nymaim | 736f9602b14da32716ae030c59df040465df95ed48c964b33486c04b0ef1002d

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
18-10-2022 05:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

736f9602b14da32716ae030c59df040465df95ed48c964b33486c04b0ef1002d.exe
Size

380KB
MD5

c0b4de4f711b7c28369d7a4018f94759
SHA1

4cf0c26459c732e1b334b8a2b4748161d922e657
SHA256

736f9602b14da32716ae030c59df040465df95ed48c964b33486c04b0ef1002d
SHA512

6e0f13d4492841eecf84bba5953aeec94563aa3c5bc11845e6d6a94915cb4493564f920e849a51551328c25aae71674646768a7ec666dd8263767a9ec3293ada
SSDEEP

6144:x/QiQXCykm+ksmpk3U9j0IidOGBfj/WUplm6zIOYQNd28pTXdAmpCLVRZoglM7LT:pQi3yP6m6UR0IqlL//plmW9bTXeVhDrE

Score

10^/10

nymaim evasion persistence trojan vmprotect

Malware Config

Extracted

Family

nymaim

45.15.156.54

85.31.46.167

Signatures

NyMaim
NyMaim is a malware with various capabilities written in C++ and first seen in 2013.
trojan nymaim

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5672	2280	rundll32.exe	25

Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
evasion

Software Discovery
T1518
Downloads MZ/PE file

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	PowerOff.exe

Executes dropped EXE 9 IoCs

pid	Process
4384	736f9602b14da32716ae030c59df040465df95ed48c964b33486c04b0ef1002d.tmp
4904	PowerOff.exe
2880	Kokaegaejaeky.exe
4008	Kokaegaejaeky.exe
7868	GcleanerEU.exe
7976	gcleaner.exe
4860	random.exe
1880	pb1117.exe
4904	random.exe

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/files/0x000200000001e73b-188.dat	vmprotect
behavioral1/files/0x000200000001e73b-187.dat	vmprotect
behavioral1/memory/1880-191-0x0000000140000000-0x000000014061B000-memory.dmp	vmprotect

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	PowerOff.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Kokaegaejaeky.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	random.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	GcleanerEU.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	gcleaner.exe

Loads dropped DLL 2 IoCs

pid	Process
4384	736f9602b14da32716ae030c59df040465df95ed48c964b33486c04b0ef1002d.tmp
5704	rundll32.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Mozilla Maintenance Service\\Kokaegaejaeky.exe\""	PowerOff.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20221018073747.pma	setup.exe
File created	C:\Program Files\Windows Multimedia Platform\VRWVKPZCWJ\poweroff.exe	PowerOff.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\Kokaegaejaeky.exe	PowerOff.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\Kokaegaejaeky.exe.config	PowerOff.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\13df1a6b-42aa-4741-8002-0a0a50063cde.tmp	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 19 IoCs

pid	pid_target	Process	procid_target
3464	7868	WerFault.exe	99
4204	7976	WerFault.exe	102
2544	7868	WerFault.exe	99
5220	7868	WerFault.exe	99
5300	7868	WerFault.exe	99
5396	7976	WerFault.exe	102
5480	7868	WerFault.exe	99
5596	7976	WerFault.exe	102
5628	7868	WerFault.exe	99
5804	7976	WerFault.exe	102
5848	7868	WerFault.exe	99
5872	5704	WerFault.exe	141
5948	7976	WerFault.exe	102
6000	7868	WerFault.exe	99
6056	7976	WerFault.exe	102
6208	7868	WerFault.exe	99
6296	7976	WerFault.exe	102
6568	7976	WerFault.exe	102
6680	7976	WerFault.exe	102

