749ac6dd1d46240f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a190000000100000010000000fd960962ac6938e0d4b0769aa1a64e262000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	New Text Document mod.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	New Text Document mod.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba870f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca619000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	New Text Document mod.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064	RegAsm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61	RegAsm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0f000000010000002000000020d814fd5fc477ce74425e441d8f5b48d38db6f1dd119441bc35777689bd094c030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b0640200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e003000000000000b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f007200690074007900000020000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61	RegAsm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 0f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a2000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	RegAsm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 190000000100000010000000dbd91ea86008fd8536f2b37529666c7b0f000000010000002000000020d814fd5fc477ce74425e441d8f5b48d38db6f1dd119441bc35777689bd094c030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b0640200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e003000000000000b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f0072006900740079000000140000000100000014000000f352eacf816860c1097c4b852f4332dd93eb5d4f20000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	New Text Document mod.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6	New Text Document mod.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 0f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	New Text Document mod.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 140000000100000014000000f352eacf816860c1097c4b852f4332dd93eb5d4f0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b0640f000000010000002000000020d814fd5fc477ce74425e441d8f5b48d38db6f1dd119441bc35777689bd094c20000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61	RegAsm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 190000000100000010000000fd960962ac6938e0d4b0769aa1a64e26030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a1d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e709000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6502000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	RegAsm.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1336 PING.EXE

pid	process
1336	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

game.exe231.tmp66ea645129e6a_jacobs.exerar.exedialer.exeMSBuild.exeorpqcnvisucm.exeRegAsm.exeRegAsm.exegefox.tmpRegAsm.exeRegAsm.exe

pid	process
2892	game.exe
1988	231.tmp
1988	231.tmp
1496	66ea645129e6a_jacobs.exe
1924	rar.exe
1924	rar.exe
3192	dialer.exe
3192	dialer.exe
3192	dialer.exe
3192	dialer.exe
1496	66ea645129e6a_jacobs.exe
1496	66ea645129e6a_jacobs.exe
1496	66ea645129e6a_jacobs.exe
1496	66ea645129e6a_jacobs.exe
1496	66ea645129e6a_jacobs.exe
1496	66ea645129e6a_jacobs.exe
1496	66ea645129e6a_jacobs.exe
1496	66ea645129e6a_jacobs.exe
2252	MSBuild.exe
2252	MSBuild.exe
3608	orpqcnvisucm.exe
3608	orpqcnvisucm.exe
3608	orpqcnvisucm.exe
3608	orpqcnvisucm.exe
3608	orpqcnvisucm.exe
3608	orpqcnvisucm.exe
3608	orpqcnvisucm.exe
10140	RegAsm.exe
10140	RegAsm.exe
10140	RegAsm.exe
3608	orpqcnvisucm.exe
2940	RegAsm.exe
2940	RegAsm.exe
2940	RegAsm.exe
2940	RegAsm.exe
2940	RegAsm.exe
2940	RegAsm.exe
2940	RegAsm.exe
2940	RegAsm.exe
2940	RegAsm.exe
2940	RegAsm.exe
2940	RegAsm.exe
2940	RegAsm.exe
2940	RegAsm.exe
2940	RegAsm.exe
2940	RegAsm.exe
2940	RegAsm.exe
2940	RegAsm.exe
2940	RegAsm.exe
2940	RegAsm.exe
2940	RegAsm.exe
2940	RegAsm.exe
2940	RegAsm.exe
2940	RegAsm.exe
2940	RegAsm.exe
2940	RegAsm.exe
2912	gefox.tmp
2912	gefox.tmp
2532	RegAsm.exe
2532	RegAsm.exe
2532	RegAsm.exe
2532	RegAsm.exe
2532	RegAsm.exe
3236	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 42 IoCs

Processes:

New Text Document mod.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exefirefox.exeMSBuild.exeRegAsm.exeRegAsm.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exe2.exe66e805302f63c_otr.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exesvchost.exeRegAsm.exeRegAsm.exefirefox.exe

description	pid	process
Token: SeDebugPrivilege	1976	New Text Document mod.exe
Token: SeDebugPrivilege	876	tasklist.exe
Token: SeDebugPrivilege	2656	tasklist.exe
Token: SeDebugPrivilege	2712	tasklist.exe
Token: SeDebugPrivilege	2704	tasklist.exe
Token: SeDebugPrivilege	2604	tasklist.exe
Token: SeDebugPrivilege	2972	tasklist.exe
Token: SeDebugPrivilege	2716	firefox.exe
Token: SeDebugPrivilege	2716	firefox.exe
Token: SeDebugPrivilege	2252	MSBuild.exe
Token: SeDebugPrivilege	2940	RegAsm.exe
Token: SeBackupPrivilege	2940	RegAsm.exe
Token: SeSecurityPrivilege	2940	RegAsm.exe
Token: SeSecurityPrivilege	2940	RegAsm.exe
Token: SeSecurityPrivilege	2940	RegAsm.exe
Token: SeSecurityPrivilege	2940	RegAsm.exe
Token: SeDebugPrivilege	2532	RegAsm.exe
Token: SeBackupPrivilege	2532	RegAsm.exe
Token: SeSecurityPrivilege	2532	RegAsm.exe
Token: SeSecurityPrivilege	2532	RegAsm.exe
Token: SeSecurityPrivilege	2532	RegAsm.exe
Token: SeSecurityPrivilege	2532	RegAsm.exe
Token: SeShutdownPrivilege	3432	powercfg.exe
Token: SeShutdownPrivilege	3440	powercfg.exe
Token: SeShutdownPrivilege	3424	powercfg.exe
Token: SeShutdownPrivilege	3448	powercfg.exe
Token: SeDebugPrivilege	4024	2.exe
Token: SeBackupPrivilege	9812	66e805302f63c_otr.exe
Token: SeSecurityPrivilege	9812	66e805302f63c_otr.exe
Token: SeSecurityPrivilege	9812	66e805302f63c_otr.exe
Token: SeSecurityPrivilege	9812	66e805302f63c_otr.exe
Token: SeSecurityPrivilege	9812	66e805302f63c_otr.exe
Token: SeShutdownPrivilege	10152	powercfg.exe
Token: SeShutdownPrivilege	10160	powercfg.exe
Token: SeShutdownPrivilege	10176	powercfg.exe
Token: SeShutdownPrivilege	10168	powercfg.exe
Token: SeLockMemoryPrivilege	2100	svchost.exe
Token: SeDebugPrivilege	9812	66e805302f63c_otr.exe
Token: SeDebugPrivilege	3236	RegAsm.exe
Token: SeDebugPrivilege	1644	RegAsm.exe
Token: SeDebugPrivilege	5340	firefox.exe
Token: SeDebugPrivilege	5340	firefox.exe

Suspicious use of FindShellTrayWindow 38 IoCs

Processes:

231.tmprandom.exefirefox.exegefox.tmpfirefox.exe

pid	process
1988	231.tmp
2200	random.exe
2200	random.exe
2716	firefox.exe
2716	firefox.exe
2716	firefox.exe
2716	firefox.exe
2200	random.exe
2200	random.exe
2200	random.exe
2200	random.exe
2200	random.exe
2200	random.exe
2200	random.exe
2200	random.exe
2200	random.exe
2200	random.exe
2200	random.exe
2200	random.exe
2912	gefox.tmp
2200	random.exe
2200	random.exe
2200	random.exe
2200	random.exe
2200	random.exe
2200	random.exe
2200	random.exe
2200	random.exe
5340	firefox.exe
5340	firefox.exe
5340	firefox.exe
5340	firefox.exe
2200	random.exe
2200	random.exe
2200	random.exe
2200	random.exe
2200	random.exe
2200	random.exe

Suspicious use of SendNotifyMessage 33 IoCs

Processes:

random.exefirefox.exefirefox.exe

pid	process
2200	random.exe
2200	random.exe
2716	firefox.exe
2716	firefox.exe
2716	firefox.exe
2200	random.exe
2200	random.exe
2200	random.exe
2200	random.exe
2200	random.exe
2200	random.exe
2200	random.exe
2200	random.exe
2200	random.exe
2200	random.exe
2200	random.exe
2200	random.exe
2200	random.exe
2200	random.exe
2200	random.exe
2200	random.exe
2200	random.exe
2200	random.exe
2200	random.exe
5340	firefox.exe
5340	firefox.exe
5340	firefox.exe
2200	random.exe
2200	random.exe
2200	random.exe
2200	random.exe
2200	random.exe
2200	random.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

