ammyyadmin | 718398bf0ff9b1c409f357af1c44bcaf33d9e454db519e3c01879eaf3370d028

Analysis

max time kernel
144s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
28-10-2024 19:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4363463463464363463463463.exe
Size

10KB
MD5

2a94f3960c58c6e70826495f76d00b85
SHA1

e2a1a5641295f5ebf01a37ac1c170ac0814bb71a
SHA256

2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
SHA512

fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f
SSDEEP

192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

sigorta

18.198.25.148:1604

Mutex

af7e773d-541a-46fd-87d3-06bb0a26aab9

Attributes

encryption_key
D306945220105109C86E6E257D749CE885E76091
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Extracted

Family

phorphiex

185.215.113.66

Attributes

mutex
6246464

Extracted

Family

quasar

Version

1.4.1

Botnet

Discord

anonam39-28434.portmap.io:28434

Mutex

05aac410-7e7c-4d54-8ab3-5dd8debced86

Attributes

encryption_key
988A53977562DB64E94AB77416B59FECD5DEB50D
install_name
Discord.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Discord
subdirectory
a7

Extracted

Family

redline

185.215.113.9:12617

Extracted

Family

quasar

Version

1.4.1

Botnet

Main

tpinauskas-54803.portmap.host:54803

Mutex

8422dcc2-b8bd-4080-a017-5b62524b6546

Attributes

encryption_key
2EFF7393DC1BD9FBDDD61A780B994B8166BAB8EC
install_name
Win64.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Win64
subdirectory
SubDir

Signatures

Ammyy Admin
Remote admin tool with various capabilities.
rat ammyyadmin

AmmyyAdmin payload 1 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023cbb-63.dat	family_ammyyadmin

Ammyyadmin family
ammyyadmin

DeerStealer 6 IoCs

Detects DeerStealer malware - JaffaCakes118.

stealer

resource	yara_rule
behavioral2/files/0x0008000000023cd3-305.dat	DeerStealer
behavioral2/memory/3184-398-0x00007FF7D8B10000-0x00007FF7D8E13000-memory.dmp	DeerStealer
behavioral2/memory/3184-442-0x00007FF7D8B10000-0x00007FF7D8E13000-memory.dmp	DeerStealer
behavioral2/memory/3184-623-0x00007FF7D8B10000-0x00007FF7D8E13000-memory.dmp	DeerStealer
behavioral2/memory/3184-628-0x00007FF7D8B10000-0x00007FF7D8E13000-memory.dmp	DeerStealer
behavioral2/memory/3184-650-0x00007FF7D8B10000-0x00007FF7D8E13000-memory.dmp	DeerStealer

Deerstealer family
deerstealer

Detects Lobshot family 6 IoCs

resource	yara_rule
behavioral2/memory/5312-352-0x0000000000400000-0x0000000000420000-memory.dmp	family_lobshot
behavioral2/memory/5312-354-0x0000000000400000-0x0000000000420000-memory.dmp	family_lobshot
behavioral2/memory/5312-356-0x0000000000400000-0x0000000000420000-memory.dmp	family_lobshot
behavioral2/memory/2520-428-0x0000000000400000-0x0000000000420000-memory.dmp	family_lobshot
behavioral2/memory/2520-430-0x0000000000400000-0x0000000000420000-memory.dmp	family_lobshot
behavioral2/memory/2520-515-0x0000000000400000-0x0000000000420000-memory.dmp	family_lobshot

FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
trojan flawedammyy
Flawedammyy family
flawedammyy
Lobshot
Lobshot is a backdoor module written in c++.
backdoor lobshot
Lobshot family
lobshot

Modifies security service 2 TTPs 3 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	sysklnorbcv.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	sysvplervcs.exe

Phorphiex family
phorphiex

Phorphiex payload 3 IoCs

resource	yara_rule
behavioral2/files/0x0011000000023b78-55.dat	family_phorphiex
behavioral2/files/0x000c000000023cc7-78.dat	family_phorphiex
behavioral2/files/0x0007000000023cd0-111.dat	family_phorphiex

Phorphiex, Phorpiex
Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
worm trojan loader phorphiex
Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 6 IoCs

resource	yara_rule
behavioral2/files/0x000c000000023b70-19.dat	family_quasar
behavioral2/memory/2824-27-0x0000000000180000-0x00000000004A4000-memory.dmp	family_quasar
behavioral2/files/0x0007000000023d76-585.dat	family_quasar
behavioral2/memory/900-590-0x0000000000380000-0x00000000006EA000-memory.dmp	family_quasar
behavioral2/files/0x0008000000023d6d-735.dat	family_quasar
behavioral2/memory/5888-740-0x0000000000F60000-0x00000000012A0000-memory.dmp	family_quasar

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral2/files/0x000e000000023b77-694.dat	family_redline
behavioral2/memory/6084-699-0x0000000000FB0000-0x0000000001002000-memory.dmp	family_redline

Redline family
redline

Suspicious use of NtCreateUserProcessOtherParentProcess 7 IoCs

description	pid	Process	procid_target
PID 5764 created 3376	5764	nxmr.exe	55
PID 5764 created 3376	5764	nxmr.exe	55
PID 5476 created 3376	5476	winupsecvmgr.exe	55
PID 5476 created 3376	5476	winupsecvmgr.exe	55
PID 5476 created 3376	5476	winupsecvmgr.exe	55
PID 5212 created 3376	5212	2598123388.exe	55
PID 5212 created 3376	5212	2598123388.exe	55

Windows security bypass 2 TTPs 18 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sysklnorbcv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sysklnorbcv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sysklnorbcv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	sysvplervcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sysvplervcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sysvplervcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sysvplervcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	sysklnorbcv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sysklnorbcv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sysklnorbcv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sysvplervcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sysvplervcs.exe

Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 4 IoCs

miner

resource	yara_rule
behavioral2/memory/5476-575-0x00007FF6BB660000-0x00007FF6BBBF7000-memory.dmp	xmrig
behavioral2/memory/5184-622-0x00007FF6D09B0000-0x00007FF6D119F000-memory.dmp	xmrig
behavioral2/memory/5184-646-0x00007FF6D09B0000-0x00007FF6D119F000-memory.dmp	xmrig
behavioral2/memory/5184-730-0x00007FF6D09B0000-0x00007FF6D119F000-memory.dmp	xmrig

Blocklisted process makes network request 1 IoCs

flow	pid	Process
241	4996	rundll32.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4732	powershell.exe
1940	powershell.exe
2572	powershell.exe
5340	powershell.exe
5268	powershell.exe
5200	powershell.exe
5016	powershell.exe
6112	powershell.exe
2244	powershell.exe
5340	powershell.exe
5268	powershell.exe

Downloads MZ/PE file
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks computer location settings 2 TTPs 10 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	4363463463464363463463463.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	sysklnorbcv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	AA_v3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Discord.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	RedeemShore.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	nc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	sysppvrdnvs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	sysvplervcs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	1444010583.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Discord.exe

Executes dropped EXE 41 IoCs

pid	Process
2824	aa.exe
3520	nc.exe
1848	newtpp.exe
3516	AA_v3.exe
2624	AA_v3.exe
3208	AA_v3.exe
1492	t1.exe
4968	sysppvrdnvs.exe
4840	whats-new.exe
564	m.exe
3304	sysklnorbcv.exe
4344	sysvplervcs.exe
3184	server.exe
216	pi.exe
5276	360_.exe
5312	360_.exe
5992	1444010583.exe
4732	ef12ce34.exe
2520	ef12ce34.exe
5764	nxmr.exe
5428	peinf.exe
5960	236031592.exe
5476	winupsecvmgr.exe
5124	SharpHound.exe
5204	newfile.exe
5832	o.exe
3268	vpn.exe
6104	863528686.exe
900	Discord.exe
6124	Discord.exe
6040	1252821226.exe
2036	Discord.exe
5212	2598123388.exe
3280	RedeemShore.exe
1600	winupsecvmgr.exe
6084	hna.exe
6088	staged.exe
6036	ss.exe
4356	Discord.exe
5888	Amogus.exe
5200	Win64.exe