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
6316	taskkill.exe
6696	taskkill.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	101	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4008	Kokaegaejaeky.exe
4008	Kokaegaejaeky.exe
4008	Kokaegaejaeky.exe
4008	Kokaegaejaeky.exe
4008	Kokaegaejaeky.exe
4008	Kokaegaejaeky.exe
4008	Kokaegaejaeky.exe
4008	Kokaegaejaeky.exe
4008	Kokaegaejaeky.exe
4008	Kokaegaejaeky.exe
4008	Kokaegaejaeky.exe
4008	Kokaegaejaeky.exe
4008	Kokaegaejaeky.exe
4008	Kokaegaejaeky.exe
4008	Kokaegaejaeky.exe
4008	Kokaegaejaeky.exe
4008	Kokaegaejaeky.exe
4008	Kokaegaejaeky.exe
4008	Kokaegaejaeky.exe
4008	Kokaegaejaeky.exe
4008	Kokaegaejaeky.exe
4008	Kokaegaejaeky.exe
4008	Kokaegaejaeky.exe
4008	Kokaegaejaeky.exe
4008	Kokaegaejaeky.exe
4008	Kokaegaejaeky.exe
4008	Kokaegaejaeky.exe
4008	Kokaegaejaeky.exe
4008	Kokaegaejaeky.exe
4008	Kokaegaejaeky.exe
4008	Kokaegaejaeky.exe
4008	Kokaegaejaeky.exe
4008	Kokaegaejaeky.exe
4008	Kokaegaejaeky.exe
4008	Kokaegaejaeky.exe
4008	Kokaegaejaeky.exe
4008	Kokaegaejaeky.exe
4008	Kokaegaejaeky.exe
4008	Kokaegaejaeky.exe
4008	Kokaegaejaeky.exe
4008	Kokaegaejaeky.exe
4008	Kokaegaejaeky.exe
4008	Kokaegaejaeky.exe
4008	Kokaegaejaeky.exe
4008	Kokaegaejaeky.exe
4008	Kokaegaejaeky.exe
4008	Kokaegaejaeky.exe
4008	Kokaegaejaeky.exe
4008	Kokaegaejaeky.exe
4008	Kokaegaejaeky.exe
4008	Kokaegaejaeky.exe
4008	Kokaegaejaeky.exe
4008	Kokaegaejaeky.exe
4008	Kokaegaejaeky.exe
4008	Kokaegaejaeky.exe
4008	Kokaegaejaeky.exe
4008	Kokaegaejaeky.exe
4008	Kokaegaejaeky.exe
4008	Kokaegaejaeky.exe
4008	Kokaegaejaeky.exe
4008	Kokaegaejaeky.exe
4008	Kokaegaejaeky.exe
4008	Kokaegaejaeky.exe
4008	Kokaegaejaeky.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
5452	msedge.exe
5452	msedge.exe
5452	msedge.exe
5452	msedge.exe
5452	msedge.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	4904	PowerOff.exe
Token: SeDebugPrivilege	2880	Kokaegaejaeky.exe
Token: SeDebugPrivilege	4008	Kokaegaejaeky.exe
Token: SeDebugPrivilege	6316	taskkill.exe
Token: SeDebugPrivilege	6696	taskkill.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
5452	msedge.exe
5452	msedge.exe
5452	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1748 wrote to memory of 4384	1748	736f9602b14da32716ae030c59df040465df95ed48c964b33486c04b0ef1002d.exe	83
PID 1748 wrote to memory of 4384	1748	736f9602b14da32716ae030c59df040465df95ed48c964b33486c04b0ef1002d.exe	83
PID 1748 wrote to memory of 4384	1748	736f9602b14da32716ae030c59df040465df95ed48c964b33486c04b0ef1002d.exe	83
PID 4384 wrote to memory of 4904	4384	736f9602b14da32716ae030c59df040465df95ed48c964b33486c04b0ef1002d.tmp	84
PID 4384 wrote to memory of 4904	4384	736f9602b14da32716ae030c59df040465df95ed48c964b33486c04b0ef1002d.tmp	84
PID 4904 wrote to memory of 2880	4904	PowerOff.exe	89
PID 4904 wrote to memory of 2880	4904	PowerOff.exe	89
PID 4904 wrote to memory of 4008	4904	PowerOff.exe	90
PID 4904 wrote to memory of 4008	4904	PowerOff.exe	90
PID 2880 wrote to memory of 5452	2880	Kokaegaejaeky.exe	95
PID 2880 wrote to memory of 5452	2880	Kokaegaejaeky.exe	95
PID 5452 wrote to memory of 6456	5452	msedge.exe	96
PID 5452 wrote to memory of 6456	5452	msedge.exe	96
PID 4008 wrote to memory of 6656	4008	Kokaegaejaeky.exe	97
PID 4008 wrote to memory of 6656	4008	Kokaegaejaeky.exe	97
PID 6656 wrote to memory of 7868	6656	cmd.exe	99
PID 6656 wrote to memory of 7868	6656	cmd.exe	99
PID 6656 wrote to memory of 7868	6656	cmd.exe	99
PID 4008 wrote to memory of 7928	4008	Kokaegaejaeky.exe	100
PID 4008 wrote to memory of 7928	4008	Kokaegaejaeky.exe	100
PID 7928 wrote to memory of 7976	7928	cmd.exe	102
PID 7928 wrote to memory of 7976	7928	cmd.exe	102
PID 7928 wrote to memory of 7976	7928	cmd.exe	102
PID 4008 wrote to memory of 8084	4008	Kokaegaejaeky.exe	103
PID 4008 wrote to memory of 8084	4008	Kokaegaejaeky.exe	103
PID 5452 wrote to memory of 8156	5452	msedge.exe	105
PID 5452 wrote to memory of 8156	5452	msedge.exe	105
PID 5452 wrote to memory of 8156	5452	msedge.exe	105
PID 5452 wrote to memory of 8156	5452	msedge.exe	105
PID 5452 wrote to memory of 8156	5452	msedge.exe	105
PID 5452 wrote to memory of 8156	5452	msedge.exe	105
PID 5452 wrote to memory of 8156	5452	msedge.exe	105
PID 5452 wrote to memory of 8156	5452	msedge.exe	105
PID 5452 wrote to memory of 8156	5452	msedge.exe	105
PID 5452 wrote to memory of 8156	5452	msedge.exe	105
PID 5452 wrote to memory of 8156	5452	msedge.exe	105
PID 5452 wrote to memory of 8156	5452	msedge.exe	105
PID 5452 wrote to memory of 8156	5452	msedge.exe	105
PID 5452 wrote to memory of 8156	5452	msedge.exe	105
PID 5452 wrote to memory of 8156	5452	msedge.exe	105
PID 5452 wrote to memory of 8156	5452	msedge.exe	105
PID 5452 wrote to memory of 8156	5452	msedge.exe	105
PID 5452 wrote to memory of 8156	5452	msedge.exe	105
PID 5452 wrote to memory of 8156	5452	msedge.exe	105
PID 5452 wrote to memory of 8156	5452	msedge.exe	105
PID 5452 wrote to memory of 8156	5452	msedge.exe	105
PID 5452 wrote to memory of 8156	5452	msedge.exe	105
PID 5452 wrote to memory of 8156	5452	msedge.exe	105
PID 5452 wrote to memory of 8156	5452	msedge.exe	105
PID 5452 wrote to memory of 8156	5452	msedge.exe	105
PID 5452 wrote to memory of 8156	5452	msedge.exe	105
PID 5452 wrote to memory of 8156	5452	msedge.exe	105
PID 5452 wrote to memory of 8156	5452	msedge.exe	105
PID 5452 wrote to memory of 8156	5452	msedge.exe	105
PID 5452 wrote to memory of 8156	5452	msedge.exe	105
PID 5452 wrote to memory of 8156	5452	msedge.exe	105
PID 5452 wrote to memory of 8156	5452	msedge.exe	105
PID 5452 wrote to memory of 8156	5452	msedge.exe	105
PID 5452 wrote to memory of 8156	5452	msedge.exe	105
PID 5452 wrote to memory of 8156	5452	msedge.exe	105
PID 5452 wrote to memory of 8156	5452	msedge.exe	105
PID 5452 wrote to memory of 8156	5452	msedge.exe	105
PID 5452 wrote to memory of 8156	5452	msedge.exe	105
PID 5452 wrote to memory of 8156	5452	msedge.exe	105