MSBuild.exe

pid process

2252 MSBuild.exe

pid	process
2252	MSBuild.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

New Text Document mod.exe231.exe231.tmp231.exe231.tmpcmd.execmd.exe

description	pid	process	target process
PID 1976 wrote to memory of 2508	1976	New Text Document mod.exe	66eb0d09c9f08_Gads.exe
PID 1976 wrote to memory of 2508	1976	New Text Document mod.exe	66eb0d09c9f08_Gads.exe
PID 1976 wrote to memory of 2508	1976	New Text Document mod.exe	66eb0d09c9f08_Gads.exe
PID 1976 wrote to memory of 2508	1976	New Text Document mod.exe	66eb0d09c9f08_Gads.exe
PID 1976 wrote to memory of 2096	1976	New Text Document mod.exe	66eaf17e9bd9e_Softwarepaxck.exe
PID 1976 wrote to memory of 2096	1976	New Text Document mod.exe	66eaf17e9bd9e_Softwarepaxck.exe
PID 1976 wrote to memory of 2096	1976	New Text Document mod.exe	66eaf17e9bd9e_Softwarepaxck.exe
PID 1976 wrote to memory of 2096	1976	New Text Document mod.exe	66eaf17e9bd9e_Softwarepaxck.exe
PID 1976 wrote to memory of 2892	1976	New Text Document mod.exe	game.exe
PID 1976 wrote to memory of 2892	1976	New Text Document mod.exe	game.exe
PID 1976 wrote to memory of 2892	1976	New Text Document mod.exe	game.exe
PID 1976 wrote to memory of 2892	1976	New Text Document mod.exe	game.exe
PID 1976 wrote to memory of 2628	1976	New Text Document mod.exe	66eaee5323f5d_setup3.exe
PID 1976 wrote to memory of 2628	1976	New Text Document mod.exe	66eaee5323f5d_setup3.exe
PID 1976 wrote to memory of 2628	1976	New Text Document mod.exe	66eaee5323f5d_setup3.exe
PID 1976 wrote to memory of 2628	1976	New Text Document mod.exe	66eaee5323f5d_setup3.exe
PID 1976 wrote to memory of 2628	1976	New Text Document mod.exe	66eaee5323f5d_setup3.exe
PID 1976 wrote to memory of 2628	1976	New Text Document mod.exe	66eaee5323f5d_setup3.exe
PID 1976 wrote to memory of 2628	1976	New Text Document mod.exe	66eaee5323f5d_setup3.exe
PID 1976 wrote to memory of 1336	1976	New Text Document mod.exe	231.exe
PID 1976 wrote to memory of 1336	1976	New Text Document mod.exe	231.exe
PID 1976 wrote to memory of 1336	1976	New Text Document mod.exe	231.exe
PID 1976 wrote to memory of 1336	1976	New Text Document mod.exe	231.exe
PID 1336 wrote to memory of 2168	1336	231.exe	231.tmp
PID 1336 wrote to memory of 2168	1336	231.exe	231.tmp
PID 1336 wrote to memory of 2168	1336	231.exe	231.tmp
PID 1336 wrote to memory of 2168	1336	231.exe	231.tmp
PID 1336 wrote to memory of 2168	1336	231.exe	231.tmp
PID 1336 wrote to memory of 2168	1336	231.exe	231.tmp
PID 1336 wrote to memory of 2168	1336	231.exe	231.tmp
PID 2168 wrote to memory of 1992	2168	231.tmp	231.exe
PID 2168 wrote to memory of 1992	2168	231.tmp	231.exe
PID 2168 wrote to memory of 1992	2168	231.tmp	231.exe
PID 2168 wrote to memory of 1992	2168	231.tmp	231.exe
PID 1992 wrote to memory of 1988	1992	231.exe	231.tmp
PID 1992 wrote to memory of 1988	1992	231.exe	231.tmp
PID 1992 wrote to memory of 1988	1992	231.exe	231.tmp
PID 1992 wrote to memory of 1988	1992	231.exe	231.tmp
PID 1992 wrote to memory of 1988	1992	231.exe	231.tmp
PID 1992 wrote to memory of 1988	1992	231.exe	231.tmp
PID 1992 wrote to memory of 1988	1992	231.exe	231.tmp
PID 1988 wrote to memory of 2260	1988	231.tmp	cmd.exe
PID 1988 wrote to memory of 2260	1988	231.tmp	cmd.exe
PID 1988 wrote to memory of 2260	1988	231.tmp	cmd.exe
PID 1988 wrote to memory of 2260	1988	231.tmp	cmd.exe
PID 2260 wrote to memory of 876	2260	cmd.exe	tasklist.exe
PID 2260 wrote to memory of 876	2260	cmd.exe	tasklist.exe
PID 2260 wrote to memory of 876	2260	cmd.exe	tasklist.exe
PID 2260 wrote to memory of 1764	2260	cmd.exe	find.exe
PID 2260 wrote to memory of 1764	2260	cmd.exe	find.exe
PID 2260 wrote to memory of 1764	2260	cmd.exe	find.exe
PID 1988 wrote to memory of 1708	1988	231.tmp	cmd.exe
PID 1988 wrote to memory of 1708	1988	231.tmp	cmd.exe
PID 1988 wrote to memory of 1708	1988	231.tmp	cmd.exe
PID 1988 wrote to memory of 1708	1988	231.tmp	cmd.exe
PID 1708 wrote to memory of 2656	1708	cmd.exe	tasklist.exe
PID 1708 wrote to memory of 2656	1708	cmd.exe	tasklist.exe
PID 1708 wrote to memory of 2656	1708	cmd.exe	tasklist.exe
PID 1708 wrote to memory of 2664	1708	cmd.exe	find.exe
PID 1708 wrote to memory of 2664	1708	cmd.exe	find.exe
PID 1708 wrote to memory of 2664	1708	cmd.exe	find.exe
PID 1988 wrote to memory of 2740	1988	231.tmp	cmd.exe
PID 1988 wrote to memory of 2740	1988	231.tmp	cmd.exe
PID 1988 wrote to memory of 2740	1988	231.tmp	cmd.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1204
- C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe
  "C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe"
  2⤵
  - Loads dropped DLL
  - Modifies system certificate store
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1976
- - C:\Users\Admin\AppData\Local\Temp\a\66eb0d09c9f08_Gads.exe
    "C:\Users\Admin\AppData\Local\Temp\a\66eb0d09c9f08_Gads.exe"
    3⤵
    - Executes dropped EXE
    PID:2508
- - C:\Users\Admin\AppData\Local\Temp\a\66eaf17e9bd9e_Softwarepaxck.exe
    "C:\Users\Admin\AppData\Local\Temp\a\66eaf17e9bd9e_Softwarepaxck.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2096
- - C:\Users\Admin\AppData\Local\Temp\a\game.exe
    "C:\Users\Admin\AppData\Local\Temp\a\game.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2892
- - C:\Users\Admin\AppData\Local\Temp\a\66eaee5323f5d_setup3.exe
    "C:\Users\Admin\AppData\Local\Temp\a\66eaee5323f5d_setup3.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2628
- - C:\Users\Admin\AppData\Local\Temp\a\231.exe
    "C:\Users\Admin\AppData\Local\Temp\a\231.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1336
  - - C:\Users\Admin\AppData\Local\Temp\is-QM2VO.tmp\231.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-QM2VO.tmp\231.tmp" /SL5="$E0152,10740751,812544,C:\Users\Admin\AppData\Local\Temp\a\231.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2168
    - - C:\Users\Admin\AppData\Local\Temp\a\231.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a\231.exe" /VERYSILENT /NORESTART
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1992
      - C:\Users\Admin\AppData\Local\Temp\is-V6B65.tmp\231.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-V6B65.tmp\231.tmp" /SL5="$F0152,10740751,812544,C:\Users\Admin\AppData\Local\Temp\a\231.exe" /VERYSILENT /NORESTART
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of WriteProcessMemory
        
        PID:1988
        
        C:\Windows\system32\cmd.exe
        
        "cmd.exe" /C tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH | find /I "wrsa.exe"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2260
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH
        8⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:876
        
        C:\Windows\system32\find.exe
        
        find /I "wrsa.exe"
        8⤵
        
        PID:1764
        
        C:\Windows\system32\cmd.exe
        
        "cmd.exe" /C tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH | find /I "opssvc.exe"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1708
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH
        8⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2656
        
        C:\Windows\system32\find.exe
        
        find /I "opssvc.exe"
        8⤵
        
        PID:2664
        
        C:\Windows\system32\cmd.exe
        
        "cmd.exe" /C tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH | find /I "avastui.exe"
        7⤵
        
        PID:2740
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH
        8⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2712
        
        C:\Windows\system32\find.exe
        
        find /I "avastui.exe"
        8⤵
        
        PID:2632
        
        C:\Windows\system32\cmd.exe
        
        "cmd.exe" /C tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH | find /I "avgui.exe"
        7⤵
        
        PID:2856
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH
        8⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2704
        
        C:\Windows\system32\find.exe
        
        find /I "avgui.exe"
        8⤵
        
        PID:2588
        
        C:\Windows\system32\cmd.exe
        
        "cmd.exe" /C tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH | find /I "nswscsvc.exe"
        7⤵
        