Loads dropped DLL 3 IoCs

pid	Process
4840	whats-new.exe
4840	whats-new.exe
4996	rundll32.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Windows security modification 2 TTPs 21 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sysklnorbcv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	sysvplervcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sysvplervcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sysklnorbcv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	sysvplervcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sysvplervcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	sysklnorbcv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sysklnorbcv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sysvplervcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sysvplervcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	sysklnorbcv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sysklnorbcv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sysklnorbcv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sysvplervcs.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysppvrdnvs.exe"	newtpp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysklnorbcv.exe"	t1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysvplervcs.exe"	m.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\c321cbe9 = "C:\\ProgramData\\ef12ce34.exe"	360_.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\c321cbe9 = "C:\\ProgramData\\ef12ce34.exe"	ef12ce34.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Windows Telemetry Crash Uploader = "C:\\ProgramData\\Telemetry.exe"	newfile.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
138	bitbucket.org
140	bitbucket.org
190	raw.githubusercontent.com
191	raw.githubusercontent.com

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	AA_v3.exe
File opened for modification	\??\PhysicalDrive0	AA_v3.exe

Drops file in System32 directory 20 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\a7	Discord.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData	AA_v3.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A82946818BB0433A7DC1AFD2189B16AF	AA_v3.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	AA_v3.exe
File opened for modification	C:\Windows\system32\a7	Discord.exe
File opened for modification	C:\Windows\system32\a7\Discord.exe	Discord.exe
File opened for modification	C:\Windows\system32\a7\Discord.exe	Discord.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft	AA_v3.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	AA_v3.exe
File created	C:\Windows\system32\a7\Discord.exe	Discord.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache	AA_v3.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751	AA_v3.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content	AA_v3.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751	AA_v3.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A82946818BB0433A7DC1AFD2189B16AF	AA_v3.exe
File opened for modification	C:\Windows\system32\a7	Discord.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	AA_v3.exe
File opened for modification	C:\Windows\system32\a7\Discord.exe	Discord.exe
File opened for modification	C:\Windows\system32\a7	Discord.exe
File opened for modification	C:\Windows\system32\a7\Discord.exe	Discord.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 5276 set thread context of 5312	5276	360_.exe	171
PID 4732 set thread context of 2520	4732	ef12ce34.exe	187
PID 5476 set thread context of 5904	5476	winupsecvmgr.exe	210
PID 5476 set thread context of 5184	5476	winupsecvmgr.exe	211

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000023caf-32.dat	upx
behavioral2/memory/3520-39-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral2/memory/3520-46-0x0000000000400000-0x0000000000424000-memory.dmp	upx

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	\??\c:\program files\common files\microsoft shared\stationery\funletters\greetings\whats-new-text.jpg	whats-new.exe
File opened for modification	\??\c:\program files\common files\microsoft shared\stationery\funletters\greetings\whats-new.gif	whats-new.exe
File opened for modification	\??\c:\program files\common files\microsoft shared\stationery\funletters\greetings\whats-new.htm	whats-new.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\sysvplervcs.exe	m.exe
File created	C:\Windows\sysppvrdnvs.exe	newtpp.exe
File opened for modification	C:\Windows\sysppvrdnvs.exe	newtpp.exe
File created	C:\Windows\sysklnorbcv.exe	t1.exe
File opened for modification	C:\Windows\sysklnorbcv.exe	t1.exe
File created	C:\Windows\sysvplervcs.exe	m.exe

Launches sc.exe 15 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4048	sc.exe
3656	sc.exe
3332	sc.exe
3188	sc.exe
4172	sc.exe
1320	sc.exe
4988	sc.exe
1180	sc.exe
4676	sc.exe
2000	sc.exe
3372	sc.exe
2816	sc.exe
5112	sc.exe
1968	sc.exe
3512	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 57 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysklnorbcv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	360_.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	236031592.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	t1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1252821226.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RedeemShore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	peinf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vpn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	staged.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysvplervcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AA_v3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	o.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hna.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	863528686.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ef12ce34.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysppvrdnvs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	newtpp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4363463463464363463463463.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AA_v3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	whats-new.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	m.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AA_v3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	360_.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ef12ce34.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 6 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
5452	PING.EXE
5448	PING.EXE
2068	PING.EXE
5452	PING.EXE
6076	PING.EXE
5352	cmd.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 11 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	AA_v3.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	AA_v3.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	AA_v3.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Ammyy	AA_v3.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin	AA_v3.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr3 = 26cea10935e9b5b3a5d92e5261aef73160acf9137dbf1f75892187eaa2ce6fc91a791a2b1b799a33c55161323ef8407e83a51ba90f3dece3e8e5422d313a2fede531db0da9f72b93c8b839	AA_v3.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	AA_v3.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin	AA_v3.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	AA_v3.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	AA_v3.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	AA_v3.exe

Runs ping.exe 1 TTPs 5 IoCs

Remote System Discovery

T1018

pid	Process
5452	PING.EXE
5448	PING.EXE
2068	PING.EXE
5452	PING.EXE
6076	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1348	schtasks.exe
6004	schtasks.exe
6044	schtasks.exe
6120	schtasks.exe
5452	schtasks.exe
5448	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4732	powershell.exe
4732	powershell.exe
4732	powershell.exe
1940	powershell.exe
1940	powershell.exe
1940	powershell.exe
2572	powershell.exe
2572	powershell.exe
2572	powershell.exe
3048	msedge.exe
3048	msedge.exe
3812	msedge.exe
3812	msedge.exe
3856	identity_helper.exe
3856	identity_helper.exe
5312	360_.exe
5312	360_.exe
5340	powershell.exe
5340	powershell.exe
5340	powershell.exe
5992	1444010583.exe
5992	1444010583.exe
2520	ef12ce34.exe
2520	ef12ce34.exe
5268	powershell.exe
5268	powershell.exe
5268	powershell.exe
5764	nxmr.exe
5764	nxmr.exe
6112	powershell.exe
6112	powershell.exe
6112	powershell.exe
5764	nxmr.exe
5764	nxmr.exe
5476	winupsecvmgr.exe
5476	winupsecvmgr.exe
2244	powershell.exe
2244	powershell.exe
2244	powershell.exe
5476	winupsecvmgr.exe
5476	winupsecvmgr.exe
5476	winupsecvmgr.exe
5476	winupsecvmgr.exe
4996	rundll32.exe
4996	rundll32.exe
4996	rundll32.exe
4996	rundll32.exe
5212	2598123388.exe
5212	2598123388.exe
5200	powershell.exe
5200	powershell.exe
5200	powershell.exe
4996	rundll32.exe
4996	rundll32.exe
5212	2598123388.exe
5212	2598123388.exe
4996	rundll32.exe
4996	rundll32.exe
4996	rundll32.exe
4996	rundll32.exe
4996	rundll32.exe
4996	rundll32.exe
4996	rundll32.exe
4996	rundll32.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
3812	msedge.exe
3812	msedge.exe
3812	msedge.exe
3812	msedge.exe
3812	msedge.exe
3812	msedge.exe
3812	msedge.exe
3812	msedge.exe

