djvu | 3b4c1d0a112668872c1d4f9c9d76087a2afe7a8281a6cb6b972c95fb2f4eb28e

Analysis

max time kernel
54s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220722-en
resource tags

arch:x64arch:x86image:win10v2004-20220722-enlocale:en-usos:windows10-2004-x64system
submitted
05-08-2022 07:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3b4c1d0a112668872c1d4f9c9d76087a2afe7a8281a6cb6b972c95fb2f4eb28e.exe
Size

351KB
MD5

312ad3b67a1f3a75637ea9297df1cedb
SHA1

7d922b102a52241d28f1451d3542db12b0265b75
SHA256

3b4c1d0a112668872c1d4f9c9d76087a2afe7a8281a6cb6b972c95fb2f4eb28e
SHA512

848db7d47dc37a9025e3df0dda4fbf1c84d9a9191febae38621d9c9b09342a987ff0587108cccfd874cb900c88c5f9f9ca0548f3027f6515ed85c92fd26f8515

Score

10^/10

djvu nymaim privateloader discovery evasion loader main persistence ransomware spyware stealer trojan vmprotect

Malware Config

Extracted

Family

privateloader

http://91.241.19.125/pub.php?pub=one

http://sarfoods.com/index.php

Attributes

payload_url
https://cdn.discordapp.com/attachments/1003879548242374749/1003976870611669043/NiceProcessX64.bmp
https://cdn.discordapp.com/attachments/1003879548242374749/1003976754358124554/NiceProcessX32.bmp
https://cdn.discordapp.com/attachments/910842184708792331/931507465563045909/dingo_20220114120058.bmp
https://c.xyzgamec.com/userdown/2202/random.exe
http://193.56.146.76/Proxytest.exe
http://www.yzsyjyjh.com/askhelp23/askinstall23.exe
http://privacy-tools-for-you-780.com/downloads/toolspab3.exe
http://luminati-china.xyz/aman/casper2.exe
https://innovicservice.net/assets/vendor/counterup/RobCleanerInstlr95038215.exe
http://tg8.cllgxx.com/hp8/g1/yrpp1047.exe
https://cdn.discordapp.com/attachments/910842184708792331/930849718240698368/Roll.bmp
https://cdn.discordapp.com/attachments/910842184708792331/930850766787330068/real1201.bmp
https://cdn.discordapp.com/attachments/910842184708792331/930882959131693096/Installer.bmp
http://185.215.113.208/ferrari.exe
https://cdn.discordapp.com/attachments/910842184708792331/931233371110141962/LingeringsAntiphon.bmp
https://cdn.discordapp.com/attachments/910842184708792331/931285223709225071/russ.bmp
https://cdn.discordapp.com/attachments/910842184708792331/932720393201016842/filinnn.bmp
https://cdn.discordapp.com/attachments/910842184708792331/933436611427979305/build20k.bmp
https://c.xyzgamec.com/userdown/2202/random.exe
http://mnbuiy.pw/adsli/note8876.exe
http://www.yzsyjyjh.com/askhelp23/askinstall23.exe
http://luminati-china.xyz/aman/casper2.exe
https://suprimax.vet.br/css/fonts/OneCleanerInst942914.exe
http://tg8.cllgxx.com/hp8/g1/ssaa1047.exe
https://www.deezloader.app/files/Deezloader_Remix_Installer_64_bit_4.3.0_Setup.exe
https://www.deezloader.app/files/Deezloader_Remix_Installer_32_bit_4.3.0_Setup.exe
https://cdn.discordapp.com/attachments/910281601559167006/911516400005296219/anyname.exe
https://cdn.discordapp.com/attachments/910281601559167006/911516894660530226/PBsecond.exe
https://cdn.discordapp.com/attachments/910842184708792331/914047763304550410/Xpadder.bmp
http://185.215.113.208/ferrari4.exe

Extracted

Family

nymaim

208.67.104.9

212.192.241.16

Extracted

Family

djvu

http://acacaca.org/test2/get.php

Attributes

extension
.vvyu
offline_id
rE5LpDv2ftYRXAo7bC18EpzfRMTHSGjgfyIMfZt1
payload_url
http://rgyui.top/dl/build2.exe
http://acacaca.org/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-QsoSRIeAK6 Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: support@bestyourmail.ch Reserve e-mail address to contact us: datarestorehelp@airmail.cc Your personal ID: 0531Jhyjd

rsa_pubkey.plain

Signatures

Detected Djvu ransomware 10 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1476-197-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1476-194-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2792-199-0x0000000004290000-0x00000000043AB000-memory.dmp	family_djvu
behavioral1/memory/1476-200-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1476-202-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1476-238-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/3812-249-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/3812-248-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/3812-260-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/3812-308-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu

Modifies Windows Defender Real-time Protection settings 3 TTPs 7 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

3b4c1d0a112668872c1d4f9c9d76087a2afe7a8281a6cb6b972c95fb2f4eb28e.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	3b4c1d0a112668872c1d4f9c9d76087a2afe7a8281a6cb6b972c95fb2f4eb28e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	3b4c1d0a112668872c1d4f9c9d76087a2afe7a8281a6cb6b972c95fb2f4eb28e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	3b4c1d0a112668872c1d4f9c9d76087a2afe7a8281a6cb6b972c95fb2f4eb28e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	3b4c1d0a112668872c1d4f9c9d76087a2afe7a8281a6cb6b972c95fb2f4eb28e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	3b4c1d0a112668872c1d4f9c9d76087a2afe7a8281a6cb6b972c95fb2f4eb28e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	3b4c1d0a112668872c1d4f9c9d76087a2afe7a8281a6cb6b972c95fb2f4eb28e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1"	3b4c1d0a112668872c1d4f9c9d76087a2afe7a8281a6cb6b972c95fb2f4eb28e.exe

NyMaim
NyMaim is a malware with various capabilities written in C++ and first seen in 2013.
trojan nymaim
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rundll32.exe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 6132 1084 rundll32.exe
Downloads MZ/PE file
Drops file in Drivers directory 1 IoCs

Processes:

WerFault.exe

description ioc process

File opened for modification C:\Windows\system32\drivers\etc\hosts WerFault.exe

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6132	1084	rundll32.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	WerFault.exe

Executes dropped EXE 20 IoCs

Processes:

NiceProcessX64.bmp.exeWEFdanE.exe.exeddoAKFf.exe.exeutube.bmp.exemixinte04.bmp.exechrome.exe.exeB2BCH2.exe.exeInstall.exePING.EXEInstall.exedjkdj778_______.exebuild.exe.exebuild.exe.exeZHalijucihae.exePapebojawo.exepoweroff.exeWerFault.exepoweroff.tmpbuild.exe.exePower Off.exe

pid	process
4720	NiceProcessX64.bmp.exe
3008	WEFdanE.exe.exe
4176	ddoAKFf.exe.exe
4616	utube.bmp.exe
4304	mixinte04.bmp.exe
3408	chrome.exe.exe
2144	B2BCH2.exe.exe
4804	Install.exe
4028	PING.EXE
1820	Install.exe
2656	djkdj778_______.exe
2792	build.exe.exe
1476	build.exe.exe
924	ZHalijucihae.exe
4904	Papebojawo.exe
3600	poweroff.exe
4820	WerFault.exe
1944	poweroff.tmp
3812	build.exe.exe
2188	Power Off.exe

VMProtect packed file 1 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral1/memory/5872-317-0x0000000140000000-0x0000000140684000-memory.dmp	vmprotect

Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.

Query Registry
T1012

System Information Discovery
T1082

Processes:

Install.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Install.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

3b4c1d0a112668872c1d4f9c9d76087a2afe7a8281a6cb6b972c95fb2f4eb28e.exeInstall.exemixinte04.bmp.exebuild.exe.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Control Panel\International\Geo\Nation	3b4c1d0a112668872c1d4f9c9d76087a2afe7a8281a6cb6b972c95fb2f4eb28e.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Control Panel\International\Geo\Nation	Install.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Control Panel\International\Geo\Nation	mixinte04.bmp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Control Panel\International\Geo\Nation	build.exe.exe

Loads dropped DLL 1 IoCs

Processes:

PING.EXE

pid process

4028 PING.EXE
Modifies file permissions 1 TTPs 1 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exe

pid process

1532 icacls.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
4028	PING.EXE

pid	process
1532	icacls.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ddoAKFf.exe.exeWEFdanE.exe.exebuild.exe.exeWerFault.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ddoAKFf.exe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	ddoAKFf.exe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	WEFdanE.exe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	WEFdanE.exe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\c1e6a3be-1b3c-46b6-acb4-462bac1b7500\\build.exe.exe\" --AutoStart"	build.exe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Windows Photo Viewer\\ZHifuqadoly.exe\""	WerFault.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 7 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

89 api.2ip.ua
116 api.2ip.ua
117 api.2ip.ua
161 ip-api.com
20 ipinfo.io
21 ipinfo.io
88 api.2ip.ua
Drops file in System32 directory 1 IoCs

Processes:

Install.exe

description ioc process

File created C:\Windows\system32\GroupPolicy\gpt.ini Install.exe

flow	ioc
89	api.2ip.ua
116	api.2ip.ua
117	api.2ip.ua
161	ip-api.com
20	ipinfo.io
21	ipinfo.io
88	api.2ip.ua

description	ioc	process
File created	C:\Windows\system32\GroupPolicy\gpt.ini	Install.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

build.exe.exeWerFault.exe

description	pid	process	target process
PID 2792 set thread context of 1476	2792	build.exe.exe	build.exe.exe
PID 4820 set thread context of 3812	4820	WerFault.exe	build.exe.exe

Drops file in Program Files directory 9 IoCs

Processes:

WerFault.exepoweroff.tmp

description	ioc	process
File created	C:\Program Files (x86)\Windows Photo Viewer\ZHifuqadoly.exe	WerFault.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\ZHifuqadoly.exe.config	WerFault.exe
File created	C:\Program Files (x86)\powerOff\is-GIEOV.tmp	poweroff.tmp
File opened for modification	C:\Program Files (x86)\powerOff\unins000.dat	poweroff.tmp
File created	C:\Program Files (x86)\powerOff\is-LLQU7.tmp	poweroff.tmp
File created	C:\Program Files\Windows NT\IFWSURPQWY\poweroff.exe	WerFault.exe
File created	C:\Program Files\Windows NT\IFWSURPQWY\poweroff.exe.config	WerFault.exe
File opened for modification	C:\Program Files (x86)\powerOff\Power Off.exe	poweroff.tmp
File created	C:\Program Files (x86)\powerOff\unins000.dat	poweroff.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 12 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
1952	4304	WerFault.exe	mixinte04.bmp.exe
4768	5092	WerFault.exe	gcleaner.exe
5168	5092	WerFault.exe	gcleaner.exe
5544	5092	WerFault.exe	gcleaner.exe
5816	5092	WerFault.exe	gcleaner.exe
6044	5092	WerFault.exe	gcleaner.exe
4220	5092	WerFault.exe	gcleaner.exe
4820	5872	WerFault.exe	rmaa1045.exe
5164	3992	WerFault.exe	rundll32.exe
4768	5092	WerFault.exe	gcleaner.exe
2656	5092	WerFault.exe	gcleaner.exe
5572	5092	WerFault.exe	gcleaner.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

chrome.exe.exe

description	ioc	process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	chrome.exe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	chrome.exe.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	chrome.exe.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

