redline | 8f2e44c29365ee8ded05c7de45e97d2d750cb430bf5ea2ea27ad48c2fa9cf884

Analysis

max time kernel
18s
max time network
165s
platform
windows10_x64
resource
win10v20210410
submitted
03-07-2021 09:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

C24D05331D2CF344AF12C1C169270846.exe
Size

940KB
MD5

c24d05331d2cf344af12c1c169270846
SHA1

eeab48b61aabf4a403a5feb47b9b88c31d63b525
SHA256

8f2e44c29365ee8ded05c7de45e97d2d750cb430bf5ea2ea27ad48c2fa9cf884
SHA512

379a145b157501d7aa09f599390f7e14e1f81b7f0f017eebe6084ee534c171760de63a0888d608ec05455304f0cc70a9fdb7dc53421a496f4968e8d6198a4afa

Score

10^/10

redline vidar 916 discovery evasion infostealer persistence stealer upx vmprotect

Malware Config

Extracted

Family

vidar

Version

39.4

Botnet

916

https://sergeevih43.tumblr.com

Attributes

profile_id
916

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4120-223-0x0000000004F20000-0x0000000004F71000-memory.dmp	family_redline

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
evasion

Software Discovery
T1518

Vidar Stealer 2 IoCs

stealer

Processes:

resource	yara_rule
behavioral2/memory/5096-159-0x00000000009E0000-0x0000000000A7D000-memory.dmp	family_vidar
behavioral2/memory/5096-160-0x0000000000400000-0x0000000000633000-memory.dmp	family_vidar

Downloads MZ/PE file
Drops file in Drivers directory 1 IoCs

Processes:

758____Dawn.exe

description ioc process

File opened for modification C:\Windows\system32\drivers\etc\hosts 758____Dawn.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	758____Dawn.exe

Executes dropped EXE 16 IoCs

Processes:

C24D05331D2CF344AF12C1C169270846.tmp758____Dawn.exeprolab.exeprolab.tmpKywimaeshaetu.exeNanaenetaepe.exeNewouttab02.exeEU.exeebook.exeJoSetp.exeEra.exe.commd6_6ydj.exe4897368.exe8186519.exeEra.exe.com6764820.exe

pid	process
1412	C24D05331D2CF344AF12C1C169270846.tmp
2184	758____Dawn.exe
3476	prolab.exe
3496	prolab.tmp
4028	Kywimaeshaetu.exe
1808	Nanaenetaepe.exe
5096	Newouttab02.exe
4464	EU.exe
5072	ebook.exe
4452	JoSetp.exe
4104	Era.exe.com
4428	md6_6ydj.exe
4444	4897368.exe
4868	8186519.exe
4672	Era.exe.com
4120	6764820.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\o4ohfypk.upa\md6_6ydj.exe	vmprotect
C:\Users\Admin\AppData\Local\Temp\o4ohfypk.upa\md6_6ydj.exe	vmprotect
behavioral2/memory/4428-201-0x0000000000400000-0x0000000000648000-memory.dmp	vmprotect

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Kywimaeshaetu.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation	Kywimaeshaetu.exe

Loads dropped DLL 3 IoCs

Processes:

C24D05331D2CF344AF12C1C169270846.tmprundll32.exe

pid process

1412 C24D05331D2CF344AF12C1C169270846.tmp
4124 rundll32.exe
4124 rundll32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

758____Dawn.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Mozilla Maintenance Service\\Laloraebeli.exe\""	758____Dawn.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 8 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

325 ipinfo.io
105 ip-api.com
116 ipinfo.io
119 ipinfo.io
199 ip-api.com
310 ipinfo.io
313 ipinfo.io
314 ipinfo.io

flow	ioc
325	ipinfo.io
105	ip-api.com
116	ipinfo.io
119	ipinfo.io
199	ip-api.com
310	ipinfo.io
313	ipinfo.io
314	ipinfo.io

Drops file in Program Files directory 24 IoCs

Processes:

prolab.tmp758____Dawn.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Picture Lab\SourceLibrary.dll	prolab.tmp
File opened for modification	C:\Program Files (x86)\Picture Lab\DockingToolbar.dll	prolab.tmp
File opened for modification	C:\Program Files (x86)\Picture Lab\WeifenLuo.WinFormsUI.dll	prolab.tmp
File created	C:\Program Files (x86)\Picture Lab\is-BS6P1.tmp	prolab.tmp
File created	C:\Program Files (x86)\Picture Lab\is-L4J3S.tmp	prolab.tmp
File created	C:\Program Files (x86)\Picture Lab\is-QGI8S.tmp	prolab.tmp
File created	C:\Program Files (x86)\Picture Lab\is-P89F8.tmp	prolab.tmp
File created	C:\Program Files\Windows Media Player\GYOMJHMKMF\prolab.exe	758____Dawn.exe
File created	C:\Program Files\Windows Media Player\GYOMJHMKMF\prolab.exe.config	758____Dawn.exe
File opened for modification	C:\Program Files (x86)\Picture Lab\AForge.Math.dll	prolab.tmp
File created	C:\Program Files (x86)\Mozilla Maintenance Service\Laloraebeli.exe	758____Dawn.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\Laloraebeli.exe.config	758____Dawn.exe
File created	C:\Program Files (x86)\Picture Lab\unins000.dat	prolab.tmp
File created	C:\Program Files (x86)\Picture Lab\is-7NQ3E.tmp	prolab.tmp
File created	C:\Program Files (x86)\Picture Lab\is-76JQN.tmp	prolab.tmp
File opened for modification	C:\Program Files (x86)\Picture Lab\unins000.dat	prolab.tmp
File created	C:\Program Files (x86)\Picture Lab\is-5VJVJ.tmp	prolab.tmp
File created	C:\Program Files (x86)\Picture Lab\is-JGS83.tmp	prolab.tmp
File opened for modification	C:\Program Files (x86)\Picture Lab\AForge.Imaging.dll	prolab.tmp
File opened for modification	C:\Program Files (x86)\Picture Lab\Pictures Lab.exe	prolab.tmp
File opened for modification	C:\Program Files (x86)\Picture Lab\AForge.dll	prolab.tmp
File opened for modification	C:\Program Files (x86)\Picture Lab\SourceGrid2.dll	prolab.tmp
File created	C:\Program Files (x86)\Picture Lab\is-LAGRT.tmp	prolab.tmp
File created	C:\Program Files (x86)\Picture Lab\is-CU4DJ.tmp	prolab.tmp

Drops file in Windows directory 1 IoCs

Processes:

MicrosoftEdge.exe

description ioc process

File opened for modification C:\Windows\Debug\ESE.TXT MicrosoftEdge.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe

Program crash 5 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
8860	7044	WerFault.exe	rUNdlL32.eXe
8324	5416	WerFault.exe	LibraVPN.exe
7188	6596	WerFault.exe	app.exe
4568	5392	WerFault.exe	app.exe
580	6028	WerFault.exe	app.exe

Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

7260 timeout.exe
5380 timeout.exe
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exe

pid process

6024 ipconfig.exe
Kills process with taskkill 4 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

9112 taskkill.exe
5952 taskkill.exe
5100 taskkill.exe
4284 taskkill.exe

pid	process
7260	timeout.exe
5380	timeout.exe

pid	process
6024	ipconfig.exe

pid	process
9112	taskkill.exe
5952	taskkill.exe
5100	taskkill.exe
4284	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

Processes:

MicrosoftEdge.exebrowser_broker.exeMicrosoftEdgeCP.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe

Modifies registry class 64 IoCs

Processes:

MicrosoftEdgeCP.exeMicrosoftEdge.exeMicrosoftEdgeCP.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\ChromeMigration	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ReadingMode\FontSize = "3"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Toolbar\WebBrowser	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionHigh = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionLow = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\FlipAheadCompletedVersion = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Extensible Cache	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify. = 010000003926730419509ffb630ed74e521feb5ec908adb55df8dcefae259ccbb2a96188a0f93755e275b0cb31bd04de22d291b5c049ae40e7496209b28f93450d64	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\EnablementState = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CacheLimit = "1"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\TypedUrlsComplete = "1"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI\IsSignedIn = "0"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url5 = "https://twitter.com/"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionLow = "0"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{A8A88C49-5EB2-4990-A1A2-0876022 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DXFeatureLevel = "0"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\AdapterInfo = "vendorId=\"0x1414\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.15063.0\"hypervisor=\"No Hypervisor (No SLAT)\""	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\Favorites\Order = 0c0000000a000000000000000c0000000100000000000000	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory\ExtensionIn = "5"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory\ExtensionIn = "{3D16CC04-A6FE-4BC1-82E3-0D90B0AA7C62}"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 4e00283bea6fd701	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\ChromeMigration\AllComplete = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify. = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DXFeatureLevel = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active\{F768CDCE-33B2-44A3-BE8D-C2DC8E6B264C} = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url2 = "https://login.aliexpress.com/"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\LowRegistry\DOMStorage	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer\Main\OperationalData = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus\ACGPolicyState = "6"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\Favorites	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\ManagerHistoryComplete = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListDOSTime = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus\DynamicCodePolicy = 00000000	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory\UUID = "{4B431C22-8E0F-486A-8893-ACB3ACBF2D3D}"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{AEBA21FA-782A-4A90-978D-B72164C = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionLow = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Revision = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify. = 01000000bbfe5dac934ee7ee357b05909ca1ec35eb29221ef79cb036e01fa81c240349b26215805798aa7d3fed86cca2851d1b0078d522840a3bc4463a64076589d538a37fbdcf78a0530ffbd3ab151c1903170807093c89695d964e82f5	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VendorId = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ReadingMode\SettingsVersion = "2"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\IntelliForms	MicrosoftEdge.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

Nanaenetaepe.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	Nanaenetaepe.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Nanaenetaepe.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

5052 PING.EXE

pid	process
5052	PING.EXE

Script User-Agent 8 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	323	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	331	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	117	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	121	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	311	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	312	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	319	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	322	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

prolab.tmpNanaenetaepe.exe

pid	process
3496	prolab.tmp
3496	prolab.tmp
1808	Nanaenetaepe.exe
1808	Nanaenetaepe.exe
1808	Nanaenetaepe.exe
1808	Nanaenetaepe.exe
1808	Nanaenetaepe.exe
1808	Nanaenetaepe.exe
1808	Nanaenetaepe.exe
1808	Nanaenetaepe.exe
1808	Nanaenetaepe.exe
1808	Nanaenetaepe.exe
1808	Nanaenetaepe.exe
1808	Nanaenetaepe.exe
1808	Nanaenetaepe.exe
1808	Nanaenetaepe.exe
1808	Nanaenetaepe.exe
1808	Nanaenetaepe.exe
1808	Nanaenetaepe.exe
1808	Nanaenetaepe.exe
1808	Nanaenetaepe.exe
1808	Nanaenetaepe.exe
1808	Nanaenetaepe.exe
1808	Nanaenetaepe.exe
1808	Nanaenetaepe.exe
1808	Nanaenetaepe.exe
1808	Nanaenetaepe.exe
1808	Nanaenetaepe.exe
1808	Nanaenetaepe.exe
1808	Nanaenetaepe.exe
1808	Nanaenetaepe.exe
1808	Nanaenetaepe.exe
1808	Nanaenetaepe.exe
1808	Nanaenetaepe.exe
1808	Nanaenetaepe.exe
1808	Nanaenetaepe.exe
1808	Nanaenetaepe.exe
1808	Nanaenetaepe.exe
1808	Nanaenetaepe.exe
1808	Nanaenetaepe.exe
1808	Nanaenetaepe.exe
1808	Nanaenetaepe.exe
1808	Nanaenetaepe.exe
1808	Nanaenetaepe.exe
1808	Nanaenetaepe.exe
1808	Nanaenetaepe.exe
1808	Nanaenetaepe.exe
1808	Nanaenetaepe.exe
1808	Nanaenetaepe.exe
1808	Nanaenetaepe.exe
1808	Nanaenetaepe.exe
1808	Nanaenetaepe.exe
1808	Nanaenetaepe.exe
1808	Nanaenetaepe.exe
1808	Nanaenetaepe.exe
1808	Nanaenetaepe.exe
1808	Nanaenetaepe.exe
1808	Nanaenetaepe.exe
1808	Nanaenetaepe.exe
1808	Nanaenetaepe.exe
1808	Nanaenetaepe.exe
1808	Nanaenetaepe.exe
1808	Nanaenetaepe.exe
1808	Nanaenetaepe.exe