        PID:2528
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH
        8⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2604
        
        C:\Windows\system32\find.exe
        
        find /I "nswscsvc.exe"
        8⤵
        
        PID:400
        
        C:\Windows\system32\cmd.exe
        
        "cmd.exe" /C tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH | find /I "sophoshealth.exe"
        7⤵
        
        PID:2720
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH
        8⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2972
        
        C:\Windows\system32\find.exe
        
        find /I "sophoshealth.exe"
        8⤵
        
        PID:948
        
        C:\Users\Admin\AppData\Local\acetiam\AutoIt3.exe
        
        "C:\Users\Admin\AppData\Local\acetiam\\AutoIt3.exe" "C:\Users\Admin\AppData\Local\acetiam\\grayhound1..a3x"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:944
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ping -n 5 127.0.0.1 >nul && AutoIt3.exe C:\ProgramData\\6biXEyjQ.a3x && del C:\ProgramData\\6biXEyjQ.a3x
        8⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1868
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 5 127.0.0.1
        9⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1336
        
        C:\Users\Admin\AppData\Local\acetiam\AutoIt3.exe
        
        AutoIt3.exe C:\ProgramData\\6biXEyjQ.a3x
        9⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        
        PID:2832
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        10⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2252
- - C:\Users\Admin\AppData\Local\Temp\a\66ea645129e6a_jacobs.exe
    "C:\Users\Admin\AppData\Local\Temp\a\66ea645129e6a_jacobs.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1496
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
      4⤵
      Power Settings
      Suspicious use of AdjustPrivilegeToken
      PID:3424
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
      4⤵
      Power Settings
      Suspicious use of AdjustPrivilegeToken
      PID:3432
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
      4⤵
      Power Settings
      Suspicious use of AdjustPrivilegeToken
      PID:3440
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
      4⤵
      Power Settings
      Suspicious use of AdjustPrivilegeToken
      PID:3448
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe delete "RRTELIGS"
      4⤵
      Launches sc.exe
      PID:3456
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe create "RRTELIGS" binpath= "C:\ProgramData\ejitkpfdxvzt\orpqcnvisucm.exe" start= "auto"
      4⤵
      Launches sc.exe
      PID:3528
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop eventlog
      4⤵
      Launches sc.exe
      PID:3564
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe start "RRTELIGS"
      4⤵
      Launches sc.exe
      PID:3572
- - C:\Users\Admin\AppData\Local\Temp\a\onePackage.exe
    "C:\Users\Admin\AppData\Local\Temp\a\onePackage.exe"
    3⤵
    - Executes dropped EXE
    PID:1708
- - C:\Users\Admin\AppData\Local\Temp\a\random.exe
    "C:\Users\Admin\AppData\Local\Temp\a\random.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2200
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
      4⤵
      PID:2644
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
        5⤵
        Checks processor information in registry
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2716
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2716.0.1868363646\528014439" -parentBuildID 20221007134813 -prefsHandle 1184 -prefMapHandle 1104 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d2b2deb0-b206-4c13-a8e4-200086753711} 2716 "\\.\pipe\gecko-crash-server-pipe.2716" 1276 107fb158 gpu
        6⤵
        
        PID:1564
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2716.1.1721170431\117032458" -parentBuildID 20221007134813 -prefsHandle 1476 -prefMapHandle 1472 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7af92ec0-0018-4a30-a090-a7bb9b3a9b65} 2716 "\\.\pipe\gecko-crash-server-pipe.2716" 1488 40d9658 socket
        6⤵
        
        PID:1456
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2716.2.1135889585\2010166104" -childID 1 -isForBrowser -prefsHandle 1936 -prefMapHandle 1932 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 644 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6031a2e7-e798-4170-8edb-91f40a90ae1e} 2716 "\\.\pipe\gecko-crash-server-pipe.2716" 1948 1075cb58 tab
        6⤵
        
        PID:1632
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2716.3.847379646\140424637" -childID 2 -isForBrowser -prefsHandle 2764 -prefMapHandle 2760 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 644 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {50a3f2e0-e6d9-4e0f-bc61-a40db7be4671} 2716 "\\.\pipe\gecko-crash-server-pipe.2716" 2776 1d390458 tab
        6⤵
        
        PID:1740
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2716.4.1970584301\1722105636" -childID 3 -isForBrowser -prefsHandle 3372 -prefMapHandle 3368 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 644 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d399bacc-19f0-4c95-982d-ce0fb2e73b4d} 2716 "\\.\pipe\gecko-crash-server-pipe.2716" 3756 20c67858 tab
        6⤵
        
        PID:2712
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2716.5.1706853256\1657142453" -childID 4 -isForBrowser -prefsHandle 3860 -prefMapHandle 3864 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 644 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {342e18e2-5d65-42b9-a186-04a44bc5fbfe} 2716 "\\.\pipe\gecko-crash-server-pipe.2716" 3848 20c67258 tab
        6⤵
        
        PID:1488
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2716.6.56753065\1761901654" -childID 5 -isForBrowser -prefsHandle 4048 -prefMapHandle 4052 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 644 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bd117dcc-bde2-4a15-9b3c-ad2117f1ea20} 2716 "\\.\pipe\gecko-crash-server-pipe.2716" 4040 20c66658 tab
        6⤵
        
        PID:2904
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
      4⤵
      PID:3936
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
        5⤵
        Checks processor information in registry
        Modifies registry class
        
        PID:3964
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3964.0.1998247803\1596206325" -parentBuildID 20221007134813 -prefsHandle 1136 -prefMapHandle 1128 -prefsLen 21028 -prefMapSize 233548 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7d44737f-fe7b-48a9-a787-39821c58db4b} 3964 "\\.\pipe\gecko-crash-server-pipe.3964" 1276 1305b358 gpu
        6⤵
        
        PID:4372
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3964.1.104236474\1153769757" -parentBuildID 20221007134813 -prefsHandle 1456 -prefMapHandle 1452 -prefsLen 21889 -prefMapSize 233548 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bb21284c-b322-4d83-826d-38b1768125f1} 3964 "\\.\pipe\gecko-crash-server-pipe.3964" 1484 efda258 socket
        6⤵
        
        PID:4492
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
      4⤵
      PID:5332
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
        5⤵
        Checks processor information in registry
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:5340
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5340.0.1152846906\553009321" -parentBuildID 20221007134813 -prefsHandle 1208 -prefMapHandle 1140 -prefsLen 21028 -prefMapSize 233548 -appDir "C:\Program Files\Mozilla Firefox\browser" - {cd33b62f-92ef-42ed-9c4f-7df9280723d8} 5340 "\\.\pipe\gecko-crash-server-pipe.5340" 1288 fbf8758 gpu
        6⤵
        
        PID:5516
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5340.1.1600222145\497025372" -parentBuildID 20221007134813 -prefsHandle 1476 -prefMapHandle 1472 -prefsLen 21889 -prefMapSize 233548 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1b2f9781-06e8-49a5-91cb-cd10c34df8cf} 5340 "\\.\pipe\gecko-crash-server-pipe.5340" 1488 a2ddb58 socket
        6⤵
        
        PID:5580
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5340.2.2103411658\787503118" -childID 1 -isForBrowser -prefsHandle 1964 -prefMapHandle 1960 -prefsLen 21927 -prefMapSize 233548 -jsInitHandle 652 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d05d2c1a-e64a-46eb-8b02-fffd5e809d29} 5340 "\\.\pipe\gecko-crash-server-pipe.5340" 1936 18a6a758 tab
        6⤵
        
        PID:5912
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5340.3.225136867\1557293430" -childID 2 -isForBrowser -prefsHandle 2820 -prefMapHandle 2816 -prefsLen 26340 -prefMapSize 233548 -jsInitHandle 652 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {62a0cf03-18e8-4576-b740-22a31d7881c3} 5340 "\\.\pipe\gecko-crash-server-pipe.5340" 2828 e2d858 tab
        6⤵
        
        PID:6156
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5340.4.54414067\1280627387" -childID 3 -isForBrowser -prefsHandle 3628 -prefMapHandle 3624 -prefsLen 26399 -prefMapSize 233548 -jsInitHandle 652 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {90ade74d-dff9-41b2-82b8-6b79529b9e52} 5340 "\\.\pipe\gecko-crash-server-pipe.5340" 3584 1ffef558 tab
        6⤵
        
        PID:6692
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5340.5.855343080\1702907460" -childID 4 -isForBrowser -prefsHandle 3720 -prefMapHandle 3724 -prefsLen 26399 -prefMapSize 233548 -jsInitHandle 652 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bcdd9237-1f88-49de-b2e3-f6e626808164} 5340 "\\.\pipe\gecko-crash-server-pipe.5340" 3708 1c2c0958 tab
        6⤵
        