C:\Users\Admin\AppData\Local\Temp\736f9602b14da32716ae030c59df040465df95ed48c964b33486c04b0ef1002d.exe
"C:\Users\Admin\AppData\Local\Temp\736f9602b14da32716ae030c59df040465df95ed48c964b33486c04b0ef1002d.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1748
- C:\Users\Admin\AppData\Local\Temp\is-UIG46.tmp\736f9602b14da32716ae030c59df040465df95ed48c964b33486c04b0ef1002d.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-UIG46.tmp\736f9602b14da32716ae030c59df040465df95ed48c964b33486c04b0ef1002d.tmp" /SL5="$30184,140559,56832,C:\Users\Admin\AppData\Local\Temp\736f9602b14da32716ae030c59df040465df95ed48c964b33486c04b0ef1002d.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4384
- - C:\Users\Admin\AppData\Local\Temp\is-76GUE.tmp\PowerOff.exe
    "C:\Users\Admin\AppData\Local\Temp\is-76GUE.tmp\PowerOff.exe" /S /UID=95
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Checks computer location settings
    - Adds Run key to start application
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4904
  - - C:\Users\Admin\AppData\Local\Temp\96-f0d1b-0ab-e359f-3eab8ac65004f\Kokaegaejaeky.exe
      "C:\Users\Admin\AppData\Local\Temp\96-f0d1b-0ab-e359f-3eab8ac65004f\Kokaegaejaeky.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2880
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e6
        5⤵
        Adds Run key to start application
        Enumerates system info in registry
        Modifies registry class
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of WriteProcessMemory
        
        PID:5452
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffbba5546f8,0x7ffbba554708,0x7ffbba554718
        6⤵
        
        PID:6456
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2004,17393381904264105493,16083440415160134954,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2
        6⤵
        
        PID:8156
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2004,17393381904264105493,16083440415160134954,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2228 /prefetch:3
        6⤵
        
        PID:6464
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2004,17393381904264105493,16083440415160134954,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2724 /prefetch:8
        6⤵
        
        PID:4060
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,17393381904264105493,16083440415160134954,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
        6⤵
        
        PID:4164
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,17393381904264105493,16083440415160134954,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
        6⤵
        
        PID:3616
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2004,17393381904264105493,16083440415160134954,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5056 /prefetch:8
        6⤵
        
        PID:1212
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,17393381904264105493,16083440415160134954,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5128 /prefetch:1
        6⤵
        
        PID:4560
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2004,17393381904264105493,16083440415160134954,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3664 /prefetch:8
        6⤵
        