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

MicrosoftEdgeCP.exe

pid process

4512 MicrosoftEdgeCP.exe
4512 MicrosoftEdgeCP.exe

pid	process
4512	MicrosoftEdgeCP.exe
4512	MicrosoftEdgeCP.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

758____Dawn.exeNanaenetaepe.exeKywimaeshaetu.exeMicrosoftEdge.exeMicrosoftEdgeCP.exeJoSetp.exe

description	pid	process
Token: SeDebugPrivilege	2184	758____Dawn.exe
Token: SeDebugPrivilege	1808	Nanaenetaepe.exe
Token: SeDebugPrivilege	4028	Kywimaeshaetu.exe
Token: SeDebugPrivilege	3900	MicrosoftEdge.exe
Token: SeDebugPrivilege	3900	MicrosoftEdge.exe
Token: SeDebugPrivilege	3900	MicrosoftEdge.exe
Token: SeDebugPrivilege	3900	MicrosoftEdge.exe
Token: SeDebugPrivilege	5020	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	5020	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	5020	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	5020	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4452	JoSetp.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

prolab.tmp

pid process

3496 prolab.tmp
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exe

pid process

3900 MicrosoftEdge.exe
4512 MicrosoftEdgeCP.exe
4512 MicrosoftEdgeCP.exe

pid	process
3900	MicrosoftEdge.exe
4512	MicrosoftEdgeCP.exe
4512	MicrosoftEdgeCP.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

C24D05331D2CF344AF12C1C169270846.exeC24D05331D2CF344AF12C1C169270846.tmp758____Dawn.exeprolab.exeNanaenetaepe.execmd.execmd.exeEU.execmd.execmd.execmd.execmd.exeebook.execmd.exeMicrosoftEdgeCP.exe

description	pid	process	target process
PID 3944 wrote to memory of 1412	3944	C24D05331D2CF344AF12C1C169270846.exe	C24D05331D2CF344AF12C1C169270846.tmp
PID 3944 wrote to memory of 1412	3944	C24D05331D2CF344AF12C1C169270846.exe	C24D05331D2CF344AF12C1C169270846.tmp
PID 3944 wrote to memory of 1412	3944	C24D05331D2CF344AF12C1C169270846.exe	C24D05331D2CF344AF12C1C169270846.tmp
PID 1412 wrote to memory of 2184	1412	C24D05331D2CF344AF12C1C169270846.tmp	758____Dawn.exe
PID 1412 wrote to memory of 2184	1412	C24D05331D2CF344AF12C1C169270846.tmp	758____Dawn.exe
PID 2184 wrote to memory of 3476	2184	758____Dawn.exe	prolab.exe
PID 2184 wrote to memory of 3476	2184	758____Dawn.exe	prolab.exe
PID 2184 wrote to memory of 3476	2184	758____Dawn.exe	prolab.exe
PID 3476 wrote to memory of 3496	3476	prolab.exe	prolab.tmp
PID 3476 wrote to memory of 3496	3476	prolab.exe	prolab.tmp
PID 3476 wrote to memory of 3496	3476	prolab.exe	prolab.tmp
PID 2184 wrote to memory of 4028	2184	758____Dawn.exe	Kywimaeshaetu.exe
PID 2184 wrote to memory of 4028	2184	758____Dawn.exe	Kywimaeshaetu.exe
PID 2184 wrote to memory of 1808	2184	758____Dawn.exe	Nanaenetaepe.exe
PID 2184 wrote to memory of 1808	2184	758____Dawn.exe	Nanaenetaepe.exe
PID 1808 wrote to memory of 4964	1808	Nanaenetaepe.exe	cmd.exe
PID 1808 wrote to memory of 4964	1808	Nanaenetaepe.exe	cmd.exe
PID 4964 wrote to memory of 5096	4964	cmd.exe	Newouttab02.exe
PID 4964 wrote to memory of 5096	4964	cmd.exe	Newouttab02.exe
PID 4964 wrote to memory of 5096	4964	cmd.exe	Newouttab02.exe
PID 1808 wrote to memory of 4272	1808	Nanaenetaepe.exe	cmd.exe
PID 1808 wrote to memory of 4272	1808	Nanaenetaepe.exe	cmd.exe
PID 4272 wrote to memory of 4464	4272	cmd.exe	EU.exe
PID 4272 wrote to memory of 4464	4272	cmd.exe	EU.exe
PID 4272 wrote to memory of 4464	4272	cmd.exe	EU.exe
PID 1808 wrote to memory of 4580	1808	Nanaenetaepe.exe	cmd.exe
PID 1808 wrote to memory of 4580	1808	Nanaenetaepe.exe	cmd.exe
PID 1808 wrote to memory of 4648	1808	Nanaenetaepe.exe	cmd.exe
PID 1808 wrote to memory of 4648	1808	Nanaenetaepe.exe	cmd.exe
PID 1808 wrote to memory of 4756	1808	Nanaenetaepe.exe	cmd.exe
PID 1808 wrote to memory of 4756	1808	Nanaenetaepe.exe	cmd.exe
PID 4464 wrote to memory of 4788	4464	EU.exe	cmd.exe
PID 4464 wrote to memory of 4788	4464	EU.exe	cmd.exe
PID 4464 wrote to memory of 4788	4464	EU.exe	cmd.exe
PID 4788 wrote to memory of 4980	4788	cmd.exe	cmd.exe
PID 4788 wrote to memory of 4980	4788	cmd.exe	cmd.exe
PID 4788 wrote to memory of 4980	4788	cmd.exe	cmd.exe
PID 4980 wrote to memory of 4564	4980	cmd.exe	findstr.exe
PID 4980 wrote to memory of 4564	4980	cmd.exe	findstr.exe
PID 4980 wrote to memory of 4564	4980	cmd.exe	findstr.exe
PID 1808 wrote to memory of 5028	1808	Nanaenetaepe.exe	cmd.exe
PID 1808 wrote to memory of 5028	1808	Nanaenetaepe.exe	cmd.exe
PID 4756 wrote to memory of 5072	4756	cmd.exe	ebook.exe
PID 4756 wrote to memory of 5072	4756	cmd.exe	ebook.exe
PID 4756 wrote to memory of 5072	4756	cmd.exe	ebook.exe
PID 5028 wrote to memory of 4452	5028	cmd.exe	JoSetp.exe
PID 5028 wrote to memory of 4452	5028	cmd.exe	JoSetp.exe
PID 4980 wrote to memory of 4104	4980	cmd.exe	Era.exe.com
PID 4980 wrote to memory of 4104	4980	cmd.exe	Era.exe.com
PID 4980 wrote to memory of 4104	4980	cmd.exe	Era.exe.com
PID 5072 wrote to memory of 4124	5072	ebook.exe	rundll32.exe
PID 5072 wrote to memory of 4124	5072	ebook.exe	rundll32.exe
PID 5072 wrote to memory of 4124	5072	ebook.exe	rundll32.exe
PID 1808 wrote to memory of 4280	1808	Nanaenetaepe.exe	cmd.exe
PID 1808 wrote to memory of 4280	1808	Nanaenetaepe.exe	cmd.exe
PID 4980 wrote to memory of 5052	4980	cmd.exe	PING.EXE
PID 4980 wrote to memory of 5052	4980	cmd.exe	PING.EXE
PID 4980 wrote to memory of 5052	4980	cmd.exe	PING.EXE
PID 4280 wrote to memory of 4428	4280	cmd.exe	md6_6ydj.exe
PID 4280 wrote to memory of 4428	4280	cmd.exe	md6_6ydj.exe
PID 4280 wrote to memory of 4428	4280	cmd.exe	md6_6ydj.exe
PID 4512 wrote to memory of 5020	4512	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4512 wrote to memory of 5020	4512	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4512 wrote to memory of 5020	4512	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe

C:\Users\Admin\AppData\Local\Temp\C24D05331D2CF344AF12C1C169270846.exe
"C:\Users\Admin\AppData\Local\Temp\C24D05331D2CF344AF12C1C169270846.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3944

C:\Users\Admin\AppData\Local\Temp\is-BBEGK.tmp\C24D05331D2CF344AF12C1C169270846.tmp
"C:\Users\Admin\AppData\Local\Temp\is-BBEGK.tmp\C24D05331D2CF344AF12C1C169270846.tmp" /SL5="$5006A,448783,365056,C:\Users\Admin\AppData\Local\Temp\C24D05331D2CF344AF12C1C169270846.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1412

C:\Users\Admin\AppData\Local\Temp\is-JQQAT.tmp\758____Dawn.exe
"C:\Users\Admin\AppData\Local\Temp\is-JQQAT.tmp\758____Dawn.exe" /S /UID=lab212
3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2184

C:\Program Files\Windows Media Player\GYOMJHMKMF\prolab.exe
"C:\Program Files\Windows Media Player\GYOMJHMKMF\prolab.exe" /VERYSILENT
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3476

C:\Users\Admin\AppData\Local\Temp\is-T9265.tmp\prolab.tmp
"C:\Users\Admin\AppData\Local\Temp\is-T9265.tmp\prolab.tmp" /SL5="$6005C,575243,216576,C:\Program Files\Windows Media Player\GYOMJHMKMF\prolab.exe" /VERYSILENT
5⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:3496

C:\Users\Admin\AppData\Local\Temp\13-3eda2-6c6-a6a86-cae083c6b9992\Kywimaeshaetu.exe
"C:\Users\Admin\AppData\Local\Temp\13-3eda2-6c6-a6a86-cae083c6b9992\Kywimaeshaetu.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
PID:4028

C:\Users\Admin\AppData\Local\Temp\f1-9663a-f5e-13488-85166b94376f1\Nanaenetaepe.exe
"C:\Users\Admin\AppData\Local\Temp\f1-9663a-f5e-13488-85166b94376f1\Nanaenetaepe.exe"
4⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1808

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\0ckjbjvq.t1u\Newouttab02.exe & exit
5⤵
- Suspicious use of WriteProcessMemory
PID:4964

C:\Users\Admin\AppData\Local\Temp\0ckjbjvq.t1u\Newouttab02.exe
C:\Users\Admin\AppData\Local\Temp\0ckjbjvq.t1u\Newouttab02.exe
6⤵
- Executes dropped EXE
PID:5096

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im Newouttab02.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\0ckjbjvq.t1u\Newouttab02.exe" & del C:\ProgramData\*.dll & exit
7⤵
PID:5244

C:\Windows\SysWOW64\taskkill.exe
taskkill /im Newouttab02.exe /f
8⤵
- Kills process with taskkill
PID:5952

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
8⤵
- Delays execution with timeout.exe
PID:5380

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\hquj5xen.plz\EU.exe & exit
5⤵
- Suspicious use of WriteProcessMemory
PID:4272

C:\Users\Admin\AppData\Local\Temp\hquj5xen.plz\EU.exe
C:\Users\Admin\AppData\Local\Temp\hquj5xen.plz\EU.exe
6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4464

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c cmd < Osato.vstx
7⤵
- Suspicious use of WriteProcessMemory
PID:4788

C:\Windows\SysWOW64\cmd.exe
cmd
8⤵
- Suspicious use of WriteProcessMemory
PID:4980

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^qaJLWToopItHXeKcUdMKzxsMIPgjvdvtayjvMROgHwFYUOpCpAOeLfAFwWriFVMSkqfSQgIrCnesOzRTFLrVCxaeFHxPOHJMfNMUmsMURLAhjoQIypBTRQdRHjhoUTfUPdewGXxgYptQT$" Offerto.vstx
9⤵
PID:4564