        PID:6700
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5340.6.1254386573\1493802382" -childID 5 -isForBrowser -prefsHandle 3924 -prefMapHandle 3928 -prefsLen 26399 -prefMapSize 233548 -jsInitHandle 652 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {cfb491d3-202a-42b7-bec6-f3d74064c423} 5340 "\\.\pipe\gecko-crash-server-pipe.5340" 3916 20803e58 tab
        6⤵
        
        PID:6724
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
      4⤵
      PID:7844
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
        5⤵
        Checks processor information in registry
        Modifies registry class
        
        PID:7852
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="7852.0.1647240635\1632621086" -parentBuildID 20221007134813 -prefsHandle 1180 -prefMapHandle 1020 -prefsLen 21028 -prefMapSize 233548 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d53c223d-5341-499c-b19f-08799e2bdd61} 7852 "\\.\pipe\gecko-crash-server-pipe.7852" 1276 126c5e58 gpu
        6⤵
        
        PID:8244
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="7852.1.1322481256\534262184" -parentBuildID 20221007134813 -prefsHandle 1468 -prefMapHandle 1464 -prefsLen 21889 -prefMapSize 233548 -appDir "C:\Program Files\Mozilla Firefox\browser" - {aa8a63c3-385e-4121-8d47-1d2bb39a4a01} 7852 "\\.\pipe\gecko-crash-server-pipe.7852" 1496 adda258 socket
        6⤵
        
        PID:8304
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="7852.2.874983357\631417959" -childID 1 -isForBrowser -prefsHandle 1880 -prefMapHandle 1888 -prefsLen 21927 -prefMapSize 233548 -jsInitHandle 556 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4afd38da-0f68-43f4-9bd8-42026a22f30a} 7852 "\\.\pipe\gecko-crash-server-pipe.7852" 1832 19650158 tab
        6⤵
        
        PID:8636
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="7852.3.164665192\1477992929" -childID 2 -isForBrowser -prefsHandle 2428 -prefMapHandle 2424 -prefsLen 22033 -prefMapSize 233548 -jsInitHandle 556 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fe1e134d-7280-45d6-b4fd-3ecad9a2bf70} 7852 "\\.\pipe\gecko-crash-server-pipe.7852" 2440 1a4f4458 tab
        6⤵
        
        PID:8948
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="7852.4.792690488\1581747712" -childID 3 -isForBrowser -prefsHandle 2776 -prefMapHandle 2784 -prefsLen 26340 -prefMapSize 233548 -jsInitHandle 556 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4a350054-8a47-41cd-8c55-7c93fa915b97} 7852 "\\.\pipe\gecko-crash-server-pipe.7852" 2876 d62258 tab
        6⤵
        
        PID:9068
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="7852.5.1783498559\1954069368" -childID 4 -isForBrowser -prefsHandle 3788 -prefMapHandle 3784 -prefsLen 26399 -prefMapSize 233548 -jsInitHandle 556 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2648990e-ca9e-4591-bbd0-42857ce5c9dd} 7852 "\\.\pipe\gecko-crash-server-pipe.7852" 3796 21b5a458 tab
        6⤵
        
        PID:9976
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="7852.6.2053550853\1481629831" -childID 5 -isForBrowser -prefsHandle 3912 -prefMapHandle 3916 -prefsLen 26399 -prefMapSize 233548 -jsInitHandle 556 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b4180764-8ab1-4430-967c-52d3610371d8} 7852 "\\.\pipe\gecko-crash-server-pipe.7852" 3900 21b5a758 tab
        6⤵
        
        PID:9984
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="7852.7.1521343302\2103950978" -childID 6 -isForBrowser -prefsHandle 4128 -prefMapHandle 4132 -prefsLen 26399 -prefMapSize 233548 -jsInitHandle 556 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c5193ba5-a03d-4f5e-b5a0-253ed7caf726} 7852 "\\.\pipe\gecko-crash-server-pipe.7852" 4112 21b5ad58 tab
        6⤵
        
        PID:10068
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
      4⤵
      PID:3532
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
        5⤵
        
        PID:3444
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3444.0.1265048027\874778996" -parentBuildID 20221007134813 -prefsHandle 988 -prefMapHandle 980 -prefsLen 21028 -prefMapSize 233548 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a07fa6c4-8374-44b2-80b3-148e3b63a1b0} 3444 "\\.\pipe\gecko-crash-server-pipe.3444" 1068 f1dc058 gpu
        6⤵
        
        PID:2460
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe"
        6⤵
        
        PID:2300
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe"
        7⤵
        
        PID:1056
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
      4⤵
      PID:4584
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
        5⤵
        
        PID:4396
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
      4⤵
      PID:5636
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
        5⤵
        
        PID:5656
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
      4⤵
      PID:6684
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
        5⤵
        
        PID:6852
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
      4⤵
      PID:6064
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
        5⤵
        
        PID:5652
- - C:\Users\Admin\AppData\Local\Temp\a\gefox.exe
    "C:\Users\Admin\AppData\Local\Temp\a\gefox.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2568
  - - C:\Users\Admin\AppData\Local\Temp\is-J22P6.tmp\gefox.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-J22P6.tmp\gefox.tmp" /SL5="$70204,2784848,56832,C:\Users\Admin\AppData\Local\Temp\a\gefox.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      PID:2912
    - - C:\Users\Admin\AppData\Local\Jekky Video Editor\jekkyvideoeditor32_64.exe
        
        "C:\Users\Admin\AppData\Local\Jekky Video Editor\jekkyvideoeditor32_64.exe" -i
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3728
- - C:\Users\Admin\AppData\Local\Temp\a\66e9b62daa62d_xin.exe
    "C:\Users\Admin\AppData\Local\Temp\a\66e9b62daa62d_xin.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:1720
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:2620
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Modifies system certificate store
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2940
- - C:\Users\Admin\AppData\Local\Temp\a\rar.exe
    "C:\Users\Admin\AppData\Local\Temp\a\rar.exe"
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1924
- - C:\Users\Admin\AppData\Local\Temp\a\66e98ff1d44e2_crypted.exe
    "C:\Users\Admin\AppData\Local\Temp\a\66e98ff1d44e2_crypted.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:1524
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3236
- - C:\Users\Admin\AppData\Local\Temp\a\66e6ea133c92f_crypted.exe
    "C:\Users\Admin\AppData\Local\Temp\a\66e6ea133c92f_crypted.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:1660
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2532
- - C:\Users\Admin\AppData\Local\Temp\a\66e57a08ef022_crypted.exe
    "C:\Users\Admin\AppData\Local\Temp\a\66e57a08ef022_crypted.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:1868
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Modifies system certificate store
      Suspicious use of AdjustPrivilegeToken
      PID:1644
- - C:\Users\Admin\AppData\Local\Temp\a\66e57196bb898_111.exe
    "C:\Users\Admin\AppData\Local\Temp\a\66e57196bb898_111.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:3692
  - - C:\Windows\Temp\1.exe
      "C:\Windows\Temp\1.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      PID:3920
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        
        PID:2828
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        
        PID:1256
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3080
  - - C:\Windows\Temp\2.exe
      "C:\Windows\Temp\2.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:4024
- - C:\Users\Admin\AppData\Local\Temp\a\66e805302f63c_otr.exe
    "C:\Users\Admin\AppData\Local\Temp\a\66e805302f63c_otr.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:9812
- - C:\Users\Admin\AppData\Local\Temp\a\66e8771a651d2_voewgngr.exe
    "C:\Users\Admin\AppData\Local\Temp\a\66e8771a651d2_voewgngr.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:10012
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Modifies system certificate store
      Suspicious behavior: EnumeratesProcesses
      PID:10140
- - C:\Users\Admin\AppData\Local\Temp\a\zabardast-movie2024.mp3.exe
    "C:\Users\Admin\AppData\Local\Temp\a\zabardast-movie2024.mp3.exe"
    3⤵
    - Executes dropped EXE
    PID:3308
- - C:\Users\Admin\AppData\Local\Temp\a\trueburner.exe
    "C:\Users\Admin\AppData\Local\Temp\a\trueburner.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:7116
- - C:\Users\Admin\AppData\Local\Temp\a\66e9359d801ce_sbgfds.exe
    "C:\Users\Admin\AppData\Local\Temp\a\66e9359d801ce_sbgfds.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:7280
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 7280 -s 556
      4⤵
      Loads dropped DLL
      Program crash
      PID:7648
- - C:\Users\Admin\AppData\Local\Temp\a\vtrwh12.exe
    "C:\Users\Admin\AppData\Local\Temp\a\vtrwh12.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:7872
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:8028
- - C:\Users\Admin\AppData\Local\Temp\a\qm2014chs.exe
    "C:\Users\Admin\AppData\Local\Temp\a\qm2014chs.exe"
    3⤵
    PID:2888
  - - C:\Users\Admin\AppData\Local\Temp\is-NUH5R.tmp\qm2014chs.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-NUH5R.tmp\qm2014chs.tmp" /SL5="$5026A,23530974,254976,C:\Users\Admin\AppData\Local\Temp\a\qm2014chs.exe"
      4⤵
      PID:2504
- - C:\Users\Admin\AppData\Local\Temp\a\Channel2.exe
    "C:\Users\Admin\AppData\Local\Temp\a\Channel2.exe"
    3⤵
    PID:4240
  - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:6428
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
      4⤵
      PID:6652
- - C:\Users\Admin\AppData\Local\Temp\a\Office2024.exe
    "C:\Users\Admin\AppData\Local\Temp\a\Office2024.exe"
    3⤵
    PID:4360
- - C:\Users\Admin\AppData\Local\Temp\a\anon.exe
    "C:\Users\Admin\AppData\Local\Temp\a\anon.exe"
    3⤵
    PID:4988
  - - C:\Users\Admin\AppData\Local\Temp\12584a06d7\Hkbsse.exe
      "C:\Users\Admin\AppData\Local\Temp\12584a06d7\Hkbsse.exe"
      4⤵
      PID:5764
- - C:\Users\Admin\AppData\Local\Temp\a\univ.exe
    "C:\Users\Admin\AppData\Local\Temp\a\univ.exe"
    3⤵
    PID:5556
- - C:\Users\Admin\AppData\Local\Temp\a\ScreenUpdateSync.exe
    "C:\Users\Admin\AppData\Local\Temp\a\ScreenUpdateSync.exe"
    3⤵
    PID:6368
- - C:\Users\Admin\AppData\Local\Temp\a\setup2.exe
    "C:\Users\Admin\AppData\Local\Temp\a\setup2.exe"
    3⤵
    PID:6936
- C:\Windows\SysWOW64\dialer.exe
  "C:\Windows\system32\dialer.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3192