        PID:6064
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,17393381904264105493,16083440415160134954,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4632 /prefetch:1
        6⤵
        
        PID:6248
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,17393381904264105493,16083440415160134954,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5616 /prefetch:1
        6⤵
        
        PID:6280
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2004,17393381904264105493,16083440415160134954,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5700 /prefetch:8
        6⤵
        
        PID:6776
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
        6⤵
        Drops file in Program Files directory
        
        PID:6904
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x228,0x22c,0x230,0x1fc,0x234,0x7ff647f95460,0x7ff647f95470,0x7ff647f95480
        7⤵
        
        PID:6936
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2004,17393381904264105493,16083440415160134954,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5700 /prefetch:8
        6⤵
        
        PID:7004
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2004,17393381904264105493,16083440415160134954,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4716 /prefetch:8
        6⤵
        
        PID:7404
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2004,17393381904264105493,16083440415160134954,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4992 /prefetch:8
        6⤵
        
        PID:7492
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2004,17393381904264105493,16083440415160134954,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4800 /prefetch:8
        6⤵
        
        PID:7576
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2004,17393381904264105493,16083440415160134954,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2028 /prefetch:2
        6⤵
        
        PID:7624
  - - C:\Users\Admin\AppData\Local\Temp\46-a0662-a20-a9cb2-c48128ff55693\Kokaegaejaeky.exe
      "C:\Users\Admin\AppData\Local\Temp\46-a0662-a20-a9cb2-c48128ff55693\Kokaegaejaeky.exe"
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4008
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\1y4urz3q.0rt\GcleanerEU.exe /eufive & exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:6656
      - C:\Users\Admin\AppData\Local\Temp\1y4urz3q.0rt\GcleanerEU.exe
        
        C:\Users\Admin\AppData\Local\Temp\1y4urz3q.0rt\GcleanerEU.exe /eufive
        6⤵
        Executes dropped EXE
        Checks computer location settings
        
        PID:7868
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7868 -s 452
        7⤵
        Program crash
        
        PID:3464
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7868 -s 764
        7⤵
        Program crash
        
        PID:2544
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7868 -s 772
        7⤵
        Program crash
        
        PID:5220
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7868 -s 772
        7⤵
        Program crash
        
        PID:5300
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7868 -s 856
        7⤵
        Program crash
        
        PID:5480
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7868 -s 984
        7⤵
        Program crash
        
        PID:5628
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7868 -s 1016
        7⤵
        Program crash
        
        PID:5848
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7868 -s 1360
        7⤵
        Program crash
        
        PID:6000
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im "GcleanerEU.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\1y4urz3q.0rt\GcleanerEU.exe" & exit
        7⤵
        
        PID:6140
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "GcleanerEU.exe" /f
        8⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:6316
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7868 -s 492
        7⤵
        Program crash
        
        PID:6208
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\hvadykb0.ff4\gcleaner.exe /mixfive & exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:7928
      - C:\Users\Admin\AppData\Local\Temp\hvadykb0.ff4\gcleaner.exe
        
        C:\Users\Admin\AppData\Local\Temp\hvadykb0.ff4\gcleaner.exe /mixfive
        6⤵
        Executes dropped EXE
        Checks computer location settings
        
        PID:7976
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7976 -s 456
        7⤵
        Program crash
        
        PID:4204
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7976 -s 764
        7⤵
        Program crash
        
        PID:5396
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7976 -s 772
        7⤵
        Program crash
        
        PID:5596
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7976 -s 792
        7⤵
        Program crash
        
        PID:5804
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7976 -s 856
        7⤵
        Program crash
        
        PID:5948
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7976 -s 984
        7⤵
        Program crash
        
        PID:6056
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7976 -s 1020
        7⤵
        Program crash
        
        PID:6296
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7976 -s 1324
        7⤵
        Program crash
        
        PID:6568
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im "gcleaner.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\hvadykb0.ff4\gcleaner.exe" & exit
        7⤵
        
        PID:6596
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "gcleaner.exe" /f
        8⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:6696
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7976 -s 492
        7⤵
        Program crash
        
        PID:6680
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\o0s1evsv.ino\random.exe & exit
        5⤵
        
        PID:8084
      - C:\Users\Admin\AppData\Local\Temp\o0s1evsv.ino\random.exe
        
        C:\Users\Admin\AppData\Local\Temp\o0s1evsv.ino\random.exe
        6⤵
        Executes dropped EXE
        Checks computer location settings
        
        PID:4860
        
        C:\Users\Admin\AppData\Local\Temp\o0s1evsv.ino\random.exe
        
        "C:\Users\Admin\AppData\Local\Temp\o0s1evsv.ino\random.exe" -q
        7⤵
        Executes dropped EXE
        
        PID:4904
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\czikux4k.oan\pb1117.exe & exit
        5⤵
        