4036 schtasks.exe
5292 schtasks.exe
Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exe

pid process

3396 tasklist.exe
3648 tasklist.exe

pid	process
4036	schtasks.exe
5292	schtasks.exe

pid	process
3396	tasklist.exe
3648	tasklist.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

Install.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe

Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

4748 taskkill.exe
5784 taskkill.exe

pid	process
4748	taskkill.exe
5784	taskkill.exe

Modifies registry class 2 IoCs

Processes:

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\
Key created	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXE

pid process

4028 PING.EXE
616 PING.EXE

pid	process
4028	PING.EXE
616	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

3b4c1d0a112668872c1d4f9c9d76087a2afe7a8281a6cb6b972c95fb2f4eb28e.exeNiceProcessX64.bmp.exe

pid	process
4120	3b4c1d0a112668872c1d4f9c9d76087a2afe7a8281a6cb6b972c95fb2f4eb28e.exe
4120	3b4c1d0a112668872c1d4f9c9d76087a2afe7a8281a6cb6b972c95fb2f4eb28e.exe
4720	NiceProcessX64.bmp.exe
4720	NiceProcessX64.bmp.exe
4720	NiceProcessX64.bmp.exe
4720	NiceProcessX64.bmp.exe
4720	NiceProcessX64.bmp.exe
4720	NiceProcessX64.bmp.exe
4720	NiceProcessX64.bmp.exe
4720	NiceProcessX64.bmp.exe
4720	NiceProcessX64.bmp.exe
4720	NiceProcessX64.bmp.exe
4720	NiceProcessX64.bmp.exe
4720	NiceProcessX64.bmp.exe
4720	NiceProcessX64.bmp.exe
4720	NiceProcessX64.bmp.exe
4720	NiceProcessX64.bmp.exe
4720	NiceProcessX64.bmp.exe
4720	NiceProcessX64.bmp.exe
4720	NiceProcessX64.bmp.exe
4720	NiceProcessX64.bmp.exe
4720	NiceProcessX64.bmp.exe
4720	NiceProcessX64.bmp.exe
4720	NiceProcessX64.bmp.exe
4720	NiceProcessX64.bmp.exe
4720	NiceProcessX64.bmp.exe
4720	NiceProcessX64.bmp.exe
4720	NiceProcessX64.bmp.exe
4720	NiceProcessX64.bmp.exe
4720	NiceProcessX64.bmp.exe
4720	NiceProcessX64.bmp.exe
4720	NiceProcessX64.bmp.exe
4720	NiceProcessX64.bmp.exe
4720	NiceProcessX64.bmp.exe
4720	NiceProcessX64.bmp.exe
4720	NiceProcessX64.bmp.exe
4720	NiceProcessX64.bmp.exe
4720	NiceProcessX64.bmp.exe
4720	NiceProcessX64.bmp.exe
4720	NiceProcessX64.bmp.exe
4720	NiceProcessX64.bmp.exe
4720	NiceProcessX64.bmp.exe
4720	NiceProcessX64.bmp.exe
4720	NiceProcessX64.bmp.exe
4720	NiceProcessX64.bmp.exe
4720	NiceProcessX64.bmp.exe
4720	NiceProcessX64.bmp.exe
4720	NiceProcessX64.bmp.exe
4720	NiceProcessX64.bmp.exe
4720	NiceProcessX64.bmp.exe
4720	NiceProcessX64.bmp.exe
4720	NiceProcessX64.bmp.exe
4720	NiceProcessX64.bmp.exe
4720	NiceProcessX64.bmp.exe
4720	NiceProcessX64.bmp.exe
4720	NiceProcessX64.bmp.exe
4720	NiceProcessX64.bmp.exe
4720	NiceProcessX64.bmp.exe
4720	NiceProcessX64.bmp.exe
4720	NiceProcessX64.bmp.exe
4720	NiceProcessX64.bmp.exe
4720	NiceProcessX64.bmp.exe
4720	NiceProcessX64.bmp.exe
4720	NiceProcessX64.bmp.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

chrome.exe.exe

pid process

3408 chrome.exe.exe

pid	process
3408	chrome.exe.exe

Suspicious use of AdjustPrivilegeToken 52 IoCs

Processes:

taskkill.exeWerFault.exetasklist.exeMarito.exe.pifZHalijucihae.exePapebojawo.exe

description	pid	process
Token: SeShutdownPrivilege	2996
Token: SeCreatePagefilePrivilege	2996
Token: SeShutdownPrivilege	2996
Token: SeCreatePagefilePrivilege	2996
Token: SeShutdownPrivilege	2996
Token: SeCreatePagefilePrivilege	2996
Token: SeShutdownPrivilege	2996
Token: SeCreatePagefilePrivilege	2996
Token: SeShutdownPrivilege	2996
Token: SeCreatePagefilePrivilege	2996
Token: SeDebugPrivilege	4748	taskkill.exe
Token: SeDebugPrivilege	2656	WerFault.exe
Token: SeShutdownPrivilege	2996
Token: SeCreatePagefilePrivilege	2996
Token: SeShutdownPrivilege	2996
Token: SeCreatePagefilePrivilege	2996
Token: SeShutdownPrivilege	2996
Token: SeCreatePagefilePrivilege	2996
Token: SeShutdownPrivilege	2996
Token: SeCreatePagefilePrivilege	2996
Token: SeShutdownPrivilege	2996
Token: SeCreatePagefilePrivilege	2996
Token: SeDebugPrivilege	3648	tasklist.exe
Token: SeShutdownPrivilege	2996
Token: SeCreatePagefilePrivilege	2996
Token: SeShutdownPrivilege	2996
Token: SeCreatePagefilePrivilege	2996
Token: SeDebugPrivilege	3396	Marito.exe.pif
Token: SeShutdownPrivilege	2996
Token: SeCreatePagefilePrivilege	2996
Token: SeShutdownPrivilege	2996
Token: SeCreatePagefilePrivilege	2996
Token: SeShutdownPrivilege	2996
Token: SeCreatePagefilePrivilege	2996
Token: SeShutdownPrivilege	2996
Token: SeCreatePagefilePrivilege	2996
Token: SeShutdownPrivilege	2996
Token: SeCreatePagefilePrivilege	2996
Token: SeShutdownPrivilege	2996
Token: SeCreatePagefilePrivilege	2996
Token: SeShutdownPrivilege	2996
Token: SeCreatePagefilePrivilege	2996
Token: SeShutdownPrivilege	2996
Token: SeCreatePagefilePrivilege	2996
Token: SeShutdownPrivilege	2996
Token: SeCreatePagefilePrivilege	2996
Token: SeShutdownPrivilege	2996
Token: SeCreatePagefilePrivilege	2996
Token: SeDebugPrivilege	924	ZHalijucihae.exe
Token: SeShutdownPrivilege	2996
Token: SeCreatePagefilePrivilege	2996
Token: SeDebugPrivilege	4904	Papebojawo.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

poweroff.tmp

pid process

1944 poweroff.tmp

pid	process
1944	poweroff.tmp

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

3b4c1d0a112668872c1d4f9c9d76087a2afe7a8281a6cb6b972c95fb2f4eb28e.exeddoAKFf.exe.exeWEFdanE.exe.exeutube.bmp.exeB2BCH2.exe.exeInstall.execmd.execmd.exePING.EXEbuild.exe.exeInstall.exe