C:\ProgramData\ejitkpfdxvzt\orpqcnvisucm.exe
C:\ProgramData\ejitkpfdxvzt\orpqcnvisucm.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:3608
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:10152
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:10160
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:10168
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:10176
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:10184
- C:\Windows\system32\svchost.exe
  svchost.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Power Settings

T1653

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dc2bb3dd873f6e2306537d140dec901a

SHA1
2f065999fed15d473056409feb72502f97a74bac

SHA256
bc6b00fb402071e3862780349e016d22e45117ee5c451e27e1ead814dcc2d5e0

SHA512
2298a661317f086831248a78954fbf3921ab566f941fdbc93a7a063cf6b337c4c3b8628d71d25c9cde8493bbf16865b02c55119552b15bb16269725270eaba28

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e80312b7d48dda2b82c63a666acc19a8

SHA1
638c4ad4b842119b03212b1976ab42f66fb1b6ab

SHA256
8479fb0a4f60210432a5d6ee3d2b7a5f5b92649c83718bd3c02256b358d5c3fd

SHA512
72cdfe28445746e1256bacd5430b703b58361c2af6603e8b01121845286a5f883d94f326b5df7d945a7e731ea01497c9cf945afd418e61bf545d2a070f14843b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
affa5e7b5344a2539f442e79e730ed57

SHA1
3ba236ca74b8611d775c880bdafec3cc30827a0b

SHA256
c522f15ad1aa7e52533b27e308a5cad7adba88a7590008fab8e3baafc4f05a47

SHA512
b7eb21e6756bdf8aa403e5e4a5e29b25a5fe204259ae99fa1837655a3b29036e39e32c0a9fdffeac9b75d2bfe8485f98f3fdf8bfe979a6c429905004899b9713

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\activity-stream.discovery_stream.json.tmp

Filesize
32KB

MD5
4da325ce33bba2300b282d2a94ee9200

SHA1
1699664dd355bb086c1ddaafcecc19006473cf49

SHA256
88e70d220ea14f65a72d9967f682959f54b86e5653f3f5541ad72dc172046f60

SHA512
a114e4710f7bb3bd2a9a2fcb5e1654c758a5b52619621005b4425bdaa0c72adf81d93cbcea88e5d14994a64bb573c76fc38ad634e5cef008933450875d251da4

Download Submit
C:\Users\Admin\AppData\Local\Temp\12584a06d7\Hkbsse.exe

Filesize
416KB

MD5
897d350557c45f49b9fd780735b218e2

SHA1
a8cfecfe05ed2d3765bf57178338f8a4e93ad6fb

SHA256
ea4964f3eccefd735166a547f6fed7a123a292fab52f9a810936ccaabce8eaa9

SHA512
b1b322f6b2044ec7a31508190eee60fc9502ad2d6ec302e4cd81f4cc05028f013ecedfabb3dda6037b85e94aebad85df394c00a35b679304328fd5ba4b96bae0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab425F.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar4272.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tmp623D.tmp

Filesize
2KB

MD5
1420d30f964eac2c85b2ccfe968eebce

SHA1
bdf9a6876578a3e38079c4f8cf5d6c79687ad750

SHA256
f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9

SHA512
6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\231.exe

Filesize
11.2MB

MD5
4fa734db8e9f7ce5ecd217b34ecc6969

SHA1
fbfc15ded2ebd130c92d812c26dc052561f7ff83

SHA256
f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b

SHA512
76ffd5839721ba668762c4458fd8da8fa8edc656c232e5957c253acc67c599846b89bc9acda1ec8dc5b07d229e143d3deca415c528ba4c04bf9264670f74f48a

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\66e57196bb898_111.exe

Filesize
887KB

MD5
b2a7b79dd7a9fe2786679a0ee2cddfa1

SHA1
bc86afc382707167791784d5e47089c721e441b3

SHA256
bb6b7a806b6fbc27e47c95d876f018a0e1823d696f76e58a3d6b5f745d72b070

SHA512
a4097ecdc0712ff8b5480e486982516de0a10d9d8c738ae2c7193ea81beacb8ecdc3a33c18416181e226ba9a3548d783d2d4eba2da7dc657c881c6b36e31e0b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\66e57a08ef022_crypted.exe

Filesize
314KB

MD5
8240da70945e9b8a7844f1f4e2f1c770

SHA1
37c0f67a71107a5821e1e3f98563e8c331f3618d

SHA256
50c33eaa07d5b99a35a9860123e2fd84551a0907170a199ead8f5e1e2b0097c6

SHA512
e8b6f7baa8ce2d0d2cd18ab59f15be033d8785a5b9c89e9b2cbd6abdfd169856ca11860e2f9cdf8c910f332aa26f39c8b093a0c67671fc05016ae3eb56f5c039

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\66e6ea133c92f_crypted.exe

Filesize
343KB

MD5
ba0dc71d562da0d40e7f409502daa9e0

SHA1
80618645fc93f72086cf1eaf3c1580fb764c5b27

SHA256
d5dd7234246219e84199d9cf575586760737bed43a6994c2abed41fcee4e1403

SHA512
b0750b985bc39ee54ae5d39860fe69463556eaabae725b2ec11bceda7bdb4b21148cb247c290366d50d4a00f94776bee931c2273ece05f1ae97fbe531b5ad5c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\66e98ff1d44e2_crypted.exe

Filesize
323KB

MD5
a0c6989730b44ee30722feccd86d946b

SHA1
4ef62e701352c7dfdf0807460dc4bb3c22be67f0

SHA256
5669998000fdc457a919dea600b100809d0bb5681cbca6a67b544307233b5915

SHA512
e5c622f22ad40cddae798853d40af4695a37bd75624193c0181504a3ac2a28c146339bf06ae0110a995c90bdfcaab9a3072e18a7f610cbed24d5b1d028fc5eba

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\66e9b62daa62d_xin.exe

Filesize
352KB

MD5
8e3fb69a56d807d7ef1c432ea1590496

SHA1
78843735c41af9906484df7c3e3a1d1cd4a0b83d

SHA256
cb2e830d6df32fd5168d39a10d138a1f724651b7dcc561b2b87b59cc96ebb20a

SHA512
12ee5797845e86768d5a99e45fb7cd93b328f4839031a91ea735f41f0eec373a2fb593bce7bb13201e982ee75bd0bc22ed7c2b6caa954facfa238c2a5bae521b

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\66eaee5323f5d_setup3.exe

Filesize
227KB

MD5
a7d7d48f4a9bb7718ec17d11fba9cad8

SHA1
748fec11d5becea085af46e8197f42ac9a1e011b

SHA256
de74bd2a1d74bfb4f73d97a1e652c2a5bd778ae108df31ede4dd96950485118c

SHA512
98dda258e460098e79b9aaee795dbd0122f4541f9864fcf71d039ada426dff0fb8540725d779412eea52a6e66d45875665f11961fc7d7d3a2d2be061671e2e25

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\66eaf17e9bd9e_Softwarepaxck.exe