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Era.exe.com
Era.exe.com u
9⤵
- Executes dropped EXE
PID:4104

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Era.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Era.exe.com u
10⤵
- Executes dropped EXE
PID:4672

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Era.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Era.exe.com u
11⤵
PID:3612

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Era.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Era.exe.com u
12⤵
PID:4392

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 30
9⤵
- Runs ping.exe
PID:5052

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "
7⤵
PID:8156

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\rqfvas1v.xdg\GcleanerEU.exe /eufive & exit
5⤵
PID:4580

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\mwaxiroj.dop\installer.exe /qn CAMPAIGN="654" & exit
5⤵
PID:4648

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\wh1p1ojm.2ql\ebook.exe & exit
5⤵
- Suspicious use of WriteProcessMemory
PID:4756

C:\Users\Admin\AppData\Local\Temp\wh1p1ojm.2ql\ebook.exe
C:\Users\Admin\AppData\Local\Temp\wh1p1ojm.2ql\ebook.exe
6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5072

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\wh1p1ojm.2ql\EBOOKE~1.TMP,S C:\Users\Admin\AppData\Local\Temp\wh1p1ojm.2ql\ebook.exe
7⤵
- Loads dropped DLL
PID:4124

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\PROGRA~3\BKLNGF~1\KGJOCB~1.TMP,jkxCM0hv C:\Users\Admin\AppData\Local\Temp\wh1p1ojm.2ql\EBOOKE~1.TMP
8⤵
PID:6192

C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Windows\system32\shell32.dll,#61 31801
9⤵
PID:8492

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp5768.tmp.ps1"
9⤵
PID:8376

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp949D.tmp.ps1"
9⤵
PID:7732

C:\Windows\SysWOW64\nslookup.exe
"C:\Windows\system32\nslookup.exe" -type=any localhost
10⤵
PID:9188

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
9⤵
PID:5976

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
9⤵
PID:5928

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\jv1qnnfd.upl\JoSetp.exe & exit
5⤵
- Suspicious use of WriteProcessMemory
PID:5028

C:\Users\Admin\AppData\Local\Temp\jv1qnnfd.upl\JoSetp.exe
C:\Users\Admin\AppData\Local\Temp\jv1qnnfd.upl\JoSetp.exe
6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4452

C:\Users\Admin\AppData\Roaming\4897368.exe
"C:\Users\Admin\AppData\Roaming\4897368.exe"
7⤵
- Executes dropped EXE
PID:4444

C:\Users\Admin\AppData\Roaming\8186519.exe
"C:\Users\Admin\AppData\Roaming\8186519.exe"
7⤵
- Executes dropped EXE
PID:4868

C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
"C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
8⤵
PID:4936

C:\Users\Admin\AppData\Roaming\6764820.exe
"C:\Users\Admin\AppData\Roaming\6764820.exe"
7⤵
- Executes dropped EXE
PID:4120

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\o4ohfypk.upa\md6_6ydj.exe & exit
5⤵
- Suspicious use of WriteProcessMemory
PID:4280

C:\Users\Admin\AppData\Local\Temp\o4ohfypk.upa\md6_6ydj.exe
C:\Users\Admin\AppData\Local\Temp\o4ohfypk.upa\md6_6ydj.exe
6⤵
- Executes dropped EXE
PID:4428

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\5hsu1xdn.zej\ifhwwyy.exe & exit
5⤵
PID:4700

C:\Users\Admin\AppData\Local\Temp\5hsu1xdn.zej\ifhwwyy.exe
C:\Users\Admin\AppData\Local\Temp\5hsu1xdn.zej\ifhwwyy.exe
6⤵
PID:4032

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
7⤵
PID:5308

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
7⤵
PID:5344

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\rciptm2z.nsk\Setup3310.exe /Verysilent /subid=623 & exit
5⤵
PID:5128

C:\Users\Admin\AppData\Local\Temp\rciptm2z.nsk\Setup3310.exe
C:\Users\Admin\AppData\Local\Temp\rciptm2z.nsk\Setup3310.exe /Verysilent /subid=623
6⤵
PID:5252

C:\Users\Admin\AppData\Local\Temp\is-A5141.tmp\Setup3310.tmp
"C:\Users\Admin\AppData\Local\Temp\is-A5141.tmp\Setup3310.tmp" /SL5="$502E8,138429,56832,C:\Users\Admin\AppData\Local\Temp\rciptm2z.nsk\Setup3310.exe" /Verysilent /subid=623
7⤵
PID:5364

C:\Users\Admin\AppData\Local\Temp\is-JGLME.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-JGLME.tmp\Setup.exe" /Verysilent
8⤵
PID:6056

C:\Program Files (x86)\Data Finder\Versium Research\hjjgaa.exe
"C:\Program Files (x86)\Data Finder\Versium Research\hjjgaa.exe"
9⤵
PID:5744

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
10⤵
PID:5732

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
10⤵
PID:6956

C:\Program Files (x86)\Data Finder\Versium Research\RunWW.exe
"C:\Program Files (x86)\Data Finder\Versium Research\RunWW.exe"
9⤵
PID:5780

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im RunWW.exe /f & timeout /t 6 & del /f /q "C:\Program Files (x86)\Data Finder\Versium Research\RunWW.exe" & del C:\ProgramData\*.dll & exit
10⤵
PID:7144

C:\Windows\SysWOW64\taskkill.exe
taskkill /im RunWW.exe /f
11⤵
- Kills process with taskkill
PID:4284

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
11⤵
- Delays execution with timeout.exe
PID:7260

C:\Program Files (x86)\Data Finder\Versium Research\MediaBurner.exe
"C:\Program Files (x86)\Data Finder\Versium Research\MediaBurner.exe"
9⤵
PID:5136

C:\Users\Admin\AppData\Local\Temp\is-95T4V.tmp\MediaBurner.tmp
"C:\Users\Admin\AppData\Local\Temp\is-95T4V.tmp\MediaBurner.tmp" /SL5="$303FC,506127,422400,C:\Program Files (x86)\Data Finder\Versium Research\MediaBurner.exe"
10⤵
PID:6044

C:\Users\Admin\AppData\Local\Temp\is-EONMJ.tmp\JFHGSFGSIUGFSUIG.exe
"C:\Users\Admin\AppData\Local\Temp\is-EONMJ.tmp\JFHGSFGSIUGFSUIG.exe" /S /UID=burnerch1
11⤵
PID:5520

C:\Program Files\Windows Photo Viewer\VAIFXVWJZM\ultramediaburner.exe
"C:\Program Files\Windows Photo Viewer\VAIFXVWJZM\ultramediaburner.exe" /VERYSILENT
12⤵
PID:7056

C:\Users\Admin\AppData\Local\Temp\is-MBKQ6.tmp\ultramediaburner.tmp
"C:\Users\Admin\AppData\Local\Temp\is-MBKQ6.tmp\ultramediaburner.tmp" /SL5="$303D8,281924,62464,C:\Program Files\Windows Photo Viewer\VAIFXVWJZM\ultramediaburner.exe" /VERYSILENT
13⤵
PID:7080

C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe
"C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu
14⤵
PID:6544

C:\Users\Admin\AppData\Local\Temp\f9-a4bf1-04e-5f3b8-6a0c116522858\Cifapyvezhi.exe
"C:\Users\Admin\AppData\Local\Temp\f9-a4bf1-04e-5f3b8-6a0c116522858\Cifapyvezhi.exe"
12⤵
PID:7116

C:\Users\Admin\AppData\Local\Temp\22-aeba7-d5b-522a1-acd4fb1b29d76\Taezheraeryce.exe
"C:\Users\Admin\AppData\Local\Temp\22-aeba7-d5b-522a1-acd4fb1b29d76\Taezheraeryce.exe"
12⤵
PID:4820

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ky3ajyzu.nnr\GcleanerEU.exe /eufive & exit
13⤵
PID:7992

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\izzbbg1x.pqn\installer.exe /qn CAMPAIGN="654" & exit
13⤵
PID:7940

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\gifsezdx.ptd\ifhwwyy.exe & exit
13⤵
PID:8572

C:\Users\Admin\AppData\Local\Temp\gifsezdx.ptd\ifhwwyy.exe
C:\Users\Admin\AppData\Local\Temp\gifsezdx.ptd\ifhwwyy.exe
14⤵
PID:8808

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
15⤵
PID:9092

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
15⤵
PID:8936

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\jgdfnn22.3uy\Setup3310.exe /Verysilent /subid=623 & exit
13⤵
PID:7596

C:\Users\Admin\AppData\Local\Temp\jgdfnn22.3uy\Setup3310.exe
C:\Users\Admin\AppData\Local\Temp\jgdfnn22.3uy\Setup3310.exe /Verysilent /subid=623
14⤵
PID:7872

C:\Users\Admin\AppData\Local\Temp\is-6V1IG.tmp\Setup3310.tmp
"C:\Users\Admin\AppData\Local\Temp\is-6V1IG.tmp\Setup3310.tmp" /SL5="$206CE,138429,56832,C:\Users\Admin\AppData\Local\Temp\jgdfnn22.3uy\Setup3310.exe" /Verysilent /subid=623
15⤵
PID:6128

C:\Users\Admin\AppData\Local\Temp\is-E1GCD.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-E1GCD.tmp\Setup.exe" /Verysilent
16⤵
PID:7632

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\30k0sioy.by1\google-game.exe & exit
13⤵
PID:8476

C:\Users\Admin\AppData\Local\Temp\30k0sioy.by1\google-game.exe
C:\Users\Admin\AppData\Local\Temp\30k0sioy.by1\google-game.exe
14⤵
PID:9164

C:\Windows\SysWOW64\rUNdlL32.eXe
"C:\Windows\system32\rUNdlL32.eXe" "C:\Users\Admin\AppData\Local\Temp\axhub.dll",axhub
15⤵
PID:8120

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\tukx00fu.emk\GcleanerWW.exe /mixone & exit
13⤵
PID:8200

C:\Program Files (x86)\Data Finder\Versium Research\lylal220.exe
"C:\Program Files (x86)\Data Finder\Versium Research\lylal220.exe"
9⤵
PID:5452

C:\Users\Admin\AppData\Local\Temp\is-L55O0.tmp\lylal220.tmp
"C:\Users\Admin\AppData\Local\Temp\is-L55O0.tmp\lylal220.tmp" /SL5="$203FA,389391,305664,C:\Program Files (x86)\Data Finder\Versium Research\lylal220.exe"
10⤵
PID:5584

C:\Users\Admin\AppData\Local\Temp\is-BHO5R.tmp\ElZané_çé_.exe
"C:\Users\Admin\AppData\Local\Temp\is-BHO5R.tmp\ElZané_çé_.exe" /S /UID=lylal220
11⤵
PID:6068

C:\Users\Admin\AppData\Local\Temp\97-f9819-5bc-154b1-a4e0f4aa88952\Tysyhipaere.exe
"C:\Users\Admin\AppData\Local\Temp\97-f9819-5bc-154b1-a4e0f4aa88952\Tysyhipaere.exe"
12⤵
PID:6604

C:\Program Files\Windows Media Player\JQIEIIURZT\irecord.exe
"C:\Program Files\Windows Media Player\JQIEIIURZT\irecord.exe" /VERYSILENT
12⤵
PID:6492

C:\Users\Admin\AppData\Local\Temp\is-1E7T5.tmp\irecord.tmp
"C:\Users\Admin\AppData\Local\Temp\is-1E7T5.tmp\irecord.tmp" /SL5="$104C4,5808768,66560,C:\Program Files\Windows Media Player\JQIEIIURZT\irecord.exe" /VERYSILENT
13⤵
PID:3840

C:\Program Files (x86)\i-record\I-Record.exe
"C:\Program Files (x86)\i-record\I-Record.exe" -silent -desktopShortcut -programMenu
14⤵
PID:6960