Suspicious behavior: SetClipboardViewer 2 IoCs

pid	Process
3304	sysklnorbcv.exe
4344	sysvplervcs.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1176	4363463463464363463463463.exe
Token: SeDebugPrivilege	2824	aa.exe
Token: SeDebugPrivilege	4732	powershell.exe
Token: SeDebugPrivilege	1940	powershell.exe
Token: SeDebugPrivilege	2572	powershell.exe
Token: SeDebugPrivilege	5340	powershell.exe
Token: SeDebugPrivilege	5992	1444010583.exe
Token: SeDebugPrivilege	5268	powershell.exe
Token: SeDebugPrivilege	6112	powershell.exe
Token: SeIncreaseQuotaPrivilege	6112	powershell.exe
Token: SeSecurityPrivilege	6112	powershell.exe
Token: SeTakeOwnershipPrivilege	6112	powershell.exe
Token: SeLoadDriverPrivilege	6112	powershell.exe
Token: SeSystemProfilePrivilege	6112	powershell.exe
Token: SeSystemtimePrivilege	6112	powershell.exe
Token: SeProfSingleProcessPrivilege	6112	powershell.exe
Token: SeIncBasePriorityPrivilege	6112	powershell.exe
Token: SeCreatePagefilePrivilege	6112	powershell.exe
Token: SeBackupPrivilege	6112	powershell.exe
Token: SeRestorePrivilege	6112	powershell.exe
Token: SeShutdownPrivilege	6112	powershell.exe
Token: SeDebugPrivilege	6112	powershell.exe
Token: SeSystemEnvironmentPrivilege	6112	powershell.exe
Token: SeRemoteShutdownPrivilege	6112	powershell.exe
Token: SeUndockPrivilege	6112	powershell.exe
Token: SeManageVolumePrivilege	6112	powershell.exe
Token: 33	6112	powershell.exe
Token: 34	6112	powershell.exe
Token: 35	6112	powershell.exe
Token: 36	6112	powershell.exe
Token: SeIncreaseQuotaPrivilege	6112	powershell.exe
Token: SeSecurityPrivilege	6112	powershell.exe
Token: SeTakeOwnershipPrivilege	6112	powershell.exe
Token: SeLoadDriverPrivilege	6112	powershell.exe
Token: SeSystemProfilePrivilege	6112	powershell.exe
Token: SeSystemtimePrivilege	6112	powershell.exe
Token: SeProfSingleProcessPrivilege	6112	powershell.exe
Token: SeIncBasePriorityPrivilege	6112	powershell.exe
Token: SeCreatePagefilePrivilege	6112	powershell.exe
Token: SeBackupPrivilege	6112	powershell.exe
Token: SeRestorePrivilege	6112	powershell.exe
Token: SeShutdownPrivilege	6112	powershell.exe
Token: SeDebugPrivilege	6112	powershell.exe
Token: SeSystemEnvironmentPrivilege	6112	powershell.exe
Token: SeRemoteShutdownPrivilege	6112	powershell.exe
Token: SeUndockPrivilege	6112	powershell.exe
Token: SeManageVolumePrivilege	6112	powershell.exe
Token: 33	6112	powershell.exe
Token: 34	6112	powershell.exe
Token: 35	6112	powershell.exe
Token: 36	6112	powershell.exe
Token: SeIncreaseQuotaPrivilege	6112	powershell.exe
Token: SeSecurityPrivilege	6112	powershell.exe
Token: SeTakeOwnershipPrivilege	6112	powershell.exe
Token: SeLoadDriverPrivilege	6112	powershell.exe
Token: SeSystemProfilePrivilege	6112	powershell.exe
Token: SeSystemtimePrivilege	6112	powershell.exe
Token: SeProfSingleProcessPrivilege	6112	powershell.exe
Token: SeIncBasePriorityPrivilege	6112	powershell.exe
Token: SeCreatePagefilePrivilege	6112	powershell.exe
Token: SeBackupPrivilege	6112	powershell.exe
Token: SeRestorePrivilege	6112	powershell.exe
Token: SeShutdownPrivilege	6112	powershell.exe
Token: SeDebugPrivilege	6112	powershell.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
2824	aa.exe
3208	AA_v3.exe
3812	msedge.exe
3812	msedge.exe
3812	msedge.exe
3812	msedge.exe
3812	msedge.exe
3812	msedge.exe
3812	msedge.exe
3812	msedge.exe
3812	msedge.exe
3812	msedge.exe
3812	msedge.exe
3812	msedge.exe
3812	msedge.exe
3812	msedge.exe
3812	msedge.exe
3812	msedge.exe
3812	msedge.exe
3812	msedge.exe
3812	msedge.exe
3812	msedge.exe
3812	msedge.exe
3812	msedge.exe
3812	msedge.exe
3812	msedge.exe
3812	msedge.exe

Suspicious use of SendNotifyMessage 26 IoCs

pid	Process
2824	aa.exe
3208	AA_v3.exe
3812	msedge.exe
3812	msedge.exe
3812	msedge.exe
3812	msedge.exe
3812	msedge.exe
3812	msedge.exe
3812	msedge.exe
3812	msedge.exe
3812	msedge.exe
3812	msedge.exe
3812	msedge.exe
3812	msedge.exe
3812	msedge.exe
3812	msedge.exe
3812	msedge.exe
3812	msedge.exe
3812	msedge.exe
3812	msedge.exe
3812	msedge.exe
3812	msedge.exe
3812	msedge.exe
3812	msedge.exe
3812	msedge.exe
3812	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1176 wrote to memory of 2824	1176	4363463463464363463463463.exe	96
PID 1176 wrote to memory of 2824	1176	4363463463464363463463463.exe	96
PID 1176 wrote to memory of 3520	1176	4363463463464363463463463.exe	97
PID 1176 wrote to memory of 3520	1176	4363463463464363463463463.exe	97
PID 1176 wrote to memory of 3520	1176	4363463463464363463463463.exe	97
PID 3520 wrote to memory of 3456	3520	nc.exe	98
PID 3520 wrote to memory of 3456	3520	nc.exe	98
PID 3520 wrote to memory of 3456	3520	nc.exe	98
PID 1176 wrote to memory of 1848	1176	4363463463464363463463463.exe	104
PID 1176 wrote to memory of 1848	1176	4363463463464363463463463.exe	104
PID 1176 wrote to memory of 1848	1176	4363463463464363463463463.exe	104
PID 1176 wrote to memory of 3516	1176	4363463463464363463463463.exe	105
PID 1176 wrote to memory of 3516	1176	4363463463464363463463463.exe	105
PID 1176 wrote to memory of 3516	1176	4363463463464363463463463.exe	105
PID 2624 wrote to memory of 3208	2624	AA_v3.exe	107
PID 2624 wrote to memory of 3208	2624	AA_v3.exe	107
PID 2624 wrote to memory of 3208	2624	AA_v3.exe	107
PID 1176 wrote to memory of 1492	1176	4363463463464363463463463.exe	108
PID 1176 wrote to memory of 1492	1176	4363463463464363463463463.exe	108
PID 1176 wrote to memory of 1492	1176	4363463463464363463463463.exe	108
PID 1848 wrote to memory of 4968	1848	newtpp.exe	109
PID 1848 wrote to memory of 4968	1848	newtpp.exe	109
PID 1848 wrote to memory of 4968	1848	newtpp.exe	109
PID 1176 wrote to memory of 4840	1176	4363463463464363463463463.exe	110
PID 1176 wrote to memory of 4840	1176	4363463463464363463463463.exe	110
PID 1176 wrote to memory of 4840	1176	4363463463464363463463463.exe	110
PID 1176 wrote to memory of 564	1176	4363463463464363463463463.exe	111
PID 1176 wrote to memory of 564	1176	4363463463464363463463463.exe	111
PID 1176 wrote to memory of 564	1176	4363463463464363463463463.exe	111
PID 1492 wrote to memory of 3304	1492	t1.exe	112
PID 1492 wrote to memory of 3304	1492	t1.exe	112
PID 1492 wrote to memory of 3304	1492	t1.exe	112
PID 4968 wrote to memory of 2600	4968	sysppvrdnvs.exe	113
PID 4968 wrote to memory of 2600	4968	sysppvrdnvs.exe	113
PID 4968 wrote to memory of 2600	4968	sysppvrdnvs.exe	113
PID 4968 wrote to memory of 2788	4968	sysppvrdnvs.exe	115
PID 4968 wrote to memory of 2788	4968	sysppvrdnvs.exe	115
PID 4968 wrote to memory of 2788	4968	sysppvrdnvs.exe	115
PID 2600 wrote to memory of 4732	2600	cmd.exe	117
PID 2600 wrote to memory of 4732	2600	cmd.exe	117
PID 2600 wrote to memory of 4732	2600	cmd.exe	117
PID 2788 wrote to memory of 1180	2788	cmd.exe	118
PID 2788 wrote to memory of 1180	2788	cmd.exe	118
PID 2788 wrote to memory of 1180	2788	cmd.exe	118
PID 2788 wrote to memory of 3332	2788	cmd.exe	119
PID 2788 wrote to memory of 3332	2788	cmd.exe	119
PID 2788 wrote to memory of 3332	2788	cmd.exe	119
PID 2788 wrote to memory of 3188	2788	cmd.exe	120
PID 2788 wrote to memory of 3188	2788	cmd.exe	120
PID 2788 wrote to memory of 3188	2788	cmd.exe	120
PID 2788 wrote to memory of 4048	2788	cmd.exe	121
PID 2788 wrote to memory of 4048	2788	cmd.exe	121
PID 2788 wrote to memory of 4048	2788	cmd.exe	121
PID 2788 wrote to memory of 2816	2788	cmd.exe	122
PID 2788 wrote to memory of 2816	2788	cmd.exe	122
PID 2788 wrote to memory of 2816	2788	cmd.exe	122
PID 564 wrote to memory of 4344	564	m.exe	123
PID 564 wrote to memory of 4344	564	m.exe	123
PID 564 wrote to memory of 4344	564	m.exe	123
PID 3304 wrote to memory of 1476	3304	sysklnorbcv.exe	124
PID 3304 wrote to memory of 1476	3304	sysklnorbcv.exe	124
PID 3304 wrote to memory of 1476	3304	sysklnorbcv.exe	124
PID 3304 wrote to memory of 1368	3304	sysklnorbcv.exe	126
PID 3304 wrote to memory of 1368	3304	sysklnorbcv.exe	126