Filesize
10.8MB

MD5
e4795aedf3d67af6b0cc029d010f7183

SHA1
d29438881071842571f96e658ede500cfba2deb5

SHA256
8f96d1f67c72bf89b1b57433e52a1b193efbc243ee14fb716c7c9b0aa68a3a9f

SHA512
2e6beaf7814e95ea1b425b3783233ae00e4fad44cb360f8e4c129ff97b0bf4d17cebe2dc757988e876463a0962dc8ad636cccdedefaf5325c58b7fb1f139130e

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\66eb0d09c9f08_Gads.exe

Filesize
10.7MB

MD5
5fb5e099087ca0db68f8d58ae7555949

SHA1
caafb9713225e958041183455c1113d2018b9879

SHA256
f37c412bd47fc18d4c153664b116ea18c7d251eb8cdd0af8f130010958a93353

SHA512
307af716a5fd9ce4c01fcc72618595867c167c8de26c4727fd4595e444fa15af9ae8ddcaf35809effc3148552fb166c57a0dd35e38e2082cb29559b6d90b1116

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Office2024.exe

Filesize
2.7MB

MD5
df92abd264b50c9f069246a6e65453f0

SHA1
f5025a44910ceddf26fb3fffb5da28ea93ee1a20

SHA256
bc7d010eb971dbc9cbeedc543f93bb1b6924d57597e213dbe10c2c1efd8d0296

SHA512
a3f48831efa65cea6a2cf313f698b59d84119023196e11b1266d937a5b4c05aa4aab67c6d40450bef5c9245b46316980906fa73196d892f2880abc2b1b863455

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\game.exe

Filesize
2.7MB

MD5
4ce02a77839364d0c6622c43095b2fd2

SHA1
08f5c9628408f6c3fca6f80f112db755d7c0ff62

SHA256
55dae00b91675ae4aeede8d34151a18a10b6b3d37c94d31782800f30eceab373

SHA512
17b4d01c38ecee620d338c049b3efcaa1cab17cc47a98f4bfedd656a81865f918014393650d8ddd66566d5bab27b06bd0c02dff3c0860377fc112dc374311fb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\gefox.exe

Filesize
2.9MB

MD5
75e79e5b6134267e8eaa0af2b2be6952

SHA1
554c9d9d31b6f11e96ac957c7ad6d285a120c8a4

SHA256
0ecc78c8637b4b28d7158a31ee3ca75f07dea64d7bb8c2330ce38189340a4c9e

SHA512
5d1ad17950921fea0a3b08a61df8596200e55db384eabbdd3f2b618cdc472d8529a9933af6461877a0ad021dd4b4ecc73de589b95c2f15d92473cdf16d7ab4ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\onePackage.exe

Filesize
8.3MB

MD5
6c2db0ef90b27f880a1566de7711e6c6

SHA1
e9e14a284fae52c5c91200f81af4f94b53526816

SHA256
c2588125970db20ac97818d2170eecec857f578d7bf3f24ef8f6a3f303798ac6

SHA512
1a9a1220958cc5b9d32dc70074df174eae7040c53bbf1fa4c97753a9f8c2a9a8c20668fc957d743fb038a97ca0017e333181856a783e10cfae0f557d2aab73a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\random.exe

Filesize
898KB

MD5
42f4943fe59d8eafe5ffd7c99bb0a1e4

SHA1
353113d2518ce00390917a73078e81aa52f644fd

SHA256
56f80df241846ea5b1ef32dfb08f156978f6d5ac80e5982f5d7265585bb9fc83

SHA512
02c8e8e54d56fe6d0b4ac697831235d046db31b55e9ebcf8564bbb233a4fc5e21859b8c4240763d6de54c92e58a707f4d35d81205cfb1084d0ca54d2a2c28e2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\rar.exe

Filesize
355KB

MD5
8da6d3f4326ca248d0a99d21d2d8b135

SHA1
45872803f6ccfb405b4383d079c79eff87a3c9c0

SHA256
95897f8814e4c651671799af51c40fbe0a2334827683c82640627e270c57d9d7

SHA512
f1a3f3c3dd87694bd0792e3325887fba197f73f3eaf51bd94ddfc86582eba8539177797fca4d7a7701e2baa541f98043e37925fed08c6de70401d6cad9d69eb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\univ.exe

Filesize
325KB

MD5
85737d1c7426259423c84f96719e82ea

SHA1
0cc96b89ffc0150d6f28143cac0a1070e7d86e40

SHA256
5aba703ae3636bbd23110d80621643e39f4b924a664f85bd6542f9f10c6b983b

SHA512
5dbeaceb38a1991b539e5c11e31b4fdea806d845466052a0ca2c9de46b2d98af64c80d1fd237218f58770f1b334c09e02dd4a6dc7f4043767911a212d359abcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\zabardast-movie2024.mp3.exe

Filesize
192KB

MD5
cbef9bb615e2bd37d730ed30fde6ae03

SHA1
d62d57a40394bd993d415d2ce95431011171ea13

SHA256
7e60419c0819d6577cbfb9be9e7617704d66159bc63ca3c3d1a3c8e4aef91a01

SHA512
4ba4a27b81127ea0fff9f941266f6377f9e55c3e74ded2f64e9a7d8fd9c6a285b2747a31e8bf63e80d5b2844cf99a0b1f238a2d3689efb6b54750aac6b3ce4fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-68ED4.tmp\Close.png

Filesize
1KB

MD5
3b4d7903c5cae5573c8151045b4648cb

SHA1
d30f6679c151b9fd9c406572612d5761f087ed5c

SHA256
56488c6e80114fcacabb65919ca8309b19096d78e52542f865698b5abdc671f8

SHA512
b7a03405b415e650ebc5db6bd3148a226119d9f13bf3d1441a0f796364fd8c7936fafd3ed780d9a71b92f1fc903661aad83a143ff8c2b1c5a4a0f9703325d1cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-J22P6.tmp\gefox.tmp

Filesize
690KB

MD5
d306b8eda5654893c88a5822556ad16d

SHA1
ea9dcc67c6043cb4e51683adc09384032fed7fd0

SHA256
c3c4e5b9e999e5959e8d3412588d042d35398c816a10c0138a23192ce8d6bf71

SHA512
da96dc6f68cced888a0b969c0fd3286eb481f147daa7db0dc8993fba75936d59bbf2d45b0a6dbe7f5f39e9c78a5339c3d7cc8f8fbe1475cacb474ad3d1404063

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5F13.tmp

Filesize
20KB

MD5
c9ff7748d8fcef4cf84a5501e996a641

SHA1
02867e5010f62f97ebb0cfb32cb3ede9449fe0c9

SHA256
4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988

SHA512
d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp81C1.tmp

Filesize
96KB

MD5
5af87691ad0fee4b5115865ccfe53979

SHA1
09f9acddd608fb6f339afeb46b3cb087105a97b3

SHA256
1ef7ea76c7dc5b79690b017252e2384499526e602e380cccf275d8e5b7d521ec

SHA512
ca1587f50208c1f32816d67509db88fa42bb2f5c25e7198c433b579b7378b16820909b6283d40dd15bcffcdbe03b72a59d63cc5ce0b00e07ef15ecb98c47f952

Download Submit
C:\Users\Admin\AppData\Local\acetiam\grayhound.pptx

Filesize
940KB

MD5
0bc6d1c595e440233c6daa45813657a0

SHA1
3a04c1fcd93642fe7b0ad47d67c29344ebddc9a3

SHA256
1841f77c752744d0054847a13cccc5851408d2e38caafcb153e37c56a01f6bac

SHA512
0fe0b161095deaa389ca9b81e8d0b5210598d1f750cc849828bca77168a9e7be0d747ac01c0a2f1d338e2562dcad7ca372c346b575ceb481b9cd7a24da10362f

Download Submit
C:\Users\Admin\AppData\Local\acetiam\grayhound1..a3x

Filesize
62KB

MD5
647d824a19511783d1a011f8b775c1d4

SHA1
46b0213afa55d27a688e9729ac120d4574318cb5

SHA256
8674025ff9edbf37ad8d7e1af8b93bd63e0fe2e8eaea61ee6e1317c468a0e48b

SHA512
ed57dcb8817d329bf989b642be2244976f7725edecb5565788eb1643b81b58fd22c39dcdec827b3f7067ae844f4b62622bf8d079679df10af4f203f67efe1d1f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3551809350-4263495960-1443967649-1000\76b53b3ec448f7ccdda2063b15d2bfc3_5a410d66-f84f-4a6b-9b29-3982febe58d9

Filesize
2KB

MD5
cf1757763f7c622b83bf395d83e4f0ca

SHA1
e9bb082f6e6590e33a4d78973845bf0dc839b996

SHA256
0e021a4120d00e82fb8bcb9c09de7f16af42eef1919ae7e16613355b6179f887

SHA512
4489e574471a04681f3d552cf39e4ba1e44c4b55ce34c5771170d83fb6e840a309db5ba45b8413732ecaeeb596a1f2dc8cb4cc2383becf09b9f5465398d0f18d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
14f34f550218dc99eed3bcac468ad4a2