C:\Users\Admin\AppData\Local\Temp\ea-e9bf3-09b-96aa6-3e65050a7f438\Fuzhapaewepe.exe
"C:\Users\Admin\AppData\Local\Temp\ea-e9bf3-09b-96aa6-3e65050a7f438\Fuzhapaewepe.exe"
12⤵
PID:5684

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\u13h143q.jgd\GcleanerEU.exe /eufive & exit
13⤵
PID:8104

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\kkps4bsz.zjf\installer.exe /qn CAMPAIGN="654" & exit
13⤵
PID:6828

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\shh4vjdw.5lk\ifhwwyy.exe & exit
13⤵
PID:8684

C:\Users\Admin\AppData\Local\Temp\shh4vjdw.5lk\ifhwwyy.exe
C:\Users\Admin\AppData\Local\Temp\shh4vjdw.5lk\ifhwwyy.exe
14⤵
PID:8916

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
15⤵
PID:9132

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
15⤵
PID:7420

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\dloc4gkm.btz\Setup3310.exe /Verysilent /subid=623 & exit
13⤵
PID:8560

C:\Users\Admin\AppData\Local\Temp\dloc4gkm.btz\Setup3310.exe
C:\Users\Admin\AppData\Local\Temp\dloc4gkm.btz\Setup3310.exe /Verysilent /subid=623
14⤵
PID:7472

C:\Users\Admin\AppData\Local\Temp\is-CPL3T.tmp\Setup3310.tmp
"C:\Users\Admin\AppData\Local\Temp\is-CPL3T.tmp\Setup3310.tmp" /SL5="$20380,138429,56832,C:\Users\Admin\AppData\Local\Temp\dloc4gkm.btz\Setup3310.exe" /Verysilent /subid=623
15⤵
PID:7724

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\yltrlmf0.fdv\google-game.exe & exit
13⤵
PID:8220

C:\Users\Admin\AppData\Local\Temp\yltrlmf0.fdv\google-game.exe
C:\Users\Admin\AppData\Local\Temp\yltrlmf0.fdv\google-game.exe
14⤵
PID:9168

C:\Windows\SysWOW64\rUNdlL32.eXe
"C:\Windows\system32\rUNdlL32.eXe" "C:\Users\Admin\AppData\Local\Temp\axhub.dll",axhub
15⤵
PID:7044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7044 -s 616
16⤵
- Program crash
PID:8860

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ohna13vr.el2\GcleanerWW.exe /mixone & exit
13⤵
PID:9208

C:\Program Files (x86)\Data Finder\Versium Research\LabPicV3.exe
"C:\Program Files (x86)\Data Finder\Versium Research\LabPicV3.exe"
9⤵
PID:5900

C:\Users\Admin\AppData\Local\Temp\is-G25UO.tmp\LabPicV3.tmp
"C:\Users\Admin\AppData\Local\Temp\is-G25UO.tmp\LabPicV3.tmp" /SL5="$20426,448783,365056,C:\Program Files (x86)\Data Finder\Versium Research\LabPicV3.exe"
10⤵
PID:4972

C:\Users\Admin\AppData\Local\Temp\is-N8G8P.tmp\758____Dawn.exe
"C:\Users\Admin\AppData\Local\Temp\is-N8G8P.tmp\758____Dawn.exe" /S /UID=lab214
11⤵
PID:5944

C:\Program Files\Windows Security\SNJUOUJLNF\prolab.exe
"C:\Program Files\Windows Security\SNJUOUJLNF\prolab.exe" /VERYSILENT
12⤵
PID:7144

C:\Users\Admin\AppData\Local\Temp\is-JF3HI.tmp\prolab.tmp
"C:\Users\Admin\AppData\Local\Temp\is-JF3HI.tmp\prolab.tmp" /SL5="$10472,575243,216576,C:\Program Files\Windows Security\SNJUOUJLNF\prolab.exe" /VERYSILENT
13⤵
PID:6220

C:\Users\Admin\AppData\Local\Temp\24-f291c-b5a-1ba95-4c307dd6390b7\Loqevaesovo.exe
"C:\Users\Admin\AppData\Local\Temp\24-f291c-b5a-1ba95-4c307dd6390b7\Loqevaesovo.exe"
12⤵
PID:6124

C:\Users\Admin\AppData\Local\Temp\11-63427-8ba-f69aa-d4bdef2d075e9\Tysyhipaere.exe
"C:\Users\Admin\AppData\Local\Temp\11-63427-8ba-f69aa-d4bdef2d075e9\Tysyhipaere.exe"
12⤵
PID:6564

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\0rvdbga2.bcv\GcleanerEU.exe /eufive & exit
13⤵
PID:8012

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\eqrmtr44.pln\installer.exe /qn CAMPAIGN="654" & exit
13⤵
PID:6168

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\csdbh1pa.dyu\ifhwwyy.exe & exit
13⤵
PID:8548

C:\Users\Admin\AppData\Local\Temp\csdbh1pa.dyu\ifhwwyy.exe
C:\Users\Admin\AppData\Local\Temp\csdbh1pa.dyu\ifhwwyy.exe
14⤵
PID:8988

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
15⤵
PID:9164

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
15⤵
PID:8124

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\2wcqarzl.uwz\Setup3310.exe /Verysilent /subid=623 & exit
13⤵
PID:4300

C:\Users\Admin\AppData\Local\Temp\2wcqarzl.uwz\Setup3310.exe
C:\Users\Admin\AppData\Local\Temp\2wcqarzl.uwz\Setup3310.exe /Verysilent /subid=623
14⤵
PID:7528

C:\Users\Admin\AppData\Local\Temp\is-SNGVS.tmp\Setup3310.tmp
"C:\Users\Admin\AppData\Local\Temp\is-SNGVS.tmp\Setup3310.tmp" /SL5="$25036E,138429,56832,C:\Users\Admin\AppData\Local\Temp\2wcqarzl.uwz\Setup3310.exe" /Verysilent /subid=623
15⤵
PID:7772

C:\Users\Admin\AppData\Local\Temp\is-3JPPM.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-3JPPM.tmp\Setup.exe" /Verysilent
16⤵
PID:2944

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\p3pxcrbv.hh4\google-game.exe & exit
13⤵
PID:8092

C:\Users\Admin\AppData\Local\Temp\p3pxcrbv.hh4\google-game.exe
C:\Users\Admin\AppData\Local\Temp\p3pxcrbv.hh4\google-game.exe
14⤵
PID:5440

C:\Program Files (x86)\Data Finder\Versium Research\guihuali-game.exe
"C:\Program Files (x86)\Data Finder\Versium Research\guihuali-game.exe"
9⤵
PID:5984

C:\Windows\SysWOW64\rUNdlL32.eXe
"C:\Windows\system32\rUNdlL32.eXe" "C:\Users\Admin\AppData\Local\Temp\install.dll",install
10⤵
PID:6700

C:\Program Files (x86)\Data Finder\Versium Research\NMemo3Setp.exe
"C:\Program Files (x86)\Data Finder\Versium Research\NMemo3Setp.exe"
9⤵
PID:5892

C:\Users\Admin\AppData\Roaming\5256615.exe
"C:\Users\Admin\AppData\Roaming\5256615.exe"
10⤵
PID:6252

C:\Users\Admin\AppData\Roaming\4951894.exe
"C:\Users\Admin\AppData\Roaming\4951894.exe"
10⤵
PID:6288

C:\Users\Admin\AppData\Roaming\2945290.exe
"C:\Users\Admin\AppData\Roaming\2945290.exe"
10⤵
PID:6324

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\r0bqyzek.0dk\google-game.exe & exit
5⤵
PID:6040

C:\Users\Admin\AppData\Local\Temp\r0bqyzek.0dk\google-game.exe
C:\Users\Admin\AppData\Local\Temp\r0bqyzek.0dk\google-game.exe
6⤵
PID:5236

C:\Windows\SysWOW64\rUNdlL32.eXe
"C:\Windows\system32\rUNdlL32.eXe" "C:\Users\Admin\AppData\Local\Temp\axhub.dll",axhub
7⤵
PID:5728

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\xn0ns2l5.toz\CHLbrowser.exe /VERYSILENT & exit
5⤵
PID:5360

C:\Users\Admin\AppData\Local\Temp\xn0ns2l5.toz\CHLbrowser.exe
C:\Users\Admin\AppData\Local\Temp\xn0ns2l5.toz\CHLbrowser.exe /VERYSILENT
6⤵
PID:6108

C:\Users\Admin\AppData\Local\Temp\xn0ns2l5.toz\CHLbrowser.exe
C:\Users\Admin\AppData\Local\Temp\xn0ns2l5.toz\CHLbrowser.exe
7⤵
PID:6080

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\p0h0epcw.ljz\askinstall46.exe & exit
5⤵
PID:5164

C:\Users\Admin\AppData\Local\Temp\p0h0epcw.ljz\askinstall46.exe
C:\Users\Admin\AppData\Local\Temp\p0h0epcw.ljz\askinstall46.exe
6⤵
PID:6212

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
7⤵
PID:6868

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
8⤵
- Kills process with taskkill
PID:5100

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\0wwvtg00.cw0\app.exe & exit
5⤵
PID:5268

C:\Users\Admin\AppData\Local\Temp\0wwvtg00.cw0\app.exe
C:\Users\Admin\AppData\Local\Temp\0wwvtg00.cw0\app.exe
6⤵
PID:6596

C:\Users\Admin\AppData\Local\Temp\0wwvtg00.cw0\app.exe
"C:\Users\Admin\AppData\Local\Temp\0wwvtg00.cw0\app.exe"
7⤵
PID:7928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6596 -s 724
7⤵
- Program crash
PID:7188

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\cuwx2tto.mbp\GcleanerWW.exe /mixone & exit
5⤵
PID:8144

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\xpw3p5pz.nfk\libravpn_setup.exe subid=685 /verysilent & exit
5⤵
PID:4048

C:\Users\Admin\AppData\Local\Temp\xpw3p5pz.nfk\libravpn_setup.exe
C:\Users\Admin\AppData\Local\Temp\xpw3p5pz.nfk\libravpn_setup.exe subid=685 /verysilent
6⤵
PID:8124

C:\Users\Admin\AppData\Local\Temp\is-MEMQO.tmp\libravpn_setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-MEMQO.tmp\libravpn_setup.tmp" /SL5="$108C6,11382886,1080320,C:\Users\Admin\AppData\Local\Temp\xpw3p5pz.nfk\libravpn_setup.exe" subid=685 /verysilent
7⤵
PID:8424

C:\Program Files (x86)\LibraVPN\LibraVPN.exe
"C:\Program Files (x86)\LibraVPN\LibraVPN.exe"
8⤵
PID:5416

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c chcp 65001 > nul & cmd.exe /c netsh advfirewall firewall delete rule name=OVS_ALLOW_VPN_INTERNET_ALL_OUTBOUND
9⤵
PID:5292

C:\Windows\SysWOW64\chcp.com
chcp 65001
10⤵
PID:7692

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c netsh advfirewall firewall delete rule name=OVS_ALLOW_VPN_INTERNET_ALL_OUTBOUND
10⤵
PID:4644

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall delete rule name=OVS_ALLOW_VPN_INTERNET_ALL_OUTBOUND
11⤵
PID:7404

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c chcp 65001 > nul & cmd.exe /c netsh advfirewall firewall delete rule name=OVS_ALLOW_APP_OUTBOUND
9⤵
PID:7460

C:\Windows\SysWOW64\chcp.com
chcp 65001
10⤵
PID:6244

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c netsh advfirewall firewall delete rule name=OVS_ALLOW_APP_OUTBOUND
10⤵
PID:7512

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall delete rule name=OVS_ALLOW_APP_OUTBOUND
11⤵
PID:5248

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c chcp 65001 > nul & cmd.exe /c netsh advfirewall firewall delete rule name=OVS_ALLOW_VPN_RESOLUTION_OUTBOUND
9⤵
PID:7728