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3376
- C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe
  "C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1176
- - C:\Users\Admin\AppData\Local\Temp\Files\aa.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\aa.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2824
- - C:\Users\Admin\AppData\Local\Temp\Files\nc.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\nc.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3520
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7zS0CDF84D7\a.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:3456
- - C:\Users\Admin\AppData\Local\Temp\Files\newtpp.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\newtpp.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1848
  - - C:\Windows\sysppvrdnvs.exe
      C:\Windows\sysppvrdnvs.exe
      4⤵
      Modifies security service
      Windows security bypass
      Checks computer location settings
      Executes dropped EXE
      Windows security modification
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4968
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2600
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
        6⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4732
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop DoSvc & sc stop BITS /wait
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2788
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop UsoSvc
        6⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:1180
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop WaaSMedicSvc
        6⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:3332
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop wuauserv
        6⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:3188
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop DoSvc
        6⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:4048
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop BITS /wait
        6⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:2816
- - C:\Users\Admin\AppData\Local\Temp\Files\AA_v3.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\AA_v3.exe"
    3⤵
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    - System Location Discovery: System Language Discovery
    PID:3516
- - C:\Users\Admin\AppData\Local\Temp\Files\t1.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\t1.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1492
  - - C:\Windows\sysklnorbcv.exe
      C:\Windows\sysklnorbcv.exe
      4⤵
      Modifies security service
      Windows security bypass
      Checks computer location settings
      Executes dropped EXE
      Windows security modification
      System Location Discovery: System Language Discovery
      Suspicious behavior: SetClipboardViewer
      Suspicious use of WriteProcessMemory
      PID:3304
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1476
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
        6⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1940
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop DoSvc & sc stop BITS
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1368
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop UsoSvc
        6⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:5112
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop WaaSMedicSvc
        6⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:1968
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop wuauserv
        6⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:2000
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop DoSvc
        6⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:4676
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop BITS
        6⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:4172
    - - C:\Users\Admin\AppData\Local\Temp\1444010583.exe
        
        C:\Users\Admin\AppData\Local\Temp\1444010583.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5992
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
        6⤵
        
        PID:6056
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
        7⤵
        
        PID:5088
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "Windows Upgrade Manager"
        6⤵
        
        PID:6080
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /delete /f /tn "Windows Upgrade Manager"
        7⤵
        
        PID:2616
    - - C:\Users\Admin\AppData\Local\Temp\236031592.exe
        
        C:\Users\Admin\AppData\Local\Temp\236031592.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5960
    - - C:\Users\Admin\AppData\Local\Temp\863528686.exe
        
        C:\Users\Admin\AppData\Local\Temp\863528686.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:6104
      - C:\Users\Admin\AppData\Local\Temp\2598123388.exe
        
        C:\Users\Admin\AppData\Local\Temp\2598123388.exe
        6⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:5212
    - - C:\Users\Admin\AppData\Local\Temp\1252821226.exe
        
        C:\Users\Admin\AppData\Local\Temp\1252821226.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:6040
- - C:\Users\Admin\AppData\Local\Temp\Files\whats-new.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\whats-new.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    PID:4840
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.funletters.net/readme.htm
      4⤵
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:3812
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdeef746f8,0x7ffdeef74708,0x7ffdeef74718
        5⤵
        
        PID:2868
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,2730786700419402177,13045592802404634311,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2
        5⤵
        
        PID:4764
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,2730786700419402177,13045592802404634311,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2228 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3048
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,2730786700419402177,13045592802404634311,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2724 /prefetch:8
        5⤵
        
        PID:3372
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,2730786700419402177,13045592802404634311,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
        5⤵
        
        PID:1476
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,2730786700419402177,13045592802404634311,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
        5⤵
        
        PID:4788
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,2730786700419402177,13045592802404634311,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4932 /prefetch:1
        5⤵
        
        PID:212
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,2730786700419402177,13045592802404634311,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5168 /prefetch:1
        5⤵
        
        PID:3284
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,2730786700419402177,13045592802404634311,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5612 /prefetch:8
        5⤵
        
        PID:3656
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,2730786700419402177,13045592802404634311,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5612 /prefetch:8
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3856
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,2730786700419402177,13045592802404634311,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5516 /prefetch:1
        5⤵
        
        PID:4676
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,2730786700419402177,13045592802404634311,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5536 /prefetch:1
        5⤵
        
        PID:2596
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,2730786700419402177,13045592802404634311,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5228 /prefetch:1
        5⤵
        
        PID:5600
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,2730786700419402177,13045592802404634311,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4084 /prefetch:1
        5⤵
        
        PID:5608
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,2730786700419402177,13045592802404634311,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3224 /prefetch:2
        5⤵
        
        PID:3308
- - C:\Users\Admin\AppData\Local\Temp\Files\m.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\m.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:564
  - - C:\Windows\sysvplervcs.exe
      C:\Windows\sysvplervcs.exe
      4⤵
      Modifies security service
      Windows security bypass
      Checks computer location settings
      Executes dropped EXE
      Windows security modification
      System Location Discovery: System Language Discovery
      Suspicious behavior: SetClipboardViewer
      PID:4344
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3184
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
        6⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2572
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop DoSvc & sc stop BITS /wait
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3152
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop UsoSvc
        6⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:1320
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop WaaSMedicSvc
        6⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:3656
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop wuauserv
        6⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:3372
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop DoSvc
        6⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:4988
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop BITS /wait
        6⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:3512
- - C:\Users\Admin\AppData\Local\Temp\Files\server.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\server.exe"
    3⤵
    - Executes dropped EXE
    PID:3184
- - C:\Users\Admin\AppData\Local\Temp\Files\pi.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\pi.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:216
- - C:\Users\Admin\AppData\Local\Temp\Files\360_.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\360_.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:5276
  - - C:\Users\Admin\AppData\Local\Temp\Files\360_.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\360_.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:5312
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -W Hidden -Exec Bypass Add-MpPreference -ExclusionPath "C:\ProgramData"
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5340
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c (ping -n 10 127.0.0.1) & (del /F /Q "C:\Users\Admin\AppData\Local\Temp\Files\360_.exe") & (start "" "C:\ProgramData\ef12ce34.exe")
        5⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:5352
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 127.0.0.1
        6⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5452
      - C:\ProgramData\ef12ce34.exe
        
        "C:\ProgramData\ef12ce34.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4732
        
        C:\ProgramData\ef12ce34.exe
        
        "C:\ProgramData\ef12ce34.exe"
        7⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2520
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -W Hidden -Exec Bypass Add-MpPreference -ExclusionPath "C:\ProgramData"
        8⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5268
- - C:\Users\Admin\AppData\Local\Temp\Files\nxmr.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\nxmr.exe"
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:5764
- - C:\Users\Admin\AppData\Local\Temp\Files\peinf.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\peinf.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5428
- - C:\Users\Admin\AppData\Local\Temp\Files\SharpHound.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\SharpHound.exe"
    3⤵
    - Executes dropped EXE
    PID:5124
- - C:\Users\Admin\AppData\Local\Temp\Files\newfile.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\newfile.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    PID:5204
- - C:\Users\Admin\AppData\Local\Temp\Files\o.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\o.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5832
- - C:\Users\Admin\AppData\Local\Temp\Files\vpn.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\vpn.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3268
- - C:\Users\Admin\AppData\Local\Temp\Files\Discord.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\Discord.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    PID:900
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Windows\system32\a7\Discord.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:6044
  - - C:\Windows\system32\a7\Discord.exe
      "C:\Windows\system32\a7\Discord.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in System32 directory
      PID:6124
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Windows\system32\a7\Discord.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:6120
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YWI3RRrXPiXl.bat" "
        5⤵
        
        PID:5036
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:5480
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5448
      - C:\Windows\system32\a7\Discord.exe
        
        "C:\Windows\system32\a7\Discord.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2036
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Windows\system32\a7\Discord.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5452
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DjQLZNLIpgSH.bat" "
        7⤵
        