description	pid	process	target process
PID 4120 wrote to memory of 4720	4120	3b4c1d0a112668872c1d4f9c9d76087a2afe7a8281a6cb6b972c95fb2f4eb28e.exe	NiceProcessX64.bmp.exe
PID 4120 wrote to memory of 4720	4120	3b4c1d0a112668872c1d4f9c9d76087a2afe7a8281a6cb6b972c95fb2f4eb28e.exe	NiceProcessX64.bmp.exe
PID 4120 wrote to memory of 3008	4120	3b4c1d0a112668872c1d4f9c9d76087a2afe7a8281a6cb6b972c95fb2f4eb28e.exe	WEFdanE.exe.exe
PID 4120 wrote to memory of 3008	4120	3b4c1d0a112668872c1d4f9c9d76087a2afe7a8281a6cb6b972c95fb2f4eb28e.exe	WEFdanE.exe.exe
PID 4120 wrote to memory of 3008	4120	3b4c1d0a112668872c1d4f9c9d76087a2afe7a8281a6cb6b972c95fb2f4eb28e.exe	WEFdanE.exe.exe
PID 4120 wrote to memory of 4176	4120	3b4c1d0a112668872c1d4f9c9d76087a2afe7a8281a6cb6b972c95fb2f4eb28e.exe	ddoAKFf.exe.exe
PID 4120 wrote to memory of 4176	4120	3b4c1d0a112668872c1d4f9c9d76087a2afe7a8281a6cb6b972c95fb2f4eb28e.exe	ddoAKFf.exe.exe
PID 4120 wrote to memory of 4176	4120	3b4c1d0a112668872c1d4f9c9d76087a2afe7a8281a6cb6b972c95fb2f4eb28e.exe	ddoAKFf.exe.exe
PID 4120 wrote to memory of 4616	4120	3b4c1d0a112668872c1d4f9c9d76087a2afe7a8281a6cb6b972c95fb2f4eb28e.exe	utube.bmp.exe
PID 4120 wrote to memory of 4616	4120	3b4c1d0a112668872c1d4f9c9d76087a2afe7a8281a6cb6b972c95fb2f4eb28e.exe	utube.bmp.exe
PID 4120 wrote to memory of 4616	4120	3b4c1d0a112668872c1d4f9c9d76087a2afe7a8281a6cb6b972c95fb2f4eb28e.exe	utube.bmp.exe
PID 4120 wrote to memory of 4304	4120	3b4c1d0a112668872c1d4f9c9d76087a2afe7a8281a6cb6b972c95fb2f4eb28e.exe	mixinte04.bmp.exe
PID 4120 wrote to memory of 4304	4120	3b4c1d0a112668872c1d4f9c9d76087a2afe7a8281a6cb6b972c95fb2f4eb28e.exe	mixinte04.bmp.exe
PID 4120 wrote to memory of 4304	4120	3b4c1d0a112668872c1d4f9c9d76087a2afe7a8281a6cb6b972c95fb2f4eb28e.exe	mixinte04.bmp.exe
PID 4176 wrote to memory of 5028	4176	ddoAKFf.exe.exe	where.exe
PID 4176 wrote to memory of 5028	4176	ddoAKFf.exe.exe	where.exe
PID 4176 wrote to memory of 5028	4176	ddoAKFf.exe.exe	where.exe
PID 3008 wrote to memory of 4588	3008	WEFdanE.exe.exe	where.exe
PID 3008 wrote to memory of 4588	3008	WEFdanE.exe.exe	where.exe
PID 3008 wrote to memory of 4588	3008	WEFdanE.exe.exe	where.exe
PID 4120 wrote to memory of 3408	4120	3b4c1d0a112668872c1d4f9c9d76087a2afe7a8281a6cb6b972c95fb2f4eb28e.exe	chrome.exe.exe
PID 4120 wrote to memory of 3408	4120	3b4c1d0a112668872c1d4f9c9d76087a2afe7a8281a6cb6b972c95fb2f4eb28e.exe	chrome.exe.exe
PID 4120 wrote to memory of 3408	4120	3b4c1d0a112668872c1d4f9c9d76087a2afe7a8281a6cb6b972c95fb2f4eb28e.exe	chrome.exe.exe
PID 4120 wrote to memory of 2144	4120	3b4c1d0a112668872c1d4f9c9d76087a2afe7a8281a6cb6b972c95fb2f4eb28e.exe	B2BCH2.exe.exe
PID 4120 wrote to memory of 2144	4120	3b4c1d0a112668872c1d4f9c9d76087a2afe7a8281a6cb6b972c95fb2f4eb28e.exe	B2BCH2.exe.exe
PID 4120 wrote to memory of 2144	4120	3b4c1d0a112668872c1d4f9c9d76087a2afe7a8281a6cb6b972c95fb2f4eb28e.exe	B2BCH2.exe.exe
PID 4616 wrote to memory of 4804	4616	utube.bmp.exe	Install.exe
PID 4616 wrote to memory of 4804	4616	utube.bmp.exe	Install.exe
PID 4616 wrote to memory of 4804	4616	utube.bmp.exe	Install.exe
PID 4176 wrote to memory of 4696	4176	ddoAKFf.exe.exe	cmd.exe
PID 4176 wrote to memory of 4696	4176	ddoAKFf.exe.exe	cmd.exe
PID 4176 wrote to memory of 4696	4176	ddoAKFf.exe.exe	cmd.exe
PID 2144 wrote to memory of 4028	2144	B2BCH2.exe.exe	PING.EXE
PID 2144 wrote to memory of 4028	2144	B2BCH2.exe.exe	PING.EXE
PID 2144 wrote to memory of 4028	2144	B2BCH2.exe.exe	PING.EXE
PID 3008 wrote to memory of 3356	3008	WEFdanE.exe.exe	cmd.exe
PID 3008 wrote to memory of 3356	3008	WEFdanE.exe.exe	cmd.exe
PID 3008 wrote to memory of 3356	3008	WEFdanE.exe.exe	cmd.exe
PID 4804 wrote to memory of 1820	4804	Install.exe	Install.exe
PID 4804 wrote to memory of 1820	4804	Install.exe	Install.exe
PID 4804 wrote to memory of 1820	4804	Install.exe	Install.exe
PID 4696 wrote to memory of 4568	4696	cmd.exe	cmd.exe
PID 4696 wrote to memory of 4568	4696	cmd.exe	cmd.exe
PID 4696 wrote to memory of 4568	4696	cmd.exe	cmd.exe
PID 3356 wrote to memory of 4548	3356	cmd.exe	cmd.exe
PID 3356 wrote to memory of 4548	3356	cmd.exe	cmd.exe
PID 3356 wrote to memory of 4548	3356	cmd.exe	cmd.exe
PID 4028 wrote to memory of 2656	4028	PING.EXE	djkdj778_______.exe
PID 4028 wrote to memory of 2656	4028	PING.EXE	djkdj778_______.exe
PID 4120 wrote to memory of 2792	4120	3b4c1d0a112668872c1d4f9c9d76087a2afe7a8281a6cb6b972c95fb2f4eb28e.exe	build.exe.exe
PID 4120 wrote to memory of 2792	4120	3b4c1d0a112668872c1d4f9c9d76087a2afe7a8281a6cb6b972c95fb2f4eb28e.exe	build.exe.exe
PID 4120 wrote to memory of 2792	4120	3b4c1d0a112668872c1d4f9c9d76087a2afe7a8281a6cb6b972c95fb2f4eb28e.exe	build.exe.exe
PID 2792 wrote to memory of 1476	2792	build.exe.exe	build.exe.exe
PID 2792 wrote to memory of 1476	2792	build.exe.exe	build.exe.exe
PID 2792 wrote to memory of 1476	2792	build.exe.exe	build.exe.exe
PID 1820 wrote to memory of 4472	1820	Install.exe	forfiles.exe
PID 1820 wrote to memory of 4472	1820	Install.exe	forfiles.exe
PID 1820 wrote to memory of 4472	1820	Install.exe	forfiles.exe
PID 2792 wrote to memory of 1476	2792	build.exe.exe	build.exe.exe
PID 2792 wrote to memory of 1476	2792	build.exe.exe	build.exe.exe
PID 2792 wrote to memory of 1476	2792	build.exe.exe	build.exe.exe
PID 2792 wrote to memory of 1476	2792	build.exe.exe	build.exe.exe
PID 2792 wrote to memory of 1476	2792	build.exe.exe	build.exe.exe
PID 2792 wrote to memory of 1476	2792	build.exe.exe	build.exe.exe

C:\Users\Admin\AppData\Local\Temp\3b4c1d0a112668872c1d4f9c9d76087a2afe7a8281a6cb6b972c95fb2f4eb28e.exe
"C:\Users\Admin\AppData\Local\Temp\3b4c1d0a112668872c1d4f9c9d76087a2afe7a8281a6cb6b972c95fb2f4eb28e.exe"
1⤵
- Modifies Windows Defender Real-time Protection settings
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4120

C:\Users\Admin\Pictures\Adobe Films\NiceProcessX64.bmp.exe
"C:\Users\Admin\Pictures\Adobe Films\NiceProcessX64.bmp.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4720

C:\Users\Admin\Pictures\Adobe Films\WEFdanE.exe.exe
"C:\Users\Admin\Pictures\Adobe Films\WEFdanE.exe.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3008

C:\Windows\SysWOW64\where.exe
where kkskak993jhfkhjskhdfuhuiwyeuiry789q23489yhkjhsdf /?
3⤵
PID:4588

C:\Windows\SysWOW64\cmd.exe
cmd /c cmd < Nell.vst & ping -n 5 localhost
3⤵
- Suspicious use of WriteProcessMemory
PID:3356

C:\Windows\SysWOW64\cmd.exe
cmd
4⤵
PID:4548

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "imagename eq PSUAService.exe"
5⤵
- Enumerates processes with tasklist
PID:3396

C:\Windows\SysWOW64\find.exe
find /I /N "psuaservice.exe"
5⤵
PID:4164

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^fbpXyeUvKokpHuiTLJQCMdBrjOglErOlAahxaNiKQXgzzuRkquHkiUUZVuLsNJRGzwJfSNBYBuMPeoJyXrlbcCrFbgnkwQWuyHZavCajEJJqotWNbFzJnxkRXtRE$" Mia.vst
5⤵
PID:220

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Voglio.exe.pif
Voglio.exe.pif D
5⤵
PID:4164

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Voglio.exe.pif
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Voglio.exe.pif Films\WEFdanE.exe.exe"
6⤵
PID:5656

C:\Windows\SysWOW64\PING.EXE
ping -n 5 localhost
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Runs ping.exe
- Suspicious use of WriteProcessMemory
PID:4028

C:\Users\Admin\Pictures\Adobe Films\utube.bmp.exe
"C:\Users\Admin\Pictures\Adobe Films\utube.bmp.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4616

C:\Users\Admin\AppData\Local\Temp\7zS1028.tmp\Install.exe
.\Install.exe
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4804

C:\Users\Admin\AppData\Local\Temp\7zS18D2.tmp\Install.exe
.\Install.exe /S /site_id "525403"
4⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks computer location settings
- Drops file in System32 directory
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
PID:1820

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
5⤵
PID:4472

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
6⤵
PID:4668

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
7⤵
PID:2484

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
7⤵
PID:4672

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
5⤵
PID:1336

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
6⤵
PID:4920

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
7⤵
PID:3736

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
7⤵
PID:5032

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "grgvEemJi" /SC once /ST 02:55:27 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
5⤵
- Creates scheduled task(s)
PID:4036

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "grgvEemJi"
5⤵
PID:1072

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "grgvEemJi"
5⤵
PID:4744

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "bsAbafpwyZvVmVDlMF" /SC once /ST 09:11:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\BInNSjlobDuvYZgQA\dWABRBnWrovPiXF\YvFUKuJ.exe\" Yz /site_id 525403 /S" /V1 /F
5⤵
- Creates scheduled task(s)
PID:5292

C:\Users\Admin\Pictures\Adobe Films\ddoAKFf.exe.exe
"C:\Users\Admin\Pictures\Adobe Films\ddoAKFf.exe.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4176

C:\Windows\SysWOW64\where.exe
where kkskak993jhfkhjskhdfuhuiwyeuiry789q23489yhkjhsdf /?
3⤵
PID:5028

C:\Windows\SysWOW64\cmd.exe
cmd /c cmd < Calore.sldm & ping -n 5 localhost
3⤵
- Suspicious use of WriteProcessMemory
PID:4696

C:\Windows\SysWOW64\cmd.exe
cmd
4⤵
PID:4568

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "imagename eq PSUAService.exe"
5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:3648

C:\Windows\SysWOW64\find.exe
find /I /N "psuaservice.exe"
5⤵
PID:64

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^DSFRIKxgXaTKtMXZByrebjRJrDwrxjAhOWIxSGWRcDMpumUWppHSeWRsqWOyIdTLSGVitCiVojGUmHDEJyUkEHlStdzWSRotKwsm$" Avvenne.sldm
5⤵
PID:3924

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Marito.exe.pif
Marito.exe.pif x
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:3396

C:\Windows\SysWOW64\PING.EXE
ping -n 5 localhost
4⤵
- Runs ping.exe
PID:616

C:\Users\Admin\Pictures\Adobe Films\mixinte04.bmp.exe
"C:\Users\Admin\Pictures\Adobe Films\mixinte04.bmp.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
PID:4304

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "mixinte04.bmp.exe" /f & erase "C:\Users\Admin\Pictures\Adobe Films\mixinte04.bmp.exe" & exit
3⤵
PID:1500

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "mixinte04.bmp.exe" /f
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4304 -s 1320
3⤵
- Program crash
PID:1952

C:\Users\Admin\Pictures\Adobe Films\chrome.exe.exe
"C:\Users\Admin\Pictures\Adobe Films\chrome.exe.exe"
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:3408

C:\Users\Admin\Pictures\Adobe Films\B2BCH2.exe.exe
"C:\Users\Admin\Pictures\Adobe Films\B2BCH2.exe.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2144

C:\Users\Admin\AppData\Local\Temp\is-0O8H4.tmp\B2BCH2.exe.tmp
"C:\Users\Admin\AppData\Local\Temp\is-0O8H4.tmp\B2BCH2.exe.tmp" /SL5="$A01E4,254182,170496,C:\Users\Admin\Pictures\Adobe Films\B2BCH2.exe.exe"
3⤵
PID:4028

C:\Users\Admin\AppData\Local\Temp\is-UIU8O.tmp\djkdj778_______.exe
"C:\Users\Admin\AppData\Local\Temp\is-UIU8O.tmp\djkdj778_______.exe" /S /UID=91
4⤵
- Executes dropped EXE
PID:2656

C:\Users\Admin\AppData\Local\Temp\0c-c28a1-dea-c4ea3-5ad78c47faec6\ZHalijucihae.exe
"C:\Users\Admin\AppData\Local\Temp\0c-c28a1-dea-c4ea3-5ad78c47faec6\ZHalijucihae.exe"
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:924

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e6
6⤵
PID:2332

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd4,0x108,0x7ffe932946f8,0x7ffe93294708,0x7ffe93294718
7⤵
PID:4676