C:\Windows\SysWOW64\chcp.com
chcp 65001
10⤵
PID:5568

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c netsh advfirewall firewall delete rule name=OVS_ALLOW_VPN_RESOLUTION_OUTBOUND
10⤵
PID:3300

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall delete rule name=OVS_ALLOW_VPN_RESOLUTION_OUTBOUND
11⤵
PID:5220

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c chcp 65001 > nul & cmd.exe /c netsh advfirewall firewall delete rule name=OVS_ALLOW_VPN_INTERNET_OUTBOUND
9⤵
PID:8260

C:\Windows\SysWOW64\chcp.com
chcp 65001
10⤵
PID:9096

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c netsh advfirewall firewall delete rule name=OVS_ALLOW_VPN_INTERNET_OUTBOUND
10⤵
PID:5408

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall delete rule name=OVS_ALLOW_VPN_INTERNET_OUTBOUND
11⤵
PID:8292

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c chcp 65001 > nul & cmd.exe /c netsh advfirewall firewall delete rule name=OVS_ALLOW_LOCAL_OUTBOUND
9⤵
PID:7972

C:\Windows\SysWOW64\chcp.com
chcp 65001
10⤵
PID:6020

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c netsh advfirewall firewall delete rule name=OVS_ALLOW_LOCAL_OUTBOUND
10⤵
PID:5652

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall delete rule name=OVS_ALLOW_LOCAL_OUTBOUND
11⤵
PID:7812

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c chcp 65001 > nul & cmd.exe /c netsh advfirewall firewall delete rule name=OVS_ALLOW_VPN_INTERNET_ALL_OUTBOUND
9⤵
PID:6172

C:\Windows\SysWOW64\chcp.com
chcp 65001
10⤵
PID:7712

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c netsh advfirewall firewall delete rule name=OVS_ALLOW_VPN_INTERNET_ALL_OUTBOUND
10⤵
PID:7572

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall delete rule name=OVS_ALLOW_VPN_INTERNET_ALL_OUTBOUND
11⤵
PID:3496

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c chcp 65001 > nul & cmd.exe /c netsh advfirewall set allprofiles firewallpolicy BlockInbound,AllowOutbound
9⤵
PID:4264

C:\Windows\SysWOW64\chcp.com
chcp 65001
10⤵
PID:5980

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c netsh advfirewall set allprofiles firewallpolicy BlockInbound,AllowOutbound
10⤵
PID:7172

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall set allprofiles firewallpolicy BlockInbound,AllowOutbound
11⤵
PID:7752

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c chcp 65001 > nul & cmd.exe /c ipconfig /flushdns
9⤵
PID:4228

C:\Windows\SysWOW64\chcp.com
chcp 65001
10⤵
PID:7780

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c ipconfig /flushdns
10⤵
PID:4684

C:\Windows\SysWOW64\ipconfig.exe
ipconfig /flushdns
11⤵
- Gathers network information
PID:6024

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im wireguard.exe
9⤵
PID:5948

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im wireguard.exe
10⤵
- Kills process with taskkill
PID:9112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5416 -s 2088
9⤵
- Program crash
PID:8324

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\5gsbzr1q.1xl\app.exe /8-2222 & exit
5⤵
PID:7340

C:\Users\Admin\AppData\Local\Temp\5gsbzr1q.1xl\app.exe
C:\Users\Admin\AppData\Local\Temp\5gsbzr1q.1xl\app.exe /8-2222
6⤵
PID:5392

C:\Users\Admin\AppData\Local\Temp\5gsbzr1q.1xl\app.exe
"C:\Users\Admin\AppData\Local\Temp\5gsbzr1q.1xl\app.exe" /8-2222
7⤵
PID:6028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6028 -s 1220
8⤵
- Program crash
PID:580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5392 -s 460
7⤵
- Program crash
PID:4568

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3900

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:2120

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4512

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:5020

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:5552

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SystemNetworkService
1⤵
PID:5876

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:4496

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:5668

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:7856

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:8212

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s seclogon
1⤵
PID:4852

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Discovery

Software Discovery

T1518

Query Registry

T1012

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows Media Player\GYOMJHMKMF\prolab.exe
MD5
7233b5ee012fa5b15872a17cec85c893

SHA1
1cddbafd69e119ec5ab5c489420d4c74a523157b

SHA256
46a209c1f32c304a878395b6df5b2e306fd6eea0db40f0bab0a6d71eeb6b8628

SHA512
716ff0dfd097e178d1023fe9e65720bc36b94d291811211a57193df7605616db1752dabaf5637a361c9996510242a71fc58d173605e251d733ae6431da9a1b4f

Download Submit
C:\Program Files\Windows Media Player\GYOMJHMKMF\prolab.exe
MD5
7233b5ee012fa5b15872a17cec85c893

SHA1
1cddbafd69e119ec5ab5c489420d4c74a523157b

SHA256
46a209c1f32c304a878395b6df5b2e306fd6eea0db40f0bab0a6d71eeb6b8628

SHA512
716ff0dfd097e178d1023fe9e65720bc36b94d291811211a57193df7605616db1752dabaf5637a361c9996510242a71fc58d173605e251d733ae6431da9a1b4f

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\A0399TZS.cookie
MD5
1fbc6d136dca70cd0a3b99b155e0ff54

SHA1
cb9ccd4ac77a72c94af731267e733e10c41fe375

SHA256
b8bf694c359c75a9349379bf205dad779c9fb16d1f9416992e0d6fe96b4244f4

SHA512
d6c858a5aaae7d887f7b30d9bfeaf0340b7caf5acaf42f0e678656c99a128a10884546bc3a9e0267bb13057eedc2014564485f910ccec684fc8bbdb667fe7f2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\0ckjbjvq.t1u\Newouttab02.exe
MD5
fa76b075201edbd88efa1fe19d4478d6

SHA1
79274359e835b7b6b1c2a0ba43b89d3fff9a537c

SHA256
f967f045556fd6ea5b79b255a158c516075025de620ef4fff7ad09d124b15fdd

SHA512
901f4b52813dffe2f84558669fe72586aa0209fd5eb3bcd3164960a657b68fb1116717f4d29c46604be5a192e043c8a5fcce2fe5ae18abb2b5bdb15d5f0ccdc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\0ckjbjvq.t1u\Newouttab02.exe
MD5
fa76b075201edbd88efa1fe19d4478d6

SHA1
79274359e835b7b6b1c2a0ba43b89d3fff9a537c

SHA256
f967f045556fd6ea5b79b255a158c516075025de620ef4fff7ad09d124b15fdd

SHA512
901f4b52813dffe2f84558669fe72586aa0209fd5eb3bcd3164960a657b68fb1116717f4d29c46604be5a192e043c8a5fcce2fe5ae18abb2b5bdb15d5f0ccdc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\13-3eda2-6c6-a6a86-cae083c6b9992\Kywimaeshaetu.exe
MD5
db52c8b815d8aede5028ed0e7f46044e

SHA1
da2186352a3b48a837d83e85cec26f7cac0b38d2

SHA256
75f93bb568a9fe7a428aa49de18520bd885a793dc2da7af4b8af1fc2c9f10b78

SHA512
30e14006f76e1d928908f75554d8d580bab81356dc3485bef9e9445d304ab445f18c7615548fb7d0cb8a5e524c584ab637443a866bea7d40531ea6c9dc190e63

Download Submit
C:\Users\Admin\AppData\Local\Temp\13-3eda2-6c6-a6a86-cae083c6b9992\Kywimaeshaetu.exe
MD5
db52c8b815d8aede5028ed0e7f46044e

SHA1
da2186352a3b48a837d83e85cec26f7cac0b38d2

SHA256
75f93bb568a9fe7a428aa49de18520bd885a793dc2da7af4b8af1fc2c9f10b78

SHA512
30e14006f76e1d928908f75554d8d580bab81356dc3485bef9e9445d304ab445f18c7615548fb7d0cb8a5e524c584ab637443a866bea7d40531ea6c9dc190e63

Download Submit
C:\Users\Admin\AppData\Local\Temp\13-3eda2-6c6-a6a86-cae083c6b9992\Kywimaeshaetu.exe.config
MD5
98d2687aec923f98c37f7cda8de0eb19

SHA1
f6dcfcdcfe570340ecdbbd9e2a61f3cb4f281ba7

SHA256
8a94163256a722ef8cc140bcd115a5b8f8725c04fe158b129d47be81cb693465

SHA512
95c7290d59749df8df495e04789c1793265e0f34e0d091df5c0d4aefe1af4c8ac1f5460f1f198fc28c4c8c900827b8f22e2851957bbaea5914ea962b3a1d0590

Download Submit
C:\Users\Admin\AppData\Local\Temp\5hsu1xdn.zej\ifhwwyy.exe
MD5
a128a7ab31a41859c5a9e85868d4174f

SHA1
7d614c5f27d5bd60af17e023b68fb67f787c461d

SHA256
8bcf3984e139a272179407ef7f22e912d9e686d59db6dd92b36d1a546e73a34d

SHA512
202464ce77f88b6a8878dd63acf1ed92267179a9f1d75f747b20f12abae0acb7373d56d5f37b1c54613e662600b8c842b77fdc5a032431b2119a41f5554c774e

Download Submit
C:\Users\Admin\AppData\Local\Temp\5hsu1xdn.zej\ifhwwyy.exe
MD5
a128a7ab31a41859c5a9e85868d4174f

SHA1
7d614c5f27d5bd60af17e023b68fb67f787c461d

SHA256
8bcf3984e139a272179407ef7f22e912d9e686d59db6dd92b36d1a546e73a34d

SHA512
202464ce77f88b6a8878dd63acf1ed92267179a9f1d75f747b20f12abae0acb7373d56d5f37b1c54613e662600b8c842b77fdc5a032431b2119a41f5554c774e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Arteria.vstx
MD5
8d9279100d5da3507139dd80a8a1411c

SHA1
de3c5b973719007b2dea55a144368a4ca699f06b

SHA256
d43b4969cad8ced73b5397042a5f4cd47bf3ae5c3f53523d1a59dff18d4743a7

SHA512
a10b73b8f20129ca4f647971f8a1e600f8e64213f5168973f092f60efed09bc782d110cca57dff1dc38004e13cbb943e9ed07e4c1dc429fa8c03ee320fbd7ad9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Due.vstx
MD5
088d8445bccdefd29f978725373c3e31

SHA1
c1009da147d5b0072476705e5abafded32437adc

SHA256
3506bc68c001484d8395523e43b3f1b722bf43b4447aea6a8771b44b3cc2116a

SHA512
049cc85eea9b1105adaaf1dd14ffe5b7c963dc84d5d46f8dfb91f2e0d3b8613d350f8c500ee56e2afb08d7a028002fbf2388b82fedd94a101640d4319536d1e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Era.exe.com
MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Era.exe.com
MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Era.exe.com
MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Era.exe.com
MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Offerto.vstx
MD5
73adf2c372c1cbeff401247d9b340165

SHA1
578ba120179b9d312d5ab3a242daea9b5cb1bcce

SHA256
95b6935fb610cfb970e5f278d2f28bbdd4b1f2e4853e52d1b7f252b6fbcaee18

SHA512
1305333bb2cd6cf739e89124a59aa18a24075aad9971a4ec3d8818fdae257fe26d431082b66af0ba9ccb895cdaffa9122ca1447db67fda0ce924e228c180fda2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Osato.vstx
MD5
5b10deadd97299b70afd2de8ab161ec0

SHA1
d15867dfbc984294236bd4fbe12f9aac75692fc5

SHA256
c4d49fd084f7d73a1e1698472a25f84cef2f9b1f8ada11959b93506ae3693bc0

SHA512
7596d70d6e860a2305dabb97cad21d581356f4134f60d8bd7efa5319959e4bef04d3695f0813bf5d009fa02ea3a843eca5ac50be2f33bb45625301598c8f9326

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\u
MD5
8d9279100d5da3507139dd80a8a1411c