        PID:1564
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:3460
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2068
        
        C:\Windows\system32\a7\Discord.exe
        
        "C:\Windows\system32\a7\Discord.exe"
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4356
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Windows\system32\a7\Discord.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5448
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\c1IZ4mxEpgFR.bat" "
        9⤵
        
        PID:1716
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:8
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5452
- - C:\Users\Admin\AppData\Local\Temp\Files\RedeemShore.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\RedeemShore.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3280
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c move Min Min.bat & Min.bat
      4⤵
      System Location Discovery: System Language Discovery
      PID:1348
- - C:\Users\Admin\AppData\Local\Temp\Files\hna.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\hna.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:6084
- - C:\Users\Admin\AppData\Local\Temp\Files\staged.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\staged.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:6088
- - C:\Users\Admin\AppData\Local\Temp\Files\ss.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\ss.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:6036
- - C:\Users\Admin\AppData\Local\Temp\Files\Amogus.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\Amogus.exe"
    3⤵
    - Executes dropped EXE
    PID:5888
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "Win64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1348
  - - C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe"
      4⤵
      Executes dropped EXE
      PID:5200
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Win64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:6004
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Mb6gVOkAahW9.bat" "
        5⤵
        
        PID:4688
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:3892
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:6076
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:6112
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "Microsoft Windows Security"
  2⤵
  PID:3452
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:2244
- C:\Windows\System32\conhost.exe
  C:\Windows\System32\conhost.exe
  2⤵
  PID:5904
- C:\Windows\System32\dwm.exe
  C:\Windows\System32\dwm.exe
  2⤵
  PID:5184
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:5200
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "Microsoft Windows Security"
  2⤵
  PID:1524
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:5016

C:\Users\Admin\AppData\Local\Temp\Files\AA_v3.exe
"C:\Users\Admin\AppData\Local\Temp\Files\AA_v3.exe" -service -lunch
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2624
- C:\Users\Admin\AppData\Local\Temp\Files\AA_v3.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\AA_v3.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:3208
- - C:\Windows\SYSTEM32\rundll32.exe
    rundll32.exe "C:\ProgramData\AMMYY\aa_nts.dll",run
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:4996

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3448

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1076

C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe
"C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe"
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:5476

C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe
"C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe"
1⤵
- Executes dropped EXE
PID:1600

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2200

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Pre-OS Boot

T1542

Bootkit

T1542.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\AMMYY\aa_nts.dll

Filesize
902KB

MD5
480a66902e6e7cdafaa6711e8697ff8c

SHA1
6ac730962e7c1dba9e2ecc5733a506544f3c8d11

SHA256
7eaaaa6010bbcd6bb8c9ad08d4b0966c7aedc9b2ac24758f170012ac36e508b5

SHA512
7d010cd47b7d1adf66f9c97afc6c3805997aa5c7cc6ff13eddee81f24cf2b95a3fe375ec5b3d6185c0bc8840b4ad91ae143c73a39af26391cc182ab6a1793ba5

Download Submit
C:\ProgramData\AMMYY\aa_nts.msg

Filesize
46B

MD5
76038623e270f399769df67a3ed15c16

SHA1
ebf7d7537f45738be48e6f64d59c846b13fb4334

SHA256
4dbdf4f709d50f9521e92ce5f7d4f305e2384bcda387fb2b325ff17d205bb687

SHA512
a5316694d844e5b10c589f58fdf65645568b3909b2914f85c99195f9625e4124f787bc0980cff98f1e8289ff84824620a03f32cdab18e5bbcb2e59b33f397aec

Download Submit
C:\ProgramData\AMMYY\settings3.bin

Filesize
334B

MD5
1cc2cf11c8b2bc557a2f22d84b226085

SHA1
b0b19c4cd67fe4293c5e4ab62e63212479c6c973

SHA256
cdc06ee67d9070aaea3abe3fed38f3827ebdfbf5e539b0ce691b037af4ee0d15

SHA512
39d33643a1f882e25f4009fd976e5761bde40c05fb5565bf82f325e54fe43c53673086a9d14c48ab78c8c7f0f9f8dfc44d3b54e522477cb04eedd73d18d284a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ba6ef346187b40694d493da98d5da979

SHA1
643c15bec043f8673943885199bb06cd1652ee37

SHA256
d86eec91f295dfda8ed1c5fa99de426f2fe359282c7ebf67e3a40be739475d73

SHA512
2e6cc97330be8868d4b9c53be7e12c558f6eb1ac2c4080a611ba6c43561d0c5bb4791b8a11a8c2371599f0ba73ed1d9a7a2ea6dee2ae6a080f1912e0cb1f656c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b8880802fc2bb880a7a869faa01315b0

SHA1
51d1a3fa2c272f094515675d82150bfce08ee8d3

SHA256
467b8cd4aacac66557712f9843023dcedefcc26efc746f3e44157bc8dac73812

SHA512
e1c6dba2579357ba70de58968b167d2c529534d24bff70568144270c48ac18a48ee2af2d58d78ae741e5a36958fa78a57955bd2456f1df00b781fc1002e123d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
92cb0f371ff4d47d2f2c27e1278a9037

SHA1
d6982e4dbbf85f2704ece5a561694f4e5128f3ed

SHA256
57169e3c62af3d1c992934bf8052460a06e76a8713dd85008e807f2d223d9468

SHA512
939f53757663944d148df53576bf598d511f8761acb69c04178ebe991386c8e0cbfa87c2bc15618de4669cb1c90a650fc5dfff0e4800d18dad82a30c563f55d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
2bbfc209494e146b335961d68e6d056c

SHA1
1622da7e6acd0f801980590a9a99f72b57901ef0

SHA256
794533e85cc55b5ee2c86c5f67b936cac0220d1b611d2bbb74816ca6d313f063

SHA512
79fa4a17e3f5ac4d410b12d2b468f96e8acc372501afc275a74d917fcd05853688b34587f1e7af041d904eef9261085a1a582e2b51c7053e2c22154b92352b02

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
ba8648a03de09b3f52f853b4bbd8405c

SHA1
0db3173eb798712bdd607d0299c05936210bd398

SHA256
82d68b3a0ddfa25955c7e985420b6f97107e0d0ed4aec81d8ef33545f83b0d59

SHA512
03a881f3ac5ef6d1ed47c5450469d553c06496ac452bab8674f2cff5b59f81091eabc2e067895bff8a1ee03e9268fccd6cf8e51139baf6ff934d08cc89d0ee90

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
ce5df185d80497a7cd411d4e842eddea

SHA1
d8d95efdc3178173ff354d9fc2f3956d241e3653

SHA256
d8c8231f437708b12f56f693ffd20c4d71c46e11e0f1742132d5fdb682b5d254

SHA512
e28cdc2c84feb982a6ba9714ef230d8955a52ce267d06034dc5c5f1ac7a5aeac61bfd3589f1439830bcb38291487b8a328d0536285751dba3f34a2f51736c776

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
d65d024cbf5bd5514393fcc3208c1911

SHA1
7b5b7eadb315e24082e1e77abda92ded830c5ba7

SHA256
215e51a7c6ba060303e9875419a79d3d98b2a0df93bce718fdec606e93385f62

SHA512
8c6fa7b4db2de7aedee834f9d3dee19fc0eb2af2cbf308e4a0f89c6792b883f7a1ec9a0bca663df2eeebac90de1ca8f2d0a096efbc7bbb507dd2a3d195d64d5d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1004B

MD5
d13f59e48b092a381b7a08bdf75d6e20

SHA1
0104c470b6fd1cba0ba51fc116f2ca83f0e199bc

SHA256
ff8dd5a877b2ba3affa99bf6a2ff9109c270ab7589efef7bcae14381d1ed56ed

SHA512
1ee9698b23b3b67d79ed17e20af2725699017514eaa62e245e1c939fcedf9042c6ad4d932a87fca2f059350bef4eff471340a8d1058c3e269375cdba568100b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
c44dd9d65e55f148c70f0b9d4be316c9

SHA1
ab17ef210932e32a947b3729434568442e0b648e

SHA256
ccc9ab74ab839e0a274d5b710909088c6bdab95f37d1350b57a07584b54a530b

SHA512
70c54174e3938fa552b01b14f3760becae15d7f5faaa9e58796aff6f19b38f16ceca25027b5aa07afc64226efe85e88dc734d072bd2b42de3d9a1dd33081278e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
1b3ca9245fe62f6c265eff3d81c649b6