        PID:1512
      - C:\Users\Admin\AppData\Local\Temp\czikux4k.oan\pb1117.exe
        
        C:\Users\Admin\AppData\Local\Temp\czikux4k.oan\pb1117.exe
        6⤵
        Executes dropped EXE
        
        PID:1880

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 7868 -ip 7868
1⤵
PID:2376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 7976 -ip 7976
1⤵
PID:1108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 7868 -ip 7868
1⤵
PID:1032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 7868 -ip 7868
1⤵
PID:5204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 7868 -ip 7868
1⤵
PID:5264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 7976 -ip 7976
1⤵
PID:5376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 7868 -ip 7868
1⤵
PID:5460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 7976 -ip 7976
1⤵
PID:5560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 7868 -ip 7868
1⤵
PID:5588

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
1⤵
- Process spawned unexpected child process
PID:5672
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
  2⤵
  - Loads dropped DLL
  PID:5704
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5704 -s 612
    3⤵
    - Program crash
    PID:5872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 7976 -ip 7976
1⤵
PID:5720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 7868 -ip 7868
1⤵
PID:5784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 5704 -ip 5704
1⤵
PID:5840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 7976 -ip 7976
1⤵
PID:5920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 7868 -ip 7868
1⤵
PID:5980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 7976 -ip 7976
1⤵
PID:6036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 7868 -ip 7868
1⤵
PID:6168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 7976 -ip 7976
1⤵
PID:6240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 7976 -ip 7976
1⤵
PID:6548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 7976 -ip 7976
1⤵
PID:6608

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Web Service

T1102

Credential Access

Discovery

Query Registry

T1012

Software Discovery

T1518

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1y4urz3q.0rt\GcleanerEU.exe

Filesize
290KB

MD5
7db9bcb98de064386dcac141d67f6106

SHA1
63dcc088af15158a096d1437d51656c79b1f5fe7

SHA256
3e891b681d20f0b0058a1e68f7a51fe8867887582b08dbf067fc1777a03dc809

SHA512
94f970ef5f799eda73e172f51a39ea975b999a572f1b1adf7925ce12e4895e316758387cdb7e9db7ad6d9675a6042380ba689b6bc159001691f9e7655efba0a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\1y4urz3q.0rt\GcleanerEU.exe

Filesize
290KB

MD5
7db9bcb98de064386dcac141d67f6106

SHA1
63dcc088af15158a096d1437d51656c79b1f5fe7

SHA256
3e891b681d20f0b0058a1e68f7a51fe8867887582b08dbf067fc1777a03dc809

SHA512
94f970ef5f799eda73e172f51a39ea975b999a572f1b1adf7925ce12e4895e316758387cdb7e9db7ad6d9675a6042380ba689b6bc159001691f9e7655efba0a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\46-a0662-a20-a9cb2-c48128ff55693\Kenessey.txt

Filesize
9B

MD5
97384261b8bbf966df16e5ad509922db

SHA1
2fc42d37fee2c81d767e09fb298b70c748940f86

SHA256
9c0d294c05fc1d88d698034609bb81c0c69196327594e4c69d2915c80fd9850c

SHA512
b77fe2d86fbc5bd116d6a073eb447e76a74add3fa0d0b801f97535963241be3cdce1dbcaed603b78f020d0845b2d4bfc892ceb2a7d1c8f1d98abc4812ef5af21

Download Submit
C:\Users\Admin\AppData\Local\Temp\46-a0662-a20-a9cb2-c48128ff55693\Kokaegaejaeky.exe

Filesize
420KB

MD5
cb90d473ea62e95a2767bbe3d91c4c64

SHA1
61af0628fe380db4c09a8b34ff97a030b313800a

SHA256
512627bd32c8c842ea80f63d03fe491a1e8b9494b0083fb62c0d3ced93951223

SHA512
e56a94fa9adb28bbfe6862419d177154a98bba4f7105df9c49eb20f19cf51e8844771d925cdbb55df75740e18b5bd204e7ba0f89d4208ca0233fffbc5372bedd

Download Submit
C:\Users\Admin\AppData\Local\Temp\46-a0662-a20-a9cb2-c48128ff55693\Kokaegaejaeky.exe

Filesize
420KB

MD5
cb90d473ea62e95a2767bbe3d91c4c64

SHA1
61af0628fe380db4c09a8b34ff97a030b313800a

SHA256
512627bd32c8c842ea80f63d03fe491a1e8b9494b0083fb62c0d3ced93951223

SHA512
e56a94fa9adb28bbfe6862419d177154a98bba4f7105df9c49eb20f19cf51e8844771d925cdbb55df75740e18b5bd204e7ba0f89d4208ca0233fffbc5372bedd

Download Submit
C:\Users\Admin\AppData\Local\Temp\46-a0662-a20-a9cb2-c48128ff55693\Kokaegaejaeky.exe.config