SHA1
de3c5b973719007b2dea55a144368a4ca699f06b

SHA256
d43b4969cad8ced73b5397042a5f4cd47bf3ae5c3f53523d1a59dff18d4743a7

SHA512
a10b73b8f20129ca4f647971f8a1e600f8e64213f5168973f092f60efed09bc782d110cca57dff1dc38004e13cbb943e9ed07e4c1dc429fa8c03ee320fbd7ad9

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dll
MD5
89c739ae3bbee8c40a52090ad0641d31

SHA1
d0f7dc9a0a3e52af0f9f9736f26e401636c420a1

SHA256
10a122bd647c88aa23f96687e26b251862e83be9dbb89532f4a578689547972d

SHA512
cc5059e478e5f469fde39e4119ee75eed7066f2a2069590cb5046e478b812f87ab1fc21dcfe44c965061fa4f9f83d6a14accf0c0e9b2406ae51504d06a3f6480

Download Submit
C:\Users\Admin\AppData\Local\Temp\f1-9663a-f5e-13488-85166b94376f1\Kenessey.txt
MD5
97384261b8bbf966df16e5ad509922db

SHA1
2fc42d37fee2c81d767e09fb298b70c748940f86

SHA256
9c0d294c05fc1d88d698034609bb81c0c69196327594e4c69d2915c80fd9850c

SHA512
b77fe2d86fbc5bd116d6a073eb447e76a74add3fa0d0b801f97535963241be3cdce1dbcaed603b78f020d0845b2d4bfc892ceb2a7d1c8f1d98abc4812ef5af21

Download Submit
C:\Users\Admin\AppData\Local\Temp\f1-9663a-f5e-13488-85166b94376f1\Nanaenetaepe.exe
MD5
5e811a4c585c044b63d8fcfa7de859b0

SHA1
8db92be7d3fe25f293887eca5d1a2979cfa6b2b8

SHA256
9805d9def7c162f0724270ec42ea2153946bc61aeb93bdf24463e43863466319

SHA512
ea10185c4988d773b053387204a4c8414d6fea79c34a875df1f4bbe47d2b065b23a8431f1b4686ab77be9f7c2f15dbc962d9239929ce19a93971ae56e3d169ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\f1-9663a-f5e-13488-85166b94376f1\Nanaenetaepe.exe
MD5
5e811a4c585c044b63d8fcfa7de859b0

SHA1
8db92be7d3fe25f293887eca5d1a2979cfa6b2b8

SHA256
9805d9def7c162f0724270ec42ea2153946bc61aeb93bdf24463e43863466319

SHA512
ea10185c4988d773b053387204a4c8414d6fea79c34a875df1f4bbe47d2b065b23a8431f1b4686ab77be9f7c2f15dbc962d9239929ce19a93971ae56e3d169ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\f1-9663a-f5e-13488-85166b94376f1\Nanaenetaepe.exe.config
MD5
98d2687aec923f98c37f7cda8de0eb19

SHA1
f6dcfcdcfe570340ecdbbd9e2a61f3cb4f281ba7

SHA256
8a94163256a722ef8cc140bcd115a5b8f8725c04fe158b129d47be81cb693465

SHA512
95c7290d59749df8df495e04789c1793265e0f34e0d091df5c0d4aefe1af4c8ac1f5460f1f198fc28c4c8c900827b8f22e2851957bbaea5914ea962b3a1d0590

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
MD5
b7161c0845a64ff6d7345b67ff97f3b0

SHA1
d223f855da541fe8e4c1d5c50cb26da0a1deb5fc

SHA256
fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66

SHA512
98d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680

Download Submit
C:\Users\Admin\AppData\Local\Temp\hquj5xen.plz\EU.exe
MD5
4de367690e3923991a345a76234b7908

SHA1
38e7d48e047608bb46c5d20202d6bb3041cbe1b2

SHA256
f9b04de368ff3348a1485b575cf1edbf702f6fe6d66d5ee1aed43dc151a36679

SHA512
6154d0d46f2ea43ac9aea4576a0402971916c9a9bfd8dcaa70ae09642ecf5bca179181c3b290931d8d49dc8d27004ab30609719e60a1e83edb15c79194d70744

Download Submit
C:\Users\Admin\AppData\Local\Temp\hquj5xen.plz\EU.exe
MD5
4de367690e3923991a345a76234b7908

SHA1
38e7d48e047608bb46c5d20202d6bb3041cbe1b2

SHA256
f9b04de368ff3348a1485b575cf1edbf702f6fe6d66d5ee1aed43dc151a36679

SHA512
6154d0d46f2ea43ac9aea4576a0402971916c9a9bfd8dcaa70ae09642ecf5bca179181c3b290931d8d49dc8d27004ab30609719e60a1e83edb15c79194d70744

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-A5141.tmp\Setup3310.tmp
MD5
ffcf263a020aa7794015af0edee5df0b

SHA1
bce1eb5f0efb2c83f416b1782ea07c776666fdab

SHA256
1d07cfb7104b85fc0dffd761f6848ad176117e146bbb4079fe993efa06b94c64

SHA512
49f2b062adfb99c0c7f1012c56f0b52a8850d9f030cc32073b90025b372e4eb373f06a351e9b33264967427b8174c060c8a6110979f0eaf0872f7da6d5e4308a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-BBEGK.tmp\C24D05331D2CF344AF12C1C169270846.tmp
MD5
c28e875d5b389344b0e60e1e235bb01d

SHA1
d3dc5ed07827855cab04230a81a4db16a2591f64

SHA256
aefbb6b10da985def2a138e96db1903beac455dc8a3808c64e28f6319d7d37b9

SHA512
9f2fb62f73f6240699efc0fc8941dbc088f1a69fec90ebe8830f502dadf4fd6ddd4d140de1b5552ce83c62dbf235565ff320afae2ff972c33070541b237b4fb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-JQQAT.tmp\758____Dawn.exe
MD5
7f7c5018070142b1e5bc16a36f450058

SHA1
7c5a85acea2a9889a737eb577b24051817ddcb0e

SHA256
8ccc7b8fb23cc307cec5e9a1a6850e783feb95315d442e8c93280a3683556925

SHA512
8c7487577ad0597930b310b3a60e6408fe60197351e52a73763917fb54483aad3a5613c4fbd901cf84a0d63cb986251e6af722922a06bce6d4d781fc52c39b46

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-JQQAT.tmp\758____Dawn.exe
MD5
7f7c5018070142b1e5bc16a36f450058

SHA1
7c5a85acea2a9889a737eb577b24051817ddcb0e

SHA256
8ccc7b8fb23cc307cec5e9a1a6850e783feb95315d442e8c93280a3683556925

SHA512
8c7487577ad0597930b310b3a60e6408fe60197351e52a73763917fb54483aad3a5613c4fbd901cf84a0d63cb986251e6af722922a06bce6d4d781fc52c39b46

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-T9265.tmp\prolab.tmp
MD5
47006dae5dde9f202bd32aec59100cc7

SHA1
bee5cf5cedd4d8c7aa4795285470f9745da857ef

SHA256
ca6f4924a4cd5948178a17aa622433c83ee53bf06d0417adb85a29a941f4385f

SHA512
3f0d0f0fa4ae8640554a634bada4fd985f7b369db6f74145e21fe3e2a8040ea8cf213a4f06bfacb1085ef35d161e97eba7eb278ebd33959e22e68bff4c56831e

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-T9265.tmp\prolab.tmp
MD5
47006dae5dde9f202bd32aec59100cc7

SHA1
bee5cf5cedd4d8c7aa4795285470f9745da857ef

SHA256
ca6f4924a4cd5948178a17aa622433c83ee53bf06d0417adb85a29a941f4385f

SHA512
3f0d0f0fa4ae8640554a634bada4fd985f7b369db6f74145e21fe3e2a8040ea8cf213a4f06bfacb1085ef35d161e97eba7eb278ebd33959e22e68bff4c56831e

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jv1qnnfd.upl\JoSetp.exe
MD5
77a963eca7fb8d9cc1445300b7b0a7ce

SHA1
aa8480805d69e12f0145272ce7728e07d6b322ec

SHA256
7c69bda4793eb89215ef92986ebf7ae33e49b6178e9357cccd0f538de445e296

SHA512
6602e43f67d17c6900237428a95c3296ccb7778e1447bc12d6cd282061e3532988b3254183173ad743f79fbc28986f757252228efb4fd0e9c958122fa6aa4b3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jv1qnnfd.upl\JoSetp.exe
MD5
77a963eca7fb8d9cc1445300b7b0a7ce

SHA1
aa8480805d69e12f0145272ce7728e07d6b322ec

SHA256
7c69bda4793eb89215ef92986ebf7ae33e49b6178e9357cccd0f538de445e296

SHA512
6602e43f67d17c6900237428a95c3296ccb7778e1447bc12d6cd282061e3532988b3254183173ad743f79fbc28986f757252228efb4fd0e9c958122fa6aa4b3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\mwaxiroj.dop\installer.exe
MD5
cf1f9dce41c99713a59ebc54c83d7029

SHA1
65c23f99c7676bd14635476bf61c1f8da3f234ab

SHA256
e6122041fe8cff64f468b0d404fc43b885c7a2e427bcac0dca0e0692b4f64670

SHA512
d0820580d7ee2b1419c6e2599eb5239530a6904c95012083c51753bd75f0d9d7e711d8b4c4b019ce239f50f94fddf2a66864829081d1ad6b80017d6bcf00fae8

Download Submit
C:\Users\Admin\AppData\Local\Temp\o4ohfypk.upa\md6_6ydj.exe
MD5
80c62688f0ae152650f5d1ed04813cf3

SHA1
827f694a088e6d09e293cc0a27398bf93beb4a32

SHA256
74cb6aec72c7320b4fc029ea1d0cee2764167f026589f57286df38d2dcc45a2a

SHA512
056c930cffb9a26d725c8bfef3ec39ebfc0fd1aced2360702ded8b3370809294bd300b3e83f699d6a907ec04e6e15acf87da4206a8b696e9fd2cb33dfe40f289

Download Submit
C:\Users\Admin\AppData\Local\Temp\o4ohfypk.upa\md6_6ydj.exe
MD5
80c62688f0ae152650f5d1ed04813cf3

SHA1
827f694a088e6d09e293cc0a27398bf93beb4a32

SHA256
74cb6aec72c7320b4fc029ea1d0cee2764167f026589f57286df38d2dcc45a2a

SHA512
056c930cffb9a26d725c8bfef3ec39ebfc0fd1aced2360702ded8b3370809294bd300b3e83f699d6a907ec04e6e15acf87da4206a8b696e9fd2cb33dfe40f289

Download Submit
C:\Users\Admin\AppData\Local\Temp\r0bqyzek.0dk\google-game.exe
MD5
26a2014da76c70d223a918888a444e42

SHA1
c6aafb67d3aa0495fa32de8c3fe1fd256bfcb199

SHA256
22811245067eb0e6e0a6a0696a69a02679221e02e41193939699e6657be11f6c

SHA512
eb52bf7acc36c5903da582f0836c2fec2acae5d6eb5996f6bdf2f7bc7b42ba019f41d2b8f6b7cbe6a02ed09dbca5b0c4d4d064f2646bc7eb6533f830ce43d363

Download Submit
C:\Users\Admin\AppData\Local\Temp\r0bqyzek.0dk\google-game.exe
MD5
26a2014da76c70d223a918888a444e42

SHA1
c6aafb67d3aa0495fa32de8c3fe1fd256bfcb199

SHA256
22811245067eb0e6e0a6a0696a69a02679221e02e41193939699e6657be11f6c

SHA512
eb52bf7acc36c5903da582f0836c2fec2acae5d6eb5996f6bdf2f7bc7b42ba019f41d2b8f6b7cbe6a02ed09dbca5b0c4d4d064f2646bc7eb6533f830ce43d363

Download Submit
C:\Users\Admin\AppData\Local\Temp\rciptm2z.nsk\Setup3310.exe
MD5
cdb7944020b58f58166e03d817dc7cce