SHA1
821b3fe96f2f88670d6899e98b0d3bfa2e98df47

SHA256
4aef0b8a564c8d85a5cbf9e88c2254036d3b87e8a68af007ee0bd65c4db1b54b

SHA512
8f1602d9536af9c368c2a5a4b7cd283415b8e9df21ed23f7e85401f60cae93c54175891c19f081e6d3f16e423caa1a0e9cb0265c543c869fbcbb206c6718b995

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
4aba37d0dbb66c79f20dcfc49d663623

SHA1
c9c9a7c91fa8223fac79db7c6183bc1e813245bd

SHA256
d69ccf46ffaeb3395f24c4035e5b4f4b208a7b3dd37e0f22a72a499b19f0502f

SHA512
68a8526c213af1b9a02f2becaf6920b9b39784e972d1118acc82fc656f8cb61a255e92e1cc913d2464426c2e7e9738fe2255d63ea54cc6a84ae6d97be368808c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1373832757.exe

Filesize
108KB

MD5
1fcb78fb6cf9720e9d9494c42142d885

SHA1
fef9c2e728ab9d56ce9ed28934b3182b6f1d5379

SHA256
84652bb8c63ca4fd7eb7a2d6ef44029801f3057aa2961867245a3a765928dd02

SHA512
cdf58e463af1784aea86995b3e5d6b07701c5c4095e30ec80cc901ffd448c6f4f714c521bf8796ffa8c47538bf8bf5351e157596efaa7ab88155d63dc33f7dc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\1444010583.exe

Filesize
8KB

MD5
cb8420e681f68db1bad5ed24e7b22114

SHA1
416fc65d538d3622f5ca71c667a11df88a927c31

SHA256
5850892f67f85991b31fc90f62c8b7791afeb3c08ae1877d857aa2b59471a2ea

SHA512
baaabcc4ad5d409267a34ed7b20e4afb4d247974bfc581d39aae945e5bf8a673a1f8eacae2e6783480c8baaeb0a80d028274a202d456f13d0af956afa0110fdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\236031592.exe

Filesize
15KB

MD5
0c37ee292fec32dba0420e6c94224e28

SHA1
012cbdddaddab319a4b3ae2968b42950e929c46b

SHA256
981d724feebc36777e99513dc061d1f009e589f965c920797285c46d863060d1

SHA512
2b60b571c55d0441ba0cfc695f9db5cd12660ebec7effc7e893c3b7a1c6cb6149df487c31b8d748697e260cbc4af29331592b705ea9638f64a711c7a6164628b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0CDF84D7\a.bat

Filesize
27B

MD5
d08d00bf2860aef273c8c220ae2ea185

SHA1
8667ccdee9c9efc02f8189205115e8e2cdd9c9b8

SHA256
fad871e138c600ccbf5626eb652af4d1acc82681c1a834316c2eaac96db4f0cf

SHA512
df8bb38c9aaba659260864737a5ddaf8abef8419e6504a61b9443689a97db846a05900f79c372d20d424645d426d4dc998c2a302543b7d0568787f9db5f98078

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\02.08.2022.exe

Filesize
242KB

MD5
3e0762a3cb8bb78800749f6c5924831f

SHA1
adfc645e8a15110a1ee3c26cf6adc4d54d007aab

SHA256
eef56a170741e2f7542cf17efb5dc4245b652d6147c2e8dabf88aaa238c0c0f1

SHA512
89a5a443c582e1d6dd01c47629ad9d77636307871f482c911523b687bf60a040d53402dac119688bc03b05d4267c29ecfafa313eaf62cdb98498a98c7f307407

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\360_.exe

Filesize
200KB

MD5
5d026af9171c4bcec7b38ff42b1fb266

SHA1
e97563e92862f5284352147ba3de4fca45e11f81

SHA256
052cee21bf536d51bcaf66edc262a1c391dea5a941cda58b83bf1eea43037169

SHA512
c5fbb96bfb4e9de7ac71ce9595678e9e724a9728bb26085f2e411d29638ffb2e74e3106375a5251b96d01f2007752559a042b22ce4594bda8a0982c588c288ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\AA_v3.exe

Filesize
798KB

MD5
90aadf2247149996ae443e2c82af3730

SHA1
050b7eba825412b24e3f02d76d7da5ae97e10502

SHA256
ee573647477339784dcef81024de1be1762833a20e5cc2b89a93e47d05b86b6a

SHA512
eec32bb82b230dd309c29712e72d4469250e651449e127479d178eddbafd5a46ec8048a753bc2c1a0fdf1dc3ed72a9453ca66fb49cbf0f95a12704e5427182be

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Amogus.exe

Filesize
3.2MB

MD5
23c072bdc1c5fe6c2290df7cd3e9abf8

SHA1
e10c6f7843e89f787866aac99c0cb7a3b2c7a902

SHA256
8c7fd294ec6500a01038f916ecab9ec6a92c9f71f02400a47dc73b34fee7f490

SHA512
5e18db624ec40d90776a80d90fa80a8a39f7fcd56a523e2d831942934b00e501e7009cc37b17fa4b29a2c2e5c1895c65fdc3259421fb3ce6ea9da50048c50e0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Discord.exe

Filesize
3.4MB

MD5
498c660116bb0632661303fdab08987f

SHA1
f1cdffdf141f619a69988723596cbfc9f007a524

SHA256
6189620c5399e8b0f67d5355a22fb217969fde046f92aa7c0709b9cc84089b72

SHA512
d6f090fa05a80f3dc16e805c1490c3e3d1e5ab3896c0ec31aeb3f7f732438bb84a84c65b241975458c64a3d0f909fc5c41cb446b4c13015961785420c1b565ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\RedeemShore.exe

Filesize
7.3MB

MD5
bf53f19b542df72aacf589a049619bc7

SHA1
1fdd0458c805758732b118a3b98fcc12877f5f54

SHA256
c5c3401f71f4361ed454bbd96ea7cdd8a9132a655815e35e207dfff0ea690469

SHA512
31c8be3877f44e87005ad9fdb55de190e88954d1647fcdd1563fe6d17bc88ed5333537bf510365d8e69aff865d7c81535708207cf0b8e331adbfd72f49662739

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\SharpHound.exe

Filesize
1022KB

MD5
aaf1146ec9c633c4c3fbe8091f1596d8

SHA1
a5059f5a353d7fa5014c0584c7ec18b808c2a02c

SHA256
cc19c785702eea660a1dd7cbf9e4fef80b41384e8bd6ce26b7229e0251f24272

SHA512
164261748e32598a387da62b5966e9fa4463e8e6073226e0d57dd9026501cd821e62649062253d8d29e4b9195c495ecaeab4b9f88bd3f34d3c79ed9623658b7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\aa.exe

Filesize
3.1MB

MD5
c35b138798d06ef2009300eff2932703

SHA1
37db536bd71308ae8a50007b7b45d892c18db15e

SHA256
f1369f6d5a14faf0f921e01db5024a65f919434b9b7efef1e3c765c9bb209861

SHA512
f4145bfa51dedd5f0c91b383e3ebdbf4e11e7977413d6c95cbb8a718ebb4d68d82d1a3122890dac291784ec61c275df0764bcf53bfb3d35ba5e7023dcdcc5f8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\hna.exe

Filesize
304KB

MD5
efeaaeb1be566969f1ee9333cf828c9d

SHA1
c6ce1744d201715216ef0e9cb8c2c699555ad5fc

SHA256
6bce463db5e9683428f40370efc41ae6e04f0ec36e439cfd04b86372da3e2e14

SHA512
bd2d57d9394c6df63ac11129625fdfd9c836933ca10a017b9e4144b998aab98e6abc8ac74b6bdacf971eb08687e800f7b04a3d4c893c93040da519d460d95d43

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\m.exe

Filesize
96KB

MD5
930c41bc0c20865af61a95bcf0c3b289

SHA1
cecf37c3b6c76d9a79dd2a97cfc518621a6ac924

SHA256
1f2e9724dfb091059ae16c305601e21d64b5308df76ddef6b394573e576ef1ff

SHA512
fa1f33c71da608b3980038981220fcebee0b0cc44331e52f5198dd2761c97631ee8286756c2cc16245a1370c83bb53cc8ea8ef64e0fcdd30af51f023973986b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\nc.exe