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,10921673799839662023,8798960295013649629,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1872 /prefetch:2
7⤵
PID:6032

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2148,10921673799839662023,8798960295013649629,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2240 /prefetch:3
7⤵
PID:5908

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2148,10921673799839662023,8798960295013649629,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2592 /prefetch:8
7⤵
PID:5144

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,10921673799839662023,8798960295013649629,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3864 /prefetch:1
7⤵
PID:5648

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,10921673799839662023,8798960295013649629,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3900 /prefetch:1
7⤵
PID:5636

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2148,10921673799839662023,8798960295013649629,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4964 /prefetch:8
7⤵
PID:2944

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,10921673799839662023,8798960295013649629,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5548 /prefetch:1
7⤵
PID:5716

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,10921673799839662023,8798960295013649629,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5512 /prefetch:1
7⤵
PID:2036

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2148,10921673799839662023,8798960295013649629,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5816 /prefetch:8
7⤵
PID:2256

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,10921673799839662023,8798960295013649629,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6188 /prefetch:1
7⤵
PID:5560

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,10921673799839662023,8798960295013649629,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4020 /prefetch:1
7⤵
PID:3736

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2148,10921673799839662023,8798960295013649629,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6420 /prefetch:8
7⤵
PID:4780

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2148,10921673799839662023,8798960295013649629,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=6168 /prefetch:8
7⤵
PID:2192

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,10921673799839662023,8798960295013649629,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6392 /prefetch:1
7⤵
PID:408

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,10921673799839662023,8798960295013649629,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3932 /prefetch:1
7⤵
PID:3356

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,10921673799839662023,8798960295013649629,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6668 /prefetch:1
7⤵
PID:3556

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,10921673799839662023,8798960295013649629,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7048 /prefetch:8
7⤵
PID:5408

C:\Users\Admin\AppData\Local\Temp\34-3790d-5b6-63aa8-adb1f2f5e1e5a\Papebojawo.exe
"C:\Users\Admin\AppData\Local\Temp\34-3790d-5b6-63aa8-adb1f2f5e1e5a\Papebojawo.exe"
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4904

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ckmwj3fg.vee\gcleaner.exe /mixfive & exit
6⤵
PID:2944

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
7⤵
PID:3924

C:\Users\Admin\AppData\Local\Temp\ckmwj3fg.vee\gcleaner.exe
C:\Users\Admin\AppData\Local\Temp\ckmwj3fg.vee\gcleaner.exe /mixfive
7⤵
PID:5092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5092 -s 456
8⤵
- Program crash
PID:4768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5092 -s 764
8⤵
- Program crash
PID:5168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5092 -s 784
8⤵
- Program crash
PID:5544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5092 -s 816
8⤵
- Program crash
PID:5816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5092 -s 856
8⤵
- Program crash
PID:6044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5092 -s 984
8⤵
- Program crash
PID:4220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5092 -s 1016
8⤵
- Program crash
PID:4768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5092 -s 1356
8⤵
- Drops file in Drivers directory
- Adds Run key to start application
- Drops file in Program Files directory
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:2656

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "gcleaner.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\ckmwj3fg.vee\gcleaner.exe" & exit
8⤵
PID:5324

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "gcleaner.exe" /f
9⤵
- Kills process with taskkill
PID:5784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5092 -s 492
8⤵
- Program crash
PID:5572

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\zqlzzop4.kik\random.exe & exit
6⤵
PID:3792

C:\Users\Admin\AppData\Local\Temp\zqlzzop4.kik\random.exe
C:\Users\Admin\AppData\Local\Temp\zqlzzop4.kik\random.exe
7⤵
PID:4012

C:\Users\Admin\AppData\Local\Temp\zqlzzop4.kik\random.exe
"C:\Users\Admin\AppData\Local\Temp\zqlzzop4.kik\random.exe" -HELP
8⤵
PID:5348

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\l5sg4plv.jre\CCikZMg.exe & exit
6⤵
PID:4032

C:\Users\Admin\AppData\Local\Temp\l5sg4plv.jre\CCikZMg.exe
C:\Users\Admin\AppData\Local\Temp\l5sg4plv.jre\CCikZMg.exe
7⤵
PID:2160

C:\Windows\SysWOW64\where.exe
where kkskak993jhfkhjskhdfuhuiwyeuiry789q23489yhkjhsdf /?
8⤵
PID:5208

C:\Windows\SysWOW64\cmd.exe
cmd /c cmd < Affaticato.hopp & ping -n 5 localhost
8⤵
PID:5420

C:\Windows\SysWOW64\cmd.exe
cmd
9⤵
PID:5704

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\0gysqoua.n3t\toolspab3.exe & exit
6⤵
PID:4328

C:\Users\Admin\AppData\Local\Temp\0gysqoua.n3t\toolspab3.exe
C:\Users\Admin\AppData\Local\Temp\0gysqoua.n3t\toolspab3.exe
7⤵
PID:4700

C:\Users\Admin\AppData\Local\Temp\0gysqoua.n3t\toolspab3.exe
C:\Users\Admin\AppData\Local\Temp\0gysqoua.n3t\toolspab3.exe
8⤵
PID:5332

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\dlg1se5z.gho\rmaa1045.exe & exit
6⤵
PID:5528

C:\Users\Admin\AppData\Local\Temp\dlg1se5z.gho\rmaa1045.exe
C:\Users\Admin\AppData\Local\Temp\dlg1se5z.gho\rmaa1045.exe
7⤵
PID:5872

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 5872 -s 852
8⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Program crash
PID:4820

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\gqtkoppq.44t\CiTuDrb.exe & exit
6⤵
PID:5628

C:\Users\Admin\AppData\Local\Temp\gqtkoppq.44t\CiTuDrb.exe
C:\Users\Admin\AppData\Local\Temp\gqtkoppq.44t\CiTuDrb.exe
7⤵
PID:5852

C:\Windows\SysWOW64\where.exe
where kkskak993jhfkhjskhdfuhuiwyeuiry789q23489yhkjhsdf /?
8⤵
PID:5904

C:\Windows\SysWOW64\cmd.exe
cmd /c cmd < Gurge.mov & ping -n 5 localhost
8⤵
PID:6056

C:\Windows\SysWOW64\cmd.exe
cmd
9⤵
PID:5344

C:\Program Files\Windows NT\IFWSURPQWY\poweroff.exe
"C:\Program Files\Windows NT\IFWSURPQWY\poweroff.exe" /VERYSILENT
5⤵
- Executes dropped EXE
PID:3600

C:\Users\Admin\AppData\Local\Temp\is-JH3GR.tmp\poweroff.tmp
"C:\Users\Admin\AppData\Local\Temp\is-JH3GR.tmp\poweroff.tmp" /SL5="$901D8,490199,350720,C:\Program Files\Windows NT\IFWSURPQWY\poweroff.exe" /VERYSILENT
6⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
PID:1944

C:\Program Files (x86)\powerOff\Power Off.exe
"C:\Program Files (x86)\powerOff\Power Off.exe" -silent -desktopShortcut -programMenu
7⤵
- Executes dropped EXE
PID:2188

C:\Users\Admin\Pictures\Adobe Films\build.exe.exe
"C:\Users\Admin\Pictures\Adobe Films\build.exe.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2792

C:\Users\Admin\Pictures\Adobe Films\build.exe.exe
"C:\Users\Admin\Pictures\Adobe Films\build.exe.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
PID:1476

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\c1e6a3be-1b3c-46b6-acb4-462bac1b7500" /deny *S-1-1-0:(OI)(CI)(DE,DC)
4⤵
- Modifies file permissions
PID:1532

C:\Users\Admin\Pictures\Adobe Films\build.exe.exe
"C:\Users\Admin\Pictures\Adobe Films\build.exe.exe" --Admin IsNotAutoStart IsNotTask
4⤵
PID:4820

C:\Users\Admin\Pictures\Adobe Films\build.exe.exe
"C:\Users\Admin\Pictures\Adobe Films\build.exe.exe" --Admin IsNotAutoStart IsNotTask
5⤵
- Executes dropped EXE
PID:3812

C:\Users\Admin\AppData\Local\118cb2ef-16cb-4cf6-bdf5-809ca6c9a1b4\build2.exe
"C:\Users\Admin\AppData\Local\118cb2ef-16cb-4cf6-bdf5-809ca6c9a1b4\build2.exe"
6⤵
PID:2492

C:\Users\Admin\AppData\Local\118cb2ef-16cb-4cf6-bdf5-809ca6c9a1b4\build2.exe
"C:\Users\Admin\AppData\Local\118cb2ef-16cb-4cf6-bdf5-809ca6c9a1b4\build2.exe"
7⤵
PID:5732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4304 -ip 4304
1⤵
PID:960

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:1588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 5092 -ip 5092
1⤵
PID:2560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 5092 -ip 5092
1⤵
PID:2104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 5092 -ip 5092
1⤵
PID:5508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 5092 -ip 5092
1⤵
PID:5776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 5092 -ip 5092
1⤵
PID:6028

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",global
1⤵
- Process spawned unexpected child process
PID:6132

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",global
2⤵
PID:3992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3992 -s 600
3⤵
- Program crash
PID:5164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 5092 -ip 5092
1⤵
PID:1972

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 524 -p 5872 -ip 5872
1⤵
PID:4744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 3992 -ip 3992
1⤵
PID:5144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 5092 -ip 5092
1⤵
PID:3972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 5092 -ip 5092
1⤵
PID:3672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 5092 -ip 5092
1⤵
PID:5504

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5408

C:\Users\Admin\AppData\Local\Temp\BInNSjlobDuvYZgQA\dWABRBnWrovPiXF\YvFUKuJ.exe
C:\Users\Admin\AppData\Local\Temp\BInNSjlobDuvYZgQA\dWABRBnWrovPiXF\YvFUKuJ.exe Yz /site_id 525403 /S
1⤵
PID:5284

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;"
2⤵
PID:5212

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
3⤵
PID:4768

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
4⤵
PID:5880

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
3⤵
PID:4176

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
3⤵
PID:5516

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
3⤵
PID:5376

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x328 0x334
1⤵
PID:372

C:\Users\Admin\AppData\Local\Temp\E7A7.exe
C:\Users\Admin\AppData\Local\Temp\E7A7.exe
1⤵
PID:112

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

File Permissions Modification

T1222

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Process Discovery

T1057

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\powerOff\Power Off.exe
Filesize
621KB

MD5
8d0b18eb87590fa654da3704092b122b

SHA1
aaf4417695904bd718def564b2c1dae40623cc1d

SHA256
f9d12723a5ac3ade8212b4ec2f2b8452b7deb10e071bcb4e50a9cb6cb85b1457

SHA512
fa54fad936e96ecabfab70f29fe5095b60ce5bfa7f31f6c405c42ad4f4f153ec7406d03d0451e11e886722abf28f09b219d3e8d9a703f20cb67b0950d8b70828

Download Submit
C:\Program Files (x86)\powerOff\Power Off.exe
Filesize
621KB

MD5
8d0b18eb87590fa654da3704092b122b

SHA1
aaf4417695904bd718def564b2c1dae40623cc1d

SHA256
f9d12723a5ac3ade8212b4ec2f2b8452b7deb10e071bcb4e50a9cb6cb85b1457

SHA512
fa54fad936e96ecabfab70f29fe5095b60ce5bfa7f31f6c405c42ad4f4f153ec7406d03d0451e11e886722abf28f09b219d3e8d9a703f20cb67b0950d8b70828