SHA1
34f1728649f775b3e46cef08b1c663e5761d4963

SHA256
e375634dcc7a91d9e9228f2323d70ec87e6ed4e5da05c456604ccae94d3b2872

SHA512
7236d98e0987a61f6b757f201eca0afd05c6e22afed6ff25de2527c12b5ea7a9ef43eb644f5e7dcf9a215567e168ff311e63816846d97d3bb86e6685456c5dc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\rciptm2z.nsk\Setup3310.exe
MD5
cdb7944020b58f58166e03d817dc7cce

SHA1
34f1728649f775b3e46cef08b1c663e5761d4963

SHA256
e375634dcc7a91d9e9228f2323d70ec87e6ed4e5da05c456604ccae94d3b2872

SHA512
7236d98e0987a61f6b757f201eca0afd05c6e22afed6ff25de2527c12b5ea7a9ef43eb644f5e7dcf9a215567e168ff311e63816846d97d3bb86e6685456c5dc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\rqfvas1v.xdg\GcleanerEU.exe
MD5
4f4adcbf8c6f66dcfc8a3282ac2bf10a

SHA1
c35a9fc52bb556c79f8fa540df587a2bf465b940

SHA256
6b3c238ebcf1f3c07cf0e556faa82c6b8fe96840ff4b6b7e9962a2d855843a0b

SHA512
0d15d65c1a988dfc8cc58f515a9bb56cbaf1ff5cb0a5554700bc9af20a26c0470a83c8eb46e16175154a6bcaad7e280bbfd837a768f9f094da770b7bd3849f88

Download Submit
C:\Users\Admin\AppData\Local\Temp\wh1p1ojm.2ql\EBOOKE~1.TMP
MD5
41d742c8693339b2f78d0e20fed3929b

SHA1
530dea2b6d61762fdf5f38541e0b1385225cc857

SHA256
b67de99e9a96f2d8456fc84e666ad27116b143a09aeda4df9298fa611686b7d4

SHA512
a3b2ae62e7c8d740dbd16eaa7650de3d77b59766e8357b7196e2f067ec8f4dd7c51c6f5baa8d2096233a5c07c7b8b755234a4537ce8b9cca38626d440697d7cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\wh1p1ojm.2ql\ebook.exe
MD5
b7196d2001cd01391a576a33a7ad9a86

SHA1
2ca92554036aafe4214b5abe505601036e12fe45

SHA256
b701c94f5b6380673a504045866f1546477addd7aa6694bcd89acd88fdc9f3ab

SHA512
54233901eb3f475d07e1ba5266d3391cbfc82dd0fb8f1d6dd588e54b0a5a558ff56538a72194768f1951c4af3e61196aa0cdf82a44a4434747335a3cb15f9219

Download Submit
C:\Users\Admin\AppData\Local\Temp\wh1p1ojm.2ql\ebook.exe
MD5
b7196d2001cd01391a576a33a7ad9a86

SHA1
2ca92554036aafe4214b5abe505601036e12fe45

SHA256
b701c94f5b6380673a504045866f1546477addd7aa6694bcd89acd88fdc9f3ab

SHA512
54233901eb3f475d07e1ba5266d3391cbfc82dd0fb8f1d6dd588e54b0a5a558ff56538a72194768f1951c4af3e61196aa0cdf82a44a4434747335a3cb15f9219

Download Submit
C:\Users\Admin\AppData\Roaming\4897368.exe
MD5
3e101a7ec2008a996b83aec9b901444c

SHA1
09b5de34e66636bb93f7153ba7457c76e4f44130

SHA256
f9cc4c27295ce485194d947ee9c57d71fea38ff81e3adf431877354bc8e68006

SHA512
9022348ac73aefad2bc17843d301130e073b81736d9a457c7c9457ffc6662de9f2b567a8f91c8b3c40b7dd66440f4adfadb2e37303ad66763997a583791d6c43

Download Submit
C:\Users\Admin\AppData\Roaming\4897368.exe
MD5
3e101a7ec2008a996b83aec9b901444c

SHA1
09b5de34e66636bb93f7153ba7457c76e4f44130

SHA256
f9cc4c27295ce485194d947ee9c57d71fea38ff81e3adf431877354bc8e68006

SHA512
9022348ac73aefad2bc17843d301130e073b81736d9a457c7c9457ffc6662de9f2b567a8f91c8b3c40b7dd66440f4adfadb2e37303ad66763997a583791d6c43

Download Submit
C:\Users\Admin\AppData\Roaming\6764820.exe
MD5
ed717334c1c49ccbe7e2132aaefa73b7

SHA1
e5e89f209edbbb26d66d740d230e468a0c63627c

SHA256
35b4cf4ada33822eb3c4825979982e6d7940b1be25885ff74fd6c8620e40a7dc

SHA512
6653b2e30c0abf5a7d3082cbb424c18929b7116a7dea9aa78d2cf8904e8b32edaf965d1a87fa749752e50dbf962c7adc651e4b2970031d2e01f06949fa55613a

Download Submit
C:\Users\Admin\AppData\Roaming\6764820.exe
MD5
ed717334c1c49ccbe7e2132aaefa73b7

SHA1
e5e89f209edbbb26d66d740d230e468a0c63627c

SHA256
35b4cf4ada33822eb3c4825979982e6d7940b1be25885ff74fd6c8620e40a7dc

SHA512
6653b2e30c0abf5a7d3082cbb424c18929b7116a7dea9aa78d2cf8904e8b32edaf965d1a87fa749752e50dbf962c7adc651e4b2970031d2e01f06949fa55613a

Download Submit
C:\Users\Admin\AppData\Roaming\8186519.exe
MD5
6d4b71775ce9d8a5f7f70ddcd8e4da81

SHA1
c3236a1324bc86b037a2770be75ecf868c37ed3e

SHA256
63ba1b32aabb60c03702755dc949acaba31f34b76876ca54c0460261e3578000

SHA512
dc9e44f37e6907d966adaaf581d764e2430c4fd716018738a3cec3d3faa6659e864070c4ba364e56b4a708cb4822d39b6efde5b552aba2c0298b2fcd992f0b76

Download Submit
C:\Users\Admin\AppData\Roaming\8186519.exe
MD5
6d4b71775ce9d8a5f7f70ddcd8e4da81

SHA1
c3236a1324bc86b037a2770be75ecf868c37ed3e

SHA256
63ba1b32aabb60c03702755dc949acaba31f34b76876ca54c0460261e3578000

SHA512
dc9e44f37e6907d966adaaf581d764e2430c4fd716018738a3cec3d3faa6659e864070c4ba364e56b4a708cb4822d39b6efde5b552aba2c0298b2fcd992f0b76

Download Submit
C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
MD5
6d4b71775ce9d8a5f7f70ddcd8e4da81

SHA1
c3236a1324bc86b037a2770be75ecf868c37ed3e

SHA256
63ba1b32aabb60c03702755dc949acaba31f34b76876ca54c0460261e3578000

SHA512
dc9e44f37e6907d966adaaf581d764e2430c4fd716018738a3cec3d3faa6659e864070c4ba364e56b4a708cb4822d39b6efde5b552aba2c0298b2fcd992f0b76

Download Submit
C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
MD5
6d4b71775ce9d8a5f7f70ddcd8e4da81

SHA1
c3236a1324bc86b037a2770be75ecf868c37ed3e

SHA256
63ba1b32aabb60c03702755dc949acaba31f34b76876ca54c0460261e3578000

SHA512
dc9e44f37e6907d966adaaf581d764e2430c4fd716018738a3cec3d3faa6659e864070c4ba364e56b4a708cb4822d39b6efde5b552aba2c0298b2fcd992f0b76

Download Submit
\ProgramData\mozglue.dll
MD5
8f73c08a9660691143661bf7332c3c27

SHA1
37fa65dd737c50fda710fdbde89e51374d0c204a

SHA256
3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

SHA512
0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

Download Submit
\ProgramData\nss3.dll
MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
\Users\Admin\AppData\Local\Temp\axhub.dll
MD5
89c739ae3bbee8c40a52090ad0641d31

SHA1
d0f7dc9a0a3e52af0f9f9736f26e401636c420a1

SHA256
10a122bd647c88aa23f96687e26b251862e83be9dbb89532f4a578689547972d

SHA512
cc5059e478e5f469fde39e4119ee75eed7066f2a2069590cb5046e478b812f87ab1fc21dcfe44c965061fa4f9f83d6a14accf0c0e9b2406ae51504d06a3f6480

Download Submit
\Users\Admin\AppData\Local\Temp\is-JGLME.tmp\itdownload.dll
MD5
d82a429efd885ca0f324dd92afb6b7b8

SHA1
86bbdaa15e6fc5c7779ac69c84e53c43c9eb20ea

SHA256
b258c4d7d2113dee2168ed7e35568c8e03341e24e3eafc7a22a0d62e32122ef3

SHA512
5bf0c3b8fa5db63205a263c4fa5337188173248bef609ba4d03508c50db1fd1e336f3041ce96d78cc97659357a83e6e422f5b079d893a20a683270e05f5438df

Download Submit
\Users\Admin\AppData\Local\Temp\is-JGLME.tmp\itdownload.dll
MD5
d82a429efd885ca0f324dd92afb6b7b8

SHA1
86bbdaa15e6fc5c7779ac69c84e53c43c9eb20ea

SHA256
b258c4d7d2113dee2168ed7e35568c8e03341e24e3eafc7a22a0d62e32122ef3

SHA512
5bf0c3b8fa5db63205a263c4fa5337188173248bef609ba4d03508c50db1fd1e336f3041ce96d78cc97659357a83e6e422f5b079d893a20a683270e05f5438df

Download Submit
\Users\Admin\AppData\Local\Temp\is-JQQAT.tmp\idp.dll
MD5
8f995688085bced38ba7795f60a5e1d3

SHA1
5b1ad67a149c05c50d6e388527af5c8a0af4343a

SHA256
203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006

SHA512
043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35

Download Submit
\Users\Admin\AppData\Local\Temp\wh1p1ojm.2ql\EBOOKE~1.TMP
MD5
41d742c8693339b2f78d0e20fed3929b

SHA1
530dea2b6d61762fdf5f38541e0b1385225cc857

SHA256
b67de99e9a96f2d8456fc84e666ad27116b143a09aeda4df9298fa611686b7d4

SHA512
a3b2ae62e7c8d740dbd16eaa7650de3d77b59766e8357b7196e2f067ec8f4dd7c51c6f5baa8d2096233a5c07c7b8b755234a4537ce8b9cca38626d440697d7cf

Download Submit
\Users\Admin\AppData\Local\Temp\wh1p1ojm.2ql\EBOOKE~1.TMP
MD5
41d742c8693339b2f78d0e20fed3929b

SHA1
530dea2b6d61762fdf5f38541e0b1385225cc857

SHA256
b67de99e9a96f2d8456fc84e666ad27116b143a09aeda4df9298fa611686b7d4

SHA512
a3b2ae62e7c8d740dbd16eaa7650de3d77b59766e8357b7196e2f067ec8f4dd7c51c6f5baa8d2096233a5c07c7b8b755234a4537ce8b9cca38626d440697d7cf

Download Submit
memory/512-355-0x00000253FBE10000-0x00000253FBE81000-memory.dmp

Filesize
452KB

Download
memory/1104-330-0x000001429D7D0000-0x000001429D841000-memory.dmp

Filesize
452KB

Download
memory/1156-336-0x0000020C64040000-0x0000020C640B1000-memory.dmp

Filesize
452KB

Download
memory/1392-333-0x00000269D0A90000-0x00000269D0B01000-memory.dmp

Filesize
452KB

Download
memory/1412-115-0x0000000000000000-mapping.dmp

Download
memory/1412-122-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/1808-144-0x0000000001144000-0x0000000001145000-memory.dmp