Filesize
69KB

MD5
1b7ee505711d9f7f8cd58b36c8bfc84d

SHA1
6444b592d935bb1ebd7a429b9dc12e19a54c961b

SHA256
26b4ab7deb136a911001098973f32866765c9616162a748e3fbe8aa820b542ec

SHA512
949efc89b83b17045564101f23d1ebefad49201d380831e060bf685a7c3313b4a265ebbb87d7fb2dd9d936b2f2d684ac12b30bdd590270f89d500c0e87ccbeb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\newfile.exe

Filesize
392KB

MD5
a896758e32aa41a6b5f04ed92fe87a6c

SHA1
e44b9c7bfd9bab712984c887913a01fbddf86933

SHA256
7664288e924fecf085d750dbd40c405bd0dbc9d1ed662c5ecf79c636976e867c

SHA512
e6ca9818c394fd3cbbb4f21141c40d5cab3c16a82c96435ea1133eabbb44cc954d022dc6cbd13200d08d5ce8d905c3b933b3edf52eeacca858dfd3d6a3866021

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\newtpp.exe

Filesize
83KB

MD5
06560b5e92d704395bc6dae58bc7e794

SHA1
fbd3e4ae28620197d1f02bfc24adaf4ddacd2372

SHA256
9eaaadf3857e4a3e83f4f78d96ab185213b6528c8e470807f9d16035daadf33d

SHA512
b55b49fc1bd526c47d88fcf8a20fcaed900bfb291f2e3e1186ec196a87127ed24df71385ae04fedcc802c362c4ebf38edfc182013febf4496ddeb66ce5195ee3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\nxmr.exe

Filesize
5.6MB

MD5
13b26b2c7048a92d6a843c1302618fad

SHA1
89c2dfc01ac12ef2704c7669844ec69f1700c1ca

SHA256
1753ad35ece25ab9a19048c70062e9170f495e313d7355ebbba59c38f5d90256

SHA512
d6aff89b61c9945002a6798617ad304612460a607ef1cfbdcb32f8932ca648bcee1d5f2e0321bb4c58c1f4642b1e0ececc1eb82450fdec7dff69b5389f195455

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\peinf.exe

Filesize
20KB

MD5
c2159769dc80fa8b846eca574022b938

SHA1
222a44b40124650e57a2002cd640f98ea8cb129d

SHA256
d9cb527841e98bb1a50de5cf1c5433a05f14572a3af3be4c10d3a4708d2419e0

SHA512
7a8b4f0b5c020277b4446e4ff2223de413bd6be4c7dad3179f988cb5d3849435a85acfbda7d41d3ef15d22554cd722a8b657d978426b79dc1495a81ab270e870

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\server.exe

Filesize
2.6MB

MD5
bf9acb6e48b25a64d9061b86260ca0b6

SHA1
933ee238ef2b9cd33fab812964b63da02283ae40

SHA256
02a8c111fd1bb77b7483dc58225b2a2836b58cdaf9fc903f2f2c88a57066cbc0

SHA512
ac17e6d73922121c1f7c037d1fc30e1367072fdf7d95af344e713274825a03fc90107e024e06fccda21675ee82a2bccad0ae117e55e2b9294d1a0c5056a2031d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\ss.exe

Filesize
72KB

MD5
61584ce40b3b4c6f5b9ac4fb4f8f0ec9

SHA1
e1ae0b513f73c77309a8b29d91c5a3b6f9d5173c

SHA256
ea0a6a37969c93adf76a55f9833d9d1ab2a0017705cc22fd66bd6c6277c84070

SHA512
2c203be3ace0acdccf5c203bb79050388f991b60f6ec4df96fedd3a603eac6ffec26f237c47655a4c90e4b3efa2c4092a747e3890e2ea0df3c28a6e59b779b86

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\staged.exe

Filesize
72KB

MD5
449c0175718415174c3961728c7b48ba

SHA1
573e1558ba736edefc6a41dda6505f07b9eddfd8

SHA256
53c9a6fc60f1b68e23f9a4060452d035af7e2eb73fec2f42b6012fc98417115a

SHA512
423841097e9711322c647735f69a40105ca1a9a5d4245b92d1334909f6fde9d4ef2df195296b929c052022ba677c6705cdea6779f43f3cd767261b5bf9065efe

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\t1.exe

Filesize
84KB

MD5
a775d164cf76e9a9ff6afd7eb1e3ab2e

SHA1
0b390cd5a44a64296b592360b6b74ac66fb26026

SHA256
794ba0b949b2144057a1b68752d8fa324f1a211afc2231328be82d17f9308979

SHA512
80b2d105d2fac2e56b7ea9e1b56057e94ffe594c314ea96668d387ab120b24be580c58d68d37aca07273d3ce80f0d74f072102469f35cb02e2295817e1f16808

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\vpn.exe

Filesize
72KB

MD5
838be6b50f90ec703b0fa5107f417576

SHA1
ce4cb87dc8a87f2553219ef47d8cc3a04430871b

SHA256
ead55926421a3dd85015f4b2a5fd533a06322cc7cbfc907a3653f2f073849b58

SHA512
ebb26bd7ffc4b2e3ba905fc2974d5b7ced171085860793095af7ae1e8d04837a0678dfc34d564c03eed305317cabd9374612b9daccfa7cec685d992221ddcd38

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\whats-new.exe

Filesize
108KB

MD5
a774da459014620248490f5bcddb2cea

SHA1
451b5c9ccd458908f8132dc8f9f754d2c54016b0

SHA256
7748028d079b05131fa680290366c8a094d756ee1ae3fb7b9f68883b6cdea7b7

SHA512
8939387e38bc8222d705315987736f98d6b78330c75b9804aded78d3e1702ad674bd874163d830326523d4523d787b56e0221ab0855471a7a4d24fbe97232641

Download Submit
C:\Users\Admin\AppData\Local\Temp\GS93EE.tmp

Filesize
44KB

MD5
7d46ea623eba5073b7e3a2834fe58cc9

SHA1
29ad585cdf812c92a7f07ab2e124a0d2721fe727

SHA256
4ebf13835a117a2551d80352ca532f6596e6f2729e41b3de7015db558429dea5

SHA512
a1e5724d035debf31b1b1be45e3dc8432428b7893d2bfc8611571abbf3bcd9f08cb36f585671a8a2baa6bcf7f4b4fe39ba60417631897b4e4154561b396947ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_e44xlo3y.0zw.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\gs941E.tmp

Filesize
24KB

MD5
e667dc95fc4777dfe2922456ccab51e8

SHA1
63677076ce04a2c46125b2b851a6754aa71de833

SHA256
2f15f2ccdc2f8e6e2f5a2969e97755590f0bea72f03d60a59af8f9dd0284d15f

SHA512
c559c48058db84b1fb0216a0b176d1ef774e47558f32e0219ef12f48e787dde1367074c235d855b20e5934553ba023dc3b18764b2a7bef11d72891d2ed9cadef

Download Submit
memory/900-590-0x0000000000380000-0x00000000006EA000-memory.dmp

Filesize
3.4MB

Download
memory/1176-13-0x000000007468E000-0x000000007468F000-memory.dmp

Filesize
4KB

Download
memory/1176-14-0x0000000074680000-0x0000000074E30000-memory.dmp

Filesize
7.7MB

Download
memory/1176-3-0x0000000074680000-0x0000000074E30000-memory.dmp

Filesize
7.7MB

Download
memory/1176-2-0x0000000005660000-0x00000000056FC000-memory.dmp

Filesize
624KB

Download
memory/1176-0-0x000000007468E000-0x000000007468F000-memory.dmp

Filesize
4KB

Download
memory/1176-1-0x0000000000CA0000-0x0000000000CA8000-memory.dmp

Filesize
32KB

Download
memory/1600-796-0x00007FF7D9AE0000-0x00007FF7DA077000-memory.dmp

Filesize
5.6MB

Download
memory/1600-761-0x00007FF7D9AE0000-0x00007FF7DA077000-memory.dmp

Filesize
5.6MB

Download
memory/1940-171-0x000000006E920000-0x000000006E96C000-memory.dmp

Filesize
304KB

Download
memory/2520-428-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2520-515-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2520-430-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2572-196-0x000000006E920000-0x000000006E96C000-memory.dmp