Download Submit
C:\Program Files\Windows NT\IFWSURPQWY\poweroff.exe
Filesize
838KB

MD5
c0538198613d60407c75c54c55e69d91

SHA1
a2d713a098bc7b6d245c428dcdeb5614af3b8edd

SHA256
c23f223e4d981eb0e24cadae9dc0c60e40e12ff220d95c9dd2a5b6220fa6d6ed

SHA512
121f882471cd14752a1f806472c89028cc56c90fbfb0b645c26937c417f107d5324250f783310032d4526018c8918cdd06c52325949f78220a9d3bab167e3529

Download Submit
C:\Program Files\Windows NT\IFWSURPQWY\poweroff.exe
Filesize
838KB

MD5
c0538198613d60407c75c54c55e69d91

SHA1
a2d713a098bc7b6d245c428dcdeb5614af3b8edd

SHA256
c23f223e4d981eb0e24cadae9dc0c60e40e12ff220d95c9dd2a5b6220fa6d6ed

SHA512
121f882471cd14752a1f806472c89028cc56c90fbfb0b645c26937c417f107d5324250f783310032d4526018c8918cdd06c52325949f78220a9d3bab167e3529

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\powerOff.lnk
Filesize
1KB

MD5
286b5c52a9647376a6bc1843b4ada6d6

SHA1
bab9cd8dbb57c023c7739256bdd293aea6a86e5b

SHA256
a32d9d0af70b17b5e1614f9fddbc6b4169f57d4492925279609bdac745f8ad69

SHA512
60eeb812c0e4e2c6321dfaeef0542990fa7f94f921f6a92bb03dda6ae823a76e29d036421ef4343adacda237a4eb34d6ba383ec16c1914d613bb99901abb404e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
Filesize
2KB

MD5
eba45bc75daf7421d4767f04582068ca

SHA1
e2d2b46d3780a8b7cdde6e542430f0da28684ce8

SHA256
87f79123a6048371f5e4eccca848509ff8315dea4be740c8480fe945c02b4f38

SHA512
0c081c029224806b1f1f200da673a9554e5d40756736f9ca8bc073c25703092c6d1e72a2fd971b41bedeba26e6ca9fa85486df39f852505925a49d8b94e0e330

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
Filesize
1KB

MD5
4f74b1c3f52834fb5d5d0946410f286a

SHA1
e8b1734733535d236f422c282271e97b784b5261

SHA256
56b6f9f565e620e3cc377ac2265180c96efff2844f11cbb229eef977327869f1

SHA512
b84101ebe8570b2f0ecbefafcf58b941100ac6efc9cbbfc711e57bedf6cb6fc62141bd2d66c34f4b316568948ff6448c96ddef2cfde625965a9ea5968beefb2c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
Filesize
488B

MD5
7ac4c7e7bd5adbcf4ffb70fa62a9dad9

SHA1
7c024b6ffe561bf25590dbb14f774beae3c6fe13

SHA256
81e7af6b1adea9c253551009d2880006233b8c06405c91f30991171c2681014c

SHA512
a224be187745597ad7c981cb94781e2ac5cb7d5f9b16cb200f664f06bd414c128bbd1c862b96cc0a9ccc7955e6bc0984a05f6480f1f497533318d758dff3dfcf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
Filesize
396B

MD5
0c135f54329d825647546e2ccb4a1281

SHA1
dfadd8ee6601d4dfb2b86b92cf0acf56cfb5326d

SHA256
f2bccde60989d986397f683a01789074d1c4fc505724c12785960a7b2289c2fc

SHA512
1e146751ebcecd4f3ea055e23a73f02a4b51a3a043c42d2e7bd901e266e47655a959212cf2c56813a4d1b5462e2a54783998d8ad595503ebb7ce61e893bb1e38

Download Submit
C:\Users\Admin\AppData\Local\118cb2ef-16cb-4cf6-bdf5-809ca6c9a1b4\build2.exe
Filesize
438KB

MD5
2f3d0323ba962334ef87ed098ad02289

SHA1
5b4c70e331af83eaf384f45a01e322b094353375

SHA256
12a51367c5c85ff3c1dc73743cface2e01accecf2879a36adbddf566d52987b3

SHA512
1e33ace1068f614bfac35aa67733c2806328b586be273a611409df87be03c5edc9e312ab213004c8fab71453ef5e34e474d9273c4a97d95d135c18f440674ad3

Download Submit
C:\Users\Admin\AppData\Local\118cb2ef-16cb-4cf6-bdf5-809ca6c9a1b4\build2.exe
Filesize
438KB

MD5
2f3d0323ba962334ef87ed098ad02289

SHA1
5b4c70e331af83eaf384f45a01e322b094353375

SHA256
12a51367c5c85ff3c1dc73743cface2e01accecf2879a36adbddf566d52987b3

SHA512
1e33ace1068f614bfac35aa67733c2806328b586be273a611409df87be03c5edc9e312ab213004c8fab71453ef5e34e474d9273c4a97d95d135c18f440674ad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\0c-c28a1-dea-c4ea3-5ad78c47faec6\ZHalijucihae.exe
Filesize
324KB

MD5
55f9c8c226d3f434d9518522123c3201

SHA1
17e8b2629c9ab9122500ecf8802828d894b4aa39

SHA256
0869692793e8940ae58615f19957da715c053e7f3e1d5f2aa7d64ea2a9bb077b

SHA512
886cd1f6677572abb54b8ec8fa9f2936b895b04fa888df75013dae22ba3e211c1db2271da9b1caad40d8f36e0e29ea8a0ca11e883f6f37938d948f36fe3a8d18

Download Submit
C:\Users\Admin\AppData\Local\Temp\0c-c28a1-dea-c4ea3-5ad78c47faec6\ZHalijucihae.exe
Filesize
324KB

MD5
55f9c8c226d3f434d9518522123c3201

SHA1
17e8b2629c9ab9122500ecf8802828d894b4aa39

SHA256
0869692793e8940ae58615f19957da715c053e7f3e1d5f2aa7d64ea2a9bb077b

SHA512
886cd1f6677572abb54b8ec8fa9f2936b895b04fa888df75013dae22ba3e211c1db2271da9b1caad40d8f36e0e29ea8a0ca11e883f6f37938d948f36fe3a8d18

Download Submit
C:\Users\Admin\AppData\Local\Temp\0c-c28a1-dea-c4ea3-5ad78c47faec6\ZHalijucihae.exe.config
Filesize
1KB

MD5
98d2687aec923f98c37f7cda8de0eb19

SHA1
f6dcfcdcfe570340ecdbbd9e2a61f3cb4f281ba7

SHA256
8a94163256a722ef8cc140bcd115a5b8f8725c04fe158b129d47be81cb693465

SHA512
95c7290d59749df8df495e04789c1793265e0f34e0d091df5c0d4aefe1af4c8ac1f5460f1f198fc28c4c8c900827b8f22e2851957bbaea5914ea962b3a1d0590

Download Submit
C:\Users\Admin\AppData\Local\Temp\34-3790d-5b6-63aa8-adb1f2f5e1e5a\Kenessey.txt
Filesize
9B

MD5
97384261b8bbf966df16e5ad509922db

SHA1
2fc42d37fee2c81d767e09fb298b70c748940f86

SHA256
9c0d294c05fc1d88d698034609bb81c0c69196327594e4c69d2915c80fd9850c

SHA512
b77fe2d86fbc5bd116d6a073eb447e76a74add3fa0d0b801f97535963241be3cdce1dbcaed603b78f020d0845b2d4bfc892ceb2a7d1c8f1d98abc4812ef5af21

Download Submit
C:\Users\Admin\AppData\Local\Temp\34-3790d-5b6-63aa8-adb1f2f5e1e5a\Papebojawo.exe
Filesize
435KB

MD5
78ace771addfcc39028bd3216e1f9dff

SHA1
b1c3ef0ec4193cb6ccb7be1612551008b1a1dec3

SHA256
944bba57cbfeecdfd9fa1c0a61681fdcf5f1cca885a66bde958107e18d786bdd

SHA512
876e49031c59f159774e4cbdd22388dfef1f66afb7b2ac8ebfc42f991c824cee7b0202be3663babaac00fadb649f589bfd518ab7c119a8962b9f5034504fbf52

Download Submit
C:\Users\Admin\AppData\Local\Temp\34-3790d-5b6-63aa8-adb1f2f5e1e5a\Papebojawo.exe
Filesize
435KB

MD5
78ace771addfcc39028bd3216e1f9dff

SHA1
b1c3ef0ec4193cb6ccb7be1612551008b1a1dec3

SHA256
944bba57cbfeecdfd9fa1c0a61681fdcf5f1cca885a66bde958107e18d786bdd

SHA512
876e49031c59f159774e4cbdd22388dfef1f66afb7b2ac8ebfc42f991c824cee7b0202be3663babaac00fadb649f589bfd518ab7c119a8962b9f5034504fbf52

Download Submit
C:\Users\Admin\AppData\Local\Temp\34-3790d-5b6-63aa8-adb1f2f5e1e5a\Papebojawo.exe.config
Filesize
1KB

MD5
98d2687aec923f98c37f7cda8de0eb19

SHA1
f6dcfcdcfe570340ecdbbd9e2a61f3cb4f281ba7

SHA256
8a94163256a722ef8cc140bcd115a5b8f8725c04fe158b129d47be81cb693465

SHA512
95c7290d59749df8df495e04789c1793265e0f34e0d091df5c0d4aefe1af4c8ac1f5460f1f198fc28c4c8c900827b8f22e2851957bbaea5914ea962b3a1d0590

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS1028.tmp\Install.exe
Filesize
6.3MB

MD5
bb1bc57d6d77d1820baa0b2f2202bfc2

SHA1
ededf38046ea50a3283c6e24618bea36dd7fc888

SHA256
e48f064091be84300399ea45d97c048c22ff28312268bbb6304afc11b9c04d4e

SHA512
d06c97b2517ef1b00cf1deadbf880cd8c62050980355a5d12c718f018cc54243c0235bff4e8cf73e39fa93b7e8df28cbaa9a20939d363c6cfe092e80099c0373

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS1028.tmp\Install.exe
Filesize
6.3MB

MD5
bb1bc57d6d77d1820baa0b2f2202bfc2

SHA1
ededf38046ea50a3283c6e24618bea36dd7fc888

SHA256
e48f064091be84300399ea45d97c048c22ff28312268bbb6304afc11b9c04d4e

SHA512
d06c97b2517ef1b00cf1deadbf880cd8c62050980355a5d12c718f018cc54243c0235bff4e8cf73e39fa93b7e8df28cbaa9a20939d363c6cfe092e80099c0373

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS18D2.tmp\Install.exe
Filesize
6.8MB

MD5
3914ad6061cdb09ade58320aa0f5a4a1

SHA1
2ee210ac01e55a54a282ba67a87e4e72ea023f8a

SHA256
f50e0f95bdb02f9582abf6a74df87ab41550fa8fa82d28cf8924e4963e3df297

SHA512
02d56ed137846facb58a52107bf44cafd31cc771492814f99149bacb399e31c40c2e81161f3be2e48bae738ce2cf6e9e15f91eae6bee8b883b1fdf0047768377