Filesize
1KB

MD5
98d2687aec923f98c37f7cda8de0eb19

SHA1
f6dcfcdcfe570340ecdbbd9e2a61f3cb4f281ba7

SHA256
8a94163256a722ef8cc140bcd115a5b8f8725c04fe158b129d47be81cb693465

SHA512
95c7290d59749df8df495e04789c1793265e0f34e0d091df5c0d4aefe1af4c8ac1f5460f1f198fc28c4c8c900827b8f22e2851957bbaea5914ea962b3a1d0590

Download Submit
C:\Users\Admin\AppData\Local\Temp\96-f0d1b-0ab-e359f-3eab8ac65004f\Kokaegaejaeky.exe

Filesize
315KB

MD5
a1539d5a565503b26710d24a173eb641

SHA1
4982821c94b1c32d56d2395c4ef53a8fee852e25

SHA256
7332f18f1e9b01188e8a64feeb3cfec5013256048efa38d3c7b8173e9f466748

SHA512
d0bc439dcc68943fb3a7a3521e298035f66dd55ca34da86280a6f20d35007d2766ef1c892af5c0763e07dbd4032b4106d7928a9e3d9528cfd9aadab60e744878

Download Submit
C:\Users\Admin\AppData\Local\Temp\96-f0d1b-0ab-e359f-3eab8ac65004f\Kokaegaejaeky.exe

Filesize
315KB

MD5
a1539d5a565503b26710d24a173eb641

SHA1
4982821c94b1c32d56d2395c4ef53a8fee852e25

SHA256
7332f18f1e9b01188e8a64feeb3cfec5013256048efa38d3c7b8173e9f466748

SHA512
d0bc439dcc68943fb3a7a3521e298035f66dd55ca34da86280a6f20d35007d2766ef1c892af5c0763e07dbd4032b4106d7928a9e3d9528cfd9aadab60e744878

Download Submit
C:\Users\Admin\AppData\Local\Temp\96-f0d1b-0ab-e359f-3eab8ac65004f\Kokaegaejaeky.exe.config

Filesize
1KB

MD5
98d2687aec923f98c37f7cda8de0eb19

SHA1
f6dcfcdcfe570340ecdbbd9e2a61f3cb4f281ba7

SHA256
8a94163256a722ef8cc140bcd115a5b8f8725c04fe158b129d47be81cb693465

SHA512
95c7290d59749df8df495e04789c1793265e0f34e0d091df5c0d4aefe1af4c8ac1f5460f1f198fc28c4c8c900827b8f22e2851957bbaea5914ea962b3a1d0590

Download Submit
C:\Users\Admin\AppData\Local\Temp\czikux4k.oan\pb1117.exe

Filesize
3.5MB

MD5
b9d012f7383a10a51e3d6b9dbec0ae9b

SHA1
dafcd1c3f721be08aeeefdf76e092924933b34b4

SHA256
23a6737bb26f8e970591b7d4843e3b4a5e9b6cd92d87138ff8efe2ed488065dc

SHA512
cb7707b913f43e08d87058644d3f4bceadbf7023bd0a1b40b8111b71b6ef575fcb586f0d6922569a39e935b1c1d5c3d84f3ad1de1687a434c7ab01d071e7609e

Download Submit
C:\Users\Admin\AppData\Local\Temp\czikux4k.oan\pb1117.exe

Filesize
3.5MB

MD5
b9d012f7383a10a51e3d6b9dbec0ae9b

SHA1
dafcd1c3f721be08aeeefdf76e092924933b34b4

SHA256
23a6737bb26f8e970591b7d4843e3b4a5e9b6cd92d87138ff8efe2ed488065dc

SHA512
cb7707b913f43e08d87058644d3f4bceadbf7023bd0a1b40b8111b71b6ef575fcb586f0d6922569a39e935b1c1d5c3d84f3ad1de1687a434c7ab01d071e7609e

Download Submit
C:\Users\Admin\AppData\Local\Temp\db.dat

Filesize
557KB

MD5
76c3dbb1e9fea62090cdf53dadcbe28e

SHA1
d44b32d04adc810c6df258be85dc6b62bd48a307

SHA256
556fd54e5595d222cfa2bd353afa66d8d4d1fbb3003afed604672fceae991860

SHA512
de4ea57497cf26237430880742f59e8d2a0ac7e7a0b09ed7be590f36fbd08c9ced0ffe46eb69ec2215a9cff55720f24fffcae752cd282250b4da6b75a30b3a1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\db.dll

Filesize
52KB

MD5
e2082e7d7eeb4a3d599472a33cbaca24

SHA1
add8cf241e8fa6ec1e18317a7f3972e900dd9ab7

SHA256
9e02e104e1ab52a1c33d650c34d05a641c53e8edd5471c7ee4f68f29c79d62c1

SHA512
ae880716e0a2db43797a55294e101ad92323a0f08443c0337c4abe4d049375821b04b08744889c992b2a01396e89702585e9a3688e6c795e208e3dd594a99e07