Filesize
304KB

Download
memory/2824-27-0x0000000000180000-0x00000000004A4000-memory.dmp

Filesize
3.1MB

Download
memory/2824-26-0x00007FFDEDD43000-0x00007FFDEDD45000-memory.dmp

Filesize
8KB

Download
memory/2824-50-0x00007FFDEDD40000-0x00007FFDEE801000-memory.dmp

Filesize
10.8MB

Download
memory/2824-49-0x00007FFDEDD43000-0x00007FFDEDD45000-memory.dmp

Filesize
8KB

Download
memory/2824-42-0x00007FFDEDD40000-0x00007FFDEE801000-memory.dmp

Filesize
10.8MB

Download
memory/2824-47-0x000000001BBA0000-0x000000001BBF0000-memory.dmp

Filesize
320KB

Download
memory/2824-48-0x000000001BCB0000-0x000000001BD62000-memory.dmp

Filesize
712KB

Download
memory/3184-442-0x00007FF7D8B10000-0x00007FF7D8E13000-memory.dmp

Filesize
3.0MB

Download
memory/3184-502-0x00007FF7D8B10000-0x00007FF7D8E13000-memory.dmp

Filesize
3.0MB

Download
memory/3184-420-0x00007FF7D8B10000-0x00007FF7D8E13000-memory.dmp

Filesize
3.0MB

Download
memory/3184-623-0x00007FF7D8B10000-0x00007FF7D8E13000-memory.dmp

Filesize
3.0MB

Download
memory/3184-628-0x00007FF7D8B10000-0x00007FF7D8E13000-memory.dmp

Filesize
3.0MB

Download
memory/3184-650-0x00007FF7D8B10000-0x00007FF7D8E13000-memory.dmp

Filesize
3.0MB

Download
memory/3184-398-0x00007FF7D8B10000-0x00007FF7D8E13000-memory.dmp

Filesize
3.0MB

Download
memory/3520-39-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3520-46-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4732-141-0x0000000006300000-0x000000000634C000-memory.dmp

Filesize
304KB

Download
memory/4732-154-0x00000000074F0000-0x0000000007593000-memory.dmp

Filesize
652KB

Download
memory/4732-120-0x0000000002C70000-0x0000000002CA6000-memory.dmp

Filesize
216KB

Download
memory/4732-121-0x00000000054B0000-0x0000000005AD8000-memory.dmp

Filesize
6.2MB

Download
memory/4732-156-0x0000000007630000-0x000000000764A000-memory.dmp

Filesize
104KB

Download
memory/4732-123-0x0000000005330000-0x0000000005396000-memory.dmp

Filesize
408KB

Download
memory/4732-124-0x00000000053B0000-0x0000000005416000-memory.dmp

Filesize
408KB

Download
memory/4732-122-0x0000000005290000-0x00000000052B2000-memory.dmp

Filesize
136KB

Download
memory/4732-139-0x0000000005C20000-0x0000000005F74000-memory.dmp

Filesize
3.3MB

Download
memory/4732-140-0x00000000062E0000-0x00000000062FE000-memory.dmp

Filesize
120KB

Download
memory/4732-142-0x00000000068B0000-0x00000000068E2000-memory.dmp

Filesize
200KB

Download
memory/4732-167-0x0000000007890000-0x0000000007926000-memory.dmp

Filesize
600KB

Download
memory/4732-168-0x0000000007820000-0x0000000007831000-memory.dmp

Filesize
68KB

Download
memory/4732-169-0x0000000007850000-0x000000000785E000-memory.dmp

Filesize
56KB

Download
memory/4732-155-0x0000000007CB0000-0x000000000832A000-memory.dmp

Filesize
6.5MB

Download
memory/4732-170-0x0000000007860000-0x0000000007874000-memory.dmp

Filesize
80KB

Download
memory/4732-143-0x000000006E920000-0x000000006E96C000-memory.dmp

Filesize
304KB

Download
memory/4732-153-0x00000000068F0000-0x000000000690E000-memory.dmp

Filesize
120KB

Download
memory/4732-182-0x0000000007930000-0x0000000007938000-memory.dmp

Filesize
32KB

Download
memory/4732-166-0x0000000007680000-0x000000000768A000-memory.dmp

Filesize
40KB

Download
memory/4732-181-0x0000000007950000-0x000000000796A000-memory.dmp

Filesize
104KB

Download
memory/4840-223-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/4840-224-0x0000000000580000-0x000000000059C000-memory.dmp

Filesize
112KB

Download
memory/4840-248-0x0000000000580000-0x000000000059C000-memory.dmp

Filesize
112KB

Download
memory/4840-254-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/4996-294-0x0000000064200000-0x00000000642EE000-memory.dmp

Filesize
952KB

Download
memory/4996-741-0x0000000064200000-0x00000000642EE000-memory.dmp

Filesize
952KB

Download
memory/5124-531-0x0000014B64E80000-0x0000014B64EB2000-memory.dmp

Filesize
200KB

Download
memory/5124-528-0x0000014B4C530000-0x0000014B4C56C000-memory.dmp

Filesize
240KB

Download
memory/5124-530-0x0000014B64E10000-0x0000014B64E40000-memory.dmp

Filesize
192KB

Download
memory/5124-527-0x0000014B4A8C0000-0x0000014B4A9C4000-memory.dmp

Filesize
1.0MB

Download
memory/5124-532-0x0000014B64EC0000-0x0000014B64F70000-memory.dmp

Filesize
704KB

Download
memory/5124-529-0x0000014B4AD70000-0x0000014B4AD80000-memory.dmp

Filesize
64KB

Download
memory/5184-730-0x00007FF6D09B0000-0x00007FF6D119F000-memory.dmp

Filesize
7.9MB

Download
memory/5184-576-0x000001A540350000-0x000001A540370000-memory.dmp

Filesize
128KB

Download
memory/5184-646-0x00007FF6D09B0000-0x00007FF6D119F000-memory.dmp

Filesize
7.9MB

Download
memory/5184-622-0x00007FF6D09B0000-0x00007FF6D119F000-memory.dmp

Filesize
7.9MB

Download
memory/5204-542-0x0000000000BA0000-0x0000000000C08000-memory.dmp

Filesize
416KB

Download
memory/5212-665-0x00007FF792620000-0x00007FF792BB7000-memory.dmp

Filesize
5.6MB

Download
memory/5268-472-0x00000000078E0000-0x0000000007983000-memory.dmp

Filesize
652KB

Download
memory/5268-462-0x000000006E9A0000-0x000000006E9EC000-memory.dmp

Filesize
304KB

Download
memory/5312-354-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/5312-356-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/5312-352-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/5340-385-0x0000000007BE0000-0x0000000007BF4000-memory.dmp

Filesize
80KB

Download
memory/5340-370-0x00000000066B0000-0x00000000066FC000-memory.dmp

Filesize
304KB

Download
memory/5340-371-0x000000006E9A0000-0x000000006E9EC000-memory.dmp

Filesize
304KB

Download
memory/5340-384-0x0000000007B90000-0x0000000007BA1000-memory.dmp

Filesize
68KB

Download
memory/5340-381-0x0000000007900000-0x00000000079A3000-memory.dmp

Filesize
652KB

Download
memory/5340-367-0x0000000005FC0000-0x0000000006314000-memory.dmp

Filesize
3.3MB

Download
memory/5476-575-0x00007FF6BB660000-0x00007FF6BBBF7000-memory.dmp

Filesize
5.6MB

Download
memory/5764-501-0x00007FF7121B0000-0x00007FF712747000-memory.dmp

Filesize
5.6MB

Download
memory/5888-740-0x0000000000F60000-0x00000000012A0000-memory.dmp

Filesize
3.2MB

Download
memory/5904-645-0x00007FF7C8000000-0x00007FF7C8029000-memory.dmp

Filesize
164KB

Download
memory/5904-621-0x00007FF7C8000000-0x00007FF7C8029000-memory.dmp

Filesize
164KB

Download
memory/5992-419-0x0000000000E70000-0x0000000000E76000-memory.dmp

Filesize
24KB

Download
memory/6084-701-0x0000000005910000-0x00000000059A2000-memory.dmp

Filesize
584KB

Download
memory/6084-702-0x00000000058F0000-0x00000000058FA000-memory.dmp

Filesize
40KB

Download
memory/6084-700-0x0000000005E20000-0x00000000063C4000-memory.dmp

Filesize
5.6MB

Download
memory/6084-699-0x0000000000FB0000-0x0000000001002000-memory.dmp

Filesize
328KB

Download
memory/6112-490-0x000001DF4A0F0000-0x000001DF4A112000-memory.dmp

Filesize
136KB

Download