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS18D2.tmp\Install.exe
Filesize
6.8MB

MD5
3914ad6061cdb09ade58320aa0f5a4a1

SHA1
2ee210ac01e55a54a282ba67a87e4e72ea023f8a

SHA256
f50e0f95bdb02f9582abf6a74df87ab41550fa8fa82d28cf8924e4963e3df297

SHA512
02d56ed137846facb58a52107bf44cafd31cc771492814f99149bacb399e31c40c2e81161f3be2e48bae738ce2cf6e9e15f91eae6bee8b883b1fdf0047768377

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Avvenne.sldm
Filesize
924KB

MD5
8d43aaaa503ccec51f69d8ac1419f386

SHA1
e3378f8d216b01cef082df1325bae645997954a0

SHA256
89498543687c8280a266c6e3318a64e1f7f0b1fa9d158c8f47b4e3e3f3e63587

SHA512
d72ac47cc569616523a155f04b1b971fa14b0e09a1929d26c15fba9d67077ac1357e2e4a99a4a66d7a24169d617c6ce6356280e68133e5745078aa26ae9a93fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Calore.sldm
Filesize
9KB

MD5
8d3e1239e664dcb8f43adb6ccd0778c7

SHA1
8a4efdf95f637a7d8af58ce79e37dbda47a09b46

SHA256
8365b7b98c5c569b94a9a6783e7ab0f5242dc77bda1c22a59d063ca29ed21b58

SHA512
2570c993a52fa6c064170fa3cbb8cb7f99e404322ed9d9c3ccfc001537cee53848fa70a1c90161d7930771ade6d63b12f89d93a38c28023a480c3ff480431fe6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Marito.exe.pif
Filesize
924KB

MD5
6987e4cd3f256462f422326a7ef115b9

SHA1
71672a495b4603ecfec40a65254cb3ba8766bbe0

SHA256
3e26723394ade92f8163b5643960189cb07358b0f96529a477d37176d68aa0a0

SHA512
4b1d7f7ffee39a2d65504767beeddd4c3374807a93889b14e7e73db11e478492dec349aedca03ce828f21a66bb666a68d3735443f4249556e10825a4cd7dfeb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Marito.exe.pif
Filesize
924KB

MD5
6987e4cd3f256462f422326a7ef115b9

SHA1
71672a495b4603ecfec40a65254cb3ba8766bbe0

SHA256
3e26723394ade92f8163b5643960189cb07358b0f96529a477d37176d68aa0a0

SHA512
4b1d7f7ffee39a2d65504767beeddd4c3374807a93889b14e7e73db11e478492dec349aedca03ce828f21a66bb666a68d3735443f4249556e10825a4cd7dfeb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Mia.vst
Filesize
924KB

MD5
fb187f587afab3d53db47b1c62e66867

SHA1
9f2f29e0bb02466f1090905cee8e6ae1b97edc44

SHA256
eb8d14d1f351b0e3f71f1738a2adec765fbcd1f331ed75adc731b58f447d78b9

SHA512
3794be161f27d0762ac3dd06c1bcdd0ec0e9b3acc84d8de39d9fe4f3433e19e3e7fe16cbf3ad647642babc8e9bf4972938414301de4ffb387d94ef81d2bbab9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Nell.vst
Filesize
8KB

MD5
44c400dcd4a04a7e9d92cbf701dc8dd3

SHA1
3d403e7d512c1bafe096cf194f985fbcf63acfae

SHA256
b9a2d76b7822428f6c8a6ebe4738ce10f64b3fa4d3768f2a35aa0cf69aa5d035

SHA512
e778d9b4351b154ddf6e594e6ceaaffc2784927ddb013e7505b3569278ab3e58cb7baa6d6f1fc479af2956ea51f0d88ab1cc7a3d1853dfaf0be56e1f5c37d6e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Pel.sldm
Filesize
1.0MB

MD5
3f51b6f369d7260ff3046bdb0193135f

SHA1
087bf314fdcaf384c0abdfd5368dea52a571d165

SHA256
9499974c9c668df5b9203420adf6b31e10cbda19316469b3e13cf5106d543132

SHA512
3b7f1daf524f2e8b2c36ab888176c1497bd9331c7244548e49d05fb5f2087c9a81361ff5b2c18b55d62d3847436c67364091f9ecf342b169282b93dd798dad42

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Speranza.vst
Filesize
1.1MB

MD5
43aed65e54b5911f2fcd57e198237bcf

SHA1
39ab13b5403dfff76c2318f1511cb36c7e8eb371

SHA256
b9d5b94da65b40974e51916c67f7fe135782e99a13203f989baa9696ff2e3763

SHA512
712e92ed9f40fe400513cf360219965e04ce97fcdca6724956bc20564b59688417f0b1a1ee722c4fdbf07d31017a5d8799c1d9ffa10b172d40cc2cd0762c5f56

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Voglio.exe.pif
Filesize
924KB

MD5
6987e4cd3f256462f422326a7ef115b9

SHA1
71672a495b4603ecfec40a65254cb3ba8766bbe0

SHA256
3e26723394ade92f8163b5643960189cb07358b0f96529a477d37176d68aa0a0

SHA512
4b1d7f7ffee39a2d65504767beeddd4c3374807a93889b14e7e73db11e478492dec349aedca03ce828f21a66bb666a68d3735443f4249556e10825a4cd7dfeb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Voglio.exe.pif
Filesize
924KB

MD5
6987e4cd3f256462f422326a7ef115b9

SHA1
71672a495b4603ecfec40a65254cb3ba8766bbe0

SHA256
3e26723394ade92f8163b5643960189cb07358b0f96529a477d37176d68aa0a0

SHA512
4b1d7f7ffee39a2d65504767beeddd4c3374807a93889b14e7e73db11e478492dec349aedca03ce828f21a66bb666a68d3735443f4249556e10825a4cd7dfeb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ckmwj3fg.vee\gcleaner.exe
Filesize
297KB

MD5
35625d265e1282e62215e683fe75a78f

SHA1
af4e9bbfca4603ce84605267290afee9ddad9581

SHA256
110b6d893666d49624a43b59f3d45a527adc294daa9e3c33e6de4d9da579310c

SHA512
a4ac45d9c71c27240b2ee3ab5dcd986f5c06f57d9d25fa0d94ada96daed09e6fc00e3fb61ea39db46a1bb93c2cd828544a10a4fb1ca8caa41b7c54b9d665b556

Download Submit
C:\Users\Admin\AppData\Local\Temp\ckmwj3fg.vee\gcleaner.exe
Filesize
297KB

MD5
35625d265e1282e62215e683fe75a78f

SHA1
af4e9bbfca4603ce84605267290afee9ddad9581

SHA256
110b6d893666d49624a43b59f3d45a527adc294daa9e3c33e6de4d9da579310c

SHA512
a4ac45d9c71c27240b2ee3ab5dcd986f5c06f57d9d25fa0d94ada96daed09e6fc00e3fb61ea39db46a1bb93c2cd828544a10a4fb1ca8caa41b7c54b9d665b556

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-0O8H4.tmp\B2BCH2.exe.tmp
Filesize
805KB

MD5
bf8662a2311eb606e0549451323fa2ba

SHA1
79fbb3b94c91becb56d531806daab15cba55f31c

SHA256
4748736cfa0ff8f469c483cd864166c943d30ff9c3ba0f8cdf0b6b9378a89456

SHA512
e191a8a50e97800d3fb3cb449d01f1d06dda36d85845355f68d3038e30c3a2a7aa8d87e29f0f638ae85d2badd68eccc26a279f17fb91a38de2fa14a015ed3cc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-JH3GR.tmp\poweroff.tmp
Filesize
981KB

MD5
01515376348a54ecef04f45b436cb104

SHA1
111e709b21bf56181c83057dafba7b71ed41f1b2

SHA256
8c1a062cf83fba41daa86670e9ccdb7b7ae3c913fe6d0343284336d40c394ba0

SHA512
8d0a31e3694cec61fb99573e58c3696224a6198060d8bfca020805541789516315867b6b83a5e105703660e03fac4906f95f617dc8a3947d6b7982dfd3baea28

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-JH3GR.tmp\poweroff.tmp
Filesize
981KB

MD5
01515376348a54ecef04f45b436cb104

SHA1
111e709b21bf56181c83057dafba7b71ed41f1b2

SHA256
8c1a062cf83fba41daa86670e9ccdb7b7ae3c913fe6d0343284336d40c394ba0

SHA512
8d0a31e3694cec61fb99573e58c3696224a6198060d8bfca020805541789516315867b6b83a5e105703660e03fac4906f95f617dc8a3947d6b7982dfd3baea28

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-UIU8O.tmp\djkdj778_______.exe
Filesize
654KB

MD5
6c0577d77a62c8bdf98ba2b140785755

SHA1
9a68170711e2d9fa854523c51ad6b6f52c846024

SHA256
02fa861f478283a7030003854fb38447a1d7de8ccdd3b9dd0733984f0002c654

SHA512
7463c3d2357a5f53f035ec137e193e5eee27df4f6df8c10b40d963286b221a1dd63906ce5dcb9ffdc1f9931f5df489435a077ef92ae54cdb707969a10e9db798

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-UIU8O.tmp\djkdj778_______.exe
Filesize
654KB

MD5
6c0577d77a62c8bdf98ba2b140785755

SHA1
9a68170711e2d9fa854523c51ad6b6f52c846024

SHA256
02fa861f478283a7030003854fb38447a1d7de8ccdd3b9dd0733984f0002c654

SHA512
7463c3d2357a5f53f035ec137e193e5eee27df4f6df8c10b40d963286b221a1dd63906ce5dcb9ffdc1f9931f5df489435a077ef92ae54cdb707969a10e9db798

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-UIU8O.tmp\idp.dll
Filesize
216KB

MD5
8f995688085bced38ba7795f60a5e1d3

SHA1
5b1ad67a149c05c50d6e388527af5c8a0af4343a

SHA256
203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006

SHA512
043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35

Download Submit
C:\Users\Admin\AppData\Local\Temp\zqlzzop4.kik\random.exe
Filesize
76KB

MD5
07666fcd21dcb317d4c8f5988a540063

SHA1
8832c775043b438f81cc0285837cb0ce958e6a71

SHA256
2959c17f91617b3db05a890170a2ceaa8eaf4d7f6a20fe6d453f58b87cad7aff

SHA512
74ed1752a98d996fc00a5d65c9c83a872f093f0eb1ceb1c9e8f816f78d80eed59f268f6f9b069ce3738cce7fe6630d832bb9dbac70325be38d2daa942f48bb9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\zqlzzop4.kik\random.exe
Filesize
76KB

MD5
07666fcd21dcb317d4c8f5988a540063

SHA1
8832c775043b438f81cc0285837cb0ce958e6a71

SHA256
2959c17f91617b3db05a890170a2ceaa8eaf4d7f6a20fe6d453f58b87cad7aff

SHA512
74ed1752a98d996fc00a5d65c9c83a872f093f0eb1ceb1c9e8f816f78d80eed59f268f6f9b069ce3738cce7fe6630d832bb9dbac70325be38d2daa942f48bb9c