SHA1
b34b5847e53c956cdf030b2a6a66b86e895ca801

SHA256
6cf3e456c69af29e88a47283df6f8e791458e9db9a21eb2f12e75f855a3b104e

SHA512
6cdc9a1302c7f07c3ff530c77ee64c408c45c09f2697be7420fb2cb677b4a364ff9add4dc272b6735f1575dda0465d7310f3ccb5dbf085c4e445e54384414e47

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
44afe137d6da2d8c8a3cf03565ceb922

SHA1
8f2aad4b06f9ee22e9c5246a86e84c909ae3e5c4

SHA256
f4d6f8b581c21d0438bdf30ca00e281f37194da8e26b0aeadbe1a4e628ae63da

SHA512
2382a1bff95ffc2ddffa0b8297c166c4603dd96df4c95a6225e331bf9ac135840871379c3807c402980619f8c77babc629f5817eb03056b5fe6f4045a1797dc1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
427c7412265d03a068b525ff83d398eb

SHA1
0437568cb613ffba42bc238ce3c5d9fdb3d730a8

SHA256
b1c884b98c0d882e923f666481d575372b74677a3fb56254bfca257fe4898b59

SHA512
4c8999331a7a0adc51a1e6bf3cb5889a880c15034b75f36eb4e0044e646defd760c3a226cf198fb16daf7e6dfbff831a2f59f97d7b61f6b4c3530d859e0d8e68

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\datareporting\glean\pending_pings\289e7b94-e86b-4492-9c42-778dcc760399

Filesize
593B

MD5
54819d455f1a5f87469fbdd940cef82a

SHA1
7cecf5c69f7d3427a1bd47a659ffaaca610a83d9

SHA256
89db6e3d58703491edb753deefba2db148f3a5ee8e9e5259697c9f99b1b8504f

SHA512
3cf379550de8d031a488b05388935c58643b255530a3e4d4bafd248600763fce122898bd72e683d6258f265fb04e05e6bb8dd67be0a5ab702128dac41aa65b14

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\datareporting\glean\pending_pings\43e274d1-7ff0-4b79-9157-996889e72172

Filesize
656B

MD5
8f37a4ba4cac59aa68f34628798f0013

SHA1
04d8772e3b64a1631f633736c759460a20b676cd

SHA256
fc8bdc10ac21522a88213fd7f55af6f2504e510a962441a5dfeaeb53c50d0019

SHA512
7ba63529ec24ce3fab65274178b30dc60f0a48c501984b1807867d8b7e417a0720a6d47a3682781d2bd7bebc3f9c46b4055e39f064e570c2ba3a70e40ede37c0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\datareporting\glean\pending_pings\4d57d156-e288-4049-ad74-bea6dd99d183

Filesize
593B

MD5
4ac702bf964adc12b4475bbd85f468c6

SHA1
572dce5914f251ca5c0c762316400939abdb1dce

SHA256
085b75f94933267aa9ab9d8007c4c3b57a94dcc5536a39c365b7b6c595bb3b20

SHA512
8b8cba86ea3ff0113be67c54dc743d3382ddf791e489cb456923db7ffd415eee760c9a90a4114d00f86303ae6de3549443bacc5b156c90731022e9809091bba7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\datareporting\glean\pending_pings\61acf195-e395-4582-bc0f-fca59ed20277

Filesize
656B

MD5
b2a9e2c727aef50740c11940d71648b4

SHA1
cbadfa03185f2ab336992996383018b03263fc31

SHA256
6183e8f3ae969674f9267d6a7e28979073f14b76920852cae1a016c593c9320b

SHA512
1e82300b07e69f6906ff2838f0420369acf26ce448e32f17ba3e3054d6eb824707fd1aa57d84b9bac5a6f36c32220a0db417299d982fb6179f85588dfca275e9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\datareporting\glean\pending_pings\7bca2c38-886a-4da3-8191-1b3df189d13a

Filesize
745B

MD5
d75481dfff7c4df0deee979356ca2e52

SHA1
53402703b5e465f67444cea833df398a5fe005e6

SHA256
d9722db8769cd5b038eebbf68638739f99e8d9f7cd48c5a3e34b8cc1f915111d

SHA512
c958d34c1853212c87014a5909410936fec30c6b934ee49d9bc338fdc03602646189c83a1100351ffd5ea54c374ca9256ddc8a13c73d6f75e1894f4a9fa97f24

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\datareporting\glean\pending_pings\c873f880-3edf-468a-b40c-ed7aaeda08ef

Filesize
10KB

MD5
8f786472a72545d4e3eee2dd6e0dc3f1

SHA1
86c1c584b890db17ea755b0474bbeedc33283545

SHA256
4dfa6854e572492a95feedef630d3e02c50304fc6162006931e27a2acd54deab

SHA512
0a4d61012aaca403dfd8950c2a9a5c23a124ca136fcd566d959a530d177003af298eaa471619b4be8004038dfa084a7c71b13ef693d47198ef054aa956d4255a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\prefs-1.js

Filesize
6KB

MD5
08c8f86bb5350f2f80e0b1249178f0dc

SHA1
70478be8dac37dec29a54a1a8e2a0889c6949782

SHA256
d35b6839638e46f2e152d567d9ee099d075783bbeda7cfbc76f108a8eaaf863a

SHA512
b17967b7d52856a0efe9420b27e3ac714a9c014f0d40115bc76ceabc3e28bbb6ee3f2c8ec34143326fa13d20ec5c54dcc33698525a1a9abdc916dc0bc2544f03

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\prefs-1.js

Filesize
6KB

MD5
2639c8f368303f8a26083be23609442f

SHA1
d65f4f21a99e4f3059bf0330c16d3c81e638dcd5

SHA256
6c8652fd27e08290bb4627918a7b7ab66dec29314f4434c6b1c5ddc694522b72

SHA512
84053a114647fa192dff600eddc927fbc6db79019feb690fa90407c9aac131d29408493c9fc1d3aa031a437f771b962e895c24e35e35839c74d685c84545149e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\prefs-1.js

Filesize
6KB

MD5
0d591427df3119257edbfdc3e02fbcb6

SHA1
e4442da5801bc8fec154623af136876952f314a5

SHA256
0235029c85d431a619c26f8731676df3cf8c71a36e7f8734a041e21efe2134f4

SHA512
853a1e68f75addb8733e4f4b660d8b78f8c403797f01c8dc2f35a8f71bf5c658bad308531f130149cdff6579c8ba5870b4c2d3d8361c77e77131989be379cc6c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\prefs.js

Filesize
6KB

MD5
439ddc3d290ccd75796fd89a2abf56bf

SHA1
57bb9c324f0e8b8ab5b667449bebd4d3d6c96aab

SHA256
f7529c3a53751d7feb58e130e18d01c43e5101535251941cb6608f0ba0291afc

SHA512
0cac61f253a0227217f22e9cbf3088a316bdb1d48e88232a5832577c21509f8634435d44fd6e25e51cc65ca33d82b99a92d077c66d07919aa4b6d25844786cd3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\sessionCheckpoints.json.tmp

Filesize
90B

MD5
c4ab2ee59ca41b6d6a6ea911f35bdc00

SHA1
5942cd6505fc8a9daba403b082067e1cdefdfbc4

SHA256
00ad9799527c3fd21f3a85012565eae817490f3e0d417413bf9567bb5909f6a2

SHA512
71ea16900479e6af161e0aad08c8d1e9ded5868a8d848e7647272f3002e2f2013e16382b677abe3c6f17792a26293b9e27ec78e16f00bd24ba3d21072bd1cae2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\sessionCheckpoints.json.tmp

Filesize
53B

MD5
ea8b62857dfdbd3d0be7d7e4a954ec9a

SHA1
b43bc4b3ea206a02ef8f63d5bfad0c96bf2a3b2a

SHA256
792955295ae9c382986222c6731c5870bd0e921e7f7e34cc4615f5cd67f225da

SHA512
076ee83534f42563046d25086166f82e1a3ec61840c113aec67abe2d8195daa247d827d0c54e7e8f8a1bbf2d082a3763577587e84342ec160ff97905243e6d19

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
184KB

MD5
3dc733f51b6c47c0e57ae7035b9abacf

SHA1
d4c28a6f9d4bae9e297440a46726a2cb3e2504ba

SHA256
aafa700fb884f14becaf86a0eb9df79dfa15885b2ebe11cabe5f48a3a5d9e0e1

SHA512
e02670f6fa626a21ad150e0e0e589ba9f1f7a1fb921dc28f4117dc0a30a337b9c9b165dd0a30da864fe4dbdf130372e846648792a0bcf5aad4e8d28118101067