Filesize
4KB

Download
memory/1808-142-0x0000000001140000-0x0000000001142000-memory.dmp

Filesize
8KB

Download
memory/1808-143-0x0000000001142000-0x0000000001144000-memory.dmp

Filesize
8KB

Download
memory/1808-135-0x0000000000000000-mapping.dmp

Download
memory/1884-342-0x0000021109F80000-0x0000021109FF1000-memory.dmp

Filesize
452KB

Download
memory/2184-123-0x0000000002D20000-0x0000000002D22000-memory.dmp

Filesize
8KB

Download
memory/2184-119-0x0000000000000000-mapping.dmp

Download
memory/2436-325-0x000001D0A52D0000-0x000001D0A5341000-memory.dmp

Filesize
452KB

Download
memory/2464-326-0x00000215A8260000-0x00000215A82AC000-memory.dmp

Filesize
304KB

Download
memory/2780-346-0x000001D2ECC00000-0x000001D2ECC71000-memory.dmp

Filesize
452KB

Download
memory/2844-360-0x0000028A10DA0000-0x0000028A10E11000-memory.dmp

Filesize
452KB

Download
memory/3476-126-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3476-124-0x0000000000000000-mapping.dmp

Download
memory/3496-140-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/3496-129-0x0000000000000000-mapping.dmp

Download
memory/3612-229-0x0000000000000000-mapping.dmp

Download
memory/3944-114-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4028-141-0x0000000001220000-0x0000000001222000-memory.dmp

Filesize
8KB

Download
memory/4028-131-0x0000000000000000-mapping.dmp

Download
memory/4032-245-0x0000000000000000-mapping.dmp

Download
memory/4104-181-0x0000000000000000-mapping.dmp

Download
memory/4120-231-0x0000000004FC0000-0x0000000004FC1000-memory.dmp

Filesize
4KB

Download
memory/4120-206-0x0000000000000000-mapping.dmp

Download
memory/4120-238-0x0000000005060000-0x0000000005061000-memory.dmp

Filesize
4KB

Download
memory/4120-216-0x0000000000F60000-0x0000000000F61000-memory.dmp

Filesize
4KB

Download
memory/4120-228-0x0000000009A30000-0x0000000009A31000-memory.dmp

Filesize
4KB

Download
memory/4120-227-0x0000000000E00000-0x0000000000E01000-memory.dmp

Filesize
4KB

Download
memory/4120-220-0x0000000004F90000-0x0000000004F91000-memory.dmp

Filesize
4KB

Download
memory/4120-211-0x0000000000580000-0x0000000000581000-memory.dmp

Filesize
4KB

Download
memory/4120-223-0x0000000004F20000-0x0000000004F71000-memory.dmp

Filesize
324KB

Download
memory/4120-233-0x0000000005020000-0x0000000005021000-memory.dmp

Filesize
4KB

Download
memory/4120-251-0x00000000052B0000-0x00000000052B1000-memory.dmp

Filesize
4KB

Download
memory/4124-182-0x0000000000000000-mapping.dmp

Download
memory/4124-190-0x00000000009D0000-0x0000000000B11000-memory.dmp

Filesize
1.3MB

Download
memory/4272-150-0x0000000000000000-mapping.dmp

Download
memory/4280-191-0x0000000000000000-mapping.dmp

Download
memory/4392-246-0x0000000000000000-mapping.dmp

Download
memory/4428-201-0x0000000000400000-0x0000000000648000-memory.dmp

Filesize
2.3MB

Download
memory/4428-193-0x0000000000000000-mapping.dmp

Download
memory/4428-313-0x00000000038D0000-0x00000000038E0000-memory.dmp

Filesize
64KB

Download
memory/4428-302-0x0000000003690000-0x00000000036A0000-memory.dmp

Filesize
64KB

Download
memory/4444-224-0x0000000007810000-0x0000000007811000-memory.dmp

Filesize
4KB

Download
memory/4444-205-0x0000000000820000-0x0000000000821000-memory.dmp

Filesize
4KB

Download
memory/4444-196-0x0000000000000000-mapping.dmp

Download
memory/4444-222-0x0000000002960000-0x000000000298D000-memory.dmp

Filesize
180KB

Download
memory/4444-265-0x0000000008460000-0x0000000008461000-memory.dmp

Filesize
4KB

Download
memory/4444-217-0x0000000005180000-0x0000000005181000-memory.dmp

Filesize
4KB

Download
memory/4452-180-0x000000001BAC0000-0x000000001BAC2000-memory.dmp

Filesize
8KB

Download
memory/4452-177-0x0000000001560000-0x0000000001561000-memory.dmp

Filesize
4KB

Download
memory/4452-178-0x0000000001570000-0x0000000001591000-memory.dmp

Filesize
132KB

Download
memory/4452-174-0x0000000000E20000-0x0000000000E21000-memory.dmp

Filesize
4KB

Download
memory/4452-179-0x00000000015A0000-0x00000000015A1000-memory.dmp

Filesize
4KB

Download
memory/4452-171-0x0000000000000000-mapping.dmp

Download
memory/4464-151-0x0000000000000000-mapping.dmp

Download
memory/4564-165-0x0000000000000000-mapping.dmp

Download
memory/4580-155-0x0000000000000000-mapping.dmp

Download
memory/4648-156-0x0000000000000000-mapping.dmp

Download
memory/4672-200-0x0000000000000000-mapping.dmp

Download
memory/4700-215-0x0000000000000000-mapping.dmp

Download
memory/4756-157-0x0000000000000000-mapping.dmp

Download
memory/4788-158-0x0000000000000000-mapping.dmp

Download
memory/4868-226-0x00000000026B0000-0x00000000026B1000-memory.dmp

Filesize
4KB

Download
memory/4868-219-0x0000000000B40000-0x0000000000B50000-memory.dmp

Filesize
64KB

Download
memory/4868-221-0x0000000009820000-0x0000000009821000-memory.dmp

Filesize
4KB

Download
memory/4868-208-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/4868-218-0x0000000004D90000-0x0000000004D91000-memory.dmp

Filesize
4KB

Download
memory/4868-214-0x0000000002520000-0x0000000002521000-memory.dmp

Filesize
4KB

Download
memory/4868-199-0x0000000000000000-mapping.dmp

Download
memory/4936-232-0x0000000000000000-mapping.dmp

Download
memory/4936-240-0x00000000050E0000-0x00000000050E1000-memory.dmp

Filesize
4KB

Download
memory/4936-250-0x000000000EA70000-0x000000000EA71000-memory.dmp

Filesize
4KB

Download
memory/4964-146-0x0000000000000000-mapping.dmp

Download
memory/4972-358-0x0000000000000000-mapping.dmp

Download
memory/4980-163-0x0000000000000000-mapping.dmp

Download
memory/5028-166-0x0000000000000000-mapping.dmp

Download
memory/5052-192-0x0000000000000000-mapping.dmp

Download
memory/5072-184-0x0000000000400000-0x00000000006A2000-memory.dmp

Filesize
2.6MB

Download
memory/5072-168-0x0000000000000000-mapping.dmp

Download
memory/5072-183-0x0000000000CE0000-0x0000000000DCD000-memory.dmp

Filesize
948KB

Download
memory/5096-160-0x0000000000400000-0x0000000000633000-memory.dmp

Filesize
2.2MB

Download
memory/5096-147-0x0000000000000000-mapping.dmp

Download
memory/5096-159-0x00000000009E0000-0x0000000000A7D000-memory.dmp

Filesize
628KB

Download
memory/5128-255-0x0000000000000000-mapping.dmp

Download
memory/5136-345-0x0000000000000000-mapping.dmp

Download
memory/5136-348-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/5164-363-0x0000000000000000-mapping.dmp

Download
memory/5236-292-0x0000000000000000-mapping.dmp

Download
memory/5244-295-0x0000000000000000-mapping.dmp

Download
memory/5252-259-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/5252-257-0x0000000000000000-mapping.dmp

Download
memory/5268-369-0x0000000000000000-mapping.dmp

Download
memory/5308-260-0x0000000000000000-mapping.dmp

Download
memory/5344-339-0x0000000000000000-mapping.dmp

Download
memory/5360-332-0x0000000000000000-mapping.dmp

Download
memory/5364-279-0x0000000005070000-0x0000000005071000-memory.dmp

Filesize
4KB

Download
memory/5364-274-0x0000000005020000-0x0000000005021000-memory.dmp

Filesize
4KB

Download
memory/5364-266-0x0000000000000000-mapping.dmp

Download
memory/5364-289-0x0000000005110000-0x0000000005111000-memory.dmp

Filesize
4KB

Download
memory/5364-288-0x0000000005100000-0x0000000005101000-memory.dmp

Filesize
4KB

Download
memory/5364-270-0x0000000003930000-0x000000000396C000-memory.dmp

Filesize
240KB

Download
memory/5364-287-0x00000000050F0000-0x00000000050F1000-memory.dmp

Filesize
4KB

Download
memory/5364-273-0x0000000005010000-0x0000000005011000-memory.dmp

Filesize
4KB

Download
memory/5364-272-0x0000000005000000-0x0000000005001000-memory.dmp

Filesize
4KB

Download
memory/5364-286-0x00000000050E0000-0x00000000050E1000-memory.dmp

Filesize
4KB

Download
memory/5364-276-0x0000000005040000-0x0000000005041000-memory.dmp

Filesize
4KB

Download
memory/5364-285-0x00000000050D0000-0x00000000050D1000-memory.dmp

Filesize
4KB

Download
memory/5364-275-0x0000000005030000-0x0000000005031000-memory.dmp

Filesize
4KB

Download
memory/5364-284-0x00000000050C0000-0x00000000050C1000-memory.dmp

Filesize
4KB

Download
memory/5364-283-0x00000000050B0000-0x00000000050B1000-memory.dmp

Filesize
4KB

Download
memory/5364-282-0x00000000050A0000-0x00000000050A1000-memory.dmp

Filesize
4KB

Download
memory/5364-281-0x0000000005090000-0x0000000005091000-memory.dmp

Filesize
4KB

Download
memory/5364-278-0x0000000005060000-0x0000000005061000-memory.dmp

Filesize
4KB

Download
memory/5364-277-0x0000000005050000-0x0000000005051000-memory.dmp

Filesize
4KB

Download
memory/5364-280-0x0000000005080000-0x0000000005081000-memory.dmp

Filesize
4KB

Download
memory/5380-362-0x0000000000000000-mapping.dmp

Download
memory/5452-350-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/5452-347-0x0000000000000000-mapping.dmp

Download
memory/5520-367-0x0000000000000000-mapping.dmp

Download
memory/5584-357-0x0000000000000000-mapping.dmp

Download
memory/5728-323-0x00000000048BA000-0x00000000049BB000-memory.dmp

Filesize
1.0MB

Download
memory/5728-296-0x0000000000000000-mapping.dmp

Download
memory/5728-327-0x00000000049C0000-0x0000000004A1D000-memory.dmp

Filesize
372KB

Download
memory/5732-364-0x0000000000000000-mapping.dmp

Download
memory/5744-338-0x0000000000000000-mapping.dmp

Download
memory/5780-340-0x0000000000000000-mapping.dmp

Download
memory/5876-301-0x00007FF787A54060-mapping.dmp

Download
memory/5876-361-0x0000027D0D380000-0x0000027D0D3F1000-memory.dmp

Filesize
452KB

Download
memory/5892-343-0x0000000000000000-mapping.dmp

Download
memory/5900-349-0x0000000000000000-mapping.dmp

Download
memory/5900-352-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/5944-366-0x0000000000000000-mapping.dmp

Download
memory/5952-314-0x0000000000000000-mapping.dmp

Download
memory/5984-351-0x0000000000000000-mapping.dmp

Download
memory/6040-291-0x0000000000000000-mapping.dmp

Download
memory/6044-353-0x0000000000000000-mapping.dmp

Download
memory/6056-320-0x0000000000000000-mapping.dmp

Download
memory/6068-368-0x0000000000000000-mapping.dmp

Download
memory/6108-365-0x0000000000000000-mapping.dmp

Download

pid	process
1412	C24D05331D2CF344AF12C1C169270846.tmp
4124	rundll32.exe
4124	rundll32.exe