Download Submit
C:\Users\Admin\AppData\Local\c1e6a3be-1b3c-46b6-acb4-462bac1b7500\build.exe.exe
Filesize
730KB

MD5
ddb05e91b2eea44ac63abcb0c3c4e9bc

SHA1
31661ef0a52d01f2157284ff603d1e54975e8d65

SHA256
f142c4971ac3911f455587b100f715857c10478bc1ea7ca5c0b40ae5fc3e2276

SHA512
3bf69666af699bb881916033343f5ce8348577f08686cae977a8efd854426982c4b277f04194c2cd2d1fcc95e47790aa850252dda44b73e01ca56fa06ced3f27

Download Submit
C:\Users\Admin\Pictures\Adobe Films\B2BCH2.exe.exe
Filesize
521KB

MD5
300156dc1d3849922f353f244bda0dfb

SHA1
1f5d047002625fb63f5f4a85b18cd3c7dabc690f

SHA256
d311534b6a4a31102eb47cb0be36386237fa1e07d614553b053523cc6c72bf26

SHA512
a804e87ae5abdd44ebfdc3598bb4a2a23890550017b3ad5794dd404634c0ad82602b2eb8182416b5a8b803e0dc2408f260b852e78f3387ac771863ed8091958a

Download Submit
C:\Users\Admin\Pictures\Adobe Films\B2BCH2.exe.exe
Filesize
521KB

MD5
300156dc1d3849922f353f244bda0dfb

SHA1
1f5d047002625fb63f5f4a85b18cd3c7dabc690f

SHA256
d311534b6a4a31102eb47cb0be36386237fa1e07d614553b053523cc6c72bf26

SHA512
a804e87ae5abdd44ebfdc3598bb4a2a23890550017b3ad5794dd404634c0ad82602b2eb8182416b5a8b803e0dc2408f260b852e78f3387ac771863ed8091958a

Download Submit
C:\Users\Admin\Pictures\Adobe Films\NiceProcessX64.bmp.exe
Filesize
318KB

MD5
3f22bd82ee1b38f439e6354c60126d6d

SHA1
63b57d818f86ea64ebc8566faeb0c977839defde

SHA256
265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a

SHA512
b73e8e17e5e99d0e9edfb690ece8b0c15befb4d48b1c4f2fe77c5e3daf01df35858c06e1403a8636f86363708b80123d12122cb821a86b575b184227c760988f

Download Submit
C:\Users\Admin\Pictures\Adobe Films\NiceProcessX64.bmp.exe
Filesize
318KB

MD5
3f22bd82ee1b38f439e6354c60126d6d

SHA1
63b57d818f86ea64ebc8566faeb0c977839defde

SHA256
265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a

SHA512
b73e8e17e5e99d0e9edfb690ece8b0c15befb4d48b1c4f2fe77c5e3daf01df35858c06e1403a8636f86363708b80123d12122cb821a86b575b184227c760988f

Download Submit
C:\Users\Admin\Pictures\Adobe Films\WEFdanE.exe.exe
Filesize
937KB

MD5
30bf97b0d9cfc24ddb76d6240f4dd041

SHA1
50c81bc2df517c6239468e3bd30c964c789720db

SHA256
87d338b6e921a78c634dbfa9ec6d03e144e6f0e9f7f1aee2133f3ea0c6c2c8fd

SHA512
87d5b1c15394e44507478541752f43af0507d44cd931f79e8cb635625316432b196583fdfaa4533ee93adca9fac4b0218c873c366fb7ed956bc4aaa416415cdd

Download Submit
C:\Users\Admin\Pictures\Adobe Films\WEFdanE.exe.exe
Filesize
937KB

MD5
30bf97b0d9cfc24ddb76d6240f4dd041

SHA1
50c81bc2df517c6239468e3bd30c964c789720db

SHA256
87d338b6e921a78c634dbfa9ec6d03e144e6f0e9f7f1aee2133f3ea0c6c2c8fd

SHA512
87d5b1c15394e44507478541752f43af0507d44cd931f79e8cb635625316432b196583fdfaa4533ee93adca9fac4b0218c873c366fb7ed956bc4aaa416415cdd

Download Submit
C:\Users\Admin\Pictures\Adobe Films\build.exe.exe
Filesize
730KB

MD5
ddb05e91b2eea44ac63abcb0c3c4e9bc

SHA1
31661ef0a52d01f2157284ff603d1e54975e8d65

SHA256
f142c4971ac3911f455587b100f715857c10478bc1ea7ca5c0b40ae5fc3e2276

SHA512
3bf69666af699bb881916033343f5ce8348577f08686cae977a8efd854426982c4b277f04194c2cd2d1fcc95e47790aa850252dda44b73e01ca56fa06ced3f27

Download Submit
C:\Users\Admin\Pictures\Adobe Films\build.exe.exe
Filesize
730KB

MD5
ddb05e91b2eea44ac63abcb0c3c4e9bc

SHA1
31661ef0a52d01f2157284ff603d1e54975e8d65

SHA256
f142c4971ac3911f455587b100f715857c10478bc1ea7ca5c0b40ae5fc3e2276

SHA512
3bf69666af699bb881916033343f5ce8348577f08686cae977a8efd854426982c4b277f04194c2cd2d1fcc95e47790aa850252dda44b73e01ca56fa06ced3f27

Download Submit
C:\Users\Admin\Pictures\Adobe Films\build.exe.exe
Filesize
730KB

MD5
ddb05e91b2eea44ac63abcb0c3c4e9bc

SHA1
31661ef0a52d01f2157284ff603d1e54975e8d65

SHA256
f142c4971ac3911f455587b100f715857c10478bc1ea7ca5c0b40ae5fc3e2276

SHA512
3bf69666af699bb881916033343f5ce8348577f08686cae977a8efd854426982c4b277f04194c2cd2d1fcc95e47790aa850252dda44b73e01ca56fa06ced3f27

Download Submit
C:\Users\Admin\Pictures\Adobe Films\build.exe.exe
Filesize
730KB

MD5
ddb05e91b2eea44ac63abcb0c3c4e9bc

SHA1
31661ef0a52d01f2157284ff603d1e54975e8d65

SHA256
f142c4971ac3911f455587b100f715857c10478bc1ea7ca5c0b40ae5fc3e2276

SHA512
3bf69666af699bb881916033343f5ce8348577f08686cae977a8efd854426982c4b277f04194c2cd2d1fcc95e47790aa850252dda44b73e01ca56fa06ced3f27

Download Submit
C:\Users\Admin\Pictures\Adobe Films\build.exe.exe
Filesize
730KB

MD5
ddb05e91b2eea44ac63abcb0c3c4e9bc

SHA1
31661ef0a52d01f2157284ff603d1e54975e8d65

SHA256
f142c4971ac3911f455587b100f715857c10478bc1ea7ca5c0b40ae5fc3e2276

SHA512
3bf69666af699bb881916033343f5ce8348577f08686cae977a8efd854426982c4b277f04194c2cd2d1fcc95e47790aa850252dda44b73e01ca56fa06ced3f27

Download Submit
C:\Users\Admin\Pictures\Adobe Films\chrome.exe.exe
Filesize
211KB

MD5
baec9b40c3e4e67b18d3e65e2254d48c

SHA1
cba8f35fa9db4e67d800211ff017a65243b4e074

SHA256
4b64dcf88672644d50fc8c61722b0aa2e1c997dea3e2de6636867ccfc2564a8d

SHA512
8c0addad974a25e19041f6f1f692b9cfd16e731e04f7c0a088c6fa18e8837c79574f11e203192f717df6aa22e53b1f0366b01329ad6ac7815656f193be3b4936

Download Submit
C:\Users\Admin\Pictures\Adobe Films\chrome.exe.exe
Filesize
211KB

MD5
baec9b40c3e4e67b18d3e65e2254d48c

SHA1
cba8f35fa9db4e67d800211ff017a65243b4e074

SHA256
4b64dcf88672644d50fc8c61722b0aa2e1c997dea3e2de6636867ccfc2564a8d

SHA512
8c0addad974a25e19041f6f1f692b9cfd16e731e04f7c0a088c6fa18e8837c79574f11e203192f717df6aa22e53b1f0366b01329ad6ac7815656f193be3b4936

Download Submit
C:\Users\Admin\Pictures\Adobe Films\ddoAKFf.exe.exe
Filesize
836KB

MD5
61c0ced89e41898e1bd7298d7917dfcb

SHA1
76a34faa0558de5209725cf66c56ce177fda1717

SHA256
e873934da3fd78f5ab8b52c84cec3485524ba9aa798568ff9883aea697474d85

SHA512
f9749177d2b6169566a4f43276aa48dfa947b4b3896d7cb84192ddec3699b86aa9d10116066788fc5947d451e72c58f19b836673e437b83db8e7e14dc42d138f

Download Submit
C:\Users\Admin\Pictures\Adobe Films\ddoAKFf.exe.exe
Filesize
836KB

MD5
61c0ced89e41898e1bd7298d7917dfcb

SHA1
76a34faa0558de5209725cf66c56ce177fda1717

SHA256
e873934da3fd78f5ab8b52c84cec3485524ba9aa798568ff9883aea697474d85

SHA512
f9749177d2b6169566a4f43276aa48dfa947b4b3896d7cb84192ddec3699b86aa9d10116066788fc5947d451e72c58f19b836673e437b83db8e7e14dc42d138f

Download Submit
C:\Users\Admin\Pictures\Adobe Films\mixinte04.bmp.exe
Filesize
425KB

MD5
49c0c567c85b7409ee92a75dc0b60d87

SHA1
f8998a6bf639b5c7d18e6c71ef889ade22d39874

SHA256
bba6479adae33b5748f46cd5a2c41749212ba6265081f88a02c1f3785564c036

SHA512
af53109bd6b4122fa5af996245548ad9b2d81460637565fdc55cd3783796bce16734b813505cb7d9d380692547bc101b7b5c9057ad64df6c2e8bca0e06031078

Download Submit
C:\Users\Admin\Pictures\Adobe Films\mixinte04.bmp.exe
Filesize
425KB

MD5
49c0c567c85b7409ee92a75dc0b60d87

SHA1
f8998a6bf639b5c7d18e6c71ef889ade22d39874

SHA256
bba6479adae33b5748f46cd5a2c41749212ba6265081f88a02c1f3785564c036

SHA512
af53109bd6b4122fa5af996245548ad9b2d81460637565fdc55cd3783796bce16734b813505cb7d9d380692547bc101b7b5c9057ad64df6c2e8bca0e06031078

Download Submit
C:\Users\Admin\Pictures\Adobe Films\utube.bmp.exe
Filesize
7.3MB

MD5
ef024db8f16ffdb1b94650c81d1b7373

SHA1
9bfe522d355879d74555deff3c32a4599301f794

SHA256
4e6580672fc24155c9f780b55295a30784bb4413f2d59c73e3d5c9146bb12280

SHA512
fba6e9ae174d45f8cda630c1f9dc900a1163a8a59f37ca0db8ab71f9e8606eda98f791ec5bbf917b41599a1bc5d2f67c89c7025746ea31eef083b8f39a5cef5f