Download Submit
C:\Users\Public\Desktop\Google Chrome.lnk

Filesize
2KB

MD5
81084a8c06cbeb056e9b6a418819fe42

SHA1
3c88293860188bd7ff111f7236aaf001a046ed29

SHA256
595d3dc4b5228c397212fbba74c795d0f78b1c09645ae9f6e7ca2460b218b617

SHA512
cf454adcc3b3ff8ab52db0dd39b7518215cef98c8c42e677d730e1eaa77117b318c997767b811a833ff3a5cd8f5ae12c155ea257666868d030b0c3647ebe898f

Download Submit
C:\Windows\Temp\1.exe

Filesize
313KB

MD5
a36dc92515ad9a1efd791c57e6b8825b

SHA1
787767c3c8717c4f165adc1b20acc9a8352bab06

SHA256
e3b5a04c8bc029a519b7edb6f32ef05b48e83f8ba5d78957aaff4900c1abbbad

SHA512
74401be47fc01142abd227bc1383958be499dabefff142be673d2b340e17e8944f4ee9d82f07d2380532f7f45eaa1dce2f73b482b17d39da19f9da5d1db0421f

Download Submit
C:\Windows\Temp\2.exe

Filesize
435KB

MD5
1f3cfcf8aad3e5e3164405d272aa213e

SHA1
96f1c646d19deab4ff071fbc6b3c73c87ce56e49

SHA256
fcdab9639af874cba780e20c21a9bc662b160dc313ddb75e5f82f779f1680101

SHA512
0d2008b613bed0f1bed205ace8e89d13d5b5e0fca924ca1f9d0e322564c7d7610e0e735e3686701d3042fef1c164dcd43e40a67eb60199b885fbcb761fa41b06

Download Submit
\Users\Admin\AppData\Local\Temp\a\66ea645129e6a_jacobs.exe

Filesize
11.0MB

MD5
d60d266e8fbdbd7794653ecf2aba26ed

SHA1
469ed7d853d590e90f05bdf77af114b84c88de2c

SHA256
d4df1aba83289161d578336e1b7b6daf7269bb73acc92bd9dfa2c262ebc6c4d2

SHA512
80df5d568e34dfc086f546e8d076749e58a7230ed1aa33f3a5c9d966809becadc9922317095032d6e6a7ecdfbfbce02a72cc82513ab0d132c5ffa6c07682bd87

Download Submit
\Users\Admin\AppData\Local\Temp\is-F9JF4.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
\Users\Admin\AppData\Local\Temp\is-QM2VO.tmp\231.tmp

Filesize
3.1MB

MD5
81636f80b1e7c0b8f946c8ff0081436a

SHA1
9e7b01f8324e089b925cb9050ce74cd099c58370

SHA256
ca3de247b4d58905e04277ee2386cedaeff38a0fad1f46bfff304ba9f0710f35

SHA512
67432e1a56e043573bc67d904f4c735f70333b35fe6efe2bb11ee1137bdd96bdbd3ed2956dbf8314b3a15ea2b2260fb5d3904481efb96c7dbb6661a32b13a85a

Download Submit
\Users\Admin\AppData\Local\Temp\is-SKA3J.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\acetiam\AutoIt3.exe

Filesize
921KB

MD5
3f58a517f1f4796225137e7659ad2adb

SHA1
e264ba0e9987b0ad0812e5dd4dd3075531cfe269

SHA256
1da298cab4d537b0b7b5dabf09bff6a212b9e45731e0cc772f99026005fb9e48

SHA512
acf740aafce390d06c6a76c84e7ae7c0f721731973aadbe3e57f2eb63241a01303cc6bf11a3f9a88f8be0237998b5772bdaf569137d63ba3d0f877e7d27fc634

Download Submit
memory/1336-95-0x00000000010B0000-0x0000000001184000-memory.dmp

Filesize
848KB

Download
memory/1336-115-0x00000000010B0000-0x0000000001184000-memory.dmp

Filesize
848KB

Download
memory/1496-302-0x0000000076F20000-0x0000000076F22000-memory.dmp

Filesize
8KB

Download
memory/1496-303-0x0000000140000000-0x0000000141A86000-memory.dmp

Filesize
26.5MB

Download
memory/1496-298-0x0000000076F20000-0x0000000076F22000-memory.dmp

Filesize
8KB

Download
memory/1496-300-0x0000000076F20000-0x0000000076F22000-memory.dmp

Filesize
8KB

Download
memory/1524-671-0x0000000001030000-0x0000000001084000-memory.dmp

Filesize
336KB

Download
memory/1644-718-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1644-709-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1644-711-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1644-720-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1644-719-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1644-715-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1644-713-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1660-687-0x0000000000A40000-0x0000000000A9C000-memory.dmp

Filesize
368KB

Download
memory/1720-617-0x0000000000FB0000-0x000000000100C000-memory.dmp

Filesize
368KB

Download
memory/1868-707-0x0000000000190000-0x00000000001E4000-memory.dmp

Filesize
336KB

Download
memory/1924-664-0x0000000000190000-0x00000000001FD000-memory.dmp

Filesize
436KB

Download
memory/1924-733-0x0000000002F50000-0x0000000003350000-memory.dmp

Filesize
4.0MB

Download
memory/1924-724-0x0000000002F50000-0x0000000003350000-memory.dmp

Filesize
4.0MB

Download
memory/1924-735-0x0000000076D70000-0x0000000076F19000-memory.dmp

Filesize
1.7MB

Download
memory/1924-737-0x0000000076850000-0x0000000076897000-memory.dmp

Filesize
284KB

Download
memory/1924-739-0x0000000000190000-0x00000000001FD000-memory.dmp

Filesize
436KB

Download
memory/1976-58-0x000007FEF4C80000-0x000007FEF566C000-memory.dmp

Filesize
9.9MB

Download
memory/1976-0-0x000007FEF4C83000-0x000007FEF4C84000-memory.dmp

Filesize
4KB

Download
memory/1976-1-0x0000000001260000-0x0000000001268000-memory.dmp

Filesize
32KB

Download
memory/1976-2-0x000007FEF4C80000-0x000007FEF566C000-memory.dmp

Filesize
9.9MB

Download
memory/1976-57-0x000007FEF4C83000-0x000007FEF4C84000-memory.dmp

Filesize
4KB

Download
memory/1988-275-0x0000000000930000-0x0000000000C64000-memory.dmp

Filesize
3.2MB

Download
memory/1992-112-0x00000000010B0000-0x0000000001184000-memory.dmp

Filesize
848KB

Download
memory/1992-277-0x00000000010B0000-0x0000000001184000-memory.dmp

Filesize
848KB

Download
memory/2168-111-0x00000000008F0000-0x0000000000C24000-memory.dmp

Filesize
3.2MB

Download
memory/2252-575-0x0000000000400000-0x00000000004C6000-memory.dmp

Filesize
792KB

Download
memory/2252-577-0x0000000000400000-0x00000000004C6000-memory.dmp

Filesize
792KB

Download
memory/2252-576-0x0000000000400000-0x00000000004C6000-memory.dmp

Filesize
792KB

Download
memory/2532-697-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2568-580-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2628-87-0x0000000000400000-0x0000000000534000-memory.dmp

Filesize
1.2MB

Download
memory/2892-76-0x00000000000A0000-0x0000000000585000-memory.dmp

Filesize
4.9MB

Download
memory/2892-89-0x00000000000A0000-0x0000000000585000-memory.dmp

Filesize
4.9MB

Download
memory/2912-2593-0x0000000005010000-0x00000000052A8000-memory.dmp

Filesize
2.6MB

Download
memory/2940-656-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2940-649-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2940-654-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2940-651-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2940-653-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2940-647-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2940-645-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2940-655-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/3192-738-0x0000000000080000-0x0000000000089000-memory.dmp

Filesize
36KB

Download
memory/3728-2594-0x0000000000400000-0x0000000000698000-memory.dmp

Filesize
2.6MB

Download
memory/3920-811-0x0000000000C30000-0x0000000000C84000-memory.dmp

Filesize
336KB

Download
memory/4024-829-0x0000000004710000-0x0000000004782000-memory.dmp

Filesize
456KB

Download
memory/4024-830-0x0000000004780000-0x00000000047F0000-memory.dmp

Filesize
448KB

Download
memory/6428-3743-0x0000000001DA0000-0x0000000001DA8000-memory.dmp

Filesize
32KB

Download
memory/6652-3705-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/7280-2822-0x0000000001000000-0x0000000001038000-memory.dmp

Filesize
224KB

Download
memory/7872-2886-0x0000000001170000-0x00000000011BA000-memory.dmp

Filesize
296KB

Download
memory/9812-2466-0x0000000001ED0000-0x0000000001F16000-memory.dmp

Filesize
280KB

Download
memory/9812-2467-0x0000000002040000-0x0000000002084000-memory.dmp

Filesize
272KB

Download
memory/10012-2504-0x0000000000180000-0x00000000001CA000-memory.dmp

Filesize
296KB

Download