Download Submit
C:\Users\Admin\AppData\Local\Temp\db.dll

Filesize
52KB

MD5
e2082e7d7eeb4a3d599472a33cbaca24

SHA1
add8cf241e8fa6ec1e18317a7f3972e900dd9ab7

SHA256
9e02e104e1ab52a1c33d650c34d05a641c53e8edd5471c7ee4f68f29c79d62c1

SHA512
ae880716e0a2db43797a55294e101ad92323a0f08443c0337c4abe4d049375821b04b08744889c992b2a01396e89702585e9a3688e6c795e208e3dd594a99e07

Download Submit
C:\Users\Admin\AppData\Local\Temp\hvadykb0.ff4\gcleaner.exe

Filesize
290KB

MD5
7db9bcb98de064386dcac141d67f6106

SHA1
63dcc088af15158a096d1437d51656c79b1f5fe7

SHA256
3e891b681d20f0b0058a1e68f7a51fe8867887582b08dbf067fc1777a03dc809

SHA512
94f970ef5f799eda73e172f51a39ea975b999a572f1b1adf7925ce12e4895e316758387cdb7e9db7ad6d9675a6042380ba689b6bc159001691f9e7655efba0a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\hvadykb0.ff4\gcleaner.exe

Filesize
290KB

MD5
7db9bcb98de064386dcac141d67f6106

SHA1
63dcc088af15158a096d1437d51656c79b1f5fe7

SHA256
3e891b681d20f0b0058a1e68f7a51fe8867887582b08dbf067fc1777a03dc809

SHA512
94f970ef5f799eda73e172f51a39ea975b999a572f1b1adf7925ce12e4895e316758387cdb7e9db7ad6d9675a6042380ba689b6bc159001691f9e7655efba0a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-76GUE.tmp\PowerOff.exe

Filesize
543KB

MD5
d7d4cb1c5321695ac3030e8826720a97

SHA1
318200c66ed537b6b51bbe7afc03ee19ba505dae

SHA256
ddb41f2b2af2551f55f8173d928553fc3fa0b211e3adeea0e508716bac993fdd

SHA512
57d60fc647668f6bde7919e64a21ea96a8d2ed552b0a2cc45b20077eb7780901b0c9e04d9affe3d356ca2ff85e974b1abd6b8c8458e360107560a3ddf024b972

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-76GUE.tmp\PowerOff.exe

Filesize
543KB

MD5
d7d4cb1c5321695ac3030e8826720a97

SHA1
318200c66ed537b6b51bbe7afc03ee19ba505dae

SHA256
ddb41f2b2af2551f55f8173d928553fc3fa0b211e3adeea0e508716bac993fdd

SHA512
57d60fc647668f6bde7919e64a21ea96a8d2ed552b0a2cc45b20077eb7780901b0c9e04d9affe3d356ca2ff85e974b1abd6b8c8458e360107560a3ddf024b972

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-76GUE.tmp\idp.dll

Filesize
216KB

MD5
8f995688085bced38ba7795f60a5e1d3

SHA1
5b1ad67a149c05c50d6e388527af5c8a0af4343a

SHA256
203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006

SHA512
043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-UIG46.tmp\736f9602b14da32716ae030c59df040465df95ed48c964b33486c04b0ef1002d.tmp

Filesize
694KB

MD5
ffcf263a020aa7794015af0edee5df0b

SHA1
bce1eb5f0efb2c83f416b1782ea07c776666fdab

SHA256
1d07cfb7104b85fc0dffd761f6848ad176117e146bbb4079fe993efa06b94c64

SHA512
49f2b062adfb99c0c7f1012c56f0b52a8850d9f030cc32073b90025b372e4eb373f06a351e9b33264967427b8174c060c8a6110979f0eaf0872f7da6d5e4308a

Download Submit
C:\Users\Admin\AppData\Local\Temp\o0s1evsv.ino\random.exe

Filesize
87KB

MD5
ac3635badcc667c6f1a708bc2143c658

SHA1
71025552e16053b0f25e512befa8bba390ee5d01

SHA256
7ae7a78651ac33f816e91b7b23dcd45a4b6c9024fe302fc711280ecdcc6eb2ca

SHA512
99e8036b82943d61f9e5fc8eefbd6fabb3fef3bf9be70e3b4e1d8469cc403f4b8200bd6b644225d566071843b136c2c294c5775bd811fc3e894e369005778ac9

Download Submit
C:\Users\Admin\AppData\Local\Temp\o0s1evsv.ino\random.exe

Filesize
87KB

MD5
ac3635badcc667c6f1a708bc2143c658

SHA1
71025552e16053b0f25e512befa8bba390ee5d01

SHA256
7ae7a78651ac33f816e91b7b23dcd45a4b6c9024fe302fc711280ecdcc6eb2ca

SHA512
99e8036b82943d61f9e5fc8eefbd6fabb3fef3bf9be70e3b4e1d8469cc403f4b8200bd6b644225d566071843b136c2c294c5775bd811fc3e894e369005778ac9