Download Submit
C:\Users\Admin\Pictures\Adobe Films\utube.bmp.exe
Filesize
7.3MB

MD5
ef024db8f16ffdb1b94650c81d1b7373

SHA1
9bfe522d355879d74555deff3c32a4599301f794

SHA256
4e6580672fc24155c9f780b55295a30784bb4413f2d59c73e3d5c9146bb12280

SHA512
fba6e9ae174d45f8cda630c1f9dc900a1163a8a59f37ca0db8ab71f9e8606eda98f791ec5bbf917b41599a1bc5d2f67c89c7025746ea31eef083b8f39a5cef5f

Download Submit
C:\Users\Public\Desktop\powerOff.lnk
Filesize
1KB

MD5
8ef70c2911b03ce6a72aad85b222bed8

SHA1
5b9b5262d16c5185e19b85974f0d15871baab349

SHA256
8cd19cb44847c77059295c98ebbfcfd925b3bb12fa1decda2b901a21a640346f

SHA512
8586a2ed7ebc829de06c19c6a815995e362054d4435c61a091c9a5f7e42ea611b8590d2b9688431d19e555cc107ccc24c6a3ec3531ff57cb593bb39155ce9f71

Download Submit
\??\c:\users\admin\appdata\local\temp\is-0o8h4.tmp\b2bch2.exe.tmp
Filesize
805KB

MD5
bf8662a2311eb606e0549451323fa2ba

SHA1
79fbb3b94c91becb56d531806daab15cba55f31c

SHA256
4748736cfa0ff8f469c483cd864166c943d30ff9c3ba0f8cdf0b6b9378a89456

SHA512
e191a8a50e97800d3fb3cb449d01f1d06dda36d85845355f68d3038e30c3a2a7aa8d87e29f0f638ae85d2badd68eccc26a279f17fb91a38de2fa14a015ed3cc0

Download Submit
memory/64-219-0x0000000000000000-mapping.dmp

Download
memory/220-257-0x0000000000000000-mapping.dmp

Download
memory/616-294-0x0000000000000000-mapping.dmp

Download
memory/924-231-0x00007FFE94B60000-0x00007FFE95596000-memory.dmp

Filesize
10.2MB

Download
memory/924-221-0x0000000000000000-mapping.dmp

Download
memory/1072-215-0x0000000000000000-mapping.dmp

Download
memory/1336-203-0x0000000000000000-mapping.dmp

Download
memory/1476-238-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1476-202-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1476-200-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1476-192-0x0000000000000000-mapping.dmp

Download
memory/1476-194-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1476-197-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1500-195-0x0000000000000000-mapping.dmp

Download
memory/1532-208-0x0000000000000000-mapping.dmp

Download
memory/1588-347-0x00000214E5390000-0x00000214E53B2000-memory.dmp

Filesize
136KB

Download
memory/1588-331-0x00007FFE935F0000-0x00007FFE940B1000-memory.dmp

Filesize
10.8MB

Download
memory/1588-296-0x00007FFE935F0000-0x00007FFE940B1000-memory.dmp

Filesize
10.8MB

Download
memory/1820-181-0x0000000010000000-0x0000000010D69000-memory.dmp

Filesize
13.4MB

Download
memory/1820-173-0x0000000000000000-mapping.dmp

Download
memory/1944-242-0x0000000000000000-mapping.dmp

Download
memory/2144-166-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2144-216-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2144-244-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2144-155-0x0000000000000000-mapping.dmp

Download
memory/2144-160-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2160-301-0x0000000000000000-mapping.dmp

Download
memory/2188-259-0x0000000000000000-mapping.dmp

Download
memory/2188-263-0x00007FFE94B60000-0x00007FFE95596000-memory.dmp

Filesize
10.2MB

Download
memory/2332-274-0x0000000000000000-mapping.dmp

Download
memory/2484-207-0x0000000000000000-mapping.dmp

Download
memory/2492-271-0x0000000000000000-mapping.dmp

Download
memory/2492-313-0x00000000006AD000-0x00000000006D6000-memory.dmp

Filesize
164KB

Download
memory/2492-315-0x00000000005F0000-0x0000000000636000-memory.dmp

Filesize
280KB

Download
memory/2656-183-0x0000000000000000-mapping.dmp

Download
memory/2656-191-0x00007FFE94B60000-0x00007FFE95596000-memory.dmp

Filesize
10.2MB

Download
memory/2792-198-0x00000000041F4000-0x0000000004286000-memory.dmp

Filesize
584KB

Download
memory/2792-188-0x0000000000000000-mapping.dmp

Download
memory/2792-199-0x0000000004290000-0x00000000043AB000-memory.dmp

Filesize
1.1MB

Download
memory/2944-270-0x0000000000000000-mapping.dmp

Download
memory/3008-136-0x0000000000000000-mapping.dmp

Download
memory/3356-167-0x0000000000000000-mapping.dmp

Download
memory/3396-220-0x0000000000000000-mapping.dmp

Download
memory/3396-278-0x0000000000000000-mapping.dmp

Download
memory/3408-182-0x0000000002778000-0x0000000002789000-memory.dmp

Filesize
68KB

Download
memory/3408-151-0x0000000000000000-mapping.dmp

Download
memory/3408-176-0x0000000000400000-0x00000000024BB000-memory.dmp

Filesize
32.7MB

Download
memory/3408-171-0x00000000025C0000-0x00000000025C9000-memory.dmp

Filesize
36KB

Download
memory/3408-193-0x0000000000400000-0x00000000024BB000-memory.dmp

Filesize
32.7MB

Download
memory/3600-287-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3600-233-0x0000000000000000-mapping.dmp

Download
memory/3600-235-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3648-218-0x0000000000000000-mapping.dmp

Download
memory/3736-209-0x0000000000000000-mapping.dmp

Download
memory/3792-284-0x0000000000000000-mapping.dmp

Download
memory/3812-260-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3812-308-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3812-248-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3812-249-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3812-245-0x0000000000000000-mapping.dmp

Download
memory/3924-258-0x0000000000000000-mapping.dmp

Download
memory/4012-297-0x0000000000000000-mapping.dmp

Download
memory/4028-293-0x0000000000000000-mapping.dmp

Download
memory/4028-164-0x0000000000000000-mapping.dmp

Download
memory/4032-288-0x0000000000000000-mapping.dmp

Download
memory/4036-214-0x0000000000000000-mapping.dmp

Download
memory/4120-227-0x00000000039B0000-0x0000000003B56000-memory.dmp

Filesize
1.6MB

Download
memory/4120-144-0x00000000039B0000-0x0000000003B56000-memory.dmp

Filesize
1.6MB

Download
memory/4120-132-0x00000000039B0000-0x0000000003B56000-memory.dmp

Filesize
1.6MB

Download
memory/4164-277-0x0000000000000000-mapping.dmp

Download
memory/4164-225-0x0000000000000000-mapping.dmp

Download
memory/4176-137-0x0000000000000000-mapping.dmp

Download
memory/4304-143-0x0000000000000000-mapping.dmp

Download
memory/4304-212-0x00000000004E0000-0x00000000005E0000-memory.dmp

Filesize
1024KB

Download
memory/4304-168-0x00000000004E0000-0x00000000005E0000-memory.dmp

Filesize
1024KB

Download
memory/4304-169-0x00000000020B0000-0x00000000020EF000-memory.dmp

Filesize
252KB

Download
memory/4304-170-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4304-213-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4328-291-0x0000000000000000-mapping.dmp

Download
memory/4472-201-0x0000000000000000-mapping.dmp

Download
memory/4548-180-0x0000000000000000-mapping.dmp

Download
memory/4568-178-0x0000000000000000-mapping.dmp

Download
memory/4588-150-0x0000000000000000-mapping.dmp

Download
memory/4616-140-0x0000000000000000-mapping.dmp

Download
memory/4668-204-0x0000000000000000-mapping.dmp

Download
memory/4672-210-0x0000000000000000-mapping.dmp

Download
memory/4676-279-0x0000000000000000-mapping.dmp

Download
memory/4696-163-0x0000000000000000-mapping.dmp

Download
memory/4700-307-0x00000000026D0000-0x00000000026D9000-memory.dmp

Filesize
36KB

Download
memory/4700-300-0x0000000000000000-mapping.dmp

Download
memory/4700-306-0x00000000027F8000-0x0000000002809000-memory.dmp

Filesize
68KB

Download
memory/4720-133-0x0000000000000000-mapping.dmp

Download
memory/4744-295-0x0000000000000000-mapping.dmp

Download
memory/4748-205-0x0000000000000000-mapping.dmp

Download
memory/4804-156-0x0000000000000000-mapping.dmp

Download
memory/4820-236-0x0000000000000000-mapping.dmp

Download
memory/4820-250-0x0000000004065000-0x00000000040F7000-memory.dmp

Filesize
584KB

Download
memory/4904-226-0x0000000000000000-mapping.dmp

Download
memory/4904-232-0x00007FFE94B60000-0x00007FFE95596000-memory.dmp

Filesize
10.2MB

Download
memory/4920-206-0x0000000000000000-mapping.dmp

Download
memory/5028-149-0x0000000000000000-mapping.dmp

Download
memory/5032-211-0x0000000000000000-mapping.dmp

Download
memory/5092-276-0x0000000000000000-mapping.dmp

Download
memory/5092-289-0x00000000026C8000-0x00000000026EE000-memory.dmp

Filesize
152KB

Download
memory/5092-346-0x0000000000400000-0x00000000024D0000-memory.dmp

Filesize
32.8MB

Download
memory/5092-345-0x00000000026C8000-0x00000000026EE000-memory.dmp

Filesize
152KB

Download
memory/5092-292-0x0000000000400000-0x00000000024D0000-memory.dmp

Filesize
32.8MB

Download
memory/5092-326-0x0000000000400000-0x00000000024D0000-memory.dmp

Filesize
32.8MB

Download
memory/5092-322-0x00000000026C8000-0x00000000026EE000-memory.dmp

Filesize
152KB

Download
memory/5092-290-0x0000000002630000-0x000000000266F000-memory.dmp

Filesize
252KB

Download
memory/5208-302-0x0000000000000000-mapping.dmp

Download
memory/5212-356-0x0000000004270000-0x0000000004898000-memory.dmp

Filesize
6.2MB

Download
memory/5212-363-0x0000000004A10000-0x0000000004A76000-memory.dmp

Filesize
408KB

Download
memory/5212-361-0x00000000041F0000-0x0000000004256000-memory.dmp

Filesize
408KB

Download
memory/5212-358-0x0000000004030000-0x0000000004052000-memory.dmp

Filesize
136KB

Download
memory/5212-365-0x0000000005010000-0x000000000502E000-memory.dmp

Filesize
120KB

Download
memory/5212-355-0x0000000001820000-0x0000000001856000-memory.dmp

Filesize
216KB

Download
memory/5284-350-0x0000000010000000-0x0000000010D69000-memory.dmp

Filesize
13.4MB

Download
memory/5292-303-0x0000000000000000-mapping.dmp

Download
memory/5332-318-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/5332-305-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/5332-310-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/5332-309-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/5332-304-0x0000000000000000-mapping.dmp

Download
memory/5732-312-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/5732-344-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/5732-323-0x0000000060900000-0x0000000060992000-memory.dmp

Filesize
584KB

Download
memory/5732-316-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/5732-314-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/5732-311-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/5872-317-0x0000000140000000-0x0000000140684000-memory.dmp

Filesize
6.5MB

Download