Download Submit
C:\Users\Admin\AppData\Local\Temp\o0s1evsv.ino\random.exe

Filesize
87KB

MD5
ac3635badcc667c6f1a708bc2143c658

SHA1
71025552e16053b0f25e512befa8bba390ee5d01

SHA256
7ae7a78651ac33f816e91b7b23dcd45a4b6c9024fe302fc711280ecdcc6eb2ca

SHA512
99e8036b82943d61f9e5fc8eefbd6fabb3fef3bf9be70e3b4e1d8469cc403f4b8200bd6b644225d566071843b136c2c294c5775bd811fc3e894e369005778ac9

Download Submit
memory/1212-184-0x0000000000000000-mapping.dmp

Download
memory/1512-173-0x0000000000000000-mapping.dmp

Download
memory/1748-136-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1748-152-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1748-132-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1880-186-0x0000000000000000-mapping.dmp

Download
memory/1880-191-0x0000000140000000-0x000000014061B000-memory.dmp

Filesize
6.1MB

Download
memory/2880-154-0x00007FFBBB440000-0x00007FFBBBE76000-memory.dmp

Filesize
10.2MB

Download
memory/2880-143-0x0000000000000000-mapping.dmp

Download
memory/3616-177-0x0000000000000000-mapping.dmp

Download
memory/4008-153-0x00007FFBBB440000-0x00007FFBBBE76000-memory.dmp

Filesize
10.2MB

Download
memory/4008-144-0x0000000000000000-mapping.dmp

Download
memory/4060-172-0x0000000000000000-mapping.dmp

Download
memory/4164-175-0x0000000000000000-mapping.dmp

Download
memory/4384-134-0x0000000000000000-mapping.dmp

Download
memory/4560-198-0x0000000000000000-mapping.dmp

Download
memory/4860-181-0x0000000000000000-mapping.dmp

Download
memory/4904-194-0x0000000000000000-mapping.dmp

Download
memory/4904-141-0x0000000000740000-0x00000000007D0000-memory.dmp

Filesize
576KB

Download
memory/4904-151-0x00007FFBBC5F0000-0x00007FFBBD0B1000-memory.dmp

Filesize
10.8MB

Download
memory/4904-142-0x00007FFBBC5F0000-0x00007FFBBD0B1000-memory.dmp

Filesize
10.8MB

Download
memory/4904-138-0x0000000000000000-mapping.dmp

Download
memory/5452-156-0x0000000000000000-mapping.dmp

Download
memory/5704-200-0x0000000000000000-mapping.dmp

Download
memory/6064-204-0x0000000000000000-mapping.dmp

Download
memory/6140-205-0x0000000000000000-mapping.dmp

Download
memory/6248-207-0x0000000000000000-mapping.dmp

Download
memory/6280-209-0x0000000000000000-mapping.dmp

Download
memory/6316-210-0x0000000000000000-mapping.dmp

Download
memory/6456-157-0x0000000000000000-mapping.dmp

Download
memory/6464-169-0x0000000000000000-mapping.dmp

Download
memory/6596-213-0x0000000000000000-mapping.dmp

Download
memory/6656-158-0x0000000000000000-mapping.dmp

Download
memory/6696-214-0x0000000000000000-mapping.dmp

Download
memory/6904-217-0x0000000000000000-mapping.dmp

Download
memory/6936-218-0x0000000000000000-mapping.dmp

Download
memory/7004-219-0x0000000000000000-mapping.dmp

Download
memory/7404-221-0x0000000000000000-mapping.dmp

Download
memory/7492-223-0x0000000000000000-mapping.dmp

Download
memory/7576-225-0x0000000000000000-mapping.dmp

Download
memory/7624-226-0x0000000000000000-mapping.dmp

Download
memory/7868-211-0x0000000000768000-0x000000000078F000-memory.dmp

Filesize
156KB

Download
memory/7868-178-0x0000000000768000-0x000000000078F000-memory.dmp

Filesize
156KB

Download
memory/7868-212-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/7868-159-0x0000000000000000-mapping.dmp

Download
memory/7868-180-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/7868-179-0x00000000006D0000-0x0000000000710000-memory.dmp

Filesize
256KB

Download
memory/7928-162-0x0000000000000000-mapping.dmp

Download
memory/7976-163-0x0000000000000000-mapping.dmp

Download
memory/7976-190-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/7976-216-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/7976-215-0x0000000000708000-0x000000000072F000-memory.dmp

Filesize
156KB

Download
memory/7976-189-0x0000000000708000-0x000000000072F000-memory.dmp

Filesize
156KB

Download
memory/8084-166-0x0000000000000000-mapping.dmp

Download
memory/8156-168-0x0000000000000000-mapping.dmp

Download